WINDOWS 2000 SECURITY CHECKLIST
Sites are required to secure the Microsoft Windows 2000 operating system in accordance with DOD Directive 8500.1, Section 4.18 (and related footnote). The checks in this document were developed from DISA and NSA guidelines specified in the above reference.
The Windows 2000 Security Checklist is composed of five major sections and five appendices. The organizational breakdown proceeds as follows:
The vulnerabilities discussed in Sections 3 and 5 of this document are applicable to all versions of Windows 2000. To reduce the complexity of the manual procedures, however, these sections are designed around the Windows 2000 desktop.
This document is designed to instruct the reviewer on how to assess both the Professional and Member Server configurations in a mixed Windows NT 4/2000 domain. In addition, the security settings recommended can also be used to configure Group Policy in a Windows 2000 Active Directory environment.
The Access Control Lists (ACLs) on a system under review may differ from the recommendations specified in Appendix A. If the reviewed ACL is more restrictive, or if an equivalent user group is identified, there is no problem. If a specific application requires less restrictive settings, these must be documented with the site IAO.
Site-approved Applications may require specific exceptions to the requirements in this document, for proper functioning. Exceptions should be justified and clearly documented with the IAO. Exceptions for requirements that are rated as Category 1 findings should include a statement that the site has determined from the vendor that the setting was necessary. It should also include any additional action that the site is taking to mitigate the risk (e.g., ACL settings, Group membership, Firewall, etc.).
The Gold Standard is the minimum level of security configuration that a system must meet in order to be connected to the network. The Platinum standard is the security level that must be reached to achieve certification and accreditation. This checklist measures a system’s security configuration against the Platinum Standard.
To distinguish configuration settings that are required to meet Platinum level standards, a
To perform a successful Security Readiness Review (SRR), this document provides two methods to assess vulnerabilities on a Windows 2000 operating system: the Gold Disk and manual procedures. The manual procedures should be performed if the Gold Disks are not available, if they are not permitted, or if there is a discrepancy in the tools' reporting.
The following table enumerates the documents and resources consulted:
This section lists questions that must be asked of the System Administrator or the Information Assurance Officer (IAO) in an interview prior to the SRR.
This check verifies, by observation, that the equipment and all ancillary devices are adequately protected.
Physical Security Requirements
Inadequate physical protection can undermine all other security precautions utilized to protect the system. This can jeopardize the confidentiality, availability, and integrity of the system. Physical security of the AIS is the first line of protection for any system. Note: Critical servers should be located in rooms, or locked cabinets, that are accessible only to authorized systems personnel. User workstations containing sensitive data should be in access controlled areas.
This check verifies that each user with administrative privileges has been assigned a unique account, separate from the built-in "Administrator" account. This implementation permits the auditing of administrative actions by individual. This check also verifies that the default "Administrator" account is not being used. The IAO will maintain a list of all users belonging to the Administrators group and any other group with special privileges.
If any of the following conditions are true, then this is a finding:
- A System Administrator does not have a unique userid dedicated to administering the system.
- A System Administrator does not have a separate account for normal user tasks.
- The built-in Administrator account is used to administer the system.
- Administrators have not been properly trained.
- The IAO does not maintain a list of users belonging to the Administrators group.
Users with Administrative privilege are not documented or do not have separate accounts for administrative duties and normal operational tasks.
Using a privileged account to perform routine functions makes the computer vulnerable to attack by any virus or Trojan Horse inadvertently introduced during a session that has been granted full privileges. The rule of least privilege should always be enforced.
This check verifies that a backup administrator account has been created to ensure system availability in the event that no administrators are able or available to access the system. The built-in administrator account may be used for this purpose. The IAO will ensure the backup administrator account is stored in a secure location.
If no backup administrator account exists, or it is not stored in a secure location, then this is a finding.
This check verifies that the passwords for the default and backup administrator accounts are changed at least annually or when any member of the administrative team leaves the organization.
If the site does not have a policy for changing the default and backup administrator account passwords as described above, then this is a finding.
Administrator Account Password Changes
Default and backup administrator passwords are not changed as required.
This check verifies that each user with backup operator privileges has been assigned a unique account with membership in the “Backup Operators” group, separate from their standard user account.
If any of the following conditions are true, then this is a finding:
- A Backup Operator does not have a unique userid dedicated to backing up the system.
- A Backup Operator does not have a separate account for normal user tasks.
- Backup Operators have not been properly trained.
- The IAO does not maintain a list of users belonging to the Backup Operators group.
Members of the Backup Operators group do not have separate accounts for backup duties and normal operational tasks.
Backup Operators are able to read and write to any file in the system, regardless of the rights assigned to it. Backup and restore rights permit users to circumvent the file access restrictions present on NTFS disk drives for the purpose of backup and restore. Members of the Backup Operators group should have special logon accounts for performing their backup duties.
This check verifies that all shared accounts on the system are documented and justified. Any shared account must be documented with the IAO, as shared accounts do not provide individual accountability for system access and resource usage. Documentation should include the reason for the account, who has access to this account, and how the risk of using a shared account, which provides no individual identification and accountability, is mitigated.
Shared user accounts are permitted on the system.
Note: A shared account may be permitted for a help desk or site security personnel machine, if that machine is stand-alone and has no access to the network.
This check verifies that access to the Event Logs is restricted to members of an “auditors” group, or other restricted-membership group that serves this purpose.
If the site has not created an "auditors" group to restrict access to the Event Logs, this is a finding.
Access to the Windows Event Logs has not been restricted to an Auditors group.
The Security Event Log contains information on security exceptions that occur on the system. This data is critical for identifying security vulnerabilities and intrusions. The Application and System logs can also contain information that is critical in assessing security events. Therefore, these logs must be protected from unauthorized access and modification. Only individuals who have auditing responsibilities (IAO, IAM, auditors, etc.) should be members of this group. The individual System Administrators responsible for maintaining this system can also be members of this group. Note: The administrator who is responsible for an individual system should be added to the local auditors group, since the audit user right is needed to perform those tasks.
This check verifies that Audit logs are reviewed on a regular basis to identify possible security breaches and weakness.
If a site does not have a policy in place that defines procedures for reviewing audit logs, then this is a finding.
There is no local policy for reviewing audit logs.
To be of value, audit logs will be reviewed on a regular basis to identify security breaches and potential weaknesses in the security structure.
This check verifies that Audit logs are archived to ensure data is not being lost.
If a site does not have a policy in place that defines procedures for archiving audit logs, then this is a finding.
There is no local policy for archiving audit logs.
To be of value, audit logs will be archived on a regular basis, both to save space on the system and to ensure that audit data is not lost when the logs fill.
This check verifies that System information backups are maintained in accordance with DISA standards for the recovery of a damaged or compromised system. System information backups should be created to include all information necessary to restore the system.
If any of the following conditions are true, then this is a finding:
- The site does not maintain emergency system recovery data.
- The emergency system recovery data is not protected from destruction and stored in a locked storage container.
- The emergency system recovery data has not been updated following the last system modification.
System information backups are not created, updated, and protected according to DISA requirements.
Recovery of a damaged or compromised system will be difficult without an up-to-date Emergency Repair Disk (ERD). An ERD also allows recovery of a damaged or corrupted system that cannot be rebooted. The ERD, when used in the recovery process, can restore the local system's user database to the version that existed when the ERD was previously made. In particular, if the ERD contained an administrator account without a password, then that exposed account may be attacked. As a valuable system resource, the ERD should be protected and stored in a physically secure location.
This check verifies that the site has a process for implementing security configurations on a system. The Microsoft Security Configuration tools, such as Security Templates and Group Policy, that are integrated into Windows should be used to configure platforms for security compliance.
Microsoft Security Configuration Manager is not being used to configure platforms for security compliance.
The Microsoft Security Configuration Toolset that is integrated in Windows 2000 should be used to configure platforms for security compliance. The SCM allows system administrators to consolidate all security related system settings into a single configuration file. These settings can then be applied consistently to any number of Windows machines. The SCM can use the same configuration file to check platforms for compliance with security policy. If an alternate method is used to configure a system (e.g., manually) that achieves the same configured result, then this is acceptable. Note: The DISA FSO Gold Disk for Windows 2000 can be used to configure a system to meet security requirements.
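The compliance half of the toolset is a comparison of a template against a set of required values. The script below is an added illustration of that comparison, not DISA's tool or Microsoft's secedit: it parses a constructed security template in the .inf format secedit reads ([System Access], [Registry Values] with the "type,data" encoding, and [Service General Setting] with "name,start_type,SDDL" lines) and reports every setting that falls short. The required values and the short service names (Alerter, Messenger, ClipSrv) are assumptions chosen for the example, not values this checklist prescribes.

```python
"""Compare a Windows 2000 security template (.inf) with a set of required
settings, the way 'secedit /analyze' compares a template with the live system.
Added illustration: the template text is constructed, and the required values
are assumptions for the example rather than values the checklist prescribes."""
import re

# Constructed sample template in secedit's format. Registry entries are written
# "type,data" (4 = REG_DWORD); service entries are "name,start_type,SDDL" with
# start type 4 = Disabled, 3 = Manual, 2 = Automatic.
SAMPLE_TEMPLATE = r"""
[Version]
signature="$CHICAGO$"
Revision=1

[System Access]
MinimumPasswordLength = 9
PasswordComplexity = 1

[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,2
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1

[Service General Setting]
Alerter,4,"D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
Messenger,2,"D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
Spooler,3,"D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
"""

DISABLED = 4

# Assumed minimums for the illustration (a higher value is stricter).
REQUIRED_SYSTEM_ACCESS = {"MinimumPasswordLength": 9, "PasswordComplexity": 1}
REQUIRED_REGISTRY = {
    r"MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous": 1,
    r"MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel": 3,
    r"MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature": 1,
    r"MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature": 1,
}
REQUIRED_DISABLED_SERVICES = ("Alerter", "Messenger", "ClipSrv")


def parse_template(text):
    """Return {section: {key: value}}; service entries map name -> start type."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            sections[current] = {}
        elif current == "Service General Setting":
            name, start, _sddl = line.split(",", 2)
            sections[current][name] = int(start)
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def registry_dword(sections, path):
    """Integer value of a REG_DWORD entry, or None if absent or not a DWORD."""
    raw = sections.get("Registry Values", {}).get(path)
    if raw is None:
        return None
    rtype, _, data = raw.partition(",")
    return int(data) if rtype == "4" else None


def analyze(sections):
    """List the ways the template falls short of the required settings."""
    findings = []
    access = sections.get("System Access", {})
    for key, want in REQUIRED_SYSTEM_ACCESS.items():
        have = access.get(key)
        if have is None or int(have) < want:
            findings.append(f"System Access {key}={have}, required at least {want}")
    for path, want in REQUIRED_REGISTRY.items():
        have = registry_dword(sections, path)
        if have is None or have < want:
            findings.append(f"Registry {path}={have}, required at least {want}")
    services = sections.get("Service General Setting", {})
    for svc in REQUIRED_DISABLED_SERVICES:
        start = services.get(svc)
        if start != DISABLED:
            findings.append(f"Service {svc} start type {start}, required {DISABLED} (Disabled)")
    return findings


if __name__ == "__main__":
    for finding in analyze(parse_template(SAMPLE_TEMPLATE)):
        print("FINDING:", finding)
```

On the sample, the script flags the LmCompatibilityLevel below the assumed minimum, the missing workstation-side signing value, the Messenger service left on Automatic, and the ClipSrv entry the template never sets. On a real system the same template would be applied with secedit /configure and checked with secedit /analyze, both of which take the template via /cfg and a database via /db; a setting the template is silent on is not enforced, which is why the script treats an absent entry as a finding rather than a pass.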
If the site does not use a tool to compare system files (*.exe, *.bat, *.com, *.cmd and *.dll) on servers against a baseline, on a weekly basis, then this is a finding.
System Configuration Changes (Servers)
System files are not checked for unauthorized changes.
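The weekly comparison above needs a baseline of file hashes taken from a known-good state and a report of what changed since. The script below is an added example, not a tool named by the checklist: it walks a root directory for the five file types the check names, hashes each with SHA-256, stores the baseline as JSON, and reports added, removed and modified files. The demo() function builds a constructed directory tree and a simulated week of change so it runs offline; the file names and contents in it are made up for the illustration.

```python
"""Weekly check of system files against a hashed baseline. Added example,
not part of the checklist: builds a baseline of *.exe, *.bat, *.com, *.cmd
and *.dll files under a root, saves it as JSON, and reports files added,
removed or modified since. demo() runs against a constructed temporary tree."""
import hashlib
import json
import os
import tempfile

SYSTEM_FILE_EXTS = (".exe", ".bat", ".com", ".cmd", ".dll")


def file_digest(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large DLLs do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root, exts=SYSTEM_FILE_EXTS):
    """Map of relative path -> digest for every matching file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = file_digest(full)
    return baseline


def save_baseline(baseline, path):
    # In production keep this file off the host being checked (read-only media
    # or a separate system), otherwise an intruder can rewrite it.
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Report paths that appeared, disappeared, or whose digest changed."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo():
    """Constructed tree: baseline it, change it, and return the comparison."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "WINNT/system32/kernel32.dll": b"original dll bytes",
            "WINNT/system32/cmd.exe": b"original exe bytes",
            "WINNT/notes.txt": b"not a system file type, ignored",
        }
        for rel, data in files.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        store = os.path.join(root, "baseline.json")
        save_baseline(build_baseline(root), store)

        # A week later: one binary replaced, one new DLL dropped, one removed.
        sysdir = os.path.join(root, "WINNT", "system32")
        with open(os.path.join(sysdir, "cmd.exe"), "wb") as f:
            f.write(b"replaced exe bytes")
        with open(os.path.join(sysdir, "extra.dll"), "wb") as f:
            f.write(b"new dll bytes")
        os.remove(os.path.join(sysdir, "kernel32.dll"))

        return compare(load_baseline(store), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Any non-empty list in the report is what the reviewer would ask the site to account for; a modified entry with no corresponding patch or documented change is the condition the finding describes. Re-baseline only after the change has been verified, never automatically.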
This check applies to machines whose services are accessed remotely (e.g., FTP, Telnet, etc.).
If the User account used for unencrypted remote access within the Enclave (premise router) has administrator privileges, then this is a finding. If User ID and Password information used for remote access to system services from outside the Enclave is not encrypted, then this is a finding.
Unencrypted remote access is permitted to system services.
When unencrypted access to system services is permitted, an intruder can intercept user identification and passwords that are being transmitted in clear text. This could give an intruder unlimited access to the network.
If a Server does not have a host-based intrusion detection (HID) system installed and enabled, then this is a finding. Severity Override: This finding can be downgraded to a Category III if there is an active JIDS or Firewall protecting the network.
Intrusion Detection (Servers) Requirements
A Server does not have a host-based Intrusion Detection System.
This section details the procedures that may be performed on the Windows 2000 console that will allow the reviewer to analyze the system for security vulnerabilities. The analysis determines the composite effect of Local Policy and Group Policy on Windows 2000 Professional and Server, and of Domain Controller policy on Domain Controllers. Some procedures will differ on Domain Controllers. These will be highlighted throughout the document when applicable.
The following applications are used during the manual Security Readiness Review process:
- Windows Explorer
- Computer Manager
- Server Manager
- Microsoft Management Console
- Control Panel
- Registry Editor
- DumpSec
- Command Prompt
The DumpSec application is an analysis tool that permits the user to systematically review ACL, audit, and user information from the local system. This tool is not included with the basic installation of Windows 2000, but may be acquired or downloaded from SomarSoft, Inc. (www.somarsoft.com). The findings discovered during the execution of these procedures may be mapped to the PDIs found in Section 2.
If the environment is a mixed one, with down-level OSs, or maintains trusts with down-level OSs, then the following checks should be reviewed. Configuring them to the required setting could cause compatibility problems.
- 5.3.8.1 Restrict Anonymous Network Shares
- 5.3.8.8 SMB Client Packet Signing
- 5.3.8.10 SMB Server Packet Signing
- 5.3.8.15 LanMan Compatible Password Option Not Properly Set
- 5.3.8.39 Encryption and Signing of Secure Channel Traffic
- 5.3.8.40 Encryption of Secure Channel Traffic
Windows Explorer permits users and administrators the capability to manage the permissions and audit configuration of file objects on NTFS volumes.
This program is accessed through the following procedures:
- Click on the "Start" button.
- Select "Programs" from the "Start" Menu.
- Select "Accessories".
- Select "Windows Explorer."
Upon completion, the "Windows Explorer" application should appear.
This check verifies that Service Pack 4 for Windows 2000 is installed, or that a later service pack has been applied.
- From the taskbar click "Start" and then "Run".
- Type "winver.exe" in the dialog box and click OK.
JTF-GNO COMMUNICATIONS TASKING ORDER (CTO) 06-02, states: Passwords will contain a mix of at least two lowercase letters, two uppercase letters, two numbers, and two special characters. The password will be a minimum of nine characters in length.
This check determines whether the site has implemented a password filter that enforces the DOD requirements listed above. If PPE, or another product, is used, then the reviewer should have the SA show that it is configured to enforce the DOD requirements. Severity Override: If no password filter is used, and the security option for "Password must meet complexity requirements" (V0001150/3.028) is set to "Enabled", then this finding can be downgraded to a Category III, since a less strict complexity algorithm is used.
Strong Password Filtering Requirements
A password filter that enforces DoD requirements is not installed.
This check verifies that shared printers have properly configured share permissions.
If there are no locally attached printers, then mark this as "Not Applicable." Perform this check for each locally attached printer:
- Select the Control Panel directory.
- Select the Printers directory.
Perform this check on each printer that has the "Shared" radio-button selected:
- Right click on a locally-attached printer.
- Select Sharing from the drop-down menu.
- Select the Security tab.
The following table lists the recommended printer share security settings: If the share permissions do not match the above table, then this is a finding.
CCE-3898-4 | Printer Share Permissions Requirements
Printer share permissions are not configured as recommended.
In Windows 2000, the Computer Management console is used to configure a variety of System-related features for the local environment.
This program is accessed through the following procedures:
- Right-click the "My Computer" icon on the desktop.
- Select “Manage” from the drop-down menu.
This check verifies that all local drives are configured using the NTFS format, enabling the use of Windows 2000’s security and auditing features.
- Expand the "Storage" object in the Tree window.
- Select the "Disk Management" object.
Figure 5.2.1
If the file system column does not indicate "NTFS" as the file system for each local drive, then this is a finding.
CCE-3947-9 | Local NTFS Volumes Requirements
Local volumes are not formatted using NTFS.
This check verifies that prohibited services are not activated.
- Expand the “Services and Applications” object in the Tree window.
- Select the “Services” object.
This check verifies that services listed as disabled in the table below are disabled. Any services listed for which the site has documented exceptions are also permitted.
This table contains lists of services for Servers and Workstations that Sites are required to disable, unless there is a real requirement for specific services. Required services will vary between organizations, and will vary depending on the role of the individual system. Organizations will develop their own list of services that are exceptions to the recommended disabled list, and any additional services that are not specified in this table. Exceptions will be documented and justified with the IAO. The Site’s list will be provided for any security review. Services that are common to multiple systems can be addressed in one document. Exceptions for individual systems should be identified separately by system. If services listed in the following table are found, that are not disabled, and the site does not have documented exceptions for these, then this is a finding.CCE-3372-0 | Alerter Service Disabled |
Unnecessary services should not be running on the system. Services typically run under the local System Account, which generally have more permissions than are required by the service. Compromising a service could allow an intruder to obtain System permissions and open the system to a variety of attacks. |
CCE-4825-6 | Application Management Service Disabled |
Unnecessary services should not be running on the system. Services typically run under the local System Account, which generally have more permissions than are required by the service. Compromising a service could allow an intruder to obtain System permissions and open the system to a variety of attacks. |
CCE-4764-7 | ASP .NET State Service Disabled |
Unnecessary services should not be running on the system. Services typically run under the local System Account, which generally have more permissions than are required by the service. Compromising a service could allow an intruder to obtain System permissions and open the system to a variety of attacks. |
CCE-4453-7 | Certificate Service Disabled |
Unnecessary services should not be running on the system. Services typically run under the local System Account, which generally have more permissions than are required by the service. Compromising a service could allow an intruder to obtain System permissions and open the system to a variety of attacks. |
CCE-3892-7 | ClipBook Service Disabled |
Unnecessary services should not be running on the system. Services typically run under the local System Account, which generally have more permissions than are required by the service. Compromising a service could allow an intruder to obtain System permissions and open the system to a variety of attacks. |
CCE-4195-4 | DHCP Server Service Disabled |
Unnecessary services should not be running on the system. Services typically run under the local System Account, which generally have more permissions than are required by the service. Compromising a service could allow an intruder to obtain System permissions and open the system to a variety of attacks. |
CCE-4803-3 | Distributed Link Tracking Client Service Disabled |
Unnecessary services should not be running on the system. Services typically run under the local System Account, which generally have more permissions than are required by the service. Compromising a service could allow an intruder to obtain System permissions and open the system to a variety of attacks. |
CCE-4253-1 | Distributed Link Tracking Server Service Disabled |
Unnecessary services should not be running on the system. Services typically run under the local System Account, which generally have more permissions than are required by the service. Compromising a service could allow an intruder to obtain System permissions and open the system to a variety of attacks. |
CCE-4447-9 | Distributed Transaction Coordinator Service Disabled |
Unnecessary services should not be running on the system. Services typically run under the local System Account, which generally have more permissions than are required by the service. Compromising a service could allow an intruder to obtain System permissions and open the system to a variety of attacks. |
CCE-3059-3 | Fax Service Disabled |
Unnecessary services should not be running on the system. Services typically run under the local System Account, which generally have more permissions than are required by the service. Compromising a service could allow an intruder to obtain System permissions and open the system to a variety of attacks. |
CCE-3830-7 | FTP Publishing Service Disabled |
Unnecessary services should not be running on the system. Services typically run under the local System Account, which generally have more permissions than are required by the service. Compromising a service could allow an intruder to obtain System permissions and open the system to a variety of attacks. |
CCE-3835-6 | IIS Admin Service Disabled |
Unnecessary services should not be running on the system. Services typically run under the local System Account, which generally have more permissions than are required by the service. Compromising a service could allow an intruder to obtain System permissions and open the system to a variety of attacks. |
CCE-4794-4 | Indexing Service Disabled |
Unnecessary services should not be running on the system. Services typically run under the local System Account, which generally have more permissions than are required by the service. Compromising a service could allow an intruder to obtain System permissions and open the system to a variety of attacks. |
CCE-3554-3 | Internet Connection Sharing Service Disabled |
Unnecessary services should not be running on the system. Services typically run under the local System Account, which generally have more permissions than are required by the service. Compromising a service could allow an intruder to obtain System permissions and open the system to a variety of attacks. |
CCE-4777-9 | License Logging Service Disabled |
Unnecessary services should not be running on the system. Services typically run under the local System Account, which generally have more permissions than are required by the service. Compromising a service could allow an intruder to obtain System permissions and open the system to a variety of attacks. |
CCE-3738-2 | Messenger Service Disabled |
Unnecessary services should not be running on the system. Services typically run under the local System Account, which generally have more permissions than are required by the service. Compromising a service could allow an intruder to obtain System permissions and open the system to a variety of attacks. |
CCE-4035-2 | NetMeeting Remote Desktop Sharing Service Disabled |
Unnecessary services should not be running on the system. Services typically run under the local System Account, which generally have more permissions than are required by the service. Compromising a service could allow an intruder to obtain System permissions and open the system to a variety of attacks. |
CCE-4495-8 | Network Dynamic Data Exchange (DDE) Service Disabled |
Unnecessary services should not be running on the system. Services typically run under the local System Account, which generally have more permissions than are required by the service. Compromising a service could allow an intruder to obtain System permissions and open the system to a variety of attacks. |
CCE-4801-7 | Network DDE DDE Share Database Manager (DSDM) Service Disabled |
Unnecessary services should not be running on the system. Services typically run under the local System Account, which generally have more permissions than are required by the service. Compromising a service could allow an intruder to obtain System permissions and open the system to a variety of attacks. |
CCE-4729-0 | Network News Transport Protocol Service Disabled |
Unnecessary services should not be running on the system. Services typically run under the local System Account, which generally have more permissions than are required by the service. Compromising a service could allow an intruder to obtain System permissions and open the system to a variety of attacks. |
Printer Spooler Service Disabled |
Unnecessary services should not be running on the system. Services typically run under the local System Account, which generally have more permissions than are required by the service. Compromising a service could allow an intruder to obtain System permissions and open the system to a variety of attacks. |
CCE-4539-3 | Remote Access Auto Connection Manager Service Disabled |
Unnecessary services should not be running on the system. Services typically run under the local System Account, which generally have more permissions than are required by the service. Compromising a service could allow an intruder to obtain System permissions and open the system to a variety of attacks. |
CCE-4779-5 | Remote Access Connection Manager Service Disabled |
Unnecessary services should not be running on the system. Services typically run under the local System Account, which generally have more permissions than are required by the service. Compromising a service could allow an intruder to obtain System permissions and open the system to a variety of attacks. |
CCE-4720-9 | Resultant Set of Policy Provider Service Disabled |
Unnecessary services should not be running on the system. Services typically run under the local System Account, which generally have more permissions than are required by the service. Compromising a service could allow an intruder to obtain System permissions and open the system to a variety of attacks. |
CCE-3973-5 | Routing And Remote Access Service Disabled |
Unnecessary services should not be running on the system. Services typically run under the local System Account, which generally have more permissions than are required by the service. Compromising a service could allow an intruder to obtain System permissions and open the system to a variety of attacks. |
CCE-3643-4 | Simple Mail Transfer Protocol (SMTP) Service Disabled |
Unnecessary services should not be running on the system. Services typically run under the local System Account, which generally have more permissions than are required by the service. Compromising a service could allow an intruder to obtain System permissions and open the system to a variety of attacks. |
CCE-3515-4 | Simple TCP/IP Service Disabled |
Unnecessary services should not be running on the system. Services typically run under the local System Account, which generally have more permissions than are required by the service. Compromising a service could allow an intruder to obtain System permissions and open the system to a variety of attacks. |
CCE-4096-4 | Smart Card Service Disabled |
Unnecessary services should not be running on the system. Services typically run under the local System Account, which generally have more permissions than are required by the service. Compromising a service could allow an intruder to obtain System permissions and open the system to a variety of attacks. |
CCE-4874-4 | Smart Card Helper Service Disabled |
Unnecessary services should not be running on the system. Services typically run under the local System Account, which generally have more permissions than are required by the service. Compromising a service could allow an intruder to obtain System permissions and open the system to a variety of attacks. |
CCE-4882-7 | Telephony Service Disabled |
Unnecessary services should not be running on the system. Services typically run under the local System Account, which generally have more permissions than are required by the service. Compromising a service could allow an intruder to obtain System permissions and open the system to a variety of attacks. |
CCE-3524-6 | Simple Network Management Protocol (SNMP) Service Disabled |
Unnecessary services should not be running on the system. Services typically run under the local System Account, which generally have more permissions than are required by the service. Compromising a service could allow an intruder to obtain System permissions and open the system to a variety of attacks. |
CCE-3819-0 | Simple Network Management Protocol (SNMP) Trap Disabled |
Unnecessary services should not be running on the system. Services typically run under the local System Account, which generally have more permissions than are required by the service. Compromising a service could allow an intruder to obtain System permissions and open the system to a variety of attacks. |
CCE-4667-2 | Task Scheduler Service Disabled |
Unnecessary services should not be running on the system. Services typically run under the local System Account, which generally have more permissions than are required by the service. Compromising a service could allow an intruder to obtain System permissions and open the system to a variety of attacks. |
CCE-3951-1 | Telnet Service Disabled |
Unnecessary services should not be running on the system. Services typically run under the local System Account, which generally have more permissions than are required by the service. Compromising a service could allow an intruder to obtain System permissions and open the system to a variety of attacks. |
CCE-4751-4 | Uninterrupted Power Supply Service Disabled |
Unnecessary services should not be running on the system. Services typically run under the local System Account, which generally have more permissions than are required by the service. Compromising a service could allow an intruder to obtain System permissions and open the system to a variety of attacks. |
CCE-3922-2 | Windows Internet Name Service Disabled |
Unnecessary services should not be running on the system. Services typically run under the local System Account, which generally have more permissions than are required by the service. Compromising a service could allow an intruder to obtain System permissions and open the system to a variety of attacks. |
CCE-3722-6 | World Wide Web Publishing Services Service Disabled |
Unnecessary services should not be running on the system. Services typically run under the local System Account, which generally have more permissions than are required by the service. Compromising a service could allow an intruder to obtain System permissions and open the system to a variety of attacks. |
CCE-4244-0 | Wireless Zero Configuration |
Disabling this setting will prevent all wireless (Wi-Fi) interfaces from working unless third-party management software is used to manage the device. This will not be an issue on managed desktops but will impact mobile devices. |
This check verifies that a virus-protection program approved by DOD-CERT is installed and activated on the Windows 2000 system.
If none of the following products are installed and supported at an appropriate maintenance level, then this is a finding:
- Symantec Antivirus Corporate Edition Version 9.0.6 or higher
- Symantec Antivirus Corporate Edition Version 10.x or higher
- McAfee’s Antivirus Version 8.0 or higher
If the anti-virus program signature file is not dated within the past 14 days, then this is a finding. (If no signature file has been released in the previous 14 days, then the most current one is required.)
Finding conditions: Symantec Antivirus at the above level is not installed, McAfee’s Antivirus Version 8.0 or higher is not installed, and the anti-virus signature file is out of date.
Virus Protection Software Requirements |
An approved DOD virus scan program is not used and/or updated. |
This check verifies that user-created file shares are configured properly.
If user-created file shares have not been reconfigured to remove ACL permissions for the “Everyone” group, then this is a finding.
- Expand the “System Tools” object in the Tree window
- Expand the “Shared Folders” object.
- Select the “Shares” object.
- Right click any user-created shares (ignore Netlogon, Sysvol and administrative shares; the system will prompt you if Properties are selected for administrative shares).
- Select Properties
- Select the Share Permissions tab
File Shares Requirements |
File share ACLs have not been reconfigured to remove the "Everyone" group. |
The Microsoft Management Console (MMC) is the primary system configuration tool for Windows 2000. It utilizes “Snap-in” functions to configure the various parts of the system. The Security Configuration and Analysis snap-in permits the analysis of Account Policy, System Auditing, Local Policies, Event Logs, Services, Registry ACLs and Auditing, and File ACLs and Auditing.
The procedures outlined in this checklist depend upon the use of a Microsoft security options file that has been updated to include some additional security checks recommended by NSA or DISA FSO guidance. The built-in Security Configuration and Analysis tool uses the Security Options file to display the various options that can be configured or analyzed.
To load the updated Security Options file, do the following:
- Rename the sceregvl.inf file in the %SystemRoot%\inf directory
- Copy the updated sceregvl.inf file from the media provided (Gold Disk, etc.) to the %SystemRoot%\inf directory
- Re-register scecli.dll by executing ‘regsvr32 scecli.dll’ at a command prompt
The additional options will now appear the next time the Security Configuration and Analysis tool is started.
Use the following procedure to start the MMC and load the Security Configuration and Analysis snap-in:
- Select “Start” and “Run” from the desktop.
- Type “mmc.exe” in the Run dialog
- Select “Console” from the MMC menu bar
- Select “Add/Remove snap-in” from the drop-down menu
- Click the “Add” button on the Standalone tab.
- Select the “Security Configuration and Analysis” snap-in and click the “Add” button
- Click “Close”.
- Click “OK”.
- Right-click on the Security Configuration and Analysis object in the left window.
- Select ‘Open Database’
- Enter “C:\temp\scan\srr.sdb” for the database name
- In the ‘Import Template’ window enter the appropriate file name for a workstation or server (e.g. A:\FSOWIN2KDC_Analyze_Only.inf).
- Check the box to “Clear the database before importing”.
- Select “Open”.
The following window will appear:
- Right-click on the Security Configuration and Analysis object in the left window
- Select ‘Analyze Computer Now’ (Important – DO NOT select ‘Configure Computer’)
- Enter “C:\temp\scan\srr.log” for the log name in the ‘Error log file path’ window and click OK.
This check verifies that the system’s password policy conforms to DISA standards.
- Expand the “Security Configuration and Analysis” object in the tree window.
- Expand the “Account Policies” object and select “Password Policy”.
CCE-3827-3 | Maximum Password Age Requirements |
Maximum password age does not meet minimum requirements |
CCE-3224-3 | Minimum Password Age Requirements |
Minimum password age does not meet minimum requirements. |
CCE-3228-4 | Minimum Password Length Requirements |
Minimum password length does not meet minimum requirements. |
CCE-3588-1 | Password Uniqueness Requirements |
Password uniqueness does not meet minimum requirements. |
CCE-3042-9 | Passwords Must Meet Complexity Requirements |
Like the Minimum Password Length setting, this setting makes it more difficult to guess or crack passwords. Enabling this setting implements complexity requirements including not having the user account name in the password and using a mixture of character types, including upper case and lower case letters, digits, and special characters such as punctuation marks. |
CCE-3852-1 | Disable Reversible Password Encryption Requirements |
Reversible password encryption is not disabled. |
This check verifies that the system’s account lockout policy conforms to DISA standards.
- Expand the “Security Configuration and Analysis” object in the tree window
- Expand the “Account Policies” object and select “Account Lockout Policy”
Figure 5.3.4
CCE-3229-2 | Bad Logon Attempts Requirements |
Number of allowed bad logon attempts does not meet minimum requirements. |
CCE-3687-1 | Bad Logon Counter Reset Requirements |
Time before bad-logon counter is reset does not meet minimum requirements. |
CCE-3960-2 | Lockout Duration Requirements |
Lockout duration does not meet minimum requirements |
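The account-policy and lockout checks above, together with the service-startup checks earlier in this section, can be driven from an exported security template instead of clicking through the snap-in. The following Python script is an added example (not part of this checklist or of any DISA tool): it parses a template in the .inf layout that secedit /export writes and that the Security Configuration and Analysis snap-in imports, then compares the [System Access] values and the [Service General Setting] startup codes against a review baseline. The sample template is constructed for the example, and the baseline numbers and the service short names (TlntSvr, Schedule, SNMP, SNMPTRAP) are illustrative assumptions, not the values this checklist requires.

```python
"""Evaluate a Windows security template (.inf) against a review baseline.

The [System Access] and [Service General Setting] sections are the ones the
account-policy and unnecessary-service checks look at.  Added example: the
baseline numbers and service short names are illustrative assumptions."""
import re

# Constructed sample in the layout secedit /export produces (not from a real host).
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 90
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
ClearTextPassword = 0
LockoutBadCount = 0
ResetLockoutCount = 60
LockoutDuration = -1
[Service General Setting]
"TlntSvr",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)"
"Schedule",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)"
"""

# Illustrative baseline (assumption, not the checklist's required values).
ACCOUNT_POLICY_BASELINE = {
    "MaximumPasswordAge":    ("<=", 60),   # days
    "MinimumPasswordAge":    (">=", 1),    # days
    "MinimumPasswordLength": (">=", 12),   # characters
    "PasswordHistorySize":   (">=", 24),   # passwords remembered
    "PasswordComplexity":    ("==", 1),    # complexity enabled
    "ClearTextPassword":     ("==", 0),    # reversible encryption off
    "LockoutBadCount":       ("<=", 3),    # bad logon attempts
    "ResetLockoutCount":     (">=", 60),   # minutes
    "LockoutDuration":       (">=", 60),   # minutes
}

# Services the checklist wants disabled, keyed by assumed short name.
SERVICES_EXPECTED_DISABLED = {"TlntSvr": "Telnet", "Schedule": "Task Scheduler",
                              "SNMP": "SNMP Service", "SNMPTRAP": "SNMP Trap"}
STARTUP_DISABLED = 4   # template startup codes: 2 automatic, 3 manual, 4 disabled


def parse_template(text):
    """Return {section: [(key, value)]}; lines without '=' keep value None."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            key, sep, value = line.partition("=")
            sections[current].append((key.strip(), value.strip() if sep else None))
    return sections


def _meets(op, actual, threshold):
    return {"<=": actual <= threshold, ">=": actual >= threshold,
            "==": actual == threshold}[op]


def check_account_policy(sections, baseline=ACCOUNT_POLICY_BASELINE):
    """Return [(setting, actual, reason)] findings for [System Access]."""
    values = dict(sections.get("System Access", []))
    findings = []
    for key, (op, threshold) in baseline.items():
        if key not in values:
            findings.append((key, None, "not present in template"))
            continue
        actual = int(values[key])
        # Sentinels used by the template format: -1 means "never" for
        # MaximumPasswordAge and "until an administrator unlocks" for
        # LockoutDuration; LockoutBadCount 0 means accounts never lock.
        if key == "MaximumPasswordAge" and actual == -1:
            findings.append((key, actual, "passwords never expire"))
        elif key == "LockoutBadCount" and actual == 0:
            findings.append((key, actual, "accounts are never locked out"))
        elif key == "LockoutDuration" and actual == -1:
            pass                     # stricter than any timed duration
        elif not _meets(op, actual, threshold):
            findings.append((key, actual, f"required {op} {threshold}"))
    return findings


def check_services(sections, expected_disabled=SERVICES_EXPECTED_DISABLED):
    """Return [(service, startup, reason)] for services not set to Disabled."""
    startup = {}
    for entry, _ in sections.get("Service General Setting", []):
        m = re.match(r'"([^"]+)",(\d),', entry)    # "Name",StartType,"SDDL"
        if m:
            startup[m.group(1)] = int(m.group(2))
    findings = []
    for short, display in expected_disabled.items():
        if short not in startup:
            findings.append((short, None, f"{display}: not in template, check services.msc"))
        elif startup[short] != STARTUP_DISABLED:
            findings.append((short, startup[short], f"{display}: startup is not Disabled"))
    return findings


if __name__ == "__main__":
    parsed = parse_template(SAMPLE_TEMPLATE)
    for finding in check_account_policy(parsed) + check_services(parsed):
        print("FINDING:", *finding)
```

To run it against a real system, read the file written by secedit /export in place of SAMPLE_TEMPLATE. A template only lists services that were explicitly configured, so a service missing from the export is reported for manual confirmation in the Services applet rather than being passed.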
This check verifies that the Kerberos authentication settings are configured to the minimum required DISA standards
- Expand the “Security Configuration and Analysis” object in the tree window
- Expand the “Account Policies” object and select “Kerberos Policy”.
CCE-4645-8 | Kerberos - User Logon Restrictions (DC) Requirements |
Kerberos user logon restrictions are not enforced. |
CCE-4865-2 | Kerberos - Service Ticket Lifetime (DC) Requirements |
Kerberos service ticket maximum lifetime does not meet minimum standards |
CCE-4750-6 | Kerberos - User Ticket Lifetime (DC) Requirements |
Kerberos user ticket maximum lifetime does not meet minimum standards. |
CCE-4684-7 | Kerberos - User Ticket Renewal Lifetime (DC) Requirements |
Kerberos user ticket renewal maximum lifetime does not meet minimum standards. |
CCE-4715-9 | Kerberos - Computer Clock Synchronization (DC) Requirements |
Computer clock synchronization tolerance does not meet minimum standards. |
This check verifies that the minimum user account and object auditing on the local system is configured to DISA standards.
- Expand the “Security Configuration and Analysis” object in the tree window
- Expand the “Local Policies” object and select “Audit Policy”.
Figure 5.3.6
Compare the settings in the Policy window with the figure in section 5.3.6. If the system does not audit the events listed in that figure, then this is a finding. Events with a value of “No Auditing” indicate those that are not required by DISA to be audited.
“Audit directory services access” can be set to “No Auditing” for Professional and Member Servers. If auditing is disabled, then mark this check as a “FINDING.”
Auditing Configuration Requirements |
System-auditing configuration does not meet minimum requirements. |
This check verifies that the system’s user rights and advanced user rights policies are configured in accordance with DISA requirements.
- Expand the “Security Configuration and Analysis” object in the tree window
- Expand the “Local Policies” object and select “User Rights Assignment”
User and advanced user rights settings do not meet minimum requirements.
CCE-3917-2 | Right To Access This Computer From The Network |
Verify that the user right 'Access This Computer From The Network' has been granted appropriately. |
CCE-3736-6 | Right To Act As Part Of The Operating System |
Verify that the user right 'Act As Part Of The Operating System' has been granted appropriately. |
CCE-3542-8 | Right To Add Workstations To Domain |
Verify that the user right 'Add Workstations To Domain' has been granted appropriately. |
CCE-3296-1 | Right To Change the System Time |
Verify that the user right 'Change the System Time' has been granted appropriately. |
CCE-3943-8 | Right To Create A Pagefile |
Verify that the user right 'Create A Pagefile' has been granted appropriately. |
CCE-3860-4 | Right To Create A Token Object |
Verify that the user right 'Create A Token Object' has been granted appropriately. |
CCE-4790-2 | Right To Create Global Objects |
Verify that the user right 'Create Global Objects' has been granted appropriately. |
CCE-3767-1 | Right To Create Permanent Shared Objects |
Verify that the user right 'Create Permanent Shared Objects' has been granted appropriately. |
CCE-3503-0 | Denied Access To This Computer From The Network |
Verify that the user right 'Deny Access To This Computer From The Network' has been granted appropriately. |
CCE-4235-8 | Denied Logon As A Service |
Verify that the user right 'Deny Logon As A Service' has been granted appropriately. |
CCE-3489-2 | Denied Logon Locally |
Verify that the user right 'Deny Logon Locally' has been granted appropriately. |
CCE-3282-1 | Computer and User Accounts Enabled To Be Trusted For Delegation |
Verify that the user right 'Enable Computer and User Accounts To Be Trusted For Delegation' has been granted appropriately. |
CCE-3904-0 | Right To Force Shutdown From A Remote System |
Verify that the user right 'Force Shutdown From A Remote System' has been granted appropriately. |
CCE-3811-7 | Right To Generate Security Audits |
Verify that the user right 'Generate Security Audits' has been granted appropriately. |
CCE-4332-3 | Impersonate a Client After Authentication |
Verify that the user right 'Impersonate a Client After Authentication' has been granted appropriately. |
CCE-3630-1 | Right To Increase Scheduling Priority |
Verify that the user right 'Increase Scheduling Priority' has been granted appropriately. |
CCE-3798-6 | Right To Load And Unload Device Drivers |
Verify that the user right 'Load And Unload Device Drivers' has been granted appropriately. |
CCE-3317-5 | Right To Lock Pages In Memory |
Verify that the user right 'Lock Pages In Memory' has been granted appropriately. |
CCE-3965-1 | Right To Log On As A Batch Job |
Verify that the user right 'Log On As A Batch Job' has been granted appropriately. |
CCE-3903-2 | Right To Modify Firmware Environment Values |
Verify that the user right 'Modify Firmware Environment Values' has been granted appropriately. |
CCE-3926-3 | Right To Profile Single Process |
Verify that the user right 'Profile Single Process' has been granted appropriately. |
CCE-3445-4 | Right To Profile System Performance |
Verify that the user right 'Profile System Performance' has been granted appropriately. |
CCE-3829-9 | Right To Remove Computer From Docking Station |
Verify that the user right 'Remove Computer From Docking Station' has been granted appropriately. |
CCE-3970-1 | Right To Replace A Process Level Token |
Verify that the user right 'Replace A Process Level Token' has been granted appropriately. |
CCE-3912-3 | Right To Restore Files And Directories |
Verify that the user right 'Restore Files And Directories' has been granted appropriately. |
CCE-3934-7 | Right To Shut Down The System |
Verify that the user right 'Shut Down The System' has been granted appropriately. |
CCE-3850-5 | Right To Synchronize Directory Service Data |
Verify that the user right 'Synchronize Directory Service Data' has been granted appropriately. |
CCE-3471-0 | Right To Take Ownership Of Files Or Other Objects |
Verify that the user right 'Take Ownership Of Files Or Other Objects' has been granted appropriately. |
This check verifies that security options on the local system are configured to DISA standards.
- Expand the “Security Configuration and Analysis” object in the tree window.
- Expand the “Local Policies” object and select “Security Options”.
Figure 5.3.8
CCE-3837-2 | Network access: Do not allow anonymous enumeration of SAM accounts and shares |
If this setting is disabled, it allows anonymous logon users (null session connections) to list all account names and enumerate all shared resources, thus providing a map of potential points to attack the system. |
CCE-3959-4 | Display Shutdown Button Requirements |
The system allows shutdown from the logon dialog box. |
CCE-4069-1 | Devices: Allow only administrators to format and eject removable media |
Verifies that only the correct users are allowed to format and eject removable media. |
CCE-3921-4 | Microsoft network server: Amount of idle time required before suspending session |
Administrators should use this setting to control when a computer disconnects an inactive SMB session. If client activity resumes, the session is automatically reestablished. |
CCE-4786-0 | Forcibly Disconnect when Logon Hours Expire Requirements |
Users are not forcibly disconnected when logon hours expire. |
CCE-3747-3 | SMB Client Packet Signing Always Requirements: Microsoft network client: Digitally sign communications (always) |
This check verifies that the client policy is set to always sign packets. |
CCE-3994-1 | SMB Client Packet Signing When Possible Requirements: Microsoft network client: Digitally sign communications (if server agrees) |
This check verifies that the client policy is set to sign packets if the server agrees. |
CCE-3783-8 | SMB Server Packet Signing Always Requirements: Microsoft network server: Digitally sign communications (always) |
This check verifies that the server policy is set to always sign packets. |
CCE-3928-9 | Microsoft network server: Digitally sign communications (if client agrees) |
This check verifies that the server policy is set to sign packets if the client agrees. |
CCE-3886-9 | Interactive logon: Do not require CTRL+ALT+DEL |
Disabling the Ctrl+Alt+Del security attention sequence can compromise system security. Because only Windows responds to the Ctrl+Alt+Del security sequence, you can be assured that any passwords you enter following that sequence are sent only to Windows. If you eliminate the sequence requirement, malicious programs can request and receive your Windows password. Disabling this sequence also suppresses a custom logon banner. |
CCE-3726-7 | Disable Media Autoplay (HKLM Software hive) Requirements |
The system is configured to allow applications to run automatically when Windows Explorer opens. |
CCE-3646-7 | Interactive logon: Do not display last user name |
This setting determines whether the name of the last user to log on to the computer will be displayed in the Windows logon dialog box. |
CCE-4012-1 | Display Legal Notice Requirements |
Legal notice is not configured to display before console logon. |
CCE-3884-4 | Disable Dead Gateway Detection Requirements |
The system is configured to allow dead gateway detection |
CCE-3915-6 | MSS: (DisableIPSourceRouting) IP source routing protection level |
This setting protects against packet spoofing. Set to 2 to completely disable source routing. |
CCE-3704-4 | MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes |
This check determines whether ICMP redirects are allowed to override OSPF generated routes. |
CCE-4065-9 | MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure DefaultGateway addresses |
This check verifies that the system is configured to disable the Internet Router Discovery Protocol (IRDP), which could otherwise be abused to cause a denial of service. |
CCE-3600-4 | MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds |
This check verifies that the system is configured to control how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet. |
CCE-4027-9 | Tcp Max Half Open Retried |
This setting specifies the number of connections permitted in the SYN-RCVD state for which at least one retransmission of the SYN has been sent, before SynAttackProtect measures are implemented. |
CCE-3878-6 | Tcp Max Half Open |
This setting specifies the number of connections permitted in the SYN-RCVD state before SynAttackProtect measures are implemented. |
CCE-3682-2 | Computer Browser Spoofing Attacks |
The system is configured to allow Computer Browser spoofing attacks. |
CCE-3922-2 | MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers |
This check verifies that the system is configured to prevent release of its NetBIOS name when a name-release request is received. |
CCE-4085-7 | Network Security: Protect against SYN attacks |
This check verifies that the system is configured to protect against SYN attacks. The setting should be set to “Reduce Transmission Retrys and notify WinSock”. |
CCE-3545-1 | Disable Caching of Logon Credentials Requirements |
Caching of logon credentials is not limited |
CCE-3559-2 | MSS: (AutoAdminLogon) Enable Automatic Logon Disabled |
If enabled, this setting will allow a user to directly log on to the system with administrator privileges when the machine is rebooted. This would give full access to any unauthorized individual who reboots the computer. By default this setting is not enabled. If this setting exists, it should be disabled. If this capability exists, the default password will also be present in the registry, and must be removed. |
CCE-3145-0 | Resetting Computer Account Password Requirements |
The computer account password is prevented from being reset |
CCE-4010-5 | MSS: (DisableSavePassword) Prevent the dial-up password from being saved |
This check determines whether the dial-up password is prevented from being saved. |
CCE-3675-6 | Secure Print Driver Installation Requirements |
Print driver installation privilege is not restricted to administrators. |
CCE-3098-1 | Interactive logon: Prompt user to change password before expiration. |
This setting configures the system to display a warning to users telling them how many days are left before their password expires. By giving the user advanced warning, the user has time to construct a sufficiently strong password. |
CCE-3948-7 | Protect Kernel object attributes Requirements |
The system is not configured to protect kernel object attributes. |
CCE-4067-5 | Recovery console: Allow automatic administrative logon |
If this option is enabled, the Recovery Console does not require you to provide a password and will automatically log on to the system, giving Administrator access to system files. By default, the Recovery Console requires you to provide the password for the Administrator account before accessing the system. |
CCE-3463-7 | Recovery console: Allow floppy copy and access to all drives and all folders |
Enabling this option enables the Recovery Console SET command, which allows you to set Recovery Console environment variables. This permits floppy copy and access to all drives and folders. It should be disabled. |
CCE-3899-2 | Accounts: Rename administrator account |
The Administrator account is created by default when installing Windows 2000. Associating the Administrator SID with a different name may thwart a potential hacker who is targeting the built-in Administrator account. |
CCE-4045-1 | Accounts: Rename guest account |
The Guest account is created by default when installing Windows 2000, but is disabled. Associating the Guest SID with a different name may thwart a potential hacker who is targeting the built-in Guest account. |
CCE-3607-9 | Digitally encrypt or sign secure channel data (always) |
Digitally encrypt or sign secure channel data (always). Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted or signed. If this policy is enabled, outgoing secure channel traffic should be encrypted. |
Encryption Of Secure Channel Traffic Requirements |
todo |
Signing Of Secure Channel Traffic Requirements |
todo |
CCE-3978-4 | Domain member: Require strong session key |
This setting controls the required strength of a session key. Session keys in Windows 2000 are stronger than those in NT and should be used whenever possible. |
CCE-3392-8 | Microsoft network client: Send unencrypted password to third-party SMB servers |
Some non-Microsoft SMB servers only support unencrypted (plain text) password authentication. Sending plain text passwords across the network, when authenticating to an SMB server, reduces the overall security of the environment. Check with the Vendor of the SMB server to see if there is a way to support encrypted password authentication. |
CCE-3596-4 | Interactive logon: Smart card removal behavior |
When the smart card for a logged-on user is removed from the smart card reader, the workstation should be locked. |
CCE-3956-0 | Global System Object Permission Strength Requirements |
The default permissions of global system objects are not increased. |
CCE-3589-9 | Audit Log Warning Level Requirements |
The system does not generate an audit event when the audit log reaches a percent full threshold. |
This check verifies that Windows 2000 Server and Professional are configured to preserve event data should the logs reach their maximum size.
- Expand the “Security Configuration and Analysis” object in the tree window.
- Expand the “Event Log” object and select “Settings for Event Logs”.
Figure 5.3.9
CCE-3775-4 | Maximum Application Log Size |
Inadequate log size will cause the log to fill up quickly and require frequent clearing by administrative personnel. An exception is for NT workstations that do not share resources. The smaller size should allow sufficient audit information for supporting the investigation of suspicious events, but since it is overwritten, does not require administrator interaction for clearing the file. Microsoft recommends that the combined size of all the event logs (including DNS logs, Directory Services logs, and Replication logs on Servers or Domain Controllers) should not exceed 300 megabytes. Exceeding the recommended value can impact performance. |
CCE-3096-5 | Maximum Security Log Size |
Inadequate log size will cause the log to fill up quickly and require frequent clearing by administrative personnel. An exception is for NT workstations that do not share resources. The smaller size should allow sufficient audit information for supporting the investigation of suspicious events, but since it is overwritten, does not require administrator interaction for clearing the file. Microsoft recommends that the combined size of all the event logs (including DNS logs, Directory Services logs, and Replication logs on Servers or Domain Controllers) should not exceed 300 megabytes. Exceeding the recommended value can impact performance. |
CCE-3889-3 | Maximum System Log Size |
Inadequate log size will cause the log to fill up quickly and require frequent clearing by administrative personnel. An exception is for NT workstations that do not share resources. The smaller size should allow sufficient audit information for supporting the investigation of suspicious events, but since it is overwritten, does not require administrator interaction for clearing the file. Microsoft recommends that the combined size of all the event logs (including DNS logs, Directory Services logs, and Replication logs on Servers or Domain Controllers) should not exceed 300 megabytes. Exceeding the recommended value can impact performance. |
CCE-3880-2 | Prevent Local Guests Group From Accessing Application Log |
By default, the Windows 2000 event logs may be viewed over the network by an anonymous user. This method of access over the network is communicating through the Server service which has SYSTEM access to the actual log files. |
CCE-3964-4 | Prevent Local Guests Group From Accessing Security Log |
By default, the Windows 2000 event logs may be viewed over the network by an anonymous user. This method of access over the network is communicating through the Server service which has SYSTEM access to the actual log files. |
CCE-3990-9 | Prevent Local Guests Group From Accessing System Log |
By default, the Windows 2000 event logs may be viewed over the network by an anonymous user. This method of access over the network is communicating through the Server service which has SYSTEM access to the actual log files. |
CCE-3797-8 | Retention of Events in Application Log |
The application log should be configured to correctly handle itself when it reaches the maximum size. The log can be overwritten after a certain number of days, overwritten when it becomes full, or have to be cleared manually. |
CCE-3589-9 | Retention of Events in Security Log |
The security log should be configured to correctly handle itself when it reaches the maximum size. The log can be overwritten after a certain number of days, overwritten when it becomes full, or have to be cleared manually. |
CCE-3805-9 | Retention of Events in System Log |
The system log should be configured to correctly handle itself when it reaches the maximum size. The log can be overwritten after a certain number of days, overwritten when it becomes full, or have to be cleared manually. |
This check verifies that the Group Restrictions conform to DISA standards
- Expand the “Security Configuration and Analysis” object in the tree window.
- Expand the “Restricted Groups” object.
Figure 5.3.10
This check verifies that the Power Users group is restricted from having any members and from belonging to any other groups. Double click the value for “Power Users”. If there are any users or groups listed under the “members” tab, then this is a finding. If there are any groups listed under the “member of” tab, then this is a finding.
CCE-4003-0 | Power Users Restricted Group |
The Restricted Groups option allows the administrator to manage membership of sensitive groups. The Power Users group is one such group. This group has been given significant privileges under Windows 2000. |
This check verifies that the ACLs for disabled services meet minimum requirements.
- Expand the “Security Configuration and Analysis” object in the tree window
- Expand the “System Services” object and select each applicable disabled Service. (Disabled Services can be identified using the Control Panel’s Services applet.)
- Right click the Service and select Security.
- Select ‘View Security’
Figure 5.3.11
If the ACLs for applicable disabled Services do not restrict permissions to Administrators ‘Full Control’, System ‘Full Control’, and Authenticated Users ‘Read’, then this is a finding.
Service Object Permissions Requirements |
ACLs for disabled Services do not conform to minimum requirements. |
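Both the user-created file share check earlier in this section (no permissions for the “Everyone” group) and the disabled-service ACL check just above reduce to reading a discretionary ACL. As an added example that is not part of the checklist, the following Python script decodes the DACL of an SDDL string, the notation in which security templates and the snap-in store service security descriptors, and applies the two rules. The sample descriptors are constructed, and the mapping of SDDL right tokens to the snap-in’s ‘Read’ and ‘Full Control’ service permission sets is an assumption of this example.

```python
"""Decode the DACL of an SDDL security descriptor and apply two checklist
ACL rules: user-created shares must not grant Everyone, and a disabled
service's ACL must be limited to Administrators and SYSTEM (Full Control)
plus Authenticated Users (Read).  Added example, not part of the checklist;
the right-token sets below are this example's assumptions."""
import re

# SID abbreviations that matter for the two checks.
TRUSTEES = {"BA": "Administrators", "SY": "SYSTEM", "AU": "Authenticated Users",
            "WD": "Everyone", "AN": "Anonymous", "BG": "Guests", "BU": "Users",
            "PU": "Power Users"}

# Service rights the snap-in groups under "Read" and "Full Control" (assumed).
SERVICE_READ = {"CC", "LC", "SW", "LO", "CR", "RC"}
SERVICE_FULL = SERVICE_READ | {"RP", "WP", "DT", "DC", "SD", "WD", "WO"}

# ACE layout: (ace_type;ace_flags;rights;object_guid;inherit_guid;account_sid)
ACE_RE = re.compile(r"\(([A-Z]+);([^;]*);([^;]*);[^;]*;[^;]*;([^)]*)\)")


def parse_dacl(sddl):
    """Return [(trustee, allowed, rights)] from the D: section of an SDDL string."""
    m = re.search(r"D:[^(]*((?:\([^)]*\))*)", sddl)   # skip DACL flags such as AR/P
    if not m:
        return []
    return [(TRUSTEES.get(sid, sid), ace_type in ("A", "OA"), rights)
            for ace_type, _flags, rights, sid in ACE_RE.findall(m.group(1))]


def classify_service_rights(rights):
    """Map a rights field to 'full', 'read' or 'other' (hex masks -> 'other')."""
    if rights.startswith("0x"):
        return "other"              # numeric mask: leave for manual review
    tokens = set(re.findall(r"[A-Z]{2}", rights))
    if "GA" in tokens or SERVICE_FULL <= tokens:
        return "full"
    if tokens and tokens <= SERVICE_READ:
        return "read"
    return "other"


# Expected level per trustee for a disabled service, per the checklist rule.
SERVICE_ACL_RULE = {"Administrators": "full", "SYSTEM": "full",
                    "Authenticated Users": "read"}


def check_disabled_service_acl(sddl):
    """Return finding strings for a disabled service's DACL."""
    findings = []
    for trustee, allowed, rights in parse_dacl(sddl):
        if not allowed:
            continue                # deny ACEs only narrow access
        expected = SERVICE_ACL_RULE.get(trustee)
        level = classify_service_rights(rights)
        if expected is None:
            findings.append(f"{trustee}: not in the permitted set ({rights})")
        elif level != expected:
            findings.append(f"{trustee}: expected {expected}, has {level} ({rights})")
    return findings


def check_share_acl(sddl):
    """Return finding strings for a user-created share that still grants Everyone."""
    return [f"Everyone granted {rights}"
            for trustee, allowed, rights in parse_dacl(sddl)
            if allowed and trustee == "Everyone"]


# Constructed sample descriptors (not taken from a real system).
SHARE_DEFAULT = "D:(A;;FA;;;WD)"                   # Everyone: Full Control
SHARE_FIXED = "D:(A;;FA;;;BA)(A;;FR;;;AU)"         # Administrators full, Authenticated Users read
SERVICE_OK = ("D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
              "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;AU)")
SERVICE_BAD = ("D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
               "(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCLCSWLOCRRC;;;AU)")

if __name__ == "__main__":
    for name, sddl in [("default share", SHARE_DEFAULT), ("fixed share", SHARE_FIXED)]:
        print(name, check_share_acl(sddl) or "OK")
    for name, sddl in [("service ok", SERVICE_OK), ("service bad", SERVICE_BAD)]:
        print(name, check_disabled_service_acl(sddl) or "OK")
```

Deny ACEs are skipped because they only narrow access, and a numeric (0x…) rights mask is classified as ‘other’ so that it surfaces for manual review instead of being silently accepted.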
This check verifies that the access-control permissions applied to the registry object under review conform to DISA standards.
- Expand the “Security Configuration and Analysis” object in the tree window
- Expand the “Registry” object and navigate to the key being investigated.
Figure 5.3.12-1
To investigate a possible Registry ACL discrepancy:
- Select the object being investigated
- Right click on the object
- Select “Security”
- Click on the “View Security” button
- Highlight each group in turn to view effective settings.
CCE-3503-0 | Anonymous Access to the Registry Requirements |
Anonymous access to the Registry is not restricted. Figure 5.3.12.1 |
CCE-3748-1 | Registry Key Auditing Requirements |
Registry key-auditing configuration does not meet minimum requirements. |
This check verifies that the access-control permissions applied to the file or directory object conform to DISA standards. If Windows 2000 is not installed on NTFS partitions, then mark all checks in this section as a “FINDING.”
- Expand the “Security Configuration and Analysis” object in the tree window
- Expand the “File System” object and navigate to the directory/file being investigated
To investigate a possible ACL discrepancy:
- Select the object being investigated
- Right click on the object
- Select “Security”
- Click on the “View Security” button
- Highlight each group in turn to view effective settings
CCE-3095-7 | System Files Requirements |
ACLs for system files and directories do not conform to minimum requirements. |
Access to the Windows Event Logs has not been restricted to an Auditors group. |
The Security Event Log contains information on security exceptions that occur on the system. This data is critical for identifying security vulnerabilities and intrusions. The Application and System logs can also contain information that is critical in assessing security events. Therefore, these logs must be protected from unauthorized access and modification. Only individuals who have auditing responsibilities (IAO, IAM, auditors, etc.) should be members of this group. The individual System Administrators responsible for maintaining this system can also be members of this group. Note: The administrator who is responsible for an individual system should be added to the local auditors group, since he needs the audit user right to perform his tasks. Figure 5.3.13.2 |
CCE-4812-4 | Audit Directory Service Access |
Audits the event of a user accessing an active directory object that has its own System Access Control List (SACL) specified. This setting is not applicable to Windows 2000 systems. |
The “Control Panel” is responsible for many configuration options on Windows 2000.
This program is accessed through the following procedures:
- Click on the “Start” button
- Select “Settings” from the “Start” Menu
- Select “Control Panel.”
CCE-4008-9 | Password Protected Screen Savers Requirements |
Current user configuration is not set with a password-protected screen saver. Figure 5.4.1 |
Booting into Multiple Operating Systems Requirements |
Booting into alternate operating systems is permitted. Figure 5.4.2 |
This check verifies that Administrative Templates options on the local system are configured to DISA standards.
The Registry settings displayed are for checking purposes only and should not be modified directly, since doing so will not update the Administrative Template Policy file that is saved on the system, and the settings will not be displayed correctly in the MMC. These settings should only be made using the MMC Local Computer Policy snap-in or through Group Policy. This will ensure that previous settings are not lost when any changes are made to the Administrative Template settings, and that findings are reported correctly by the Gold Disk.
Use the following procedure to use the MMC and load the Local Computer Policy snap-in:
- Select “Start” and “Run” from the desktop.
- Type “mmc.exe” in the Run dialog.
- Select “File” from the MMC menu bar.
- Select “Add/Remove snap-in” from the drop-down menu.
- Click the “Add” button on the Standalone tab.
- Select the “Group Policy” snap-in and click the “Add” button.
- Click “Finish”.
- Click “Close”.
- Click “OK”.
This check verifies that NetMeeting Remote Desktop Sharing is disabled.
CCE-4035-2 | NetMeeting Remote Desktop Sharing Service Disabled |
Unnecessary services should not be running on the system. Services typically run under the local System Account, which generally has more permissions than are required by the service. Compromising a service could allow an intruder to obtain System permissions and open the system to a variety of attacks. |
CCE-3971-9 | IE - Security Zones: Use Only Machine Settings Requirements |
Use of machine based security zone settings is not enforced. |
CCE-4019-6 | IE - Security Zones: Do Not Allow Users to Change Policies Requirements |
Users are allowed to change the I.E. security policies. |
CCE-4117-8 | IE - Security Zones: Do Not Allow Users to Add/Delete Sites Requirements |
Users are allowed to Add/Delete Sites |
CCE-4125-1 | IE - Make Proxy Settings Per Machine Requirements |
Proxy server settings are not per machine |
CCE-3962-8 | IE - Disable Automatic Install of Internet Explorer Components Requirements |
Automatic install of I.E. components is not disabled. |
CCE-3874-5 | IE - Disable Periodic Check for Internet Explorer Software Updates Requirements |
I.E. automatically checks for program updates |
CCE-3517-0 | IE - Disable Software Update Shell Notifications on Program Launch Requirements |
Software update shell notifications on program launch are not disabled. |
The “Registry Editor” gives users and administrators the capability to manage the permissions and audit configuration of file objects on NTFS volumes.
This program is accessed through the following procedures:
- Click on the “Start” button.
- Select “Run” from the “Start” Menu.
- In the “Run” dialog box, enter “REGEDT32” in the “Open” field.
- Click on the “OK” button.
Upon completion, the “Registry Editor” application should appear.
CCE-4848-8 | Recycle Bin Configured to Delete Files (Servers) Requirements |
The Recycle Bin on a Server is not configured to delete files. |
CCE-4768-8 | CAC logon required (NIPRNet only) Requirement |
The system is configured to allow logon with username and password. |
The program “DumpSec,” distributed by SomarSoft, Inc., provides reports on the contents of the SAM database.
This program is not a part of the basic Windows 2000 installation, and must be acquired separately. This program is also distributed under the name “DumpACL”. This program is accessed through the following procedures:
- Click on the “Start” button.
- Select “Run” from the “Start” Menu.
- In the “Run” dialog box, enter the explicit path of the “DumpSec” application in the “Open” field.
- Click on the “OK” button.
Upon completion, the “DumpSec” application should appear.
This check verifies that user accounts defined on the local system conform to DISA requirements.
- Select “Dump Users as Table” from the “Report” menu.
- Select the available fields in the following sequence, and click on the “Add” button for each entry:
- UserName
- SID
- PswdRequired
- PswdExpires
- PswdLastSetTime
- LastLogonTime
- AcctDisabled
- Groups
- Click “OK” to proceed.
Application Account Passwords Requirements |
Application account passwords are not changed annually. |
Dormant Accounts Requirements |
A user account is dormant. |
Local Users Exist on Workstation Requirements |
Local users exist on a workstation in a domain. |
CCE-3766-3 | Accounts: Guest account status |
A system faces an increased vulnerability threat if the built-in guest account is not disabled. This account is a known account that exists on all Windows systems and cannot be deleted. This account is initialized during the installation of the operating system with no password assigned. This account is a member of the Everyone user group and has all the rights and permissions associated with that group, which could subsequently provide access to system resources to anonymous users. Ensure the built-in guest account is disabled. |
Restricted Administrator Group Membership Requirements |
A regular user has Administrator rights on the local workstation. |
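The DumpSec user table produced by the procedure above can be reviewed offline for the Application Account Passwords, Dormant Accounts and Guest account status checks. The script below is an added example, not part of the checklist or of DumpSec; the report text is a constructed sample in DumpSec's tab-separated layout, and the 35-day dormancy and 365-day password-age thresholds are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample in the tab-separated layout of a saved DumpSec
# "Dump Users as Table" report, with the fields selected in the order above.
SAMPLE_REPORT = """\
UserName\tSID\tPswdRequired\tPswdExpires\tPswdLastSetTime\tLastLogonTime\tAcctDisabled\tGroups
Administrator\tS-1-5-21-1000-2000-3000-500\tYes\tNo\t1/14/2004 9:12 AM\t3/1/2004 8:05 AM\tNo\tAdministrators
Guest\tS-1-5-21-1000-2000-3000-501\tNo\tNo\tNever\tNever\tNo\tGuests
jsmith\tS-1-5-21-1000-2000-3000-1005\tYes\tYes\t11/2/2003 10:30 AM\t11/20/2003 4:44 PM\tNo\tUsers
svc_backup\tS-1-5-21-1000-2000-3000-1010\tYes\tNo\t2/10/2003 1:00 PM\t2/28/2004 11:59 PM\tNo\tBackup Operators
"""
DUMPSEC_TIME = "%m/%d/%Y %I:%M %p"   # e.g. 1/14/2004 9:12 AM
REVIEW_DATE = datetime(2004, 3, 15)  # constructed date of the review

def parse_report(text):
    # First line is the header; each following line is one account.
    rows = [line.split("\t") for line in text.splitlines() if line.strip()]
    return [dict(zip(rows[0], r)) for r in rows[1:]]

def parse_time(value):
    return None if value == "Never" else datetime.strptime(value, DUMPSEC_TIME)

def review_accounts(text, as_of, dormant_days=35, pwd_age_days=365):
    # Thresholds are assumed for this example; use the values your site requires.
    findings = []
    for acct in parse_report(text):
        name = acct["UserName"]
        if name == "Guest" and acct["AcctDisabled"] != "Yes":
            findings.append((name, "built-in Guest account is enabled"))
        if acct["AcctDisabled"] == "Yes":
            continue  # disabled accounts are not dormant-account findings
        last_logon = parse_time(acct["LastLogonTime"])
        if last_logon is None or as_of - last_logon > timedelta(days=dormant_days):
            findings.append((name, "dormant: no logon in %d days" % dormant_days))
        pwd_set = parse_time(acct["PswdLastSetTime"])
        if acct["PswdExpires"] == "No" and (
                pwd_set is None or as_of - pwd_set > timedelta(days=pwd_age_days)):
            findings.append((name, "non-expiring password not changed in %d days" % pwd_age_days))
    return findings

if __name__ == "__main__":
    for user, reason in review_accounts(SAMPLE_REPORT, REVIEW_DATE):
        print(user, "-", reason)
```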
The “Command Prompt” permits the assignment of direct commands to the Windows 2000 operating system.
This program is accessed through the following procedures:
- Click on the “Start” button.
- Select “Programs” from the “Start” Menu.
- Select “Accessories.”
- Select “Command Prompt.”
Upon completion, the “Command Prompt” window should appear.
This check verifies that the FTP server is configured in accordance with DISA standards. If an FTP server (such as the “FTP Publishing Service” included with Microsoft IIS for Windows 2000 Server and with Microsoft Peer Web Service for Windows 2000 Professional) is running, then perform the following checks.
To test for the existence of an FTP server on the local system, enter the following command in the “Command Prompt” window:
X:\>ftp 127.0.0.1
ftp: connect:Connection refused
ftp>
If the command returns a “Connection refused” error message, then mark the following two checks as “NOT A FINDING.”
Anonymous ftp will not be configured on systems that are inside the protected perimeter. This check does not apply to systems that are outside the perimeter, where FTP is installed on a dedicated machine. Accounts with administrator privileges will not be used to access ftp.
Prohibited FTP Logins Permitted Requirements |
An “anonymous” FTP connection within the enclave is permitted. |
If the FTP session indicates access to operating system files like “PAGEFILE.SYS” or “NTLDR,” then this is a finding.
CCE-3807-5 | Access to System Drive Permitted Requirements |
Installed FTP server is configured to allow access to the system drive. |
This section defines the checks that should be made to verify the Security settings for Microsoft's distributed COM (DCOM). DCOM extends the Component Object Model (COM) to support communication among objects on different computers—on a LAN, a WAN, or even the Internet. With DCOM, an application can be distributed at locations that make the most sense to the user and to the application.
This check verifies that DCOM calls are executed under the security context of the calling user.
- Using the Registry Editor, go to the following Registry key:
- HKLM\Software\Classes\Appid
- View each subkey in turn and verify that the RunAs value has not been added.
- If any subkey has a RunAs value, then this would be a finding.
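Reviewing every AppID subkey by hand is tedious, so the RunAs check above can be run over a Registry Editor export of the key instead, without touching the live Registry. The parser below is an added example, not part of the checklist; it assumes the key was exported with Registry Editor to a .reg text file (decoded as text before parsing) and uses constructed sample content with placeholder GUIDs.

```python
import re

# Constructed sample in the layout Registry Editor produces when exporting
# HKLM\Software\Classes\AppID to a .reg file (real exports are UTF-16 text).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{00000001-AAAA-BBBB-CCCC-000000000001}]
"LocalService"="SampleSvc"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{00000002-AAAA-BBBB-CCCC-000000000002}]
"RunAs"="Interactive User"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{00000003-AAAA-BBBB-CCCC-000000000003}]
"DllSurrogate"=""
"RunAs"="NT AUTHORITY\\LocalService"
"""
APPID_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID"
VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def _unescape(s):
    # .reg files escape a quote as \" and a backslash as \\
    return s.replace('\\"', '"').replace("\\\\", "\\")

def parse_reg(text):
    # Returns {key path: {value name: data}}; "" is the key's default value.
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_LINE.match(line)
        if not m or current is None:
            continue  # header, blank line or comment
        name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])  # REG_SZ; dword:/hex: data is kept raw
        keys[current][name] = data
    return keys

def find_runas(text):
    # Each (subkey, RunAs data) returned is a finding for the RunAs check.
    hits = []
    for path, values in parse_reg(text).items():
        if not path.upper().startswith(APPID_KEY.upper() + "\\"):
            continue
        subkey = path[len(APPID_KEY) + 1:]
        for name, data in values.items():
            if name.lower() == "runas":  # value names are case-insensitive
                hits.append((subkey, data))
    return sorted(hits)
```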
CCE-4799-3 | DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax |
This check verifies that Windows 2000 Server is configured to restrict DCOM access permissions. |
CCE-4689-6 | DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax |
This check verifies that Windows 2000 Server is configured to restrict DCOM launch permissions. |
DCOM - System Authorization Level |
A Windows system has an incorrect default DCOM authorization level. |
DCOM - Default Object Access Permissions Requirements |
A Windows system has incorrect Default DCOM access permissions. |
DCOM - Default Object Launch Permissions Requirements |
A Windows system has incorrect Default DCOM launch permissions. |
DCOM - Object Registry Permissions Requirements |
A Windows system has a writable DCOM configuration. |
CCE-4830-6 | DCOM - RunAs Value Requirements |
DCOM calls are not executed under the security context of the calling user. |
Securing a given computer has become increasingly important. As such, it is essential to keep a host up to current patch levels to eliminate known vulnerabilities and weaknesses. In conjunction with antivirus software and a personal firewall, patching goes a long way to securing a host against outside attacks and exploitation. Microsoft provides two mechanisms for distributing security updates: Automatic Updates and Microsoft Update. In smaller environments, either method may be sufficient for keeping systems current with patches. Other environments typically have a software change management control process or a patch management program that tests patches before deploying them; distribution may then occur through local Windows Update Services (WUS) or Windows Server Update Services (WSUS) servers, which provide approved security patches for use by the Automatic Updates feature.
Security Patches Up-To-Date |
Keep systems up to current patch levels to eliminate known vulnerabilities and weaknesses. |
Trademark Information
Microsoft, Windows, Windows 2000, and Internet Explorer are either registered trademarks or trademarks of Microsoft Corporation
in the United States and other countries.
All other names are registered trademarks or trademarks of their respective companies.