
SOX Configuration Reference - General

General Passwords
Minimum Password Age - The period of time after a user has changed their password during which they are unable to change it again.
    Required Configuration: 1 day (or more)
Reset Account Lockout Counter - The period over which failed password entries are tallied towards account lockout. The counter is also reset on lockout of the account.
    Required Configuration: 1 day (or more)
Password History Requirements - Enforce password uniqueness by remembering previous passwords.
    Required Configuration: 12 passwords (or more)
Dormant Account Deletion - The period of time after which an unused account (no activity) is automatically deleted, with the exception of staff on extended leave.
    Required Configuration: 120 days (or less), where this system feature is available.
Account Lockout Duration - The duration of account lockout before the account is automatically re-enabled. The Help Desk also has a process to manually re-enable the account.
    Required Configuration: 30 minutes (or more)
Account Lockout Threshold - The number of failed password entries before account lockout.
    Required Configuration: 5 attempts (or less)
Minimum Password Length - Minimum length of a user password.
    Required Configuration: 8 characters (or more)
Maximum Password Age - The period of time after which a user is required to change their password.
    Required Configuration: 90 days (or less)
Dormant Account Disabling - The period of time after which an unused account (no activity) is automatically disabled.
    Required Configuration: 90 days (or less), where this system feature is available.
Password Complexity - Minimum strength of a password in terms of the character sets that are used to construct the password.
    Required Configuration: AlphaNumeric (alphabetic characters, plus numbers or special characters)
Password Change on First Login - A user who is issued an initial password (e.g. by the Help Desk) is forced to change it on first login to the system.
    Required Configuration: Enabled

Mainframe Passwords
Password Complexity - Minimum strength of a password in terms of the character sets that are used to construct the password.
    Required Configuration:
    * No repeating of 2 or more characters
    * Not a month of the year
    * Not the login ID
    * No part of the user's surname
Minimum Password Age - The period of time after a user has changed their password during which they are unable to change it again.
    Required Configuration: 1 day (or more)
Reset Account Lockout Counter - The period over which failed password entries are tallied towards account lockout. The counter is also reset on lockout of the account.
    Required Configuration: 1 day (or more)
Password History Requirements - Enforce password uniqueness by remembering previous passwords.
    Required Configuration: 10 passwords (or more)
Maximum Password Age - The period of time after which a user is required to change their password.
    Required Configuration: 39 days (or less)
Account Lockout Threshold - The number of failed password entries before account lockout.
    Required Configuration: 5 attempts (or less)
Dormant Account Disabling - The period of time after which an unused account (no activity) is automatically disabled.
    Required Configuration: 60 days (or less), where this system feature is available.
Minimum Password Length - Minimum length of a user password.
    Required Configuration: 7 characters (or more)
Password Change on First Login - A user who is issued an initial password (e.g. by the Help Desk) is forced to change it on first login to the system.
    Required Configuration: Enabled
Account Lockout Duration - The duration of account lockout before the account is automatically re-enabled. The Help Desk also has a process to manually re-enable the account.
    Required Configuration: Forever

Privileged Accounts [1]
Minimum Password Length - Blank passwords and short passwords are easily guessed by password cracking tools; longer passwords lessen the chance of a password being cracked.
    Required Configuration: 12 characters (or more)
Maximum Password Age - The period of time that a user is allowed to use a single password before being required to change it.
    Required Configuration: 45 days (or less)
Password Complexity - Minimum strength of a password in terms of the character sets that are used to construct the password.
    Required Configuration: Complex (alphabetic characters, plus numbers, plus special characters)
Account Lockout Duration - The duration of account lockout before the account is automatically re-enabled. The Help Desk also has a process to manually re-enable the account.
    Required Configuration: Forever

System Accounts [2]
Minimum Password Length - Blank passwords and short passwords are easily guessed by password cracking tools; longer passwords lessen the chance of a password being cracked.
    Required Configuration: 12 characters (or more)
Password Complexity - Minimum strength of a password in terms of the character sets that are used to construct the password.
    Required Configuration: Complex (alphabetic characters, plus numbers, plus special characters)
Account Lockout Duration - The duration of account lockout before the account is automatically re-enabled. The Help Desk also has a process to manually re-enable the account.
    Required Configuration: Forever
Maximum Password Age - The period of time that a user is allowed to use a single password before being required to change it.
    Required Configuration: Never expires (reset the password manually at least once per year).
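The mainframe complexity rules above are phrased as prohibitions rather than parameters, so a checker has to interpret them. The following is an added example (not part of the standard) that applies those rules plus the 7-character minimum; where the wording is open, the reading chosen is flagged as an assumption in the code.

```python
"""Checker for the mainframe password rules in the reference above.

Added example, not part of the original standard. The three constants
below encode assumed readings of rules the reference leaves open.
"""
import calendar

MIN_LENGTH = 7          # "7 Characters (or more)"
REPEAT_RUN = 2          # assumed: "no repeating of 2 or more characters" means no run like "aa"
SURNAME_PART_LEN = 3    # assumed: any 3+ character slice of the surname counts as "part of"

MONTHS = {m.lower() for m in calendar.month_name if m}
MONTH_ABBR = {m.lower() for m in calendar.month_abbr if m}   # assumed: "jan" is also a month


def has_repeated_run(password: str, run: int = REPEAT_RUN) -> bool:
    """True if any character occurs `run` or more times consecutively ("aa", "111")."""
    count = 1
    for prev, cur in zip(password, password[1:]):
        count = count + 1 if cur == prev else 1
        if count >= run:
            return True
    return False


def contains_surname_part(password: str, surname: str) -> bool:
    """True if any SURNAME_PART_LEN-character slice of the surname appears in the password.
    Very short surnames are matched whole."""
    pw, sn = password.lower(), surname.lower()
    if len(sn) < SURNAME_PART_LEN:
        return sn != "" and sn in pw
    return any(sn[i:i + SURNAME_PART_LEN] in pw
               for i in range(len(sn) - SURNAME_PART_LEN + 1))


def check_mainframe_password(password: str, login_id: str, surname: str) -> list[str]:
    """Return the list of rule violations; an empty list means the candidate is compliant."""
    violations = []
    pw = password.lower()
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if has_repeated_run(password):
        violations.append("repeats a character 2 or more times in a row")
    if pw in MONTHS or pw in MONTH_ABBR:
        violations.append("is a month of the year")
    if pw == login_id.lower():
        violations.append("is the login ID")
    if contains_surname_part(password, surname):
        violations.append("contains part of the user's surname")
    return violations


if __name__ == "__main__":
    # Constructed sample candidates for a constructed user; none are real credentials.
    for cand in ("January", "jsmith1", "Smithy7x", "Pa55word", "Tq8v3kL"):
        problems = check_mainframe_password(cand, login_id="jsmith1", surname="Smith")
        print(f"{cand:10s} -> {'OK' if not problems else '; '.join(problems)}")
```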


[1] Privileged access users refer to accounts that have the ability to modify system and/or application settings and configurations. Privileged access users can add, delete, view and modify other users' profiles; view privileged systems audit logs and install system and/or application patches.
Examples of privileged access users include, but are not limited to:
* “Root” super user access;
* Administrators;
* Enterprise Administrators;
* Domain Administrators;
* System Operators;
* Backup Operators;
* Account Operators;
* Application Operator/Administrators;
* Database Administrators; and,
* Application administrators.

[2] System accounts refer to all accounts that perform underlying platform or application services, and are therefore not used by “humans” to authenticate to systems.
Examples of system accounts include, but are not limited to:
* Application service accounts;
* Platform service accounts; and
* Functional logins.

The use of IT computing resources is restricted by the implementation of adequate identification, authentication and authorisation mechanisms, linking users and resources to access rules.

Management ensure the establishment, issuing, suspension and closure (or other modification) of user/privileged accounts is a[...] a timely manner and formally approved by data or system owners.

The use of system administration and privileged accounts/passwords is controlled through an on-line system.
Only authorised individuals can gain access to data files and other backup items/media.
Out-of-the-box default account names MUST be renamed (except the Unix 'root' account).
Only Administrators and Privileged access users are permitted to have full control access to files, directories and system resour
The "Everyone" group MUST NOT be used in Access Control Lists (ACLs) to provide access to disk, application & system resourc
Only Administrators are permitted to modify and delete configuration files.

Resources MUST be created with permissions and rights according to the principles of need-to-know, least privilege and segreg
Standard Operating Environment 3 - Configuration files must be restricted such that “Everyone” or ”World” access is not grante
Security measures are approved/implemented in line with business requirements and IT security policy/practices for all financi
related) systems.
There is a formal process to monitor, assess and escalate any issues associated with industry alerts and security patches.

Unused services and ports MUST be disabled, including but not limited to TFTP, NNTP, CHARGEN, CHARGEN-UDP, CUPS-LPD, DAYTIME, DAYTIME-UDP, ECHO-UDP, EKLOGIN, GSSFTP, IMAP, IMAPS, IPOP2, IPOP3, KRB5-TELNET, KLOGIN, KSHELL, NTALK, POP3S, REXEC, RLOGIN, RSH, RSYNC, SERVERS, SERVICES, SGI_FAM, TALK, TELNET, TIME, TIME-UDP, WU-FTPD, DISCARD, ECHO, FINGER, SYSTAT, WHO, PCNFSD, RSTATD, RUSER, RWALL, SPRAYD, TFTP.
All devices MUST synchronise their clocks with Westpac authorised NTP Servers.
Unencrypted File Transfer Protocols such as FTP or TFTP MUST NOT be used (a policy non-compliance MUST be raised fo
instead Secure File Transfer protocols MUST be used, e.g. FTPS (FTP over SSL), SFTP (FTP over SSH), SCP and HTTPS.
The Telnet network protocol is not permitted and MUST be replaced with SSHv2.
Standard Operating Environment Security Standard 3. Access Controls Lists and Controls - Anti-Virus: Anti-Virus must be e
scanning, “in memory” scanning and with automated updating to the latest virus definitions.

IT security administration ensure that security activity is logged and any indication of imminent security violation is reported im
may be concerned, internally and externally, and is acted upon in a timely manner.
Audit logs covering key security incidents are produced, and reviewed by exception.
Usage of sensitive utilities/audit tools is logged, and reviewed by exception.
Management ensure that sufficient chronological information is being stored in operations logs to enable the reconstruction, r
examination of the time sequences of processing and the other activities surrounding or supporting processing.
Operational logs cannot be altered or deleted retrospectively.
The logging retention period for online logs MUST be at least 60 days.
All successful and failed logins MUST be logged.
All security related incidents and events MUST be logged.
Administrators' & Privileged access users' activities MUST be logged.
Logs MUST be archived on a different system from the system being audited.
Standard Operating Environment Security Standard 2:
Audit account logon: Success, Failure
Audit account management: Success, Failure
Audit directory/file access: Failure
Audit logon events: Success, Failure
Audit object/library/executables access: Failure
Audit policy change: Success, Failure
Audit all privilege account use: Success, Failure
Audit system events: Success, Failure


Compliance Requirement

1.1 Password

General Passwords
Minimum Password Age - The period of time after a user has changed their password during which they are unable to change it again.
    Required Configuration: minage = 1
Password History Requirements - Enforce password uniqueness by remembering previous passwords.
    Required Configuration: histsize = 12
Account Lockout Threshold - The number of failed password entries before account lockout.
    Required Configuration: loginretries = 5
Minimum Password Length - Minimum length of a user password.
    Required Configuration: minlen = 8
Maximum Password Age - The period of time after which a user is required to change their password.
    Required Configuration: maxage = 13 (weeks)
Password Complexity - Minimum strength of a password in terms of the character sets that are used to construct the password.
    Required Configuration: minalpha = 1, minother = 1

Privileged Accounts [1]
Minimum Password Length - Blank passwords and short passwords are easily guessed by password cracking tools; longer passwords lessen the chance of a password being cracked.
    Required Configuration: minlen = 12
Maximum Password Age - The period of time that a user is allowed to use a single password before being required to change it.
    Required Configuration: maxage = 7 (weeks)
Password Complexity - Minimum strength of a password in terms of the character sets that are used to construct the password.
    Required Configuration: minalpha = 1, minother = 1

System Accounts [2]
Minimum Password Length - Blank passwords and short passwords are easily guessed by password cracking tools; longer passwords lessen the chance of a password being cracked.
    Required Configuration: minlen = 12
Password Complexity - Minimum strength of a password in terms of the character sets that are used to construct the password.
    Required Configuration: minalpha = 1, minother = 1

System accounts should be set up to restrict “human” login to the account wherever possible.
    Required Configuration for system accounts:
    /etc/security/user: login = false, rlogin = false
    /etc/ftpusers: the ID must exist in the file
    /etc/passwd: the value of the login shell must be /bin/false

1.2 Access Privileges, Authentication and Authorisation

Control: World-writeable files
    Required Configuration: .log and .sh files must not be world writeable
Control: Authentication configuration
    Required Configuration:
    /etc/passwd - Must not contain passwords
    Shadow Password File - Permissions must be 600
    Pluggable Authentication Module (PAM) - Must be used
Control: Access to Operating System Resources
    Required Configuration: Permissions for the following resources must be as specified:
    /.netrc - Read access only by root, write access only by root
    /etc/inetd.conf - owner: root, group: system, permissions: 644
    / - Settings for "other" must be r-x. Note: this particular requirement is not recursive.
    Settings for "other" on the following directories and on all files and directories underneath them must be r-x or more stringent: /etc, /bin, /usr/sbin, /usr/bin, /usr/etc
    /var/adm - Settings for "other" on files in this directory must be r-x or more stringent, not including subdirectories.
    /etc/snmpd.conf - Must be x40 or more restrictive
Control: Access to Operating System Resources
    Required Configuration: The following files must have read access only by root and write access only by root: ~root/.netrc, ~root/.rhosts
Control: Out-of-the-box default accounts logon details must be changed
    Required Configuration: The following users must be disabled: uucp, guest, daemon, bin, sys, adm, lp, and nobody
Control: Inactive accounts must be disabled in a timely manner
    Required Configuration: Inactive user accounts must be disabled after 90 days of inactivity
Control: Permissions for user environment control files
    Required Configuration: Users' local profile (${HOME}/.profile) should have permissions of 0600

1.3 System Resources

Control: System Time
    Required Configuration: /etc/ntp.conf must be configured on all systems to synchronise with Westpac authorised NTP Servers:
    # East Chatswood Computer Centre
    server ntp-eccc-a.ntp.net.westpac.com.au key 4 prefer
    # Ryde Computer Centre, NSW
    server ntp-rcc-a.ntp.net.westpac.com.au key 4
Control: Services
    Required Configuration: The following services must be disabled: rexd, yppasswd, ECHO, CHARGEN, RSTATD, TFTP, RWALLD, RUSERSD, DISCARD, DAYTIME, BOOTPS, FINGER, SPRAYD, PCNFSD, NETSTAT, WHO
Control: FTP
    Required Configuration: FTP usage requires a policy non-compliance. Anonymous FTP must be disabled.
Control: SNMP
    Required Configuration: Community names of 'public' and 'private' are not permitted if the SNMP service is active

1.4 Logging

Control: Security events logged
    Required Configuration:
    Capture messages sent to the syslog AUTH facility and configs - Must exist
    Capture FTP and inetd connection tracing information - May exist
    Create /var/adm/loginlog to capture failed login attempts - May exist
    Turn on cron logging - Must exist
    Enable system accounting - Must exist
    The following logs must exist with permissions as indicated:
    /var/adm/wtmpx - owner: adm, group: adm, permissions: 644
    /var/adm/sulog - owner: root, group: root, permissions: 644
    /etc/syslog.conf - owner: root, group: unixsec, permissions: 640
    /var/adm/loginlog - owner: root, group: unixsec, permissions: 640
    /var/cron/log - owner: root, group: sys, permissions: 600
    /etc/default/login - owner: root, group: unixsec, permissions: 640
    /etc/security/failedlogin
Control: Security logs reviewed
    Required Configuration: Logs must be exported to a different system for daily analysis. The location logs are exported to must be identified.
Control: Security logs retention
    Required Configuration: Logs retention period must be 60 days or greater
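The password values in the table above are attributes of /etc/security/user, where a per-user stanza overrides the default stanza. The following is an added example (not the standard's own tooling) that parses that stanza format and checks the effective values for general, privileged and system accounts; the file content is constructed, and the sentinel handling (maxage = 0 and loginretries = 0 mean "never" and "no lockout", so both fail) is the reviewer's reading.

```python
"""Checks an AIX-style /etc/security/user file against the table above.

Added example, not part of the standard. SAMPLE is a constructed excerpt."""

SAMPLE = """\
* constructed /etc/security/user excerpt
default:
        login = true
        rlogin = true
        minage = 1
        maxage = 13
        histsize = 12
        loginretries = 5
        minlen = 8
        minalpha = 1
        minother = 1

dbadmin:
        minlen = 12
        maxage = 7

appsvc:
        login = false
        rlogin = false
        minlen = 12

legacy:
        maxage = 0
        loginretries = 0
"""


def parse_stanzas(text):
    """Stanza format: 'name:' opens a stanza, indented 'key = value' lines belong
    to it, and lines starting with '*' are comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        if line.endswith(":") and "=" not in line:
            current = line[:-1]
            stanzas[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def effective(stanzas, user):
    """A user's attributes with the 'default' stanza filled in underneath."""
    attrs = dict(stanzas.get("default", {}))
    attrs.update(stanzas.get(user, {}))
    return attrs


def check_user(stanzas, user, kind="general"):
    """Return violations for one user. kind is general, privileged or system."""
    a = effective(stanzas, user)

    def num(key):
        return int(a.get(key, "0"))

    problems = []
    want_len = 8 if kind == "general" else 12
    if num("minlen") < want_len:
        problems.append(f"minlen={a.get('minlen')} < {want_len}")
    if num("minalpha") < 1 or num("minother") < 1:
        problems.append("minalpha and minother must both be >= 1")
    if kind != "system":
        # maxage = 0 means the password never expires, so 0 is a failure
        want_age = 13 if kind == "general" else 7
        if not 1 <= num("maxage") <= want_age:
            problems.append(f"maxage={a.get('maxage')} not in 1..{want_age} weeks")
    if kind == "general":
        if num("minage") < 1:
            problems.append("minage < 1 day")
        if num("histsize") < 12:
            problems.append("histsize < 12")
        # loginretries = 0 disables lockout entirely, so it also fails
        if not 1 <= num("loginretries") <= 5:
            problems.append(f"loginretries={a.get('loginretries')} not in 1..5")
    if kind == "system":
        for attr in ("login", "rlogin"):
            if a.get(attr, "true") != "false":
                problems.append(f"{attr} must be false for a system account")
    return problems


if __name__ == "__main__":
    s = parse_stanzas(SAMPLE)
    for user, kind in (("default", "general"), ("dbadmin", "privileged"),
                       ("appsvc", "system"), ("legacy", "general")):
        print(f"{user:8s} {kind:10s} {check_user(s, user, kind) or 'OK'}")
```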
Compliance Requirement

1.1 Password

General Passwords

Privileged Accounts [1]
Minimum Password Length - Blank passwords and short passwords are easily guessed by password cracking tools; longer passwords lessen the chance of a password being cracked. - 12 characters (or more)
    Required Configuration: PASSLENGTH=12
Maximum Password Age - The period of time that a user is allowed to use a single password before being required to change it. - 45 days or less
    Required Configuration: MAXWEEKS = 7; per-userid password age settings in /etc/shadow = 45
Password Complexity - Minimum strength of a password in terms of the character sets that are used to construct the password. - Complex (alphabetic characters, plus numbers, plus special characters)
    Required Configuration: PASSREQ=YES, MINALPHA=1, MINNONALPHA=1

System Accounts [2]

1.2 Access Privileges, Authentication and Authorisation

Control: World-writeable files
    Required Configuration: .log and .sh files must not be world writeable
Control: Access to Operating System Resources
    Required Configuration: Permissions for the following resources must be as specified or stricter
    Resource: /var/log - Settings for files for “other” in this directory must be r-x or more stringent; subdirectories are not OSRs.
    Resource: /var/adm - Settings for files for “other” in this directory must be r-x or more stringent; subdirectories are not OSRs.
    /etc/opt/ux/*
        Owners: root, daemon, bin, sys, adm, uucp, nuucp, listen, lp, unixsupp
        Groups: root, other, bin, sys, adm, uucp, mail, tty, lp, nuucp, daemon, sysadmin, unixsupp, oper
        permission: drwxr-xr-x
    .netrc files
        permission: 0400
    /etc/passwd
        owner: root, group: root, permission: 644
    /etc/shadow
        owner: root, group: root, permission: 600
    /etc/inetd.conf
        owner: root, group: sys, permission: 644
Control: Inactive accounts must be disabled in a timely manner
    Required Configuration: Inactive user accounts must be disabled after 90 days of inactivity
Control: Out-of-the-box default accounts logon details must be changed
    Required Configuration: The following users and groups must have a null password: daemon, bin, sys, adm, lp, uucp, nobody
Control: Permissions for user environment control files
    Required Configuration: Group and Everyone permissions for the following files must be none, e.g. x00: .bashrc, .bash_profile, .profile, .cshrc

1.3 System Resources

Control: System Time
    Required Configuration: All devices MUST synchronise their clocks with Westpac Group authorised NTP Servers
Control: Services
    Required Configuration: The following services must be disabled: TFTP, NNTP, CHARGEN, CHARGEN-UDP, CUPS-LPD, DAYTIME, DAYTIME-UDP, ECHO-UDP, EKLOGIN, GSSFTP, IMAP, IMAPS, IPOP2, IPOP3, KRB5-TELNET, KLOGIN, KSHELL, NTALK, POP3S, REXEC, RLOGIN, RSH, RSYNC, SERVERS, SERVICES, SGI_FAM, TALK, TELNET, TIME, TIME-UDP, WU-FTPD, DISCARD, ECHO, FINGER, SYSTAT, WHO, PCNFSD, RSTATD, RUSER, RWALL, SPRAYD, TFTP
Control: FTP
    Required Configuration: FTP usage requires a policy non-compliance. Anonymous FTP must be disabled.
Control: SNMP
    Required Configuration: Community names of public or private must not exist on non-loopback interfaces. Periodic change of community names is not required on secure internal networks.

1.4 Logging

Control: Security events logged
    * All successful and failed logins MUST be logged
    * All security related incidents and events MUST be logged
    * Administrators' & Privileged access users' activities MUST be logged
    Required Configuration:
    SU Events
    Sudo Events
    SSH Login Authentication Events:
    * No Account Present for illegal user
    * Maximum number of attempts exceeded for illegal user
    * Maximum number of attempts exceeded for
    * Not allowed because not listed in AllowUsers
    * Permission denied for illegal user
    * Authentication Failed
Control: Access to security events log
    Required Configuration: The following logs must exist with permissions as indicated:
    /var/cron/log - owner: root, group: sys, permission: 600
    /var/adm/wtmpx - owner: adm, group: adm, permissions: 644
    /var/adm/sulog - owner: root, group: root, permission: 644
    /etc/default/login - owner: root, group: system, sys, root, unixsec; permission: 640
    /etc/syslog.conf - owner: root, group: system, sys, unixsec; permission: 640
    /var/adm/loginlog or /var/log/authlog - owner: root, group: unixsec, permission: 640
Control: Security logs reviewed
    Required Configuration:
    * Logs must be exported to a different system for daily analysis.
    * The location logs are exported to must be identified.
Control: Security logs retention
    Required Configuration: Logs retention period must be 60 days or greater
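The log and configuration files above are listed with an owner, a group (sometimes several acceptable ones) and a mode that must be met "or stricter", and the same kind of list appears in the table for the previous platform. The following is an added example (not the standard's own tooling) that encodes those rows and audits them with stat; "stricter" is read as "grants no permission bit the required mode does not", so a setuid bit or any extra bit fails.

```python
"""Audits file owner, group and mode against "as specified or stricter" rules.

Added example, not part of the standard. REQUIREMENTS copies the rows of the
"logs must exist with permissions" list above (plus /etc/shadow)."""
import grp
import os
import pwd
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    paths: tuple        # alternatives, e.g. /var/adm/loginlog or /var/log/authlog
    owners: frozenset   # acceptable owner names
    groups: frozenset   # acceptable group names
    max_mode: int       # required mode; any extra bit is a failure


REQUIREMENTS = [
    Requirement(("/var/cron/log",), frozenset({"root"}), frozenset({"sys"}), 0o600),
    Requirement(("/var/adm/wtmpx",), frozenset({"adm"}), frozenset({"adm"}), 0o644),
    Requirement(("/var/adm/sulog",), frozenset({"root"}), frozenset({"root"}), 0o644),
    Requirement(("/etc/default/login",), frozenset({"root"}),
                frozenset({"system", "sys", "root", "unixsec"}), 0o640),
    Requirement(("/etc/syslog.conf",), frozenset({"root"}),
                frozenset({"system", "sys", "unixsec"}), 0o640),
    Requirement(("/var/adm/loginlog", "/var/log/authlog"), frozenset({"root"}),
                frozenset({"unixsec"}), 0o640),
    Requirement(("/etc/shadow",), frozenset({"root"}), frozenset({"root"}), 0o600),
]


def mode_is_stricter_or_equal(actual: int, required: int) -> bool:
    """True when `actual` grants no bit that `required` does not.
    setuid/setgid/sticky bits count as extra bits and therefore fail."""
    return (actual & 0o7777) & ~required == 0


def evaluate(owner: str, group: str, mode: int, req: Requirement) -> list:
    """Pure comparison of observed owner/group/mode against one requirement."""
    problems = []
    if owner not in req.owners:
        problems.append(f"owner {owner} not in {sorted(req.owners)}")
    if group not in req.groups:
        problems.append(f"group {group} not in {sorted(req.groups)}")
    if not mode_is_stricter_or_equal(mode, req.max_mode):
        problems.append(f"mode {mode & 0o7777:04o} looser than {req.max_mode:04o}")
    return problems


def audit(req: Requirement) -> list:
    """Stat the first existing alternative path; a missing file is itself a failure."""
    for path in req.paths:
        if not os.path.exists(path):
            continue
        st = os.stat(path)
        try:
            owner = pwd.getpwuid(st.st_uid).pw_name
            group = grp.getgrgid(st.st_gid).gr_name
        except KeyError:                      # unnamed uid/gid: report the number
            owner, group = str(st.st_uid), str(st.st_gid)
        return [f"{path}: {p}"
                for p in evaluate(owner, group, stat.S_IMODE(st.st_mode), req)]
    return [f"{' or '.join(req.paths)}: must exist"]


if __name__ == "__main__":
    for req in REQUIREMENTS:
        for line in audit(req) or [f"{req.paths[0]}: OK"]:
            print(line)
```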
Compliance Requirement

1.1 Passwords

General Passwords
Minimum Password Age - The period of time after a user has changed their password during which they are unable to change it again.
    Required Configuration: Minimum password age - 1 day (or more)
Reset Account Lockout Counter - The period over which failed password entries are tallied towards account lockout. The counter is also reset on lockout of the account.
    Required Configuration: Reset account lockout counter after - 1 day (or more)
Password History Requirements - Enforce password uniqueness by remembering previous passwords.
    Required Configuration: Enforce password history - 12 passwords (or more)
Account Lockout Duration - The duration of account lockout before the account is automatically re-enabled. The Help Desk also has a process to manually re-enable the account.
    Required Configuration: Account lockout duration - 30 minutes (or more)
Account Lockout Threshold - The number of failed password entries before account lockout.
    Required Configuration: Account lockout threshold - 5 attempts (or less)
Minimum Password Length - Minimum length of a user password.
    Required Configuration: Minimum password length - 8 characters (or more)
Maximum Password Age - The period of time after which a user is required to change their password.
    Required Configuration: Maximum password age - 90 days (or less)
Password Complexity - Minimum strength of a password in terms of the character sets that are used to construct the password.
    Required Configuration: Password must meet complexity requirement - enabled

Privileged Accounts [1]
Minimum Password Length - Blank passwords and short passwords are easily guessed by password cracking tools; longer passwords lessen the chance of a password being cracked.
    Required Configuration: Minimum password length - 12 characters (or more)
Maximum Password Age - The period of time that a user is allowed to use a single password before being required to change it.
    Required Configuration: Maximum password age - 45 days (or less)
Password Complexity - Minimum strength of a password in terms of the character sets that are used to construct the password.
    Required Configuration: Password must meet complexity requirement - enabled
Account Lockout Duration - The duration of account lockout before the account is automatically re-enabled. The Help Desk also has a process to manually re-enable the account.
    Required Configuration: Account lockout duration - Forever

System Accounts [2]
Minimum Password Length - Blank passwords and short passwords are easily guessed by password cracking tools; longer passwords lessen the chance of a password being cracked.
    Required Configuration: Minimum password length - 12 characters (or more)
Password Complexity - Minimum strength of a password in terms of the character sets that are used to construct the password.
    Required Configuration: Password must meet complexity requirement - enabled
Account Lockout Duration - The duration of account lockout before the account is automatically re-enabled. The Help Desk also has a process to manually re-enable the account.
    Required Configuration: Account lockout duration - Forever
Maximum Password Age - The period of time that a user is allowed to use a single password before being required to change it.
    Required Configuration: Maximum password age - Never expires (reset the password manually at least once per year).

1.2 Access Privileges, Authentication and Authorisation

Control: Access to Operating System Resources
    Required Configuration: The ‘Everyone’ group must not be granted permission to resources, directories or shares
Control: Access to Operating System Resources
    Required Configuration: For the following resources, Users and Authenticated Users must only be granted read and execute privileges or more restrictive:
    %systemroot%\
    %SystemRoot%\system
    %systemroot%\system32
    %systemroot%\system32\drivers
    %systemroot%\system32\config
    %systemroot%\system32\spool
    %SystemRoot%\system32\GroupPolicy
    %systemroot%\repair
    %SystemRoot%\security
Control: Access to Operating System Resources
    Required Configuration:
    %SystemRoot%\system32\config\SecEvent.Evt - Administrators: Full Control; System: Full Control; Users: Read & Execute
    %SystemRoot%\system32\config\SysEvent.Evt - Administrators: Full Control; System: Full Control; Users: Read & Execute
    %SystemRoot%\system32\config\AppEvent.Evt - Administrators: Full Control; System: Full Control; Users: Read & Execute
Control: Out-of-the-box default accounts logon details must be changed
    Required Configuration: The guest account must be renamed and disabled. The Administrator account must be renamed.
Control: Inactive accounts must be disabled in a timely manner
    Required Configuration: Inactive user accounts must be disabled after 90 days of inactivity
Control: User Rights Assignments
    Required Configuration: Access to the listed user rights must be as specified:
    Take ownership of files or other objects (SeTakeOwnershipPrivilege) - Administrators
    Manage auditing and security log (SeSecurityPrivilege) - Administrators
    Load and unload device drivers (SeLoadDriverPrivilege) - Administrators
    Force shutdown from a remote system (SeRemoteShutdownPrivilege) - Administrators
    Modify firmware environment values (SeSystemEnvironmentPrivilege) - Administrators
    Create permanent shared objects (SeCreatePermanentPrivilege) - None
    Access this computer from the network (SeNetworkLogonRight) - Authenticated Users
    Allow logon through Terminal Services (SeRemoteInteractiveLogonRight) - Administrators; Remote Desktop Users
    Deny access to this computer from the network (SeDenyNetworkLogonRight) - Guests; ANONYMOUS LOGON
    Deny logon as a batch job (SeDenyBatchLogonRight) - Guests
    Deny logon as a service (SeDenyServiceLogonRight) - Guests
    Deny logon through Terminal Services (SeDenyRemoteInteractiveLogonRight) - Guests
    Deny logon locally (SeDenyInteractiveLogonRight) - Guests
Control: Screen Saver
    Required Configuration: Password protect the screen saver - Enabled. Screen saver timeout - 900 sec (or less)

1.3 System Resources

Control: Anti-Virus
    Required Configuration: An enterprise standard anti-virus must be enabled
Control: System Time
    Required Configuration: All devices MUST synchronise their clocks with Westpac authorised NTP Servers
Control: Services
    Required Configuration: The following services must be disabled and have a start-up mode setting of manual or disabled:
    Distributed File System
    File Replication
    NetMeeting Remote Desktop Sharing
    Remote Access Auto Connection Manager
    Remote Access Connection Manager
    Remote Procedure Call (RPC) Locator
    Routing and Remote Access
    SNMP Service
    SNMP Trap
    Telnet
    WebClient
    WinHTTP Web Proxy Auto-Discovery Service
    The following services must be disabled: ECHO, CHARGEN, RSTAT, TFTP, RWALL, RUSER, DISCARD, DAYTIME, BOOTPS, FINGER, SPRAYD, PCNFSD, NETSTAT, WHO
Control: FTP
    Required Configuration: FTP usage requires a policy non-compliance. Anonymous FTP must be disabled.
Control: SNMP
    Required Configuration: Community names of 'public' and 'private' are not permitted if the SNMP service is active; a complex string is required.
Control: Two-way trusts
    Required Configuration: Trusts must adhere to the following (Trusting Environment -> Trusted Environment):
    Development -> Development - Allowed
    Test -> Test - Allowed
    Production -> Production - Allowed
    Production -> Development - Disallowed
    Production -> Test - Disallowed
    Development -> Production - Disallowed
    Test -> Production - Disallowed

1.4 Logging

Control: Minimum logging requirements
    Required Configuration:
    Audit account management: Success, Failure
    Audit directory access: Failure
    Audit logon events: Success, Failure
    Audit object access: Failure
    Audit policy change: Success, Failure
    Audit privilege use: Success, Failure
    Audit system events: Success, Failure
Control: Auditing for sensitive system registry keys and directories
    Required Configuration: The following registry keys must have audit enabled for change or delete (Set Value, Delete):
    HKEY_LOCAL_MACHINE\SW\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SW\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_LOCAL_MACHINE\SW\Microsoft\Windows\CurrentVersion\RunOnceEx
    HKEY_LOCAL_MACHINE\SW\Microsoft\WindowsNT\CurrentVersion\AeDebug
    HKEY_LOCAL_MACHINE\SYSTEM\CCS\Control\SessionManager\KnownDLLs
    HKEY_LOCAL_MACHINE\SYSTEM\CCS\Control\SecurePipeServers\winreg
    The following directories must have audit enabled for failure:
    %systemroot%\
    %systemroot%\system32
    %systemroot%\system32\drivers
    %systemroot%\system32\config
    %systemroot%\system32\spool
    %systemroot%\repair
Control: Security logs reviewed
    Required Configuration: Standard Windows event logs (audit, security and operational) must be exported to a different system for daily analysis. The location logs are exported to must be identified.
Control: Security logs retention
    Required Configuration: Minimum log retention period is 60 days
Control: Deny Interactive Logons to Service Accounts via Group Policy
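The Windows password, lockout and user-rights values above can be verified offline from a security template exported with `secedit /export /cfg`, whose [System Access] and [Privilege Rights] sections hold exactly these settings. The following is an added example (not the standard's own tooling) that reads such a file and reports deviations; the INF text is constructed, the group-name-to-SID mapping uses the well-known SIDs for Administrators, Guests, ANONYMOUS LOGON and Authenticated Users, and the sentinel values (-1 for "never"/"forever", LockoutBadCount 0 for "no lockout") follow secedit's conventions.

```python
"""Checks a secedit-exported INF against the Windows table above.

Added example, not part of the standard. SAMPLE_INF is constructed."""
import configparser

SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 10
ResetLockoutCount = 30
LockoutDuration = 30
[Privilege Rights]
SeTakeOwnershipPrivilege = *S-1-5-32-544
SeCreatePermanentPrivilege = *S-1-5-32-544
SeDenyNetworkLogonRight = *S-1-5-32-546
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
"""

# Well-known SIDs for the group names used in the table.
ADMINISTRATORS, GUESTS = "S-1-5-32-544", "S-1-5-32-546"
ANONYMOUS, AUTHENTICATED = "S-1-5-7", "S-1-5-11"


def parse_inf(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str            # keep case: SeNetworkLogonRight, not senetworklogonright
    cp.read_string(text)
    return cp


def rights(cp, name):
    """SIDs assigned to a user right, without the leading '*'; empty set if unset."""
    raw = cp.get("Privilege Rights", name, fallback="")
    return {s.strip().lstrip("*") for s in raw.split(",") if s.strip()}


def check_password_policy(cp, privileged=False):
    """Violations of the general (or privileged-account) password and lockout rows."""
    sa = cp["System Access"]

    def n(key):
        return int(sa.get(key, "0"))

    problems = []
    min_len, max_age = (12, 45) if privileged else (8, 90)
    if n("MinimumPasswordLength") < min_len:
        problems.append(f"MinimumPasswordLength < {min_len}")
    # MaximumPasswordAge = -1 means "never expires", so anything outside 1..max_age fails
    if not 1 <= n("MaximumPasswordAge") <= max_age:
        problems.append(f"MaximumPasswordAge not within 1..{max_age} days")
    if n("PasswordComplexity") != 1:
        problems.append("PasswordComplexity not enabled")
    if privileged:
        # "Forever": secedit writes LockoutDuration = -1 for "until an administrator unlocks"
        if n("LockoutDuration") != -1:
            problems.append("LockoutDuration must be -1 (forever) for privileged accounts")
        return problems
    if n("MinimumPasswordAge") < 1:
        problems.append("MinimumPasswordAge < 1 day")
    if n("PasswordHistorySize") < 12:
        problems.append("PasswordHistorySize < 12")
    # LockoutBadCount = 0 disables lockout; ResetLockoutCount and LockoutDuration are minutes
    if not 1 <= n("LockoutBadCount") <= 5:
        problems.append("LockoutBadCount not within 1..5")
    if n("ResetLockoutCount") < 1440:
        problems.append("ResetLockoutCount < 1440 minutes (1 day)")
    if n("LockoutDuration") != -1 and n("LockoutDuration") < 30:
        problems.append("LockoutDuration < 30 minutes")
    return problems


def check_user_rights(cp):
    """Violations of a subset of the user-rights rows above (exact sets, or required members)."""
    problems = []
    exact = {"SeTakeOwnershipPrivilege": {ADMINISTRATORS},
             "SeCreatePermanentPrivilege": set(),            # "None"
             "SeNetworkLogonRight": {AUTHENTICATED}}
    for right, want in exact.items():
        if rights(cp, right) != want:
            problems.append(f"{right} = {sorted(rights(cp, right))}, expected {sorted(want)}")
    missing = {GUESTS, ANONYMOUS} - rights(cp, "SeDenyNetworkLogonRight")
    if missing:
        problems.append(f"SeDenyNetworkLogonRight missing {sorted(missing)}")
    return problems


if __name__ == "__main__":
    inf = parse_inf(SAMPLE_INF)
    for line in check_password_policy(inf) + check_user_rights(inf):
        print("FAIL:", line)
```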
