1. Copyright 2001 Marchany1 Building Your IT Security Checklist Sample checklist/audit plans for Unix, NT and Windows 2000 Active Directory

2. Copyright 2001 Marchany2 What have we just done? u The Top 20 threats meet our risk criteria: Have a high probability of occurring Result in the loss of a critical service Be extremely expensive to fix later Result in heavy, negative publicity

3. Copyright 2001 Marchany3 Applying TBS to the real world! TBS = Time Based Security Top Ten Vulnerabilities, the vulnerabilities responsible for most hacks Apply TBS as an approach to an effective understandable security policy Basics Perimeter Unix NT Windows 2000

4. Copyright 2001 Marchany4 The TBS Audit Layers A complete IT audit/security checklist is a set of component audits/checklists. You should be able to measure E, D and R times for each layer of the security architecture. Components Procedural: E = D+R Perimeter(Firewall): E = D+R UNIX: E = D+R NT/Windows 2000: E =D+R

5. Copyright 2001 Marchany5 CIS Rulers Rulers list a set of minimal actions that need to be done on a host system. This is a consensus list derived from security checklists provided by CIS charter members (VISA, IIA, ISACA, First Union, Pitney Bowes, Allstate Insurance, DOJ, Chevron, Shell Oil, VA Tech, Stanford, Catepillar, Pacific Gas & Electric, RCMP, DOD CIRT, Lucent, Edu Testing Services and others) Can’t develop your own set? Use these! http://www.cisecurity.org

6. Copyright 2001 Marchany6 CIS Rulers: A Security and Audit Checklist Level 1 Mandatory Actions required regardless of the host’s location or function. Level 2 Dependent on your network topology Different for switched nets vs. shared nets vs. wireless nets, etc.

7. Copyright 2001 Marchany7 CIS Rulers: Security Checklist & Audit Plan Level 3 Application Specific (WWW, FTP, DB, Auth) Procedural Examines the policies in place. This is the policy review checklist. FTP WWW DB Mail Switched Wireless Non Switched LEVEL 1 Level 3 Level 2

8. Copyright 2001 Marchany8 CIS Rulers: Procedural General Administration Policies Key security tool installed User Accounts and environment System Logs Network File sharing General Email Issues This review is done during the Audit Planning Phase of the audit process

9. Copyright 2001 Marchany9 CIS Ruler: Procedural General Administration Policies Acceptable Use Policy Backup Policy Security Administrator duties Whois Contact Information (Tech/Admin) System changelogs (Source Revision Control) Incident Response Minimum software requirements User, temp, system account policies Patches

10. Copyright 2001 Marchany10 CIS Ruler Example: Backups · Does a backup policy exist? · Do backup logs exist? · What data is backed up · How often data is backed up · Type of backup (full, differential, etc.) · How the backups are scheduled and verified · How the backup media is handled and labeled · How the backup media is stored · How long the backup media is retained · How backup media is rotated and expired · How backup data is recovered

11. Copyright 2001 Marchany11 CIS Ruler: Procedural Key security tools installed Network routers implement minimum filtering requirements Verify network routers are properly configured and monitored for in/out traffic Are all firewalls properly configured and monitored for in/out traffic The above rules prevent DDOS attacks from affecting other nets.

12. Copyright 2001 Marchany12 CIS Ruler: Procedural User Accounts and Environment Remove obsolete user entries from system System Logs How long are they kept? Are they secured? Network file sharing Review what filesystems this system can access Review what filesystems this system exports Email Policy Abuse Policy?

13. Copyright 2001 Marchany13 CIS Ruler: Written Documentation, Policies u Where is it? u Is it available to anyone that needs it? u Is it up to date? u Is anything major missing (SGI policies, but no HP policies)?

14. Copyright 2001 Marchany14 CIS Ruler Example: Security Policy Purpose - the reason for the policy. Related documents – lists any documents (or other policy) that affect the contents of this policy. Cancellation - identifies any existing policy that is cancelled when this policy becomes effective. Background - provides amplifying information on the need for the policy.

