NT4 Generic Security Standard LCZ-NT4-GSS 1.1 16 May 2009 This document specifies generic technical security policy for implementations of Microsoft Windows NT4.0, and applies to workstation, server and domain controller implementations of NT4.0, whether standalone or part of a domain. This standard contains 36 baseline controls, and 3 above baseline controls, for a total of 39 controls. 1.1 16 May 2009 FOD Revised for re-release 1.0 04 February 2003 LCZ Initial Draft for public release 2001200220032009 Frank O'Dwyer All of these Security Standards and Security Policies are copyrighted. THEY ARE NOT IN THE PUBLIC DOMAIN. They are however distributed under a liberal open-source license, see Publishing these Security Standards and Policies.Frank O'Dwyer Introduction
ObjectivesThe objectives of this document are: To specify a baseline configuration for implementations of <trademark>Microsoft</trademark> <trademark>Windows</trademark> NT4.0. To provide guidance to administators, developers and security personnel in securely implementing <trademark>Microsoft</trademark> <trademark>Windows</trademark> NT4.0.
Scope Controls specified in this document apply to workstation, server, and domain controller implementations of NT4.0, whether used standalone or part of a domain. All of the organisation's NT4.0 information systems will be subject to the policies specified within this generic security standard. The policies will be applied to new and existing installations.
Not In Scope Compliance with this standard will not provide in depth security architecture or intelligent security design guidance to projects. As a consequence, for high impact or safety-critical business applications, additional guidance will still need to be sought from the Information Security team consultancy function. This is a generic standard. Controls specific to workstation, server, or domain controller implementations are not defined here but will be the subject of additional standards. Compliance with this standard does not negate the need for an overall security review of a proposed application. Contact the Information Security team if you are in doubt.
Giving FeedbackYour feedback to improve this document is welcome. Please let me know of your experiences in applying the controls and guidance in this standard. Are the controls effective, easy to implement, too onerous, clear, unclear, something missing? Does an exceptional case need to be covered? Let me know. Please send your comments to frankodwyer AT netscape.net. Your comments will be used to produce better free security standards for the IT community.I also request that you give feedback where you think the controls and guidance is correct. This will let us gauge whether or not specific controls are controversial or broadly acceptable to the community, and will help us to resolve cases where we have conflicting feedback on particular content.
Publishing these Security Standards and PoliciesThis document may be reproduced and distributed in whole or in part, free of charge, subject to the following conditions:All copyright and trademark notices, and this permission notice must be preserved complete on all complete or partial copies.Any translation or derivative work of this document must be approved by Frank O'Dwyer in writing before distribution.If you distribute this guide in part, instructions for obtaining the complete version of this manual must be included, and a means for obtaining a complete version provided.Small portions may be reproduced as illustrations for reviews or quotes in other works without this permission notice if proper citation is given.Neither Frank O'Dwyer's name nor the names of any contributors may be used to endorse or promote products derived from this document without specific prior written permission.THIS DOCUMENT IS PROVIDED BY FRANK O'DWYER AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL FRANK O'DWYER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.I would like to be informed of any plans to publish or distribute these documents, just so I know how they're being used and where they are becoming available. If you are publishing or distributing or planning to publish or distribute any of these documents, please send mail to frankodwyer AT netscape.net
Related DocumentsThis document should be read and applied in conjunction with the technology specific security standards that are available from the frankodwyer.com web site. Please note that some of the documents below are currently under development and as such may not as yet be available. Check back frequently for updates to this document and those documents listed below.
Generic Security StandardsGeneric Security Standardshttp://www.frankodwyer.com/standards/index.html#genericData Protection European Union Security Standardhttp://www.frankodwyer.com/standards/index.html#genericApplication Service Provider Security Standardshttp://www.frankodwyer.com/standards/index.html#generic
Operating System Security StandardsGeneric Unix Security Standardshttp://www.frankodwyer.com/standards/index.html#osWindows NT4.0 Generic Security Standardshttp://www.frankodwyer.com/standards/index.html#osWindows NT4.0 Workstation Security Standardshttp://www.frankodwyer.com/standards/index.html#osWindows NT4.0 Server Security Standardshttp://www.frankodwyer.com/standards/index.html#osWindows NT4.0 Domain Security Standardshttp://www.frankodwyer.com/standards/index.html#os
Database Security StandardsOracle Security Standardshttp://www.frankodwyer.com/standards/index.html#db
Definitions An Information Asset equates to any computerised information system or component thereof and thus includes an application, an item of off the shelf software, hardware, media, a data item, a data item repository and associated communications networks. The specification of the Information Asset in question will usually be given so that this document is unambiguous, except where a control relates to any Information Asset. The use of must or will indicates what the author considers to be a mandatory control. However, whether the controls listed here are mandatory for your organisation is entirely at your organisation's discretion and thus they should be interpreted as representing the strongest recommendation of the author. The use of should or recommended or ought indicates that the author believes that the controls in question are worthwhile and should be implemented unless such an implementation is impossible, onerous or impractical. Again, the implementation of controls so recommended in this document is entirely at your organisation's discretion.
