
UNCLASSIFIED

WINDOWS 2000 SECURITY CHECKLIST
Version 2, Release 1.11
13 December 2002

DISA FIELD SECURITY OPERATIONS

Windows 2000 Security Checklist 2.1.11
Field Security Operations, Section 1
Defense Information Systems Agency


TABLE OF CONTENTS

Record of Changes ............................................................ v
1   Introduction ............................................................ 1-1
1.1 Authority ............................................................... 1-1
1.2 Organization of the Checklist ........................................... 1-1
1.3 Supported Versions of Windows 2000 ...................................... 1-2
1.4 Document Effective Date ................................................. 1-2
1.5 Windows 2000 Professional and Member Server ............................. 1-3
1.6 ACL Deviations .......................................................... 1-3
1.7 Gold Standard ........................................................... 1-3
1.8 Review Method ........................................................... 1-3
1.9 Referenced Documents .................................................... 1-3
2   SRR Result Report ....................................................... 2-1
3   System Administrator/ISSO Interview Questions ........................... 3-1
4   Command-Script Check Procedures ......................................... 4-1
5   Manual System Check Procedures .......................................... 5-1
Appendix A: Object Permissions .............................................. A-1
Appendix B: IAVM Compliance ................................................. B-1
Appendix C: SRR Command-Scripts ............................................. C-1
Appendix D: Password Strength Verification - Standard Operating Procedures .. D-1


RECORD OF CHANGES

This appendix summarizes the changes made to this document.

Version 2.1.11, December 13, 2002

All Sections: Changed the version numbers. Updated dates accordingly.
Section 1: Added paragraph 1.1 Authority to reference DoDD 8500.1. Removed reference for DoDD 5200.28 and added DoDD 8500.1. Updated references to the NT/WIN2K Addendum.
Section 2: Added check for IAVM 2002-B-0007. Modified details field for account lockout findings. Added item to details field for Halt on Audit Failure.
Section 3: Removed references for DoDD 5200.28. Updated references to the NT/WIN2K Addendum.
Section 5: Modified the Halt On Audit Failure section to change requirements. Added Section 5.13 "ORACLE Security Checks". Removed references for DoDD 5200.28. Updated references to the NT/WIN2K Addendum.
Appendix B: Added check for IAVM 2002-B-0007.

Version 2.1.10, October 25, 2002

All Sections: Changed the version numbers. Updated dates accordingly. General updates to wording and added additional explanations. Introduced the concept of "Future Checks": checks which are now marked to identify them as becoming active in the near future. This gives sites a grace period prior to being held responsible for new checks in an SRR.
Section 2: Added check for IAVM 2002-B-0004. Added totals by category at end of section.
Section 3: Added note about the "Future Check" label. Added Section 3.10 "System Configuration Changes (Future Check)". Added Section 3.11 "Unencrypted Remote Access (Future Check)". Added Section 3.12 "Intrusion Detection (Future Check)".
Section 5: Added note about the "Future Check" label. Changed section 5.2.1, "Service Packs", to require Service Pack 3 as the minimum level. Added Section "Auto Updates Service (Future Check)". Added Section "Background Intelligent Transfer Service (BITS) Service (Future Check)". Added Section 5.3.3 "File Shares (Future Check)". Added Section "Decoy Administrator Account Not Disabled (Future Check)". Added Section 5.12.1 "Weak Passwords (Future Check)".
Appendix B: Added check for IAVM 2002-B-0004.

Version 2.1.9, September 27, 2002

All Sections: Changed the version numbers. Updated dates accordingly.
Section 2: Changed wording for cached profiles PDI. Added checks for IAVMs 2002-A-0003, 2002-B-0002 and 2002-T-0013.
Section 5: Changed section "Schedule" to remove the requirement to run under a local account; changed to include new PDI wording. Changed section 9, "Caching of Logon Credentials", to conform to Gold Standard requirements. Changed the log size section to conform to the Gold Standard's minimum log size setting for workstations. Changed section "Registry Key Auditing" to conform to Gold Standard requirements. Changed section "File and Directory Auditing" to conform to Gold Standard requirements.
Appendix A: Added check for ACL settings on the AT.EXE program to conform to Gold Standard requirements.
Appendix B: Added checks for IAVMs 2002-A-0003, 2002-B-0002 and 2002-T-0013.