15. Copyright 2001 Marchany15 CIS Ruler: Scope - states the range of coverage for the policy (to whom or what does the policy apply?). Policy statement - identifies the actual guiding principles or what is to be done. The statements are designed to influence and determine decisions and actions within the scope of coverage. The statements should be prudent, expedient, and/or advantageous to the organization. Action - specifies what actions are necessary and when they are to be accomplished. Responsibility - states who is responsible for what. Subsections might identify who will develop additional detailed guidance and when the policy will be reviewed and updated.

16. Copyright 2001 Marchany16 Procedural: Incident Response Plan Are the six Incident Response steps covered? Preparation Identification Containment Eradication Recovery Lessons Learned (if there are no lessons learned documents either the plan isn’t followed or no incidents have occurred).

17. Copyright 2001 Marchany17 Procedural: Training & Education Do technical people have the training to do their job competently? Are there standards their skills can be measured against? Are there standards of compliance that ensure they are using their training in accordance with policy?

18. Copyright 2001 Marchany18 Procedural: Physical Security Consoles in physically secure areas? Fire suppression? Backups? Offsite backups? Network components secured? Phone wiring secured?

19. Copyright 2001 Marchany19 Procedural: Windows 2000 These are based on the SANS “Securing Windows 2000” booklet. Least Privilege Principle Avoid granting unnecessary Admin privs. Limit Domain Trust. Restrict modems in workstations and servers. Limit access to sniffer software (Network Monitor).

20. Copyright 2001 Marchany20 Procedural: Windows 2000 Keep system software updated. Update and Practice a Recovery Plan. Require strong passwords. Require password protected screen savers. Establish Auditing and Review Policies. Require Administrators to have a User and Administrator account. Require antivirus software. Install host based IDS. Perform periodical low-level security audits.

21. Copyright 2001 Marchany21 CIS Procedural Ruler Review Procedural rulers give you a starting point for determining your site’s policy pie These policies include acceptable use, privacy, incident response, accountability, backup and any other appropriate action The CIS procedural ruler is a consensus list of practices done at the charter members sites.

22. Copyright 2001 Marchany22 CIS Rulers for Solaris and Linux This section explains the items listed in the CIS Security Benchmarks for Solaris and Linux. The commands are very similar and the strategy is the same for both OS. We’ll be hardening the Solaris system in the lab portion of this course.

23. Copyright 2001 Marchany23 CIS Level 1 Ruler: Unix Patches Key Security Tools Installed System Access, authentication, authorization User Accounts and Environment Kernel Level TCP/IP tuning Kernel Tuning

24. Copyright 2001 Marchany24 CIS Level 1 Ruler: Unix Batch Utilities: at/cron UMASK issues File/Directory Permissions/Access System Logging SSH Minimize network services

25. Copyright 2001 Marchany25 CIS Level 1 Ruler: Unix Minimize RPC network services Minimize standalone network services General Email Issues X11/CDE General Administration Policies Specific Servers www, ftp, DB, Mail, NFS, Directory, Print, Syslog

26. Copyright 2001 Marchany26 CIS Level 1 Unix Ruler - Patches Define a regular procedure for checking, assessing, testing and applying the latest vendor recommended and security patches. Keep 3 rd party application patches updated. Why? The first line of defense is proper patch/Service Pack installation. Patches are living and need to be updated regularly

27. Copyright 2001 Marchany27 CIS Level 1 Unix Ruler: Security Tools These tools help decrease your detection time, D Install the latest version of TCP Wrappers on appropriate network services SSH for login, file copy and X11 encryption Install crypto file signature function to monitor changes in critical system binaries and config files (tripwire)

28. Copyright 2001 Marchany28 CIS Level 1 Unix Ruler: Security Tools Install Portsentry or similar personal FW software Run NTP or some other time sync tool Run “logcheck” or similar syslog analysis or monitoring tool Install the latest version of sudo