User Configuration
User Administration
Restrict access to login scripts and profilesIDVersionLevelEnforcementNT4GEN-UC-11.0baselinemandatory
StandardLogin scripts and profiles must be accessible only by their user and administrators.
Detailed Steps Ensure the ACLs for login scripts and profiles grant access only to their user and administrators.
Risks AddressedWhere this control is not applied, the following residual risks exist: Users will be able to run programs using the privileges of other users. Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.
Default Accounts
Rename the administrator accountIDVersionLevelEnforcementNT4GEN-DA-21.0baselinerecommended
StandardRename the administrator to an attributable account name and assign a new password.
Detailed Steps Rename the administrator account to an individuals name Assign a new password
Risks AddressedWhere this control is not applied, the following residual risks exist: As the admin account is certain to exist on every system it is a priority for attack Changing the password from the default helps prevent unauthorised access Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.
Disable Guest AccountIDVersionLevelEnforcementNT4GEN-DA-11.0baselinemandatory
StandardThe guest account must be disabled.
Detailed Steps Select account disabled on the main account window. Give the guest account a long random password that is not retained by anyone. Set its login hours to none. Set its expiration date to a date past.
Risks AddressedWhere this control is not applied, the following residual risks exist: Unauthorised network access to the NT system may be possible. Unauthorised access to NT objects may result Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.
Privileges
The advanced user right to load and unload device drivers must not be assigned to any usersIDVersionLevelEnforcementNT4GEN-PRIV-131.0baselinemandatory
StandardThe advanced user right to load and unload device drivers must not be assigned to any users
Detailed Steps Identify all users who hold this right and revoke it. Identify all applications who hold this right and determine why they need it and revoke it for all those where this requirement is clearly spurious
Risks AddressedWhere this control is not applied, the following residual risks exist: Replacing a device driver may be used to gain unauthorised access Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.
The advanced user right to create a page file must not be assigned to any usersIDVersionLevelEnforcementNT4GEN-PRIV-71.0baselinemandatory
StandardThe advanced user right to create a page file must not be assigned to any users
Detailed Steps Identify all users who hold this right and revoke it. Identify all applications who hold this right and determine why they need it and revoke it for all those where this requirement is clearly spurious
Risks AddressedWhere this control is not applied, the following residual risks exist: Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.
The advanced user right to bypass traverse checking must not be assigned to any usersIDVersionLevelEnforcementNT4GEN-PRIV-61.0baselinemandatory
StandardThe advanced user right to bypass traverse checking must not be assigned to any users
Detailed Steps Identify all users who hold this right and revoke it. Identify all applications who hold this right and determine why they need it and revoke it for all those where this requirement is clearly spurious
Risks AddressedWhere this control is not applied, the following residual risks exist: This right permits access control on an object path to be disregarded and may result in unintended access being obtained Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.
The advanced user right to profile single process must be assigned only to administrators.IDVersionLevelEnforcementNT4GEN-PRIV-161.0baselinemandatory
StandardThe advanced user right to profile single process must be assigned only to administrators
Detailed Steps Identify all users who hold this right and revoke it. Identify all applications who hold this right and determine why they need it and revoke it for all those where this requirement is clearly spurious
Risks AddressedWhere this control is not applied, the following residual risks exist: The ability to profile single processes may result in unauthorised disclosure of security sensitive information Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.
