WIN2K Checklist v2111 - Section 1 (MSE security offense and defense materials)
UNCLASSIFIED

WINDOWS 2000 SECURITY CHECKLIST
Version 2, Release 1.11
13 December 2002
DISA FIELD SECURITY OPERATIONS

Windows 2000 Security Checklist 2.1.11, Field Security Operations, Section 1, Defense Information Systems Agency

TABLE OF CONTENTS

Record of Changes ........................................................ v
1 Introduction ........................................................... 1-1
1.1 Authority ............................................................ 1-1
1.2 Organization of the Checklist ........................................ 1-1
1.3 Supported Versions of Windows 2000 ................................... 1-2
1.4 Document Effective Date .............................................. 1-2
1.5 Windows 2000 Professional and Member Server .......................... 1-3
1.6 ACL Deviations ....................................................... 1-3
1.7 Gold Standard ........................................................ 1-3
1.8 Review Method ........................................................ 1-3
1.9 Referenced Documents ................................................. 1-3
2 SRR Result Report ...................................................... 2-1
3 System Administrator/ISSO Interview Questions .......................... 3-1
4 Command Script Check Procedures ........................................ 4-1
5 Manual System Check Procedures ......................................... 5-1
Appendix A Object Permissions ............................................ A-1
Appendix B IAVM Compliance ............................................... B-1
Appendix C SRR Command Scripts ........................................... C-1
Appendix D Password Strength Verification Standard Operating Procedures .. D-1

RECORD OF CHANGES

This appendix summarizes the changes made to this document.

Version 2.1.11, December 13, 2002
All Sections: Changed the version numbers. Updated dates accordingly.
Section 1: Added paragraph 1.1, Authority, to reference DoDD 8500.1. Removed reference for DoDD 5200.28 and added DoDD 8500.1. Updated references to the NT/WIN2K Addendum.
Section 2: Added check for IAVM 2002-B-0007. Modified details field for account lockout findings. Added item to details field for 5.4.6.34, Halt on Audit Failure.
Section 3: Removed references for DoDD 5200.28. Updated references to the NT/WIN2K Addendum.
Section 5: Modified Section 5.4.6.34, Halt On Audit Failure, to change requirements. Added Section 5.13, ORACLE Security Checks. Removed references for DoDD 5200.28. Updated references to the NT/WIN2K Addendum.
Appendix B: Added check for IAVM 2002-B-0007.

Version 2.1.10, October 25, 2002
All Sections: Changed the version numbers. Updated dates accordingly. General updates to wording and added additional explanations. Introduced the concept of Future Checks, where new checks are marked to identify them as becoming active in the near future. This will give sites a grace period prior to being held responsible for new checks in an SRR.
Section 2: Added check for IAVM 2002-B-0004. Added totals by category at end of section.
Section 3: Added note about the Future Check label. Added Section 3.10, System Configuration Changes (Future Check). Added Section 3.11, Unencrypted Remote Access (Future Check). Added Section 3.12, Intrusion Detection (Future Check).
Section 5: Added note about the Future Check label. Changed Section 5.2.1, Service Packs, to require Service Pack 3 as the minimum level. Added Section 5.3.2.8, Auto Updates Service (Future Check). Added Section 5.3.2.9, Background Intelligent Transfer Service (BITS) Service (Future Check). Added Section 5.3.3, File Shares (Future Check). Added Section 5.7.1.8, Decoy Administrator Account Not Disabled (Future Check). Added Section 5.12.1, Weak Passwords (Future Check).
Appendix B: Added check for IAVM 2002-B-0004.

Version 2.1.9, September 27, 2002
All Sections: Changed the version numbers. Updated dates accordingly.
Section 2: Changed wording for the cached profiles PDI. Added checks for IAVMs 2002-A-0003, 2002-B-0002, and 2002-T-0013.
Section 5: Changed Section 5.3.2.2, Schedule, to remove the requirement to run under a local account. Changed to include new PDI wording. Changed Section 5.4.6.19, Caching of Logon Credentials, to conform to Gold Standard requirements. Changed Section 5.2.7.1 to conform to the Gold Standard's minimum log size setting for workstations. Changed Section 5.4.10.3, Registry Key Auditing, to conform to Gold Standard requirements. Changed Section 5.4.11.2, File and Directory Auditing, to conform to Gold Standard requirements.
Appendix A: Added check for ACL settings on the AT.EXE program to conform to Gold Standard requirements.
Appendix B: Added checks for IAVMs 2002-A-0003, 2002-B-0002, and 2002-T-0013.