Version 2.1.8, August 23, 2002

All Sections: Changed the version numbers. Updated dates accordingly.
Section 2: Added Platinum Icons for two additional checks. Removed the Platinum Icon for one check.
Section 5: Added Platinum Icons for two additional checks. Removed the Platinum Icon for one check.
Appendix B: Added IAVMs for 2002-A-SNMP-005, 2002-A-SNMP-006, 2002-B-001. Updated IAVMs related to Office 97 to require upgrading to a supported version of Office.

Version 2.1.7, July 26, 2002

All Sections: Changed the version numbers. Updated dates accordingly.
Section 4: Updated for the new SRRDB asset information requirements. Added the pop-up box for the new MQSeries checks.
Appendix A: Corrected the location for the %SystemRoot%\debug\UserMode directory.
Appendix B: Modified the criteria for checking IAVM 1999-T-0007. Added a note requiring the use of the Microsoft uninstall function for removing Internet Explorer from a box.

Version 2.1.6, June 28, 2002

All Sections: Changed the version numbers. Updated dates accordingly.
Section 1: Updated reference for Guide to Securing Microsoft Windows 2000 Group Policy: Security Configuration Tool Set.
Section 2: Removed check for Server service being disabled. Expanded the MQSeries checks. Added indicators to identify potentially false SRR script findings.
Section 5: Removed check for Server service being disabled. Expanded the MQSeries checks. Added indicators to identify potentially false SRR script findings.
Appendix A: Modified permissions for the %SystemDirectory% to conform to the NSA WIN2K Guides. Added a note about exceptions to recommended settings.

Version 2.1.5, May 24, 2002

All Sections: Changed the version numbers. Updated dates accordingly.
Section 1: Added reference for DOD 5200.28.
Section 2: Added IAVM notices IAVA 2002-T-0007 and IAVA 2002-A-0002. Removed superseded IAVM notice 2001-A-0010.
Section 3: Added references to DOD 5200.28.
Section 5: Added references to DOD 5200.28.
Appendix B: Updated IAVM notices with IAVA 2002-T-0007 and IAVA 2002-A-0002. Removed superseded IAVM notice 2001-A-0010.
Appendix D: Password Strength Verification. Modified text to clarify the contents of the output files.

Version 2.1.4, April 26, 2002

All Sections: Changed the version numbers. Updated dates accordingly. Added "Unclassified" markings.
Section 1: Changed date and version of NSA NT Guide.
Section 2: Added IAVM notices IAVA 2002-T-0003 and IAVA 2002-A-SNMP-003. Added symbols to identify Platinum-Standard items.
Section 3: Added notes to checks for CMOS password, ERD, and SCM. Added symbols to identify Platinum-Standard items.
Section 5: Added symbols to identify Platinum-Standard items.
Appendix B: Updated IAVM notices with IAVA 2002-T-0003 and IAVA 2002-A-SNMP-003.

Version 2.1.3, March 29, 2002

All Sections: Changed the version numbers. Updated dates accordingly.
Section 2: Added IAVM notice IAVA 2002-T-0001. Removed IAVM notices IAVA 2001-A-0001 and 2001-T-0014.
Appendix B: Updated IAVM notices with IAVA 2002-T-0001. Removed IAVM notices IAVA 2001-A-0001 and 2001-T-0014.
Appendix D: Added Password Strength Verification: procedures for running the password verification tool.

Version 2.1.2

Section 1: Changed version.
Section 2: Updated to reflect changes in Sections 3, 4 and 5.
Section 3: Updated to add check for AD backup.
Section 4: Rewrote to give procedures for running WinBatch SRR Scripts.
Section 5: Added additional checks to conform with the final versions of the NSA WIN2K guides. Added password policy exception data for DISANET boxes.
Appendix A: Added and replaced checks to conform with draft NSA Guidance.
Appendix B: Updated IAVM checks.
Appendix C: Updated to reflect the new WinBatch script executable and utility routines.

Version 2.1.1 (Revised Version Numbering)

Section 1: Changed version. Added Record of Changes.
Section 5: Updated item to add a note on a procedure for checking the date of antivirus signature files. Updated item to say that anonymous logon did not apply to dedicated FTP servers that are outside the protected perimeter.
Appendix B: Added checks for new IAVAs.
Appendix D: Removed.
All Sections: Removed FOUO markings.


