Computer Security and Control Objectives

List of Control Objectives

Please find enclosed several control objectives that should help meet the minimum level
of security and control of a computer network.

A. Desktop

• The user should be required to sign on to their computer with a user id and
password.
• The password for any server other than the personal computer should not be
stored on the personal computer in any file in any format
• Directory and files on the personal computer should be restricted to authorized
users only.
• A legal notice should be displayed to inform the user of the sensitive nature of
the information and their responsibility to keep it safe.
• The last authenticated user should not be displayed on the sign on screen
• A system policy should be in place that prevents the sharing of resources on
the local Windows 95 workstation.
• A user policy should be applied to the Domain Users group, which removes
any common icon groups from the Start Menu.
• A standard security and control configuration should be established and
approved by management. The enforcement of the standard configuration
should be controlled by a network management product through periodic
inventory control.
• Standard applications should be established to reduce the errors and omissions
that occur when supporting multiple end user configurations. In addition, the
establishment of a standard application environment on the desktop should
reduce the support and maintenance effort required.
• For the best overall security the Windows NT 4.0 workstation operating
system should be the recommended standard.

B. File Servers

• Should be physically secured

• Corporate authentication standards should be met
• Challenge Handshake Authentication Protocol (CHAP)
• Password length of at least 8 characters
• Password aging of 30 days
• Password minimum age of 1 day
• Password construction of a mixture of alpha and numeric characters
• Password history file is established
• Invalid sign on attempts of 3 with the user account being locked after
reaching this threshold
• Reset invalid sign on attempts after 1440 (one day)
• Lockout duration 3 days
• Lock out of user accounts for inactivity
 • Re-evaluation of a user's privileges when a user's job status changes
• Corporate authorization standards should be met
• Guest account should be disabled
• Administration user account should be protected by passprop (resource
kit) which will force the Administrator account to lock up after the
same number of invalid attempts as any normal user. The difference is
that even in this case the Administrator account can still sign on at the
system console.
• Everyone group should have restricted directory access
• All other users and groups should only have the directory and file
permissions required by their job responsibilities
• NTFS should be installed
• All group accounts should only have valid users as their members
• All user rights should be restricted to users that require this level of
responsibility for their job function.
• Trusted Domains should be used sparingly
• All services should be removed unless required to operate the server
• Configure the protocol bindings between TCP/IP, NetBIOS, Server
and Workstation services. By removing the bindings between
NetBIOS and TCP/IP, the native file sharing services will not be
accessible via TCP/IP and hence the Internet. These and other
NetBIOS services will still be accessible via a local LAN-specific,
non-routable protocol (ex: NetBEUI).
• Corporate accountability standards should be met
• Adequate audit trails should be established for:
• Logon and logoffs
• File and object access
• User and group management
• Security policy changes
• Change control
• All changes to the operating environment should be properly tested
and documented
• Backup
• An adequate backup schedule should be established
• Backup files should be stored in a secured off-site location
• Contingency planning
• An adequate contingency plan that allows the file server and the
associated applications can be restored within a reasonable time frame
(determined by a risk analysis and management approval).
• Service Packs
• Ensure that there is a mechanism to ensure that all devices including
the File Server have the latest patches/service pack.

C. LAN & WAN

• Information that travels over the network should be classified as to a level of

sensitivity. Based on this classification the network transmission should not
permit the transfer of clear text sensitive data. This would include:
 • Passwords
• Legal documents
• Data that is protected by state or federal law
• Where possible sensitive data transfer should be protected by using one of the
following:
• CHAP - for user id and password authentication
• Secured hubs
• Encryption
• Cisco's IPSec technology
• Redundancy should be built into the network to allow for the uninterrupted
network services.
• Vendor access should be clearly defined and controlled.
• Secured sign on
• Audit trail of activity
• No administration rights on the production server
• No generic passwords (individual accountability)
• Controls should be in place to prevent session hi-jacking.