29. Copyright 2001 Marchany29 CIS Level 1 Unix Ruler: Access, Authorization No trusted hosts features:.rhosts,.shosts or /etc/hosts.equiv Create appropriate banner for any network interactive service Restrict direct root login to system console Verify shadow password file format is used Verify PAM configuration

30. Copyright 2001 Marchany30 CIS Level 1 Unix Ruler: Kernel TCP/IP Tuning System handling of ICMP packets is secured System handling of source routed packets secured System handling of broadcast packets secured Use strong TCP Initial Sequence Numbers Harden against TCP SYN Flood attacks

31. Copyright 2001 Marchany31 CIS Level 1 Unix Ruler: Kernel, Batch Utilities Enable kernel level auditing Enable stack protection Ensure ulimits are defined in /etc/profile and /etc/.login Restrict batch file access to authorized users Ensure cron files only readable by root or cron user

32. Copyright 2001 Marchany32 CIS Level 1 Unix Ruler: UMASK, File Perms, Access Set daemon umask to 022 or stricter Set user default umask (022 or 027) Console EEPROM password enabled? Check /dev entries for sane ownership and permissions Mount all filesystems RO or NOSUID All filesystems except / mounted NODEV

33. Copyright 2001 Marchany33 CIS Level 1 Unix Ruler: File Perms and Access Verify passwd, group, shadow file perms Verify SUID, SGID system binaries Disable SUID, SGID on binaries only used by root No World-write dirs in root’s search path Sticky bit set on all temp directories No NIS/NIS+ features in passwd or group files if NIS/NIS+ is disabled

34. Copyright 2001 Marchany34 See what we can find  / usr/bin/find / -local -type f -name '.rhosts' -exec ls -al {} \; -exec cat {} \; 2 (.rhosts) /usr/bin/find / -local -type f -user root -perm -4000 -exec ls -dal {} \; 2 (SUID files) /usr/bin/find / -local -type f -user root -perm -2000 -exec ls -dal {} \; 2 (SGID files) find /\(-local –o –prune\) -perm –000002 –print find /name.netrc -print find / -perm –1000

35. Copyright 2001 Marchany35 Audit Report Example Audit Method Ls –la (list files) against critical files to determine their permissions Finding Several system configuration files in /etc are writable Risk Level: High Security Implication The /etc directory is critical for establishing the operating configuration of many system services including startup and shutdown. If an attacker is able to modify these files, it may be possible to subvert privileged operating system commands. Recommendation  Change permissions of all files in /etc to be writable by root or bin only.

36. Copyright 2001 Marchany36 /dev Permissions Exhibit # ls –l /dev total 72 -rwxr-xr-x 1 root root 26450 Sep 24 1999 MAKEDEV crw------- 1 root sys 14, 4 Apr 17 1999 audio crw------- 1 root sys 14, 20 Apr 17 1999 audio1 brw-rw---- 1 root disk 32, 0 May 5 1998 cm206cd crw--w--w- 1 root root 5, 1 May 26 15:17 console brw------- 1 root floppy 2, 1 May 5 1998 fd1 brw-rw---- 1 root disk 16, 0 May 5 1998 gscd brw-rw---- 1 root disk 3, 0 May 5 1998 hda brw-rw---- 1 root disk 3, 1 May 5 1998 hda1 brw-rw---- 1 root disk 3, 10 May 5 1998 hda10 brw-rw---- 1 root disk 3, 11 May 5 1998 hda11 brw-rw---- 1 root disk 3, 12 May 5 1998 hda12 brw-rw---- 1 root disk 3, 13 May 5 1998 hda13 brw-rw---- 1 root disk 3, 14 May 5 1998 hda14 brw-rw---- 1 root disk 3, 15 May 5 1998 hda15 brw-rw---- 1 root disk 3, 16 May 5 1998 hda16

