auditing and security - as400, disaster recovery plans

5/12/2018 Auditing and Security - As400, Disaster Recovery Plans - slidepdf.com

http://slidepdf.com/reader/full/auditing-and-security-as400-disaster-recovery-plans



This Page Intentionally Left Blank



This book is printed on acid-free paper. @

Copyright0 2001 by John Wiley and Sons, Inc. All rights reserved.

Published simultaneously in Canada.

No part of this publicationmay be reproduced, stored in a retrieval system or transmitted inny form or by any means,

electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108f

the 1976 United States Copyright Act, without either the prior written permissionf the Publisher, or authorization

through payment of the appropriate per-copyee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers,A01923, (978) 750-8400, fax (978) 750-4744. Requestso the Publisher or permission shouldbe addressed to the

Permissions Department, JohnWiley & Sons, Inc., 605 Third Avenue, New York, NY 10158-0012, (212) 850-601, fax(212) 850-6008, E-Mail: E ~ ~ E Q ~ ~ E Y . C O M .

This publication is designed to provide accuratend authoritative information in regardo the subject matter covered. It issold with the understanding that the publishers not engaged in rendering legal, accounting, or other professional

services. If legal adviceorother expert assistances required, the services f a competent professional person shoulde

sought.

Musaji, Yusufali .Auditing and security: AS/400,W,UNIX, networks, and disaster recovery plans/

Yusufali F. Musaji.

p. cm.

1.Electronic data processing-Auditing. 2. Computer security. I. Title.ISBN 0-471-38371-6 (cloth: alk. paper)

~A76.9.A93M87 2001

0 0 5 . 8 4 ~ 2 1 00-064922

Printed in the United Statesf America.

1 0 9 8 7 6 5 4 3 2 1



This book is dedicated t o y g r a n ~ m ot h e~rs . ~ u l s u m b a i ~ u r b h a i ,who taught me t o sa cr gc eo I cou ld grow.

Io my mot he^ Mrs. ~ a t i m a ~ u s a j i ,ho sacr i~ ced heraterialwell-being so I could paymy school fees.

To my son, Ali Musaji, who taught me perseverance, patience, andthe m a ~ e l s o f l ~ ~ .

Io my w$e, ~ a o ~ iusaji, for her ove, tolerance, and faith.



nd the big picture, see their roles withint, continuo



resources from hackers and computer thieves, corporations neglectedhe physical securityaspects and as a result suffered financialoss from lack of physical security controls, thusbecoming easy gameor crooks. In spite of this, physical security continued toe regardedas being limitedo the perimeter controls and bodyguardst the front doors.

Theft or damage to information processing resources, unauthorizedisclos~er era-sure of proprietary nformation,and nterruption of support for proprietarybusinprocesses are all risks that managers who ownr are responsible or info~a t ionesourcesmust evaluate. Since physical access to information processing resources exposes a com-pany to all of these risks, management mustnstitute physical access controlshat are com-mensurate with theisk and potential loss to the company.

The objective of the physical security audits to determine if mana~ement rocesseshave been implemented, are effective, and are in compliance with establishedns~ct ionsand standards as formulated in the company security policy. they ensure that the com-

pany’s information resources are protected from unauthorizeChapters 3, 4, 5, and 6 discuss auditing the most advanced platforms:AS/400,

crosoft NT, and Unix.M y re system concepts and architecture importanto understand?

do not start y choosing a computer platform. Theytart by choosingmapss needs. Becauseof this, the computer systems very often considered irst.should the computer architecture matter? The accelerating rate of change of

e and software technologies necessitates that the system selected has beensigned with the uture in mind. Do the platforms accommodate nevitab~e, apid, and dra-

atic technology changes with i ~ m u melative effort? Are the systems uture-oriented?aradoxically, the characteristic of the most advanced design and technology s subtle. It

a c c o ~ o d a t e she rapidly changing hardware and software ompo~ents-permitting oneto fully exploit theatest technologies.

Is the operating system conceived as aingle entity? Are the facilities such as rela-tional database, communications and etwor~ng apabilities, online help, andso on fullyinte~ratednto the operating system andhe machine?

Successful audits of computer platforms are intended to provide an analysis f thecomputing and network hardware components with potential risks andeco~endations.If the computing platforms not secure, neithers the company’s data.

Chapter 7 continues the discussion of auditing networks. ~ o ~ o r a t i o n seploy net-works to lower the total cost of network ownership,m ~ i m i ~ eheir return on n~estment,provide seamless, enterprise-wide services, enable appli~ations, nhance their perfom-ance, control network resources, speed up project implementation, andinimi~eisk and

riven by the rush to e-commerce, se rity has rapidly become a mission-criticalcomponent of the corporate IT infrast~cture. protecting these mission-criticalnetwor~sfrom corruption and intrusion, network security has enabledew business applicationsbyreducing risk and providing a foundationor expanding business withntranet, extranet, and

electronic comerce applications.Therefore, network security should be a continuous cycle, consistingf estab lis~ng

a security policy that efines the security goals f the enterprise, implementing security ina comprehensive and layered approach, and auditinghe network on a recurrinsure that good network security is easier and more cost-effective, lso, network securityshould ensure that no irregularities have developed as the network evolves, and the resultsof the audits should e used to modify the security policy and the technology implementa-tion as needed.



i

Chapter 8 discusses auditing the disaster recovery plan. Large poolsf shared data-bases, t i m e - s h ~ n ~ ,ast teleprocessing networks,e l e c o ~ u ~ c a t i o n sonnections to non-company facilities, multiple distributed printers and systems, and thousandsf users char-acterize the state-of-the-art computer centers in corporations. Disruptionf service or the

intentional or nadve~ent estruction of data could potentially bring business processesoa halt.Across this entire computer i n f r a s ~ c ~ r e ,he Information Security (IS) processes

must be implemented to ensure the confidentiality, integrity, and availability f the com-pany’s information assets. he responsibility for the implementationof an effective S pro-gram is assigned according to the company’soals and objectives. Generally, this respon-sibility is delegated to the information system becausef its traditional role as ProviderfService. However, ISs often not the Providerf Service for smaller systems thatxist at alocation. Regardless f the organizational roles and responsibilities, theorporate informa-tion officer (CIO)s responsible for the overall implementation.

With the emergence of disaster recovery planning, physical securitys regardedas thecornerstone to developing a viable disaster recoverylan, The pundits have suddenly pro-

ureka,” and the dawn f physical security as the foundation on whichhe disas-ter recovery plan cane built has begun to take hold. Protecting assetsrom disasters is nowone edge of a double-edged sword withhe other edge preventing losses from theft and hu-man errors, which in fact pays partlyf not wholly for the costs of disaster recovery plan-ning. The auditbr must ensure that the computing environments suppo~ing ital businessprocesses are recoverable in the eventf a disaster.

Auditing and Security has been developed for IT managers, IT operations manage-ment, andpractitioners and students of IT audit. The intent of this book is to highl i~hthe

areas of computer controls and to present them to the reader in a practical andpragmatic manner. Each hapter contains usable audit programs and ontrol methods thatcan be readily applied to information technology audits.As an added value, tworesenta-tions are available on he World Wide Web.The first presentation is a proposal or invest-ing in a disaster recovery plan and the second is a firewall selection guide. Please visitwww.wiley.co~musaji.The user password is: auditing. These documents are in Power-point format.



Yusufali. F. Musaji is the Founder, Director and Presidentf Mi’s Y, Consulting Inc., anTand Financial Consultingf m pecializing in computer consulting. Yusufalihas a strongcomputer science and financial background. He embraces theull sp ec t~ mf financial, op-erational, andIT disciplines requiredof a state-of-the-artorgani~ation.His functional andtechnical areasof expertise include system development and implementation, project man-agement, computer security and financial systems.

Yusufali F. Musaji is widely published n IT, financial, and security o u ~ a l seser Relations~ps, nd has also developed numerous business continuity plans.

e holds a Bachelor of Computer Science from York U~versity, oronto, Canada,and is a C.G.A., CISA andCISSP.



information Security throu h Dynamic Culture

Information Securi~ ~anager-L~aderoles

~ y n a ~ i culture Isa Prerequisite forG r o ~ h

Sustaining Culture for Process Improvement

~ocusnward

~ynamic ulture Overview

Leadership ~e ededrom IS ~anager-Leade~

~ y n a ~ i ~u~ture Tra~sformation

eco~n i~ i ng ~a i t s

~esired ~ehaviors~in, ~xecute, eam

~ y n a ~ i culture Self-Assessm~nt

~ o r ~ snd Values

Syste~s, tructures, and Processes

As~ump~ionsIS an age^ Leade~ r ~anager-Leaders

~otalob ~ o d e l

~uman Resources/~~ploy~esrocesses

~ a n ~ g ~ r - ~ e a d e r s A c c o u n t a ~ i l i ~

~ e wole of the ~anager

S~ared esponsibility for~Rl~mployeesrocesses

~oundational a i t snd A~ributes

Specific Skills Requiredy IS ~ana~er-LeadersPersonal Learning Sparks rgani~ationalearning

~xecutive kills Versus ~anager -~asickills

Conflict ~e ~o lu t i o n

~haracteristics f ~ ~ r m a lonflict Resol~tion lans

Conflict Awaren~ss

I f

11

26

292

31

32

33

33



r ~ a tor ~ositive ~esolution

ical Access Controls

the C o ~ ~ a n y ~nst~llation

An~lysis nd Accept~nce

34

36

38

40

41

42

43

47

49

52

53

3

57

58

59

59

63

64

65

65

67

7

69

70

70

70

77

77

78



AS/400 System Concepts andArc~itecture

System Concepts

~ u l lntegration into the ~ e r a t i n gystem and the a c h i n

ased Operating SystemAut~ority arameter

A~plicationDevelopment~001sA ~ T s ~

System ~tilities

A~/400~~~Y

Initial Pro~rams

~ami ng omenclature

Libraries

Backup and Recovery

Auxiliary Storage Pools

journal in^

Commitment Control

Checksum Protection

~ i s k ~ i r r o r i n ~

~edundant rray of Independent ~ i s k sAID^

Security

~ystem ey Lock

~ystemide Se cu ri ~alues

~ystem uthority

~ s e rrofiles

roup Pro~les

Authori~ation ists

A~op t uthority

~ r d e rf Authority Checking

~ t h e recurity Issues

~y ste m alues

Summary

tiv

Operationa~ ontrols

~ r~ an i ~ a t i ona ltructure

~rogram evelo~ment, Ac~uisition,nd ~aintenance

Access to Data i l e s

usiness Cont inui~

111

11

1

General Controls

Computer ~ o o m



Set Auditoni it or and Audit Log Parameters

Turn Auditing On or ff

Select Users to be Audited

Select €vents to be Audited

Select System Calls to be AuditedInterpreting Audit Log Data

~ a n a ~ i n gudit Log Resources

Administering the Auditing System

Using Auditing in a Disklessnvironment

Backup and Recovery n a Secure Enviro~ment

~ackup ecurity Practices

Recovery Security Practices~ount ingnd Un~ounting File System

Shu~ing own a System Securely

vir

Internetworking

over vie^

Devices

Con~rol Re9uire~ents

Different Typesof Networks

Local Access~ e ~ o r kWide Access e t ~ o r k

Internetworking Challen~es

0 ierarchy f etw works

OS1 Model

~ommunicatingData through €ncapsulation

OS1Layer 7: Physical Layer

OS1Layer 2:~ a t aink Layer (TheVirtual ~ o r l d )

OS1Layer 3: ~ e ~ o r ~ayer

~onnection-Oriented nd Connectionless et work

OS1Layer 5:Session Layer

OS1Layer 6:Presentation Layer

OS1Layer 7:Application Layer

SI Layer4: ~ a ~ s p o r tayer



Audit ails

~ r i v i l e g e ~ser ID Authori~ation

A~/400nstalled

4A.5 Other Objects

rams thatA d o ~ tuthority

~uthor i~ationists

bject ~e ve l ~e c~ r i t y

4A.6 ~tilities

Job ~escriptions

4A.8 ~ e ~ Q r kQnsiderations

4A.9 ~ecurity dministration~ u ~ i tog

IntrQduction

~ecuri ty ~e~erenceoni it or

~ecuri ty ~ccount ~anager

~~sc re t i o~a ryccess Co~tr o~ s

~ t ~ e reat tu res

~ecurityOverview

on ~roce ssnd User entity

~ ~ j e c t snd ~ecuri ty

~ e r ~ i s ~ i o n s

Access Control Lists

~ e s i g nea tu res

157

758

160

165

168

169

76

170

7 7’0

1 0

171

1.7

172

173

174

174

178178

182

182

183

184

1 5

186

188

788



i

Access Control: Securi~ ~a nagement

User Authentication

User AccountsUser ~i gh ts

User Accounts, Groups, and ~ c u r i ~

~lan#ing

erm missions §ummary

Policy Plannin~

Account ~oiicy

User ~ igh ts olicy

Aud~tPolicy

§yste~ ~ol ic ies

Share Ptannin~

Creating Shares

Creating a~ e t ~ o r k S ~ a r e

Se~ing ile System Perm~ssions

nag in^ Groups§pecial ~r o u p s

~ a n a ~ i n gser A~ ~o un ts

~ e t ~ o r k e dnd Local Users

~pecial ~uilt-Inccounts

Creating User Accounts

copy in^ User Accounts

~isab ling nd ~e le ting ser Accoun~s

~ e ~ ~ m i n gser Accounts

nv i ron~~n trofiles

~ogon cripts

~ o m e ~ i r e c t ~ r i e s

Creatin~ ser ~irectories

~ u m ~ a r ~

omains and Trust

Su~ported e ~ ~ o f ksport Protocols

A~acks nd Defenses

Services that ~nhaffce r Impact Security

eat tu res of Secu~i~y

Security Certifications

202

07

207

207

12

2 2

272273

75

76

277

217



240

240

Introduction

tion ~ an ag er e v i e ~

e~ i ng~ a Secure S y s t e ~

ecure System ~ a i n t ~ n ~ n c

Cre~ting r o ~ u ~ t ~ e s c r i ~ ~ i o niles

V e r i ~ i n ~ile S y s t e ~ onsistency

for Cust o~i~ ed ~ile sets

ing User Acce~so System and Files

ss~ord Se~urity

File ~e r~ is si on s

~rotecting ey S ~ ~ s y s ~ e ~ s

Criteria for ~ o ~ e s

e~uri ty onsi~erationsor ~e vi ce ~i le s

336

336

336

339

340

340

3 4 ~

344

344

5

3 ~ 6

34

34

349

350

350

351

352

352

353

354

355

356

356

~ 5 6

357

363



...111



P~ysical ccess to System Unit

System Key Lock

~ystem onsole

Dedicated ServiceTools

Security Level

' AllowUserDomainObjects

~ a s s ~ o r d ~ o r m a ~ i n gules

~ax imum ign-On A~empts

Limit SecurityO ~ c e rccess

emote Sign-On ~ontrols

Limit umber of Device Sessions

Automatic Configuration of Virtual DevicesAutomatic Confi~uration f Local Devices

A~ention Pro~ram

Violation Reporting and ollow-Up

Default Public Access uthori~

is play ~ign-Onnformation

Job ~me-Out

~ystemor ti on of Library List

User ~ ~ r t i o nf Library Listl ~ ~ - S u p ~ l i e dser ~ r ~ f i l e s

Special UserPro~les

User Pr of i~ e~

roup ~ r o ~ l e s

Li~rary ccess

ccess to D a t ~

Access to ~rogram ibraries

Authori~ation istsJob~escriptions

ln i t i~l rogram

C Support

Output ~ueues

Sensitive Commands

ac~upnd ~ecovery

131

137

132

732

732

133

133

134

135

135

135

136136

136

137

73

139

139

140

14014714I

742

144

1

145

1 4 ~

746747

148

749

149

150

750

151

752

User Verific~tion

153

753

155



N ~ e ~ o r k i n gopologies

lmple~enting ~thernet

Token Ring

A ~ S I ~ j b e ristrjbutedData lnte~ace

N e ~ o ~ k l n ~ ~ ~ ~ c e s

Physical Layer nte~ace

at^ Link Layer n t e ~ ~ c e

asic l ~ t ~ r n e ~ o r k i n ~evices

CiIiClJ outer

Lab ~verviewPower Up and Basicouter Access UsingFlTP ~erver

A Look lns i~e

Internet ~F e r a t i n ~ystem

irewallWhat Is a irew wall?

curity Policy

o ~ m ~ nnternet Thre~ts

irew wall Arc~itectures

Stateful Inspection

Packet ~i l ters

~ircuit-Level a t e ~ a y

Application~Levelatew wayStateful InsFectionAdv~ntages nd ~i s a ~ v a n t a ~ e s

hoosinga Firewall

Secur i~udit

lving the ~uFeruser ~roblem

~n er a/ ac~groundnformation

~etwork i~g

~onducting usiness across the Internet

~onfiguratjon

~ e t ~ o r kddress an slat ion

~onitoring

3

463

464

46

464

464

64

465

474

476

477

477

478

479

479

4

4



NT i

~ecurity

~ e t w o r ~nformation Services

~ o c u ~ e n t a ~ i o nheckl list

irew wall C~ec~ l i s t

~i l tersire wall Tests

Technical Audit Program

lnterna~ nd Firewa~l onfi~uration ecurity

~~i~

Introduction

merging Technoio~ies

~ n d " ~ s e rompu~ing

~ e t w o r ~ s

~tron ic a t anterchange

Key Com~onents f a Successful Disaster Recovery Pian

~ ~ n a ~ e m e n tommitment andF u n ~ i n ~

~ecovery eam~ i s ~ s t e rre pa redness

~ u i l d i n ~Case for Disaster ecovery

usiness l ~ p a c ~nalysis

test in^ the Disaster Recovery Plan

~etting O~~ectives

D e ~ ~ i n ghe ~oundaries

Test re requisites

~ y s t e ~ ~ o d u l ehecks

~ n a l y ~ i n ~he Test

uditing the Disaster Recovery Plan

eneral ~uestions

Documentation ~uest ions

Plan ~rga ni~a ti onnd Assignments: For~-~ine-Pointhecklist

usiness ~rocess wner

uppliers of u er vice

486

487

487

#89490

490

490

493

493

493

493

#94

494

494

494

496496

498

498

499

499

500

501501

503

504

505

507

510

512

512

515

515

518

519



What drives revenue and profit in today’s economys undoubtedly the mix of hardware,software, and services. Oftenhe di~erentiatoror this mix s the highly skilled, motivated,leading-edged employee who ete~ineshe company’s competitiveness andts growth inthe marketplace. Growths linked to satisfied customers whose loyaltys the foundation forsuccess. Thus, theactor that d e t e ~ n e s company’s growth andts customer satisfaction

is the quality of its employees.Employees arec o ~ t t e dnd highly motivated when their worknviro~entsnablethem to go the extra mileor their customers, their company, and their colleagues. Thiss whatbuilds a network of d y n ~ cmployees who strive to e the best at providing valueo theircustomers. Simil~ly, hat mobilizes the employees to understand the elementsf the secu-rity culture nd to seets relevance to the company’s business success as well as their owsonal success are the dedicatedo ~ a t i o necurity (IS)mana~er-leaders. t takes dedicatedS mana~er-leaders o guide the a n s f o ~ a ~ o no a dynamic security-conscious culture.

Employees continue o be a company’s greatest asset, perhaps moreonow than ever

before. That’swhy IS manager-leaders must not allow he urgency of their daily workloadto take precedence over thempo~antime needed for the employee aspectsof their roles.ollowing are five factors that on~ibuteo customer satisfaction:

. mage

. Value

f these, images considered to e four times more mpo~anthan anyof the other factors,Image is a composite of four e loyee-related issues:

. ighly skilled employees who re committed to excellence.

loyees who are responsive and helpful and who take charge.

. company that s customer oriented and easyo do business with.

. company you can trust.



~ u l ~ l l i n gustomer satisfaction on these four issues, e s p ~ i ~ l y ~ i r s two, is very de-

m nt processes are worldlass. t is not themS, rather it is the employeeIt is i m p o ~ ~ to di~erentia

o share responsi~ility or their collective u ~ c e s ~ .

IS manager-leade~oles,

at is the missio~f ISm

ow does their~ i s s ionelate toa cwould a security-conscious cu lture/ co~pa~yook ike?

n ~ o ~ a t i o nynamic culture

oles versus obs and titles

d ~ t u ~ expectations

ny success~lusiness s ~ a t e ~ ys geared tow



orations-attributed to failure to an sf om cultures in conjunction withffo~s-has been high.

-shap~d hart in E ~ i b i t.2,shows the four factors that must be present forbe effectively im~lemented. t is not enough o only have reengi-processes will ail without the accompanying changes inob ac-

oring methods, andnoms and values embedded in theintangible cultural factors below the surface depicted by the

ered processes as the visible tip of the iceberg above the sur-ods and ideas on employees will not work, especiallyf the

e than halfhe reengineered efforts have failed

the crucial m~o~ancef the cultural factors below he sur-to squander their huge investments inhe new processes ifestment is dismal. ~onse~uently,ttention to cultural un-

e word t r ~ n s ~ o r ~ i n gs intended to capture both the journey and the need or dy-lture. This requires modeling the new culture in the way

res new relations~ps, nd adds value inhe evolv-

S is b e c o ~ i ~ gandatory.

loyees ”+~ a t i s ~ e d ~ u s t o ~ e r s .

ts from a dynamic c u l t ~ e ~ m p l o y e e s ,ustomers, and the share-ange the e ~ t e ~ a ln~ironm ent nless you

t is becoming increasingly p ~ ~ e n to thee success of employees and the success of the organization aree n s ~ ~ n ghat employees are seen as driversf the organization,ustomers and nvestors, is pivotal to creating d y n ~ cork en-

e~ployeeatisfaction a central driver in the organization d e~ a nd s

to your customer^.^'

eir ~ i s c r e t i o n a ~ e ~ o r tn goals t~atbot^

nd ~ ~ ~ i ~ i z ehe c o ~ ~ a n y ~ success. It is this “voluntee~sm”

S of IS m~ager-leaders that enable thethese roles, and why~entiono emplpoints that provide the outlinef a d y n ~ culture:

ribe a “ d y n a ~ i c c ~ l t ~ r e / c o m ~ a n y: he ~ee-lay ered

viors, noms and values, and assumptions-provides aired dynamic culture.



ent

pliance, A dynamic culture/company unleashes he pot en ti^ of employees who are com-to clear, relevant, andmeaning~lurposes that they have helped shape.mployees will commito the new dynamic culture when four factors are n place:

~ Z ~ r i ~ :taffembersnderstandhathe is-the character-istics of the culture areclear to them and hey ate them to others,

eZev~nce:StdT members see theelevancenamic culture toheom-'S business success-they see how it wi z he company'sustomerselp the co ~panyrow.

~ ~ i ~ g ;taff members see the personal m e ~ i n gf the newwhat it means to them ersonal~y, nd they canget excited about it.

~nvozve~ent: taff members want to be, and are, involved in the shaping and de-ploymentof the new dynamic cul~re-without involvement9 no o~mitment .it is impractical to involve everyone in shaping a e-scale change, their hosr~sentativesmay be involved. Giving employees thehoice to be involved is the key

point, even f they choose not to be.

The need should be for everyone, especially S manager-leaders, to help § u s t ~ nhe jour-ney and not lip back-to be comfortable reinforcin,volving, and nurturinculture/company. In summary,I manager-leaders enable the dynamic culture that gener-ates a dynamic company9 producing highlyatis~ednd loyal customers thatuel companygrowth.

Transfo~ations about change. There are man mo els that describe S

change and organizational change.The Changethat are ah e l p ~ lontext for cultural change.tural change as follows:

~ h a s e; den ti^ needs. This phase is su~ported thheushof thexternalnvironment. There is also theeom-pany9shuge investment in reengineerin



state” willbe described

manager-leaders also touches on the follow in^:

owever, given that realulture tr ans fo~ati oquire much iteration.

hase 2 suggests that f we wanta d y n a ~ culture/com~any,wewould look like.

T r a n s f Q ~ n gny or~ani2ationo arogress can appear to be unattai~able-

complishe~ step ata time. TheLure is made up of behaviors, norms and values, and asto bring to the surfacenorms, values, and assum~tionsnamic culture/com~any. See Exhibit1.

he most obviousir l e ~ ~ end valuable

les on m a ~ a g e ~ e n t ,



izations. To help understand these behaviors in the contare o r g ~ i z e dround the three foundationaloand team.

dynami~ cul~re/companyzzle are as follows:ynarnic company has six core elementss showni

Its employees arean energetic global te

It leads in creating valueor customers.

wins thro~ghechnolot builds share~older alue.

It is involved with our~ o ~ u n i t i e s .

t expects teamwork, integrity, respect,

S on the right things.

t is invigorat~d y work that helps it wi

It works by p~nciples-not rules.

t is proud of its products and services.

t uses what it sells.

Its employees are diverse.

S and leverageshowled



1saccounta~le.

cons~icuously hares credit for results,

oyees earncom~eti t i~eay and benefits.

ecurits comes from ts success with ts customers.

t bas choices to make inalancingts work and personal priorities.

ts l e a ~ e ~ sreate and c o ~ u ~ c a t ewinning strategy.

ts lea~ers a l khe talk

loyees need to demonstrate indynamic culture.

itment; concern for the truth even when it’s un-

o-workers; ability to apitalize on



ositive ~ s w e ~ so thec~e~k l i s t ,he foll

n a scale of 1 to 5, with 1be w- e r f o ~ ~ c e ”n being % n a ~ i c ~ ’ ~ s s e s she en-



#in * Establishedbjectives* Examples

1, Focusing on winnin~creating est ustomer alue * Targets* Results

2.uttingustomer ~irs~co~panyecondunit third 4 Accoun~~bility

3. Setting aggressive targets

4. Insisting on results

5. Holding employees accountableor their

com~tments

Execute

6. Showing concern or quality and productivity

7. Using and being oyal to the company’s products

8. Co~municatin~listeningfEectively

9.Welcoming the truth

10. Capitalizing on change

1 . Showing disgust with bureaucracy

12. Putting never-ending attentiono skillsimprovement

13. C o ~ i t t i n go being a process-managed business

14. Modeling a worwlife balance

Team

15 .W a ~ n ghe talk on respect, integrity, e ~ w o r k ,

and excellence

16. Valuing diversity

17. Sharing and leveraging knowledge

18.Acting unburdened y b o u n d ~ e s

19. Empowering individuals and teams

20. Energetically building ross-functiona~globalteamwork

0 ~ e s t ~ c t u ~ n g / s ~ z end scale* Flatter organization* “Fit in fast” checklist* “Fit for you” card* Delegation of authority0 Skills process4 Skills focus4 ~rofessional areers* Expert professions* Job news

* Global processes* Workload study/module

* Diversity council0 Diversity raining* Flexible work options

* Team mplementations* Team symposiums* Teambased rewards* 360-degree feedback* Peer recognition* Roles versus job



o you focus on i n n i n g ~ neing the leader in creating the best valueor your cus-orners, using technology, integrated solutions, and services?

Are you visibly puttin the customerirs~company secon~unithird inall decisions?Are you involved with your o ~ u n i t y ?

e you driven bya c o ~ o nision of your purpose?

o you insist on results versusffort?

o you earn competitive pay and benefits based on personal and companyesults?

Do you hold employees accountableor their c o ~ t m e n t s ?

Do you showb once^ for quality and productivity?

Do you havea fierce loyalty to he company’s products and services?

o you proudlyuse what you sell?

o youpracticeoutstanding co~munications~isteningith cu st o~ er s nd col-leagues?

Do you elc come the t ~ t h ,ven when it’s unpleasant?

Is provocative inquiry encouraged?

Do you capitalize n change and quickly adoptew jobslroles and structure?

e you open to new ideas?

o you show disgust with bureaucracy?

Do you h o w what to do and do it?

o you work continuously to improve yourkills?

Does your management andmeasu~ement ystem support you becoming process-

managed business?

e you modeling worldlifebalance?Do you work onhe right things?

re you invigorated y your work?

Are you making intelligent choices about balancing your personalife p ~ o ~ t i e s ?

o you model respect, integrity, teamwork, and excellence personally?

o you expect respect, integrity, teamwork,nd excellence from your colleagues?

o you value diverse, dynamic colleagues?o you share and leverage~ o ~ l e d g eroadly?

. o you act unburdened by ou n d ~ e sf place or thought?

o you conspicuously share redit for results?

G. Do you willingly help othersn your global co~pany?

Are you empowe~n individuals and teams?



by ~ri nci ~le s,ot rules?

you ener~etically nd visibly dis~layin cross-~nctionale ~ w o r k ?

iscussionswiththersn the CO valuable to assessand to decide what

he three co m~ tme nt sf the nom categories

. xecute

. eam

The four values are

The result in^ acronym helps eme~berhatspect and excellence,may appear to have the

reinforces the need to engage in dialogueou~derstood y all.

o ~ ~ a n i e sequire systems, stru~tures, nd ~rocesseso othese include the ol lo~ing:

agement and measurement yste

archicalor ea~-based

hese are strong levers toaffect behavior since theyculture, often m~licitly.They

en syste ~s9 st~c tures ,S, cultural t ra ns fo ~a ti

tions are like 44givens,’9 andn that res

he ~ a r ~ e t ~ l a c es the drivin

t the core,a c o ~ ~ a n yepe



with a ~ i ~ i ~ ufbu-

ever lose s i ~ h tf its s t r ~ t e g i ~i s i o ~ .

arly when they work as

Id be re~ectedn the

more di~lculto dis-about them-it’s

ourunconscious9 built-nclude latent biasesnd

ct on a~proachesoward team-

n many co~panies9he terns Z e ~ ~ e rnd ~ ~ ~ ~ g e rre used interchan

business processes.



1

neSetof ~ s s ~ ~ t i o ~ s

ABOUT H U ~ATURE

Employees basically dislike work, are lazy, need * Employees basically love being challengedbyto be coerced and controlled, and prefer tohave meaning~lwork, and are energized when they helpsuperiors make their decisions or them. make decisionsdec ting their work environment.

ABOUT TRUST

e Trust s ied to positionpower;superiorsarenot * Trustwo~hy mployees who displaycharacterandquestioned because hey must have good reasons competence, andwho encourage and open two-wayfor their actions or views. dialogue earn trust.

ABOUT M O ~ A T I O N

Extrinsic “carrotsand sticks’’ are what motivate e Intrinsic satisfaction s what motivates employees-

employees. rewards are “hygiene factors.”

ABOUTTIME! FR.AME

e Short-termsurvivallsuccess sparamount; we can * Long-term surviva~successsparamount; webaseoursave ourway to profits; daily~uctuations f the actions on the lifetime value f customers and onstock price affectmy mood. principles; trends in customernd employee

satisfaction affectmy mood.

ABOUT ~ T E ~ ~O M P E ~ ~ O N

Internal competition brings out the best in e Internal competition destroys teamwork, inhibitsemployees and should be encouraged to stimulate sharing and leveraging knowledge,nd demora~zeshigh performance; reward systems should promote team members; reward systems should promotetrying todo better than peers. collaboration.

Te~inologyn the area of leadership andm ~ a g e ~ e n tan be a semantic minefield. Thou-sands of articles have been written about managers,eaders, and executives.There has beenan explosion of books, videos, and speeches about leadersh, specially in the last fifteenyears. Unfo~unately,most authors are ess than crisp in defining th

ever, drawing rom the essenceof what the expert^'^ say, the follooverall distinctions between leading and managin

eading is setting the ~i re ct iQ n; aging is getting there.

* Leading focuses on the ZQng- ter~QrizQn;managing focuses on sho~- term ottomline.

Leading e ~ ~ Z ~ y e e s ;anaging processes, systems, and t ~ c ~ r e s .

trolling, directing.

Leading is doing the ~ i g ~ things; mana

paradigms.

* Leading is c o a c ~ in g , ~ ~ o ~ e r i n g , f a c i l i t ~ t i ~ g , s e ~ i n g ;anaging is ~lanning , on-

* Leading change, ~ e ~ e e ~a r a d i g ~ s ;tatus quo, within



~~ituationallyith earned pow er based on co~petence;m ~ a g i n grom ap-

iness of innovation; m ~ a g i n graves order.

w directions; managing demands proof.

ing relies on control.

?”;anaging is asking“

gments o hese characte~stics. do notneed either

The label ‘‘com~leteeader” for the person that embodies a rich blendf both lead-

ities is preferred. The term co~pZete a n a ger ould be equallyblend of leadin and managing is further reinforcedby the quote at the

leading or ~ ~ a g i n g 9ather we need both as shown inx ~ b i t .9.

eo The Powerof ~ s i o n :

Vision wit~out ction is only a dream;

Action without visions just passing the time;

Vision with action can changehe world.

m the ‘6com~leteeader” label in Exhibit 1.9, it is noted that the terming, managing, and doing. he working de~nit ion f l e a ~ e r s ~ ps

“ t ~ eb i l i ~o e~ect iv ely directionand ~ o d e lnterpersonalbehaviors ( ~ a d i n g ~ ,a l i g ~ ~ a n a ~ eusinessnoyees processes to a c c o ~ p ~ i s hesiredusiness re-

n ~ ~ i n g ~ ,nd contribute ers son a lly to de~ i red usiness result s ( ~ o i n g ~ . ~ ~

Administrator

A~dicato~

Complete

Leader

Dreamer

HIGH

ws that varying degrees of leading, managing, and doing skills are

is, leadership is the umbrella tem-leading, managing9 and doingare ~ u ~ s e t sf credible leadersh ibit 1.10 also ndicates hat eadership is expected

out he organi~ation-it ust theprerogative of senior mana~ers ndexecu-me employees may assume the role of a leader temporarily, n a given situation.

nent leaders, such as n senior positions or on some teams.n allnts that will ensure business success are the same.

The conc~usions that “c o~ pl et e m~ ag er s”re required to lead and “completeead-ers” are required to a nag^. In termsof the typicalor~anization, manager-leader” applies



\

\

\

\\\

\

\\

\

\

\\\

\ \0% \ \

\ \

t

i

es are, at least situ-



\ \

\\

~ligninghe culture with the desired direction andtratesults for the orgmization

~ e a d i n g y e ~ a ~ p l e / ~ e a d i n ~ay to day, This role consists ofsonal le ad er s~ pn hundreds of daily “moments f truth’’ with in

leading, ~ ~ a ~ g ,d doing roles.effect”-every action of a

the mmager-leader whois ~ m s f o ~ n gn org

a. Coach (which, in turn, requires ~ o ~ s i ~ e r a t i

b. Change gent (whichequires ~ o ~ u n

c. CoElaborator (which equires ~reativity,

~ o ~ i t ~ e n t )

~ a g i ~ gusiness p r ~ce sses.This role consistsof

anaging c o ~ t m e n to the defined waysof doing things

~hallenging usine§§ processes hat do not supportthe delivelutions to satisfied customers

ma~ing ~nancials~ni t ia t in~equired improve~entso achieve business esults

There is an ac~owl edgedaradox that reengineebut once major new processes are operation^, theycludes i~pl e~en ting cont inuo~ s i~pr ove~e nt§ndof the business.

Eoyees pr ocesses. This role ensures that thefive

manage~ent rocesses, described later, re e ~~ c t i v e l yxecut



S role consists of ~ e ~ o ~ i n ~ecific tasks, alone or

d to as “employees leaders” and “process

their time andhe focus of their



anager-leaders that do not it in the above ategories.rnore effective in the next six months with a different

aders enable them to accorn lish their rnission of trans-xhibit 1.12 shows how the roles contribute

to the t ~ e n t yehaviors of a ~ y n a ~ c c ~ l t u ~ e~t l inedarlier.

Win"I 1.Focusingn w i n n i n ~~re a t i ~gestustomeralue H H H H M

1 2. ~ u t t i n gustomer ~ s ~ c o m p ~ yecondh it third H H H M

I Execute"

I 9. Welcoming the truth M H L L1 10.zing on change H H M L

1 14.eling a worldlifealance L H L MI Team

15.alkinghealk on respect,ntegrity,eamwork,nd H H H Mexcellence (the 'RITE9values)

17.Sharing and everagingnowledge M H H M M1 18. Acting unburdened by boundaries M H H L M

1 19.E~poweringndividu~s andeams H H H L

20.nergeticallyuildingross-functional/globaleamwork H H H ' H M



)~mployeesrocesses merit more explanation becausef theirare processes, there are consistent steps thatconstitute the best

esses, therefore, involves ensuring that the stepsre

the goalof the resulting acronymof whichR ’ than those who striveo make it Better.

~ ~ l ~ n ~ ee s o ~ r ~ ~ s .his process consists of

* Inco~orating lanning for the right level of resources directly into the business

0 Making sure the approp~ate taffing solut io~~roce sss used, based on the work

* ~ n d e r s t ~ d i n ghen to staff nte~allynd when to se external resources andol-

* Recruiting and hiring employees using~ll-basedriteria and reflecting on thei-

0 Ensuring the optimum balancef employment options, bothull and part time, and

processes.

that needs to e performed.

lowing the appropriate policies and processes when doingo.

versity in the marketplace.

respecting diverse needs.

\ \



ø sing employee development processeshe way they are intended.

from the business and doing both with sensitivity andood judgment.siness needs to add to stafEng levels and to release employees

i s io~~ss io~~a lues /ob jec t ivesf employees with the objectivesf

loyees to their ew work environment,

reating an environment that accommodates each individual’s diverse needs andesires so that they are engaged and energized.

nvolvement issues with em-

the unit as a whole.he necessary complement f skills to serve

uppo~ing nd fost e~nghe ~ndividualSkills Plans (ISPs) of unit members.

A s s i ~ ~ n gevelopmental activitieso employees that align with these skills plans.

odeling theway by visibly using theSkills tools and enhancing personal skills.

ssessing p e ~ o ~ a n c egainst the plannedc o ~ ~ e n t s ,ith the helpof feed-ack from others.

n su~ngerformance is rated equitably nd fairly within and among related units.

ompen~ating em~loyeesairly and equitably by establishing their correctob lev-

unicating and ~ p l ~ n i n ghe total et of compensation programs, in an open

electing a p p r o ~~ a t eewards and t ~ l o ~ n gecog~tiono the stated preferences

o~icitingnput from the unit colleagues on who should be recognized,nd how.

advanta~ef the full range of formal awards offeredy the organizations.

special attention o the simplest, most valued, and most underestimatedf

els and followinghe compensation guidelines.

responsive ~a nner .

of employees.

all recognitions-a sincere “thankyou.”

ager-leader is defined as “a person whose job includes accountability formanage~entf employee processes andlor business processes” to achieve

business results, This accountability is norm~lyccompanied with a shared responsibility



l attain~ent f the b ~ s i n ~ s sesults,

oyees in ~ ~ n yases.



managers need to e network-savvy practitioners notob hol

sense.

elationships built on trust are vital.

The f ~ a g ~ e n t a ~ i o nf the t ~ a ~ i t i o n a la n a ~ e ~ e n tob among several

mental to he new c o n s ~ c t , E x ~ p l e sf specialized mana

~ e s o ~ r c e c o o r ~ i n a t o ~his person s often not amanhas the responsibility to deploy employees with valu

~ ~ ~ j e c t / ~ r o p o s a l l e a ~ e ~ / ~ a n a g e ~his person ovwork. Employees moverom project to project, so

during the course of the year. Some are knowledgand others are not, depending on thea ~ r ef the p

someone who s steeped in their discipline, canknow what associations o join, and so on. InS

Elsewhere, it’s less formal. This role builds the

Proce~ses’~ole.

~ e ~ s o n a l ~ e v e l o p ~ e n tana age^ An individual who ove~seeswith employment, transfers, assessment and evaluation, introucation, handling increases, ando on. They ensure that all five

This phenomenon of splitting managementthey move to a virtual, project-based onstruct,S

ome Team Leaders (TLs) and their teams havein which they share or assume many manatrue when the TL‘s business and technical

ay-to-day basis and the manager-leade~sspan of supponew and working with a teamhat is in its early stage o

ager-leader may need to be more involved. This spectrc m be seen in Exhibit 1.14.

Exhibit 1.l5 shows how the fr a~ me nt ed ma na ~cific to Team” statement under the TL role in the chof defining a one-size-fits-all role for TLs throderfully diverse set of team implementations tbl~eprints.The team leader might be the ‘



ties

HIGH

0 l 2 3

does the task, doesthe task, team does team doeswithout with the task, the task,team leader/ team leader/ with Manager- without ~anager -team input team input LRader input Leader input

~age r-Leader Team leader/ Team leader/

described in this chapter.

to ensure that new processes areith ~ a n a ~ ~ r - l e a ~ e r so acco~plishainaccountabilityfor the ~rocesses

n n i n ~f any job is the personal~aits/att~butesf the



issio~values/objectives* U ~ d e ~ s t ~ ~ob linkages-busin~sslpersonal

* Establish specific objectives

I ~ ~ t ~ r ~ n e60-degree input sources,~ e c h ~ i c s

* Gather ~ e ~ f o ~ ~ c eata-~60-de~re~nput* ~ e t e ~ i n everall evaluation

* Adclress c o ~ ~ t ~ e ~ tssues/oppo~unities

* ~ ~ t e ~ i n e~ ~ ~ o ~ ~ i ~ ~ ec ~ o w l e d ~ ~ e n t* Deliver ac~ no~ led gme nt ~ng oi ng

dGR EE RC L

1

FRT

RoleLegend:MGR = ~o~le-Holding~ a g e r RC =Resource Coor~nator A =Accoun~bleensuret is done;EE = mployee PT L = roposal Team has a u t h o ~ ~o delegate t)

TL = TeamLeader PRTL = Project Team Leader R =Responsible (does it)



emonstrate the courage of your convictions.

trive to grow and improve.

e the initiative and leadhe way.

alance personal needs.

onsider them as “gatingfactor^^^^

anies look for the desired raits W

them by the time they oin or~anizationssome blend of rehiring n~turercelebrated, and valued in aei~orcing ultural environment.

attributes are important, ow can they be developed and improved?o answer1.16compares ways n how both skills andaits/attributesmight be improved.

should hasten o acknowle~ge hat ways to improve both skills and traits/attrib-utes are very similar. ~ e l e c t i o ~s i m p o ~ a ~ to both. F u n d ~ e ~ t ~ lo both is some formof~ n ~ i ~ s e ~ ~ e e ~ ~ ~ c ~nd i n t e r p e r s o n ~ l ~ ~ i ~ ~ ~ c e . ~ ~ p e r i e n c es ~ e r h a ~ she major contribu-tor in both ena as, given high-~uality eedback and a limate that motivates oneo ch

improve. The personal desire to chan e and continuously m~rove neself is essefor lasting learning to occur.



Skills Selecting, tr ~n in g,mentoring,oaching,eading,tudying,racticing,pplying the, ersonali~ed eedback from assessment tools

T r ~ t s / ~ t ~ b u t e selecting employees with the desired raits; receiving 360-degree nput; reflecting on~ ~ ~ ~ ~ n ~ e snd thers’ eing oached nd/ormentored by rolemodels;being r e ~ ~ ~ e dor disp traits; receivinghonest eedback nd oachingwhenthe desired traits are not exhibited;ersonali~ed eedback from assessment tools



-~acilitateorganization change

uild shared c o ~ t m e n t

*

~ o m~ u n ica t i o n -p resen t a t i o n-Com~unica~ions-written

* Leaders~pno t key because it is coveredby the other key skills)

* Create client-driven vision

- C o ~ ~ a n y v i s i o ~ ~ s s i o ~ s t r a t e g y

evelopc o m o n go~s~ategies/plan

* Apply business conduct ~uidelines

3

2

3

3

3

3

3

3

3

3

3

1

3

* Encourage a l e~ningrganization

* ~ l i ~ n a t e~iers/inhibiters

* Coaching

* g go ti at ion

* ~nte~ersonalommunication

* Fac~litatemeetings

* Risk awar enes s/t~ i~g

3

3

3

3

3

3

3

3

3

3

3

* Understa~d lobal ope~a~ions

siness initiatives

* Apply basic financial concepts

* ~rgani~dtio~businessssessment



* ~ p l e m e n t R processes

* Recruit employees

* Release employees from the business

~ ~ i n v o l v e / ~ ~ ~ a g employees”)

* Delegate tasks/responsibi~ties

( “ e ~ ~ h a s i z end oster skills development”)

* Use skills dev~lopment rocess

* Give career advice

( ~ ‘ ~ ~ a ~ ee ~ o r m ~ c ef employees”)

(“ackno~ledgemployeecon~bu t i ons” )

3

3

3

3

4

3

3

3

3

3

3

- nalyze problems/situations

-Client relationships

-~uality/proble~revention

--Apply project ~a n a ~ em e ntractices* Internal support ools

shows e~ ec ~ t iv es ’obs with a wider bers. The skill tem~latesor ~ r s t - l i ~ ean

r, the~xecutives’ki1

The e x ~ e ~ t e ~evel o f ~ r o ~ c i e n c yor an exec~tives hi

ecutives are moreencom~assin



e proficiency levels are as follows:

oficiency: No skill.

Expe~ence: None.

vel l:

oficiency:imitedkill.

xperience:one.

vel 2:

~roficiency: Limited ability to perform. Has general, conceptual knowledge only.

Expe~ence: Very limited.

Level 3:

~roficiency performwithssistance.Has pplied nowledge.

Expe~ence: performedwithassistanceonmultipleoccasions.Hasperformed n outinesituations

vel 4:

oficiency: Can perform without assistance. Has in-depth knowledge. Can lead or direct others in performing.

Expe~ence: Repeated,uccessful.

Level S:oficiency: Can give expert advice and lead others to perform. Is sought by others for consultation and

leadership. Has comprehensive knowledge with abilityo make sound judgments.

Expe~ience: Extensive, co~prehensive.

er scope implied in the skills for executives than for first-line man-ers because of the larger size of the organizations and business results

for which they are accountable.

manager-leaders be involved inconflict resolution?ecause conflict in any endeavor that requires he interaction of two or more disci-

or, for that ~ a t t e r ,ninds is inevitable. As the complexity of security increases, theood of differences in opinion and approach increasess a function of the numberof

d the ~ o u n tf time requiredby the employees in their involvementor after i~plementation f projects. Nomally, these conflicts arise during imple-ion becauseof people’s natural resistance to change, scheduling pressures,r initial

at should the IS manager-leaders look for in conflict resolution strategies? Theulty of the system o support existing reporting riteria or func~onality.

rs this impo~ant uestion.



com~onentsn e n ~ ~ r i no ~ u c t i v ~ e m ~ l o ~ e e su

t in c o ~ ~ i c t~solution ill set



critical step in buildingconflict resolution strategies s a formal declaration to themembers of the probability of conflictanisms being establishedto c

amountsto ‘6flushin

sibilit of hidden agendas or tokethat conflict is inevitableon, the employees involv

or concern to remain buried, which often allowsi~lcultieso fement and blow out of pro-

conflict resolutioncomplete issue res

. discussion of the qu~it y-o~e nte d bene~tsf conflict resolution.

tions the team as a whole can

mdce individual contributionsolution.

an organized procedures designed and wille implemented in r-der to allow ll te rn members to achieve their personal nd cu~ulative oals.

stablish the attitude and approach that both the ehen, present he structured plan or enactmentguidelines to be followed durin

To validate the mpo~ancef the resolution tasks, e plan should be presented at thebeginning of the project as a formal, written s tr uc~r e. ople n o ~ a l l yperate comf o~-

round rules are clearly defined and und ood by all players at the outset.elines, the misconception of different s t and~dsor different peo-all team members o c o ~ o ~ a b l eom~unication round withult task and is depe ent on the quality and integ~ty f leader-perience has always indicated thatip service is usually the case.

can be repercussions, whichs the main reason why onflictn theory but improbable in practicend why it fails to secure

n the verbal co~ponent f the conflict plan, he team leader should pay special t-to the use of “”I” statements asa positive toolfor c l ~ ~ c a t i o nf the conceptof or-

nized,structured conflict resolution.onflict is always ntegr d with emotion~ity,en if it is couched in totally professional, business-directedernfeel,’, or “”Im confident that our approach to resolutions will

the desired results.

ng a personal emotion^ co~ect ion.

mation (e.g., twelveor more p~ ic ipants ),t is more bene~cialor than to have the project team leader assume theuties of logging,

~ o n i t o ~ n g ,ndocumentingach issue thatrises.m leader is theppro-priatendividualoresenthe issue resolutiontrucordinatorhouldhen

n the mec~anics nd steps being usedo ensure complete reso~ution. he ideal issuenatorhould be a teammemberwith ighomp d credibilitywith the

other teamme~bers .



ted that may have a

~ i n a t o ~ ’ st t ~ n t i o ~ ,



ssive silence should e employeto the viewpoint and inp

’r nter~ptinghould be allowed, so thato state their viewpointop

d by each person shoestions should elp t

to elicit and e x a ~ nis to avoid presen

other person’s perspeution of the u~der lyi

L ehould be employedecreserved moreby what is

ponse body language means usingpen.,r

mework. The questions to beconflict disc~ssion re as follows:

e relative importance f the issue to each dissentia discussion to a successful conclusiono

odated by the other party.this may be the solution

e conflictor he i~sue-causing racticof this p~t icula ropic)?It

find the solution than toi

hat would be affected by a change in each relative e p a ~mof people involved has been resolved,he dems, or tech~iqueshat would be

at is the view from the top?This should be a “best guess” relativeothat ay be pr~sented y ma~agementoncerning thessue at han

e ~echanismshat

t e ~ i n e dhat the considerations-approximately the same numbe

lowing question should be asked:point and concernr o maintain cooperationWI

ordepart~e~t(s)?

rcise of examinationdiscussion,whenfocused CO

ly by facilitating system ntepractices, raising the levels of c

creasi~ghe levelof co ~p an yoyalty and employee o ~ t m e n t .



bear in mind that thiss a review for the auditor. Depending on he nature of

the resolution processmay require far more sophisticated procedures such asnflict resolution can be addressed. In such a case, it becomes the audi-to comunicate the existence of such tension in he workplace. In all

g how conflicts are managed and resolved adds value tohe client’s man-

anies need IS manager-leaders. They need IS manager-leaders who areo m ~ ~ e do their transformationo a dynamic ulture and who inspire that

ent in others. They need IS manager-leaders who coZZ~~o~ateith their globalthey pursue their customers’ long-term loyalty and the attainment of their

siness results. They needS manager-leaders who understand he big picture,ithin it, continuously improve their skills, and coach and mentor others’need dynamicIS manager-leaders who know how and when to ead, man-d are role models or a dynamic company’s core values. Dynamic IS man-

er-leaders enable dynamicorga~zations! ee Exhibit l 19for a sumary of the IS man-



l



fine the security policies, practices, nd procedur~sducts to support these policies and practices, it is

evaluate, select, and i ~ p l e ~ e n troduct s ~ c ~ ~ tative procedures and or appropriate controls in applicationyst~ms.

ation was processe

ired technical ex-

crooks. In spite of this, ~ h y s i c ~ ~~curity ontinuedy ~ u ~ d st the front door.

hich in retrospect paid



s ~ o ~ l ~nclude:



escription of the controlled accessed areas within the p r e ~ s e s 9trolle~ccess areas are,md what they contain.

denti~cation f risks (~reats )nd c o nc e ~bout their likelihood f

ontrols to guard again$t ese risks and the costs associated if measurable.

sks that are being toleratednd accepted and he risk analysis.

e physic^ security plan with ts accompanying ~ocumentations a sensi

that contains de ta il ~d in fo r~ at io ~bout the com pa~ y9s ri s~c on~ ol mea s~r eshas to be in a neatly ompar~entalizedorm so that youdo not have to btai

owever,npracticeaynot be the case,andce the computerm

f u l in the cornan ' S risk analysis when l ~ ~ i ~ gor its disaster rcon~actsor disaster re cove^ services annd expe ~ence conce ~inghe pitfalls that

the i ~ ~ o r t a n c ef judgment in reviewhasized. This is because the issuesractice~, nd protections~are ifferent for practically eifferent from or mization to organization because the ri

e~uently9lways remember to be astuyour risk assum~tions hen evaluatin

any theoretical model. No amount of theoretical owle edge is a substitute for real-worldexperience that corn keeping your eyes and ears open and mostly

~ n ~ ,lbeit skepti r the inexperience^, bear inmind that audithe information to be obtaine the course of your workr judgment about risks andm before jumping to any

conclusions.

Are the i~ormation ssets protectedfo~ i tous lyr by design? The physical secu~tylanshould contain the measures taken to rotect the in fo~a t ionssets.

us eth hods of protectin and restricting access tonfoze the risks of loss. The main methodsof restricti

eter controls such asenced b u i l ~ i n ~ites,

identi~ed,isks explored, and the methodf secu~nghem implemented.he perimeter of the facilities

nce the corn uter facilities are p d from u~authorized ccess9 ubse~uent ~easures

essential ' erontrolsntoreas~ i ~ e r e n t o need-to-haveasof protection given to thesec o n ~ o l l e ~ccess areascan ange fromfull protection and close

,e,, tightly secured areas) toi ~ t e drotection (i.e.,loose~y seally, companies have dividednternal spaces into two or three

have established standards that dictate the kind of e a~ordedo eachnated controlled areas. For example



rs must have an alarmystem,

owner or equivalent level executive.

imum, this ns~ection ho

ness requirements or access to

access these areas.

one 2 areas are located within

from the outsideat all times,

st be restricted to only thoseu



Access is controlled to limit entry to persoprocedures vary, depending on the levelfall cases, only persons on the approvedFor Zone 1 and Zoneareas, persons ll

son are considered to have one-time authorized access.

Persons with authorized access to a controlled access area must haveness requirementor access. The owner is expectedconstitutes a business requirementntion was made.The Zone 1 area ownmining valid business requirements or access to the Zone 1 area anaccess based on theseriteria. Individuals who have outine access toand who do not meethe documented c

Access authorization must e reviewed as follows:

*For Zone1area the access ist is to be verified and signedby the class owner t least every six months. Persons withremoved from the accessist on a timely basis.

However, persons whimplicitly through e ~ n a t i o nf emplist on a timely basis.

0 For Zone 2 area the re

e :he definition of t i ~ e Z ys subject o int~rpretation, ut n

fic standard it will generally be defined as “at the earliest

forded by management control processes.”Emergency exits for Zone 1area must hFor both safety and security reasons, the alarms must operaten eand alarm events must initiate investigative action. Periodgency exit alarms are functioning shoulde p e ~ o ~ e dndarea owner must nsure that there s an annual review f all em

For Zone1 area an accurate, currentoflects the visitor name,ime of entry,purpose of the log is to provide a historical recordf access and s

trol tool. Therefore,here shouldbIf a badge exchange processs used,the control over the ssuing, retrievnonroutine access o Zone 1 area must be retained for the current

Proper operation f the Computer Accessresponsibility of the CAS service provider.area owners (e.g., malfunctioning dcurity or the CAS service provider ~ e d i a t e l y .

