




UNCLASSIFIED
Windows 2000 Security Checklist 2.1.11, Section 2
Field Security Operations, Defense Information Systems Agency
Category I / Category II / Category III / Category IV

SECTION 2

UNCLASSIFIED UNTIL FILLED IN

CIRCLE ONE:
FOR OFFICIAL USE ONLY (mark each page)
CONFIDENTIAL and SECRET (mark each page and each finding)

Classification is based on classification of system reviewed:
Unclassified System = FOUO Checklist
Confidential System = CONFIDENTIAL Checklist
Secret System = SECRET Checklist
Top Secret System = SECRET Checklist

2.1 SRR Result Report

Reviewer:
Date:
System:
Finding Totals: Category I, Category II, Category III, Category IV, Total
Comments:

2.2 Site Information

Site:
System Administrator Information: Name, E-mail Address, Phone (Commercial), DSN
ISSO Information: Name, E-mail Address, Phone (Commercial), DSN

2.3 System Information

Asset Name:
Domain / Standalone:
Asset Description:
Registered in VCTS:
VCTS Asset ID:
TCP/IP Address(es):
DHCP:
Hardware: Make/Model, Manufacturer, Barcode, Serial No.
System Location (building/room):
System Classification: UNCLASSIFIED, SECRET, CONFIDENTIAL, TOP SECRET
Operating System(s) used on this system: Windows 2000 Server, Windows 2000 Advanced Server, Windows 2000 Professional, Other
System Role: Domain Controller (DC), Member Server, Workstation, Standalone System
System Workload: DMS Server, DMS Workstation, Exchange Mail Server, CD-ROM Server, Dial-in Server, Web Server, Other

A next to a check indicates a Platinum Standard item. A symbol appearing on a check indicates that the SRR script may return a false finding. Refer to the corresponding item in section 5 of the checklist for additional information.

2.4 Finding Details

Columns: Procedure, Section Headings, Finding Information (Man/Script, Status, Details), PDI Information (PDI, Description, Cat). Status for each item is one of: Finding, Not a Finding, Not Applicable, Not Reviewed.

Vulnerability is only partially evaluated through this procedure. The manual procedures will be required to provide completeness.

