Symantec Enterprise Security Manager Policy Manual for Visa Cardholder Information Security Program (CISP) For Windows

Transcription

1 Symantec Enterprise Security Manager Policy Manual for Visa Cardholder Information Security Program (CISP) For Windows

2 Symantec Enterprise Security Manager Policy Manual for Visa Cardholder Information Security Program (CISP) The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement Copyright Notice Portions Copyright 2004 Visa U.S.A. Inc. All Rights reserved. All information that is made available by Visa is the copyrighted work of Visa U.S.A. Inc. and is owned and reprinted with permission, and is provided AS-IS with NO WARRANTY. Use of the Symantec ESM policy for Visa CISP does not constitute compliance with merchant obligations under the Visa CISP program. Please visit cisp for full information on the Visa CISP program and compliance requirements. Symantec ESM and the Symantec ESM policy for Visa CISP have not been tested by Visa and are not endorsed by Visa. Copyright 2004 Symantec Corporation. Any technical documentation that is made available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by Symantec Corporation. NO WARRANTY. The technical documentation is being delivered to you AS-IS and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the technical documentation or the information contained therein is at the risk of the user. Documentation may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice. No part of this publication may be copied without the express written permission of Symantec Corporation, Stevens Creek Blvd., Cupertino, CA Trademarks Symantec, the Symantec logo, and LiveUpdate, are U.S. registered trademarks of Symantec Corporation. Symantec Enterprise Security Manager and Symantec Security Response are trademarks of Symantec Corporation. Microsoft, MS-DOS, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Visa is a registered trademark of Visa in the United States and other countries. Other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are hereby acknowledged. Printed in the United States of America.

3 3 Technical support Licensing and registration Contacting Technical Support As part of Symantec Security Response, the Symantec Global Technical Support group maintains support centers throughout the world. Technical Support s primary role is to respond to specific questions on product features and the function, installation, and configuration, as well as to author content for the Knowledge Base. Technical Support collaborates with the other areas within Symantec to answer your questions in a timely fashion. Symantec Technical Support offers: A range of support options that gives you the flexibility to select the right amount of service for any size organization Telephone and Web support components that provide rapid response and up-to-the-minute information Upgrade insurance that delivers automatic software upgrade protection Content updates for virus definitions and security signatures that ensure the highest level of protection Global support from Symantec Security Response experts, which is available 24 hours a day, 7 days a week, worldwide, in a variety of languages Advanced features, such as the Symantec Alerting Service and Technical Account Manager role, that offer enhanced response and proactive security support Please visit our Web site for current information on support programs. The specific features that are available may vary based on the level of support purchased and the specific product that you are using. If the product that you are implementing requires registration and/or a license key, the fastest and easiest way to register your service is to go to the Symantec licensing and registration site at: You can also go to: Select the product that you wish to register. From the Product Home Page, select the Licensing and Registration link. Customers with a current support agreement may contact Technical Support by phone or online at:

4 4 Customers with Platinum support agreements may contact Platinum Technical Support at: www-secure.symantec.com/platinum/ When contacting the Technical Support group, please have the following information available: Product release level Hardware information Available memory, disk space, NIC information Operating system Version and patch level Network topology Router, gateway, and IP address information Problem description Error messages/log files Troubleshooting performed prior to contacting Symantec Recent software configuration changes and/or network changes Customer Service To contact Enterprise Customer Service online, go to select the Global Site for your country, then choose Service and Support. Customer Service is available to assist with the following types of issues: Questions regarding product licensing or serialization Product registration updates such as address or name changes General product information (features, language availability, local vendors) Latest information on product updates and upgrades Information on upgrade insurance and maintenance contracts Information on Symantec Value License program Advice on Symantec's technical support options Nontechnical presales questions Missing or defective CD-ROMs or manuals