To ensure that system integritys effective and to avoid compromicontrols provided in the system, the installation must assume resmation processing resources that are housed within the computer

These physical access controlequire men^ are app~cableo theand midrange environments. The m ~ ~ ~ environment includes



aster consoles (i.e,,~ t e r a c ~ v eevwithout havin~ iclen~~cationnd

s include the ollow in^:

onnectio~media, suchas wiring, ~beroptics nd wirelessco~nections

r i ~ ~ e r a l ~ e v i c ~ snclude:

nnection for p ~ n t ~ r snd plotters

er ~ ~ ~ e ~ ~ c es usedservices on behalf of

e and value f the service provi~



er

I T e l e ~ ~ o n eines x I



t



Systems that are essenti~lo supportingvital business process

All network c o ~ u n i c a ~ i o nontrolunits regardlessof system servicebeing supported

All n e ~ o ~ k c o ~ ~ ~ n i c a t i o n

control its

VPe B

Typec

Highonerea 1 orn anofficeoom that

is lockedwhen unattended

Highonerea l rn an office roomhati s locked when unattended

Highonerea 1orn an officeoomhatis lockedwhen unattended

Mediumonerea 2Lowonerea 3

ecision has tobe made on whether to lement protective measures or as-sume the risk with the associatedxpos~ e . order to demons~ateical access control process, managers responsibleor computing faciltain the follow in^ minimum documentation:

ntification of the area, its use, the levelof i n f o~a t i onuppoequipmen~se~ice,nd the level of control required.

The means of communicatin evel of i n f o ~ a t i Q n s u p ~ o ~ eprovisions and equire~ents

~ ~ ~ ~ t e :he information sy s t e ~snvironment is continuallyerefore, risk analysis should becQmen on~oing rocess that s

cted and reevaluated on a periodic basis tonsure that thecost assQciated withim~lementations ac~evin ghe projected benefits o

timate decision f what risko accept and what riskoement, risk analysis requires a total team effort.in~ividuals ho can help to evaluatehe risk.

ons within the precedinto review the site’s process

and d e t e ~ n ef addichanges to these ~uestionswe required o ade

temal systems range from lof ~ersonal com~uters.

ronments, the in fo ~ati on se cu~tyrocess must be implemented to

rocesses have been



on assetsorequipment est

efer to the secu~ty olicy for detailsvolvement with this document.

i n t e ~ a lrrestri~terequires approp~at

i ~ ~ t i o n sre revalidated on e

st:

tected by sec~redpace.



r inclusion in your ~ ~ l e :

a sample or c ~ e n tccess au~or i zess list v e ~ ~ c a t i o n ~ e r f o ~ e dy

sure that valid ~ s i ~ e s se~uirementor accessct h o ~ ~ a t i o ns reviewed in accordance with

ments. For n o n - ~ ~ ~ c o n t r o

stems are considered

If volume is suf~cient, o m ~ ~ t ~ rhoc mode to verify

sure that all e n ~ ~ c e snd exits are s ~ c ~ r

access levelmech~ism,



hese con ~o lsre not applicableo individual§con troll in^ their owneir ~croproces§orince the c~stodialelationship does not exist.

neffective con~olsver po ~a bl et0 e media could result inoss of oruncess to stored data.

rocedures that allow tape removal without ownerp

, edia placed incust§~ountedor bu§iness , ontains in fo~a t ion

for records retention,orc o n t ~ n

le stor~ge edia may not be removedfrom the control offrom the owner of the data. The desi~nationf data asdication that the owner has approved its being mov

tional sched~le.



dia av~labili tyn case recovery

trol process applied to media placed und

ackups are prerequisite for any compute^

ackup tapes is extremely vulnerable sincechecks and balances and protection to preventnauAfter the nfo~ations written on a backupape, itical possession of the tape. For this reason,ac~up

uters t ~ e ~ s e l ~ e s .guidelines for backup ~rotection re:

ackups should not beeft unattended in a comp

ntmst backups to only bona ide and bonded m

nsure backup apes are sanitized be€ore

ackups shouldbe stored at an OR-site stora~e

rified to nsure that they contain valithat a sample f backup tapes be checkedt least once a ~ o n t ho en

The data storedon the backup tapes shouldyou encrypt the backup of file systemou~ f o ~ a t i Q ntored on he backup willbe us

media separation s not possible, thenentory Control process desc~bedn

e movement of media to and roaccounted for by means of trans mitt^ records orequivalentmedia mustbe ad~n ist eredn away that prevents unauthoridard label processing, controlled usef bypass labelprocess~ng

ustodians of storage media are responsibleor implemand p e ~ o ~ i n ~n accurate inventory reconciliation f tbrary at leastbiannu~ly . he custodial m e ~ i aibrarianprocess with at least one person not directly ireconciliation must be able toemon st rat^ the

inventQry (prior nd in^ inventory)



ortof the custodial mediai-

ion and suppo~ ing doc u~e ~tati one) mast be re t~nedor a

ation is rocessable in fo ~a ti on re m~ ni ngrom prior use (e.g., deletedesidual con~dential ata must be made ~ ~ e a d a b l e

oftenc o n t ~ ~e ~ o ~red i n f o ~ a ~ o nith approp~ate ontrol se uences.A s a re-

sensitive ~ o ~ ~ t i o ~s ~ e ~ u ~ ~ t l ~opied into such localbeing aware of it andonse~uen~yot ~ r o ~ ~ n gt.

ation faster than p~nte rsan p ~ n tt, printers are

ing when he printer isrs, and fax machines

ta on the tapes have beeno~pletelyrased.es o v e r w ~ t ~ n ~he enti

lated for that p ~ i c u ~ a risk drive’s modelum -



r a n ~ o m ~ m ~ e r s .,he tape canbe deg



W what they are doing.nfov~rsions f operating syste

in ~astepaper askets

ia inclu~ing inve~tory

ressable i n f o ~ a t i o n r e m ~ n i ~

the po~a bletorage messes all po~abletorage media h

t u ~ i n ~ ~torage, and~ e s t ~ c t i o n .

ntrols to ensure that bypass labfrom un au th o~ ~e dse. ~ ~ p l ee

ia ~ansactionso ensure that prview the ~ ~ e c t i v e ~ e s sf

tape remo~alprocedurprocesses, and procedures or mposalornonpropriet~se,



ed a classification or labeled to iden-controls ensure accountabilityor the

and that nvento~ecords c o m p ~ eo phys-

rtable storage media ibr

these invento~es, electach inventory entry,e

so , select a sample of portablecorrectly on the in ve nt o~ecor

tively to prevent unauthorized access toa is kept (e.g., he taptrol re~uirements e.

classi~ed ata is st0

ti~cationf r e ~ u ~ e d .

and reconciled to the previous invento~tliations have beenpe~ormed ith appro

liation records maintained (for libraries containing data

, n inve nto ~f all p ~ r t ~ b l ~ediafy that ~ v e n t o ~on~olsxist.

rized copying, damage,dest~ction, rby the fo ll owi ~~ :

in a locked facility.



rasing obsolete data.

or securely disp os in~ f console lo

You have now secured thephysic^ access to theco~put ingacilities.

hat are theessential services required for the computers tob

ow will you provide these e s s e n ti ~ervices?

ow will you m a i n t ~ nhese essential services?

ow will ~ o uoni it or ~ e ~ es $ e n t i ~ervices?

levels?

out a doubt, the essential services are

puters require care and p on it or in^ like all complicated devicessical a d n~iron~ental c~ndi t ionso operate at opti

fail in une xp ec te~ nd often undesy cont in~eo operate,albeit e~at ic a l ly , pain ~l ly pro~ ucig valuable data. (For more i n f o ~ a t i o nbout essential

xhibit 2.5 for more in fo r~ at io n bout risks

The power supply can be blown out. at protection do you have?ven i f the power surge doesn't destroy then f o ~ a t i o nn your

'on inaccessible until the computer system s repai



I Cabling X X X

I Telephone x x IPeople X X x x

ower surges fatally shorting out the

utside and nside saboteursndalism

Electrical noise is usually generatecan also come from fans and evenations in the power supply. For exaelectrical outlet as a ~orkstation

tion’s power supplyoreven causi

by other factors.No matter whdent in. co~puterystems. Vibout of their edge connectorscan come out f align.ment

The control requirem

There should be no

d installed or e



etective re~e~tive orrective

Fire A l m s Emergencyroceduresire extin~uishers

Smokeetectorirerills

~aintenance CO2

Water, dry-pipe

Halon

Sprinkler heads

Disaster recovery plans

Ins~ance

~ ~ r i ~ g

~ i r i n ~rays,eilingsmokeetectorsulesndegulationsprinklereads

Rulesndegulationsleaning

~ ~ n t e n a n c e

Maintenance Vacuum cleaning

A l m s

Mainten~ce

Dust covers

~ a i n t e n a ~ c e Vacuum cleaning

Circuitoardracematicrcarrying voltage and atracearryingroundateretectors

I Insurance 1

hould be kept at least five feetrom the largeco~puters,ables,~ a n s ~ t t e r such as cellular te~ephon~s, ~ ~ e - t a l ~ e s ,nd

nic devices cm causecomputers omctionwhen heyarel ~ a n s ~ i ~ e r san cause ~ e ~ a n e n t

c ~ a r ~ e sn some sealedire extin



rotecting the physic^ access to the telephonecomputer to which the telephone line and its mode^lines include:

c t ~ h y s i c a lccess o the t e l e ~ h

secure. All junction boxes shouldd in an electrical conduit, pull1 areas.~ ~ t ~ d e r sho gain p

spoof in^, as thisis called, thefurther compro~sehe comp

all the pe~inentnonly to he system

the users are connected cane com~ro~ised .

b he t ~ l e ~ h o n eine s ~ o u l ~ot al

telephone can be r o g r a ~ e doi n c o ~ n ~elephone calls to an0ber that has beenr o g r ~ e ding their u se~ames nd passtheir calls to your modem line.

Use lease^ line w ~ e ~ e s e c ~ ~ i ~

vided by the phone company.or receive calls. As such, it alldoes not allow~ y o n eo dialmore expensiv~han egular licost justified, Leased lines also provide fa~ a n s ~ e rata much faster than

e control e~uirements or water are:

e mounte~ n all floors i

well as on those adjacento the area,

and also abovet.ter detectors shoulde ~ou ntedndern

o a l a r ~ s ,ocated atshould sound an alarm; the secondl m houl



be in the basements f buildings inar-

revents this buildup. Computer rooms should notthe discharge f which destroys nfo~at ionnd

hich in many cases t does. Conversely, the com-is causes condensation n the com~~te r ’ s c i r cu i~ ,short causes too much current toe pulle ~hrough

ibly melts it. Shorts ama~ehe electrical circuitsling too much current throu

ative h u ~ d i t yf the computer room should be be-t, which depends on theb i e n toom tempera~re.

ty a l m hat should ring when theu ~ d i t ys out

r the air-conditionin

reventative m~ntenance.

he c o n ~ o l r e q ~ ~ e m e ~ t s

irements for re-e~tinguishing e ~ u i ~ m e n tre:

to ~u mansut does not cause environmental degra-



though disks, tapes, and~ntoutshat aren the opat the comp~ter’s ower be automatic~~yhut o

r-based sprinkler system. t keeps water

, nd t is safer from disa§t~r§ t e ~ n

Q O ~ ~ Yf the computer room.

rol re~uirementsor smoke dama

eads need to be positiQned n theabove the suspended



er e ~ u i ~ ~ e n tut also rele

o a good conductor f

ust cov~rshould be used wherever~ o s s i ~ l e ,

ient temperat~eround the'S i n t e ~ a looling s y s t e ~s ~ n a ~ l e

Conversely, if the t e~~ e ra tu r een it is turned on, causi

ters operate optimal l~rom 10" to 3ways be referred tofor ideal t e ~ ~ e r a



e r a ~ r eontrol are:

t can be connectedn u ~ b e r so advise

S, ~~ntinuouslyo ~ i t o rnd record the c o ~ ~ u t e r0 0 ~ ’ s

rvices ~ersonnelo obtain in for~at ionn. environ~en-viron~en.ta1ontrols and the f~nctio~snd ~rocedures

ce logs to verify that re ve ~t at iv e ~a in te n~ nc es t ~ n



.

I

.

.

*

.

.

.

(t

.

otor ~ e ~ e r a t o rverheat?



bo causes break-ins?

bo writes computer viruses?

ho steals passwords?h0 causesvandal is^^?

o can be no~orious r e a t s ?

Is it aliens from outer space?

tentional or nadve~ent ctions. The greatest threats areor e ~ h ~ u ~ e sut from men and women, s fraud indic

The level of physical access privileges granted is based on. the clpeople need to be grouped into di~erent sses com~ensuratewhich is based on their need to h o w or on scretionary access c

access control as “a ~ e ~ n sf restricting access to objects basejects and/or groups to which theybelong. The controlsa subject with a certain access p e ~ i s s i o ns capable of passin

e f e ~ s ~ ~ r u s t e ~ ~ o ~ ~ ~ t e r S y s t ~ ~ ~ v a l

ne techni~ueor increasin~ ccountability in security ad~in ist rations to dis-tribute security-rela d respon.sibi1ities a ~0 n . g ifferen

fficer is responsible for overall S

for the physical security and the

implementation of the logical controls. ond duct controlm ~ a ~ e m e n tesponsible for the computin~ n v i r o n ~ ~

, ata~ase dministration);processes and the physic

The security policy must ensure that mana ment awarenessof all physical aceco~putingacilities, i n t e ~ a lystems, and ta can be demonstrated and that



Various classesof m~agementositions.

monitors auditing policy.

e secure password system.hich users and events are audited.

privileges on public iles.

user accounts.ems for sensitive security programs.

0 Impl~l~entsudit in^ procedures.Inspects and analy~es udit logs.

* ~ ~ ~ n i s t e r sroup and user accounts.0 Repairs d ~ a g e dser files and volumes.

* Sets sys~emonfiguration p~ameters.Updates system software.

Collects various system statistics.

0 ~ e r i o d i ~ ~ l ycans file permissions.Dealswith invalidsuperuser ttempts and invalid network requests.

0 Installssecurity-relev~toftware.erforms routine ~a in tenanceuch as backups.

Installssystem upgrades.Pedoms dump analysis.

* Writes pro~~amshat conform to security criteria.

* Uses the computer resources.

sed when there is no longer a b~siness justi~catione.g., at

ent) in a timely manner.has to be current. At a ~ n i m u m ,here must be an annualrivileges anda quarterly process to assist in he removaligned to employees who have separated or retired. All

must be identi~ableo an i n~ iv id~a le.g., a ~a nag e r ay haveee physical access privileges). Physical access controlspancies, and the security standards sho~ldtipulate the



I OperatorTasks

I

y with which owning mana ers should review the nonregular employ

ld ensure that effective

eir in fo ~a ti onecurity respons

used in a~osition here systemcontrols cres for completeness?as s i~nme~ tf resp

vider of Service senior executive approval shoulde de

.,who a u t h o ~ ~ ~ sccess toa user to the CO

ow resources are identi~ede.g., who ownsa dataset, minidisk,or sub

ow users are“ ~ a p p e ~ ’o resources (e.g., who u t h o ~ ~ e ssers to or

1and unsuccessful) that

controls have they eter~nedre re~uired).

ures shouldade~uately ddress control points specific ocess to the computin~acilities and resources.



ctive physical access privile. ' t

le to an owner.

eview documentatio~

vent ~ n a u t h o ~ z e ~hprocedures ~escribin

at here^ orobtaine~.

cedures exist o ensure that only utho~zecilities, that s, the ph~sical sec~ri ty

view proce~ures utlinin access to the controll~d

physical se cu~tylan ( ,, o ~ p ~ t e racilities, croom, tape library9orms storage area9

iscussions with them a n a ~ e ~ e n tf the c o ~ p ~ ~ e renlowing environmental control hec~ist:

all entry points o the computer ~acilities ecur~ow are they secured (i.e., electronic access control

2. Are these e n t r ~ c e s m o ~ i t o r e ~y. a central s ~ s t e ~ ?



during power failure?

ter room maintained during shifts?

nauthorize~ ~ersonnel?

cility record vi ola tio ~ at te ~p ts?

d to reportllknown intentional and n-

eness of the access control system.

sical security measures have been~ i n eow to access these prlocks, and electronic control

of the ~h ysi calecurity pl

ative ~ r o c e d ~ e sor c

ys are issued and who can au th o ~ ze

the computer enter, ~ o c u ~ e n tn



g. Accounting for allsecurity keys,

h. Verifying that security keys haveo y been issued to autho~zed sers.

authorization is appropriate basedon their j

3. Select a sample of twenty-~ve ersons hav sec~ri ty eys and

. Select a sample of fifteen employee te~nations/resignations/transfersand verify

. Verify that the security system can place ime and day rest~ctions n specific ac-

e sec~rity ey return proced~reswere followed.

S cards and s able to logically deactivate access cards.

in and review the access log and verify:

aff movements in the building are recorded.

b. Violation attempts are recorded and investi

rocedures exist to ensure that visitors’ accesso the computer centers con~olled.

S, maintenance personnel, cleaning crew, consultants, contractors, vendors, and others who have temporary accesso the computer acilities and its contents are, in nutshell,outsid~rs ho pose he same if not greater risk than those in the outside world because tare now inside the guarded territory and with e ~ s s i o n . valuate the risks of theft fromthese people with emp or^ access and d e t e ~ i n e hat detective and preventive controlsare available. At theery least, no one fromhe outside should e allowed u ~ e s t ~ c t ~ dhys-ical access to the computer and networkquipme~t.

btain and review visitor sign-in procedures.

discussions with the managementf the physical security, complete doc-ument and assesshe adequacyof

a. Visitor sign-in and escort procedures

rocedures for maintenance personnel

3. Selecta sample of twenty-five visitors over wo-week period and verify that sign-

in procedures were followed.

escorts required o accomp~yisitors around he computer center?

t visitors wait in an outside lobbyor their escort to arrive?

isitors have to present anyI to pick up their temporary ardkeys?

d. Are visitors required o sign in?

e. Are visitors required to signout?

visitors treated he sameas ordinary visitors with respect to:

g. Are visitors res~ictedrom the p r e ~ s e sfter n o ~ a lorkin

h. Are repair or maintenance personnel employed y ~u~pl i e r se ~ i t t e ~ntry tocritical areas onlyafter proper identi~cation?



c o m ~ ~ t e rs a valuable ~ o ~ ~ o d i t ~nd yety for a thief to steal it or steal from it the

i s h or, ~ o r s etill, the sys te~’s



own accounts* forwarding e-mail; c h a ~ ~ i nise r e ~ o v i n g ccess1s quite sudden and dr ~m at ic . omeone may show

a security guard waiti with a box contain-

ready been deleted,ser’s office phone number is no longeron in ~n anc ialervice indus-



ses with a low-cost,gh-pe~ormanceomputing0 clients, with secure connections to the n t e ~ e t .

*

Offers d e p ~ e n t snd small businesses a robustsolutio^ that isto i ~ p l e ~ e n t ,nd cm u~gradeo morethan~ u a d ~ p l ~e

del 73Q/74Q; n t e ~ r i s e - c l a s s p e ~ o ~ a n c en a a age able, a ~ o r ~ a ~ l eackage.

res eight-way or twelve-way processor confi urations ~ecifically

0 1’70servers designed or exceptional price and per-o wor~oads. he first servers n the industry builtust for

tuned for increasedprocespowerandmemory.

a variety of computin~ envi ro~ents, i~cludingesktopomino servers, and Java servers, can be a challen

1400provides a simple solutiono this complex task.~ ~ / 4 0 0reatly simplifiesPC uppo~y prov

ndows PCs. No special hardwareor software is reprint~rsimply show up in their Network Neighborhood. For

y tightly integrating hardware, sofiware, ~ d ~ l e ~ ~ e ,nd the operating system,/400 providesa co~bination f power,flexibility,and eas thatcanhelprun he

operations moothly.Thisdesignalsomakes it possible for tokeepabreastwith

create a more manageable informatione c ~ o l o infrastr~cture y consolidating

/~OOewith its seamless supp o~or

ogical p ~ i t i o n i n ~ets you run multiple indepence§§ors, memory, and is~s-within a single s y m ~ e t ~

server consolidation, business unit consolidation,ed clusters, as well asor suppo~in

otecting your businessro



not run on earlier

and to reduce the

. ll i~stances f these objects are stored

processor (which itself cane com~risedf twelve separate proces-written to any U 0 device. That re-

ar ~croprocessor edicated to that U 0 device.application progra~.storage access times.

ntinues with executing another ~plica~onro-econds( second). This designprovides thein the c o ~ e r c i a l ,ans sac ti on-based environ-computing, and one f the main characteristics

it is U 0 intensive rather than compute intensive.nefit of outstan~ing e ~ o ~ a n c en the business environment,

an elegant method f int~grating iverse environments nto a sin-

on a card9which enables

an A ~ / ~ O Ore unaware f underlying hardware characteristics be-so unaware of the ch~acter is tics f any storage devices on

concept of single-level storage means that the knowledgef thethe hardware storage evices-

e storage s auto~aticallyman-work withobjects (see the next section on object-basedp-

ss. No user intervention s ever

ss the number f bytes~,~099551,616.here-

1,616bytes, or 18.4 ~uintillion



bytes. To put this into morem e ~ i n g ~ lems, it is~mately trillion miles

e enables another exstence means that the

tem forever. An ordinary machine requirestern if the in fo~a t ions to be sharedor if i

objects is extremely impo~antor future supto continue to exist evenfter their creatorto exploit this characteristic of object permechanism that requires themo store theirall the attendant e ~ o ~ a n c emplications.

Logicalpartitioning is also for companieshatwanto unserverworkloads n a single Q system.Logicalpformance of an AS/4OQ system to be flexibly allocattems havea p r i ~ ~arti it ion with all resources initiaging econdary p ~ i t i o nprocessors, memory, andonly an initial progrput output processorsoperate ndependeL A N ~ A Nacilitimunications betw

14.00 is licensed oncefor the entire system bynumber of pa~itions. i

V4R4 must be installed onpartition.

As the per fo ~a nc e f an ent e~ ri selass server grthat p e ~ o ~ a n c eo run multiple workloads indepehas become o~onplacen the mainframe marketTypically, separate partitions are used or test releple business units orompan~es rom a single server.

TheAS/4QQ’smplementationis an adaptatiwith flexible and granular allocationf system resourc~s. heplementation introduces both the flexibilityo a1speed internal c o ~ u n i c a t i

Logical p ~ i t i o ~ n gstances or p ~ i t i o n seachmetric multiprocessingcan now be a ~ ~ e s s e dn a single machineo achisolidation, mixed production and test n v i r o ~ esystem values can be set ina difFerent primary or ec0



rogram must be restri

touthorizedersonnel. can also besedoerform

S an interactive screen-design tool that allowse, and maintain ~~l icat ioncreens and menus.

, umeric, a l p h ~ u m e ~ c )nd diutese.g.,olor, flash, nondisplensitiveelp.hese featuresbe used to limit application~rogram-dependent ata validation. Therefore,tion reviews it may be ne cess^ to e ~ a ~ n ecreen sourcemem~ers.

implications, arediscusse~nities listed ~reviously,many S

utilities, productivity aids, r~ningools, and other system S

uti~t ies r ~ a c ~ a g e sntroduce additio~alecurity co nc e~ s. U~ li tyrograms and pera tin^

system functions that aref interest to a~ditors re as follows:

at facilitates the creation and maintenance

to ~ ~ ~ ~ o r i z e de r s o n n e l .

s i m ~ l i ~ e satabase in~ui ry rocedures.llowssers to interac-tively specify criteria for the e~~action, summ~zat ion,nd resenta at ion of database



erating randomnum~ers

ty parameter for each user (

nter Function (APF)s a utility that allowsb.codes, creates ogos, and createsbar graphs.

trol impact,

Within the user profile, ann i t i ~ P r o g r ~ndlor an nitia

on to the system, thcan display a seriesment, or a controlmandatory menu.

This control f e a ~ r es

be inapprop~ateor manyA u ~ o ~ t ys designated as



e s



t a d to allof system



after images of changes,, ll entries stored in the o

abase so that it will be n the same state ast was, ll the transactions

isk space and o ~ a l seed to behe command to review the o u ~ ~eceivers on the system is

hen a single ans sac ti on updates multiple iles, there is a isk that dataO

should the s y s t e ~rash before all he files are updated.~ o ~ ~ t ~ e n tO

t e c ~ i ~ u e so record ata until the transactions compldata c o ~ p t i o ny e~suringhat the transaction s CO

atabase is updated pen-nanently.

ecksum protection uses an 1e data residin~ n several othe

use the redundant data to re const~cthe data tostore the entire system. This saves considerablever, use approximately1596 of ~ e m o ~o m ~ a g e .he cost of ch

time utilized and ddition~l isk storagespace,

S method of protection stores duplicatedata on separate disks. hould One of the disks, rocessing continues usinghe mirrored disk.The cost of this 1 el of protection s that

all write operations are d licated and av~labletorage is halved. This option is utilizedwhen it is critical for the system o be up and~ n n i n g . se of this option results in increasedperfon-nance for read operationssince there are two places to readnf o~a t i onrom.

7 disk units offer redundantma y of independent disks (uses data detection and correction echni~uesn such a m ~ n e rhat if one ofe con~gurationails, the system s able to reconst~cthe data and continuethe disk is repaired or replaced.

his operation s similar to checksum, but the performance impacts i

checksum) ~ o u g hardware fe a ~ r e sn the disk unit.

400, a evel of security can e chosen to meet customer’s needs.

inimal s e c ~ t y ~ ~ oasswords are used, an any user can p e r f o ~ny

asswords are used, but users can erf0n-n any function.



ste

1. Manual 3. Secure

2. Normal 4. Auto

Auto IPL

RemotePL

Power Switch Off)

Power Switch (On)

P W R D ~ N S ~ S

Run Dedicated Service

Yes

Yes

No

Yes

Yes

Yes

Yes

N O

Yes

S

NO

Yes

Yes

No

NO

N O

NO

NO

0

Yes

No



wity officer may set the= 0,20,30,40,orSO). inlmostllases,

ed from the factory with the

stem value containsa list of libraries allowed to contain user do-

.These object types are user

strict the objects of type *

which is a temporary object t level 50, and, there~ore, an-l data between users.

rd fo ~a tt in gptions. These ptions can. help improve

ords more difficult to guess. assw words can be con-g an egective combination of the following options:

: ontrolshe ~ n i m u ~ength of a password.

m a ~ i ~ u mength of a password.

asswords from being the same s any of the previ-

to ten installation-defi~ed haracters that cannot ap-

Forces each character in theew password to be di~erentrom theame position n the old password.

acters from being usedmore than once wit hi^ a pass-

revents a user from specifying password with numbers0 to 9)

: mplements password validation programo perform additional

l new passwords have at least one numeric character.

ds for user profiles to expire by using the system valuem number of days that a password is valid.hed for a password, the systemuto~atically



user to select a new pavent users rom chnumber of days unvaluean be overri n~iv id ~a l’ sserrofile eter er (with needsdi~erentrom the system value.

It is possible to prevent users wi

number of workstations accessi~ley users with special utho~ty.

tion is sent with an automatici~n-on.



system value specifiesattention key.

security re ~ui re~ en ts.

is used to display totion (e.g.,date of last sign-on, numberf invali~ a s s ~ o r dxpires, if less than seven days)

If a job is inactive for a specified numberof ~ n ~ t e stomatica~l takes action bas

>*

specifies the system portionfects in the syst~m

s ~ a r c ~ e dirst, before any l ibr~iesn the user portion f the



ortion of the ~ i b r a ~ist have been

at is either a t t ~ ~ h e ~o the



ere are eight p e c ~ c ~ u ~ o ~ t i e shatared v

thorities.To work withanobject, a user must havect ~uthori ties re:

remove users and their ut~orities n alist of users authorize^ to access an bj

ata Authorities. They reuse

rities. The user can

The usercan run a p or display the o~ j e ~ t ’ sis prevented from ch

ect an ~i tiesoerivehestern Au t~ o~ ti es .



A

x x X X X X X

x x x x x

x x

No system authorities given

uthority e~plicitly revents a user or a group of users from accessing theified, no other autho~tiesan be g r ~ t e ~o the objectns should set the public accessa r ~ e t e ror produc-

o assure that only ~plicitly ranted access salg r ~ t i n gf access basedon public access.

It level of authority that s granted if access to an objector aup has not been explicitlyg r ~ t e dr denied access.This de-

thority library parameterX command that was

after creation.The

the system, control the objects they can access, controhow the system appears to thems their user profile.

user’s ability to access objects on the systems allowedordenied based onhe in-user profilecontain^ the i n ~ o ~ a t i o nbout

of a group profile) andhe objects the user or group0 security, a “user s anyone using the system, both

ers, system op~rators) nd end users (e.g.,

on of the A ~ / ~ O Operating system, ach user pro-of the user’s capabilities are defined withinuser’s pro-

s profile also defines the user’s workn v i r o ~ e n tl menu, ~ ~ i ~ u mecondary storage, user prior-



disable the user

as possibleand the user profile deleted.

may be of i ~ t ~ r e s to



0 operating system does not autoprofile and password. Therefore

among ~roup sf individu~s.duces user accountability. Thus, sharing of usshould be di s~oura~ed.

If a number f users on the system. requimembers of one group profile.This m.ethothorities by con~olling multi~lesers at th

thority to multiple users. Thiss accomplished byfile level and thena s s i g ~ n ~ach individualuse

A group profile is a user profile

up profiles is that th

to have the same level f access to an

ject in a group profile and then assione of the users requires a different levelf

adminis~ativel complex wi

An au~orizationist is a m.eans ofspecifiles. The a u ~ o ~ z a t i o nist feature is ususer profiles (and their associatedutho~ty)hat can accesst~orizationist. Two key features of an authorization list areto each user is independent of other users on

toall

objects securedby the list.

shown in Exhibit S .



S

Users may be assigned di~erentccess rights.

ned the same access rights forllobjects secured by theist.

Users may be listed on multipleautho~zationists.

Objects can onlybe assigned to onea u t h o ~ z a ~ i o ~ist.

Objects must be ex~licitly dded to theauthorizati~nist.

All users are assigned the same access rights.

A user (as part of the group) may have a different accessright for each object secured by the group profile.

Users can only be assigned to one group profile.

Objects can be secured by multiple group profiles.

Objects are authorized automaticallyo group memberswhen created by a group member if setp to do so.



on the screen.



~ ~ e t e r snd Events

Authority failures are logged.

Object create operations are logged.

Object delete operations are logged.

Actions that affect aob are logged.

Object move and rename operations are logged.

Changes to the system is~bution irectory and office mail actions are logged.

~ b t a i ~ i n guthority from a program that adopts authoritys logged.

~ystemntegrity violations are logged.

~ ~ n t i n gspooled file and sending output directly to a printerre logged.

Restore operations are logged.

ecurity-related operations are logged.

Using service tools are logged.

Actions performed n spooled files are logged.

Use of system manage~entunctions s logged.

ybeogged on a system~ideasis by including o e

s y s t e ~alue.Forhisoggingoakelace, the L

as one of its p~ameter s. ee xhibit 3.6 for pa rme -

ged on an individual user basis by includiuser profile p~amete r. or this logging to

asone of its p ~ a m e t ~ r s .

value for theS determines

~ystem alue conta i~she p ~ m e t e r

user profile p ~ a ~ e t e rnd theall users accessing critical objects on the



meters andEvents

Command strings areogged,

Object create operations are logged.

Object delete operations are logged.

Actions that affect job are logged.

Object move and e n ~ n eperations are ogged.

Changesto the system dis~butionrecto^ and oEke mail actionsare logged.

O b t ~ n i n ~ a u ~ o r i ~rom a p r o g r ~hat adopts autho~tys Logged.

Restore o~erations re logged.

ecu~ty-related perations are logged.

Using servicetools are logged.

Actions pe~ormed n spooledfiles are logged.

Use of system management n c ~ i o n sre logged.

Vdues andP ~ a ~ e t e ~ s

None None Nolle

None Change Change and Use

C ~ ~ g e Change Change

Change andUse Change and Use Change and Use



r the following protocols:

LC ( ~ ~ ~ Networks)

The following c o ~ u ~ c a t i o nacilities are ava i l a~ l~

OS1 ( O ~ e n S y s t e ~ snterc

c o ~ u n i c a t e ith other'onal st an d~ dsrgani~ation.

rity level.

e distributed until the target system becomes~a i l a~ le ,

in any of the three scenarios d e s c ~ ~ e ~revio~sly.



the s i ~ n - 0 ~ontro~sn efYect00 c o ~ u ~ c a t e sith otherthe system. The ne t ~ o r k t-

n ordinary workstation

ts has exceeded the

L indexes, stored ~ro ced ures,user-abase en ha nc e~ e~ t s )

d a ~ ~ l i c a t i o nnd network security (TC



ial~ ~ t h o ~ t ynd the

ossiblev ~ l ~ e sre:



all function au tho~tyboveheouserith * y. The defaultalue is

-one sec u~ tyystem values are listed in alphabetic^ order.ison of unctions at di~e rent secur i~evels.

alloweddomain

ttention-~ey-han~lingr o g r a ~s used by the user.

perational Assistant is used. The program specified willbe exe-ttention-~ey uring an interactive job.

n ~ e n tn the specific e~uirements.

e t e ~ i n e hether audit in^ is performed on the system. It s

the opera tin^ system. It serves toturn he fQllo~ ingttrib-

user profile parameter.

objects by means of the Change Document *

d, the Change Object Auditing (

ed for users by means of the Cha

ossi~lealues are:

ting of user actionsor objects is perfoed for objectsp by means of the

ctionspecifiednhe L ys-

individual user profile ~arameter,while using the



ecific re~uirements,

system value s reset to

I

m value d e t e ~ n e she ~ e ~ u e n c yi which new audit o ~ n a lntri

om ~ e m o ~o disk. This will enablehe stem ad~n ist ratoro controlof audit in fo~a t ionhat couldbe lost if the system ended b ~ o ~ a l l y .

The system d e t e r ~ n e is based on i n t e ~ a lystem per-formance.A number between1 ill determine the n u ~ b e rf au-

dit journal e n ~ e shat can accumul written to auxiliarye number, the ess impact there will e on systemp e r f o ~ ~ c e .

value: ~epe nden tn the specific re

nes the type of events recorded in

nts as peci~edy the system valuea1 users based on the user profilearamet~r

ese include onermore of the following:

bject create operations are logged.



Object delete operations are log

Actions that affect aob are lo

Object move and rename operations areo

Changes to the system distribution directory and

b t~n inguthority froma progr

tegrity violations are 1

Printing a spooled file and se

estore operations are logged.

related operations are logged.

ice tools are logged.

Actions performed on spooled files are logged.

Use of system ~anagementunctions is log

e c o ~ e n d e dalue: ~ e p e ~ d e n tn the specific e~uirements.

The systemvaluedetermines the devicename of theconsole. It is r e c ~ ~ ~ et he

console be located in a secure physical environment.

ossible values are:

The publicmay view but not change the created object.

The public may change the created object.

The public may perform any function n the created object.

0

The public is specifically excluded from e ~ o ~ n gnyefault value: *

e c o ~ e n d e dalue:

hanging the parameter to a different u ~ o ~ t yill not chaning objects created with the authority as definedy the existin

'This system* S the auditingalue for a new objthe library is eystemalue is alsoheefault

uments without olders. Possible values are:

* o auditing is performed for the object.

* ~udit ings based on the user profilea r a ~file accessing the object.



ect is changed, an auditournal entry is written.

of the object is changed, an audito u ~ a l e ~ t r ys ~ r i t ~ e n .

ndent on the specific r e ~~ i r ~me n t s .

alue in minutes that an nterac~ven on to the system within th

sconnected, but users will be bro

e time that jobwill r ~ m ~ nisconnected.

t on the specific e~uirements.

tio on is not displayed.

the time thata job s inactive.

e t e ~ n e she action to be t n by the S stem whensystem value s reached.

econdary jobs, andor group job(s) is ended. The n-group job(s) is disconnected. The

actually ends he disco

ecific re~uirements.



ines the action takenby thempts as s ~ ~ c i ~ ~ ~n the

Possible values are:

he nu ~ be rf i n c o ~ ~ c t s i ~ n - o n a t t e ~ ~ t ss unlimite~.

ossible v~lues re:

It.



A value of 1 to 365 This represents the number of days before a password ex

efault value: "N

ecommended value: 30 r higher

This system value can e used to prevent a userrom specifying a password with numbers(0 to 9) next to one another (e.g., 12345). Possible values are:

* 0 Adjacent nu ~b e r sre allowed.

1Adjacent numbers are prevented.

ependent on the specific requirements.

Specifies up to ten installation-defined characters that cannot appearn a password (e.g., ,).Possible values are:

P e r ~ t sny available character to appear in a password.p to ten restrictedcharacters, A throughZ, ,9,#,$,@, nd --.

e c o ~ e n d e dalue: Dependent onhe specific requirements.

e c o ~ e n d e dalue:0 or higher ( set values: 10 equals low secu-rity, and 50 equals high security.)

/400e is brilliant in ts architecture. There are many examples of where theSarchitecture has delivered n its promise of making the most advanced echno1and continuo~sly vailable to its custtomers to give Internet access to exis

T ~ o u g h product known asS can access and runAS1400 applicationcrosoft WindowsNT, firewall, and Lotus

All customer solutions require a rangef hardware and software products from a varietyfvendors. The AS/400, through inte~ratinghese mixed environments, simplifieshe task ofmanaging them. The~ S / 4 0 0an move fromCISG processor technology to RISC proces-sor technology wi tho~t eding to recompile programs. r o g r a~ sre saved off thesystems, restoredon the SG systems, and run as full 64-bit applications.chines reco~pilations necessary (sometimes someew~ting), nd the resultingp r o ~ r ~ sdo not fully exploithe 64-bit hardware.The AS/4OO's fu~re-o~iented arc~itectureas en-



'

User profile created automatically.

User profile name required.

Password required.

Active password security.

Active initial program and menu securityLNTCP

Active limit capabilities.

Active resource security.

Users have access to ll objects.

Security auditing available.

Programs may not contain restricted instructions.

~rograms ay not use unsupported call interfaces.

Enhanced hardware storage protections available.

l i b r ~s a temporary object.

N N system value determines the librarieswhere the objectsWSRSPC, *URDX, and USRQ may be created.

Pointers inp ~ ~ e t e r sre validated oruser domainprograms running in system tate.

Enforcementof message handling rules between systemand user state programs.

A program's associated space cannot be modified directly.

Internal control blocks are protected.

10

Yes

Yes

No

No

No

No

No

Yes

Yes

Yes

No

No

No

Yes

No

No

No

No

0

No

Yes

Yes

Yes

Yes

Yes

N O "

Yes

Yes

Yes

No

No

NO

Yes

No

No

No

No

30

No

Yes

Yes

Yes

Yes

Yes

Yes

No

Yes

Yes

No

No

No

Yes

No

No

No

No

No

Yes

Yes

Yes

Yes

Yes

Yes

No

Yes

Yes

Yes

Yes

No

Yes

No

No

Yes

Yes

50

No

Yes

Yes

Yes

Yes

Yes

Yes

No

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

*At ~ 5 E ~ ~ R l ~0, resource security s active but may not be effective since defaultRLLOBJ Special A u ~ ~ o ~ t ys granted onuser profile creation.

e rapidly changing hardwarend software te c~ol og iesn its stride.This sametecture will continue o serve its users well y enabling its customers to con-

tinue to deploy theery latest technologies while causing theini mu^ possible di s~ pt ionto their work.

1400 ~chitecture as another advantage besides speed: it makes thent of data and applications easier. Why? e it lets AS1400 assign a unique,address oeverypiece of dataandapp nside hesystemusing a tech-

el storage. Imagine what would happenf you were mayor of a townthat had 10,000~ u i l d i ~ g sn state law re~uired ou to identify them using ree -d igi t d-dresses and no street names bviously, you couldn't give every ~uildingts own address.



ine how d i ~ c u l tt would be o deliver mail r respond to eleve it or not, many of today’s mode^" servers face a si

assign a unique address to every object in memoryoron disgram~ersave found clever ways o work around these prop r o ~ r a ~ n gime, added complexity, added costs, andrr0sin~le-level torage lets~ ~ / ~ O Oark every object, whetherage, witha unique, permanent address.his reduces the timdevelop nd nhance ap~lications. t S the entire system mn mopecially when~ n n i n g ultiple tasks.

oftware failures.As one custoeneral ~rotection ault.”



A s y s t ~ ~alues report,



ment should be designed to provide segregation betweenns, systems and applications p r o g r a ~ i n g , data control. Often in midrange

installations, there are a limited num~erf personnel, and control concerns

trols thatmay address or monitor a ack of segregationofhe segregationof duties.

cess to production objectss limited to read-onlyy using in-built sys-

ccess to source production programs and compilerss restricted using in-built sys-tted only with ~anagement’s

istory log s reviewed by management or unauthorized useoftern ~ r o g r a ~ s ,tilities, and compilers, ~ n u s u ~ctivity is logged by user and/orect and is investigated.

are restricted to an initial program and/or an initial menu

capabilities and attention-key-handling areet to preventprogram a n ~ o rn initi~lmenu.

of last change, are compared periodically to

sole is limited to authorized

he modemseither are turnedalsecurity features, such as dial-

f no in-house program. developments per f o~ed ,seofpurchased software r third-rs may provide an appro~riate egregation of duties in the IS

ng controls that ay address or monitor a lack of segregation ofserand S dep~mentsre:

ssigned an nitial program andlor nitial menu that restricts options avail-

es and attention-key-handling are et to preventdifying their nitial program andlor an initial menu. Managementrs from accessing~roduct io~ata files by using system security

of reconciling inputs and outputs (e.g., usef batch controls, re-

nt of authorizing and entering transactions, are responsibleorr~con~iliationnd review procedures.



Access violations are investigated promptlyy appropriate management personnel,

he security officer profile is assigned to only one individual and Specialned to a limited number of management personnel who have sec

urity ~nct ions ay be p e ~ o ~ e ~nly froma limited numberof terminals.ublic Authority to production data filess *

aressignedn Initial ~ r o g r ~ndlonu limit in^ accessonly~nct ionsecessary to perform their work.

Limited ~apabili tiesnd atte~tion-key-handling re set tosonnel from modifying theirnitial ~ r o g r a ~ndlor an nit

to the system s controlled after business hours o u g hhe use of automatedand co ~u ni ca t i onines c o ~ a n d s .

.,dis~ettes,apes) is r ~ s ~ c t e do au tho~~ed

system is p r o g r a ~ e do cancel or deactivate interactiveobs (i.e., t e ~ n a les-) f there is a specified periodof inactivity.

01Control rights are lirnite to appropriate au-

uthorization to use restore commandss limited toa~propriate ersonnel.

se of data-altering utilities s restricted to authorize^ personnel and from production

nv~ronm~nts,nd their usages closely monitore~.obs are executed duringschedule^ time frames, and deviationsrom scheduled pro-

nizations are placing more reliance on in fo~a t ion rocessing facilities to s up p o~critical business applications.heref fore, it is important to ~ ~ n t a i nhe av~labili tyf

this information and the associated processingacilities and to be able to promptly restorecritical in fo~a t ionrocessing systems in the eventof an interruption of service.tional controls related to businessontin~itynclude:

rocedures should be in place to regularly measure and assess he impact of inter-

sponsibilities should be assi ned and contingency plans pre-

ontingency plans should e documented and tested to ensure timely,on~ollede-

n-site and off-site backupor critical information and materials should bensti~ted.

should be developed, and preve tive measures should beage and mitigate the impact on the usiness from disaster or

rupted in fo ~a ti onrocessing on the business.

nction and user ep~ments.

covery of critical in fo~a t i onystems.



he systeme n v ~ o ~ e n ts adequately secure.

bserve the adequacyof e following requirements in the computer roomroom equire-ments depend on size an se of the A~/~OO(s)):

azard detection toolsndeq~ipment

~otectionrom risks of water d ~ a g e

bserve the physical a su~oundinghe system unit and evaluate whether t resides in a

, ccess by unauthorized individuals s restricted).

ter with its peripherals located?

hat physicalsecu~ty easures are used to reducerprevent access?

Are visitors (nonco~puteroom personnel) ente~nghe computer room required oout and bea c c o ~ p ~ e d ?

00 is eq~ippedwith a four-position ystem Key Lock. Each of the positions al-lows for a different levelof system control.

is not set to manualornormal, and the ey to the ~ystemis ~ ~ n t a i n e dn a secure location.

e t e ~ n ehet~erhe ~y st em y Lock is in the auto or secure position.y is maintained ina secure location.

here is the key to the System y Lock maintained, and who has access tot?



hat procedures are use~followedwhen the position of the

hat is the positionof the

chan~ed?

he system consoles situated ina physic~lyecure location. Certain e s ~ c t e ~nd sensi-we opera~onsan be p e ~ o ~ e dnly from the system o~sole. ll jobs s ~ b ~ i t t e dromthis

0, and it can be usedo control jobs and spool files. Theon to the system console, evenf the profile s disabled becauseof

at is the value of

S the device specifiedn the

Ts) are not usedo provide access o sensitive data,

with the assistance of the client,It passwords to ensure that they have

T and to ensure th S are wellontrolled.

ave the default passwords or

he s y s t e ~ecurity level s set at a sufficient levelo provi



s report to ~ e t e r ~ ~ e

o a ist of l i ~ ~ ~ i e sha



red to change their password at leastnce a quarter?

e history or audit logs reviewedor possible password violations?

S each user have a unique userD and password?

port tod e t e ~ n ehe following:

p ~ ~ e t e ras been changed fromNto a reasonab~e umber of days.

words is activated (i.e.,a new password to be different from the previous32 pass-

N) parameter is not lower than5.

parameter is greater than8.

ation p r o g r ~s used, ensure that the additional validation checking per-sult in users being forcedo use pass~ordshat c o n f o ~o a f o ~ a that

assword validation program has a security risk thatv~idation progra~uring input f a new password.

owing parameters have been set to ac o ~ ~ ~ i n a t i o nhat reasonably prevents

number of unsuccessful sign-on attemptss not set too high. When the max-of unsuccessful sign-on attempts s reached, the user ID s revoked and/or

at is the valueof

ho is authori~edo change the value f

value on he system values report and determinef the maximum

et to a reasonable number.he ma~imumum-sful attempts. In addition, determine whether

iews all unsuccess~lign-on attempts.

ew the client's follow-up procedures



value on the system values report toer of unsuccessful sign-on atte

parameter has been changn on to any workstations

* What is thealue of ?

* Is this value ever changed?

value on the system valuesparameter has been set to.Verify that chan

parameter has not been chan

unauthorized access o the system via a remote workstation.

* What is thealue of ?

* Is there a need fo rs to signon to the system?

Obtain the value ofhe p a r ~ e t e rrom the systemse display stationp a s s - ~ o ~ g hsers to

If users to access the system, thealue

parameter has been changedo preventusing on to more than oneor~station t a time.

* What is the value of

* In what kind of situations do users need to sign ono more than onetime?

n to multiple orkstations?

valuesto the



at is the value of

at is the valueof

s i ~ a t i o ~ §o vi~u al eviceseered auto~~tica~ly?

on the S st^^ valu~sep

ete er has been set to a v

t is the value of

t ~ ~ ~ n ehat the

hat is the valueof



he system will write security-related events to e history journal and also to the auditjournal if it has been activated.

olations are reviewednd followed up onn a complete and timely man-urnal has been activated.llap~ropriate ctivities are bein

f e a ~ r ectivated?

ow often andby whom are history logs/audito u ~ a l seviewe

at security-related events are being recordedor users of the system?

e followed when a security violations noted?

cted from nautho~zed ccessan

ogging of specific users’ activiti

Is there a need to monitor the usef and changes to specificbjectsbyusers?

Is there a need to mo ~t o rhe use f andchanges to p ~ c i ~ cbjects by S

eview the settings to the following system values onhe systemeva~uatehe appropriatenessof the settings:

the parameters setEoeiL. It should be set to *

if either specific user and/or ll user activity s be-

appropriate to satisfy the needsf the or-

. f the organization’s se-ly preventing any furtherit journal, the p ~ ~ e t e r

. uch a recommendation should onlye made af-ences of such a setting.



S uate the settings nexistenced de te r~ in e hichobjectsand

ed. Ensure that activity loggi meets the organization’s secu

xamine thedocu~entation suppo~inghe regular reviewf the history(or audit journal. Determine if the review is des d for detection andunautho~~edccess attempts, nauthori~ed seunscheduled processing.

0 m~agement’s ssistance, at t e~p t * on toensitivebjects U

userprofiles.Review hehistory ( log or audit journal forattempts.

btain the access authority tohe audit and historyournals and j o u ~ a

ensure that access to thems appr op~a tel~estricted.e t e ~ i n e hich system users have been assigned the

temine that it is approp~ateor these users to be givenmove auditing valuesor both user profiles nd objectsthat relate to auditogging,

Use the Display User Profiletaining all user profiles. Withutility to print a samplef this file. Forhe sample of use

ter has been changed fromis a r e ~ u ~ r e ~ e n that anser accesses a specific

loggingillake * ,venhoughheserrofilea-

LVL ~ ~ e t e ras been c h ~ g e drom the default settingtwelve avai~able alues if additional monitoringof indi-

e appropriat~ness f the para ~eteret-tings and ensure that the p~amete r se tt in~seet the needs of the or~anization’ssecurity r e ~ u i r e ~ e ~ t s .

* tson theystem,sehe c o ~ ~ doealue is approp~ateo th

user profile parameterf the cthe user profile parameters set to

To ensure that audit og

the object, the settingry may be developed to help pe

UT is set to a value that does notcreated objects.



ho authorizes changes to

for production programs and files been

chan es to this system value re authorized.

that the n~vidual ccesses allowed are appropriate.

p a r ~ e t e ras been set to 0, preventing the displayof simation.

hat is the valueof

0 Aresersnstructedshen the sign-onnformationndicateshatunsuccessful sign-on attempts have been made using their userD, or when the dateof last sign-on is inco~ect?

eter on the system values report and ensure that it hasbeen set to 1.

Unattended t e r ~ n a l sre bein timed out; thus no opportunity is created for an unautho-rized user o gain access to the systemy way of an active but unattendedwor~station,

0 Are inactive jobs cancele~disconnected?

After how many ~ n u t e ss an inactive ob cancele~disconnected?

After how many minutes is a disconnected job canceled?

hat is the valueof

What is thealue of ?

What is the valueof



view the s y s t e ~alues report to

p ~ a m e t e ras been setwill function like an *

sure because thei-

o a ~ t h o ~ z e s c ~ a n ~ e so

list are authorize^.

The user o ~ i o n o fhe librar list is s e ~ c ~ e

c o m ~ a n ~ , ~ e t e r ~ i n ehether the access to theen appro~riatel~estric

eness, ~ e ~ i ~ yhat all chuser p o ~i o n o fhe library list are a ~ t ~ o ~ ~ e ~ .



The passwords for thesix supplieduserprofileshavesupplied user profiles are not used as user or group profiles.

* Have the passwords for the

Determine that he passwords for

~ ~ o ~ l e

ser profiles using the

-supplied user profiles set to*

User profiles with certain special autho~ties rovide unlimited access to vipects of the AS/400. Users do not have accesso profiles witlevels of access greater than requiredy their job function.

* What users have been assignedSpecial A u ~ o ~ t i e s ?

* Do all users with Spetheir job function?

Review all responsibilities of individuals assigned the (Special Authorities for ap

used as a group profile, use the



field is not set to * . f it is, discusswithhe e-n for the setting and w h e ~ e rhe pr o~ les still neces-will be disabled but aretill valid for process in^, such

the objects created y the user profile.

at the e~ployee’snitial Progr

gned does not allow the

not be set if not use



If audit logging s being used, refer o the section on historyogs and audit ou~alsinwhatuditrocedureseed to be carriedutnhe andparameters.

ityofficer may define a groupprofile for a group of e ame apabil-n a user is assigned o a group, heuser is given he itiesdefined in

the group profile. Therefore,he authorities assi~nedo the group should be appropriateorall g r o ~ p ~ e ~ b e r s .

Users have not been granted levelsf access by a group profile greater than those requiredto perform theirob function.

at policiesand procedures are usedor the as s i g~ ~ e n tf individ~also

up embers ship reviewed on a periodic basis (or when transfers, teor pro~otions ccur)?

Are the access rights assigned to the group reviewedn a periodic b~si s?

e group profile passwordset to *

splay Authorized Users(group profiles. For aects authorized by usi

rfom the fol lo~ ingudi

ew reasonableness ofobjects authorized

4 Check that group p

parameter is set to

profile ~ a r ~ e t e r sre appropriate or the g r o ~ profile.epeat the audit steps is

ted levels of access greater than those required to p

function.

Which libraries contain sensitive information?

S the public authority to these libraries appropriate?

o is authorized to access sensitiveibraries?



Using I ,obtain a list of all li client in f o~a ti onystemsstaff, asce~ainhe si sourcendbject libraries

braries and willbe installation specific.The following standard sys-hat access authorities to them

, s well as any p r o g r ~ n g

d e t e ~ n ehe following:

blic Authority s no higher than*

Usershave a maximum uthority o toystem ndutilityibrariesexcept

m e r s have a ~ a x i m u muthorityystemndtility libraries,o production object ibraries,

to production source libr *

n data libraries

source libraries.

Notehatrn in te~alrofilewithout a password,uch as uldeheowner of libraries.lso,otehatostendor-written so , nd datalibraries will have an owner thatay also be a group profile or end users. This means thatusersffectively aveuthority ver endo or-written ects, and therefore ccessousersmust be controll ugh pac~age-based ontrols (e res~ct ionfmenuoptions).

fault publicccess is set to (if the

data.

Users are not granted levels of access greater than those required to perform theirob func~on.

W are user access rights e t e ~ n e dnd granted?

hat default levelof public access s granted to users?

