OS Security Checker


Available in Classic and VPC

In the OS Security Checker menu, you can view the security setting inspection results of the Operating System (OS). You can view the detailed inspection results through the diagnostic report or download it as a PDF or Excel file. Also, you can view the appropriate security settings and solutions.

Note

To view the inspection results, run the security setting inspection on the server first. For more information on how to inspect, see Inspect OS and WAS.

OS Security Checker screen

The basic description of the OS Security Checker menu for using System Security Checker is as follows:

Area: Description
① Menu name: the name of the menu currently being viewed and the number of inspections being viewed.
② Basic features:
  • Service subscription and unsubscription. For more information, see Getting started with System Security Checker.
  • Check how to inspect.
  • Check the OS Security Checker user guides.
  • Check details of System Security Checker.
  • Refresh the page.
③ Search area: filter the inspection results by inspection date or search by server name.
④ Excel: click the button to download the inspection results as an Excel file.
⑤ Inspection result list: the list of OS security setting inspection results currently being viewed.

View inspection results

To check the inspection results of the server's OS security setting inspection, follow these steps:

1. From the NAVER Cloud Platform console, click the menu icon > Services > Security > System Security Checker.
2. Click OS Security Checker.
3. View the inspection results.
  • Filter by inspection date or enter a server name to narrow the results.
  • Region: the Region of the server.
  • Server name: the name of the inspected server. Click it to view the detailed inspection results and solutions. For more information, see View detailed results and solutions.
  • InstanceNo: the unique server number.
  • Check list: the inspection type.
    • Linux, Windows: the OS of a Linux or Windows server was inspected.
    • Finance: Linux security settings were inspected based on the Financial security agency's electronic financial infrastructure.
  • Inspection date: the date of the inspection.
  • OS version: the OS version of the inspected server.
  • Vulnerable/All items: the number of inspection items rated "Bad" / the total number of inspection items.
  • Critical, Major, Minor: the number of "Bad" inspection items at each severity.
  • Report view: click [Report] to view the full inspection results as an inspection report and download it as a PDF file.

View detailed results and solutions

To view the detailed results of the OS security setting inspection, with the description and solution for each inspection item, and to download them, follow these steps:

1. From the NAVER Cloud Platform console, click the menu icon > Services > Security > System Security Checker.
2. Click OS Security Checker.
3. Click the name of the inspected server to view the detailed results.
4. When the detailed results and solutions popup window appears, view the inspection details and results.
  • Click an inspection item to view its description, suggested settings, examination criteria, and solutions.
  • Select the Severity and Inspection results and click [Search] to filter the inspection items.
  • Click [Report] to view the results you are viewing as an inspection report and download it as a PDF file.
  • Click [Excel] to download the results you are viewing as an Excel file.

OS security setting inspection items

Check the OS security setting inspection items for each server operating system.

Note

You can view the descriptions of the inspection items, suggested settings, and solutions in the detailed results and solutions popup window on the NAVER Cloud Platform console. For more information, see View detailed results and solutions.

Linux inspection items (CSAP)

The following describes the Linux CSAP security setting inspection items. Each entry lists the check ID and inspection item, followed by the description of the inspection item:

U-01 root account remote access limits
  Check the root account's remote access block setting to confirm that direct remote root logins by unauthorized external users are blocked.
  • ※ /etc/securetty: file for limiting root access over Telnet.
  • If pts/x-related settings exist in the "/etc/securetty" file, be sure to remove them, as they allow root account access regardless of the PAM module settings.
  • tty (terminal-teletype): the user logs in to the console directly from a monitor and keyboard connected to the server.
  • pts (pseudo-terminal): access via Telnet, SSH, terminal emulators, and so on.
U-02 Password complexity settings
  Check that the password complexity settings for user accounts (both root and regular accounts) are configured in the system policy.
U-03 Account lockout threshold settings
  Check that a user login failure threshold is set in the system policy. Setting a threshold is recommended to block repeated login attempts such as brute force attacks.
U-04 Maximum usage time settings for passwords
  If no maximum usage time is set for passwords, there is no limit on how long an unauthorized person can keep attempting attacks (brute force attacks, dictionary attacks, and so on), and a compromised password can be used to control the system for an extended period. Limit the maximum usage time appropriately so that passwords are changed periodically.
U-05 Password file protection
  On some older systems, the password policy is not applied and passwords are stored in plain text in the /etc/passwd file. Check that user account passwords are stored encrypted.
U-06 root home path directory permission and path settings
  If the PATH environment variable contains "." (the current directory) at the beginning or in the middle, common commands (such as ls, mv, ps, and so on) resolve to files in the current directory before the original commands. Check the PATH environment variable of the root account, since a malicious user could place files there that would then be run.
U-07 File and directory owner settings
  Check for files and directories without an owner and delete them to prevent misuse by arbitrary users. A user who is later assigned the same UID as the deleted owner can access the file/directory, and information can be exposed. This typically arises when files belonging to departed users are not deleted or when malicious files are created by an intrusion.
U-08 Owner and permission settings for the /etc/passwd file
  The "/etc/passwd" file is an important file that contains each user's ID, password (marked with "x" for security), UID, GID, home directory, and shell. If "/etc/passwd" can be edited by a user other than the administrator (root), malicious actions such as shell tampering, user addition/deletion, and privilege escalation attempts become possible, so the file's permissions must be managed appropriately.
U-09 Owner and permission settings for the /etc/shadow file
  The "/etc/shadow" file is an important file that stores and manages the passwords of all accounts registered on the system in encrypted form. If permissions on this file are not managed, account and password information can be exposed externally. It is recommended that you restrict access for all users except the administrator (root) account.
U-10 Owner and permission settings for the /etc/hosts file
  The "/etc/hosts" file maps IP addresses to host names. If permissions on this file are not managed, it can be exploited for pharming attacks that bypass DNS by registering malicious systems in the hosts file. It is recommended that you restrict access for all users except the administrator (root) account.
U-11 Owner and permission settings for the /etc/(x)inetd.conf file
  The Internet super daemon runs the internal programs registered in its service configuration file (/etc/(x)inetd.conf) when they are requested from the external network. If the access permissions of inetd.conf (xinetd.d) are set incorrectly, an unauthorized person can register a malicious program and run it as a service with root permissions, affecting existing services. It is recommended that you restrict access for all users except the administrator (root) account.
U-12 Owner and permission settings for the /etc/syslog.conf file
  The "/etc/syslog.conf" file configures the main log records produced during system operation. If the file does not have proper access permissions, an attacker can tamper with it, and the system logs may then fail to record traces of the intruder or system errors accurately. It is recommended that you restrict write permissions for all users except the administrator (root) account.
U-13 Owner and permission settings for the /etc/services file
  The "/etc/services" file is used to manage services. If normal users can access and edit the file, they can cause a breach by restricting legitimate services or maliciously running unauthorized services. It is recommended that you restrict write permissions for all users except the administrator (root) account.
U-14 Inspect the SUID, SGID, and Sticky bit configuration files
  A file with Set User-ID (SUID) and Set Group-ID (SGID) set (especially one owned by root) can be used to run certain commands with root permissions and cause service failure. For root-owned SUID files, remove the SUID and SGID properties except where absolutely necessary, and periodically diagnose and manage them for misconfiguration and security threats.
  • Set User-ID (SUID): when the file is run, the process temporarily gains the file owner's permissions to perform certain tasks.
  • Set Group-ID (SGID): when the file is run, the process temporarily gains the file owner group's permissions to perform certain tasks.
U-15 Owner and permission settings for user, system startup files, and environment files
  Restrict access permissions appropriately on environment variable files, such as user files in the home directory and user-specific system startup files. Unauthorized persons can tamper with environment variable files and disrupt legitimate services. It is recommended that you restrict write permissions for all users except the administrator (root) account and the owning user.
  • Types of environment variable files: ".profile," ".kshrc," ".cshrc," ".bashrc," ".bash_profile," ".login," ".exrc," ".netrc," and so on.
U-16 Inspect the world writable file
  If an important file, such as a system file, is world writable, a malicious user can tamper with it. Because of the risk of unauthorized access and system failure, restrict write permissions for normal users.
U-17 Forbid using $HOME/.rhosts, hosts.equiv
  The "r" commands, such as rlogin, rsh, rexec, and so on, allow remote access by an administrator without authentication. If proper security settings are not applied, an attacker at a remote location can run arbitrary commands on the system with administrator permissions. This is a very weak security structure, so if you must use it, limit the permissions. Set the owner of the /etc/hosts.equiv file and .rhosts file to root or the corresponding account, set the permissions to 600, and make sure the files do not contain the "+" setting (allow all hosts).
U-18 Access IP and port restriction
  Prevent external attacks by allowing only limited hosts to use the service. By default, set the deny setting for all hosts, and add only the hosts that are absolutely necessary for the service to the allow setting.
  • Related configuration files: hosts.allow and hosts.deny.
U-19 Owner and permission settings for cron files
  If the crontab command is available to normal users other than root, they may intentionally or unintentionally run illegal scheduled jobs. Ensure that cron-related files are not accessible to unauthorized users.
U-20 Disable finger service
  Finger (user information lookup service) lets anyone check the user information registered on the system from outside the network. To prevent unauthorized persons from viewing user information, it is recommended that you prohibit the use of the service.
U-21 Disable Anonymous FTP
  Check whether the FTP service in use allows anonymous FTP access; it is recommended to block it.
U-22 Disable r series services
  The "r" commands, such as rlogin, rsh, rexec, and so on, allow remote access by an administrator without authentication. If proper security settings are not applied, an attacker at a remote location can run arbitrary commands on the system with administrator permissions. It is recommended that you disable them if they are not needed for your services.
U-23 Disable the services vulnerable to DoS attacks
  If you do not use the services that are vulnerable to DoS attacks, it is recommended that you disable them.
  • Services whose use is discouraged: echo, discard, daytime, and chargen.
U-24 Disable NFS services
  Network File System (NFS) is a service that lets you mount and use the file system of a remote computer on your local system. Its use is prohibited because of the high risk of unauthorized parties abusing it to access and tamper with the system through NFS mounts. If you must use it for unavoidable reasons, manage it according to item U-25.
U-25 NFS access control
  When using NFS, restrict access to authorized users only. Sharing with everyone must be restricted to prevent unauthorized access.
U-26 Remove automountd
  automountd lets clients mount a server automatically and unmount it when it is no longer in use. Stop the service, because it contains a vulnerability that lets a local attacker send a Remote Procedure Call (RPC) through automountd.
U-27 Check the RPC service
  Remote Procedure Call (RPC) is an inter-process protocol that allows running a function or procedure in another address space without writing code for the remote interaction. It is recommended that you disable these services, as some RPC services have vulnerabilities, including remote operation.
  • RPC services whose use is discouraged: rpc.cmsd, rpc.ttdbserverd, sadmind, rusersd, walld, sprayd, rstatd, rpc.nisd, rexd, rpc.pcnfsd, rpc.statd, rpc.ypupdated, rpc.rquotad, kcms_server, and cachefsd.
U-28 Check NIS and NIS+
  The Network Information Service (NIS) is an RPC service called ypserv that is used together with portmap and other related services to distribute user names, passwords, and other confidential information to computers in the same domain. Because it forwards confidential information unencrypted over the network, it is a security vulnerability. It is recommended that you avoid using the NIS service whenever possible, and use NIS+ when necessary.
U-29 Disable tftp and talk services
  It is recommended that you disable the tftp, talk, and ntalk services, as they are weak in security terms.
U-30 Check the Sendmail version
  The Sendmail service has many reported vulnerabilities in most versions. It is recommended not to use it if it is not required for your service, and to use the latest version if it is required.
U-31 Limit spam mail relays
  Simple Mail Transfer Protocol (SMTP) is the standard communication protocol for transferring email over the Internet. If you need to provide a service that sends email through an SMTP server, you need appropriate security settings in place. If you do not limit the relay feature, the server can be hijacked as a spam server for malicious purposes or become the target of a DoS attack.
U-32 Prevent normal users from running Sendmail
  When using the SMTP service, the q option can be used to arbitrarily change Sendmail settings or force mail queues to drop. Therefore, restrict the q option from normal users.
U-33 Patch DNS security version
  Berkeley Internet Name Domain (BIND) consists of a DNS server and a resolver library designed for BSD-based Unix systems. Various vulnerabilities have been reported in almost all versions, and it is recommended that you install and use the latest version whenever possible.
U-34 Set DNS Zone Transfer
  DNS Zone Transfer is a feature used to keep zone information consistent between the Primary Name Server and Secondary Name Server. Limit the transfer of zone information to secondary name servers only. If you allow zone transfers to unauthorized users, an attacker can use the transferred zone information to learn a great deal about hosts, system information, network configuration, and so on.
U-35 Apply the recent security patch and vendor recommendations
  Check whether the system is kept safe through regular security patches. It is recommended that you apply the latest security patches to prevent attacks that exploit known vulnerabilities.
U-36 Regular review and report of logs
  Check whether the system is kept stable through regular log reviews. If you do not have a procedure for reviewing and reporting logs, you may miss external intrusion attempts. When you do discover a suspected intrusion attempt, it can be difficult to analyze the relevant information and take further action, such as blocking access to the affected equipment.
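Several of the CSAP items above are plain file checks, and it helps to see what a checker actually tests. The following shell script is an added example written for this page, not the System Security Checker's own code: it implements U-01 (pts entries in /etc/securetty), U-05 (password field in /etc/passwd), U-06 ("." or an empty component in PATH), U-17 ("+" in hosts.equiv/.rhosts) and the group/other write and owner checks behind U-08, U-09, U-12 and U-13 as POSIX shell functions, and runs them over constructed sample files in a temporary directory (all file names and contents are this example's own). On a real server you would point the functions at the actual files and expect root as the owner.

```shell
#!/bin/sh
# Added example for this page, not System Security Checker's own code.
# Each check prints GOOD or BAD and always exits 0, so verdicts can be
# captured with $(...) even under "set -e". All sample files below are
# constructed in a temporary directory; no real system file is touched.
set -eu

# U-01: /etc/securetty must not contain pts/* entries; they permit root
# logins over Telnet/SSH sessions regardless of the PAM configuration.
check_securetty() {
  if grep -q '^[[:space:]]*pts/' "$1"; then echo BAD; else echo GOOD; fi
}

# U-05: every password field in /etc/passwd must be "x" (hash kept in
# /etc/shadow). An empty field or a hash stored in passwd is a finding.
check_passwd_field() {
  if awk -F: '$2 != "x" { found = 1 } END { exit found ? 0 : 1 }' "$1"; then
    echo BAD
  else
    echo GOOD
  fi
}

# U-06: PATH must not contain "." or an empty component (":" at the start,
# at the end, or doubled), because both make the current directory searchable.
check_path() {
  case ":$1:" in
    *:.:*|*::*) echo BAD ;;
    *) echo GOOD ;;
  esac
}

# U-17: hosts.equiv and .rhosts must not contain a "+" (trust-all) entry.
check_rhosts() {
  if grep -q '^[[:space:]]*+' "$1"; then echo BAD; else echo GOOD; fi
}

# U-08/U-09/U-12/U-13: the file must not be writable by group or others.
# "ls -ld" is used instead of stat(1) so the check is portable: column 6
# of the mode string is the group write bit and column 9 the others write bit.
check_not_group_other_writable() {
  perms=$(ls -ld "$1" | cut -c1-10)
  case "$perms" in
    ?????w????|????????w?) echo BAD ;;
    *) echo GOOD ;;
  esac
}

# Same items: the owner must be the expected account (root on a real
# server; the sample files here belong to whoever runs the script).
check_owner() {
  owner=$(ls -ld "$1" | awk '{ print $3 }')
  if [ "$owner" = "$2" ]; then echo GOOD; else echo BAD; fi
}

# ---- constructed sample inputs -------------------------------------------
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
ME=$(id -un 2>/dev/null || id -u)

printf 'console\ntty1\npts/0\n' > "$SAMPLE/securetty_bad"
printf 'console\ntty1\n'        > "$SAMPLE/securetty_good"
printf 'root:x:0:0:root:/root:/bin/bash\nsvc:$6$salt$hash:1001:1001::/home/svc:/bin/sh\n' \
  > "$SAMPLE/passwd_bad"
printf 'root:x:0:0:root:/root:/bin/bash\nsvc:x:1001:1001::/home/svc:/bin/sh\n' \
  > "$SAMPLE/passwd_good"
printf '+ +\n'                        > "$SAMPLE/hosts_equiv_bad"
printf 'trusted-host.example root\n' > "$SAMPLE/hosts_equiv_good"
: > "$SAMPLE/shadow_bad";  chmod 666 "$SAMPLE/shadow_bad"
: > "$SAMPLE/shadow_good"; chmod 600 "$SAMPLE/shadow_good"

# ---- demo run --------------------------------------------------------------
report() { printf '%-34s %s\n' "$1" "$2"; }
report "U-01 securetty (bad sample)"    "$(check_securetty "$SAMPLE/securetty_bad")"
report "U-01 securetty (good sample)"   "$(check_securetty "$SAMPLE/securetty_good")"
report "U-05 passwd field (bad sample)" "$(check_passwd_field "$SAMPLE/passwd_bad")"
report "U-06 PATH with ."               "$(check_path "/usr/local/sbin:/usr/bin:.")"
report "U-06 PATH clean"                "$(check_path "/usr/local/sbin:/usr/sbin:/usr/bin")"
report "U-17 hosts.equiv with +"        "$(check_rhosts "$SAMPLE/hosts_equiv_bad")"
report "U-09 shadow mode 666"           "$(check_not_group_other_writable "$SAMPLE/shadow_bad")"
report "U-09 shadow mode 600"           "$(check_not_group_other_writable "$SAMPLE/shadow_good")"
report "U-09 shadow owner is $ME"       "$(check_owner "$SAMPLE/shadow_good" "$ME")"
```

The checks deliberately print a verdict instead of returning a non-zero status, so a wrapper that runs with `set -e` does not abort on the first "Bad" item and can collect every finding, which is how the console's Vulnerable/All items count is built.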

Linux inspection items (KISA)

The following describes the Linux KISA security setting inspection items. Each entry lists the check ID and inspection item, followed by the description of the inspection item:

U-01 root account remote access limits
  Check the root account's remote access block setting to confirm that direct remote root logins by unauthorized external users are blocked.
  • It is recommended to log in with a separate user account and switch to root permissions with the su command before performing the task.
U-02 Password complexity settings
  Check that the password complexity settings for user accounts (both root and regular accounts) are configured in the system policy.
U-03 Account lockout threshold settings
  Check that a user login failure threshold is set in the system policy.
U-04 Password file protection
  Check that the user account passwords stored in the system's /etc/passwd file are encrypted.
U-05 root home path directory permission and path settings
  Check whether the root account's PATH environment variable includes "." (the current directory).
U-06 File and directory owner settings
  Check whether there are any files or directories without an owner.
U-07 Owner and permission settings for the /etc/passwd file
  Owner and permission settings for important system files.
  • /etc/passwd: a file that contains each user's ID, password (marked with "x" for security), UID, GID, home directory, and shell.
U-08 Owner and permission settings for the /etc/shadow file
  Owner and permission settings for important system files.
  • /etc/shadow: a file that stores and manages the passwords of all accounts registered on the system in encrypted form.
U-09 Owner and permission settings for the /etc/hosts file
  Owner and permission settings for important system files.
  • /etc/hosts: a file used to map IP addresses to host names.
U-10 Owner and permission settings for the /etc/(x)inetd.conf file
  Owner and permission settings for important system files.
  • /etc/(x)inetd.conf: the service configuration file of the Internet super daemon.
U-11 Owner and permission settings for the /etc/syslog.conf file
  Owner and permission settings for important system files.
  • /etc/syslog.conf: a file that configures the main log records produced during system operation.
U-12 Owner and permission settings for the /etc/services file
  Owner and permission settings for important system files.
  • /etc/services: a file used for service management.
U-13 Inspect the SUID, SGID, and Sticky bit configuration files
  Remove unnecessary SUID and SGID properties from files.
  • Set User-ID (SUID): when the file is run, the process temporarily gains the file owner's permissions to perform certain tasks.
  • Set Group-ID (SGID): when the file is run, the process temporarily gains the file owner group's permissions to perform certain tasks.
U-14 Owner and permission settings for user, system startup files, and environment files
  Restrict access permissions on user files in the home directory and on environment variable files, such as each user's system startup files.
  • Types of environment variable files: ".profile," ".kshrc," ".cshrc," ".bashrc," ".bash_profile," ".login," ".exrc," ".netrc," and so on.
U-15 Inspect the world writable file
  Check whether unnecessary world writable files exist.
  • world writable: all users are allowed to write to the file.
U-16 Inspect the device files that do not exist at /dev
  Check whether there are device files for devices that do not actually exist.
U-17 Forbid using $HOME/.rhosts, hosts.equiv
  Restrict the r commands, such as rlogin, rsh, rexec, and so on.
  • r command: a command that allows remote administrator access without authentication.
U-18 Access IP and port restriction
  Prevent external attacks in advance by allowing only limited hosts to use the service.
  • Related configuration files: hosts.allow and hosts.deny.
U-19 Disable finger service
  Disable the finger service to prevent unauthorized people from viewing user information.
  • Finger (user information lookup service): lets anyone view the user information registered on the system from outside the network.
U-20 Disable Anonymous FTP
  Block anonymous FTP access to keep users without permission from using FTP.
  • Anonymous FTP: anyone can use FTP by logging in with the user name anonymous or ftp and any password.
U-21 Disable r series services
  Disable the r commands, such as rlogin, rsh, rexec, and so on.
  • r command: a command that allows remote administrator access without authentication.
U-22 Owner and permission settings for cron files
  Owner and permission settings for important system files.
  • /etc/cron.allow, /etc/cron.deny: the files that allow or block users from registering crontab commands.
U-23 Disable the services vulnerable to DoS attacks
  Disable unused services that are vulnerable to DoS attacks.
  • Services whose use is discouraged: echo, discard, daytime, and chargen.
U-24 Disable NFS services
  Disable NFS services.
  • Network File System (NFS): a service that lets a remote computer's file system be mounted on the local system and used there.
  • If you must use it for unavoidable reasons, manage it according to item U-25.
U-25 NFS access control
  Restrict NFS usage and access to authorized users only.
  • Network File System (NFS): a service that lets a remote computer's file system be mounted on the local system and used there.
U-26 Remove automountd
  Stop the service, because it contains a vulnerability that lets a local attacker send a Remote Procedure Call (RPC) through automountd.
  • automountd: lets clients mount a server automatically and unmount it when it is no longer in use.
U-27 Check the RPC service
  Disable these services, as some RPC services have vulnerabilities, including remote operation.
  • Remote Procedure Call (RPC): an inter-process protocol that allows running a function or procedure in another address space without writing code for the remote interaction.
  • RPC services whose use is discouraged: rpc.cmsd, rpc.ttdbserverd, sadmind, rusersd, walld, sprayd, rstatd, rpc.nisd, rexd, rpc.pcnfsd, rpc.statd, rpc.ypupdated, rpc.rquotad, kcms_server, and cachefsd.
U-28 Check NIS and NIS+
  Avoid using the NIS service as much as possible. If necessary, use NIS+.
  • Network Information Service (NIS): distributes user names, passwords, and other confidential information to computers in the same domain.
U-29 Disable tftp and talk services
  Disable the tftp, talk, and ntalk services, as they are weak in security terms.
U-30 Check the Sendmail version
  Many weaknesses have been found in most versions. If it is unnecessary, stop using it.
  • If you need to use it, use the most recent version.
U-31 Limit spam mail relays
  Limit the SMTP server's relay feature.
U-32 Prevent normal users from running Sendmail
  Prevent normal users from using the q option when providing SMTP services.
  • With the q option, they can change Sendmail settings as they wish or forcibly drop the mail queue.
U-33 Patch DNS security version
  Use the most recent version of BIND.
  • Berkeley Internet Name Domain (BIND): a DNS implementation designed for BSD-based Unix systems. It consists of a server and a resolver library.
U-34 Set DNS Zone Transfer
  Limit the transfer of zone information to the Secondary Name Server only.
  • DNS Zone Transfer: a feature used to keep zone information consistent between the Primary Name Server and Secondary Name Server.
U-35 Remove the Apache directory listing
  Disable the directory listing feature.
  • Directory listing: a feature that shows the list of all files in a directory when the default document does not exist in that directory.
U-36 Limit Apache web process permissions
  Run Apache with separate permissions instead of root permissions.
U-37 Forbid access to Apache's upper directory
  Restrict moving to the upper directory with the AllowOverride option.
U-38 Remove all unnecessary files of Apache
  Check that the unnecessary files created by default when Apache is installed have been removed.
  • Default files: /[Apache_home]/htdocs/manual and /[Apache_home]/manual.
U-39 Forbid using Apache links
  Restrict the use of symbolic links.
U-40 Limit Apache file upload and download
  Forbid file upload and download by default, and limit the file size when they are unavoidably necessary.
U-41 Separate Apache web service areas
  Change the DocumentRoot from the default setting (htdocs directory) to another path.
U-42 Apply the recent security patch and vendor recommendations
  Check whether the system is kept safe through regular security patches.
U-43 Regular review and report of logs
  Check whether the system is kept stable through regular log reviews.
U-44 Forbid "0" for UID other than root
  Check whether there are accounts other than the root account with UID 0 (the same permissions as root).
U-45 Limit root account's su
  • Check that su-related groups exist in the system's group configuration file (/etc/group).
  • Check that su commands are allowed only within the su-related groups.
U-46 Minimum password length settings
  Set the minimum password length to more than 8 characters.
U-47 Maximum usage time settings for passwords
  Limit the maximum usage time appropriately so that users change passwords regularly.
U-48 Minimum usage time settings for passwords
  Set the minimum period that must pass before a password can be changed.
U-49 Remove unnecessary accounts
  • Check whether there are unnecessary accounts among the system accounts.
  • Delete the following default accounts: adm, lp, sync, shutdown, halt, news, uucp, operator, games, gopher, nfsnobody, and squid.
U-50 Include minimum accounts in an admin group
  Check that the system admin group contains only the minimum number of accounts.
U-51 Forbid GIDs without accounts
  Check whether unnecessary groups exist in the group configuration file (groups without accounts that are not used for system management or operation, or groups with accounts that are not used for system management or operation).
U-52 Forbid same UID
  Check whether any user accounts share the same UID.
U-53 Check user shell
  Assign the /bin/false shell to accounts that do not need to log in, so that they cannot log in.
U-54 Session Timeout settings
  Set a session timeout that forcibly closes the connection when no activity occurs for a certain period.
U-55 Owner and permission settings for the hosts.lpd file
  Owner and permission settings for important system files.
  • /etc/hosts.lpd: the file that lists the hosts (users) authorized to use the local print service.
U-56 Manage UMASK settings
  Check that the UMASK value is appropriate.
  • UMASK value: determines the access permissions of newly created files on the system.
U-57 Owner and permission settings for home directory
  Prevent normal users other than the owner of a user home directory from editing that home directory.
U-58 Manage the existence of the directory assigned as the home directory
  Check that each user account and its home directory match.
U-59 Search and remove hidden files and directories
  Check whether hidden files or suspicious files exist in directories.
U-60 Allow ssh remote access
  Use the Secure Shell (SSH) service, which encrypts all communication between the user and the system during remote access.
  • We recommend changing the SSH port from the default port (TCP port 22).
U-61 Check the ftp service
  Check whether the FTP service is enabled.
U-62 Limit shell for ftp accounts
  Block system access for the default account created when FTP is installed by assigning it the /bin/false shell.
U-63 Owner and permission settings for the Ftpusers file
  Owner and permission settings for important system files.
  • ftpusers file: a configuration file for FTP access control. The accounts registered in the file cannot access FTP.
U-64 Ftpusers file settings
  • Disabling the FTP service is recommended.
  • If FTP must be used for unavoidable reasons, configure the ftpusers file so that the root account cannot log in directly.
  • ftpusers file: a configuration file for FTP access control. The accounts registered in the file cannot access FTP.
U-65 Owner and permission settings for the at file
  Owner and permission settings for important system files.
  • /etc/at.deny and /etc/at.allow: the files that allow or block users from registering at commands.
U-66 Check whether to run SNMP service
  Stop unnecessary SNMP services.
U-67 Complexity settings for SNMP service community string
  Change the community string to a value that cannot be guessed.
  • Community string: a kind of password used in the SNMP authentication process.
U-68 Warning message upon logging on
  Configure the server or service to hide unnecessary information and to display a warning about unauthorized use at login.
U-69 Access permission for NFS configuration file
  Check that normal users are prevented from editing the NFS configuration file.
U-70 expn, vrfy commands limits
  If SMTP must be used for unavoidable reasons, restrict the VRFY and EXPN commands, which are basic Sendmail services, to prevent Sendmail abuse.
  • VRFY: a command that an SMTP client sends to an SMTP server to check whether a mailbox exists for a given ID.
  • EXPN (mailing list expansion): a command used to expand mailing lists when mail is transferred.
U-71 Hide Apache web service information
  Configure error messages so that web page errors do not expose excessive detail.
U-72 Set system logging based on a policy
  Check that logging is configured according to the internal policy.
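The account items above (U-44, U-49, U-52, U-53) and the UMASK item (U-56) can all be evaluated from /etc/passwd and the shell profile. The script below is an added example, not NAVER Cloud Platform's checker code: it runs those checks with awk over a constructed /etc/passwd and two constructed profile fragments, listing each finding on its own line. The UID boundary of 1000 used to define "system accounts" in the U-53 check is an assumption, not something the page specifies, and the account list for U-49 is the one given in the table.

```shell
#!/bin/sh
# Added example for this page, not NAVER Cloud Platform's checker code.
# Account checks (U-44, U-49, U-52, U-53) read a passwd-format file and
# print one finding per line (no output = nothing found); the UMASK check
# (U-56) prints GOOD/BAD. Every function exits 0. All inputs are constructed.
set -eu

# U-44: accounts other than root that have UID 0.
find_uid0_accounts() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# U-52: UIDs shared by several accounts, printed as "<uid> <name,name,...>".
find_duplicate_uids() {
  awk -F: '
    { count[$3]++; names[$3] = (names[$3] == "" ? $1 : names[$3] "," $1) }
    END { for (u in count) if (count[u] > 1) print u, names[u] }
  ' "$1" | sort -n
}

# U-49: default accounts the guideline says to delete that are still present.
find_unnecessary_accounts() {
  awk -F: '
    BEGIN {
      n = split("adm lp sync shutdown halt news uucp operator games gopher nfsnobody squid", list, " ")
      for (i = 1; i <= n; i++) unwanted[list[i]] = 1
    }
    $1 in unwanted { print $1 }
  ' "$1"
}

# U-53: non-root accounts with UID below 1000 (assumed system-account range)
# whose shell is neither /bin/false nor a nologin shell.
find_system_accounts_with_shell() {
  awk -F: '$3 < 1000 && $1 != "root" && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# U-56: the last "umask" line in a profile must clear the write bit for
# group and others (octal digit with bit value 2 set), e.g. 022 or 027.
check_umask() {
  val=$(awk '$1 == "umask" { v = $2 } END { print v }' "$1")
  case $val in
    "") echo "BAD umask not set"; return 0 ;;
    *[!0-7]*) echo "BAD umask=$val is not octal"; return 0 ;;
  esac
  while [ ${#val} -lt 3 ]; do val=0$val; done   # "22" means 022
  other=${val#"${val%?}"}       # last octal digit (others)
  rest=${val%?}
  group=${rest#"${rest%?}"}     # second-to-last octal digit (group)
  if [ $((group & 2)) -ne 0 ] && [ $((other & 2)) -ne 0 ]; then
    echo "GOOD umask=$val"
  else
    echo "BAD umask=$val"
  fi
}

# ---- constructed sample inputs -------------------------------------------
D=$(mktemp -d)
trap 'rm -rf "$D"' EXIT
cat > "$D/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second UID 0 account (constructed):/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/usr/sbin/nologin
games:x:5:60:games:/usr/games:/bin/sh
ftp:x:14:50:FTP User:/var/ftp:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1001:1002:Carol:/home/carol:/bin/bash
EOF
printf '# constructed profile fragment\nexport PATH\numask 002\n' > "$D/profile_bad"
printf '# constructed profile fragment\nexport PATH\numask 022\n' > "$D/profile_good"

# ---- demo run --------------------------------------------------------------
section() { printf '\n== %s ==\n' "$1"; }
section "U-44 accounts other than root with UID 0"; find_uid0_accounts "$D/passwd"
section "U-52 duplicate UIDs";                     find_duplicate_uids "$D/passwd"
section "U-49 default accounts still present";    find_unnecessary_accounts "$D/passwd"
section "U-53 system accounts with a login shell"; find_system_accounts_with_shell "$D/passwd"
section "U-56 UMASK"; check_umask "$D/profile_bad"; check_umask "$D/profile_good"
```

Note that a second UID 0 account shows up under both U-44 and U-53, which is the expected behaviour: the two items look at different fields and a reviewer wants both findings on the report.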

    Linux inspection items (based on Financial security agency’s electronic financial infrastructure)

    The following describes the security setting inspection items based on Financial security agency’s electronic financial infrastructure for Linux:

    Check ID Inspection items Description of inspection items
    SRV-001 Complexity settings for SNMP service community string The Simple Network Management Protocol (SNMP) service is a protocol for network management by automatically collecting information from each host on a TCP/IP-based network on a regular basis. To send and receive information called MIBs, SNMP uses a "Community String," which is a kind of password during the authentication process. The Community String is often set to public or private by default, and if this is not changed, there is a vulnerability that can be exploited to determine important information and settings on the system by using this string. Change the Community String to a value that cannot be guessed.
    SRV-004 Run unnecessary SMTP service SMTP service is a service based on the SMTP protocol transferring mail over the Internet. A malicious attacker can use the SMTP service to obtain information about the computer running the SMTP service or to perform various attacks. Therefore, check whether unnecessary SMTP services are running.
    SRV-005 expn, vrfy commands limits Simple Mail Transfer Protocol (SMTP) is the standard communication protocol for transferring emails over the Internet. However, it has many vulnerabilities and is not recommended for use unless absolutely necessary for the service. If you need to use it for unavoidable reasons, restrict the use of VRFY and EXPN, Sendmail's default commands, to prevent Sendmail abuse.

    *VRFY: a command that SMTP clients send to SMTP servers to validate if there is mail for a certain ID.
    *EXPN (Mailing list extension): a command to forward mail upon transferring mails.
    SRV-006 Insufficient SMTP service log level settings Sendmail is a popular Mail Transfer Agent (MTA) that is included by default in Unix. It must be monitored to ensure service availability and to track ongoing security vulnerabilities. Check that Sendmail's LogLevel setting is appropriate so that events during service operation are logged in sufficient detail.
    SRV-007 Check the Sendmail version The Sendmail service has many reported vulnerabilities in most versions. It is recommended not to use it if it is not required for your service, and to use the latest version if it is required.
    SRV-008 Disable DoS protection for the SMTP service Inspect that the security settings are appropriate for preventing mail service rejections or system outages caused by exceeding the network circuit capacity or server process capacity.
    SRV-009 Limit spam mail relays Simple Mail Transfer Protocol (SMTP) is the standard communication protocol for transferring email over the Internet. If you need to provide a service that sends email through an SMTP server, you need to have appropriate security settings in place. If you don't limit the relay feature, it can be hijacked as a spam server for malicious purposes or become the target of a DoS attack.
    SRV-010 Prevent normal users from running Sendmail When using the SMTP service, the q option can be used to arbitrarily change Sendmail settings or force mail queues to drop. Therefore, restrict the q option from normal users.
    SRV-011 Ftpusers file settings FTP service transfers IDs and passwords unencrypted, which can expose the IDs and passwords with a simple sniffer. It is recommended that you avoid using FTP services unless absolutely necessary. If you must use an FTP service for unavoidable reasons, restrict direct access to the root account to ensure that the root account's password information is not exposed.
    SRV-012 Expose host information within the .netrc file .netrc files are used by ftp to automatically send and receive files. .netrc files are insecure because they store the FTP access IP and password in plain text. Make sure that proper permissions are set.
    SRV-013 Disable Anonymous FTP Check if the FTP service in use is allowing anonymous FTP access, and it is recommended to block it.
    SRV-014_1 NFS access control When using NFS, restrict access to authorized users only. Sharing with everyone must be restricted to prevent unauthorized access.
    SRV-014_2 Access permission for NFS configuration file Network File System (NFS) is a service that allows you to mount the file system of a remote computer on your local system and use it as if it were local. If the NFS access control configuration file is accessible and editable by non-administrative users, they may be able to register unauthorized users and mount the file system for illegal tampering. Therefore, ensure that your NFS access control configuration file cannot be edited by normal users.
    SRV-015 Disable NFS services Network File System (NFS) is a service that allows you to mount and use the file system of a remote computer on your local system. Its use is prohibited due to the high risk of unauthorized parties abusing it to access and tamper with the system through NFS mounts. If you must use it for unavoidable reasons, manage it according to control #25.
    SRV-016 Check the RPC service Remote Procedure Call (RPC) is a protocol between processes that allows a function or procedure to run in another address space without the caller explicitly coding the remote interaction. It is recommended that you disable these services, as some RPC services have vulnerabilities, including remote operation.
    RPC services whose use is discouraged: rpc.cmsd, rpc.ttdbserverd, sadmind, rusersd, walld, sprayd, rstatd, rpc.nisd, rexd, rpc.pcnfsd, rpc.statd, rpc.ypupdated, rpc.rquotad, kcms_server, and cachefsd.
    SRV-022 Unset password in account, insufficient management of blank password If you don't set a password for each account, your account can be compromised by an attacker. Make sure to set an appropriate password. It is recommended that you always set an appropriate level of password strength for all accounts that require a login.
    SRV-025 Forbid using $HOME/.rhosts, hosts.equiv The "r" commands, such as rlogin, rsh, rexec, and so on, allow remote access by an administrator without authentication. If proper security settings are not applied, an attacker in a remote location can run arbitrary commands on the system with administrator permissions. This is a very weak security structure, so if you must use it, limit the permissions. Set the owner of the /etc/hosts.equiv file and the .rhosts file to root, or the corresponding account, set the permissions to 600, and ensure that the settings in those files do not include the "+" entry (allow all hosts).
    SRV-026 root account remote access limits Check the root account's remote access block settings to confirm that remote login attempts as root by unauthorized external parties are blocked.

    ※ /etc/securetty: file for limiting root access over Telnet.
    If pts/x-related entries exist in the "/etc/securetty" file, be sure to remove them, as they allow root account access regardless of PAM module settings.
    tty (terminal-teletype): the user logs in to the console directly from a monitor, keyboard, and so on, connected to the server.
    pts (pseudo-terminal): access using Telnet, SSH, a terminal emulator, and so on.
    SRV-027 Access IP and port restriction Prevent external attacks by allowing only limited hosts to use the service. By default, set the deny setting for all hosts, and add only those hosts that are absolutely necessary for the service to the allow setting.
    Related configuration files: hosts.allow, hosts.deny.
    SRV-028 Session Timeout settings If the Session timeout value is not set, the system may be vulnerable to unauthorized access during idle time. Session timeout must be set in the configuration file for the user shell.
    SRV-034 Remove automountd automountd provides a feature for clients to mount from a server automatically and unmount when it is no longer in use. Stop the service, because it has a weakness that lets a local attacker send Remote Procedure Calls (RPC) through automountd.
    SRV-035_1 Disable tftp and talk services It is recommended that you disable the tftp, talk, and ntalk services as they are vulnerable in security aspects.
    SRV-035_2 Disable finger service Finger (user information verification service) allows you to check user information registered in the system from outside the network. To prevent unauthorized persons from viewing user information, it is recommended that you prohibit the use of the service.
    SRV-035_3 Disable r series services The "r" commands, such as rlogin, rsh, rexec, and so on, are commands that allow remote access by an administrator without authentication. If proper security settings are not applied, an attacker from a remote location can run arbitrary commands on the system with administrator permissions. It is recommended that you disable them if you are not using them for services.
    SRV-035_4 Disable the services vulnerable to DoS attacks If you do not use the services that are vulnerable to DoS attacks, it is recommended that you disable them.
    Services whose use is discouraged: echo, discard, daytime, and chargen.
    SRV-035_5 Check NIS and NIS+ The Network Information Service (NIS) is an RPC service called ypserv that is used in conjunction with portmap and other related services to deploy user names, passwords, and other confidential information to computers located in the same domain. Because it forwards confidential information unencrypted over the network, it is a security vulnerability. It is recommended that you avoid using the NIS service whenever possible, and use NIS+ when necessary.
    SRV-037 Check the ftp service FTP services allow user names and passwords to be transferred unencrypted and sniffed. It is recommended that you avoid using FTP whenever possible.
    SRV-040 Remove the web service directory listing Directory listing is a feature that shows the list of all files in a directory when the default document does not exist in that directory. When directory listing is enabled, all files in the directory can be accessed from the outside, which not only exposes the structure of your web server, but also risks exposing important files that should not be exposed, such as backup files or source files.
    SRV-042 Forbid access to web service's upper directory Check the AllowOverride option to ensure that it limits moves to an upper directory. If an upper directory can be navigated by using a character such as ".." there is a risk that an attacker will be able to access paths that should not be accessible.
    SRV-043 Remove all unnecessary files of web service Inspect that the unnecessary files created by default upon installing Apache are removed.
    The default files: /[Apache_home]/htdocs/manual and /[Apache_home]/manual.
    SRV-044 Restrict web service file upload and download Due to the nature of the infrastructure, file uploads and downloads are fundamentally prohibited and you must limit the size when necessary. To prevent server overload and use resources efficiently, it is recommended that upload and download files do not exceed 5 MB.
    SRV-045 Limit web service web process permissions If the Apache daemon is running with root permissions, a vulnerability in a web application could allow an attacker to gain root permissions. Therefore, Apache must be run with separate permissions instead of root permissions.
    SRV-046 Separate the web service areas Use the htdocs directory as the DocumentRoot by default upon installing Apache. It is recommended that you change this to a separate path because the htdocs directory contains Apache documentation that should not (or need not) be exposed, as well as information about your system that could be used in an attack.
    SRV-047 Forbid using web service links Symbolic links to the root directory (/) of the system could allow access to files in any file system with the permissions of the user the web server runs as (nobody), so they are dangerous. Because an improper symbolic link can expose sensitive information on your server, you must limit the use of symbolic links.
    SRV-048 Run unnecessary web service If unnecessary services are installed and run by default when the system starts, potential security vulnerabilities may occur. Services that are not actually required may degrade system performance or be exploited for attacks, so they should be checked periodically.
    (Evaluation examples)
    - Various vulnerabilities (OpenSSL, and so on) have been reported for the Tmax WebtoB web server, so check whether the service is used.
    SRV-060 Unchanged web service default account (user name or password) Tomcat is a Java application server that provides the Apache web server with the feature to run JSP and Java servlets. If you do not change the account that is set by default when Tomcat is installed, unauthorized people can gain access to the system. Check if the default account is properly secured.
    SRV-062 Exposure of DNS service information Exposure of information such as DNS server type and version can be used by attackers for other attacks, so ensure that proper security settings are in place.
    SRV-063 Insufficient DNS Recursive Query settings An attack (DNS Cache Poisoning, which causes false information to enter the DNS cache) is possible when an attacker sends a large number of DNS requests using a spoofed (victim) IP address. Check the appropriateness of the security settings to counter this attack.
    SRV-064 Patch DNS security version Berkeley Internet Name Domain (BIND) consists of a DNS server and a resolver library designed for BSD-based Unix systems. Various vulnerabilities have been reported in almost all versions, and it is recommended that you install and use the latest version whenever possible.
    SRV-066 Set DNS Zone Transfer DNS Zone Transfer is a feature used to maintain the zone information consistency between the Primary Name Server and Secondary Name Server. Limit the transfer of Zone information to secondary name servers only. If you allow Zone Transfers to unauthorized users, an attacker can use the transferred zone information to learn a lot of information about hosts, system information, network configuration, and so on.
    SRV-069_1 Password complexity settings Inspect that the password complexity related settings for user accounts (both root and regular accounts) are set in the system policy.
    SRV-069_2 Minimum password length settings Short passwords can easily be compromised by brute force attacks or password guessing. By setting a minimum password length as a policy, you can reduce the risk of passwords being compromised by an attack.
    SRV-069_3 Maximum usage time settings for passwords If you do not set a maximum usage time for passwords, there is no limit to the amount of time an unauthorized person can attempt various attacks (random brute force attacks, dictionary attacks, and so on). A compromised password can be used to take control of the system for an extended period of time. Appropriately limit the maximum usage time so that passwords can be changed periodically.
    SRV-069_4 Minimum usage time settings for passwords If you don't set a minimum password usage time, users can immediately change their passwords back to anything they're familiar with. This can significantly undermine the effectiveness of a policy of regularly changing passwords. It is recommended that you protect passwords by applying the password history setting (remembering recent passwords) to prevent users from reusing old passwords.
    SRV-070 Password file protection On some older systems, the password policy is not applied and passwords are stored in plain text in the /etc/passwd file. Inspect that the passwords of user accounts are encrypted and stored.
    SRV-073 Include minimum accounts in an admin group Inspect that the system admin group only has the minimum number of accounts (the root account and accounts allowed for system management).
    SRV-074 Remove unnecessary account You must prevent intrusion through unmanaged accounts by inspecting for unnecessary accounts. Inspect whether there are unnecessary accounts among the system accounts (retired users, job changes, leave of absence, and so on).

    Default accounts to check: adm, lp, sync, shutdown, halt, news, uucp, operator, games, gopher, nfsnobody (excluded), and squid.
    SRV-075 Existence of guessable account passwords When setting a password, the password complexity must be set so that a strong password can be established by including all letters/numbers/special characters. Passwords consisting of only alphanumeric characters can be easily inferred by currently released password cracking utilities and random attacks. Therefore, check for compliance with your company's password management policy.
    SRV-081_1 Owner and permission settings for cron files If the crontab command is available to normal users except root, they may intentionally or unintentionally run illegal scheduled files. Ensure that cron-related files are not accessible to unauthorized users.
    SRV-081_2 Owner and permission settings for the at file The at daemon (one-time task scheduler) manages task scheduling so that any task can run at a given time. Only users registered in the /etc/at.allow file can use the at command, so you must set the appropriate permissions on that file. If the permissions of the at access restriction file are incorrect, there is a risk of system damage, such as a user account that has gained permissions registering and running an illegal scheduled file.
    SRV-081_3 Insufficient permission settings for the Crontab configuration file A Crontab is a file that you use when you need to perform periodic tasks. If the others permissions in Crontab's task settings file have write and read permissions, you can edit the file contents or read the contents. This can cause important information to be leaked, so it is necessary to check that the appropriate permissions are granted to the relevant files.
    SRV-082 Insufficient permission settings for system's major directories Inappropriate permission settings for the system's major directories can allow malicious programs such as Trojans to be installed and important files to be tampered with. This can be exploited for system intrusion or denial-of-service attacks, so you must check the appropriateness of system directory permissions.
    SRV-083 Insufficient permission settings for the system startup script Due to errors in the ownership and permission settings of the system startup script, there is a possibility that an arbitrary attacker can use it to invade the system by changing the contents of the script. Therefore, check the appropriateness of the permission settings.
    SRV-084_1 Owner and permission settings for the /etc/passwd file The "/etc/passwd" file is an important file that contains the user's ID, password (marked with "x" for security), UID, GID, home directory, and shell information. If the "/etc/passwd" file can be edited by a user other than the administrator (root), malicious actions such as shell tampering, user addition/deletion, and privilege escalation attempts are possible, so the file's permissions must be managed appropriately.
    SRV-084_2 Owner and permission settings for the /etc/shadow file The "/etc/shadow" file is an important file that stores and manages passwords for all accounts registered on the system in encrypted form. If permissions management is not in place for this file, account and password information can be exposed to the outside world. It is recommended that you restrict access for all users except the administrator (root) account.
    SRV-084_3 Owner and permission settings for the /etc/hosts file The "/etc/hosts" file is the file used to map IP addresses to host names. If permissions management is not in place for this file, it can be exploited for pharming attacks that bypass DNS by registering malicious systems in the hosts file. It is recommended that you restrict access for all users except the administrator (root) account.
    SRV-084_4 Owner and permission settings for the /etc/(x)inetd.conf file The Internet super daemon is responsible for running the daemon when internal programs registered in the service configuration file (/etc/(x)inetd.conf) are requested from the external network. If the access permissions of inetd.conf (xinetd.d) are set incorrectly, an unauthorized person can register a malicious program and run the service with root permissions, affecting existing services. It is recommended that you restrict access for all users except the administrator (root) account.
    SRV-084_5 Owner and permission settings for the /etc/syslog.conf file The "/etc/syslog.conf" file is a file that sets up the main log records that occur during system operation. If the file does not have proper access permissions, it can be tampered with by an attacker. System logs may not accurately record traces of the intruder or system errors. It is recommended that you restrict write permissions for all users except the administrator (root) account.
    SRV-084_6 Owner and permission settings for the /etc/services file The "/etc/services" file is used to manage services. If normal users can access and edit the file, it can cause a breach by restricting legitimate services or maliciously running unauthorized services. It is recommended that you restrict write permissions for all users except the administrator (root) account.
    SRV-084_7 Owner and permission settings for the hosts.lpd file To prevent unauthorized tampering with hosts.lpd, delete the hosts.lpd file or manage its owner/permissions.
    SRV-087 Insufficient existence and permission settings for C compiler If an attacker compiles a source file containing attack codes after entering the system and creates an executable file, it can be exploited to attack the system (gain administrator permissions, cause a denial of service, and so on). Inspect whether a C compiler exists in the system and whether it is appropriate to use it.
    SRV-091 Inspect the SUID, SGID, and Sticky bit configuration files A file with Set User-ID (SUID) or Set Group-ID (SGID) set (especially if it is owned by root) can be used to run certain commands to gain root permissions and cause service failure. For root-owned SUID files, remove the SUID and SGID properties except for those that are absolutely necessary, and periodically diagnose and manage them for misconfiguration and security threats.

    *Set User-ID (SUID): a file with this bit set runs with the file owner's permissions temporarily so that it can perform certain tasks.
    *Set Group-ID (SGID): a file with this bit set runs with the file owner group's permissions temporarily so that it can perform certain tasks.
    SRV-092_1 Owner and permission settings for home directory If configuration files in a user's home directory are tampered with by unauthorized users, there is a risk that normal user services will be restricted. Ensure to restrict normal users other than the owner of that home directory from editing it.
    SRV-092_2 Manage the existence of the directory assigned as the home directory The user home directory is the directory in which the user performs tasks after logging in to the shell. The user environment is configured by the environment configuration files in the logged-in user's home directory, and if the home directory is incorrect, the following security issues can occur:
    1) The home directory doesn't exist.
    - If the home directory of a normal user rather than the root user is /, the user's current directory after login is /, causing administrative and security problems.
    2) Hidden directories exist in the home directory.
    - These may be created by an unauthorized user to hide files.
    3) Illegal executable files with the name of a system command exist in the home directory.
    - A user who runs the system command through a relative path may run the illegal file instead.
    SRV-093 Inspect the world writable file If an important file, such as a system file, is set to world writable, a malicious user can tamper with it. Because of the risk of unauthorized access and failure of the system, restrict write permissions for normal users.
    SRV-094 The permission setting error for the Crontab reference file If the other permissions in Crontab's task configuration file have write permission, you can edit the file contents or perform malicious tasks. Inspect that the Crontab-related files have the appropriate security settings.
    SRV-095 File and directory owner settings Check if there are files and directories that do not have an owner and delete them to prevent illegal behavior by random users. A user with the same UID as the deleted owner can access the file/directory and information can be exposed. This threat is most likely due to the fact that files related to retirees are not deleted, or malicious files are created by hacking.
    SRV-096 Owner and permission settings for user, system startup files, and environment files Limit access permissions to environment variable files, such as user files in the home directory and user-specific system startup files, as appropriate. Unauthorized persons can tamper with environment variable files and cause disruption of legitimate services. It is recommended that you restrict write permissions for all users except the administrator (root) account and the owning user.
    Types of environment variable files: ".profile," ".kshrc," ".cshrc," ".bashrc," ".bash_profile," ".login," ".exrc," ".netrc," and so on.
    SRV-108 Insufficient access control and management of logs If system log file permissions are not set correctly, an arbitrary user may be able to falsify log records (such as intrusion attempts and intrusion trace manipulation). Check the appropriateness of log file permission settings.
    SRV-109 Set system logging based on a policy In the event of a security incident, system logging must be performed in accordance with internal policies to determine the cause and verify the facts of the breach. If logging is not possible, it is difficult to determine the cause of the incident and cannot provide sufficient evidence for a legal response.
    SRV-115 Regular review and report of logs Check if the system status is maintained to be stable through regular log reviews. If you do not have a procedure for reviewing and reporting logs, you may miss identifying external intrusion attempts. When you do discover a suspected intrusion attempt, it can be difficult to analyze the relevant information and take further action, such as blocking access to the affected equipment.
    SRV-118 Apply the recent security patch and vendor recommendations Check if the system is safely managed through regular security patches. It is recommended that you apply the latest security patches to prevent attacks that exploit known vulnerabilities.
    SRV-121 root home path directory permission and path settings If the PATH environment variable contains a "." (referring to the current directory) at the beginning or middle of the variable, when you run common commands (such as ls, mv, ps, and so on), the files in the current directory are run first, rather than the original commands. Check the PATH environment variable for the root account, as anomalous files could be run by a malicious user.
    SRV-122 Manage UMASK settings UMASK is a command that sets the default permissions when creating files and directories. Set the UMASK value appropriately to ensure that newly created files are not granted excessive permissions.
    SRV-127 Account lockout threshold settings Inspect that the user login failure threshold is set in the system policy. It is recommended that you set a threshold to block attempts to log in to the system, such as from a brute force attack.
    SRV-131 Limit root account’s su Only su-related groups must be granted permission to use su commands. Limit users who are not in the su group from using the su command. Inspect that there are su-related groups in the group setting files (/etc/group) of the system user account and ensure that su commands are allowed only within the su-related groups.
    SRV-133 Insufficient account restriction for using the Cron service cron is a daemon that runs a set of commands at a certain time, and you need to control access to the cron service. Because periodically running commands can be exploited for intrusion or information exposure, you must check that the proper account settings are made in the cron file.
    SRV-142_1 Forbid "0" for UID other than root Check whether the file that stores the user's account information (/etc/passwd) has any accounts with the same user identification (UID) as the root (UID=0) account. An account with the same UID as the root account would have the same permissions as root, which could pose a significant risk to the system.
    SRV-142_2 Forbid same UID UNIX systems assign a UID to every user account and use that UID to manage user information such as user name, password, home directory, and so on. If duplicate UIDs exist, the system may recognize them as the same user and cause problems. In the event of a leak of personal information and related data by an attacker, the audit trail becomes difficult, so it's necessary to ensure that there are no identical UIDs.
    SRV-144 Inspect the device files that do not exist at /dev If a device does not exist or its name is entered incorrectly, the system might keep creating files in the /dev directory, causing errors. For example, if you mistakenly enter rmt0 as rmto, a new rmto file is created, and the root file system may keep filling with files in the /dev directory until the device name entry error is noticed. Proactively find and remove device files for devices that don't actually exist.
    SRV-147 Check whether to run SNMP service The Simple Network Management Protocol (SNMP) service is a protocol for network management by automatically collecting information from each host on a TCP/IP-based network on a regular basis. It is used to understand or set the system status in real time. It is recommended to stop the SNMP service if it is not used because it can cause major information leakage and illegal editing of information in the system.
    SRV-148 Hide Apache web service information Set the error message to avoid exposing too many details upon web page errors. Do not expose unnecessary information about your web server, such as error pages, web server type, OS information, user account names, and so on. If unnecessary information is exposed, there is a high probability that the information can be used to gather vulnerabilities in the system and used in an attack.
    SRV-158 Allow ssh remote access Because Telnet and FTP transfer data unencrypted, there is a high risk that your ID/password and sensitive information could be exposed. Therefore, it is recommended that you use the Secure Shell (SSH) service, which encrypts all communication between users and the system when connecting remotely. SSH uses TCP port 22 by default; it is recommended that you change the port, as an attacker may target the default port.
    SRV-158_1 Run unnecessary Telnet service Because the Telnet service sends and receives data in plain text when using the password authentication method, the authentication ID/password can be exposed to the outside world. It is not recommended that you use the Telnet service, and you must check if it is disabled.
    SRV-161 Owner and permission settings for the Ftpusers file ftpusers file is a configuration file for FTP access control and the accounts registered in the file cannot access FTP. Limit unauthorized users from editing the ftpusers file by setting appropriate permissions on the file.
    SRV-163 Warning message upon logging on Set up a warning message to avoid providing unnecessary information about the server to unauthorized users and to alert them that only authorized users should access the server.
    SRV-164 Forbid GIDs without accounts Inspect whether unnecessary groups exist in the group configuration file: groups with no member accounts that are not used for system management or operation, or groups that have member accounts but are not used for system management or operation.
    SRV-165_1 Check user shell Limit the login shells of unnecessary accounts that are created by default during OS installation. In general, change the shell of accounts that do not need to log in (adm, sys, daemon, and so on) to /sbin/nologin or a similar non-login shell.
    SRV-165_2 Limit shell for ftp accounts The ftp account is created by default when the FTP service is installed and does not need to log in; restrict its shell so that the account cannot be used for system access. Granting a login shell to a default account that does not require a login exposes the account to attackers, which can lead to unauthorized system access.
    SRV-166 Search and remove hidden files and directories Suspicious hidden files and directories may have been created by an attacker rather than a legitimate user. Periodically check hidden files/directories.
    SRV-174 Run unnecessary DNS service The Domain Name Service (DNS) translates between domain names and IP addresses. If it is left running when not needed, its potential security vulnerabilities can become a pathway for attack. Check whether the service is enabled even though no task requires it.

    Windows inspection items

    The following describes the security setting inspection items for Windows:

    Check ID Inspection items Description of inspection items
    W-01 Rename the administrator account When the admin account keeps the name Administrator, a malicious user can keep attempting password guessing attacks against it, because there is no limit on the login failure count for that account. Change the administrator account's name so that an attacker cannot easily guess both the account name and the password.
    W-02 Guest account status Limit use of the Guest account, as it is a vulnerable account that allows anyone to access the system temporarily. If you need to give access to unspecified individuals, create a normal user account rather than using the Guest account.
    W-03 Remove unnecessary account Inspect whether unused, unnecessary, or suspicious accounts exist. Because the password of an unmanaged, unnecessary account has not been changed for a long time, there is a risk that its account information can be exposed by brute force attacks or password guessing.

    * Brute force attack: tries every possible combination by computer in order to recover a password.
    * The definition of "unnecessary account" differs by customer/service, so you need to check the active users manually.
    * If you delete an account that is not clearly identified, tasks related to that account may fail.
    W-04 Account lockout threshold settings The attacker can try password combination attacks for all user accounts using automatic methods, so you must apply the account lockout threshold settings and specify the logon failure count to lock the user account.
    W-05 Maximum usage time settings for passwords If a password is used without being changed for a long time, it can be leaked by password guessing attacks, so make sure that users change their passwords frequently to reduce the risk of a valid password being compromised. Set a maximum password age and make users change their password when it expires, to reduce the possibility of password cracking and to prevent unauthorized use of passwords obtained illegally.
    W-06 Remove no limit on password usage time If "no limit on password usage time" is set, the unchanged password may be subject to password cracking attacks. By default, local users' passwords must be changed at a regular interval.
    W-07 Save the password using a decipherable encryption If this setting is enabled to support application protocols that require the user's password for authentication, the password is stored in a decipherable (reversible) form, and an attacker who recovers it can use the exposed account to log on to network resources. Configure the "Save the password using a decipherable encryption" policy so that user account passwords are not stored as decipherable text.
    W-08 Include minimum users in an admin group To reduce system damage caused through regular user permissions, separate the account used for management tasks from the account used for regular tasks. Each administrator therefore needs two accounts, and the admin group must include as few users as possible.

    * The definition of "unnecessary account" differs by customer/service, so you need to check it manually.
    * If you delete an account from the administrator group, tasks that depend on it may fail.
    W-09 Set sharing permissions and user group If the Everyone group is included in a share's permissions, anonymous users can access the share. Therefore, check that shared folders other than the default shares C$, D$, Admin$, and IPC$ are not shared with the Everyone group.
    W-10 Remove hard disk default sharing If the system's default shares are not removed, a dangerous situation may arise in which all system resources can be accessed. The Nimda virus, among its various methods, also used these default shares as a pathway of penetration, so you must remove default sharing.
    W-11 Remove unnecessary service If unnecessary vulnerable services installed in the system by default are not removed, attacks are possible due to vulnerabilities of the services. For network services, external intrusion may occur through open ports. Remove or disable services and executable files that are not necessary to the user environment to block malicious attacks through them.

    [Unnecessary service list]
    Alerter (send a warning message from the server to the client).
    Clipbook (share clipbook on the server with other clients).
    Messenger (send a message to the client using the net send commands).
    Simple TCP/IP Services (Echo, Discard, Character Generator, Daytime, and Quote of the Day).
    W-12 Check whether to run NetBIOS binding service If the NetBIOS over TCP/IP binding is enabled on a Windows system connected directly to the Internet, an attacker may use its network shared resources. Remove the NetBIOS and TCP/IP binding so that the file sharing service is not provided over TCP/IP, and prevent access attempts to shared resources from the Internet.
    W-13 Check whether to run FTP service The default FTP services transfer the account and password unencrypted, which can be sniffed with a simple sniffer. Therefore, avoid using vulnerable FTP services.
    W-14 FTP directory access permission settings If excessive permissions (for example, Everyone: Full Control) are granted on the FTP home directory, any user has write and edit permissions, so there is a risk of information leakage and of file forgery and tampering. Therefore, set appropriate access permissions on the FTP service directory and block unintended information leakage.
    W-15 Forbid Anonymous FTP If anonymous FTP access is allowed, major confidential materials or internal information may be leaked illegally. Therefore, limit anonymous FTP access and block illegal leaks of important information.
    W-16 Set FTP access control The FTP protocol does not encrypt the credentials or data supplied at logon; all credentials are transferred over the network in plain text. Authentication information is therefore easily exposed by sniffing the traffic between the server and its clients, so designate the user IPs that are allowed to connect and restrict users accordingly.
    ※ Basically, the infrastructure system must not use FTP services, but if this service must be used within organizations for unavoidable reasons, establish, apply, and use related protection measures.
    ※ Related inspection items: W-26 (high) and W-27 (high)
    W-17 Set DNS Zone Transfer If DNS Zone Transfer blocking settings are not applied, there is a risk that domain information that is stored in the DNS server may be leaked to the outside world rather than approved DNS servers. Therefore, apply the DNS Zone Transfer blocking settings and prevent the illegal external leakage of domain information.
    ※ Zone transfer: a mechanism for synchronizing zone files between a master and slave DNS server, that is, between the primary DNS and secondary DNS.
    W-18 Remove Remote Data Services (RDS) If RDS of a vulnerable platform is used, there is a risk of denial-of-service attacks or remotely running arbitrary commands with admin permissions. Therefore, remove vulnerable RDS services and block illegal remote attacks.
    ※ In MDAC 2.7 or earlier, this vulnerability puts web servers and web clients at risk, so remove RDS if it is not required.
    ※ Remote Data Services (RDS): a component of Microsoft Data Access Components (MDAC) that lets client applications access and manipulate data remotely.
    W-19 Apply the latest service pack If a security update is not applied, vulnerabilities in the system and application programs may cause issues, such as escalating privilege, remotely running codes, and bypassing security features. Maintain the latest version of the system to protect important information and the system from new threats and threats in progress.
    ※ Service pack: a bundle of updated files, such as application programs, services, and executable files, released to improve the stability of Windows.
    W-20 Apply the latest Hot Fix If you don't apply the latest Hot Fix, there is a possibility of system attacks that exploit known vulnerabilities. To remove vulnerabilities in the system and application programs, you need to apply the latest Hot Fix within 1 month.

    ※ Within the latest 3 months according to the guide for major information and communications infrastructure; within the latest 1 month according to CSAP.
    ※ Attack tools exploiting vulnerabilities may appear earlier than Hot Fix, so it is recommended to install Hot Fix as soon as possible after the announcement.
    ※ Hot Fix: a program deployed to patch vulnerabilities that must be fixed immediately (largely related to security). Separately announced when an additional patch is needed after the service pack is announced.
    W-21 Vaccine program update If the vaccine (antivirus) program is not updated regularly, the system is at risk from the continuous appearance of new viruses. Keep the vaccine program updated to the latest version.
    W-22 Regular review and report of logs If you do not have a procedure for reviewing and reporting logs, you may fail to identify external intrusion attempts. When a suspected intrusion attempt is discovered, it can then be difficult to analyze the relevant information and take further action, such as blocking access to the affected equipment. Through regular log reviews, check that the system remains stable and whether any external attacks have occurred.
    W-23 Remotely accessible registry paths The remote registry service has weak access authentication, which may allow accounts other than the admin account to access the registry remotely. If the permission settings for the registry are incorrect, there is a risk of arbitrary files being run remotely through the registry. Disable the remote registry service and block remote access to the registry.
    W-24 Vaccine program installation If a vaccine program is not installed, there is a risk of system damage from malicious software such as worms and Trojans. Install a vaccine program to diagnose virus infections, remove viruses, and take precautions through file protection.
    ※ For protected infrastructure on an isolated network, establish appropriate update procedures and application methods so that the vaccine installed on the system stays up to date.
    ※ Worm: malware that replicates itself and spreads, largely through network shared folders or mail.
    ※ Trojan: a file created with malicious intent, which largely spreads as other malware or as a disguised program, or is downloaded from the Internet.
    W-25 Set SAM file access control The Security Account Manager (SAM) file manages the passwords of the user and group accounts and provides authentication through Local Security Authority (LSA). Password attack attempts for SAM files can expose password database information, so limit access to SAM files except for Administrator and System groups.
    W-26 Set screen saver (Deleted when the guide is revised in 2024) If the screen saver is not set, an arbitrary user may access the system during your absence and leak important information or adversely affect system operation through malicious actions. Set the system to log off automatically or lock the workstation if the user does not perform any task for a certain amount of time, and block illegal system access during idle time.
    W-27 Allow system shutdown without logging on If the "system shutdown" button is enabled in the logon window, an illegal system shutdown is possible without logging on, which affects normal service operation. Prevent illegal system shutdown through unauthorized users by disabling the shutdown button on the system logon window.
    W-28 Forcible system shutdown through the remote system If the force shutdown settings for the remote system are not appropriate, it may be exploited for denial-of-service attacks. Set users or groups who can end the operating system remotely through the network and allow only certain users to end the system.
    W-29 System shutdown when security audit cannot be logged If the "system shutdown immediately when security audit cannot be logged" policy is enabled, it may be used to shut the system down for malicious purposes and exploited for denial-of-service attacks. An abnormal system shutdown can also damage the system and its data. Disable this policy to prevent abnormal system shutdowns when events cannot be logged because the log capacity has been exceeded.

    ※ In general, if the retention method for the security log is [Do not overwrite events] or [Overwrite events every day], no events are logged once the security audit log is full. If this policy is enabled when the security log is full and existing logs can no longer be overwritten, the following stop errors will appear.
    W-30_1 Do not allow anonymous enumeration of SAM accounts (RestrictAnonymousSAM) In Windows, an anonymous user can perform enumeration of domain accounts (users, computers, and groups) and network shared names. Therefore, if anonymous enumeration of Security Account Manager (SAM) accounts is allowed, a malicious user may view the account name list and use this information to guess passwords or perform social engineering attack methods. This setting is required to prevent account information from being maliciously stolen by an anonymous user.

    ※ Block external threats by blocking ports 135-139 (TCP, UDP) on the firewall and routers.
    ※ Network and Dial-up Connections > Local Area Connection > Properties > Advanced > Advanced Settings: you must unbind File and Printer Sharing for Microsoft Networks.
    W-30_2 Do not allow anonymous enumeration of SAM accounts (RestrictAnonymous) In Windows, an anonymous user can perform enumeration of domain accounts (users, computers, and groups) and network shared names. Therefore, if anonymous enumeration of Security Account Manager (SAM) accounts is allowed, a malicious user may view the account name list and use this information to guess passwords or perform social engineering attack methods. This setting is required to prevent account information from being maliciously stolen by an anonymous user.

    ※ Block external threats by blocking ports 135-139 (TCP, UDP) on the firewall and routers.
    ※ Network and Dial-up Connections > Local Area Connection > Properties > Advanced > Advanced Settings: you must unbind File and Printer Sharing for Microsoft Networks.
    W-31 Control Autologon feature When you use Autologon feature, the intruder can view the login account and password in the registry using hack tools. Therefore, set to never use the Autologon feature.
    * Autologon: an automatic logon feature that uses credentials stored, encrypted, in the registry.
    W-32 Allow formatting and ejecting of mobility media Limit the users who are allowed to format and eject removable (mobility) NTFS media. Otherwise a user can move the removable disk to any computer on which they have administrative permissions, take ownership of the files, and view or edit them.
    ※ This security setting decides which users can format or eject removable NTFS media; the permitted groups can be set to Administrators only, Administrators and Power Users, or Administrators and Interactive Users.
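    As an added example (not code from System Security Checker or from this guide), the following PowerShell reads the local registry values behind W-29, W-30_1, W-30_2, W-31 and W-32 and reports whether each matches the recommended state. RestrictAnonymousSAM and RestrictAnonymous are named on this page; the CrashOnAuditFail, AutoAdminLogon, DefaultPassword and AllocateDASD locations are the standard Windows ones and are assumed here.

```powershell
# Added example: audit the registry values behind W-29 to W-32.
# Run in an elevated PowerShell session. Value names other than
# RestrictAnonymous/RestrictAnonymousSAM are assumed standard locations.
$Lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the value (or key) is missing, so "not set"
    # can be treated as a distinct state by the checks below.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# One entry per inspection item: where to read and what counts as PASS.
$Checks = @(
    @{ Id = 'W-29';   Path = $Lsa;      Name = 'CrashOnAuditFail'
       Want = 'Disabled (0 or unset)';  Pass = { param($v) $null -eq $v -or $v -eq 0 } },
    @{ Id = 'W-30_1'; Path = $Lsa;      Name = 'RestrictAnonymousSAM'
       Want = 'Enabled (1)';            Pass = { param($v) $v -eq 1 } },
    @{ Id = 'W-30_2'; Path = $Lsa;      Name = 'RestrictAnonymous'
       Want = 'Enabled (1)';            Pass = { param($v) $v -eq 1 } },
    @{ Id = 'W-31';   Path = $Winlogon; Name = 'AutoAdminLogon'
       Want = 'Autologon off (0 or unset)'; Pass = { param($v) $null -eq $v -or "$v" -eq '0' } },
    # AllocateDASD: "0" Administrators, "1" Administrators and Power Users,
    # "2" Administrators and Interactive Users (assumed mapping).
    @{ Id = 'W-32';   Path = $Winlogon; Name = 'AllocateDASD'
       Want = 'Administrators only (0 or unset)'; Pass = { param($v) $null -eq $v -or "$v" -eq '0' } }
)

$Report = foreach ($c in $Checks) {
    $value   = Get-RegValue -Path $c.Path -Name $c.Name
    $current = if ($null -eq $value) { '<not set>' } else { $value }
    $result  = if (& $c.Pass $value) { 'PASS' } else { 'FAIL' }
    [pscustomobject]@{
        Item     = $c.Id
        Value    = $c.Name
        Current  = $current
        Expected = $c.Want
        Result   = $result
    }
}

$Report | Format-Table -AutoSize

# W-31: a stored DefaultPassword is a finding on its own, even when
# AutoAdminLogon is off, because the password then sits in the registry.
if ($null -ne (Get-RegValue -Path $Winlogon -Name 'DefaultPassword')) {
    Write-Warning 'W-31: DefaultPassword is present under Winlogon; remove it.'
}
```

    A FAIL row identifies the value to correct through the corresponding Local Security Policy setting; the script only reads the registry and changes nothing.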