The advanced user right to repace a system level process token must be assigned to no userIDVersionLevelEnforcementNT4GEN-PRIV-191.0baselinemandatory
StandardThe advanced user right to repace a system level process token must be assigned to no user
Detailed Steps Identify all users who hold this right and revoke it. Identify all applications who hold this right and determine why they need it and revoke it for all those where this requirement is clearly spurious
Risks AddressedWhere this control is not applied, the following residual risks exist: Such access may be used to subvert the security controls on the system Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.
The advanced user right to create permanent shared objects must not be assigned to any usersIDVersionLevelEnforcementNT4GEN-PRIV-91.0baselinemandatory
StandardThe advanced user right to create permanent shared objects must not be assigned to any users
Detailed Steps Identify all users who hold this right and revoke it. Identify all applications who hold this right and determine why they need it and revoke it for all those where this requirement is clearly spurious
Risks AddressedWhere this control is not applied, the following residual risks exist: Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.
The advanced user right to generate security audits must not be assigned to any users other than administrators or security teamsIDVersionLevelEnforcementNT4GEN-PRIV-111.0baselinemandatory
StandardThe advanced user right to generate security audits must not be assigned to any users other than administrators or security teams
Detailed Steps Identify all users who hold this right and revoke it where appropriate Identify all applications who hold this right and determine why they need it and revoke it for all those where this requirement is clearly spurious
Risks AddressedWhere this control is not applied, the following residual risks exist: The security audit will contain disclosure sensitive information Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.
The advanced user right to debug programs must be assigned only to adminisrators and developersIDVersionLevelEnforcementNT4GEN-PRIV-101.0baselinemandatory
StandardThe advanced user right to debug programs must be assigned only to adminisrators and developers
Detailed Steps Identify all users who hold this right and revoke it. Identify all applications who hold this right and determine why they need it and revoke it for all those where this requirement is clearly spurious
Risks AddressedWhere this control is not applied, the following residual risks exist: Security sensitive information may be obtained such as passwords Unauthorised access may be obtained Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.
The user right to shutdown the system should be assigned to local groups and not to individual usersIDVersionLevelEnforcementNT4GEN-PRIV-41.0baselinerecommended
StandardThe user right to shutdown the system should be assigned to local groups and not to individual users
Detailed Steps Assign the right to a local group Assign users to the group
Risks AddressedWhere this control is not applied, the following residual risks exist: Adnministration should be performed using roles supported through membership of groups Complex individual admin often leads to unauthorised access Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.
The advanced user right to profile system performance must be assigned only to administrators.IDVersionLevelEnforcementNT4GEN-PRIV-171.0baselinemandatory
StandardThe advanced user right to profile system performance must be assigned only to administrators.
Detailed Steps Identify all users who hold this right and revoke it. Identify all applications who hold this right and determine why they need it and revoke it for all those where this requirement is clearly spurious
Risks AddressedWhere this control is not applied, the following residual risks exist: The ability to profile system performance may result in a denial of service Business information and applications may be unavailable.
The advanced user right to receive unsolicited device input must be assigned to no users.IDVersionLevelEnforcementNT4GEN-PRIV-181.0baselinemandatory
StandardThe advanced user right to receive unsolicited device inpurt must be assigned to no users.
Detailed Steps Identify all users who hold this right and revoke it. Identify all applications who hold this right and determine why they need it and revoke it for all those where this requirement is clearly spurious
Risks AddressedWhere this control is not applied, the following residual risks exist: This right can be used to obtain unauthorised access Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.
The user right to force shutdown from a remote system should be assigned to local groups and not to individual usersIDVersionLevelEnforcementNT4GEN-PRIV-21.0baselinerecommended
StandardThe user right to force shutdown from a remote system should be assigned to local groups and not to individual users
Detailed Steps Assign the right to a local group Assign users to the group
Risks AddressedWhere this control is not applied, the following residual risks exist: Security administration is simplified by the use of roles This privilege may allow a denial of service to be executed Business information and applications may be unavailable.
The advanced user right to increase scheduling priority must be assigned only to administratorsIDVersionLevelEnforcementNT4GEN-PRIV-121.0baselinemandatory
StandardThe advanced user right to increase scheduling priority must be assigned only to administrators
Detailed Steps Identify all users who hold this right and revoke it. Identify all applications who hold this right and determine why they need it and revoke it for all those where this requirement is clearly spurious
Risks AddressedWhere this control is not applied, the following residual risks exist: The ability to increase scheduling priority can be used to hog system resource This privilege may allow an enterprise wide denial of service Business information and applications may be unavailable.