W is production data segregated from testata?

w are programmers prevented rom testing programs in prod~ctiveibraries in a

live environment?



eview and ev al~at e

same profile to access the s y ~ t e ~ ) :e t e ~ n ~hat objects the ~ r o ~ l ~

object i d e n t i ~ e ~revio~sly, serofile is allowed read-onlyaccess.



at policies and procedures are usedor crea

ow are authori~~tionists del

Are authori~ationists reviewe

ist of authori~ationists onheensitiverhese lists, obtain a listing of all use ilities as-

d to these lists and verify the appro

A job des~riptionepresents a otential sename s~ecifiedn the

job ~es cri ~ti onan sup~ameterf the job description.

y using job descriptions, users can not obtain

Is the security level 0 or lower?

Are job descriptions used to grant acces

hat proce~ures re fo ll o~ edo establi

Are job descri~tionseviewed on a regu

riptions on the syste

curityevel 30 or rityandbtain list of de-

e the user profile parameter

1400opera ti^^ system allows a progfeature allows a user whosystem authoritiesas the

authority could run aTherefore, the program adopt

uthority feature, users cannot obtdata files and r o g r ~ s .



rocedures are followed touthori~ehe useof Adopt ~ ~ t h o ~ t y ?

systems are lly removed when the

ed to avoid to redefine accessau-

lders for ( t e m ~ o r ~ l y )one~istentiles and use his ca-they sho ~ldot have.

lders r ~ ~ o v e dn a imely manner?

) o ~ a n do list all

m136 mode and Au

access ~arameter o heCreate

e unless this authoritys revoked byis ~ansferred.n certain si~ations,

ners should be revoked. For example, aen thepro~rams reviewed~ a n s f e ~ e do a production

ority to ~roduction pro~rams

are t r ~ s f e ~ e dnto ewnership also ransferred to a

le?



re objects owned at the user level r the group level?

hat procedures are followed when ownershi

Who assumes ownership f owned objects when n own

~dentify rocedures p e ~ o ~ ~ dy installation ~ersonnelo ensure that c

ership of an object does not CO r o ~ s enstallation securiewing user profiles, incl

C C ~ S So sensitive utility pro

ata andlor programs and compilers,s ap

hat users have access to sensitive utilities?

1sthe use of sensitive utilities log ed and fol~owed p?

Are all S re~uiredo produceuditrails?

access p ~ ~ e t e rs

ed by installa~on ersonnel

ned to user profilesrarenotc o ~ a n d srother objects

Users do not have accesso the operatin

ich usersare able to access he CO

ich users have imite

Are the c o ~ a n d sisted n sermenus for their job functions?

hich c o ~ a n d san limit the capabili

th the client’s assist~ce,se theer pro~ le save beere may be pe~ormed n a



Evaluate the propriety f the Initial Program assigned based onhe individual user'sjob function. Review the Initial ogram assigned, usually a menu9 ooptions allowing the user to accessrogra~sr data files con~ict ith thregation of duties conventions.

users have been granted the use of a d d i ~ o n ~omm ' verify that the CO

a p p r o ~ ~ a t ea~abilities*

eview the limited capabilitiesp ~ ~ e t e rnd ve fy that it has a setting

upport is the utility program that allows users to use~crocomputernsteamal'' workstation to access an AS/400. For PG upport to p e ~ o ~unctions,~ a n s f e ~ i n gf a data file, PC Support ignores menu security.

G Support users do not store their ~ S / 4 0 0assword in a C file that can easily be

* The installation has secured production programs and data files usin

* ~ S / 4 0 0iles are secured in the PC environment.

* Users are not able to bypass security by using the submit remote CO

lists or Specific Authorities.

(

PC Support users re not able to freely download and upload data files.

upport used to transferiles?

o has access toPC

Is secured data stored

data uploaded to the ~S/400?

hat data s downloaded?

elect a sample of microco

and production data files.

in which it resides has been set to *

Users do not have accesso sensitive and confidential a t ahile it is he1



sensitiveorcon~dential info~ationn spooled files n the system?

ave user^ been assigned * L pecial authority that gives them access to all in-rmation contained in outputueues?

re the contents of output queues restrictedo authorized users?

tem are used to print sensitive andon~dentialn-om the client, review the following output queue parameters:

nsure that thepara~eter ettings are appropriate o achieve the desired levelof se-

queues that hold spooled files ont~ningensitive and con~dentialn-

ensitive systemc o ~ ~ d s .

eview the authorities over the following sensitive c o ~ ~ d s ,sing theat such c o ~ a n d sre appropriat

~ ~ s c ~ i p ~ i ~ n

Add Authorization List Entry

upport User toDistrib~tion

Change Aut ho ~z at io ~ist Entry

edicated Service Tools a s s ~ o r d

atabase File (using D W )

hange Network Attributes

C h ~ g ebject Ownership

lear Logical File Member

Clear Library

Create Authority Holder

Create Authorization List



p procedures for critica~vitalnformation andm

rary list in~so ensure thatl ib r~ iesre being saved.

: aves all ~on§ystem li~rarie§.

ified).



cannot be saved via

users outof the

At least a whole systetion’s backup scheme.

eview backup retenti

A listing of the backuwhere (e.g., copy of tape index ocontent of each tape s easily dete

Verify that j o u~ a li n g c o ~ t ~ e n tontrol-

Verify that off-line bcurity no onger ap

be Access Control Facilityor theAS

Verify that only authorized individualsither have: his capability requires

(to change a user pro~le),n



usedyheecurityfficer or someoneith theauthoritynlessccessohe S beendditionallye-

s must be accou~tableo individuals (i.e., if arofile is p e ~ i t t e d ,ach in~ ividua~n the Group ofile must be authorized). If a

, specially one ~ n ~ i n gith adopted authority, used to perform this function,individuals can run he program. ~rograms~ n ~ nunder the program owner’s user profile.

done concurrently with the~ ~ v i l e g e dser 1 Authorization Testof this test is to verify that those individu~ tually p e ~ o ~ i n

tasks have the responsibility tonsure that ap pr o~~a te mana ge ~enation for the business need exist.

with the users authorized tousers. The list of privileged

. .

The s~ecification of the

/400, there is a user pro~le. his profile may contain the following



nsure that pa§§word nte

in the systern values.

eview the § y § t e ~aluessp ec i ~edn the systern v

Ensure that there is appro riate control for the use o f “ s h ~ e d

esourstern.

out ~ o c ~ ~ e n t e drocedur~ontrols.

tain the procedures ormantion of theser a u ~ o r i ~ e ~o the u

nsure that all objects on the systern have a responsi

R e t e ~ n ef the n u ~ b e r o fbjects owned by



e Determine if procedures for findingvalidowners for allobjectsowneN are adequate.

e: Object ownership can e viewed using the

All esources on the AS/400 are called objects.The system m~ntainshe followinof information onallobjects:

wner (a useror grou

ublic Authority(*

Specific Authority (individual usersr groups)

~uthorization ist

bject Type (file, user profile, r o g r ~ ,ibrary, andso on)

This information identifies the object owner; any individuals authorize to access publicly,speci~cally, r through anautho~zationist; and the type of object.

Sound security policyequires that all resources be protected from general accessn-

less explicitly required, with ormal docu~entation f the business ustification for all ex-ceptions (e.g., system broadcast functions).his implementation relieves not only ownersfrom the e~uiremento identify he highest classificatio~evel of theirthe supplier of service organization fromhe requirement to “scan,, or

tial data.Objects on an S1400 cannot exist without an~ n e r .or

not be deleted untilall objects owned y that user are deleted~ircumstancesmay arise in which the systemannot detestance, the system assigns ownership to the default ownerowned by a user r group profile.

Verify that the access methods effective.

W the system values, system exits used, and groupt~c tu r eor

for a sampleof objects.

group, user, and autho

e: Also ensure that appropriate control mechanisLocation onf figuration List andDirectory) are usedor co n~ ol l in ~c

corporate backbone network.f applicable, obtain fromanagement regissiness case seems reasonable. Follow upi

owners. Review he object access authorizations or the exceptions andcritical sy~ teme-sources.



bject uthorizations an be displayed singhe UTcornan d. AU-t h o ~ z a t i o ~ists can be dis la edusing he L ornand . Systemvaluescan be dis-

L ommand.

of controlling access toorexclusion fromC specific or list authorization. Specific u-

on. List autho~zations a

irements for system values,eview the exception list

n only be in one group. Usersnay be on multiple authorization ists. Mem-list can have differentobject can have a sin-

s a mem er.

the basic authorities have been given separate names. They are as follows:

ted access to he data in the object.

: llows no access to the bject or its data.

he autho~zationearch order is as follows:

asic autho~zation)

a u t ~ o ~ t yor the object

authority for the a u ~ o ~ z a t i o nist associated with the object

: he first authori%ation entryound, matching the user and bject, is taken. There rnaye otber ~a t c h esf hi her or lower authority, but they are not used.

that ade~uateudit trails are generatednd audit trail histories are maintained to pro-ana~em~ntndlor legal with u ~ ~ i e n tocumenta~onor security incident follow-up

and resolution. The re~uirementor a documentation retention period shoulde documentedin the ~ f o ~ a t i o ~



Audit trails are maintainedcontrolshich secu~ty-re1 ng j o u ~ a l . ny usercannotlter a j o u ~ a lntr ~ ~ ~ l i c a t i o nesign

t ~ a nvera~l y s ~ e ~e c ~ r i ~ .

ince the usef journals is relateauditor needs to understand the site’s

tten to o u ~ a lll the activityf the S

tem audit save andestore information9 uthorization failures, deleted objects,rsecurity-related functions.

and is c u ~ e ~ t ,he

istrative au tho~ty~’of the access con-

trol system:

dministrativeuthority is theivi at is general1sednhe er-of ad~ing,el et in^, and a1e individual own in^ a us

not have theob responsibility of strati on^, they arestill considered tohave this privilege and mustO ireme~tsor its authorization.

/400 attributes, as escribed ~reviously, an often e co~sidered s the re-~~ i r emen t sf system su

ccess to components f the ntrol system s not considered “privi-

in the explicit sense of the te ever, by the potential ability to circum-he access control systemtself, with access to these components should

e ma~agement autho~~ationor eac~ e n tith follow-u~ ontrol assess ent i~ terv ie~(s)ith the system security owneras necessary.

eviewwritten justi~cationsor lonnwoweeks) and s h o ~ - t e ~lessthan two weeks) use. Lone~ergencyr s h o r t - t e ~esi~nee.



the ~ a n a g e ~ e n t a ~ t h o ~ ~ a t i o nnd business rationale or p r o g r a ~ s ~ n n i nto ~ r o g r a ~ swned by

e ~ a n a g e ~ e n t a u t h o ~ -

~ o ~ ~ dhe

ith adopteda ~ t h o ~ t y ,

thorities are not

to all s y s t e ~esources.

and other users’ obs.

strator or ofker



com mies will survive, and even then, only by rest~cturinusiness. The laurels will go to those companies with

adapt themselves tohe changed industry mdsca~e.

Successful auditsof ~ n f o ~ a t i o nanalysis of the physical environmentpotential risks and recommend

The objective of the ausary to successfully an age

bility for all services relate

mounts, andso on),the

opethat ~uarantees ptimum

infras~cture , heuditillpecify stan~ards stablish a com-puting e n v ~ o ~ ~ n tn

and creases the availabing will be brought into



I

The following is list of reports that have audit significance. They can be printed and used to audit the AS/400 platform:

* All Libraries On The System

* Library Save And Restore formation

* A Specified Library Description

* All The Objects In A Specified Library

* The Library List For The User SignedOn

The Basic Information Fromn Object’s Description

* The Full ~ f o r ~ a t i o nrom An Object’s Description

* Service Info~ation rom An Object’s Description

* Users AuthorizedToA Specified Object

* Access ranted By An Authorization List

asic I n f o ~ a t i o ~or A User Protile

* DisplayAllParameters For All User Profiles

* Au~orizedUsers In User Profile Sequence

* Authorized Users In Group Profile Sequence

ions On The System

* AI1 Devices On The System

* Program In fo ~a ti on

* P r o ~ a ~ shat Adopt The Owner’s Authority

* AuthorityHolders

Date Of Last Change For All Programsn A Library

ystem Statistics

* Disk Statistics

* Active Job Statistics

* NetworkAttributes

4 C o l ~ a n dnfor~ation

* Local ~ardw are

* IBM Software Resources List



162

166

169

170171

173

175

179

ote ~ ~ s i ~ e s s~ ~ 1 i ~ a t i o ~ sn.



is r e c o ~ ~ e n ~ e ~ ~max

s not effective or users

~ i n i ~ u ~characters

be the same as previousones,

The fol1owing value is r e c o ~ e n ~ e ~ :.



that may not e used. Valid

more than once.

me of the validationprandensure hat it does ow someusers o

is found to be onero~s.



eter~inef the syste ity to linnit access to worksta-tions for profiles wi special authority s being

thority cannot sign ono any displayorized to the display station.

a u t h o ~ t y an sign on to anyis~lay

a ~ t ~ o r i t yor objects created n a ibrary:

s y s t e ~alue takes) or the library s set to*



is recommended, but clientthis change because ll(e.g., device descripti

normal operation.

e systemwide attention"k:ey-handling program:

. o attention-~ey-h~~lingrogram.user-w~tien rogram that will handle the attentionnte

2.10 ~ e t e ~ i n eheystemalue , hich de t e ~ in e s hetherbjectsthat are security-sensitive

t may be restored to your systemy a user with a proper

ty-sensitive objects, such as system state probe restored to the system.System state objects may be restored to the system.: bjectshatdoptuth ' tohe

ended;owever,fhe es pro ndthe value should beet to

o reflect IT anduserdment org~ization,ensu~nghat appropriate segregation of duties is maint~ned. file at t~butes nd specialautho~tieshould reflect users' business functions.

3.1upofiles by ente~nghe CO

This will ist all group profile names and user profile a ~ e sithin each groupof users. It will lso list at the bottomny user profile

3.2 Evaluate each group profile to ensure that it represents a common group of userswith the same or similar business~nctions.

Where group profiles are used,nsure that the group profilesto prevent anyunautho~zedign-on.

3.3 Check: that he ollowing supplied profileshavehad th~irrichanged:

User Pro le

lease of QS/400V3assword



3.4

3 ,

3.6

3.6.2

3.6.3

heckhatheasswords for theollowingnchanged,retoredecurely, and are on1 neers:

Ori inal assw word

heckhat the passwords for ilityhavebeen hanged or that the~ ~ / 4 0 0ey is held by the and that he key lock is in the “Nomal”position.

Passw rd

* For service representati~eroperator to use functions thato not

nsure that usersre members of appropriate groups relatedo their business~ ~ n c t i o ~ s .

assword E~piration n t e ~ a l )

ecific interval has been set for *

the system default specifiedn



.4

3.

.he s e c u ~ t y ~ ~ ~ s t ~ a t

pecifies which user profile is the owner f objects createdby his user

the i~itial enu, the

er c m change all the values in the user profile with the



will prevent a ser from droppaborts. Ensure that users have

User profile can be used.: ser profile cannot be used.

and so on must be et to

)~~pr opr i a t eccess a u t h o ~ t ~hould be d e ~ ~ e dt the l i ~ r ~evdata files and programs are r o t e ~ t ~ drom u n a u ~ o ~ z e ~ccess

4.1



ibraries that willbe searched when the systemfor which a library name has not beenx~licitly

nds with he correct name.

L d e t e ~ i n e she initial s~ttings f the system

e con~o l p r oce~ur ~srom the implementationof new

programs or files from ~ e v e ~ o ~ m e n to ~roduction

y of a ~r o~ uc ti onr o * * usersomiseecurity byd priate

grams should be res~ictedo autho~zedse the integrityof ~r od ~c ti onystems.

~ o ~ ~ do review any programs that adopt the author



. c c e s so the query ~ e~ n i t i onshould be ~r~ve nt ed.

security-related c o ~ a n ~ ssin

nistrators haveuse of

rities are usually requiredo exe-

cm use this c o ~ ~ a n ~ .



nds should be*

6.

ority of work in the system is d e t e ~ i n e dy job desc ~~t ion s.