37. Copyright 2001 Marchany37 World-Writeable and SUID/SGID Files Audit Method Find commands were executed on the servers to locate all files with world-writeable permissions and SUID/SGID permissions. The output was redirected to appropriate files for later analysis. Finding A large number of world-writeable and SUID/SGID files were found on the server XYZ. Further, a number of files in the /usr, /opt and /var directories allow all users to have write permission. Security Implication World-writeable files allow any user or an intruder to change the contents of a file, effecting information integrity. Also, for executable files, an intruder may replace the file with a trojan horse that can damage the system and its integrity. SUID/SGID files execute with the privilege of the owner/group. These can be subverted by an unauthorized user or intruder to escalate their privilege to those of the owner/group of the SUID/SGID file. Risk Level: High Recommendation  Review all world-writeable and SUID/SGID files on the system. Using freeware tools like fix-modes or YASSP can facilitate identifying and correcting the permissions on files. After the review, create a list of all the remaining “approved” World-writeable and SUID/SGID files on the system and store in a secure place. Periodically, check the system against this list to identify changes and ensure that such changes are approved.  NFS shared files, especially files in /usr, /opt and /var should be exported ‘read-only to specific hosts. Further, through /etc/vfstab, the exported file systems (except special cases like /tmp, /dev and /) should be mounted with the nosuid option to prevent the inadvertent granting of SUID privilege on NFS mounted files.

38. Copyright 2001 Marchany38 CIS Level 1 Unix Ruler: System Logging and SSH Capture messages sent to syslog AUTH facility (enable system logging) Copy syslogs to central syslog server Audit failed logins and SU attempts Enable system accounting Logins allowed via SSH only (no rsh, rlogin, ftp or telnet)

39. Copyright 2001 Marchany39 CIS Level 1 Unix Ruler: Reduce /etc/inetd.conf Disable name (UDP) Disable exec/rexec (TCP) Disable login/rlogin (TCP) Disable uucp (TCP) Disable systat (TCP) Disable netstat (TCP) Disable time (TCP/UDP)

40. Copyright 2001 Marchany40 CIS Level 1 Unix Ruler: Reduce /etc/inetd.conf Disable echo (TCP) Disable discard (TCP/UDP) Disable daytime (TCP/UDP) Disable chargen (TCP/UDP) Disable rusersd (RPC) Disable sprayd (RPC) Disable rwall (RPC)

41. Copyright 2001 Marchany41 CIS Level 1 Ruler: Reduce /etc/inetd.conf Disable rstatd (RPC) Disable rexd (RPC) Use TCP Wrappers for all enabled network services (TCP/UDP)

42. Copyright 2001 Marchany42 Sample /etc/inetd.conf # Shell, login, exec, comsat and talk are BSD protocols. # shell stream tcp nowait root /usr/sbin/tcpd in.rshd login stream tcp nowait root /usr/sbin/tcpd in.rlogind #exec stream tcp nowait root /usr/sbin/tcpd in.rexecd #comsat dgram udp wait root /usr/sbin/tcpd in.comsat talk dgram udp wait nobody.tty /usr/sbin/tcpd in.talkd ntalk dgram udp wait nobody.tty /usr/sbin/tcpd in.ntalkd This is a fragment of /etc/inetd.conf where shell, login, talk, and ntalk probably should be commented out. Note the /usr/sbin/tcpd so this system is probably running tcpwrappers. More of the file is in the notes pages.