The advanced user right to modify firmware environment variables must only be assigned to administrators.IDVersionLevelEnforcementNT4GEN-PRIV-151.0baselinemandatory
StandardThe advanced user right to modify firmware environment variables must be assigned only to administrators.
Detailed Steps Identify all users who hold this right and revoke it. Identify all applications who hold this right and determine why they need it and revoke it for all those where this requirement is clearly spurious
Risks AddressedWhere this control is not applied, the following residual risks exist: Modification of such variables may result in abnormal or unauthorised function Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.
The advanced user right to act as part of the operating system must be assigned to no one.IDVersionLevelEnforcementNT4GEN-PRIV-51.0baselinemandatory
StandardThe advanced user right to act as part of the operating system must be assigned to no one.
Detailed Steps Identify all users who hold this right and revoke it. Identify all applications who hold this right and determine why they need it and revoke it for all those where this requirement is clearly spurious
Risks AddressedWhere this control is not applied, the following residual risks exist: Acting as part of the operating permits privileged action to be undertaken Privileged action may be used to subvert operating system controls Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.
The advanced user right to create a token object must not be assigned to any usersIDVersionLevelEnforcementNT4GEN-PRIV-81.0baselinemandatory
StandardThe advanced user right to create a token object must not be assigned to any users
Detailed Steps Identify all users who hold this right and revoke it. Identify all applications who hold this right and determine why they need it and revoke it for all those where this requirement is clearly spurious
Risks AddressedWhere this control is not applied, the following residual risks exist: The ability to create a token object may undermine the authentication system Unauthorised access may be obtained Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.
The user right to logon locally should be assigned to local groups and not to individual usersIDVersionLevelEnforcementNT4GEN-PRIV-31.0baselinerecommended
StandardThe user right to logon locally should be assigned to local groups and not to individual users.
Detailed Steps Assign the right to a local group Assign users to the group
Risks AddressedWhere this control is not applied, the following residual risks exist: Managing access rights by role simplfiies administration Complex administration often results in unauthorised access. Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.
The user right to change the system time should be assigned to local groups and not to individual userIDVersionLevelEnforcementNT4GEN-PRIV-11.0baselinerecommended
StandardThe user right to change the system time should be assigned to local groups and not to individual users.
Detailed Steps Assign the right to a local group Assign users to the group
Risks AddressedWhere this control is not applied, the following residual risks exist: Reconstructing a set of events requires coinfidence in time sequencing Certain elements of security infrastructure are sensitive to time Changing the system time nay mask unauthorised activity Changing the system time may result in unauthorised access Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.
The advanced user right to logon as a service must be assigned only to administratorsIDVersionLevelEnforcementNT4GEN-PRIV-141.0baselinemandatory
StandardThe advanced user right to logon as a service must be assigned only to administrators
Detailed Steps Identify all users who hold this right and revoke it. Identify all applications who hold this right and determine why they need it and revoke it for all those where this requirement is clearly spurious
Risks AddressedWhere this control is not applied, the following residual risks exist: The ability to create processes as a services can be used to subvert the security controls and gain unauthorised access Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.
Security Compliance
Security Management
Antivirus software must be installed and maintained current on all machinesIDVersionLevelEnforcementNT4GEN-VIRUS-11.0baselinemandatory
StandardAnt-virus software must be installed and maintained on all mahines.
Detailed Steps Install anti-virus software on all machines. Ensure that the virus engine and signature data files are maintained up to date
Risks AddressedWhere this control is not applied, the following residual risks exist: Virus infections can often subvert system security controls Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.
Ensure that a legal notice appropriate to your jurisdiction is displayed in the legal notice placeholded for display prior to logonIDVersionLevelEnforcementNT4GEN-LEGAL-11.0baselinemandatory
StandardEnsure that a legal notice appropriate to your jurisdiction is displayed in the legal notice placeholded for display prior to logon
Detailed Steps Determine the most appropriate legal noice to implement for your jurisdiction Populate the legal notice placeholder with this message for display prior to logon
Risks AddressedWhere this control is not applied, the following residual risks exist: Legal action following a subjected breach may prove problematic Monitoring of authorised use may prove problematic Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.