| Procedure | Section | Details | PDI | Description | Cat |
|---|---|---|---|---|---|
| 3.01 | Admin | | 1.001 | Physical security of the Windows NT Server/Workstation does not meet DISA requirements | II |
| 3.02 | Admin | Administrators use the built-in administrator account. Personal administrator accounts are not maintained. Administrators don't have separate accounts for normal user tasks. A list of all users belonging to the Administrator's group and any other group with special privileges is not maintained. | 1.006 | Users with Administrative privilege are not documented or do not have separate accounts for administrative duties and normal operational tasks | II |
| 3.03 | Admin | Users who are members of the Backup Operators group do not have separate accounts for normal operational tasks | 1.007 | Members of the Backup Operators group do not have separate accounts for backup duties and normal operational tasks | II |
| 3.04 | Admin | The following shared accounts exist on the local system: | 1.008 | Shared user accounts permitted on the system are not documented and justified | II |
| 3.05 | Admin | An Auditor's group whose members can view and archive the Security Event Log has not been created | 1.010 | Access to the Windows NT Security Event Log has not been restricted to an Auditors group | II |
| 3.06 | Admin | The CMOS allows booting off floppy or CD-ROM devices. The CMOS is not password protected. | 1.012 | The CMOS configuration does not conform to DISA requirements | III |
| 3.07 | Admin | Emergency system recovery data is not routinely maintained. Emergency system recovery data is not stored in a secure location. | 1.013 | Emergency Repair Disk(s) (ERD) or System information backups are not created, updated and protected according to DISA requirements | III |
| 3.08 | Admin | The Microsoft Security Configuration Tool Set is not used for securing WIN2K platforms | 1.016 | The Microsoft Security Configuration Manager (SCM) is not being used to configure platforms to C2 compliance | III |
| 3.09 | Admin | The Active Directory is not being backed up daily as part of the regular backup process (WIN2K domains only) | 1.023 | The Active Directory is not being backed up according to DISA requirements | II |
| 5.02.1 | Expl | Service Pack is installed. No service pack is installed. | 2.005 | The required Windows 2000 service pack is not installed | II |
| 5.02.2 | Expl | The DOS directory exists on the partition | 2.002 | The DOS directory exists | II |
| 5.02.3 | Expl | The following files supporting the OS/2 subsystem exist: OS2.EXE, OS2SRV.EXE, OS2SS.EXE | 2.003 | OS/2 subsystem file components are installed | II |
| 5.02.4 | Expl | The following files supporting the POSIX subsystem exist: POSIX.EXE, PSXDLL.DLL, PSXSS.EXE | 2.004 | POSIX subsystem file components are installed | II |
| 5.02.5 | Expl | The required file does not exist | 2.009 | The current approved DLL for strong password filtering is not installed | II |
| 5.02.6 | Expl | Share permissions are not properly set for the following printers: | 3.027 | Printer share permissions are not configured as recommended | III |
| 5.03.1 | CMC | The following volumes are not formatted using NTFS: | 2.008 | Local volumes are not formatted using NTFS | I |
| 5.03.2.1 | CMC | The service is still active | 5.008 | Remote Shell Service is not disabled | II |
| 5.03.2.2 | CMC | The service is not required and not disabled | 5.009 | The Task Scheduler service is either not controlled or not disabled | II |
| 5.03.2.3 | CMC | The service is still active | 5.010 | Simple TCP/IP Services are not disabled | II |
| 5.03.2.5 | CMC | The service is not disabled. The service is running as the user ____ | 5.012 | The Browser service on a workstation has not been disabled | III |
| 5.03.2.6 | CMC | Virus protection software is not installed. The following virus protection software used that is not sponsored by DISA is listed as follows: | 5.007 | An approved DISA virus scan program is not used and/or updated | I |
| 5.03.2.7 | CMC | The service is not disabled. The service is running as the user ____ | 5.013 | The Telnet service has not been disabled | II |
| 5.04.01.1 | MMC | The local system requires users to change passwords after ____ days | 4.011 | Maximum password age does not meet minimum requirements | II |
| 5.04.01.2 | MMC | The local system allows users to change passwords in ____ days | 4.012 | Minimum password age does not meet minimum requirements | II |
| 5.04.01.3 | MMC | The local system requires passwords to be at least ____ characters in length | 4.013 | Minimum password length does not meet minimum requirements | II |
| 5.04.01.4 | MMC | The local system is configured to remember ____ passwords | 4.014 | Password uniqueness does not meet minimum requirements | II |
| 5.04.01.5 | MMC | The EnPasFlt or PPE password filter is not installed. The password policy "Passwords must meet complexity requirements" is enabled when the above filters are installed. | 3.028 | Strong password filtering is not enabled | II |
| 5.04.01.6 | MMC | Password policy "Store password using reversible encryption for all users in the domain" is not set to disabled | 3.057 | Reversible password encryption is not disabled | II |