43. Copyright 2001 Marchany43 CIS Level 1 Unix Ruler: Restrict RPC Restrict NFS client request to originate from privileged ports No filesystem should be exported with root access Export list restricted to specific range of addresses Export RO if possible Export NOSUID if possible

44. Copyright 2001 Marchany44 CIS Level 1 Unix Ruler: Email, X11/CDE Use Sendmail v8.9.3 or later. (v8.11.6 is current 6/01/02) Restrict sendmail ‘prog’ mailer Verify privileged and checksums for mail programs Ensure X server is started with Xauth Use SSH to access X programs on remote hosts

45. Copyright 2001 Marchany45 CIS Level 1 Unix Ruler: User Accts, Environment Enforce strong passwords No null passwords Remove root equivalent users (UID=0) No “.” in root PATH No.files world or group writable Remove.netrc,.exrc,.dbxrc files User $HOME dirs should be < 755

46. Copyright 2001 Marchany46 TBS Example Using E=D+R Security policy: automated script to check password file for users with UID 0 (superuser access) returns user ”zippy”. Syslog is checked: Apr 15 21:07:59 6C: goodnhacked.com telnetd[5020]: connect from some.com Apr 15 21:08:18 6E: goodnhacked.com login[5021]: ?@some.com as zippy IDS returns: 21:07:16.63 badguy.com.26617 > goodnhacked.com.5135: udp 21:07:16.66 goodnhacked.com.5135 > badguy.com.26617: udp 69 5135 is SGI Object Server with a known vulnerability

47. Copyright 2001 Marchany47 CIS Level 1 Ruler Review The previous action items should be done on any Unix system on your network regardless of its function A similar checklist is being developed for Windows 2000. The Level 1 rulers impose a minimum security standard on all Unix and Windows 2000 systems.

48. Copyright 2001 Marchany48 CIS Level 2 Rulers Once Level 1 rulers have been applied, you pick the appropriate Level 2 ruler. This is very organization specific. What works at my site might not apply at yours. Additional service may be disabled if they aren’t needed.

49. Copyright 2001 Marchany49 CIS Level 2 Ruler: Unix Kernel-level TCP/IP tuning Physical Console Security SSH Minimize network services Minimize RPC network services General email issues X11/CDE

50. Copyright 2001 Marchany50 CIS Level 2 Ruler: Unix Kernel Tuning Network options for non-router machines Disable multicast Physical Console Security Enable EEPROM password. Who knows it? SSH Restrictively configure it

51. Copyright 2001 Marchany51 CIS Level 2 Ruler: Unix Minimize Network Services Disable inetd entirely Disable FTP Disable Telnet Disable rsh/rlogin Disable comsat Disable talk Disable tftp

52. Copyright 2001 Marchany52 CIS Level 2 Ruler: Unix Minimize network services Disable tftp Disable finger Disable sadmin Disable rquotad Disable CDE Tooltalk server (ttdbserverd) Disable RPC/UDP/TCP ufs Disable kcms_server

53. Copyright 2001 Marchany53 CIS Level 2 Ruler: Unix Disable fontserver Disable cachefs service Disable Kerberos server Disable printer server Disable gssd Disable CDE dtspc Disable rpc.cmsd calendar server

54. Copyright 2001 Marchany54 CIS Level 2 Ruler: Unix Minimize Network Services If FTP service is enabled, see additional level 3 requirements for FTP servers If tftp is enabled, use the security option If sadmind is enabled, use the security option

55. Copyright 2001 Marchany55 CIS Level 2 Ruler: Unix Minimize RPC network services Disable NFS server Disable Automounter Disable NFS client services Add ports 2049, 4045 to privileged port list Disable NIS Disable NIS+ Replace rpcbind with more secure version

56. Copyright 2001 Marchany56 CIS Level 2 Ruler: Unix General Email Issues Don’t run sendmail on machines that don’t receive mail Remove mail aliases which send data to programs (Vacation) X11/CDE Disable CDE if not needed Use the SECURITY extension for X-Server to restrict access

57. Copyright 2001 Marchany57 CIS Level 2 Ruler Review Level 2 rulers are site specific. They are more sensitive to vendor software requirements. For example, a vendor product may require that you enable the dreaded r-commands. You have no choice so you keep an eye on that vulnerability. They may impose stricter standards.