5 Symantec Software License Agreement Symantec Enterprise Security Manager SYMANTEC CORPORATION AND/OR ITS SUBSIDIARIES ( SYMANTEC ) IS WILLING TO LICENSE THE SOFTWARE TO YOU AS AN INDIVIDUAL, THE COMPANY, OR THE LEGAL ENTITY THAT WILL BE UTILIZING THE SOFTWARE (REFERENCED BELOW AS YOU OR YOUR ) ONLY ON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS OF THIS LICENSE AGREEMENT. READ THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT CAREFULLY BEFORE USING THE SOFTWARE. THIS IS A LEGAL AND ENFORCEABLE CONTRACT BETWEEN YOU AND THE LICENSOR. BY OPENING THIS PACKAGE, BREAKING THE SEAL, CLICKING THE AGREE OR YES BUTTON OR OTHERWISE INDICATING ASSENT ELECTRONICALLY, OR LOADING THE SOFTWARE, YOU AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO THESE TERMS AND CONDITIONS, CLICK THE I DO NOT AGREE OR NO BUTTON OR OTHERWISE INDICATE REFUSAL AND MAKE NO FURTHER USE OF THE SOFTWARE. 1. License: The software and documentation that accompanies this license (collectively the Software ) is the proprietary property of Symantec or its licensors and is protected by copyright law. While Symantec continues to own the Software, You will have certain rights to use the Software after Your acceptance of this license. This license governs any releases, revisions, or enhancements to the Software that the Licensor may furnish to You. Except as may be modified by an applicable Symantec license certificate, license coupon, or license key (each a License Module ) that accompanies, precedes, or follows this license, and as may be further defined in the user documentation accompanying the Software, Your rights and obligations with respect to the use of this Software are as follows. You may: A. use that number of copies of the Software as have been licensed to You by Symantec under a License Module. Permission to use the software to assess Desktop, Server or Network machines does not constitute permission to make additional copies of the Software. If no License Module accompanies, precedes, or follows this license, You may make one copy of the Software you are authorized to use on a single machine. B. make one copy of the Software for archival purposes, or copy the Software onto the hard disk of Your computer and retain the original for archival purposes; C. use the Software to assess no more than the number of Desktop machines set forth under a License Module. Desktop means a desktop central processing unit for a single end user; D. use the Software to assess no more than the number of Server machines set forth under a License Module. Server means a central processing unit that acts as a server for other central processing units; E. use the Software to assess no more than the number of Network machines set forth under a License Module. Network means a system comprised of multiple machines, each of which can be assessed over the same network; F. use the Software in accordance with any written agreement between You and Symantec; and G. after written consent from Symantec, transfer the Software on a permanent basis to another person or entity, provided that You retain no copies of the Software and the transferee agrees to the terms of this license. You may not: A. copy the printed documentation which accompanies the Software; B. use the Software to assess a Desktop, Server or Network machine for which You have not been granted permission under a License Module; C. sublicense, rent or lease any portion of the Software; reverse engineer, decompile, disassemble, modify, translate, make any attempt to discover the source code of the Software, or create derivative works from the Software; D. use the Software as part of a facility management, timesharing, service provider, or service bureau arrangement; E. continue to use a previously issued license key if You have received a new license key for such license, such as with a disk replacement set or an upgraded version of the Software, or in any other instance; F. continue to use a previous version or copy of the Software after You have installed a disk replacement set, an upgraded version, or other authorized replacement. Upon such replacement, all copies of the prior version must be destroyed; G. use a later version of the Software than is provided herewith unless you have purchased corresponding maintenance and/or upgrade insurance or have otherwise separately acquired the right to use such later version; H. use, if You received the software distributed on media containing multiple Symantec products, any Symantec software on the media for which You have not received a permission in a License Module; nor I. use the Software in any manner not authorized by this license. 2. Content Updates: Certain Software utilize content that is updated from time to time (including but not limited to the following

6 Software: antivirus software utilize updated virus definitions; content filtering software utilize updated URL lists; some firewall software utilize updated firewall rules; and vulnerability assessment products utilize updated vulnerability data; these updates are collectively referred to as Content Updates ). You shall have the right to obtain Content Updates for any period for which You have purchased maintenance, except for those Content Updates that Symantec elects to make available by separate paid subscription, or for any period for which You have otherwise separately acquired the right to obtain Content Updates. Symantec reserves the right to designate specified Content Updates as requiring purchase of a separate subscription at any time and without notice to You; provided, however, that if You purchase maintenance hereunder that includes particular Content Updates on the date of purchase, You will not have to pay an additional fee to continue receiving such Content Updates through the term of such maintenance even if Symantec designates such Content Updates as requiring separate purchase. This License does not otherwise permit the licensee to obtain and use Content Updates. 3. Limited Warranty: Symantec warrants that the media on which the Software is distributed will be free from defects for a period of sixty (60) days from the date of delivery of the Software to You. Your sole remedy in the event of a breach of this warranty will be that Symantec will, at its option, replace any defective media returned to Symantec within the warranty period or refund the money You paid for the Software. Symantec does not warrant that the Software will meet Your requirements or that operation of the Software will be uninterrupted or that the Software will be error-free. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE ABOVE WARRANTY IS EXCLUSIVE AND IN LIEU OF ALL OTHER WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS. THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS. YOU MAY HAVE OTHER RIGHTS, WHICH VARY FROM STATE TO STATE AND COUNTRY TO COUNTRY. 4. Disclaimer of Damages: SOME STATES AND COUNTRIES, INCLUDING MEMBER COUNTRIES OF THE EUROPEAN ECONOMIC AREA, DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE BELOW LIMITATION OR EXCLUSION MAY NOT APPLY TO YOU. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW AND REGARDLESS OF WHETHER ANY REMEDY SET FORTH HEREIN FAILS OF ITS ESSENTIAL PURPOSE, IN NO EVENT WILL SYMANTEC BE LIABLE TO YOU FOR ANY SPECIAL, CONSEQUENTIAL, INDIRECT, OR SIMILAR DAMAGES, INCLUDING ANY LOST PROFITS OR LOST DATA ARISING OUT OF THE USE OR INABILITY TO USE THE SOFTWARE EVEN IF SYMANTEC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO CASE SHALL SYMANTEC'S LIABILITY EXCEED THE PURCHASE PRICE FOR THE SOFTWARE. The disclaimers and limitations set forth above will apply regardless of whether or not You accept the Software. 5. U.S. Government Restricted Rights: RESTRICTED RIGHTS LEGEND. All Symantec products and documentation are commercial in nature. The software and software documentation are Commercial Items, as that term is defined in 48 C.F.R. section 2.101, consisting of Commercial Computer Software and Commercial Computer Software Documentation, as such terms are defined in 48 C.F.R. section (a)(5) and 48 C.F.R. section (a)(1), and used in 48 C.F.R. section and 48 C.F.R. section , as applicable. Consistent with 48 C.F.R. section , 48 C.F.R. section , 48 C.F.R. section through , 48 C.F.R. section , and other relevant sections of the Code of Federal Regulations, as applicable, Symantec's computer software and computer software documentation are licensed to United States Government end users with only those rights as granted to all other end users, according to the terms and conditions contained in this license agreement. Manufacturer is Symantec Corporation, Stevens Creek Blvd., Cupertino, CA 95014, United States of America. 6. Export Regulation: Export or re-export of this Software is governed by the laws and regulations of the United States and import laws and regulations of certain other countries. Export or re-export of the Software to any entity not authorized by, or that is specified by, the United States Federal Government is strictly prohibited. 7. General: If You are located in North America or Latin America, this Agreement will be governed by the laws of the State of California, United States of America. Otherwise, this Agreement will be governed by the

