操作系统审计检查表

然后操作系统审计检查表WINDOWSspsp3平安审核被审核部门审核人员审核日期2013-12-21陪同人员序号审核工程审核步骤/方法审核结果补充说明改良建议补丁安装情况1securityupdatesaremissing.113securityupdatesaremissing.4servicepacksorupdaterollupsaremissing.没有更新设置自动更新主要帐户策略审查密码长度最少8位，密码周期最长为90天0没有设置密码策略设置密码策略，把密码长度最小值设置为8，密码最长存储期设置为90审核策略对所有帐户登录事件进行审核对所有的帐户管理事件进行审核对所有登录事件进行审核审核失败访问的组件对策略更改事件进行审核审核失败的特权事件审核所有系统事件未审查没有设置进行策略审查平安设置帐户策略最小密码历史：1天最长密码周期:90天最小密码长度:8个字符密码复杂度:Enabled密码历史:24PasswordsRemembered存储的密码是否可用于可逆加密：Disabled最小密码历史：0天最长密码周期:0天最小密码长度:0个字符密码复杂度:已停用密码历史:0PasswordsRemembered存储的密码是否可用于可逆加密：已停用没有设置账户策略按照要求进行账户策略设置帐户锁定策略帐户锁定周期:15Minutes(minimum)帐户锁定条件:3次失败登录复位时间:15Minutes(minimum)帐户锁定周期:不适用帐户锁定条件:0次失败登录复位时间:不适用没有进行用户锁定策略设置进行平安设置事件日志审核对于系统、平安、应用系统日志，审核下面的工程：最大日志容量:80Mb(minimum)限制GUEST帐户访问日志:Enabled日志保持方法：“必要时候重写日志”最大日志容量:512kb(minimum)限制GUEST帐户访问日志:Enabled日志保持方法：改写久于7天的日志按要求进行事件查看器进行主要平安设置审核对外在的匿名用户禁止访问。Guest平安选项允许系统在未登录前关闭计算机：Disabled允许格式化和弹出可移动媒体：AdministratorsAmountofIdleTimeRequiredBeforeDisconnectingSession:30Minutes(maximum)在超过登录时间后强制注销：Enabled系统关闭时去除虚存页面文件：Enabled数字签名客户端通信〔如可能〕：Enabled数字签名效劳器端通信〔如可能〕：Enabled不需要按CTRL+ALT+Delete登录取：Disabled不显示上次登录的用户名：EnabledLANManagerAuthentication标准l:“SendNTLMv2responseonly”(最少)用户登录时显示的消息文字：CustomMessageor“Thissystemisfortheuseofauthorizedusersonly.用户登录时显示的消息标题：“Warning:”orcustomtitle.可被缓存保存的前次登录个数：0禁止用户安装打印驱动:Enabled在密码到期前多少天提示用户更改密码:14Days(minimum)恢复控制台〔允许自动管理级登录〕：Disabled恢复控制台〔允许对所有的驱动器和文件夹进行软盘拷贝和访问〕：Disabled重命名管理员帐户：除‘Administrator’外的其它任何名称重命名Guest帐户：除‘GUEST’外的其它任何名称限制只有本地登录用户才允许访问软盘：Enabled对平安通道数据进行数字加密(如可能):Enabled对平安通道数据进行数字签名〔如可能〕：Enabled发送为加密的密码连接第三方SMB效劳器：Disabled智能卡移除操作：“锁定工作站”6StrengthenDefaultPermissionsofGlobalSystemObjects(e.g.SymbolicLinks):Enabled对未经过签名的驱动安装行为：“警告,但允许安装”或者“不允许安装”.允许系统在未登录前关闭计算机：已启用允许格式化和弹出可移动媒体：AdministratorsAmountofIdleTimeRequiredBeforeDisconnectingSession:15Minutes(maximum)在超过登录时间后强制注销：已停用系统关闭时去除虚存页面文件：已停用数字签名客户端通信〔如可能〕：已停用数字签名效劳器端通信〔如可能〕：已停用不需要按CTRL+ALT+Delete登录取：没有定义不显示上次登录的用户名：已停用LANManagerAuthentication标准l:发送LM&NTML用户登录时显示的消息文字：无用户登录时显示的消息标题：没有定义可被缓存保存的前次登录个数：10禁止用户安装打印驱动:已停用在密码到期前多少天提示用户更改密码:14Days(minimum)恢复控制台〔允许自动管理级登录〕：已停用恢复控制台〔允许对所有的驱动器和文件夹进行软盘拷贝和访问〕：已停用重命名管理员帐户：除‘Administrator’外的其它任何名称重命名Guest帐户：除‘GUEST’外的其它任何名称限制只有本地登录用户才允许访问软盘：已停用对平安通道数据进行数字加密(如可能):Enabled对平安通道数据进行数字签名〔如可能〕：已启用发送为加密的密码连接第三方SMB效劳器：Disabled智能卡移除操作：“锁定工作站”6StrengthenDefaultPermissionsofGlobalSystemObjects(e.g.SymbolicLinks):Enabled对未经过签名的驱动安装行为：“警告,但允许安装”或者“不允许安装”.配置不完全按照要求进行平安选项配置注册表平安设置审核审核效劳Alerter–DisabledClipbook–DisabledComputerBrowser–DisabledFaxService–DisabledFTPPublishingService–Disabled–Warning:将禁止FTP效劳IISAdminService–Disabled–Warning:ThiswilldisableInternetInformationServices!InternetConnectionSharing–DisabledMessenger–DisabledNetMeetingRemoteDesktopSharing–DisabledRemoteRegistryService–DisabledRoutingandRemoteAccess–DisabledSimpleMailTransferProtocol(SMTP)–Disabled–Warning:禁止在IISServers上的SMTP效劳。