
IBM Global Services

Information Security Controls for Embratel


Fv_Offline/Fv_realtime Projeto Fraudview - Microsoft Windows 2000
Copyright IBM Corporation, 199, 2002 - All Rights Reserved
Version 4.2 - November 18, 2002
Version - Release Levels:
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Professional
AJ.1 System Setup
AJ.1.1 Initial System Setup
AJ.1.1.1 System Settings
System Value/Parameter | Recommended Setting | Current Setting | Agreed to Setting | Reference
Services | Disable all services not used. | Disable all services not used. | Disable all services not used.
AJ.1.1.2 Network Settings
System Settings | System Settings | System Settings | System Settings | System Settings | Priority | Responsible | Effort
TCP/IP Post Office Protocol (POP)
Post Office Protocol (POP) authentication | If activated, POP services must be configured to require users to authenticate. POP services that do not support authentication must be disabled. | TCP/IP Post Office Protocol (POP) is not allowed | 2.1.1 No IBM Done
TCP/IP Net News Transfer Protocol (NNTP)
Net News Transfer Protocol (NNTP) authentication & identification | If activated, must be configured to require authentication and identification of all users if any of the newsgroups on the server are classified confidential. | TCP/IP Net News Transfer Protocol (NNTP) is not allowed | 2.1.1 No IBM Done
Microsoft Windows/2000 Platform 1
TCP/IP X-Windows
X-Windows access control | Must not be disabled | Must not be disabled | 2.1.1 No IBM Done
TCP/IP REXD
REXD daemon | Must be disabled | Must be disabled | 2.1.1 No IBM Done
TCP/IP Anonymous FTP
Directories enabled for Anonymous FTP access | Access via anonymous FTP may be granted only to directories containing unclassified data. IBM confidential data is not permitted in directories accessible via Anonymous FTP. | Only PUBLIC (Internet and others) and INTERNAL (RCC) for Anonymous Access | 2.2.2 No IBM Done
Access permissions for directories accessible via Anonymous FTP | Each directory may allow read access or write access to anonymous users, but not both | Each directory may allow read access or write access to anonymous users, but not both | 2.2.3 No IBM Done
TCP/IP Trivial FTP (TFTP)
Directories enabled for TFTP (Trivial File Transfer Protocol) access AJ. | Access via TFTP may be granted only to directories containing unclassified data. IBM confidential data is not permitted in directories accessible via TFTP or any subdirectories of the directory. | TCP/IP Trivial FTP (TFTP) must be disabled | 2.2.2 No IBM Done
Denial of Service prevention
Internet Servers: Services to be disabled | ECHO, CHARGEN, FINGER, DISCARD, SYSSTAT, DAYTIME, NETSTAT, WHO | Services to be disabled on Internet Servers: ECHO, CHARGEN, FINGER, DISCARD, SYSSTAT, DAYTIME, NETSTAT, WHO | 3.6.1 No IBM Done
Services to be disabled if not required to support an application | ECHO, CHARGEN, RSTAT, TFTP, RWALL, RUSER, DISCARD, DAYTIME, BOOTPS, FINGER, SPRAYD, PCNFSD | Services to be disabled if not required to support an application: ECHO, CHARGEN, RSTAT, TFTP, RWALL, RUSER, DISCARD, DAYTIME, BOOTPS, FINGER, SPRAYD, PCNFSD | 3.6.1 No IBM Done
SNMP service | Community names of "public" and "private" are not permitted if the SNMP service is active. | Community names of "public" and "private" are not permitted if the SNMP service is active. | 3.6.1 No IBM Done
AJ.1.2 System Controls
AJ.1.2.1 Logging
System Value/Parameter | Recommended Setting | Current Setting | Agreed to Setting | Reference | Priority | Responsible | Effort
Audit Policy - minimum logging requirements:
Event Auditing enabled | No Auditing | Auditing enabled
Account logon events | Success & Failure | No Auditing | Success & Failure | 2.4.3 IBM Medium
Account management | Success & Failure | No Auditing | Success & Failure | 2.4.3 IBM Medium
Directory service access | Failure | No Auditing | Failure | 2.4.3 IBM Medium
Logon events | Success & Failure | No Auditing | Success & Failure | 2.4.1 IBM Medium
Object access | Failure | No Auditing | Failure | 2.4.2 & 2.4.3 IBM Medium
Policy change | Success & Failure | No Auditing | Success & Failure | 2.4.3 IBM Medium
Privilege use | Success & Failure | No Auditing | Success & Failure | 2.4.3 IBM Medium
Process Tracking | (not required to be set) | (not required to be set) | (not required to be set) | IBM Done
Failure | Failure | 2.4.3 IBM Done
Security logs retained | 60 days (minimum) | days | 60 days (minimum)
Backup Retention | 1 Year (6 backups) | 2.4 IBM Low
AJ.1.2.2 Identify and Authenticate Users
System Value/Parameter | Recommended Setting | Current Setting | Agreed to Setting | Reference | Priority | Responsible | Effort
Userids
Creating new userids | Set an initial password and force the user to change it. The check box "User Must Change Password at Next Logon" must be selected. | Set an initial password and force the user to change it. The check box "User Must Change Password at Next Logon" must be selected. | Set an initial password and force the user to change it. The check box "User Must Change Password at Next Logon" must be selected. | 2.1.1 IBM Done
"Password never expires"
Recommended Setting, Current Setting and Agreed to Setting (the same text in all three columns):
May not be enabled for any userids except on:
  Replicate
  Guest
  IUSR_<system> and IWAM_<system> user accounts created by Internet Information Server (IIS);
  User accounts that are only associated with a started process(es) and are set to "Disabled" status, so they can not be logged onto. (example: tmersrvd)
  User accounts that satisfy all of the following criteria:
    0. "Logon locally" user right is disabled
    1. Userid is not a member of the Administrators group
    2. All interactive login methods (FTP, telnet, rexec, SSH, etc) are disabled for the userid
2.1.1 IBM Done
Passwords - minimum required password-related policy settings
Enforce password history* | 4 passwords remembered | 0 passwords remembered | 6 passwords remembered | 2.1.2 IBM Low
Maximum password age | 186 days | 42 days | 60 days | 2.1.2 IBM Low
Minimum password length | 6 characters | 3 characters | 8 characters | 2.1.2 IBM Low
Store password using reversible encryption | Disabled | Disable | Disabled | 2.1.2 IBM Done
Account lockout threshold | 5 | 0 | 5 | 2.1.2 IBM Low
Account lockout duration | Forever | Not Defined | Forever | 2.1.2 IBM Low
AJ.1.2.3 Protecting Resources - OSRs
System Value/Parameter | Recommended Setting | Current Setting | Agreed to Setting | Reference
OSR | General user authority (Everyone, Users or equivalent group) -- maximum authority permitted | General user authority (Everyone, Users or equivalent group) -- maximum authority permitted | General user authority (Everyone, Users or equivalent group) -- maximum authority permitted | 2.4 IBM Done
%SystemRoot% | Read & Execute, List Folder Contents, Read | Read & Execute, List Folder Contents, Read | Read & Execute, List Folder Contents, Read | IBM Done
%SystemRoot%\Repair | no specific authorizations granted (normally implemented via omitting Everyone or Users groups from the ACL) | no specific authorizations granted (normally implemented via omitting Everyone or Users groups from the ACL) | no specific authorizations granted (normally implemented via omitting Everyone or Users groups from the ACL) | IBM Low
%SystemRoot%\System | Read & Execute, List Folder Contents, Read | Read & Execute, List Folder Contents, Read | Read & Execute, List Folder Contents, Read | IBM Done
%SystemRoot%\System32 | Read & Execute, List Folder Contents, Read | Read & Execute, List Folder Contents, Read | Read & Execute, List Folder Contents, Read | IBM Done
%SystemRoot%\System32\Config | List Folder / Read Data | List Folder / Read Data | List Folder / Read Data | IBM Done
%SystemRoot%\System32\Drivers | Read & Execute, List Folder Contents, Read | Read & Execute, List Folder Contents, Read | Read & Execute, List Folder Contents, Read | IBM Done
%SystemRoot%\System32\Spool | Read & Execute, List Folder Contents, Read | Read & Execute, List Folder Contents, Read | Read & Execute, List Folder Contents, Read | IBM Done
%SystemDrive%\Boot.Ini | Read | Read | Read | IBM Low
%SystemDrive%\NTDetect.Com | Read | Read | Read | IBM Low
%SystemDrive%\NTLDR | Read | Read | Read | IBM
%SystemDrive%\AutoExec.Bat | Read | Read | Read | IBM Low
%SystemDrive%\Config.Sys | Read | Read | Read | IBM Low
Certain privileged ids/groups (e.g. Server Operator, Power User, Print Operator, SYSTEM) are granted default permissions to some OSRs. These defaults are acceptable and need not be changed.
Registry Controls required on Windows Terminal Servers & WinFrame Servers:
hkey_classes_root | Maximum authorization allowed for Everyone or other general user groups such as Users & INTERACTIVE is Read | Maximum authorization allowed for Everyone or other general user groups such as Users & INTERACTIVE is Read
AJ.1.2.4 Protecting Resources - User Resources
System Value/Parameter | Recommended Setting | Current Setting | Agreed to Setting | Reference
Creating new user home directories
Recommended Setting, Current Setting and Agreed to Setting (the same text in all three columns):
At creation time, the home directory must be owned by the resource owner, and the maximum allowed permissions granted on the home directory to anyone other than the resource owner and administrators is:
  Traverse Folder / Execute File
  Read Attributes
  Read Permissions
2.2.3
Note: If home directories are designed with subdirectories under them such as a "public" folder or a folder for storing web pages that are readable by general users, the above permissions would be needed for users to traverse through and access the subdirectories. Otherwise granting no access to general users would be the more common approach for initial home directory permission settings set by the Provider of Service.
Guest account
If the Guest account is enabled, it must comply with the following:
  Only one ID of Guest allowed per domain
  No access to confidential data
  Listed only in the Guests and/or Domain Guests account group and not included in any other groups
Guest account Disable | Guest account Disable | 2.2.2
IUSR_<system> account
Recommended Setting, Current Setting and Agreed to Setting (the same text in all three columns):
If the IUSR_<system> account is enabled, it must comply with the following:
  No access to confidential data
  Listed only in the Guests and/or Domain Guests account group and not included in any other groups
2.2.2
AJ.1.2.5 Business Use Notice
Recommended Setting | Current Setting | Agreed to Setting | How implemented | Reference
No | Yes | To display a legal notice on your 2000 system, use the Registry Editor to create or assign the following registry key values.
Hive: HKEY_LOCAL_MACHINE
Key: \Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption
Name: LegalNoticeCaption
Data Type: REG_SZ
Value: EMBRATEL
_________________________________________________
Hive: HKEY_LOCAL_MACHINE
Key: \Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText
Name: LegalNoticeText
Data Type: REG_SZ
Value: “Este sistema destina-se a atender exclusivamente aos propósitos e interesses da Embratel e não poderá ser utilizado para outras finalidades sem prévia e expressa autorização nesse sentido. Seu uso indevido sujeitará o infrator às sanções previstas no Guia de Conduta e na Política de Segurança da Informação vigentes na Embratel, sem prejuízo da aplicação das penalidades civis e criminais cabíveis”
2.1.3
Low
AJ.1.2.6 Encryption
System Value/Parameter | Recommended Setting | Current Setting | Agreed to Setting | Reference
See GSD331 - 2.1.2 & 2.2.5 for requirements criteria. | How implemented will depend on the data transfer services in use in the particular environment. | How implemented will depend on the data transfer services in use in the particular environment. | 2.2.5
AJ.2 Health Checking
Requirement | Description
Confirm that mandatory access control system options are as specified | Validate: Password settings in Section AJ.1.2.2; Guest account restrictions in Section AJ.1.2.4
Validate that only approved users hold security administrative and system authority | System & Security Administrative userids include accounts within the following groups, as well as any others locally defined or that ship with services/applications, which have privileges as defined in ITCS204 - 2.3:
  Administrators
  Backup Operators
  Power Users
  Account Operators
  Pre-Windows 2000 Compatible Access
  Print Operators
  Server Operators
  Domain Admins
  Enterprise Admins
  Group Policy Creator Owners
  Schema Admins
Check that all OSR access controls are set: | Validate settings in Section AJ.1.2.3
Verify that only approved users are included in the access lists of OSRs beyond that allowed to general users. | Reference AJ.1.2.3
Ensure Harmful code detection programs are installed and operational | Standard requirements apply
Check that the required access and activity logs data do exist | Validate security logs as per Section AJ.1.2.1
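A health check for the password and audit rows of sections AJ.1.2.1 and AJ.1.2.2, as an added example that is not part of the original document: it parses the text of a `secedit /export` policy file and reports every value that misses the Agreed to Setting column. The secedit key names, the audit value encoding and the sample file are assumptions of the example, not text from this document.

```python
import configparser

# Agreed to Setting values from AJ.1.2.1 and AJ.1.2.2. The secedit key names and
# the audit encoding (0 none, 1 success, 2 failure, 3 both) are assumptions.
ACCESS_RULES = {
    "PasswordHistorySize": ("at least 6", lambda v: v >= 6),
    "MaximumPasswordAge": ("1 to 60 days", lambda v: 1 <= v <= 60),
    "MinimumPasswordLength": ("at least 8", lambda v: v >= 8),
    "ClearTextPassword": ("0 (disabled)", lambda v: v == 0),
    "LockoutBadCount": ("1 to 5 attempts", lambda v: 1 <= v <= 5),
    "LockoutDuration": ("-1 (forever)", lambda v: v == -1),
}
AUDIT_RULES = {
    "AuditAccountLogon": 3, "AuditAccountManage": 3, "AuditDSAccess": 2,
    "AuditLogonEvents": 3, "AuditObjectAccess": 2, "AuditPolicyChange": 3,
    "AuditPrivilegeUse": 3,
}
AUDIT_NAMES = {2: "failure", 3: "success and failure"}

# Constructed, abridged sample that mirrors the Current Setting column.
SAMPLE_CURRENT = """[System Access]
MinimumPasswordLength = 3
MaximumPasswordAge = 42
PasswordHistorySize = 0
ClearTextPassword = 0
LockoutBadCount = 0
[Event Audit]
AuditAccountLogon = 0
AuditLogonEvents = 0
"""

def check_policy(inf_text):
    """Return (key, found, wanted) for every setting that misses the baseline."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep the mixed-case key names
    cp.read_string(inf_text)
    def value(section, key):
        raw = cp.get(section, key, fallback=None)
        return None if raw is None else int(raw)
    findings = []
    for key, (wanted, ok) in ACCESS_RULES.items():
        v = value("System Access", key)
        if v is None or not ok(v):
            findings.append((key, "not defined" if v is None else v, wanted))
    for key, bits in AUDIT_RULES.items():
        v = value("Event Audit", key)
        if v is None or (v & bits) != bits:  # 3 also satisfies a failure-only row
            findings.append((key, "not defined" if v is None else v, AUDIT_NAMES[bits]))
    return findings
```

A real export is normally saved as UTF-16, so decode the file with that encoding before passing its text to `check_policy`.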
AJ.3 Process Controls
Anonymous FTP, Process for Receiving Files from Anonymous Users
Files that have been stored into a writeable directory must be examined (scanned for viruses, checked for Confidential information, checked for inappropriate material, etc.) before being moved to a readable directory.
AJ.4 Process Exceptions
Protecting Resources - OSRs
In environments where the Provider of Service can guarantee that no userid is able to access the file & directory OSRs (non-registry OSRs), the file/directory permissions defined in the OSR table in section AJ.1.2.3 need not be applied. One acceptable example of this would be an environment where both of the following apply:
  No general users are active at the NT Operating System layer (no shares are open to general users, users are not allowed to logon locally, etc)
  All Guest, IUSR_<system> and Anonymous userids have been disabled
IBM Global Services - Section Owner: DPE
Special Considerations for this section: Information about “Current Settings” for this appendix is documented in other documents for each “system”, such as (MVS, TELCO, SAS, etc.)
Date Reviewed | Name(s) of Individuals | Review Comments
“Transition” | Robson Medeiros (OS) | Provision of information for “Current Values”
05/05/2004 | Yanis Cardoso Stoyannis (Embratel) | Template filled with “Agreed to Setting”
05/05/2004 | Fábio R. Brazão (I/T Security) | Template filled with “Agreed to Setting”
06/25/2004 | Dilson Mesquita (I/T Security) | Internal Review
08/03/2004 | Yanis Cardoso Stoyannis (Embratel), Fábio R. Brazão (I/T Security) | Final Review
