安徽省商品住宅销售ile

BuildingYourITSecurityChecklistSamplechecklist/auditplansforUnix,NTandWindows2000ActiveDirectory1Whathavewejustdone?TheTop20threatsmeetourriskcriteria:HaveahighprobabilityofoccurringResultinthelossofacriticalserviceBeextremelyexpensivetofixlaterResultinheavy,negativepublicity2ApplyingTBStotherealworld!TBS=TimeBasedSecurityTopTenVulnerabilities,thevulnerabilitiesresponsibleformosthacksApplyTBSasanapproachtoaneffectiveunderstandablesecuritypolicyBasicsPerimeterUnixNTWindows20003TheTBSAuditLayersAcompleteITaudit/securitychecklistisasetofcomponentaudits/checklists.YoushouldbeabletomeasureE,DandRtimesforeachlayerofthesecurityarchitecture.ComponentsProcedural:E=D+RPerimeter(Firewall):E=D+RUNIX:E=D+RNT/Windows2000:E=D+R4CISRulers5CISRulers:ASecurityandAuditChecklistLevel1

MandatoryActionsrequiredregardlessofthehost’slocationorfunction.Level2DependentonyournetworktopologyDifferentforswitchednetsvs.sharednetsvs.wirelessnets,etc.6CISRulers:SecurityChecklist&AuditPlanFTPWWWDBMailSwitchedWirelessNonSwitchedLEVEL1Level3Level27CISRulers:ProceduralGeneralAdministrationPoliciesKeysecuritytoolinstalledUserAccountsandenvironmentSystemLogsNetworkFilesharingGeneralEmailIssuesThisreviewisdoneduringtheAuditPlanningPhaseoftheauditprocess8CISRuler:ProceduralGeneralAdministrationPoliciesAcceptableUsePolicyBackupPolicySecurityAdministratordutiesWhoisContactInformation(Tech/Admin)Systemchangelogs(SourceRevisionControl)IncidentResponseMinimumsoftwarerequirementsUser,temp,systemaccountpoliciesPatches9CISRulerExample:Backups·