7 laws of England and Wales. This Agreement and any related License Module is the entire agreement between You and Symantec relating to the Software and: (i) supersedes all prior or contemporaneous oral or written communications, proposals, and representations with respect to its subject matter; and (ii) prevails over any conflicting or additional terms of any quote, order, acknowledgment, or similar communications between the parties. This Agreement shall terminate upon Your breach of any term contained herein and You shall cease use of and destroy all copies of the Software. The disclaimers of warranties and damages and limitations on liability shall survive termination. Software and documentation is delivered Ex Works California, U.S.A. or Dublin, Ireland respectively (ICC INCOTERMS 2000). This Agreement may only be modified by a License Module that accompanies this license or by a written document that has been signed by both You and Symantec. Should You have any questions concerning this Agreement, or if You desire to contact Symantec for any reason, please write to: (i) Symantec Customer Service, 555 International Way, Springfield, OR 97477, U.S.A., (ii) Symantec Authorized Service Center, Postbus 1029, 3600 BA Maarssen, The Netherlands, or (iii) Symantec Customer Service, 1 Julius Ave, North Ryde, NSW 2113, Australia.

8 8

9 Contents Symantec ESM Policy Manual for Visa CISP for Windows Introducing the policy About the policy About Visa CISP Where to get more information about CISP Installing the policy Before you install Installing the policy LiveUpdate installation...14 Manual installation Account Information Account Integrity Active Directory File Attributes File Attributes template files...24 File Watch File Watch template files...26 Login Parameters Network Integrity Object Integrity OS Patches Patch template files...32 Password Strength Registry Registry template files...36 Startup Files Symantec Product Info System Auditing Security events auditing (success and failure) name lists

10 10 Contents

11 Symantec ESM Policy Manual for Visa CISP for Windows This document includes the following topics: Introducing the policy Installing the policy Note: Use of the Symantec ESM policy for Visa CISP does not constitute compliance with merchant obligations under the Visa CISP program. Please visit for full information on the Visa CISP program and compliance requirements. Symantec ESM and the Symantec ESM policy for Visa CISP have not been tested by Visa and are not endorsed by Visa.

12 12 Symantec ESM Policy Manual for Visa CISP for Windows Introducing the policy Introducing the policy About the policy Visa announced the launch of its Cardholder Information Security Program (CISP) in April CISP defines a standard of due care for securing Visa cardholder data. CISP compliance is required of all entities that store, process, or transmit Visa cardholder data. The Symantec ESM policy for Visa CISP assesses compliance with many technical requirements and also provides information needed to assess compliance with many of the manual requirements of the Visa CISP Security Audit Procedures and Reporting guidelines. This Symantec ESM policy for Visa CISP assesses compliance with many of the standard s compliance requirements. This policy can be installed on Symantec ESM 5.5. and 6.0 managers running Security Update 18 or later on the following operating systems: About Visa CISP Microsoft Windows NT Server Microsoft Windows 2000 Server Microsoft Windows 2000 Professional Microsoft Windows XP Professional Microsoft Windows Server 2003 Use of the Symantec ESM policy for Visa CISP does not constitute compliance with merchant obligations under the Visa CISP program. Please visit for full information on the Visa CISP program and compliance requirements. Symantec ESM and the Symantec ESM policy for Visa CISP have not been tested by Visa and are not endorsed by Visa. In April 2000, Visa announced the launch of its Cardholder Information Security Program (CISP). Because the payment industry places a high priority on maintaining the confidentiality and integrity of account and personal data, CISP was developed to ensure that merchants and service providers adequately protect Visa cardholder data. Mandated in June 2001, CISP compliance has been required of all entities storing, processing, or transmitting Visa cardholder data. Intended to protect Visa cardholder data, this program establishes requirements