S for a sample of production joby n a m e / n ~ ~ ef job description)

~~~ to obtaina listing of the job desc~ptions:n a ~ ~ / j o b ~ e s c ~ ~ t i o n )



7.

7,

7.

7.7

7.

7.

7.10



.1



of network files or the receivingay,cancel, or receive the ob stream into a database

the input stream was

using the values in theto display the systemarameters are:

means allow any address.

e user o whom it was sent.

sure that the user profile does

e t e ~ i n e sow the system

meter is as follow *

C requests from remote

, ut they are controlled

ort is actually used. f it is not,

co~munic~tionsetwork entry~ o u ~ hhich PC

user can use the s u b ~ temote” command facility without hav-active wor~station is lay emul~tionctive.



8.4.

8.

d e ~ n e ~ ,hen the su bs y st e~

target system allows the sourceuser ~ ~ e c i ~ e dn the c o ~ u n i c ~ -

then the source s ~ s t e ~ill send a uill be under the authority of this user



.6

.S.7

.5

s y s t e ~ a l l o ~ s ~ c c e s s ~ i t h

is s ~ e c i ~ e dnd he s e c ~ ~ t yevel is 30, hen no ~ a s s ~ o r d sre

the first available vir^^ device that has been o n ~ g ~ ~ e d

is not set to 0 be-

urces are ~eco~dedn the auditmd

S sho~lde revie~edn a reg-

s ~ s t e ~alu~shat control audit l o ~ ~ i n

( s ys t e ~alue)



E ~ i b i t.1, n whichle for enforcing allaccess val-

thority. In this way, the S

validation code, and its the only copy f thatS ensu~eshat all~ r o t e c t i o ~s provided uni-rovides services for valid at in^ access to ob-



that will be used ~ n ~hat session.

s c r ~ t i o n a ~ccess c o ~ t ~ o ~ s

control who can access ~so~rces



be the File Name, data it cont~ns,nd the

Network shares

object has anACL thatthority to access that object.

e logon process defines the usero thecan access.~ e ~ i s s i o n sefine the operoften, the operationshe programs can perform n

~ i n d o w sT manages access control y assogy, an access tokens thesecurity identifiers (which areto which he user belongs.manager on the computers h ~ n gcess control list of the requested object. f ority token matches an accessontrolaccess. For example, suppose a usermembers of the en gi ne e~ ~gomember of the engineeri

dows NT assigns the user an ~ccesso n (i.e., a representa~onof

group to which he user belocompares the individual S

cess control list (locks) toto access the object.



'I'object, they contain tt~butesto the system and~rovideheir se ~i ce s .

Utes in the access o ~ e ~nclude:

S represent in^ the lo ~~ ed -o nser's group me~berships

er~ss ions a l lo~edor the user

ue s~curi ty identi~ersoreach user roup in the ~ s e rccountsS are uni~ue,f an t or

t retain the same

er be repeated, so the systeother.

and accessco~trol n t ~ ~ sre cov-

a l l o ~ she spe ci~ c



S

if the user is a t t e ~ ~ t i ~ ~o 10

. he ~ a s s ~ o r ~s b 1.



S

None No access to files anddirecto~es

Llst Not specified List directory contents

Change tosubdirec~ories

No access to files unlessgranted explicitly

Read List directory contents

Change tosubdirecto~es

Read data from files

Rdd WX Not specified Create subdirecto~es

Create files

No accessto e~istingfiles unless grantedexplicitly

RWX RX List directory contents

Read data from iles

RWXD List directory contents

Chan~eo subdirectories

Delete subdirectories

Create subdirectories

ead data from files

Create and modify files

Execute programs

Delete files

All All Alldirectory ~ e ~ s s i o n s

All filep e ~ ~ s s i o n s

Change pe ~i ss io ns

Take ownership

is the only file s y s t e ~hat slh

that treats eachile anda ~ ~ ~ t e shat arestoredwith the object,sac



of an object orpart of ~ l o w ~ do access an object (as

ncept, there are additional levels of control.

a user’s identit?, s thill facilitate ac c ~ s so

i ~ p a c tan^ ypes of s ~ s t e ~ ~n d u ~ t

e a d d r e s s e ~and awareness ~ ~ o ~ r a ~ s .

the account exists, the a s s ~ o ~ ds run th

for the session. Changes to a user’s

. romthe console



a n o n y ~ o ~ sogon to the ince the acco~nt a ~ e ~

case it is acc id~~ta l ly ~eena~~ed .heS if it is ena~ledndhasno ~ a s s ~ o r d .



, nd groups should e created to give usersgn pe ~s s i on so groups and allow access

em me ~b er sf the appropriate groups. Groups areo ~ a l l yased on

ani~ationfunction^ units (marketing)

ating shares because per~ss ions an be as-s the groups already exist.

ires that consistent and coherent nention has the~ollowing hee charac

stand.If users don’t understandhe n a ~ n gonvention, they

n a ~ n gonvention should b able to cons t~c tn objectr users, the name may incl e their full name and func-

nter, the name may include the model number and con-cation in he build in^, and the kind of work the printer

have obvious and meaningful relationships withsent printers, the n a ~ e should CO

erJet I11~ ~ n t e rn the oor). If objectsareuserto ~ e t e ~ i n ehat JAS c o ~ e s ~ o n d so John A.

co~ventionshat producem~aningful ~ e sor objects is fairly easy;

conventions that translate easily in both directionss more difficult.

uring resources from nauthori~e~ccess. There are two ap-

rs are allowed m ~ i ~ u me ~ i s s i o no access informationS in which i n ~ o ~ a t i o nhould notbe availa~leo them.

wher~in sers are allowed to access only the n fo~a t ionhey need to

. he nature of the organization and the work it ~ e ~ o r m sthod to choose. For example,ove~mentsollow the pes-

because access to their info~ationould pose a security risk to their, ost medium to small businesses use the ~ t i ~ s t i cpproach because

at would be useful to anyone o~ ts ideheir or~ani~at ion .



revents access to the shared directo~egard~essf o ~ e rllo~ed per~issiolls.

Allows viewingof c o ~ t ~ n e diles and dir~ctories, oadingof files, and execu~n

~ s s i o n slus creating,d~ le t i n~ ,nd c ~ ~ ~ i n gontained directories and files.

per~ssionslus c ~ ~ g ~ nile s y s t e ~ e ~ i s s i o n snd takin



Prevents any access to the directory andlevel full control.

Allows view in^ and browsing the director directoryper~iss io~s .

nes access

ined per-



securing files. Use the

t use file system secu-

Id be reserved or sharing h ~ ~e-

s s u c ~s e~t ire

licy,r in

iversal s~ cu ri t~ se tt in ~sor user ac

e forced to h ~ ~ ~

ass~ords userm ~ s tQtatea m o ~ ~ .



~ i ~ u r nassw word Agesswordeverxpires

Expires in x days

Allow changes immediatelyAllow changes n x days

elmit blankassword ~ a s s ~ o r dt least six ch~acters

At leastx c h ~ a ~ t e r s

assw word Uniqueness o noteepasswordistory e ~ e ~ b ~ ren ass words

e m e ~b e r passwords

Account Lockout N o account lockout

Accou~tockout

Account lockout selected

A~count ockout Lockoutafter x bad ogonattemptsLockoutafter hree bad o~onattei~pts

Account Lockout eset count after ~ n u t e s~ o ~ r s )

Lockout ~uration reveruntil a d ~ n .nlocks)electorever

uration n ~ n u t e s

Forciblyisconnectemotelectedusers from sewer whenogon Not selected

hours expire

Tied to logon hours spec i~edwhenuser account was created

Users must log on in order to Selectedchange password

Not selected

Select

*Six ty days would be a e ~ i s s ib l e assword change rate onlyf strong passwords re im ple ~en ted . trong passwordsmay only be im ple-mented under~ i n d o ~ sT 4.0 at the domain controller. Strong passwordsay bei ~ p l e m e n t e d s in g the p sr;R I .dl program availableunder service pack oftVindows NT 4.0. The strong passw ords prov ided y p ~ s s f i l t . ~ l lre urther described n the section on passwordfiltering.



~ i n i s ~ ~ t i o nr ba



Access this computer from network Adminjstrators, Everyone

Add workstations to domain No default group

ack up files and directories Administrators, Backup Operators, Server Operators

~ ha ngehe system time Adminjstrators, Server Operators

Force shutdown from remote system Administ~ators, erver Operators

Load and unload device drivers Ad~nistrators

Log on locally Account Operators, Administrators, Backup Operators, PrintOperators, Server Operators

anageuditingndecurityog Ad~njstrators

Restore files and directo~es Adminis~ators,Backup Operators, Server Operators

Shut down the system Account Operators, Administrators, Backup Operators,i n tOperators, Server Operators

e ownershipof files orotherdirectories Ad~nis~ators

~ocessessuch as la~nching ap~lications)

nt from the other policies in that they are managedhr

, whichwas in~oduced in ~ ~ d o w s 4.0.

conve~ent ay to edit system policies that were previ



Files private to membersf theAdmin department

~ s t ~ l e dpplicationsto be runfrom the server

C ~ ~ m ~ n Filesublico eve~onenheomain

lneerin~

Finance

R e s ~ a r c ~

temp

User

Files private to the nginee~ngglobal group

Files private o the Finance global

group

Files private to theM ~ k ~ t i n gglobal group

Files private to the Researchglobal group

Applications that can be installedoff the network onto local computers

Files used by Windows NT and

server resident software

~ o n t ~ n e ror subdirectoriesprivate to each user

The system directory containing~ i n d o w s T

No access is necessary.

This directory s not shared.

No explicit accesss necess ~y.This directory is not shared.

directoryis now shared in



ons are not available

in the~ i ~ ~ o ~or that drive.

t ~ e n tn anor-

each ~ e ~ ~ccess.This



S

e

Local

Local

Local

Global

Global

Global

Local

Local

Local

Local

Local

ctio

Members can administer domain user and groupccoun~s.

Members can fully administerhe server and the domain.

embers can bypassile security to archive files.

Members canad~nis te romain accoun~s nd computers in the domain.

st rights to all domain resources.

All domain users are partf this group.

embers have Guest accesso the domain.This group should e~ a i nempty.

Members can administer domain printers.

A special goup for directory replication.

Members can administer domain servers.

Server users.

in the inputbox,

usersarea c c o ~ t sttao not have an account.



uest



c c o ~ n t ~in these



0

t in u n ~ o w nasswords.As with the

field displays asterisks.

are both checked.

t ical users.

count, but t cannot be set.

S the user can log on to the network

ion date and the cco~n type.

User accounts are d~nistered ith the

tive tool.

The follow in^ illustration shows he processof creatinlustr~t io~sn this chapter assume that you have alre



thesystem,deleteeuser’saccount insteay all user preferences ande ~ s s i o n s ,ostem beforedel~tinghe account.

The process for del et in^ a user account s as follows:

environment profiles allow the changef soe users that are og

file location basedon the c u ~ e n tser or o mapa drive lettero a user’sa s e ~ e rf the person is log~ingn to a network.

User e~vironment rofiles also allowy

es as each user logs on.his batchdrive ~a ppin gsrfor any other p

not use user environment profilesless the profile somehow depends n the user’s name, The

od for ~ n n i n g p r o g r ~ sutomatically.



r.



in the text box. Replace theS

c ~ ~ a t enew sh and he user direc-

etween ~ o l u ~ e suri

cure environ~ent.

ng up too much space.

th function works



220 WINDOWS NT SERVER: SECURITY FEATURES

Profiles

User profiles control Windows NT features such as desktop colors and settings, program

groups and start menu settings, and network connections. Because these settings are dif-ferent for each user, storing them separately allows users to customize and control theirWindow s NT environment. Bob will always log on to the same environment, even if S usanchanges her wallpaper.

Local

Windows NT stores each user’s settings in special directories contained in the Prof i les di-rectory under your Window s NT System W INNT-ROOT directory. Each user’s local profile

is stored in a subdirectory named after the user. These directories contain all user-specificsettings. A special directory called Al l Users stores the settings that are global to all users.

Each profile contains many subdirectories. Applications such as Word and Excel

store user preferences in the App l icat ion Data subdirectory so that shared copies of theseapplications can maintain different customized features for each user. NetHood containspersistent network connections. Many other directories may exist and contain other settings

such as Star t menu programs and program groups.

Roaming

Roam ing profiles are stored like the local profiles, except that they a re stored on a W indowsNT Server. Storing one profile on the server, instead of storing a local profile on each of theWindow s NT computers that you use, m eans that changes to your environment will be ineffect for all the computers you use rather than just the one on which you m ade the change.

W hen specifying a roaming p rofile in the user settings for your user acco unt, the pro-

file is dow nloaded from the server every time y ou log on. C hanges you make are then sentback to the server so that they will still be in effect the next time you log on and dow nloadthe profile. Window s NT profiles affect only Windows NT. Logging on to a Windows 95computer will not bring dow n the Windows NT roaming profile.

You may want each user’s home directory to contain the user’s profile. The%username% environment variable can be used when creating User Director ies to

autom ate this process (see the list discussed earlier on the steps to create a user directory).

1.

2.

3.

4.

5.

6.

To create a roaming profile, follow these steps:

Select Start -+Programs -+ Administrative Tools+User Man ager for D omains.

Double-click Adm in stra or.

Click Profi le.

Type \\name-of-your-server\winnt\profiIes in the Use r Prof ile Path input box.(Replace name-of-your-server with the share name of your server and replace

winn t with the name of you r Windows NT directory share name.) If your W indows

NT directory is not shared, use the following path: \\name-of-your

server\c-drive-share\winnt\profiIes .

Click OK to close the User Pro f i les window.

Click OK to close the User window.



SUMMARY 221

7. Close the User Manager for Domains.

8. Log on as Administrator on another Windows NT machine in the dom ain to observe

the results.

SUMMARY

Just as providing service to network users is the primary purpose of a netw ork, creating acoheren t, secure, and useful user environm ent is the primary function of network ad minis-

tration. Window s NT Server creates such an environment by using group accounts, security

perm issions, user rights and policies, and network sha res.

Effective groups make administering large numbers of users easy. Rather than as-signing permissions to individual users, you can assign rights to groups and sim ply indicate

mem bership in different groups for each user. Window s NT will manage the combinationsof rights for users with multiple group memberships.

Security keeps resources from being exposed to unauthorized access. An op timisticsecurity policy allows maximum access to information and secures only specific informa-

tion. A pessimistic security policy secures all resources an d grants access only where nec-

essary. Both approaches are valid, and the cho ice will depend on the physical security en-

vironment. W indows NT supports two types of secured resources: network shares and filesystem objects. File system objects provide more control over security than shares do.

Wh en resolving con flicting file system and share restrictions, Windows NT chooses the

most restrictive permission.Policies are the general security characteristics of W indow s NT. Policy changes af-

fect the entire system, not just individual users or groups. Windows NT implements fourtypes of policies: Account Policies control access to user accounts, User Rights permit orrestrict security-related activities, Audit Policy controls the auditing of use r activity, and

System Po licy controls all other security-related system settings.Setting specific permissions for many users of a network can be an error-prone and

time-consuming exercise. Most organizations do not have security requirements that

change for every user. Setting permissions is more manageable w ith the security groups

concept, in which p ermissions are assigned to groups rather than to individual users. Userswho are memb ers of a group have all the permissions assigned to that group. Window s NT

implements two types of groups: those local to the machine and those g lobal to the dom ain.Global groups are stored on the primary domain con troller and replicated to all backup do -

main controllers.User accounts allow you to control security on a per person basis. Every person who

accesses a Windows NT domain receives a user account through which identity is estab-lished to the network and by w hich permissions to resources are granted. Window s NT also

provides two types of user accounts: accounts local to the machine and accounts global to

the dom ain. As with groups, global accounts are stored on the primary dom ain controller

and backed up to the backup domain controllers. User accounts can have logon scripts,

home directories, and roaming user preference profiles to allow users to work co mfortablyat any computer in the netwo rk.



DOMAINS AND TRUST

A domain is a set of computers with a central security authority, the primary domain controller

(PDC), that grants access to a domain. Usually a domain also contains one or more backup

domain controllers (BDCs) that provide distributed authentication services to continue

authentication services in the event of failure in the PDC as well as load balancing for au-

thentication services.As a rule many types of systems may join a domain, but the PDC and

the BDC must be Windows NT systems because of the compartmentalized security they can

offer.A domain can be set up to ease viewing and access to resources, to share a common user

account database and common security policy, and to allow administrators to enforce a com-

mon security stance across physical, divisional, or corporate boundaries. Once users are au-

thenticated to the domain, using either the PDC or a BDC, they can gain access to the re-

sources of the domain, such as printing and file sharing, or access to applications across all of

the servers within the domain. This concept of a domainwide user account and password elim-

inates the need for every machine to provide its own authentication service. Instead, the au-

thentication processes are passed through to the domain controllers for remote authentication

against that user account database. This allows machines to be dedicated to servicing indi-

vidual applications or programs without the overhead of authentication.

The primary function of the PDC is to maintain the security database. A read-only

copy of this database is replicated to each BDC on a regular basis to maintain consistency

in the environment. Because of the importance of maintaining the security database on thePDC and BDC, strict logical and physical access controls should be implemented.

Trusts are one-way relationships that can be set up between domains to share re-

sources and further ease administration. These relationships allow a user or groups to be

created only once within a set of domains yet access resources across multiple domains.

There are a number of trust models used to configure domains. The first is the single do-

main model with only one PDC and, by definition, no trust relationships (see Exhibit 5.10).

The next model is the master domain model for companies who desire centralized se-

curity administration. In this configuration, all domains, known as user or resource do-

mains, trust the master domain. The master domain maintains security resources for all ofthe domains within this structure. This configuration can support up to 15,000 users. There

is one trust relationship for every domain that trusts the master domain (see Exhibit 5.11).

The multiple master domain model is designed for larger organizations that desire

some centralized security administration. With more than one master domain, administra-

222



DOMAINS ANDTRUST

Exhibit 5.10 Single Domain Model

223

Exhibit 5.11 Master Domain Model

Exhibit 5.12 Multiple Master Dom ain Model

tion needs increase as a result of the need to create all network accounts on each master do-

main. The two master domains in this case trust each other, while the resource domains have

one trust relationship with each of the master domains (see Exhibit 5.12).

Finally, there is the complete trust model. This is designed for larger companies that

desire totally decentralized security administration. This configuration presents considerable



o m ~ n save two-way trust relationships with each other. This concept essentier-to-peer domains (see Exhibit.13).

tocols but also s compliant

.One of the top considera-cols to install and use.Pro-

or challenge faced y operating system vendorss how to m&e a secure, stan-product while possibly relyingn old, insecure protocols.This has been an on-

r all operating system vendors. ssent i~ly,Windows NT does not attemptoesses inany protocol,.~ o m p e n s a t ~ gontrols, such as the se of link- or applica-

tio~-level enc~ption,ay be a necessary addition or secu~ty-conscious organi~ations.

oss business and indus~yncreases, WindowsNT Server has come underny than ever regarding possible security flaws and holes. Exhibit 5.14 exam-ous attacks on the WindowsT Server operating system and the defenses put

has been vulnerable to various Denial of Service (DOS) and other at-attempt to retrieve sensitiven f o ~ a ~ o nr attempt to gain access with per-

those that the attackers own. To provide a secure environment, Mi-the formof patches and service packs. After being notifiedf therosoft issues fixes. Exhibit 5.14ists some of the more widespreadentified and the associatedix that has been released.

ts to mitigate them.



Anonymous User Connections (red button) is usedto gain information eg~dinghe administrativeaccount and the network shares that are available.

Remote Registry Access attemptso gain access tothe registry, either to retrieve passwords or to changesystem settings.

Password Theft and Crackingsan attempt to capturehashed passwords and crack them in order to gainfurther access o a system.

Weak and Easily Guessed Passwords

con~guration ack to installation settings.

GetAd~n-The GetAdnnin program was recentlyreleased from a Russian source. GetAdmin allows

regular user to get d~nis~ativeights on thelocal machine.

A follow-on to GetAdmin thatay bypass thehot f ix has just been released.

Services running under System context couldeused to gain access to the registry and other partsof the system as ,I

Unsec~ed ilesystem access using eitherDOS-or~inux-basedool gives accesso theNWS filesystem without any security controls,

Server Message BIock SMB) NetBIOS access.These access ports that are required for file sharingmay present an access path, especially when exposedto the Internet orwhen used in conjunction withUnix server~ ~ n n i n ghe Samba toolset.

Insert key into registry that prevents the anonymoususer from making a network connection to the server:

t.1KLM~~1stem\CurrentControI

~ e ~ t r i c t ~ n o n Y I m o u ~ *

D

Value: l

Remote registry access is prevented in WindowsTServer version 4.0 y the additionof a Registry key.This key is presentby default in a new installation ofWindows NT Server 4.0 buts not presentby default inWindowsNI?Workstation 4.0. It maylso not bepresent in a computer that has been upgraded fromWindowsNT Server 3.5 1.

WI(LM~ystem\CurrentControISet\ControI~ i p e ~ e ~ e r ~ ~ l n r e ~

Increase password encryption in theAM by applyingthe featuresof SP3. Remove onymous access to thesystem and tighten registry security.

Enforce a strong password policy rom the domaincontroller usingp~ssfllt.dll.~~s5 f i i t . d l ls availablefrom Service Pack onward.

Rollback may be used as a Trojan horse, andt shouldbe deleted from all systems.

A security hot ix to patch both GetAdmin and thefollow-on issuehave been released byMicrosoft.

Run Services as accounts other than system whereverpossible.

Physically secure the server to prevent access to thediskette drive.

Apply Service Pack 3nd disable TCPand UDP ports137, 138,and 139on any server connected to an outsidenetwork.



ttac

Denial ofService

efense

Telnet to unexpected ports can leado locked systemsor increasedCPU usage. Telnet expects connections tobe made to port 23 only.y default, WindowsNT oesnot support a telnet daemon.

The Pingof Death (large ping packet).n attack thathas affectedmany major operating systems has alsobeen found o affect Windows NT. The Ping of Deathis causedby issuing ping packets larger than normalsize. If someone was o issue the ping o ~ a n d ,specifying a large packet size> 64 bytes), theTCP,”stack will cease to function correctly. This effectivelytakes the system off-line until rebooted. Mostimple~entationsf ping will not allow a packet sizegreater than the 64-byte default;owever, Windows‘95and NT do allow this exception and can therefore causeor be vulnerable to such a system denial.

A recent versionf this problem has affectedWindows NT erver version4.0 SP3 systems thatrunIIS and are exposed to the Internet. This was dueto a fragmented nd improperly formed ICMP packet.

‘SW?’Hood Attack-A flood of TCP connectionrequests (SYN) can be sent o an IIS server thatcontains “spoofed” sourcep addresses. Uponreceiving the connection request, theIS serverallocates resources to handle and track theewconnections. A response is sent to the “spoofed”none~stentP address. Using default values, theserver will continue toe tr~smitnd eventuallydeallocate the resources that were set aside earlierfor theco~nection 89seconds later. This effectivelyties up the server, and multiple requests can cause the

IIS server to respond with a reseto all furtherconnection requests.

Out of Band Attacks-Out of Band (OOB) attacks, inwhich data s sent outside the normal expected scope,have been shown to affect WindowsW.The first OOBattack was identified after Service Pack 2 (SP2), and apatch was released that was also included in SP3. Thisattack caused unpredictable results and sometimescaused WindowsNT to have trouble handling anynetwork operations after onef these attacks. Sincethe releaseof SP3, another problem has been identified

network driver that caused Microsofrnetworking clients to remain vulnerable to variationsfthe OOB attack, coming from the Apple Macintoshenvironment. The OOB attack crashes the CPmprotocol stack, forcing a rebootf WindowsN T . Asubsequent hot fix as released to counter this attack.

Apply Service Pack 2 or 3.

This problem was resolved in SP2.

A new hot fix has been released, post-SP3, called theicmp-fix.

Service Pack 2 provides a fix to this vulnerability.

Apply Service Pack 3nd the subsequent OOB-fix.



fense ~ e p ~ m e n t ’ srpanet, which was first createdn thetraffic was allowed n it for the first time. With commer-

cial use and the subse~uent evelopment of the hypertext transpo~ rotocol and he Worldb that uses t, companies began to connect theirorporate WANs to the Internet.visible co~ectivity nd accessibility to corporate networksy large numbers of

people have created number of changes incorporate views of data security. The primaryone of aw~ene ss .n y short time, nontec~ical eople started talking aboutThey also started as about the security of their connections. The hype and

misinfo~ation su~oundinghe Internet’s eatures and risks have created the needor tech-

nology solutions and education about technology and security. Anyone can becomecon-tent publisher almost overnight. Sharingata with employees, strategic~ n e r s ,ustomers,and even competitors has become very easyo do. Naturally, this introduces or enhancesthe risks to an organi~ation’s ata.

he addition of Internet Information Server (11s) to the base ndows NT operating sys-ndows NT Server withew functionality as wells exposing Windows

sks of the Internet. 11s is integrated with the Windows NT operatingalternative to expandNT Servers to Web servers for in ~anetnd theudes standard TCPm servers for FIT and Gopher. ThisWeb client-a method toutilize Windows NT to provide~ o ~ a t i o no people on

ell-known security risks associated with the Internet, and IIS al-ws NT o be exposed to them. However, because IISs coupled with Windows

applications and protocols have been developed in an~empto limitS.

A ew of these applications and protocols have been explored insectionsasan exampleof icrosoft’s role in Internetec~ologies, s always,

the internal n e t~or ks wellas on the terne et.

Server, it allows for the use of the security features found in the operating system.

any system exposed to the Internet should be protected using multiple layersf security.

erver offers eatures such as site filtering, access control, requestog-ging,multipleInternet pr support,caching,andremoteadministration.Thisapplica-tion also integrates with the Windows NT operating system. The Proxy Server is an

optional product, not included with the base operating system.The Proxy Server assists in preventing network penetrationy masking the internal

network from other external networks. Client requests cane verified to be sure that theyare coming from thenternal network. I packets with destination addresses not defined are

sing computers on thenternal network. This helps to prevent spoof-can limit access o specified network addresses, address ranges, sub-

net masks, or Internet domains. The Proxy Server provides two levelsf activity or secu-g. ~ser-level uthentication is provided between the client and Proxy Server.



lines and the n t e ~ e t , eliminates the need ensive, leased-lineOr se-de~icated c o r n on servers because can be used over

is a combination of the co n~ g~ a t i o nf hardware and soare five subtrees in the registry.es and their purposes are s fo

eps all the con~guration n fo~a t io nor the specific

eps each user's i n fo ~a t io n ho has ever logged on the m a-

ins info ~ati on pert ai~n go the

chine.

Contains in fo~a t ion ertaining only to the cu ~ e n t

ns i ~ o ~ a t i o n p e r t ~ ~ n go the hard

changes hardware the users chan~inghe regt-end tools to change the registry rather than

c o ~ ~ decause the us

elp prevent users and othersrom causing problemsor

alues, inadvertentlyorotherwise. All users must have readc-of the registry in order to function in the WindowsT nvironmento change all registry valuesor make new registry entries.



The registry supports hree types of access p e ~ s s i o n s :

ers can edit, create, delete, or take ownershipof keys.

read any key value but make o changes.

cific key. These ten specific ights are listed in Exhibit5.15.Users canbe granted oneor more of ten specific rightso a spe-

Query Vdue

Set Vdue

Create Subkey

Enu ~er ate ubkeys

Notify

Create Link

Delete

Write DAC

Write Owner

Read Control

Read the settingsof a value entry in a subkey

Set the value in a subkey

Create anew key or subkey within a selected key or subkey

Identify all subkeys within aey or subkey

Receive audit notifications generated by the subkey

Create symbolic links o the subkey(s)

Delete selectedkeys or subkeys

Modify the discretionary access control listDAC) for thekey

Take ownershipof the selectedkey or subkey

Read security nf o~at ion ithin selected subkey

techni~ues hould be used for securing the registry:

isable remoteegistryditing by verifyingxistence or creating: ~~~

ecure the root keyss shown in Exhibit 5.16.

ecure registry subkeyso limit the accessof the Everyone groups shown in Exhibit.l6 using the following keys and subkeys:



egistry Key efadt Setting

HK€Y-LOC~L-~~CHI~E Administrators:ullontrol

System: Full Control

Everyone: Read

HKEY-CL~55€5-RO~T Administrators:ullontrol

Creator/O~ner: ull Control


Everyone: Read

HKEY-USEFI5 Administrators:ullontrol


Everyone: Read

HKEY-CURRENl-U5ER Adminis~rators: ullontrol


User: Full Control

HKEY-CURRENT-C~NFIG Ad~n istr ators: ull Control

(Windows NT 4.0 only) System: Full ControlUser: Full Control

Adminis~ators: ull Control


Everyone: Read

Administrators: Full Control

Creator/O~ner: ull Control


Everyone: Special Access (definedfollowing)

No Change

No Change

No Change

* Allow special access only to the Everyone group with only four of* ns: Query Value, Enumerate Sublceys, Notify, and Read Control.

NG: Using the Registry Editor incorrectly can cause serious, systemwide prob-lems that may require reinstallation of Windows NT. Microsoft cannot gu~anteehat anyproblems resulting fromhe use of the Registry Editor can e solved. Use this toolt yourown risk.

Windows NT is designed to provide an operating systemhat could be used in many typesof implementations, from local application servers andAN ile servers to r e ~ o t eccessservers and~ t e ~ e ~ i n t r a n e teb servers. WindowsNT has f ~ a ~ r e sor s e c ~ t yesi~nedto provide he user with choicesof a limited or extensiveontrol implementation, depend-ing on the business needs. Exhibit .17 lists the features and their descriptions that eithercontrol or implement security,



The LSA is also referred as the security subsystem and is theheart of the WindowsNT ewer subsystem. TheLSA provides thefollowing services:

* Creates access tokens during the logon process

* Enables WindowsNTServer to connect withhi rd-p~yvalidation packages

0 Manages the security policy

* Controls the audit policy

* Logs audit messages to the event log

The SAM maintains the security account database. SAuser validation services that are used by the LSA. SAM provides asecurity identifier or the user and the security identifierf anygroups that the users a member of.SKernel.

The SAD contains informationor all user and group accountsn acentral location. It is usedy the SAM to validate users. Duplicatecopies of the SAD can reside on u~tiple ervers depending nwhether a workgroup or domain models implemented and thetype of domain model implemented. Passwords stored in the SADare stored using a 128-bit ~pto~aphical lytrong system key.

SIDSare createdby the security accountm ~ a g e ruring the logonprocess, They are retired hen an account is deleted. If an accountname was created with the same name as an account that waspreviously deleted, the EI created will be i~erentrom the§IDassociated with the deleted account.

The SRM is the WindowsNT Server component responsibleorenforcing the access validationnd audit generation policy heldythe LSA. It protects resources or objects'rom unauthorized accessor modification. Windows NT Server does notllow direct access

to objects. The RM provides services for validating access toobjects (files,~rectories, nd so on), testing subjects (useraccounts) for privileges, and generating the necessary auditmessage. TheS W ontains the only copyf the access validationcode in the system. This ensures that object protection is provideduniformly throughoutWindows NT, regardless of the typeof

object accessed.

Discretionary access controls provide resource owners the abilityto specify who can access their resources ando what extent heycan be accessed.

Access tokens are objects that containnfor~ation bout aparticular user. When the user initiates a process, a copyf theaccess token s permanently attached o the process.

ACLs allow flexibility in controlling accesso objects and are aform of discre tiona~ ccess control. They allow userso specifyand control the sharing f objects or the denialf access toobjects. Each object'sACL contains access control entries thatdefine accessper~ssionso the object.



Y

S

The interactive logon processs ~ i n d o w s T Server’s first line of

defense against unauthorized access.n a successful lprocess flows fromhe client system to the server sysexposing the user’s password n clear text overhe network. Theentire logon process s described inan earlier section entitled“LogonProcess.’’

The Windows NT Server egistry is an access~controlled atabasecontaining configuration ata for security, applications, hardware,and device drivers. The registrys the central point for storingthese data. The registry contains all user profile informations

well as the hashed user password.

Windows NT Server auditing features record events to showwhich users access which bjects, the typeof access a~empted,and whetheror not the attempt was successful. Auditing caneapplied to:

* System events such s logon and logoff, ile and object access,use of user rights, user and group management, security policychanges, restarting and shuttingown the system,and processtracking

* File and directory events such s read, write, execute, elete,changing permissions, and taking ownership

* Registry key access to subkeys

* Printer access events suchs printing, taking ull control,deleting, changing permissions, and taking ownership

* Remote AccessService events suchas authentication,disconnection, disconnection ue to inactivity, connection butfailure to authenticate, connection but authentication time-out,disconnection due to ans sport-Ievel errors d ~ n gheauthentication conversation, and disconnectionue to inabilityto projectonto the network

* Clipbook page events suchs reading the page, del

contents of the page, changing e~ li ss ions ,nd chaudit types

security and systems staff* Events of significance canbe sent to a pa

Three logs record system-, security-, and~plication-relatedevents:

1. The system log records rrors, warnings, or information

2. The security log records valid and invalid logon attempts and

generated by the Windows NT Server system.

events related to the usef resources such as creating, opening,

or deleting files r other objects.

3. The application log records, rrors, w ~ i n g s ,nd inf o~a tio ngenerated by application software, suchs an electronic mailordatabase app~ication.



ibit

roeess solation

UserA e c o u ~ t e c ~ r i t ~

The size and replacement strategy can be modified for eachf thelogs. Each logged event’s details cane displayed.

WindowsNTwas designed to provide process isolation to preventindividual processes from interfering withach other. This isaccomplished by providing each process with its own memoryspace withno access to any other process’s memory. Thissegregation of memory is also designedo prevent data from beingcaptured from he memory space.

There is an option to overwrite an individual user’s swaprtemporary disk pace after logout to prevent anyone from readingthat user’s temporary iles and data.

User account security policies are managed through the usermanager and consist f account policies and user rights policies.

* Account policy controls the ay passwords must be used y alluser accounts. The major account policy controls includemini~umnd maximum password age, n i m u masswordlength, password uniqueness, forcible disconnection beyondlogon hours, and account lockout.

* User rights policy allows the granted usero &ect resources forthe entire system. The basic rights offeredy Windows NTServer include access from a network, backing up, changing the

system time, remoteorcible shutdown, local logon,ana agingthe audit and security log, restoringiles, shutting down thesystem, and taking ownershipf objects. Windows NT Serverais0 contains many advanced rights. n total, there are twenty-seven rights that may be assigned to users.

Windows NT Server offers two built-in accounts: the Guestaccount and he Administrator account. These accounts werecreated for specific uses and arey default members n a numberof default groups. The Guest account is disabledy default.

The user properties feature allows the administrationf user

accounts, passwords, password policies, group membership, userprofiles, hoursof logon, the workstations from which the useranlog on, and the account expiration date. In addition, passwordfiltering canbe i~plementedo increase the strengthf passwordsecurity policy.

User profiles enable the WindowsT erver to structure andmanage the user’s desktop operating environment and present theidentical environment without regard to the workstation. Thisileis loaded on logon. The user profileditor allows disabling Run inthe file menu and disabling the Save Settings menu item, showscommon groups, changes the startup group, locks program groups,

restricts access to unlocked program groups, and disablesconnecting and removing connections in the print manager.

Home directories can be assigned to each user for storagefprivate files.



Feat~re

ain Controllers

eplication

Logon scripts are executedn logon by a user. They provide the

network administrator with a utility for creating standard logonprocedures.

Groups allow an administrator to treat large numbersf users asone account. Windows NT Server utilizes two typesf groups inits tiered administration model:

* Local groups are defined onach machine and can contain bothuser accounts and global groups. WindowsT upplies anumber of built-in local group accounts.

* Global groups are defined at the domain level and can containonly user accounts from the local domain but not from trusted

domains. Windows NT supplies several built-in global groupaccounts.

In a WindowsI7 network environmentt is possible to implementtwo different network models:he workgroup model r the domainmodel.

* The workgroup model allows peer-to-peer networking formachines thatdo not participate in a domain. Each WindowsT

machine that participatesn a workgroup maintainsts ownsecurity policy and SAD.

* The domain model is n effective way to implement security

and simplifya d ~ ~ s t r a t i o nn a network environment.hedomain allows he sharing of a common security policy andSAD.

~ e s c ~ p t i o n

The domain model establishes security between multiple domainsthrough trust relationships. A trust relationship is a link betweentwo domains causing ne domain to honorhe authentication ofusers from another domain. A trust relationship between twodomains enables user accounts and global groupso be used in adomain other than he domain where these accounts are located.

Trusts canbe uni- or bidirectional andequire the p~ ic ip at io nfan ad~nistr atorn both domains to establish each directional trustrelationship.

Windows NI7 Server provides domain authenticationervicethrough the use of primary and backup domain controllers.fcommunications to the primary domain controller break, thebackup domain controllers will handle all authentication.backup domain controller ay be promoted toa primary domaincontroller if necessary.

Windows NI7 Server uses replication to synchronize the SADs onvarious servers. This processs automatic. Replication s not

restricted to the SAD but can be used to create and maintainidentical directory trees nd files on multiple servers andworkstations. The replication feature contains a security toolocontrol the import and exportf files and directories.



TFS

The server manager tool enables the following typesfadminis~ative ctivities:

e Display the member computers f a domain

e Select a specific computer for d~ in is~at ion

e Manage server properties and services, including start and stopservices, and generate alerts

e Share directories

e Send messages to systems

These adminis~ative unctions requirea d ~ n i s ~ a t i v eccess.

NTFS is the more secureof the two writable ile systemssupported by WindowsNT Server.NWS is the only file system toutilize theWindows NT file and directory security features,is a og-based file system that offers recoverability in the eventfa disk fault or system failure.

The nextmajor elease of the operating system il l provide anoption for file-level encryption.

"he legal notice features provided to strengthen the legal liabilityof in~v id ua ls ho may attempt to accessa system withou~authorization. The feature displaysmessage to the user &er theC T ~ L ~ ~ L T ~ ~ E L

eystroke combination during the logon process.When the legal notice appears, the user must acknowledge thenotice by selecting theOK button in the message box presented.

WindowsNI? erver has fault tolerance features that cane usedalone or n combination to protect data fromot en ti^ mediafaults. These features are disk ~ o r i n g ,isk duplexing, diskstriping with parity, and sector hot-sparing.

The Tape Backup enables backing up and restorationf files anddirectories. Backups can beull, incremental, d i ~ e r e n t i ~ ,ustom,or on daily basis for those files changed on the dayf thebackup.

The lastknown good con~gurationeature allows the restorationof the system to the last working systemon~guration.Whenused, it discards any changes to the on~gurationince the lastworking system configuration. This features automaticallyupdated after any system boot.

The emergency repair disk allows the restorationf the system toits initial setup state. The emergency repair disk can be usedfsystem files are corruptnd the user s unable to recover theprevious startup configuration. Securing the ~ergencyepair diskis of utmost importance since it contains a copyf key pieces ofthe security accounts database.

The Ul?S feature allows for the connectionf a batte~-operatedpower supply o a computer to keep the systemn n i n guring a

power failure. The PS service forWi~dowsNT Server detectsand warns users of power ailures and managesa safe systemshutdown when the backup power supplys about to fail.



E ~ h i ~ i t.17 ( ~ o ~ ~ ~ ~ e ~ )

N e t ~ o r kMonitor

Task M a n a ~ ~ r

Network Alerts

~ oin t-to -P oin t n n e l i n ~

otocol (PPTP)

~ i s t r i b u ~ d C o ~ p o n e n t

Object Model ~ C O M )

Services A d ~ n i s t r a ~ o ~

Feature

emote Access Services

A d ~ ~ i s t r a t i o nools

The Network Monitor allows examinationf network traffic toand from a server at the packet level.his traffic can be capturedfor later analysis, making it easiero troubleshoot networkproblems.

The Task Manager is a toolfor monitoring application tasks,eyperformance measurementsof a WindowsNT Server-basedsystem. Task manager gives detailednfo~at ionn eachapplication and process running on the workstation, as well asmemory and CPU user.t allows for the terminatio~ fapplications and processes.

The performance monitor tool enables theonitor in^ of systemcapacity and prediction of potential bottlenecks.

Alert messages can be sent to designated individuals. These

messages can report on security-related events, such as too manylogon violations or performance issues.

This set of encryption APIs allows developers to developapplications that willwork securely over nonsecure networks suchas the Internet.

P P V provides away to use public data networks, such as theInternet, to create virtual private network connecting client PCswith servers. PPTP provides protocol encapsulationndencryption for data privacy.

WindowsNT 4.0 includes DCOM, formerlynown as Network

OLE, which allows developers and solution providers to useoff-the-shelf and custom-created OLE componentso build robustdistributed applications. Most~portantly,t utilizes Windows TServer’s built-in security.t addresses a problem thatasfrequently associated with OLE applications trying to run asservices under WindowsT:Windows NT Server’s built-insecurity did notet OLE services o ~ u n i c a t eetweenapplications because most applications are launched from adesktop running a different security context from the services.Using DCOM, Windows T 4.0 now allows c o ~ u n i c a t i o ~between different security contexts.

The Windows NT diagnostic tools used toe x ~ n ehe system,including in fo~ at io nn device drivers, network user, and systemresources.

The Service Manager enables the access and administrationfnetwork and operating system services.

e s c ~p t i o n

The M S dministration tools control the remote connectionenvironment.

The following tools are used in theS onfig~ation nd

ad~nistrationrocess:

* Network Settings enables the installationnd configuration ofnetwork software nd adapter cards andheports inw ~ c hheyreside.



* Network Con~gurationontrols theRA§ inbound and outbound

protocols as well s encryption require~ents. ach protocol hassubsequent dialog boxes ith con~gurationnd control features.

* The Remote Access ad~ in is ~at io nool enables~onitoringfrts, a~ini strati on f remote access permissions, andon of any callback require~ents .

nte ITS is m dd-onoindows NT .0. Integration of TISwithT 4.0

allows IIS to have full usef NT .0 Server securityand directoryservices. The integration supports logging serverrafik to NCSACommon Log File Format as wells any ODBC database. IISprovides Web, FTP, and Gopher services to theWindows NTsystem.

Windows NT Server supportshe TCPfiP protocol and IP addressformat. The TCPlIP on~gurationool ad~inisters CP/IP as well

IP routing, tradition^

to theG2 security standard.

t wrote a series of ~a n ua l s omputer security over thedifferent color of cover. This nbow Series” of manuals

how to desi n, build, choose, analyze, and rate a trusted system,cember 1985and discussedW criteria to use to v

uals were subse~ue~t lyoduced that expanded the general terns used mn

. heyreheedook,which int book withelationoS, and the Blue book, which book with rel~tiono

book divides securitynto four S

hile class A s verified protectioand C2, controlled access prot

sub~yst~ms.

follow in^ ~eas-~ecurityPolicy,ccou c~me~tat io~-fineshat a systemustebleo do i r e ~ e n t sf that

a system is evaluated agai~sthese critn is created and used for the ev~uatio

the appropriate levelof securi



S of resource isolation.

ilure, access con-e s~stemo enforce access controls toob-



3ce~ification,he source codef the systems available for review as well asalldevelopment process. Somef the critical conceptso understmd are:

Out of the box many operating systems (including ndows NT) are considered in-secure,

0 C2 compliance may or may not meet an organization’s security need.

0 A C2-level security configuration (this includeso floppy drive andno network con-nectivity) may be impractical or inappropriate to use in many organizations.

There are other controls such as physical and ~onitoring ontrols that must be ad-dressed for compliance but are not operating system components.

Av~lability,which is often critical in mmy corporat~nvironments, is not oneof thecriteria for C2 ce~ification.

0 An organization must assess the level of risk ~ssociatedwith the data they are at-

tempting to protect, have a policy in place to define what security levels appropriatein their environment, and have monitoring controls in place to~terminef the policy

is being complied with.

Using thesecrit~ria, co ~p an y cmpp~opriately ecide if the level of secu~tyheyhave implemented s too much, appropriate, or needs additional controls, such asinklevel crypto~raphy etween a client and a server. In this t, the question is not “is

product C2 certified”utwillhisperatin lone or withdditional

M or th ir d- p~ yools, meet he security need

Cowarts,R.Windows lW4.0 S e~er- ~o r ks t a t i o n ~n l ea s ~ed .ams ~b li sh in g, 997.. igrat ingo Windows ~ 4 . 0 .ukeW., et al. ~ i n d o wsW Sew er 4: S e ~ u r i ~ ,rou~les~oot i~g,nd

WindowslW Sewer 4 ~ n l e a s ~ e d .

Grant, G., et al. Troubleshooting with Microsoft:G

Karanjit, S. WindowsW Sew er ~ r o f e s s i o n a l

dows NT ~ ~ g a ~ i n e .

Corporation. Windows NT o r ~ s t a ~ o nW 4.0: ~xplorehe N ~ weat t u res .

S NZ’ S e ~ u r i ~ssues. So~ ars oft orp.Sheldon, T. ~ i n d o ws T S e ~ u ~ i ~a n d ~ o o k .

Sutton,S. A. Windows N ~ S e ~ u r i ~ ~ u i d e .rusted Systems, 1997,

Microsoft Security w w w . ~ i c r o s o f t . c o ~ s e c ~ r i t y )



sk

1 Systemllerversnheomainlderervers,uchsll W~ndowsNT .5ndConfiguration hould beWindowsNT 3.51 WindowsNT3.5orLANLAN ~anagerervers

orhigher;no LANManagerManager,may ubject he houldbe eli~natedromorWindows W serversWindows NT environmentohe domainorupgradedprevious to version.5 l undueecurityisk. i~ediately.should exist within thedomain.

1 SystemheatesticrosofterviceConfigurationpacksand hot fixesshould

be installed and properlyconfigured.Service packs and hot fixesshould be reapplied aftereach new softwareinst~lation.

1 System The “system key” optionsf

Configuration Service Pack3 (SP3) shouldbe implemented.

Current versionsof the

operating system containprocessing and securityenh~cements . ervice packscorrect bugs that ave beenc o ~ u n i c a t e do Microsoft.If the versionof the operatingsystem is not current, there isan increased risk thatnunauthorized user may be ableto exploit weaknessesn theoperating system. Certainservice packsand hot fixesrequire systemad~nistrationintervention such as therunning of an application orthe manual entry f a registrykey into the registry.

The systemkey feature ofService Pack 3 providesstronger encryption f theSAM database. Enabling this

option decreases the risk thatpassword hashes will becracked if obtained.A utilityhas been released that canextract the Windows NTpassword hashes even withsyskey implemented;therefore, this risk is onlymrtiallv mitigated.

Obtain the latest servicepack and hot fixes from~i cr os of t nd properlyinstall and configure theservice packandappropriate hot fixes. Thelatest service packorWindows NT3.51 is5, andthe latest service packorWindowsNT4.0 is 3.

Enable the syskey option



Upgrade allLAN Manager andWindowsNT 3.5 servers toWindowsNT version 3.51 rhigher.

rowse the Microsoft home pageand download the latest servicepack. ~dditionaliy, iew availablehot fixes and determine which arenecessary to install on targetsystems. Install the service packand applicable hot fixes on a testmachine to ensure compatjbilitywith existing applications. Ensurethat the hot fixes are installednthe correct order by referring tohe

hot fix documentation and installonly after thorough testing.

Ensure the system key options areinstalled by reviewing the settingof the~~L~~ys tem\Cur rent

boot registry key. Ensure, in a testenvironment, that this feature isco~patible ith all installedapplica~ions.After testing andinstallation, update the repair disk.Note thatSP 3 will no longer beuninstallable.

Choose one of the three methodsfor storing the system key:* obfuscated key on machine* obfuscated key on diskette* password protected key at boot

T ~ c h n i ~ u ~ s

Verify, through discussion with thecompany and physical inspection,that each sever s running theWindowsNT operating systemversion 3S1 r higher.This

document is only applicable andeffective for said versions.

Determine, by searching heMicrosoft home page, the latestavailable service pack and hot fixversions. Ensure that appropriatepatches are installed on eachWindowsNT server. Confirm thatprocedures exist to update servicepacks and hot fixes as new versionsare release and new software isinstalled on the system.

Determine, through discussion withthe network a d ~ n i s ~ a t o r ,f thisoption was considered. If syskey wasd e t e ~ n e do be viable in thisinstance, verify that the properoption is set in the registry:~~L~ystem~urrentControiSet\ControlU5~~ecureboot.nsurethat sufficient regression testingoccurred on a machine outsidef theproduction env~onment.

Verify the choice of the key storage.

Verify, t ~ o u g hiscussion with thecompany and physical inspection,that each sever s ~ n n i n gheWindowsNT operating systemversion 3.51 or higher. Thisdocu~ents only applicable andeffective for said versions.

During specific server reviews, refer

file to verify the versionf theoperating system.

hotf~x.txtiles to ensure thatappropriate service packs and hotfixes have been applied. Confirmthat procedures exist to updateservice packs and hot fixes as newversions are released and newsoftware is installed on the system.

Refer to guidance material andhe

Mjcrosoft home page to determinethe latest service pack version andhot fixes available.

Determine, through discussion withthe network ad~inistrator,f thisoption was considered. If syskey wasd e t e r ~ n e ~o be viable in thisinstance, examine thec ~ ~ ~ e r n ~ r n e ~ .Isa.txt file and ensure the value

to 1.

Verify diskette s protected, if used.

Verify knowledge of boot passwordfor the key.



1 Systemhe Primavyomainunningpplicationsn a PDCshouldetilizedConfigurationController PDC) houldnotPDCopens hePDC to any forauthentication and

be utilized for other purposes vuln~rabilitieshat xistn elated ervicesonly.except those directly related that application. Additionally,to authentication, such s if the PDC is used for otheraddress assignment or name purposes than authentication,lookup. there is an increased risk that

the server may not possessenough resources o performboth functions adequately.

1 System System services should e If servicesare allowed to

Coll~guration running under a secured interact with the desktopcontext.henheyretarted,here is

an increased risk that domainresources may becompromised.In addition, ifthe service is compromised,the service will be runningwith too much authority.

No services should havethe “Interact with thedesktop” check boxchecked. Services shouldnot run under globalaccount but rather localaccount. Accounts createdto run asa service shouldnot be allowed certainrights such as LognLocally unless required.

2 Networkingorkstationndimeestrictingsersasedn ~orkst ation ndimerestrictionshould beworkstationsndimeeducesestrictionshouldeenforced whenossible.he risk thatnauthorizednforced when possibleor

access will be obtained. These typical domain users.controls shouldbe enforcedfor users that utilize nly oneworkstation during set hoursof the day.



~ o m ~ l i a n c e A s s e s s ~ e n tTech~ques

Ensure that all DC servers are Verify that thePDC is onlyused for

only performing authentication. authentication by p e r f o ~ n ghefollowing steps:l.Open server manager.2. Select the PDC and choose

Services. . rom thecomputer pulldown menu.

3. Review each running service todetermine if it is used or apurpose other thanauthentication.

W e n services are startedheyshould not have the allow serviceto interact with desktop optionselected. Open server manageroreach server in question. Openservices from the computerpulldown menu. Double-click oneach serviceand verify the settingsfor Log On As.

Verify that services cannot interactwith the desktop y performing thefollowing steps or all servers inscope:l. Open server manager.2. Open 5ervices. . from he

computer pulldown menu.3. Double-click on each service

and verify that the l low

services to Interactwlth the~esk topption is not selected.

l ,2.

3.

4.

5.

6.7 .

When enteringnew users or o Verify the user Logon hoursychange existing users perform the performing the following steps:following steps: l. Open User Manager.

Open User n nag er. 2. Open u5er Properties byOpen theUser P r o p e ~ ~ e sy double-clic~ng n the

Verify that the PDCs only used forauthen~cation y reviewing the<servername>.5ervic

ensu~nghat only authenticationrelated services are installed andstarted. Also, eview the<servername>.pulist.txt file toensure only authentication-relatedprocesses are running.

Allowable applications includeDHCP, WINS, and DNS.

Verify that services cannot interactwith the desktopby revi~wing heServices Report portionf<senrername>,uJinms~.~tndnoting any services with a ServiceAccount Nameof anything otherthan Localsystem or any serviceswith a ServiceHag of Interactive.

Verify the user Logon hours andworkstation restrictions y reviewing<servername>.users.txt anddeter~ning hether workstation ortime restrictions are enforcedor any

d~uble-clic~ngn theusernarne.Click theHours button.Select the appropriate timeand click theAllow andDisallowbuttons asappropriate.Click OK to confirm changes.Click LogonTo button.Verify user accessby stations.

username.sers on heystem.3. Click theHoursbutton.4. Verify that the hours listed in

5. Click theCancelbutton to

6. Click LogonTobutton.7. Verify user access by stations.

Blue meet corporate standards.

close.



3 Networ~ng Usershouldeorciblyavingsersutomaticallynablehdisconnected from servers disconnectedromheystem acco~~t clwhen their login hours whenheir time expireseature in accountolicies,

expire. ensures that networkresources will not be accessedunless the user is specificallyauthorized for access duringthose hours.

UserM~agement

UserManagement

UserManagement

All users and groupsn thedomain should be knownand documentedby thegroup responsible or

maintaining the WindowsNT environment.

All user and directorymanagement should beperformed through WindowsNT native tools.

All user accounts shouldhave an applicable,informative full name anddescription.

If users and groups existwithin the domain that are notknown or documented, thereis an increased risk that the

security of the domain may becompromised.

Certain versions of non-WindowsNT nativeadministration tools(Windows95 ) create useraccounts and user homedirectories in an insecuremanner.

Requiring all users to havedescriptions and full namesminimizes the possibility thatan extraneous, unneeded useraccounts will be created. Sucha user could bypass systemadministration and be used forunfavorable purposes.

An inventory of users andgroups should beperformed periodicallyand checked against an

approved listing of usersand groups. If “rogue”users orgroups are foundthey should be investigate^~mmediately.

administration toolsshould be used toadminister users andgroups and createdirectories.

Add an applicable andinformative full name anddescription to each useraccount.



Enable theForced accountDlsconnect feature in accountpolicies by p e r f o ~ n ghefollowing steps:

1.

2.

3.

4.5.

6.

7 .8.

Open Uier ~anager.

the user pulldown menu.

Click OK.

Select account from thepolicies pulldown menu.

Select the~ o r c i ~ l yis connect remote users

Close User ~ a n a ~ e r .

Document all users and groups inthe domain.Verify that all usersare presently employed with thecompany by obtaining a list from

Human Resources.

Utilize native Windows NTadminis~ationools to administerusers and groups and to createdirectories.

When creating users, fill in theullame and Description fields for

the new account in the UserManager.

~ o ~ ~ l i a n c essessment~ e c h ~ q u e s

Verify that theForced accountDisconnectfeature in accountpolicies has been enabledyp e ~ o ~ i n ghe following steps:1.2.

3.

4.

5.

6.

7 .

8.

Open User Manager.

Choose Select Domain. .from the user pulldown menu.Enter theAuthen~cation

omain in the Domain: box.Click OK .Select Account. . rom thepolicies pulldown menu.

Verify that theForciblydlsconnect remote users

from server urhen logon

hours expire check box hasbeen checked.Click OK.

Close User Manager.

Compare user inventory withnactual employee list fromumanResources and verify that all usersare current employees. Also

determine if there are procedures inplace to periodically check the usersand groups in the domain againstthis listing.

Determine, through discussion withthe network administrator andphysical reviewof the system,which tools are used to administerthe network. Ensure that all toolsare designed specifically or

Windows NT.Verify that all users have ull namesand descriptions in the appropriatefields by viewing the usersn UserManager by performing thefollowing steps:

1. ChooseSelect Domaln. .

2. Enter theAuthenticationomain.

3.Click OK.

from the user pulldown menu.

C o m p l i ~ c e ~ e ~ f i c a t i o nTech~ques

Verify that the Forced accountDisconnect feature in accountpolicies has been enabledyreviewing c5ervern~me>.

pollcies.txt and ensuring that the“Force logoff when logon hoursexpire” control s imple~ented.

Verify thatlogon hours are set forusers.

Compare user inventory withnactual employee list from HumanResources and verify that all users

are current employees. Alsodetermine if there are proceduresnplace to periodically check the usersand groups in the domain againstthis listing.

Determine, through discussion withthe network administrator andphysical reviewof the system,which tools are usedo administerthe network. Ensure that all toolsare designed specifically orWindows NT.

Review cservername>.users.txt

and verify that all users haveapplicable and ull names anddescriptions.

View all users and verify thatheyhave full names and descriptions.



No. C a t ~ ~ o r ~ Control Objectives Risk

3 User Naming conventions should Having all users with the

Management be established and followed same naming conventionfor all user accounts. increases network security, asNaming conventions should users can easily e identifiedcover end users, contractors, and accounts that do notconsultants, and vendors. adhere to the naming standard

are easily identified. Settingup emporary accounts forcon~actors, onsultants, andvendors with an identifiablenaming convention allowsthese accounts o be easilyidentified and purged ifwarranted.

3 Userserccountshouldnly Having all user accountsManagementbe nterednhe centrally administered y

Authentication Domain’s domain increases networkPDC and noton security because resourceworkstationsrervers.llocationan be controlled.

The only accounts that shouldexist outsideof the domain,on local workstations, are thebuilt-in Guestand

Administrator accounts.

Name all user accounts inaccordance withestablished n ~ i n gconventions.

Remove alluser accountsfrom resource domains,servers, and workstationsand move them to theirrespective au~enticationdomain.



Name all user accounts inaccordance with establishednaming conventions.

Move all user accounts from theresource servers to theauthentication domain byperforming the following steps:

1. Open User ~ a ~ ~ ~ e r .2. Choose Select Domain. .

from the user pulldown menu.

4. Click OK.

5.Double-clic~ ser account.

6. Write down all visible

7. Close user information.8. With the user account

info~a t ion .

highlighted select Deletefrom the user pulldown menu.

9. Click OK.

10. Repeat steps 5-9 until all

1 s . ..

12.

13.14. Select Neu User. m . rom

the user pulld o~n enu.15. Enter all user information.16. Click Rdd.

17. Repeat steps 14-16 until all

enu.

Verify that all users are named inaccordance with corporate policy byviewing the users in User a n a g e rby performing the following steps:4. C h o o s e 5 ~ l e ~ to m ~ i n .

&om the user pulldown menu.5. ~ u ~ e ~ t i c a ~ o ~

6.7. View all users and verify that

they have been named in

accordance with corporatepolicy.

Note whether he namingconventions provide or the ability toidentify employees, vendors, andtemporary IDS.

Verify that there are no useraccounts on each server andwor~station y performing the

3.nterhe servernname.

4. Verify that the only accountslisted are the DefaultAd~nistratornd Guestaccounts.