Doesabackuppolicyexist?·

Dobackuplogsexist?·

Whatdataisbackedup·

Howoftendataisbackedup·

Typeofbackup(full,differential,etc.)·

Howthebackupsarescheduledandverified·

Howthebackupmediaishandledandlabeled·

Howthebackupmediaisstored·

Howlongthebackupmediaisretained·

Howbackupmediaisrotatedandexpired·

Howbackupdataisrecovered

10CISRuler:ProceduralKeysecuritytoolsinstalledNetworkroutersimplementminimumfilteringrequirementsVerifynetworkroutersareproperlyconfiguredandmonitoredforin/outtrafficAreallfirewallsproperlyconfiguredandmonitoredforin/outtrafficTheaboverulespreventDDOSattacksfromaffectingothernets.11CISRuler:ProceduralUserAccountsandEnvironmentRemoveobsoleteuserentriesfromsystemSystemLogsHowlongaretheykept?Aretheysecured?NetworkfilesharingReviewwhatfilesystemsthissystemcanaccessReviewwhatfilesystemsthissystemexportsEmailPolicyAbusePolicy?12CISRuler:WrittenDocumentation,PoliciesWhereisit?Isitavailabletoanyonethatneedsit?Isituptodate?Isanythingmajormissing(SGIpolicies,butnoHPpolicies)?13CISRulerExample:SecurityPolicyPurpose-thereasonforthepolicy.Relateddocuments–listsanydocuments(orotherpolicy)thataffectthecontentsofthispolicy.Cancellation-identifiesanyexistingpolicythatiscancelledwhenthispolicybecomeseffective.Background-providesamplifyinginformationontheneedforthepolicy.14CISRuler:Scope-statestherangeofcoverageforthepolicy(towhomorwhatdoesthepolicyapply?).Policystatement-identifiestheactualguidingprinciplesorwhatistobedone.Thestatementsaredesignedtoinfluenceanddeterminedecisionsandactionswithinthescopeofcoverage.Thestatementsshouldbeprudent,expedient,and/oradvantageoustotheorganization.Action-specifieswhatactionsarenecessaryandwhentheyaretobeaccomplished.Responsibility-stateswhoisresponsibleforwhat.Subsectionsmightidentifywhowilldevelopadditionaldetailedguidanceandwhenthepolicywillbereviewedandupdated.15Procedural:IncidentResponsePlanArethesixIncidentResponsestepscovered?PreparationIdentificationContainmentEradicationRecoveryLessonsLearned(iftherearenolessonslearneddocumentseithertheplanisn’’tfollowedornoincidentshaveoccurred).16Procedural:Training&EducationDotechnicalpeoplehavethetrainingtodotheirjobcompetently?Aretherestandardstheirskillscanbemeasuredagainst?Aretherestandardsofcompliancethatensuretheyareusingtheirtraininginaccordancewithpolicy?17Procedural:PhysicalSecurityConsolesinphysicallysecureareas?Firesuppression?Backups?Offsitebackups?Networkcomponentssecured?Phonewiringsecured?18Procedural:Windows2000ThesearebasedontheSANS““SecuringWindows2000”booklet.LeastPrivilegePrincipleAvoidgrantingunnecessaryAdminprivs.LimitDomainTrust.Restrictmodemsinworkstationsandservers.Limitaccesstosniffersoftware(NetworkMonitor).19Procedural:Windows2000Keepsystemsoftwareupdated.UpdateandPracticeaRecoveryPlan.Requirestrongpasswords.Requirepasswordprotectedscreensavers.EstablishAuditingandReviewPolicies.RequireAdministratorstohaveaUserandAdministratoraccount.Requireantivirussoftware.InstallhostbasedIDS.Performperiodicallow-levelsecurityaudits.20CISProceduralRulerReviewProceduralrulersgiveyouastartingpointfordeterminingyoursite’’spolicypieThesepoliciesincludeacceptableuse,privacy,incidentresponse,accountability,backupandanyotherappropriateactionTheCISproceduralrulerisaconsensuslistofpracticesdoneatthechartermemberssites.21CISRulersforSolarisandLinuxThissectionexplainstheitemslistedintheCISSecurityBenchmarksforSolarisandLinux