Symantec Enterprise Security Manager Policy Manual for Visa Cardholder Information Security Program (CISP) For Windows


Symantec Enterprise Security Manager™ Policy Manual for Visa® Cardholder Information Security Program (CISP)

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

041027

Copyright Notice

Portions Copyright 2004 Visa U.S.A. Inc. All Rights reserved.

All information that is made available by Visa is the copyrighted work of Visa U.S.A. Inc. and is owned and reprinted with permission, and is provided AS-IS with NO WARRANTY. Use of the Symantec ESM policy for Visa CISP does not constitute compliance with merchant obligations under the Visa CISP program. Please visit http://www.visa.com/cisp for full information on the Visa CISP program and compliance requirements. Symantec ESM and the Symantec ESM policy for Visa CISP have not been tested by Visa and are not endorsed by Visa.

Copyright © 2004 Symantec Corporation.

Any technical documentation that is made available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by Symantec Corporation. NO WARRANTY. The technical documentation is being delivered to you AS-IS and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the technical documentation or the information contained therein is at the risk of the user. Documentation may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice.

No part of this publication may be copied without the express written permission of Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014.

Trademarks

Symantec, the Symantec logo, and LiveUpdate, are U.S. registered trademarks of Symantec Corporation. Symantec Enterprise Security Manager and Symantec Security Response are trademarks of Symantec Corporation.

Microsoft, MS-DOS, Windows, and Windows NT are registered trademarks of Microsoft Corporation.


Technical support

As part of Symantec Security Response, the Symantec Global Technical Support group maintains support centers throughout the world. Technical Support’s primary role is to respond to specific questions on product features and the function, installation, and configuration, as well as to author content for the Knowledge Base. Technical Support collaborates with the other areas within Symantec to answer your questions in a timely fashion.

Symantec Technical Support offers:

A range of support options that gives you the flexibility to select the right amount of service for any size organization
Telephone and Web support components that provide rapid response and up-to-the-minute information
Upgrade insurance that delivers automatic software upgrade protection
Content updates for virus definitions and security signatures that ensure the highest level of protection
Global support from Symantec Security Response experts, which is available 24 hours a day, 7 days a week, worldwide, in a variety of languages
Advanced features, such as the Symantec Alerting Service and Technical Account Manager role, that offer enhanced response and proactive security support

Please visit our Web site for current information on support programs. The specific features that are available may vary based on the level of support purchased and the specific product that you are using.

Licensing and registration

If the product that you are implementing requires registration and/or a license key, the fastest and easiest way to register your service is to go to the Symantec licensing and registration site at:

www.symantec.com/certificate

You can also go to:

www.symantec.com/techsupp/ent/enterprise.htm

Select the product that you wish to register. From the Product Home Page, select the Licensing and Registration link.

Contacting Technical Support

Customers with a current support agreement may contact Technical Support by phone or online at:

Customers with Platinum support agreements may contact Platinum Technical Support at:

www-secure.symantec.com/platinum/

When contacting the Technical Support group, please have the following information available:

Product release level
Hardware information
    Available memory, disk space, NIC information
Operating system
    Version and patch level
Network topology
    Router, gateway, and IP address information
Problem description
    Error messages/log files
    Troubleshooting performed prior to contacting Symantec
    Recent software configuration changes and/or network changes

Customer Service

To contact Enterprise Customer Service online, go to www.symantec.com, select the Global Site for your country, then choose Service and Support. Customer Service is available to assist with the following types of issues:

Questions regarding product licensing or serialization
Product registration updates such as address or name changes
General product information (features, language availability, local vendors)
Latest information on product updates and upgrades
Information on upgrade insurance and maintenance contracts
Information on Symantec Value License program
Advice on Symantec's technical support options
Nontechnical presales questions

Symantec Software License Agreement

Symantec Enterprise Security Manager

SYMANTEC CORPORATION AND/OR ITS SUBSIDIARIES (“SYMANTEC”) IS WILLING TO LICENSE THE SOFTWARE TO YOU AS AN INDIVIDUAL, THE COMPANY, OR THE LEGAL ENTITY THAT WILL BE UTILIZING THE SOFTWARE (REFERENCED BELOW AS “YOU” OR “YOUR”) ONLY ON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS OF THIS LICENSE AGREEMENT. READ THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT CAREFULLY BEFORE USING THE SOFTWARE. THIS IS A LEGAL AND ENFORCEABLE CONTRACT BETWEEN YOU AND THE LICENSOR. BY OPENING THIS PACKAGE, BREAKING THE SEAL, CLICKING THE “AGREE” OR “YES” BUTTON OR OTHERWISE INDICATING ASSENT ELECTRONICALLY, OR LOADING THE SOFTWARE, YOU AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO THESE TERMS AND CONDITIONS, CLICK THE “I DO NOT AGREE” OR “NO” BUTTON OR OTHERWISE INDICATE REFUSAL AND MAKE NO FURTHER USE OF THE SOFTWARE.

1. License:

The software and documentation that accompanies this license (collectively the “Software”) is the proprietary property of Symantec or its licensors and is protected by copyright law. While Symantec continues to own the Software, You will have certain rights to use the Software after Your acceptance of this license. This license governs any releases, revisions, or enhancements to the Software that the Licensor may furnish to You. Except as may be modified by an applicable Symantec license certificate, license coupon, or license key (each a “License Module”) that accompanies, precedes, or follows this license, and as may be further defined in the user documentation accompanying the Software, Your rights and obligations with respect to the use of this Software are as follows.

You may:

A. use that number of copies of the Software as have been licensed to You by Symantec under a License Module. Permission to use the software to assess Desktop, Server or Network machines does not constitute permission to make additional copies of the Software. If no License Module accompanies, precedes, or follows this license, You may make one copy of the Software you are authorized to use on a single machine.

B. make one copy of the Software for archival purposes, or copy the Software onto the hard disk of Your computer and retain the original for archival purposes;

C. use the Software to assess no more than the number of Desktop machines set forth under a License Module. “Desktop” means a desktop central processing unit for a single end user;

D. use the Software to assess no more than the number of Server machines set forth under a License Module. “Server” means a central processing unit that acts as a server for other central processing units;

E. use the Software to assess no more than the number of Network machines set forth under a License Module. “Network” means a system comprised of multiple machines, each of which can be assessed over the same network;

F. use the Software in accordance with any written agreement between You and Symantec; and

G. after written consent from Symantec, transfer the Software on a permanent basis to another person or entity, provided that You retain no copies of the Software and the transferee agrees to the terms of this license.

You may not:

A. copy the printed documentation which accompanies the Software;

B. use the Software to assess a Desktop, Server or Network machine for which You have not been granted permission under a License Module;

C. sublicense, rent or lease any portion of the Software; reverse engineer, decompile, disassemble, modify, translate, make any attempt to discover the source code of the Software, or create derivative works from the Software;

D. use the Software as part of a facility management, timesharing, service provider, or service bureau arrangement;

E. continue to use a previously issued license key if You have received a new license key for such license, such as with a disk replacement set or an upgraded version of the Software, or in any other instance;

F. continue to use a previous version or copy of the Software after You have installed a disk replacement set, an upgraded version, or other authorized replacement. Upon such replacement, all copies of the prior version must be destroyed;

G. use a later version of the Software than is provided herewith unless you have purchased corresponding maintenance and/or upgrade insurance or have otherwise separately acquired the right to use such later version;

H. use, if You received the software distributed on media containing multiple Symantec products, any Symantec software on the media for which You have not received a permission in a License Module; nor

I. use the Software in any manner not authorized by this license.

2. Content Updates:

Software: antivirus software utilize updated virus definitions; content filtering software utilize updated URL lists; some firewall software utilize updated firewall rules; and vulnerability assessment products utilize updated vulnerability data; these updates are collectively referred to as “Content Updates”). You shall have the right to obtain Content Updates for any period for which You have purchased maintenance, except for those Content Updates that Symantec elects to make available by separate paid subscription, or for any period for which You have otherwise separately acquired the right to obtain Content Updates. Symantec reserves the right to designate specified Content Updates as requiring purchase of a separate subscription at any time and without notice to You; provided, however, that if You purchase maintenance hereunder that includes particular Content Updates on the date of purchase, You will not have to pay an additional fee to continue receiving such Content Updates through the term of such maintenance even if Symantec designates such Content Updates as requiring separate purchase. This License does not otherwise permit the licensee to obtain and use Content Updates.

3. Limited Warranty:

Symantec warrants that the media on which the Software is distributed will be free from defects for a period of sixty (60) days from the date of delivery of the Software to You. Your sole remedy in the event of a breach of this warranty will be that Symantec will, at its option, replace any defective media returned to Symantec within the warranty period or refund the money You paid for the Software. Symantec does not warrant that the Software will meet Your requirements or that operation of the Software will be uninterrupted or that the Software will be error-free.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE ABOVE WARRANTY IS EXCLUSIVE AND IN LIEU OF ALL OTHER WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS. THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS. YOU MAY HAVE OTHER RIGHTS, WHICH VARY FROM STATE TO STATE AND COUNTRY TO COUNTRY.

4. Disclaimer of Damages:

SOME STATES AND COUNTRIES, INCLUDING MEMBER COUNTRIES OF THE EUROPEAN ECONOMIC AREA, DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE BELOW LIMITATION OR EXCLUSION MAY NOT APPLY TO YOU.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW AND REGARDLESS OF WHETHER ANY REMEDY SET FORTH HEREIN FAILS OF ITS ESSENTIAL PURPOSE, IN NO EVENT WILL SYMANTEC BE LIABLE TO YOU FOR ANY SPECIAL, CONSEQUENTIAL, INDIRECT, OR SIMILAR DAMAGES, INCLUDING ANY LOST PROFITS OR LOST DATA ARISING OUT OF THE USE OR INABILITY TO USE THE SOFTWARE EVEN IF SYMANTEC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO CASE SHALL SYMANTEC'S LIABILITY EXCEED THE PURCHASE PRICE FOR THE SOFTWARE. The disclaimers and limitations set forth above will apply regardless of whether or not You accept the Software.

5. U.S. Government Restricted Rights:

RESTRICTED RIGHTS LEGEND. All Symantec products and documentation are commercial in nature. The software and software documentation are “Commercial Items,” as that term is defined in 48 C.F.R. section 2.101, consisting of “Commercial Computer Software” and “Commercial Computer Software Documentation,” as such terms are defined in 48 C.F.R. section 252.227-7014(a)(5) and 48 C.F.R. section 252.227-7014(a)(1), and used in 48 C.F.R. section 12.212 and 48 C.F.R. section 227.7202, as applicable. Consistent with 48 C.F.R. section 12.212, 48 C.F.R. section 252.227-7015, 48 C.F.R. section 227.7202 through 227.7202-4, 48 C.F.R. section 52.227-14, and other relevant sections of the Code of Federal Regulations, as applicable, Symantec's computer software and computer software documentation are licensed to United States Government end users with only those rights as granted to all other end users, according to the terms and conditions contained in this license agreement. Manufacturer is Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014, United States of America.

6. Export Regulation:

Export or re-export of this Software is governed by the laws and regulations of the United States and import laws and regulations of certain other countries. Export or re-export of the Software to any entity not authorized by, or that is specified by, the United States Federal Government is strictly prohibited.

7. General:

laws of England and Wales. This Agreement and any related License Module is the entire agreement between You and Symantec relating to the Software and: (i) supersedes all prior or contemporaneous oral or written communications, proposals, and representations with respect to its subject matter; and (ii) prevails over any conflicting or additional terms of any quote, order, acknowledgment, or similar communications between the parties. This Agreement shall terminate upon Your breach of any term contained herein and You shall cease use of and destroy all copies of the Software. The disclaimers of warranties and damages and limitations on liability shall survive termination. Software and

Contents

Symantec ESM Policy Manual for Visa® CISP for Windows

Introducing the policy
    About the policy
    About Visa CISP
    Where to get more information about CISP
Installing the policy
    Before you install
    Installing the policy
        LiveUpdate installation
        Manual installation
Policy modules
    Account Information
    Account Integrity
    Active Directory
    File Attributes
        File Attributes template files
    File Watch
        File Watch template files
    Login Parameters
    Network Integrity
    Object Integrity
    OS Patches
        Patch template files
    Password Strength
    Registry
        Registry template files
    Startup Files
    Symantec Product Info
    System Auditing
        Security events auditing (success and failure) name lists

Symantec ESM Policy Manual for Visa® CISP for Windows

This document includes the following topics:

Introducing the policy

Installing the policy

Policy modules

Introducing the policy

Visa announced the launch of its Cardholder Information Security Program (CISP) in April 2000. CISP defines a standard of due care for securing Visa cardholder data. CISP compliance is required of all entities that store, process, or transmit Visa cardholder data.

The Symantec ESM policy for Visa® CISP assesses compliance with many technical requirements and also provides information needed to assess compliance with many of the manual requirements of the Visa® CISP Security Audit Procedures and Reporting guidelines.

About the policy

This Symantec ESM policy for Visa CISP assesses compliance with many of the standard’s compliance requirements. This policy can be installed on Symantec ESM 5.5 and 6.0 managers running Security Update 18 or later on the following operating systems:

Microsoft Windows NT Server

Microsoft Windows 2000 Server

Microsoft Windows 2000 Professional

Microsoft Windows XP Professional

Microsoft Windows Server 2003

Use of the Symantec ESM policy for Visa CISP does not constitute compliance with merchant obligations under the Visa CISP program. Please visit http://www.visa.com/cisp for full information on the Visa CISP program and compliance requirements. Symantec ESM and the Symantec ESM policy for Visa CISP have not been tested by Visa and are not endorsed by Visa.

About Visa CISP

for safeguarding personally identifiable information with a list of 12 security requirements and detailed sub-requirements.

Where to get more information about CISP

The full text of these references is available on the VISA Web site, http://www.visa.com/cisp.

The CISP Requirements

1. Install and maintain a working firewall to protect data
2. Keep security patches up-to-date
3. Protect stored data
4. Encrypt data sent across public networks
5. Use and regularly update anti-virus software
6. Restrict access by need to know
7. Assign unique ID to each person with computer access
8. Don’t use vendor-supplied defaults for passwords and security parameters
9. Track all access to data by unique ID
10. Regularly test security systems and processes

Installing the policy

Before you install

Decide which Symantec ESM managers require the policy. Policies run on managers. They do not need to be installed on agents. The policy runs only on Symantec ESM 6.1, 6.0 and 5.5 managers and agents with Security Update 18 or later. Update any managers that do not meet these requirements.

Installing the policy

The standard installation method is to use the LiveUpdate feature in the Symantec ESM console. Another method is to use files from a CD or the Internet to install the policy manually.

LiveUpdate installation

Install the policy by using the LiveUpdate feature in the Symantec ESM console.

To install the policy

1. Connect the Symantec ESM Enterprise Console to managers where you want to install the policy.
2. Click the LiveUpdate icon to start the LiveUpdate wizard.
3. In the wizard, ensure that Symantec LiveUpdate (Internet) is selected, and then click Next.
4. In the Welcome to LiveUpdate dialog box, click Next.
5. Do one of the following:
    To install all checked products and components, click Next.
    To omit a product from the update, uncheck it, and then click Next.
    To omit a product component, expand the product node, uncheck the component that you want to omit, and then click Next.
6. Click Next.
7. Click Finish.
8. Ensure that all managers that you want to update are checked.
9. Click Next.

Manual installation

If you cannot use LiveUpdate to install the policy directly from a Symantec server, you can install the policy manually, using files from a CD or the Internet.

To obtain files

1. Connect the Symantec ESM Enterprise Console to managers that you want to update.
2. From the Security Response Web site (http://securityresponse.symantec.com), download the executable files for the following operating systems:
    Microsoft Windows NT Server
    Microsoft Windows 2000 Professional, Server, domain controller
    Microsoft Windows XP
    Microsoft Windows Server 2003

Note: To avoid conflicts with updates that are performed by standard LiveUpdate installations, copy or extract the files into the LiveUpdate folder, which is usually Program Files\Symantec\LiveUpdate.

To install the policy on a Symantec ESM manager

1. On a computer running Windows NT/2000/XP/Server 2003 that has network access to the manager, run the executable that you downloaded from the Symantec Security Response Web site.
2. Click Next to close the Welcome dialog box.
3. In the License Agreement dialog box, if you agree to the terms of the agreement, click Yes.
4. Click Yes to continue installation of the best practice policy.
5. Type the requested manager information.
6. Click Next.
    If the manager’s modules have not been upgraded to Security Update 18 or later, the install program returns an error message and aborts the installation. Upgrade the manager to SU 18 or later, then rerun the install program.

Policy modules

The VISA CISP policy includes the following modules to manage compliance with many of the technical and some administrative aspects. The enabled checks of each module are listed with the standards that they address and a brief rationale for enabling the check. Associated name lists and templates are also listed. Because the standard does not require specific values, default values and templates have been provided. The policy is read-only but can be copied or renamed according to the needs of your corporate security policy. See the current Symantec Enterprise Security Manager Security Update User’s Guide for Windows for check and message information.

Account Information

The Account Information module reports requested account information such as a list of locked out accounts, account folder permissions, and users that are in specified security groups.

Check: User rights for accounts
CISP section: 6.1, 7.3, 7.3.1
Rationale: Develop a data control policy that limits access to computing resources and cardholder information to only those users whose jobs require such access. Ensure proper user authentication and password management for non-consumer users. Control the addition, deletion, and modification of user IDs, credentials or other identifier objects.
Confirm by examination of authorization forms that all administrators are authorized and have active accounts. Select a sample of general users and confirm by examination of authorization forms that those users are authorized and have active accounts.
This check lists all users (active and inactive) and their user privileges. Therefore, this check must be used with the Disabled accounts check to exclude inactive users.

Check: Disabled accounts
CISP section: 6.1, 7.3, 7.3.1

Account Integrity

The Account Integrity module creates and maintains user and group snapshot files on each agent where the module runs. The module reports new, changed, and deleted accounts as well as account and account privilege information.

Check: Disabled/expired/locked accounts
CISP Section: 7.3.3
Rationale: Remove inactive user accounts at least every 90 days.

Check: New users
CISP Section: 7.3.1
Rationale: Control the addition, deletion and modification of User IDs, credentials or other identifier objects.
Select a sample of user IDs and verify that the IDs are implemented in accordance with the authorization form with specified user privileges.

Check: Deleted users
CISP Section: 7.3.1, 7.3.2
Rationale: Control the addition, deletion, and modification of user IDs, credentials, or other identifier objects and immediately revoke access of terminated users. Verify that the terminated users’ IDs have been disabled or removed.

Check: Changed users
CISP Section: 7.3.1
Rationale: Control the addition, deletion and modification of User IDs, credentials or other identifier objects.
Select a sample of user IDs and verify that the IDs are implemented in accordance with the authorization form with specified user privileges.

Check: New groups
CISP Section: 7.3.1
Rationale: Control the addition, deletion and modification of user IDs, credentials, or other identifier objects.
Select a sample of user IDs and verify that the IDs are implemented in accordance with the authorization form with specified user privileges.

Check: Deleted groups
CISP Section: 7.3.1
Rationale: Control the addition, deletion and modification of user IDs, credentials, or other identifier objects.
Select a sample of user IDs and verify that the IDs are implemented in accordance with the authorization form with specified user privileges.

Check: Changed groups
CISP Section: 7.3.1
Rationale: Control the addition, deletion, and modification of User IDs, credentials, or other identifier objects.

Check: Act as part of the operating system
CISP Section: 8.2.4
Rationale: Configure system security parameters to prevent misuse.
This privilege should be reserved for the Local System account.

Check: Add workstations to domain (Windows NT Server, Windows 2000 Server, Windows Server 2003)
CISP Section: 8.2.4
Rationale: Configure system security parameters to prevent misuse.
This privilege should be reserved for Domain Administrators.

Check: Back up files and directories
CISP Section: 8.2.4
Rationale: Configure system security parameters to prevent misuse.
This privilege should be reserved for Administrators and Backup Operators.

Check: Bypass traverse checking
CISP Section: 8.2.4
Rationale: Configure system security parameters to prevent misuse.
This privilege should be reserved for Administrators.

Check: Change the system time
CISP Section: 8.2.4
Rationale: Configure system security parameters to prevent misuse.
This privilege should be reserved for Administrators.

Check: Create permanent shared objects
CISP Section: 8.2.4
Rationale: Configure system security parameters to prevent misuse.
This privilege should be reserved for Administrators.

Check: Enable computer and user accounts to be trusted for delegation (Windows 2000)
CISP Section: 8.2.4
Rationale: Configure system security parameters to prevent misuse.
An account with this user right may be able to conduct sophisticated attacks to gain access to network resources.

Check: Force shutdown from a remote system
CISP Section: 8.2.4
Rationale: Configure system security parameters to prevent misuse.
This privilege should be reserved for Administrators and Domain Administrators.

Check: Generate security audits
CISP Section: 8.2.4
Rationale: Configure system security parameters to prevent misuse.
This privilege should be reserved for auditors and security personnel.

Check: Load and unload device drivers
CISP Section: 8.2.4
Rationale: Configure system security parameters to prevent misuse.
This privilege should be reserved for Administrators.

Check: Allow log on locally
CISP Section: 8.2.4
Rationale: Configure system security parameters to prevent misuse.
This privilege should be reserved for Administrators and Domain Administrators.

Check: Manage auditing and security log
CISP Section: 8.2.4, 9.4
Rationale: Configure system security parameters to prevent misuse. Secure audit trails so that they cannot be altered.
Only users who have a job-related need can view audit trail files.
This privilege should be reserved for security personnel.

Check: Restore files and directories
CISP Section: 8.2.4
Rationale: Configure system security parameters to prevent misuse.
This privilege should be reserved for Administrators and Backup Operators.

Check: Shut down the system
CISP Section: 8.2.4
Rationale: Configure system security parameters to prevent misuse.
This privilege should be reserved for Administrators, or Domain Administrators for Domain Controllers.

Check: Synchronize directory service data (Windows 2000 Server, Windows Server 2003)
CISP Section: 8.2.4
Rationale: Configure system security parameters to prevent misuse.
This privilege should be reserved for Administrators.

Check: Take ownership of files or other objects
CISP Section: 8.2.4
Rationale: Configure system security parameters to prevent misuse.
This privilege should be reserved for Administrators.
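
The user-rights checks above name who should hold each right. The Python below is an added example, not part of the Symantec manual or of ESM: it reads the [Privilege Rights] section of a secedit /export file and reports holders outside those reserved groups. Assumptions: the Se* names are the Windows identifiers for the rights the checks list by display name, and the sample export (including its domain SID and the account svc_backup) is constructed.

```python
"""Check a secedit /export [Privilege Rights] section against reserved holders."""

# Well-known SIDs, identical on every Windows installation.
LOCAL_SYSTEM = "S-1-5-18"
ADMINISTRATORS = "S-1-5-32-544"
BACKUP_OPERATORS = "S-1-5-32-551"
DOMAIN_ADMINS_RID = "512"  # Domain Admins is S-1-5-21-<domain>-512

# right -> (fixed SIDs allowed, whether Domain Admins is also allowed).
# Holders follow the checks listed above. Rights reserved for "auditors and
# security personnel" are site-specific groups and are left out on purpose.
RESERVED = {
    "SeTcbPrivilege": ({LOCAL_SYSTEM}, False),
    "SeMachineAccountPrivilege": (set(), True),
    "SeBackupPrivilege": ({ADMINISTRATORS, BACKUP_OPERATORS}, False),
    "SeChangeNotifyPrivilege": ({ADMINISTRATORS}, False),
    "SeSystemtimePrivilege": ({ADMINISTRATORS}, False),
    "SeCreatePermanentPrivilege": ({ADMINISTRATORS}, False),
    "SeRemoteShutdownPrivilege": ({ADMINISTRATORS}, True),
    "SeLoadDriverPrivilege": ({ADMINISTRATORS}, False),
    "SeInteractiveLogonRight": ({ADMINISTRATORS}, True),
    "SeRestorePrivilege": ({ADMINISTRATORS, BACKUP_OPERATORS}, False),
    "SeShutdownPrivilege": ({ADMINISTRATORS}, True),
    "SeSyncAgentPrivilege": ({ADMINISTRATORS}, False),
    "SeTakeOwnershipPrivilege": ({ADMINISTRATORS}, False),
}

# Constructed sample; a real export is usually UTF-16 and must be decoded first.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeTcbPrivilege = *S-1-5-21-1004336348-1177238915-682003330-1105
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-21-1004336348-1177238915-682003330-512
SeLoadDriverPrivilege = *S-1-5-32-544
SeShutdownPrivilege = *S-1-5-32-544,svc_backup
SeAuditPrivilege = *S-1-5-19,*S-1-5-20
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(inf_text):
    """Return {right: [holder, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written with a leading '*'; unresolved names have none.
            holders = [h.strip().lstrip("*") for h in value.split(",") if h.strip()]
            rights[name.strip()] = holders
    return rights


def is_domain_admins(sid):
    """True for a domain SID whose relative ID is 512 (Domain Admins)."""
    return sid.startswith("S-1-5-21-") and sid.endswith("-" + DOMAIN_ADMINS_RID)


def audit(inf_text):
    """Return sorted (right, holder) pairs that fall outside the reserved holders."""
    findings = []
    for right, holders in parse_privilege_rights(inf_text).items():
        rule = RESERVED.get(right)
        if rule is None:
            continue  # right not covered by this table
        allowed, domain_admins_ok = rule
        for holder in holders:
            if holder in allowed or (domain_admins_ok and is_domain_admins(holder)):
                continue
            findings.append((right, holder))
    return sorted(findings)


if __name__ == "__main__":
    for right, holder in audit(SAMPLE_EXPORT):
        print(f"{right}: unexpected holder {holder}")
```

A holder that appears as a bare account name is reported as-is, because it cannot be matched to a well-known SID without a lookup on the host.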

Active Directory

The Active Directory module for Windows reports group policy objects (GPOs) that apply to users, groups, and computers in the Active Directory Service (ADS). GPOs are active directory objects that contain group policies such as the Windows security policy. GPO settings can be applied to sites, domains, and organizational units.

Check: Computers with applied GPOs (Windows 2000 Server, Windows Server 2003)
CISP section: 6.1, 6.2, 8.2.4
Rationale: Develop a data control policy that limits access to computing resources and cardholder information to only users whose jobs require such access. Establish a mechanism for systems with multiple users that restricts access based on a user’s need to know. Configure system security parameters to prevent misuse.
GPOs can play a role in data control, restricting user access and preventing misuse.

Check: Computers without applied GPOs (Windows 2000 Server, Windows Server 2003)
CISP section: 6.1, 6.2, 8.2.4
Rationale: Develop a data control policy that limits access to computing resources and cardholder information to only users whose jobs require such access. Establish a mechanism for systems with multiple users that restricts access based on a user’s need to know. Configure system security parameters to prevent misuse.
GPOs can play a role in data control, restricting user access and preventing misuse.

Check: Users with applied GPOs (Windows 2000 Server, Windows Server 2003)
CISP section: 6.1, 6.2, 8.2.4
Rationale: Develop a data control policy that limits access to computing resources and cardholder information to only users whose jobs require such access. Establish a mechanism for systems with multiple users that restricts access based on a user’s need to know. Configure system security parameters to prevent misuse.

Check: Users without applied GPOs (Windows 2000 Server, Windows Server 2003)
CISP section: 6.1, 6.2, 8.2.4
Rationale: Develop a data control policy that limits access to computing resources and cardholder information to only users whose jobs require such access. Establish a mechanism for systems with multiple users that restricts access based on a user’s need to know. Configure system security parameters to prevent misuse.
GPOs can play a role in data control, restricting user access and preventing misuse.

Check: Security groups with applied GPOs (Windows 2000 Server, Windows Server 2003)
CISP section: 6.1, 6.2, 8.2.4
Rationale: Develop a data control policy that limits access to computing resources and cardholder information to only users whose jobs require such access. Establish a mechanism for systems with multiple users that restricts access based on a user’s need to know. Configure system security parameters to prevent misuse.
GPOs can play a role in data control, restricting user access and preventing misuse.

Check: Security groups without applied GPOs (Windows 2000 Server, Windows Server 2003)
CISP section: 6.1, 6.2, 8.2.4
Rationale: Develop a data control policy that limits access to computing resources and cardholder information to only users whose jobs require such access. Establish a mechanism for systems with multiple users that restricts access based on a user’s need to know. Configure system security parameters to prevent misuse.
GPOs can play a role in data control, restricting user access and preventing misuse.


File Attributes

The File Attributes module reports changes to file creation and modification times, file sizes, and CRC/MD5 checksum signatures. It also reports violations of the file permission settings that are specified in template files.

Check | CISP section | Rationale

File ownership (Windows NT, Windows 2000) 8.2.4 10.6

Configure system security parameters to prevent misuse. Deploy file integrity monitoring to alert personnel to unauthorized modification of critical system or content files.

Improper file ownership may allow unauthorized access.

File and folder ownership (Windows XP, Windows 2003) 8.2.4 10.6

Configure system security parameters to prevent misuse. Deploy file integrity monitoring to alert personnel to unauthorized modification of critical system or content files.

Improper file ownership may allow unauthorized access.

File attributes 8.2.4 10.6

Configure system security parameters to prevent misuse. Deploy file integrity monitoring to alert personnel to unauthorized modification of critical system or content files.

Improper file attributes may allow unauthorized access.

Changed file (times) 8.2.4 10.6

Configure system security parameters to prevent misuse. Deploy file integrity monitoring to alert personnel to unauthorized modification of critical system or content files.

Changes to these files may indicate unauthorized access.

Changed file (size) 8.2.4 10.6

Configure system security parameters to prevent misuse. Deploy file integrity monitoring to alert personnel to unauthorized modification of critical system or content files.

Changed file (signature) 8.2.4 10.6

Configure system security parameters to prevent misuse. Deploy file integrity monitoring to alert personnel to unauthorized modification of critical system or content files.

Changes to these files may indicate unauthorized access.

File ACL 8.2.4 10.6

Configure system security parameters to prevent misuse. Deploy file integrity monitoring to alert personnel to unauthorized modification of critical system or content files.

Changes to these files may indicate unauthorized access.

Files giving all users Full Control 8.2.4 10.6

Configure system security parameters to prevent misuse. Deploy file integrity monitoring to alert personnel to unauthorized modification of critical system or content files.

World writable files may allow unauthorized access. Do not notify if file


File Attributes template files

Symantec uses LiveUpdate every two weeks to overwrite the default template files that are loaded on your computer. You can edit the template files by copying and renaming them.

Each File Attributes template is for a specific operating system. The default File Attributes template files have the following extensions.

OS | File name | Template name
Windows 2000 Server | fileatt_policy.s50 | File
Windows NT Server | fileatt_policy.s40 | File
Windows Server 2003 | fileatt_policy.s50 | File
Windows 2000 Professional | fileatt_policy.w50 | File
Windows XP | fileatt_policy.w51 | File


File Watch

The File Watch module creates and maintains a snapshot file that stores file information for each agent where you run the module. The File Watch template specifies the files or directories to be checked and the depth of directory traversal.

Check | CISP section | Rationale

Changed files (ownership) 10.6 10.6.2

Deploy file integrity monitoring to alert personnel to unauthorized modification of critical system or content files. Perform critical file comparisons at least daily, or more frequently, if the process can be automated.

Ownership changes may be an indication of unauthorized access.

Changed files (signature) 10.6 10.6.2

Deploy file integrity monitoring to alert personnel to unauthorized modification of critical system or content files. Perform critical file comparisons at least daily, or more frequently, if the process can be automated.

Changes to the listed files may indicate unauthorized access.

New files 10.6 10.6.2

Deploy file integrity monitoring to alert personnel to unauthorized modification of critical system or content files. Perform critical file comparisons at least daily, or more frequently, if the process can be automated.

Files added to the watched directories may indicate unauthorized access.

Removed files 10.6 10.6.2

Deploy file integrity monitoring to alert personnel to unauthorized modification of critical system or content files. Perform critical file comparisons at least daily, or more frequently, if the process can be automated.

Files removed from the watched directories may indicate unauthorized access.

Malicious files 10.6 10.6.2

Deploy file integrity monitoring to alert personnel to unauthorized modification of critical system or content files. Perform critical file comparisons at least daily, or more frequently, if the process can be automated.


Automatically update snapshots (Windows 2000, Windows XP, Windows Server 2003) N/A N/A

Note: Malicious File Watch templates identify known attack signatures for malicious file checks.

File Watch template files

Symantec uses LiveUpdate every two weeks to overwrite the default template files that are loaded on your computer. You can edit the template files by copying and renaming them.

Note: Do not edit Malicious File Watch files.

OS | File name | Template name
Windows NT Server | nt_policy.fw | File Watch
Windows 2000 | w2k_policy.fw | File Watch
Windows XP | xp_policy.fw | File Watch
Windows Server 2003 | w3s.fw | File Watch
Windows NT Server | nt.mfw | Malicious File Watch
Windows 2000 | w2k.mfw | Malicious File Watch
Windows XP | xp.mfw | Malicious File Watch
Windows Server 2003 | w3s.mfw | Malicious File Watch
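The snapshot comparison behind the File Watch checks listed above (new files, removed files, changed signature, changed ownership), sketched as an added example; this is not Symantec ESM code and does not use the ESM snapshot or template format. The function names, the in-memory snapshot layout, the use of SHA-256 and the sample tree are all assumptions made for illustration.

```python
import hashlib
import os
import tempfile


def file_signature(path):
    """Return the SHA-256 of a file, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_snapshot(root, max_depth=1):
    """Map each file's relative path to its signature, size and owner.

    max_depth is the number of directory levels below root to traverse
    (0 = only files directly inside root).
    """
    root = os.path.abspath(root)
    snapshot = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        depth = 0 if rel_dir == "." else rel_dir.count(os.sep) + 1
        if depth >= max_depth:
            dirnames[:] = []  # stop descending past the configured depth
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
                # On Windows st_uid is always 0; a real check would read the
                # owner SID from the file's security descriptor instead.
                entry = {"sha256": file_signature(path),
                         "size": st.st_size, "owner": st.st_uid}
            except OSError:
                # Unreadable files are still recorded so they cannot hide.
                entry = {"sha256": None, "size": None, "owner": None}
            snapshot[os.path.relpath(path, root)] = entry
    return snapshot


def compare_snapshots(old, new):
    """Classify differences under the four File Watch check names."""
    report = {"new": sorted(new.keys() - old.keys()),
              "removed": sorted(old.keys() - new.keys()),
              "changed_signature": [], "changed_ownership": []}
    for path in sorted(old.keys() & new.keys()):
        if old[path]["sha256"] != new[path]["sha256"]:
            report["changed_signature"].append(path)
        if old[path]["owner"] != new[path]["owner"]:
            report["changed_ownership"].append(path)
    return report


def _write(root, rel_path, data):
    """Create or overwrite a file in the constructed sample tree."""
    path = os.path.join(root, *rel_path.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed sample tree: baseline, modify, re-scan, compare."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "config.ini", b"lockout=6\n")
        _write(root, "bin/app.exe", b"original binary")
        _write(root, "bin/deep/cache.tmp", b"below the watched depth")
        baseline = take_snapshot(root, max_depth=1)

        _write(root, "config.ini", b"lockout=0\n")        # modified
        os.remove(os.path.join(root, "bin", "app.exe"))   # removed
        _write(root, "dropped.dll", b"unexpected file")   # added
        _write(root, "bin/deep/cache.tmp", b"changed")    # outside the depth
        return compare_snapshots(baseline, take_snapshot(root, max_depth=1))


if __name__ == "__main__":
    for check, paths in demo().items():
        print(f"{check}: {paths}")
```

The change to `bin/deep/cache.tmp` goes unreported because it lies below the traversal depth, which is why the depth set in a watch template determines what the daily comparison can see.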


Login Parameters

The Login Parameters module checks to see if the control setting for account lockout is enabled, if the lockout threshold is properly set, if locked accounts must be reactivated by an administrator, and if the autologon feature is disabled.

Check | CISP section | Rationale

Account lockout threshold 7.3.10 8.2.4

Monitor system access attempts. Limit repeated attempts by locking out the user ID after a specific number of attempts. Configure system security parameters to prevent misuse.

This policy ships with a default setting of 6 unsuccessful attempts, but you can change it to reflect your corporate policy.

Account lockout duration

7.3.11 Set the lockout duration to 30 minutes or until the Administrator enables the user ID.

This policy ships with a default setting of 0 (meaning Administrator intervention is required to reset the account) but you can change it to reflect your corporate policy.

Shutdown without logon

8.2.4 Configure system security parameters to prevent misuse.

Prevent denial of service by remote shutdown commands.

Autologon disabled

7.1 Uniquely identify all users before allowing them to access system resources or cardholder information. Autologon does not uniquely identify the user who is logging on.


Network Integrity

The Network Integrity module reports system configuration settings that pertain to authentication and remote access.

Check | CISP section | Rationale

Trusted domains (Windows NT, Windows 2000, Windows Server 2003)

6.2 Establish a mechanism for systems with multiple users that restricts access based on a user’s need to know.

Trusted domains provide broad access and should be reviewed to determine if they meet the need to know requirement.

Shared folders giving all users Full Control

6.2 Establish a mechanism for systems with multiple users that restricts access based on a user’s need to know.

World writable folders may be used to gain unauthorized access.

Hidden shares 8.2.4 Configure system security parameters to prevent misuse.

Hidden shares may allow unauthorized access to system resources and cardholder data.

Anonymous LANMan access disabled 6.2 8.2.4 8.2.7

Establish a mechanism for systems with multiple users that restricts access based on a user’s need to know. Configure system security parameters to prevent misuse. Configure the networking subsystems to protect against known attacks.

Anonymous LANMan access may result in unauthorized access. LANMan authentication is often misused and exploited.

Plain text authentication

3.6 Encrypt all passwords.

Plain text authentication is easily defeated and exposes the password.

LANMan Authentication (Windows NT) 3.6 8.2.4 8.2.7

Encrypt all passwords. Configure system security parameters to prevent misuse. Configure the networking subsystems to protect against known attacks.

LANMan authentication is often misused and exploited and the password is not encrypted.

RRAS/RAS enabled 8.2.5 Remove all unnecessary functionality, e.g., drivers, features, subsystems, file systems, and so on.


Listening TCP ports 4.4 8.2.3

Encrypt non-console administrative access. Use technologies such as SSH or VPN. Disable all unnecessary services.

Review services and parameter files to determine that telnet and other remote login commands are not available for use. Inspect a list of enabled services/daemons, verify that the enabled services are required, and that any potentially dangerous services are justified and documented.

Unauthorized listening ports may not be properly protected against common threats.

Listening UDP ports 8.2.3 Disable all unnecessary services.

Inspect a list of enabled services/daemons, verify that the enabled services are required, and that any potentially dangerous services are justified and documented.

Unauthorized listening ports may not be properly protected against common threats.

New listening TCP ports 4.4 8.2.3

Encrypt non-console administrative access. Use technologies such as SSH or VPN. Disable all unnecessary services.

Review services and parameter files to determine that telnet and other remote login commands are not available for use. Inspect a list of enabled services/daemons, verify that the enabled services are required, and that any potentially dangerous services are justified and documented.

Unauthorized listening ports may not be properly protected against common threats.

New listening UDP ports

8.2.3 Disable all unnecessary services.

Inspect a list of enabled services/daemons, verify that the enabled services are required, and that any potentially dangerous services are justified and documented.

Unauthorized listening ports may not be properly protected against common threats.

New network shares 8.2.5 Remove all unnecessary functionality, e.g., drivers, features, subsystems, file systems, and so on.

Review new network shares since the last snapshot to ensure that they are authorized.

Modified network shares 8.2.5 Remove all unnecessary functionality, e.g., drivers, features, subsystems, file systems, and so on.

Review modified network shares since the last snapshot to ensure that they are authorized.

Object Integrity

The Object Integrity module reports volumes that do not have Access Control Lists (ACLs).

Check | CISP section | Rationale

Volumes without ACL control 6.2 Establish a mechanism for systems with multiple users that restricts access based on a user’s need to know.

Volumes that are configured without access control lists may allow unauthorized access.

Local accounts 6.2 Establish a mechanism for systems with multiple users that restricts access based on a user’s need to know.

Local accounts other than the default administrators account may indicate a system compromise and/or provide a means for unauthorized access.

OS Patches

The OS Patches (Patch) module reports Windows patches that have been released by Microsoft Corporation but are not installed on the agent.

Check | CISP section | Rationale

All module checks 2.1 2.1.1 2.1.2

Make sure all systems and software have the latest vendor-supplied security patches. Keep up with vendor changes and enhancements to security patches. Install new/modified security patches within one month of release.


Consider registry keys (Windows NT)

N/A This option is enabled to determine whether patches are properly installed.

Consider file dates and versions (Windows NT)

N/A This option is enabled to determine whether patches are properly installed.

File versions (Windows 2000, Windows XP, Windows Server 2003)

N/A This option is enabled to determine whether patches are properly installed.

File dates (Windows 2000, Windows XP, Windows Server 2003)

N/A This option is enabled to determine whether patches are properly installed.

Registry keys (Windows 2000, Windows XP, Windows Server 2003)

N/A This option is enabled to determine whether patches are properly installed.

Strict (Windows 2000, Windows XP, Windows Server 2003)

N/A This option is enabled to determine whether patches are properly installed.

Superseded (Windows 2000, Windows XP, Windows Server 2003)

N/A This option is enabled to determine whether patches are properly installed.

Patch template files

Symantec uses LiveUpdate every two weeks to overwrite the default template files that are loaded on your system.

Note: Do not edit, move, or change your Patch template files.

The Patch module uses the following template files.

OS | File name | Template name
Windows NT Server | patch.ps4 | Patch
Windows 2000 Professional | patch.pw5 | Patch
Windows 2000 Server | patch.ps5 | Patch
Windows XP | patch.pwx | Patch
Windows Server 2003 | patch.p6s | Patch
Windows NT Server | windows.pkl | Patch Keywords
Windows 2000 Professional | windows.pkl | Patch Keywords
Windows 2000 Server | windows.pkl | Patch Keywords
Windows XP | windows.pkl | Patch Keywords
Windows Server 2003 | windows.pkl | Patch Keywords

Password Strength

The Password Strength module examines system parameters that control the construction, change, aging, expiration, and storage of passwords.

Check | CISP section | Rationale

Minimum password length

7.3.7 Require a minimum password length of at least seven characters.

This policy ships with a default setting of seven characters.

Accounts without passwords 7.3 7.3.7

Password = username 7 (Best Practices)

Periodically use password-cracking software to identify weak passwords and require users to change them immediately.

Easily guessed passwords are not well protected as required by the standard.

Password = any username 7 (Best Practices)

Periodically use password-cracking software to identify weak passwords and require users to change them immediately.

Easily guessed passwords are not well protected as required by the standard.

Password = wordlist word 7 (Best Practices)

Periodically use password-cracking software to identify weak passwords and require users to change them immediately.

Easily guessed passwords are not well protected as required by the standard.

MD4 hashes N/A Periodically use password-cracking software to identify weak passwords and require users to change them immediately.

This option increases the effectiveness of ESM’s protection against password guessing.

Reverse order 7 (Best Practices)

Periodically use password-cracking software to identify weak passwords and require owners of weak passwords to change them immediately.

Easily guessed passwords are not well protected as required by the standard.

Double occurrences 7 (Best Practices)

Periodically use password-cracking software to identify weak passwords and require users to change them immediately.

Easily guessed passwords are not well protected as required by the standard.

Plural forms 7 (Best Practices)

Periodically use password-cracking software to identify weak passwords and require users to change them immediately.

Easily guessed passwords are not well protected as required by the standard.

Password changes 7.3.6 Change user passwords at least every 90 days. Users must be able to change their own passwords.

Password must expire 7.3.6 Change user passwords at least every 90 days.

Automatically expiring accounts helps to identify unused accounts that should be terminated.

Maximum password age 7.3.6 Change user passwords at least every 90 days.

This policy ships with a default setting of 90 days, but should be changed to reflect your corporate policy.

Password uniqueness 7.3.9 Do not allow a user to submit a new password that is the same as any of the last four passwords that they have used.

This policy ships with a default setting of 4 prior passwords, but should be changed to reflect your corporate policy.

Syskey encryption 3.6 Encrypt all passwords.

Encrypting passwords reduces the risk of discovery.

Password stored using weak encryption (Windows 2000, Windows XP, Windows Server 2003) 3.6 Encrypt all passwords.

Encrypting passwords reduces the risk of discovery.

Registry

The Registry module reports registry key changes and violations of registry key settings that are specified in template files.

Check | CISP section | Rationale

Key ownership 8.2.4 Configure system security parameters to prevent misuse.

Improper registry key ownership may allow unauthorized access.

Key permissions 8.2.4 Configure system security parameters to prevent misuse.


Key and value existence

8.2.4 Configure system security parameters to prevent misuse.

Deletion of registry keys may indicate a variety of security violations.

Changed key (time) 8.2.4 Configure system security parameters to prevent misuse.

Changes to registry keys may indicate unauthorized access.

Changed value (size) 8.2.4 Configure system security parameters to prevent misuse.

Changes to registry keys may indicate unauthorized access.

Changed value (signature)

8.2.4 Configure system security parameters to prevent misuse.

Changes to registry keys may indicate unauthorized access.

Allow any privileged account N/A N/A

Registry template files

Symantec uses LiveUpdate every two weeks to overwrite the default template files that are loaded on your computer.

The Registry module uses the following template files to specify registry settings.

OS | File name | Template name
Windows NT Server | registry_policy.rs4 | Registry - Windows NT Server 4.0
Windows 2000 Professional | registry_policy.rw5 | Registry - Windows 2000 Professional
Windows 2000 Server | registry_policy.rs5 | Registry - Windows 2000 Server
Windows XP | registry_policy.rwx | Registry - Windows XP
Windows Server 2003 | registry_policy.rs6 | Registry - Windows Server 2003

Startup Files

The Startup Files module reports information about system services, run keys, and remote registry access.

Check | CISP section | Rationale

Installed services 8.2.3 Disable all unnecessary services.

Inspect a list of enabled services/daemons, verify that the enabled services are required, and that any potentially dangerous services are justified and documented.

Unauthorized services may not be properly protected against common threats.

Disallowed services 4.4 Encrypt non-console administrative access.

Telnet, rlogin, and ftp do not encrypt the password.

Changed services 8.2.7 Configure the networking subsystems to protect against known attacks.

Changes to an authorized service may indicate a system compromise.

New services 8.2.3 8.2.7

Disable all unnecessary services. Configure the networking subsystems to protect against known attacks.

Deleted services 8.2.7 Configure the networking subsystems to protect against known attacks.

Attackers frequently disable security-related services.

Contents of Run keys 8.2.7 Configure the networking subsystems to protect against known attacks.

Malicious software often uses Run keys to restore itself after a reboot. Review output from this check to ensure that Run keys are authorized.

Remote Procedure Call (RPC) disabled 8.2.3 Disable all unnecessary services.

RPC is a frequently exploited service that should be disabled unless required.

Remote registry access (non-administrators) 8.2.4 Configure system security parameters to prevent misuse.

Only Administrators should have remote access to the registry.

Symantec Product Info

The Symantec Product Info module reports information about installed Symantec products.

Check | CISP section | Rationale

Symantec AntiVirus Corporate Edition Minimum version 5 5.2

Use and regularly update antivirus software programs. Keep all antivirus mechanisms current and actively running.

The default is version 9.0. Change this to match your corporate policy.

Symantec AntiVirus Corporate Edition LiveUpdate frequency 5 5.2

Use and regularly update antivirus software programs. Keep all antivirus mechanisms current and actively running.

Symantec AntiVirus Corporate Edition Scan frequency 5 5.2

Use and regularly update antivirus software programs. Keep all antivirus mechanisms current and actively running.

This policy ships with a default frequency of seven days. Change this to match your corporate policy.

System Auditing

System auditing identifies unauthorized users and provides valuable tracking information during or after an attack. The module reports security events that are audited for failure or success and what happens when the log file is full.

Check | CISP section | Rationale

Security events success auditing 8.2.4 9.2 9.2.2 9.2.3 9.2.5 9.2.6 9.2.7

Configure system security parameters to prevent misuse. Implement automated audit trails to reconstruct the following events:

■ All actions taken by any user with root or administrative privileges
■ Access to all audit trails
■ Use of identification and authentication mechanisms
■ Initialization of the audit logs
■ Deletion of objects

For specific settings see Security events auditing (success and failure) name lists

Security events failure auditing 8.2.4 9.2 9.2.2 9.2.3 9.2.5 9.2.6 9.2.7

Configure system security parameters to prevent misuse. Implement automated audit trails to reconstruct the following events:

■ All actions taken by any user with root or administrative privileges
■ Access to all audit trails
■ Use of identification and authentication mechanisms
■ Initialization of the audit logs
■ Deletion of objects

Days until security events are overwritten 9.6 Retain your audit trail history for a period that is consistent with its effective use, as well as legal regulations. An audit history usually covers a period of six months or more.

Overwritten logs cannot be reviewed. This policy ships with a default setting of 180 days.

Guest access to event logs 9.4 Secure audit trails so that they cannot be altered.

Security events auditing (success and failure) name lists

The following list explains the events that should be audited in the Windows Audit Policy as well as the conditions under which an audit log entry is generated.

Platform: Windows NT Server
Audit for Success:
■ Logon and logoff
■ Restart, shutdown system
■ Security policy changes
■ User and group management
Audit for Failure:
■ File and object access
■ Logon and logoff
■ Restart, shutdown system
■ Security policy changes
■ Use of user rights
■ User and group management

Platform: Windows 2000 Professional
Audit for Success:
■ Audit account logon events
■ Audit account management
■ Audit logon events
■ Audit policy change
■ Audit privilege use
Audit for Failure:
■ Audit account logon events
■ Audit account management
■ Audit logon events
■ Audit object access
■ Audit policy changes
■ Audit privilege use
■ Audit system events

Platform: Windows 2000 Server
Audit for Success:
■ Audit account logon events
■ Audit account management
■ Audit logon events
■ Audit policy change
■ Audit privilege use
Audit for Failure:
■ Audit account logon events
■ Audit account management
■ Audit logon events
■ Audit object access
■ Audit policy changes
■ Audit privilege use
■ Audit system events

Platform: Windows 2000 Server with ADS
Audit for Success:
■ Audit account logon events
■ Audit account management
■ Audit logon events
■ Audit policy change
■ Audit privilege use
Audit for Failure:
■ Audit account logon events
■ Audit account management
■ Audit directory service access
■ Audit logon events
■ Audit object access
■ Audit policy changes
■ Audit privilege use
■ Audit system events

Platform: Windows XP
Audit for Success:
■ Audit account logon events
■ Audit account management
■ Audit logon events
■ Audit policy change
■ Audit privilege use
Audit for Failure:
■ Audit account logon events
■ Audit logon events
■ Audit object access
■ Audit policy change
■ Audit privilege use
■ Audit system event

Platform: Windows Server 2003
Audit for Success:
■ Audit account logon events
■ Audit account management
■ Audit logon events
■ Audit policy change
■ Audit privilege use
Audit for Failure:
■ Audit account logon events
■ Audit logon events
■ Audit object access
■ Audit policy change
■ Audit privilege use
■ Audit system event

Platform: Windows Server 2003 with ADS
Audit for Success:
■ Audit account logon events
■ Audit account management
■ Audit logon events
■ Audit policy change
■ Audit privilege use
Audit for Failure:
■ Audit account logon events
■ Audit directory service access
■ Audit logon events
■ Audit object access
■ Audit policy change
■ Audit privilege use
■ Audit system event