58. Copyright 2001 Marchany58 CIS Unix Ruler Review CIS Rulers are a good starting point for developing a Unix audit plan. Solaris, Linux, HP-UX available, AIX under review, CISCO router under review Level 1 ruler defines minimum security standards for all Unix systems Level 2-3 rulers are more network and function specific Procedural rulers address policy issues

59. Copyright 2001 Marchany59 Summary The CIS benchmark document and scanning tool is an excellent resource you should use immediately to strengthen the security of your Solaris and Linux systems. The scanning tool provides you with a simple score that you can use to present to management.

60. Copyright 2001 Marchany60 Lab Exercise Let’s apply the steps in the CIS benchmark to the demonstration system. We’ll run the scanning tool to get a baseline, make our mods and rerun the scanning tool to measure our progress.

61. Copyright 2001 Marchany61 Appendix 1 Audit Checklists for Windows The SANS Institute

62. Copyright 2001 Marchany62 W2K CIS Rulers CIS Rulers have been developed for Windows 2000 and NT systems Format is similar to the Unix rulers (levels 1-3) Level 2, IIS benchmarks are in test at present. They’re free!

63. Copyright 2001 Marchany63 Sample Windows 2000 Level 2 Ruler Rules of Engagement for Active Directory Developed at VA Tech for our AD structure Marc Debonis, www.w2k.vt.eduwww.w2k.vt.edu Allows lower level admins to control their own domains Not for everyone Somewhat draconian

64. Copyright 2001 Marchany64 Sample VT Level 2 Ruler: Active Directory ROE The Child domain must have at least 1 fulltime peer BDC for the child domain The child domain controllers must meet Microsoft’s minimum computer hardware requirements No 3 rd party of Microsoft add-on software are allowed on child domain controllers IIS, Certificate Services, Indexing Service, Windows Media Services, DNS, DHCP, WINS, printer/file services

65. Copyright 2001 Marchany65 Sample VT Level 2 Ruler: Active Directory ROE The child domain controllers must be in a backup program and have full recoverability tested The child domain controllers must allow and not block global policy objects replicated from the root All W2K hosts must follow prescribed DNS naming conventions (xxx.yyy.vt.edu)

66. Copyright 2001 Marchany66 Sample VT Level 2 Ruler: Active Directory ROE All W2K hosts within the child domain will use root AD DDNS server settings. Child DC will use static IP and not run DHCP servers Child domain will not attempt to create child domains “below” theirs. They will use OU to do this.

67. Copyright 2001 Marchany67 Sample VT Level 2 Ruler: Active Directory ROE No non-administrative local logins will be allowed to the child domain controllers. The CDC will be housed in secure areas with controlled access 2 week backups of event/audit logs will be kept and access to them will be given to the AD enterprise admins for security/debugging purposes.

68. Copyright 2001 Marchany68 Sample VT Level 2 Ruler: Active Directory ROE All service packs will be installed in a timely manner, coordinated with root AD controller upgrades Will people buy into this? Some will, some won’t but those that do are more secure.

69. Copyright 2001 Marchany69

70. Copyright 2001 Marchany70 Sample W2K level 1 Ruler – Physical Data Security Enable the end user to protect laptops. Physically secure servers. Protect the server from Unattended Reboot. Protect the SAM with SYSKEY Protect the Backup Tapes. Use NTFS disk partitions. Use Encrypting File System

71. Copyright 2001 Marchany71 Sample W2K Level 1 Ruler – Security Policy Configuration Configure the Local Security Policy. Configure the Account Policy. Secure Administrator/Guest accounts. Configure Local Policies. Enable Audit Policies. Customize User Rights.

72. Copyright 2001 Marchany72 Win2k Audit (Run MMC -> CTRL M -> Security Templates -> Setup Security)

73. Copyright 2001 Marchany73 User Rights

74. Copyright 2001 Marchany74 Sample W2K Level 1 Ruler – Security Policy Configuration Customize Security Options Restrict Anonymous Connections Allow server operators to schedule tasks (DC only). Clear virtual Memory Pagefile on shutdown. Audit access of Global System Objects. Do Not Display last username in login screen. Configure Public Key Policy. Configure IP Security Policy.