| 5.04.02.1 | MMC | The local system will allow ____ consecutive bad logons before locking down the account | 4.002 | The number of allowed bad logon attempts does not meet minimum requirements | II |
| 5.04.02.2 | MMC | The bad logon counter is reset after ____ minutes | 4.003 | Time before the bad logon counter is reset does not meet minimum requirements | II |
| 5.04.02.3 | MMC | The lockout duration is specified to be ____ minutes | 4.004 | Lockout duration does not meet minimum requirements | II |
| 5.04.03.1 | MMC | The Kerberos policy option "Enforce user logon restrictions" is not set to enabled (Domain Controllers only) | 4.029 | Kerberos user logon restrictions are not enforced | II |
| 5.04.03.2 | MMC | The Kerberos policy option "Maximum lifetime for service ticket" is not set to a maximum of 600 minutes or less. It is set to ____ minutes (Domain Controllers only) | 4.030 | Kerberos service ticket maximum lifetime does not meet minimum standards | II |
| 5.04.03.3 | MMC | The Kerberos policy option "Maximum lifetime for user ticket" is not set to a maximum of 10 hours or less. It is set to ____ hours (Domain Controllers only) | 4.031 | Kerberos user ticket maximum lifetime does not meet minimum standards | II |
| 5.04.03.4 | MMC | The Kerberos policy option "Maximum lifetime for user ticket renewal" is not set to a maximum of 7 days or less. It is set to ____ days (Domain Controllers only) | 4.032 | Kerberos user ticket renewal maximum lifetime does not meet minimum standards | II |
| 5.04.03.5 | MMC | The Kerberos policy option "Maximum tolerance for computer clock synchronization" is not set to a maximum of 5 minutes or less. It is set to ____ minutes (Domain Controllers only) | 4.033 | Computer clock synchronization tolerance does not meet minimum standards | II |
| 5.04.04.1 | MMC | System level auditing is not enabled | 4.007 | Auditing is not enabled | II |
| 5.04.04.2 | MMC | System level auditing is not enabled. The following events are not audited: | 4.008 | System auditing configuration does not meet minimum requirements | II |
| 5.04.05.1 | MMC | Discrepancies between the checklist and the local system are listed as follows: | 4.010 | User and advanced user rights settings do not meet minimum requirements | II |
| 5.04.05.2 | MMC | The Guests group is not denied this user right | 4.025 | Guests group is not denied the right to "Access this computer from the network" | I |
| 5.04.05.3 | MMC | The Guests group is not denied this user right | 4.026 | Guests Group is not denied the right to "Log on Locally" | II |
| 5.04.05.4 | MMC | The following user and user groups are assigned this privilege: | 4.009 | Unauthorized users are granted right to "Act as part of the operating system" | I |
| 5.04.06.01 | MMC | The Security Options value is set to ____ | 3.018 | Anonymous shares are not restricted | I |
| 5.04.06.02 | MMC | The Security Options value is set to ____ | 3.007 | The system allows shutdown from the logon dialog box | IV |
| 5.04.06.03 | MMC | The Security Options value is set to ____ | 3.052 | Ejection of removable NTFS media is not restricted to Administrators | II |
| 5.04.06.04 | MMC | The Security Options value is set to ____ | 4.028 | The amount of idle time before disconnecting an SMB session is improperly set | III |
| 5.04.06.05 | MMC | The Security Options value is set to ____ | 3.053 | Global system objects are not audited | III |
| 5.04.06.06 | MMC | The Security Options value is set to ____ | 3.016 | Auditing use of backup rights is not enabled | II |
| 5.04.06.07 | MMC | The Security Options value is set to Local setting | 4.006 | Users are not forcibly disconnected when logon hours expire | III |
| 5.04.06.08 | MMC | The Security Options value is set to ____ | 3.003 | System pagefile is not cleared upon shutdown | II |
| 5.04.06.09 | MMC | No screen saver is configured. The timeout value is specified as ____ minutes. The Password protected option is not enabled. | 3.006 | Default user configuration is not set with a password protected screen saver | II |
| 5.04.06.10 | MMC | The Security Options value is set to ____ | 3.045 | The Windows 2000 SMB client is not enabled to perform SMB packet signing when possible | II |
| 5.04.06.11 | MMC | The Security Options value is set to ____ | 3.046 | The Windows 2000 SMB server is not enabled to perform SMB packet signing when possible | II |
| 5.04.06.12 | MMC | Domain Controllers only. The Security Options value is set to ____ | 3.058 | The Server Operators group can schedule tasks | II |
| 5.04.06.13 | MMC | The Security Options value is set to ____ | 3.032 | The Ctrl+Alt+Del security attention sequence is Disabled | II |
| 5.04.06.14 | MMC | The Security Options value is set to ____ | 3.059 | The system is configured to autoplay removable media | III |
| 5.04.06.15 | MMC | The Security Options value is set to ____ | 3.014 | The option to delete cached roaming profiles is not enabled | III |
| 5.04.06.16 | MMC | The Security Options value is set to ____ | 3.017 | Strong password filtering is not enabled | II |