Network Security Classified Protection Evaluation: Windows

Access control

a) Accounts and permissions should be assigned to each logged-in user;
this item mainly checks whether the server assigns a corresponding account and permissions to each user who logs in;
1) Interview the system administrator: who can log in to the operating system, and what permissions do they hold;
2) Select the %systemdrive%\windows\system and %systemroot%\system32\config folders, right-click Properties > Security, and view the permission settings of the Everyone, Users and Administrators groups.
Note: it is best to have two or more accounts other than Administrator in the system.

b) Default accounts should be renamed or deleted, and the default passwords of default accounts should be changed;
this item mainly checks whether the owner has renamed the system's default accounts and changed their default passwords; the
default accounts of Windows are Administrator and Guest.
1) Enter "lusrmgr.msc" at the command line; in the "Local Users and Groups" window that pops up, check whether Administrator has been renamed. Windows has no default password.
2) Check whether the Guest account is disabled; if it is not disabled, it must be renamed.

c) Redundant and expired accounts should be deleted or disabled promptly, and shared accounts should not exist;
this item mainly checks whether the server has redundant or unneeded accounts, and that no account is shared by several people;
enter "lusrmgr.msc" at the command line; in the "Local Users and Groups" window that pops up, ask about the use of each O&M staff account.
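The evidence that items a) to c) ask for can be collected in one pass instead of clicking through lusrmgr.msc and the folder Security tabs. The following PowerShell is an added example, not code from the original article; it assumes Windows 10 / Server 2016 or later (the built-in LocalAccounts, NetSecurity and Microsoft.PowerShell.Security modules), an elevated session, and a 90-day idle threshold that is the example's own choice, not a figure from the standard.

```powershell
# Added example (not from the original article): gather evidence for access-control
# items a) to c). Assumes an elevated PowerShell session on Windows 10 / Server 2016+.

# a) Who can log in, and which groups (and therefore which permissions) do they hold?
$accounts = foreach ($u in Get-LocalUser) {
    $groups = foreach ($g in Get-LocalGroup) {
        # Compare by SID rather than display name so renamed accounts still match.
        $members = Get-LocalGroupMember -Group $g.Name -ErrorAction SilentlyContinue
        if ($members.SID -contains $u.SID) { $g.Name }
    }
    [pscustomobject]@{
        Account   = $u.Name
        Enabled   = $u.Enabled
        LastLogon = $u.LastLogon
        Groups    = ($groups -join ', ')
    }
}
$accounts | Format-Table -AutoSize

# b) Built-in accounts are identified by their well-known RID (500 = Administrator,
#    501 = Guest), so a renamed Administrator is still found and checked.
$admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
"Built-in Administrator is named '$($admin.Name)'; renamed: $($admin.Name -ne 'Administrator')"
"Built-in Guest is named '$($guest.Name)'; enabled: $($guest.Enabled)"

# c) Candidates for redundant accounts: enabled but never used, or idle for 90+ days
#    (90 days is this example's threshold, to be confirmed with the O&M team).
$idleDays = 90
$stale = Get-LocalUser | Where-Object {
    $_.Enabled -and ($null -eq $_.LastLogon -or $_.LastLogon -lt (Get-Date).AddDays(-$idleDays))
}
"Enabled accounts with no logon in the last $idleDays days (review with O&M staff):"
$stale | Select-Object Name, LastLogon | Format-Table -AutoSize

# a) Effective permissions of Everyone / Users / Administrators on the key folders the item names.
foreach ($dir in "$env:SystemRoot\System32", "$env:SystemRoot\System32\config") {
    "ACL of ${dir}:"
    (Get-Acl -Path $dir).Access |
        Where-Object { $_.IdentityReference -match 'Everyone|\\Users$|\\Administrators$' } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
        Format-Table -AutoSize
}
```

Checking the built-in accounts by RID matters in practice: an evaluator who only looks for a user called "Administrator" will report a renamed account as deleted, and an attacker enumerating SIDs would not be fooled by the rename either, which is why the rename is a hardening step and not a substitute for a strong password and monitoring.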

d) Management users should be granted only the minimum privileges they need, so that the privileges of management users are separated;
this item mainly checks whether the management accounts follow the "separation of three roles";
1) Check the accounts set up on the Windows operating system.
2) Check whether the accounts match the actual staffing, and whether they include at least a management account and an audit account.
Note: separation of three roles means a system administrator, a security administrator and an audit administrator.
System administrator: manages accounts, documents, files and so on in the system.
Security administrator: sets the authorization policy and other basic policies, and sets the security parameters. The setting of security parameters appears in the security management evaluation item of the security management center; if "security" in security management and the "security" of the security administrator mean the same thing, then the security administrator's duties should include setting the security parameters. My understanding of security parameters is malicious code prevention and intrusion prevention, that is, the settings of antivirus software, the firewall, IP security policy and anti-intrusion software parameters.
Audit administrator: manages the audit policies in the system, such as log retention policies and the audit policies in Group Policy.

e) The access control policy should be configured by an authorized subject, and the access control policy stipulates the subjects' access rules to objects;
this item mainly checks who configures the server's access control policy and rules;
1) Interview the system administrator: which account is responsible for configuring the access control policy;
2) Check the permission configuration of key directories, and whether access rules are configured according to the security policy.
Note: usually it is the system administrator who does the configuration.

f) The granularity of access control should reach the user or process level for the subject, and the file or database-table level for the object;
this item mainly checks whether an access control policy has been made and whether it is defined down to an individual user (not just a user group) and an individual file (not just a folder);
select important folders such as %systemdrive%\program files, %systemdrive%\Windows\system32, %systemdrive%\Windows\system32\config and %systemdrive%\Windows\system32\secpol, or other important files, right-click Properties > Security, and view the access permission settings.
Note: under normal circumstances this item is met at the subject user level and the object file level.

g) Security labels should be set on important subjects and objects, and subjects' access to information resources carrying security labels should be controlled.
This item mainly concerns hardening the server host and setting sensitivity labels;
ask whether the administrator has labelled the server's sensitive information and resources, and whether users' access to these labelled resources can be restricted.
Note: under normal circumstances the owner does not meet this item (the access control mechanism built into Windows certainly does not meet the requirement; third-party host security software such as Jiaotu, or a customized Windows system, is needed).

Security audit

a) The security audit function should be enabled, the audit should cover every user, and important user behaviour and important security events should be audited;
this item mainly
checks whether the server has the audit function enabled. For Windows, the audit log contents and some policies can be viewed in Server Manager, Event Viewer or Computer Management: enter CompMgmtLauncher, eventvwr or compmgmt.msc in the Run box to open them.
1) For Windows, log auditing is on by default; the Windows Event Log service is started by default and cannot normally be turned off;
2) Enter "secpol.msc" at the command line; in the "Local Security Policy" window that pops up, click "Security Settings -> Local Policies -> Audit Policy" and check whether the audit policy covers all users and important events. The
audit content includes:
audit policy change: success / failure
audit logon events: success / failure
audit object access: success / failure
audit process tracking: success / failure
audit directory service access: success / failure
audit privilege use: success / failure
audit system events: success / failure
audit account logon events: success / failure
audit account management: success / failure
3) Whether third-party audit tools are used.
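The nine legacy audit categories listed above are, on current Windows versions, implemented as advanced-audit subcategories, and the effective setting is what auditpol.exe reports rather than what the secpol.msc tree shows once any subcategory has been set. The following PowerShell is an added example, not code from the original article; it assumes an elevated session, an English-language Windows (auditpol's CSV output is localized), and a subcategory list that this example chose to map onto the article's nine categories.

```powershell
# Added example (not from the original article): evidence for security audit item a).
# Assumes an elevated session on an English-language Windows; auditpol.exe is built in.

# 1) The Windows Event Log service: running and starting automatically?
Get-Service -Name EventLog | Select-Object Name, Status, StartType

# 2) Effective audit policy for every subcategory, read as CSV (/r).
$policy = auditpol /get /category:* /r | ConvertFrom-Csv

# Subcategories this example uses to represent the nine legacy categories in the article.
$required = @(
    'Audit Policy Change',                                  # audit policy change
    'Logon', 'Logoff',                                      # audit logon events
    'File System', 'Registry',                              # audit object access
    'Process Creation',                                     # audit process tracking
    'Directory Service Access',                             # audit directory service access (DCs)
    'Sensitive Privilege Use',                              # audit privilege use
    'Security State Change', 'Security System Extension',   # audit system events
    'Credential Validation',                                # audit account logon events
    'User Account Management', 'Security Group Management'  # audit account management
)

$findings = foreach ($name in $required) {
    $row = $policy | Where-Object { $_.Subcategory -eq $name }
    [pscustomobject]@{
        Subcategory = $name
        Setting     = if ($row) { $row.'Inclusion Setting' } else { 'not reported on this host' }
        # The article's target for each category is "success / failure".
        Compliant   = [bool]($row -and $row.'Inclusion Setting' -eq 'Success and Failure')
    }
}
$findings | Format-Table -AutoSize

# 3) Retention: a Security log that is small and set to overwrite does not "cover every user"
#    for long, so record the size and log mode alongside the policy.
Get-WinEvent -ListLog Security | Select-Object LogName, MaximumSizeInBytes, LogMode, RecordCount
```

Expect "Directory Service Access" to show "No Auditing" or "not reported" on a member server; it only matters on a domain controller. The Inclusion Setting values auditpol emits are "Success and Failure", "Success", "Failure" and "No Auditing", so the Compliant column is a direct reading of the policy rather than an interpretation.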

b) Audit records should include the date and time of the event, the user, the type of event, whether the event succeeded, and other audit-related information;
this item mainly checks the type
of audit record; Windows audit records are in principle compliant by default. Click "Control Panel" -> "Administrative Tools" -> "Event Viewer"
(level, user, time logged, task category, event, source, etc.).

c) Audit records should be protected and backed up regularly to avoid unintended deletion, modification or overwriting;
this item mainly concerns the protection of audit records;
ask the administrator who keeps the audit records during operation and maintenance, whether they are backed up regularly, where the backups are stored, and whether the retention period exceeds 6 months.

d) The audit process should be protected from unauthorized interruption.
The Windows Event Log service cannot normally be turned off.

Intrusion prevention

a) The principle of minimal installation should be followed, installing only the required components and applications;
enter appwiz.cpl (or open Control Panel > Programs and Features) to see the programs installed on Windows; ask the administrator whether any of these programs are redundant.

b) Unneeded system services, default shares and high-risk ports should be closed;
1) Enter "netstat -an" at the command line and check whether the listening ports in the list include high-risk ports, such as TCP 135, 139, 445, 593 and 1025, UDP 135, 137, 138 and 445, and the backdoor ports of some widespread viruses, such as TCP 2745, 3127 and 6129.
2) View the default shares: enter "net share" at the command line to list all shared resources on the local computer and check whether the default shares, shown as C$, D$, are open.
Note: the relationship between services, processes and ports is as follows. When a service is enabled it starts one or more processes; a process may then listen on a port, and only when a process listens on a port is communication on that port meaningful.
All in all, what has to be judged is whether external communication is regulated, and the actual situation must be taken into account.
For example, the default shares may not have been removed, but the port they use may be blocked by the firewall or IP security policy, so non-compliance cannot be determined mechanically.
In addition, whether a listening port is a redundant or high-risk port must be judged from the actual situation; in many cases an interview is still needed.
Finally, besides the firewall and IP security policy built into Windows, the other party may well have implemented controls with third-party devices such as a hardware firewall, so pay attention to this in interviews.
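The note above says a port only matters if a process is listening on it and the host firewall lets traffic reach it, so the evidence for item b) is the triple listener / process / firewall rule, not the netstat output alone. The following PowerShell is an added example, not code from the original article; it assumes Windows 8 / Server 2012 or later (NetTCPIP, NetSecurity and SmbShare modules), an elevated session, and the high-risk port list is the one the article gives.

```powershell
# Added example (not from the original article): evidence for intrusion-prevention item b).
# Assumes an elevated session on Windows 8 / Server 2012+. Port lists are the article's.
$riskyTcp = 135, 139, 445, 593, 1025, 2745, 3127, 6129
$riskyUdp = 135, 137, 138, 445

# 1) Listening sockets joined to the owning process and, where one exists, the hosting service.
$listeners = @(Get-NetTCPConnection -State Listen | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    $svc  = Get-CimInstance Win32_Service -Filter "ProcessId = $($_.OwningProcess)" |
            Select-Object -ExpandProperty Name
    [pscustomobject]@{
        Proto = 'TCP'; Port = $_.LocalPort; Address = $_.LocalAddress
        PID = $_.OwningProcess; Process = $proc.ProcessName; Service = ($svc -join ',')
        HighRisk = $_.LocalPort -in $riskyTcp
    }
})
$listeners += Get-NetUDPEndpoint | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Proto = 'UDP'; Port = $_.LocalPort; Address = $_.LocalAddress
        PID = $_.OwningProcess; Process = $proc.ProcessName; Service = ''
        HighRisk = $_.LocalPort -in $riskyUdp
    }
}
$listeners | Sort-Object Proto, Port | Format-Table -AutoSize

# For each high-risk listener, count the enabled inbound allow rules in the host firewall.
# Zero rules means the listener exists but the host firewall blocks it (the article's
# "cannot be mechanically determined to be non-compliant" case); a hardware firewall
# in front of the server still has to be checked by interview.
foreach ($l in ($listeners | Where-Object HighRisk)) {
    $rules = Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq $l.Proto -and ($_.LocalPort -eq $l.Port -or $_.LocalPort -eq 'Any') } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
    "{0}/{1} ({2}): {3} enabled inbound allow rule(s)" -f $l.Proto, $l.Port, $l.Process, @($rules).Count
}

# 2) Administrative (default) shares such as C$, D$, ADMIN$ and IPC$ carry the Special flag.
Get-SmbShare | Where-Object { $_.Special } | Select-Object Name, Path, Description
```

Rules whose port filter is "Any" are counted as matching because they allow the port too; rules scoped to a service or application rather than a port are not matched by this query and must still be reviewed in the firewall console.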

c) Management terminals that manage the server over the network should be restricted by configuring the terminal access method or the network address range;
1) Using Remote Desktop: for remote management through Windows Remote Desktop, check in the Windows firewall, the IP security policy or the hardware firewall whether there is an IP restriction on the RDP port (generally the default, 3389). Note that the granularity of the restriction is ideally at the IP address level, that is, a specific handful or a few dozen IP addresses, or at least a relatively small network segment.
2) Using third-party tools: for example with TeamViewer, it depends on whether the software itself has this function, or whether other software is used to restrict the management terminal IPs.
3) No remote management: no policy is actually configured, but the server cannot be logged into remotely from an external network, and only local login and operation directly on the server in the computer room are possible. Alternatively, mark the item as not applicable.
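For the Remote Desktop case in 1), the check reduces to reading the actual RDP port and then listing every enabled inbound allow rule for it together with its remote-address scope. The following PowerShell is an added example, not code from the original article; it assumes the Windows firewall is the control being evaluated (a hardware firewall or IP security policy must still be checked separately), an elevated session, and the standard Terminal Server registry locations.

```powershell
# Added example (not from the original article): evidence for intrusion-prevention item c),
# Remote Desktop case. Assumes an elevated session and that the Windows firewall is the control.

# 1) Is Remote Desktop enabled, and on which port? 3389 is the default, but it can be changed.
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled = (Get-ItemProperty -Path $ts).fDenyTSConnections -eq 0
$rdpPort    = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp").PortNumber
"Remote Desktop enabled: $rdpEnabled; listening port: $rdpPort"

# 2) Every enabled inbound allow rule that covers the RDP port, with its remote-address scope.
$rules = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and ($_.LocalPort -eq $rdpPort -or $_.LocalPort -eq 'Any') } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }

foreach ($r in $rules) {
    $scope = @(($r | Get-NetFirewallAddressFilter).RemoteAddress)
    # Grading follows the article: individual addresses are the ideal, a small segment is
    # acceptable, "Any" means the management terminal is not restricted at all.
    $ranges = @($scope | Where-Object { $_ -match '/' -or $_ -match '-' -or $_ -eq 'LocalSubnet' })
    $verdict = if ($scope -contains 'Any')  { 'NOT restricted' }
               elseif ($ranges.Count -eq 0) { 'restricted to specific addresses' }
               else                         { 'restricted to address ranges; confirm they are small' }
    "{0,-45} profile={1,-15} remote={2,-30} {3}" -f $r.DisplayName, $r.Profile, ($scope -join ','), $verdict
}
if (@($rules).Count -eq 0 -and $rdpEnabled) {
    "Remote Desktop is enabled but no inbound allow rule covers port $rdpPort (blocked by the host firewall, or allowed elsewhere)."
}
```

A rule with remote scope "Any" on the Public profile is the finding an evaluator is looking for here; the same listing also shows whether the restriction was applied to the default "Remote Desktop" rule group or to a separately created rule.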

d) A data validity check function should be provided to ensure that content entered through the human-machine interface or received through a communication interface meets the system's requirements;
because it is the application system that provides the external input interfaces, and the data validity check is implemented in the source code or by other hardware measures, this test item is not applicable at the server level.

e) It should be possible to discover potential known vulnerabilities and, after sufficient testing and evaluation, patch them promptly;
1) Ask the system administrator whether the operating system is scanned regularly for vulnerabilities, whether the vulnerabilities found are evaluated and tested before updating, and the update time and update method.
2) Enter "appwiz.cpl" at the command line to open Programs and Features, click "View installed updates" in the list on the left, open the "Installed Updates" interface, and view the patch updates in the list on the right.
360 Safeguard and similar software are not professional scanning tools.

f) It should be possible to detect intrusions on important nodes and raise an alarm when a serious intrusion occurs.
For Windows this must be implemented with third-party software and hardware. Some antivirus and EDR software, such as Kaspersky (Enterprise Edition), has intrusion detection and alarm functions (via email, SMS, etc.), or devices deployed in the network such as an IPS have related functions.
In addition, if the server is deployed in the cloud, Alibaba Cloud, Huawei Cloud and so on also offer such security services, which can also meet the requirement; but note whether the tested party has actually purchased such services.

Malicious code prevention

a) Technical measures against malicious code attacks, or an active-immunity trusted verification mechanism, should be used to identify intrusion and virus behaviour promptly and block it effectively.
1) Check whether anti-malware software is installed (Note: for Windows operating systems, anti-malware software not being installed is judged a high risk; the situation is more serious)
2) Check whether the virus database and version of the anti-malware software are updated in time.

Trusted verification

a) Based on a trusted root, the computing device's boot program, system programs, important configuration parameters and application programs should be verified as trusted, with dynamic trusted verification at key execution points of the application; when trustworthiness is found to be compromised, an alarm should be raised and the verification result sent to the security management center.
At present most information systems have no trusted verification; only a few industrial control systems include trusted computing, so this item is currently not applicable.

Data integrity

a) Verification or cryptographic techniques should be used to ensure the integrity of important data during transmission, including but not limited to authentication data, important business data, important audit data, important configuration data, important video data and important personal information;
if the server's data consists only of its own configuration data, write this item up following identity authentication item c); if it also involves the transmission of audit data and the like, that is assessed separately.

b) Verification or cryptographic techniques should be used to ensure the integrity of important data during storage, including but not limited to authentication data, important business data, important audit data, important configuration data, important video data, and important personal information.
The operating system can guarantee the integrity of its own data in storage.

Data confidentiality

a) Cryptographic technology should be used to ensure the confidentiality of important data during transmission, including but not limited to authentication data, important business data and important personal information;
if the server's data consists only of its own configuration data, write this item up following identity authentication item c); the transmission of other data, such as audit data, is assessed separately.

b) Cryptographic technology should be used to ensure the confidentiality of important data during storage, including but not limited to authentication data, important business data and important personal information.
The operating system can guarantee the confidentiality of its own data in storage.

Data backup and recovery

a) Local backup and recovery of important data should be provided; if the
server has only its own configuration data, no backup and recovery is needed, so this item is not applicable at the server level and should be reflected at the database level.

b) Remote real-time backup should be provided, with important data backed up to the backup site in real time over the communication network; if the
server has only its own configuration data, remote backup and recovery are not needed, so this item is not applicable at the server level and should be reflected at the database level.

c) Hot redundancy of important data-processing systems should be provided to ensure high availability of the system.
For this item, ask the administrator and consult the network topology: is the server deployed in hot-redundant mode, and can this ensure the server's high availability?

Residual information protection

a) It should be ensured that the storage space holding authentication information is completely cleared before it is released or reallocated;
check whether "Store passwords using reversible encryption" is disabled and whether "Shutdown: Clear virtual memory pagefile" is enabled.

b) It should be ensured that storage space containing sensitive data is completely cleared before it is released or reallocated.
Check whether "Shutdown: Clear virtual memory pagefile" is enabled, that is, whether storage space containing sensitive data is guaranteed to be completely cleared before it is released or reallocated.
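Both settings in items a) and b) can be read without opening secpol.msc: the reversible-encryption policy is stored in the local security database (exported with secedit as ClearTextPassword), and the pagefile policy is the ClearPageFileAtShutdown registry value. The following PowerShell is an added example, not code from the original article; it assumes an elevated session and the standard locations of those two settings.

```powershell
# Added example (not from the original article): evidence for residual-information items a) and b).
# Assumes an elevated session; secedit.exe is built into Windows.

# a) "Store passwords using reversible encryption" is the ClearTextPassword line of a
#    secedit export (0 = disabled, which is the compliant state).
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
$match = Select-String -Path $cfg -Pattern '^ClearTextPassword\s*=\s*(\d)' | Select-Object -First 1
Remove-Item -Path $cfg -ErrorAction SilentlyContinue
$reversible = if ($match) { $match.Matches[0].Groups[1].Value } else { 'not found' }
"Store passwords using reversible encryption: " +
    $(if ($reversible -eq '0') { 'Disabled (compliant)' } else { "ENABLED or unreadable (value: $reversible)" })

# b) "Shutdown: Clear virtual memory pagefile" is the registry value ClearPageFileAtShutdown
#    (1 = enabled, which is the compliant state for this item).
$mm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$clear = (Get-ItemProperty -Path $mm -Name ClearPageFileAtShutdown -ErrorAction SilentlyContinue).ClearPageFileAtShutdown
"Clear virtual memory pagefile at shutdown: " +
    $(if ($clear -eq 1) { 'Enabled (compliant)' } else { "not enabled (value: $clear)" })
```

Reversible encryption is off by default, so a value of 1 in the export is a finding that needs an explanation from the administrator (usually a legacy application that required it); clearing the pagefile at shutdown is off by default, so the compliant state for item b) has to have been set deliberately, and it lengthens shutdown noticeably on hosts with a large pagefile.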


Origin: blog.csdn.net/yuanqiangxiao/article/details/105553042