75. Copyright 2001 Marchany75 File System Configuration. (__) Define System Configuration and Service Pack Level (__) During Audit, set browser to see all files (__) System is configured as NTFS file system? (__) System Administrator has a current Emergency Recovery Disk in a locked storage area. (__) Wiping of system page file occurs at system shutdown.

76. Copyright 2001 Marchany76 Sample W2K Level 1 Ruler Group Policy MMC Snap-In System Tools Configure Event Log Settings System Information Performance Logs & Alerts Local Users & Groups Lock out unauth’d Floppy Disk use

77. Copyright 2001 Marchany77 Sample W2K Level 1 Ruler Disable unused services Remove OS2 and POSIX subsystems Secure Remote control programs (PC Anywhere) Disable Microsoft Network Client Additional Utilities W2K Suppot tools Resource Kit tools

78. Copyright 2001 Marchany78 Sample W2K Level 1 Ruler Freeware, Shareware and Commercial Tools Use Access Control List Auditing Tools Audit SP and HotFix levels Consider installing nmap, WinDump, PGP, Anti-Trojan, L0phtCrack 3, snort

79. Copyright 2001 Marchany79 Sample W2K Level 1 Ruler – The Registry Disable auto-run on CD ROM Drives. Control Remote Registry Access. Restrict Null User access to named pipes and shares. Disable Router discovery. Disable ICMP Redirects. Remove Administrative Shares.

80. Copyright 2001 Marchany80 Sample W2K Level 1 Ruler File Folder and Registry Permissions Security Analysis and Configuration Tool Apply standard Incremental Security Templates Create Custom Policies Perform analysis of computer Recovery Options Baseline System backup Regular System backup Remote System backup NTBackup.exe

81. Copyright 2001 Marchany81 Sample W2K Level 1 Ruler Recovery Options (Continued) Emergency Repair Disks Safe Mode with or without networking Safe Mode with command prompt Recovery Console Active Directory Services Domain Controllers and Trust The Trees vs. the Forest Enterprise Admins and Schema Admins

82. Copyright 2001 Marchany82 Sample W2K Level 1 Ruler Application Security IIS v5 – CRITICAL! Telnet Server File and Printer Sharing Windows Services for Unix 2.0 Exchange, Outlook, Outlook Express SQL These may be more suited to Level 2

83. Copyright 2001 Marchany83 A Sample NT Level 1 Ruler Installation Networking User Accounts Services/System Files/Directories Registry Applications Developed by Marc Debonis, VA Tech

84. Copyright 2001 Marchany84 Sample VT Level 1 NT Ruler Installation Physically secure machine Enable BIOS boot password, user/admin levels Install NT on C:, no dual boot, use NTFS Put bogus name for install Select only TCP/IP to install Do NOT install IIS Do NOT use DHCP Do NOT use WINS server entries

85. Copyright 2001 Marchany85 Sample VT Level 1 NT Ruler Installation Disable LMHOSTS lookup Login as Administrator Delete MyBriefCase, Install IIS, IE, Inbox icons Install post SP5/SP6 hotfixes Install in this order: Winhlp-I, Nddefixi, Lsareqi, Q234351I, Csrssfxi, Loctlfxi, Ntfsfix1, Igmpfix1, Ipsrfixi

86. Copyright 2001 Marchany86 (__) Define Service Pack Level Start -> Run -> WINVER (works the same for NT 4.0)

87. Copyright 2001 Marchany87 Checking for Service Packs

88. Copyright 2001 Marchany88

89. Copyright 2001 Marchany89 (__) System does not have un-necessary devices Start -> Settings -> Control Panel -> Devices.

