System Security Policy Management: Advanced Audit Tasks

Transcription

1 System Security Policy Management: Advanced Audit Tasks White Paper October 6, Altiris Inc. All rights reserved.

2 ABOUT ALTIRIS Altiris, Inc. is a pioneer of IT lifecycle management software that allows IT organizations to easily manage desktops, notebooks, thin clients, handhelds, industry-standard servers, and heterogeneous software including Windows, Linux, and UNIX. Altiris automates and simplifies IT projects throughout the life of an asset to reduce the cost and complexity of management. Altiris client and mobile, service and asset, server and infrastructure, and security and compliance management solutions natively integrate via a common Web-based console and repository. For more information, visit NOTICE The content in this document represents the current view of Altiris as of the date of publication. Because Altiris responds continually to changing market conditions, this document should not be interpreted as a commitment on the part of Altiris. Altiris cannot guarantee the accuracy of any information presented after the date of publication. Copyright 2005, Altiris, Inc. All rights reserved. Altiris, Inc. 588 West 400 South Lindon, UT Phone: (801) Fax: (801) BootWorks U.S. Patent No. 5,764,593. RapiDeploy U.S. Patent No. 6,144,992. Altiris, BootWorks, Inventory Solution, PC Transplant, RapiDeploy, and RapidInstall are registered trademarks of Altiris, Inc. in the United States. Carbon Copy is a registered trademark licensed to Altiris, Inc. in the United States and a registered trademark of Altiris, Inc. in other countries. Microsoft, Windows, and the Windows logo are trademarks, or registered trademarks of Microsoft Corporation in the United States and/or other countries. Other brands and names are the property of their respective owners. Information in this document is subject to change without notice. For the latest documentation, visit

3 CONTENTS Introduction... 1 Advanced Audit Tasks... 2 Industry Best-practices System Security Policy 2 Patch Management 2 Identification of Unauthorized Hardware and Software 2 Additional Audit Checks / Actions Needed for Comprehensive System Security... 3 USERS 3 ADMINISTRATOR ACCOUNTS 4 SYSTEM 5 FILES 6 IDENTIFY SOFTWARE OR SERVICES 7 IDENTIFY HARDWARE 8

4

5 INTRODUCTION This white paper details the components necessary to achieve comprehensive system security. Specifically, it illustrates many types of audit checks/actions that are critical to maintaining good system security, but are above and beyond implementing an industry best-practices system security policy, patch management solution, and unauthorized hardware/software identification protocol. System Security Policy Management: Advanced Audit Tasks > 1

6 ADVANCED AUDIT TASKS Industry Best-practices System Security Policy System security policies typically consist of a base security policy such as SANS, NIST, NSA, Microsoft, or other industry standard best practices system security policies. These industry best practices system security policies address users and groups, registry settings, privileges, passwords, rights, and other system security settings. Most companies edit the base industry best practices policy to meet their own corporate standards by changing, deleting or adding certain system setting audit and compliance rules. Some companies create their own system security policies, but even those usually draw from industry best practice security policies. Patch Management In addition to the base system security policy, software patches need to be checked for most recent revisions and critical updates. Given the high frequency of new patch releases and the time-consuming process required to manually research each patch, it is almost impossible for companies to ensure ongoing system security compliance without the aid of an automated tool. Identification of Unauthorized Hardware and Software All organizations have a long list of unauthorized hardware and software that is critical to maintaining compliance with their corporate system security policy. Identifying and removing unauthorized hardware and software is critical to managing security risks because both could function as security vulnerabilities if exploited by a malicious user. 2 < System Security Policy Management: Advanced Audit Tasks

7 ADDITIONAL AUDIT CHECKS / ACTIONS NEEDED FOR COMPREHENSIVE SYSTEM SECURITY USERS Show all users with default, blank, weak or expired passwords. Check for login activity. Find user accounts that have not been used in <n> days. Ensure user logins are disabled after a period of inactivity. Identify disabled or locked out accounts. Ensure guest accounts are disabled. Check Microsoft Internet Explorer settings against policy. Disable running Java applets in Internet Explorer. Ensure screen saver is password protected. Identify and delete cached roaming profiles. Ensure recycle bin is configured to remove files immediately upon deletion. Ensure anonymous, guest, and default login IDs are renamed, deleted, disabled or use strong authentication. Ensure login IDs are disabled after three consecutive failed login attempts. Run against L0phtcrack to check for weak passwords. If weak passwords are found and not corrected, this presents a security risk. Ensure users whose status has changed are not logging in. Ensure all active employees are logging in. Ensure temporary user accounts are not available and/or old accounts are no longer in existence. Ensure old accounts are no longer in existence. Identify accounts that may have been attacked. Guest accounts are open points of attack because they often have well-known passwords. If not properly configured, Microsoft Internet Explorer introduces many vulnerabilities. Java applets can be vulnerable to attack. If not, a logged in system is vulnerable when the user is away from it. Cached roaming profiles can be used to log in when not connected to the network. If not, sensitive data that was meant to be deleted is left in the recycle bin and therefore accessible. These login IDs are vulnerable because they often use shared or well-known passwords. Prevent password guessing attacks. System Security Policy Management: Advanced Audit Tasks > 3

