IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Organisation Remarks
____________________________________________________________________ .........................................
S 2.92 Performing security checks in the Windows
NT client-server network
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrators
The following points should be checked regularly at the level of the servers in
a Windows NT client-server network in terms of whether they are being
followed and their effectiveness (see also S 4.54 Logging under Windows NT):
- System security settings
The correct setting of the entries relevant to security in the registry, i.e.
essentially the entries in the sector HKEY_LOCAL_MACHINE, must be
checked regularly by checking the entries of the security logs which refer
to the registry.
- Use of privileged user accounts
The use of privileged user accounts, i.e. of accounts with extended rights
and authorisations e.g. for administrators, must be checked regularly by
checking the entries in the security log. Likewise the log must be checked
for log-on attempts to the guest user account.
- Failed access attempts (authorisation violations)
If access to files and/or the registry is recorded, the security log must be
checked weekly, or more often when required, for the occurrence of failed
log-on attempts. If authorisation violations are discovered, the cause must
be established.
- System integrity
System integrity must be checked regularly; in particular, the data relating
to the last modification and the rights to access important system files must
be checked and compared with the values obtained directly after
installation of the system and at each previous check. Since this check,
with the aid of the capabilities offered by Windows NT, is relatively
expensive, suitable ancillary tools should be used here, for example the
shareware program DumpACL, or the service program WinDiff supplied
with the Technical Reference (the "resource kit") for Windows NT, with
which the contents of directories and files can be compared.
- Unused user accounts
It must be ensured that the accounts of former employees are immediately
deactivated and deleted from the system after a suitable transitional period
(approx. ½ year). As the time of the last log-on to the system is not
indicated, then, for this purpose, all user accounts should, if, possible, be
supplied with an expiry date which has to be updated at certain intervals
(e.g. annually) at the request of the user. Inactive, i.e. expired user accounts
must be deleted. The owners must first be informed. The list of defined
users must be checked regularly to ensure that only active employees are
working on the system.
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000