1 INTRODUCTION

1.1 Authority

Sites are required to secure the Microsoft Windows 2000 operating system in accordance with DOD Directive 8500.1, Section 4.18 (and related footnote). The checks in this document were developed from the DISA and NSA guidelines specified in the above reference.

1.2 Organization of the Checklist

The Windows 2000 Security Checklist is composed of five major sections and four appendices. The organizational breakdown proceeds as follows:

Section 1, Introduction: This section contains summary information about the sections and appendices that comprise the Windows 2000 Security Checklist, and defines its scope. Supporting documents consulted are listed in this section.

Section 2, SRR Result Report: This section is the matrix that allows the reviewer to document vulnerabilities discovered during the SRR process. The entries in this table, sorted by Potential Discrepancy Item (PDI), are mapped to procedures referenced by paragraph number in Sections 3 and 5.

Section 3, System Administrator/ISSO Interview Questions: This section contains the administrative issues that are discussed between the reviewer and the System Administrator or the Information Systems Security Officer (ISSO). The interview outlined in this section may be performed independently of the technical review discussed in Sections 4 and 5.

Section 4, Script Check Procedures: This section documents the procedures that instruct the reviewer on how to perform an SRR using the automated scripts, and how to interpret the script output for vulnerabilities. Each procedure maps to a PDI tabulated in Section 2.

Section 5, Manual System Check Procedures: This section documents the procedures that instruct the reviewer on how to perform an SRR manually, and how to interpret the program output for vulnerabilities. Each procedure maps to a PDI tabulated in Section 2.

Appendix A, Object Permissions: This appendix documents the allowed Access Control Lists (ACLs) for file and registry objects. The tables contained in this section are referenced in Sections 4 and 5.

Appendix B, Information Assurance Vulnerability Management (IAVM) Compliance: This appendix contains checks for IAVM compliance to be done against a Windows 2000 machine.

Appendix C, SRR Scripts: This appendix documents the WinBatch scripts used to perform an SRR. The scripts documented here are referenced in Section 4.

Appendix D, NT Password Strength Verification - Standard Operating Procedures: This appendix documents the procedures for using the "John the Ripper" password integrity utility.

1.3 Supported Versions of Windows 2000

The vulnerabilities discussed in Section 2 of this document are applicable to all versions of Windows 2000. To reduce the complexity of the manual procedures, however, these sections are designed around the Windows 2000 desktop.

1.4 Document Effective Date

This document is current as of December 13, 2002. All STIG and IAVM compliance requirements dated on or before this date are to be in compliance with the STIG and the IAVM Notices, Bulletins, and Technical Advisories. Any STIG and IAVM updates after this date are strongly suggested, but will not be checked for compliance until this document has been updated to reflect these new requirements. This document will be updated by the end of each month, provided that updates are required.

1.5 Windows 2000 Professional and Member Server

This document is designed to instruct the reviewer on how to assess both the Professional and Member Server configurations in a Windows NT 4 domain. In addition, the security settings recommended can also be used to configure Group Policy in a Windows 2000 Active Directory environment.

1.6 ACL Deviations

The Access Control Lists (ACLs) on a system under review may differ from the recommendations specified in Appendix A. If the reviewed ACL is more restrictive, or if an equivalent user group is identified, there is no problem. If a specific application requires less restrictive settings, these must be documented with the site ISSO.

1.7 Gold Standard

The Gold Standard is the minimum level of security configuration that a system must meet in order to be connected to the network. The Platinum Standard is the security level that must be reached to achieve certification and accreditation. This checklist measures a system configuration against the Platinum Standard. To distinguish configuration settings that are required to meet Platinum level standards, a symbol will appear next to that item.

1.8 Review Method

To perform a successful Security Readiness Review (SRR), this document provides two methods to assess vulnerabilities on a Windows 2000 operating system: WinBatch SRR scripts and manual procedures. These methods need to be performed in this sequence, as resources are available. The manual procedures should be performed if the SRR scripts are not available, if they are not permitted, or if there is a discrepancy in the tool's reporting.

1.9 Referenced Documents

The following table enumerates the documents and resources consulted:

Date               Document Description
22 October 2002    DOD Directive 8500.1, Information Assurance (IA)
26 November 2002   Addendum to the NSA Gu