.ThecommandsareverysimilarandthestrategyisthesameforbothOS.We’llbehardeningtheSolarissysteminthelabportionofthiscourse.22CISLevel1Ruler:UnixPatchesKeySecurityToolsInstalledSystemAccess,authentication,authorizationUserAccountsandEnvironmentKernelLevelTCP/IPtuningKernelTuning23CISLevel1Ruler:UnixBatchUtilities:at/cronUMASKissuesFile/DirectoryPermissions/AccessSystemLoggingSSHMinimizenetworkservices24CISLevel1Ruler:Unix25CISLevel1UnixRuler-PatchesDefinearegularprocedureforchecking,assessing,testingandapplyingthelatestvendorrecommendedandsecuritypatches.Keep3rdpartyapplicationpatchesupdated.Why?Thefirstlineofdefenseisproperpatch/ServicePackinstallation.Patchesarelivingandneedtobeupdatedregularly26CISLevel1UnixRuler:SecurityToolsThesetoolshelpdecreaseyourdetectiontime,DInstallthelatestversionofTCPWrappersonappropriatenetworkservicesSSHforlogin,filecopyandX11encryptionInstallcryptofilesignaturefunctiontomonitorchangesincriticalsystembinariesandconfigfiles(tripwire)27CISLevel1UnixRuler:SecurityToolsInstallPortsentryorsimilarpersonalFWsoftwareRunNTPorsomeothertimesynctoolRun““logcheck”orsimilarsysloganalysisormonitoringtoolInstallthelatestversionofsudo28CISLevel1UnixRuler:Access,AuthorizationNotrustedhostsfeatures:.rhosts,.shostsor/etc/hosts.equivCreateappropriatebannerforanynetworkinteractiveserviceRestrictdirectrootlogintosystemconsoleVerifyshadowpasswordfileformatisusedVerifyPAMconfiguration29CISLevel1UnixRuler:KernelTCP/IPTuningSystemhandlingofICMPpacketsissecuredSystemhandlingofsourceroutedpacketssecuredSystemhandlingofbroadcastpacketssecuredUsestrongTCPInitialSequenceNumbersHardenagainstTCPSYNFloodattacks30CISLevel1UnixRuler:Kernel,BatchUtilitiesEnablekernellevelauditingEnablestackprotectionEnsureulimitsaredefinedin/etc/profileand/etc/.loginRestrictbatchfileaccesstoauthorizedusersEnsurecronfilesonlyreadablebyrootorcronuser31CISLevel1UnixRuler:UMASK,FilePerms,AccessSetdaemonumaskto022orstricterSetuserdefaultumask(022or027)ConsoleEEPROMpasswordenabled?Check/deventriesforsaneownershipandpermissionsMountallfilesystemsROorNOSUIDAllfilesystemsexcept/mountedNODEV32CISLevel1UnixRuler:FilePermsandAccessVerifypasswd,group,shadowfilepermsVerifySUID,SGIDsystembinariesDisableSUID,SGIDonbinariesonlyusedbyrootNoWorld-writedirsinroot’’ssearchpathStickybitsetonalltempdirectoriesNoNIS/NIS+featuresinpasswdorgroupfilesifNIS/NIS+isdisabled33Seewhatwecanfind¨/usr/bin/find/-local-typef-name'.rhosts'-execls-al{}\;-execcat{}\;2(.rhosts)/usr/bin/find/-local-typef-userroot-perm-4000-execls-dal{}\;2(SUIDfiles)/usr/bin/find/-local-typef-userroot-perm-2000-execls-dal{}\;2(SGIDfiles)find/\(-local––o––prune\)-perm––000002–printfind/rc-printfind/-perm––100034AuditReportExampleAuditMethodLs––la(listfiles)againstcriticalfilestodeterminetheirpermissionsFindingSeveralsystemconfigurationfilesin/etcarewritableRiskLevel:HighSecurityImplicationThe/etcdirectoryiscriticalforestablishingtheoperatingconfigurationofmanysystemservicesincludingstartupandshutdown.Ifanattackerisabletomodifythesefiles,itmaybepossibletosubvertprivilegedoperatingsystemcommands.Recommendation¨Changepermissionsofallfilesin/etctobewritablebyrootorbinonly.35/devPermissionsExhibit#ls–l/devtotal72-rwxr-xr-x1rootroot26450Sep241999MAKEDEVcrw1rootsys14,4Apr171999audiocrw1rootsys14,20Apr171999audio1brw-rw1rootdisk32,0May51998cm206cdcrw--w--w-1rootroot5,1May2615:17consolebrw1rootfloppy2,1May51998fd1

