Computer Security and Control Objectives

List of Control Objectives

Please find enclosed several control objectives that should help meet the minimum level of security and control of a computer network.

A. Desktop

The user should be required to sign on to their computer with a user id and password.
The password for any server other than the personal computer should not be stored on the personal computer in any file in any format.
Directory and files on the personal computer should be restricted to authorized users only.
A legal notice should be displayed to inform the user of the sensitive nature of the information and their responsibility to keep it safe.
The last authenticated user should not be displayed on the sign on screen.
A system policy should be in place that prevents the sharing of resources on the local Windows 95 workstation.
A user policy should be applied to the Domain Users group, which removes any common icon groups from the Start Menu.
A standard security and control configuration should be established and approved by management.
The enforcement of the standard configuration should be controlled by a network management product through periodic inventory control.
Standard applications should be established to reduce the errors and omissions that occur when supporting multiple end user configurations. In addition, the establishment of a standard application environment on the desktop should reduce the support and maintenance effort required.
For the best overall security the Windows NT 4.0 workstation operating system should be the recommended standard.

B. File Servers

Should be physically secured
Corporate authentication standards should be met
    Challenge Handshake Authentication Protocol (CHAP)
    Password length of at least 8 characters
    Password aging of 30 days
    Password minimum age of 1 day
    Password construction of a mixture of alpha and numeric characters
    Password history file is established
    Invalid sign on attempts of 3 with the user account being locked after reaching this threshold
    Reset invalid sign on attempts after 1440 (one day)
    Lockout duration 3 days
    Lock out of user accounts for inactivity
    Re-evaluation of a user's privileges when a user's job status changes
Corporate authorization standards should be met
    Guest account should be disabled
    Administration user account should be protected by passprop (resource kit) which will force the Administrator account to lock up after the same number of invalid attempts as any normal user. The difference is that even in this case the Administrator account can still sign on at the system console.
    Everyone group should have restricted directory access
    All other users and groups should only have the directory and file permissions required by their job responsibilities
    NTFS should be installed
    All group accounts should only have valid users as their members
    All user rights should be restricted to users that require this level of responsibility for their job function.
    Trusted Domains should be used sparingly
    All services should be removed unless required to operate the server
    Configure the protocol bindings between TCP/IP, NetBIOS, Server and Workstation services. By removing the bindings between NetBIOS and TCP/IP, the native file sharing services will not be accessible via TCP/IP and hence the Internet. These and other NetBIOS services will still be accessible via a local LAN-specific, non-routable protocol (ex: NetBEUI).
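Added example (not part of the original list): a Python check that compares the output of the Windows "net accounts" command against the numeric authentication standards listed earlier in section B (length, aging, history, lockout). The sample output is constructed, and treating a stricter value as passing is an assumption of this example; password construction and inactivity lockout are not reported by that command and are not checked.

```python
import re

# Required values come from the section B authentication standards.
# Assumption of this example: a setting stricter than the standard passes.
STANDARD = {
    "Minimum password length": (">=", 8),
    "Maximum password age (days)": ("<=", 30),
    "Minimum password age (days)": (">=", 1),
    "Length of password history maintained": (">=", 1),  # history is kept
    "Lockout threshold": ("<=", 3),
    "Lockout observation window (minutes)": (">=", 1440),  # one day
    "Lockout duration (minutes)": (">=", 3 * 24 * 60),     # 3 days
}

LINE = re.compile(r"^(?P<label>[^:]+?):\s+(?P<value>\S.*?)\s*$")

# Constructed sample in the layout printed by `net accounts`.
SAMPLE = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              8
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        SERVER
The command completed successfully.
"""


def parse_net_accounts(text):
    """Return {label: raw value} for every 'label: value' line."""
    settings = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            settings[m.group("label")] = m.group("value")
    return settings


def check_policy(text):
    """Return (label, actual, required) for each setting below the standard."""
    settings = parse_net_accounts(text)
    findings = []
    for label, (op, required) in STANDARD.items():
        raw = settings.get(label, "missing")
        if raw.isdigit():
            value = int(raw)
            # For upper bounds, 0 would mean "disabled", so require >= 1.
            ok = value >= required if op == ">=" else 1 <= value <= required
        else:
            # "None", "Never", "Unlimited" or missing: flag for review.
            ok = False
        if not ok:
            findings.append((label, raw, f"{op} {required}"))
    return findings


if __name__ == "__main__":
    for label, actual, required in check_policy(SAMPLE):
        print(f"FAIL {label}: found {actual}, standard requires {required}")
```
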
Corporate accountability standards should be met
    Adequate audit trails should be established for:
        Logon and logoffs
        File and object access
        User and group management
        Security policy changes
Change control
    All changes to the operating environment should be properly tested and documented
Backup
    An adequate backup schedule should be established
    Backup files should be stored in a secured off-site location
Contingency planning
    An adequate contingency plan that allows the file server and the associated applications to be restored within a reasonable time frame (determined by a risk analysis and management approval).
Service Packs
    Ensure that there is a mechanism to ensure that all devices including the File Server have the latest patches/service pack.

C. LAN & WAN

Information that travels over the network should be classified as to a level of sensitivity. Based on this classification the network transmission should not permit the transfer of clear text sensitive data. This would include:
    Passwords
    Legal documents
    Data that is protected by state or federal law
Where possible sensitive data transfer should be protected by using one of the following:
    CHAP - for user id and password authentication
    Secured hubs
    Encryption
    Cisco's IPSec technology
Redundancy should be built into the network to allow for uninterrupted network services.
Vendor access should be clearly defined and controlled.
    Secured sign on
    Audit trail of activity
    No administration rights on the production server
    No generic passwords (individual accountability)
Controls should be in place to prevent session hi-jacking.

D. Network Components

All network components should meet the following control objectives:
    Secured authentication (CHAP) for remote administration
    Proper security configuration
        SNMP alarms
        Access Control List (ACLs) if appropriate
    Audit trail of configuration changes
    Change control for configuration changes
        Testing
        Backup copy
    Secured dialup access (CHAP) if present
    Physically secured to prevent theft or unauthorized access

E. Firewall

The installed firewall(s) should meet the following control objectives:
    Secured authentication (CHAP) for remote administration
    Restricted list of users that can administrate the firewall
    Proper security configuration
        Rules
        Self security checks such as Tripwire
    Audit trails of configuration changes
    Change control for configuration changes
        Testing
        Backup copy
    Operational configuration
        Connection tracking
        Prevention of IP Spoofing and denial of service attacks
        Prevention of access to host computers by IP address
        Restriction to only required services
        Single point of network entry
        Violation reporting of unauthorized users
        Real time alerts of security breaches

F. Proxy

The installed proxy(ies) should meet the following control objectives:
    Secured authentication (CHAP) for remote administration
    Restricted list of users that administrate the proxy
    Proper security configuration
        Rules
        Self security checks such as Tripwire
    Audit trails of configuration changes
    Change control for configuration changes
        Testing
        Backup copy
    Operational configuration
        Connection tracking
        Prevention of IP Spoofing
        Prevention of access to host computers by IP address
        Restriction to only required services
        Blocking unwanted sites

F. Remote Communication Server

Secured administration authentication process (CHAP)
Secured user authentication process (CHAP)
Should meet the authentication standards of the organization
Should be physically secured
Should contain audit trails of changes to configuration
Change control for configuration changes

G. Single Sign On

The bank should implement, if at all possible, a single sign on solution for end users
CiscoSecure may have the capability to meet this objective

H. Host Access

All host access should use a secure authentication process (CHAP)
All host access should meet the authentication standards of the Bank
Only authorized users should have access to host applications
All host access should contain an adequate audit trail by user of their activities on the host.

I. Change Control

The bank should establish an adequate change control policy for the complete production environment. This would include the separation of the following environments:
    Development
    Test (Quality Assurance)
    Production
Testing standards should be developed to ensure that any change is adequately tested and that proper test coverage is completed prior to the movement to the production environment.

J. Incident Reporting

An incident reporting system should be established for all production:
    Outages
    Problems
The incident reporting system should track both the problem and the resolution of the problem.

K. Physical Security

All computers and components should have an inventory control number
A database of each component's location should be established
Any critical component should be physically secured

L. Contingency Planning

A risk analysis to determine the following risk factors should be completed:
    Sensitivity Risk
        Sensitive data
        Data protected by laws
    Criticality Risk
        Availability of data and the impact to the Bank

M. Dynamic Alarms

Alarms should be established to determine the following:
    Changes to any security configuration for any device
    Attacks
        Insider
        Outsider
Trend analysis should be used by collecting the audit files and looking for suspicious activity
REAL Secure is a product that can be configured to check for certain types of attacks.

N. Audit Reporting

Adequate audit reports need to be designed into each device to allow for the complete and proper review of the current configuration evolution process. Audit reporting should be dynamic on sensitive devices and manual on others. Tailored reports may be required to meet audit objectives which include but are not limited to:
    Access control reports
        Who accessed what, when, including Internet access
    Integrity reports that demonstrate that any process or change to a process was properly tested to ensure that it only performs the activity required by its function.
    Output control
        Who receives what report(s) that are sensitive?
        How are spools controlled to prevent unauthorized users from seeing or changing sensitive reports?
    Audit trails of any change to the network by delineating the who, why, when, what was changed on a specific device.
The Axent product may provide many of the audit and security reports for the NT, Novell, and Unix environments.

Key Audit and Security Reports
    Daily Attack Report - a daily report of any suspicious internal or external attack.
    Daily violation report - This report should be a compilation of all violation attempts to any network device. This report should be available for review if requested by Auditing. The daily review of this report would be the responsibility of the Security Administrator or System/Network Administrator.
    Daily change log - This report should be a compilation of all changes to the devices within the network
    Daily incident report - This report would indicate any operational problems that occur with the network. This would include all of the network devices and their operational status. A timely resolution report with appropriate solution sets should follow or be included as part of the report.

O. Security Certification

A secured configuration base should be established for each device and the system should automatically identify any new device.
Any new device would be immediately interrogated to ensure that it meets the minimum security and control requirements of the Bank

P. Port Filtering

A complete listing of all ports that are listening should be compiled
Using a port listening tool to accomplish this task, any unnecessary port should be turned off.
This tool should be run on a scheduled basis
Port filtering should be installed for sensitive listening programs

IIS

Ensure that there is limited administration access to maintain the IIS servers
Ensure that any special services running on the server are required
Ensure that proper authentication standards are being met for system administration to the server
Ensure that all maintenance activity is properly recorded
Ensure that any configuration changes are properly tested and approved
Ensure that the proper sheets for configuration are established
Property Sheets
    Service - the following services should be set
        Connection Timeout
        Maximum Connections
        Anonymous Logon
            Username
            Password
        Password Authentication
            Allow Anonymous
            Windows NT Challenge/Response
    Directories
        Directories allowed
        Enable Default Document
        Directory Browsing Allowed
        When adding a new directory you can Edit Properties which allows you to set:
            Alias
            Account Information - User Name & Password
            Virtual Server
            Access Rights
                Read
                Execute
                Secured Socket Layer (SSL)
    Logging
        Enable Logging
        Log To File Automatically
        Log to SQL/ODBC DBMS
        Log file directory
        Log file name
    Advanced
        Access
        IP Address
        Subnet Mask
        Limit Network Use by all Internet Services on this computer
Backup files should be secured if sensitive data such as encrypted passwords are on the files.

Q. Microsoft's Exchange

Exchange Security
    Using NT security as its basis.
Advanced Security
    Signing - This technique uses a digital signature on a message to certify the message's origin.
    Sealing (Encryption) - This process scrambles the contents of a message to make it difficult for anyone without a decryption key to read it.
You can configure advanced security settings for clients by opening the Options menu and clicking the Security tab.
Security Options
    Encrypt Message Contents and Attachments
    Add Digital Signature to Message
    Logoff Security
        Turns off password prompt
    Set Up Advanced Security
Permissions
    Mailbox Permission
        More than one user account can have permission on a mailbox
    Public Folder Permission
        Permission to access a public folder can be granted by the owner of a public folder.
    Directory Permissions
        Permissions to use the directory are granted to Windows NT user accounts.
Auditing
    All audited events are recorded in NT's Event Log.

R. Gateways

Ensure that there is limited administration access to maintain these servers
Ensure that any special services running on the server are required
Ensure that proper authentication standards are being met for system administration to the server
Ensure that all maintenance activity is properly recorded
Ensure that any configuration changes are properly tested and approved
Ensure that any connection logging does not record the user id and password of the connection in clear text. If it does, ensure that these passwords are encrypted or removed from the log file.
Backup files should be secured if sensitive data such as encrypted passwords are on the files.

S. Directory Servers

Ensure that there is limited administration access to maintain these servers.
Ensure that any special services running on the server are required
Ensure that proper authentication standards are being met for system administration to the server
Ensure that all maintenance activity is properly recorded
Ensure that any configuration changes are properly tested and approved

T. SQL/Server

A risk analysis to determine where the sensitive data is located should be performed
All default user ids and passwords should be changed
Limit the number of Database administrators
Ensure that users only have access to tables that are required by their job responsibilities
Ensure that users only have the privileges to these tables based on their job responsibilities
Ensure that all direct connect programs are authorized to perform the connect
Ensure that all direct connect programs meet the authentication standards of the Bank
Ensure that all connections to the database provide the actual user id that is performing the activity/transaction to allow for a proper audit trail.
    No generic user ids and passwords
    No public defined access
    Meets authentication standards

U. H.P. OpenView

Security/Operational alarms/reports should be established such as:
    Complete network diagram of logical components with addresses and contact points
    Alarms of violation attacks for network components
    Alarms for network errors to help ensure the reliability of the network
    Alarms for personal computer configuration changes
    Alarms for changes within the network
End-to-end management of all components of a business process including application and operating system software, database and transaction systems, servers and mainframes, and wide area and local network elements should be monitored as a unit.
Service level agreements should be established to help to meet user's expectations.
Any RMON, RMON-2 devices should be used to track and troubleshoot the network components. These devices, if independent, should be properly secured by conforming to the authentication standards of the Bank
Multiple levels of reports based on the availability of available products such as the SMS, Optivity, HP-OpenView, and CiscoWorks should be established using the Web technology for secured browsing. This would allow for event correlation and de-duplication of events.
The use of these platforms for software distribution and inventory services as well as file, print, and user administration functions.

V. Optivity

SNMP alarms established to notify security of any attacks

W. System Management Server (SMS)

Ensure that SMS is set to provide inventory control of the desktop
Ensure that the remote control mode is properly secured
Ensure that remote administration of the user's registries is properly secured to authorized administrators only.
Ensure that proper audit reports are generated for the distribution of software to the workstations.

X. ActiveX and Java

ActiveX should be discouraged if possible. If not, third party products to protect the ActiveX execution.
Products such as Finjan, which inspect the ActiveX and Java contents at the Internet gateway level.
Other products such as Digitivity detect incoming applets and then upload a proxy applet to the user rather than the original applet. Then, the proxy connects with the company's CageServer product, which runs the Java applets. This means whenever a user downloads an applet from the Web, the code is diverted to a separate server instead of going to the user.
Another company, Security-7 Software, makes a product called SafeGate, which performs real-time analysis of Java and ActiveX.
As a minimum the browser should be set to allow for the following checks:
    Byte code verification
    Class loader
    Java security manager
    Digital signatures and Certificate Authority

Y. Viruses

A comprehensive virus detection system should be in place to include:
    Email attachments
    New files/programs on the desktop
    New files/programs on the server

Z.

In all of this there should be a clear security policy that delineates management's objectives for the Bank. This policy would be the driving force to establish detailed procedures and guidelines for the operational staff.
A code of conduct should be available and signed by each employee, which will delineate their security responsibilities including the use of the Internet.

AA. Other products that may aid in the security and control of the network

Site Scan - Monitors environment equipment: air conditioning, UPS's battery, Halon
Missing Link - Monitors IPX traffic for the Novell file servers connected to the LAN
BMC - Is a database monitoring tool that reports performance on database queries.

BB. System Administration

All activity to any network device by any administrator should be tracked in an audit file.

CC. Other products already recommended by Kevin

Our preliminary review of the network design by Kevin Kasperek takes into consideration many of the security and control issues facing the industry today. His overall design is quite sound and insightful on the issues of security and control. His solution for VPNs and Internet traffic appears to meet many of the control concerns that are present with the use of Internet access.
Internet Scanner Toolset - is an excellent set of programs that will identify vulnerabilities within the Bank's networked environment. These tools should be run on a periodic basis, including each time a major change is concluded within the environment.