8 ADMINISTRATOR ACCOUNTS List existing administrator accounts. Rename administrator accounts. Ensure administrator account password has been changed in the last <n> days. View of all administrator accounts to understand magnitude of access rights. If the administrator account uses the default name, an attacker knows it. Decrease chance of a password cracking tool compromising an administrator account. Decrease useful life of a compromised password. Check for rogue administrator accounts. Ensure event log is tracking particular events. Ensure all activities performed by privileged IDs or roots are logged. Eliminate administrator accounts that are suspect.are disabled after a period of inactivity. Log information may be needed for investigation or repair of security incidents. These accounts have high privilege and therefore all account activities must be tracked. 4 < System Security Policy Management: Advanced Audit Tasks

9 SYSTEM Drive should have at least 10% free. System should have at least two drives configured. Make sure disk space is available for smooth operation. Many systems separate the OS drive from the application and data drive. System programs are kept in a secure file system and protected from inappropriate use. Ensure system is member of the appropriate domain. Ensure workstation, diskette, hard drive, and other drives are not shared. Ensure Network Monitor Agent is not installed. Ensure time service is installed and running. Ensure OS is not configured to auto-start executables on CDs or diskettes upon introduction to reader device. Ensure all servers or devices configured to serve multiple entities are not being used as personal workstations. Domains serve as the basis for all access control. If any of these are shared, they can be compromised over the network. The system should not be allowed to sniff packets on the network. Proper time should be maintained by the system clock for software licenses and time-based authentication products. Prevent unintentional use of program on CDs or diskettes. Servers should not be used as personal users systems and/or desktops should not be shared to prevent the unintentional or unauthorized sharing of sensitive files. System Security Policy Management: Advanced Audit Tasks > 5

10 FILES Show all variations of a worm or virus. Show all files with a given list of owners. Show all files with the following owner having access rights (permissions). Monitor access control list (ACL) to track who has access to particular files. Check for NTFS versus FAT file systems. Check for encrypted file system files (EFS). Identify presence of the file in order to delete or disable. Identify files on all systems owned by a particular user(s). This is particularly important if a user s status changes or if a user is suspected of inappropriate activity. Identify files on all systems where a particular user(s) has access rights. This is particularly important if a user s status changes or if a user is suspected of inappropriate activity. Important for the identification of unauthorized users who have access to critical files. NTFS provides access controls and is a more stable and secure file system than FAT. Make sure encryption policy is followed. This can mean data is required to be encrypted or data is required NOT to be encrypted. 6 < System Security Policy Management: Advanced Audit Tasks

11 IDENTIFY SOFTWARE OR SERVICES Ensure virus detection software is on and at the latest version and definition. If virus detection software is not on, then detection and correction will not occur. If not the latest virus detection version, then ineffective virus detection. Time of last full antivirus run and result. Check for Kazaa downloader. Check for Instant Messaging. Check for P2P file-sharing programs. Check for FTP services. Check for MP3 player. Check for media player activities. Check for spyware and malware. Check for personal firewall. Ensure UPS or backup software is installed and running on servers. Report all services activated by particular software. Ensure Web servers (IIS, Apache, iplanet, WebSphere) are secure. Check for Sendmail. Ensure virus scanning is occurring to proactively detect problems. Prevent unauthorized work activities and unnecessary bandwidth utilization. Insecure or archived communications create vulnerabilities. Open up desktop and file access to a wide audience (desktop sharing, collaboration, etc.). FTP services can function as an unauthorized file transfer portal on an individual system. Prevent unauthorized work activities and unnecessary bandwidth utilization. Prevent unauthorized work activities and unnecessary bandwidth utilization. Identify and eliminate programs that are tracking activities on systems by looking for particular files, programs, or services. Identify systems with or without personal firewalls, per corporate security policy. Ensure critical servers are protected in the event of a power outage. Certain services are required for a server s mission and must be running; services not required utilize resources and may introduce vulnerabilities. Remove vulnerabilities introduced by default server configuration settings and included sample Web applications. The UNIX mail service is often started by default and has many vulnerabilities. System Security Policy Management: Advanced Audit Tasks > 7

12 IDENTIFY HARDWARE Check for PDA software to identify who has a PDA. Check for modem. Check for wireless access network interface card (NIC). Check for wireless devices connected in a promiscuous manner. Check for enabled USB drives. List hardware component attributes. Unauthorized PDAs allow data out to be taken out of corporate control. Unauthorized modems present easy entry access, especially with auto-answer set to on. Unauthorized wireless communication devices allow for easy entry access, especially if WEP is not turned on. Run a scan for open channels. Wireless devices, such as b NIC, open up wireless access entry points. Identify and disable USB drivers. This prevents unauthorized copying of files on secured servers that do not have floppy or CD drives. Check for system operational attributes such as processor, memory, system utilization, etc. 8 < System Security Policy Management: Advanced Audit Tasks