Version 2.1.8, August 23, 2002
All Sections: Changed the version numbers. Updated dates accordingly.
Section 2: Added Platinum Icons for two additional checks, 5.4.6.5 and 5.4.6.6. Removed the Platinum Icon for 5.4.6.1.
Section 5: Added Platinum Icons for two additional checks, 5.4.6.5 and 5.4.6.6. Removed the Platinum Icon for 5.4.6.1.
Appendix B: Added IAVMs for 2002-A-SNMP-005, 2002-A-SNMP-006, and 2002-B-001. Updated IAVMs related to Office 97 to require upgrading to a supported version of Office.

Version 2.1.7, July 26, 2002
All Sections: Changed the version numbers. Updated dates accordingly.
Section 4: Updated for the new SRRDB asset information requirements. Added the pop-up box for the new MQSeries checks.
Appendix A: Corrected the location for the SystemRoot\debug\UserMode directory.
Appendix B: Modified the criteria for checking IAVM 1999-T-0007. Added a note requiring the use of the Microsoft uninstall function for removing Internet Explorer from a box.

Version 2.1.6, June 28, 2002
All Sections: Changed the version numbers. Updated dates accordingly.
Section 1: Updated reference for Guide to Securing Microsoft Windows 2000 Group Policy: Security Configuration Tool Set.
Section 2: Removed check for Server service being disabled. Expanded the MQSeries checks. Added indicators to identify potentially false SRR script findings.
Section 5: Removed check for Server service being disabled (5.3.2.4). Expanded the MQSeries checks (5.10.1 through 5.10.8). Added indicators to identify potentially false SRR script findings.
Appendix A: Modified permissions for the SystemDirectory to conform to the NSA WIN2K Guides. Added a note about exceptions to recommended settings.

Version 2.1.5, May 24, 2002
All Sections: Changed the version numbers. Updated dates accordingly.
Section 1: Added reference for DOD 5200.28.
Section 2: Added IAVM notices IAVA 2002-T-0007 and IAVA 2002-A-0002. Removed superseded IAVM notice 2001-A-0010.
Section 3: Added references to DOD 5200.28.
Section 5: Added references to DOD 5200.28.
Appendix B: Updated IAVM notices with IAVA 2002-T-0007 and IAVA 2002-A-0002. Removed superseded IAVM notice 2001-A-0010.
Appendix D: Password Strength Verification. Modified text to clarify the contents of the output files.

Version 2.1.4, April 26, 2002
All Sections: Changed the version numbers. Updated dates accordingly. Added Unclassified markings.
Section 1: Changed date and version of NSA NT Guide.
Section 2: Added IAVM notices IAVA 2002-T-0003 and IAVA 2002-A-SNMP-003. Added symbols to identify Platinum Standard items.
Section 3: Added notes to checks for CMOS password, ERD, and SCM. Added symbols to identify Platinum Standard items.
Section 5: Added symbols to identify Platinum Standard items.
Appendix B: Updated IAVM notices with IAVA 2002-T-0003 and IAVA 2002-A-SNMP-003.

Version 2.1.3, March 29, 2002
All Sections: Changed the version numbers. Updated dates accordingly.
Section 2: Added IAVM notice IAVA 2002-T-0001. Removed IAVM notices IAVA 2001-A-0001 and 2001-T-0014.
Appendix B: Updated IAVM notices with IAVA 2002-T-0001. Removed IAVM notices IAVA 2001-A-0001 and 2001-T-0014.
Appendix D: Added Password Strength Verification Procedures for running the password verification tool.

Version 2.1.2
Section 1: Changed version.
Section 2: Updated to reflect changes in Sections 3, 4, and 5.
Section 3: Updated to add check for AD backup.
Section 4: Rewrote to give procedures for running WinBatch SRR Scripts.
Section 5: Added additional checks to conform with the final versions of the NSA WIN2K guides. Added password policy exception data for DISANET boxes.
Appendix A: Added and replaced checks to conform with draft NSA Guidance.
Appendix B: Updated IAVM checks.
Appendix C: Updated to reflect the new WinBatch script executable and utility routines.

