
Detailed Risk Report

PRJR13011
01 Proyecto
Risk Management
06/11/2013 8:00:09
The information in this document and any attachments is intended for users of Modulo Risk Manager,
a product developed by Modulo Security LLC. If you do not have permission to access this information, know
that it is prohibited to read, release, or copy this information. Improper use will be subject to the legislation in
effect based on the confidentiality agreements.
The controls in the knowledge bases created by Modulo Security LLC are protected by copyright and
ownership laws.
The full or partial unauthorized reproduction of the information in this report shall result in civil and
criminal punishments.
Issued:
riskmanagersupport@modulo.com
ATTENTION
Those responsible for implementing the controls should know that the technical recommendations in the knowledge bases provided by Modulo Security LLC apply to generic systems.
These knowledge bases should be evaluated in terms of their applicability and impact before being implemented in a live operating environment. The system under analysis should be taken into account, given that a change in the configuration or permission parameters in the file systems could damage the applications.
Clients will be held responsible for any results achieved with the use of custom knowledge bases. Creating knowledge bases using a methodology other than that used by Modulo Security LLC may lead to distorted or biased results.
Modulo Security LLC will not be held responsible for evaluating, validating, or supporting custom knowledge bases and queries created with the help of the knowledge management features provided in Modulo Risk Manager, nor will it be held responsible for any related damage.
www.modulo.com
Modulo Security LLC
2 of 44 Copyright 2011 Modulo Solutions for GRC
1. INTRODUCTION
This report presents the results of the 01 Proyecto project. It aims at providing guidance on how to prioritize the recommendations that should be applied according to the risk level (PSR). It can also be used as a tool to implement the controls in the assets in question.
The report includes two tables to support the risk treatment process:
1) List of non-implemented controls;
2) Detailed list of non-implemented controls.
The Controls Ordered by Risk table includes information on:
1) The controls that should be implemented;
2) Their priority;
3) Where the controls should be treated.
The Controls To Be Implemented table includes information on:
1) Which controls should be implemented;
2) The sum of the total risk referring to the control;
3) The justification for each control;
4) Recommendations on how to implement each control;
5) The number of locations where controls should be implemented (number of asset components).
2. ANALYSIS RESULTS
2.1 List of Non-Implemented Controls
This table contains the following information:
Grouping: groupings are categories that allow controls related to each other to be organized in order to facilitate analyses and treatment measures.
PSR: this is the maximum value of the risk found for each control. This report shows the PSR in descending order. Risk is calculated for each non-implemented control through the formula Risk = Probability x Severity x Relevance, where:
RELEVANCE: This is the degree of importance the asset holds to the organization, which may take into consideration the business components it supports.
SEVERITY: This severity scores the level of impact on the organization if the risk materializes. This means that if the incident occurs, the severity will score the degree to which the performance, reliability, or quality of the asset will be compromised.
PROBABILITY: This is the probability that vulnerabilities or weaknesses are exploited by one or more threats due to the absence of controls.
The calculated risk levels vary from 1 to 125. They are divided into five different levels, each of which has guidance specified as to the prioritization of the treatment measures:
Risk Level of the Control | Possible PSR Values | Definition
Very Low | 1,2,3,4,5,6 | These are acceptable risks, and asset managers should be informed of them.
Low | 8,9,10,12,15,16 | These are risks which may be acceptable once reviewed and confirmed by the asset managers.
Medium | 18,20,24,25,27,30 | These are risks which may be acceptable once reviewed and confirmed by the asset managers; however, their acceptance should be done formally.
High | 32,36,40,45,48,50 | These are unacceptable risks, and asset managers should at least be oriented on how to control them.
Very High | 60,64,75,80,100,125 | These are unacceptable risks, and asset managers should be oriented on how to minimize them immediately.
Control: this is a security measure required to lower the risk, which may be a policy, practice, procedure, organizational structure, or software
function. It also includes the security-related hardware devices. Controls aim at reducing or eliminating vulnerabilities, inhibiting threat agents, or
minimizing the impacts caused by incidents.
ID: this is the unique identifier for each control, which appears in parentheses after each.
Asset Component: this is where the control has not been implemented.
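The following PowerShell is an added example and not part of the Modulo report. It recomputes PSR = Probability x Severity x Relevance for a few rows copied from table 2.1 of this report, maps each PSR to the five risk levels defined above (the level boundaries are the report's own), and derives the two treatment tables the introduction describes: the controls ordered by PSR, and the Total PSR plus asset-component count per control. The `Consistent` column is a check that every stated PSR equals the product of its three factors; all sample rows pass it.

```powershell
# Sample rows: constructed from table 2.1 of this report (R = Relevance, S = Severity, P = Probability).
$rows = @(
    [pscustomobject]@{ Grouping = 'Fault Tolerance';                   Asset = '01 Servidor Back End - Generic Database - DB Empleados'; R = 5; S = 5; P = 3; ControlId = 'MOD_EN.00017833'; ReportedPSR = 75 }
    [pscustomobject]@{ Grouping = 'Service Outages and Other Attacks'; Asset = '01 Firewall - Generic Firewall';                          R = 4; S = 4; P = 4; ControlId = 'MOD_EN.00010643'; ReportedPSR = 64 }
    [pscustomobject]@{ Grouping = 'Access Control';                    Asset = '01 Servidor Back End - Generic Database - DB Empleados'; R = 5; S = 3; P = 2; ControlId = 'MOD_EN.00017812'; ReportedPSR = 30 }
    [pscustomobject]@{ Grouping = 'Accounts and Passwords';            Asset = '01 Servidor Back End - MS Windows Srv 2008 MS';          R = 5; S = 1; P = 2; ControlId = 'MOD_EN.00041027'; ReportedPSR = 10 }
)

function Get-RiskLevel {
    # Maps a PSR value to the report's five levels: 1-6 Very Low, 8-16 Low, 18-30 Medium,
    # 32-50 High, 60-125 Very High. Products of three factors in 1..5 never land between bands.
    param([int]$Psr)
    switch ($Psr) {
        { $_ -le 6 }  { return 'Very Low' }
        { $_ -le 16 } { return 'Low' }
        { $_ -le 30 } { return 'Medium' }
        { $_ -le 50 } { return 'High' }
        default       { return 'Very High' }
    }
}

# Table 2.1: one line per non-implemented control per asset component, PSR descending.
# Consistent = False would flag a row whose stated PSR is not P x S x R.
$ordered = $rows | ForEach-Object {
    $psr = $_.P * $_.S * $_.R
    [pscustomobject]@{
        Grouping   = $_.Grouping
        Asset      = $_.Asset
        ControlId  = $_.ControlId
        PSR        = $psr
        RiskLevel  = Get-RiskLevel -Psr $psr
        Consistent = ($psr -eq $_.ReportedPSR)
    }
} | Sort-Object PSR -Descending
$ordered | Format-Table -AutoSize

# Table 2.2: Total PSR (sum over the asset components lacking the control) and the component count.
$rows | Group-Object ControlId | ForEach-Object {
    [pscustomobject]@{
        ControlId       = $_.Name
        TotalPSR        = ($_.Group | ForEach-Object { $_.P * $_.S * $_.R } | Measure-Object -Sum).Sum
        AssetComponents = $_.Count
    }
} | Sort-Object TotalPSR -Descending | Format-Table -AutoSize
```

Each control appears once per asset component in the sample, so Total PSR equals the single PSR here; on a full export the grouping step is what turns the per-component rows of table 2.1 into the per-control totals of table 2.2.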
2.1.0001 Grouping: Access Control
Risk Level | Asset Component | R | S | P | Control Name | Control ID | PSR
3 - Medium | 01 Servidor Back End - Generic Database - DB Empleados | 5 | 3 | 2 | The database's remote management tools should be installed only on authorized workstations. | MOD_EN.00017812 | 30
2.1.0002 Grouping: Accounts and Passwords
Risk Level | Asset Component | R | S | P | Control Name | Control ID | PSR
2 - Low | 01 Servidor Back End - MS Windows Srv 2008 MS | 5 | 1 | 2 | The "DisableSavePassword" parameter should be set to "1". | MOD_EN.00041027 | 10
2.1.0003 Grouping: Auditing and Electronic Monitoring
Risk Level | Asset Component | R | S | P | Control Name | Control ID | PSR
4 - High | 01 Servidor Back End - Generic Database - DB Empleados | 5 | 4 | 2 | A retention period should be defined for the database's audit log files. | MOD_EN.00018278 | 40
3 - Medium | 01 Servidor Back End - MS Windows Srv 2008 MS | 5 | 3 | 2 | A maximum size for the Windows Server 2008 Member Server audit log files should be established. | MOD_EN.00041039 | 30
3 - Medium | 01 Servidor Back End - MS Windows Srv 2008 MS | 5 | 3 | 2 | Windows Server 2008 should be configured to save a log whenever a fatal error occurs. | MOD_EN.00041116 | 30
3 - Medium | 01 Servidor Back End - MS Windows Srv 2008 MS | 5 | 3 | 2 | The Security System Extension audit subcategory should be configured as "Success" and "Failure". | MOD_EN.00041262 | 30
3 - Medium | 01 Servidor Back End - MS Windows Srv 2008 MS | 5 | 3 | 2 | The System Integrity audit subcategory should be configured as "Success" and "Failure". | MOD_EN.00041263 | 30
3 - Medium | 01 Servidor Back End - MS Windows Srv 2008 MS | 5 | 3 | 2 | The IPsec Driver audit subcategory should be configured as "Success" and "Failure". | MOD_EN.00041264 | 30
3 - Medium | 01 Servidor Back End - MS Windows Srv 2008 MS | 5 | 3 | 2 | The Security State Change audit subcategory should be configured as "Success" and "Failure". | MOD_EN.00041265 | 30
3 - Medium | 01 Servidor Back End - MS Windows Srv 2008 MS | 5 | 3 | 2 | The Logon audit subcategory should be configured as "Success" and "Failure". | MOD_EN.00041266 | 30
3 - Medium | 01 Servidor Back End - MS Windows Srv 2008 MS | 5 | 3 | 2 | The Logoff audit subcategory should be configured as "Success". | MOD_EN.00041267 | 30
3 - Medium | 01 Servidor Back End - MS Windows Srv 2008 MS | 5 | 3 | 2 | The Special Logon audit subcategory should be configured as "Success". | MOD_EN.00041268 | 30
3 - Medium | 01 Servidor Back End - MS Windows Srv 2008 MS | 5 | 3 | 2 | The File System audit subcategory should be configured as "Failure". | MOD_EN.00041269 | 30
3 - Medium | 01 Servidor Back End - MS Windows Srv 2008 MS | 5 | 3 | 2 | The Registry audit subcategory should be configured as "Failure". | MOD_EN.00041270 | 30
3 - Medium | 01 Servidor Back End - MS Windows Srv 2008 MS | 5 | 3 | 2 | The Sensitive Privilege Use audit subcategory should be configured as "Success" and "Failure". | MOD_EN.00041271 | 30
3 - Medium | 01 Servidor Back End - MS Windows Srv 2008 MS | 5 | 3 | 2 | The Process Creation audit subcategory should be configured as "Success". | MOD_EN.00041272 | 30
3 - Medium | 01 Servidor Back End - MS Windows Srv 2008 MS | 5 | 3 | 2 | The Audit Policy Change audit subcategory should be configured as "Success" and "Failure". | MOD_EN.00041273 | 30
3 - Medium | 01 Servidor Back End - MS Windows Srv 2008 MS | 5 | 3 | 2 | The Authentication Policy Change audit subcategory should be configured as "Success". | MOD_EN.00041274 | 30
3 - Medium | 01 Servidor Back End - MS Windows Srv 2008 MS | 5 | 3 | 2 | The User Account Management audit subcategory should be configured as "Success" and "Failure". | MOD_EN.00041275 | 30
3 - Medium | 01 Servidor Back End - MS Windows Srv 2008 MS | 5 | 3 | 2 | The Security Group Management audit subcategory should be configured as "Success" and "Failure". | MOD_EN.00041277 | 30
3 - Medium | 01 Servidor Back End - MS Windows Srv 2008 MS | 5 | 3 | 2 | The Other Account Management Events audit subcategory should be configured as "Success" and "Failure". | MOD_EN.00041278 | 30
3 - Medium | 01 Servidor Back End - MS Windows Srv 2008 MS | 5 | 3 | 2 | The Credential Validation audit subcategory should be configured as "Success" and "Failure". | MOD_EN.00041279 | 30
3 - Medium | 01 Servidor Back End - MS Windows Srv 2008 MS | 5 | 2 | 2 | NTFS permissions for the "%SystemRoot%\Debug" directory should be configured to prevent unauthorized access. | MOD_EN.00041238 | 20
3 - Medium | 01 Servidor Back End - MS Windows Srv 2008 MS | 5 | 2 | 2 | The Computer Account Management audit subcategory should be configured as "Success" and "Failure". | MOD_EN.00041276 | 20
2.1.0004 Grouping: Fault Tolerance
Risk Level | Asset Component | R | S | P | Control Name | Control ID | PSR
5 - Very High | 01 Servidor Back End - Generic Database - DB Empleados | 5 | 5 | 3 | The database server's transaction logs and databases should be stored on separate physical disks. | MOD_EN.00017833 | 75
4 - High | 01 Servidor Back End - Generic Database - DB Empleados | 5 | 4 | 2 | In mission critical environments, the database's Failover Clustering process should be implemented. | MOD_EN.00017834 | 40
2.1.0005 Grouping: File Systems and Permissions
Risk Level | Asset Component | R | S | P | Control Name | Control ID | PSR
5 - Very High | 01 Servidor Back End - Generic Database - DB Empleados | 5 | 4 | 3 | The operating system and database disk file systems should be equipped with security controls. | MOD_EN.00017828 | 60
5 - Very High | 01 Servidor Back End - Generic Database - DB Empleados | 5 | 4 | 3 | Permissions for the directory where the database's data files are located should be configured to prevent improper access. | MOD_EN.00017830 | 60
4 - High | 01 Servidor Back End - Generic Database - DB Empleados | 5 | 3 | 3 | Permissions for directories containing database and transaction log backup files should be set to prevent improper access. | MOD_EN.00017831 | 45
2.1.0006 Grouping: Service Outages and Other Attacks
Risk Level | Asset Component | R | S | P | Control Name | Control ID | PSR
5 - Very High | 01 Firewall - Generic Firewall | 4 | 4 | 4 | The Firewall should have rules to block TCP packets that have invalid flags. | MOD_EN.00010643 | 64
5 - Very High | 01 Firewall - Generic Firewall | 4 | 4 | 4 | The traffic of malformed packets should be blocked by the firewall. | MOD_EN.00010644 | 64
4 - High | 01 Firewall - Generic Firewall | 4 | 3 | 3 | Rules to block outgoing forged IP packets originated from internal networks should be implemented on the Firewall. | MOD_EN.00010637 | 36
4 - High | 01 Firewall - Generic Firewall | 4 | 3 | 3 | Rules to block outgoing forged IP packets originated from the DMZ should be implemented on the Firewall. | MOD_EN.00010645 | 36
2.1.0007 Grouping: System and Application Settings
Risk Level | Asset Component | R | S | P | Control Name | Control ID | PSR
5 - Very High | 01 Firewall - Generic Firewall | 4 | 4 | 4 | Some types of ICMP packets necessary for controlling the communication and the status of networks should be allowed. | MOD_EN.00010635 | 64
3 - Medium | 01 Firewall - Generic Firewall | 4 | 3 | 2 | The use of the "Any" identifier in the Firewall rules should be avoided. | MOD_EN.00010638 | 24
3 - Medium | 01 Firewall - Generic Firewall | 4 | 3 | 2 | The most frequently used rules should be placed at the top of the Firewall's rule base. | MOD_EN.00019696 | 24
2 - Low | 01 Firewall - Generic Firewall | 4 | 2 | 2 | The firewall's rules should be created using IP addresses instead of DNS names. | MOD_EN.00019703 | 16
2.2 Detailed List of Non-implemented Controls
This table contains the following information:
Control and ID: Name of the control and its respective ID.
Total PSR: Sum of the PSR of the non-implemented controls.
Number of Asset Components: Number of asset components where the absence of a control was identified.
Control Details
Reason: This field provides explanations on why it is important to implement the control.
Recommendation: This field provides guidance on how to implement the control.
References: This field provides additional information on the control and its implementation whenever possible.
Questionnaire: This field lists the questionnaire which includes the recommended control.
Comments: This field consolidates the comments provided by analysts.
Number of Asset Components | Total PSR | Control Name | Control ID | Detailed Description of the Control
2.2.0001 Grouping: Access Control
Reason
As well as installation of the database on the server, many database management
systems allow installation of remote management tools on network workstations. Good
security practice recommends that all management or development components which
are not strictly necessary for the database's operations should be removed. Remote
management tools should be installed only on authorized workstations. This practice
protects the server from exposure to attacks based on improper use of these
components.
Recommendation
This control can be implemented by means of the following procedures:
1. Uninstall from the server all unnecessarily installed connectivity or remote
management components, using the database setup program, or through appropriate
means for the database in question.
2. Make sure that the required tools are installed only on workstations that are
authorized to remotely manage the database.
Warning! This control was designed for generic environments. Evaluate applicability and
possible impact prior to implementation in an operational environment.
References
For additional information, see the database manual.
Questionnaire
Application - "Database" - Generic Database
Comments
Number of Asset Components: 1 | Total PSR: 30 | Control Name: The database's remote management tools should be installed only on authorized workstations. | Control ID: MOD_EN.00017812
Number of Asset Components | Total PSR | Control Name | Control ID | Detailed Description of the Control
2.2.0002 Grouping: Accounts and Passwords
Reason
The "DisableSavePassword" parameter defines whether or not the Operating System will
enable the option for storing user authentication credentials for dial-up connections.
When stored, these credentials do not need to be re-entered every time a new
connection request is executed. In order to prevent attackers from gaining unauthorized
access to other computers through a dial-up connection, it is recommended to configure
this parameter to keep user credentials from being stored in the system.
Recommendation
This control can be implemented through the following procedures:
1. Click on "Start" -> "Run".
2. Enter "regedit" in the "Open" field, and click "OK".
3. Select the "HKLM\SYSTEM\CurrentControlSet\Services\Rasman\Parameters" key.
4. Double click the "DisableSavePassword" parameter, and change the value in the "Value
Data" field to 1.
5. When finished, click "OK" to save the changes made.
NOTE: If the "DisableSavePassword" parameter cannot be found, it should be created
through the following procedures:
1. Click on "Start" -> "Run".
2. Enter "regedit" in the "Open" field, and click "OK".
3. Right-click on the "HKLM\SYSTEM\CurrentControlSet\Services\Rasman\Parameters" key,
and click on "New" -> "DWORD Value".
4. Create a parameter named "DisableSavePassword".
5. Double click the parameter created, and change the value in the "Value Data" field to
1.
6. When finished, click "OK" to save the changes made.
Warning: This control has been developed for generic environments. Assess applicability
and potential impacts prior to implementing it in a production environment.
References
http://technet.microsoft.com/en-us/library/cc784187.aspx
Questionnaire
Operating System - "Microsoft" - Windows Server 2008 Family (Member Server)
Comments
Number of Asset Components: 1 | Total PSR: 10 | Control Name: The "DisableSavePassword" parameter should be set to "1". | Control ID: MOD_EN.00041027
Number of Asset Components | Total PSR | Control Name | Control ID | Detailed Description of the Control
2.2.0003 Grouping: Auditing and Electronic Monitoring
Reason
Definition of a retention period for the database's audit log files can prevent loss of traceability regarding the events that occurred. Notice that limiting the size of logs does not prevent the definition of a retention period for audit log entries. Once they reach their maximum size, log files can be restarted and old data can be saved on other media. This allows you to establish a balance between the need for disk space and the need to preserve the logs for a certain period of time, which is useful for a more consistent evaluation of security incidents, and in certain environments may even be a legal or regulatory requirement.
Recommendation
This control can be implemented using the following procedures:
1. Define a retention period for audit log files.
Warning! This control was designed for generic environments. Evaluate applicability and
possible impact prior to implementation in an operational environment.
References
Questionnaire
Application - "Database" - Generic Database
Comments
Number of Asset Components: 1 | Total PSR: 40 | Control Name: A retention period should be defined for the database's audit log files. | Control ID: MOD_EN.00018278
Reason
Correctly defining the maximum size for the Windows Server 2008 Member Server audit log files will reduce the risk of excessive consumption of disk space. If a maximum size for the audit logs is not predefined, disk space may be reduced to the point where the audit log files can no longer be saved, which will lead to the loss of traceability and may render the system unavailable for lack of disk space. Therefore, it is recommended to establish a maximum size for these files.
Recommendation
This control can be implemented through the following procedures:
1. Click on "Start" -> "Administrative Tools" -> "Event Viewer".
2. Right-click on the type of audit you wish to configure (located under "Windows Logs\", "Applications and Services Logs\" and "Applications and Services Logs\Microsoft\"), and click on "Properties".
3. Select the "General" tab.
4. Enter the desired size for the type of audit previously selected in the "Maximum log size" field.
5. When finished, click "OK" to save the changes made.
NOTE: The bigger the maximum size for the logs, the more information can be stored. On the other hand, more disk space will be used up. This parameter should be set up according to the system's characteristics and the corporate Security Policy.
Warning: This control has been developed for generic environments. Assess applicability
and potential impacts prior to implementing it in a production environment.
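The following PowerShell is an added example and not one of the report's own procedures. It sets and verifies the maximum size of several event logs without the Event Viewer steps above, using the .NET EventLogConfiguration class, which covers both the classic "Windows Logs" channels and the "Applications and Services Logs" channels named in step 2. The log names and sizes are assumptions for illustration; as the NOTE says, the real values come from the system's characteristics and the corporate Security Policy.

```powershell
# Target limits (assumed values; the TaskScheduler channel stands in for any
# "Applications and Services Logs" channel, which is addressed by its provider/channel path).
$targets = @{
    'Security'    = 256MB
    'System'      = 64MB
    'Application' = 64MB
    'Microsoft-Windows-TaskScheduler/Operational' = 32MB
}

foreach ($name in @($targets.Keys)) {
    # EventLogConfiguration exposes the same properties the "General" tab shows.
    $cfg    = New-Object System.Diagnostics.Eventing.Reader.EventLogConfiguration $name
    $wanted = [long]$targets[$name]
    if ($cfg.MaximumSizeInBytes -ne $wanted) {
        "{0}: {1} MB -> {2} MB" -f $name, ($cfg.MaximumSizeInBytes / 1MB), ($wanted / 1MB)
        $cfg.MaximumSizeInBytes = $wanted
        $cfg.SaveChanges()      # needs an elevated session
    } else {
        "{0}: already {1} MB" -f $name, ($wanted / 1MB)
    }
}

# Verification: LogMode tells what happens when the limit is reached (Circular overwrites the
# oldest events, AutoBackup archives the full log, Retain stops logging), so the size cap
# should be chosen together with the retention decision rather than on its own.
Get-WinEvent -ListLog @($targets.Keys) |
    Select-Object LogName, @{ Name = 'MaxMB'; Expression = { $_.MaximumSizeInBytes / 1MB } }, LogMode, IsEnabled |
    Format-Table -AutoSize
```

Run the first loop again after a change window: a log whose size no longer matches is either a Group Policy override or a manual change, and both are worth knowing about when the retention control in the previous section is being enforced.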
References
Windows Server 2008 Security Guide - Appendix A
Questionnaire
Operating System - "Microsoft" - Windows Server 2008 Family (Member Server)
Comments
Number of Asset Components: 1 | Total PSR: 30 | Control Name: A maximum size for the Windows Server 2008 Member Server audit log files should be established. | Control ID: MOD_EN.00041039
Reason
Implementation of this control ensures that a security log will be saved in order to
document that the system has been restarted for technical reasons. This will allow the
system Administrator to become aware of the issue, and research the causes for the fatal
error (e.g. unexpected software and hardware failure).
Recommendation
This control can be implemented through the following procedures:
1. Click on "Start" -> "Run".
2. Enter "regedit" in the "Open" field, and click "OK".
3. Select the "HKLM\SYSTEM\CurrentControlSet\Control\CrashControl" key.
4. Double click on the "LogEvent" parameter, and set the value in the "Value Data" field to "1".
5. When finished, click "OK" to save the changes made.
Warning: This control has been developed for generic environments. Assess applicability
and potential impacts prior to implementing it in a production environment.
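As an added example (not one of the report's own procedures), the following PowerShell applies the two registry-backed controls from an elevated session instead of regedit: "DisableSavePassword" = 1 under the RasMan Parameters key (control MOD_EN.00041027 in section 2.2.0002 above) and "LogEvent" = 1 under CrashControl (this section). The helper creates the value as a REG_DWORD when it does not exist, which is the case the NOTE in section 2.2.0002 handles with a second click-through, and reads both values back with their types afterwards.

```powershell
function Set-DwordValue {
    # Creates or corrects a REG_DWORD value and reports what it did; idempotent on re-runs.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int]$Value
    )
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $current) {
        # The NOTE case: the parameter is absent and must be created as a DWORD.
        New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value | Out-Null
        "$Path\$Name created and set to $Value"
    } elseif ($current -ne $Value) {
        Set-ItemProperty -Path $Path -Name $Name -Value $Value
        "$Path\$Name changed from $current to $Value"
    } else {
        "$Path\$Name already $Value"
    }
}

# Both controls from the report, expressed as registry path / value name / required value.
$controls = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Rasman\Parameters'; Name = 'DisableSavePassword'; Value = 1 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl';       Name = 'LogEvent';            Value = 1 }
)
foreach ($c in $controls) { Set-DwordValue @c }

# Read back: the control counts as implemented only if the value is 1 and of kind DWord
# (a REG_SZ "1" created by hand would show up here as String and should be corrected).
foreach ($c in $controls) {
    $key = Get-Item -Path $c.Path
    [pscustomobject]@{
        Path  = $c.Path
        Name  = $c.Name
        Value = $key.GetValue($c.Name)
        Kind  = $key.GetValueKind($c.Name)
    }
}
```

The same helper serves any other DWORD-based control in the knowledge base; only the `$controls` list changes.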
References
ISO/IEC 27002:2005 - Topic 10.10.5 - Fault logging.
Questionnaire
Operating System - "Microsoft" - Windows Server 2008 Family (Member Server)
Comments
Number of Asset Components: 1 | Total PSR: 30 | Control Name: Windows Server 2008 should be configured to save a log whenever a fatal error occurs. | Control ID: MOD_EN.00041116
Reason
The Security System Extension audit subcategory is responsible for creating events
related to the installation of services in the system, event log of process logon, the
loading of authentication packages, and LSA notification and security. It is recommended
to enable this audit in order to assist the administrator in obtaining information related
to system security.
Recommendation
This control can be implemented through the following procedures:
1. Click on "Start" -> "All Programs" -> "Accessories", right-click on "Command Prompt", and click on "run as administrator".
2. Enter the following command:
Auditpol /set /subcategory:"Security System Extension" /success:enable /failure:enable
NOTE: The "Audit: Force audit policy subcategory settings (Windows Vista or later) to
override audit policy category settings" policy should be enabled so that the subcategory
settings can override the audit policy settings. Refer to the References section for
additional details.
Warning: This control has been developed for generic environments. Assess applicability
and potential impacts prior to implementing it in a production environment.
References
Windows Server 2008 Security Guide Appendix A
http://technet.microsoft.com/en-us/library/cc264465.aspx
http://support.microsoft.com/default.aspx/kb/947226/en-us
Questionnaire
Operating System - "Microsoft" - Windows Server 2008 Family (Member Server)
Comments
Number of Asset Components: 1 | Total PSR: 30 | Control Name: The Security System Extension audit subcategory should be configured as "Success" and "Failure". | Control ID: MOD_EN.00041262
Reason
The System Integrity audit subcategory is responsible for creating system integrity
events, such as encryption operations, check operations, among others. It is
recommended to enable this audit so as to assist the administrator in obtaining
information on system integrity.
Recommendation
This control can be implemented through the following procedures:
1. Click on "Start" -> "All Programs" -> "Accessories" -> Right-click on "Command Prompt" -> "run as administrator".
2. Enter the following command:
Auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable
NOTE: The "Audit: Force audit policy subcategory settings (Windows Vista or later) to
override audit policy category settings" policy should be enabled so that the subcategory
settings can override the audit policy settings. Refer to the References section for
additional details.
Warning: This control has been developed for generic environments. Assess applicability
and potential impacts prior to implementing it in a production environment.
References
Windows Server 2008 Security Guide Appendix A
http://technet.microsoft.com/en-us/library/cc264465.aspx
http://support.microsoft.com/default.aspx/kb/947226/en-us
Questionnaire
Operating System - "Microsoft" - Windows Server 2008 Family (Member Server)
Comments
Number of Asset Components: 1 | Total PSR: 30 | Control Name: The System Integrity audit subcategory should be configured as "Success" and "Failure". | Control ID: MOD_EN.00041263
Reason
The IPsec Driver audit subcategory is responsible for creating IPsec Driver related events,
such as discarding packages, successfully starting an IPsec service, among others. It is
recommended to enable this parameter so as to assist the administrator in obtaining
security information related to the IPsec.
Recommendation
This control can be implemented through the following procedures:
1. Click on "Start" -> "All Programs" -> "Accessories" -> Right-click on "Command Prompt" -> "run as administrator".
2. Enter the following command:
Auditpol /set /subcategory:"IPsec Driver" /success:enable /failure:enable
NOTE: The "Audit: Force audit policy subcategory settings (Windows Vista or later) to
override audit policy category settings" policy should be enabled so that the subcategory
settings can override the audit policy settings. Refer to the References section for
additional details.
Warning: This control has been developed for generic environments. Assess applicability
and potential impacts prior to implementing it in a production environment.
References
Windows Server 2008 Security Guide Appendix A
http://technet.microsoft.com/en-us/library/cc264465.aspx
http://support.microsoft.com/default.aspx/kb/947226/en-us
Questionnaire
Operating System - "Microsoft" - Windows Server 2008 Family (Member Server)
Comments
Number of Asset Components: 1 | Total PSR: 30 | Control Name: The IPsec Driver audit subcategory should be configured as "Success" and "Failure". | Control ID: MOD_EN.00041264
Reason
The Security State Change audit subcategory is responsible for creating events related to
system shutdown, start up, time changes and audit failure recovery. It is recommended
to enable this audit so as to assist the administrator in obtaining information on system
status changes.
Recommendation
This control can be implemented through the following procedures:
1. Click on "Start" -> "All Programs" -> "Accessories" -> Right-click on "Command Prompt" -> "run as administrator".
2. Enter the following command:
Auditpol /set /subcategory:"Security State Change" /success:enable /failure:enable
NOTE: The "Audit: Force audit policy subcategory settings (Windows Vista or later) to
override audit policy category settings" policy should be enabled so that the subcategory
settings can override the audit policy settings. Refer to the References section for
additional details.
Warning: This control has been developed for generic environments. Assess applicability
and potential impacts prior to implementing it in a production environment.
References
Windows Server 2008 Security Guide Appendix A
http://technet.microsoft.com/en-us/library/cc264465.aspx
http://support.microsoft.com/default.aspx/kb/947226/en-us
Questionnaire
Operating System - "Microsoft" - Windows Server 2008 Family (Member Server)
Comments
Number of Asset Components: 1 | Total PSR: 30 | Control Name: The Security State Change audit subcategory should be configured as "Success" and "Failure". | Control ID: MOD_EN.00041265
Reason
The Logon audit subcategory is responsible for creating events related to failed and
successful system logon attempts. It is recommended to enable this audit so as to assist
the administrator in obtaining system access information as well as to allow traceability
in case of security incidents.
Recommendation
This control can be implemented through the following procedures:
1. Click on "Start" -> "All Programs" -> "Accessories" -> Right-click on "Command Prompt" -> "run as administrator".
2. Enter the following command:
Auditpol /set /subcategory:"Logon" /success:enable /failure:enable
NOTE: The "Audit: Force audit policy subcategory settings (Windows Vista or later) to
override audit policy category settings" policy should be enabled so that the subcategory
settings can override the audit policy settings. Refer to the References section for
additional details.
Warning: This control has been developed for generic environments. Assess applicability
and potential impacts prior to implementing it in a production environment.
References
Windows Server 2008 Security Guide Appendix A: http://technet.microsoft.com/en-us/library/cc264465.aspx
http://support.microsoft.com/default.aspx/kb/947226/en-us
Questionnaire
Operating System - "Microsoft" - Windows Server 2008 Family (Member Server)
Comments
Asset Components: 1 | Total PSR: 30 | Control Name: The Logon audit subcategory should be configured as "Success" and "Failure". | Control ID: MOD_EN.00041266
Reason
The Logoff audit subcategory is responsible for creating events related to system user
logoff. It is recommended to enable this audit to assist the administrator in obtaining
user logoff information in order to either monitor the use of accounts during odd hours or
to allow traceability in case of security incidents.
Recommendation
This control can be implemented through the following procedures:
1. Click on "Start" -> "All Programs" -> "Accessories" -> Right-click on "Command Prompt" -> "Run as administrator".
2. Enter the following command:
Auditpol /set /subcategory:"Logoff" /success:enable /failure:disable
NOTE: The "Audit: Force audit policy subcategory settings (Windows Vista or later) to
override audit policy category settings" policy should be enabled so that the subcategory
settings can override the audit policy settings. Refer to the References section for
additional details.
Warning: This control has been developed for generic environments. Assess applicability
and potential impacts prior to implementing it in a production environment.
References
Windows Server 2008 Security Guide Appendix A: http://technet.microsoft.com/en-us/library/cc264465.aspx
http://support.microsoft.com/default.aspx/kb/947226/en-us
Questionnaire
Operating System - "Microsoft" - Windows Server 2008 Family (Member Server)
Comments
Asset Components: 1 | Total PSR: 30 | Control Name: The Logoff audit subcategory should be configured as "Success". | Control ID: MOD_EN.00041267
Reason
The Special Logon functionality has been introduced as of Windows Vista. This feature
creates an audit event whenever a user belonging to a special group set up by the
administrator logs on to the system. It is recommended to enable this audit so as to
gather security related events.
Recommendation
This control can be implemented through the following procedures:
1. Click on "Start" -> "All Programs" -> "Accessories" -> Right-click on "Command Prompt" -> "Run as administrator".
2. Enter the following command:
Auditpol /set /subcategory:"Special Logon" /success:enable /failure:disable
NOTE 1: For additional information on the Special Logon feature, see "Description of the Special Groups feature": http://support.microsoft.com/kb/947223
NOTE 2: The "Audit: Force audit policy subcategory settings (Windows Vista or later) to
override audit policy category settings" policy should be enabled so that the subcategory
settings can override the audit policy settings. Refer to the References section for
additional details.
Warning: This control has been developed for generic environments. Assess applicability
and potential impacts prior to implementing it in a production environment.
References
Windows Server 2008 Security Guide Appendix A: http://technet.microsoft.com/en-us/library/cc264465.aspx
http://support.microsoft.com/default.aspx/kb/947226/en-us
http://support.microsoft.com/kb/947223
Questionnaire
Operating System - "Microsoft" - Windows Server 2008 Family (Member Server)
Comments
Asset Components: 1 | Total PSR: 30 | Control Name: The Special Logon audit subcategory should be configured as "Success". | Control ID: MOD_EN.00041268
Reason
The File System audit subcategory is responsible for creating file system related events.
It is recommended to enable this audit to assist the administrator in obtaining relevant
information.
Recommendation
This control can be implemented through the following procedures:
1. Click on "Start" -> "All Programs" -> "Accessories" -> Right-click on "Command Prompt" -> "Run as administrator".
2. Enter the following command:
Auditpol /set /subcategory:"File System" /success:disable /failure:enable
NOTE: The "Audit: Force audit policy subcategory settings (Windows Vista or later) to
override audit policy category settings" policy should be enabled so that the subcategory
settings can override the audit policy settings. Refer to the References section for
additional details.
Warning: This control has been developed for generic environments. Assess applicability
and potential impacts prior to implementing it in a production environment.
References
Windows Server 2008 Security Guide Appendix A: http://technet.microsoft.com/en-us/library/cc264465.aspx
http://support.microsoft.com/default.aspx/kb/947226/en-us
Questionnaire
Operating System - "Microsoft" - Windows Server 2008 Family (Member Server)
Comments
Asset Components: 1 | Total PSR: 30 | Control Name: The File System audit subcategory should be configured as "Failure". | Control ID: MOD_EN.00041269
Reason
The Registry audit subcategory is responsible for creating events related to the
modification of the Windows registry. Unsuccessful registry modification attempts may
indicate the presence of malware or malicious users. It is recommended to enable this
audit to assist in obtaining information on registry modification attempts that may impact
security.
Recommendation
This control can be implemented through the following procedures:
1. Click on "Start" -> "All Programs" -> "Accessories" -> Right-click on "Command Prompt" -> "Run as administrator".
2. Enter the following command:
Auditpol /set /subcategory:"Registry" /success:disable /failure:enable
NOTE: The "Audit: Force audit policy subcategory settings (Windows Vista or later) to
override audit policy category settings" policy should be enabled so that the subcategory
settings can override the audit policy settings. Refer to the References section for
additional details.
Warning: This control has been developed for generic environments. Assess applicability
and potential impacts prior to implementing it in a production environment.
References
Windows Server 2008 Security Guide Appendix A: http://technet.microsoft.com/en-us/library/cc264465.aspx
http://support.microsoft.com/default.aspx/kb/947226/en-us
Questionnaire
Operating System - "Microsoft" - Windows Server 2008 Family (Member Server)
Comments
Asset Components: 1 | Total PSR: 30 | Control Name: The Registry audit subcategory should be configured as "Failure". | Control ID: MOD_EN.00041270
Reason
The Sensitive Privilege Use audit subcategory is responsible for creating events whenever
a service with elevated privileges is started, when special privileges are assigned
to a new user account, and in similar cases. It is recommended to enable this audit to assist the
administrator in obtaining information on the use of security privileges.
Recommendation
This control can be implemented through the following procedures:
1. Click on "Start" -> "All Programs" -> "Accessories" -> Right-click on "Command Prompt" -> "Run as administrator".
2. Enter the following command:
Auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable
NOTE: The "Audit: Force audit policy subcategory settings (Windows Vista or later) to
override audit policy category settings" policy should be enabled so that the subcategory
settings can override the audit policy settings. Refer to the References section for
additional details.
Warning: This control has been developed for generic environments. Assess applicability
and potential impacts prior to implementing it in a production environment.
References
Windows Server 2008 Security Guide Appendix A: http://technet.microsoft.com/en-us/library/cc264465.aspx
http://support.microsoft.com/default.aspx/kb/947226/en-us
Questionnaire
Operating System - "Microsoft" - Windows Server 2008 Family (Member Server)
Comments
Asset Components: 1 | Total PSR: 30 | Control Name: The Sensitive Privilege Use audit subcategory should be configured as "Success" and "Failure". | Control ID: MOD_EN.00041271
Reason
The Process Creation audit subcategory is responsible for creating events related to the
creation of a process and the assignment of a token to this process. It is recommended to
enable this audit to assist the administrator in obtaining information on the creation of
processes as well as the user responsible for it.
Recommendation
This control can be implemented through the following procedures:
1. Click on "Start" -> "All Programs" -> "Accessories" -> Right-click on "Command Prompt" -> "Run as administrator".
2. Enter the following command:
Auditpol /set /subcategory:"Process Creation" /success:enable /failure:disable
NOTE 1: For additional information on access tokens, refer to the document "What are Access Tokens?": http://technet.microsoft.com/en-us/library/cc759267.aspx
NOTE 2: The "Audit: Force audit policy subcategory settings (Windows Vista or later) to
override audit policy category settings" policy should be enabled so that the subcategory
settings can override the audit policy settings. Refer to the References section for
additional details.
Warning: This control has been developed for generic environments. Assess applicability
and potential impacts prior to implementing it in a production environment.
References
Windows Server 2008 Security Guide Appendix A: http://technet.microsoft.com/en-us/library/cc264465.aspx
http://support.microsoft.com/default.aspx/kb/947226/en-us
"What are Access Tokens?": http://technet.microsoft.com/en-us/library/cc759267.aspx
Questionnaire
Operating System - "Microsoft" - Windows Server 2008 Family (Member Server)
Comments
Asset Components: 1 | Total PSR: 30 | Control Name: The Process Creation audit subcategory should be configured as "Success". | Control ID: MOD_EN.00041272
Reason
The Audit Policy Change audit subcategory is responsible for creating events whenever
there is a change in the audit policy. It is recommended to enable this audit to assist the
administrator in obtaining information on changes to the audit policy that may affect
security.
Recommendation
This control can be implemented through the following procedures:
1. Click on "Start" -> "All Programs" -> "Accessories" -> Right-click on "Command Prompt" -> "Run as administrator".
2. Enter the following command:
Auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
NOTE: The "Audit: Force audit policy subcategory settings (Windows Vista or later) to
override audit policy category settings" policy should be enabled so that the subcategory
settings can override the audit policy settings. Refer to the References section for
additional details.
Warning: This control has been developed for generic environments. Assess applicability
and potential impacts prior to implementing it in a production environment.
References
Windows Server 2008 Security Guide Appendix A: http://technet.microsoft.com/en-us/library/cc264465.aspx
http://support.microsoft.com/default.aspx/kb/947226/en-us
Questionnaire
Operating System - "Microsoft" - Windows Server 2008 Family (Member Server)
Comments
Asset Components: 1 | Total PSR: 30 | Control Name: The Audit Policy Change audit subcategory should be configured as "Success" and "Failure". | Control ID: MOD_EN.00041273
Reason
The Authentication Policy Change audit subcategory is responsible for creating events
related to changes in the authentication policy. It is recommended to enable this audit to
assist the administrator in obtaining information on changes to the authentication policy.
Recommendation
This control can be implemented through the following procedures:
1. Click on "Start" -> "All Programs" -> "Accessories" -> Right-click on "Command Prompt" -> "Run as administrator".
2. Enter the following command:
Auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:disable
NOTE: The "Audit: Force audit policy subcategory settings (Windows Vista or later) to
override audit policy category settings" policy should be enabled so that the subcategory
settings can override the audit policy settings. Refer to the References section for
additional details.
Warning: This control has been developed for generic environments. Assess applicability
and potential impacts prior to implementing it in a production environment.
References
Windows Server 2008 Security Guide Appendix A: http://technet.microsoft.com/en-us/library/cc264465.aspx
http://support.microsoft.com/default.aspx/kb/947226/en-us
Questionnaire
Operating System - "Microsoft" - Windows Server 2008 Family (Member Server)
Comments
Asset Components: 1 | Total PSR: 30 | Control Name: The Authentication Policy Change audit subcategory should be configured as "Success". | Control ID: MOD_EN.00041274
Reason
The User Account Management audit subcategory is responsible for creating events
related to the creation, modification and deletion of user accounts. It is recommended to
enable this audit to assist the administrator in obtaining information on unauthorized
user account management.
Recommendation
This control can be implemented through the following procedures:
1. Click on "Start" -> "All Programs" -> "Accessories" -> Right-click on "Command Prompt" -> "Run as administrator".
2. Enter the following command:
Auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
NOTE: The "Audit: Force audit policy subcategory settings (Windows Vista or later) to
override audit policy category settings" policy should be enabled so that the subcategory
settings can override the audit policy settings. Refer to the References section for
additional details.
Warning: This control has been developed for generic environments. Assess applicability
and potential impacts prior to implementing it in a production environment.
References
Windows Server 2008 Security Guide Appendix A: http://technet.microsoft.com/en-us/library/cc264465.aspx
http://support.microsoft.com/default.aspx/kb/947226/en-us
Questionnaire
Operating System - "Microsoft" - Windows Server 2008 Family (Member Server)
Comments
Asset Components: 1 | Total PSR: 30 | Control Name: The User Account Management audit subcategory should be configured as "Success" and "Failure". | Control ID: MOD_EN.00041275
Reason
The Security Group Management audit subcategory is responsible for creating events
related to the creation, modification and deletion of security groups, as well as the
inclusion and exclusion of security group members. It is recommended to enable this
audit to assist the administrator in obtaining information on unauthorized security group
changes.
Recommendation
This control can be implemented through the following procedures:
1. Click on "Start" -> "All Programs" -> "Accessories" -> Right-click on "Command Prompt" -> "Run as administrator".
2. Enter the following command:
Auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
NOTE: The "Audit: Force audit policy subcategory settings (Windows Vista or later) to
override audit policy category settings" policy should be enabled so that the subcategory
settings can override the audit policy settings. Refer to the References section for
additional details.
Warning: This control has been developed for generic environments. Assess applicability
and potential impacts prior to implementing it in a production environment.
References
Windows Server 2008 Security Guide Appendix A: http://technet.microsoft.com/en-us/library/cc264465.aspx
http://support.microsoft.com/default.aspx/kb/947226/en-us
Questionnaire
Operating System - "Microsoft" - Windows Server 2008 Family (Member Server)
Comments
Asset Components: 1 | Total PSR: 30 | Control Name: The Security Group Management audit subcategory should be configured as "Success" and "Failure". | Control ID: MOD_EN.00041277
Reason
The Other Account Management Events audit subcategory is responsible for creating
events related to the modification of the domain policy, access to the account password hash,
and similar operations. It is recommended to enable this audit to assist the administrator in
obtaining security related information.
Recommendation
This control can be implemented through the following procedures:
1. Click on "Start" -> "All Programs" -> "Accessories" -> Right-click on "Command Prompt" -> "Run as administrator".
2. Enter the following command:
Auditpol /set /subcategory:"Other Account Management Events" /success:enable /failure:enable
NOTE: The "Audit: Force audit policy subcategory settings (Windows Vista or later) to
override audit policy category settings" policy should be enabled so that the subcategory
settings can override the audit policy settings. Refer to the References section for
additional details.
Warning: This control has been developed for generic environments. Assess applicability
and potential impacts prior to implementing it in a production environment.
References
Windows Server 2008 Security Guide Appendix A: http://technet.microsoft.com/en-us/library/cc264465.aspx
http://support.microsoft.com/default.aspx/kb/947226/en-us
Questionnaire
Operating System - "Microsoft" - Windows Server 2008 Family (Member Server)
Comments
Asset Components: 1 | Total PSR: 30 | Control Name: The Other Account Management Events audit subcategory should be configured as "Success" and "Failure". | Control ID: MOD_EN.00041278
Reason
The "%SystemRoot%\Debug" directory is used for storing several system and Active
Directory logs. If an unauthorized user is granted access to this directory, they may be
able to make unauthorized changes to its contents so as to remove their traces from the system.
Therefore, it is recommended that NTFS permissions for this directory be configured to
prevent unauthorized access.
Recommendation
This control can be implemented through the following procedures:
1. Click on "Start" -> "Programs" -> "Accessories" -> "Windows Explorer".
2. Right-click on "%SystemRoot%\Debug" and click on "Properties".
3. Select the "Security" tab.
4. Configure access rights as follows:
Administrators = Full Control
SYSTEM = Full Control
CREATOR OWNER = Full Control
Authenticated Users = Traverse Folder / Execute File; Read Attributes; Read Permissions.
5. Check the "Inherit from parent the permission entries that apply to child objects.
Include these with entries explicitly defined here" box.
6. When finished, click "OK" to save the changes made.
NOTE 1: In order to determine the actual path to "%SystemRoot%", execute the following
procedures:
1. Click on "Start" -> "Run".
2. Enter "cmd" in the "Open" field, and click "OK".
3. Enter the following command:
echo %SystemRoot%
NOTE 2: If Windows will not allow users to be removed or added at the time of the
configuration, click on the "Advanced" button, select the "Permissions" tab, uncheck the
"Inherit from parent the permission entries that apply to child objects. Include these with
entries explicitly defined here" box, and then click on "Remove".
Warning: This control has been developed for generic environments. Assess applicability
and potential impacts prior to implementation and, if necessary, adjust the suggested
permissions according to the characteristics of the environment.
References
CIS - Windows Server 2003 Operating System Legacy, Enterprise, and Specialized Security Benchmark Consensus Security Settings for Domain Controller
Questionnaire
Operating System - "Microsoft" - Windows Server 2008 Family (Member Server)
Comments
Asset Components: 1 | Total PSR: 20 | Control Name: NTFS permissions for the "%SystemRoot%\Debug" directory should be configured to prevent unauthorized access. | Control ID: MOD_EN.00041238
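The control above lists the permissions that "%SystemRoot%\Debug" should end up with; the following PowerShell script is an added example, not part of the Modulo report, that reads the directory's ACL with Get-Acl and reports any principal or right that goes beyond step 4, plus the inheritance state from step 5. It assumes an elevated session on Windows Server 2008 or later and the default English principal names.

```powershell
# Added example (not part of the Modulo report): check the NTFS ACL of
# %SystemRoot%\Debug against the rights listed in the control and report
# anything that grants more than expected. Read-only; it changes nothing.

$path = Join-Path $env:SystemRoot 'Debug'
$fsr  = [System.Security.AccessControl.FileSystemRights]
$full = $fsr::FullControl

# Expected allow rights per principal, from step 4 of the control.
# "Traverse Folder / Execute File" = ExecuteFile, "Read Permissions" = ReadPermissions.
# Synchronize is added because Windows sets it on every allow entry.
$expected = @{
    'BUILTIN\Administrators'           = $full
    'NT AUTHORITY\SYSTEM'              = $full
    'CREATOR OWNER'                    = $full
    'NT AUTHORITY\Authenticated Users' = [int]($fsr'ExecuteFile, ReadAttributes, ReadPermissions, Synchronize')
}

function Get-DebugAclFindings([string]$Directory) {
    $acl = Get-Acl -Path $Directory
    $findings = @()

    foreach ($ace in $acl.Access) {
        # Deny entries never widen access, so only allow entries are compared.
        if ($ace.AccessControlType -ne 'Allow') { continue }

        $id   = $ace.IdentityReference.Value
        $bits = [int]$ace.FileSystemRights
        # Inherit-only entries may carry GENERIC_ALL (0x10000000), which is Full Control.
        if ($bits -band 0x10000000) { $bits = [int]$full }

        if (-not $expected.ContainsKey($id)) {
            $findings += "Unexpected principal '$id' is allowed '$($ace.FileSystemRights)'"
            continue
        }
        # Any right bit present in the entry but absent from the expected mask is excess.
        $excess = $bits -band (-bnot [int]$expected[$id])
        if ($excess -ne 0) {
            $findings += "'$id' has excess rights: $([System.Security.AccessControl.FileSystemRights]$excess)"
        }
    }

    # Step 5 of the control: inheritance from the parent must remain enabled.
    if ($acl.AreAccessRulesProtected) {
        $findings += "Inheritance from parent is disabled on $Directory"
    }
    return $findings
}

$result = Get-DebugAclFindings -Directory $path
if ($result.Count -eq 0) { "OK: $path matches the recommended permissions" }
else { $result | ForEach-Object { "FINDING: $_" } }
```

Generic rights other than GENERIC_ALL are reported as their raw bit values rather than translated, so inspect those entries by hand.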
Reason
The Credential Validation audit subcategory is responsible for creating events related to
the validation of credentials, such as network access attempts. It is recommended to
enable this audit to assist the administrator in obtaining security related
information.
Recommendation
This control can be implemented through the following procedures:
1. Click on "Start" -> "All Programs" -> "Accessories" -> Right-click on "Command Prompt" -> "Run as administrator".
2. Enter the following command:
Auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
NOTE: The "Audit: Force audit policy subcategory settings (Windows Vista or later) to
override audit policy category settings" policy should be enabled so that the subcategory
settings can override the audit policy settings. Refer to the References section for
additional details.
Warning: This control has been developed for generic environments. Assess applicability
and potential impacts prior to implementing it in a production environment.
References
Windows Server 2008 Security Guide Appendix A: http://technet.microsoft.com/en-us/library/cc264465.aspx
http://support.microsoft.com/default.aspx/kb/947226/en-us
Questionnaire
Operating System - "Microsoft" - Windows Server 2008 Family (Member Server)
Comments
Asset Components: 1 | Total PSR: 30 | Control Name: The Credential Validation audit subcategory should be configured as "Success" and "Failure". | Control ID: MOD_EN.00041279
Reason
The Computer Account Management audit subcategory is responsible for creating events
related to the creation, modification and deletion of domain computer accounts. It is
recommended to enable this audit to assist the administrator in obtaining information on
unauthorized domain computer account management.
Recommendation
This control can be implemented through the following procedures:
1. Click on "Start" -> "All Programs" -> "Accessories" -> Right-click on "Command Prompt" -> "Run as administrator".
2. Enter the following command:
Auditpol /set /subcategory:"Computer Account Management" /success:enable /failure:enable
NOTE: The "Audit: Force audit policy subcategory settings (Windows Vista or later) to
override audit policy category settings" policy should be enabled so that the subcategory
settings can override the audit policy settings. Refer to the References section for
additional details.
Warning: This control has been developed for generic environments. Assess applicability
and potential impacts prior to implementing it in a production environment.
References
Windows Server 2008 Security Guide Appendix A: http://technet.microsoft.com/en-us/library/cc264465.aspx
http://support.microsoft.com/default.aspx/kb/947226/en-us
Questionnaire
Operating System - "Microsoft" - Windows Server 2008 Family (Member Server)
Comments
Asset Components: 1 | Total PSR: 20 | Control Name: The Computer Account Management audit subcategory should be configured as "Success" and "Failure". | Control ID: MOD_EN.00041276
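The Auditpol controls above, from Security State Change through Computer Account Management, all follow one pattern: enable the "Force audit policy subcategory settings" override, then set each subcategory. The following PowerShell script is an added example, not part of the Modulo report, that applies the settings exactly as the controls list them and then verifies the result from auditpol's CSV output; it assumes an elevated session on Windows Server 2008 or later and English auditpol output for the "Inclusion Setting" strings.

```powershell
# Added example (not part of the Modulo report): apply the audit subcategory
# settings recommended by the controls above and verify the resulting state.
# Assumes an elevated PowerShell session on Windows Server 2008 or later.

# Subcategory -> desired success/failure state, copied from the Auditpol commands above.
$desired = @{
    'Security State Change'           = @{ Success = 'enable';  Failure = 'enable'  }
    'Logon'                           = @{ Success = 'enable';  Failure = 'enable'  }
    'Logoff'                          = @{ Success = 'enable';  Failure = 'disable' }
    'Special Logon'                   = @{ Success = 'enable';  Failure = 'disable' }
    'File System'                     = @{ Success = 'disable'; Failure = 'enable'  }
    'Registry'                        = @{ Success = 'disable'; Failure = 'enable'  }
    'Sensitive Privilege Use'         = @{ Success = 'enable';  Failure = 'enable'  }
    'Process Creation'                = @{ Success = 'enable';  Failure = 'disable' }
    'Audit Policy Change'             = @{ Success = 'enable';  Failure = 'enable'  }
    'Authentication Policy Change'    = @{ Success = 'enable';  Failure = 'disable' }
    'User Account Management'         = @{ Success = 'enable';  Failure = 'enable'  }
    'Security Group Management'       = @{ Success = 'enable';  Failure = 'enable'  }
    'Other Account Management Events' = @{ Success = 'enable';  Failure = 'enable'  }
    'Credential Validation'           = @{ Success = 'enable';  Failure = 'enable'  }
    'Computer Account Management'     = @{ Success = 'enable';  Failure = 'enable'  }
}

# 1. Let subcategory settings override the legacy category settings. This is the
#    "Audit: Force audit policy subcategory settings (Windows Vista or later) to
#    override audit policy category settings" policy described in KB 947226,
#    stored in the SCENoApplyLegacyAuditPolicy registry value.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty -Path $lsa -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord

# 2. Apply each subcategory with auditpol, one call per control.
foreach ($name in $desired.Keys) {
    $s = $desired[$name]
    & auditpol.exe /set "/subcategory:$name" "/success:$($s.Success)" "/failure:$($s.Failure)" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol /set failed for '$name'" }
}

# Map the desired enable/disable pair to the wording auditpol reports.
function Get-ExpectedInclusion($s) {
    if ($s.Success -eq 'enable' -and $s.Failure -eq 'enable') { return 'Success and Failure' }
    if ($s.Success -eq 'enable') { return 'Success' }
    if ($s.Failure -eq 'enable') { return 'Failure' }
    return 'No Auditing'
}

# 3. Verify: "auditpol /get /category:* /r" emits CSV with Subcategory and
#    "Inclusion Setting" columns; compare each row with the desired state.
$current = (& auditpol.exe /get /category:* /r) |
    Where-Object { $_.Trim() -ne '' } | ConvertFrom-Csv

foreach ($name in $desired.Keys) {
    $row  = $current | Where-Object { $_.Subcategory -eq $name }
    $want = Get-ExpectedInclusion $desired[$name]
    $have = if ($row) { $row.'Inclusion Setting' } else { '<subcategory not found>' }
    $status = if ($have -eq $want) { 'OK' } else { 'DRIFT' }
    '{0,-6} {1,-32} want: {2,-20} have: {3}' -f $status, $name, $want, $have
}
```

A DRIFT line after step 2 usually means a Group Policy audit setting is re-applying over the local auditpol change, which is exactly the case the subcategory override policy in the NOTE above is meant to address.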
Detailed Description of the Control
Number of Asset Components | Total PSR | Control Name | Control ID
2.2.0004 Grouping: Fault Tolerance
Reason
The transaction logs register changes to the databases, allowing the databases to be
recovered in case of any system failure. These logs should be stored on separate physical
disks, in order to prevent simultaneous loss of databases and their respective transaction
logs in the event of software or hardware failure. Additionally, storing databases and logs
on separate physical disks contributes to better system performance.
Recommendation
This control can be implemented by means of the following procedures:
1. Whenever possible, configure the database server to save databases and transaction
logs in partitions located on separate hard disks.
2. If possible, a disk mirroring or duplexing system can be used, such as RAID10, which
requires four or more disks, always in an even number (6, 8, 10), and combines characteristics of
the RAID1 and RAID0 systems, so as to guarantee both performance and availability of
data and increase the system's fault tolerance level. This approach is somewhat more
expensive, but with it recovery does not depend solely on backup files, since
the loss of a database together with its transaction log is an unacceptable risk in most
corporations.
Note: Since logging activities require a large volume of data to be saved, the disk where
transaction logs are stored should be properly sized for the procedure.
Warning! This control was designed for generic environments. Evaluate applicability and
possible impact prior to implementation in an operational environment.
References
Questionnaire
Application - "Database" - Generic Database
Comments
Asset Components: 1 | Total PSR: 75 | Control Name: The database server's transaction logs and databases should be stored on separate physical disks. | Control ID: MOD_EN.00017833
Reason
In mission critical environments, where client/server applications requiring high
availability are executed (for example, e-commerce websites), if the database provides
a Failover Clustering service, this service should be implemented. In this process, the
operating system works together with the database to guarantee system availability in
case of hardware or software failure, through the use of redundant configurations in
which the service is automatically and transparently transferred to another server with
similar configuration settings.
Recommendation
This control can be implemented by means of the following procedures:
1. Make the necessary hardware investments for implementation of the operating
system's Clustering service and configuration of the database's Failover Clustering service.
Warning! Control developed for generic environments requiring high availability level.
Evaluate applicability and possible impact prior to implementation in an operational
environment.
References
For additional information, see the database and operating system manuals.
Questionnaire
Application - "Database" - Generic Database
Comments
Asset Components: 1 | Total PSR: 40 | Control Name: In mission critical environments, the database's Failover Clustering process should be implemented. | Control ID: MOD_EN.00017834
Detailed Description of the Control
Number of Asset Components | Total PSR | Control Name | Control ID
2.2.0005 Grouping: File Systems and Permissions
Reason
The database can be installed on servers using different file systems. However, it should
be installed on a server whose file system allows access control, cryptography, audit
logging, and other security benefits.
Recommendation
This control can be implemented by means of the following procedures:
1. When installing the operating system and/or formatting the disks where the database
files are to be stored, select a file system with advanced security features. For further
information, see the operating system manual.
Warning! This control was designed for generic environments. Evaluate applicability and
possible impact prior to implementation in an operational environment.
References
For additional information, see the database and operating system manual.
Questionnaire
Application - "Database" - Generic Database
Comments
Asset Components: 1 | Total PSR: 60 | Control Name: The operating system and database disk file systems should be equipped with security controls. | Control ID: MOD_EN.00017828
Reason
Granting incorrect permissions on the directories containing the database files
increases the risk of improper access, which may compromise the confidentiality,
integrity, or availability of the files stored there, causing financial loss and
harming the company's image. These permissions should therefore be reviewed, and only
the minimum necessary permissions granted.
Recommendation
This control can be implemented by means of the following procedures:
1. Access the operating system where the database is installed, using an Administrator
account.
2. Select the directory where the database's data files are stored.
3. Define the permissions so that operating system administrators have full access
rights. If there are other execution users, they should have only Read and Execute
access to these directories.
Note 1: Additional permissions can be granted after a security analysis.
Note 2: The account under which the database service itself runs must keep write
access to its data directory, or the engine cannot create, extend or checkpoint its
files; restrict the remaining accounts, not this one.
Warning! This control was designed for generic environments. Evaluate applicability and
possible impact prior to implementation and, if necessary, adjust the suggested
permissions according to the characteristics of the environment.
References
For additional information, see the database and the operating system manuals.
Questionnaire: Application - "Database" - Generic Database
Number of Asset Components: 1 | Total PSR: 60 | Control Name: Permissions for the directory where the database's data files are located should be configured to prevent improper access. | Control ID: MOD_EN.00017830
Comments: (none)
Reason
Database backup files may contain sensitive information and therefore need to be
protected, by setting permissions so as to block access to unauthorized users. In the same
way, incorrect granting of permissions to the directory containing the transaction logs'
backup files increases the risk of improper access, which may compromise the integrity,
the confidentiality, and the availability of such files.
Recommendation
This control can be implemented by means of the following procedures:
1. Access the operating system where the database is installed, using an Administrator
account.
2. Select the directories where the database and transaction log backup files are stored.
3. Define the permissions so that operating system administrators have full access
rights. If there are other execution users, they should have only Read and Execute
access to these directories.
Note 1: Additional permissions can be granted after a security analysis.
Note 2: The account that writes the backups (the backup job or, where the engine
writes its own backups, the database service account) must keep write access to
these directories; restrict the remaining accounts, not this one.
Warning! This control was designed for generic environments. Evaluate applicability and
possible impact prior to implementation and, if necessary, adjust the suggested
permissions according to the characteristics of the environment.
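The two permission controls above describe the same check for the data directory and for the backup directories. The following script is an added example written for this report, not Modulo's code: it audits a directory tree against the stated policy (administrators and the service account own the files, nobody else can read or write them) and reports every deviation. It assumes a POSIX host and uses numeric uids; the directory layout and sample files are constructed by the script itself. On Windows the same policy applies to NTFS ACLs, which this script does not inspect.

```python
"""Added example (not part of the Modulo report): audit the POSIX permissions of a
database's data and backup directories against the policy in the two controls
above. Assumptions, not taken from the report: the check runs on a POSIX host, the
database service account is identified by its numeric uid, and anything readable
by 'others' or writable by the group counts as a finding."""
import os
import shutil
import stat
import tempfile


def audit_path(path, admin_uid, service_uid):
    """Return a list of findings for one file or directory (empty = compliant)."""
    findings = []
    st = os.lstat(path)
    mode = stat.S_IMODE(st.st_mode)
    if stat.S_ISLNK(st.st_mode):
        findings.append(f"{path}: symbolic link, resolve and audit the target")
    if st.st_uid not in (admin_uid, service_uid):
        findings.append(f"{path}: owned by uid {st.st_uid}, expected admin or service account")
    if mode & stat.S_IWGRP:
        findings.append(f"{path}: group-writable (mode {oct(mode)})")
    if mode & stat.S_IRWXO:
        findings.append(f"{path}: accessible by others (mode {oct(mode)})")
    return findings


def audit_tree(root, admin_uid, service_uid):
    """Audit `root` itself and everything below it; returns all findings."""
    findings = audit_path(root, admin_uid, service_uid)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            findings += audit_path(os.path.join(dirpath, name), admin_uid, service_uid)
    return findings


def demo():
    """Build a constructed sample layout under a temp directory and audit it.

    The data directory is created compliant (0700 with a 0600 file); the backup
    directory is deliberately left at 0755 with a 0644 dump so the audit reports it.
    Returns {"data": [...], "backup": [...]}.
    """
    uid = os.getuid() if hasattr(os, "getuid") else 0
    root = tempfile.mkdtemp(prefix="db-perm-audit-")
    try:
        layout = {"data": (0o700, 0o600), "backup": (0o755, 0o644)}
        for name, (dir_mode, file_mode) in layout.items():
            d = os.path.join(root, name)
            os.mkdir(d)
            f = os.path.join(d, "sample.bin")
            with open(f, "wb") as fh:
                fh.write(b"constructed sample content")
            os.chmod(f, file_mode)
            os.chmod(d, dir_mode)  # chmod after mkdir so the umask cannot interfere
        return {name: audit_tree(os.path.join(root, name), uid, uid) for name in layout}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for area, issues in demo().items():
        print(area, "OK" if not issues else "")
        for line in issues:
            print("  ", line)
```

Run it as the administrator, pointing `audit_tree` at the real data and backup directories with the real uids; a clean run returns an empty list, and any finding is a candidate for the "security analysis" Note 1 refers to before extra permissions are granted.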
References
For additional information, see the database and operating system manuals.
Questionnaire: Application - "Database" - Generic Database
Number of Asset Components: 1 | Total PSR: 45 | Control Name: Permissions for directories containing database and transaction log backup files should be set to prevent improper access. | Control ID: MOD_EN.00017831
Comments: (none)
Detailed Description of the Control
(Table columns: Number of Asset Components | Total PSR | Control Name | Control ID)
2.2.0006 Grouping: Service Outages and Other Attacks
Reason
Flags in the TCP header indicate the current state of a TCP connection. Some scanning
tools send packets with flag combinations that never occur in a legitimate connection
(for example no flags at all, or FIN, PSH and URG without ACK) to slip past
inadequately configured firewalls or similar devices and test or map the networks
behind them. Some systems also have faults that can be triggered with invalid TCP
flags. TCP packets with invalid flags should therefore be blocked to impede both the
mapping and the exploitation of these faults.
Recommendation
This control can be implemented using the following procedures:
1. Enter the following rules in the Firewall "Rule Base" to block TCP packets with invalid
flags:
- Packets with no flagged bits
- Packets with the SYN and FIN bits flagged at the same time
- Packets with the SYN and RST bits flagged at the same time
- Packets with the FIN and RST bits flagged at the same time
- Only the FIN bit flagged without the ACK bit
- Only the PSH bit flagged without the ACK bit
- Only the URG bit flagged without the ACK bit
Note: Apart from the initial SYN of a connection, every legitimate TCP segment carries
the ACK bit, so a segment with FIN, PSH or URG but no ACK belongs to no real
connection. Normally, Firewall applications provide a graphical user interface for
configuring the rules. For additional information, consult the firewall documentation
or seek technical support from the manufacturer.
Warning! This control was designed for generic environments. Evaluate applicability and
possible impact prior to implementation in an operational environment.
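To make the seven rules concrete, the following script is an added example written for this report, not Modulo's code. It classifies a TCP flags value against each rule, extracts the flags from a raw header, and renders the equivalent Linux iptables rules. The sample segments are constructed in the script; the iptables `--tcp-flags mask comp` syntax is real, but the chain name is an assumption for illustration.

```python
"""Added example (not from the Modulo report): classify TCP flag combinations against
the seven rules listed in the control above, and render the equivalent iptables
rules. The sample segments are constructed here; the iptables syntax is real, but
the chain name is an assumption for illustration."""

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}

# (description, predicate over the flags value, iptables --tcp-flags "mask comp")
INVALID_FLAG_RULES = [
    ("no flags set (NULL scan)",  lambda f: (f & 0x3F) == 0,                   "ALL NONE"),
    ("SYN and FIN set together",  lambda f: (f & (SYN | FIN)) == (SYN | FIN),  "SYN,FIN SYN,FIN"),
    ("SYN and RST set together",  lambda f: (f & (SYN | RST)) == (SYN | RST),  "SYN,RST SYN,RST"),
    ("FIN and RST set together",  lambda f: (f & (FIN | RST)) == (FIN | RST),  "FIN,RST FIN,RST"),
    ("FIN without ACK",           lambda f: bool(f & FIN) and not (f & ACK),   "FIN,ACK FIN"),
    ("PSH without ACK",           lambda f: bool(f & PSH) and not (f & ACK),   "PSH,ACK PSH"),
    ("URG without ACK",           lambda f: bool(f & URG) and not (f & ACK),   "ACK,URG URG"),
]


def flag_names(flags):
    """Human-readable rendering of a flags value, e.g. 'SYN+ACK'."""
    return "+".join(name for bit, name in FLAG_NAMES.items() if flags & bit) or "NONE"


def invalid_reasons(flags):
    """Return the descriptions of every rule the flags value violates (empty = valid)."""
    return [desc for desc, pred, _ in INVALID_FLAG_RULES if pred(flags)]


def parse_tcp_flags(tcp_header):
    """Extract the six classic flag bits from a raw TCP header (byte 13, low 6 bits)."""
    if len(tcp_header) < 14:
        raise ValueError("TCP header too short")
    return tcp_header[13] & 0x3F


def iptables_rules(chain="FORWARD"):
    """Equivalent Linux iptables rules; one DROP per rule in the control."""
    return [f"iptables -A {chain} -p tcp --tcp-flags {spec} -j DROP"
            for _, _, spec in INVALID_FLAG_RULES]


# Constructed sample segments: name -> flags value
SAMPLES = {
    "handshake SYN": SYN, "SYN+ACK": SYN | ACK, "data PSH+ACK": PSH | ACK,
    "close FIN+ACK": FIN | ACK, "reset RST+ACK": RST | ACK,
    "NULL scan": 0, "Xmas scan": FIN | PSH | URG, "SYN+FIN probe": SYN | FIN,
    "SYN+RST": SYN | RST, "lone FIN scan": FIN,
}


def classify_samples():
    """Map each sample name to the list of rules it violates."""
    return {name: invalid_reasons(flags) for name, flags in SAMPLES.items()}


if __name__ == "__main__":
    for name, reasons in classify_samples().items():
        verdict = "VALID" if not reasons else "; ".join(reasons)
        print(f"{name:16} {flag_names(SAMPLES[name]):14} {verdict}")
    print("\n".join(iptables_rules()))
```

The three "without ACK" rules rely on the fact that only the first SYN of a connection lacks ACK, which is why an Xmas-scan segment (FIN+PSH+URG) trips all three at once while every segment of a real handshake, transfer and close passes.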
References
Questionnaire: Application - "Firewall" - Generic Firewall
Number of Asset Components: 1 | Total PSR: 64 | Control Name: The Firewall should have rules to block TCP packets that have invalid flags. | Control ID: MOD_EN.00010643
Comments: (none)
Reason
Malformed packets can be generated by defective or poorly configured equipment, or by
attackers. This type of traffic should be blocked by the Firewall.
Recommendation
This control can be implemented using the following procedures:
1. Enter rules in the "Rule Base" of the firewall to block traffic with the addresses
"0.0.0.0" (the unspecified address, valid only as the source of a host that has no
address yet, such as a DHCP discover), "255.255.255.255" (limited broadcast, which is
never routed beyond the local network) and "224.0.0.0/4" (the class D range reserved
for IP multicast).
Note: Normally, Firewall applications provide a graphical user interface for configuring
the rules. For additional information, consult the firewall documentation or seek
technical support from the manufacturer. If the firewall itself takes part in
multicast-based routing or redundancy protocols (OSPF, VRRP), exempt those packets on
the interfaces concerned rather than dropping all of 224.0.0.0/4.
Warning! This control was designed for generic environments. Evaluate applicability and
possible impact prior to implementation in an operational environment.
References
Questionnaire: Application - "Firewall" - Generic Firewall
Number of Asset Components: 1 | Total PSR: 64 | Control Name: The traffic of malformed packets should be blocked by the firewall. | Control ID: MOD_EN.00010644
Comments: (none)
Reason
Packets with forged source addresses ("IP Spoofing") are characteristic of attacks or of
equipment configured with an incorrect address. These packets should be blocked and
the origin of the attack, or the incorrectly configured equipment, should be identified.
Recommendation
This control can be implemented using the following procedures:
1. Enter rules to prevent "IP Spoofing" attempts originating from the internal network:
packets arriving on the internal interface whose source address does not belong to the
internal address ranges should be dropped and logged, and packets arriving from outside
that claim an internal source address should be dropped as well.
Warning! This control was designed for generic environments. Evaluate applicability and
possible impact prior to implementation in an operational environment.
References
Questionnaire: Application - "Firewall" - Generic Firewall
Number of Asset Components: 1 | Total PSR: 36 | Control Name: Rules to block outgoing forged IP packets originated from internal networks should be implemented on the Firewall. | Control ID: MOD_EN.00010637
Comments: (none)
Reason
Packets with forged source addresses ("IP Spoofing") are characteristic of attacks or of
equipment configured with an incorrect address. These packets should be blocked and
the origin of the attack, or the incorrectly configured equipment, should be identified.
Recommendation
This control can be implemented using the following procedures:
1. Enter rules in the "Rule Base" of the Firewall to prevent "IP Spoofing" attempts
originating from the DMZ: packets arriving on the DMZ interface whose source address
does not belong to the DMZ address range should be dropped and logged, and packets
arriving from outside that claim a DMZ source address should be dropped as well.
Note: Normally, Firewall applications provide a graphical user interface for configuring
the rules. For additional information, consult the firewall documentation or seek
technical support from the manufacturer.
Warning! This control was designed for generic environments. Evaluate applicability and
possible impact prior to implementation in an operational environment.
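The malformed-address control and the two anti-spoofing controls above are all decided from the arrival interface and the two addresses of a packet, so they fit naturally into one ingress check that runs before the ordinary rule base. The following script is an added example written for this report, not Modulo's code. The zone prefixes and the sample traffic are assumptions constructed for the example, and the EXTRA_BOGON_SOURCES list deliberately goes beyond the page's three addresses to the loopback, link-local and reserved ranges a perimeter filter would normally add.

```python
"""Added example (not from the Modulo report): an ingress filter that applies the
three firewall controls above (malformed addresses, anti-spoofing for the internal
network, anti-spoofing for the DMZ) before the ordinary rule base is consulted.
The zone address ranges and sample packets are assumptions constructed for this
example; the EXTRA_BOGON_SOURCES list goes beyond the page's three addresses."""
import ipaddress


def net(cidr):
    return ipaddress.ip_network(cidr)


# Assumed topology: which prefixes legitimately live behind each firewall interface.
ZONES = {
    "internal": [net("10.0.0.0/8"), net("192.168.0.0/16")],
    "dmz": [net("203.0.113.0/24")],
}

# The addresses named in the control; matched on either end of the packet.
MALFORMED = [net("0.0.0.0/32"), net("255.255.255.255/32"), net("224.0.0.0/4")]

# Generalisation beyond the page: sources that never legitimately cross a perimeter.
EXTRA_BOGON_SOURCES = [net("127.0.0.0/8"), net("169.254.0.0/16"), net("240.0.0.0/4")]


def in_any(ip, nets):
    return any(ip in n for n in nets)


def zone_of(ip):
    """Which zone an address belongs to by prefix; anything else is 'external'."""
    for name, nets in ZONES.items():
        if in_any(ip, nets):
            return name
    return "external"


def evaluate(ingress, src, dst):
    """Decide for a packet arriving on interface `ingress` ('internal', 'dmz' or
    'external'). Returns ('drop', reason) or ('continue', reason); 'continue' means
    the packet goes on to the normal rule base."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if in_any(src, MALFORMED) or in_any(dst, MALFORMED):
        return "drop", f"malformed address {src} -> {dst}"
    if in_any(src, EXTRA_BOGON_SOURCES):
        return "drop", f"bogon source {src}"
    claimed = zone_of(src)
    if ingress in ZONES and claimed != ingress:
        # Egress anti-spoofing: a host behind this interface may only use its own prefixes.
        return "drop", f"spoofed: source {src} (zone {claimed}) arrived on the {ingress} interface"
    if ingress == "external" and claimed != "external":
        # Ingress anti-spoofing: the outside world may not claim an inside address.
        return "drop", f"spoofed: outside packet claims source {src} in zone {claimed}"
    return "continue", "anti-spoofing checks passed; apply the rule base"


# Constructed sample traffic: (label, ingress interface, source, destination)
SAMPLES = [
    ("internal host to the Internet", "internal", "10.1.2.3", "198.51.100.7"),
    ("DMZ address leaving via internal interface", "internal", "203.0.113.5", "198.51.100.7"),
    ("public address leaving via internal interface", "internal", "8.8.8.8", "10.1.2.3"),
    ("internal address leaving via DMZ interface", "dmz", "10.1.2.3", "198.51.100.7"),
    ("DMZ host to the Internet", "dmz", "203.0.113.10", "198.51.100.7"),
    ("outside packet claiming internal source", "external", "192.168.1.1", "203.0.113.10"),
    ("outside packet from 0.0.0.0", "external", "0.0.0.0", "203.0.113.10"),
    ("outside packet to limited broadcast", "external", "198.51.100.9", "255.255.255.255"),
    ("outside packet from loopback", "external", "127.0.0.1", "203.0.113.10"),
    ("ordinary inbound to DMZ", "external", "198.51.100.9", "203.0.113.10"),
]


def evaluate_samples():
    """Return {label: verdict} for the constructed samples."""
    return {label: evaluate(ingress, s, d)[0] for label, ingress, s, d in SAMPLES}


if __name__ == "__main__":
    for label, ingress, s, d in SAMPLES:
        verdict, reason = evaluate(ingress, s, d)
        print(f"{verdict:8} {label}: {reason}")
```

The "drop" reasons are what the control asks the operator to act on: a spoofed packet on the internal or DMZ interface points either at an attacker or at a host with a wrong address, so the log line should carry the ingress interface and the source so the origin can be traced.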
References
Questionnaire: Application - "Firewall" - Generic Firewall
Number of Asset Components: 1 | Total PSR: 36 | Control Name: Rules to block outgoing forged IP packets originated from the DMZ should be implemented on the Firewall. | Control ID: MOD_EN.00010645
Comments: (none)
Detailed Description of the Control
(Table columns: Number of Asset Components | Total PSR | Control Name | Control ID)
2.2.0007 Grouping: System and Application Settings
Reason
ICMP is the Internet control message protocol. Without certain types of ICMP packets,
network connectivity may be disrupted due to the inability to exchange network
configuration information. Make sure the necessary types of packets are allowed.
Recommendation
This control can be implemented using the following procedures:
1. Enter rules to allow the types of ICMP packets that are necessary for the exchange of
network configuration information, such as shown in the following examples:
# Allow ICMP SOURCE-QUENCH packets (type 4; deprecated by RFC 6633 in 2012 and ignored
# by current systems, so this rule can be omitted on modern networks)
# Allow ICMP PARAMETER-PROBLEM packets (type 12)
# Allow incoming ICMP DESTINATION-UNREACHABLE packets (type 3)
# Allow ICMP FRAGMENTATION-NEEDED packets (type 3, code 4; required for path MTU
# discovery, without which connections carrying large packets stall)
NOTE: Also, when a software component or system requires the use of "PING" or
"TRACEROUTE", the necessary types of ICMP packets should be allowed (ECHO-REQUEST,
type 8, and ECHO-REPLY, type 0, for PING; TIME-EXCEEDED, type 11, for TRACEROUTE).
Warning! This control was designed for generic environments. Evaluate applicability and
possible impact prior to implementation in an operational environment.
References
Questionnaire: Application - "Firewall" - Generic Firewall
Number of Asset Components: 1 | Total PSR: 64 | Control Name: Some types of ICMP packets necessary for controlling the communication and the status of networks should be allowed. | Control ID: MOD_EN.00010635
Comments: (none)
Reason
Services whose traffic is to be allowed by the rules should be specified explicitly,
avoiding the "Any" wildcard. This allows more restrictive control and prevents
configuration errors such as inadvertently exposing every port of a host.
Recommendation
This control can be implemented using the following procedures:
1. Explicitly define the services in the appropriate field in the rules of the Firewall "Rule
Base" whenever possible.
NOTE: This recommendation is valid both for addresses and ports.
Warning! This control was designed for generic environments. Evaluate applicability and
possible impact prior to implementation in an operational environment.
References
Questionnaire: Application - "Firewall" - Generic Firewall
Number of Asset Components: 1 | Total PSR: 24 | Control Name: The use of the "Any" identifier in the Firewall rules should be avoided. | Control ID: MOD_EN.00010638
Comments: (none)
Reason
To reduce the number of rules against which each packet must be checked, and thus the
processing overhead of the Firewall, the most frequently matched rules should be
grouped and placed at the top of the rule base, within the recommended working order
for the Firewall.
Recommendation
This control can be implemented through the following procedures:
1. Identify the most commonly used rules on the Firewall.
2. Edit the Firewall's rule base and place the most commonly used rules on the top of the
list, following the Firewall's recommended working order.
Note 1: In general, Firewall applications have graphical interfaces for configuring rules.
For additional information, check the Firewall's documentation or ask for the developer's
technical support.
Note 2: The logical order of the rules must be respected so as to avoid any firewall
malfunctions, denying valid traffic or allowing forbidden traffic. See the related controls.
Attention! This control was designed for generic environments. Evaluate applicability and
possible impacts prior to implementation in an operational environment.
Related controls: #10617.
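Note 2 is the hard part of this control: moving a frequently matched rule above a less frequent one is only safe when the two cannot both match the same packet, or when they have the same action. The following script is an added example written for this report, not Modulo's code: it reorders a rule base by hit count under exactly that constraint and then verifies, packet by packet, that no decision changed, and shows that a plain sort by hit count would have opened a blocked service. The rules, hit counters and packets are constructed for the example.

```python
"""Added example (not from the Modulo report): reorder a firewall rule base by hit
count without changing any decision, which is the check Note 2 above asks for. Two
rules may swap places only if no packet can match both, or if they have the same
action. The rules, hit counters and packets are constructed for this example."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str          # "tcp", "udp" or "any"
    dports: frozenset   # empty = any destination port
    action: str         # "accept" or "drop"
    hits: int           # match counter read from the firewall


def rule(name, src, dst, proto, dports, action, hits):
    return Rule(name, ipaddress.ip_network(src), ipaddress.ip_network(dst),
                proto, frozenset(dports), action, hits)


def matches(r, pkt):
    src, dst, proto, dport = pkt
    return (ipaddress.ip_address(src) in r.src and ipaddress.ip_address(dst) in r.dst
            and r.proto in ("any", proto)
            and (not r.dports or dport in r.dports))


def may_overlap(a, b):
    """True if some packet could match both rules."""
    return (a.src.overlaps(b.src) and a.dst.overlaps(b.dst)
            and ("any" in (a.proto, b.proto) or a.proto == b.proto)
            and (not a.dports or not b.dports or bool(a.dports & b.dports)))


def reorder(rules):
    """Most-hit rules first, but a rule never moves above an earlier rule that
    overlaps it and has a different action (that pair's order decides traffic)."""
    n = len(rules)
    must_follow = {j: set() for j in range(n)}
    for i in range(n):
        for j in range(i + 1, n):
            if rules[i].action != rules[j].action and may_overlap(rules[i], rules[j]):
                must_follow[j].add(i)
    placed, order = set(), []
    while len(order) < n:
        # the lowest unplaced index is always eligible, so candidates is never empty
        candidates = [i for i in range(n) if i not in placed and must_follow[i] <= placed]
        best = max(candidates, key=lambda i: (rules[i].hits, -i))
        order.append(best)
        placed.add(best)
    return [rules[i] for i in order]


def decide(rules, pkt, default="drop"):
    """First-match semantics with an implicit final drop."""
    for r in rules:
        if matches(r, pkt):
            return r.action
    return default


# Constructed rule base (original order) with hit counters.
RULES = [
    rule("block-telnet-from-guest", "192.168.50.0/24", "0.0.0.0/0", "tcp", {23}, "drop", 3),
    rule("allow-web", "0.0.0.0/0", "10.0.0.0/8", "tcp", {80, 443}, "accept", 9000),
    rule("allow-guest-out", "192.168.50.0/24", "0.0.0.0/0", "any", set(), "accept", 4000),
    rule("allow-dns", "0.0.0.0/0", "10.0.0.53/32", "udp", {53}, "accept", 12000),
    rule("deny-all", "0.0.0.0/0", "0.0.0.0/0", "any", set(), "drop", 500),
]

# Constructed packets: (src, dst, proto, dport)
PACKETS = [
    ("192.168.50.7", "198.51.100.20", "tcp", 23),
    ("192.168.50.7", "10.1.1.1", "tcp", 80),
    ("192.168.50.7", "198.51.100.20", "tcp", 22),
    ("198.51.100.20", "10.1.1.1", "tcp", 22),
    ("198.51.100.20", "10.0.0.53", "udp", 53),
]


def reordered_names(rules=RULES):
    return [r.name for r in reorder(rules)]


def decisions_unchanged(rules=RULES, packets=PACKETS):
    """The whole point: every packet gets the same verdict before and after."""
    new = reorder(rules)
    return all(decide(rules, p) == decide(new, p) for p in packets)


def naive_sort_breaks_policy(rules=RULES, packets=PACKETS):
    """Sorting purely by hits (what Note 2 warns against) changes verdicts."""
    naive = sorted(rules, key=lambda r: -r.hits)
    return any(decide(rules, p) != decide(naive, p) for p in packets)


if __name__ == "__main__":
    print(reordered_names())
    print("decisions unchanged:", decisions_unchanged())
    print("naive sort breaks policy:", naive_sort_breaks_policy())
```

In the constructed rule base the rarely hit telnet block has to stay above the busy guest-egress accept rule, and the final deny stays last; everything else is free to rise, which is the same reasoning to apply by hand when the firewall offers only a graphical editor.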
References
Questionnaire: Application - "Firewall" - Generic Firewall
Number of Asset Components: 1 | Total PSR: 24 | Control Name: The most frequently used rules should be placed at the top of the Firewall's rule base. | Control ID: MOD_EN.00019696
Comments: (none)
Reason
When most firewalls load a rule, they check whether the address is an IP address or a
DNS name. If it is a DNS name, they try to resolve it to an IP address. If the name
cannot be resolved, for example because the DNS server is unreachable due to network
problems, the rule results in an error and is not enforced, which can cause
unavailability of services or information. A DNS name also makes the rule depend on
whoever controls the answer: a spoofed or compromised DNS reply changes the addresses
the rule matches. For these reasons, IP addresses should be used instead of DNS names.
Recommendation
This control can be implemented through the following procedures:
1. Use IP addresses instead of DNS names on the Firewall's rules.
Note: Generally, Firewall applications have graphical interfaces for configuring their
rules. For additional information, consult the Firewall's documentation or ask the
developer for technical support.
Warning! This control was designed for generic environments. Evaluate applicability and
possible impacts prior to implementation in production environments.
References
Questionnaire: Application - "Firewall" - Generic Firewall
Number of Asset Components: 1 | Total PSR: 16 | Control Name: The firewall's rules should be created using IP addresses instead of DNS names. | Control ID: MOD_EN.00019703
Comments: (none)