OS Security Checker
The latest service changes have not yet been reflected in this content. We will update the content as soon as possible. Please refer to the Korean version for information on the latest updates.
Available in Classic and VPC
In the OS Security Checker menu, you can check the results of the security setting inspection of the server's operating system (OS). You can view the detailed inspection result in the inspection report, or download it as a PDF or Excel file. You can also check the recommended solution for each security setting.
To check an inspection result, first run the security setting inspection on the server. For details on how to run an inspection, see OS and WAS Inspection.
OS Security Checker screen
The basic layout of the OS Security Checker menu in System Security Checker is as follows:
Area | Description |
---|---|
① Menu name | The name of the current menu and the number of inspections being viewed. |
② Basic features | |
③ Search area | View the search results by filtering by inspection date or searching by server name. |
④ Excel button | Click to download the inspection result as an Excel file. |
⑤ Inspection Result List | The list of OS security setting inspection results currently being viewed. |
View Inspection Result
The following is how to check the inspection result of the server's OS security setting inspection.
- Click the Services > Security > System Security Checker menus on the NAVER Cloud Platform console, in that order.
- Click the OS Security Checker menu.
- Check the result of the inspection.
  - You can search for the desired result by filtering by inspection date or entering server names.
  - Region: the region of the server
  - Server name: the name of the inspected server. Click it to view the detailed inspection result and solutions (see Detailed Result and Solutions).
  - InstanceNo: the unique server number
  - Check list: the inspection type
    - Linux, Windows: the Linux or Windows OS was inspected
    - Finance: Linux security settings were inspected based on the Financial Security Agency's Electronic Financial Infrastructure
  - Inspection Date: the date of the inspection
  - OS version: the OS version of the inspected server
  - Vulnerable/All items: the number of inspection items that turned out to be "Bad" / the total number of inspection items
  - Critical, Major, Minor: the number of "Bad" inspection items for each severity
  - Report view: click the [Report] button to view the entire inspection result as an inspection report and download it as a PDF file.
Detailed Result and Solutions
The following is how to check the detailed result of the OS security setting inspection, the explanation and solutions for each inspection item, and how to download them.
- Click the Services > Security > System Security Checker menus on the NAVER Cloud Platform console, in that order.
- Click the OS Security Checker menu.
- Click the inspected server's name to view the detailed result.
- Once the Detailed Result and Solutions window pops up, check the inspection details and result.
  - Click each inspection item to check its description, suggested settings, examination standard, and solutions.
  - Select the Severity and Inspection Result and click the [Search] button to filter the inspection items.
  - Click the [Report] button to view the displayed result as an inspection report and download it as a PDF file.
  - Click the [Excel] button to download the displayed result as an Excel file.
OS Security Setting Inspection Items
Check the OS security setting inspection items for each server operating system.
- Linux Inspection Items
- Linux Inspection Items (Based on Financial Security Agency’s Electronic Financial Infrastructure)
- Windows Inspection Items
You can check the explanation of each inspection item, the suggested settings, and the solutions in the Detailed Result and Solutions pop-up window of the NAVER Cloud Platform console (see Detailed Result and Solutions).
Linux Inspection Items (CSAP)
The following describes the CSAP security setting inspection items for Linux.
Check ID | Checklist | Description |
---|---|---|
U-01 | Restrict root account remote access | Inspect whether remote access by the root account is blocked, by checking the root account’s remote access block setting, so that root login attempts by unauthorized external parties are blocked at the source. ※ /etc/securetty: the file that restricts root access over Telnet. If pts/x entries exist in the "/etc/securetty" file, be sure to remove them, as they allow root account access regardless of the PAM module settings. tty (terminal-teletype): the user logs in at the console directly from a monitor, keyboard, etc. connected to the server. pts (pseudo-terminal): the user connects using Telnet, SSH, a terminal emulator, etc. |
U-02 | Password complexity settings | Inspect whether password complexity settings for user accounts (both root and normal accounts) are set in the system policy. |
U-03 | Set an account lockout threshold | Inspect if the user log-in failure threshold is set in the system policy. It is recommended that you set a threshold to block attempts to log in to the system, such as from a brute force attack. |
U-04 | The maximum usage time setting for passwords | If you do not set a maximum usage time for passwords, there is no limit to the amount of time an unauthorized person can attempt various attacks (random brute force attacks, dictionary attacks, etc.). A compromised password can be used to take control of the system for an extended period of time. Appropriately limit the maximum usage time to ensure that passwords are changed periodically. |
U-05 | Password file protection | On some older systems, the password policy is not enforced and passwords are stored in plain text in the /etc/passwd file. Inspect if the passwords of user accounts are encrypted. |
U-06 | Root home path directory authority and path settings | If the PATH environment variable contains a "." (referring to the current directory) at the beginning or middle of the variable, when you execute a common command (such as ls, mv, ps, etc.), the files in the current directory are executed first, rather than the original command. Check the PATH environment variable for the root account, as anomalous files could be executed by a malicious user. |
U-07 | File and directory owner settings | Check whether there are files and directories without an owner and delete them to prevent misuse by arbitrary users. A user later assigned the same UID as the deleted owner can access the file or directory, and information can be exposed. This usually happens because files belonging to departed users are not deleted, or because malicious files were created during an intrusion. |
U-08 | The owner and authority setting for the /etc/passwd file | The "/etc/passwd" file is an important file that contains the user's ID, password (marked with 'x' for security), UID, GID, home directory, and shell information. If the "/etc/passwd" file can be modified by a user other than the administrator (root), malicious actions such as shell tampering, user addition/deletion, and privilege escalation attempts are possible, so the file's permissions must be managed appropriately. |
U-09 | The owner and authority setting for the /etc/shadow file | The "/etc/shadow" file is an important file that stores and manages passwords for all accounts registered on the system in encrypted form. If permissions management is not in place for this file, account and password information can be exposed to the outside world. It is recommended that you restrict access for all users except the administrator (root) account. |
U-10 | The owner and authority setting for the /etc/hosts file | The "/etc/hosts" file maps IP addresses to hostnames. If permissions on this file are not managed, it can be exploited for pharming attacks that bypass DNS by registering malicious systems in the hosts file. It is recommended that you restrict access for all users except the administrator (root) account. |
U-11 | The owner and authority setting for the /etc/(x)inetd.conf file | The Internet super daemon is responsible for running the daemon when internal programs registered in the service configuration file (/etc/(x)inetd.conf) are requested from the external network. If the access permissions of inetd.conf (xinetd.d) are set incorrectly, an unauthorized person can register a malicious program and run the service with root permissions, affecting existing services. It is recommended that you restrict access for all users except the administrator (root) account. |
U-12 | The owner and authority setting for the /etc/syslog.conf file | The "/etc/syslog.conf" file is a file that sets up the main log records that occur during system operation. If the file does not have a proper access permission, it can be tampered with by an attacker. System logs may not accurately record traces of the intruder or system errors. It is recommended that you restrict write permissions for all users except the administrator (root) account. |
U-13 | The owner and authority setting for the /etc/services file | The "/etc/services" file is used to manage services. If normal users can access and edit the file, it can cause a breach by restricting legitimate services or maliciously running unauthorized services. It is recommended that you restrict write permissions for all users except the administrator (root) account. |
U-14 | Inspect the SUID, SGID, and Sticky bit setting files | A file with SUID (Set User-ID) or SGID (Set Group-ID) set (especially one owned by root) can be used to execute certain commands with root permissions and cause service failure. For root-owned SUID files, remove the SUID and SGID attributes except where absolutely necessary, and periodically diagnose and manage them for misconfiguration and security threats. *SUID (Set User-ID): while a file with this bit set runs, the process temporarily gains the file owner’s permissions. *SGID (Set Group-ID): while a file with this bit set runs, the process temporarily gains the file owner group’s permissions. |
U-15 | The owner and authority setting for user, system start files and environment files | Restrict access to environment variable files, such as user files in the home directory and user-specific system startup files, as appropriate. Unauthorized persons can tamper with environment variable files and cause disruption of legitimate services. It is recommended that you restrict write permissions for all users except the administrator (root) account and its users. Types of environment variable files: ".profile", ".kshrc", ".cshrc", ".bashrc", ".bash_profile", ".login", ".exrc", ".netrc", etc. |
U-16 | Inspect the world writable file | If an important file, such as a system file, is set to world writable, a malicious user can tamper with it. Because of the risk of unauthorized access and failure of the system, restrict write permissions for normal users. |
U-17 | Forbid using $HOME/.rhosts, hosts.equiv | The 'r' commands, such as rlogin, rsh, rexec, etc., allow remote access by an administrator without authentication. If proper security settings are not applied, a remote attacker can execute arbitrary commands on the system with administrator permissions. This is a very weak security structure, so if you must use it, limit the permissions. Set the owner of the /etc/hosts.equiv file and .rhosts files to root, or to the corresponding account, set their permissions to 600, and make sure the files do not contain the '+' setting (allow all hosts). |
U-18 | Access IP and Port Restriction | Prevent external attacks by allowing only limited hosts to use the service. By default, you must set the deny setting for all hosts, and add only those hosts that are absolutely necessary for the service to the allow setting. Related configuration files: hosts.allow, hosts.deny |
U-19 | The owner and authority setting for cron files | If the crontab command is available to normal users other than root, they may intentionally or unintentionally execute illegal scheduled files. Ensure that cron-related files are not accessible to unauthorized users. |
U-20 | Deactivating finger service | Finger (User Information Verification Service) allows you to check user information registered in the system from outside the network. To prevent unauthorized persons from viewing user information, it is recommended that you prohibit the use of the service. |
U-21 | Disable anonymous FTP | Check to see if the FTP service in use is allowing anonymous FTP access, and consider blocking it. |
U-22 | Deactivate r services | The 'r' commands, such as rlogin, rsh, rexec, etc. are commands that allow remote access by an administrator without authentication. If proper security settings are not applied, an attacker from a remote location can execute arbitrary commands on the system with the administrator permissions. It is recommended that you disable them if you are not using them for services. |
U-23 | Disable the services vulnerable to DoS attacks | If you do not use the services that are vulnerable to DoS attacks, it is recommended that you disable them. Services suggested to be disabled: echo, discard, daytime, chargen |
U-24 | Deactivate NFS services | Network File System (NFS) is a service that allows you to mount and use the file system of a remote computer on your local system. Its use is prohibited because of the high risk of unauthorized parties abusing NFS mounts to access and tamper with the system. If you must use it, manage it according to control #25. |
U-25 | NFS access control | When using NFS, restrict access to only authorized users. Sharing with everyone must be restricted to prevent unauthorized access. |
U-26 | Remove automountd. | automountd lets clients automatically mount a server's file system and unmount it when it is no longer in use. Stop the service, because it has a vulnerable element that allows a local attacker to send RPC (Remote Procedure Call) requests through automountd. |
U-27 | Check the RPC service | Remote Procedure Call (RPC) is a protocol that lets a program run a subroutine or procedure in another address space without explicitly coding the remote interaction. It is recommended that you disable these services, as some RPC services have vulnerabilities, including remote execution. RPC services suggested to be disabled: rpc.cmsd, rpc.ttdbserverd, sadmind, rusersd, walld, sprayd, rstatd, rpc.nisd, rexd, rpc.pcnfsd, rpc.statd, rpc.ypupdated, rpc.rquotad, kcms_server, cachefsd |
U-28 | Check NIS and NIS+ | The Network Information Service (NIS) is an RPC service called ypserv that is used in conjunction with portmap and other related services to distribute usernames, passwords, and other confidential information to computers located in the same domain. Because it passes confidential information unencrypted over the network, it is a security vulnerability. It is recommended that you avoid using the NIS service whenever possible, and use NIS+ when necessary. |
U-29 | Deactivate tftp and talk services | It is recommended that you deactivate the tftp, talk and ntalk services as they are vulnerable in security aspects. |
U-30 | Check the Sendmail version | The Sendmail service has many reported vulnerabilities in most versions. It is recommended not to use it if it is not required for your service, and to use the latest version if it is required. |
U-31 | Restrict spam mail relays | Simple Mail Transfer Protocol (SMTP) is the standard communication protocol for sending email over the Internet. If you need to provide a service that sends email through an SMTP server, you need to have appropriate security settings in place. If you don't restrict the relay feature, it can be hijacked as a spam server for malicious purposes or become the target of a DoS attack. |
U-32 | Prevent normal users from running Sendmail | When using the SMTP service, the q option can be used to arbitrarily change Sendmail settings or force mail queues to be dropped. Therefore, restrict the q option for normal users. |
U-33 | Patch DNS security version | Berkeley Internet Name Domain (BIND) consists of DNS server and resolver library designed for BSD-based Unix systems. Various vulnerabilities have been reported in almost all versions, and it is recommended that you install and use the latest version whenever possible. |
U-34 | Set DNS Zone Transfer | DNS Zone Transfer is a feature used to maintain the zone information consistency between the Primary Name Server and Secondary Name Server. Restrict the transfer of zone information to secondary name servers only. If you allow zone transfers to unauthorized users, an attacker can use the transferred zone information to learn a lot of information about hosts, system information, network configuration, etc. |
U-35 | Apply the recent security patch and vendor recommendations | Check if the system is safely managed via regular security patches. It is recommended that you apply the latest security patches to prevent attacks that exploit known vulnerabilities. |
U-36 | Regular review and report of logs | Check if the system status is maintained to be stable via regular log reviews. If you do not have a procedure for reviewing and reporting logs, you may miss identifying external intrusion attempts. And when you do discover a suspected intrusion attempt, it can be difficult to analyze the relevant information and take further action, such as blocking access to the affected equipment. |
Linux Inspection Items (KISA)
The following describes the KISA security setting inspection items for Linux.
Check ID | Checklist | Description |
---|---|---|
U-01 | Restrict root account remote access | Inspect whether remote access by the root account is blocked, by checking the root account’s remote access block setting, so that root login attempts by unauthorized external parties are blocked at the source. |
U-02 | Password complexity settings | Inspect whether password complexity settings for user accounts (both root and normal accounts) are set in the system policy. |
U-03 | Set an account lockout threshold | Inspect if the user log-in failure threshold is set in the system policy. |
U-04 | Password file protection | Inspect if the system’s user account passwords stored in the /etc/passwd file are encrypted. |
U-05 | Root home path directory authority and path settings | Inspect if the root account’s PATH environment variable includes "." (the current directory). |
U-06 | File and directory owner settings | Inspect if there are any files or directories without an owner. |
U-07 | The owner and authority setting for the /etc/passwd file | The owner and permissions setting for important system files |
U-08 | The owner and authority setting for the /etc/shadow file | The owner and permissions setting for important system files |
U-09 | The owner and authority setting for the /etc/hosts file | The owner and permissions setting for important system files |
U-10 | The owner and authority setting for the /etc/(x)inetd.conf file | The owner and permissions setting for important system files |
U-11 | The owner and authority setting for the /etc/syslog.conf file | The owner and permissions setting for important system files |
U-12 | The owner and authority setting for the /etc/services file | The owner and permissions setting for important system files |
U-13 | Inspect the SUID, SGID, and Sticky bit setting files | Remove unnecessary SUID and SGID attributes from files. |
U-14 | The owner and authority setting for user, system start files and environment files | Restrict access permissions for user files in the home directory and environment variable files, such as each user's system startup files. |
U-15 | Inspect the world writable file | Inspect if there are unnecessary world writable files. |
U-16 | Inspect the device files that do not exist at /dev | Inspect if there are device files for devices that do not actually exist. |
U-17 | Forbid using $HOME/.rhosts, hosts.equiv | Restrict the r commands, such as rlogin, rsh, rexec, etc. |
U-18 | Access IP and Port Restriction | Prevent external attacks in advance by allowing only limited hosts to use the service. |
U-19 | Deactivating finger service | Deactivate the finger service to prevent unauthorized people from viewing user information. |
U-20 | Disable anonymous FTP | Block anonymous FTP access to restrict users without permission from using FTP. |
U-21 | Deactivate r services | Deactivate the r commands, such as rlogin, rsh, rexec, etc. |
U-22 | The owner and authority setting for cron files | The owner and permissions setting for important system files |
U-23 | Disable the services vulnerable to DoS attacks | Disable unused services that are vulnerable to DoS attacks. |
U-24 | Deactivate NFS services | Deactivate NFS services. |
U-25 | NFS access control | Restrict NFS usage and access to only authorized users. |
U-26 | Remove automountd. | Stop the service because it has a vulnerable element that a local attacker can send an RPC(Remote Procedure Call) via automountd. |
U-27 | Check the RPC service | Disable the services, as some RPC services have vulnerabilities, including remote execution. |
U-28 | Check NIS and NIS+ | Avoid using the NIS service as much as possible. If necessary, use NIS+. |
U-29 | Deactivate tftp and talk services | Deactivate the tftp, talk and ntalk services as they are vulnerable in security aspects |
U-30 | Check the Sendmail version | Many weaknesses are found in most versions. If it is unnecessary, stop using it |
U-31 | Restrict spam mail relays | Restrict the SMTP server’s relay feature. |
U-32 | Prevent normal users from running Sendmail | Restrict normal users from using the q option when providing SMTP services. |
U-33 | Patch DNS security version | Use the most recent version of BIND. |
U-34 | Set DNS Zone Transfer | Restrict |
U-35 | Remove the Apache directory listing | Deactivate the directory listing feature. |
U-36 | Restrict Apache web process permissions | Apache must be run with a separate authority instead of root authority. |
U-37 | Forbid access to Apache's upper directory | Restrict moving to the upper directory in the AllowOverride option |
U-38 | Remove all unnecessary files of Apache | Inspect if the unnecessary files created as a default upon installing Apache are removed. |
U-39 | Forbid using Apache links | Restrict using symbolic links |
U-40 | Restrict Apache file upload and download | Forbid file uploads and downloads by default, and restrict the size when they are necessary. |
U-41 | Separate Apache web service areas | Change the DocumentRoot from the default setting(htdocs directory) to other locations |
U-42 | Apply the recent security patch and vendor recommendations | Check if the system is safely managed via regular security patches |
U-43 | Regular review and report of logs | Check if the system status is maintained to be stable via regular log reviews. |
U-44 | Forbid ‘0’ for UID other than root | Inspect if there are accounts other than the root account that have a UID value of 0 (the same permissions as root). |
U-45 | Restrict root account’s su | |
U-46 | Minimum password length settings | Set the minimum password length to more than 8 characters |
U-47 | The maximum usage time setting for passwords | To allow them to change passwords regularly, restrict the maximum usage time appropriately. |
U-48 | The minimum usage time setting for passwords | Set the minimum duration until changing passwords. |
U-49 | Removal of unnecessary accounts | |
U-50 | Include minimum accounts in an admin group | Inspect if the system management group has the minimum number of accounts. |
U-51 | Forbid GIDs without accounts | Inspect if unnecessary groups exist in the group setting file (groups without accounts that are not used for system management and operation, or groups with accounts that are not used for system management or operation). |
U-52 | Forbid same UID | Inspect if there are user accounts with the same UID. |
U-53 | User shell inspection | Restrict accounts that do not require login from logging in by assigning the /bin/false shell. |
U-54 | Session Timeout Setting | Set the Session Timeout to force quit the connection when no event occurred for a certain period. |
U-55 | The owner and authority setting for the hosts.lpd file | The owner and authority setting for important system files |
U-56 | Manage umask settings | Inspect if the UMASK value is appropriate. |
U-57 | The owner and authority setting for Home Directory | Restrict normal users other than the owner of user home directory from editing the home directory |
U-58 | Manage the existence of the directory assigned as home directory | Inspect if each user account and its home directory match. |
U-59 | Search and remove hidden files and directories | Inspect if hidden files or suspicious files exist in the directory. |
U-60 | Allow ssh remote access | Use the SSH (Secure Shell) service that encrypts all communication between users and system upon remote access |
U-61 | Check the ftp service | Inspect if the FTP service is activated |
U-62 | Restrict shell for ftp accounts | Block the system access to the account by giving /bin/false shell to the created default account upon installing FTP |
U-63 | The owner and authority setting for the Ftpusers file | The owner and authority setting for important system files |
U-64 | Ftpusers file setting | |
U-65 | The owner and authority setting for the at file | The owner and authority setting for important system files |
U-66 | Check whether to run SNMP service | Stop using unnecessary SNMP services |
U-67 | Complexity setting for SNMP service community string | Changes the community string to a value that cannot be guessed. |
U-68 | Warning message upon logging on | Block unnecessary information and show a warning message about illegal use when logging on to the server or service. |
U-69 | Access Permission for NFS setting file | Inspect if the NFS setting file is restricted for normal users from editing |
U-70 | expn, vrfy commands restriction | If you must use SMTP for unavoidable reasons, restrict the use of VRFY and EXPN, Sendmail's default commands, to prevent Sendmail abuse. |
U-71 | Hide Apache web service information | Set the message to avoid exposing too much details upon web page errors |
U-72 | Set system logging based on a policy | Inspect if the logging setting is applied according to the internal policy. |
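The account and PATH checks described in the two Linux tables above (U-44 and U-52 in the KISA list; U-05/U-06 and U-08/U-09 in the CSAP list, U-04/U-05 in the KISA list), reproduced as an added example that is not part of the NAVER Cloud Platform checker. The passwd entries, file names and function names are constructed for this example, and GNU stat on Linux is assumed for the permission check.

```shell
#!/bin/sh
# Added example, not NAVER Cloud Platform code: re-creates a handful of the
# Linux account and file checks from the CSAP/KISA tables so the "Bad"
# conditions can be reproduced offline on a constructed passwd file.
# Assumes a POSIX shell with awk and GNU stat (Linux).

# U-44 (KISA): accounts other than root whose UID is 0 (root-equivalent).
find_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# U-52 (KISA): UIDs shared by more than one account, printed as "uid a,b".
find_duplicate_uids() {
    awk -F: '{ n[$3]++; if (n[$3] == 1) u[$3] = $1; else u[$3] = u[$3] "," $1 }
             END { for (id in n) if (n[id] > 1) print id, u[id] }' "$1" | sort -n
}

# U-05 (CSAP) / U-04 (KISA) / SRV-022: the password field of /etc/passwd should
# be "x" (hash kept in /etc/shadow). Empty means no password at all; any other
# value (a hash, or plaintext on old systems) sits in a world-readable file and
# is reported for review.
find_unshadowed_accounts() {
    awk -F: '$2 != "x" { print $1 ":" ($2 == "" ? "EMPTY" : "IN_PASSWD") }' "$1"
}

# U-06 (CSAP) / U-05 (KISA): a "." or an empty element in PATH (leading,
# trailing or doubled ":") makes the current directory searched for commands.
# Returns 0 when the PATH value is clean.
path_is_clean() {
    case ":$1:" in
        *:.:*|*::*) return 1 ;;
    esac
    return 0
}

# U-08/U-09 (CSAP): the permission bits of a file must be a subset of an
# allowed maximum (e.g. 400 for /etc/shadow). The owner must also be root,
# which is a separate "stat -c %U" check on a real host.
file_mode_within() {
    mode=$(stat -c '%a' "$1") || return 2
    [ $(( 0$mode & ~0$2 )) -eq 0 ]
}

# Constructed sample data (not from any real system).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASSWD="$WORK/passwd"
cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
svcadmin:x:0:0:legacy admin:/home/svcadmin:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1001:1002::/home/bob:/bin/bash
guest::1002:1002::/home/guest:/bin/sh
legacy:$1$fake$notarealhash:1003:1003::/home/legacy:/bin/sh
EOF
SHADOW="$WORK/shadow"
: > "$SHADOW"
chmod 640 "$SHADOW"   # deliberately looser than the 400 the check expects

echo "U-44 UID 0 accounts other than root:"; find_uid0_accounts "$PASSWD"
echo "U-52 duplicate UIDs:";                  find_duplicate_uids "$PASSWD"
echo "U-05 password field not shadowed:";     find_unshadowed_accounts "$PASSWD"
for p in "/usr/sbin:/usr/bin:/bin" "/usr/sbin:.:/usr/bin" ":/usr/bin"; do
    if path_is_clean "$p"; then echo "U-06 PATH ok:  $p"; else echo "U-06 PATH BAD: $p"; fi
done
if file_mode_within "$SHADOW" 400; then echo "U-09 shadow mode ok"
else echo "U-09 shadow mode BAD: $(stat -c '%a' "$SHADOW")"; fi
```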
Linux Inspection Items (Based on Financial Security Agency’s Electronic Financial Infrastructure)
The following describes the security setting inspection items for Linux based on the Financial Security Agency’s Electronic Financial Infrastructure.
Check ID | Inspection item | Description |
---|---|---|
SRV-001 | Complexity setting for SNMP service community string | The Simple Network Management Protocol (SNMP) service is a protocol for network management by automatically collecting information from each host on a TCP/IP-based network on a regular basis. To send and receive information called MIBs, SNMP uses a "Community String," which is a kind of password during the authentication process. The Community String is often set to public or private by default, and if this is not changed, there is a vulnerability that can be exploited to determine important information and settings on the system by using this string. Change the Community String to a value that cannot be guessed. |
SRV-004 | Execute unnecessary SMTP service | The SMTP service sends mail over the Internet based on the SMTP protocol. A malicious attacker can use the SMTP service to obtain information about the computer running it or to perform various attacks. Therefore, check whether unnecessary SMTP services are running. |
SRV-005 | expn, vrfy commands restriction | Simple Mail Transfer Protocol (SMTP) is the standard communication protocol for sending email over the Internet. However, it has many vulnerabilities and is not recommended unless absolutely necessary for the service. If you must use it for unavoidable reasons, restrict the use of VRFY and EXPN, Sendmail's default commands, to prevent Sendmail abuse. *VRFY: a command that an SMTP client sends to an SMTP server to check whether a given ID exists as a mail recipient. *EXPN (mailing list expansion): a command that expands a mailing list into the addresses mail is forwarded to. |
SRV-006 | Insufficient SMTP service log level settings | Sendmail is a popular mail transfer agent (MTA) included by default in Unix. It must be monitored to ensure service availability and for ongoing security vulnerabilities. Check that Sendmail's loglevel is set appropriately so that events during service operation are logged. |
SRV-007 | Check the Sendmail version | The Sendmail service has many reported vulnerabilities in most versions. It is recommended not to use it if it is not required for your service, and to use the latest version if it is required. |
SRV-008 | Disable DoS protection for the SMTP service | Inspect whether security settings are in place to prevent mail service denial or system downtime caused by exceeding the network link capacity or server process capacity. |
SRV-009 | Restrict spam mail relays | Simple Mail Transfer Protocol (SMTP) is the standard communication protocol for sending email over the Internet. If you need to provide a service that sends email through an SMTP server, you need to have appropriate security settings in place. If you don't restrict the relay feature, it can be hijacked as a spam server for malicious purposes or become the target of a DoS attack. |
SRV-010 | Prevent normal users from running Sendmail | When using the SMTP service, the q option can be used to arbitrarily change Sendmail settings or force mail queues to be dropped. Therefore, restrict the q option for normal users. |
SRV-011 | Ftpusers file setting | FTP service transmits IDs and passwords unencrypted, which can expose the IDs and passwords with a simple sniffer. It is recommended that you avoid using FTP services unless absolutely necessary. If you must use an FTP service, restrict direct access to the root account to ensure that the root account's password information is not exposed. |
SRV-012 | Expose host information within the .netrc file | .netrc files are used by FTP to send and receive files automatically. They are insecure because they store the FTP host, login ID, and password in plain text. Make sure that correct permissions are set. |
SRV-013 | Disable anonymous FTP | Check to see if the FTP service in use is allowing anonymous FTP access, and consider blocking it. |
SRV-014_1 | NFS access control | When using NFS, restrict access to only authorized users. Sharing with everyone must be restricted to prevent unauthorized access. |
SRV-014_2 | Access Permission for NFS setting file | Network File System (NFS) is a service that allows you to mount and use the file system of a remote computer on your local system. If the NFS access control configuration file is accessible and modifiable by non-administrative users, they may be able to register unauthorized users and mount the file system for illegal tampering. Therefore, ensure that your NFS access control configuration file cannot be modified by normal users. |
SRV-015 | Deactivate NFS services | Network File System (NFS) is a service that allows you to mount and use the file system of a remote computer on your local system. Its use is prohibited because of the high risk of unauthorized parties abusing NFS mounts to access and tamper with the system. If you must use it, manage it according to control #25. |
SRV-016 | Check the RPC service | Remote Procedure Call (RPC) is a protocol that lets a program run a subroutine or procedure in another address space without explicitly coding the remote interaction. It is recommended that you disable these services, as some RPC services have vulnerabilities, including remote execution. RPC services suggested to be disabled: rpc.cmsd, rpc.ttdbserverd, sadmind, rusersd, walld, sprayd, rstatd, rpc.nisd, rexd, rpc.pcnfsd, rpc.statd, rpc.ypupdated, rpc.rquotad, kcms_server, cachefsd |
SRV-022 | Unset password in account, insufficient management of blank password | If you don't set a password for each account, your account can be compromised by an attacker. Make sure to set an appropriate password. It is recommended that you always set an appropriate level of password strength for all accounts that require a login. |
SRV-025 | Forbid using $HOME/.rhosts, hosts.equiv | The 'r' commands, such as rlogin, rsh, rexec, etc., are commands that allow remote access by an administrator without authentication. If proper security settings are not applied, an attacker from a remote location can execute arbitrary commands on the system with administrator permissions. This is a very weak security structure, so if you must use it, limit the permissions. Set the owner of the /etc/hosts.equiv file and .rhosts file to root, or to the corresponding account, set the permissions to 600, and make sure the entries in those files do not include the '+' setting (allow all hosts). |
SRV-026 | Restrict root account remote access | Inspect whether remote access by the root account is blocked, so that unauthorized external users cannot log in directly as root, by checking the root account's remote access block setting. ※ /etc/securetty: the file that restricts root access over Telnet. If pts/x entries exist in the /etc/securetty file, be sure to remove them, as they allow root account access regardless of the PAM module settings. tty (terminal, teletype): the user logs in to the console directly from a monitor, keyboard, etc. connected to the server. pts (pseudo-terminal): the user connects using Telnet, SSH, a terminal emulator, etc. |
SRV-027 | Access IP and Port Restriction | Prevent external attacks by allowing only a limited set of hosts to use the service. By default, you must set the deny setting for all hosts, and add only those hosts that are absolutely necessary for the service to the allow setting. Related configuration files: hosts.allow, hosts.deny |
SRV-028 | Session Timeout Setting | If the Session timeout value is not set, the system may be vulnerable to unauthorized access during idle time. Session timeout must be set in the configuration file for the user shell. |
SRV-034 | Remove automountd | automountd provides a feature for clients to automatically mount a file system from a server and unmount it when it is no longer in use. Stop the service, because it contains a weakness that lets a local attacker send RPC (Remote Procedure Call) requests through automountd. |
SRV-035_1 | Deactivate tftp and talk services | It is recommended that you deactivate the tftp, talk and ntalk services as they are vulnerable in security aspects. |
SRV-035_2 | Deactivating finger service | Finger (User Information Verification Service) allows you to check user information registered in the system from outside the network. To prevent unauthorized persons from viewing user information, it is recommended that you prohibit the use of the service. |
SRV-035_3 | Deactivate r services | The 'r' commands, such as rlogin, rsh, rexec, etc. are commands that allow remote access by an administrator without authentication. If proper security settings are not applied, an attacker from a remote location can execute arbitrary commands on the system with the administrator permissions. It is recommended that you disable them if you are not using them for services. |
SRV-035_4 | Disable the services vulnerable to DoS attacks | If you do not use the services that are vulnerable to DoS attacks, it is recommended that you disable them. The services suggested to be disabled: echo, discard, daytime, chargen |
SRV-035_5 | Check NIS and NIS+ | The Network Information Service (NIS) is an RPC service called ypserv that is used in conjunction with portmap and other related services to distribute usernames, passwords, and other confidential information to computers located in the same domain. Because it passes confidential information unencrypted over the network, it is a security vulnerability. It is recommended that you avoid using the NIS service whenever possible, and use NIS+ when necessary. |
SRV-037 | Check the ftp service | FTP services allow usernames and passwords to be sent unencrypted and sniffed. It is recommended that you avoid using FTP whenever possible. |
SRV-040 | Remove the web service directory listing | Directory listing is a feature that shows the list of all files in the directory if the basic document does not exist in the directory. When directory listing is enabled, all files in directories can be accessed from the outside, which not only exposes the structure of your web server, but also risks exposing important files that should not be exposed, such as backup files or source files. |
SRV-042 | Forbid access to web service's upper directory | Check the AllowOverride option to ensure that it restricts moves to an upper directory. If an upper directory can be navigated by using a character such as "..", there is a risk that an attacker will be able to access paths that should not be accessible. |
SRV-043 | Remove all unnecessary files of web service | Inspect if the unnecessary files created by default upon installing Apache have been removed. The default files: /[Apache_home]/htdocs/manual, /[Apache_home]/manual |
SRV-044 | Restrict web service file upload and download | Due to the nature of the infrastructure, file uploads and downloads are fundamentally prohibited and you must restrict the size when necessary. To prevent server overload and use resources efficiently, it is recommended that upload and download files do not exceed 5 MB. |
SRV-045 | Restrict web service web process permissions | If the web server daemon is running with root permissions, a vulnerability in a web application, etc. could allow an attacker to gain root permissions. Therefore, Apache must be run under a separate, unprivileged account instead of with root permissions. |
SRV-046 | Separate the web service areas | Use the htdocs directory as the DocumentRoot by default upon installing Apache. It is recommended that you change this to a separate path because the htdocs directory contains Apache documentation that should not (or need not) be exposed, as well as information about your system that could be used in an attack. |
SRV-047 | Forbid using web service links | Symbolic links to the root directory (/) of the system could allow access to files in any file system with the permissions of the user the web server runs as (nobody), so they are dangerous. Because an invalid symbolic link can expose sensitive information on your server, you must limit the use of symbolic links. |
SRV-048 | Execute unnecessary web service | If unnecessary services are installed and run by default when the system starts, potential security vulnerabilities may occur. Services that are not actually required may cause performance degradation of the system or may be exploited for attacks, so they should be checked periodically. (Evaluation example) - Various vulnerabilities (OpenSSL, etc.) have been reported for the Tmax WebtoB web server, so check whether the service is used. |
SRV-060 | Unchanged web service default account (username or password) | Tomcat is a Java application server that provides the Apache web server with the ability to run JSP and Java servlets. If you do not change the account that is set by default when Tomcat is installed, unauthorized people can gain access to the system. Check if the default account is properly secured. |
SRV-062 | Exposure of DNS service information | Exposure of information such as DNS server type and version can be used by attackers for other attacks, so ensure that proper security settings are in place. |
SRV-063 | Insufficient DNS Recursive Query setting | An attack threat (DNS Cache Poisoning - an attack that causes false information to enter the DNS cache) is possible when an attacker sends a large number of DNS requests to a spoofed IP (Victim) address. Check the appropriateness of the security settings to counter this attack. |
SRV-064 | Patch DNS security version | Berkeley Internet Name Domain (BIND) consists of DNS server and resolver library designed for BSD-based Unix systems. Various vulnerabilities have been reported in almost all versions, and it is recommended that you install and use the latest version whenever possible. |
SRV-066 | Set DNS Zone Transfer | DNS Zone Transfer is a feature used to maintain the zone information consistency between the Primary Name Server and Secondary Name Server. Restrict the transfer of zone information to secondary name servers only. If you allow zone transfers to unauthorized users, an attacker can use the transferred zone information to learn a lot of information about hosts, system information, network configuration, etc. |
SRV-069_1 | Password complexity settings | Inspect if the password complexity settings for user accounts (both root and normal accounts) are set in the system policy. |
SRV-069_2 | Minimum password length settings | Short passwords can easily be compromised by brute force attacks or password guessing. By setting a minimum password length as a policy, you can reduce the risk of passwords being compromised by an attack. |
SRV-069_3 | The maximum usage time setting for passwords | If you do not set a maximum usage time for passwords, there is no limit to the amount of time an unauthorized person can attempt various attacks (random brute force attacks, dictionary attacks, etc.). A compromised password can be used to take control of the system for an extended period of time. Appropriately limit the maximum usage time to ensure that passwords are changed periodically. |
SRV-069_4 | The minimum usage time setting for passwords | If you don't set a password minimum age, users can change their passwords to anything they're familiar with. This can significantly undermine the effectiveness of a policy of regularly changing passwords. It is recommended that you protect passwords by enabling the Save a recent password setting to prevent users from reusing old passwords. |
SRV-070 | Password file protection | On some older systems, the password policy is not enforced and passwords are stored in plain text in the /etc/passwd file. Inspect if the passwords of user accounts are encrypted. |
SRV-073 | Include minimum accounts in an admin group | Inspect if the system admin group only has the minimum number of accounts (the root account and accounts allowed for system management). |
SRV-074 | Removal of unnecessary accounts | You must prevent intrusion through unmanaged accounts by inspecting whether there are unnecessary accounts. Inspect if there are unnecessary accounts among the system accounts (retired employees, job changes, leaves of absence, etc.). Default accounts to review: adm, lp, sync, shutdown, halt, news, uucp, operator, games, gopher, nfsnobody (excluded), and squid |
SRV-075 | Existence of guessable account passwords | When setting a password, the password complexity must be set so that a strong password can be established by including all letters/numbers/special characters. Passwords consisting of only alphanumeric characters can be easily inferred by currently released password cracking utilities and random attacks. Therefore, check for compliance with your company's password management policy. |
SRV-081_1 | The owner and authority setting for cron files | If the crontab command is available to normal users except root, they may intentionally or unintentionally execute illegal scheduled files. Ensure that cron-related files are not accessible to unauthorized users. |
SRV-081_2 | The owner and authority setting for the at file | The at daemon (one-time task scheduler) manages task scheduling so that any task can run at a given time. Only users registered in the /etc/at.allow file can use the at command, so you must set the appropriate permissions on that file. If the permissions on the /etc/at.allow file are incorrect, there is a risk of system damage, such as an attacker registering an account that has gained permissions and executing an illegal scheduled file. |
SRV-081_3 | Insufficient permissions setting for the crontab setting file | A crontab is a file that you use when you need to perform periodic tasks. If the "others" permission bits on crontab's task settings file grant read and write access, any user can edit or read the file contents. This can cause important information to be leaked, so it is necessary to check that the appropriate permissions are granted to the relevant files. |
SRV-082 | Insufficient permissions setting for system's major directories | Inappropriate permissions setting for the system's major directories can allow malicious programs such as Trojans to be installed and important files to be tampered with. This can be exploited for system intrusion or denial-of-service attacks, so you must check the appropriateness of system directory permissions. |
SRV-083 | Insufficient permissions setting for the system startup script | Due to errors in the ownership and permissions settings of the system startup script, there is a possibility that an arbitrary attacker can use it to invade the system by changing the contents of the script. Therefore, check the appropriateness of the permissions settings. |
SRV-084 | The owner and authority setting for the hosts.lpd file | To prevent unauthorized tampering with hosts.lpd, delete the hosts.lpd file or manage its owner/permissions. |
SRV-084_1 | The owner and authority setting for the /etc/passwd file | The "/etc/passwd" file is an important file that contains the user's ID, password (marked with 'x' for security), UID, GID, home directory, and shell information. If the "/etc/passwd" file can be modified by a user other than the administrator (root), malicious actions such as shell tampering, user addition/deletion, and privilege escalation attempts are possible, so the file's permissions must be managed appropriately. |
SRV-084_2 | The owner and authority setting for the /etc/shadow file | The "/etc/shadow" file is an important file that stores and manages passwords for all accounts registered on the system in encrypted form. If permissions management is not in place for this file, account and password information can be exposed to the outside world. It is recommended that you restrict access for all users except the administrator (root) account. |
SRV-084_3 | The owner and authority setting for the /etc/hosts file | The "/etc/hosts" file is the file used to map IP addresses to hostnames. If permissions management is not in place for this file, it can be exploited for pharming attacks that bypass DNS by registering malicious systems in the hosts file. It is recommended that you restrict access for all users except the administrator (root) account. |
SRV-084_4 | The owner and authority setting for the /etc/(x)inetd.conf file | The Internet super daemon is responsible for running the daemon when internal programs registered in the service configuration file (/etc/(x)inetd.conf) are requested from the external network. If the access permissions of inetd.conf (xinetd.d) are set incorrectly, an unauthorized person can register a malicious program and run the service with root permissions, affecting existing services. It is recommended that you restrict access for all users except the administrator (root) account. |
SRV-084_5 | The owner and authority setting for the /etc/syslog.conf file | The "/etc/syslog.conf" file is a file that sets up the main log records that occur during system operation. If the file does not have a proper access permission, it can be tampered with by an attacker. System logs may not accurately record traces of the intruder or system errors. It is recommended that you restrict write permissions for all users except the administrator (root) account. |
SRV-084_6 | The owner and authority setting for the /etc/services file | The "/etc/services" file is used to manage services. If normal users can access and edit the file, it can cause a breach by restricting legitimate services or maliciously running unauthorized services. It is recommended that you restrict write permissions for all users except the administrator (root) account. |
SRV-087 | Insufficient existence and permissions setting for C compiler | If an attacker compiles a source file containing attack code after entering the system and creates an executable file, it can be exploited to attack the system (gain administrator permissions, cause a denial of service, etc.). Inspect whether a C compiler exists in the system and whether its use is appropriate. |
SRV-091 | Inspect the SUID, SGID, Sticky bit setting files | A file with SUID (Set User-ID) and SGID (Set Group-ID) set (especially if it is owned by root) can be used to execute certain commands with root permissions and cause service failure. For root-owned SUID files, remove the SUID and SGID attributes except for those that are absolutely necessary, and periodically diagnose and manage them for misconfiguration and security threats. *SUID (Set User-ID): the file owner's permissions are gained temporarily to run certain tasks when the file is executed. *SGID (Set Group-ID): the file owner group's permissions are gained temporarily to run certain tasks when the file is executed. |
SRV-092_1 | The owner and authority setting for Home Directory | If configuration files in a user's home directory are tampered with by unauthorized users, there is a risk that normal user services will be restricted. Ensure to restrict normal users other than the owner of that home directory from editing it. |
SRV-092_2 | Manage the existence of the directory assigned as home directory | The user home directory is the directory in which the user performs tasks after logging in to the shell. The user environment is configured by the user configuration files that exist in the logged-in user's home directory, and if the home directory is incorrect, the following security issues can occur. 1) No home directory - If the home directory of a normal user rather than the root user is /, the user's current directory is / when logging in, causing administrative and security problems. 2) Hidden directories in the home directory - These may be created by an unauthorized user to hide files. 3) Illegal executable files with the name of a system command exist in the home directory - A relative path entry in PATH combined with the system command name may cause the illegal file to be executed. |
SRV-093 | Inspect the world writable file | If an important file, such as a system file, is set to world writable, a malicious user can tamper with it. Because of the risk of unauthorized access and failure of the system, restrict write permissions for normal users. |
SRV-094 | The authority setting error for the Crontab reference file | If the "others" permission bits on crontab's task settings file grant read and write access, any user can edit or read the file contents. Inspect if the Crontab-related files have the appropriate security settings. |
SRV-095 | File and directory owner settings | Check if there are files and directories that do not have an owner and delete them to prevent illegal behavior by random users. A user with the same UID as the deleted owner can access the file/directory and information can be exposed. This threat is most likely due to the fact that files related to retirees are not deleted, or malicious files are created by hacking. |
SRV-096 | The owner and authority setting for user, system start files and environment files | Restrict access to environment variable files, such as user files in the home directory and user-specific system startup files, as appropriate. Unauthorized persons can tamper with environment variable files and cause disruption of legitimate services. It is recommended that you restrict write permissions for all users except the administrator (root) account and the file's owner. Types of environment variable files: ".profile", ".kshrc", ".cshrc", ".bashrc", ".bash_profile", ".login", ".exrc", ".netrc", etc. |
SRV-108 | Insufficient access control and management of logs | If system log file permissions are not set correctly, an arbitrary user may be able to falsify log records (e.g. intrusion attempts and intrusion trace manipulation, etc.). Check the appropriateness of log file permission settings. |
SRV-109 | Set system logging based on a policy | In the event of a security incident, system logging must be performed in accordance with internal policies to determine the cause and verify the facts of the breach. If logging is not possible, it is difficult to determine the cause of the incident and cannot provide sufficient evidence for legal response. |
SRV-115 | Regular review and report of logs | Check if the system status is maintained to be stable via regular log reviews. If you do not have a procedure for reviewing and reporting logs, you may miss identifying external intrusion attempts. And when you do discover a suspected intrusion attempt, it can be difficult to analyze the relevant information and take further action, such as blocking access to the affected equipment. |
SRV-118 | Apply the recent security patch and vendor recommendations | Check if the system is safely managed via regular security patches. It is recommended that you apply the latest security patches to prevent attacks that exploit known vulnerabilities. |
SRV-121 | Root home path directory authority and path settings | If the PATH environment variable contains a "." (referring to the current directory) at the beginning or middle of the variable, when you execute a common command (such as ls, mv, ps, etc.), the files in the current directory are executed first, rather than the original command. Check the PATH environment variable for the root account, as anomalous files could be executed by a malicious user. |
SRV-122 | Manage umask settings | UMASK is a command that sets the default permissions when creating files and directories. Set the UMASK value appropriately to ensure that newly created files are not granted excessive permissions. |
SRV-127 | Set an account lockout threshold | Inspect if the user log-in failure threshold is set in the system policy. It is recommended that you set a threshold to block attempts to log in to the system, such as from a brute force attack. |
SRV-131 | Restrict root account’s su | Only su-related groups must be granted permission to use su command. Restrict users who are not in the su group from using the su command. Inspect if there are su-related groups in the group setting files (/etc/group) of the system user account and ensure that su commands are allowed only within the su-related groups. |
SRV-133 | Insufficient account restriction for using the cron service | Cron is a daemon that executes a set of commands at a certain time, and you need to control access to the cron service. Since the periodic execution of commands can be exploited for intrusion or information exposure, you must check that the proper account settings are made in the cron file. |
SRV-142_1 | Forbid ‘0’ for UID other than root | Check whether the file that stores the user's account information (/etc/passwd) has any accounts with the same user identification (UID) as the root (UID=0) account. An account with the same UID as the root account would have the same permissions as root, which could pose a significant risk to the system. |
SRV-142_2 | Forbid same UID | UNIX systems assign a UID to every user account and use that UID to manage user information such as username, password, home directory, etc. If duplicate UIDs exist, the system may recognize them as the same user and cause problems. In the event of a breach of personal information and related data by an attacker, the audit trail becomes difficult, so it's necessary to ensure that there are no identical UIDs. |
SRV-144 | Inspect the device files that do not exist at /dev | If the device does not exist or the name is entered incorrectly, the system might continue to create symbolic link files in the /dev directory, causing an error. For example, if you mistype rmt0 as rmto, you run the risk that the root file system will continue to create files in the /dev directory until a device name entry error causes an error, such as creating a new rmto file. Proactively find and remove devices that don’t actually exist. |
SRV-147 | Check whether to run SNMP service | The Simple Network Management Protocol (SNMP) service is a protocol for network management by automatically collecting information from each host on a TCP/IP-based network on a regular basis. It is used to understand or set the system status in real time. It is recommended to stop the SNMP service if it is not used because it can cause major information leakage and illegal modification of information in the system. |
SRV-148 | Hide Apache web service information | Set the message to avoid exposing too much details upon web page errors. Do not expose unnecessary information about your web server, such as error pages, web server type, OS information, user account names, etc. If unnecessary information is exposed, there is a high probability that the information can be used to gather vulnerabilities in the system and used in an attack. |
SRV-158 | Allow ssh remote access | Because Telnet, FTP, etc. transmit data unencrypted, there is a high risk that your ID/password and sensitive information could be exposed. Therefore, it is recommended that you use the Secure Shell (SSH) service, which encrypts all communication between users and the system when connecting remotely. When using SSH, TCP/22 is used as the default port; it is recommended that you change the port, as an attacker may try to attack through the default port. |
SRV-158_1 | Execute unnecessary Telnet service | Since the Telnet service sends and receives data in plain text when using the password authentication method, the authentication ID/password can be exposed to the outside world. It is not recommended that you use the Telnet service, and you must ensure that it is disabled. |
SRV-161 | The owner and authority setting for the Ftpusers file | ftpusers file is a setting file for FTP access control and the accounts registered in the file cannot access FTP. Restrict unauthorized users from editing the ftpusers file by setting appropriate permissions on the file. |
SRV-163 | Warning message upon logging on | Setup a warning message to avoid providing unnecessary information about the server to unauthorized users and to alert them that only authorized users should access the server. |
SRV-164 | Forbid GIDs without accounts | Inspect if unnecessary groups (groups without accounts that are not used for system management and operation, or groups with accounts that are not used in system management or operation) exist in the group setting file. |
SRV-165_1 | User shell inspection | Limit the login shells of unnecessary accounts that are created by default during OS installation. In general, change the shell settings of accounts that do not need to be logged in (adm, sys, daemon, etc.) to /sbin/nologin, etc. |
SRV-165_2 | Restrict shell for ftp accounts | Restrict the shell of the ftp account, which is created by default when the FTP service is installed, to a default account that does not require a login to block system access to that account. Granting shell to a default account that does not require a login exposes the account to attackers, which can lead to unauthorized system access. |
SRV-166 | Search and remove hidden files and directories | Suspicious hidden files and directories may have been created by an attacker rather than a legitimate user. Periodically check hidden files/directories. |
SRV-174 | Execute unnecessary DNS service | The Domain Name Service (DNS) is a service that translates between domain names and IPs. If left running unnecessarily, it can be a pathway for attack due to potential security vulnerabilities. Be sure that this service is disabled with respect to tasks. |
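As an added example (not part of the NAVER Cloud Platform checker or its report), the following POSIX shell functions implement the file-based checks behind SRV-142_1, SRV-142_2, SRV-121, SRV-026 and SRV-025 described above, and run them against constructed sample files so the output can be compared with what the inspection items describe. The file paths passed in and the sample contents are assumptions for the demonstration, not values from the page.

```shell
#!/bin/sh
# Added example: minimal defender-side implementations of five Linux inspection
# items from the table above. Each function takes a file path (or a PATH string)
# so it can be run against a copy of the real file or a constructed sample.

# SRV-142_1: print accounts other than root whose UID is 0.
# Empty output means the check passes.
uid0_accounts() {            # $1 = path to a passwd-format file
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# SRV-142_2: print UIDs that are assigned to more than one account.
duplicate_uids() {           # $1 = path to a passwd-format file
    awk -F: '{ print $3 }' "$1" | sort | uniq -d
}

# SRV-121: return 0 when the PATH string contains "." or an empty component
# (an empty component also means the current directory), 1 when it is clean.
path_has_dot() {             # $1 = PATH string to inspect
    case ":$1:" in
        *:.:*|*::*) return 0 ;;
        *)          return 1 ;;
    esac
}

# SRV-026: print pts/* entries in a securetty-format file; these allow root
# logins over pseudo-terminals (Telnet, SSH) and should be removed.
securetty_pts_entries() {    # $1 = path to a securetty-format file
    grep -E '^[[:space:]]*pts/' "$1" || true
}

# SRV-025: print lines in a hosts.equiv / .rhosts-format file that begin with
# "+" (trust all hosts); such entries must not exist.
rhosts_plus_entries() {      # $1 = path to a hosts.equiv or .rhosts-format file
    grep -E '^[[:space:]]*[+]' "$1" || true
}

# Stand-alone demonstration on constructed sample files (not from any real host).
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:backup admin:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1000:1001::/home/bob:/bin/bash
EOF
    printf 'console\ntty1\npts/0\n' > "$tmp/securetty"
    printf '+\nhost1.example.test\n' > "$tmp/hosts.equiv"

    echo "SRV-142_1 non-root UID 0 accounts: $(uid0_accounts "$tmp/passwd" | tr '\n' ' ')"
    echo "SRV-142_2 duplicate UIDs: $(duplicate_uids "$tmp/passwd" | tr '\n' ' ')"
    if path_has_dot ".:/usr/bin:/bin"; then
        echo "SRV-121 root PATH contains the current directory: FAIL"
    else
        echo "SRV-121 root PATH: PASS"
    fi
    echo "SRV-026 pts entries in securetty: $(securetty_pts_entries "$tmp/securetty" | tr '\n' ' ')"
    echo "SRV-025 '+' entries in hosts.equiv: $(rhosts_plus_entries "$tmp/hosts.equiv" | tr '\n' ' ')"
    rm -rf "$tmp"
}

demo
```

On a real host the same functions can be pointed at /etc/passwd, /etc/securetty and /etc/hosts.equiv, and `path_has_dot "$PATH"` run from the root shell, to reproduce the checks by hand.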
Windows Inspection Items
The following describes the Security Setting inspection items for Windows.
Check ID | Inspection item | Description |
---|---|---|
WKS-01 | Rename the administrator account | Change the admin account’s name so that the attacker will not be able to guess the name easily. |
WKS-02 | Restrict the use of Guest account | Restrict using the Guest account as it is a vulnerable account that allows anyone to access the system |
WKS-03 | Set an account lockout threshold | Sets the log-in failure count that causes user account to be locked. |
WKS-04 | Do not use “Store passwords using reversible encryption”. | Unless an application program's requirement outweighs password protection, do not apply this policy to any user in the domain. |
WKS-05 | Do not use “Let Everyone permissions apply to anonymous users”. | Disable this policy to block anonymous users from accessing resources for which the Everyone group has been granted permission. |
WKS-06 | Set an account lockout period | Sets a time to maintain account lock after passing the log-in failure threshold. |
WKS-07 | Password complexity settings | Enable the complexity setting so that strong passwords, which include letters, numbers and special characters, are required when passwords are set. |
WKS-08 | Minimum password length | Sets the minimum password length to more than 8 characters. |
WKS-09 | Maximum password age | Set the maximum password usage time to encourage them to change passwords often. |
WKS-10 | Minimum password age | Sets the minimum duration until changing passwords. |
WKS-11 | Do not show last user name | Set the name of the last user who logged on to the device not to be shown on the logon screen. |
WKS-12 | Save a recent password | Set the number of unique new passwords that must be used on a user account before an old password can be reused. |
WKS-13 | Restrict using empty passwords in the local account for console log-ons. | Block the console and network access from accounts with empty passwords by restricting empty password usage. |
WKS-14 | Remove unnecessary services - Alerter | Do not use or remove the unnecessary services. |
WKS-15 | Remove unnecessary services - Clipbook | Do not use or remove the unnecessary services. |
WKS-16 | Remove unnecessary services - Messenger | Do not use or remove the unnecessary services. |
WKS-17 | Check whether to run IIS service | Stop unnecessary IIS services |
WKS-18 | Check whether to run FTP service | Stop unnecessary FTP services |
WKS-19 | Set DNS Zone Transfer | Apply the block setting for DNS Zone Transfer to prevent leaking the domain information to outside the authorized DNS server. |
WKS-20 | Set Terminal Services encryption level | Set the terminal services to be encrypted to protect the data transferred between the client and server, and stop the terminal services if unnecessary. |
WKS-21 | Check whether to run SNMP service | Stop using the SNMP service if it is unused to prevent leaking the major information of the system and illegal editing. |
WKS-22 | Telnet security settings | Sets Telnet to only use NTLM authentication which does not send passwords via networks. |
WKS-23 | System logging setting according to the policy - AuditLogonEvents | Set an appropriate inspection level to leave necessary logs according to the legal requirement and organization's policies. |
WKS-24 | System logging setting according to the policy - AuditAccountLogon | Set an appropriate inspection level to leave necessary logs according to the legal requirement and organization's policies. |
WKS-25 | System logging setting according to the policy - AuditPolicyChange | Set an appropriate inspection level to leave necessary logs according to the legal requirement and organization's policies. |
WKS-26 | System logging setting according to the policy - AuditAccountManage | Set an appropriate inspection level to leave necessary logs according to the legal requirement and organization's policies. |
WKS-27 | System logging setting according to the policy - AuditPrivilegeUse | Set an appropriate inspection level to leave necessary logs according to the legal requirement and organization's policies. |
WKS-28 | System logging setting according to the policy - AuditDSAccess | Set an appropriate inspection level to leave necessary logs according to the legal requirement and organization's policies. |
WKS-29 | Remotely accessible registry paths | Stop using the remote registry service unless necessary. |
WKS-30 | Set event log management | |
WKS-31 | Allow system shutdown without logging on | Deactivates the system quit button on the log-on window to prevent a threat of unauthorized users quitting the system. |
WKS-32 | Do not allow anonymous enumeration of SAM accounts and shares | Prevent malicious theft of account information by not allowing anonymous enumeration of SAM (Security Account Manager) accounts and shares. |
WKS-33 | Control Autologon feature | Deactivate the Autologon feature |
WKS-34 | Allow formatting and ejecting of removable media | Restrict the users who are allowed to format and eject removable NTFS media. |
WKS-35 | Prevent users from installing printer drivers | Block users from installing printer drivers to prevent system damage by malicious users. |
WKS-36 | Set warning messages | Set a warning message about illegal usage of the system to be shown upon logon. |
WKS-37 | LAN Manager authentication level | Via the LAN Manager authentication level setting, decide which Challenge/Response authentication protocol is used for network logons. We recommend using NTLMv2 for secure authentication. |