General Passwords
Minimum Password Age - The period of time after a user has changed their password during
which they are unable to change their password again.
Reset Account Lockout counter - The period over which failed password entries are tallied
towards account lockout. The counter is also reset on lockout of the account.
Password History Requirements - Enforce password uniqueness by remembering previous
passwords.
Dormant Account Deletion - The period of time after which an unused account (no activity) is
automatically deleted, with the exception of staff on extended leave.
Account Lockout Duration - The duration of account lockout before being automatically
re-enabled. The Help Desk also has a process to manually re-enable the account.
Account Lockout Threshold - The number of failed password entries before account lockout.
Maximum Password Age - The period of time after which a user is required to change their
password.
Account Lockout Threshold - The number of failed password entries before account lockout.
Dormant Account Disabling - The period of time after which an unused account (no activity)
is automatically disabled.
Minimum Password Length - Minimum length of a user password.
Password Change on First Login - A user issued an initial password (e.g. by the Help Desk)
is forced to change that password on the first login to the system.
Account Lockout Duration - The duration of account lockout before being automatically
re-enabled. The Help Desk also has a process to manually re-enable the account.
Privileged Accounts [1]
Minimum Password Length - Blank passwords and shorter-length passwords are easily
guessed by password cracking tools. To lessen the chances of a password being cracked,
passwords should be longer in length.
Maximum Password Age - The period of time that a user is allowed to use a single password
before being required to change it.
Password Complexity - Minimum strength of a password in terms of the character sets that
are used to construct the password.
Account Lockout Duration - The duration of account lockout before being automatically
re-enabled. The Help Desk also has a process to manually re-enable the account.
System Accounts [2]
Minimum Password Length - Blank passwords and shorter-length passwords are easily
guessed by password cracking tools. To lessen the chances of a password being cracked,
passwords should be longer in length.
Password Complexity - Minimum strength of a password in terms of the character sets that
are used to construct the password.
Account Lockout Duration - The duration of account lockout before being automatically
re-enabled. The Help Desk also has a process to manually re-enable the account.
Maximum Password Age - The period of time that a user is allowed to use a single password
before being required to change it.
Required Configuration
1 day (or more)
Enabled
Required Configuration
* No repeating of 2 or more characters
* Not month of year
* Not the login ID
* No part of user’s surname
1 day (or more)
Forever
Required Configuration
12 Characters (or more)
Forever
Required Configuration
12 Characters (or more)
Forever
[2] System accounts refer to all accounts that perform underlying platform or application services, and are therefore not used by “
systems.
Examples of system accounts include, but are not limited to:
* Application service accounts;
* Platform service accounts; and
* Functional logins.
The use of IT computing resources is restricted by the implementation of adequate identification, authentication and authorisa
and resources to access rules.
Management ensure the establishment, issuing, suspension and closure (or other modification) of user/privileged accounts is a
formally approved by data or system owners.
The use of system administration and privileged accounts/passwords is controlled through an on-line system.
Only authorised individuals can gain access to data files and other backup items/media.
Out-of-the-box default account names MUST be renamed (except the Unix ‘root’ account)
Only Administrators and Privileged access users are permitted to have full control access to files, directories and system resour
The "Everyone" group MUST NOT be used in Access Control Lists (ACLs) to provide access to disk, application & system resourc
Only Administrators are permitted to modify and delete configuration files
Resources MUST be created with permissions and rights according to the principles of need-to-know, least privilege and segreg
Standard Operating Environment 3 - Configuration files must be restricted such that “Everyone” or ”World” access is not grante
Security measures are approved/implemented in line with business requirements and IT security policy/practices for all financi
related) systems.
There is a formal process to monitor, assess and escalate any issues associated with industry alerts and security patches.
Unused services and ports MUST be disabled including but not limited to TFTP, NNTP, CHARGEN, CHARGEN-UDP, C
DAYTIME-UDP, ECHO-UDP, EKLOGIN, GSSFTP, IMAP, IMAPS, IPOP2, IPOP3, KRB5-TELNET, KLOGIN, KSHELL, NTA
RLOGIN, RSH, RSYNC, SERVERS, SERVICES, SGI_FAM, TALK, TELNET, TIME, TIME-UDP, WU-FTPD, DISCARD, ECH
WHO, PCNFSD, RSTATD, RUSER, RWALL, SPRAYD, TFTP
All devices MUST synchronise their clocks with Westpac authorised NTP Servers
Unencrypted File Transfer Protocols such as FTP or TFTP MUST NOT be used (a policy non-compliance MUST be raised fo
instead Secure File Transfer protocols MUST be used e.g. FTPS (FTP over SSL), SFTP (FTP over SSH), SCP and HTTPS
Telnet network protocol is not permitted and MUST be replaced with SSHv2
Standard Operating Environment Security Standard 3. Access Controls Lists and Controls - Anti-Virus: Anti-Virus must be e
scanning, “in memory” scanning and with automated updating to the latest virus definitions.
IT security administration ensure that security activity is logged and any indication of imminent security violation is reported im
may be concerned, internally and externally, and is acted upon in a timely manner.
Audit logs covering key security incidents are produced, and reviewed by exception.
Usage of sensitive utilities/audit tools is logged, and reviewed by exception.
Management ensure that sufficient chronological information is being stored in operations logs to enable the reconstruction, r
examination of the time sequences of processing and the other activities surrounding or supporting processing.
Operational logs cannot be altered or deleted retrospectively.
Logging retention period for online logs MUST be at least 60 days
All successful and failed logins MUST be logged
All security related incidents and events MUST be logged
Administrators & Privileged access users activities MUST be logged
Logs MUST be archived on a different system other than the system being audited
Standard Operating Environment Security Standard 2:
Audit account logon: Success, Failure
Audit account management: Success, Failure
Audit directory/file access: Failure
Audit logon events: Success, Failure
Audit object/library/executables access: Failure
Audit policy change: Success, Failure
Audit all privilege account use: Success, Failure
Audit system events: Success, Failure
Privileged Accounts [1]
Minimum Password Length - Blank passwords and shorter-length passwords are easily
guessed by password cracking tools. To lessen the chances of a password being
cracked, passwords should be longer in length.
Maximum Password Age - The period of time that a user is allowed to use a single
password before being required to change it.
Password Complexity - Minimum strength of a password in terms of the character sets
that are used to construct the password.
System Accounts [2]
Minimum Password Length - Blank passwords and shorter-length passwords are easily
guessed by password cracking tools. To lessen the chances of a password being
cracked, passwords should be longer in length.
Password Complexity - Minimum strength of a password in terms of the character sets
that are used to construct the password.
System accounts should be set up to restrict “human” login to the account wherever
possible.
Services
FTP
SNMP
1.4 Logging
Control
Security events logged
Security events logged
Required Configuration
minage = 1
histsize = 12
loginretries = 5
minlen = 8
maxage = 13 (weeks)
minalpha = 1
minother = 1
Required Configuration
minlen = 12
maxage = 7 (weeks)
minalpha = 1
minother = 1
Required Configuration
minlen = 12
minalpha = 1
minother = 1
For system accounts:
/etc/security/user
login = false
rlogin = false
/etc/ftpusers
Id must exist in file
/etc/passwd
value of login shell in /etc/passwd must be /bin/false
Required Configuration
.log and .sh files must not be world writeable
/etc/passwd - Must not contain passwords
Shadow Password File – Permissions must be 600
Pluggable Authentication Module ( PAM) – Must be used
Permissions for the following resources must be as specified
/.netrc - Read access only by root, write access only by root
/etc/inetd.conf
owner: Root
group: System
permissions: 644
/ - Settings for other must be r-x. Note: this particular requirement is not
recursive.
Settings for other on these directories and all files and directories underneath
them must be r-x or more stringent
/etc
/bin
/usr/sbin
/usr/bin
/usr/etc
/var/adm - Settings for files for other in this directory must be r-x or more
stringent. Not including subdirectories.
/etc/snmpd.conf - Must be x40 or more restrictive
The following files must have read access only by root and write access only by
root
~root /.netrc
~root /.rhosts
The following users must be disabled:
uucp, guest, daemon, bin, sys, adm, lp, and nobody
Inactive user accounts must be disabled after 90 days of inactivity
Users’ local profile (${HOME}/.profile) should have permissions of 0600
Required Configuration
/etc/ntp.conf must be configured on all systems to synchronise with Westpac
authorised NTP Servers
# East Chatswood Computer Centre
server ntp-eccc-a.ntp.net.westpac.com.au key 4 prefer
Required Configuration
Capture messages sent to the syslog AUTH facility and configs - Must exist
Capture FTP and inetd connection tracing information - May exist
Create /var/adm/loginlog to capture failed login attempts - May exist
Turn on cron logging - Must exist
Enable system accounting - Must exist
The following logs must exist with permissions as indicated:
/var/adm/wtmpx
Owner: adm
Group: adm
Permissions 644
/var/adm/sulog
owner: root
group: root
permission: 644
/etc/syslog.conf
owner: root
group: unixsec
Permission: 640
/var/adm/loginlog
owner: root
group: unixsec
Permission: 640
/var/cron/log
owner: root
group: sys
Permission: 600
/etc/default/login
owner: root
group: unixsec
Permission: 640
/etc/security/failedlogin
Logs must be exported to a different system for daily analysis.
Location logs exported to must be identified
Logs retention period must be 60 days or greater
Compliance Requirement
1.1 Password
General Passwords
Privileged Accounts [1]
Minimum Password Length - Blank passwords and shorter-length passwords are easily
guessed by password cracking tools. To lessen the chances of a password being cracked,
passwords should be longer in length. - 12 characters (or more)
Maximum Password Age - The period of time that a user is allowed to use a single
password before being required to change it. - 45 days or less
Password Complexity - Minimum strength of a password in terms of the character sets that
are used to construct the password. - Complex - (alphabetic characters, plus numbers, plus
special characters)
System Accounts [2]
1.3 System Resources
Control
System Time
Services
FTP
SNMP
1.4 Logging
Control
Security events logged
* All successful and failed logins MUST be logged
* All security related incidents and events MUST be logged
* Administrators & Privileged access users activities MUST be logged
Required Configuration
Required Configuration
PASSLENGTH=12
MAXWEEKS = 7
per-userid password age settings in /etc/shadow = 45
PASSREQ=YES
MINALPHA=1
MINNONALPHA=1
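The two password-policy tables above (the AIX /etc/security/user values under "Required Configuration" earlier on this page, and the Solaris PASSLENGTH/MAXWEEKS/MINALPHA/MINNONALPHA values here) are only useful if someone checks live hosts against them. The following is an added example, not part of the standard, that parses both file formats and reports deviations. The sample file contents are constructed, the stanza name "appsvc" is a made-up system account, and the requirement tables are transcribed from the page; the treatment of 0 as "no limit" for loginretries/maxage/MAXWEEKS is the platforms' documented behaviour and is the edge case a reviewer most often misses.

```python
"""Added example: check AIX /etc/security/user stanzas and Solaris
/etc/default/passwd-style KEY=VALUE files against required password values."""
import re
from typing import Dict, List, Tuple

# Constructed AIX /etc/security/user excerpt (not from a real host).
AIX_SAMPLE = """\
default:
        admin = false
        login = true
        minage = 1
        histsize = 12
        loginretries = 0
        minlen = 8
        maxage = 13
        minalpha = 1
        minother = 1

appsvc:
        login = false
        rlogin = false
"""

# Constructed Solaris /etc/default/passwd excerpt (not from a real host).
SOLARIS_SAMPLE = """\
# password policy (constructed sample)
PASSLENGTH=12
MAXWEEKS=7
MINALPHA=1
MINNONALPHA=1
"""

# (key, direction, required): "min" means actual >= required, "max" means actual <= required.
Rule = Tuple[str, str, int]
AIX_GENERAL: List[Rule] = [("minage", "min", 1), ("histsize", "min", 12),
                           ("loginretries", "max", 5), ("minlen", "min", 8),
                           ("maxage", "max", 13), ("minalpha", "min", 1),
                           ("minother", "min", 1)]
SOLARIS_GENERAL: List[Rule] = [("PASSLENGTH", "min", 12), ("MAXWEEKS", "max", 7),
                               ("MINALPHA", "min", 1), ("MINNONALPHA", "min", 1)]
# On AIX and Solaris a value of 0 for these keys means "no limit", so 0 never
# satisfies a "max" rule even though 0 <= 5 arithmetically.
ZERO_MEANS_UNLIMITED = {"loginretries", "maxage", "MAXWEEKS"}

_STANZA = re.compile(r"^(\S+):\s*$")
_ASSIGN = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.*?)\s*$")


def parse_aix_stanzas(text: str) -> Dict[str, Dict[str, str]]:
    """Parse 'name:' stanzas with indented 'key = value' lines; '*' starts a comment."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("*"):
            continue
        m = _STANZA.match(line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
            continue
        m = _ASSIGN.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return stanzas


def parse_keyvalue(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines; '#' starts a comment."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        m = _ASSIGN.match(line.split("#", 1)[0])
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def effective_aix(stanzas: Dict[str, Dict[str, str]], user: str) -> Dict[str, str]:
    """A user's effective value is its own stanza value, else the default stanza's."""
    merged = dict(stanzas.get("default", {}))
    merged.update(stanzas.get(user, {}))
    return merged


def evaluate(settings: Dict[str, str], rules: List[Rule]) -> List[str]:
    """Return one finding per violated rule; an empty list means compliant."""
    findings = []
    for key, direction, required in rules:
        sign = ">=" if direction == "min" else "<="
        raw = settings.get(key, "")
        if raw == "":
            findings.append(f"{key}: not set (required {sign} {required})")
            continue
        value = int(raw)
        if direction == "max" and value == 0 and key in ZERO_MEANS_UNLIMITED:
            findings.append(f"{key}: 0 means no limit (required <= {required})")
            continue
        ok = value >= required if direction == "min" else value <= required
        if not ok:
            findings.append(f"{key}: {value} (required {sign} {required})")
    return findings


def system_account_findings(stanzas: Dict[str, Dict[str, str]], user: str) -> List[str]:
    """The standard's system-account rule: login = false and rlogin = false."""
    s = effective_aix(stanzas, user)
    return [f"{k}: {s.get(k, 'unset')} (required false)"
            for k in ("login", "rlogin") if s.get(k) != "false"]
```

Run it against the constructed samples and the only AIX finding is loginretries = 0, which the arithmetic comparison alone would have passed; the Solaris sample meets every rule.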
Required Configuration
Required Configuration
.log and .sh files must not be world writeable
Permissions for the following resources must be as specified or stricter
Resource: /var/log
Permissions: Settings for files for “other” in this directory must be r-x or more
stringent; subdirectories are not OSR's.
Resource: /var/adm
Permissions: Settings for files for “other” in this directory must be r-x or more
stringent; subdirectories are not OSR's.
/etc/opt/ux/*
Owners: root, daemon, bin, sys, adm, uucp, nuucp, listen, lp, unixsupp
Groups: root, other, bin, sys, adm, uucp, mail, tty, lp, nuucp, daemon, sysadmin,
unixsupp, oper
permission: drwxr-xr-x
.netrc files
permission: 0400
/etc/passwd
owner: root
group: root
permission: 644
/etc/shadow
owner: root
group: root
permission: 600
/etc/inetd.conf
owner: root
group: sys
permission: 644
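Both Unix permission tables on this page (the earlier AIX one: /etc/inetd.conf 644, "other must be r-x or more stringent" under /etc, /bin, /usr/sbin, /usr/bin, /usr/etc, the non-recursive rule for /var/adm; and this Solaris one: /etc/passwd 644, /etc/shadow 600, /etc/inetd.conf 644) express ceilings, not exact values: a file may be stricter than stated but never looser. The following is an added example, not part of the standard, that encodes that "or stricter" test as a bit check and applies it to single files and to directory trees. The requirement table is transcribed from the Solaris entries; the temporary tree it builds is constructed so the checks can be exercised without touching real system files.

```python
"""Added example: check Unix ownership and permission ceilings such as
"/etc/shadow must be 600" and "other must be r-x or more stringent"."""
import grp
import os
import pwd
import stat
import tempfile
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class PermRequirement:
    path: str
    owner: Optional[str] = None     # required owner name; None = not checked
    group: Optional[str] = None     # required group name; None = not checked
    max_mode: Optional[int] = None  # most permissive acceptable mode, e.g. 0o644


def mode_is_within(st_mode: int, ceiling: int) -> bool:
    """True when every permission bit set on the file is also allowed by
    `ceiling` ("644 or stricter"); setuid/setgid/sticky count as bits too."""
    return (stat.S_IMODE(st_mode) & ~ceiling) == 0


def _name(lookup: Callable, ident: int) -> str:
    """Resolve a uid/gid to a name; fall back to the number for orphaned ids."""
    try:
        return lookup(ident)[0]  # pw_name / gr_name is field 0 of the struct
    except KeyError:
        return str(ident)


def check_path(req: PermRequirement) -> List[str]:
    """Findings for one path; an empty list means the path is compliant."""
    try:
        st = os.lstat(req.path)
    except FileNotFoundError:
        return [f"{req.path}: does not exist"]
    findings = []
    if req.max_mode is not None and not mode_is_within(st.st_mode, req.max_mode):
        findings.append(f"{req.path}: mode {stat.S_IMODE(st.st_mode):04o} "
                        f"exceeds {req.max_mode:04o}")
    owner, group = _name(pwd.getpwuid, st.st_uid), _name(grp.getgrgid, st.st_gid)
    if req.owner is not None and owner != req.owner:
        findings.append(f"{req.path}: owner is {owner}, required {req.owner}")
    if req.group is not None and group != req.group:
        findings.append(f"{req.path}: group is {group}, required {req.group}")
    return findings


def other_bits_exceed(root: str, other_ceiling: int = 0o5, recursive: bool = True) -> List[str]:
    """Paths whose 'other' bits exceed `other_ceiling` (0o5 = r-x).
    recursive=False examines root and its direct children only (the standard's
    wording for /var/adm); recursive=True is the rule for /etc, /bin, ..."""
    offenders: List[str] = []

    def examine(path: str) -> None:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            return  # a symlink's own mode is not meaningful; its target is checked on its own
        if (stat.S_IMODE(st.st_mode) & 0o7) & ~other_ceiling:
            offenders.append(path)

    examine(root)
    if recursive:
        for dirpath, dirnames, filenames in os.walk(root):
            for name in dirnames + filenames:
                examine(os.path.join(dirpath, name))
    else:
        for name in os.listdir(root):
            examine(os.path.join(root, name))
    return sorted(offenders)


# Requirement table transcribed from the standard's Solaris entries.
UNIX_REQUIREMENTS = [
    PermRequirement("/etc/passwd", owner="root", group="root", max_mode=0o644),
    PermRequirement("/etc/shadow", owner="root", group="root", max_mode=0o600),
    PermRequirement("/etc/inetd.conf", owner="root", group="sys", max_mode=0o644),
]


def build_constructed_tree() -> Dict[str, str]:
    """Constructed temporary tree (not real system files) to exercise the checks offline."""
    root = tempfile.mkdtemp(prefix="permcheck-")
    os.chmod(root, 0o755)
    paths = {"root": root}
    for name, mode in (("shadow_ok", 0o600), ("shadow_loose", 0o644), ("loose.log", 0o646)):
        p = os.path.join(root, name)
        open(p, "w").close()
        os.chmod(p, mode)
        paths[name] = p
    sub = os.path.join(root, "sub")
    os.mkdir(sub)
    os.chmod(sub, 0o755)
    deep = os.path.join(sub, "deep.sh")
    open(deep, "w").close()
    os.chmod(deep, 0o666)  # world-writable .sh file: violates the ".log and .sh" rule
    paths["deep.sh"] = deep
    return paths
```

On a real host, iterate `check_path` over UNIX_REQUIREMENTS and run `other_bits_exceed("/etc")`; the owner and group checks resolve names through the local passwd/group databases, so an orphaned uid shows up as a number and is reported as a mismatch rather than silently passing.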
Required Configuration
All devices MUST synchronise their clocks with Westpac Group authorised NTP
Servers
The following services must be disabled:
TFTP, NNTP, CHARGEN, CHARGEN-UDP, CUPS-LPD, DAYTIME, DAYTIME-UDP, ECHO-UDP, EKLOGIN,
GSSFTP, IMAP, IMAPS, IPOP2, IPOP3, KRB5-TELNET, KLOGIN, KSHELL, NTALK, POP3S, REXEC,
RLOGIN, RSH, RSYNC, SERVERS, SERVICES, SGI_FAM, TALK, TELNET, TIME, TIME-UDP, WU-FTPD,
DISCARD, ECHO, FINGER, SYSTAT, WHO, PCNFSD, RSTATD, RUSER, RWALL, SPRAYD, TFTP
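The service list above is written in the naming style of inetd/xinetd service entries, where a "-UDP" suffix denotes the datagram variant of a service that also exists over TCP. The following is an added example, not part of the standard, that reads an /etc/inetd.conf, treats commented-out lines as disabled (which is how inetd itself treats them), and reports any active entry on the list; it also folds in the page's separate requirement that unencrypted FTP/TFTP not be used. The inetd.conf content is constructed. Names such as WU-FTPD, SERVERS and SERVICES are server or xinetd names rather than inetd service fields, so they are carried in the list but will not match an inetd.conf entry.

```python
"""Added example: flag inetd-managed services the standard requires to be disabled."""
import re
from typing import List, Set, Tuple

# Service list transcribed from the standard (names as written there).
DISALLOWED_SERVICES = """TFTP, NNTP, CHARGEN, CHARGEN-UDP, CUPS-LPD, DAYTIME, DAYTIME-UDP,
ECHO-UDP, EKLOGIN, GSSFTP, IMAP, IMAPS, IPOP2, IPOP3, KRB5-TELNET, KLOGIN, KSHELL, NTALK,
POP3S, REXEC, RLOGIN, RSH, RSYNC, SERVERS, SERVICES, SGI_FAM, TALK, TELNET, TIME, TIME-UDP,
WU-FTPD, DISCARD, ECHO, FINGER, SYSTAT, WHO, PCNFSD, RSTATD, RUSER, RWALL, SPRAYD, TFTP"""
# The standard separately bans unencrypted file transfer protocols.
UNENCRYPTED_TRANSFER = {"ftp", "tftp"}

# Constructed /etc/inetd.conf (not from a real host).
INETD_SAMPLE = """\
# service  type   proto  wait    user  server               args
ftp        stream tcp    nowait  root  /usr/sbin/in.ftpd    in.ftpd -l
#telnet    stream tcp    nowait  root  /usr/sbin/in.telnetd in.telnetd
chargen    stream tcp    nowait  root  internal
chargen    dgram  udp    wait    root  internal
echo       dgram  udp    wait    root  internal
ssh        stream tcp    nowait  root  /usr/sbin/sshd       sshd -i
"""


def disallowed_set() -> Set[Tuple[str, object]]:
    """Normalise the list to lower-case (service, protocol) pairs.
    'CHARGEN-UDP' means the udp variant only; a bare name (protocol None)
    covers every protocol."""
    pairs: Set[Tuple[str, object]] = set()
    for item in re.split(r"[,\s]+", DISALLOWED_SERVICES.strip()):
        name = item.lower()
        if name.endswith("-udp"):
            pairs.add((name[:-4], "udp"))
        else:
            pairs.add((name, None))
    for name in UNENCRYPTED_TRANSFER:
        pairs.add((name, None))
    return pairs


def parse_inetd(text: str) -> List[Tuple[str, str, str]]:
    """Return (service, protocol, server) for every active (uncommented) entry."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed; inetd would not start a server for it either
        entries.append((fields[0].lower(), fields[2].lower(), fields[5]))
    return entries


def active_disallowed(text: str) -> List[Tuple[str, str]]:
    """(service, protocol) pairs in `text` that the standard says must be disabled."""
    banned = disallowed_set()
    hits = []
    for service, proto, _server in parse_inetd(text):
        base = proto.rstrip("46")  # tcp6/udp6 count as tcp/udp
        if (service, None) in banned or (service, base) in banned:
            hits.append((service, proto))
    return hits
```

Against the constructed file the active ftp, both chargen variants and the udp echo entry are reported; the commented-out telnet line and ssh are not. On Solaris 10 and later, inetd services live in SMF rather than inetd.conf, so the same check would read `inetadm` output instead.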
Required Configuration
SU Events
Sudo Events
Reset Account Lockout counter - The period over which failed password entries
are tallied towards account lockout. The counter is also reset on lockout of the
account.
Password History Requirements - Enforce password uniqueness by remembering
previous passwords.
Account Lockout Duration - The duration of account lockout before being
automatically re-enabled. The Help Desk also has a process to manually
re-enable the account.
Account Lockout Threshold - The number of failed password entries before
account lockout.
Minimum Password Length - Minimum length of a user password.
Maximum Password Age - The period of time after which a user is required to
change their password.
Password Complexity - Minimum strength of a password in terms of the character
sets that are used to construct the password.
Privileged Accounts [1]
Minimum Password Length - Blank passwords and shorter-length passwords are
easily guessed by password cracking tools. To lessen the chances of a password
being cracked, passwords should be longer in length.
Maximum Password Age - The period of time that a user is allowed to use a single
password before being required to change it.
Password Complexity - Minimum strength of a password in terms of the character
sets that are used to construct the password.
Account Lockout Duration - The duration of account lockout before being
automatically re-enabled. The Help Desk also has a process to manually
re-enable the account.
System Accounts [2]
Minimum Password Length - Blank passwords and shorter-length passwords are
easily guessed by password cracking tools. To lessen the chances of a password
being cracked, passwords should be longer in length.
Screen Saver
1.3 System Resources
Control
Anti-Virus
System Time
Services
FTP
SNMP
Two-way trusts
1.4 Logging
Control
Minimum logging requirements
Required Configuration
Minimum password age - 1 day (or more)
Required Configuration
Minimum password length - 12 Characters (or more)
Required Configuration
Minimum password length - 12 Characters (or more)
Required Configuration
The ‘Everyone’ group must not be granted permission to resources,
directories or shares
For the following resources, Users and Authenticated Users must only be
granted read and execute privileges or more restrictive
%systemroot%\
%SystemRoot%\system
%systemroot%\system32
%systemroot%\system32\drivers
%systemroot%\system32\config
%systemroot%\system32\spool
%SystemRoot%\system32\GroupPolicy
%systemroot%\repair
%SystemRoot%\security
%SystemRoot%\system32\config\SecEvent.Evt - Administrators: Full
Control; System: Full Control; Users: Read & Execute
%SystemRoot%\system32\config\SysEvent.Evt - Administrators: Full
Control; System: Full Control; Users: Read & Execute
%SystemRoot%\system32\config\AppEvent.Evt - Administrators: Full
Control; System: Full Control; Users: Read & Execute
The guest account must be renamed and disabled
The Administrator account must be renamed
Inactive user accounts must be disabled after 90 days of inactivity
Access to the listed user rights must be as specified:
Take ownership of files or other objects (SeTakeOwnershipPrivilege) –
Administrators
Manage auditing and security log (SeSecurityPrivilege) - Administrators
Required Configuration
An enterprise standard anti-virus must be enabled
All devices MUST synchronise their clocks with Westpac authorised NTP
Servers
The following services must be disabled and have a start-up mode setting
of manual or disabled:
Distributed File System
File Replication
NetMeeting Remote Desktop Sharing
Remote Access Auto Connection Manager
Remote Access Connection Manager
Remote Procedure Call (RPC) Locator
Routing and Remote Access
SNMP Service
SNMP Trap
Telnet
WebClient
WinHTTP Web Proxy Auto-Discovery Service
The following services must be disabled
ECHO, CHARGEN, RSTAT, TFTP, RWALL, RUSER, DISCARD,
DAYTIME, BOOTPS, FINGER, SPRAYD, PCNFSD, NETSTAT, WHO
Required Configuration
Audit account management: Success, Failure
Audit directory access: Failure
Audit logon events: Success, Failure
Audit object access: Failure
Audit policy change: Success, Failure
Audit privilege use: Success, Failure
Audit system events: Success, Failure
The following registry keys must have audit enabled for change or delete
(Set Value, Delete)
HKEY_LOCAL_MACHINE\SW\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SW\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SW\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\SW\Microsoft\WindowsNT\CurrentVersion\AeDebug
HKEY_LOCAL_MACHINE\SYSTEM\CCS\Control\SessionManager\KnownDLLs
HKEY_LOCAL_MACHINE\SYSTEM\CCS\Control\SecurePipeServers\winreg
The following directories must have audit enabled for failure:
%systemroot%\
%systemroot%\system32
%systemroot%\system32\drivers
%systemroot%\system32\config
%systemroot%\system32\spool
%systemroot%\repair
Standard Windows events logs (audit, security and operational) must be
exported to a different system for daily analysis
Location logs exported to must be identified
Minimum log retention period is 60 days