brw-rw1rootdisk16,0May51998gscd

brw-rw1rootdisk3,0May51998hdabrw-rw1rootdisk3,1May51998hda1brw-rw1rootdisk3,10May51998hda10

brw-rw1rootdisk3,11May51998hda11brw-rw1rootdisk3,12May51998hda12brw-rw1rootdisk3,13May51998hda13

brw-rw1rootdisk3,14May51998hda14brw-rw1rootdisk3,15May51998hda15brw-rw1rootdisk3,16May51998hda1636World-WriteableandSUID/SGIDFilesAuditMethodFindcommandswereexecutedontheserverstolocateallfileswithworld-writeablepermissionsandSUID/SGIDpermissions.Theoutputwasredirectedtoappropriatefilesforlateranalysis.FindingAlargenumberofworld-writeableandSUID/SGIDfileswerefoundontheserverXYZ.Further,anumberoffilesinthe/usr,/optand/vardirectoriesallowalluserstohavewritepermission.SecurityImplicationWorld-writeablefilesallowanyuseroranintrudertochangethecontentsofafile,effectinginformationintegrity.Also,forexecutablefiles,anintrudermayreplacethefilewithatrojanhorsethatcandamagethesystemanditsintegrity.SUID/SGIDfilesexecutewiththeprivilegeoftheowner/group.Thesecanbesubvertedbyanunauthorizeduserorintrudertoescalatetheirprivilegetothoseoftheowner/groupoftheSUID/SGIDfile.RiskLevel:HighRecommendation¨Reviewallworld-writeableandSUID/SGIDfilesonthesystem.Usingfreewaretoolslikefix-modesorYASSPcanfacilitateidentifyingandcorrectingthepermissionsonfiles.Afterthereview,createalistofalltheremaining“approved”World-writeableandSUID/SGIDfilesonthesystemandstoreinasecureplace.Periodically,checkthesystemagainstthislisttoidentifychangesandensurethatsuchchangesareapproved.¨NFSsharedfiles,especiallyfilesin/usr,/optand/varshouldbeexported‘read-onlytospecifichosts.Further,through/etc/vfstab,theexportedfilesystems(exceptspecialcaseslike/tmp,/devand/)shouldbemountedwiththenosuidoptiontopreventtheinadvertentgrantingofSUIDprivilegeonNFSmountedfiles.37CISLevel1UnixRuler:SystemLoggingandSSHCapturemessagessenttosyslogAUTHfacility(enablesystemlogging)CopysyslogstocentralsyslogserverAuditfailedloginsandSUattemptsEnablesystemaccountingLoginsallowedviaSSHonly(norsh,rlogin,ftportelnet)38CISLevel1UnixRuler:Reduce/etc/inetd.confDisablename(UDP)Disableexec/rexec(TCP)Disablelogin/rlogin(TCP)Disableuucp(TCP)Disablesystat(TCP)Disablenetstat(TCP)Disabletime(TCP/UDP)39CISLevel1UnixRuler:Reduce/etc/inetd.confDisableecho(TCP)Disablediscard(TCP/UDP)Disabledaytime(TCP/UDP)Disablechargen(TCP/UDP)Disablerusersd(RPC)Disablesprayd(RPC)Disablerwall(RPC)40CISLevel1Ruler:Reduce/etc/inetd.confDisablerstatd(RPC)Disablerexd(RPC)UseTCPWrappersforallenablednetworkservices(TCP/UDP)41Sample/etc/inetd.conf#Shell,login,exec,comsatandtalkareBSDprotocols.#shellstreamtcpnowaitroot/usr/sbin/tcpdin.rshdloginstreamtcpnowaitroot/usr/sbin/tcpdin.rlogind#execstreamtcpnowaitroot/usr/sbin/tcpdin.rexecd#comsatdgramudpwaitroot/usr/sbin/sattalkdgramudpwaitnobody.tty/usr/sbin/tcpdin.talkdntalkdgramudpwaitnobody.tty/usr/sbin/tcpdin.ntalkdThisisafragmentof/etc/inetd.confwhereshell,login,talk,andntalkprobablyshouldbecommentedout.Notethe/usr/sbin/tcpdsothissystemisprobablyrunningtcpwrappers.Moreofthefileisinthenotespages.42CISLevel1UnixRuler:RestrictRPCRestrictNFSclientrequesttooriginatefromprivilegedportsNofilesystemshouldbeexportedwithrootaccessExportlistrestrictedtospecificrangeofaddressesExportROifpossibleExportNOSUIDifpossible43CISLevel1UnixRuler:Email,X11/CDEUseSendmailv8.9.3orlater.