Network Security Configuration
Network Interface Considerations
FTP should not be installed or if part of the default image it should be disabledIDVersionLevelEnforcementNT4GEN-NETW-11.0above baselinerecommended
StandardFTP should not be installed or if part of the default image it should be disabled
Detailed Steps Build a server, w/s or domain controller image that does not include ftp by default Alternatively, disable ftp on w/s, servers and controllers where not needed
Risks AddressedWhere this control is not applied, the following residual risks exist: Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.
Configuration
Files and File Permissions
Use encryption for sensitive data filesIDVersionLevelEnforcementNT4GEN-FILE-11.0above baselinemandatory
StandardSensitive data files must be encrypted.
Detailed Steps Use an encryption tool or an encrypted file system to store sensitive data files.
Risks AddressedWhere this control is not applied, the following residual risks exist: Sensitive data files will be accessible using non-standard tools when the NT operating system does not have control. Sensitive data files which have been deleted may be accessible using non-standard tools when the NT operating system does not have control. Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.
Administration
Clear Page File at ShutdownIDVersionLevelEnforcementNT4GEN-ADM-11.0baselinemandatory
StandardEnable clearing of the system page file at shutdown.
Detailed Steps Set the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SessionManager\Memory Management\ClearPageFileAtShutdown to 1.
Risks AddressedWhere this control is not applied, the following residual risks exist: Sensitive information, including local and remote passwords and business information, may remain in the pagefile after shutdown. This may be recoverable by an attacker who has physical access to the machine. Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.
Installation
Setup Choices
Do not use dual-bootIDVersionLevelEnforcementNT4GEN-SETUP-21.0baselinemandatory
StandardNT must be the only operating system installed. The system must not be set up to dual-boot other operating systems.
Detailed Steps Remove other operating systems by formatting partitions to NTFS prior to installation. Ensure that boot.ini automatically boots NT, and that it lists no other operating systems.
Risks AddressedWhere this control is not applied, the following residual risks exist: Filesystems will not be protected by NT ACLs. Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.
Restrict access to alternate boot mechanismsIDVersionLevelEnforcementNT4GEN-SETUP-31.0above baselinemandatory
StandardOnly authorised users must be able to boot the system from alternative media (CD, floppy disk).
Detailed Steps Ensure that the BIOS boot order boots from the hard disk before CD, floppy, or other bootable devices. Assign a BIOS password to prevent changes to the boot order, and restrict access to the BIOS password to authorised personnel.
Risks AddressedWhere this control is not applied, the following residual risks exist: NT ACLs may be bypassed by booting an alternative operating system. Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.
Delete $WinNT$.inf filesIDVersionLevelEnforcementNT4GEN-SETUP-41.0baselinemandatory
StandardFor unattended setups the $WinNT$.inf file should be deleted.
Detailed Steps Ensure any $WinNT$.inf files are removed after an unattended installation.
Risks AddressedWhere this control is not applied, the following residual risks exist: The username and password of the user used to add the machine to the domain may be exposed. Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.
Installation disk image duplicationIDVersionLevelEnforcementNT4GEN-SETUP-51.0baselinemandatory
StandardDo not install by duplicating a previous disk image, unless the disk image copy tool used is NT-aware and capable of assigning a unique machine SID after duplication.
Detailed Steps Do not install using a disk image duplication. Or, if using disk image duplication, ensure that the disk image duplication tool is NT-aware and able to assign unique machine SIDs after duplication.
Risks AddressedWhere this control is not applied, the following residual risks exist: Machines and user accounts will have duplicate SIDs, undermining the security enforcement of NT. Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.
Format all disk partitions with NTFSIDVersionLevelEnforcementNT4GEN-SETUP-11.0baselinemandatory
StandardAll filesystem partitions must be formatted prior to installation as NTFS.
Detailed Steps Choose Format as NTFS from setup menus. Do not use FAT partitions during installation, format as NTFS during installation.
Risks AddressedWhere this control is not applied, the following residual risks exist: Filesystems will not be protected by NT ACLs. Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.
Do not use HPFS or FAT file structures. Always use NTFS.IDVersionLevelEnforcementNT4GEN-SETUP-61.0baselinemandatory
StandardDo not use HPFS or FAT file structures. Always use NTFS.
Detailed Steps Opt for using NTFS alone during system commissioning
Risks AddressedWhere this control is not applied, the following residual risks exist: Other file structures do not consistently support windows NT access control The use of other file structures may be used to subvert security controls Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.