5. Repeat steps 2-4 until all serverand workstations have beenverified.

6. Close User Manager.

Obtain a copy of the company’s usernaming conventions and ensure theyare being enforced on all user

Note whether the a~ i n gconventions provide or the ability toidentify employees, vendors, andtemporary IDS.

~ern~me>.~sers. tx t

and ensure that end user accountsare only created in theAuthentication Domain.



ain ~ o n t r o ~ l e r e ~ ~ ~ t y

ory ~ o ~ t r o l~ j e c t i v e s sk

3 Usernyccounthatasotnactiveccountsreften~ a n a g e ~ e n t loggedntohe uthenti-used by intruders tobreaknto

cation omain for an a etwork. If a userccountextendedperiod of timehasnotbeenutilized for someshouldeisabled.ime,heccounthoulde

disabled until t is needed.This minimizes the possibilitythat an unauthorized user willutilize the account.

Disableallaccounts thathave not been logged intoin accordance withcorporate standards.Industry guidelines statethat if an account has notbeen used for 90 days, it isinactive. Enableanaccount only after beingcontacted by, andverifying, the users

appropriate.

3 Userccounts of individuals whoavingutstandingccountseletellnneeded

dooteedheirccountsncreasesheisk of accounts, t e r~na ted

shouldeeleted. unautho~zed ccess.mployees, and

~anagement areoongermployedrhatre no longereededccounts,ncludingendor

contractors.



Disable stale user accountsyperforming the following steps:

l. At the command prompt, issuethe net user<User Name>command for each user.

2. Note the last login time.f theaccount has not been loggedinto in a specified period ftime (in accordance with ourbest practices), this accountshould be disabled.

3.Disable the account y issuingthe net user UserName . / ~ c t ~ v e : n o>

Note: If a user often authenticatesto aBDC ather than the PDC,then this proceduremay notprovide the true last logon time.

Remove unneeded user accountsfrom the authentication domainyperforming the following steps:

2. Highlight the unneededaccount and select eletefrom the user pulldown menu.

3. Repeat until all unneededaccounts have been removed.

~ o ~ ~ l i a n c e ~ s s e s s ~ e n tT e c h ~ q u e ~

Verify thatall nactive user accountshave been disabled y performingthe following steps:

1. At the command prompt, issuethe net user<User Name>command for each user.

2. Note the last login time. If theaccount has not een loggedinto in a specified periodf time(in accordance with corporatepolicy or out best practices), this

account should be disabled.3. Verify through the use f a toolwhen the last valid logon timewas.

Verify that there are no unneededuser accounts inhe authenticationdomain by pe r fo~ inghe followingsteps:1. Open the User ~ a n a ~ ~ r .2. Review the list of users.3.Discuss these users with the

network adminis~atorndhuman resources to determineapprop~ateness.

~ o ~ ~ ~ ~ n c ee ~ f i c a t i o ~T ~ c ~ n i ~ u e ~

Verify that all inactive user accountshave been disabled by reviewing<servernarne>.user5;.txt foraccounts with a T ~ u e ~ a s ~ o g o nTime” that exceeds the corporatepolicy.

Verify that there are no unneededuser accounts n the authenticationdomain by obtaining a listing frecently departed employees fromthe HR department and ensuring thatthe former employee’s account havebeen removed or disabled from theAuthentication domain. Thisinformation can be found in theappropriate< s e ~ e r n a m ~ ~ .users . t x t file.



No. C a t e ~ o ~ Control ~bjectives isk

3 Userheefaultdministratorhe ~dminis~atornduest

be assigned a strong on all Windows IT systems.

password and renamed Consequently, they are one ofimmediately after the first accounts that aninstallation. intruder will altempt o use.

The Ad~ ini s~ ato rccount onWindowsNThas all systemrights and therefore should ethe most protected account onthe system. If these accounts

are not renamed, all anattacker would have toaccomplish is brute forceguessing a password.Depending on other systemsettings, this might be easy toachieve in a elatively shortperiod of time without beingdetected.

Management ndGuest ccounts hould ccounts reknowno xistRename the defaultAdministrator and Guestaccounts. Assigna strongpassword to both theaccounts. Addan accountnamed “Adminis~ator”and assign t no user rightsand no groupmemberships. Having anaccount namedAdministrator with no user

rights will aid intruderdetection bywriting to theaudit log.



EN

Rename the default accounts byperforming the following steps:

1. Using User ~a na ge r

highlight the Rdminlstrator

account.2. Choose the rename option

under theUserpulldownmenu.

3. Enter a new account n ~ e ,which conforms to corporatestandards, in theChangebox.

4. Click RK to confirm changes.5. ~ouble-click n the

6.

d

7. S.

8. Choose NeuJ User from the

9. Enter A~~inistratorn theUser pulldown menu.

Usernamebox.

10. Enter a full name inaccordance with corporatee .

11.

12.

PassuJordboxes.13.hat the User Must

e PassuJ~rd atextbox is not selected.

14. he PassuJordeverExpirescheck box.15. Click the Groupsbox.16. groupsnderhe

17. Remov~utton.18. Click the OK button to confirm

19. Click the Close button.

Of: box.

changes.

C o~ p l i an c e A s s e s s ~ e n tTechNques

Vetify, with the networka d ~ n i s ~ a t o rnd physicalinspection, that he Administratorand Guest accounts have beenrenamed and assigned strongpasswords.

A cracking program can e used todetermine if passwords exist andhow strong they are.

Some companies may not allowpassword cracking programs to erun. In thatcase you may have toaccept the word of the systemmanager regarding passwordstrength.

C o ~ p l i ~ c e V e ~ ~ c a t i o nTe c h ~ q u e s

Review <servername>.users.~t

and ensure the default d~nistratorand Guest accounts are renamed.Also ensure the accounts have beenassigned a strong password byexecuting LOphtcrack against the<servername>.passusd.txt ile ifpermitted.



ain ~ontroll~re c u ~ t y

0. C ate ~o ry Control Objectives

3 UserheefaultuestccountManagementhouldeisabled

immediately afterinstallation.

3 UserheeplicatorccountManagementhouldedequately

secured.

sk

The Guest account isnownto existon all WindowsIWsystems. Consequently, it isone of the first accounts thatan ntruder will attempt touse, If enabled,an attackerwill attempt to logins heGuest and compromise thesystem.

By default, Windows NT.0

disables this account;however, a blank password sset.

If the directory replicatoraccount and password used bythis account are notadequately secured, there s anincreased risk that the securityof the domain may becompromised.

Disable the default Guestaccount on all WindowsNT systems. The accountshould remain disabled atall times. f the Guestaccount is needed for anytypes of services (i.e.,printing), definea newaccount for that function,

The Replicator accountshould havea secureusemame and passwordand should not e allowedto override defaultpassword policy. TheReplicator account shouldbe a member of theReplicators group.

(The Replicators groupwill not have “lognlocally” or ‘‘access thiscomputer over thenetwork” user ights-only “Logon as service.”)



Disable the Guest account byperforming the following steps:

2. Disable the a

changes.

Rename the Replicator accountand secure t by performing thefollowing steps:

2. Choose the rename optionunder theUserpulldownmenu.

3. Enter a new account ~ ~ e ,

which conforms to corporatestandards, in theChangebox.

4. Click OK to confiim changes.5. Double-click on the

Replicatoraccount.

7 . Ensure that the User Must

Expirescheck box.9. Click the Groupsbox.

10. Select all groups under theember Of:box.

11. Click the Removebutton.12. Add the Repllcatoraccount

to the replica tor^ group.13. Click theOK button to

confirm changes.14. Click the Close button.

T e c h ~ ~ u e s

Verify that he Guest accounthasbeen disabled by performing thefollowing steps:

1. Open User Manager.2. Double-click on the Guest

3. Verify that the Rccountaccount.

Oisa~ledheck box s selected.

Verify, through discussion with thenetwork ad ~n is tr atornd physicalinspection, that he Replicatoraccount has been renamed andassigned a strong password. Alsoensure that the Replicator accountsonly a member of the Replicatorsgroup. These can be accomplishedby performing the following steps:l. Open User ~ a n ~ g e r .

2. Verify that an account namedRepl~catoroes not exist.

3. Double-click on the renamedReplic~torccount,

4. Click on theGroupsbutton.5. Verify that this account is only a

member of theReplicatorsgroup.

A cracking program can be used todetermine how strong the passwordfor this account s.

Some companies may not allowpassword cracking programs o berun. In that case you may have toaccept the word of the systemmanager regarding passwordstrength.

C o ~ ~ l i a n c e ~ e r i ~ c a t i o nTechniques

Review <seTVername>.usefs.txtand ensure the Guest accountsdisabled.

Review <servername>.users.txtReplicator account security settingsand ensure he account hasadi~lcult~to-guesssername, belongsonly to the Replicators group, and isnot overriding default accountpolicies. Also ensure the account hasbeen assigneda strong password byexecuting LOphtcrack against the<sen/ername>.passlud.txt ile,

if permitted.



rima^ ~ o m a i n o~ tro ller ecurity

ry ControlObjectives Risk

3 UserAutomaticogonptions for There is an ncreased risk thatnsurehealue of the

enabled. gainnowledge of a usernarneegistry key is seto 0.

and password for the domainas the use of this optionembeds the passwordf anaccountin the registry n cleartext.

~anagement servershouldote an unauthorizedseray AutoA

3 User The defaultaluesorven if theutomaticogonnsurehat the~anagement automaticogonhould not option is disabled, the default Def~ultPa

beresent.assworday still exist in the D e f ~ u l t ~ ~ d

registry.An unauthorizeduser Def~ultD~may gain access o his key registry keys do not exist.and compromise he system.



ti0

Ensure the valuef the

Ensure that the

keys do not existy perfor~ngtheollowinocedures:

N~Winlagan,

above.3. Delete the keys mentioned

set to0 by p e r f o r ~ n ~he following

2. Select the hive:

N ~ ~ i n l a g o n .

3. Determine if the valueof

4. Close r e g e d t ~ ~ .

dm~nLogons set to 0.

Verify that theDefaultPassuJor~,

do not exist by performing thefollowing procedures:

2, Select the hive

N ~ ~ ~ n l o g a n .

abovedo not exist.3. Verify that the keys mentioned

tx t and ensure the value~ U t ~ ~ ~ m ~ n L a g a ns set to0.

Review <sen/ernamer.uJlnlogon.txt and ensure the valuesDefaultU~erNam~,

DefaultPass~ord,ndDefaultDo~ainNamere blank.



o. C ~ t e ~ o r ~ ~ontrol Risk

3 Usernonymoussershatheullredentialsogon~anagement connectwithheNullivesndividuals a method of

Credentials Logon shoulde procuring every share anddenied access to all systems username that existson thein the domain. system.In addition, group

Null session pipes should be discovered.With hisdisabled. in fo ~a ti on , ttackersan

start brute force guessingpasswords and attemptocompromise the system.

members~psan alsobe

Note: Some softwaremay notfunction after these changes.Additionally, the ability ochange passwords may belost. Ensure compatibility ytesting. Also, users may beunable to proactively changetheir password.

Add the regisbykeyRe5tr~ct~nan~mau5othe ~ ~ L ~ ~ ~ 5 t ~

Cafltrai\L5~\po~ionfthe registry. The valuefthis setting should be .

Review the valueson thenull session restrictionsregistry keys n the

~ K L ~ ~ ~ 5 t e m \ C u r r ~ n tCan t r a l 5 ~ t 5 \ ~e~ i c ~5 \f i a nman se~e~~arameterortion of theregistry.



Add the registry keyn o n y m o u ~o the

ontrol\LSA portion of theystem\CurrentControl\

registry by performing the

7 . Enter 1 n the Data:box.8. Click OK.

In addition, verify that the NullSessions Access has beenrestricted by p e r f o ~ n ghe

following steps:

CESSis set to 1.

the default.

Com~liance ~s§e§smentTechniques Technique§

Verifyhatheegistryeyeview cservern~m~>.iR e ~ t r i ~ t A n o n y m o u ~aseennsurehealueadded to the~ ~ L M ~ y s t e m \furrentControl~et\ControlUSRportion of the registry by performingthe following steps:

2. Select the key ~ K L ~ ~ y ~ t e m \CurrentControl~et\Control\LS~.

3. Verify that the registry keyRestrictAnonymour:RE[;__D

~ 0 R O : ~ x ls listed.

In addition, verify that the NullSessions Accesshasbeen restrictedby performing the following steps:

1. Open r e ~ e ~ t 3 ~ .

2. Select the hiveM~ L M ~ S l E M \CurrentControlSet~eric

LanmanServeNJarameters.

is set to 1.4. Close r e ~ e ~ t 3 ~ .



Sk

4 Passwordhemaximumassword age Withoutorcingsers to~ a n a g e ~ e n tshouldbe et naccordancechangepasswords, he isk

with orporate ecurityhatpasswordwillhave nstandads andguidelines.unlimiteduseful life after

Industryguidelines tate 60 increased.days.

Set the m ~ i ~ u ~password age inaccordance with corporatesecurity standards andguidelines.

~ d u s ~uidelines state60 days.

4 Passwordhe ~ n i ~ u masswordaving an adequateassword Set the mi n i ~ umMa~agement lengthhouldeetnengthncreasesheifficultyasswordength in

accordancewithcorporate equired to guessapassword.accordancewithcorporatesecuritytandardsndecuritytandardsguidelines. guideli

Industry ~uidelinestate 7characters.

Industry guidelines state7characters.

4 Passwordhe ~ n i m u masswordgeaving this featurenabledet the ~ n i m u m~ a n a g e l ~ e n ~houldbeset naccordancepreventsauser romchangingpasswordage n

with corporate security theirnewpasswordback oaccordancewithcorporate

standards and guidelines. the original password, thereby security standards and

Industry guidelines state3 uniqueness control,days. Industry guidelines state3

bypassingheassworduidelines.

days.



For all servers, set the maximumpassword age parameter yperforming the following steps:

e. This should be set inaccordance with corporatestandards.

3. Click O K to confirm changes.

Industry guidelines state 60 days.

For all servers, set the n i m u mpassword length parameter byperforming the following steps:

l . Using User Manager, selectthe Rccount. . ption of hePoliciesmenu.

This should be set inaccordance with corporatestandards.

3. Click OK to confirm changes.

Industry guidelines state7characters.

For all servers, set the minimumpassword age parameter yperforming the following steps:l. Usi

thethe

2. EnttheThiaccordance with corporatestandards.

Industry guidelines state3 days.

ssessment

For all servers, verify the maximumpassword age parameter bype~orminghe following steps:1. Open User ~ana ge r.

Select the Account. .Option

under the Policiesmenu.Ensure that thePassword

xpires inX days radiobutton is selected. View thenumber of days for theMaximum Password Age.Thisshould be set in accordancewith corporate standardsorourbest practices.Click OK to exit.

Compliance ~ e ~ ~ c a t i o nTechni~ues

Review <se~ername>.

policles.txt for compliance withcorporate polices relating tomaximum password age. If ocorporate policy exists, use60 daysas a baseline.

Industryuidelines state 60 days.Review <se~ername>.policies.txt for Compliance with

Forallservers,verify heminimumcorporatepolices elating opasswordengtharameteryminimumasswordength.foperformingheollowingteps:orporateolicyxists,se 7

Open User Manager. characterssaseline.Select the Account. . Option

under the Policiesmenu.Ensure that the A t Least XCharacters radio button isselected. View the number ofcharacters required for theMinimum Password Length.This should be set inaccordance with corporatestandards orourbest practices.Click OK to exit.

Industry guidelines state7

characters.

For all servers, verify that the Review <se~ername>.

minimum password age parameter policies.txt for compliance withhas been set by performinghe corporate polices relating tofollowing steps: minimum password age. If no

1. Open User Manager. corporateolicyxists,se 3 days2. Select he Rccount.. Option asabaseline.

3. Ensure that the Rllow

under the Policies menu.

Changes in X days radiobutton is selected. View thenumber of days for theMinimum Password Age.Thisshould be set in accordancewith corporate standardsorourbest practices.

4. Click OK to exit.

Industry guidelines state 3 days.



262 APPENDIX 58

Windows NT Primary Domain Controller Security Review Program

No. Category Control Objectives

4 Password The password uniqueness

Management should be set in accordance

with corporate security

standards and guidelines.

Industry guidelines state 6

passwords.

Risk

Requiring unique passwords

prevents a user from recycling

old passwords that may have

been compromised in the past.

Control Techniques

Set the password

uniqueness in accordance

with corporate security

standards and guidelines.


passwords.

4 Password The Service Pack Having a high degree of Enable passfilt so that not

Management Enhancement, passfilt, password strength decreases just lowercase letters are

should be implemented to required for passwords. Beenforce strong password aware that with Windows

controls. 95 companies, passfilt

does not enforce case-

sensitive passwords.

Additionally, the error

messages produced bypassfilt are often unclear

so administrators must

stay alert. Finally, know

that administrators can

create their own dll with

their own password rules.

the likelihood of passwords

being guessed by intruders.



APPENDIX 5B 263

Implementation Techniques

For all servers, set the passworduniqueness parameters byperforming the following steps:

1. Using User Manager, selectthe Account. . . Option ofthe Policies menu.

2. Enter the number of

passwords for the Password

Uniqueness. This should beset in accordance withcorporate standards.



passwords.

For the PDC, enable passfilt byperforming the following steps:

1. Open regedt32.2. Select the Key HKLM\

System\CurrentControI\Se \Con tro \LSA .

3. Edit the NotificationPackages value name.

4. Add passf i l t to the Valuename.

Compliance Assessment

Techniques

For all servers, verify that thepassword uniqueness parametershave been set by performing thefollowing steps:

Open User Manager.Select the Account. . . Optionunder the Policies menu.Verify that the Remember XPasswords radio button isselected. View the value enteredin this field. This should be setin accordance with corporate

standards or our best practices.Click OK to exit.

Industry guidelines state 6passwords.

For the PDC, check for passfilt byperforming the following steps:

1. Open regedt32.2. Select the Key HKLM\

System\CurrentControI\Set\

Con ro I\LSA.

Packagesvalue name.3. View the Notification

Compliance Verification

Techniques

Review <se we mame>.policies. txt for compliancewith corporate polices relating topassword uniqueness. If nocorporate policy exists, use 6

passwords as a baseline.

Review <servername> Isa.txt toensure the value NotificationPackages contains the passfilt.dl1en try.

If the Noti ficat ion P acka gesvalue contains an entry ofFPNW CLNT. d , inquire with thecompany if this is required forconnectivity between NT and Novel1servers. Also, ensure that theFPNWCLNT.dl1exists within thesystem path and is properly secured.

Ensure that the FPNWCLNT.dl1 sthe proper size, date, and versionbased on the service pack and anyhot fixes that are installed.



ontrol ~bjectives Sk ~ o n t r o l e c ~ n i ~ ~ ~ s

4asswordheccountockouteatureockingutccountsfter a Enableheccountockout~a nag em en t should be enabled, ndhepecified umber failedeaturendet the

related parameters shouldbe login attempts decreases the appropriate parmeters inset in accordance with risk that user accounts wille accordance with corporatecorporate security standards compromised through brute security standardsand

and guidelines. force attacks. guidelines.

4assword~anagement

4assword

~anagement


bad logon attempts and toreset the counter after 1,440minutes. Accounts should be

locked forever or until anadministrator manuallyunlocks them.

The resource kit utility,passprop, should be utilizedto enable lockout on theAdmi~stratorccount overanetwork connection.

The password for the

Administrator accountmaintained oneach servershould be changed inaccordance with corporatestandards and guidelines andbe unique across all servers.

The Administrator account issusceptible to an infinitenumber of password guessesover a network connectionunless passpropisimplemented.Regardless, Administratorsshould not be able to “accessthis computer from thenetwork,” but this s a goodsupplemental procedure.

The renamed Administrator

account oneach server is themost privileged account onthe system. Therefore, extracare should be taken withtsuse. Changing the passwordperiodically limits the usefullife of any compromisedpasswords. Requiring uniquepasswords on differentsystems limits the exposure tothe system if oneadminis~atorccount is

compromised.


bad logon attempts and toreset the counter after1,440 minutes. Accounts

should be locked foreveror until an administratormanually unlocks them.

Enable passprop’s~ m i n l a ~ ~ a u tunction.

Require that the password

for the Administratoraccount on each serverschanged periodically andis unique for all servers.



For all servers, set the accountlockout parameters by performingthe following steps:

I . Using User Manager, select

2. Ensure the Account Lockout

option is enabled.

settings shouldbe set inaccordance with corporatestandards.


Industry guidelines state3 badlogon attempts and to reset thecounter after 1,440 minutes.Accounts should be locked foreveror until an ad~nist ra tormanuallyunlocks them. From the o ~ a n dprompt, typepassprop/

a~minlockout.

Change the passwords on theAd~nistrator-level ccount by

performing the following steps:1. Using the User Manager,

open the user account thatrequires a change of password

both the PassuJordand theConfirm PassuJor~ields.

3. Click OK to close theUser

ProPE~ies.

2. Enter the ~e~ passwo

~ o m p ~ a n c es s e s s ~ e n t

~ e c ~ ~ q u e s

For all servers, verify the accountlockout parameters by performingthe following steps:1. Open User Manager.

2. Select the ~ccount. ptionunder thePolicies menu.

3. Ensure the ~c co un t ockoutradio button is selected.

4. Verify the settings for Lockout

After Bad Logon ~ttempts,

Reset Count After Minutes,

and Lockout Duration.These

settings should be set inaccordance with corporatestandards or our best practices.

5. Click OK to exit.

Review<sENernam~>.polici

compliance with corporate policesrelating to account lockout.Cnocorporate policy exists, se thefollowing as a baseline:* Industry guidelines state 3bad

logon attempts ando reset thecounter after 1,440 minutes.

* Accounts shouldbe locked foreveror until an administrator manuallyunlocks them

1,440 minutes equals 24 hours.

Industry guidelines state3bad logonattempts and to reset the counterafter 1,440 minutes. Accountsshould be locked forever or until anad ~n is tr ator anual~y nlocksthem.

Verify thatpa55prophas been used Review < S E N

to enable lockout of the passproP.txt to ensure theadministrator account over Adminis~atorccount lockoutnetwork connection. control is enabled.

From the command prompt, typeP ~ ~ ~ P ~ O Pnd view the results.

Verify, with the networkadministrator and administrator

equivalent users, that Administrator-level account passwords are beingchanged in accordance withcorporate security standards andare

unique across all servers.

In large multidomainimplementations of WindowsT ,this maynot be a practical policy.An alternative might be differentpassword within different domains.

Review <servername>.users.txt

and ensure the Ad ~ i n i s ~ a t o r

accounts are required to followdefault account policies. Also reviewcservername>.passuJd.itxtandensure theAd~inistrator ccountpassword hashes are unique acrossservers.



ectives

4 Password Default passwords supplied Application default passwords Change all defaultManagem~nt with software packages are widely known and application default

shouldehanged upon typicallynitialargets for passwords uponinstallation.ttacks. The riskhatnstallationfpplications.

unauthorized access willbeobtained is increasedf thesepasswords are not changed.

4 PasswordrivilegedserasswordsistributionfrivilegedM~agement shouldot be widelyccountasswordsomultipledis~ibuted. userseakenshe

effectiveness of a stringentpassword policy and reducesuser accountability.

4 Passwordser-levelverridesffser-levelverrides ofmanage men^ passwordpoliciesshouldnotpasswordpoliciesareallowed,

be enabled for any user there is an increased risk thataccounts except for service unauthorized access by usersaccounts. will be obtained.

4 PasswordllewserccountshouldManagementbe equired ochange heir

passwordon first logon,There should not be genericor predictable passwords usedas a new default. Each newaccount should be createdwith a unique andiEcult todetermine password.

4 PasswordontrolshouldeManagementmplemented to ensurehe

A d ~ ~ s t r a t o rassword isavailable for emergencies.

Requiring new users tochange their passwordupon

login ensures that thetemporary password will notbe in use. Additionally, byhaving users create their ownpasswords, the chance of theirremembering their passwordis significantly increased.

System adminis~a~orshouldprovide a mechanismoobtain the Ad~ni st ra to rpassword in he event of an

emergency to reduce he riskof significant downtime.These passwords should bestored on and off site. Theyshould reside n a physicallysecure location.

Only distribute privilegedaccount passwords to userswho require this access fora legitimate businesspurpose. Each user with aprivileged account shouldhave a unique ID andpassword.

Change Pas5wardandPassword NeverExpires user overrides ofthe default passwordpolicy.

Require all new useraccounts to change their

password on &st logon.

Write down theAdministrator password,place it in a sealedenvelope, and keep t in

secure locations,on andoff site, in the eventt isneeded in an emergency.



Change the passwords n theap~rop~a teccounts byper fo~inghe following steps:

Properties.Implement a procedureor

distributing privileged accountpasswords to only users whorequire this access or a egitimatebusiness purpose.

For all servers, disable the useroverridesof default passwordpolicies by performing the~ol~owingteps:

open the user account.

options are not enabled.fthey are enabled, hey shouldbe unchecked to disable them.

3. Click OK o confirm changes.

For all new users added to thePDC7 require thathey changetheir password on initial login by

pe~orminghe following step:1. When creating a new user

with the User ~a na ge r ~t il it y,re the User Must

Establish a procedureor keepingthe A d ~n i s ~a t o rasswordswritten down and ina securelocation. Establisha secondprocedure for obtaining the

passwords in the eventf anemergency.

Verify, with the network~ d ~ n i s t r a t o rnd through physicalinspection, that default applicationpasswords have been changed inaccordance with corporate securitystandards.

Review the account password

distribution procedure.Verify thatprivileged account passwords aredistributed only o those individualswith a egitimate business need forsuch access.

For all users, verify that the useroverrides of default passwordpolicies have been disabled yperfor~nghe fo~lowingteps:1. Open User ~anager .

2. Double-click on the useraccount.

3.Verify that theUser Cannot

Change Passu~ordnd thePas~word ever Expires

options are not checked.4. Click OK to exit.5. Repeat for all users

Verify, with the networkadmi~strator,hat theUser MustChangePassword at Next

Logon box is checkedwhen newaccounts are created.

Verify, through discussion with thenetwork administrator ndinspection of written policies, thatprocedure exists for the storagendretrieval of the ad~inistrator

password. Verify that this procedureis followed and that the passwordsstored in a secured location. Ensurethat the retrieval processs known toseconda~/e~ergencyadministrators.

and ensure thatany default accountsare required to follow defaultaccount policies. Also review<sen/ername>.pa~suJd.txl ndensure that these default accounts’password hashes are unique acrossservers.

Review the account password

dis~butionrocedure. Verify thatprivileged account passwords aredistributed only to those individualswith a egitimate business need forsuch access.

Review csen/ername>.u

and ensure there are o end useraccounts that are allowed to overridedefault account policies.

Inquire with the company regardingthe procedures or creating new useraccounts. Determine f the accounts

are required to change theirpassword on&st logon. Also reviewthe <sen/ername>.users.txt forusers who are required to changetheir password on next logon.

Verify7 through discussion with thenetwork administrator ndinspection of written policies, thatprocedure exists for the storage andretrieval of the administrator

password. Verify that this procedureis followed and that the passwordsstored ina secured location. Ensurethat the retrieval processs known tosecond~y/emergencyadministrators.



ain ~ o n t r o ~ e rec~r i ty

No. ~ a t e ~ o r y Control Objectives Risk ~ o n t r o l e c ~ n i ~ ~ e s

5 Grouphesersocalroupoth the Usersocalroupdd the Domainsers~anagement shouldnlyontainhendDomainUsersloballobalroup to theUsers

Domain Users global group groupreuilt into theocalroup.from the PDC f the system. All domain users areAuthentication Domain. by default membersof the

Domain Users global group.There is no need to haveadditional accounts inheUsers local group, and doingso increases the risk that alocal system resource will beabused.

5 Groupllserccounts,ithhe~an ag em en t exception of thebuilt-in

accounts of Guest andAdministrator, should e inglobal groups only. Globalgroups should be assigned tolocal groups.

The renamed Administrator

account shouldbe the onlyuser account in theAd~nistratorsocal group.

Having all user accountscontained within globalgroups increases networksecurity by simplifyingadmi~stration.User accountsshould never appear inocalgroups or have AccessControl Lists (ACLs) with nyobject.

Remove all user accountsfrom local groups andmove them to a respectiveglobal group,

The renamedAdministrator accountshould be the only useraccount in he

Administrators localgroup.



Add the Domain Users globalgroup to the Users local groupyperforming the following steps:1.

2.

3.

4.5.

6.

7.

8.

9.

10.11.

32.

13.

Choose Select Domain. ,from the user pulldown menu.Enter the erver n ~ entothe Damainbox.

Double-click on the UsersLacal Graup.Domain users should be

present.If domain users s not present,click theAdd button.Select theAuth~nticationDomain in theList NamesFrarn:box.Highlight theOornaln UsersGlobal group.Click theRddbutton.Click OK to confirm thechanges.Click OK to close the ocal

Group ~ r o p e ~ i e sox.Close User ~anager.

Remove alluser accounts fromlocal groupsand move them torespective global groupyperforming the following steps:

1.2.

3.

4.

5.

6.

7.

8.

9.

10.

Open User Manager.Double-click on theappropriate Local Group.Domain users should not bepresent.If domain users s not present,

click theAdd button.Select theAut~enti~at~onDomain in theLlst NamesFrom:box.Highlight theDomain UsersGIabal group.Click theAdd button.Click OK to confirm thechanges.Click OK to close theLocalGraup ~ r o ~ e ~ i e sox.Close User ~anager .

~ e c h ~ ~ u e s

Verify that the Domain Users globalgroup is listed in the Users localgroup by performing the followingsteps:1.

2.

3.

4.5.

6.

7.

8.

Open User Manager.Chooseselect Domain. .from the user pulldown menu.Enter theserver or workstation

ame into the Domain box.Click OK.Double-clickon the UsersLocal Group.

Verify thatDomainusers ispresent as a member of Users.Click Cancel to close.Close User ~anager.

Ensure that all user accounts aremembers onlyof global groupbyperforming the following steps:1.

2.

3.

4.5.

6.

7 .

8.

Open User Manager.Choose Select Domaln. .from the user pulldown menu.Enter the erver orworks~t ionname into theDomainbox.Click OK.Double-click on the Users

Local Group.Domain users should be present.Click Cancel to close.Close User Manager.

C o m ~ ~ a n c e ~ e r i ~ c a t i o nTechni~u~s

Review cservername>.groups.txtand ensure the only end useraccounts in the Users local group arethose accounts contained within theDomain Users global group from theAuthentication Domain.

Review <servername>.groupf;.txtand ensure that all end usersaccounts assignedto local groups aredone soby the use of global groups.



ory ~ o n t r o l b j ~ ~ t i v e s Sk

5 Groupserccountshould be Globalroupsimplifyreatelobalroupsnhe

theuse of globalgroups in con t~ningogical groups of andadd allapplicableuserthe AuthenticationDomain.sers.Usershouldeccountsoheseroups.

grouped accordingo similarjob functions, department, oraccess requirements.

Managementogicallyroupedhroughetworkdministration by AuthenticationDomain

5 Group Naming conventions should Global group names, which Name alllocaland global

Management be established and followed can be easily identified, groups in accordance withfor allglobal and local simplifyetworkstablished n a ~ n ggroups. Global groups ad~nistration. his increasesconventions.should have different naming ecurity because nonstandardstandards than local groups. groups can easily be

identified. Groups should enamed in sucha fashion thatthe type of group, grouppurpose, and/or departmentcould be identified.

5 Groupachrouphouldave a Requiringllroupsoave Add an applicablend

~anagement descriptionprovided by the descriptions ~ n i m i ~ she info~ativedesc~p~ionorapplication or business possibilityhatxtraneous, allgroups.manager. unneeded groups will be

created. Such a group couldbypass system adminis~ationand be used for unauthorizedactivities.



Create global groups according tocorporate policy and access needsand add all applicable usersaccounts to these groups.

Name all groups in accordancewith established naming

conventions.

For all servers, provide napplicable and informative

description for all local groups yp e ~ o r ~ n ghe following steps:1. Using User ~aflag@r,pen

the appropriateLocal GfRUp

2.

the D~script~onox.3. ClickOK to confirm the

changes.

T e c ~ ~ q u e s

Verify, through discussion with thenetwork ad ~i ni s~ at ornd review ofwritten policies, that global groupshave been created and are utilized inaccordance with corporate policy.Ensure compliance with saidpolicies through physical inspectionvia User Manager.

Verify, through discussion with thenetwork ad ~ n i s ~ a t o rnd reviewof

written policies, that all groups arenamed in accordance with orporatepolicy. Ensure compliance with saidpolicies through physical inspectionvia User Manager. Note whether thenaming conventions distinguishbetween local and global groups andprovide for the ability o identifyemployee, vendor, and temporarygroups.

Verify that all servers have anapplicable and nfor~ativedescription for all local groupsyp e ~ o ~ n ghe following steps:1. Open User Manager.

2. Double-clickon the Local

3.Verify that an applicable andGroup name.

informative description xists inthe D~~criptiRflox.

4. Click OK to exit.5. Repeat for each local group.

Inquire with he co~panyegardingprocedures for grantingsersaccessto resources. Ensure that theseprocedures requirea ~ ~ ~ s ~ a t o r soadd end user accountso globalgroups (in the AuthenticationDomain), global groups to localgroups, and local groups to resourcepermissions.

Obtain a copy f the company’sgroup n ~ n gonventions and

ensure that they are enforced on alllocal and global groups yexamining the<se~@rname>.grRup

Note whether he n ~ i n gconventions ~stinguishetweenlocal and global groups and providefor the ability o identify employee,vendor, and temporary groups.

and ensure thatallgroups have anapplicable and ~ormativedescription,



ain ont troll er ~ e c u ~ t y

5 Groupheackupperators,~anagement ServerOperators,Account

Operators, and PrintOperators local groupsshould only contain globalgroups that are authorizedfor this purpose.

5 Grouphepecialroupveryone~anagement shouldnotbeused.Using

specialized groups will allowthe Administrator toavebetter control over filesnddirectories.

Note: Certain applications,aswell as the Windows NTsystem directory, will notfunction without the

Everyone group in theCL.This is more appropriate ordata directories.

Risk Control Techniques

The Backup Operators, ServerOperators, Account Operators,and Print Operators localgroups have several privilegesassociated with them, suchsthe ability to log on tosystems interactively.Therefore, caution should eexercised when adding usersto these built-in groups.Having only global groupss

members of these groupshelps to ensure that the groupswill be properly restricted.

Add the authorized globalgroups to the Backup Op-erators, Server Operators,Account Operators,andPrint Operators localgroups on each server inthe Authentication nd Re-source Domain and anyworkstations in the net-work environment.

Using the special group Replace references to theEveryone isvery broad and special group Everyonecould inadvertently allown with Domain Users orintruder to gain access to Domain applicationsystem resources. groups.

If more broad group namings Note: Certain applications,required, the Authenticated aswell as the WindowsUsers groupmay be usedas a NT system directory, willsubstitute for Everyone. not function without the

Everyone group in the

ACL. This is moreappropriate for datadirectories.



Add the authorized globato the Eackup Operators,Operators, Account Operators,ndPrint Operators local groupsneach server n the Authentication

esource Domain andnyworksta~onsn the networkenv~onment y p e ~ o r ~ n ghefollowing steps:l,

3.

4.

5.

6.

7 .

9.

10.

from the user pulldown menu.Enter the e ~ e rame in the

Select theautho~ized lobal

Click theCl# button,Re eat ste S 4-43or the

estrict default group access toapplication and system files anddirectories by p e ~ o ~ i n ghefollowing steps:l. Open the ~ i n ~ o w sT

Explorer.

directory to set the securitype r~ ss io ns nd select theproperties option.

.Right-clickon he fileor

security pe ~ is si on shat youselecton ll files andsubd~ectoriesnder the

selected directory, while the

that all files containedn thedirectory have the selectedsecurity pe r~ ss ions .

want to remove, doso by~ighl~g~t inghe applicablegroup and clicking

roup has access thatou

VerifyhatheuthorizedlobalReviewhe <servernam

groups are mexnbers of he Backup ~ r ~ u p s .xt and ensure that onlyOperators,erverperators,uthorizedsersremembers ofAccountperators, and Printheseroups.Operators local groupsn eachserver in the Authentication andResource Domain nd anyworkstations in the networkenvironment by performing thefollowing steps:

l. Open User Manager.

2. Choose Select Domain. .from the user pulldown menu.

3. Enter theserver namein theD ~ m a ~ n :ox.

4. Do~ble-click n the Backup

Clper~ t~rocal group,5. Verify that only authorized

global groups are listed.6. Click theCancel button.7. Repeat steps4-45 for the Server

Clperator5group.8. Close User Manager.

Verify, with the network Review < s~ r ve r name~ .pe r ~ sa d ~ n i s ~ a t o r ,hat the special group <drive lettEveryone has been replaced with special group Everyones notDomain Users or Domain allowed access to any fileson heapplication groups. system.

If more broad grouparning isrequired, the Authenticated Usersgroup may be usedas a substitute forEveryone.



omain ~ o ~ t r o ~ l e re c u ~ ~

No. Cate~o Control Objectives Risk ControlT e c ~ ~ ~ ~ e s

5 Grouptherhanheuilt-inloballobalroupsimplifyeletelllobalroups

should exist outside of thecontaining ogicalgroups of globalgroups)containedauthenticationomains.sers.There is noeed to in resourceomainsnd

createlobalroups on re-createhemnheresourcedomains.Doing so AuthenticationDomain.only decreases the abilityfthe network manageroeffectively manage thenetwork.

Managementroups, no globalroupsetwork ad~~nis~ationy (otherhenheefault



emavebutton. "he specialgroup everyone's permissionsshould be removed fromllfilesand directorieson he system.f all

users require this access, it shouldbe granted to theUsers Local

Click theAdd button toinclude thea~plicable roupsto be grantedpe~issions.When you have selectedllthe applicable groups, click

Grant theTgpe of Accessfor each group y ~ghlighting

hehese

Pefmlss~anshould be set inaccordance with corporatesystem standards.Click theCIK button to confirmthese changes.

After the security permissionshave been changed, click theOK button to close the filenddirectories propertieswindow.

ote: Certain appl~cations,s wellas the WindowsNT ystemdirectory, will not function withoutthe Everyone group in theCL.This is more appropriate ordatadirectories.

Delete ll lobal roupsother Ve~fy,hrough iscussionwithhe Review the <se~~rname>,thenhedefidultglobalgroups)network ad~nistratornd physical groups.txt and ensurenoglobalcontained n esourcedomainsand nspection, hat no globalgroupsgroupsexist in nonauthentica~onre-createhemnhexist in theesourceomains.omains.Au~entication omain.



5 GroupManagement

6 FileystemAccess and~anagement

6 FileystemAccess andManagement

6 FileystemAccess andManagement

Access Control Lists (ACLs)for filesand directoriesshould only specify localgroups as having access.ACLs should not specifyindividual user accounts orglobal groupsasbeinggranted or revoked access.

The WindowsNTFileSystem (NWS)should beused on all partitions.Additionally, there should beno unformatted space n thedrive.

Application and systemdirectories should not llowWrite, Delete, ChangePermissions, orTakeOwnership to users. Thebuilt-in special group shouldhave no permissions.

Data files should e stored insegregated directoriesexternal to the applicationand system directories,possibly in the data owners’

home directories, or theapplica~on-specified atadirectory.

Sk

In WindowsNT, only localgroups should be grantedrights to resources. All usersshould be placed in globalgroups, and global groupsshould be placed in localgroups. This ensures that theenvironment hasa s ~ c t u r e dmethod of adminis~ation nddecreases the possibility thatusers will be granted

excessive rights.

NTFS associates permissionswith each file and directory.Using these permissions,different levelsof access canbe granted or deniedodifferent groups f users.UnderNT, ile access is basedsolely on file permissions.

Granting excessivepermissions to applicationscould lead o their abuse ordeletion.

Data files should e placed inseparate directories o helpprevent the changing fdirectory permission levelsthatmay accidentally flow

down to executable programfiles. It s also good practiceto separate data fromapplication files in order togrant the appropriate levelfsecurity for each typef file.

Utilize local groupsogrant pe ~i ss io nso filesand directories.

All File Allocation Table(FAT) or HighPerfo~ance ile System(HPFS) partitions shouldbe converted to theWindows NT ile system

(NTFS).

HPFS is not supportedunder WindowsNT 4.0.

Any file systems in thatformat would have to beconverted during the3.51to 4.0 upgrade.

Set the default permissionsfor users to besrestrictiveas possible onapplication directories.Remove all permissionsfor the built-in specialgroup of Everyone. I fthese typesof permissions

are needed, create newgroups that contain theappropriate usersand havethe required pe ~i ss io ns .

Separate application filesfrom data files.



plianee~ssessment

niques

Implement a procedure to utilize Verify thata procedure exists to

local groups for granting ensure hat permissions for files and <drive letter>.txt and ensure hatpe~iss ionso files and directories are only grated to local only ocal groups are granted accessdirectories. groups.Makeertain,hroughoilesndirectories.

discussion with the systemad~nistrator,hat this proceduresfollowed.

Open Disk Administrator toiew Verify that theNWS file system s Review the<sthe partition informationnd file being used and that theres no <drive letter>.txt and ensure thatsystem for all drives. unformatted or nonpartitioned space drives revieweduse the ~ F ? Sile

Issueheollowingommando 1. Open Disk ~ d m i ~ i ~ t r ~ t a r . unformattedr nonp~t ionedpace.converthe FAT p ~ i t i o n so 2. View the artition in for~at ion

enter the following command:

by performing he ollowingsteps:system a d hat here is no

S: At the ommandprompt ndile ystem for alldrives.

Implementa procedure to setdefault pel~issi onsor users to beas restrictiveas possible onapplication directories andoremove allpermissions for thebuilt-in special group Everyone.If these typesof pe~issionsreneeded, create new groups that

contain the appropriate usersndhave required ermissio~s.

Impleme~t procedure to placedata files in separate directoriesfrom the application and systemdirectories.

Determine, with the networkad~nistrator,he appropriate (mostrestrictive) level f permissions forapplication and system directories.Verify that this levelf access isgranted. Ensure that the specialgroup Everyone has o file systempermissions. Under certain

circumstances, ensure that ewgroups are created o managerelaxed permissions.

Verify thata procedure exists toensure thatapplica~on nd data filesare segregated. Ensure, throughphysical inspection, that applicationfiles and data files are located inseparate directories or n separatedrives.

Determine, with the networka d ~ n i s ~ a t o r ,he appropriate (mostrestrictive) levelof p e ~ s s i o n sorapplication and system directories.Verify that this levelf access isgranted by reviewing

ensuring that end users are notallowed excessive permissions toapplication filesanddirectories.Under certainc~cumstances, nsurethat new groups are created omanage relaxed permissions.

Verify thata procedure existso

ensure that application and data filesare segregated. Ensure, throughphysical in sp~t ion,hat applicationfiles and data files are located inseparate directories or n separatedrives.



6 File ~ys te m CertainirectorieshatAccess and contain sensitive Windows

~ a n a g e ~ ~ n tT ystem files shou~d esecured (these directories arelisted in themplementatio~checklist).

If unautho~zed sers gainaccess to sensitive systemfiles, they could executeaTrojan horse or create denialof service on the P I X .

ControlTechniques

Restrict access o sensitiveWindowsNT directories(listed in theimplementati~n hecklist).



~ N p l e r n e n ~ ~ o nechniques

Restrict access to the followingdirectories by performing thefollowing steps:

1. Open the WindowsNT

2. Right-click on the file orExplorer.

directory to set the securitypermissions and select thePropertiesoption.

The following directories should

be secured:

C:\c:\uJinnt\

C : ~ i n n t ~ y ~ t e m 3 ~

The following permissions shouldbe set:

Ad~nistrators Full ControlServer Operators Change

EveryoneRead

Creator/Owner Full Control

System Full Control

3. Click the Permissions

button of the 5ecurity tab.4. Select the Replace

Permissions on

5ubdirectories. and theReplace Permissions on

Existing Files heck boxesas appropriate.The Replace

Permissions on

CoNpliance As§e§sment~ e c h ~ q u e §

Verify that permissions n hefollowing directories comply withthe recommendations y performingthe following steps:

1. Right-clickon he directory inExplorer.

2. Choose Properties.

3. Select theSecurity tab.4. Click the Permissions button.5.Compare the current

permissions to the

reco~endat ions .6. Repeat for all isted directories.

Directories:C:\C:\uJinnt\

C:\uJinnt~ystem3~

C: \uJ inn~ystem3~r ivers

R e c o ~ ~ e n d e d P e ~ i s s i o n s :Ad~nistrators FullontrolServerOperatorshange

Everyoneead Creator/OwnerullontrolSystemullontrol

5ubdlrectorles will place thesecurity permissions thatouselecton all filesandsubdirectories under theselected directory, while theReplace Permissions on

Existing Fileswill ensurethat all files contained in thedirectory have the selectedsecurity permissions.

5. Click theOK button to confirmthese changes.

6. After the security permissionshave been changed, click theOK button to close the ile anddirectories propertieswindow.

Directories:C:\C:\uJi~nt\

C:\uJinnt~yst

C : \ uJ i nn t~ y~

R e c o ~ ~ e n d e d P e ~ i s s i o ~ s :Ad~nistrators FullontrolServerOperatorshangeEveryoneeadCreator/OwnerullontrolSystemullontrol



ry ~ontrol ~ j e c t i ~ e s

6 Fileystem The c : ~ l n n ~ y s t ~ m ~ ~ \Access and canfig directory contains the

Manage~ent SAM, audit files, and otherregistry files. These shouldbe secured fromunautho~zed se.

Ifunauthorized users gain Restrict access to theaccess to this directory, hey c:\wicould view the audit filesor canfi

attempt to get access to the prevent unautho~zedSAM if theycrash the server. access.



byS:

l. Open the ~ i n d o w s"

2. Right-click on the fileorExplorer.

directory to set the security

rties option.

The followingper ~ss ions hould

be set:

Ad~nistrators Full Control

Everyone ListCreator/Owner Full Control

System Full Control

' ions and select the

3.

4.

select on all files andsubdirectories under the

directory have the selected

security permissions.5. Click the OK button to confirm

these changes.6. After the security permissions

e been changed, click thebutton to close the file and

directories propertieswindow.

Verify that permissions n thefollowing directory comply with thereco~~endationsy performing thefollowing steps:

l . Right-click on the directory in

2. Choose ~ r o ~ e r t i e s .3. Select the5 e c u r l t y tab.4. Click the ~ e r r n i s s ~ o n 5utton.5.Compare the current

permissions to the

recommendations.

Explorer.

6. Repeat for all listed directories.

Directory:C:\uJinnt\systern3;?\rronflg

~ e c o m m e n d e d P e ~ i s s i o n s :Ad~nistrators FullontrolEveryoneistCreator/OwnerullontrolSystemullontrol

Review the < s e r v e r n a m e >c ~ e r r n ~ < ~ y ~ t e ~riveIetter>.txt and ensure the followingpermissions are in place for:

Directory:C : \ u J i n n ~ y s t e r n 3 ~ ~ ~ n f f ~

~ e ~ o m m e ~ e d P e ~ i s s i ~ n s :Ad~inistrators FullontrolEveryoneist

CreatodOwnerullontrolSystemullontrol



rimary ~ o r n a i ~o ~ t r o l l ~ r

o, C ~ t ~ ~ o r y Control ~ ~ j e c t i v ~ Sk

6 Fileystemhe c : ~ ~ n n t ~ ~ s t ~ r n ~ ~f unauthorizedsersainestrictccess to theAccess and spool directoryontainsheccess to this irectory, they ~ : ~ I n n ~ ~ ~ t ~Managementrinterriversndiles.ouldainccess to printer spool directory to prevent

Thesehould be securedettingsndrivers.nauthorizedccess.from unauthorized use.

6 FileystemheeplicationirectoriesfnauthorizedsersainestrictccessoheAccess and contain login scripts, access to these directories, re~lication irectories soManage~ent policies, and other user- they could gain access to user that only authorized users

sensitive data thats data,olicies, andoginaveccess.replicated among servers. scripts. That type ofThese should be secured information could containfrom unauthorized use. password information ore

replaced with Trojan horses.



."

mp lem en~ tion echni¶ues

Restrict access oc:\luinnt;\system3~~poolyperforming the following steps:

I. Open the WindowsNT

2. Right-clickon the fileorExplorer.

directory to set the securitypermissions and select thePropertiesoption.

The following permissions should

be set:

Administrators Full ControlPrint Operators Full Control

Everyone ReadCreatorlOwner Full Control

System Full Control

3. Click the Permisslons

button of the fjecurity tab.

rmissions onbdirectorles and theplace Permissions on

sting Flies check boxesas appropriate. TheReplacePer~lssions n

Subdirectorieswill place thesecurity permissions thatouselect on all filesandsubdirectories under theselected directory, while the

place Permissions on

sting Files will ensurethat all files contained in thedirectory have the selectedsecurity permissions.


6. After the security permissionshave been changed, click theOK button to close the file anddirectories propertieswindow.

Restrict access to replicationdirectories by performing thefollowing steps:

l. Open the WindowsNT


directory to set the securityPermissions and select thePropertlesoption.

Compliance AssessmentTechniques

Verify that permissions n thefollowing directory comply with therecommendation by performing thefollowing steps:1. Right-click on the directory in

2. Choose Properties.

3.Select theSecurity tab4. Click thePermissions button.5. Compare the current

permissions to the

reco~endat ions .

Explorer.


Directory:C : ~ i n n ~ y s t e m 3 ~ p o o l

Recommended P e~ is si on s:AdministratorsullontrolPrintOperatorsullontrolEveryoneeadCreatorlOwnerullontrolSystemullontrol

Compliance Verifica~onTechNques

Review the <servername>.

perms<system drive letter>.txtand ensure the followingpermissions are in place for:

Directory:

C : \ l u i n n ~ y ~ e m 3 ~ p o o l

Recommended Pe ~ i s s i o ~ s :

AdministratorsullontrolPrintOperatorsullontrol

EveryoneeadCreatorlOwnerullontrolSystemullontrol

Verify that permissions n the Review the<servername>.

following directories comply with perms<system drlve letter>.txtthe reco~en dati onsy performing and ensure the following

the following steps: permissions are in placeor the1. Right-click on the directory in following directories:

2. Choose Properties. Directory:3.Select theSecurity tab. C:\luinnt\system3~epi

Explorer.



ControlObjectives



~ m p l e m e n ~ t i Q n T e c ~ n i ~ u e s

The following directorypermissions should be set:

~ : \ w i n n t ~ y s t e m 3 ~ e p l

Ad~nistrators FullontrolServer Operators Full Control

Everyone ReadCreatorlOwner Full Control

System Full Control

C : \ ~ i n n t \ s y s t e m 3 ~ e p I \

import

Administrators Full ControlServer Operators ChangeEveryone ReadCreatodOwner Full Control

Replicator ChangeNetwork No Access

System Full Control

C : \ w i n n t \ s y s t e m ~ ~ e p l \export

Ad~inistrators Full ControlServer Operators ChangeCreatodOwner Full Control

Replicator Read

System Full Control

3. Click the Permissionsbutton of the 5ecurlty tab.

4. Select the ReplacePermissions onSubdirectories and theReplace Permissions onExisting Files check boxesas appropriate. TheReplacePermlsslons on5ubdirectories will place thesecurity permissions thatouselecton all files andsubdirectories under theselected directory, while theReplace Permissions onExistlng F iles will ensurethat all files contained in thedirectory have the selected

security permissions.5. Click theOK button to confirm

these changes.6. After the security permissions

have been changed, click theOK button to close the file anddirectories propertieswindow.

CQmpliance AssessmentTec~niques

4. Click thePermlssions button.5. Compare the current

permissions to thereco~endations


Directory:C: \winnt \system3~~epl

Recommended Permissions:

AdministratorsullontrolServerOperatorsFullControl

EveryoneeadCreatodOwnerullontrolSystemullontrol

Directory:C:\winnt\systern3~~epl\im~ort

R ec~m m end ed ermissions:A d~ ~ s t r a t o r s Fu l lontrolServerOperatorshangeEveryoneeadCreator/Ownerullontrol

ReplicatorhangeNetworkoccessSystemullontrol

Directory:C:\winnt\system3~epI\E?xport

R e ~ o m m e ~ e d P e ~ i s s i o n s :AdministratorsullontrolServerOperatorshangeCreatodOwnerullontrolReplicatoreadSystemullontrol

R ecom m en~ ed ermissions:

Ad~nistrators FullontrolServerOperatorsFullControlEveryoneeadCreator/OwnerullontrolSystemullontrol

Directory:

Recommended Permissions:Administratorsullontrol

ServerOperatorshangeEveryoneeadCreator/OwnerullontrolReplicatorhangeNetwork NoAccessSystemullontrol

Directory:C : \ w i n n ~ y 5 t e m

Recommended Permissions:Administratorsullontrol

ServerOperatorshangeCreatodOwnerullontrolReplicatoreadSystemullontrol



6 Fileystemhe c : ~ i n n ~ ~ ~ ~ ~ rfnauthorizedsersainestrictccessoheAccess and directory contains a backup access to a backup copyf the ~ : ~ i n n ~ ~ ~irectory

~ ~ a ~ e ~ ~ n topy of the SAM and needs SAM, they can un a so that only authorizedto beprotected gainstpassword racker ndpossiblyusers have access.unauthorizedccess.uessserasswords.

6 Fileystem The default system shares WindowsNT reates special Document the defaultAccess and for tile systems shouldbe ad~n~strative-levelhares by shares and their

Mana~ement disabled and re-created default thathave preset directories.under standard share security levels. These sharessecurity. The default admin provideaccess to the ootDisablehem pe~anentlylevel shares are:C$ , D$. . level of eachNI'drive and the if they are not required.and Admin$. NT system root directory.

Re-create new shares to

those directoriesf neededwith appropriatepermissions.



"es

Restrict access o c: \~ innt~epai r

by pe~ormi nghe following steps:l.Open the WindowsNT


the securityand select thetion.

The followingpel~issions houldbe set:

Ad~nistrators Change

as appropriate. TheRep1

~ ~ ~ i r e c t o r i e sill place the

security permissions thatouselect on all files andsubdirecto~esnder theselected directory, while the

ermissions on

that all files contained in thedirectory have the selectedsecurity permissions.

these changes.6. After the securityper~ssions

have been changed, click theK button to close the file and

directories propertieswindow.

Disable the shares in the registry

2. Select the Keg

5. Change value to0.

6. Click OK.

Create new shares to these pointsif necessary,

Verify that permissions on thefollowing directory comply with therecommendations bypedorming thefollowing steps:1. Right-click on the directory in

2. Choose Prope~ies.

3. Select theSecuritg tab.4. Click the Permissions button.5.Compare the current

permissions to therecommendations.

Explorer.


Directory:

C: \~ inn~epa i r

Reco~mended Per~issions:

Ad~nis~ators Change

Verify the existenceof the defaultsharesby hecking theShare buttonunder the Server Manager.

If none exist, verify the registryeyby checking the valuef the

~wices\LanmanSeweh

The value should be.

p ~ r m 5 < 5 g s t e ~rive lett er> .~t

and ensure the followingpermissions are in place for:

Directory:

C : ~ ~ n n ~ e p a i r

Recom~ended Pe~iss ions:

Adminis~ators Change

Review <s~wername>.~hares.

txt to ensure only authorized usersare allowed access to the shares.



o m ~ nont troll er ~ e c ~ ~ t y

No, C a t e ~ o ~

7 SensitiveSystemPrivileges andUtilities

Cont~ol bjectives

Permissionson hares mustnot allow Write, Delete,Change Permissions, orakeOwnership to the specialgroup Everyone. Permissionson shares shouldbeequivalent to the e~ iss ionson files within the share.

Risk

Shares allow userso accessresources remotely n thenetwork. ~onse quen ~y ,areshould be takenwhengranting share rights.nparticular the default systemgroups should not be grantedpermissions thatwould allowmembers of these groups oabuse the system.

Set the default e ~ i s s ~ o n sfor the default group Usersin accordance withpermissions seton the fileswithin the share. The built-in special groupEveryone’s access shouldbe removedon all sharepermissions.



Restrict share permissionsypedorming the following steps:

1. Using the Server Manager,highlight the applicable serverand select the shareddirectories option under theComputermenu.

2. Highlight the shareand viewits propertiesby selecting thePropert~esutton.

3. Click on thePermiss~ons

button to view the Users whohave access o this share viathe network.

include the applicable groupsto be granted accesso thisshare and select the groupsyou wish to grant access to.When you have selected allthe applicable groups, clickthe OK button to confirm theseadditions.

each groupby high~ghtingheapplicable group and selectingthe access from thegpe of

Access box. ThesePermlss~onshould be set inaccordance with corporatesystem standards.

6. If the special group Everyonehas access to the share, thisaccess should be removedyhighlighting the memberndclicking theRemove button.

7. Click theOK button and thenthe Yes button to confirmthese changes.

4. Click theAdd button to

5. Grant theType of Access for

Com~liance ~ssessmentTe~hniques

Verify that share permissions areproperly restricted y performing thefollowing steps:1. Open 5erver Manager.

2. Highlight the applicable serverand select the shared directoriesoption under theComputer

menu.3. Highlight the share nd view its

properties by clicking thePropertlesbutton.

4. Click on thePerm~ss~ons

button to view theUserswhohave access to this share via thenetwork.

5. Verify that only appropriategroups have been granted accessto this share.Verify that thespecial group Everyone does nothave access.

close.6. Click theCancel button to

7. Repeat for all shares.8, Close 5erver Manager.

C o m ~ l i ~ c eerificationTechniques

Review <se~ername>.shares.

txt to ensure only authorized usersare allowed access o the shares.Permissions should only e grantedto groups. The special groupEveryone should not e allowedaccess to the share.



o ~ ~ i ~ont troll er ~ e c u ~ t y

7 Sensitive Access to sensitive system

System utilities should be removed

Privileges from allusers who do notand Utilities require this access or a

legitimate business use.

isk es

If user accounts are granted Remove user access toaccess to potentially sensitive system utilities that do notutilities, there is an increased require this access for arisk hat heusermaygain egitimatebusinessuse.info~at ionhat could be usedto compromise the securityfthe domainorperform actionsthat may affect the securityand productivityof thedomain.

8 ~ ~ n t e n a n c e If standard user profiles are If standard profiles are Move all standard userand used they should be utilized they should resideon profiles, if implemented,Operations maintained on the PDC. the PDC, where their access to thePDC in the

can be controlled and changes Aut~entica~ionomain.can be monitored. Havingstandard user profilesn localsystems can easily, lead to

their modification, and/orabuse.



For all servers, disable the abilityfor normal users to access sensitivesystem utilitiesby p e ~ o ~ i n ghefollowing steps:

1. Open the WindowsNT

2. Right-clickon the utility to beExplorer.

restricted and select the

4. Click theAdd button toinclude the applicable groupsto be granted securitype~issions.

5. Select the groups ou wish toadd to the securitypermissions. m e n you haveselected all the applicablegroups, click theOK button toconfirm these additions.

6. Grant iheTgpe af Access

for each group by highlighting

These pe r~ ss io ns hould beset in accordance withcorporate system standards.

7 . If the special group Everyoneor the group Usersavepe~iss ionso the utility, they

these c h ~ g e s .

9. After the security permissionshave been changed, click theOK button to close the fileproperties wi ndo~ s.

ove all standard user profiles, ifi~plemented,o the PDC in theauthentication domain.

~ o ~ ~ l i a n c e§§e§s~ent

T e c ~ n i ~ ~ e s

Verify, through discussion with thenetwork administrator nd physicalinspection, that sensitive systemutilities are properly restricted.

Sensitive utilities include:

P a l ~ d i t . ~ x ~

User Manager or DomainsServer ManagerResource kit utilities

Auditing tools

If standard profiles are used, verify,through discussion with the networkad~inistratorndphysicalinspection, that all such profilesreside in the Authentication Domainand obtain the applicable policiesand procedures.

ri~cat ion

and ensure the sensitive systemutilities are properly protected.

If standard profiles are used, verify,through discussion with the networkadministrator and physicalinspection, that all such profilesreside in the ~uthentication omainandobtain the applicable policiesand procedures.



0 . Y

8 ~ ~ n t e n a n c e Windows NT’s screen saverand should be enabled with the

pera at ions password protection featureturned on.M e n not beingused, accounts should belogged off from the systemconsole.

9 FaultToleranceBackup andRecovery

9 FaultToleranceBackup andRecovery

l0 PhysicalAccess

A disaster recovery planshould be setn accordancewith corporate securitystandards and guidelines.

An uninte~upted owersupply must be used withllWindows NT PDCs. Thiswill provide poweror thesystem to be shut down in

the eventof power loss ordegradation.

Two copies of theEmergency Repair Diskshould be made with eachplaced ina physically securelocation.

Enabling theWindowsNTscreen saver with thepassword protection~ n i ~ z e she chances that nunattended servers andworkstations will be brokeninto.

Without a properly con~guredand tested disaster recoveryplan, the system is open toextended downtime.

Not using aWS will makethe system more open tocorruption and will increasethe riskof losing user data inthe event f a power loss.

The Emergency Repair Diskcontains critical nfo~ationreferencing users andilesystem details.Thisinfo~at ionould bede~mentalf an unauthorized

user obtained t. Two copiesof the disk should e made:one for on-site storage andone for off-site storage. Bothcopies should be located inphysically secure areas.

Enable the WindowsTscreen saver with thepassword protectionfeature active.

Establish aproper backuprotation plan n accordancewith company policy. Theregistry mustbe backed upusing a ~ r d - p ~ ~ackuptool or the regback utility

from the resource kit.Backups should be cycledthrough an off-site storagelocation along with thecopies of the emergencyrepair disks.

An ~ t e ~ p ~owersupply thats fullycompatible withWidowsPIT shouldbeused.UshgWidows PIT-compatible

UPS will allowfor a gracefulshutdown of theWidowsPIT ystem, ~ m i ~ gheamount of system filec o ~ p ~ o nnddata oss.

Create two copies of allcritical WindowsNI?systems’ EmergencyRepair Disk. Store onecopy on site and another ata secure remote location.



Enable the native WindowsTscreen saverby perfo~inghefollowing steps:

l.

2.3.

4.

5.

6.

Right-clickon ny blank areaof the desktop.Select theP r o p e ~ i e 5ption.Select theScreen Save abof the D ispla y P r o p e~ ~e r rbox.Select a screen saver from thepulldown box.Click on the P a 5 5 w ~ r d

Protected check box and setan appropriate time to enablethe security feature f thescreen saver.Click OK to lose theDl5playP ro ~e ~ i e 5ox.

Note: Be sure to runRDISWS

before backups are created o thatthe Repair directorys up to date.

NIA

Com~liance ~ssessment~ ~ c h ~ q u e s

Verify that policies existo mandatethatpasswordprotectscreensavers txt andensure hevaluesare enabled on allmachines.Attempt screen§aver~ct iveandto disable the screen savern ar a n d o ~ yelectedmachine ndheo 1,PDC by moving the mouse orpressing akey on the keyboard.Verify that you are promptedfor apassword.

Inquire with the company regarding Inquire with the company regarding

policies and procedures for updating policies and procedures for updatingof the Emergency Repair Diskn of the Emergency Repair Disknperiodic basis. Check the file dates periodic basis.Review thein the repair directory to assurehey < ~ e ~ e r n a m e > , d i r < 5 y ~ t