SimpleNetworkManagementProtocol(SNMP)Service–DisabledSimpleNetworkManagementProtocol(SNMP)Trap–DisabledTelnet–DisabledWorldWideWebPublishingServices–Disabled–Warning:将禁止InternetInformationServices!AutomaticUpdates–NotDefinedBackgroundIntelligentTransferService–NotDefined无审核无审核无审核无审核无审核无审核无审核无审核无审核无审核无审核无审核用户权利审核从网络访问此计算机:Users,Administrators(ornone)4.2.2Actaspartoftheoperatingsystem:None增加工作站到域：Notapplicable备份文件和目录:Administrators4.2.5Bypasstraversechecking:Users更改系统时间:Administrators创立页面文件：Administrators创立全局对象：None创立永久共享对象：None诊断程序：None拒绝从网络访问此计算机：Guests拒绝作为批处理进行登录：Nonebydefault(othersallowableasappropriate)NotDefined拒绝作为效劳登录：Nonebydefault(othersallowableasappropriate)NotDefined拒绝本地登录:Nonebydefault(othersallowableasappropriate)NotDefined从远端强制关机：Administrators管理和审核平安日志：None增加内存配额：Administrators增加进度优先级Administrators安装和卸载设备驱动程序：Administrators内存中锁定页：None作为批作业登录：None(“NotDefined”)作为效劳登录：None(“NotDefined”)本地登录：Administrators(otherspecificusersallowable)管理审核和平安日志：Administrators更改防火墙环境选项：Administrators配置单一进程：Administrators配置系统性能：Administrators从插接工作站中取出计算机：Administrators替换进程级记号：None恢复文件和目录：Administrators关闭系统：Administrators同步目录效劳数据：NotApplicable取得文件和其他对象的所有权：AdministratorsAdministrators,BackupOperators,Everyone,PowerUsers,UsersAdministrators,BackupOperatorsAdministrators,PowerUsersAdministratorsAdministrators,INTERACTIVE,SERVICRGuestGuestAdministratorsAdministratorsAdministratorsAdministratorEETWORKSERVICEAdministratorsAdministrators,PowerUsersAdministratorsAdministrators,PowerUsers,UsersLOCALSERVICE,NETWORKSERVICEAdministrators,BackupOperatorsAdministrators,BackupOperators,PowerUsers,UsersAdministrators其他系统需求确保磁盘卷为NTFS文件系统。是ntfs;建议使用NTFS文件系统文件权限%SystemDrive%\-Administrators:Full;System:Full;CreatorOwner:Full;Users:ReadandExecute,List%SystemDrive%\autoexec.bat–Administrators:Full;System:Full%SystemDrive%\boot.ini–Administrators:Full;System:Full%SystemDrive%\config.sys-Administrators:Full;System:Full%SystemDrive%\io.sys–Administrators:Full;System:Full%SystemDrive%\msdos.sys–Administrators:Full;System:Full%SystemDrive%\ntbootdd.sys-Administrators:Full;System:Full%SystemDrive%\ntdetect–Administrators:Full;System:Full%SystemDrive%\ntldr-Administrators:Full;System:Full%SystemDrive%\DocumentsandSettings–Administrators:Full;System:Full;Users:ReadandExecute,List%SystemDrive%\DocumentsandSettings\Administrator–Administrators:Full;System:Full%SystemDrive%\DocumentsandSettings\AllUsers–Administrators:Full;System:Full;Users:ReadandExecute,List%SystemDrive%\DocumentsandSettings\AllUsers\Documents\DrWatson–Administrators:Full;System:Full;CreatorOwner:Full;Users:TraverseFolder/ExecuteFile,ListFolder/ReadData,ReadAttributes,ReadExtendedAttributes,ReadPermissions(Thisfolder,subfolders,andfiles);Users:TraverseFolder/ExecuteFiles,CreateFiles/WriteData,CreateFolder/AppendData(Subfoldersandfilesonly)%SystemDrive%\DocumentsandSettings\DefaultUser–Administrators:Full;System:Full;Users:ReadandExecute,List%SystemDrive%\SystemVolumeInformation–(Donotallowpermissionsonthisfoldertobereplaced)%SystemDrive%\Temp-Administrators:Full;System:Full;CreatorOwner:Full;Users:TraverseFolders/ExecuteFiles,CreateFiles/WriteData,CreateFolders/AppendData%ProgramFiles%-Administrators:Full;System:Full;CreatorOwner:Full;Users:ReadandExecute,List%SystemDrive%\ProgramFiles\ResourceKit–Administrators:Full;System:Full%SystemRoot%–Administrators:Full;System:Full;CreatorOwner:Full;Users:ReadandExecute,List%SystemRoot%\$NtServicePackUninstall$–Administrators:Full;System:Full%SystemRoot%\CSC–Administrators:Full;System:Full%SystemRoot%\Debug-Administrators:Full;System:Full;CreatorOwner:Full;Users:ReadandExecute,List%SystemRoot%\Debug\UserMode-Administrators:Full;System:Full;Users:TraverseFolder/ExecuteFile,Listfolder/Readdata,Createfiles/Writedata(Thisfolder,only);Createfiles/Writedata,Createfolders/Appenddata(Filesonly)%SystemRoot%\OfflineWebPages–(Donotallowpermissionsonthiskeytobereplaced)%SystemRoot%\Registration-Administrators:Full;System:Full;Users:Read%SystemRoot%\repair-Administrators:Full;System:Full%SystemRoot%\security-Administrators:Full;System:Full;CreatorOwner:Full%SystemRoot%\system32-Administrators:Full;System:Full;CreatorOwner:Full;Users:ReadandExecute,List%SystemRoot%\system32\at.exe–Administrators:Full;System:Full0%SystemRoot%\system32\Ntbackup.exe–Administrators:Full;System:Full1%SystemRoot%\system32\rcp.exe–Administrators:Full;System:Full2%SystemRoot%\regedit.exe–Administrators:Full;System:Full%SystemRoot%\system32\regedt32.exe–Administrators:Full;System:Full%SystemRoot%\system32\rexec.exe–Administrators:Full;System:Full%SystemRoot%\system32\rsh.exe–Administrators:Full;System:Full%SystemRoot%\system32\secedit.exe–Administrators:Full;System:Full%SystemRoot%\system32\appmgmt–Administrators:Full;System:Full;Users:ReadandExecute,List%SystemRoot%\config–Administrators:Full;System:Full%SystemRoot%\system32\dllcache–Administrators:Full;System:Full;CreatorOwner:Full%SystemRoot%\system32\DTCLog-Administrators:Full;System:Full;CreatorOwner:Full;Users:ReadandExecute,List%SystemRoot%\system32\GroupPolicy-Administrators:Full;System:Full;AuthenticatedUsers:ReadandExecute,List%SystemRoot%\system32\ias-Administrators:Full;System:Full;CreatorOwner:FullTheCenterforInternetSecurityWindows2000Server-Level2BenchmarkforStand-AloneandDomain-MemberServersPage18of56%SystemRoot%\system32\NTMSData–Administrators:Full;System:Full%SystemRoot%\system32\reinstallbackups–Administrators:Full;System:Full;CreatorOwner:Full%SystemRoot%\system32\Setup–Administrators:Full;System:Full;Users:ReadandExecute,List%SystemRoot%\system32\spool\printers–Administrators:Full;System:Full;CreatorOwner:Full;Users:TraverseFolder,ExecuteFile,Read,ReadExtendedAttributes,Createfolders,AppendData%SystemRoot%\Tasks-(Donotallowpermissionsonthiskeytobereplaced)%SystemRoot%\Temp-Administrators:Full;System:Full;CreatorOwner:Full;Users:TraverseFolders/ExecuteFiles,CreateFiles/WriteData,CreateFolders/AppendData%SystemDrive%\ntbootdd.sys：缺省%SystemDrive%\DocumentsandSettings\AllUsers\Documents\DrWatson：缺省%SystemDrive%\Temp：缺省%SystemDrive%\ProgramFiles\ResourceKit：缺省%SystemRoot%\$NtServicePackUninstall$：缺省%SystemRoot%\CSC:缺省%SystemRoot%\system32\Ntbackup.exe：缺省%SystemRoot%\system32\secedit.exe：不能翻开文件%SystemRoot%\system32\DTCLog：缺省%SystemRoot%\system32\NTMSData：缺省按照审核方法进行文件权限设置文件和注册表审核%SystemDrive%-Everyone:Failures(thisfolder,propagateinheritablepermissionstoallsubfoldersandfiles)HKLM\Software–Everyone:Failures(thiskey,propagateinheritablepermissiontoallsubkeys)HKLM\System–Everyone:Failures(thiskey,propagateinheritablepermissiontoallsubkeys)%SystemDrive%：Everyone:SuccessHKLM\Software：Everyone:SuccessHKLM\System：Everyone:Success注册表权限HKLM\Software\Classes-Administrators:Full;System:Full;CreatorOwner:Full;Users:ReadHKLM\Software–AdministratorsFull;System:Full;CreatorOwner:Full;Users:ReadHKLM\Software\Microsoft\NetDDE–Administrators:Full;System:FullHKLM\Software\Microsoft\OS/2SubsystemforNT–Administrators:Full;System:Full;CreatorOwner:FullHKLM\Software\Microsoft\WindowsNT\CurrentVersion\Asr\Commands–Administrators:Full;System:Full;CreatorOwner:Full;Users:Read;BackupOperators:QueryValue,SetValue,CreateSubkey,EnumerateSubkeys,Notify,Delete,Read(thiskeyandsubkeys)HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Perflib–Administrators:Full;System:Full;CreatorOwner:Full;Interactive:Read(thiskeyandsubkeys)HKLM\Software\Microsoft\Windows\CurrentVersion\GroupPolicy-Administrators:Full;System:Full;AuthenticatedUsers:ReadHKLM\Software\Microsoft\Windows\CurrentVersion\Installer-AdministratorsFull;System:Full;Users:ReadHKLM\Software\Microsoft\Windows\CurrentVersion\Policies-Administrators:Full;System:Full;AuthenticatedUsers:ReadHKLM\System-AdministratorsFull;System:Full;CreatorOwner:Full;Users:ReadHKLM\System\Clone–AllowinheritablepermissionstopropagatetothisobjectHKLM\System\ControlSet001-AdministratorsFull;System:Full;CreatorOwner:Full;Users:ReadHKLM\System\ControlSet00x-AdministratorsFull;System:Full;CreatorOwner:Full;Users:Read*Applythesepermissionst