D. Network Components

• All network components should met the following control objectives:

• Secured authentication (CHAP) for remote administration
• Proper security configuration
• SNMP alarms
• Access Control List (ACLs) if appropriate
• Audit trail of configuration changes
• Change control for configuration changes
• Testing
• Backup copy
• Secured dialup access (CHAP) if present
• Physically secured to prevent theft or unauthorized access

E. Firewall

• The installed firewall(s) should met the following control objectives:

• Secured authentication (CHAP) for remote administration
• Restricted list of users that can administrate the firewall
• Proper security configuration
• Rules
• Self security checks such as Tripwire
• Audit trails of configuration changes
• Change control for configuration changes
• Testing
• Backup copy
• Operational configuration
• Connection tracking
• Prevention of IP Spoofing and denial of service attacks
 • Prevention of access to host computers by IP address
• Restriction to only required services
• Single point of network entry
• Violation reporting of unauthorized users
• Real time alerts of security breaches

F. Proxy

• The installed proxy(ies) should met the following control objectives:

• Secured authentication (CHAP) for remote administration
• Restricted list of users that administrate the proxy
• Proper security configuration
• Rules
• Self security checks such as Tripwire
• Audit trails of configuration changes
• Change control for configuration changes
• Testing
• Backup copy
• Operational configuration
• Connection tracking
• Prevention of IP Spoofing
• Prevention of access to host computers by IP address
• Restriction to only required services
• Blocking unwanted sites

F. Remote Communication Server

• Secured administration authentication process (CHAP)

• Secured user authentication process (CHAP)
• Should met the authentication standards of the organization
• Should be physically secured
• Should contain audit trails of changes to configuration
• Change control for configuration changes

G. Single Sign On

• The bank should implement, if at all possible, a single sign on solution for end
users
• CiscoSecure may have the capability to meet this objective

H. Host Access

• All host access should use a secure authentication process (CHAP)

• All host access should meet the authentication standards of the Bank
• Only authorized users should have access to host applications
 • All host access should contain an adequate audit trail by user of their activities
on the host.

I. Change Control

• The bank should establish an adequate change control policy for the complete
production environment.
• This would include the separation of the following environments:
• Development
• Test (Quality Assurance)
• Production
• Testing standards should be developed to ensure that any change is adequately
tested and that proper test coverage is completed prior to the movement to the
production environment.

J. Incident Reporting

• An incident reporting system should be established for all production:

• Outages
• Problems
• The incident reporting system should tract both the problem and the resolution
of the problem.

K. Physical Security

• All computers and components should have an inventory control number

• A database of each components location should be established
• Any critical component should be physically secured

L. Contingency Planning

• A risk analysis to determine the following risk factors should be completed:

• Sensitivity Risk
• Sensitive data
• Data protected by laws
• Criticality Risk
• Availability of data and the impact to the Bank

M. Dynamic Alarms

• Alarms should be established to determine the following:

• Changes to any security configuration for any device
• Attacks
• Insider
• Outsider
• Trend analysis should be used by collecting the audit files and looking for
suspicious activity
 • REAL Secure is a product that can be configured to check for certain type of
attacks.

N. Audit Reporting

• Adequate audit reports need to be designed into each device to allow for the
complete and proper review of the current configuration evolution process.
• Audit reporting should be dynamic on sensitive devices and manual on others.
• Tailored reports may be required to meet audit objectives which include but
are not limited to:
• Access control reports
• Who access what, when including Internet access
• Integrity reports that demonstrate that any process or change to a
process what properly tested to ensure that it only performs the activity
required by its function.
• Output control
• Who receives what report(s) that are sensitive? How are spools
controlled to prevent unauthorized users from seeing or changing
sensitive reports?
• Audit trails of any change to the network by delineating the who, why,
when, what was changed on a specific device.
• The Axent product may provide many of the audit and security reports for the
NT, Novell, and Unix environments.
• Key Audit and Security Reports
• Daily Attack Report - a daily report of any suspicious internal or external
attack.
• Daily violation report - This report should be compilation of all violation
attempts to any network device. This report should be available for
review if requested by Auditing. The daily review of this report would be
the responsibility of the Security Administrator or System/Network
Administrator.
• Daily change log - This report should be a compilation of all changes to
the devices within the network
• Daily incident report - This report would indicate any operational
problems that occur with the network. This would include all of the
network devices and their operational status. A timely resolution report
with appropriate solution sets should follow or be included as part of the
report.