(v8.11.6iscurrent6/01/02)Restrictsendmail‘prog’mailerVerifyprivilegedandchecksumsformailprogramsEnsureXserverisstartedwithXauthUseSSHtoaccessXprogramsonremotehosts44CISLevel1UnixRuler:UserAccts,EnvironmentEnforcestrongpasswordsNonullpasswordsRemoverootequivalentusers(UID=0)No“.”inrootPATHNo.filesworldorgroupwritableRrc,.exrc,.dbxrcfilesUser$HOMEdirsshouldbe<75545TBSExampleUsingE=D+RSecuritypolicy:automatedscripttocheckpasswordfileforuserswithUID0(superuseraccess)returnsuser”zippy””.Syslogischecked:Apr1521:07:596C:telnetd[5020]:connectApr1521:08:186E:login[5021]:?@aszippyIDSreturns:21:07:16.63.26617>.5135:udp21:07:16.66.5135>.26617:udp695135isSGIObjectServerwithaknownvulnerability46CISLevel1RulerReviewThepreviousactionitemsshouldbedoneonanyUnixsystemonyournetworkregardlessofitsfunctionAsimilarchecklistisbeingdevelopedforWindows2000.TheLevel1rulersimposeaminimumsecuritystandardonallUnixandWindows2000systems.47CISLevel2RulersOnceLevel1rulershavebeenapplied,youpicktheappropriateLevel2ruler.Thisisveryorganizationspecific.Whatworksatmysitemightnotapplyatyours.Additionalservicemaybedisablediftheyaren’tneeded.48CISLevel2Ruler:UnixKernel-levelTCP/IPtuningPhysicalConsoleSecuritySSHMinimizenetworkservicesMinimizeRPCnetworkservicesGeneralemailissuesX11/CDE49CISLevel2Ruler:UnixKernelTuningNetworkoptionsfornon-routermachinesDisablemulticastPhysicalConsoleSecurityEnableEEPROMpassword.Whoknowsit?SSHRestrictivelyconfigureit50CISLevel2Ruler:UnixMinimizeNetworkServicesDisableinetdentirelyDisableFTPDisableTelnetDisablersh/rloginDisablecomsatDisabletalkDisabletftp51CISLevel2Ruler:UnixMinimizenetworkservicesDisabletftpDisablefingerDisablesadminDisablerquotadDisableCDETooltalkserver(ttdbserverd)DisableRPC/UDP/TCPufsDisablekcms_server52CISLevel2Ruler:UnixDisablefontserverDisablecachefsserviceDisableKerberosserverDisableprinterserverDisablegssdDisableCDEdtspcDisablerpc.cmsdcalendarserver53CISLevel2Ruler:UnixMinimizeNetworkServicesIfFTPserviceisenabled,seeadditionallevel3requirementsforFTPserversIftftpisenabled,usethesecurityoptionIfsadmindisenabled,usethesecurityoption54CISLevel2Ruler:UnixMinimizeRPCnetworkservicesDisableNFSserverDisableAutomounterDisableNFSclientservicesAddports2049,4045toprivilegedportlistDisableNISDisableNIS+Replacerpcbindwithmoresecureversion55CISLevel2Ruler:UnixGeneralEmailIssuesDon’trunsendmailonmachinesthatdon’treceivemailRemovemailaliaseswhichsenddatatoprograms(Vacation)X11/CDEDisableCDEifnotneededUsetheSECURITYextensionforX-Servertorestrictaccess56CISLevel2RulerReviewLevel2rulersaresitespecific.Theyaremoresensitivetovendorsoftwarerequirements.Forexample,avendorproductmayrequirethatyouenablethedreadedr-commands.Youhavenochoicesoyoukeepaneyeonthatvulnerability.Theymayimposestricterstandards.57CISUnixRulerReviewCISRulersareagoodstartingpointfordevelopingaUnixauditplan.Solaris,Linux,HP-UXavailable,AIXunderreview,CISCOrouterunderreviewLevel1rulerdefinesminimumsecuritystandardsforallUnixsystemsLevel2-3rulersaremorenetworkandfunctionspecificProceduralrulersaddresspolicyissues58SummaryTheCISbenchmarkdocumentandscanningtoolisanexcellentresourceyoushoulduseimmediatelytostrengthenthesecurityofyourSolarisandLinuxsystems.Thescanningtoolprovidesyouwithasimplescorethatyoucanusetopresenttomanagement.59LabExerciseLet’’sapplythestepsintheCISbenchmarktothedemonstrationsystem.We’’llrunthescanningtooltogetabaseline,makeourmodsandrerunthescanningtooltomeasureourprogress.60Appendix1AuditChecklistsforWindowsTheSANSInstitute61W2KCISRulersCISRulershavebeendevelopedforWindows2000andNTsystemsFormatissimilartotheUnixrulers(levels1-3)Level2,IISbenchmarksareintestatpresent.They’’refree!62SampleWindows2000Level2Ruler63SampleVTLevel2Ruler:ActiveDirectoryROETheChilddomainmusthaveatleast1fulltimepeerBDCforthechilddomainThechilddomaincontrollersmustmeetMicrosoft’’sminimumcomputerhardwarerequirementsNo3rdpartyofMicrosoftadd-onsoftwareareallowedonchilddomaincontrollersIIS,CertificateServices,IndexingService,WindowsMediaServices,DNS,DHCP,WINS,printer/fileservices64SampleVTLevel2Ruler:ActiveDirectoryROEThechilddomaincontrollersmustbeinabackupprogramandhavefullrecoverabilitytestedThechilddomaincontrollersmustallowandnotblockglobalpolicyobjectsreplicatedfromtherootAllW2KhostsmustfollowprescribedDNSnamingconventions()65SampleVTLevel2Ruler:ActiveDirectoryROEAllW2KhostswithinthechilddomainwilluserootADDDNSserversettings.ChildDCwillusestaticIPandnotrunDHCPserversChilddomainwillnotattempttocreatechilddomains““below””theirs.TheywilluseOUtodothis.66SampleVTLevel2Ruler:ActiveDirectoryROENonon-administrativelocalloginswillbeallowedtothechilddomaincontrollers.TheCDCwillbehousedinsecureareaswithcontrolledaccess2weekbackupsofevent/auditlogswillbekeptandaccesstothemwillbegiventotheADenterpriseadminsforsecurity/debuggingpurposes.67SampleVTLevel2Ruler:ActiveDirectoryROEAllservicepackswillbeinstalledinatimelymanner,coordinatedwithrootADcontrollerupgradesWillpeoplebuyintothis?Somewill,somewon’’tbutthosethatdoaremoresecure.6869SampleW2Klevel1Ruler––PhysicalDataSecurityEnabletheendusertoprotectlaptops.Physicallysecureservers.ProtecttheserverfromUnattendedReboot.ProtecttheSAMwithSYSKEYProtecttheBackupTapes.UseNTFSdiskpartitions.UseEncryptingFileSystem70SampleW2KLevel1Ruler––SecurityPolicyConfigurationConfiguretheLocalSecurityPolicy.ConfiguretheAccountPolicy.SecureAdministrator/Guestaccounts.ConfigureLocalPolicies.EnableAuditPolicies.CustomizeUserRights.71Win2kAudit(RunMMC->CTRLM->SecurityTemplates->SetupSecurity)72UserRights73SampleW2KLevel1Ruler––SecurityPolicyConfigurationCustomizeSecurityOptionsRestrictAnonymousConnectionsAllowserveroperatorstoscheduletasks(DConly).ClearvirtualMemoryPagefileonshutdown.AuditaccessofGlobalSystemObjects.DoNotDisplaylastusernameinloginscreen.ConfigurePublicKeyPolicy.ConfigureIPSecurityPolicy.74FileSystemConfiguration.(__)DefineSystemConfigurationandServicePackLevel