13 Symantec ESM Policy Manual for Visa CISP for Windows Introducing the policy 13 for safeguarding personally identifiable information with a list of 12 security requirements and detailed sub-requirements. The CISP Requirements 1. Install and maintain a working firewall to protect data 2. Keep security patches up-to-date 3. Protect stored data 4. Encrypt data sent across public networks 5. Use and regularly update anti-virus software 6. Restrict access by need to know 7. Assign unique ID to each person with computer access 8. Don t use vendor-supplied defaults for passwords and security parameters 9. Track all access to data by unique ID 10. Regularly test security systems and processes 11. Implement and maintain an information security policy 12. Restrict physical access to data Where to get more information about CISP The full text of these references is available on the VISA Web site,

14 14 Symantec ESM Policy Manual for Visa CISP for Windows Installing the policy Installing the policy Before you install Installing the policy Decide which Symantec ESM managers require the policy. Policies run on managers. They do not need to be installed on agents. The policy runs only on Symantec ESM 6.1, 6.0 and 5.5 managers and agents with Security Update 18 or later. Update any managers that do not meet these requirements. The standard installation method is to use the LiveUpdate feature in the Symantec ESM console. Another method is to use files from a CD or the Internet to install the policy manually. LiveUpdate installation Install the policy by using the LiveUpdate feature in the Symantec ESM console. To install the policy 1 Connect the Symantec ESM Enterprise Console to managers where you want to install the policy. 2 Click the LiveUpdate icon to start the LiveUpdate wizard. 3 In the wizard, ensure that Symantec LiveUpdate (Internet) is selected, and then click Next. 4 In the Welcome to LiveUpdate dialog box, click Next. 5 Do one of the following: 6 Click Next. To install all checked products and components, click Next. To omit a product from the update, uncheck it, and then click Next. To omit a product component, expand the product node, uncheck the component that you want to omit, and then click Next. 7 Click Finish. 8 Ensure that all managers that you want to update are checked. 9 Click Next. 10 Click OK. 11 Click Finish.

15 Symantec ESM Policy Manual for Visa CISP for Windows Installing the policy 15 Manual installation If you cannot use LiveUpdate to install the policy directly from a Symantec server, you can install the policy manually, using files from a CD or the Internet. To obtain files 1 Connect the Symantec ESM Enterprise Console to managers that you want to update. 2 From the Security Response Web site ( download the executable files for the following operating systems: Microsoft Windows NT Server Microsoft Windows 2000 Professional, Server, domain controller Microsoft Windows XP Microsoft Windows Server 2003 Note: To avoid conflicts with updates that are performed by standard LiveUpdate installations, copy or extract the files into the LiveUpdate folder, which is usually Program Files\Symantec\LiveUpdate. To install the policy on a Symantec ESM manager 1 On a computer running Windows NT/2000/XP/Server 2003 that has network access to the manager, run the executable that you downloaded from the Symantec Security Response Web site. 2 Click Next to close the Welcome dialog box. 3 In the License Agreement dialog box, if you agree to the terms of the agreement, click Yes. 4 Click Yes to continue installation of the best practice policy. 5 Type the requested manager information. 6 Click Next. If the manager s modules have not been upgraded to Security Update 18 or later, the install program returns an error message and aborts the installation. Upgrade the manager to SU 18 or later, then rerun the install program. 7 Click Finish.

16 16 Symantec ESM Policy Manual for Visa CISP for Windows Account Information The VISA CISP policy includes the following modules to manage compliance with many of the technical and some administrative aspects. The enabled checks of each module are listed with the standards that they address and a brief rationale for enabling the check. Associated name lists and templates are also listed. Because the standard does not require specific values, default values and templates have been provided. The policy is read-only but can be copied or renamed according to the needs of your corporate security policy. See the current Symantec Enterprise Security Manager Security Update User s Guide for Windows for check and message information. The Account Information module reports requested account information such as a list of locked out accounts, account folder permissions, and users that are in specified security groups. Check User rights for accounts Disabled accounts CISP section Rationale Develop a data control policy that limits access to computing resources and cardholder information to only those users whose jobs require such access. Ensure proper user authentication and password management for nonconsumer users. Control the addition, deletion, and modification of user IDs, credentials or other identifier objects. Confirm by examination of authorization forms that all administrators are authorized and have active accounts. Select a sample of general users and confirm by examination of authorization forms that those users are authorized and have active accounts. This check lists all users (active and inactive) and their user privileges. Therefore, this check must be used with the Disabled accounts check to exclude inactive users. This check lists all disabled or inactive users.

