1.0 2008-05-19T00:00:00 Inadequate physical protection can undermine all other security precautions utilized to protect the system. This can jeopardize the confidentiality, availability, and integrity of the system. Physical security of the AIS is the first line protection of any system. Note: Critical servers should be located in rooms, or locked cabinets, that are accessible only to authorized systems personnel. User workstations containing sensitive data should be in access controlled areas. ocil:mitre.org:testaction:11 Using a privileged account to perform routine functions makes the computer vulnerable to attack by any virus or Trojan Horse inadvertently introduced during a session that has been granted full privileges. The rule of least privilege should always be enforced. ocil:mitre.org:testaction:21 ocil:mitre.org:testaction:22 ocil:mitre.org:testaction:23 ocil:mitre.org:testaction:24 ocil:mitre.org:testaction:25 Backup Operators are able to read and write to any file in the system, regardless of the rights assigned to it. Backup and restore rights permit users to cirvumvent the file access restrictions present on NTFS disk drives for the purpose of backup and restore. Members of the Backup Operators group should have special logon accounts for performing their backup duties. ocil:mitre.org:testaction:31 ocil:mitre.org:testaction:32 ocil:mitre.org:testaction:33 Default and backup administrator passwords are not changed as required. ocil:mitre.org:testaction:41 Backup Operators are able to read and write to any file in the system, regardless of the rights assigned to it. Backup and restore rights permit users to cirvumvent the file access restrictions present on NTFS disk drives for the purpose of backup and restore. Members of the Backup Operators group should have special logon accounts for performing their backup duties. ocil:mitre.org:testaction:51 ocil:mitre.org:testaction:52 ocil:mitre.org:testaction:53 ocil:mitre.org:testaction:54 This check verifies that all shared accounts on the system are documented and justified. Any shared account must be documented with the IAO as shared accounts do not provide individual accountability for system access and resource usage. Documentation should include the reason for the account, who has access to this account, and how the risk of using a shared account, which provides no individual identification and accountability is mitigated. ocil:mitre.org:testaction:61 The Security Event Log contains information on security exceptions that occur on the system. This data is critical for identifying security vulnerabilities and intrusions. The Application and System logs can also contain information that is critical in assessing security events. Therefore, these logs must be protected from unauthorized access and modification. Only individuals who have auditing responsibilities (IAO, IAM, auditors, etc.) should be members of this group. The individual System Administrators responsible for maintaining this system can also be members of this group. Note: The administrator, who is responsible for an individual system, should be added to the local auditors group, since he needs the audit user right to perform his tasks. ocil:mitre.org:testaction:71 To be of value, audit logs will be reviewed on a regular basis to identify security breaches and potential weaknesses in the security structure. ocil:mitre.org:testaction:81 To be of value, audit logs will be archived on a regular basis to ensure data is not being lost. (and also save space) ocil:mitre.org:testaction:91 Recovery of a damaged or compromised system will be difficult without an up-to-date Emergency Repair Disk (ERD). An ERD also allows recovery of a damaged or corrupted system that cannot be rebooted. The ERD, when used in the recovery process, can restore the local systems user database to the version that existed when the ERD was previously made. In particular, if the ERD contained an administrator account without a password, then that exposed account may be attacked. As a valuable system resource, the ERD should be protected and stored in a physically secure location. ocil:mitre.org:testaction:101 ocil:mitre.org:testaction:102 ocil:mitre.org:testaction:103 The Microsoft Security Configuration Toolset that is integrated in Windows 2000 should be used to configure platforms for security compliance. The SCM allows system administrators to consolidate all security related system settings into a single configuration file. These settings can then be applied consistently to any number of Windows Machines. The SCM can use the same configuration file to check platforms for compliance with security policy. If an alternate method is used to configure a system (e.g. manually), that achieves the same configured result, then this is acceptable. Note: The DISA FSO Gold Disk for Windows 2000 can be used to configure a system to meet security requirements. ocil:mitre.org:testaction:111 System files should be checked for unauthorized changes. ocil:mitre.org:testaction:121 Encryption of Userid and Password information is required. Encryption of the user data inside the network firewall is also highly recommended. Encryption of user data coming from or going outside the network firewall is required. Encryption for Administrator data is always required. Refer to the Enclave Security STIG section on “FTP and Telnet” for detailed information on their use. ocil:mitre.org:testaction:131 ocil:mitre.org:testaction:132 Each Server should have a host-based Intrusion Detection System. ocil:mitre.org:testaction:141 PASS FAIL PASS FAIL PASS FAIL FAIL PASS PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL FAIL PASS PASS FAIL PASS FAIL Has equipment been relocated to a controlled access area? Does each System Administrator have a unique userid dedicated for administering the system? Does each System Administrator have a separate account for normal user tasks? Is the built-in Administrator account used to administer the system? Have System Administrators been properly trained? Does the IAO maintain a list of users belonging to the Administrators group? Does each Backup Administrator have a unique userid dedicated for backup duites? Does each Backup Administrator have a separate account for normal user tasks? Has the IAO stored details about the backup administrator account in a secure location? Is a policy in place for changing the default and backup administrator account passwords at least on an annual basis, and when any member of the administrative team leaves the organization? Does each Backup Operator have a unique userid dedicated for backing up the system? Does each Backup Operator have a separate account for normal user tasks? Have Backup Operators been properly trained? Does the IAO maintain a list of users belonging to the Backup Operators group? Has the IAO documented and justified all shared accounts on the system? Has the site has created an Auditors group to restrict access to the Event Logs? Does the site have a policy in place that defines procedures for reviewing audit logs? Does the site have a policy in place that defines procedures for archiving audit logs? Does the site maintain emergency system recovery data? Is the emergency system recovery data protected from destruction and stored in locked storage container? Has the emergency system recovery data been updated following the last system modification? Is the Security Configuration Toolset (or an acceptable alternative) used to configure the Windows systems to meet security requirements? Does the site use a tool to compare system files (*.exe, *.bat, *.com, *.cmd and *.dll) on servers against a baseline on a weekly basis? Does the User account used for unencrypted remote access within the Enclave (premise router) have administrator privileges? Is User ID and Password information used for remote access to system services from outside the Enclave encrypted? Does each Server have a host-based intrusion detection (HID) system installed and enabled?