are not out f date. drive>.txt and ensure the datesnthe files in the ~ y ~ e ~d r i v e> :~ i nn t ~ep a i rre current.

Inquire with the company regardingthe controls in place to mitigate aloss of power. If the server sprotected by an individualUPS ,

inquire whether the UPS is

integrated with WindowsI’operating system. Then, ensure thatthe PDC is connected to afunctioningUP S system.

Run RDISK and click“Create Ensure that a procedures in place o~ e p a i r irrk.” create, update, physically secure,

Reminder: RDISK only creates the Repair Disk. Verify that thedefault in fo ~a ti on n the disk Emergency Repair Disk exists,s notwhen the /S switch is not used. out of date, and is physi c~ly

retrieve, and utilize the Emergency

secured. Ensure that properindividuals are awaref the recoveryprocess.

Inquire with the company regardingthe controls in place to mitigate aloss of power. If the server sprotected by an individual UPS,inquire whether the UPS is

in te gra t~ ith WindowsNToperating system. Then, ensure thatthe PDC is connected to afunctioningWS system.

Ensure that a procedure isn place tocreate, update, physically secure,retrieve, and utilize the EmergencyRepair Disk.Verify that theEmergency Repair Disk exists,s notout of date, and is physically

secured. Ensure that properindividuals are awaref the recoveryprocess.



m y ~ontrol ~ j e c t i v e s es

11 Au~ting, If network managers are It is important to note that If theWindows NT systemLogging, and being used,SNNlP should be SNMP hould not be run with is equipped withSNMonito~ng installed in a secure fashion. the defaultc o ~ u n i t ynown ensure that the accesso

as “public.” This wouldbe a his service info~a t ionspotential security breach. The limited to daily monito~ngS ~ Patabase of errors and and alert w ~ i n g soalertsmust be protected ifmanagement.used in the Windows NTenvironment becauset cancontain informationon host orrouter operating systems,

network interfaces, addresstranslation, and protocolsoftware. This i n f o ~ a t i o ~could be used to compromisean environment by “spoofing”or “denial-of-service.”

11 Auditing,Auditinghould be enabled A hackermighterying to EnableuditingorogonLogging,ndorLogonndLogoff.uess user’sasswordndndogoff, for bothMonito~ng gainccessoheystem.uccess and failure.

Without auditing, this mightgo undetected.

1 Auditing,Auditinghould be enabledWithoutuditingnilesndEnableuditingorileLogging,and for FileandObjectAccess.objects,hackersmighthave and objectaccess or~o n i t o ~n g e n o u g hime to figure out auccess and failure.

way around compensatingcontrols. For example,hackers might tryo accessfiles they do not have readaccess to. In addition,t ispossible to detect a virusoutbreak if write accessauditing for program files,

.dl1extensions,is enabled.



C o ~ p l i ~ c essess~ent

Tech~ques

Remove the default community Verify that the default om~unity“public” and input the correct “public” is not being used byname by p e ~ o r ~ n ghe following p e r f o ~ n ghe following steps:

steps: 1.

1.

2.3.

4.

5 .

Open Controlanel’s 2.

3.

4.

service. S.Disablehepublic” 6.

com~unitynd enter the

Enable the~uditiugor systemlogons and logoff by performingthe following steps:

1. Using the User Manager,select theAudlt option from

Events button is selected.3. Enable both theSuccess and

option.

these changes.4. Click theOK button to confirm

Enable theAuditi~gor file andobject accessby performing thefollowing steps:

1. Using the User Manager,select theAudlt option from

the Policies menu.

ents button is selected.

Failurecheck boxes forFileand O b ~ ~ c tccess auditingoption.

4. Click theOKbutton to c o n k nthese changes.

Open Control Panel.

Double-click the~ e t ~ o r ~applet.Choose the1Servlces Tab.Double-click theSNMP service.View the community settings.Click OK.

Verify that Auditing has beenenabled for system logons and logoffby perfo~inghe following steps:

1. Open User Manager.

2. Select theFiudlt option from thePolicies menu.

3. Ensure theAudit TheseEvents radio button is selected.

4. Verify that both theSuccessand Fallurecheck boxes orLogon and Logoff auditingoption have been selected.

S. Click theOKbutton to exit.

Verify that Auditing has beenenabled for system filend objectaccess by p e r f o ~ n ghe following

steps:1. Open User ~anager.2. Select theAudit option from the

Policies menu.3. Ensure theAudit These

Eventsradio button s selected.4. Verify that both theSuccess

and Failurecheck boxes forFile and Object Ficcess

auditing option have beenselected.

5. Click theOK button to exit.

Inquire with the company whetherSNMP is being used to monitor theserver. IfSNMP is being utilized,inquire whether the o ~ u n i t yname has been changed from“public” to a i~cult-to-guess ame.

Review <senrername>.policies.

txt to ensure auditing s enabled forsuccesses and failures for logons andlogoffs.

Review <servername>.policies.

txt to ensure auditing s enabled forsuccesses and failures for file and

object access.



omain on troll er ~ecurity

0 . Cate~ory Control isk Control ~ e c h ~ ~ ~ e s

1l Auditing,Auditing failures should be Asermightryakingnableuditing for Use ofLogging,andenabled for UseofUser ownership of files hey do notUserRights failureonly.~on i to~ng Righ t s .aveccess to in ordero edit

them. Or, a user whosomehow got physical accessto a PDC might try logging inlocally, Without auditing,these events might not bedetected.

l1 Auditing, Auditing shouldbe enabled If a user is granted access Enable auditing or UserLogging, and for User and Group above what they deserve,t and Group~anagement

~onitoring ~ ~ a g e m ~ n t , would be important to know success and failure.who made those changes.Without auditing User andGroup ~ ~ a g ~ m e n t ,t wouldbe impossible to now withinWindows I?".

l 1 Auditing,Auditinghouldenabled If changesremadeohenableuditing forLogging,and orSecurityPolicyChanges.SecurityPolicy,whereusersSecurityPolicyChanges~ o ~ t o r i n g aregrantedccessouccessndailure.

resources they should nothave been, t is important foran ad~nistratoro be able to

determine who made thosechanges.



Enable the Auditing or Use ofUser Rights by erfor~nghefollowing steps:l. Using the User Manager,

2.

3.


Enable the User and GroupManagement byp ~ ~ o r ~ n ghefollowing steps:l. Using the User Manager,

2.

3.

4. Click theOK button to con~rmthese changes.

Enable the Auditing or SecurityPolicy Changes by e~orminghefollowing steps:

auditing option.4. Click the OK button to confirm

~ o ~ ~ l i a n c e ~ s s e s s ~ e n tT e c ~ n i ~ u e s

Verify that Auditing has beenenabled for Use of User Rights byperforming the following steps:1. Open User ~anager.2. Select the Audit option from the

Eventsbutton is selected.4, Verify that the Failurecheck

box Use of User ~ i g h t s

auditing option has been

selected.5. Click theOK button to exit.

Verify that Auditing has beenenabled for User and Group~ ~ a g e m e n ty pe~forming hefollowing steps:1. Open User nager er.2. Select the A ~ d i tption from the

3.

4.

5. Click the OK button to exit.

Verify that Auditing has beenenabled for Security Policy Changesby pe rf o~ in ghe following steps:l. Open User ~ ~ n ~ g e r .

2. Select the Audit option from the

3.

4.

d.

auditing option have beenselected.

txt to ensure auditings enabled forfailures for Use of User Rights.

txt to ensure auditing s enabled forsuccesses and failures for User andGroup ~an ag e~ en t .

Review < s ~ ~ e r n ~ m e ~ . ~ n l i ~ i e

txt to ensure auditing is enabled forsuccesses and failures for SecurityPolicy Changes.

thesehanges. 5. Clickhe OK buttonoxit.



l l Auditing?Auditinghould be enabled Only authorizedsershouldnableuditing forLogging? and for Restart, Shutdown, and have the capability to change Restart, Shutdown, and

~ o n i t o r ~ n g System. the stateof a system. This System for success andactivityhouldbe speciallyailure.scrutin~zedn all servers.

l 1 Auditing, Auditing shouldbe disabled Process Tracking will not help Do not select successrLogging, and for Process Tracking. much in determiningny failure for Process

onito~ng securityreaches. It is moreracking.useful for debugging aprogram that doesn’t functioncorrectly. If used, ProcessTracking will generate

thousands of audit entries in afew seconds, thereby floodingthe log.



C o ~ ~ l i a n c esse§§~entTechniques

Enable the Auditingor Restart,Shutdown, and System bypel~orminghe following steps:l. Using the User Manager,

select theRudit option fromthe Policies menu.

2. Ensure theRudit These

Eventsbutton is selected.3. Enable the both the Success

and Failurecheck boxes forRestart, 5 h u t ~ o ~ ~ ,nd

5ystem auditing option.4. Click theOK button to confirmthese changes.

Disable auditing or ProcessTrac~ngy performing thefollowing steps:l. Using the User Manager,

select theRudit option fromthe Policies menu.


Events button is selected.3. Deselect bothh ess

and Failureche S forthe Pracess Tr

auditing option.

these changes.4. Click theOK button to confirm

Verify that Auditing has beenenabled for Restart, Shutdown, andSystem by p e ~ o r ~ n ghe followingsteps:l. Open User Manager.

2. Select theRudit option from thePolicies menu.

3.Ensure theRudit These

Events radio button is selected.4. Verify that both theSuccess

and Fallurecheck boxes for

Restart, Sh ut do ~n , ndSystem auditing option havebeen selected.


Verify that Auditing has beenenabled for Restart, Shutdown,ndSystem by performing the followingsteps:1.Open User Manager.

2. Select theRudit option from the


4. Verify that both theSuccess

Policies menu.

Events radio button s selected.

and Failurecheck boxes for theProcess Tracking auditingoption have been deselected.


Techniques

Review <sen/ername>.policies.

txt to ensure auditing s enabled forsuccesses and failures for Restart,Shutdown, and System.

Review <sen/ername>.policies.

txt to ensure auditings not enabledfor successesand failures forProcess Tracking.



11 Auditing,Logging, and~onitoring

~ o ~ t r o l~ j e c t i v e s Sk

Logs containing auditing Audit logs may containin fo~a t ionhould be sensitive i nf o~a ti on boutsecured. the system and can be used to

compromise the system. naddition, if logs are unsecuredit would be possible to deletethem in order to eliminate anaudit trail.

S

Logsshould be secured toprevent them from beingviewed or deleted yunauthorized individu~s.

11 Auditing, All audit files should e Having all reviewed audit files After audit files have beenLogging, and archived and purged in archived and purged ensures adequately reviewed in

~onitoring accordance with corporate that if they are needed they accordance with corporatestandards.ill be availablendthetandardsnduidelines,

same imeguarantees hatallaudit iles houldbeunauthorizedsersannotrchivedndurged.pursue the audit files toidentify system patterns.



~ o ~ ~ l i a n c essessment

Tec~niquesThe Auditorsand System groupsshould have ull Control of thefollowing filesand nootherpermissions should be specified:

Verify that permissionson hefollowing files comply with thereco~endationsy performing thefollowing steps:

1. Right-click on he file in Explorer.2. Choose Properties.3. Select the Securi ty tab.4. Click the Permissions button.5. Compare the current permissions

to the recommendations.6. Repeat for all isted files.

Note:The System groups a built- Files:in special group, nd the Auditors c:\uJinnt\l3ystem32\config\group will needo be createdby an ~ P P ~ E N T . E V Tadministrator. c:\Luinnt~ystem3~~onfig\

SECEVENT.Emc:~innt\Eiystem32\confl~\SYSEVENT.EVT

Reco~mended Per~issions:

AuditorseadSystemroupshange

Review the audit filesin Ensure that policies exist to archiveaccordance with corporate and purge audit files. Verify, throughstandards and guidelines. Properly discussion with the networkback up the audit logs nd then ad~nistrator,hat these procedurespurge them from the system. are followed.

~ o m ~ ~ a n c ee~fication

T e c ~ ~ q u e sReview the < se ~e r n am e> .~ er ms<system drive letter>.txtandensure the following:

Files:

c : ~ i n n ~ y s t e m 3 ~ ~ n f ~ g \~ ~ PE V E N T . E mc:\uJlnnt\Eiystern3Stconflg\5ECEVENT.EVTc:\Luinnt\l3ystem3~config\SYSEVEN1.M

R e c o ~ ~ e n d e d P e ~ i s s i o n s :

AuditorseadSystemroupshange

Ensure that policies exist to archiveand purge audit files. Verify, throughdiscussion with the networkad~nistrator,hat these proceduresare followed.



omain Contro~er ecurity

No. C a ~ ~ o ~ontrolObjectives Risk Co~trol e ~ h ~ i ~ u e s

11 Auditing,Auditing of sensitiveystemAuditingccess to sensitivenableWindows NI'Logging, and and application files nd system and application files native auditing feature n

~onitoring directories shouldbe and directories increases the all sensitive system ndenabled.hanceshatnauthorizedpplicationilesnd

access o he ystemwillbedirectories.detected and terminated in atimely manner.



~ l e r n e n ~ ~ o nechniques

Enable WindowsNT nativeauditing feature on all sensitivesystem and application filesanddirectories. Identify thesedirectories per the corporatestandards. In addition, thefollowing Windows NT systemdirectories and files within shouldbe audited:

The following items shouldeaudited:

Write: Select Success& FailureDelete: Select Success& FailureChange Permissions: SelectSuccess& FailureTake Ownership: Select Success&Failure

C o ~ ~ ~ a n c essessrnentTe c h ~ q u e s

Verify that the Windows NT nativeauditing feature has been enabled forall sensitive system nd applicationfiles and directories by performingthe following steps:l.Right-click on the directory in

Explorer.2. Choose Properties.3. Select theSecurity tab.4. Click the~uditingutton.5. Compare the current audit

settings to therecommendations.6. Repeat for all listed directories.

Directories:Those stated in the best practices,plus

R e c o ~ m e n d e dettings:Write: Select Success& FailureDelete: Select Success& FailureChange Permissions: Select Success& FailureTake Ownership: Select Success&Failure

C o ~ ~ l i ~ c e ~ e r ~ c a t i o nTechniques

Review the<servemame>.perrns <systemdrive letter>.txt and ensure thesensitive system files are beingaudited for the following actions:

Directories:Those stated in the best practices,plus

~ecom m ended e t t ings :Write: Select Success& FailureDelete: Select Success& FailureChange Permissions: Select Success& FailureTake Ownership: Select SuccessFailure



ryontrolives Risk Control ues

12 Auditing,Auditing of sensitiveystemAuditingccessoensitivenable ~indows TLogging, and registry keys should be system registry keys increases native auditing featureon

Monitoring enabled. the chances that unauthorized all sensitive systemaccess to thesystemwill be registrykeys.detected and terminatedn atimely manner.



audi~ingeature on all ensit~vesystem registry keys. Identifjr thesekeys per the corporate standards,In addition, the following eysshould be audited:

The f o l ~ o ~ i ~ gtems sh ou l~e

audited:

Set Value: Select SuccessFailureCreate Subkey: Select SuccessFailureCreate Link: Select SuccessFailureDelete: Select Success& FailureWrite DAC: Select Success&Failure

Verify that the Windows T nativeauditing feature has been enabled forall sensitive system registry keysyperforming the following steps:1. Open r ~ ~ ~ d t ~ ~ .

u ~ i t ~ n ~ ,rom the

4. Compare the current auditsettings to thereco~endations.

5. Repeat for all listed keys.

Kf2Y.S:

plusThose stated in the best practices,

~ e ~ o m ~ e n d e dettings:

Set Value: Select Success& FailureCreate Subkey: Select Success&

FailureCreate Link: Select SuccessFailureDelete: Select Success& FailureWrite DAC: Select Success&Failure

portions of the registry are beingaudited for the following actions:

Irltys:

plusThose stated in the best practices,

~ K L ~ ~ 5 T E ~~ K ~ ~ D ~ W ~HKCR

~ e c o ~ ~ e n d e dettings:Set Value: Select Success& FailureCreate Subkey: Select Success&FailureCreate Link: Select SuccessFailureDelete: Select Success& FailureWrite DAC: Select Success&Failure



1 Auditing,Logging, and~onitoring

The event viewer should beallocated sufficient space oraudit logs.

If events a e ove~rittenbefore they can be reviewed,there is an increased risk thatcontinuous unautho~zedactivity may go undetected.

Control ~ e c h n i ~ ~ e $

The event viewer shouldbe allocated adequate diskspace to store allauditlogs. The disk spaceneeded should be based onsize of the domain andreview intervals f theaudit logs.

12ecurityUnauthorizedndividualshere is an increasediskhat Set the winreg registryAd~nis trat ion should ot e llowedo an unautho~zed sermayey ~ e ~ i s s i o n so complyActivitiesemotelyditheegistry.ainnowledgeboutheithorporatetandards.

PDC anddomainandeven ndustryguidelines tate

attack the system with denial that only Adminis~atorsof services or Trojan horses,f have full control.they can access the registry.



Set the amountof space that sbeing allocatedby performing thefollowing steps.

Set the log settings according tocorporate standards. The followingare industry guidelines:

after 14 days)System: 1-2 MB (Overwrite after14 days)Application: 1-2 M B (Overwriteas needed)

3. Click Close.

ote: If a log is set in the abovemanner, for example, Security Log5MB, 14days, the log cane filledthe first day, ando events would

be logged for the next 13 days.

Log sizes should e basedon thesize of the system including thenumber of users if logon andlogoff is going tobe tracked.

Secure thewinreg registry key byperforming the following steps:

1. Open rege~t32.2. Select thekey ~ ~ L ~ y ~ e m \

CurrentControl5et\Control\

3. ecurity Iper mission^ from the pull-down menu bar.

4. The permissions should e inaccordance with corporatestandards.

Industry guidelines state:~ d ~ n i s t r a t o r s :ull Control

Verify that suflcient space is

allocated for log filesy performingthe following steps:

1. Open Event Viewer.

2. Select Log ~ e t t i n g ~ . rom

3. Select appropriate log ile in thethe Logpulldown menu.

C ~ ~ n ~ ~ettings for Lobox.

4. Compare current settings to therecomtnended settings.

5. Click Cancel.

6. Close Event Viewer.

Log: SecuritySettings: 5-10 M B Overwrite after14 days)

Log: SystemSettings: 1-2 h4B (Overwrite after14 days)

Log: ApplicationSettings: 1-2 MB (Overwriteas

needed)

Note: If a og is set in the abovemanner, for example, Security LogS M B , 4 days, the log can be filledthe firstday, andno events would belogged for the next 13 days.

Verify an appropriate security settingon the winreg registry key byperforming the following steps:

1. Open regedt32.

2. Select the key ~ ~ L ~ y s t ~ m \CurrentControl5et\Control\

5 e c u r e ~ i ~ e 5 e ~ e r ~WinReg.

3. Choose Permissions. . romthe Security pulldown menu.

4. Compare the permissions to therecommended settings.

5.Close regedt3~.

R e ~ o ~ ~ e n d e detting:Administrators: Full Control

MaxSize and ensure adequate diskspace is allocated

Log: Security~ e t t ~ n g ~ :-10 M B Overwrite after14 days)

14 days)

Log: ApplicationSettings: 1-2 M B (Overwrite asneeded)

ote: If a log is setn the abovemanner, for example, Security Log5MB, 14 days, the log can be filledthe firstday, and no events would belogged for the next 3days.

Log sizes should be basedn the

system including the u ~ b e rfusers if logon and logoffs going tobe tracked.

restricted to only authorized users.

~ e ~ o ~ ~ e n ~ e d S e ~ t i ~ ~ :Administrators: Full Control



on ves sk

12 Security Partsof the registry run With its default permission Set theA d ~ i ~ s ~ a t i o nrograms at startup should levels, any locally logged on R ~ f l ~ f l c eegistry keysActivities ured to not allow user can change the valuef permissions to comply

u ~ a u ~ o ~ ~ e dserso edit the ufl key to ointo a with orporatetandardsthe list of programs.rojanorserogram. This orndustryuidelines.

Trojan horse can be anythingfrom malicious code toprogram that, when run asa d ~ ~ s ~ a t o rquivalent,dumps the password hash.



I ~ p l e m ~ n ~ t i o ~e c h ~q u e s

Secure theR un and R u n o n c eregistry keysby p e ~ o ~ i n ghefollowing steps:l. Open regedt32.2. Select the followingkeys

inde~ndently

H K L ~ ~ O ~ W ~ R ~ i c r o s o ~ \Windour~CurrentVersion\Run

o ~ w ~ R ~ i c r o 5 o f nW i n d o w s \ C u r r e n t V e r 5 i ~ n \

R u n ~ n c e

3. Choose Securitg I

P ~ r r n i s s i o n 5rom thepull-down menubar.

4. The permissions should be inaccordance with corporatestandards.

Industry guidelines state:

Creator Owner: Full ControlAdministrator: Full Control

System: Full ControlEveryone: Read

5.Close r e ~ e d t ~ ~ .

Com p~ance s s e s s ~ ~ n tT e c h ~q u e s

Verify an appropriate security settingon the R u n and R u n ~ n c eegistrykeys by performing the followingsteps:l. Open r e g e d t 3 2 .2. Select the appropriate ey.3. Choose P e r r n l s s i o n s . from

the S e c u r i t y pulldown menu.4. Compare the permissions o the

r ~ c o ~ e n d e dettings.5.Close r e g e d t 3 2 .

Kt?J)s:~ K L ~ O f f ~ ~ ~ ~ i c r o 5 o ~ \Windours\CurrentVersion\Run

H K L ~ O ~ W ~ R ~ ~ c r o s o f t \W i n d o u r ~ C u r r e n W e r ~ i o n \

u n O n c e

R e e o m m e ~ e d et tin gs:

Creator Owner: Full ControlAdministrator: Full ControlSystem: Full ControlEveryone: Read

C o m p ~ a n c e e ~ ~ c a t i o nT e c h ~ q u ~ s

Review < 5 e ~ e r n ~ r n e > . r u n . ~ tand ensure the following:

K q S :

H K L ~ ~ O ~ W ~ R ~ i c r ~ 5 o ~Windours\CurrentVersion~un

H K L ~ ~ ~ W ~ R ~ ~ ~ c r oWindours\CurrentVersion\R u n ~ n c e

~ e c o m m ~ ~ e dettings:

Creator Owner: Full ControlAdministrator: Full ControlSystem: Full ControlEveryone: Read



ry Control Objectives Risk Co~trol ~ c ~ ~ i ~ ~

12 Security Parts of the registry contain If an unauthorized user could Set the registry keys’A ~ s ~ a t i o nensitive system nfo~at ion read these registry keys, they (listed in theActivities like performance data, the might gain access to sensitive i~ple~enta t ionhecklist)

logon process, and security system resources or be able o permissions o complyinfo ~ati on. heseegistryearnnformation bouthewith orporate tandardskeyshouldeonfigured to PDC.rndustryuidelines.not allow unauthorized usersto edit the list f programs.

12 Security Certain registry keys should If an unauthorized user could Set the registry keys’A ~ s ~ t i o ne secured to prevent read these registry keys,hey (listed in theActivities unauthorized access to the might be able to launch implementation checklist)

PDC’s configuration.enial of servicettackrermissionsoomply

or industry guidelines.upload aTrojanorse.ithorporatetandards



Secure the following registry keys

independently:

4. The pe ~~ ss io nshould be inaccordance withcorporatestandards.

I ~ ~ s t ~~ i ~ e ~ i ~ e state:Creator Owner: Full ControlAdministrator: Full ControlSystem: Full ControlEveryone: Read

5. Close r

Secure the following registry keys

indep~ndently:

PC and all subkeys)

Verify that appropriate securitysettings exist on the followingregistry keys by performing these

the 5ecurity pulldown menu.4. Compare thepe~iss ionso the

r e c o ~ e n d e dettings.

WindolusN~CurrentVersion\

Wini~gon

R e co ~ ~ e n d e d S e t ~ ~ n g s :Creator Owner:Full ControlAd~nist ra tor: ull ControlSystem: Full ControlEveryone: Read

Verify that appropriate security

settings exist on the followingregistry keys by e~orminghesesteps:

3.Choose Permissions. . romthe 5ecurIt.ypulldown menu.

4. Compare the per ~s si on so therecommended settings.

5.Close regedt.3~.

and ensure the following:

Keys:H K L ~ O ~ U J A R ~ l C R O ~ O mUJIndolusN~urrentVerslon\

Pe~L ibH K L ~ o f t ~ a r e ~ i c o r s o ~ \

Windolu~N~CurrentV

Set\C~ntroI\LS

WKLM\Syste~\CurrentControIS e ~ e ~ i c e ~ a n ~ ~ n 5Shares

R e c o ~ ~ e n d e dset t ing^:

Creator Owner: Full ControlAd~ nis trator : ull ControlSystem: Full ControlEveryone: Read

Review ~ ~ e ~ e r n ~ m e > . h k i m . t x t

and ensure the pe l~s sio ns n thevalues

HKCR (all subkeys)

H K L ~ O ~ W A R E

H K L ~ ~ ~ U J R R ~ ~ l C ~ ORPC and all subkeys)

H K L ~ ~ O ~ W A R ~ l C R O 5 O mWindo~sN~CurrentVefsio~\

H K L ~ O ~ W A R ~ I C R ~WindoursN~CurrentVerslon\AeDebug



oryontrol ~ ~ j e c ~ ~ e s isk Control ~echni~ues



H K L M ~ D F F W f l R E W I l C R D S D ~WindowsM\Cum2ntVefsionWeDebug

H K L M ~ D F T W f l R E W I l C R D S D ~

WlndoursNnCurrentVersion\

Compatlbliity


WindowsNnCurrentVersion~rivers

H KLM\SD FTWf lR EWI lC R D SD ~

WlndowsNnCurrentVersion\

~ m b e d d i n g

H K L M ~ D ~ W f l f l E W I l C f l D S D ~

WlndowsNnCurrentVerslonts

H K L ~ D F F W f l R ~ l C R D S D ~WindowsNnCurrentVerslon\Font

Substitutes

H K L M ~ D F T W f l R E W I l C R D ~ O m

WindowsNnCurrentVersion~ont

Drivers

H K L M ~ D ~ W f l R E W I l C R D S ~ m

Windows~urn?nWefsion~ontMapper


WlndowsNT\CurrentVersion~ontCache

H K L N \ S D F T W f l R ~ l C R D S D ~

WindowsNnCurrentVersion\~ f lE - l n i t i a l i z e

H K L ~ D F F W f l R R M l C R D ~ D m

WindowsNnCurrentVersionVvlCi

H K L M ~ D F T W f l R E W I l C f l D S ~ mWlndowsN~CurrentVersion\

M C l ~ x t e n s i o n s

H K L M ~ D F T W f l R ~ l C R D S D ~

WlndowsNnCurrentVersion\Po~ allsubkeys)

H K L M ~ D F F W f l R ~ M l C R D ~ D F n

WindouJsNnCurr~ntVerslon\

Typellnstaller

H K L M ~ D F T W f l R ~ l C f l D S D ~

WindowsNT\CurrentVersion\Pr~flleList

H K L ~ D F T W f l R E \ M l C R D S D ~

WindowsNnCurrentVerslon\Wlndows

3.lMigrationStatus(all subkeys)

H K L ~ D F T W f l f l ~ l C f l D S D ~

WindouJsN~CurrentVersin\WDWailsubkeys)

HKLM~ytern\CurrentControlSet\

Services\UPS

HKEY-USERS;de~auIt1. Choose Securlty I Permiss ions

2. The permissionsshouldbe nfrom the pull men u bar.

accordance with corporate standards.

C o ~ ~ l i a ~ c es s e s s ~ e ~ t

T e c h ~ ~ u e s

Industry guidelines state:

Creator Owner: Full ControlAdm inis~ato r: ull ControlSystem: Full ControlEveryone: Read

5.Close regedt3S.

H K L M \ S D F T W f l R E W I I C R D S D ~ P ~

(and all subkeys)

HKLM\SOFFWflREWIICRDSDmWindouJs

~ C u n e n W e r s i o n \

HKLM\SDFTWRREWIICRD

NnCurrenWersionWeDebugH K L M \ S O F T W f l R ~ I C f l D S D ~ W i n d o w s

N72CunentVersion\Compatiblllty

H K L M \ S D F T W f l R R M I C R D S D ~ i n d o w sNnCunentVersionMrlvers

H K L M \ S D F T W f l R ~ I C R D S O ~ W i n d o w sNnCunentVersion\Embedding

H K L M \ S D ~ W f l R R M I C R D S D ~ ~ i n d o w

sNnCurrentVerslon\Fonts

HKLE\/RSDFTWflflEWlICRDSD~Windows

NnCunenWerslon~ontSubstitutes

H K L M \ S D F T W R R R N I C R Q S D ~ i n d o w s~CurrentVersion~ontD~vers

HKLMLSDFFWflRRNICRDSD~Windows

NnCunentVersion~ontMapper

HKLM\SDFTWf lRRNICRDSD~Windows~CurreniVersion~on~Cache

HKLM\SDFTWRREWIICRDSD~indows~CunentVersion~RE-Initialize

HKLM\SDFFWflRE\MICRDSOmWindows

N72CurrentVers ion~CI

H K L N \ S D F F W f l R ~ l C R D S D ~ l n d o w s

NnCunentVerslonWICIExtensionsHKLM\SDFFWRREWIICRDSD~lndowsN T \ C u ~ e n t V e r s i o n ~ o ~all subkeys)

HKLM\SDFTWRREWIlCRDSD~Windows

N71CurrentVerslon\Typellnstaller

H KLN \SD FTWf l f lE \MIC R D SD ~ 1ndow sN72CunentVersionV3rofileList

H K L N \ S D F T W f l R R N I C R D S D ~ l n d o w s

N~CurrentVersion\Wlndo~s3,1Nigratlon

Status (all subkeys)

HIII"\SDFTWflREWIICRDSD~Windows

NnCur ren tVe~ ion \WDWall subkeys)

HKLN\System\CurrentControISet\

Serv icesUPS

H K ~ - U S E f l ~ . d e f a u l t

Creator Owner: Full ControlAdministrator: Full Control

System: Fnll ControlEveryone: Read

H K L ~ D F T W f l R E U V I I C R D 5 ~ ~ ~ i n d o w s

NnCurrentVerslon\Compatibility

HKLN\SOFTWRREWIICRD5D~indows

NT\CurrenWersion\Drivers

HKLM\SDFTWRRRN ICRQED~ indowsNT\CurrentVersion~mbedding

HKLM\SDFTWRRRMICRQSD~WindowsNnCurrentVersion\Fonts

HKLM\SDFTWflf lEWIICRDSD~WindowsN~CurrentVersion\Font5ubstitutes

H K L M \ S D F T W R f l ~ I C R D S D ~ i n d o w s

NnCur~ntVersion~ontDriver~

HKLM\SDFTWf lREWI ICRDSD~ indows

N~urrentVersion~ontMapper

HKLM\SDFTWRRE\MiCRDSD~WindouJsNnCurrentVersion\FantCache

H K L M \ S O F T W R R ~ I C R D S D ~ i n d o u J sNnCurrentVerslon\GRE_Initialize

NnCur ren tVers ion~Cl

HKLM\SDFTWflREWIICRD5O~indo~s

N72CunentVersionWICIExtensions

HKLM\SDFTWf lRRNICRQED~WindowsN n C u r r e n t V e r s i o n ~ o ~all subkeys)

HKLM\ SD F7WRRRN iCRD 5O~ lndows

NnCurrentVersion\TypelInstaller

HKLM\SDFTWflREWIICRDSO~WindowsNnCurrentVersion~ro~le~is~

HKLN\SDFTWRRE\MICROSO~lndowsNnCur~ntVersion\Windows3,1~igration

Status(al1 subkeys )

H K L N \ S O F T W R f l R M I C R D S O ~ i n d o w sNnCurrentVersion\WDW (all subkeys)

HKLM~ystem\CurrentControlSet\

Services\UPS

H K E Y - U S E R ~ . d ~ f a u l ~

are restricted o only authorized users.

Re~ornrn~l~dedettings:

Creator Owner:Full Control

Administrator: Full ControlSystem: Full ControlEveryone: Read



12 Securityhea s t u s e r n~ endheresnncreasediskhat Set theA d ~ ~ s ~ a t i o nefault u s e r ~ ~ ehould not an unau~horized ser mayActivities be displayed at login. gain knowledge of the

company omain amin alue f 1and elete anystandards and a name to usein use~ame cont~nedithingaining access o he domain the registry keyifheastsername is ~ ~ f ~ u l t ~ ~ ~ rdisplayed at logon.

12 Security It should notbe possible to If users could shut down the Set theA ~ ~ s t r a t i o nhut down the PDC without PDC without logging n, no ~ ~ t h ~

Activities logging on . audit trail would be created, entry with a value of.and unauthorized users might

be able to shut the PDC down.

12 Security The system should not e In some cases, t might beA d ~ ~ s ~ a t i o nhut down if the audito necessary to shut downhe

Activities becomes full. server when the audit logbecomes full, ensuring that naudit trail is always inexistence. However, t is notnormally necessary o enablethis on a PDC.

Set the

registry entry with valueof 0.A value of 1 shouldbe set under certaincircumstances to shutdown the machine but isnormally unnecess~y.

12 Securityheuditingfllseruditingllserightsillethe ~ ~ l i ~ f ~ ~ i i

Ad~nistration rights houldbedisabled.generateveryargenumber ~ U ~ ~ t ~ f l ~egistry ntryActivitiesfudit with a value of. A value

user rights, including Bypass of 1 should be set undertraverse checking,are certain circumstancesto

enabled. audit all user rights butsnormally unnecessary.



ained within the registry keyu l t ~ s e r ~ a m ~y p e ~ o r ~ n g

1. Open regedt3~'

Verify that theDontDls~la~L~st

of 0 by pedorming the following

WithautLogan is

Verify that theCr~shOnRuditFail

registry entry s set to a valueof 0 by

Verify that theFullPrlvllegeAudltrng egistryentry is set to a valuef 0 or 1byp e ~ o r l ~ i n ghe following steps:

Selecthe hive 1. Open regedt~~.

Techniques

Review <se~ername>.~lnlogo~.txtnd ensure the value

to 1.

S ~ ~ t d o ~ n W i t ~ ato 0.

Review the<se~ern~me>.l~txt and ensure the valueCr~sh~nRud~tF~l l

s set to 0.

and review the valueFullPrivlegeRuditing.If it is ahighly secure server, the settingshould be 1;otherwise, it shouldbe 0.

Note: Setting this value to greatlyincreases the numberf eventslogged in the Event Viewer.



ry Control ~bjectives Sk Control T e c h n i ~ ~ e s

12 Securityfllompanies run Windows NT supportsAdministrationWindows W, hennlyanManagerhallengeActivitiesWindowsThallengeesponse andWindowsT

Responseuthenticationhallengeesponseshouldeccepted.uthentication.ecausehe

LanManager uses a weakerform of encryption, a hackermay potentially be able tocrack the password hashfthey sniff it ast traverses thenetwork.

Set the L ~ C a m ~ ~ t ~ ~ ~ ik v e l registry entry with avalue of 2 if all companiesrunWindows NT,Otherwise, set t to a valueof 1, which only sends theLM hash if it is required.

Note: This requires theLM hot fix or ServicePack 4.

12 Securitynlydministratorshouldhecheduleerviceouldethe ~ u ~ m ~ t C ~ n t r a lAdministrationecheduling jobs. potentiallyllow an registryntryithalueActivitiesnauthorizedser to execute of 0.

malicious code as ana d ~ ~ s t r a t o r .

12 Securityndividualshouldnlyessigningndividuals to therantndividualsheAdminis~ation members of the Ad~nis tra tors roup may minimum necessary rightsActivities Administrators group f grant them excess user rights. o perform theirob

absolutelyecessary.Thesexcessightsmayllowunction by placinghemIndividualsmanaging iles hem to performunwarranted in appropriateusergroups.and sharesshouldbeServeradministrativefunctions.Operators. Individualsmanaging accounts shouldbe Account Operators.Individuals managing

printers shouldbe PrintOperators, and individualsp e ~ o r ~ n gackups shouldbe Backup Operators. Theseaccounts should not beallowed to log on locallyexcept for Ad~ nis tratorsand Backup Operatorsfbackups of the PDC are no tdone remotely.



(Set to2 if all companys areWindowsW)by performing the

following:

Individuals managing iles andshares should be Server Operators.Individuals managing accountsshould be Account Operators.Individuals managing printersshould be Print Operators, andindividuals pe r fo r~ngackupsshould be Backup Operators.These accounts should not beallowed to log on locally exceptfor ad~ni strator snd backupoperators if backups of the PDCare not done remotely.

Verify that theLNCompatibilit~Levelegistryentry is set to a valueof lor 2 byperforming the following steps:

1. Open regedt32.2. Select the hive

ControlSet\Control~S~.

Compati~ilit~Levels set to1

or 2.

3. Verify that the key L N

4. Close regedt32.

Review <servername>. isa. tx tand review the valueLNCompatibilit~Level.f theenvironment being reviewedsstrictly Windows T, he valueshould be equal to. If theenvironment is mixed, the valueshould be equal to1.

Verify that the~u~mitControl Review <servername>.l5a.txtregistry entry s set to a value of 0 by and ensure the valueperforming the following steps: SubmitCofltrol s set to0.

1. Open regedt32.2. Select the hive

3.

4. Close regedt32.

After discussionof users and userroles with the network administrator,open User Manager or Domains andensure the following:

Individu~smanaging files andshares are Server Operators.Individuals managing accounts areAccount Operators. Individualsm ~ a g i n grinters are PrintOperators, and individualsperforming backups are BackupOperators. These accounts shouldnot be allowed to log on locallyexcept for administrators and backupoperators if backups of the PDC arenot done remotely.

Review the <E;ervername>.right5.Mand ensure onlyauthorized users re granted UserRights. Verify the following:Individuals managing files andshares are Server Operators.Individuals managing accounts areAccount Operators. Individualsmanaging printers are Print

Operators, and individualsp e r f o ~ n gackups are BackupOperators. These accounts shouldnot be allowed to log n locallyexcept fora d ~ n i s ~ a t o r snd backupoperators if backups of the PDC arenot done remotely.



No. C a t e ~ o r ~

12 SecurityAdminis~ationActivities

12

Control ~ ~ j e ~ t i v e s sk Control T ec h n i~ ~ es

The Guest account should The System and Application Set thenot be able to view the Event Log could contain ~ ~ S t f ~ C t ~ U ~ S t ~ C C ~ 5

System EventLog and the sensitive information about registry entry with a valueApplication Event Log. the PDC that guests could use of l .

to attack the system.

Security The “Access this Computer If an Administrator account is Restrict who can accessAd~ ni str atio n from the Network” standard compromised, it would not be the PDC from the network.Activities user right should e able to compromise thePDC

restricted to ensure the PDC from the network. In addition,is secure from outside threats nonauthorized users will notand hat if Administrators be able oaccess he PDCaccountsarecompromised, rom henetwork.the entire domain on’t be.



Set theRestrictGuestAccess

registry entry to a value f 1byperfor~nghe following steps:

1. Open regedt32.

2. Select the following hivesindependently:

MKLMUSMstem\CurrentControlSetUSe~ices\EventLog\

Applicat~on

3. Set the key Restrlct

Restrict user rights y performingthe following steps:

1. Open User Manager.2. Choose ~ ~ l l c i e srom the

pulldown menu and choose

r Rights..)

I1 through theR~ghtsndfind “Access this Computer

commensurate with corporatestandards.

Industry guidelines state:* Users* Server Operators* Account Operators* Print Operators* Backup Operators

5. Click OK on the new windowto confirm changes.

6. Close User Mana~er.

C o m ~ l i ~ c essessment~ e c h n i ¶ ~ e s

Verify that theRestrictGuest

Access registry entry is seto avalue of 1by performing thefollowing steps:

1. Open regedt32.2. Select the following hives

independently:

ystemUurrentControISet\

)3ervice~ventLog\application

3. Verify that the keyRestrlct~uestAccesss setto 1.

4. Close regedt32.

Verify who has the “Access thisComputer from the Network” userright by performing the followingsteps:1. Open User Manager.

2. Choose Policies from thepulldown menu and chooseUser Rights. .

3. Scroll through theRigh s andtind Access this computer fromthe network.

4. Verify that the list of users scommensurate with corporatestandards and best practices.

5.Click Cancel.


Industry guidelines state:* Userse Server Operatorse Account Operators* Print Operators* Backup Operators

C o m ~ ~ a n c eerificationT e c h ~ ¶ u e s

Review <servername>.

event1og.Mand ensure the valuesRest r l c t~ues t~cc~sss set to 1for the system, application, andsecurity entries.

Review the <se~ername>.r lghts .~ tnd ensure onlyauthorized users are granted the“Access this Computerrom theNetwork” user right. The following

guidelines can be used:* Userse Server Operators* Account Operatorse Print Operators* Backup Operators



Sk Control T@c~ni~u@s

12 SecurityTheA d d ~ o r ~ t a t i o no theUsershouldoteddingRestrictwhoanddA ~ ~ s t r a t i o nomain” tandarduserightmachines to thedomain omputers to the domain.Activities houldbeestricted to ensureunlesshey re uthorized.

that unauthorized users They might be able to add acannot add miscellaneous domain controller ndmachines to the domain. compromisethe SAM.

The “Backup Files nd12 SecurityDirectories”tandardserherehould be aegregationestrict whoandd

A d ~ i s ~ a t i o nighthouldeestricted of dutiesetweenackupiles.Activitiesecausenyoneith this Adminis~ators, sers, and

user right can bypass individuals who can back upresource ACLs and readall files. Individuals with thisfiles. user right can bypass theCL,

of a fileand read any file theywant.



Restrict user rights y pedomingthe following steps:


2. Choose Polkies from thepulldown menu and chooseUser Rights. .

3. Scroll through the Rights andfind “Add Workstation o theDomain.”

commensurate with corporate

standards.

4. Edit theGrant To list to be

Industry guidelines state:* Administrators* Server Operators

5. Click OKon he new windowto confirm changes.


Restrict user rightsy performingthe following steps:



3. Scroll through theRights andfind “Backup Files andDirectories.”

4. Edit theGrant To list to becommensurate with corporatestandards.

Industry guidelines state:* Backup Operators



T e ~ ~ ~ ~ u ~ s

Verify who has the “AddWorkstation to the Domain” userright by performing the followingsteps:



3. Scroll through theRights andfind “Add Workstation o theDomain.”

4. Verify that the list of users iscommensurate with corporatestandards and best practices.

5.Click Cancel.


Industry guidelines state:* Adminis~ators* Server Operators

Verify who has he “Backup Filesand Directories” user rightype r for~nghe following steps:1. Open User Manager.


3. Scroll through the Rights andfind “Backup Files ndDirectories.”

4. Verify that the list f users is

commens~ate ith corporatestandards and best practices.

5. Click Cancel.

6. Close User Man~ger.


rig~ts.txtnd ensure onlyauthorized users are granted the“Add Workstation to the Domain”user right. The following guidelinescan be used:* Ad~nistrators* Server Operators

Review the<sewern

r lghktxt and ensure only

authorized users are granted the“Backup Files and Directories” userright. The following guidelines canbe used:* Backup Operators

Compliance Assessment



l2 SecurityAdminis~ation~ctivities

Control Objectives

The “Change the SystemTime’, standard user rightshould be r e s ~ c ~ e decauseanyone with this user rightcan change the system time,which in turn couldmisconfigure the timen all

member servers.

Sk Cont~ol echni~~es

Accuracy of the system time Restrict who can changeis a prerequisite for an audit hesystem ime.trail because knowing whowas accessing resources at aspecified time could implicatea user. The entire audit, eventmonitoring, and loggingsystem is based on time andtherefore requires that timenot be tampered with.Security policies, suchs

those for account lockout andexpiration, are based n thesystem time

12 SecurityheLog on Locally”ndividualshatnteractithestrict whoannteractA d ~ n i s ~ a t i o ntandarduser ight houldbe he PDC anusuallygetwithhePDC.Activitiesestricted so thatormalccessoeryensitive

users cannot interact with the ystem resources or createPDC. denials of service.



Restrict user rights y performingthe following steps:1. Open User Manager.2. Choose Policiesfrom the


3. Scroll through theRights andfind “Change the SystemTime.’’

4. Edit theGrant To list to bec o ~ e n s u r a t e ith corporate

standards.

Industry guidelines state:* Administrators* Server Operators

S. Click OK on he new windowto confirm changes.


Restrict user rightsy performingthe following steps:1. Open User Manager.

2. Choose Policiesfrom thepulldown menu and chooseUser Rlghts. .

3. Scroll through theRightsandfind “Log on Locally.”

4. Edit theGrant To list to bec o ~ e n s u r a t e ith corporatestandards.

Industry guidelines state:* Ad~nistrators* Backup Operators (onlyf the

* Server Operatorsbackups are performed locally)

S. Click OK on the new windowto confirm changes.


~ o ~ ~ l i a n c essessmentTe c h ~ q u e s

Verify who has the “Change theSystem Time” user rightyperforming the following steps:

1. Open User Manager.2. Choose Policiesfrom the

pulldown menu and chooseUser Rights. .

3. Scroll through theRlghtsandfind “Change the Systemime.”

4. Verify that the listof users isco~mensuratewith corporate

standards and best practices.5.Click Cancel.


Industry guidelines state:* Adminis~ators* Server Operators

Verify who has the “Log on Locally”user rightby performing thefollowing steps:


2. Choose Pollciesfrom thepulldown menu and chooseUser Rights. .

3 Scroll through the ig hs andfind “Log on Locally.”


S. Click Cancel.


Industry guidelines state:* Administrators* Backup Operators (onlyf the


~ o m ~ ~ a n c e ~ e ~ l c a t i o nTechniques

Review the <se~ername>.

rights.txt and ensure onlyauthorized users are granted the“Change the System Time” userright. The following guidelines canbe used:* Admi~s~a tor s* Server Operators

Review the <se~ername>.

rightrj.txt and ensure onlyauthorized users are granted the“Log on Locally” user right. Thefollowing guidelines an be used:* A d ~ n i s ~ a t o r s* Backup Operators (onlyf the




NO.

12

12

SecurityA d ~ ~ s t r a t i o nActivities

SecurityAdministrationActivities

~ o n t r o lObjectives

The “Manage Auditing andSecurity Log” standard userright should be restrictedothat only designated auditorscan view and delete thePDC’s logs.

The “Restore File andDirectories” standard userright should be restrictedbecause anyone with thisuser right can bypassresource ACLs and read andwrite toallfiles.

sk ~ontrol es

There should be a segregation Restrict who can audit theof dutiesetweenDC.Ad~nistrators, sers, andindividuals who can audit thePDC’s logs. Since individu~swith this right can clearsecurity log, they have theability to attemptn attack onthe system and then delete thelog, althougha security controlinherent in WindowsHT s

that theErrst entry in the newlog states that the old logascleared and by whom. Onlyauthorized individu~s,uchas

the Security Officer or theInternal Auditor, should begiven this right. Those types findividuals should be membersof an Auditors group.

There should be a se~regation Restrict who can addof dutiesetweenestoreilesromackups.Administrators, users,andindividuals who can restorefiles. ~ndividualswith thisuser right can bypass theCLof a file and read or writeoany file on the PDC.




1. Open User Manager.2. Choose Pollciesfrom the


3. Scroll through the Rights andfind “Manage Auditing andSecurity log.”

4. Edit theGrant To list to bec o ~ e n s u r a t e ith corporate

standards.

Industry guidelines state:* Auditors (must be created)

5, Click OK on he new windowto confirm changes.



l. Open User Man~ger.2. Choose Pollcles rom the


3, Scroll through the Rightsandfind “Restore File ndDirectories.”

c o ~ e n s u r a t e ith corporatestandards.

4. Edit theGrant TO ist to be


5. Click OK on he new windowto confirm changes.


Co m~ lian ce $$e$$mentTechnique$

Verify who has he “ManageAuditing and Security log” user rightby performing the following steps:

1. Open User Manager.2. Choose Pollcles from the

pulldown menu and chooseUser Rlghts. .

3. Scroll through theRights andfind “Manage Auditing andSecurity Log.”

4. Verify that the listof users is

commensurate with corporatestandards and best practices.5. Click Cancel.6. Close User Manager.

Industry guidelines state:* Auditors (must be created)

Verify who has he “Restore File andDirectories” user rightyp e r f o ~ n ghe following steps:

1. Open User Manager.2. Choose Policies from the

pulldown menu and chooseUser Rights..

3. Scroll through theRlghtsandfind “Restore File andDirectories.”


5. Click Cancel.



Compliance ~ e ~ f i ca t i o nTechNque$


r/ghts.txtnd ensure onlyauthorized users are granted the“Manage ~u di ti ngnd SecurityLog” user right. The followingguidelines can be used:* Auditors (must be created)

Review the<servername>.

rights.txtand ensure onlyauthorized users are granted the

“Restore File and Directories” userright. The following guidelines canbe used:* Backup Operators



12 Security~ d ~ n i s ~ a t i o nActivities

The “ShutDown theSystem” st an d~dser rightshould be restricted toprevent unautho~zedindividuals from shuttingdown the PDC and causingadenial of service.

Individuals who can shutdown the PDC could cause adenial of service or degradethe performance f thenetwork depending n theBDC c o n ~ ~ u ~ a t i o n s ,

es

Restrict who can shutdown the PDC

12 Securityhe ‘‘Take ownership of This is a veryowerfulserestrictwhoanAd~inis~at ion iles or Other Objects” right because ndividu~s an ownership of files or otherActivities standard user right shoulde ignore theACL of an object, objects.

restricted so that no one can take ownershipof the object,

manipulate a ile they do not and change theACL to whatdready own. they want.



Restrict user rights y performingthe following steps:l.

2.

3.

4.c o ~ e n s u r a t e ith corporates t~dards .

Industry guidelines state:* ~dminis~ators* Server Operators

S, Click OK on the new windowto confirm changes.

Restrict user rightsy p e ~ o ~ n gthe following steps:l. Open User ~an age r.

c o ~ e n s ~ a t eith corporatestandards.

Industry guidelines state:* No one


Verify who has the “Shut Down theSystem” user righty perfor~ngthe following steps:

1, Open User ~ a n a ~ e r .

2. Choose Policiesfrom thepulldown menu and chooseUser Rlghts. .

4. Verify that the listof users isc o ~ e n s u r a t e ith corporatestandards and best practices.

5.Click Cancel

6. Close User nag

Industry guidelines state:* A d ~ n i s ~ a t o r s* Server Operators

Verify who has the “Take Ownershipof Files or Other Objects” user rightby performing the following steps:

1. Ope

2. ChopullUser Rights. .

3. Scroll through the R ~ ~ ~ t sndfind “Take Ownership of FilesorOther Objects.”

4. Verify that the list of userssco~mensuratewith corporatestandardsandbest practices.


“Shut Down the System” user right.

* ~ d ~ i n i s ~ r a t o r sServer Operators

“Take Ownershipof Files orOther

Objects” user right. The followinguidelines can be used:No one



ory ~ o n t r o l ~jectives isk ~ontrol echni~ues

12

12

Security The “Act as Part f theAdministration Operating System” advancedActivities user right should be

restricted so that no one canact like the “system.”

This right s required bysome applications such asBindview.

Security The “Bypass Traverse

~ d ~ n i s t r a t i o n hecking” advanced userActivities right shouldbe available toEveryone.

ote: This i s a divergencefrom the book, whichspecifies that theAd~nistrator7erverOperator, and BackupOperator groups are the onlyones to have bypass traversechecking on the PDC.

The “ActasPart of theRestrict whocanactasheOperating System” right isone of the most powerfulrights within WindowsW. tallows the designatedaccounts to act as a trustedpart of the operating systemand can therefore do anythingregardless of other rights.

If Everyone is removed from Ensure that Everyone has

this useright, POSIX- theighto ypassraversecompliantpplicationsouldhecking.cause a denial of access whenthey t ry toraverse Note: TheBypasssubdirectories.raversehecking”ight

allows WindowsNT o beconfigured in a POSIX-compliant manner. Itallows users to traversesubdirectories regardlessof parent p e ~ s s i o n s .




l , Open User ~ a n ~ ~ e r .

OU I ~dvanced

find “Act as Partof theOpera~ng ystem.”

S. Edit theGrant l a list to becommensurate with corporates ~ a n d ~ d s .



Ensure user rightsy performingthe following steps:

1. Open User ~ ~ n a ~ ~ r .2. Choos

pulldoUser

3.SelectUser

4. Scrollfind “Bypass TraverseChe~king.’~

5. thepecialroupis granted this

right.

to confirm changes.6. Click OK on the new window

Industry guidelines state:* Everyone

Verify whohas he “Act as Part ofthe Operating System” user rightyp e ~ o r ~ n ghe fo~~owingteps:

ow ~dvanced

find “Actas Parto

Operating Sy~tern.~’5. Verify that the list of usersscommensurate with corporatestandards and best practices.


Verify who has the “Bypass TraverseChecking” user righty perf or~n g

the following steps:1.

2.

3. OU I ~ ~ v a n c e ~

4, Scroll through thefind “Bypass TraverseChecking.”

S. Verify that the listof users isc o ~ ~ e n s u r a t eith corporate

standards and best practices.6. Click Cancel.7 . Close U5er ~ a n a ~ ~ r .

Industry guidelines state:* Everyone

user right. The followinguidelinescan be used:* No one

autho~zed sers are granted the“Bypass TraverseChec~ing” serright. The following guidelinesanbe used:* Everyone



No. Cate~ory

12 SecurityAdrninistrationActivities

ControlObjectives sk

The “Logonas a Service” The“Log on s a Service” Restrict whocan log on sadvanced user right should rightallows a user to log on a service.be restricted so that noone as a service, sirnilar to thosecan actas a service. required by virus scanners

and faxing software. Theseservicesrun n thebackground without anyinteraction from nyadditional users. Someservices have Full Controlover the system and could be

very powerful if configuredin that manner.

12 SecurityheModifyirmwareheModifyirmwareestrict whoanodifyAdministration Environment Variables” Environment Variables” right firmware environmentActivities advanced user right should allows users o modify the variables.

be restricted so that users system environment variablescan’t modify the system that affect certain programs.environment variables that If a variable is modified, it

affect certain programs. could be set to point tobatch program that launchesaTrojan horse or denialfservice.




1. Open User ~ana ge r.

pulldown menu and chooseUser ~ l ~ h t s .

3. Select the “Show Advanced

User ~i gh t5 ”heck box.4. Scroll through the right^ and

find “Log on as a Service.”5. Edit theGrant To list to be

c o ~ e n s u r a t e ith corporatestandards.

Industry guidelines state:* Replicators


Restrict user rightsy performingthe foilowing steps:S.

2.

3. ow Advanced

4.find “Modify FirmwareEnvironment Variables.’’

5. Edit theGrantTo ist to becommensurate with corporatestand~ds.

~ n d u s t ~uidesines state:* Administrators


~ o m ~ l i a n c e ~ s s e s s m e n tT ~ c h ~ q u e s

Verify who has the “Log on as aService” user righty pedorrningthe following steps:1. Open User Manager.2. Choose Policies from the

pulldown menu and chooseUser Rights. ..

3.Select the “Show Advanced

User Rights” check box.4. Scroll through the Rights and

find “Log on as a Service.”5. Verify that the list of users s

c o ~e n s u r a t e ith corporatestandards and best practices.

6 . Click Cancel.

7 . Close User Manager.

Industry guidelines state:0 Replicators

Verify who has the “ModifyFirmware Environment Variables’’user rightby performing the

following steps:1. Open User Manager.


3. Select the“Show Advanced

User Rights” check box.4. Scroll through theRl~h tsnd

find “Modify FirmwareEnviron~entViuiables.”

5. Verify that the list of users isc o ~ e n s ~ a t eith corporatestandards and best practices.

6. Click Cancel.

7 . Close User Manager.

Industry guidelines state:* Ad~nistrators

Tec~niques


rights.txt and ensure onlyauthorized users are granted the“Log on as a Service” user right. Thefollowing guidelines can be used:* Replicators


right§.~tnd ensure onlyauthorized users are granted the

“Modify FirmwareEnvironmen~Variables” user right. The followingguidelines canbe used:0 Administrators



omain ont troll er ~ e c ~ r i t y

No. C ate ~o ry

12 SecurityAdminis~ationActivities

Control Objectives Sk

Certain advanced user rights Theseadvanceduser ightsRestrictwho sgrantedshould either be granted to could be used to compromise these advanced user rightsnoone or to Administrators thePDC f they are granted to (as listed in

only. These rights are listed thewrongndividualsothermplementation hecklist).in the implementation than Adminis~ators. hey arechecklist. very powerful and do not need

to be granted to normal users.



Restrict user rights y performingthe following steps:l. Open User Manager.


3.Select the “Eihow ~ d v a n c e ~

4. Scroll through theRightsandfind the following:

Should be granted to

Ad~nistrators:e Create a pagefilee Debug programse Increase quotase Increase scheduling prioritye Load and unload device driverse Profile single processe Profile system performance

Should be granted too one:e Create a token objecte Create pe~manent hared objectse Generate security auditse Lock pages in memory4 Modify firmwareenv i ro~en t

variablesReplace a process-level token

standards or the aboveindustry guidelines.

6. Click OK on the new windowtoonges.

7. Close a ~ ~ g ~ r .

ote: The standard user right“Force shutdown from remotemachine” and the advanced right“Log on as a batch job” are notlisted anywhere in ESAS becausethey are not implemented inWindowsNT 4.0 and have noconsequences.

Technique§

Verify who has certain user rights yperforming the following steps:

1. Open User Manager.2. Choose Policies from the


3. Select the “Show ~dvancedUser R~ghts”heck box.

4, Scroll through theRightsandfind the following:

GroupA:

e Create a pagefilee Debug programse Increase quotase Increase scheduling prioritye Load and unload device driverse Profile single processe Profile system performance

Group B:e Create a token objecte Create permanent shared objectse Generate security audits4 Lock pages in memory4 Modify firmware environment

* Replace a process-level tokenvariables


6. Click Cancel.7. Close User Manager.

Industry guidelines state:e Group A (Adminis~rators)

e Group B (No one)

ote: The standard user right “ForceShutdown froma Remote Machine”and the advanced user right “Log onas a Batch Job” are not listedanywhere in ESAS because they arenot implementedinWindows NT4.0and haveno consequences.

C o m ~ ~ a n c ee r i ~ c a t i o nTechNque§

Review the <sewername>.rights.txtand ensure onlyauthorized users are granted thefollowing user rights. The followingguidelines canbe used:

Should be granted toAd~nistrators:e Create a pagefilee Debug programse Increase quotas0 Increase scheduling prioritye Load and unload device driverse Profile single processe Profile system pe~ormance

Should be granted to no one:e Create a token objecte Create permanent shared objectse Generate security auditse Lock pages in memorye Modify fmware environ~ent

e Replace a process-level tokenvariables



Domain Controller~ e c ~ r i t y

No. C a ~ ~ o r ~ ontrolbjectives Sk

12 Security The company’s legal Displayinga egalwarningSet he egistryvalueAdminis~ation department should e ensures that users are awarefActivities consulted, and consideration the consequencesof

shouldeivenonauthorizedccessndAuthorizedsenly”imple~entingegalssistsnonveyinghendThese of thiswarningmessageobeprotection of corporate ssets.System is Restricted todisplayeduringogin.uthorizedersons Only.

All Others will eProsecuted to the FullExtent of the Law,”respectively.

12 Security Services that compromise If the company has services Disable any unnecessaryAdministration the securityof the domain running that compromise the or insecure servicesActivities should not be started. security of the domain, there running.

is an increased risk thatdomain resources will ecompromised.

12 SecurityerviceshatrovideertainervicesMessengerhe ~essengerndAdminis~ation enticement information and Alerter) allow userso get Alerter services and nyActivities should be disabled. enticement information about other services that provide

thedomainand tsresources.usersenticementinformation should edisabled when possible.



For all servers, enable the displayof legal textby p e ~ o ~ n ghefollowing steps:1, Open the Registry Editor

2. Select the(regedt~~.exe).

Softluar~\Microso~\

UJindolus~urrentVerslon\UJinlogonsubkey of theWKIMhive.

3.Enter the appropriate text inthe IegalNot ice~a~t~onnd

4. Close the Registry Editor.NiA

NiA

Compliance ~s se ss m en tTech~qMes

Verify that an appropriate LegalNotice has been created and clearedwith the Legal Department. Ensurethat the Legal Notice is implementedon all machines by attempting to logon o selected machines ndverifying the existence f a egalnotice.

Verify that there are o servicesrunning on the PDC that could leadto unnecessary risk and exposureyperforming the following steps:1. Open Sewer Manager.

2. Select the PDC and chooseServices. .. rom thecomputer pulldown menu.

3.Review each running service odetermine if it may compromise

the securityof the PDC.Discuss with the networkadministrator the usef Messengerand Alerter. If these services are notused, be sure that they are stopped.

Comp~anceV e ~ ~ c a t i o nTechniqMes

Review <sewer~ame>.luinlog~n.~tnd ensure theI e g a l ~ o t ~ c e ~ a ~ t i o nndLega~~ot~ceTextalues containadequate legal text.

Verify that there areo servicesrunning on the PDC that could leadto unnecessary is k and exposure, yreviewing <sewername>.

sewices.txt and ensuring thatunnecessary or insecure services arenot running.

Review <sewername>.

sewices.txt and determine if theMessenger and Alerter services arerunning. If the services are running,inquire with the companyf they arenecessary to support applications orservices runningon he server (e.g.,backup software).



g specific security”re1ated tasks andalso cont~nsrocedures

trusted system. Acco

s o ~ w ~ e i n t e ~ t y ~ e a sove orclassified info~ation.’,

fora comprehensive securitytasks must be dis~ibutedo

ulates that f ~nancia loss occurs asa esultty Act of 1987cast new urgency on c o ~ ~ u t e rec

e pe~et rator,s liable for damages. Thus, he~ ~ i n gn f o ~ a ~ i o nies with in

rm ~nvironment f coop er ~t in ~atically. Unauthorized persons

le havoc to the system.

ty, a ~usinessntity shouldesta~lish comprehensivese-e ~ i n ~om~uter se. computer security policy is a state~en t f rulesehavior of users to ensure s y s t ~ ~nd data integ~ty.

it ~anagemento security.

ont~ol hysical e~ ui~ment .

what is expected of them.



Design administrative procedures to increase security.

~egregate nd c om p ~ m e n t ~ i z eata.

Disconnect unused terminals and mass storage devices.

Never perform any task as super userhat can be performed with a lesser privilege.

Do not trust what others can alter,Require users o be on the system purposefully, on aneed-to-how” basis.

ties might include unaccounted-for programsr unexpected software behavior.

ave users report ny unusual or irresponsible activities o authorities. T ~ e s ectivi-

esides software features, d~nis tra tiveupport is essential for achieving a workablesecurity policy.When drafting a security policy, be sure to address the followin

What facilities require protection?

ich data warrant protection?

o is allowed access o the system and under what circumstances?

8 m a t permissions and protections are required to maintainecurity?

can the system security policye enforced by physical, procedural,md systemanisms?

hysical security safeguards system hardwarerom damage. It protects softw

ruption as a resultf envir~nmental onditions and assureshat unautho~zed person~e~redenied access to areas containing system equipment. Hardware includes the ~entralcessing unit (CPU), system console, terminals, andther peripherals such asdrives, and tape drives. Software includes the operating system, progrstrict physical access to areas containing system equipment by:

Using perimetercontrols, such as locked computer rooms,enced builguards at building entrances.

Using antitheft protection designedor desktop computers.

8

Issuing keys and ID badges.* Physically securing access to terminal wiring and network cables.

8 ~afeguarding ensitive or proprietary data by keeping media archived o

locked facility.

Erasing obsolete data.

8 Shredding or securely disposing of console logs or printouts.

Although practicesmay differ dependingon the type of computer involved, he p r o c e ~ u ~ a ~security policy should govern the following:

* Use of equipment and systems operation.

anagement of software and data, including the following:

8 How computer-processed information can be accessed, manipulated, antored tom ~ t a i nystem safeguards.



the system’s ife cycle.

ncluding frequencyof audit review and analysis

audit in^ should be performed by authorized sect use securityeatures suchas action c o n ~ o list

ntai~ing ystem security involves:

a system level, Unixrovi~eswo ~ n ~ sf au t ho~ ~e dom-er user. ~ndividual sers also may be granted or rest~cted

nal file p e ~ § s i o n snd accesscontrol lists.

diting of computer usageby user, systemcall,

tents and trained ints use.

levels.

rity ~e as ur esften force users to develop oopholes to maintain



s y s t e ~ ~ ~ i ~ i s t r a t i o ~s to ~ i s t r i ~ u t e

e syste

ollects v ~ i o u s y s t e ~tatistics,

r super user) at te~ptsnd i n v a l i ~ etwork

S online t e r ~ i n



The system programmer,^ tasks are:

Installs system upgrades.

Performs dump analysis.Writes programs that conform to securityriteria,

This section providesa strategic road map or setting up a secure system.ered include setting uphe system, enabling auditing, and maintaininghe system after m-plementing the security features.

1 is used to perform security-related systemadministration tasks. , window environment reserved for users with super user ca-

through. each step, focuses choices, and protects the ser fromc o ~ p t i n gritical files. It avoids in~oducing s t ~ e sr comp ro~s eshat might breach

e following security-related system ad~nistration asks can be performed

* Turning auditing on and off.

Setting the audit monitor andog parameters.

Viewing audit logs.

Viewing and modifying audit optionsor users, events,and system calls.

~ o n v e ~ i ~ go a trusted system.

ana aging user accounts.

t the following area you wisho work in:

interface and theest

The procedures presented here cover all of the tasks required to implement a secure(trusted) system.Deternine whether the following steps were followed:

lan prior to conversion.

Install the system from tape.



onvert to a secure ( t~s ted )ystem.

rior o the convers

to evaluateyouraudit logsdeter~ned?

nts of the work site i~entified?

user levels, how were the writtene work site established?

S i n f o ~ e df their se-

y risks? This is mandato~files should be exam-

ined r e ~ ~ l ~ l y ,r when a security breach s suspected. How was it d e t e ~ ~ e dhat nosecurity breaches existed beforeroceed in^ to the next section?

updated but should be installed from tape because the effective-may be co mp ro ~s edf the system files were altered.The steps

. he file system s~oulde bac d up for later recovery of user files.

m the backup media.

ed as a reference when checkin1for each product fileset ~ s t a l l e ~n the system

e onv version. After step4, proceed directly tothe conversion task thats described as follows.



ass ~or ds romhe 1 file tohe 1. 1filendeplacesheithn *,

orces all users to use

ets the audit flag on or all

files to use the ub~t ter’ sudit

efore ~ ~ i n ghe conversion program:

If the system returns h.

d string to copy the file:

Inserthese lines ifheyreot ert the subroutinethe nd of the list of calls in the section ndnhe I

this file.

To convert to a secure ( ~ s t e d )ystem:

onverted, theuser will re-

subsystem is now ready to be enabled.

The system supplies default uditi~g ~ a m e t e r st installation.activated a~tomatically, ome have to be enabled.

tem calls canb



cree

Primary log file path name

Primary log file switch size(AFS)

Auxiliary log file path name

A u x i l i ~og file switch sizeCAPS)

onitor wake-up interval

Allowable free spacem i l i i ~ u ~FSS)

trigger w ~ i n g s

5,000 kbytes

1,000 kbytes

1 minute

20%

90%

The full p a ~ n ~ ef the file set to collectaudit in^ data initially.

h size for the bac

witch point, the ~ n i m u m a ~ o u n tf filespace allowedon the file system before a

ill



ollowing is an exampleof the possible outputof the

kbytes Used ~vailable ~ a p a ~ i ~o u ~ ~ e dn

23,191 19,388 1,483 93% I

207,~67 184,224 2,3 16 99% /mnt120,942 13,374 95,473 12%. / m f l ~ ~ t

121,771 48,273 61,320 44%

hoose a file system with adequate spaceor the audit log iles. For example, usingthe system supplied defaultor the primary audit log ile would mean that:

tc file system must have more than ,000 kbytes available forthe primary audit log ile.

. t must have more than 0% of its file space available.

The following errors can occur f file system space s inadequate:

the primary audit logile resides ina file system with ess than 20 percent ileace available, the system immediately switches to the auxiliary audit logile

when auditing s invoked.

. f the file system chosenhas insufficient space o handle the indicated audit ileswitch size (i.e., 5,000kbytes), the system issues the followihave completed task. current audit file 1.

le on audit file system, speci

diting system unchanged.vide a new pathname for the auxiliary auditog file. The primarynd auxiliary au-

files should reside on separateile systems. Since each installationof Unix isnt, it is not known which file systems are available at the user’s installation.,he default situation has both the primary and auxiliary log files residing on

same file system, I .

(I These parameters can now be enabled and auditing turned on. Leave the defaultd leave the default of (y) at

he system is now ready for normal operation as secure system.

nce the system is up and ~n n in g ,ne should periodically verifyile system security and

for security breacheson a regular basis.

for each of the product filesets n-

stalled on the system tobe used as a basis for later comparison. The f files created willle-line entry or each file having the followingnfoma



mbers are isted for device

~ l ~ o r i t ~ ~ .his field reflects the

er user to ese-



fck does not produce output unless it findsdiscrepancies.

Examine the results, paying particular attentiono changes in:

* Mode permission bits.

* Owner ID and group ID.

-iscrepancies.

Use the same procedures as before to verifyile consistency for customized systems.

Create a prototype file list and run thenk 1c o ~ a n dn that list to produce a

listed files, run he fck commandusing thewill read eachentry in the file, gather the cur-

rent statistics, compare t to the baseline, and reportny discrepancies.

This section covers basic infomation on password security, system and user ile pemis-sions, and file access control usingACLs.

The password is the most important individual user identification symbol.tern authenticates auser to allow access to the system. Since they are vu1promise when used, stored,r even known, passwords muste kept secret at all times.

for password security.The security policy should e based on the followingssumptio~s:The System Security Officer and every user on the system must share responsibility

A password is assigned when a users added to he system.

* A user’s password should be changed periodically.

The system must maintain a password database.

Users must remember their passwords and keep them secret.

Users must enter their passwords at authentication time.

The ~yst em ecurity O~ l ce rerfoms the following sec~rityasks:

Assigns the initial system passwords.

aintainsroper pe~issionsnhe / files,

Assigns the initial passwords to all new users.

Establishes password aging.

Deletes or nullifies expired passwords, userS, and passwordsof users no longer l-igible to access he system.



security violations.

bserveheollowinguin c ~ o o s i n ~assw word:

t must contain t least two~ ~ h a ~ e t i caracters cm include control charac-

o nothoose a wor ifou spell it bac~w ar~ s.

I , or re~etitions f your

d words make suitable

t is a securit~ ~iolationor users to sh

atelyafterentryand storessvvord is used inCO

sists of seven fields sep-



he fields cont~inhe fo~l o~in g in f o~a t ionliste

e consistingof up o

rd field held y an

nteger less than ~0,OO~.

ser can change the encryptedc o ~ ~ a n d ,he c o ~ ~ e n tield

file, accessible onlyr ields s e p ~ a t e ~y

Thefour ieldsof theI tainhe ~ollo~ingnfor~at ionlistedin order):

ting of up o eight c ~ ~ a c t e r s

eneral use~s a ~ o tlter any fields in1.



users should construct,he system searches th

7 before creating a file. This restricts

o not leave executables where they were developed. Restrict access to executablesunder development

r m s hould be set as restrictively as possible withoutet to prevent users from writing to them. These include:

t cl . nly root shouldbe bleo ead rom

on encompass entire subsys-access to files hey protect or use, the

ility to grant access

enforces the security of all programs en-

f Unix programs areet according to the principle of least privilege,to any object based on ‘heed to knowluse” only. The number of

ize the risk of Trojan horsgrams have been changed to



Directories to which files are addedor deleted often (dynamic directories) nemission, for example:

The same guidelines or static and dynamic directories e applicable to executables,scripts, and databases (e.g.,

Access to all devices in a system is controlled by device special filesbe device independent. These files have been shipped with permissproper use andm ~ m u mecurity. If installing any other special filescommand manual entry or the

the following precautions:Since device special files cane as vulnerable o t ~ p e r i n gs any other ile, o b s e ~ e

Use only Unix-su~plied evice drivers in your kernel.driver, you invalidate the ru

Protect the memory andWsince these files contain usernfo~a t ionhat has a potentialorple, a program that watches memory or an invocation of the I

copy the password from o in'sbuffers when a user typest in.

All device files shoulde kept in d

Write-prokt alldisk special files from general users to preventn

Read-protect disk special files to prevent disclosure.

Terminal ports on Unix systems maye writable by anyone ito communicate by using theshould haveread permission.

Individual users should neverown a device file other than a t e ~ i n a lsonal printer.



e the lowestpn~ilegeev

on m ~ ag i ngser accounts, refer tohe ~ y ~ ~~ ~ i ~

work is con~dential.

e ~ s s i o no general users.seI

e accounts on, or accounta~i~itynd as-

Include the user’s ull name and a~ork-re~ated identi~ersuch as phone number) ininclude confidential info~ation,ince any-

oradirectories uch as

promote accoun~bility.

er’s account to call at-



ew user account with

auses the user to re-

s it is ~ e c e s s ~ ~o deactivccount assoon as it is es

ui~elines an be used to reactivate a user account:

to reactivate a user account.

To allow the user toet the passwor~,

chanceof system penetration, e ~ o v en account as oon as a user leaves anr-cess.To r e ~ o v en account follow these te~s:

&e a backup copy of the user’s d i r ec to~ree so that the account can be recon-



Search the systemor files owned by the user after removinghe home directory tmc-Remove reference o the user in

To remove them, ype the following commands:

Remove reference tohe user in

Remove the user’s mailboxrom /U

(1)c o ~ a n do locate all files in which he user is explicitly included inan ACL entry, as follows:

If appropriate, notify theile owner and remove he ACL entry.

referenceoheser in /U or redirectheser’smail, if ap-

A user might have accounts on other systems that one does not admi~ster. nformother systemadmi~stratorso remove the user.

Useoemoveheccount.

Moving a user account from one system to anothers trickier than t seems.

on the new system. If eitherS , the user must be reassigned aew one for the new system, and heof all of the user’s files must be changed.Do so from the user’s hom

opy the user’s files fromhe old to the ew system.

move or deactivate the user from the old system.

If ac~uiring user from a system one does not administer, or the user is moving

from a less to more secure environment, check the user’s files carefully forprograms that might com-promise security.

ecause teamsof employe * andirectories,e-ne groups of users in the . ll members of a



have sole access to

hen addinga group:

~ d ~ n ~ i a lork.

~ s s i o nits to rant or restrict access



Access control lists are a key enforcement mechanism of discret(DAC), for specifying access to objects by users and groups moretional ‘Unix mechanisms allow, based onhe user’s legitimate needor access.

ACLs offer a greater degreeof selectivity than permissionbits bowner or super user o set (permit or deny) access to individual users orAn ACL consists of sets of entries associated with a file toS combinationet

ut resentednheyntaACLs are supported for files only.

To understand the relationship between access controlists and traditional ilconsider the following file and its permissions:

-rwxr-xr- - karen adrnln dat~fii

The file owner’s grou

The file group’s permissions are-X.

The file other permissions are- -.

L, user and group IDS an be represented by narnes or ~ ~ m b e r soun

. he following special symbols can alsoe used:96 No specific user or group

Current file owner or group

When a file is created, three base access ontrol list entries are mapped from thcesspermissionbits to matchile’s ow group

Base ACL entries can be changed by the I1and

) Base ACL entry for the file’s owner

) Base ACL entry for the file’s group

ase entry or other users

(Except where noted, examples are represented in shortorm notation.ACL notation.)



358 UNlX

Granting Selective Access with Optional ACLs

Optional access control list entries contain additional access control information that the

user can set with the setacl ( 1 system call to further allow or deny file access. Up to thir-

teen additional user-group combinations can be specified. For example, the following op-

tional access control list entries can be associated with the file:(mary. admin, rwx)

(george.%,- - -)

Grant read, write, and execute access to user mary ingroup admin.

Deny any access to user george in any group.

Access Check Algorithm

ACL entries can be categorized by four levels of specificity based on their user and group

IDS. In access checking, ACL entries are compared by effective user and group IDS in thefollowing order:

(u.s, rwx)

(u.%, rwx)

(%.g, rwx)

(%.%, rwx)

Once an ACL entry is matched, only other entries at the same level of specificity are

checked. More specific entries that match take precedence over any less specific matches.

In the Berkeley model, a process might have more than one group ID, in which casemore than one (u.g, mode) or (%.g, mode) entry might apply for that process. (Seesetgroups(2) in the Unix Reference Manual.) Under these circumstances, the access

modes in all matching entries (of the same level of specificity, u.g or %.g) are mode to-

gether. Access is granted if the resulting mode bits permit. Since entries are unique, their

order in each entry type is insignificant.Because traditional Unix permission bits are mapped into ACLs as base ACL entries,

they are included in access checks. If a request is made for more than one type of access,

such as opening a file for both reading and writing, access is granted only if the process is

allowed all requested types of access. Note that access can be granted if the process has twogroups in its groups list, one of which is only allowed read access and the other is only al-lowed write access. Even if the requested access is not granted by any one entry, it may be

granted by a combination of entries as a result of the process belonging to several groups.

Specific user, specific group

Specific user, any group

Any user, specific group

Any user, any group

ACL Uniqueness

All ACL entries must be unique. For every pair of u and g values, there can be only one(u.g, mode) entry; one (u.%, mode) entry for a given value of u; one (%.g, mode) en-

try for a given value of g; and one (%.%,mode)entry for each file. Thus, an ACL can havea (23.14, mode) entry and a (23.%, mode) entry, but not two (23.14, mode) entries or

two (23.%,. mode) entries.

How to Use ACL Notation

Supported library calls and commands that manage ACLs recognize three different sym-

bolic representations:



MANA GING USER ACCOUNTS 359

operator form Used to input entire ACLs and modify existing ACLs in a syntax similar to that usedby the chmod(l1command.

Easier to read, intended primarily for output. The chaclIll command accepts thisform as input to interpret output from the IsaclIll command.

A multiline format easiest to read, but supported only for output.

short form

long form

The base AC L entries of our example file are represented in the three notations as follows:

Operator form karen.%.= rwx, %.adrnin = rx,%.% = r

Short form (karen.%,rwx) (%.admin , r-x) (%.%, r- -)

Long form rw x karen.%

r-x % .adminr- -%.%

Som e library calls and comm ands use a variant format known as ACL Patterns (described

later in this section).

Operator Form of ACLs (Input Only)

Each entry consists of a us er identifier and group identifier, followed by o ne or more op-erators and mode characters, as in the mode syntax accepted by the chmod(1) command.

M ultiple entries are separated by com mas.

u s e r . group operator mode [ operator mode] . . . , . . .

The entire ACL m ust be a single argum ent, and thus should be quoted to the she ll ifit contains spaces or special characters. Spaces are ignored except within names. A null

ACL is legitimate and means either “no access” or “no changes” depending on context.Each user or group ID may be represented by:

name Valid user or group name.

number Valid numeric ID value.

% Any user or group, as appropriate.

@ Current file owner or g roup, as app ropriate; useful for referring to a file’s u.%

and %.g base ACL entries.

An operator is required in each entry. Operators are:

=

+-

The m ode is an octal value of zero through seven or any combination of r, w, and X. A nullmode denies access if the operator is =, or represents “no change” if the operator is + or -.

M ultiple entries and mu ltiple operator-mode parts in an entry are app lied in the order

specified. If more than one entry o r operator for a user and g roup are specified, the last spec-ified entry or operator takes effect. Entries need not appear in any particular order.

Set all bits in the en try to the given mode value.

Set the indicated mode bits in the entry.Clear the indicated mode bits in the entry.



~ s e r so only r ~ a d i ~

be ~ o l l o w i ~ ~llowsuse

space.



ies arnated.Forconsistencywithoperator orm,adot (.) s used or andntifiers.

n output, no spaces are printed except in names (if any). Identifier numbe~s reprinted if no matching namesre known. Either identifier cane printed as% or 66any seror group.” The mode is always represented by three characters: (r, U, nd X) and padded

with hyphens for unset mode bits. f the ACL is read from the system, entries are orderedby specificity thenby numeric valuesof identifier parts.On input, the entireACL must bedelimited by quotation marks o retain its quality as a single argument,ince it might con-tain spaces or special characters such as parentheses. Spaces are ignored except withinnames.A ate andmeans either “noccess”rnohanges”ependingonontexdentifiersreepresentedsnperatororm. The mode ispresented by an octal value of zero through seven orny combi

dundancy does not result inrror; the last entry for any U

takes effect. Entries need not appear inny particular order.The

The following is a sampleACL as it might be printed. It allows user t:to read or executethe file while in groupccess to the file whil

to only read the file, ny 0thr usermay only read he file.

On input, he following ex

The followingets uJri ss for user bill in any group:

The following sets the entryor user 1

cl “l

The following setshe base ACL entry for the file’s owner to allow both

capabilities for other (%,%) sers:

ut. The mode appears first in a fixed-width field,bits) for easy vertical scanning. Each user and group identifier



st to least specific thenat least three entries, th

L as in an arlier ex

r- - ~.~

e library calls andc o ~ ~ ~ secos al l~wsperationson all

f o ~ l o ~ i n ~ays:



e v a ~ ~ e sfbase

This sectiondescri~eshe new ~ r o ~ r a ~ svailable tomr the detailed s~eci~cat ions ,efer to h

control list,



S Unix commands, system calls, and sub-, his section identifies issues criticalo us-h access controlists are implemented. For

the detailed specifications, refero the Unix ~ e ~ e ~ e ~ c e~ n ~ a 2or the specific entry.The general purpose commands and systemalls are:

I

dl) is executed. Usestore the p e ~ s s i o nits of ACL

hose ACL entries

match or include specificACL patterns.

h file’s p e ~ s s i o nits.indicates the existence of ACLs by displaying a+ fter

ilx does not support optional CL entries on l u5 r l

These programs copy optionalCL entries to the new files they create.

he file chive commands are:

1 Use only these progrms to selectively recover andbackup files. However,use the - option when b a c ~ n gup and recovering filesor use on systems that o notimplement ACLs.

S do not retain ACLs when archiving

The configuration ~ o n t r o ~ c o ~ a n d sre:

The c o ~ a n d sn these packages do not support ACLs.As a general practice, o not place optional ACL entrieson system software. They are not preserved across

updates.



~ccess cQ~trQ1ists use

Q ~ s i ~ e rhem hen usi

~ a n u ~ ~n ~ i e su n ~ e rhese cir



n t e ~ r e the pr e~ e~ in gisting as follows:

user (%I)rom any o

per~ssions- -)

The following section

rectory to be accessible to on1c o ~ a n ~o grant or estrict

Since both thean a ~ ~ e n e s sfow interact is ne cess^.

I c omand is a supersetof the

or e~ample, u ~ ~ o s ~ou useallow only yourselfmake an exception and llother than yourself andoously specifiedby the



CreateewACLntryllowingheser CYC in anyroup (%) chacl ‘cyc.%=rw’ nyfile

write (=rw) access to rngfil

Modify an existing ACL entry allowing all users94) n all groups(%)(+r) access tofooflle.

Modify an existing ACL entry denying all users%) n thecurite [-W)access to afile.

L entry denying user on in the mktgroup read, write,

rchaccess toolddir.

To S ecifhatyour r,who is in a d i ~ e r e n ~access to

If a directory is writ le, anyone can remove its files, ~ardless f the perS. The only way to ensure that n files can be removed fromdirectory is top e ~ s s i o nrom that directory. r ~ a s i ~ u mrotectionhis technique can

be lied to the d ~ r e c t o ~f a user accou~t.

hide the directory’s name fromouti~eiew, use a



. ist the ~ e ~ i s s i o n sn the directory.

rectory.

tools that one can useo:

mess s y s t e ~iles for ~ot~nt ial s~cur i tyis

iew s y s t e ~iles for routine security

Locate sus~iciousiles in case of securit~ r e ~ c ~ .

suspect any breach of sec

ote whichp r o ~ r ~ sse

tay vi~ilant f any



ate further any programs that appear to b

hange the pe ~ i s s i onf any unn

programs in the hierarchy, list the files returned by thefind command:

programs in system directories:

~ v i ~ whe output for the following unexpected results:

me per ~ss ion ss shown

programs are the mostignificant,

ow what that programmay be doing.

x~minehe code of all programs importedrom external sources or destructi~ero-

ow ~ ~ a c t l ~hat they do.

sword file should be perrnitted. The conver-

is leavesapotential for security breach

ord fields or fields that force

nce the system has been converted to a trusted system, periodical~y ook for pass-



ome dire~toriesho~ld not be w r e ~ o v efiles from them,To fin

‘\

me~ber se denie

files should not be r i tabley an one other t h ~se that are writable by

. ” e ~ shat theuser does not



as pre~enting nyonereadableorwritable .r

’\

readable orwritable by anyone other than its owner.files, run:

ome systems aintainn I

takes severalm o m ~ ~ t so~~,ret~rnsnode and ile ~ a m e s

listing of the ~ n ~ o ~ n t eIf decidin

cia1 file with its

I

~onsiderhis only a temporelete the file f it t~ea tensystem s e c ~ ~ t y .



ers sons, ~rocesses,or devices that cause i n ~ o ~ a t i o no flowe the s ~ s t e ~tate.Allsubjects are a



ects are passiveentities: files, directory trees, programs, bits, bytes,iisters, video displays, keyboards, clocks, printers, network nod

that contains or receives n fo~a t ionn a system. ecause access to an

cess to the information he object contains, objects re~uire ~rotect io~.objects require special attention:

oot directory.

ensitive files such asF

onfiguration files such

ublic directories.

og files.

To ensuresecurity,set U asrestrictivelyaspossibleandassignl i ~ t .or urther direction^, r

he principle of least privil requires each subject in a system o be granted only as muchprivile~e s is needed to pe authori~edasks. Users should be able to access i n f o ~ a -tion based only on a valid “needo h o w . ” These criteria help to limit daxna

accident, error, or nauthori~ed se.

ensure that individual users are held ccounta~leor heir activities online, he conver-ustedystemreatesnuditdentifiesveryserniquelyuserithveryrocess invndnix. auditingunctional-edersonnelovaluate au w ~ i c ~re actionsotentially

capable of allowing access to, generatin

tion on auditing including auditIDS,

programs have the followingh~acteristics. hese c o ~ e n t slso

) osition of the file erm mission modes.

the is set to its owner^ r



bit is set to its group,

cess with four numbers: real and effec-

with the owner to that f the object. Thee object, giving the user the ~ ~ eccess

f the process are seto that of the owner

of the file.

of the file,

bit isw e d on, the privileges of the process arec h ~ ~ e

ystem are due o operator error! owever, a system attackerprogra~s,most often in onef

rogram execute c o ~ a n d sefined by the attacker,

e data createdby a pr og ra ~.



y those values necessaryor the proper operation

t e ~ i n e dalues:

ard output, and s t a n d ~drror are

hese sa~eguardsncreas~he assurance thatsnown programs are executed in a known en-viron~ent.

me programs because too so would inhibit theirgrams have been carefullyx ~ n e dor flaws:

re t~ned hen the

er than standard input, standard output,

e envi~o n~ents passed along unchanged.

, nce ~a vi ngogged in the user has accesso virtu-

h nix has nu ~erous uilt-in software rest~ctionsgroup ~ a n a g e ~ e n t ,nd accesscon~ol),t i

r~ctionrcompro~ise f ater rial or data,

hostile program as a system program., clas-y captu~nghe person’s login and password.

query for their passwordonce logged in.



circu~vents ystem otec-

ly useful c o ~ p u t e ~roa ~ a ~ i l i t i e ~o the d e t ~ ~ e

Trojanhorses als

~ i l i t a t ~osts, and



0 Protecting passwords when using RFA.

et: to restrict outside access.

0 Denying access with I

0 ~oun t ingiles in an NFS environment.

0 Safeguarding ink-levelaccess.

An a d ~ ~ s t r a t i v eomain is a group of systems connectedby network services that allowusers to access one another without password ve~fication.An a~~ nis t ra t iv eomain as-sumes their host machine has already verified systemvices assume securitys established at he system level.ministrative domains.

d not enter a password to read anverified the password when the use

ad~nis tra tive omain.

the user to providepasistrative domain.

administrative domain.

in

A d ~ i n i s t r a t i v ~omains

' \

LA



syntax and use of this file.

the file transfer protocol seice request is received at

stricted account name must appear alone online in the fi

skips the security heck,

aintain consistent ile usage.

rovide a ean, cooperative user environment,

le-sh~ng bet nd clientystems by controlli

file. ~ n ~ i e snrovide pe~issionoountexisting on he server onto ny client machine. Once file system s put into I

ailable to anyonewho can do an NFS mount.client user can access server file system without having logged in to

and disklessclustersalsoprovide access to filesooke~p toa re-, ut do not bypass password authentication.

erver security is maintained by setting restrictive e ~ i s s i o n s n themaintained across Net System (NFS). Thus, having rootstem does not provide special access to the server.

The server performs he same p e ~ s s i o nhecking remotely or the clientas it doesr side controls access to server filesy the clientby com-

which it receives viahe network with the useroccurs within the kernel,

lient can exploit that privilegeoany file system to a node on W

granted more leniently than from yourwn node’s policy.

In earlier releasesstem for workstationadoesideonhelientisk. m now allows for theninghea-jor and rninor numbers of a cl ient-~ounted evice to exist on he server side. This opensthe possibility for someone to create a Trojan horse that overrides permissions et on the



client’s ~ o ~ n t e dserver side.

~ s s i o n s :

orother misc~ief).

and table only by root.

rovides t e c h ~ i ~ ~ e sor c

i ~ e n t i ~ ynd control andministr~tive o~ain.n each on your network are namedor cor-



at you are working onma-

e of a file system followeduters. Any entry consist-me is a file ~ystemvail-associated with specific

com uters. You can find

ists the names of computers with equivalent password files.

trative d o ~ a i ~ .

e in the a~ministrative o m ~ n . user



can be com~ared -

aintain consistency am0 in the ad~nistrative o-workingon syste sistency with system

m is remotely mounte

les are inco~sistent. heone or both f the files,

n both cases, ifou seeno ou files are consistentnd you areone.

heir correct values areom these values should

sho~ld ne~ere writableby the public.am on^ hese are:

emote hosts allowed access ~uival t to the local host

ervices name~ ~ t a ~ a s e

ist of file systems bein

rotocol n ~ eatabase



Internet configuration ile

List of networkwide groups

file defines which file systems can be exported to other systems.ave at least two fields: the firsts the name ofhe file system bein

the second and subsequent name the systems to which the file system can be exportthan two fields are present, the file system can be shipped anywhere in the world.

Verify that nofile system can be universally exported:

i

This commandxamines I removes all comment lines, removesllullines(lines containing only spacesor tabs), and then searches the ile for lines with fewer thantwo fields.

If a network security breach occurs becausef an unknown cause:

* Shut down the network and telephone access to he computer.

Inform the network administrator ~e d i a t e l y .

problem.

e Allow external access to the computer only after identifying an

A security breach can present itself in many different ways:

* Someone might report unexpected r destructive behaviorby a conlmon program.

* The user might notice a sudden increase in the system’s load averacomputer not to respond well.

e permissionsrwnershipmight be changedromwhat i sexpected.

* The byte count of any system files changes unex~ectedly.

Anything that seems to deviate from normal system behavior mightug

one suspects a security breach, such as a virus or worm, one should handle ity l i ~ t i n gtsimmediate impact.

Shut down the system.f users can be given a warning, use the moreo~lrteous hut-down command:

or

. ring the system to a sudden haltis actively corrupting the systemmight allowmore time for furthesystem load.

: nce rebooted, some systems would ask to autoboot from the ~rimary ootpath enabled. Others would return without asking, Pressny key wit~in 0 seconds



only. thin^ in t e ~ sf what wentlogin files or clues.

c o ~ ~ d s ,s desc~bedn ste

been found and

ad~isableo rein-

et have a lot to do with the Unix~eratingmore features and utilitynct ionshan an

allof these powerful features madet a secu



un: You can run the command line i at any time to see a list of inter-ces cu~en tly confi g~ednd their par

: The sending host specifies how long ( ) in seconds live. Oncee packet s discarded.

O~tions: he options that are infrequently used in datagrams follow:: list of internet addresses through which the d a t a g r ~ ust

pass.

: he nodes which the datagram passes through are n s ~ c t e doreturn their Internet address. Thus, wemay d e t e ~ n ehe route takenby a data-grans.

: he time it takes for the d a t a g r ~o pass ~oughhe nodes is re-host. This allows measurement and comp~sons f network per-

formance.

ot : hostanendhe Ia remote system's Internet Protocol is up and opmand uses this message.

Provides a login to a remote system.Providesa remote login to a remote system and asuite of commands to perform special unctionssuch as copying iles over the network.

oes remote copying f files over the network.

Executes commands on a remote system overhenetwork.

A file transfer program that provides auite of file

transfer utilities.Provides statistics that measure he load andefficiency of the network's hardware and datatransfer environments.

Examines network connectivity and efficiencyfthe network inransfe~ing ackets.

Some other commonlyused 7" applications hatprovideservices o heuser's inter-active processes are:

omain Name Services (DNS) aps IP addresses to the names assignedo the

Network File System (NFS) Allows file systems and rectories to be shared by

network devices.

various hosts on the net

outing ~nformation rotocol( ing of datagransshroughhenetwork t ~ o u g hesignated devices assigned y~nternet ddress.



he three network name services that provide the~eceding apabilities and provide

ervices m a y be in use, the

host table may still be needed to:

ide in fo ~a ti onbout impo~antosts (including tself) whenDNS or NIS is not

ing.ad~itional info~ation.

is to be connected twork, onemusthave a rangeof

d to the machine^ et Central Network ~u t h o r i t ~ .



networ~must be as

e ~ t e ~ ~ e ~e t w o r ~ .

tive: f

of the li st e~iles are security threats.



B

invoked,ooksnystem file, getshoneumber

I)

For hese systems,figured into the ker-

rvices at multiuseroot times. Whichconfiguration of the system and the

time butmay be invoked on’),ometimes called he Int

on demand, hus sav-cess completes its ex-n o invoke processes

The ~oint-to-point rotocol only startsf con~guring nfile.

The Simple Networkonly be startedf confiles are configured,

nter.net. The I n t e ~ e t n willonly start if anfile has been created.

This line printer will only start if any of the p~ntersave beenconfigured aseither print serversor clients and thus have an

file on the system.



d

le.



securityriskbecausenopassword is required o re

all takes the proper attention torotocols such as:

Never have a gateway broadcast or rebroadcast (withtside theenterprize network (i.e., on o the Internet).

S from outside your enterprise networknto your network.

irectoryccess by e ~ s u r i n ~ startedwithhergumentsf is the ame of the direct0 ins nly ownloaded files.

This preventsalicious p publiclyeadable,etet-

ensure that it is not installedby default and review the

use such as control of what kindrevent users from access in^

e accounts. Also account names presented

* Nothaveanullassword.

Trusted Access allows userso utilize the enterprise network in aay that is more conven-ient and more secure via the rl in command. If trusted access is not confi~uredor the

incommand, it will prompt users or a password, This passwords transnitted acrossthe network andmay even be on he Internet. Packets containing these passwords are rela-

tively easy o intercept and identify nd thus cancompronise the securityof the enterpriseep in nind the following:

If trusted access s set up, no pass

If trustedccess is notetp, the ds do notvenork.

Trusted Access can e set up at the host or user level or both.



c o ~ a n d s ~ i t h o u tro-can be created for users

S for users or hey can do it for themselves byin the user’s home directo~. he format is the

same as in he I

lemsssociated wi areypicallyheesult ofcause of the traffic c involve several factors:

ysical layer perform

e t ~ o r ~ n ~ard pe rfo ~an ce .

ata co ~p t i on .

tion of resources to a p ~r o p ~a t eodes and networks.

If the network a ~ p e ~ so be p e ~ o ~ noorly, any combination of themay be the cause.

a echoes.

perly t e r ~ n a t ~ dable.

etect in~ choes with a able scanner.

§mitted toa host faster thants networ~ncard can buffer the

e problemsmay also be due to overload in^ ~hysicalayer capa-



stribute a d ~ n i s ~ a t i v eccounts if the passwe same on ll machines ~ ~ i n gpassword on one machine on th

nes on the network. f my m S allowed to sethe binding

uld send the hosts a command thatcauses themserver. This person e account namesll ready

(i.e., rootp~vileges). his person cannow control the hosts.

ctionality is con~guredy the following:

le in initializing the

be tuned for better p e ~ o ~ a n c end functionality.

cord user access o objects. The resulting record can show suchS by a user to assume a levelf privilege that exceedshe user’s

and conversion to a ecure ( ~ s t e d )ystem, you are readyto

subsystem allows one to audit selected userserforming se-

(a number ranging fromto60,000)

is kept in thefile, which can only be read by super users. Whenn audited useriting) p e ~ o ~ e dy that user is traceable to the user

r such as ile deletions. Choose to auditny action

either succeeds or fails.



To simplify the selection of actions to be audited, systemgrouped together in categories calledvent types. Selectinautomatically turns auditing on for all processesn that c

diting canbe selected without selecting the event type thlected for auditing becausef their a s s ~ i a ~ o ~ith a p

Exhibit 6.5 shows the event types (andhe procbe selected for a u ~ i t i n ~ .

vent Type escri~tionf ~ct ion

Create

Delete

Log all creations f objects (files,directories, other file objects)

Log all deletionsof objects(files, directories, otherile objects)

Moddac

Nodaccess

Open

Close

Process

Remova~ l~

Login

Adrnln

Ipccreate

lpcopen

Ipcclose

lpcdgfam

uevent l,uevent2

Log all modificationsof objects’Discretionary Access Controls

Logall access ~o di ~c at i on stherthan Discretionary Access Controls

Log all openings of objects (fileopen, other objects open)

Log allclosings of objects (fileclose, other objects close)

Log all operationson processes

Log all removable media events

(mounting and unmounting events)

Log all loginsand logouts

Log all ad~inistrativendprivileged events

Log all ipccreateevents

Log all lpcopenevents

Log all ~pcclosevents

Log [PC datagram transactions

Log user-defined events

Ilnk(21, unIlnk(~1,hdc~root(2),etgroups(rename~21, ~mctl(2),

open(21, execv(2),p

close(2)

ipcfecvcn(~)

udp[71user datagram

See the following section “Streamlining u



write their ownpro~ramso streamli~eu-

system calls to sus end rocess-~ process

"I

I"



*I

"I

t*l

"l

eimehe ~ r o ~ r ~s run, r~ tur ns

efer tohe ~~~~ ~ e ~ e r e ~ c ationnoworite self-s ~ c c e s s f ~ l l ~ ,ut no a u ~ i t i n ~ecor



For each event audited, the followingnf o~ a t ions recorded in the audit log file:

ate and timeof event.

of the user generating the event.ubject (user/process).

Type of event.

uccess andlor ailure of event.

) or identificatio~authentication vents.

Name of an object introducedo or deleted from a user’s address space.

~escriptionf modifications made y the system d~nistratoro the user/system se-curity databases.

ther in fo ~a ti onelevant to he event.

All auditing datas written to an audit log file. One can specify two files to collect auditingdata, the ~ ~ m a r yog file and the option^) auxiliary log file. These files should reside ontwo different ile systems. The growth of these files (and theile systems on which they re-

side) is closelymonitored by the audit overflow monitor n ,that no audit data is lost.

proaches a predefined capacity (itstem on which it resides approachessize), the auditing subsystem issues a warning. When eiprimary log file is reached, the auditing subsystem attefile for recording audit data. If no auxiliary log file is

The primaryog file is where be collected.Whenhis file a -

hibits 6.7 and 6.8 show what happens as thisile grows.The example assumes that:

nly the p r i m ~ yudit log ile has been specified.

0 It resideson a file system withno other user filesCO

auditoghas eached 90percent of its M S si a,which is monitor-ing the statef the auditing system, issues the warning message shown to the sys

The primary auditlog has passed the first warning pointand reachedThe system attempts o switch to an auxiliary audit log file, but finding nonedicated m~ssage pe~odicallyo the system console.

In Exhibit 6.9, the primary audit log has grown past its size and reached90 per-

cent of the space allocated to it on the file system. The mess ent indicates that the au-dit file S stem is approaching capacity.

6.10, he primary og file hasreached . he message shown s sent pe-system console. f other activities on space on the file system, or the

file system chosen hasnsu~cient itch

point could be reached before the



AF

90% of Log Fileilled

Primary Audit LogFile

Message: Currentaudit ilesize is kilobytes.An a ~ e ~ p to switch to the b

S and users o audit decided?

ncy to evaluate he

nt of an overall security policy.

re the security re~uirements f the W

re the written guidelinesat bothfleet the realistic needsof the work site establi§hed?

W were all perso~el-adminis~ator§n

hat procedures weren.place to keep se

.Were all existing files on the system inspected forthe first time a secure (trusted) system s installed.ined r e g ~ l ~ l yr when a ecu~tyreach is su



A ~ e ~ p t i n ~o switch toauxiliary audit ile

ile ~y st em

S % reepace I ~emptowitch to theackup



ded since it focuses choices

or dis ~la ysudit file

~ ~ r n a r yog file pathname = .

nitor w ~ e - ~ ~nterval= 1

owable free space ~ n i r n u m

onal area win-, nd whenau-



Secure the system and performhe following steps:

. ake one of the following actions:

To turn auditingon, from the “Actions” menu9 hoose

To turn auditing08 rom the “Actions” menu, choose

You are informedby a message boxof the change you have requested. Activate

. he ‘‘User Audit Status” window now indicates the change requested.

to turn auditing on and ff when audit log file and monitor pa-hen changing audit log ile and monitor parameters, choosehe. enu item to make the changes and turn auditing onr off.

An audit flag is set to on for all existing users at initial conversion to a trusted system.o

change the selection of audited userson the systemdo the following procedure.

Secure the system and o l l ~ ~hese steps:

S of the highli~hted sers, choose one of the following

of each hi~hlighted ser will be hanged to reflect them are automatically audited.ou must enter this screen

that youdo not wish to have audict at next login. For example,



ecure the s~stemnd follow these steps:

ose one of the fol-

iting a ~ c ~ ~ u l a t e slot of data.want to view.

Follow these steps:



Use the default settings on this screen orlter them tosuit particular needs.

:t ay take a ew ~ n u t e so prepare the record for viewing when working withargeaudit logs.

The following sample record from an audit logile shows a failed attempt to openhe se-cure password file:

Users and aids:

elected the following events:

The initial lines identify in fo~a t ionor which the audit log ile was searched. Followingin t a ~ u l ~orm the record shows:

he year, month, and day (inhis case 1989,June, 20th).

ime of day (in this case 1400hours, 31 ~ n u t e s ,0 seconds).

d (in thiscase F for failed).

Event number denti~ed ith the event type (in this case 5).

Eectlve UserID (in this case 9).



ounts of data, be d iscr i~ i~at in

of all events andall usersell as a very rapid l l ~ n ~ffor the operation can helpe a w ~ ef the fo l~ ow in ~

when p r o ~ r ~ shat call auditabl

nts and users for a~di tin

Swhen ad~iniste~n



eview the audit log or unusual activities such as:

4 Late hours login.

* Login ailures.

Failed access to systemiles.

* Failed attempts to perform secu~ty-relatedasks.

ickly remove users who no longer have accesso the system.

nt overflow of the audit file by archiving daily.

e current selectable events periodically.

Revise audited users periodically.

t follow any patternr schedule for event or user selection.

. et site guidelines. Involve users nd management in d e t e ~ n i n ghese guidelines.

Auditing increases he system overhead. Whene~ormances a concern (such as inreal-time environment), the system administrator haso weigh security versus e ~ o ~ a n c e .ing selective about what events and users are auditedan help reduce the impact f audit-ing to an acceptable level.

Auditogilesreontextkless dusclients, each cluster nodeuditata. All

merged into a single auditwhen using the View Audit Files’, windify thecdf wanted. For example, type/.

Since implementing Unix securityeatures requires thatone completely install (not update)Unix pera at in^ System, one needs to back up and recover he entire file s y s t e ~ .tion provides security guidance toupple~ent ther in fo ~a ti onources and pcurity guidelines or file system manage~entasks such as:

ackup and recovery.

ounting and unmounting aile system.

For basic nst~ctions n backing up systemiles, refer to the y s t e ~~ ~ i n i ~ t r ~ t i ~~ s

1 n theUnix ~ e ~ e r e ~ c e~ i ~ e .



user error. Ensure that

retain access control listsben backing up and recove

it should be ensured that he user’s

rial. Allow access to the media only

e sure that the tapes ~ o u n t e dn the correct output device.

ars the user to coworkersy, recovery of c ~ e n tata is critical to ~~ otec t in

the ~ollowing preca~tions:

tain access controlist in -



1"- allows one to overwrite a file. owever, the file retains the pemis-Ls set when the file was backed up.

en ecovering iles romanothermachine,onemighthave to execute hen[l)command to set the user ID and group or the system on which theyow

reside if the userand group do not exist on theew system, If files are recovered to anew system that does not have he specified group, the files will take on the groupownership of the person unning Fr 1. If ownerandgroupnameshavedif-ferent meaningson different systems, recoveryesults might be unexpected.

ep the recovery system tape locked up or otherwise physically secured. Allowc-cess to the archive onlyon the basis of proven need.

Power failure should not cause file loss. ever, if someone reports a lost file afterapowerailure, look for it in /I fore restoring it frombackupape.

To verify contents of the tape being recovered, use the-Ioption of

preview the index of files on the tape. Note, howev that existing p e ~ s s i o n sf afile systemarekept intact by thebackup; fr preventsone from reading hefile if the permissions onhe file forbid it.

9 E x ~ n ehe file listing for overly ibChange attributesf warranted, using theACLs might be present. See the Un

Never recover in place an criticalstead, restore the file to

preventing anyoneelseverifying their dentities and moving them to their final destinations. Comparehe re-stored files with thoseo be replaced, to ensure that all u ~ e n tata is preserved.

any necessary changes then move the filesnto place.

If thisrecaution is notollowed,ystemfterheystemasbeen acked p nd ossiblyfterhe / le has eenhangedwould beunable to log in unless the ~ u ~ e n tnd archival files had been econci~ed.

V files in place. f one does and then trieso reboot, the system is

evice files can be recovered in /t ne must then manually create any miss-hat is on the tape and recovered tot

very sc en ~o , su ~p os ehe disk had ed and one had no way

like1 to hang and willbe unable to reboot.

to recover from their own system. A coworker might have a ~ n n i n gystem.could then roll their disk over to their coworker's

t andwi th pe~ss ionset to -.Then one could

ensure to turn auditing on.

ountin~ file system can create security problems

f not done carefully.

f the media being mounted containo~promisingiles.



-confi~uredomputer enviro~ment.

is section is intend~d oprovIsystems and disks r disk p~i t ions .

The mount c o ~ a n dses a file c ~ l ~ deir per ~s si ons . he

ut readableby others.disk:

of the file system’s root direc

trol access o disks,

drives and disks.

quests thatyou mount a ~ersonalile system.

in its desired location.

sure to unmount all mo~ntedile systems of a user W ose account you are dis-

h ~ t d o ~ ns used to halt the system in an orderly fashion for ~aintenance,nstallation,down, without adversely a~ ec t in the file s y s t e ~ , fter a

11s all u ~ e c e s s ~rocesses.

Fo~ceshe contentsof the file sy st e~ ’s1 b u ~ ~ r so be W ~ t t e ~o thec o ~ a ~ d ) .

laces the systemninistrationode,r



hutd down can also abruptly alt or reboot the system. Since it is run only rom the systemconsole by a user logged in with oot privileges, shutdown mustbe performed conscien-tiously to ~ a i n t ~ nystem security.

Observe the following security precautions when bringing down the system:

I n s t ~ c tsers to og out before starting final shutdown procedures.

hen invoking the shutdown command, set a grace periodo allow stragglers o logout and processeso complete.

lwaysuserebootorshutdown o halt the yousimplypull the plug or pushthe esetbutton, all theprocesses halt andcannotwrite hememorybufferson to the disk.

Never leave the system in the syste~-ad~nistrationS ) run level any longer thannecessary. Shutdown does not self-audit, andt turns auditing off.

Do not physically writ tect a mounted file system, since this prevents syncfrom updating he hard

Complete the shutdown before taking off-line any disk drivesr other peripherals.Donot takea disk off-line without syncing and unmounting theile system on the disk.

f the computer is halted and he last command involving outputo the file system wasnot a reboot orhutdo~n, superblock mighte corrupted. The fstk program can eused to detect superblock inconsistency.



udit

iscretion~y ccess co n ~ o l (

he auditing system monitor

means of restric

ne cess^ to p e r f o ~heir tasks.

system- define^ saturation

private c ~ ~ a c t e rtring used to ui~ e ~ t i t y .

The current file used y audata.

ven ~ a ~ ~ a g ehat s i ~ ~ l

rograms that can susce ~a in rocesses.



Trap door

Trojan horse

Trusted computingbase (TCB)

Trusted system

Virus

VVOlXl

A.program whose group is set to grant a userprivileges e~uivalento thatof the program

A program whose user D is set to rant a userprivileges equivalent o that of the

owner.A hidden softwareor hardware me ch ~i s mhatcircumvents system security.

ram c o n t ~ ~ n gdditional~nctionalityhat exploits he program’scapabilities for destructive ends.

All protectionmecha~sms ithin a computersystem (including hardware,ware, and

software) responsible or enforcpolicy. Securitye~ectivenesss

by system adminis~ativeersonnel.mechanisms and ts correct implementation

A. system that employs uf~cient ardware andsoftware security measures to allowts use forprocessing sensitive material.

Code segments hat replicate themselves ~ o u ~ ha system destructively.

A program that migrates through a system forharmful purposes.



n ~ r o ~ e n to n t r o l ea tu res

1 Checkorhe NI5 is a distributed databaseexistence of NIS with system that letsmany computer/usr/~in/~puthlch. systems share password files,

group files, and other files overthe network.

2 Review theutput of Domainnamesnd MS Serverames Domainn~ehouldeard tocommand: domalflnam~. areasyouess.uess.tanesedithISo

grab password files.

3 Review NI5 passwordllserdentificationodeshisncreasesheiskhat

filewithommand:efinednhe N I5 passwordilenauthorizedsersognohesegpcat pa5swd. have aassword.nprotectedccounts.ncehis

access is achieved, the unauthorizeduser has access o a user’sconfiguration filesand any systemprocesses owned y that user.Inaddition, the usermay then attemptto gain further accesso the systemby exploiting other weaknesses.

4 Reviewhe NZS passwordRootevel identi~cationodesreThisncreasesheiskhatfilewithheprecedingdefinedonocal ervers nd renot ad~nist rative sershaveprivileged

command ooking oranyprovideddomainwideaccess hroughaccess osystems hatarenotuserccounthatashe NI5 asswordile.equired for their job functions.UID of 0. Usershataveccessohese

systems asroothave the ability tomodify or delete systemconfiguration files, systemprocesses, and modify or deletesensitive user data files.

5 Duplicate UIDs are not permitted Duplicate UIDs increase the riskand should not exist in theI that unauthorized users will modify

password file. or delete files createdy anotheruser, and accountability is injeopardy.

6 Review thecript utput Only users who require omainwideUserswith omainwideccess mayof the gptatpassutd accessrencludednhe N I5 haverivilegeshat goeyondheircommand.oteheasswordile. job responsibilities.hey maynumber of usersistedserformnauthorizedunctions orcomparedithheuser population.Reviewthe list with the systema d ~ n i s ~ a t o rnd verifythat the level f access is

appropriate for thelisted users.



Avoid using obviousdom~nname.

The system ad~n is tratorhouldimmediately assign passwords o these

accounts, then notify each userf theirassigned password and sk hat theylog in and change their password. If nouser is associated with the userD, theuser ID should be removed from theN I5 password file.

The system administrator should removeany privileged identification codes from

The system administrator should deleteany duplicate UIDs and create newunique identification codes for eachuser. The ownershipof any files ownedby the duplicate users should be changed

to match the newly created IDs.

The system administrator should restrictusers access where appropriate yremoving users from the I5password file.



0 .

7 Review thecriptutput End users are not provided command Access to the command ine via aat p a 5 5 ~ d line accessto the Unix operating shell (the commandine inte~reter )Identify users system. increases the risk that users access

thataveccess to thenauthorized co ma nds, data, andshell (i.e., access to configurationiles.

password file. Review thelist with the systemad~nistratornd verify

that users with shell accessrequire that access or theirjob functions.

8 Review the criptoutput The use of genericuser identifica~onsurd codes is not ermitted nd no t

commandnddentifyvidentwithinheystem.generic user identificationcodes, Review the listofgeneric users with thesystem a d ~ n i s ~ a t o ro

define their useand purpose.

Generic user identification codeslimit accountability n user actionperformed while logged in asgeneric user. Evenf the system slogging allevents of the genericuser. In addition, default, generic

identi~cation ode aren o ~ a l l ytargeted by intruders atte~ptingo

gain accessto a system.

10 Review output of command: Verify hat here are no

! r ~ u p . duplicate GIDs.

'This increases the risk thatunau~orized sers will modify ordelete files created y another user.

11 Review output of Verify that only authorized and Identi~cationodes listed in

g p c a t group. of privileged groups. 0 have access to groupapprovedserodesremembersivilegedroupsuchs

writable files created nd ownedbyot user. This increases the risk

that sensitive system configurationfiles willbe changed or deleted.



In orderof eEectiveness:

1.Replace the shell located in the lastfield of the NI5 password file witha menu program.

2. Give usersa estricted shell with noaccess to cd, rm, cat, nd othersensitive commands.

The system ad~nis tr atorhoulddeactivate the generic usersndremove them from theNI5password file.

It should be investigated whether ornot allusers who currently accessthe system via the genericD can bemoved to individualI D S with a

similar env~onment.

The systemad~nistratorhould deleteany duplicate GIDs and create new uniquegroup identification codesor each group.The group ownership f any files ownedby the duplicate groups shoulde changed

to match the newly created IDs.

The system administrator should removeany user codes that do not need accessto the GID= roup.



0.

port”of 21.

is configuredon the “well-knownport”of 23.

The mailorsrntp service defined

“well-known port”of 25.

port other than the “well-knownport” increases the risk thatunauthorized users will bypass thecontrols of the routerACLs. Manypublicly available programs called“‘port scanners” will identify openports and the service to which they

are assignedon the host.

13eviewheutput of only properlyonfigurednd Many ~ r d - p ~ yoftwareackagesapprovedservicesarebeingprovided equire heability to ~ o ~ u ~ i c a t einhenonprivilegedportange.ootherhosts on thenetworkwithin(Ports greater than 1,023.)

ports increase the risk thatunauthorjzed users willgainaccessto the system.

~ .~

14 Reviewnlyalid,uthorize

file. Review the listW

a d ~ n i s ~ a t o rnd verify that alla approvedoe

with the system administrator.Verify thatallhosts are witkin theNI5 domain.

Unneeded or unauthorized hosts in

riskess

l6 nning of gives anabout the host,

including when the machine was

last booted, how muchCPU t isusing, how many disks it has, ndhow many packets have reachedt,load average, network Ira&, etc.

17 Reviewutput therovides ~ f o ~ a ~ o nnpmxding. theost.trovides infor-

mationon how busy the machine isand on login accounts an intruder canuse in an attack. b t ~ccounti ~ o r ~ a ~ o nan be used bya scanneror attacker n a brute force attack.

(Network ~ f o m a t i o nervice)contains data suchs host files, pass-word files, and mail aliasesforentire

map info~ation. n i n ~ d e r ho~ssessesheM S o ~ ~ ~ eoftensetup s a derivative of the publicdomainname) can stealnfoma-tion helpful n guessing passwordsand gaining unauthorized access.



If the FTF?Telnet, andSNTP servicesare configured on ports 0 and 21,23 and25 respectively, no ecom~endationsrequired. However, if the service s

configured onany other port, the systemad~nistratorhould reconfigure theservice on to the standard ports.

If the open ports are required, noreco~endat ions required. However,the system administrator should removeunnecessary ports from the list.

If all hosts are required, noeco~endat ionis required. However, the systema d ~ ~ s t r a t o rhould remove any

unnecessary hosts from the list.

If all hosts are required,o recommendationis required. However, the systema d ~ n i s ~ a t o rhould remove anyunnecessary hosts from the list.

Disable serviceby com ~enti ng ut therstat entry in theetc/inetd.canf file.Restart the netd process.

Disable serviceby commenting out therusers entry in theetc/inet~.canfile.

If possible a different approach shouldetaken to the distributionof this type ofinformation to servers. There are severalcommercial packages s well as manyhomegrown systems that accomplish thesetasks in a more secureway.



0 . sk

19 Review theutput of Theasswordilehouldenshadowedasswordilesshadowedanddoes not include increase the riskhat unautho~~ed

encry~ted asswords. users will attempto gain access o

Note if theecondieldheystem by r a c ~ n ~serin the file contajns passwords.“ X,*,” or an encry~ted

access is achieved theunautho~zeduser has accesso a user%configuration files,andany systemprocesses owned y that user. Inaddition, the usermay then attem~tto gain further accesso the systemby exploiting other weaknesses.

22 O f Verifyhatuplicate UlDs are not Duplicatereaseheiskw d for p e r ~ t t e ~nd do not exist in the that unautsersillodify

localasswordile.releteilesreated by anotheruser, and accoun~abi li ~s injeopardy.

23 Review the criptoutput End usersarenotprovided command Access to the command line via a

Sers system, increasesheisk thatusersccessthat haveccess to thenauthorized c o ~ a n d s ,ata, and

line ccess to the Unix operating hellthe ommandinenterpreter)

confi~urationiles.

last field of the passwordfile. Review the list withthe system ad ~i ni s~ at orandverify that users withshell access require thataccess for their job

functions.



The system administrator shouldhadowthe password file.

The systemad~nistratorhouldimmediately assign passwords to theseaccounts, then notify each userf theirassigned password and ask that they log

in and change their password.f no useris associated with the user ID, the userID should be removed from the localpassword file.

The system administrator should remove= dentification codes, except

root.Users should be required to log into theirown unprivileged identificationcodes and“su” to root.

The system administrator should deleteany duplicate UIDs and create new uniqueiden~ificationodes for each user. Theownership of any files ownedby theduplicate users should be changedomatch the newly created IDs .

~ . ~

In order of effectiveness:

1.Replace the shell locatedn the lastfield of the password file with a menuprogram.

2. Give users a restricted shell withoaccess to cd, rm, cat, and othersensitive commands.



NO.

24 Review the criptoutputof the

mm f Yneric user identification

codes. Review the listof

generic user with thesystem adminis~atorodefine theiruse andpurpose.

The useof generic user identification Generic user denti~cationodescodes is not permittedndnot limit accountabilityon user actionevident within the system. er formed while logged inas a

generic user. Evenf the system slogging allevents of the genericuser. In addition, default, generic

identification code are o ~ a l l ytargeted by intruders at tem~t in~ogain access toa system.

25 Duplicate GIDs are notpermitted and should notexist in the group file.

Duplicate G D s increase the is kthat unau~orized sers willmodify or delete files createdyanother user,and accountabilityis in jeopardy.

26 Review output oE Verifyhatnlyuthorizednd Identi~cation odesistednapproved user codes are mem privileged groups, suchof privilegedroups.uch as . have access to group wr

createdandowned by the root user.This increases the isk that sensitivesystem con ~ ~u ra t i o~iles willbechanged or deleted.



The system administrator shoulddeactivate the generic usersndremove them from the password file.

It shouldbe investigated whether or notall users who currently access the systemvia the generic ID can be moved toindividualI D S with a similar environment.

The systema d ~ n i s ~ a t o rhould

delete any duplicate GIDsandcreate new unique identi~cationcodes for each group. Theownership of any files ownedby theduplicate groups should be changedto match the newly created D s.

The system a ~ n i s ~ a t o rhouldremove any user codes that do notneed access to the ID=O group.



27 The rootpartition of a Unixost is ot access to exported filenot exported or use by any other tems may allowa privileged user

system, on a remote system unrestrin is accessohexportediles.

noteingxported.erany files on the exported filesystem.

Only authorized file systems are Unauthorized exported file systemsexported by use for other systems. being exportedmay allow users on

h o s t n ~ eor the remote systems unrestricted accessexportshatheachine to thexportediles.hesesersis elling.anhen any files

on the exported system.

29 Review theoutput of File system partitions, such asU

- .

X P O ~ ~ .erify houldbeexported ead-only.the risk that nautho~zed sers will

con~gurationiles. These changes

may lead to additional ~nauthorizedaccess ora denial of the servicesbeing provided by the system.

thexported file systems.akehangesoystem

30 Application or user filesystems should beexported with then o s ~ i ~ption.

Exporting file systems without the

that non~rivileged sers on theuldoption increases he risk

By obt ~ni ngrivilegeson thesystem the userwould be able tomodify or delete files.

31

~"Exporting to hosts without fully

that a comp ro ~s ed NS server willallow access to the exportedilesystems.

qualified domai nn~es . qualifiedamesncreasesheisk

32 GeneralW S



Finding ControlT ~ c h ~ ~ ~ e s

If a requirement existso export the ootpartition the system administrator shouldexport the file system with read-onlypermissions. However,f the file systemis not required o be exported the systemadministrator should remove the file fromthe letcl~xpartsile.

If these file systems are required,fpossible, explicitly specify each node

All exported file systems should be listedin letclexports preferably withReadaccess. If the file systems have not beenapproved, they should be removedfrom /etclexpa~s.

If the file systems required to be exportedthe system administrator shouldon~gurethe export to e read-only within theletclexparts file.

The system administrator should exportapplication or userile systems with the"nosuld"parameter.

Ensure that only fully qualified hostnamesare used n d e ~ ~ n gosts in theletc/export~ile.

Ensure that export lists do not exceed256 characters.



NO.

33 Review theoutput ofthe c o ~ ~ d :

Verify that there are noentries within this file.In addition, verify thatthere isno "+" ntry inthis file, whichwouldallow any user on anyhosts unauthenticated

access to the system.

Ensurehathere re no trusted Any entriesn this file increasehehostsithinheetwork.iskhat an unauthorizedserill

gain access to the system fromremote system withoutnter in^ a

uses could modify or delete filesand may have access o sensitiveprocesses ~ ~ i n gn the system.

34 Review theoutput of the

Verify that thesewas nofile found in the rootdirectory. ~dditionally,review the policies andprocedures surround in^these files with thesystem ad ~i ni st r~ ~o s.

The existenceof this file increasesthe risk that unauthorized users will

nintended purposes.For example, hackers who break intocomputer systems frequentlydd

easily break into the systems in thefuture.

35 Review theoutput of theTheuse and creation of .hosts ilesTheexistence of these iles ncreaseshouldnotbepermittedwithin he he isk hatunauthorizeduserswillenvironment.ainccessoserccountsnhe

system.Verify that there werenotiles foundon he system.

36 Review the ilesoutputof the individual ho5tfiles from the prior step.

The existenceof these files increasethe risk that nautho~zed sers willgain access to user accounts on the

system.



The system adminis~atorhould either

all entries from withint.

The system a d ~ ~ s ~ a t o rhould remove

The system adminis~atorhould removeall . ~ ~ s t siles locatedon the system. naddi~on,he system administrator shouldcreate acrcm job which searchesor andremoves these files on a regular basis(i.e., weekly).

Ensure thatany , ~ ~ ~ t siles that arerequired on the system contain onlyhostnames that are directly controlledwithin the same network. The systemsAdminis~atorhould remove any hoststhat do not fit this criteria.



37erify theperatingiscussithhe a ~ i ~ s t r a t o rhelderersionsrnpatchedsystemevelndpplicationndchedule of securityersions of operatingsystemsftenhostnme withheatchespgrades.aveecurityulnerabilitieshatrecommand: name -a. exploitableitheremotelyr

locally on the server.

38 Review the ervicesoutputThe FrP servicedefined is configured Many outer-basedaccesscontrolwithheommand:nhewell-knownort” of 21.istsACLs)ilter TCPflP packetscat / e t c / s e ~ ~ ~ e ~ basednheorteingccessed.netstat-a. The teln~terviceefined is Configuringheseervices onny

Anderifyf the services of 23.ort”ncreasesheiskhat

areunning ornot,nauthorizedsersillypassheespecially if hey areonThemailor srntp servicedefined is controls of the outerACLs. Manytheonstandardorts.onfigurednhewell-knownort”ubliclyvailable progrms called

of 25.portcanners”illdentifypenports and the service to which theyare assigned on the host.

configuredon he“well-knownport”portother han he“well-known

39 Review theutput ofOnlyroperlyonfigurednd Many t h i r d - p ~ ~oftware packagescat/e t c /~ e ~ i c e s approvedervicesreeingrovided require the ability to communicate

in the nonprivileged port range. to other hosts n the network within

(Ports greater than 1,023) the nonp~vileged ort range. Openports increase the risk that

unauthorized users will gain accessto the system.

40 Review theoutput of Ensure that only necessary services are The standard Unix “outf the box”the command: running on the hostut of the con~gurationeaves manycat /et~~ne~d,con~. netd daemon . unnecessary services running which

could open the serverp to denial ofservice failures as wells additionalentry or nfo~ationatheringpoints to an intruder.

41 Ensure that the fingerservice is not running.

The fingerdaemon increases the riskthat unauthorized users obtain

sensitive in fo~ at io nbout users onthe network that could enable themto gain unauthorized accesso useraccounts.



It isr e c o ~ e n d e dhat the operatingsystem be upgraded or thatllsecuritypatches be applied.

, elnet and 5 services areconfigured on ports20 and 21,23 and 25respectively, no eco~endations required.However, if the services configured onmyother port, the system d ~ n i s ~ a t o rhouldr~con~gurehe serviceon to the

standard ports.

If the open ports are required, nor e c o ~ e n d a ~ o ns required. However, thesystem a ~ i n i s ~ a t o rhould removeunnecessary ports from he list, and adddefinitions for needed ones to e t c / s e ~ ~ ~ e 5 .

Limit the number f services that are~ n n i n gn the server to those that are

secure r~~lacemen ts.any services have more

The systemadminis~atorhouldremove the finger ernon on from

the system start-up files or



0. st

42 Ensurehattrivial file Use ofttransferroeenisablednauthor is runningithheecureption.cross if

the/et edAIX flags:crossheet, a userould run a

cracker p r o g r ~n the password-1 Logs the IPaddress of thecalling ile and obtainunauthorizedmachineithrroressages.asswords.

-n Allows the remote user to createfiles onyour machine.

-r Attempts to convert thethe appropriate host name before itog smessages.This flag must be used withthe -l Rag or the-v flag.

-S Turns on soc~et-levelebug gin^.

-v Logs information messageswhen anyfile is successfully transferred y thetftpd daemon.This logging keeps trackof who is remotely ans sf erring files toandfrom the system with theftpd d

43 Review output of This is potentially ancommand: TFTP reads throughcat /etc/tftpac ce~ ~.c tl that start with l lou:

trol lines are ignored. If thaccess is allowed.

The allowed directories and files minusthe denied directories and files can beaccessed.

For example, the lusr directorymight be allowed and the u~r/uc~directory mightbe denied.This meansthat any directory or filen the lusrdirectory, except the/u~r/uc~irectory,can be accessed. The entries in the filemust be absolute athn~es.



s y s t e ~ a d ~ n i s ~ a t o rhould removet

restricts its use to a specific directory.

reco~nizehe existen~ef the file and allowsaccess to the entire system.

absolute ~a t h n a ~ e .t seaches the

const~ctedy adding the next om~onentfrom the file pa thn a~e. he Ionmatched is the one allowed.t then does thesame with denied names, t ~ t i n ~ith thelongest allowed pathname a t c h e ~ .

For example,f the file ~ a ~ n a l n eere I

be allowed.

one de~ ie d atch st ~ t i n g ith I

and also contained

allowed namesare searched irst.



0 . st Risk

eview theoutput of theTheuse of the FTP (file ransferWithout heexistence of thecommand:atetclftpusersrotocol)houldeestricted. /etc/ftpusers file any useristednto review thetpccesshe /e t c/p a s s ~~ileanransferrestrictions.iles

increases the risk that unauthorizedfiles are transferred across thenetwork.

iew theaboveoutput.System dentificationcodes houldSystemuserswhoarenot isted in

