Fv_Offline/Fv_realtime Projeto Fraudview - Microsoft Windows 2000

Microsoft Windows/2000 Platform - IBM Global Services Information Security Controls for Embratel

Copyright IBM Corporation, 199?, 2002 - All Rights Reserved
Version 4.2 - November 18, 2002

Version - Release Levels:
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Professional

A5.1 System Setup

A5.1.1 Initial System Setup

A5.1.1.1 System Settings

| System Value/Parameter | Recommended Setting | Current Setting | Agreed to Setting | Reference |
| --- | --- | --- | --- | --- |
| Services | Disable all services not used. | Disable all services not used. | Disable all services not used. | |

A5.1.1.2 Network Settings

| System Setting | System Value/Parameter | Recommended Setting | Current Setting | Agreed to Setting | Reference | Prioridade | Responsible | Effort |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| TCP/IP Post Office Protocol (POP) | Post Office Protocol (POP) authentication | If activated, POP services must be configured to require users to authenticate. POP services that do not support authentication must be disabled. | | TCP/IP Post Office Protocol (POP) is not allowed | 2.1.1 | No | IBM | Done |
| TCP/IP Net News Transfer Protocol (NNTP) | Net News Transfer Protocol (NNTP) authentication & identification | If activated, must be configured to require authentication and identification of all users if any of the newsgroups on the server are classified confidential. | | TCP/IP Net News Transfer Protocol (NNTP) is not allowed | 2.1.1 | No | IBM | Done |
| TCP/IP X-Windows | X-Windows access control | Must not be disabled | | Must not be disabled | 2.1.1 | No | IBM | Done |
| TCP/IP REXD | REXD daemon | Must be disabled | | Must be disabled | 2.1.1 | No | IBM | Done |
| TCP/IP Anonymous FTP | Directories enabled for Anonymous FTP access | Access via anonymous FTP may be granted only to directories containing unclassified data. IBM confidential data is not permitted in directories accessible via Anonymous FTP. | | Only PUBLIC (Internet and others) and INTERNAL (RCC) for Anonymous Access | 2.2.2 | No | IBM | Done |
| | Access permissions for directories accessible via Anonymous FTP | Each directory may allow read access or write access to anonymous users, but not both. | | Each directory may allow read access or write access to anonymous users, but not both. | 2.2.3 | No | IBM | Done |
| TCP/IP Trivial FTP (TFTP) | Directories enabled for TFTP (Trivial File Transfer Protocol) access | Access via TFTP may be granted only to directories containing unclassified data. IBM confidential data is not permitted in directories accessible via TFTP or any subdirectories of the directory. | | TCP/IP Trivial FTP (TFTP) must be disabled | 2.2.2 | No | IBM | Done |
| Denial of Service prevention | Internet Servers: Services to be disabled | ECHO, CHARGEN, FINGER, DISCARD, SYSSTAT, DAYTIME, NETSTAT, WHO | | Services to be disabled on Internet Servers: ECHO, CHARGEN, FINGER, DISCARD, SYSSTAT, DAYTIME, NETSTAT, WHO | 3.6.1 | No | IBM | Done |
| | Services to be disabled if not required to support an application | ECHO, CHARGEN, RSTAT, TFTP, RWALL, RUSER, DISCARD, DAYTIME, BOOTPS, FINGER, SPRAYD, PCNFSD | | Services to be disabled if not required to support an application: ECHO, CHARGEN, RSTAT, TFTP, RWALL, RUSER, DISCARD, DAYTIME, BOOTPS, FINGER, SPRAYD, PCNFSD | 3.6.1 | No | IBM | Done |
| | SNMP service | Community names of "public" and "private" are not permitted if the SNMP service is active. | | Community names of "public" and "private" are not permitted if the SNMP service is active. | 3.6.1 | No | IBM | Done |

A5.1.2 System Controls
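The services named in the Denial of Service prevention rows (and POP, NNTP, SNMP, TFTP, BOOTPS and X-Windows from the rows above them) listen on well-known ports, so a `netstat -an` listing is a quick way to confirm they are off. The following is an added example, not part of the IBM/Embratel document: a Python checker that parses constructed `netstat -an` output in the Windows format and reports listening sockets on those ports. Port numbers are the IANA assignments; the RPC-based services in the table (RSTAT, RWALL, RUSER, SPRAYD, PCNFSD, REXD) have no fixed port and are not covered by this check.

```python
"""Flag listening sockets that belong to services the A5.1.1.2 table says must
be disabled. Added example, not from the document; it parses the text output
of `netstat -an` on Windows, and the sample below is constructed."""
import re

# Well-known ports (IANA) of the services named in the table. RPC-based
# services (RSTAT, RWALL, RUSER, SPRAYD, PCNFSD, REXD) have no fixed port.
FLAGGED_PORTS = {
    ("tcp", 7): "ECHO", ("udp", 7): "ECHO",
    ("tcp", 9): "DISCARD", ("udp", 9): "DISCARD",
    ("tcp", 11): "SYSSTAT",
    ("tcp", 13): "DAYTIME", ("udp", 13): "DAYTIME",
    ("tcp", 15): "NETSTAT",
    ("tcp", 19): "CHARGEN", ("udp", 19): "CHARGEN",
    ("udp", 67): "BOOTPS",
    ("udp", 69): "TFTP",
    ("tcp", 79): "FINGER",
    ("tcp", 110): "POP",
    ("tcp", 119): "NNTP",
    ("udp", 161): "SNMP",
    ("udp", 513): "WHO",
    ("tcp", 6000): "X-Windows",
}

# Proto, local address:port, foreign address, optional State (TCP only).
_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$", re.I)


def parse_netstat(text):
    """Yield (proto, local_ip, port, state) for each socket line of `netstat -an`.
    Header lines and blank lines do not match the pattern and are skipped."""
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        proto, ip, port, _foreign, state = m.groups()
        yield proto.lower(), ip, int(port), (state or "").upper()


def flagged_listeners(text):
    """Return a sorted list of (service, proto, local_address) that must be disabled."""
    hits = set()
    for proto, ip, port, state in parse_netstat(text):
        if proto == "tcp" and state != "LISTENING":
            continue  # established or closing sockets are not servers
        name = FLAGGED_PORTS.get((proto, port))
        if name:
            hits.add((name, proto, f"{ip}:{port}"))
    return sorted(hits)


# Constructed sample of `netstat -an` output (not captured from a real host).
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:19             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.0.0.5:110           10.0.0.9:4123          ESTABLISHED
  TCP    10.0.0.5:1028          10.0.0.9:79            ESTABLISHED
  UDP    0.0.0.0:161            *:*
  UDP    0.0.0.0:500            *:*
"""

if __name__ == "__main__":
    for service, proto, addr in flagged_listeners(SAMPLE):
        print(f"{service:10} {proto} {addr}  -> must be disabled (A5.1.1.2)")
```

Only sockets in LISTENING state (or any UDP socket) are reported, so an outbound client connection whose remote end is port 79 does not count against the host; the sample contains one such line to show the distinction.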
A5.1.2.1 Logging

| System Value/Parameter | Recommended Setting | Current Setting | Agreed to Setting | Reference | Prioridade | Responsible | Effort |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Audit Policy - minimum logging requirements: | | | | | | | |
| Event Auditing | enabled | No Auditing | Auditing enabled | | | | |
| Account logon events | Success & Failure | No Auditing | Success & Failure | 2.4.3 | | IBM | Medium |
| Account management | Success & Failure | No Auditing | Success & Failure | 2.4.3 | | IBM | Medium |
| Directory service access | Failure | No Auditing | Failure | 2.4.3 | | IBM | Medium |
| Logon events | Success & Failure | No Auditing | Success & Failure | 2.4.1 | | IBM | Medium |
| Object access | Failure | No Auditing | Failure | 2.4.2 & 2.4.3 | | IBM | Medium |
| Policy change | Success & Failure | No Auditing | Success & Failure | 2.4.3 | | IBM | Medium |
| Privilege use | Success & Failure | No Auditing | Success & Failure | 2.4.3 | | IBM | Medium |
| Process Tracking | (not required to be set) | (not required to be set) | (not required to be set) | | | IBM | Done |
| | Failure | | Failure | 2.4.3 | | IBM | Done |
| Security logs retained | 60 days (minimum) | days | 60 days (minimum); Backup Retention 1 Year (6 backups) | 2.4 | | IBM | Low |

A5.1.2.2 Identify and Authenticate Users

| System Value/Parameter | Recommended Setting | Current Setting | Agreed to Setting | Reference | Prioridade | Responsible | Effort |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Userids: Creating new userids | Set an initial password and force the user to change it. The check box "User Must Change Password at Next Logon" must be selected. | same as Recommended | same as Recommended | 2.1.1 | | IBM | Done |
| "Password never expires" | May not be enabled for any userids except on: Replicate; Guest; IUSR_<system> and IWAM_<system> user accounts created by Internet Information Server (IIS); User accounts that are only associated with a started process(es) and are set to "Disabled" status, so they can not be logged onto (example: tmersrvd); User accounts that satisfy all of the following criteria: "Logon locally" user right is disabled, Userid is not a member of the Administrators group, All interactive login methods (FTP, telnet, rexec, SSH, etc) are disabled for the userid | same as Recommended | same as Recommended | 2.1.1 | | IBM | Done |
| Passwords - minimum required password-related policy settings: | | | | | | | |
| Enforce password history | 4 passwords remembered | 0 passwords remembered | 6 passwords remembered | 2.1.2 | | IBM | Low |
| Maximum password age | 186 days | 42 days | 60 days | 2.1.2 | | IBM | Low |
| Minimum password length | 6 characters | 3 characters | 8 characters | 2.1.2 | | IBM | Low |
| Store password using reversible encryption | Disabled | Disable | Disabled | 2.1.2 | | IBM | Done |
| Account lockout threshold | 5 | 0 | 5 | 2.1.2 | | IBM | Low |
| Account lockout duration | Forever | Not Defined | Forever | 2.1.2 | | IBM | Low |
A5.1.2.3 Protecting Resources - OSRs

General user authority (Everyone, Users or equivalent group): maximum authority permitted (Reference 2.4, IBM, Done).

| OSR | Recommended Setting | Current Setting | Agreed to Setting | Reference | Responsible | Effort |
| --- | --- | --- | --- | --- | --- | --- |
| %SystemRoot% | Read & Execute, List Folder Contents, Read | same as Recommended | same as Recommended | | IBM | Done |
| %SystemRoot%\Repair | No specific authorizations granted (normally implemented via omitting Everyone or Users groups from the ACL) | same as Recommended | same as Recommended | | IBM | Low |
| %SystemRoot%\System | Read & Execute, List Folder Contents, Read | same as Recommended | same as Recommended | | IBM | Done |
| %SystemRoot%\System32 | Read & Execute, List Folder Contents, Read | same as Recommended | same as Recommended | | IBM | Done |
| %SystemRoot%\System32\Config | List Folder / Read Data | same as Recommended | same as Recommended | | IBM | Done |
| %SystemRoot%\System32\Drivers | Read & Execute, List Folder Contents, Read | same as Recommended | same as Recommended | | IBM | Done |
| %SystemRoot%\System32\Spool | Read & Execute, List Folder Contents, Read | same as Recommended | same as Recommended | | IBM | Done |
| %SystemDrive%\Boot.Ini | Read | Read | Read | | IBM | Low |
| %SystemDrive%\NTDetect.Com | Read | Read | Read | | IBM | Low |
| %SystemDrive%\NTLDR | Read | Read | Read | | IBM | |
| %SystemDrive%\AutoExec.Bat | Read | Read | Read | | IBM | Low |
| %SystemDrive%\Config.Sys | Read | Read | Read | | IBM | Low |

Certain privileged ids/groups (e.g. Server Operator, Power User, Print Operator, SYSTEM) are granted default permissions to some OSRs. These defaults are acceptable and need not be changed.

Registry Controls required on Windows Terminal Servers & WinFrame Servers:

| Registry key | Recommended Setting | Agreed to Setting |
| --- | --- | --- |
| hkey_classes_root | Maximum authorization allowed for Everyone or other general user groups such as Users & INTERACTIVE is Read | Maximum authorization allowed for Everyone or other general user groups such as Users & INTERACTIVE is Read |

A5.1.2.4 Protecting Resources - User Resources

| System Value/Parameter | Recommended Setting | Current Setting | Agreed to Setting | Reference |
| --- | --- | --- | --- | --- |
| Creating new user home directories | At creation time, the home directory must be owned by the resource owner, and the maximum allowed permissions granted on the home directory to anyone other than the resource owner and administrators is: Traverse Folder / Execute File, Read Attributes, Read Permissions | same as Recommended | same as Recommended | 2.2.3 |
| Guest account | If the Guest account is enabled, it must comply with the following: Only one ID of Guest allowed per domain; No access to confidential data; Listed only in the Guests and/or Domain Guests account group and not included in any other groups | Guest account Disable | Guest account Disable | 2.2.2 |
| IUSR_<system> account | If the IUSR_<system> account is enabled, it must comply with the following: No access to confidential data; Listed only in the Guests and/or Domain Guests account group and not included in any other groups | same as Recommended | same as Recommended | 2.2.2 |

Note: If home directories are designed with subdirectories under them such as a "public" folder or a folder for storing web pages that are readable by general users, the above permissions would be needed for users to traverse through and access the subdirectories. Otherwise granting no access to general users would be the more common approach for initial home directory permission settings set by the Provider of Service.
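The OSR table and the Terminal Server registry row both express one rule: general-user principals (Everyone, Users, INTERACTIVE) may hold at most the listed rights on each object. The following is an added example, not from the IBM/Embratel document: a Python script that parses `icacls` output (a constructed sample) and reports general-user ACEs exceeding the file and directory maxima in the A5.1.2.3 table. It assumes %SystemRoot% is C:\WINNT (the Windows 2000 default), %SystemDrive% is C:, and paths without spaces; the mapping of the Windows permission names in the table to icacls right tokens is my own and not taken from the document.

```python
r"""Compare `icacls` output with the A5.1.2.3 OSR table: general-user
principals may hold at most the rights the table allows on each object.
Added example, not from the document; the icacls text below is constructed,
paths are assumed to contain no spaces, and %SystemRoot% is C:\WINNT."""
import re

GENERAL_USERS = {"everyone", "builtin\\users", "nt authority\\interactive"}

# Expand icacls simple rights (R, RX, M, F) and generic rights (GR, GE, GW, GA)
# into specific-right tokens so that every ACE compares on one scale.
READ = {"RD", "RA", "REA", "RC", "S"}          # table: "Read"
READ_EXEC = READ | {"X"}                       # table: "Read & Execute, List Folder Contents, Read"
EXPAND = {
    "R": READ, "GR": READ,
    "RX": READ_EXEC,
    "GE": {"X", "RA", "RC", "S"},
    "M": READ_EXEC | {"WD", "AD", "WA", "WEA", "DE"},
    "W": {"WD", "AD", "WA", "WEA", "RC", "S"},
    "GW": {"WD", "AD", "WA", "WEA", "RC", "S"},
    "F": {"*"}, "GA": {"*"},                   # full control always exceeds a read set
    "N": set(),
}
INHERITANCE = {"OI", "CI", "IO", "NP", "I"}    # flags, not rights


def osr_policy(system_root=r"C:\WINNT", system_drive="C:"):
    """Maximum general-user rights per OSR, taken from the table (paths lower-cased)."""
    sr, sd = system_root.lower(), system_drive.lower()
    policy = {sr: READ_EXEC, sr + r"\repair": set(), sr + r"\system": READ_EXEC,
              sr + r"\system32": READ_EXEC, sr + r"\system32\config": {"RD", "S"},
              sr + r"\system32\drivers": READ_EXEC, sr + r"\system32\spool": READ_EXEC}
    for f in ("boot.ini", "ntdetect.com", "ntldr", "autoexec.bat", "config.sys"):
        policy[sd + "\\" + f] = READ
    return policy


def expand_rights(ace):
    """'(OI)(CI)(RX)' -> set of specific-right tokens, ignoring inheritance flags."""
    rights = set()
    for group in re.findall(r"\(([^)]*)\)", ace):
        for tok in group.split(","):
            tok = tok.strip().upper()
            if tok and tok not in INHERITANCE:
                rights |= EXPAND.get(tok, {tok})
    return rights


def parse_icacls(text):
    """Yield (path, principal, ace) from `icacls <path>` output. The first line
    of each object carries the path; indented continuation lines belong to it."""
    path = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Successfully processed"):
            continue
        if not line[0].isspace():
            path, _, rest = line.partition(" ")
        else:
            rest = line.strip()
        principal, sep, ace = rest.rpartition(":(")
        if sep and path:
            yield path, principal, "(" + ace


def check_osrs(text, **kw):
    """Return [(path, principal, excess_rights)] for general-user ACEs beyond the table."""
    policy, violations = osr_policy(**kw), []
    for path, principal, ace in parse_icacls(text):
        allowed = policy.get(path.lower())
        if allowed is None or principal.lower() not in GENERAL_USERS:
            continue
        excess = expand_rights(ace) - allowed
        if excess:
            violations.append((path, principal, sorted(excess)))
    return violations


# Constructed icacls output (not captured from a real host).
SAMPLE = r"""C:\WINNT BUILTIN\Administrators:(OI)(CI)(F)
         NT AUTHORITY\SYSTEM:(OI)(CI)(F)
         BUILTIN\Users:(OI)(CI)(RX)
         Everyone:(OI)(CI)(M)

C:\WINNT\repair BUILTIN\Administrators:(OI)(CI)(F)
                BUILTIN\Users:(RX)

C:\boot.ini BUILTIN\Administrators:(F)
            Everyone:(R)

Successfully processed 3 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for path, who, excess in check_osrs(SAMPLE):
        print(f"{path}: {who} holds {','.join(excess)} beyond the OSR table")
```

Objects not in the table, and principals other than the general-user groups, are ignored on purpose: the table only bounds general-user authority, and the privileged defaults noted above are acceptable.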
Microsoft .in&o/s7!""" 0latform @ IBM Global Services Information Security Controls for Embratel Guests account group an& not inclu&e& in any other groups Guests account group an& not inclu&e& in any other groups Guests account group an& not inclu&e& in any other groups AJ!2; <usiness 7se *otice (ecommended "ettin& )urrent "ettin& A&reed to "ettin& =ow im$lemented (eference *o ?es 6o &isplay a legal notice on your !""" system, use the %egistry E&itor to create or assign the follo/ing registry Cey values) =ive5 >NE?E,2C$,EM$C>I*E >e#5 LSoft/areLMicrosoftL.in&o/sLCurrent'ersionL 0oliciesLSystemL,egal*oticeCaption *ame5 ,egal*oticeCaption 2ata .#$e5 %EGESO 'alue5 -M<(A.-3 EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE =ive5 >NE?E,2C$,EM$C>I*E >e#5 LSoft/areLMicrosoftL.in&o/sLCurrent'ersionL 0oliciesLSystemL,egal*otice6eDt *ame5 ,egal*otice6eDt 2ata .#$e5 %EGESO 'alue5 ?-ste sistema destina-se a atender e@clusivamente aos $ro$Asitos e interesses da -m,ratel e nBo $oderC ser utiliDado $ara outras finalidades sem $rEvia e e@$ressa autoriDaFBo nesse sentido "eu uso indevido sujeitarC o infrator Gs sanFHes $revistas no Iuia de )onduta e na PolJtica de "e&uranFa da %nformaFBo vi&entes na -m,ratelK sem $rejuJDo da a$licaFBo das $enalidades civis e criminais ca,JveisL !)1)< ,o/ AJ!2M -ncr#$tion "#stem 'alue/Parameter (ecommended "ettin& )urrent "ettin& A&reed to "ettin& (eference See GS1<<1 # !)1)! 8 !)!)J for re5uirements criteria) >o/ implemente& /ill &epen& on the &ata transfer services in use in the particular environment) >o/ implemente& /ill &epen& on the &ata transfer services in use in the particular environment) !)!)J AJ2 =ealt6 )6ec+in& (e4uirement 2escri$tion Confirm that man&atory access control system options are as specifie& 'ali&ate- 0ass/or& settings in Section $=)1)!)! 
| Validate that only approved users hold security administrative and system authority | System & Security Administrative userids include accounts within the following groups, as well as any others locally defined or that ship with services/applications, which have privileges as defined in ITCS104 - 2.3: Administrators, Backup Operators, Power Users, Account Operators, Pre-Windows 2000 Compatible Access, Print Operators, Server Operators, Domain Admins, Enterprise Admins, Group Policy Creator Owners, Schema Admins |
| Check that all OSR access controls are set | Validate settings in Section A5.1.2.3. Verify that only approved users are included in the access lists of OSRs beyond that allowed to general users. Reference A5.1.2.3 |
| Ensure harmful code detection programs are installed and operational | Standard requirements apply |
| Check that the required access and activity logs data do exist | Validate security logs as per Section A5.1.2.1 |

A5.3 Process Controls

Anonymous FTP, Process for Receiving Files from Anonymous Users: Files that have been stored into a writeable directory must be examined (scanned for viruses, checked for Confidential information, checked for inappropriate material, etc.) before being moved to a readable directory.

A5.4 Process Exceptions

Protecting Resources - OSRs: In environments where the Provider of Service can guarantee that no userid is able to access the file & directory OSRs (non-registry OSRs), the file/directory permissions defined in the OSR table in section A5.1.2.3 need not be applied. One acceptable example of this would be an environment where both of the following apply:
- No general users are active at the NT Operating System layer (no shares are open to general users, users are not allowed to logon locally, etc)
- All Guest, IUSR_<system> and Anonymous userids have been disabled

IBM Global Services - Section Owner: DPE
"$ecial )onsiderations for t6is section5 %nformations a,out ?)urrent "ettin&sL for t6is a$$endi@ are documented in ot6ers documents for eac6 ?s#stemL li+e /M'"K .-3)OK "A"K etc N0 Microsoft .in&o/s7!""" 0latform + IBM Global Services Information Security Controls for Embratel 2ate (eviewed *ame/s0 of %ndividuals (eview )omments P6ransitionQ %obson Me&eiros 32S4 0rovi&e of informations for PCurrent 'aluesQ "J7"J7!""( ?anis Car&oso Stoyannis 3Embratel4 6emplate fille& /ith P$gree& to SettingQ "J7"J7!""( :Rbio %) BraMSo 3I76 Security4 6emplate fille& /ith P$gree& to SettingQ "@7!J7!""( 1ilson Mes5uita 3I76 Security4 Internal %evie/ "+7"<7!""( ?anis Car&oso Stoyannis 3Embratel4 :Rbio %) BraMSo 3I76 Security4 :inal %evie/