Version 2.1.1
Revised Version Numbering.
Section 1: Changed version. Added Record of Changes.
Section 5: Updated item 5.3.2.6; added a note on a procedure for checking the date of anti-virus signature files. Updated item 5.8.1.1 to say that anonymous logon did not apply to dedicated FTP servers that are outside the protected perimeter.
Appendix B: Added checks for new IAVAs.
Appendix D: Removed.
All Sections: Removed FOUO markings.

1 INTRODUCTION

1.1 Authority

Sites are required to secure the Microsoft Windows 2000 operating system in accordance with DOD Directive 8500.1, Section 4.18 and related footnote. The checks in this document were developed from DISA and NSA guidelines specified in the above reference.

1.2 Organization of the Checklist

The Windows 2000 Security Checklist is composed of five major sections and four appendices. The organizational breakdown proceeds as follows:

Section 1, Introduction: This section contains summary information about the sections and appendices that comprise the Windows 2000 Security Checklist and defines its scope. Supporting documents consulted are listed in this section.

Section 2, SRR Result Report: This section is the matrix that allows the reviewer to document vulnerabilities discovered during the SRR process. The entries in this table, sorted by Potential Discrepancy Item (PDI), are mapped to procedures referenced by paragraph number in Sections 3 and 5.

Section 3, System Administrator/ISSO Interview Questions: This section contains the administrative issues that are discussed between the reviewer and the System Administrator or the Information Systems Security Officer (ISSO). The interview outlined in this section may be performed independent of the technical review discussed in Sections 4 and 5.

Section 4, Script Check Procedures: This section documents the procedures that instruct the reviewer on how to perform an SRR using the automated scripts and to interpret the script output for vulnerabilities. Each procedure maps to a PDI tabulated in Section 2.

Section 5, Manual System Check Procedures: This section documents the procedures that instruct the reviewer on how to perform an SRR manually and to interpret the program output for vulnerabilities. Each procedure maps to a PDI tabulated in Section 2.

Appendix A, Object Permissions: This appendix documents the allowed Access Control Lists (ACLs) for file and registry objects. The tables contained in this section are referenced in Sections 4 and 5.

Appendix B, Information Assurance Vulnerability Management (IAVM) Compliance: This appendix contains checks for IAVM compliance to be done against a Windows 2000 machine.

Appendix C, SRR Scripts: This appendix documents the WinBatch scripts used to perform an SRR. The scripts documented here are referenced in Section 4.

Appendix D, NT Password Strength Verification Standard Operating Procedures: This appendix documents the procedures for using the John the Ripper password integrity utility.

1.3 Supported Versions of Windows 2000

The vulnerabilities discussed in Section 2 of this document are applicable to all versions of Windows 2000. To reduce the complexity of the manual procedures, however, these sections are designed around the Windows 2000 desktop.

1.4 Document Effective Date

This document is current as of December 13, 2002. All STIG and IAVM compliance requirements on or before this date are to be in compliance with the STIG and IAVM notices (Bulletin and Technical Advisories). Any STIG and IAVM updates after this date are strongly suggested but will not be checked for compliance until this document has been updated to reflect these new requirements. This document will be updated by the end of each month, provided that updates are required.

1.5 Windows 2000 Professional and Member Server

This document is designed to instruct the reviewer on how to assess both the Professional and Member Server configurations in a Windows NT 4 domain. In addition, the security settings recommended can also be used to configure Group Policy in a Windows 2000 Active Directory environment.

1.6 ACL Deviations

The Access Control Lists (ACLs) on a system under review may differ from the recommendations specified in Appendix A. If the reviewed ACL is more restrictive, or if an equivalent user group is identified, there is no problem. If a specific application requires less restrictive settings, these must be documented with the site ISSO.

1.7 Gold Standard

The Gold Standard is the minimum level of security configuration that a system must meet in order to be connected to the network. The Platinum Standard is the security level that must be reached to achieve certification and accreditation. This checklist measures a system's security configuration against the Platinum Standard. To distinguish configuration settings that are required to meet Platinum level standards, a symbol will appear next to that item.

1.8 Review Method

To perform a successful Security Readiness Review (SRR), this document provides two methods to assess vulnerabilities on a Windows 2000 operating system: WinBatch SRR scripts and manual procedures. These methods need to be performed in this sequence as resources are available. The manual procedures should be performed if the SRR scripts are not available, if they are not permitted, or if there is a discrepancy in the tools' reporting.

1.9 Referenced Documents

The following table enumerates the documents and resources consulted.

Date              Document                 Description
22 October 2002   DOD Directive 8500.1     Information Assur