O. Security Certification

• A secured configuration based should be established for each device and the
system should automatically identify any new device.
• Any new device would be immediately interrogated to ensure that it meets the
minimum security and control requirements of the Bank
P. Port Filtering

• A complete listing of all ports that are listening should be compiled

• Using a port listening tool to accomplish this task, any unnecessary port
should be turned off.
• This tool should be run on a scheduled basis
• Port filtering should be installed for sensitive listening program
IIS

• Ensure that there is limited administration access to maintain the IIS servers
• Ensure that any special services running on the server are required
• Ensure that proper authentication standards are being met for system
administration to the server
• Ensure that all maintenance activity is properly recorded
• Ensure that any configuration changes are properly tested and approved
• Ensure that the proper sheets for configuration are established
• Property Sheets
• Service - the following services should be set
• Connection Timeout
• Maximum Connections
• Anonymous Logon
• Username
• Password
• Password Authentication
• Allow Anonymous
• Windows NT Challenge/Response
• Directories
• Directories allowed
• Enable Default Document
• Directory Browsing Allowed
• When adding a new directory you can Edit Properties which allows
you to set:
• Alias
• Account Information - User Name & Password
• Virtual Server
• Access Rights
• Read Execute Secured Socket Layer (SSL)
• Logging
• Enable Logging
• Log To File
• Automatically Log to SQL/ODBC DBMS
• Log file directory
• Log file name
• Advanced
• Access IP Address Subnet Mask
• Limit Network Use by all Internet Services on this computer
 • Backup files should be secured if sensitive data such as encrypted passwords
are on the files.

Q. MicroSoft's Exchange

• Exchange Security

• Using NT security as it basis.

• Advanced Security

• Signing

• This technique uses a digital signature on a message to certify the

message's origin.

• Sealing (Encryption)

• This process scrambles the contents of a message to make it difficult

for anyone without a decryption key to read it.
• You can configure advanced security settings for clients by opening
the Options menu and clicking the Security tab.

• Security Options

• Encrypt Message Contents and Attachments

• Add Digital Signature to Message
• Logoff Security
• Turns off password prompt
• Set Up Advanced Security

• Permissions

• Mailbox Permission
• More than one or user account can have permission on a
• mailbox
• Public Folder Permission
• Permission to access public folder can be granted by the owner of a
public folder.
• Directory Permissions
• Permissions to use the directory are granted to Windows NT user
accounts.
• Auditing
• All audited events are recorded in NT's Event Log.

R. Gateways
 • Ensure that there is limited administration access to maintain these servers
• Ensure that any special services running on the server are required
• Ensure that proper authentication standards are being met for system
administration to the server
• Ensure that all maintenance activity is properly recorded
• Ensure that any configuration changes are properly tested and approved
• Ensure that any connection logging does not record the user id and password
of the connection in clear text. If it does ensure that these passwords are
encrypted or removed from the log file.
• Backup files should be secured if sensitive data such as encrypted passwords
are on the files.

S. Directory Servers

• Ensure that there is limited administration access to maintain these servers.