17 Symantec ESM Policy Manual for Visa CISP for Windows 17 Account Integrity The Account Integrity module creates and maintains user and group snapshot files on each agent where the module runs. The module reports new, changed, and deleted accounts as well as account and account privilege information. Check CISP Section Rationale Disabled/expired/ locked accounts Remove inactive user accounts at least every 90 days. New users Control the addition, deletion and modification of User IDs, credentials or other identifier objects. Select a sample of user IDs and verify that the IDs are implemented in accordance with the authorization form with specified user privileges. Deleted users Control the addition, deletion, and modification of user IDs, credentials, or other identifier objects and immediately revoke access of terminated users. Verify that the terminated users IDs have been disabled or removed. Changed users Control the addition, deletion and modification of User IDs, credentials or other identifier objects. Select a sample of user IDs and verify that the IDs are implemented in accordance with the authorization form with specified user privileges. New groups Control the addition, deletion and modification of user IDs, credentials, or other identifier objects. Select a sample of user IDs and verify that the IDs are implemented in accordance with the authorization form with specified user privileges. Deleted groups Control the addition, deletion and modification of user IDs, credentials, or other identifier objects. Select a sample of user IDs and verify that the IDs are implemented in accordance with the authorization form with specified user privileges. Changed groups Control the addition, deletion, and modification of User IDs, credentials, or other identifier objects. Select a sample of user IDs and verify that the IDs are implemented in accordance with the authorization form with specified user privileges.

18 18 Symantec ESM Policy Manual for Visa CISP for Windows Check CISP Section Rationale Act as part of the operating system Add workstations to domain (Windows NT Server, Windows 2000 Server, Windows Server 2003) Back up files and directories Bypass traverse checking Change the system time Create permanent shared objects Enable computer and user accounts to be trusted for delegation (Windows 2000) Force shutdown from a remote system Generate security audits Configure system security parameters to prevent This privilege should be reserved for the Local System account Configure system security parameters to prevent This privilege should be reserved for Domain Administrators Configure system security parameters to prevent This privilege should be reserved for Administrators and Backup Operators Configure system security parameters to prevent This privilege should be reserved for Administrators Configure system security parameters to prevent This privilege should be reserved for Administrators Configure system security parameters to prevent This privilege should be reserved for Administrators Configure system security parameters to prevent An account with this user right may be able to conduct sophisticated attacks to gain access to network resources Configure system security parameters to prevent This privilege should be reserved for Administrators and Domain Administrators Configure system security parameters to prevent This privilege should be reserved for auditors and security personnel.

19 Symantec ESM Policy Manual for Visa CISP for Windows 19 Check CISP Section Rationale Load and unload device drivers Allow log on locally Configure system security parameters to prevent This privilege should be reserved for Administrators Configure system security parameters to prevent This privilege should be reserved for Administrators and Domain Administrators. Manage auditing and security log Configure system security parameters to prevent Secure audit trails so that they cannot be altered. Only users who have a job-related need can view audit trail files. This privilege should be reserved for security personnel. Restore files and directories Shut down the system Synchronize directory service data (Windows 2000 Server, Windows Server 2003) Take ownership of files or other objects Configure system security parameters to prevent This privilege should be reserved for Administrators and Backup Operators Configure system security parameters to prevent This privilege should be reserved for Administrators, or Domain Administrators for Domain Controllers Configure system security parameters to prevent This privilege should be reserved for Administrators Configure system security parameters to prevent This privilege should be reserved for Administrators.

20 20 Symantec ESM Policy Manual for Visa CISP for Windows Active Directory The Active Directory module for Windows reports group policy objects (GPOs) that apply to users, groups, and computers in the Active Directory Service (ADS). GPOs are active directory objects that contain group policies such as the Windows security policy. GPO settings can be applied to sites, domains, and organizational units. Check Computers with applied GPOs (Windows 2000 Server, Windows Server 2003) Computers without applied GPOs (Windows 2000 Server, Windows Server 2003) Users with applied GPOs (Windows 2000 Server, Windows Server 2003) CISP section Rationale Develop a data control policy that limits access to computing resources and cardholder information to only users whose jobs require such access. Establish a mechanism for systems with multiple users that restricts access based on a user s need to know. Configure system security parameters to prevent GPOs can play a role in data control, restricting user access and preventing Develop a data control policy that limits access to computing resources and cardholder information to only users whose jobs require such access. Establish a mechanism for systems with multiple users that restricts access based on a user s need to know. Configure system security parameters to prevent GPOs can play a role in data control, restricting user access and preventing Develop a data control policy that limits access to computing resources and cardholder information to only users whose jobs require such access. Establish a mechanism for systems with multiple users that restricts access based on a user s need to know. Configure system security parameters to prevent GPOs can play a role in data control, restricting user access and preventing

