Reporte Operativo de Riesgos componente tactico.pdf


Detailed Risk Report

PRJR13011

01 Proyecto

Risk Management

06/11/2013 8:00:09

The information in this document and any attachments is intended for users of Modulo Risk Manager©, a product developed by Modulo Security LLC. If you do not have permission to access this information, know that it is prohibited to read, release, or copy this information. Improper use will be subject to the legislation in effect based on the confidentiality agreements.

The controls in the knowledge bases created by Modulo Security LLC are protected by copyright and ownership laws.

The full or partial unauthorized reproduction of the information in this report shall result in civil and criminal punishments.

Issued:


ATTENTION

Those responsible for implementing the controls should know that the technical recommendations in the knowledge bases provided by Modulo Security LLC apply to generic systems.

These knowledge bases should be evaluated in terms of their applicability and impact before being implemented in a live operating environment. The system under analysis should be taken into account, given that a change in the configuration or permission parameters in the file systems could damage the applications.

Clients will be held responsible for any results achieved with the use of custom knowledge bases. Creating knowledge bases using a methodology other than that used by Modulo Security LLC may lead to distorted or biased results.

Modulo Security LLC will not be held responsible for evaluating, validating, or supporting custom knowledge bases and queries created with the help of the knowledge management features provided in Módulo Risk Manager©, nor will it be held responsible for any related damage.

www.modulo.com

Modulo Security LLC

Copyright © 2011 Modulo Solutions for GRC


1. INTRODUCTION

This report presents the results of the 01 Proyecto project. It aims at providing guidance on how to prioritize the recommendations that should be applied according to the risk level (PSR). It can also be used as a tool to implement the controls in the assets in question.

The report includes two tables to support the risk treatment process:
1) List of non-implemented controls;
2) Detailed list of non-implemented controls.

The Controls Ordered by Risk table includes information on:
1) The controls that should be implemented;
2) Their priority;
3) Where the controls should be treated.

The Controls To Be Implemented table includes information on:
1) Which controls should be implemented;
2) The sum of the total risk referring to the control;
3) The justification for each control;
4) Recommendations on how to implement each control;
5) The number of locations where controls should be implemented (number of asset components).


2. ANALYSIS RESULTS

2.1 List of Non-Implemented Controls

This table contains the following information:

Grouping: groupings are categories that allow controls related to each other to be organized in order to facilitate analyses and treatment measures.

PSR: this is the maximum value of the risk found for each control. This report shows the PSR in descending order. Risk is calculated for each non-implemented control through the formula Risk = Probability x Severity x Relevance, where:

RELEVANCE: This is the degree of importance the asset holds to the organization, which may take into consideration the business components it supports.

SEVERITY: This severity scores the level of impact on the organization if the risk materializes. This means that if the incident occurs, the severity will score the degree to which the performance, reliability, or quality of the asset will be compromised.

PROBABILITY: This is the probability that vulnerabilities or weaknesses are exploited by one or more threats due to the absence of controls.

The calculated risk levels vary from 1 to 125. They are divided into five different levels, each of which has orientations specified as to the prioritization of the treatment measures:

Risk Level of the Control | Possible PSR Values | Definition
Very Low | 1, 2, 3, 4, 5, 6 | These are acceptable risks, and asset managers should be informed of them.
Low | 8, 9, 10, 12, 15, 16 | These are risks which may be acceptable once reviewed and confirmed by the asset managers.
Medium | 18, 20, 24, 25, 27, 30 | These are risks which may be acceptable once reviewed and confirmed by the asset managers; however, their acceptance should be done formally.
High | 32, 36, 40, 45, 48, 50 | These are unacceptable risks, and asset managers should at least be oriented on how to control them.
Very High | 60, 64, 75, 80, 100, 125 | These are unacceptable risks, and asset managers should be oriented on how to minimize them immediately.


Control: this is a security measure required to lower the risk, which may be a policy, practice, procedure, organizational structure, or software function. It also includes the security-related hardware devices. Controls aim at reducing or eliminating vulnerabilities, inhibiting threat agents, or minimizing the impacts caused by incidents.

ID: this is the unique identifier for each control, which appears in parentheses after each.

Asset Component: this is where the control has not been implemented.
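The formula Risk = Probability x Severity x Relevance and the five-level table above, worked through in PowerShell. This is an added example and not part of the Modulo report; the rows are copied from table 2.1 of this report, and the function and variable names are my own.

```powershell
# Added example (not from the Modulo report): recompute PSR = P x S x R for
# each non-implemented control, map it to the report's five risk levels, and
# total the PSR per control the way table 2.2 does.

# The 30 possible PSR values, grouped exactly as in the report's table.
$RiskLevels = @(
    [pscustomobject]@{ Index = 1; Name = 'Very Low';  PsrValues = @(1, 2, 3, 4, 5, 6) }
    [pscustomobject]@{ Index = 2; Name = 'Low';       PsrValues = @(8, 9, 10, 12, 15, 16) }
    [pscustomobject]@{ Index = 3; Name = 'Medium';    PsrValues = @(18, 20, 24, 25, 27, 30) }
    [pscustomobject]@{ Index = 4; Name = 'High';      PsrValues = @(32, 36, 40, 45, 48, 50) }
    [pscustomobject]@{ Index = 5; Name = 'Very High'; PsrValues = @(60, 64, 75, 80, 100, 125) }
)

function Get-Psr {
    # Each factor is scored 1..5, so the product ranges from 1 to 125 as the report states.
    param([int]$Relevance, [int]$Severity, [int]$Probability)
    foreach ($score in $Relevance, $Severity, $Probability) {
        if ($score -lt 1 -or $score -gt 5) { throw "Scores must be in 1..5, got $score" }
    }
    return $Relevance * $Severity * $Probability
}

function Get-RiskLevel {
    # Returns e.g. "3 - Medium", the form the Risk Level column of table 2.1 uses.
    param([int]$Psr)
    $level = $RiskLevels | Where-Object { $_.PsrValues -contains $Psr } | Select-Object -First 1
    if ($null -eq $level) { throw "PSR $Psr is not a product of three 1..5 scores" }
    return '{0} - {1}' -f $level.Index, $level.Name
}

# Rows taken from table 2.1 of this report (R, S, P as printed there).
$Findings = @(
    [pscustomobject]@{ Id = 'MOD_EN.00017812'; Asset = '01 Servidor Back End - Generic Database - DB Empleados'; R = 5; S = 3; P = 2 }
    [pscustomobject]@{ Id = 'MOD_EN.00041027'; Asset = '01 Servidor Back End - MS Windows Srv 2008 MS -';         R = 5; S = 1; P = 2 }
    [pscustomobject]@{ Id = 'MOD_EN.00017833'; Asset = '01 Servidor Back End - Generic Database - DB Empleados'; R = 5; S = 5; P = 3 }
    [pscustomobject]@{ Id = 'MOD_EN.00010643'; Asset = '01 Firewall - Generic Firewall';                         R = 4; S = 4; P = 4 }
    [pscustomobject]@{ Id = 'MOD_EN.00019703'; Asset = '01 Firewall - Generic Firewall';                         R = 4; S = 2; P = 2 }
)

function Get-RiskTable {
    # Table 2.1 layout: one row per (control, asset component), PSR descending.
    param([object[]]$Rows)
    $Rows | ForEach-Object {
        $psr = Get-Psr -Relevance $_.R -Severity $_.S -Probability $_.P
        $level = Get-RiskLevel -Psr $psr
        [pscustomobject]@{ RiskLevel = $level; Asset = $_.Asset; R = $_.R; S = $_.S; P = $_.P; ControlId = $_.Id; PSR = $psr }
    } | Sort-Object PSR -Descending
}

function Get-ControlTotals {
    # Table 2.2 layout: Total PSR is the sum over every asset component lacking the control.
    param([object[]]$Rows)
    Get-RiskTable -Rows $Rows | Group-Object ControlId | ForEach-Object {
        [pscustomobject]@{
            ControlId           = $_.Name
            TotalPsr            = ($_.Group | Measure-Object PSR -Sum).Sum
            AssetComponentCount = $_.Count
        }
    } | Sort-Object TotalPsr -Descending
}

Get-RiskTable -Rows $Findings | Format-Table -AutoSize
Get-ControlTotals -Rows $Findings | Format-Table -AutoSize
```

The five sample rows reproduce the report's own values (30 Medium, 10 Low, 75 Very High, 64 Very High, 16 Low); feeding a full export of the findings into Get-ControlTotals gives the Total PSR column of table 2.2.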


2.1.0001 Grouping: Access Control

Risk Level | Asset Component | R | S | P | Control Name | Control ID | PSR
3 - Medium | 01 Servidor Back End - Generic Database - DB Empleados | 5 | 3 | 2 | The database's remote management tools should be installed only on authorized workstations. | MOD_EN.00017812 | 30

2.1.0002 Grouping: Accounts and Passwords

Risk Level | Asset Component | R | S | P | Control Name | Control ID | PSR
2 - Low | 01 Servidor Back End - MS Windows Srv 2008 MS - | 5 | 1 | 2 | The "DisableSavePassword" parameter should be set to "1". | MOD_EN.00041027 | 10

2.1.0003 Grouping: Auditing and Electronic Monitoring

Risk Level | Asset Component | R | S | P | Control Name | Control ID | PSR
4 - High | 01 Servidor Back End - Generic Database - DB Empleados | 5 | 4 | 2 | A retention period should be defined for the database's audit log files. | MOD_EN.00018278 | 40
3 - Medium | 01 Servidor Back End - MS Windows Srv 2008 MS - | 5 | 3 | 2 | A maximum size for the Windows Server 2008 Member Server audit log files should be established. | MOD_EN.00041039 | 30
3 - Medium | 01 Servidor Back End - MS Windows Srv 2008 MS - | 5 | 3 | 2 | Windows Server 2008 should be configured to save a log whenever a fatal error occurs. | MOD_EN.00041116 | 30
3 - Medium | 01 Servidor Back End - MS Windows Srv 2008 MS - | 5 | 3 | 2 | The Security System Extension audit subcategory should be configured as "Success" and "Failure". | MOD_EN.00041262 | 30
3 - Medium | 01 Servidor Back End - MS Windows Srv 2008 MS - | 5 | 3 | 2 | The System Integrity audit subcategory should be configured as "Success" and "Failure". | MOD_EN.00041263 | 30
3 - Medium | 01 Servidor Back End - MS Windows Srv 2008 MS - | 5 | 3 | 2 | The IPsec Driver audit subcategory should be configured as "Success" and "Failure". | MOD_EN.00041264 | 30
3 - Medium | 01 Servidor Back End - MS Windows Srv 2008 MS - | 5 | 3 | 2 | The Security State Change audit subcategory should be configured as "Success" and "Failure". | MOD_EN.00041265 | 30
3 - Medium | 01 Servidor Back End - MS Windows Srv 2008 MS - | 5 | 3 | 2 | The Logon audit subcategory should be configured as "Success" and "Failure". | MOD_EN.00041266 | 30


Risk Level | Asset Component | R | S | P | Control Name | Control ID | PSR
3 - Medium | 01 Servidor Back End - MS Windows Srv 2008 MS - | 5 | 3 | 2 | The Logoff audit subcategory should be configured as "Success". | MOD_EN.00041267 | 30
3 - Medium | 01 Servidor Back End - MS Windows Srv 2008 MS - | 5 | 3 | 2 | The Special Logon audit subcategory should be configured as "Success". | MOD_EN.00041268 | 30
3 - Medium | 01 Servidor Back End - MS Windows Srv 2008 MS - | 5 | 3 | 2 | The File System audit subcategory should be configured as "Failure". | MOD_EN.00041269 | 30
3 - Medium | 01 Servidor Back End - MS Windows Srv 2008 MS - | 5 | 3 | 2 | The Registry audit subcategory should be configured as "Failure". | MOD_EN.00041270 | 30
3 - Medium | 01 Servidor Back End - MS Windows Srv 2008 MS - | 5 | 3 | 2 | The Sensitive Privilege Use audit subcategory should be configured as "Success" and "Failure". | MOD_EN.00041271 | 30
3 - Medium | 01 Servidor Back End - MS Windows Srv 2008 MS - | 5 | 3 | 2 | The Process Creation audit subcategory should be configured as "Success". | MOD_EN.00041272 | 30
3 - Medium | 01 Servidor Back End - MS Windows Srv 2008 MS - | 5 | 3 | 2 | The Audit Policy Change audit subcategory should be configured as "Success" and "Failure". | MOD_EN.00041273 | 30
3 - Medium | 01 Servidor Back End - MS Windows Srv 2008 MS - | 5 | 3 | 2 | The Authentication Policy Change audit subcategory should be configured as "Success". | MOD_EN.00041274 | 30
3 - Medium | 01 Servidor Back End - MS Windows Srv 2008 MS - | 5 | 3 | 2 | The User Account Management audit subcategory should be configured as "Success" and "Failure". | MOD_EN.00041275 | 30
3 - Medium | 01 Servidor Back End - MS Windows Srv 2008 MS - | 5 | 3 | 2 | The Security Group Management audit subcategory should be configured as "Success" and "Failure". | MOD_EN.00041277 | 30
3 - Medium | 01 Servidor Back End - MS Windows Srv 2008 MS - | 5 | 3 | 2 | The Other Account Management Events audit subcategory should be configured as "Success" and "Failure". | MOD_EN.00041278 | 30
3 - Medium | 01 Servidor Back End - MS Windows Srv 2008 MS - | 5 | 3 | 2 | The Credential Validation audit subcategory should be configured as "Success" and "Failure". | MOD_EN.00041279 | 30
3 - Medium | 01 Servidor Back End - MS Windows Srv 2008 MS - | 5 | 2 | 2 | NTFS permissions for the "%SystemRoot%\Debug" directory should be configured to prevent unauthorized access. | MOD_EN.00041238 | 20
3 - Medium | 01 Servidor Back End - MS Windows Srv 2008 MS - | 5 | 2 | 2 | The Computer Account Management audit subcategory should be configured as "Success" and "Failure". | MOD_EN.00041276 | 20

2.1.0004 Grouping: Fault Tolerance

Risk Level | Asset Component | R | S | P | Control Name | Control ID | PSR
5 - Very High | 01 Servidor Back End - Generic Database - DB Empleados | 5 | 5 | 3 | The database server's transaction logs and databases should be stored on separate physical disks. | MOD_EN.00017833 | 75
4 - High | 01 Servidor Back End - Generic Database - DB Empleados | 5 | 4 | 2 | In mission critical environments, the database's Failover Clustering process should be implemented. | MOD_EN.00017834 | 40


2.1.0005 Grouping: File Systems and Permissions

Risk Level | Asset Component | R | S | P | Control Name | Control ID | PSR
5 - Very High | 01 Servidor Back End - Generic Database - DB Empleados | 5 | 4 | 3 | The operating system and database disk file systems should be equipped with security controls. | MOD_EN.00017828 | 60
5 - Very High | 01 Servidor Back End - Generic Database - DB Empleados | 5 | 4 | 3 | Permissions for the directory where the database's data files are located should be configured to prevent improper access. | MOD_EN.00017830 | 60
4 - High | 01 Servidor Back End - Generic Database - DB Empleados | 5 | 3 | 3 | Permissions for directories containing database and transaction log backup files should be set to prevent improper access. | MOD_EN.00017831 | 45

2.1.0006 Grouping: Service Outages and Other Attacks

Risk Level | Asset Component | R | S | P | Control Name | Control ID | PSR
5 - Very High | 01 Firewall - Generic Firewall | 4 | 4 | 4 | The Firewall should have rules to block TCP packets that have invalid flags. | MOD_EN.00010643 | 64
5 - Very High | 01 Firewall - Generic Firewall | 4 | 4 | 4 | The traffic of malformed packets should be blocked by the firewall. | MOD_EN.00010644 | 64
4 - High | 01 Firewall - Generic Firewall | 4 | 3 | 3 | Rules to block outgoing forged IP packets originating from internal networks should be implemented on the Firewall. | MOD_EN.00010637 | 36
4 - High | 01 Firewall - Generic Firewall | 4 | 3 | 3 | Rules to block outgoing forged IP packets originating from the DMZ should be implemented on the Firewall. | MOD_EN.00010645 | 36

2.1.0007 Grouping: System and Application Settings

Risk Level | Asset Component | R | S | P | Control Name | Control ID | PSR
5 - Very High | 01 Firewall - Generic Firewall | 4 | 4 | 4 | Some types of ICMP packets necessary for controlling the communication and the status of networks should be allowed. | MOD_EN.00010635 | 64
3 - Medium | 01 Firewall - Generic Firewall | 4 | 3 | 2 | The use of the "Any" identifier in the Firewall rules should be avoided. | MOD_EN.00010638 | 24
3 - Medium | 01 Firewall - Generic Firewall | 4 | 3 | 2 | The most frequently used rules should be placed at the top of the Firewall's rule base. | MOD_EN.00019696 | 24
2 - Low | 01 Firewall - Generic Firewall | 4 | 2 | 2 | The firewall's rules should be created using IP addresses instead of DNS names. | MOD_EN.00019703 | 16


2.2 Detailed List of Non-implemented Controls

This table contains the following information:

Control and ID: Name of the control and its respective ID.

Total PSR: Sum of the PSR of the non-implemented controls.

Number of Asset Components: Number of asset components where the absence of a control was identified.

Control Details

· Reason: This field provides explanations on why it is important to implement the control.

· Recommendation: This field provides guidance on how to implement the control.

· References: This field provides additional information on the control and its implementation whenever possible.

· Questionnaire: This field lists the questionnaire which includes the recommended control.

· Comments: This field consolidates the comments provided by analysts.


Control Name | Control ID | Total PSR | Number of Asset Components | Detailed Description of the Control

2.2.0001 Grouping: Access Control

Control: The database's remote management tools should be installed only on authorized workstations.
Control ID: MOD_EN.00017812
Total PSR: 30
Number of Asset Components: 1

Reason: As well as installation of the database on the server, many database management systems allow installation of remote management tools on network workstations. Good security practice recommends that all management or development components which are not strictly necessary for the database's operations should be removed. Remote management tools should be installed only on authorized workstations. This practice protects the server from exposure to attacks based on improper use of these components.

Recommendation: This control can be implemented by means of the following procedures:
1. Uninstall from the server all unnecessarily installed connectivity or remote management components, using the database setup program, or through appropriate means for the database in question.
2. Make sure that the required tools are installed only on workstations that are authorized to remotely manage the database.

Warning! This control was designed for generic environments. Evaluate applicability and possible impact prior to implementation in an operational environment.

References: For additional information, see the database manual.
Questionnaire: Application - "Database" - Generic Database
Comments:

2.2.0002 Grouping: Accounts and Passwords

Control: The "DisableSavePassword" parameter should be set to "1".
Control ID: MOD_EN.00041027
Total PSR: 10
Number of Asset Components: 1

Reason: The "DisableSavePassword" parameter defines whether or not the Operating System will enable the option for storing user authentication credentials for dial-up connections. When stored, these credentials do not need to be re-entered every time a new connection request is executed. In order to prevent attackers from gaining unauthorized access to other computers through a dial-up connection, it is recommended to configure this parameter to keep user credentials from being stored in the system.

Recommendation: This control can be implemented through the following procedures:
1. Click on "Start" -> "Run".
2. Enter "regedit" in the "Open" field, and click "OK".
3. Select the "HKLM\SYSTEM\CurrentControlSet\Services\Rasman\Parameters" key.
4. Double click the "DisableSavePassword" parameter, and change the value in the "Value Data" field to 1.
5. When finished, click "OK" to save the changes made.

NOTE: If the "DisableSavePassword" parameter cannot be found, it should be created through the following procedures:
1. Click on "Start" -> "Run".
2. Enter "regedit" in the "Open" field, and click "OK".
3. Right-click on the "HKLM\SYSTEM\CurrentControlSet\Services\Rasman\Parameters" key, and click on "New" -> "DWORD Value".
4. Create a parameter named "DisableSavePassword".
5. Double click the parameter created, and change the value in the "Value Data" field to 1.
6. When finished, click "OK" to save the changes made.

Warning: This control has been developed for generic environments. Assess applicability and potential impacts prior to implementing it in a production environment.

References: http://technet.microsoft.com/en-us/library/cc784187.aspx
Questionnaire: Operating System - "Microsoft" - Windows Server 2008 Family (Member Server)
Comments:





Control Name | Control ID | Total PSR | Number of Asset Components | Detailed Description of the Control

2.2.0003 Grouping: Auditing and Electronic Monitoring

Control: A retention period should be defined for the database's audit log files.
Control ID: MOD_EN.00018278
Total PSR: 40
Number of Asset Components: 1

Reason: Definition of a retention period for the database's audit log files can prevent loss of traceability regarding events that occurred. Notice that limiting the size of logs does not prevent the definition of a retention period for audit log entries. Once they reach their maximum size, log files can be restarted and old data can be saved on other media. This allows you to establish a balance between the need for disk space and the need to preserve the logs for a certain period of time, which is useful for a more consistent evaluation of security incidents, and in certain environments may even be a legal or regulatory requirement.

Recommendation: This control can be implemented using the following procedures:
1. Define a retention period for audit log files.

Warning! This control was designed for generic environments. Evaluate applicability and possible impact prior to implementation in an operational environment.

References:
Questionnaire: Application - "Database" - Generic Database
Comments:


Control: A maximum size for the Windows Server 2008 Member Server audit log files should be established.
Control ID: MOD_EN.00041039
Total PSR: 30
Number of Asset Components: 1

Reason: Correctly defining the maximum size for the Windows Server 2008 Member Server audit log files will reduce the risk of excessive consumption of disk space. If a maximum size for the audit logs is not predefined, disk space may be reduced to the point where the audit log files can no longer be saved, which will lead to the loss of traceability and may render the system unavailable for lack of disk space. Therefore, it is recommended to establish a maximum size for these files.

Recommendation: This control can be implemented through the following procedures:
1. Click on "Start" -> "Administrative Tools" -> "Event Viewer".
2. Right-click on the type of audit you wish to configure (located in "Windows Logs\", "Applications and Services Logs\" and "Applications and Services Logs\Microsoft\"), and click on "Properties".
3. Select the "General" tab.
4. Enter the desired size for the type of audit previously selected in the "Maximum log size" field.
5. When finished, click "OK" to save the changes made.

NOTE: The bigger the maximum size for the logs, the more information can be stored. On the other hand, more disk space will be used up. This parameter should be set up according to the system's characteristics and the corporate Security Policy.

Warning: This control has been developed for generic environments. Assess applicability and potential impacts prior to implementing it in a production environment.

References: Windows Server 2008 Security Guide - Appendix A
Questionnaire: Operating System - "Microsoft" - Windows Server 2008 Family (Member Server)
Comments:


Control: Windows Server 2008 should be configured to save a log whenever a fatal error occurs.
Control ID: MOD_EN.00041116
Total PSR: 30
Number of Asset Components: 1

Reason: Implementation of this control ensures that a security log will be saved in order to document that the system has been restarted for technical reasons. This will allow the system Administrator to become aware of the issue, and research the causes of the fatal error (e.g. unexpected software and hardware failure).

Recommendation: This control can be implemented through the following procedures:
1. Click on "Start" -> "Run".
2. Enter "regedit" in the "Open" field, and click "OK".
3. Select the "HKLM\SYSTEM\CurrentControlSet\Control\CrashControl" key.
4. Double click on the "LogEvent" parameter, and set the value in the "Value Data" field to "1".
5. When finished, click "OK" to save the changes made.

Warning: This control has been developed for generic environments. Assess applicability and potential impacts prior to implementing it in a production environment.

References: ISO/IEC 27002:2005 - Topic 10.10.5 - Fault logging.
Questionnaire: Operating System - "Microsoft" - Windows Server 2008 Family (Member Server)
Comments:
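The two regedit procedures in this report, for "DisableSavePassword" (MOD_EN.00041027, including the NOTE case where the value must first be created) and for "LogEvent" (MOD_EN.00041116), implemented as one idempotent check-and-fix in PowerShell. This is an added example, not the report's or Modulo's own code; the function name and the result fields are my own, and it assumes an elevated session.

```powershell
# Added example (not from the Modulo report): verify a registry DWORD and
# bring it to the value a control requires. Covers the report's NOTE case
# (value absent, create it as a DWORD) and reports instead of silently
# coercing when the value exists with the wrong type. Run elevated; with
# -WhatIf nothing is written and the Action column shows what would change.

function Assert-RegistryDword {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,      # registry key in PowerShell drive form
        [Parameter(Mandatory)][string]$Name,      # value name
        [Parameter(Mandatory)][int]$Expected,     # desired DWORD value
        [string]$ControlId = ''                   # report control ID, for the output only
    )
    $result = [ordered]@{ ControlId = $ControlId; Path = $Path; Name = $Name
                          Expected = $Expected; Current = $null; Action = '' }

    if (-not (Test-Path -LiteralPath $Path)) {
        # Do not create keys that the owning component did not create itself.
        $result.Action = 'KeyMissing'
        return [pscustomobject]$result
    }
    $key = Get-Item -LiteralPath $Path

    if ($key.GetValueNames() -notcontains $Name) {
        # The report's NOTE case: the parameter cannot be found, so create it as a DWORD.
        if ($PSCmdlet.ShouldProcess("$Path\$Name", "Create DWORD = $Expected")) {
            New-ItemProperty -LiteralPath $Path -Name $Name -PropertyType DWord -Value $Expected | Out-Null
            $result.Action = 'Created'
        } else {
            $result.Action = 'WouldCreate'
        }
        return [pscustomobject]$result
    }

    $result.Current = $key.GetValue($Name)
    if ($key.GetValueKind($Name) -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        # A REG_SZ "1" is not what the control asks for; flag it for a human.
        $result.Action = 'WrongType'
        return [pscustomobject]$result
    }

    if ([int]$result.Current -eq $Expected) {
        $result.Action = 'Compliant'
    } elseif ($PSCmdlet.ShouldProcess("$Path\$Name", "Set DWORD $($result.Current) -> $Expected")) {
        Set-ItemProperty -LiteralPath $Path -Name $Name -Value $Expected -Type DWord
        $result.Action = 'Changed'
    } else {
        $result.Action = 'WouldChange'
    }
    return [pscustomobject]$result
}

# The two registry controls named in this report (key paths and values as printed there).
$Checks = @(
    @{ ControlId = 'MOD_EN.00041027'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Rasman\Parameters'; Name = 'DisableSavePassword'; Expected = 1 }
    @{ ControlId = 'MOD_EN.00041116'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl';      Name = 'LogEvent';            Expected = 1 }
)

# Dry run first; drop -WhatIf to apply.
$report = foreach ($check in $Checks) { Assert-RegistryDword @check -WhatIf }
$report | Format-Table ControlId, Name, Expected, Current, Action -AutoSize
```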


Control: The Security System Extension audit subcategory should be configured as "Success" and "Failure".
Control ID: MOD_EN.00041262
Total PSR: 30
Number of Asset Components: 1

Reason: The Security System Extension audit subcategory is responsible for creating events related to the installation of services in the system, event log of process logon, the loading of authentication packages, and LSA notification and security. It is recommended to enable this audit in order to assist the administrator in obtaining information related to system security.

Recommendation: This control can be implemented through the following procedures:
1. Click on "Start" -> "All Programs" -> "Accessories", right-click on "Command Prompt", and click on "run as administrator".
2. Enter the following command:
Auditpol /set /subcategory:"Security System Extension" /success:enable /failure:enable

NOTE: The "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" policy should be enabled so that the subcategory settings can override the audit policy settings. Refer to the References section for additional details.

Warning: This control has been developed for generic environments. Assess applicability and potential impacts prior to implementing it in a production environment.

References: Windows Server 2008 Security Guide Appendix A; http://technet.microsoft.com/en-us/library/cc264465.aspx; http://support.microsoft.com/default.aspx/kb/947226/en-us
Questionnaire: Operating System - "Microsoft" - Windows Server 2008 Family (Member Server)
Comments:


Control: The System Integrity audit subcategory should be configured as "Success" and "Failure".
Control ID: MOD_EN.00041263
Total PSR: 30
Number of Asset Components: 1

Reason: The System Integrity audit subcategory is responsible for creating system integrity events, such as encryption operations and check operations, among others. It is recommended to enable this audit so as to assist the administrator in obtaining information on system integrity.

Recommendation: This control can be implemented through the following procedures:
1. Click on "Start" -> "All Programs" -> "Accessories" -> Right-click on "Command Prompt" -> "run as administrator".
2. Enter the following command:
Auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable

NOTE: The "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" policy should be enabled so that the subcategory settings can override the audit policy settings. Refer to the References section for additional details.

Warning: This control has been developed for generic environments. Assess applicability and potential impacts prior to implementing it in a production environment.

References: Windows Server 2008 Security Guide Appendix A; http://technet.microsoft.com/en-us/library/cc264465.aspx; http://support.microsoft.com/default.aspx/kb/947226/en-us
Questionnaire: Operating System - "Microsoft" - Windows Server 2008 Family (Member Server)
Comments:


Control: The IPsec Driver audit subcategory should be configured as "Success" and "Failure".
Control ID: MOD_EN.00041264
Total PSR: 30
Number of Asset Components: 1

Reason: The IPsec Driver audit subcategory is responsible for creating IPsec Driver related events, such as discarding packets and successfully starting an IPsec service, among others. It is recommended to enable this parameter so as to assist the administrator in obtaining security information related to IPsec.

Recommendation: This control can be implemented through the following procedures:
1. Click on "Start" -> "All Programs" -> "Accessories" -> Right-click on "Command Prompt" -> "run as administrator".
2. Enter the following command:
Auditpol /set /subcategory:"IPsec Driver" /success:enable /failure:enable

NOTE: The "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" policy should be enabled so that the subcategory settings can override the audit policy settings. Refer to the References section for additional details.

Warning: This control has been developed for generic environments. Assess applicability and potential impacts prior to implementing it in a production environment.

References: Windows Server 2008 Security Guide Appendix A; http://technet.microsoft.com/en-us/library/cc264465.aspx; http://support.microsoft.com/default.aspx/kb/947226/en-us
Questionnaire: Operating System - "Microsoft" - Windows Server 2008 Family (Member Server)
Comments:


Control: The Security State Change audit subcategory should be configured as "Success" and "Failure".
Control ID: MOD_EN.00041265
Total PSR: 30
Number of Asset Components: 1

Reason: The Security State Change audit subcategory is responsible for creating events related to system shutdown, start up, time changes and audit failure recovery. It is recommended to enable this audit so as to assist the administrator in obtaining information on system status changes.

Recommendation: This control can be implemented through the following procedures:
1. Click on "Start" -> "All Programs" -> "Accessories" -> Right-click on "Command Prompt" -> "run as administrator".
2. Enter the following command:
Auditpol /set /subcategory:"Security State Change" /success:enable /failure:enable

NOTE: The "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" policy should be enabled so that the subcategory settings can override the audit policy settings. Refer to the References section for additional details.

Warning: This control has been developed for generic environments. Assess applicability and potential impacts prior to implementing it in a production environment.

References: Windows Server 2008 Security Guide Appendix A; http://technet.microsoft.com/en-us/library/cc264465.aspx; http://support.microsoft.com/default.aspx/kb/947226/en-us
Questionnaire: Operating System - "Microsoft" - Windows Server 2008 Family (Member Server)
Comments:


Reason

The Logon audit subcategory generates an event for every successful and failed logon attempt, whether interactive, over the network, as a service or as a batch job, recording the account, the logon type and the source address. It is recommended to enable this subcategory for both success and failure: failure events are the primary evidence of password guessing and of accounts being used after lockout, while success events provide the traceability needed to reconstruct who was on the system during a security incident.

Recommendation

This control can be implemented through the following procedure:

1. Click on "Start" -> "All Programs" -> "Accessories" -> right-click on "Command Prompt" -> "Run as administrator".

2. Enter the following command:

Auditpol /set /subcategory:"Logon" /success:enable /failure:enable

NOTE: The "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" security option should be enabled so that these subcategory settings take precedence over the legacy category-level audit settings. Refer to the References section for additional details.

Warning: This control has been developed for generic environments. Assess applicability and potential impacts prior to implementing it in a production environment.

References

Windows Server 2008 Security Guide, Appendix A
http://technet.microsoft.com/en-us/library/cc264465.aspx
http://support.microsoft.com/default.aspx/kb/947226/en-us

Questionnaire

Operating System - "Microsoft" - Windows Server 2008 Family (Member Server)

Comments

130  The Logon audit subcategory should be configured as "Success" and "Failure".

MOD_EN.00041266


Reason

The Logoff audit subcategory generates events when a user's logon session ends. It is recommended to enable success auditing so that the administrator can pair each logon with its logoff, establish how long accounts were in use (for example during odd hours), and preserve traceability in case of a security incident. The subcategory produces no failure events, since an abruptly terminated session is not recorded as a "failed logoff", so only "Success" is configured.

Recommendation

This control can be implemented through the following procedure:

1. Click on "Start" -> "All Programs" -> "Accessories" -> right-click on "Command Prompt" -> "Run as administrator".

2. Enter the following command:

Auditpol /set /subcategory:"Logoff" /success:enable /failure:disable

NOTE: The "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" security option should be enabled so that these subcategory settings take precedence over the legacy category-level audit settings. Refer to the References section for additional details.

Warning: This control has been developed for generic environments. Assess applicability and potential impacts prior to implementing it in a production environment.

References

Windows Server 2008 Security Guide, Appendix A
http://technet.microsoft.com/en-us/library/cc264465.aspx
http://support.microsoft.com/default.aspx/kb/947226/en-us

Questionnaire

Operating System - "Microsoft" - Windows Server 2008 Family (Member Server)

Comments

130  The Logoff audit subcategory should be configured as "Success".

MOD_EN.00041267


Reason

The Special Logon audit subcategory was introduced with Windows Vista. It generates an event when a new logon is assigned administrator-equivalent user rights (for example the debug, backup or take-ownership privileges) and when a member of a "special group" defined by the administrator logs on to the system. It is recommended to enable this subcategory so that logons with sensitive privileges, and logons by accounts the organisation has singled out for monitoring, are recorded as security events.

Recommendation

This control can be implemented through the following procedure:

1. Click on "Start" -> "All Programs" -> "Accessories" -> right-click on "Command Prompt" -> "Run as administrator".

2. Enter the following command:

Auditpol /set /subcategory:"Special Logon" /success:enable /failure:disable

NOTE 1: For additional information on the Special Groups feature, see "Description of the Special Groups feature": http://support.microsoft.com/kb/947223

NOTE 2: The "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" security option should be enabled so that these subcategory settings take precedence over the legacy category-level audit settings. Refer to the References section for additional details.

Warning: This control has been developed for generic environments. Assess applicability and potential impacts prior to implementing it in a production environment.

References

Windows Server 2008 Security Guide, Appendix A
http://technet.microsoft.com/en-us/library/cc264465.aspx
http://support.microsoft.com/default.aspx/kb/947226/en-us
http://support.microsoft.com/kb/947223

Questionnaire

Operating System - "Microsoft" - Windows Server 2008 Family (Member Server)

Comments

130  The Special Logon audit subcategory should be configured as "Success".

MOD_EN.00041268


Reason

The File System audit subcategory generates events for access to file system objects. It is recommended to enable failure auditing so that the administrator learns of attempts to read, modify or delete protected files that were denied, which is an early indicator of a compromised account or of malware probing for sensitive data. Note that the subcategory only produces events for files and directories that carry a system access control list (SACL) naming the principals and access types to audit; enabling the subcategory alone, without configuring auditing entries on the objects of interest, records nothing.

Recommendation

This control can be implemented through the following procedure:

1. Click on "Start" -> "All Programs" -> "Accessories" -> right-click on "Command Prompt" -> "Run as administrator".

2. Enter the following command:

Auditpol /set /subcategory:"File System" /success:disable /failure:enable

NOTE: The "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" security option should be enabled so that these subcategory settings take precedence over the legacy category-level audit settings. Refer to the References section for additional details.

Warning: This control has been developed for generic environments. Assess applicability and potential impacts prior to implementing it in a production environment.

References

Windows Server 2008 Security Guide, Appendix A
http://technet.microsoft.com/en-us/library/cc264465.aspx
http://support.microsoft.com/default.aspx/kb/947226/en-us

Questionnaire

Operating System - "Microsoft" - Windows Server 2008 Family (Member Server)

Comments

130  The File System audit subcategory should be configured as "Failure".

MOD_EN.00041269


Reason

The Registry audit subcategory generates events for access to Windows registry keys. Denied attempts to modify the registry may indicate malware or a malicious user trying to establish persistence or weaken a security setting, so it is recommended to enable failure auditing to obtain information on registry modification attempts that may impact security. As with the file system, events are only produced for keys that carry a system access control list (SACL) specifying what to audit; the subcategory setting by itself records nothing.

Recommendation

This control can be implemented through the following procedure:

1. Click on "Start" -> "All Programs" -> "Accessories" -> right-click on "Command Prompt" -> "Run as administrator".

2. Enter the following command:

Auditpol /set /subcategory:"Registry" /success:disable /failure:enable

NOTE: The "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" security option should be enabled so that these subcategory settings take precedence over the legacy category-level audit settings. Refer to the References section for additional details.

Warning: This control has been developed for generic environments. Assess applicability and potential impacts prior to implementing it in a production environment.

References

Windows Server 2008 Security Guide, Appendix A
http://technet.microsoft.com/en-us/library/cc264465.aspx
http://support.microsoft.com/default.aspx/kb/947226/en-us

Questionnaire

Operating System - "Microsoft" - Windows Server 2008 Family (Member Server)

Comments

130  The Registry audit subcategory should be configured as "Failure".

MOD_EN.00041270


Reason

The Sensitive Privilege Use audit subcategory generates an event whenever a process calls a privileged service or attempts an operation on a privileged object using one of the sensitive user rights, such as the privileges that allow acting as part of the operating system, debugging programs, backing up or restoring files, or taking ownership of objects. It is recommended to enable this subcategory for both success and failure so that the administrator obtains information on the use, and attempted abuse, of these rights. Be aware that it is one of the most voluminous subcategories on a busy server (every backup operation, for example, produces a stream of events), so size the Security log and any log collection accordingly before enabling it.

Recommendation

This control can be implemented through the following procedure:

1. Click on "Start" -> "All Programs" -> "Accessories" -> right-click on "Command Prompt" -> "Run as administrator".

2. Enter the following command:

Auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable

NOTE: The "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" security option should be enabled so that these subcategory settings take precedence over the legacy category-level audit settings. Refer to the References section for additional details.

Warning: This control has been developed for generic environments. Assess applicability and potential impacts prior to implementing it in a production environment.

References

Windows Server 2008 Security Guide, Appendix A
http://technet.microsoft.com/en-us/library/cc264465.aspx
http://support.microsoft.com/default.aspx/kb/947226/en-us

Questionnaire

Operating System - "Microsoft" - Windows Server 2008 Family (Member Server)

Comments

130  The Sensitive Privilege Use audit subcategory should be configured as "Success" and "Failure".

MOD_EN.00041271


Reason

The Process Creation audit subcategory generates an event whenever a new process is created, recording the process image, the creating process and the account whose access token was assigned to the new process. It is recommended to enable success auditing so that the administrator can establish which programs were run and which user ran them, which is essential when reconstructing an intrusion. On Windows Server 2008 the event records the executable path but not the command line, so arguments passed to a program are not captured.

Recommendation

This control can be implemented through the following procedure:

1. Click on "Start" -> "All Programs" -> "Accessories" -> right-click on "Command Prompt" -> "Run as administrator".

2. Enter the following command:

Auditpol /set /subcategory:"Process Creation" /success:enable /failure:disable

NOTE 1: For additional information on access tokens, refer to the document "What are Access Tokens?": http://technet.microsoft.com/en-us/library/cc759267.aspx

NOTE 2: The "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" security option should be enabled so that these subcategory settings take precedence over the legacy category-level audit settings. Refer to the References section for additional details.

Warning: This control has been developed for generic environments. Assess applicability and potential impacts prior to implementing it in a production environment.

References

Windows Server 2008 Security Guide, Appendix A
http://technet.microsoft.com/en-us/library/cc264465.aspx
http://support.microsoft.com/default.aspx/kb/947226/en-us
"What are Access Tokens?" http://technet.microsoft.com/en-us/library/cc759267.aspx

Questionnaire

Operating System - "Microsoft" - Windows Server 2008 Family (Member Server)

Comments

130  The Process Creation audit subcategory should be configured as "Success".

MOD_EN.00041272


Reason

The Audit Policy Change audit subcategory generates an event whenever the audit policy itself is changed, including changes made with the Auditpol command used throughout this report. It is recommended to enable this subcategory for both success and failure because an attacker who wants to operate unseen will first disable or narrow auditing; the event that records that change is often the last reliable entry in the log, so it should be forwarded off the host and alerted on.

Recommendation

This control can be implemented through the following procedure:

1. Click on "Start" -> "All Programs" -> "Accessories" -> right-click on "Command Prompt" -> "Run as administrator".

2. Enter the following command:

Auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable

NOTE: The "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" security option should be enabled so that these subcategory settings take precedence over the legacy category-level audit settings. Refer to the References section for additional details.

Warning: This control has been developed for generic environments. Assess applicability and potential impacts prior to implementing it in a production environment.

References

Windows Server 2008 Security Guide, Appendix A
http://technet.microsoft.com/en-us/library/cc264465.aspx
http://support.microsoft.com/default.aspx/kb/947226/en-us

Questionnaire

Operating System - "Microsoft" - Windows Server 2008 Family (Member Server)

Comments

130  The Audit Policy Change audit subcategory should be configured as "Success" and "Failure".

MOD_EN.00041273


Reason

The Authentication Policy Change audit subcategory generates events when the authentication policy is changed, for example when Kerberos policy is modified, when a domain trust is created or removed, or when an account is granted or denied a logon right. It is recommended to enable success auditing so that the administrator obtains a record of changes that alter who can authenticate to the system and how.

Recommendation

This control can be implemented through the following procedure:

1. Click on "Start" -> "All Programs" -> "Accessories" -> right-click on "Command Prompt" -> "Run as administrator".

2. Enter the following command:

Auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:disable

NOTE: The "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" security option should be enabled so that these subcategory settings take precedence over the legacy category-level audit settings. Refer to the References section for additional details.

Warning: This control has been developed for generic environments. Assess applicability and potential impacts prior to implementing it in a production environment.

References

Windows Server 2008 Security Guide, Appendix A
http://technet.microsoft.com/en-us/library/cc264465.aspx
http://support.microsoft.com/default.aspx/kb/947226/en-us

Questionnaire

Operating System - "Microsoft" - Windows Server 2008 Family (Member Server)

Comments

130  The Authentication Policy Change audit subcategory should be configured as "Success".

MOD_EN.00041274


Reason

The User Account Management audit subcategory generates events for the creation, modification, enabling, disabling, locking out and deletion of user accounts, as well as password resets. It is recommended to enable this subcategory for both success and failure so that the administrator can detect unauthorized account management, such as a backdoor account created by an intruder or a password reset performed outside the change process.

Recommendation

This control can be implemented through the following procedure:

1. Click on "Start" -> "All Programs" -> "Accessories" -> right-click on "Command Prompt" -> "Run as administrator".

2. Enter the following command:

Auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable

NOTE: The "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" security option should be enabled so that these subcategory settings take precedence over the legacy category-level audit settings. Refer to the References section for additional details.

Warning: This control has been developed for generic environments. Assess applicability and potential impacts prior to implementing it in a production environment.

References

Windows Server 2008 Security Guide, Appendix A
http://technet.microsoft.com/en-us/library/cc264465.aspx
http://support.microsoft.com/default.aspx/kb/947226/en-us

Questionnaire

Operating System - "Microsoft" - Windows Server 2008 Family (Member Server)

Comments

130  The User Account Management audit subcategory should be configured as "Success" and "Failure".

MOD_EN.00041275


Reason

The Security Group Management audit subcategory generates events for the creation, modification and deletion of security groups, and for members being added to or removed from them. It is recommended to enable this subcategory for both success and failure so that the administrator can detect unauthorized group changes; adding an account to the local Administrators group is one of the most common privilege escalation steps and produces exactly this kind of event.

Recommendation

This control can be implemented through the following procedure:

1. Click on "Start" -> "All Programs" -> "Accessories" -> right-click on "Command Prompt" -> "Run as administrator".

2. Enter the following command:

Auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable

NOTE: The "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" security option should be enabled so that these subcategory settings take precedence over the legacy category-level audit settings. Refer to the References section for additional details.

Warning: This control has been developed for generic environments. Assess applicability and potential impacts prior to implementing it in a production environment.

References

Windows Server 2008 Security Guide, Appendix A
http://technet.microsoft.com/en-us/library/cc264465.aspx
http://support.microsoft.com/default.aspx/kb/947226/en-us

Questionnaire

Operating System - "Microsoft" - Windows Server 2008 Family (Member Server)

Comments

130  The Security Group Management audit subcategory should be configured as "Success" and "Failure".

MOD_EN.00041277


Reason

The Other Account Management Events audit subcategory generates the account management events that do not fit the user, computer or group subcategories, such as a call to the Password Policy Checking API and the password hash of an account being read (as happens during an account migration, but also during credential theft). It is recommended to enable this subcategory for both success and failure so that the administrator obtains this security-related information.

Recommendation

This control can be implemented through the following procedure:

1. Click on "Start" -> "All Programs" -> "Accessories" -> right-click on "Command Prompt" -> "Run as administrator".

2. Enter the following command:

Auditpol /set /subcategory:"Other Account Management Events" /success:enable /failure:enable

NOTE: The "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" security option should be enabled so that these subcategory settings take precedence over the legacy category-level audit settings. Refer to the References section for additional details.

Warning: This control has been developed for generic environments. Assess applicability and potential impacts prior to implementing it in a production environment.

References

Windows Server 2008 Security Guide, Appendix A
http://technet.microsoft.com/en-us/library/cc264465.aspx
http://support.microsoft.com/default.aspx/kb/947226/en-us

Questionnaire

Operating System - "Microsoft" - Windows Server 2008 Family (Member Server)

Comments

130  The Other Account Management Events audit subcategory should be configured as "Success" and "Failure".

MOD_EN.00041278


Reason

The "%SystemRoot%\Debug" directory stores several system and Active Directory diagnostic logs (the Netlogon log, for example). If an unauthorized user is granted write access to this directory, they may alter or delete these logs to remove the traces of their activity, and read access discloses account and computer names that help an attacker map the domain. Therefore, it is recommended that NTFS permissions for this directory be configured to prevent unauthorized access.

Recommendation

This control can be implemented through the following procedure:

1. Click on "Start" -> "Programs" -> "Accessories" -> "Windows Explorer".

2. Right-click on "%SystemRoot%\Debug" and click on "Properties".

3. Select the "Security" tab.

4. Configure access rights as follows:

Administrators = Full Control

SYSTEM = Full Control

CREATOR OWNER = Full Control

Authenticated Users = Traverse Folder / Execute File; Read Attributes; Read Permissions.

With these entries ordinary authenticated users can pass through the directory but cannot list or read the logs it contains.

5. Check the "Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here" box. (On Windows Server 2008 this option appears in the "Advanced" dialog under the wording "Include inheritable permissions from this object's parent".)

6. When finished, click "OK" to save the changes made.

NOTE 1: In order to determine the actual path to "%SystemRoot%", execute the following procedure:

1. Click on "Start" -> "Run".

2. Enter "cmd" in the "Open" field, and click "OK".

3. Enter the following command:

echo %SystemRoot%

NOTE 2: If Windows will not allow users to be removed or added at the time of the configuration, click on the "Advanced" button, select the "Permissions" tab, uncheck the "Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here" box, and then click on "Remove".

Warning: This control has been developed for generic environments. Assess applicability and potential impacts prior to implementation and, if necessary, adjust the suggested permissions according to the characteristics of the environment.

References

CIS - Windows Server 2003 Operating System Legacy, Enterprise, and Specialized Security Benchmark Consensus Security Settings for Domain Controller

Questionnaire

Operating System - "Microsoft" - Windows Server 2008 Family (Member Server)

Comments

120  NTFS permissions for the "%SystemRoot%\Debug" directory should be configured to prevent unauthorized access.

MOD_EN.00041238
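The six Explorer steps above can be applied and, more importantly, verified from the command line. The following PowerShell script is an added example, not part of the Modulo knowledge base or the CIS benchmark it cites. It backs up the current ACL with icacls, replaces the explicit access entries on %SystemRoot%\Debug with the four entries from step 4 while keeping inheritance enabled as in step 5, and then reports any principal that still holds write-type rights through an inherited entry. It assumes an elevated PowerShell 2.0 or later session on an English-language Windows Server 2008 or later; the backup file name is a placeholder of this example.

```powershell
# Added example (not from the Modulo knowledge base): set and verify the
# recommended DACL on %SystemRoot%\Debug. Run from an elevated PowerShell.
$Path   = Join-Path $env:SystemRoot 'Debug'
$Backup = Join-Path $env:TEMP 'Debug-acl.bak'   # placeholder; restore with icacls /restore

# 1. Back up the existing ACL before touching it.
& icacls.exe $Path /save $Backup | Out-Null

$Rights = [System.Security.AccessControl.FileSystemRights]
$Both   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Prop   = [System.Security.AccessControl.PropagationFlags]
$Allow  = [System.Security.AccessControl.AccessControlType]::Allow

# The four entries from step 4. CREATOR OWNER is inherit-only, as Windows
# itself configures it: the placeholder SID only takes effect on new children.
$Entries = @(
    @('BUILTIN\Administrators',           $Rights::FullControl, $Prop::None),
    @('NT AUTHORITY\SYSTEM',              $Rights::FullControl, $Prop::None),
    @('CREATOR OWNER',                    $Rights::FullControl, $Prop::InheritOnly),
    @('NT AUTHORITY\Authenticated Users',
      ($Rights::ExecuteFile -bor $Rights::ReadAttributes -bor $Rights::ReadPermissions),
      $Prop::None)
)

function Set-DebugDirectoryAcl {
    $acl = Get-Acl -Path $Path
    # Step 5: keep inheriting from %SystemRoot% (protection off).
    $acl.SetAccessRuleProtection($false, $true)
    # Drop every explicit (non-inherited) ACE, then add the recommended ones.
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRuleSpecific($ace)
    }
    foreach ($e in $Entries) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($e[0], $e[1], $Both, $e[2], $Allow)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Get-UnexpectedWriters {
    # Report any Allow ACE, explicit or inherited, that grants a write-type
    # right to a principal other than the three trusted identities plus the
    # Windows servicing account, which holds rights on every system directory.
    $write = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, WriteAttributes, WriteExtendedAttributes, ChangePermissions, TakeOwnership'
    $trusted = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER', 'NT SERVICE\TrustedInstaller'
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $write) -ne 0) -and
        ($trusted -notcontains $_.IdentityReference.Value)
    }
}

Set-DebugDirectoryAcl
$bad = @(Get-UnexpectedWriters)
if ($bad.Count -eq 0) {
    "$Path : only Administrators, SYSTEM and CREATOR OWNER can write here."
} else {
    $bad | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
}
```

Any entry the second function prints arrives through inheritance from %SystemRoot% (step 5 keeps it on), which is the situation NOTE 2 describes; decide per environment whether to break inheritance or accept the entry, and keep the icacls backup until the change has been confirmed harmless.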

Reason

The Credential Validation audit subcategory generates an event each time an authentication package validates a submitted credential, in particular for NTLM authentication. The event is written on the computer that performs the validation: on a member server this covers logons with local accounts, while domain accounts are validated, and therefore audited, on the domain controller. It is recommended to enable this subcategory for both success and failure so that the administrator obtains a record of credential checks, including the failed ones that reveal password guessing against local accounts.

Recommendation

This control can be implemented through the following procedure:

1. Click on "Start" -> "All Programs" -> "Accessories" -> right-click on "Command Prompt" -> "Run as administrator".

2. Enter the following command:

Auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable

NOTE: The "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" security option should be enabled so that these subcategory settings take precedence over the legacy category-level audit settings. Refer to the References section for additional details.

Warning: This control has been developed for generic environments. Assess applicability and potential impacts prior to implementing it in a production environment.

References

Windows Server 2008 Security Guide, Appendix A
http://technet.microsoft.com/en-us/library/cc264465.aspx
http://support.microsoft.com/default.aspx/kb/947226/en-us

Questionnaire

Operating System - "Microsoft" - Windows Server 2008 Family (Member Server)

Comments

130  The Credential Validation audit subcategory should be configured as "Success" and "Failure".

MOD_EN.00041279


Reason

The Computer Account Management audit subcategory generates events for the creation, modification and deletion of domain computer accounts. These operations are performed against Active Directory, so the events appear on domain controllers and a member server produces few or none; enabling the subcategory here is nevertheless recommended so that the audit baseline is consistent across servers and so that a member server later promoted to a domain controller records unauthorized computer account management from the start.

Recommendation

This control can be implemented through the following procedure:

1. Click on "Start" -> "All Programs" -> "Accessories" -> right-click on "Command Prompt" -> "Run as administrator".

2. Enter the following command:

Auditpol /set /subcategory:"Computer Account Management" /success:enable /failure:enable

NOTE: The "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" security option should be enabled so that these subcategory settings take precedence over the legacy category-level audit settings. Refer to the References section for additional details.

Warning: This control has been developed for generic environments. Assess applicability and potential impacts prior to implementing it in a production environment.

References

Windows Server 2008 Security Guide, Appendix A
http://technet.microsoft.com/en-us/library/cc264465.aspx
http://support.microsoft.com/default.aspx/kb/947226/en-us

Questionnaire

Operating System - "Microsoft" - Windows Server 2008 Family (Member Server)

Comments

120  The Computer Account Management audit subcategory should be configured as "Success" and "Failure".

MOD_EN.00041276
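Every audit control in this report, from the IPsec Driver subcategory through Computer Account Management, is the same procedure with a different subcategory name and Success/Failure pair, and each one carries the same note about the "Force audit policy subcategory settings" option. The following PowerShell script is an added example, not part of the Modulo knowledge base or of the Microsoft references; it applies all sixteen recommended settings in one pass, checks the "force subcategory" option through the registry value it is stored in (SCENoApplyLegacyAuditPolicy under HKLM\SYSTEM\CurrentControlSet\Control\Lsa), and verifies the result by parsing the CSV that "auditpol /get /r" emits, which is the check an auditor should run after the change. It assumes an elevated PowerShell 2.0 or later session on an English-language Windows Server 2008 or later; the subcategory names in the table are the localized English names that auditpol reports.

```powershell
# Added example (not from the Modulo knowledge base): apply and verify the
# audit subcategory settings recommended on this page. Run elevated.
# Values use the wording auditpol /get /r prints in "Inclusion Setting".
$Desired = @{
    'IPsec Driver'                    = 'Success and Failure'
    'Security State Change'           = 'Success and Failure'
    'Logon'                           = 'Success and Failure'
    'Logoff'                          = 'Success'
    'Special Logon'                   = 'Success'
    'File System'                     = 'Failure'
    'Registry'                        = 'Failure'
    'Sensitive Privilege Use'         = 'Success and Failure'
    'Process Creation'                = 'Success'
    'Audit Policy Change'             = 'Success and Failure'
    'Authentication Policy Change'    = 'Success'
    'User Account Management'         = 'Success and Failure'
    'Security Group Management'       = 'Success and Failure'
    'Other Account Management Events' = 'Success and Failure'
    'Credential Validation'           = 'Success and Failure'
    'Computer Account Management'     = 'Success and Failure'
}

function Test-ForceSubcategoryPolicy {
    # The "Audit: Force audit policy subcategory settings (Windows Vista or
    # later) to override audit policy category settings" option is this DWORD.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $item = Get-ItemProperty -Path $key -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue
    return ($item -ne $null -and $item.SCENoApplyLegacyAuditPolicy -eq 1)
}

function Set-DesiredAuditPolicy {
    foreach ($sub in $Desired.Keys) {
        $success = if ($Desired[$sub] -match 'Success') { 'enable' } else { 'disable' }
        $failure = if ($Desired[$sub] -match 'Failure') { 'enable' } else { 'disable' }
        $out = & auditpol.exe /set /subcategory:"$sub" /success:$success /failure:$failure 2>&1
        if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol failed for '$sub': $out" }
    }
}

function Get-AuditPolicyDrift {
    # auditpol /get /r prints CSV; "Inclusion Setting" is one of
    # "Success and Failure", "Success", "Failure" or "No Auditing".
    $current = & auditpol.exe /get /category:* /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
    foreach ($sub in $Desired.Keys) {
        $row = $current | Where-Object { $_.Subcategory -eq $sub }
        $actual = if ($row) { $row.'Inclusion Setting' } else { '<not reported>' }
        if ($actual -ne $Desired[$sub]) {
            New-Object PSObject -Property @{ Subcategory = $sub; Expected = $Desired[$sub]; Actual = $actual }
        }
    }
}

if (-not (Test-ForceSubcategoryPolicy)) {
    Write-Warning 'SCENoApplyLegacyAuditPolicy is not 1: legacy category settings may override these subcategories.'
}
Set-DesiredAuditPolicy
$drift = @(Get-AuditPolicyDrift)
if ($drift.Count -eq 0) {
    'All sixteen subcategories match the recommended state.'
} else {
    $drift | Format-Table Subcategory, Expected, Actual -AutoSize
}
```

The drift check is the part worth scheduling: a Group Policy object that still carries legacy category-level audit settings, or an administrator running auditpol /clear, silently undoes the change, and the Audit Policy Change event recorded on the host is only useful if someone is looking at it. Note that auditpol changes are local; in a domain, put the same settings in the "Advanced Audit Policy Configuration" section of a GPO so they are enforced rather than merely applied once.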


Detailed Description of the Control (columns: Number of Asset Components; Total PSR; Control Name; Control ID)

2.2.0004 Grouping: Fault Tolerance

Reason

The transaction logs record every change made to the databases and are what allows a database to be recovered, by replaying committed transactions, after a system failure. Databases and their transaction logs should be stored on separate physical disks, so that a single disk or controller failure cannot destroy both the data and the means of recovering it. Separating them also improves performance, because log writes are sequential while data file access is random, and the two workloads no longer compete for the same disk heads.

Recommendation

This control can be implemented by means of the following procedure:

1. Whenever possible, configure the database server to save databases and transaction logs in partitions located on separate physical disks.

2. If possible, a disk mirroring or duplexing system can be used, such as RAID 10, which requires an even number of disks, at least four (4, 6, 8, 10, ...), and combines the mirroring of RAID 1 with the striping of RAID 0, so as to guarantee both performance and availability of data and increase the system's fault tolerance. This approach costs more, but with it recovery does not depend solely on backup files, since the loss of a database together with its transaction log is an unacceptable risk in most organizations.

NOTE: Since logging requires a large volume of data to be written, the disk where transaction logs are stored should be sized for that workload.

Warning: This control was designed for generic environments. Evaluate applicability and possible impact prior to implementation in an operational environment.

References

Questionnaire

Application - "Database" - Generic Database

Comments

175  The database server's transaction logs and databases should be stored on separate physical disks.

MOD_EN.00017833


Reason: In mission critical environments, where client/server applications requiring high availability are executed (for example e-commerce websites), if the database provides the Failover Clustering service, this service should be implemented. In this process, the operating system works together with the database to guarantee system availability in case of hardware or software failure, through the use of redundant configurations in which the service is automatically and transparently transferred to another server with similar configuration settings.

Recommendation: This control can be implemented by means of the following procedures:

1. Make the necessary hardware investments for implementation of the operating system's Clustering service and configuration of the database's Failover Clustering service.

Warning! Control developed for generic environments requiring high availability level. Evaluate applicability and possible impact prior to implementation in an operational environment.

References: For additional information, see the database and operating system manuals.

Questionnaire: Application - "Database" - Generic Database

Comments

Control ID: MOD_EN.00017834
Control Name: In mission critical environments, the database's Failover Clustering process should be implemented.
Total PSR: 140


2.2.0005 Grouping: File Systems and Permissions

Reason: The database can be installed on servers using different file systems. However, it should be installed on a server whose file system allows access control, cryptography, audit logging, and other security benefits.

Recommendation: This control can be implemented by means of the following procedures:

1. When installing the operating system and/or formatting the disks where the database files are to be stored, select a file system with advanced security features. For further information, see the operating system manual.

Warning! This control was designed for generic environments. Evaluate applicability and possible impact prior to implementation in an operational environment.

References: For additional information, see the database and operating system manual.

Questionnaire: Application - "Database" - Generic Database

Comments

Control ID: MOD_EN.00017828
Control Name: The operating system and database disk file systems should be equipped with security controls.
Total PSR: 160


Reason: Granting of incorrect permissions for the directories containing the databases increases the risk of improper access, which may compromise the confidentiality, the integrity, or the availability of the files stored in these directories, causing financial loss and harming the company's image. Therefore, these permissions should be checked, and only the least necessary permissions should be granted.

Recommendation: This control can be implemented by means of the following procedures:

1. Access the operating system where the database is installed, using an Administrator account.

2. Select the directory where the database's data files are stored.

3. Define the appropriate permissions so that operating system administrators have full access rights. If there are any execution users, they should have only Read and Execute access to these directories.

Note 1: Additional permissions can be granted after a security analysis.

Warning! This control was designed for generic environments. Evaluate applicability and possible impact prior to implementation and, if necessary, adjust the suggested permissions according to the characteristics of the environment.

References: For additional information, see the database and the operating system manuals.

Questionnaire: Application - "Database" - Generic Database

Comments

Control ID: MOD_EN.00017830
Control Name: Permissions for the directory where the database's data files are located should be configured to prevent improper access.
Total PSR: 160


Reason: Database backup files may contain sensitive information and therefore need to be protected, by setting permissions so as to block access to unauthorized users. In the same way, incorrect granting of permissions to the directory containing the transaction logs' backup files increases the risk of improper access, which may compromise the integrity, the confidentiality, and the availability of such files.

Recommendation: This control can be implemented by means of the following procedures:

1. Access the operating system where the database is installed, using an Administrator account.

2. Select the directories where the database and transaction log backup files are stored.

3. Define the appropriate permissions so that operating system administrators have full access rights. If there are any execution users, they should have only Read and Execute access to these directories.

Note 1: Additional permissions can be granted after a security analysis.

Warning! This control was designed for generic environments. Evaluate applicability and possible impact prior to implementation and, if necessary, adjust the suggested permissions according to the characteristics of the environment.

References: For additional information, see the database and operating system manuals.

Questionnaire: Application - "Database" - Generic Database

Comments

Control ID: MOD_EN.00017831
Control Name: Permissions for directories containing database and transaction log backup files should be set to prevent improper access.
Total PSR: 145


2.2.0006 Grouping: Service Outages and Other Attacks


Reason: Flags in the TCP header are used to indicate the current state of a TCP connection. Some tools use packets with invalidly configured flags to get past inadequately set up firewalls or similar devices, with the aim of testing or mapping networks protected by them. There are also faults in some systems that can be exploited through the use of invalid TCP flags. TCP packets with invalid flags should be blocked to impede the exploitation of these faults.

Recommendation: This control can be implemented using the following procedures:

1. Enter the following rules in the Firewall "Rule Base" to block TCP packets with invalid flags:

- Packets with no flagged bits

- Packets with the SYN and FIN bits flagged at the same time

- Packets with the SYN and RST bits flagged at the same time

- Packets with the FIN and RST bits flagged at the same time

- Only the FIN bit flagged without the ACK bit

- Only the PSH bit flagged without the ACK bit

- Only the URG bit flagged without the ACK bit

Note: Normally, Firewall applications provide a graphical user interface for configuring the rules. For additional information, consult the firewall documentation or seek technical support from the manufacturer.
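The seven invalid flag combinations listed above, expressed as a check that can be run over firewall logs to confirm the rules are catching what they should. This is an added example, not part of the report or of Modulo's knowledge base; the key=value log layout and the sample records are constructed for the illustration.

```python
# Bit values of the six classic TCP flags.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def flags_from_names(names):
    """Build the flag bitmask from names such as ["SYN", "FIN"]."""
    return sum(TCP_FLAGS[n.upper()] for n in names)


def invalid_flag_reason(flags):
    """Return which rule of the control a flag combination violates,
    or None when a well-formed TCP segment may carry it."""
    fin, syn, rst = flags & 0x01, flags & 0x02, flags & 0x04
    psh, ack, urg = flags & 0x08, flags & 0x10, flags & 0x20
    if (flags & 0x3F) == 0:
        return "no flags set"
    if syn and fin:
        return "SYN and FIN set together"
    if syn and rst:
        return "SYN and RST set together"
    if fin and rst:
        return "FIN and RST set together"
    if fin and not ack:
        return "FIN without ACK"
    if psh and not ack:
        return "PSH without ACK"
    if urg and not ack:
        return "URG without ACK"
    return None  # e.g. bare SYN, SYN/ACK, ACK/PSH: ordinary traffic


# Constructed sample log in an assumed key=value format (not real data).
SAMPLE_LOG = """\
ts=1383724800 src=10.0.0.5 dst=192.0.2.10 proto=tcp dport=80 flags=SYN
ts=1383724801 src=10.0.0.7 dst=192.0.2.10 proto=tcp dport=22 flags=SYN,FIN
ts=1383724802 src=10.0.0.7 dst=192.0.2.10 proto=tcp dport=22 flags=
ts=1383724803 src=10.0.0.5 dst=192.0.2.10 proto=tcp dport=80 flags=ACK,PSH
ts=1383724804 src=10.0.0.9 dst=192.0.2.10 proto=tcp dport=443 flags=FIN,PSH,URG
"""


def scan_log(text):
    """Return (src, dport, reason) for each TCP record carrying invalid flags,
    i.e. the packets the rules of this control are expected to drop."""
    hits = []
    for line in text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields.get("proto") != "tcp":
            continue  # the flag rules apply to TCP only
        names = [n for n in fields.get("flags", "").split(",") if n]
        reason = invalid_flag_reason(flags_from_names(names))
        if reason:
            hits.append((fields["src"], int(fields["dport"]), reason))
    return hits
```

A record that still shows up in `scan_log` output after the rules are deployed points at a rule that is missing or ordered below a broader permit.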

Warning! This control was designed for generic environments. Evaluate applicability and possible impact prior to implementation in an operational environment.

References

Questionnaire: Application - "Firewall" - Generic Firewall

Comments

Control ID: MOD_EN.00010643
Control Name: The Firewall should have rules to block TCP packets that have invalid flags.
Total PSR: 164


Reason: Malformed packets can be generated by defective or poorly configured equipment, or by attackers. This type of traffic should be blocked by the Firewall.

Recommendation: This control can be implemented using the following procedures:

1. Enter rules in the "Rule Base" of the firewall to block traffic with the addresses "0.0.0.0" (invalid address), "255.255.255.255" (address used only on local networks) and "224.0.0.0/4" (address reserved for UDP multicast).

Note: Normally, Firewall applications provide a graphical user interface for configuring the rules. For additional information, consult the firewall documentation or seek technical support from the manufacturer.

Warning! This control was designed for generic environments. Evaluate applicability and possible impact prior to implementation in an operational environment.

References

Questionnaire: Application - "Firewall" - Generic Firewall

Comments

Control ID: MOD_EN.00010644
Control Name: The traffic of malformed packets should be blocked by the firewall.
Total PSR: 164

Reason: Packets with forged source addresses ("IP Spoofing") are characteristic of attacks or of equipment configured with an incorrect address. These packets should be blocked and the origin of the attack, or the incorrectly configured equipment, should be identified.

Recommendation: This control can be implemented using the following procedures:

1. Enter rules to prevent "IP Spoofing" attempts originating from the internal network.

Warning! This control was designed for generic environments. Evaluate applicability and possible impact prior to implementation in an operational environment.

References

Questionnaire: Application - "Firewall" - Generic Firewall

Comments

Control ID: MOD_EN.00010637
Control Name: Rules to block outgoing forged IP packets originated from internal networks should be implemented on the Firewall.
Total PSR: 136


Reason: Packets with forged source addresses ("IP Spoofing") are characteristic of attacks or of equipment configured with an incorrect address. These packets should be blocked and the origin of the attack, or the incorrectly configured equipment, should be identified.

Recommendation: This control can be implemented using the following procedures:

1. Enter rules in the "Rule Base" of the Firewall to prevent "IP Spoofing" attempts originating from the DMZ.

Note: Normally, Firewall applications provide a graphical user interface for configuring the rules. For additional information, consult the firewall documentation or seek technical support from the manufacturer.
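The anti-spoofing logic behind this control and the preceding one (internal network and DMZ) comes down to one check: a packet entering the firewall on an inside interface must carry a source address from the network behind that interface. The following is an added example, not the report's or Modulo's code; the interface names, address ranges and packet records are a constructed topology, and the offender count is what supports the "identify the origin" step of the Reason.

```python
import ipaddress
from collections import Counter

# Assumed topology for this example: each firewall interface and the address
# space that may legitimately appear as the *source* of packets entering it.
INTERFACE_NETWORKS = {
    "lan0": [ipaddress.ip_network("10.0.0.0/8")],
    "dmz0": [ipaddress.ip_network("192.0.2.0/24")],
}


def is_forged_source(iface, src):
    """True when a packet entering on iface carries a source address that
    does not belong to the network(s) behind that interface."""
    allowed = INTERFACE_NETWORKS.get(iface)
    if allowed is None:
        return False  # external or unknown interface: outside this control
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in allowed)


# Constructed sample of packets seen on the inside interfaces, heading out.
SAMPLE_EGRESS = [
    # (ingress interface, source address, destination address)
    ("lan0", "10.1.2.3", "198.51.100.20"),
    ("lan0", "203.0.113.9", "198.51.100.20"),  # public source from the LAN
    ("dmz0", "192.0.2.10", "198.51.100.20"),
    ("dmz0", "10.1.2.3", "198.51.100.20"),     # LAN source from the DMZ
    ("dmz0", "10.1.2.3", "198.51.100.21"),
]


def audit_egress(records):
    """Return (verdicts, offenders): one 'drop'/'pass' per record and a
    Counter of (iface, src) pairs that produced forged packets, which is
    the lead for finding the misconfigured host or the attack origin."""
    verdicts, offenders = [], Counter()
    for iface, src, _dst in records:
        if is_forged_source(iface, src):
            verdicts.append("drop")
            offenders[(iface, src)] += 1
        else:
            verdicts.append("pass")
    return verdicts, offenders
```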

Warning! This control was designed for generic environments. Evaluate applicability and possible impact prior to implementation in an operational environment.

References

Questionnaire: Application - "Firewall" - Generic Firewall

Comments

Control ID: MOD_EN.00010645
Control Name: Rules to block outgoing forged IP packets originated from the DMZ should be implemented on the Firewall.
Total PSR: 136


2.2.0007 Grouping: System and Application Settings

Reason: ICMP is the Internet control message protocol. Without certain types of ICMP packets, network connectivity may be disrupted due to the inability to exchange network configuration information. Make sure the necessary types of packets are allowed.

Recommendation: This control can be implemented using the following procedures:

1. Enter rules to allow the types of ICMP packets that are necessary for the exchange of network configuration information, such as shown in the following examples:

# Allow ICMP SOURCE-QUENCH packets
# Allow ICMP PARAMETER-PROBLEM packets
# Allow incoming ICMP DESTINATION-UNREACHABLE packets
# Allow ICMP FRAGMENTATION-NEEDED packets

NOTE: Also, when a software component or system requires the use of "PING" or "TRACEROUTE", the necessary types of ICMP packets should be allowed.

Warning! This control was designed for generic environments. Evaluate applicability and possible impact prior to implementation in an operational environment.

References

Questionnaire: Application - "Firewall" - Generic Firewall

Comments

Control ID: MOD_EN.00010635
Control Name: Some types of ICMP packets necessary for controlling the communication and the status of networks should be allowed.
Total PSR: 164


Reason: Services whose traffic is to be allowed by the rules should be clearly specified, avoiding the use of the "ANY" mask. This allows a more restrictive control and avoids configuration errors.

Recommendation: This control can be implemented using the following procedures:

1. Explicitly define the services in the appropriate field in the rules of the Firewall "Rule Base" whenever possible.

NOTE: This recommendation is valid both for addresses and ports.

Warning! This control was designed for generic environments. Evaluate applicability and possible impact prior to implementation in an operational environment.

References

Questionnaire: Application - "Firewall" - Generic Firewall

Comments

Control ID: MOD_EN.00010638
Control Name: The use of the "Any" identifier in the Firewall rules should be avoided.
Total PSR: 124


Reason: In order to reduce the number of rules against which a data packet must be checked, and, consequently, reduce the processing overhead caused by the Firewall, the most frequently used rules must be grouped and placed at the top of the rule base, following the recommended working order for the Firewall.

Recommendation: This control can be implemented through the following procedures:

1. Identify the most commonly used rules on the Firewall.

2. Edit the Firewall's rule base and place the most commonly used rules on the top of the list, following the Firewall's recommended working order.

Note 1: In general, Firewall applications have graphical interfaces for configuring rules. For additional information, check the Firewall's documentation or ask for the developer's technical support.

Note 2: The logical order of the rules must be respected so as to avoid any firewall malfunctions, denying valid traffic or allowing forbidden traffic. See the related controls.

Attention! This control was designed for generic environments. Evaluate applicability and possible impacts prior to implementation in an operational environment.

Related controls: #10617.

References

Questionnaire: Application - "Firewall" - Generic Firewall

Comments

Control ID: MOD_EN.00019696
Control Name: The most frequently used rules should be placed at the top of the Firewall's rule base.
Total PSR: 124


Reason: When most firewalls load a rule, they verify if the address is an IP address or a DNS name. If it is a DNS name then they try to resolve its IP address. If they cannot resolve the name, for example, when the DNS server is not accessible due to network problems, then the rule will result in an error and will not be effective, which could cause unavailability of services or information. For this reason, it is important that IP addresses be used instead of DNS names.

Recommendation: This control can be implemented through the following procedures:

1. Use IP addresses instead of DNS names on the Firewall's rules.

Note: Generally, Firewall applications have graphical interfaces in order to configure their rules. For additional information, consult the Firewall's documentation or ask for technical support from the developer.

Warning! This control was designed for generic environments. Evaluate applicability and possible impacts prior to implementation in production environments.

References

Questionnaire: Application - "Firewall" - Generic Firewall

Comments

Control ID: MOD_EN.00019703
Control Name: The firewall's rules should be created using IP addresses instead of DNS names.
Total PSR: 116
