IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Organisation Remarks
____________________________________________________________________ .........................................
5. Configuring groups
To facilitate administration, user accounts which need to fulfil identical
requirements should be coalesced into groups. User rights such as file,
directory and sharing rights as well as any additional, pre-defined functions
are then assigned to these groups instead of individual user accounts. The user
accounts inherit the rights and authorisations of the groups to which they
belong. For example, all the staff members of a particular department can be
coalesced into one group. Rights and authorisations should only be allocated
to individual users in exceptional situations.
6. Determining user rights
Rights allow a user to perform certain actions on the system. They refer to the
entire system, are not assigned to any special object, and can annul the
authorisations to an object, as a right takes precedence over all file and
directory authorisations. Whenever a user logs into an account to which the
desired rights were granted either directly or via group membership, he can
perform the corresponding actions. If a user does not possess the appropriate
rights, Windows NT stops all attempts to carry out the actions concerned.
As already mentioned, user rights should be assigned to groups instead of
individual users wherever possible.
During installation, Windows NT performs default settings which are
generally adequate for secure and efficient operation. However, it is advisable
to withdraw the "Shut down system" and "Local login" rights from the
"Everyone" group and, if applicable, the "Local login" right from the "Guests"
group (refer to S 4.50 Structured system administration under Windows NT).
7. Determining the specifications for logging
Windows NT provides very detailed capabilities for the logging of incidents
relevant to security which, when used to the full, are capable of occupying the
system to a large extent with auditing and consume large amounts of disk
space in the process. A spectrum of incident types can be recorded which
extends from system-wide incidents, such as, for example, the log-on of a user
through to a user attempting to read a certain file. Both the successful and the
failed attempts to perform an action can be recorded. In the configuration of
the logging, however, it must be noted that an increase in logging does not
necessarily also increase the security of the monitored system. Log files which
are not evaluated or which, on account of their size, can only be evaluated
with great effort, do not lead to improved supervision of the system
sequences; on the contrary, they are ultimately useless. For these reasons,
logging should be set in such a way that under normal circumstances it only
records the really significant incidents (see S 4.54 Logging under Windows
NT).
8. Rules concerning data storage
A specification is required as to where user data should be stored (refer to S
2.138 Structured data storage). In some cases, for example, it is advisable to
store user data only on a server. This model does not permit a storage of data
on local hard disks. However, it is also conceivable to store certain user data
only on a local hard disk. The strategy to be employed must be ascertained in
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000