Auditing and Monitoring
Audit log destination and format
Security event logging must be enabled and not set to overwrite eventsIDVersionLevelEnforcementNT4GEN-AUDIT-41.0baselinemandatory
StandardSecurity event logging must be enabled and not set to overwrite events
Detailed Steps Switch security event logging on Configure event logging so as not to overwrite events
Risks AddressedWhere this control is not applied, the following residual risks exist: Reconstruction of a sequence of a sequence of events requires events to be recorded Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.
Events to be audited
Set up file auditing for group everyoneIDVersionLevelEnforcementNT4GEN-AUDIT-31.0baselinerecommended
StandardFile auditing for group everyone should be set up to record failed attempts for read, write, execute and success and failure for delete, change permissions and take ownership.
Detailed Steps Set up file auditing for group everyone as follows; Read - Audit failed attempts Write - Audit failed attempts Execute - Audit failed attempts Delete - Audit failure and success Change Permissions - Audit failure and success Take Ownership - Audit failure and success
Risks AddressedWhere this control is not applied, the following residual risks exist: Reconstructing a sequence of events requires certain events to be recorded Failing to record certain events may allow a breach or a failure to go undetected Failing to record certain events may prevent successful recovery from a breach or a failure Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.
Set up directory auditing for group everyoneIDVersionLevelEnforcementNT4GEN-AUDIT-21.0baselinemandatory
StandardSet up directory auditing for group everyone such that failed attempts are recorded for read, write, execute and failed and successful attempts are recorded for delete, change permissions and take ownership.
Detailed Steps Set up directory auditing for group everyone as follows; Read - Audit failed attempts Write - Audit failed attempts Execute - Audit failed attempts Delete - Audit failure and success Change Permissions - Audit failure and success Take Ownership - Audit failure and success
Risks AddressedWhere this control is not applied, the following residual risks exist: Without an audit trail of activity reconstructing misuse cannot be achieved A loss of accountability may occur Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.
Network alerts must be enabled for excessive login failuresIDVersionLevelEnforcementNT4GEN-AUDIT-51.0baselinemandatory
StandardNetwork alerts must be enabled for excessive login failures
Detailed Steps Configure network alerts for excessive login failures
Risks AddressedWhere this control is not applied, the following residual risks exist: Non-interactive/network login failures may be indicative of an attack Non-interactive/network login failures may be indicative of a failed service Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.
The audit policy must be set up to record failure and success for Logon and Logoff, User and Group Management, Security Policy Changes, Restart, Shutdown and System and failure for File and Object AccessIDVersionLevelEnforcementNT4GEN-AUDIT-11.0baselinemandatory
StandardThe audit policy must be set up to record failure and success for Logon and Logoff, User and Group Management, Security Policy Changes, Restart, Shutdown and System and failure for File and Object Access
Detailed Steps Set up audit policy as follows; Logon and Logoff Audit failure and success File and Object Access Audit failure User and Group Management Audit failure and success Security Policy Changes Audit failure and success Restart, Shutdown and System Audit failure and success
Risks AddressedWhere this control is not applied, the following residual risks exist: Capturing events allows an audit trail of activity to be created A failure to capture events prevents abnormal activity from being identified This allows an attackers behviour to go unnoticed. Failing to record security events may result in a loss of accountability A loss of accountability makes it difficult to determine the nature of a breach This may result in regulatory compliance breaches This may make legal action problematic to pursue This may make reconstructing the system securely difficult to achieve Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.
Set up registry key auditing for group everyoneIDVersionLevelEnforcementNTGEN-AUDIT-41.0baselinerecommended
StandardRegistry key auditing should be set up to not audit query value, create subkey, read control, to audit successful attempts to set value, enumerate subkeys, notify, create link, delete and to audit successful and unsucessful attempts to write DAC
Detailed Steps Set up registry key auditing as follows; Query Value - Not audited Set Value - Audit successful attempts Create Subkey - Not audited Enumerate Subkeys - Audit successful attempts Notify - Audit successful attempts Create Link - Audit successful attempts Delete - Audit successful attempts Write DAC - Audit successful and unsuccessful attempts Read Control - Not audited
Risks AddressedWhere this control is not applied, the following residual risks exist: Reconstructing a sequence of evnts requires events to be recorded Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.