(__)DuringAudit,setbrowsertoseeallfiles(__)SystemisconfiguredasNTFSfilesystem?

(__)SystemAdministratorhasacurrentEmergencyRecoveryDiskinalockedstoragearea.(__)Wipingofsystempagefileoccursatsystemshutdown.75SampleW2KLevel1RulerGroupPolicyMMCSnap-InSystemToolsConfigureEventLogSettingsSystemInformationPerformanceLogs&AlertsLocalUsers&GroupsLockoutunauth’’dFloppyDiskuse76SampleW2KLevel1RulerDisableunusedservicesRemoveOS2andPOSIXsubsystemsSecureRemotecontrolprograms(PCAnywhere)DisableMicrosoftNetworkClientAdditionalUtilitiesW2KSuppottoolsResourceKittools77SampleW2KLevel1RulerFreeware,SharewareandCommercialToolsUseAccessControlListAuditingToolsAuditSPandHotFixlevelsConsiderinstallingnmap,WinDump,PGP,Anti-Trojan,L0phtCrack3,snort78SampleW2KLevel1Ruler––TheRegistryDisableauto-runonCDROMDrives.ControlRemoteRegistryAccess.RestrictNullUseraccesstonamedpipesandshares.DisableRouterdiscovery.DisableICMPRedirects.RemoveAdministrativeShares.79SampleW2KLevel1RulerFileFolderandRegistryPermissionsSecurityAnalysisandConfigurationToolApplystandardIncrementalSecurityTemplatesCreateCustomPoliciesPerformanalysisofcomputerRecoveryOptionsBaselineSystembackupRegularSystembackupRemoteSystembackupNTBackup.exe80SampleW2KLevel1RulerRecoveryOptions(Continued)EmergencyRepairDisksSafeModewithorwithoutnetworkingSafeModewithcommandpromptRecoveryConsoleActiveDirectoryServicesDomainControllersandTrustTheTreesvs.theForestEnterpriseAdminsandSchemaAdmins81SampleW2KLevel1RulerApplicationSecurityIISv5––CRITICAL!TelnetServerFileandPrinterSharingWindowsServicesforUnix2.0Exchange,Outlook,OutlookExpressSQLThesemaybemoresuitedtoLevel282ASampleNTLevel1RulerInstallationNetworkingUserAccountsServices/SystemFiles/DirectoriesRegistryApplicationsDevelopedbyMarcDebonis,VATech83SampleVTLevel1NTRulerInstallationPhysicallysecuremachineEnableBIOSbootpassword,user/adminlevelsInstallNTonC:,nodualboot,useNTFSPutbogusnameforinstallSelectonlyTCP/IPtoinstallDoNOTinstallIISDoNOTuseDHCPDoNOTuseWINSserverentries84SampleVTLevel1NTRulerInstallationDisableLMHOSTSlookupLoginasAdministratorDeleteMyBriefCase,InstallIIS,IE,InboxiconsInstallpostSP5/SP6hotfixesInstallinthisorder:Winhlp-I,Nddefixi,Lsareqi,Q234351I,Csrssfxi,Loctlfxi,Ntfsfix1,Igmpfix1,Ipsrfixi85(__)DefineServicePackLevelStart->Run->WINVER(worksthesameforNT4.0)86CheckingforServicePacks8788(__)Systemdoesnothaveun-necessarydevicesStart->Settings->ControlPanel->Devices.89SampleVTLevel1RulerNetworkingUsenetworkcontrolpaneltoremoveRPCConfiguration,NetBIOSInterface,Workstation,Server.SetserviceTCP/IPNetBIOSHelpertodisabledDisableWindowsNTNetworkingDisableWINSClient(TCP/IP)bindingDisableWINSClient(TCP/IP)device90SampleVTLevel1RulerAccountsSetminimumpasswordlengthto8Lockoutafter3badattemptsUnderPolicies->UserRightsSelectRight/AccessthiscomputerfromNetworkandremoveALLgroupslistedintheGrantToboxUnderShowAdvancedRights,selectBypassTraverseChecking,removeEveryoneSelectLogonLocallyanddisableguest91SampleVTNTLevel1RulerAccountsSelectPolicies->AuditEnableauditevents:logon/logoff,user/groupmgt,securitypolicychanged,restart,shutdownandsystemOpenUserManagerforDomainsRenameAdministratoraccounttoMasterRemoveDescriptionforMasterAccountSetMasteraccountpasswordtosomethingVERYstrongRenameGuestaccounttoDEFUNCTAllowremotelockoutofadministratoraccountonly92(__)AuditingisEnabled93AuditBestPractice94AuditBestPractice(2)95Passwords(__)NTpasswordpoliciescomplywithBestPracticesforNTPasswords.(__)Userpasswordsareknownonlybytheuser.(__)UsersarerequiredtomaintainuniquepasswordsforeachAIS.(__)PasscrackforWindowsNTorotherpasswordtesterisrunatleastyearly.(__)Passworddatabase(SAM)isencrypted.(__)Administratorpasswordisprotectedtothesamelevelasthedatacontainedonthecomputer.(__)Passwordisenabledforscreensaver.(ControlPanel,Desktop)96Passfilt97NT4.0Start->Programs->AdministrativePrograms->UserManager98Win2k,MyComputer->Controlpanel,AdministrativeTools->LocalSecurityPolicy->PasswordPolicy99SampleVTNTLevel1RulerServices/SystemDisableunnecessarysystemservicesNetworkDDE,NetworkDDEDDSM,Schedule,Spooler,Telephonyservice,distributedDCOMFromSystemControlPanel,clickStartup/ShutdowntabUncheckOverwriteanyExistingFile?UncheckWritedebugginginfoto:UncheckAutomaticallyReboot?100SampleVTNTLevel1RulerServices/SystemClickDisplayControlPanelClickScreenSaveTab,enableBlankScreenScreenSaver,modifywaitto5minutes,checkthePasswordProtectedbox.EventLogsOpenLog->Logsettingsandincreasemaxsizeoflogs>2048K101Log-->LogSettings102EventView2000MyComputer->ControlPanel->AdministrativeTools->EventViewer103Usingdumpelforauditlogs104SampleVTNTLevel1RulerFortherestoftheruler,gotoandlookintheChecklistssectionforMarc’sdocumentSomemayconsiderhisrequirementstobereallystrictbutsomemaylikethem.105Whew!You’vegotabasicstrategyforbuildingsecuritychecklist/auditplansforPerimeterUnixNTWindows2000Pleasefilloutyourcommentsheets!106Today’sCourseGoalsConstructahighlevelSecurityChecklistfromtheCISrulersforyoursite.Unix.NT,Windows2000UseTBStoprovidearesponsetoyourinternalauditorsandsecureyoursystems.UseSTARtodefinethe$$$costofimplementingsecurityfeaturesatyoursite.ThismethodcanbeusedovertimetoshowtrendsDevelo