• Ensure that any special services running on the server are required
• Ensure that proper authentication standards are being met for system
administration to the server
• Ensure that all maintenance activity is properly recorded
• Ensure that any configuration changes are properly tested and approved

T. SQL/Server

• A risk analysis to determine where the sensitive data is located should be

performed
• All default user ids and passwords should be changed
• Limit the number of Database administrators
• Ensure that users only have access to tables that are required by their job
responsibilities
• Ensure that users only have the privileges to these tables based on their job
responsibilities
• Ensure that all direct connect programs are authorized to perform the connect
• Ensure that all direct connect programs meet the authentication standards of
the Bank
• Ensure that all connections to the database provide the actual user id that is
performing the activity/transaction to allow for a proper audit trail.
• No generic user ids and passwords
• No public defined access
• Meets authentication standards

U. H.P. OpenView

• Security/Operational alarms/reports should be established such as:

• Complete network diagram of logical components with addresses and
contact points
• Alarms of violation attacks for network components
• Alarms for network errors to help ensure the reliability of the network
 • Alarms for personal computer configuration changes
• Alarms for changes within the network
• End-to-end management of all components of a business process including
application and operating system software, database and transaction systems,
servers and mainframes, and wide area and local network elements should be
monitored as a unit.
• Service level agreements should be established to help to meet user's
expectations.
• Any RMON, RMON-2 devices should be used to track and troubleshoot the
network components. This devices, if independent, should be properly
secured by conforming to the authentication standards of the Bank
• Multiple levels of reports based on the availability of available products such
as the SMS, Optivity, HP-OpenView, and CiscoWorks should be established
using the Web technology for secured browsing. This would allow for event
correlation and de-duplication of events.
• The use of these platforms for software distribution and inventory services as
well as file, print, and user administration functions.

V. Optivity

• SNMP alarms established to notify security of any attacks

W. System Management Server (SMS)

• Ensure that SMS is set to provide inventory control of the desktop

• Ensure that the remote control mode is properly secured
• Ensure that remote administration of the user's registries is properly secured to
authorized administrator only.
• Ensure that proper audit reports are generated for the distribution of software
to the workstations.

X. ActiveX and Java

• ActiveX should be discouraged if possible. If not, third party products to

protect the ActiveX execution. Products such as Finjan, which inspect the
ActiveX and java, contents at the Internet gateway level. Other products such
as Digitivity detects incoming applets and then uploads a proxy applet to the
user rather than the original applet. Then, the proxy connects with the
company's CageServer product, which runs the java applets. This means
whenever a user downloads an applet from the Web, the code is diverted to a
separate server instead of going to the user. Another company Security-7
Software makes a product called SafeGate, which performs real-time analysis
of java and ActiveX
• As a minimum the browser should be set to allow for the following checks:
• Byte code verification
• Class loader
• Java security manager
• Digital signatures and Certificate Authority
Y. Viruses

• A comprehensive virus detection system should be in place to include:

• Email attachments
• New files/programs on the desktop
• New files/programs on the server

Z. In all of this there should be a clear security policy that delineates

management's objectives for the Bank. This policy would be the driving
force to establish detail procedures and guidelines for the operational staff.

• A code of conduct should be available and signed by each employee, which

will delineate their security responsibilities including the use of the Internet.

AA. Other products that may aid in the security and control of the network

• Site Scan - Monitors environment equipment. Air conditioning, UPS's

battery, Halon
• Missing Link - Monitors IPX traffic for the Novell file servers connected to
the LAN
• BMC - Is a database monitoring tool that reports performance on database
queries.

BB. System Administration

• All activity to any network device by any administrator should be tracked in

an audit file.

CC. Other products already recommended by Kevin

• Our preliminary review of the network design by Kevin Mr. Kasperek takes
into consideration many of the security and control issues facing the industry
today. His overall design is quite sound and insightful on the issues of
security and control. His solution for VPNs and Internet traffic appears to
meet many of the control concerns that are present with the use of Internet
access.
• Internet Scanner Toolset - is an excellent set of programs that will identify
vulnerabilities within the Bank's networked environment. These tools should
be run on periodic bases including each time a major change is concluded
within the environment.