ChecklistUser ConfigurationUser AdministrationControl IDChecklist QuestionYour AnswerNT4GEN-UC-1Is access to login scripts and profiles restricted only to their user and administrators? Default AccountsControl IDChecklist QuestionYour AnswerNT4GEN-DA-2Has the administrator account been renamed to an attributable account name and the password changed?NT4GEN-DA-1Has the guest account been disabled? PrivilegesControl IDChecklist QuestionYour AnswerNT4GEN-PRIV-13Is the advanced user right to load and unload device drivers assigned to any users?NT4GEN-PRIV-7Is the advanced user right to create a page file assigned to any users?NT4GEN-PRIV-6Is the advanced user right to bypass traverse checking assigned to any users?NT4GEN-PRIV-16Is the advanced user right to profile single process assigned only to administrators?NT4GEN-PRIV-19Is the advanced user right to repace a system level process token assigned to any user?NT4GEN-PRIV-9Is the advanced user right to create permanent shared objects assigned to any users?NT4GEN-PRIV-11Is the advanced user right to generate security audits assigned to any users other than the administrators or security users?NT4GEN-PRIV-10Is the advanced user right to debug programs assigned only to adminisrators and developers?NT4GEN-PRIV-4Is the user right to shutdown the system assigned to local groups and not to individual usersNT4GEN-PRIV-17Is the advanced user right to profile system performance assigned only to administrators?NT4GEN-PRIV-18Is the advanced user right to receive unsolicited device input assigned to no users?NT4GEN-PRIV-2Is the user right to force shutdown from a remote system assigned to local groups and not to individual users?NT4GEN-PRIV-12Is the advanced user right to increase scheduling priority assigned only to administrators?NT4GEN-PRIV-15Is the advanced user right to modify firmware environment variables assigned only to administrators?NT4GEN-PRIV-5Is the advanced user right to act as part of the operating system assigned to any one?NT4GEN-PRIV-8Is the advanced user right to create a token object assigned to any users?NT4GEN-PRIV-3Is the user right to logon locally assigned to local groups and not to individual users?NT4GEN-PRIV-1Is the user right to change the system time assigned to local groups and not to individual users?NT4GEN-PRIV-14Is the advanced user right to logon as a service assigned only to administrators?Security ComplianceSecurity ManagementControl IDChecklist QuestionYour AnswerNT4GEN-VIRUS-1Is ant-virus software installed and maintained on all machines?NT4GEN-LEGAL-1Ensure that a legal notice appropriate to your jurisdiction is displayed in the legal notice placeholded for display prior to logonNetwork Security ConfigurationNetwork Interface ConsiderationsControl IDChecklist QuestionYour AnswerNT4GEN-NETW-1Is FTP installed or if part of the default image is it disabled?ConfigurationFiles and File PermissionsControl IDChecklist QuestionYour AnswerNT4GEN-FILE-1Are sensitive data files encrypted? AdministrationControl IDChecklist QuestionYour AnswerNT4GEN-ADM-1Has clearing of the system page file at shutdown been enabled? InstallationSetup ChoicesControl IDChecklist QuestionYour AnswerNT4GEN-SETUP-2Is NT the only operating system installed? NT4GEN-SETUP-3Has access to alternative boot mechanisms been physically and/OR BIOS password restricted? NT4GEN-SETUP-4For unattended setups, has the $WinNT$.inf file been deleted after installation? NT4GEN-SETUP-5For installations using disk image duplication, has the machine been assigned a unique SID? NT4GEN-SETUP-1Are all partitions formatted as NTFS? NT4GEN-SETUP-6Are there any FAT or HPFS partitions on the system?Auditing and MonitoringAudit log destination and formatControl IDChecklist QuestionYour AnswerNT4GEN-AUDIT-4Is security event logging enabled and set so as not to overwrite events?Events to be auditedControl IDChecklist QuestionYour AnswerNT4GEN-AUDIT-3Has file auditing been set up for group everyone?NT4GEN-AUDIT-2Has directory auditing for group everyone been set up in accordance with policy?NT4GEN-AUDIT-5Are network alerts enabled for excessive login failures?NT4GEN-AUDIT-1Has the audit policy been set up to record the events defined in the audit policy?NTGEN-AUDIT-4Has registry key auditing been set up in accordance with policy?