21 Symantec ESM Policy Manual for Visa CISP for Windows 21 Check Users without applied GPOs (Windows 2000 Server, Windows Server 2003) Security groups with applied GPOs (Windows 2000 Server, Windows Server 2003) Security groups without applied GPOs (Windows 2000 Server, Windows Server 2003) CISP section Rationale Develop a data control policy that limits access to computing resources and cardholder information to only users whose jobs require such access. Establish a mechanism for systems with multiple users that restricts access based on a user s need to know. Configure system security parameters to prevent GPOs can play a role in data control, restricting user access and preventing Develop a data control policy that limits access to computing resources and cardholder information to only users whose jobs require such access. Establish a mechanism for systems with multiple users that restricts access based on a user s need to know. Configure system security parameters to prevent GPOs can play a role in data control, restricting user access and preventing Develop a data control policy that limits access to computing resources and cardholder information to only users whose jobs require such access. Establish a mechanism for systems with multiple users that restricts access based on a user s need to know. Configure system security parameters to prevent GPOs can play a role in data control, restricting user access and preventing

22 22 Symantec ESM Policy Manual for Visa CISP for Windows File Attributes The File Attributes module reports changes to file creation and modification times, file sizes, and CRC/MD5 checksum signatures. It also reports violations of the file permission settings that are specified in template files. Check File ownership (Windows NT, Windows 2000) File and folder ownership (Windows XP, Windows 2003) CISP section Rationale Configure system security parameters to prevent Deploy file integrity monitoring to alert personnel to unauthorized modification of critical system or content files. Improper file ownership may allow unauthorized access. Configure system security parameters to prevent Deploy file integrity monitoring to alert personnel to unauthorized modification of critical system or content files. Improper file ownership may allow unauthorized access. File attributes Changed file (times) Changed file (size) Configure system security parameters to prevent Deploy file integrity monitoring to alert personnel to unauthorized modification of critical system or content files. Improper file attributes may allow unauthorized access. Configure system security parameters to prevent Deploy file integrity monitoring to alert personnel to unauthorized modification of critical system or content files. Changes to these files may indicate unauthorized access. Configure system security parameters to prevent Deploy file integrity monitoring to alert personnel to unauthorized modification of critical system or content files. Changes to these files may indicate unauthorized access.

23 Symantec ESM Policy Manual for Visa CISP for Windows 23 Check Changed file (signature) CISP section Rationale Configure system security parameters to prevent Deploy file integrity monitoring to alert personnel to unauthorized modification of critical system or content files. Changes to these files may indicate unauthorized access. File ACL Configure system security parameters to prevent Deploy file integrity monitoring to alert personnel to unauthorized modification of critical system or content files. Changes to these files may indicate unauthorized access. Files giving all users Full Control Do not notify if file permissions are increased in security Automatically update snapshots (Windows 2000, Windows XP, Windows Server 2003) N/A N/A Configure system security parameters to prevent Deploy file integrity monitoring to alert personnel to unauthorized modification of critical system or content files. World writable files may allow unauthorized access. N/A N/A

24 24 Symantec ESM Policy Manual for Visa CISP for Windows File Attributes template files Symantec uses LiveUpdate every two weeks to overwrite the default template files that are loaded on your computer. You can edit the template files by copying and renaming them. Each File Attributes template is for a specific operating system. The default File Attributes template files have the following extensions. OS File name Template name Windows 2000 Server fileatt_policy.s50 File Windows NT Server fileatt_policy.s40 File Windows Server 2003 fileatt_policy.s50 File Windows 2000 Professional fileatt_policy.w50 File Windows XP fileatt_policy.w51 File All Windows windows.fkl File Keywords - All

25 Symantec ESM Policy Manual for Visa CISP for Windows 25 File Watch The File Watch module creates and maintains a snapshot file for each agent where you run the module that stores file information. The File Watch template specifies the files or directories to be checked, the depth of directory reversal. Check CISP section Rationale Changed files (ownership) Changed files (signature) Deploy file integrity monitoring to alert personnel to unauthorized modification of critical system or content files. Perform critical file comparisons at least daily, or more frequently, if the process can be automated. Ownership changes may be an indication of unauthorized access. Deploy file integrity monitoring to alert personnel to unauthorized modification of critical system or content files. Perform critical file comparisons at least daily, or more frequently, if the process can be automated. Changes to the listed files may indicate unauthorized access. New files Removed files Malicious files Deploy file integrity monitoring to alert personnel to unauthorized modification of critical system or content files. Perform critical file comparisons at least daily, or more frequently, if the process can be automated. Files added to the watched directories may indicate unauthorized access. Deploy file integrity monitoring to alert personnel to unauthorized modification of critical system or content files. Perform critical file comparisons at least daily, or more frequently, if the process can be automated. Files removed from the watched directories may indicate unauthorized access. Deploy file integrity monitoring to alert personnel to unauthorized modification of critical system or content files. Perform critical file comparisons at least daily, or more frequently, if the process can be automated. Malicious code may cause unauthorized modification of critical files.