90. Copyright 2001 Marchany90 Sample VT Level 1 Ruler Networking Use network control panel to remove RPC Configuration, NetBIOS Interface, Workstation, Server. Set service TCP/IP NetBIOS Helper to disabled Disable Windows NT Networking Disable WINS Client (TCP/IP) binding Disable WINS Client (TCP/IP) device

91. Copyright 2001 Marchany91 Sample VT Level 1 Ruler Accounts Set minimum password length to 8 Lockout after 3 bad attempts Under Policies-> User Rights Select Right/Access this computer from Network and remove ALL groups listed in the Grant To box Under Show Advanced Rights, select Bypass Traverse Checking, remove Everyone Select Log on Locally and disable guest

92. Copyright 2001 Marchany92 Sample VT NT Level 1 Ruler Accounts Select Policies -> Audit Enable audit events: logon/logoff, user/group mgt, security policy changed, restart, shutdown and system Open User Manager for Domains Rename Administrator account to Master Remove Description for Master Account Set Master account password to something VERY strong Rename Guest account to DEFUNCT Allow remote lockout of administrator account only

93. Copyright 2001 Marchany93 (__) Auditing is Enabled User Manager, Policies, Audit http://www.geek-speak.net/products/ntaudit1.html

94. Copyright 2001 Marchany94 Audit Best Practice

95. Copyright 2001 Marchany95 Audit Best Practice (2)

96. Copyright 2001 Marchany96 Passwords (__) NT password policies comply with Best Practices for NT Passwords. (__) User passwords are known only by the user. (__) Users are required to maintain unique passwords for each AIS. (__) Passcrack for Windows NT or other password tester is run at least yearly. (__) Password database (SAM) is encrypted. (__) Administrator password is protected to the same level as the data contained on the computer. (__) Password is enabled for screen saver. (Control Panel, Desktop)

97. Copyright 2001 Marchany97 Passfilt

98. Copyright 2001 Marchany98 NT 4.0 Start -> Programs -> Administrative Programs -> User Manager

99. Copyright 2001 Marchany99 Win2k, My Computer -> Control panel, Administrative Tools -> Local Security Policy -> Password Policy

100. Copyright 2001 Marchany100 Sample VT NT Level 1 Ruler Services/System Disable unnecessary system services Network DDE, Network DDE DDSM, Schedule, Spooler, Telephony service, distributed DCOM From System Control Panel, click Startup/Shutdown tab Uncheck Overwrite any Existing File? Uncheck Write debugging info to: Uncheck Automatically Reboot?

101. Copyright 2001 Marchany101 Sample VT NT Level 1 Ruler Services/System Click Display Control Panel Click Screen Save Tab, enable Blank Screen Screen Saver, modify wait to 5 minutes, check the Password Protected box. Event Logs Open Log->Log settings and increase max size of logs > 2048K

102. Copyright 2001 Marchany102 Log--> Log Settings

103. Copyright 2001 Marchany103 Event View 2000 My Computer -> Control Panel -> Administrative Tools -> Event Viewer

104. Copyright 2001 Marchany104 Using dumpel for audit logs

105. Copyright 2001 Marchany105 Sample VT NT Level 1 Ruler For the rest of the ruler, go to http://security.vt.edu and look in the Checklists section for Marc’s document http://security.vt.edu Some may consider his requirements to be really strict but some may like them.

106. Copyright 2001 Marchany106 Whew! u You’ve got a basic strategy for building security checklist/audit plans for – Perimeter – Unix – NT – Windows 2000 Please fill out your comment sheets!

107. Copyright 2001 Marchany107 Today’s Course Goals u Construct a high level Security Checklist from the CIS rulers for your site. – Unix. NT, Windows 2000 u Use TBS to provide a response to your internal auditors and secure your systems. u Use STAR to define the $$$ cost of implementing security features at your site. – This method can be used over time to show trends u Develop a set of reports/matrices that can be used to quickly identify the security status of a host at your site.