SANS - Windows 2000 Security Standards.pdf
INTRODUCTION
If you need to electronically communicate with others, whether it be for business or other purposes, your computer
has to be networked. This exposes your computer to various attacks. Typically a user would like to ensure the
following when connected to a network:
Availability, which will ensure that information, resources and services are there for the business as and when required.
Integrity, which ensures that data residing on a user’s machine has not been tampered with and that it is correct.
Access control, to protect critical resources by limiting access to only authorised and authenticated users, principals, programs or processes.
Confidentiality, which protects sensitive information from disclosure.
Compliance (Auditability), to ensure that protected and reliable records of system activity with security significance (e.g., logins, logouts, file accesses, security violations) are available.
This document attempts to touch on a few of the standards that can assist in ensuring that the above objectives are met when using a Windows 2000 operating system.
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2003,
As part of the Information Security Reading Room.
Author retains full rights.
Continuity and availability
1. Appropriate measures should be implemented to offer protection against physical access and tampering.
Requirement
To protect the system against unauthorised physical access and tampering. Without these restrictions other system controls may be compromised.
How
Locate the system in physically secure areas that implement restrictive access control. Restrictions may include locked doors or access cards to computer labs.
Where possible, BIOS level tamper detection options should be enabled.
Removable hard disks and essential peripherals should be locked down if possible to protect against their removal by unauthorised personnel.
Additional Notes
Theft of easily removable systems such as laptops and devices such as printers may be reduced with the use of cable locks.
2. Create a copy of the data on the hard disk.
Requirement
The Backup utility helps you create a copy of the data on your hard disk. In the event that the
original data on your hard disk is accidentally erased or overwritten, or becomes inaccessible
because of a hard disk malfunction, you can use the copy to restore your lost or damaged data.
How
Click Start, point to Programs, point to Accessories, point to System Tools, and then click the appropriate icon.
You can also use the Backup utility to create an Emergency Repair Disk (ERD), which will help you recover or repair your system.
A full system backup to off-line storage media should be performed at least once a week. A copy of the backup should be kept on site in secure storage, while a second copy of this backup should be sent to an off-site secure storage warehouse.
Additional Notes
Ensure that the Automatically reboot option in the Startup/Shutdown tab of the System applet in the Control Panel is disabled. This will prevent damage to databases caused by repeated reboots of the operating system due to failures.
User accounts - Guest
3. Ensure that you have disabled the guest account.
Requirement
The guest account may allow anonymous access to the machine.
How
This can be done by opening Control Panel and clicking Administrative Tools, Computer Management, Local Users and Groups. Double-click the Guest account and check the Account is disabled box.
Additional Notes
Password Policies
4. Passwords should be carefully selected.
Requirement
Passwords are the primary method of authenticating users who require access to a system. A
poor password selection may be compromised to gain unauthorised access to the system.
How
Ensure that passwords are suitably complex with an appropriate character mix being employed.
The character mix should include at least two of each of the following character types: upper case, lower case, numeric and non-alphanumeric.
Your password should also not be:
i) Dictionary words;
ii) Directly related to you (name, girlfriend’s name or password);
iii) Blank;
iv) Your birthdate.
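The selection rules above can be checked mechanically. The following Python sketch is an added example, not part of the original SANS document; the function name, the sample word list and the set of birthdate renderings are assumptions made for illustration.

```python
import re
from datetime import date

# Constructed sample word list; a real check would load a full dictionary file.
SAMPLE_DICTIONARY = {"password", "welcome", "dragon", "monkey", "letmein"}

# The four character types named in the standard.
CHARACTER_TYPES = {
    "upper case": str.isupper,
    "lower case": str.islower,
    "numeric": str.isdigit,
    "non-alphanumeric": lambda c: not c.isalnum(),
}

# Assumed digit renderings of a birthdate (day/month/year orderings).
DATE_FORMATS = ("%d%m%Y", "%m%d%Y", "%Y%m%d", "%d%m%y", "%m%d%y", "%y%m%d")


def check_password(password, personal_terms=(), born=None,
                   dictionary=SAMPLE_DICTIONARY):
    """Return the list of rules a password breaks; an empty list means it passes."""
    if password == "":
        return ["blank password"]
    problems = []
    # Rule: at least two characters of each of the four types.
    for name, is_type in CHARACTER_TYPES.items():
        if sum(1 for c in password if is_type(c)) < 2:
            problems.append(f"fewer than two {name} characters")
    lowered = password.lower()
    # Drop digits and symbols so a decorated word ("DRagon!!12") still matches.
    letters_only = re.sub(r"[^a-z]", "", lowered)
    if lowered in dictionary or letters_only in dictionary:
        problems.append("dictionary word")
    # Rule: nothing directly related to the user (names, account name, ...).
    if any(term and term.lower() in lowered for term in personal_terms):
        problems.append("contains a personal term")
    # Rule: no birthdate, in any of the assumed renderings.
    digits = re.sub(r"\D", "", password)
    if born and any(born.strftime(f) in digits for f in DATE_FORMATS):
        problems.append("contains birthdate")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords and user details.
    for pw in ("", "password", "DRagon!!12", "ALice#1985!x", "tR7#kV9!qz"):
        print(repr(pw), check_password(pw, ["alice"], date(1985, 3, 14)))
```

A password that meets the character mix can still fail: "DRagon!!12" has two characters of every type but reduces to a dictionary word once the digits and symbols are stripped.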
Additional Notes
Shared resources
5. Limit access and minimise the number of network shares.
Requirement
Network share directories are the primary mechanism for sharing files between computers in a Windows 2000 compliant network and should be appropriately set up to ensure that access to sensitive data is limited to trusted groups and users and that the integrity of all shared data can be maintained.
How
Open Windows Explorer, and then locate the shared folder or drive on which you want to set permissions.
Right-click the shared folder or drive, and then click Sharing.
On the Sharing tab, click Permissions.
To set shared folder permissions, click Add. Type the name of the group or user you want to set permissions for, and then click OK to close the dialog box.
To remove permissions, select the group or user in Name, and then click Remove.
In Permissions, click Allow or Deny for each permission, if necessary.
Additional Notes
Auditing
6. Ensure that Auditing is enabled for sensitive files and folders.
Requirement
Audit logs may further provide evidence of wrongdoing in the event of an intrusion.
How
To open Windows Explorer, click Start, point to Programs, point to Accessories, and then click Windows Explorer.
Open Windows Explorer, and then locate the file or folder you want to audit.
Right-click the file or folder, click Properties, and then click the Security tab.
Click Advanced, and then click the Auditing tab.
Do one of the following:
To view or change auditing for an existing group or user, click the name, and then click View/Edit.
To remove auditing for an existing group or user, click the name, and then click Remove.
If necessary, in the Auditing Entry dialog box, select where you want auditing to take place in the Apply onto list. The Apply onto list is available only for folders.
Under Access, click Successful, Failed, or both for each access you want to audit.
If you want to prevent files and subfolders within the tree from inheriting these audit entries, check the Apply these auditing entries box.
Additional Notes
You can set file and folder auditing only on drives formatted to use NTFS.
Since the security log is limited in size, you should select the files and folders to be audited
carefully. You should also consider the amount of disk space you are willing to devote to the
security log.
7. Set up an independent audit group of which you are the only member.
Requirement
It is essential to partially segregate administrative functions from audit functions. An audit group should thus be created, and only this group should be granted access to the audit logs for sensitive files and folders.
How
Open Windows Explorer, and then locate the file or folder you want to audit.
Right-click the file or folder, click Properties, and then click the Security tab.
Click Advanced, and then click the Auditing tab.
To set up auditing for a new group or user, click Add. In Name, type the name of the user you want, and then click OK to automatically open the Auditing Entry dialog box.
Additional Notes
Access Controls
8. Access to sensitive files and folders should be restricted.
Requirement
Any user can gain access to your computer over a network or the Internet if the user knows
your computer name, and the user name and password of a user who is a member of the
Administrators, Backup Operators, or Server Operators group. A user who gains access to your
drive over the network or Internet can view all folders and files on that drive, even those that
are protected using NTFS permissions, provided the NTFS permissions allow access to
members of the Administrators, Backup Operators, or Server Operators group.
How
To open Windows Explorer, click Start, point to Programs, point to Accessories, and then click Windows Explorer.
Open Windows Explorer, and then locate the file or folder for which you want to set permissions.
Right-click the file or folder, click Properties, and then click the Security tab.
Do the following:
To set up permissions for a new group or user, click Add. Type the name of the group or user you want to set permissions for using the format domainname\name, and then click OK to close the dialog box.
To change or remove permissions from an existing group or user, click the name of the group or user.
In Permissions, click Allow or Deny for each permission you want to allow or deny, if necessary. Or, to remove the group or user from the permissions list, click Remove.
Additional Notes
You can set file and folder permissions only on drives formatted to use NTFS.
9. Screen saver locking mechanisms should be employed.
Requirement
This would facilitate the automatic locking of an unattended computer, which would add to the
security of the system.
How
To open Control Panel, click Start, point to Settings, and then click Control Panel.
Open Display.
Under Screen Saver, choose a screen saver from the drop-down list.
Select the Password protected check box.
Additional Notes