26 26 Symantec ESM Policy Manual for Visa CISP for Windows Check CISP section Rationale Automatically update snapshots (Windows 2000, Windows XP, Windows Server 2003) N/A N/A Note: Malicious File Watch templates identify known attack signatures for malicious file checks. File Watch template files Symantec uses LiveUpdate every two weeks to overwrite the default template files that are loaded on your computer. You can edit the template files by copying and renaming them. OS File name Template name Windows NT Server nt_policy.fw File Watch Windows 2000 w2k_policy.fw File Watch Windows XP xp_policy.fw File Watch Windows Server 2003 w3s.fw File Watch Windows NT Server nt.mfw Malicious File Watch Windows 2000 w2k.mfw Malicious File Watch Windows XP xp.mfw Malicious File Watch Windows Server 2003 w3s.mfw Malicious File Watch Note: Do not edit Malicious File Watch files.

27 Symantec ESM Policy Manual for Visa CISP for Windows 27 Login Parameters The Login Parameters module checks to see if the control setting for account lockout is enabled, if the lockout threshold is properly set, if locked accounts must be reactivated by an administrator, and if the autologon feature is disabled. Check CISP section Rationale Account lockout threshold Monitor system access attempts. Limit repeated attempts by locking out the user ID after a specific number of attempts. Configure system security parameters to prevent This policy ships with a default setting of 6 unsuccessful attempts, but you can change it to reflect your corporate policy. Account lockout duration Shutdown without logon Autologon disabled Set the lockout duration to 30 minutes or until the Administrator enables the user ID. This policy ships with a default setting of 0 (meaning Administrator intervention is required to reset the account) but you can change it to reflect your corporate policy Configure system security parameters to prevent Prevent denial of service by remote shutdown commands. 7.1 Uniquely identify all users before allowing them to access system resources or cardholder information. Autologon does not uniquely identify the user who is logging on. Inactive accounts Remove inactive user accounts at least every 90 days. Inactive accounts are user accounts that have been created but never used. New accounts are often created with weak passwords that are communicated insecurely. Therefore, this policy ships with a default setting of 45 days.

28 28 Symantec ESM Policy Manual for Visa CISP for Windows Network Integrity The Network Integrity module reports system configuration settings that pertain to authentication and remote access. Check CISP section Rationale Trusted domains (Windows NT, Windows 2000, Windows Server 2003) Shared folders giving all users Full Control 6.2 Establish a mechanism for systems with multiple users that restricts access based on a user s need to know. Trusted domains provide broad access and should be reviewed to determine if they meet the need to know requirement. 6.2 Establish a mechanism for systems with multiple users that restricts access based on a user s need to know. World writable folders may be used to gain unauthorized access. Hidden shares Configure system security parameters to prevent Hidden shares may allow unauthorized access to system resources and cardholder data. Anonymous LANMan access disabled Establish a mechanism for systems with multiple users that restricts access based on a user s need to know. Configure system security parameters to prevent Configure the networking subsystems to protect against known attacks. Anonymous LANMan access may result in unauthorized access. LANMan authentication is often misused and exploited. Plain text authentication 3.6 Encrypt all passwords. Plain text authentication is easily defeated and exposes the password. LANMan Authentication (Windows NT) Encrypt all passwords. Configure system security parameters to prevent Configure the networking subsystems to protect against known attacks. LANMan authentication is often misused and exploited and the password is not encrypted. RRAS/RAS enabled Remove all unnecessary functionality, e.g., drivers, features, subsystems, file systems, and so on. RRAS/RAS is an insecure remote access service.

29 Symantec ESM Policy Manual for Visa CISP for Windows 29 Check CISP section Rationale Listening TCP ports Encrypt non-console administrative access. Use technologies such as SSH or VPN. Disable all unnecessary services. Review services and parameter files to determine that telnet and other remote login commands are not available for use. Inspect a list of enabled services/daemons, verify that the enabled services are required, and that any potentially dangerous services are justified and documented. Unauthorized listening ports may not be properly protected against common threats. Listening UDP ports Disable all unnecessary services. Inspect a list of enabled services/daemons, verify that the enabled services are required, and that any potentially dangerous services are justified and documented. Unauthorized listening ports may not be properly protected against common threats. New listening TCP ports Encrypt non-console administrative access. Use technologies such as SSH or VPN. Disable all unnecessary services. Review services and parameter files to determine that telnet and other remote login commands are not available for use. Inspect a list of enabled services/daemons, verify that the enabled services are required, and that any potentially dangerous services are justified and documented. Unauthorized listening ports may not be properly protected against common threats. New listening UDP ports Disable all unnecessary services. Inspect a list of enabled services/daemons, verify that the enabled services are required, and that any potentially dangerous services are justified and documented. Unauthorized listening ports may not be properly protected against common threats. New network shares Remove all unnecessary functionality, e.g., drivers, features, subsystems, file systems, and so on. Review new network shares since the last snapshot to ensure that they are authorized.