Noteheystemserseestrictedromsing F T P , the /e tc /~~usersileanransferinclu~edwithint.eviewilescrosshetheistithhea ~ ~ n i s t r a t o ro determineilesreransferredcrosshewhich systemsers

46 Review the boveoutput.Users whodo nots ~ e c i ~ c ~ l l yequire useofP hould be identified

and restricted from using

system administrator tod e t e ~ n e hich users

End users not listed in the/e tc /~p~sersile can transfer filesacross the network. This increasesthe risk that unauthorized files aretransferred across the network.

unauthorized users delete or modifyconfigurationilesuch as theseiles.

of the systembut arenot writableby anyuser other thanoot.

writableonlyby root. theseiles,ncludingilesreated byother users.



The systema d ~ n i s ~ a t o rhould create thei-5file and ata m i ~ m umhe

following identification codes should beincluded: This includes the root account,any guest accounts, uucp accounts, accountswith restricted shell, nd any other accountwhich should not be copying files acrossthe network.

The systema d ~ n i s ~ a t o rhould include the

following system users in thee t ~ f t ~ ~file: root, bin, uucp, nuucp, sync, hpdb,ndsys aswell as other systemds.

The system adminis~atorhould include thefollowing users in theany guest accounts, accounts with restrictedshells, an d any other account which shouldnot be copying filescross he network.

The systema d ~ n i s ~ a t o rhould reduce thepermission settingson these files o bewritable onlyby root.

The systemad~nistratorhould reducethe permission settings n these files o

~-

The systemadminis~atorhould reducethe permission settings on these fileso

be writeable only yroot.



0. st ~ontrol ~ j e c t i v e sk

50 Review theoutput of the X11-based softwarehasbeenconfiguredUnsecured X Windows accesscommands: xhort and in a securemanneryxplicitlyllows an unauthorizedndividualo

tC/X~.hO~t~ a l lowingccess to onlyhoseapturesereystrokes to obtainew Xll-basedddressesnheetworkhatogin IDS ndasswords.n

settings.equireccess.ddition, annauthorizedserouldissue keystrokesas f the user on the

the entireX screen to a emoteco~ put er n the network.

51 Review theutput of the SUlD filesreuthorized,nventoried.ileshatncreaseheiskthathe U ngheilewillescape to a shell. Once at the shellprompt, the user would retain thesame accessas the actual owner fthe file.

52 Reviewheutput of theApplicationnd serileshould This increasesheiskhatcommand: find notritable byny usertherhannauthorizedsersmodifyrelete

rm -2 I -type I -print. owner. these files.

Review the list with thesystem adm~s tratoroidentify any files that areproprietary, sensitive, or

confidential.

53 Review theoutput of theTheuse of scriptsor eference ilesTheexistence of reference ilesorc o ~ a n d :ind l c ~ n t a i ~ n gnencryptedasswordscriptsithnencryptedasswords-name.netrcprint. shouldot be permittedwithinncreasesheiskhatnauthorized

Review theilesutput by identificationodes on theystem.this command.

thenvironment.sersillainccessoser

54 Review theoutput of theUser ilecreationdefaultsettingsare Improperly setting the mas^com~ands:at letclprofile configured to restrict write access to vhable in the user’s profile,

and the ilesoutputby: iles by otherusers. .loginor .chsrcfile increases thefind l -namE! .profile- risk that unauthori~ed sers willprint modify or delete files createdy

print

findl name.cshrc-printfindl name ttashrc-print

other users.



The systema d ~ n i s ~ a t o rhould executethe command:xhost -.

Other security steps include:l.~pecifyi~gndividual computers that are

permitted to access the -Windows server.2. Protecting the command host by making

the ownerrootand giving t the permissionsof 700, this will allowead, curite, and

secure manner.Do not execute thenoauth

command when starting the windows.4. If ~ ~ i n ghe NIT X server use

IC-CO~~IEy entering the followingcommand:

The systema d ~ n i s ~ a t o rhould verify thatthese files are propernd needed for thefunctioning of the system, reducingpe~issions here possible, Additionally,the systemadminis~atorhould createastatic inventory list f the remaining files

and create a cron ob that searches or andreports any newly created SUlD files on aregular basis (i.e. weekly).

The system a d ~ n i s ~ a t o rhould reducethe pe ~i ss io nettings on these fileswhere possible.

The systema d ~ n i s ~ a t o rhould removetrc files located on the system. In

addition, the system d ~ n i s ~ a t o rhouldcreate a cron ob that searches for andremoves these files on egular basis(i.e., weekly).

The system a d ~ ~ s ~ a t o rhould correctany problems notedby changing the

umask command in the.login, .cr;hrc,or.profile script file or these users to 027.This results in the following access tonyfiles createdby the user: Owner:read,

write, @xecut@: roup: rWorld: no access.



0 . it Test

55 Review theoutput of the Users are restricted from exiting Improperly set traps allow users to

preceding commands. start-up scripts prior to their completion.reak out of login shells or scriptsand access the o~mandine. Oncecommand line access s achievedusers can read sensitivecon~gurationiles and attemptogain urther system privileges.

56 Review theutput of theblesonfiguredpreceding commands.

bogus IS program could be executed.

57 Review the of theUsersreequired to lognsS: unprivilegedsersromvery

terminalxceptheonsole.ost on the networ~,ncludingPCsincreases the risk that an

t a te t c / ~ e f ~ u l ~ l o ~ ~ ~ unauthorizedserillainHPUX: privilegedccessoheystem.cat / ~ t ~ / 5 ~ t u r ~ t t ~ .

58 Review theoutput of the Onlyknown RPCprograms hould beUnkaownorunauthorizedc o ~ a n d :pci~fop. running on TCPandUDPports.

Verifyhat al l RPC unauthorizedsersillainccessprogramsrepriate.



s

e system ~ d ~ i n i s ~ a t o rhould correct

The system a d ~ n i s ~ a t o rhould c o n s ~ c tvariable so that directories are

(if neede~).t no time should a world w~ ta hl e

directory he included in any user

Proper setup should include:the opera tin^ system the method to securethis function will vary.For those systems otspecified the control must be placed in the

individu~l ser’s profile.

file, only the console entry

e script output f th

has been un co ~m ~n te d.

eview the script output of th

the file.

e s y s t e ~d~inistrator sableany u n ~ o w nr unaut~oriz

rams ~ n n i n ~n the system.



0 . t sk

59 Reviewheutput of thelletworknterfacesrehisncreasesheiskhat a

commands:onfiguredppropriatelyi.e.,etworkniffer is activerouldepromiscuousmode is notenabled),activated by anunauthorizeduser.

Verify that all networkaddress co n~ g~ at io nsreappropriate.

60 Rev~ewhe utput of theEnsureetwork traffk is properlymproperlyoutedetworkrafficc o ~ a n d : r o u t e dhroughheorporate mayllownauthorizedsers to

view the network traffic.

Verify that all routesare appropriate.

61 of thenlyuthorizedostshould benknownostsnheetworkavailable to communicate nhencreasesheiskhat nauthorized

Verifyhatllostsreetwork.sersillainccessoheystem.appro~riate.

6 eutput of thensurehatsers who access root Usersccessingootavehebilityhave hat access ogged and hat he to modify or delete any file on he

m / ~ u l o ~og is reviewedn a regularasis.ystem.with theAdm~istratoroensure that only authorizedusers are accessing oot.

63 Review the utput of theTheystem is restarted nly when Unauthorizedystemestarts mayindicate an unauthorized user

policy of systemestarts,ttemptingoainrivilegedccessnote any discrepancies.rhateriousonfigurationr

application problem exists.

64 Review heoutput of theEnsure hat here is adequate ogging nsufficient oggingwill esult n a

c o ~ ~ ~ d : of systemctivities.ack ofn auditrailnhevent ofan unau~orized ccess. With goodlogging and monitoringAdmi~strators re often given earlywarnings for hardware and softwareerrors or problems.

65 Review theoutput of theEnsurehathe orrectnameserversThewrongnformation ouldanddomainnamearebeingused on substantially slowdownmanytheachine.etworkequestsfeverseookups

are used.



Finding

The system administrator should reconfigureany network interface that has been~ s c o n ~ g u r e d .

The system administrator should work withthe network group (or administrator) toconfigure the network routing appropriately.

The system administrator should investigateand remove any unknown and unauthorizedhosts on the network.

The system administrator should change theroot password and ensure that onlyauthorized users receivet.

The system administrator should review thesystem messages on a regular basis andinvestigate any unplanned system restarts.

The administrator shouldeview the systemlog messageson an active basis with alertsbeing sentoff if there are problems.

Ensure that theON5 ookup inf o~ at io nin /etc/resolv,conf is correct.



at

at



etting more than one computerbuil~ing lock function y transpo~in

(~icrochannel c ~ t e c ~ eus-based on the originalBM’s P52)S (~c~itectureor the ~acintosh)



I~nshieldedwistedair Low Easy if inside walls, outside

walls, around corners

band wid^ capacity:amount of info~at ionhatcan be~ a n s ~ t t e dt thesame time

Fiberoptic High DifIicult tr ans~ss ionf wire is

broke-no ~ ~ s ~ s s i o n

I

(ii) Satellite

1 5Infrared-la se^

(i) Pointooint Very highifficult

(ii) Highower,ingleighfrequency

" "Diffcult

(iii)Spreadpectrumoderate



~ a ~ a c i t y

10 Mbps 30 nodeserow,hereforeong-oderateulnerabilitysegment of cableistanceransmission

Up to 10Mbps;an 2 nodeseregmentigh,hereforehort-igh vulner~bilitygo to 155bpsi.e., 2 connections,i s tance ~ans~ssion

one at each endfcable, point o point)

l Mbpspo55 2 nodeseregment,igh,hereforehort-oderateulnerabilityMbpspointont trans~ssion

hub)

Resistance to traffic nthe network. Highattenuation means owdistances, lowattenuation means longdistances

EM1 (interference):noise gets in or~ o ~ ~ o nniEedout

Up to2 Gbps Point to point2 Low, therefore logon Not vulnerable to(typically 100 Mbps nodes per segment) distance uph2 km sniffing, good for

1-10bpse.g., 2 nodesbetween two largebuildings)

Dependson tmosphericHigh vulnerabilityconditions (e.g.,~ ~ d e ~ t o ~ )

1-10bps,arger 2 nodes

distances

Depends on Highulnerability

atmospheric conditions

Applicationepends on lightulnerability = , onlydependentualityffected by intense

light vulnerable ointerception.

Lesshan 1Mbpspplicationepends on lightulnerability = , onlydependentualityndurityffectedyntenseight

vulnerable to interception.

1-10 Mbps

1-10 Mbps

2-43Mbpssecure than (i)r (ii)above



he second building block g is interoperability.co~passeshe ability to e tion on between siS stems. The most well- ability solution is the In

er ability solution is

e t e ~ i n eow much thought was put intohe esign of the netwoselected and how?

The first networks were ti~e-sharing etworks that used~ainframes nuch environments were ~plemented y both

cess shared esour~esuch as file servers.

is an interconnected groupof systems that coversa single geograp~cocation orS areypicallyused for data ervices an voice. ~xamples f solutions

include:

ernet (10, 100,1000

de rea etworks ( S) interconnected L

r media), thereby inter~onnectin ~ogra ~h icall y ~i sp erse ~sers.

ation system that interconnectsS are ty~ically sed for voice, d

tions include:

elay



e

* TI,T3

Today, high-speedLANs and switched internetworks are becoming widelyscause they operate at very high speeds and support such high-b~dwi

voice and videoconferencing.Internetwor~ngvolved as a solution to threeey problems:

. solatedLANs

.Duplication of resources

. ack of network management

Isolated LANs made electronic c o ~u n i c a t i o netween different offices orimpossible. Duplicationof resources meant that the same hardwarsupplied toeach office or department, as did a separate supporttmanagement meant that o centralized methodof managing andexisted.

Implementing a functional internetworks no simple tially in the areas of connectivity, reliability, networkarea is key in establishing an efficient and effectiventReliable comm~cati ons the first consideration

ious systems is to support co~un ica t i on etween disparate technofor example, may use different typesf media, or

Another essential consideration, reliableework. Individual users andntire or g~ za ti on sepenwork resources.

ana age ability is the ability to manage and O

see the conditions as they work. u~ermore , etworkized support and troubleshooting capabilities in anntpe~ormance, nd other issues must be adequately a

tion smoothly.Flexibility, the final concern, is necessary fo

tions and services among ther factors.

Large networks typically are organized as hierarchies.such advantages as ase of management, flexibility, ndThus, the~ t e ~ a t i o n a l ~ r g ~ z a t i o nor Standardization

rninology conventionsor addressing network entities.tion include end systemES), intermediate system (IS

An ES is a network device that does not performtions.The typicalES includes such devices as termin

An IS is a network device that performs routiThe typical IS includes such devices as routers, swiworks exist: intradomain S and in terdom~nS.



454 NETWORKS

An intradomain IS communicates within a single autonomous system.

An interdomain IS communicates within and between autonomous systems.

An area is a logical group of network segments and their attached devices. Areas aresubdivisions of autonomous systems.

An AS is a collection of networks under a common administration that share a com-mon routing strategy. Autonomous systems are subdivided into areas, and an AS is some-times called a domain.

Networking is a complex endeavor, and breaking it into digestible pieces is why a lay-ered network model was developed. The OSI model enables the network to be broken downinto logical layers (i.e., the seven layers), which ideally specifies and groups the functions

that need to be performed at each layer. These functions within each layer are further bro-ken down into tasks.

The layered network task model facilitates specialization by the age-old concept ofdivision of labor, and this in turn enhances simplicity and increases standardization, which

further helps competition and drives costs down. More importantly, this layered approachfacilitates intervendor product interoperability. Now one can determine what products arein use and how much interoperability is taking place.

OSI MODEL

OSI (Open Systems Interconnection) is a standard description or reference model for how

messages should be transmitted between any two points in a telecommunications network.Its purpose is to guide product implementors so that their products will consistently work

with other products. The reference model defines seven layers of functions that take placeat each end of a communication. Although OSI is not always strictly adhered to in terms ofkeeping related functions together in a well-defined layer, many, if not most, products in-

volved in telecommunication make an attempt to describe themselves in relation to the OSImodel. It is also valuable as a single reference view of communication that furnishes every-

one a common ground for education and discussion.Developed by representatives of major computer and telecommunications compa-

nies in 1983, OSI was originally intended to be a detailed specification of interfaces. In-

stead, the committee decided to establish a common reference model for which others

could develop detailed interfaces that in turn could become standards. OSI was officiallyadopted as an international standard by the ISO. Currently, it is Recommendation X.200of the ITU-TS.

The ITU-T (for Telecommunication Standardization Sector of the International

Telecommunications Union) is the primary international body for fostering cooperativestandards for telecommunications equipment and systems. It was formerly known as the

CCITT. It is located in Geneva, Switzerland.The V Series Recommendations from the ITU-TSare summarized below. They in-

clude the most commonly used modem standards and other telephone network stan-

dards. Prior to the ITU-T standards, the American Telephone and Telegraph Companyand the Bell System offered its own standards (Bell 103 and Bell 212A) at very low

transfer rates. Another set of standards, the Microcom Networking Protocol, or MNPClass 1 through Class 10 (there is no Class 8), has gained some currency, but the devel-opment of an international set of standards means these will most likely prevail and con-tinue to be extended.



OSI MODEL

The V Series Recommendations from the ITU-TS

455

Standardv.22

V.22bis

V.32V.32bis

V.32terbo

v.34

V.34bis

v.35

V.42

V.90

Meaning

Provides 1200 bits per second at 600 baud (state changes per second)

The first true world standard, it allows 2400 bits per second a t 600 baud

Provides 4800 and 9600 bits per second at 2400 baudProvides 14,400 bits per second or fallback to 12,00 0,960 0,72 00, and 4800bits per second

Provides 19,200 bits per second or fallback to 12,00 0,960 0,72 00, and 4800bits per second ; can operate at higher data rates with compression; was not a

CCITTDTU standard

Provides 28,800 bits per second or fallback to 24,000 and 19,200 bits per

second and backward com patibility w ith V.32 and V.32bis

Provides up to 33,600 bits per second o r fallback to 31,200 o r V.34 transferrates

Th e trunk interface between a network access device and a packet networkat data rates greater than 19.2 Kbps. V.35 may use the bandw idths of

several telephone circuits as a group. The re are V.35 G ender C hangers and

Adapters.

Sam e transfer rate as V.32, V.32bis, and other standards but w ith better errorcorrection and therefore more reliable

Provides up to 56,000 bits per second downstream (but in practice somew hat

less). Derived from the x2 technology of 3C om (US Robotics) and Rockw ell’s

K56flex technology.

An industry standard, Integrated Services Digital Network (ISDN) uses digitally encoded

methods on phone lines to provide transfer rates up to 128,000bits per second. Anothertechnology, Digital Subscriber Line, provides even faster transfer rates.

The main idea in OSI is that the process of communication between two end

points in a telecommunications network can be divided into layers, with each layeradding its own set of specially related functions. Each communicating user or program

is at a computer equipped with these seven layers of function. So, in a given messagebetween users, there will be a flow of data through each layer at one end down throughthe layers in that computer and, at the other end, when the message arrives, anotherflow of data up through the layers in the receiving computer and ultimately to the end

user or program. T he actual programming and hardware that furnishes these seven lay-ers of function is usually a comb ination of the computer op erating sy stem, applications(such as the Web browser), TCPIIP or alternative transport and netw ork protocols, an d

the software and hardware that en able a signal to be put on one of the lines attached tothe computer.

OSI divides a telecommunications network into seven layers. The layers are in twogroups. The upper four layers are used whenever a message passes from or to a user. Thelower three layers (up to the network layer) are used when any message passes through thehost computer. Messages intended for this computer pass to the upper layers. Messages

destined fo r som e other host are not passed up to the upper layers but are forwarded to an-other host.



7 A~~iic~tionayer

~resentati~n

a field of the layer below it. This eon-be split up into multiple s ~ a l l e rec-

the network, and he destination

sical Layer,which consistsof the h ~ d wat echmical level. It

ivi

ng and syn ~hr oni ~~t ion

s ~ s s i o nistm



V35 The trunk in te ~aceetween a network access device and a packet network at

data rates greater than 19.2 PS. V35 may use the bandwidths of severaltelephone circuits as a group.There are V.35 Gender Changers and Adapters.

(ISDN), there are two levelsf serviced for the home and small enterprise, and the Prim

r larger users. Both ratesnclude a number ofa rry data, voice, and other services.heD channel carries con-

64-Kb s B channels and one 16-Kbps D

service. The PR1 consists of 2es or 30 B channels and 1D ch

Rate usage in a cityike Kingston, New York, s about $125for phone company installation,~ 3 0 0or the ISDN adapter, and anxtra $20 a month or aline that supports ISDN.

ed Serial Interface (HSSI) s a TEDCE interface developedby Cisco Syus Networ~ngo address the n for high-speed c o ~ u n ic a t i o nver ~

I specification s available to any organSS1 is now in the * anNationalStandard

0.2 cormnittee for formal stand~diza timoved into the ITU-T (formerly the Consultative ~ommitteeor Inte ~at i o~a l~legraph

ne[GCITT])and the IS0 and is expected to dardized by thesebodies.definesboth the electrical and the physical CE inte~aces.t therefore

c o ~ e s ~ o n d so the Physical Layer f the OS1 reference model. HSSI technical characteris-tics are summarized below.

~ a x i m umignaling rate

~ ~ i m u mable length

Number of connector pins

Interface

Electrical technology

Typical power consumption

Topology

Cable type

~ a l ~ e

52 &%bps

50 feet

50

D'IB-DCE

Differential ECL

610 mW

Point to point

Shielded twisted pair wire



rror ~o di ~ ca t i onend s t ~ t i o ~ s )

in today’s r e ~ l - ~ o r l det-

a y ~ r ~and 2 c o m ~ i n ~ d



low control~ontrols info~at ion

o ~ r ~n the ne twor~ omputer to use the

in which multiple data channels are combined into a single dataultiplexing canbe imp mented at any of the

lexing is the process of separati multiple~eddata chle of multiplex in^ is when d from ~ul t ip le p~lications is

er-layer data packetcombined into a sin

a ~ultiplexer).es multiple data streams intoemultiple~he channels intothe use of the andw width of

traffic sources. ome meth-

y a calculation that s

. irst, the source device



+ ranspo~. he upper-l

This layer sets up, coordinates, andtween the applicationst each end. It

S tasks associated withstablistation Layer (Layer ) entities.

mat~on ~rotocol),hich coordinates

This is a layer, usuallypart of andata from one presentation fodow with the newlyLayer handles tasks associat

task items i ~ c l u ~ e :

ata representation o

)

ata co~pressio~deco~pression

ata encryption and deencry tion o~municationS

This is the layer at whichc o ~ u n i cer authentication and p~vacyre

tified. (This ayer is not the applicalication Layer functions.)

lication Layer is thethe ~ e t w o r ~esource

~ ~ e n t i f y i ~ ~ommunication

e t e ~ i n i n ~esou~ces vailabley n c h r o n i z i ~ ~ c o ~ m u ~ i c a t i o ~



S

e

10Base 7 :

10BaseF 10Mbs

S0 m s

30Base 5 S0Mbs

10Base T- E ~ e ~ e t etwork

Star

us

Bus

UTI?

Fibero~tic

50-ohm thin coax

50-hm hin coax



tokeningetwork is a ocalllomputersreonnectedna ing or star topology andbinary digit- orthe collision f data between two computers

stand~d versio~,pecified as

a ransfer rates of either 4 or

n frames are onti~uous~yirculated on theing,has a message to send, it inserts a token in an emptychanging a 0 to a 1 in the tokenbitpart of the frame) agend a destina-tion identifier in the frame.

The frame s then examinedby each successive workstation.f the workstation seesthat it is the destinati it copieshemessage from the frame andhangesthe token back to0.

terfaceshave a p t

tolerance, and the usef ~beroptics.

de area networkec~ol og ie s onsist of two ty



stics



serial links,

), etw work Control

eci~cationsnclude:

ee cells.

103\&D

ala Link l~entifieror er~anent irtual Circuits (PVC)



e

= e r~ i n

1 =Term

I



The basic i n t e ~ ~ t ~ o r ~ n ~evices are:

router § ~~ c i~ c a ti o n§re:

7 an



S

Y

103and 10

ress ort etric

210,157.64.1 1

210.1~7.64.2 2

210.157.64.3 3

10

10

10



\

Layer 1-

Layer 2- tru



owest level ofaccess

o ~ p l e t ec~esso all c o ~ a n d snd con ~~u rat ion

for router buffer pools.

-Shows all selected interface nfor-~ a t i o ~ .

* ~ o n ~ g u r ~ ~ i o negistervalue:

~on~gurat ion re~isters

Visible in resultsof 66show version” inprivilege^ mode



ayers 3 and 4 sensiti~ity



11.

t a

of t



Stop connections thatdo

moment at he need forument that details an eup a rew wall withouta

The best approach s usuall~ combination of allfour.

here arecores of threats on the inte a fewf themore insidio~srob-lems that a firewall will attempt to fix:

ort service. There are

i I has often been the hacker’s choice of entry (via its securitytion that han~les ll



c o n ~o l connection ed on the source and estination d-used in that ession, acket-~lter r e w ~ lwhich is one of

one that inspects each

ssion d e s o grantora second destination ad

l, but it makes up or that int have to do any thin^ special,fined as accepting traffic, the

rough. This also means thate port number could pass through the firewall.

the “’state’,and “context” of the user’s request so that when the data are returned via thefirewall, it is able to verify whetheror not the data was speci~callyequested.spection attempts to track open, valid connection without the need to process a rule foreach packet.

enerally less expensive



ort user authentication

tically hide netwo

b, Java, andoon)

n a ~l te rsnvironm~nt such as

time of day accesscontrol

rect connectio~etween i n t e ~ a ~nd ~xternal

enerally offers higher levelof secu~ty

reat deal of c u s t o ~ z ~ t i omands, protocols,orservices

rect connection betwe

d user authentication

an automatically hide network and system addressesrom public view

ble to provide ime of day accesscontrol

enerally more complex



e wants to use throughhe fi re~ all

bandwidth canbe a tati ion

ore secure than stan

plication level attack

system addresses from

11vendor would make suchr h ~ l e n ~ eoes not prove

t have a baseline testingnot mean that no roblems xist. And

would not wanto ~ublicizehe security vul-want the vendor to ship a defective product

awards that the firewall vendor has. Even

Show9’ award, hat does not neces s~ lyt for an organi~ation,

ecision about thea~~ropr ia teirewall is with a security audit.Azation9s nternal security staff,or an external staE, p e ~ o ~ n g



had the p~vilegeso dothe need to connect macwhat it was originally ~ e a n to be.

isk ordata~aseile

lowing securityproble~s:

es stealing the supe

quires sup e~s er rit ~ o ~ ~ ~ o u the netwretaliation.

a sec ~reevelby lixni-

These software and hardware barriers standetw wee^ the private ~ t e ~ ~ letwork and

its connection to the outside worl such as then te~e t .he ~ ~ e w a l l ~ ~ o v i d e sn extra layerof protectio~nd regulates andcontrols co ~un icat ion .



ow do users who have an internet connection ensure that tr c between their net-d the outside worlds secure and controlled? If one can tolerate the restrictionsm-

posed with this typeof connection, use it to reduce the eronment.

Numerous options are availableor co~ecting personal modem on an existing network.Theseptionsncludenalog, I ous flavors of digital subscriber lines-

n a robust firewall? Cable modems,or exmple, use a fixed,-allocated address range nomore about network security

resources, such as personaliles, are available or public consumption.

hat about the browser? Hackers spendispropo~ioucts like terne et Explorer ( ).There are a numberoand malicious Web sites to sh the browser orworNavigator is safe either.

ny problems by steering clear f,nd ActiveX unless absolutely

the browser version that uppo~strong enc)whenever personal nfo~ations sent.

Leased line networks and remote access ~uipment ave been replaced n favor of virtualprivate networksVPNs) offering substantial n~rast~cturend suppo~inenable secure private o~unica t ions ,mplement the following:

* Authentication

Enc~ption

Key management technologies

ecause these technologies are not~battle-hardened~9will remainso until the emerging protocols, standards, and products mature.

Three criticalVPN components are:

e Security (access control, authentication9 nd enc~ption)

. raffic management (making ure that critical applications are delivered reliably andwith the highest possiblep e ~ o ~ a n c e )

. olicy-based network management (the ability to manage the entire network fromone central console to one easy-to-install turnkey solution).

ow does one stay familiar withhe latest viruses and fixes as well as other security issueb sites such as www.ce~.org r www.NTSecurity.net? The enemy is likely more ex-

perienced, but aittle prevention can o a longway. Often the technology,ike firewalls that



ess have not been



process that also offers the opportunity to qualifyr authenticate the request or matcht to a

previousequest. NAT alsoonserves o addresseshat a companyneeds and lets the company usesing1

NAT is included aspart of a rou is often part of a CO

ad~nis tra tors reate a NAT table that does the global-to-local and ocaldress mapping.NAT can alsobe used in conjunction with policy routiically defined, r it can be setp to dy na ~c al lyranslate from and to a O

allows internal internet addresses or internet protocols to be hifirewall will appear to have been sentrom the ~ e w ~ ' sxternal ad-ender invisible to the internet, which makest d i~ cu l tor hackers o

track down the network ~ o ~ a t i o nnd addresses required.Statefix1 inspection is the most sophisticated technology availab

around this technology interrogate the packets based on source, destco~un ica t i onsort. Is stateful inspection tec

based on source, destination, protocol,oesheesignrovideothouterndrations?Theouteretup is

most c o ~ o nor c o ~ e r c i a lirewalls that receivepacket, comparet to the rules defined,and either permit r deny access to another network. This scenario oftenequ~eseveral net-work changes including managing static routing tables,nd it can make t an easy targetorhackers. To address these issues, the firewallas built on top of s e c ~ eperating system.

Another signi~cantequirement is monitoritools is incre~iblymportant to reacting o a

three crucial~uestions:

hat is being detected?

ow quickly can t be detected?

ow often is the detection tool updated?

Even with detection, few ~ompaniesave idea what to do if

has become c o ~ o nnowledge that most do veryittle, except perhapcurity system. Few companies legally pursue hackers according to inThus, there have tobe procedures available to react to breach even if it will not be pur-sued legally.

The critical security tasks include network protocol analysis and security andetwor~ an-agement solutions.

These tasks should be followed during all sta es of network development and sefrom planning nd design to mple~entation nd ongoing management. They include:

per at ion^ tasks

oftware distributions

Event alerts

System monitorsof Total Virus Defense from within theT env~onment



e they reside on the system witho ~ n e r sf the a~ ~~i ca t io nsndusers,



locking distributionof viruses, spam, and ther inappropriate message content.

E-mail can ow be used to i s~bu t eonfidential or inapprop~atenfocan raise a numberf serious legalssue Can di~e rentilters be applied toof people at different timesof the day? ow is the corporate policy implemented and cen-

trally controlled by the company’s IT that the filter is effective and has-

S and digital “sledgehammers.,’

~ t t empto bypass it withbasicscans,fragmentedpacketscans,and

~ t t empto overwhelm t with

les are well designed andd y n ~ cort selectiall s often di~lcul t, ut solutions i~clude e

masks let you define the nexte uence o

ea

etennine that the connection o an external network, such as thenternet, is se-

cured with an application gateway firewall and that the firewalls properly configured tosecure internet rfllc.

in a detailed network diagramf the firewall network O

server, firewall host system, eb server, and o on) with hos

etemine that all of the physical and ogical componentare managed by the same group and that the control procedures and policies arewell documented and updated regularly.

eview the firewall network operations andcontrol proce res to ensure that pro-cedures are documented and in placeo back up security and confito properly restore these files after systemailures and softwaretern upgrades.

Using the network diagram as guide, observe the physical connections between

the various components noting proper labelingf all physical co~ect ionsnd thatall physical connectio~s re consistent with the diagram. ~vestigate ny connec-tions that ink portions of the firewall network to networks rinks not documentedin the network diagram.

nal network andhe link to the nternal network.etemine that the firewall has only two networknte~aces:he li



password controls-autho~~ations for

viewandassess the use of groups oassignserviceaccesscapabilities ousers.

For generic proxy programs that may be in use, review thesource and destination est~ct ionso ensure that they areCO

strict this traffic. Assess the need and implementation ofsuch as router filters.

For each proxy, e t e ~ n ehat adequand that logs are reviewed on aime1

e t e ~ n ehat audit alerts have beende~uatelya real-time basis of security events that require

traps, e-mail messages, pagers, and

and assess heappropriateness of s~a tor s ithaccess o viewandmodify the firewall configuration.wall products supporthis) and investigto ensure they are utho~~edhanges.

ore detailed n ~ o ~ a t i o nn a t, refer to the sectiontwork ~ecurity’,n Chapter6. te the subsections “Technic

anaging ~ e t w o r ~ithI



n f o ~ a t i o nuicklyained on their ocal

c ~ o ~ cata interchange(€331)sig~fi~antlyn the past five

replace paper ansactions ithroutine business nctions ay

ystem is not operating.

orks, and ~c rocomput -

no longer the domainbusiness assets rests

ecause today's~utomatednfor-in momentsof a d i s ~ ~ t i o nn sys-

pecifically, the plan should' S responsibilities, the distribu-feasi~ility, lan testing, recov-

ency in fo ~a ti onhat maycific statements regarding each f these

lete enough to~ n i ~ z e

overy plan, the direct supportbility for disaster recovery ul-

sponsi~ility or the assetse resources are availablerecovery planning tobe

ining its c o ~ i t m e n to

ader dis~ ib ~t io nfr the sole provider

no longer isolated in the controlled environ-



sources affected.It is possiw orst-case s c e n ~ o s .his

covery p l ~ n e r sh o u l ~olici

to resources and assi~nrnentwith r n ~ a ~ e r n e ~ to c o ~ r n u n ~ c ~ t

plan, avai la~ i~ ityf approp~ate

w e ~ e s s e sn. the e~istin



~ ~ n ~ ~ r she o ~ ~ ~ n i z ~ t i o ~n ~ ~ l ~o se its i n f o ~ a t i o n t e c ~ n o l o ~ y~~ c ~ ~ s e s s i ~ n

loss of ~ s s ~ ~ ~ i ~ l s ~ ~ i c ~ s .

h it might be perceived as such. Thus,hereare classificationsof exposu~e:

ant in te~pt ion, epending on its duration anda1 of the o~ganization.

ing a disaster nclude the degree of dependency placed on

er canp e ~ o ~equired recovery tasks.uld be as co~prehensives possible and shouldocu~entreestablished

ions in a crisis atmosphere. The plan should also provide

e ~ p h a s i ~ ehe actions intended to protect the organiza-se who would take ad-

sic ~ t e ~ ~ ~ o n shat, if not ad~ ess ed e~c ien t~y ,ntial causesof business ~ t e ~ p t i o n snclude:

Fraud

Te~oristctions

Theft

00

e t e ~ n i ~ ghe potentia~mpact of a disaster is to i~entifyhe es-at need pro t~ ct io ~. e way to do this is to p e ~ o ~n impact study. Some



498 DISASTERRECOVERY PLANNING

essential assets (e.g., facilities, hardware, and software) might be tangible and easily iden-

tified and their value easily calculated. However, the value of data is more difficult to as-

sess because it depends on its relative value to management. The following categories

should be considered when developing an inventory of essential assets requiring protection:

FacilitiesData

Software

Personnel

Data processing hardware

Communications circuits

Communications hardware

These assets are susceptible to any of the threats listed as probable causes of business in-

terruptions. Management is responsible for recognizing the probable causes of business

interruptions and, to the extent possible, taking steps necessary to protect critical infor-

mation technology operations. Auditors should assess the risk of exposure and the ade-

quacy of precautionary steps to prevent or minimize the effects of disaster. It can be ex-

pensive to develop and maintain a DRP. Designing a DRP is a labor-intensive task and can

take a year or more to complete.

BUILDING A C ASE FOR DISASTER RECOVERY

Audit has an opportunity to communicate the need for a DRP program to senior manage-

ment. Audit must emphasize the risks of not being ready and able to recover and continue

the firm’s critical business functions, not complying with regulatory requirements, not

meeting contractual obligations and service level agreements, and not providing an ade-

quate level of awareness within the organization.

Audit may also be well positioned to compile information throughout the organiza-

tion on risks and potential threats to facilities and business processes because of their close

examination of these areas during other scheduled audits. Furthermore, audit can often

compile and share DRP benchmarking data and leading-practices information across busi-

ness units and locations. Audit could also obtain information on DRP plans, strategies, andpractices from similar organizations or other firms within an industry grouping, which can

assist in a company’s DRP efforts.

BUSINESS IMPACT ANALYSIS

The business impact analysis (BIA) is the foundation of effective disaster recovery plan-

ning. It must originate from the individual business areas and should highlight business

strategy as well as inherent risks and critical threats to achieving business goals. As such,

it will represent the business area’s risk assessment of its financial, operational, competi-tive, and systems environments. The more defined the BIA is, the easier it will be to justify

the expense of the disaster recovery program to senior management.

Audit should help make this process less subjective and more quantifiable through the

use of appropriate measurement tools and risk assessment techniques. Remember, this is

what audit does regularly. This is an area of expertise.



KEY COMPONENTS OF A SUCCESSFUL DISASTER RECOVERY PLAN 499

Audit’s most significant contribution to the BIA process is one of validation. At aminimum, they should review and validate the following compo nents:

Business process inventories

Business process ownersResource listings, including systems inventories

Business impact information (financial and nonfinancial)

Critical time periods

Interdependencies

Recovery time frame objectives

Recovery resource requirements

Obtaining audit’s evaluation and validation of the preceding items will enhance the DR P’s

framework and serve to strengthen its effectiveness not only for the eyes of managem ent

but also in the event of a disruption.

STRATEGY SELECTION

Disaster recovery strategies range from providing fu lly functional alternate sites to “q uick

ship” programs, which may be internally or externally provided. Based on the BIA, a suit-

able strategy should be selected to provide the organization with the necessary recovery re-sources within its predeterm ined recovery time ob jectives (RTOs).

Aud it should review the strategy to ensure that it is in line with the ove rall business

process and fits the organization’s bigger picture. Audit can also perform independent re-

views of vendor contracts and agreem ents as well as liaise with procurem ent and legal de-

partmen ts during this process. Th e key is to ensure that the selected recovery strategies and

all assumptions surrounding those strategies have been adequately and independently re-

viewed.

These assump tions may include:

Assuming that the alternate facility will be available at crisis time.

Assuming that the alternate facility is a certain distance away and unlikely to be affected.Assuming that key personnel will be ava ilable to facilitate recovery.

Assuming that identified vendors and alternates will be av ailable to provide products

and services.

Audit should work with the disaster recovery planner to ensure that there a re no “surprise”

audit findings after the DRP program is implemented. It is far more efficient and effective

to build audit requirements into the D RP process during development than to retrofit a DR Pprogram with audi -required controls.

PLAN PREPARATION

Since individual business managers are ultimately responsible fo r the successful executionof the plan in the event of disruption, they should assume ownership of the plan. Theyshould provide the time and resources to clearly d ocument the detailed recovery proceduresnecessary to resum e and co ntinue critical business activities.



plans have never really beene

excuse with r~anizationsa s ~ ~ p ~ i e r a ~ r e e ~ e n torr

The ~e th od ol o~ yescribto prove the accuracy andis to keep pace with chan



testing is to verify he validity and functionality of the recovery procedurescomponents are combined, f you are able to testall modules, even if youe ~ o r m h11 test, then you can be confident thathe business will survive a

when aseries of co~ponen ts re combined without in-

les of m~ duleests are:

lternate site activatio~

~pplicationecovery

un production processing

The full test verifies that each component within everyo d u l es workable and satisfiesheirements detailed in the recovery plan.he test also verifies the

modules to ensure that progression from one module o m-

out problems oross of data.objectives associated with aull test:

ed time to establish that the productionnv~onmentmeets

the recovery plan tonsure a smooth flow from module to

To achieve the first objective, a computer systemf the similar capacity and speed must beavailable for the ~stimatedime frame as stipulated in the plan.his is not critical to achiev-

e second objective.

ned ~ o u n d worst-case scenarioor equipment since this wille ~ a ~ i n e dhile catering to all possible disastrous si~ations.

around best-case scenarioor stafing to ensure that all p~ic ipantsre involvedand to understand and resolve eachssue in the process f build-

sonnel should note any weaknesses or oppo~unitieso improve thece confident that the recovery plan is effective, other scenarios for

that the procedures are complete and can

when every requirement associated withnent has beenoc~mentednd verified can the recovery plane said to e com-

aspects of the test are properly x a ~ n e d

st, some considerations will be necessary that perhaps would noter example, a testmay require agreement with usiness nits to pre-

ction, or require that ll change controlbe frozen for a period, or



place. The role of the observer is to give an unbiased view and to com-ment on reas of success or concerno assist infuture testing.

There will need to e some assumptions made.his allows a test to achievehe results with-bound by other elementsf the recovery plan thatay not have been verified yet.ons allow prerequisitesof a particular componen~moduleo be established out-

All technical inforrnation documented inhe plan, including appendices,s completeand accurate.

11purchases (equipmen~furni~re,tc.) can be maden the time frame required.

es and other equipment recalledrom off-site are valid and usable.

efore any test is a~empted,t must be verified that the recovery plans fully documentedm all sections, includin~ ll appendices and attachrnents referencedo each process. Each

~ i c i p a t i n ~eams in a test must be aware of how their role relates to other teams,when and how they are expectedo perform their tasks, and what toolsre permissible. Itis the responsibility of each team leader to keep a logof the proceedings for further irn-

provement and to r e p ~ eetter for future tests.

o matter whether it is a hypothetic^, component, module,or full test, a briefing sessionr the teams s necessary. The boundaries of the test are explained, and the pp o ~n i tyo

discuss any technical un c e ~~n t i e s ,rovided.~epending n the complexity of the test, additional briefing sessions may be re-

quired, one to outline the general boundaries, another to discuss any technical queries,

nd perhaps one to brief senior ana ent on he test’s objectives. The size of the ex-rcise andumber o determine the time between the briefing ses-sion(s) and the test. me period must provide suf~c ient pportunity forperson~elo prepare a~equately, ~ icu la r lyhe technical staff. It is recom~endedhatthe final briefing be held nomore than two days prior toa est date to ensure that all ac-tivities are fresh in the minds of the p~ticipants nd the test is not impacted throu~hmis-

s or tardiness.da would be:

Team objectives

enario of the disaster

Location of each team

es~ct ionsn specific teams

Assumptions of the test

rerequisites for each team



S



Can you restore each subsystem and are they documentedn the plan?

o you h o w what time and day you have to recovero? Start of current day (SOD)?nd of previous day? idd day? Is this in the plan?

your recovery procedures reflect theorrect backup tapes to e used? (For exam-

, f recovering to SOD, the backup tapes will probably have the previous day’s

o you h o w the recovery point (e.g., OD or end of day [EOD] checkpoint recov-ery?) Is this documente~n the plan?

Can you recover the databases to theOD?

uestions to ask about the plan include:

*

you ~o~ ard -r eco verhe databases o the point of €ailwe? Is this documented in

o you b o w how to verify the i ~ t e ~ i t ynd currencyof the databases?

ho is to perfom this task and s it documented in the plan?

oes this person need o f o~ a l l y a u t ho ~z ehis fact?

Can youIPL the system ands it fully documented n the plan?

Are these roce~ures ccurate; that s, can your managerse them to load the system?

Are thereany processes thatare not included inhe recovery plan? f not, why not?

as yourvendor/supplier/mai~t~nerhecked and verified ll procedures?

o you have documented and verified procedures to:

* Initialize disk drives

* Restore system (reload)

eboot from stand-alone backup

* Perform estarts

estore other librariesInitialize catalogues

~pplicationestore

* Database estore

et unit addresses

Perfom restarts

uestions to ask about the coldite include:

oes everyoneh o w the locationof the recovery site?

ave all those who will be located there visitedhe site?

ave you checked he access to and rom the location?



Is the equipment st

oes the site have a security system ando you h o w how to p r o g r ~ u s et?

uan~tyo meet recovery needs?

ave you verified as functional,he air conditioners, i

Are all the cables, phones, ower, telex, and modems of the a

cient floor and office space to meet your needs?

ave you checked the access for en and exit of equipment and s t a ~ ?

o you have a d i a g r ~howing th tworkhystem c o n ~ g ~ r a ~ o nnd flo

o you h o w the e ency ~vacuation rocedures of the sit

hting equipment meet the requiredt ~ d ~ d s ,nd has t

Is all this documented in aite manual?

o you have a copy of theite manual in your possession?

oes the site satisfy all your recoveryco~unications/netwo

S anyone else situate

If so, are they totally isolated from your equiprnenmoves, security risk, physic

Is a method in lace to cheAre all critical consumable (special forms) located in con~olled onmultiple locations?

uestions to ask about h i r d - ~ ~ yot site checks include:

hat per ipher~ quipmentdo you require to meet your disaster needs as stated in

hat system si~e/capacity o you re~uireo run in disaster

recovery plan?

Is the hot site equipment (e.g., system, peripherals, corn

oes the site have tape library facilities?

o you regularly review he site to check all these items?

tion under recovery mode?



~uestionso ask about warrn/hotite checks include:

Do you have aDRP machine at this location?

Is the system a developmentr second production machine?Is the system large enough to allow the P system and all its re~uirements o beloaded (e.g., CPWdislc capacity, tape/cart drives, speed to meet user satisfaction)?

Do you h o w which ~les ~ibr ari esou need to remove from thevide sufficient space?

Do you wish to keephe data on theDRP machine and restoret after a testor actualdisaster?

If not, do you have a plan to clear or prepare this systemor both testing purposes andthe actual disaster?

Do you have procedures to perform this clearing function (backup andelete)?

Do you havecleanup procedures for the DRP machine t the completionof the test toenable return to normal processing?

While testing is in itself beneficial, an effective recovery plan can onlye achieved by con-structive analysisof each test and he test’s results through a postmortem. Thislso main-

tains the momentum gained fromhe test, whichs critical to theprocess of buildinable plan.

con~tructive nd regular involvement, staffs develop a greater commitment.any staffs see disaster recovery as an additional workload; however, with time

If the company has a dedicated D team or coordinator assigned pe~anent ly,hen thisteam or coordinator would havehe responsibility of conducting thebr ie~ngnd debrief-

ing sessions. If not, the responsibilityies with the command team leader.The format is to discuss the results and~ndingsf the test with aiew to improving

the recovery plan or future exercises. From these discussions, a setf objectives is devel-oped for later inclusion in the report. An agenda could be:

Overall performance

Team pe~ormance

~s~rvat ions

Areas of concern

e Next test (type and time)

Each team leader hashe responsibility of maintaining a og of events during eachest, Thein fo~a t ionat here^ from these logs, in addition to the postmortem report y the test man-



eas of i ~ ~ r o v e ~ e n tre nen a realistic o~p le tion

o test i s cons id ere^ a failure, as anynfor~ationenefit, even f the o~Jectives

an i ~ e d i a t pdate to the

controls.



As mentioned before, audit shoulde an ally in the disaster recovery process.the case, a reevaluation andede~nitionf roles mightbe in order. Audit should e the in-dependent group to monitornd report the progress and effectivenessf the disaster recov-

ery program. They should also confirm that senior managements receiving the right mes-sage and not a false sense of security when it comes to disaster recovery readiness. Thefollowing statements should e considered “warning signs” that ay indicate a alse senseof security among an rgani~ation’s manag~ment:

have a disaster recovery planor te~hnology.~’

conduct annual planests at our vendor facility.”

software package,”

Tf I am affectedby isaster, so are my competitor^.^^

Statementssuchas hese ndicate hat hecompany’sprogram maynotbecompre-hensive. Audit should recognize these symptoms ande c o ~ e n dolutions for b~ ngingheDRP pro~ramo the appropriate level. Audit should work with disaster recovery plannersand business managers to identify synergies with othernte~rise-wide ctivities, such ascorporate standards, self-assessment compliance r o g r ~ s , a w ~ e ~ e s s p r o ~ r ~ s ,RP ex-pense reporting, plan development, and the development and usef monitoring tools.

Audit may often feel like 6‘referees9’ in a largeco~ora teffort. They are re~ ~ l a r l yasked to “enforce the rules’’f a well-con~olled nd operated environment.ery planning s clearly one area in which audit can shed the “striped shirts,”

pany9s“team colors,” and participate and add valueo the critically import

embers of disaster recovery teams and senior managers should receive a copyf the com-sider providing copiesf the plan to external groupsat may help with disaster prevention and recovery.ed a prop~etary ocument, and they should note

distri~uted indisc~~nately,ither i n t e ~ a ~ l yr

As described n the previoussection, hehouldnot be dependenton the par-ticipation of any individual or eam, A disaster could resultn the unavailability, injury,rdeath of key recovery team members. t is also possible that essential members f the re-covery team may findhe recovery process o v e ~ h e l ~ n gnd resign from their positions.Therefore, to help prevent chaos following a disaster, the S should contain enough de-tail to allow available staff to begin implementing the recovery process as quickly as pos-sible f o l l ow i ~ ~disaster.A omplete, up-to-date et of plans should also e maintained inan accessible off-site location tonsure accessibility when needed.

saster Recovery Strategies



iate



site, notification requ~ed efore occupying the site, length of stay pe ~ i t t e d ,esting pro-cedures, assistance available fromhe backup site, and adequacy of office space.

adequately describe operations and procedures presently in use atnter, plus any unique procedures developed or use at the internal backup ite?

ati ion allowsstaffmembers ( than hosemostfamiliarwith the tasks) oesume critical processing. The shoulddefine critical data, documentation,

and supplies that are toe stored at the i n t e ~ ~ackup site. It should also nclude notifica-and how to move personnel, equipment, and supplies to the alter-Id address the adequacy of the computer room layouts, building

o the periodic tests f theDRP fulfill audit objectives by:e t ~ r ~ n i n ghe adequacy of the off-site storage facilities and existing recov-

ery procedures? n ~ o ~ a t i o nill be obtained concerning availabilityf off-sitefiles and he documentation necessary or efficient recovery.

* Identifying deficiencies in recovery capabilities and related internal controls?Plan testing will also help assessanageme~t’s ommand of the situation and

its ability to adapt to unusual situations.Identifying and evaluating the ost and effectiveness of continuing operationsat an alternate site?

Audit should compare the criticality of the controls being tested withhe strength of the testresults. If they are equal (i.e., ifhere is high criticality and a high levelf compliance), thenthe disaster recovery procedures shoulde considered adequate. Differences between com-pliance and criticality may suggest that resources associated with the control are being oused or underused

P adequately identify critical files necessary for operation and eE-cient recovery? It is important to verify that adequate procedures exist for backup, docu-mentation, and storage f critical files.

Is the DRP designed to protect and recover d all levels within the organiza-addition oaddressingmainframe-based data S shouldalsoprovidepolicies

and procedures or protecting and recovering programs andata developed by endsers foruse on personal computers.

. oes the organization maintain adequate insurance coverageo ensure restorationfollowing a disaster? The orga~zation’snsurance should also protect a ~ ~ n s tusinesslosses resulting fromhe inadequate performanceof a third-party vendor.



~ d e ~ ~ ~ c a t i o nf critical data?

sults pe r f o ~ e dnd a conclusion d r a ~ n ?

stat~mentf objectives andassu~ptions?

ifferent levelsof dis~ptionuch as disaster, lossf indivicomponents, ndemp loss of reso~rce~?

a ~ ~ l e sf potential disasters include:~ e s c ~ b e s c e n ~ o soreachpo

~ n t ~ ~ p t i o ~f c o ~ m ~ n i c a t i o n ~

e what a disaster is,who may declare one, d bow to i ~ ~ l e ~ ~



define proceduresfor each recovery area identified as a result f thecess? For example:

~pplicationystem recovery

Teleco~unications ystem recovery

* Systems software recovery

describe alternate operating and processing procedures f electronic

oes the DRP also describe maintaining communications with the value-added net-

Is there ana u ~ o r i ~ e dist for u~datinghe

How fre~uentlys it reviewed or revised?

o is responsible for updating the plan to reflect changes innel, software, and telecommunications?

enefits of a hot versus a cold ite processing facility?

Does theDEW require storage of at least one complete, current copyf the plan at asecure and accessible off-site location?

oes the D W identify the test team and the procedures the team should follow inoc~ment in~he physical testing f the plan?

specify procedures or conducting regularly scheduleocumentin~hose results?

oes the recovery team include key representatives from the following business

. Data processing management

. Data ad ~n is ~a t i on

e. User de p~ me nt s

. elecommunications (voice and data)

. acilitiesmanagementComputer operations

. ystems and applications p r o g r a ~ i n ~

Personnel, security, audit, and vendor representatives

e senior managers officially assigned the respon$ibility or initiating disaster re-covery procedures?

Does the DRP provideor assigned al te~atesor each p e ~ a n e n team member?the alternate team members know of this assi~nment?Do they know their job re-

sponsibilities?ses and telephone numbersf the team members, users,

ar procedure or notifying vendors andlte~ate-siteon-

ning recovery team members toulfill their assigned roles?

.Does the DRP address the defini~ion f team members functions at the task level?



si~il itie§ ould include:

nerd c o ~ ~ ~ n i t yrocedure§ desi~nedo notify he entire workforce, byin the event f a seriou§ disaster?



Are management personnel able to run the computer center in the event that non-management personnel are unavailable?

S a personal skills inventory been conducted to identify special employee skills

Is access to the data library restricted to designated i b r ~ a ~ s ,ven during disasterperiods?

as a recovery team been ssi~nedo that they can begin work immediately in theevent of a disaster?

Is user management heavily involvedn computer disaster recovery l ~n i ng ?

Are computer personnel iney positions of authority bonded?

at could be used during an mer~ency?

as the staff been trained inire alarm, bomb threat, and other emergency procedures?

Has the staff been adequately instructed in what to do when an emergency alarmsounds?

e computer center personnel been trainedo protect con~dential ata during pe-s of disaster recovery?

Do all security procedures remain in effect during a disaster recovery period?

Are disaster recovery responsibilities included inhe appropriate job desc~ptions?

Are new or transferred employees immediately trained in disaster recovery proce-dures and assigned appropriate responsibilities?

Is there a complete listingf allsupplies and copies ofll orms av~lablet a second site?been reviewed by senior management and approve by all responsible

managers?

If extra copies of the disaster recovery plan are maintained, are they regularlyupdated?

In the event f a disaster, have uEkient funds been allocatedfor transpo~ation,op-erating expenses,emer~ency upplies, andso on?

The following questions must be answere by member§ of mana~ementwho own a vitalbusiness process:

ave you ensured that the vital business process can fulfillts mission in he event ofa disaster?

(C) All processesevaluated

(A)Targetdate

(AE) Target date

ave you prepared disaster recovery plans that include vital business process recoverrequ~ementss well as service o ~ ~ i ~ e n tequ~ementsrom sL~p~liersf service?

isaster recovery plans prepared

(A)Targetdate

(AE) Target date



ave you planned conducted a review of the disaster recovery plan in the past

eviewed within the ast year

vin any de~ciencies iscovered during the review?

(A ) et date

(AE) T ~ g e tate

as a disaster re cove^ test been conducted withinhe last two years, resolving nyprob~ems r exposure iscovered dur in~he test?

sted within he past two years

(A)Targetdate

facility (i.e., local area networ~s,rting the vital business process, have you answeredhe Sup-

upplier of service sectiona~plicable/not pplicable

(A ) Targetdate

(AE) Target date

ction plan in progress, Ai3"ction plan ending date,

The following questions must be answeredy members of management who are suppliersof services essential to the recoveryf the vital business process (i.e., information systemsservices, site services, site security) and who must negotiate service level~reementswithowners of vital business processes defining services o ~ t t e dn the period followingadisaster untiln o ~ a lperations are restored.

ave you negotiated service levelgree~ents ith owners f vital business processes

ho are on your service/system?

(C)

are disaster recovery plans covering their service commitments and protect it

ou havea disaster recovery planor your servicelsystem that will recoverhe vi-

oE-site.

tal business processes as o ~ i t t e dn the service level agreement?

(6)



S your disaster recovery planor yupd~tedwithin the ast twelve mo

In a ~ ~ i t i o no the effort in

(C>

(A) Targetdate



e C10 when testing is not in compliance

(A) Targetdate

(AE) Target date

See E x ~ i ~ i t.1 for a sample disaster recovery plan.



U



b

E

E Y



Access, 129, 144, 145, 146Access control, 191Access control lists (ACL), 188

ACL entries, 360ACL notation, 358ACL patterns, 362ACCs and file ~ s s i o n s ,57file mode permissions, 358long form of ACES, 361operator form of ACL, 359

short form of ACL's, 360

c o ~ ~ d snd programs, 363network environment, 365Unix core programs, 364

ACL,(see Access control lists)Account policy, 202Accountability, 24Admi~strativeomains, 382Adopt authority, 109, 147

Airducts, 78Application development tools, 89Application layer, 462Architecture, 83Assumptions, 14, 16Attacks, 374Attacks and defenses, 224Attention program, 136Audit, 479Audit approach, 73

Audit checklist, 73,Audit policy, 204Audit tests,49,57, 153Auditing, 398,512

administering, 413audit record, 00,403,408auditing tasks, 406

ACL Functionality

diskless envi ro~ent,14enable auditing, 342event types, 399,410key concerns, 386mounting and unmounting file system, 416select users, 409system calls, 410system parameters, 404turn on oroff,408

Authority holders, 148Authority parameter, 89Authori~ation lists, 108, 146Automatic c o ~ g ~ a t i o n ,36Automatic sprinkler system, 66Auxiliary storage pools, 96

Backup and recovery, 96, 152Behaviors,norms & values, 5, 14

Build a case for disaster recovery, 498Business continuity, 130Business impact analysis, 498

rowser, 484

Carbon dioxide, 65CHACL commands, 367Change model,6,7Checklist, 5 15Checksum protection, 97Classification, 70C o ~ ~ e n t ,, 11

Compliance,5Computer room, 13Con~g~ation,85Conflict awareness, 33Conflict resolution, 2,33~onnection-oriented, 46Connectionless, 461



ontrol re~~rements,3,452ontrolled access areas,4

onv version plan, 341

us tom er satisfaction, 1, 14

evice sessions, 135

isabling and deleting user accounts, 216isaster ~re~aredness,96isaster recovery, 498iscretionary access control, 70, 183,373accountabi~ty,74least Privilege, 374objects, 374

subjects, 373

is~osingf media, 56,73ocumentation questions, 15omain objects, 133o m ~ n snd trusts, 222ropped ceilings, 77ust, 67

y n ~ culture, 1,2,4,6,8, 10

ynamic cultureat~ibutes,0ynamic culture self-assessment, 11

- c o ~ e r c e ,94lectrical noise, 60lectronic data interchange, 494

End-user c o ~ ~ u t i n ~ ,93Environmental controls, 59Ethernet, 463

buted Data Interface)

ile security, 368,369, 372

File system consistency, 345File system export, 385Filters, 477Fire, 65Firewall, 474,476

Focus inward,4FTTP, 470Function keys, 56

Gateways, 478General controls, 127,131Glass walls, 78Glossary of Unix terms, 419Ground rules, 36Group profiles,108

Guidelines:adding a group, 355,356network security breaches, 385overallrisk m~a~ement,73user account, 353,354,355

Hardware, 82High-risk utilities, 149Home directories, 2 18Hub, 474Human resources, 19,22,23,25Hu~difier,5

~ - s u ~ ~ l i e drofiles, 141Info~ationecurity, 1 , 2

~nstaIlin~he system, 341Integration, 85Interfaces, 464,465International 0rga~zationor

(Em),53Internet operating system, 472Internet threats, 475Internetwor~ng,48,453,468Intro~uction, 1I S 0 (see International 0rgani~ationor

§tandardi~ation)Issue ~oordinator, 4

Job descriptions, 147Job time-out, 139

Key subsystems, 350Key switches, 56



LAN (see Local access network)

Leading, 5,16, 18

Libraries, 94

Library, 140

Lighting, 62

Link-level access, 382

Local access network (LAN), 452

Logon process, 184

Logon scripts, 218

Management c o ~ t m e n tnd funding, 494

Manager~leaderoles, 2,5, 15, 17,24,25,31

~anaging,,16

M~ ag i n groups, 209

M~ ag i n getwork with /etc/hosts table, 389

Mana~ing ser accounts, 212Ma~ke~lace,4

Modem, 63,484

Name servers, 389

Narning nomenclature, 94

NAT (see Network Address Translation)

Network Address Translation (NAT), 485

Network file systemenviron~ent:

client ~lnerability, 8l

files mounted in network n v ~ o ~ e n t ,8 1s~eguarding, 82

server vulnerabi~ty, 8 1

Network Layer, 458

Network transfer protocols, 224

Network topologies, 463

Networks, 493

Number of device sessions, 135

Object and security, 185

Object ownership, 148Object-based operating system,88

Operating system, 369,373

Open Systems Inter-co~ectionOSI),454,456,

458,459,461,462

Orga~zationaltructure, 128

Password security, 346

encryption, 347

file security, 370

m ~ i p u l a ~ n gassword files, 349password aging, 354

protection, 380

pseudo accounts, 348

responsibilities, 346

Passwords, 133

Pdfs (seeProduct Description Files)

People, 69

Performance, 485

Per~ss ions, 86,200

Physical access controls, 42

Physical layer, 456

Physical protection of storage media,53Physical security, 41

Physical security Plan, 43

Physically securing company's installatio~, 2

Plan preparation, 499

Planning, 198

Policy planning, 202

Portable storage media, 8

Positive resolution, 34

Power supply, 62

Power, 59Presentatioll layer, 462

Preventing theft, 77

Process improvement, 4

Product Description Files (pdfs),344,346

Productivity, 15

Profiles, 141, 144

Program development, 129

Program m~ntenance, 29

Protecting backups, 54

Protecting data, 79

Raised floors, 77

RAID (seeRedund~trray of

independent disks)

Recog~zingraits, 8,26

Recovery team, 496

Eedundant array of independent

disks (RAID), 97

Reengineered processes, 4

Remote file access(RFA), 80Remote sign-on controls, 135

Residual inf o~ at ion ,5

RFA (see Remote file access)

Risk analysis and acceptance, 47

RisWexposure, 53,70

Risk management, 373

Root, 349

Routers, 473

SAM (see System Ad~nistrationManager)S ~ t i z i n g ,5

Secure (trusted) system, 341

Secure systemmainten~ce, 44,377

Secured area access,50

Secured area deter~nation,0

Secured area inspection,



ystem shut down, 417

ystem u t i l i ~ e s , 1

auditing and security - as400, disaster recovery plans

Documents