30 30 Symantec ESM Policy Manual for Visa CISP for Windows Check CISP section Rationale Modified network shares Remove all unnecessary functionality, e.g., drivers, features, subsystems, file systems, and so on. Review modified network shares since the last snapshot to ensure that they are authorized. Object Integrity The Object Integrity module reports volumes that do not have Access Control Lists (ACLs). Check CISP section Rationale Volumes without ACL control 6.2 Establish a mechanism for systems with multiple users that restricts access based on a user s need to know. Volumes that are configured without access control lists may allow unauthorized access. Local accounts 6.2 Establish a mechanism for systems with multiple users that restricts access based on a user s need to know. Local accounts other than the default administrators account may indicate a system compromise and/or provide a means for unauthorized access. OS Patches The OS Patches (Patch) module reports Windows patches that have been released by Microsoft Corporation but are not installed on the agent. Check CISP section Rationale All module checks Make sure all systems and software have the latest vendor-supplied security patches. Keep up with vendor changes and enhancements to security patches. Install new/modified security patches within one month of release. To protect the security or integrity of cardholder data against anticipated threats, all information technology resources must be regularly checked to ensure that known vulnerabilities have been patched.

31 Symantec ESM Policy Manual for Visa CISP for Windows 31 Check CISP section Rationale Consider registry keys (Windows NT) Consider file dates and versions (Windows NT) File versions (Windows 2000, Windows XP, Windows Server 2003) File dates (Windows 2000, Windows XP, Windows Server 2003) Registry keys (Windows 2000, Windows XP, Windows Server 2003) Strict (Windows 2000, Windows XP, Windows Server 2003) Superseded (Windows 2000, Windows XP, Windows Server 2003) N/A N/A N/A N/A N/A N/A N/A This option is enabled to determine whether patches are properly installed. This option is enabled to determine whether patches are properly installed. This option is enabled to determine whether patches are properly installed. This option is enabled to determine whether patches are properly installed. This option is enabled to determine whether patches are properly installed. This option is enabled to determine whether patches are properly installed. This option is enabled to determine whether patches are properly installed.

32 32 Symantec ESM Policy Manual for Visa CISP for Windows Patch template files Symantec uses LiveUpdate every two weeks to overwrite the default template files that are loaded on your system. Note: Do not edit, move, or change your Patch template files. The Patch module uses the following template files OS File name Template name Windows NT Server patch.ps4 Patch Windows 2000 Professional patch.pw5 Patch Windows 2000 Server patch.ps5 Patch Windows XP patch.pwx Patch Windows Server 2003 patch.p6s Patch Windows NT Server windows.pkl Patch Keywords Windows 2000 Professional windows.pkl Patch Keywords Windows 2000 Server windows.pkl Patch Keywords Windows XP windows.pkl Patch Keywords Windows Server 2003 windows.pkl Patch Keywords Password Strength The Password Strength module examines system parameters that control the construction, change, aging, expiration, and storage of passwords. Check CISP section Rationale Minimum password length Require a minimum password length of at least seven characters. This policy ships with a default setting of seven characters. Accounts without passwords Ensure proper user authentication and password management for non-consumer users. Require a minimum password length of at least seven characters. Accounts without passwords may permit unauthorized access.

33 Symantec ESM Policy Manual for Visa CISP for Windows 33 Check Password = username Password = any username Password = wordlist word CISP section 7 (Best Practices) 7 (Best Practices) 7 (Best Practices) Rationale Periodically use password-cracking software to identify weak passwords and require users to change them immediately. Easily guessed passwords are not well protected as required by the standard. Periodically use password-cracking software to identify weak passwords and require users to change them immediately. Easily guessed passwords are not well protected as required by the standard. Periodically use password-cracking software to identify weak passwords and require users to change them immediately. Easily guessed passwords are not well protected as required by the standard. MD4 hashes N/A Periodically use password-cracking software to identify weak passwords and require users to change them immediately. This option increases the effectiveness of ESM s protection against password guessing. Reverse order Double occurrences Plural forms 7 (Best Practices) 7 (Best Practices) 7 (Best Practices) Periodically use password-cracking software to identify weak passwords and require owners of weak passwords to change them immediately. Easily guessed passwords are not well protected as required by the standard. Periodically use password-cracking software to identify weak passwords and require users to change them immediately. Easily guessed passwords are not well protected as required by the standard. Periodically use password-cracking software to identify weak passwords and require users to change them immediately. Easily guessed passwords are not well protected as required by the standard. Password changes Change user passwords at least every 90 days. Users must be able to change their own passwords.