OS Security Checker

    Article Summary

    The latest service changes have not yet been reflected in this content. We will update the content as soon as possible. Please refer to the Korean version for information on the latest updates.

    Available in Classic and VPC

    In the OS Security Checker menu, you can check the result of the operating system (OS) security setting inspection. You can view the detailed result as an inspection report or download it as a PDF or Excel file, and you can also check the recommended security setting solutions.

    Note

    To check an inspection result, first run the security setting inspection on the server. For details on how to run an inspection, see OS and WAS Inspection.

    OS Security Checker screen

    The OS Security Checker screen in System Security Checker is laid out as follows:
    [Screenshot: OS Security Checker screen]

    Area | Description
    ① Menu name | The name of the menu currently displayed and the number of inspections being viewed.
    ② Basic features |
      • Subscription request and cancellation (see Start System Security Checker)
      • Check how to inspect
      • Check the OS Security Checker guide
      • Check detailed information about System Security Checker
      • Refresh the page
    ③ Search area | Filter the results by inspection date or search by server name.
    ④ Excel | Click the [Excel] button to download the inspection result as an Excel file.
    ⑤ Inspection Result List | The list of inspection results for OS security settings currently being viewed.

    View Inspection Result

    The following is how to check the result of a server's OS security setting inspection.

    1. On the NAVER Cloud Platform console, click Services > Security > System Security Checker in that order.
    2. Click the OS Security Checker menu.
    3. Check the result of the inspection.
      • You can find the desired result by filtering by inspection date or entering a server name.
      • Region: the region of the server
      • Server name: the name of the inspected server. Click it to view the detailed inspection result and solutions (see Detailed Result and Solutions).
      • InstanceNo: the unique server number
      • Check list: the inspection type
        • Linux, Windows: the OS of a Linux or Windows server was inspected
        • Finance: Linux security settings were inspected based on the Financial Security Agency's Electronic Financial Infrastructure
      • Inspection Date: the date of the inspection
      • OS version: the OS version of the inspected server
      • Vulnerable/All items: the number of inspection items found to be "Bad" / the total number of inspection items
      • Critical, Major, Minor: the number of "Bad" inspection items at each severity
      • Report view: click the [Report] button to view the entire inspection result as an inspection report and download it as a PDF file.

    Detailed Result and Solutions

    The following is how to view the detailed result of the OS security setting inspection, with the explanation and solution for each inspection item, and download it.

    1. On the NAVER Cloud Platform console, click Services > Security > System Security Checker in that order.
    2. Click the OS Security Checker menu.
    3. Click the name of the inspected server to view the detailed result.
    4. When the Detailed Result and Solutions window pops up, check the inspection details and result.
      • Click an inspection item to see its description, suggested settings, examination standard, and solutions.
      • Select a Severity and an Inspection Result and click the [Search] button to filter the inspection items.
      • Click the [Report] button to view the displayed result as an inspection report and download it as a PDF file.
      • Click the [Excel] button to download the displayed result as an Excel file.

    OS Security Setting Inspection Items

    Check the OS security setting inspection items for each server operating system.

    Note

    You can view the explanation, suggested settings, and solutions for each inspection item in the Detailed Result and Solutions pop-up window of the NAVER Cloud Platform console (see Detailed Result and Solutions).

    Linux Inspection Items (CSAP)

    The following describes the CSAP security setting inspection items for Linux.

    Check ID | Checklist | Description
    U-01 | Restrict root account remote access | Inspect whether remote access by the root account is blocked, so that an unauthorized outsider cannot attempt to log in as root from outside.
      • /etc/securetty: the file that restricts root access over Telnet. If pts/x entries exist in /etc/securetty, be sure to remove them, because they allow root login regardless of the PAM module settings.
      • tty (terminal-teletype): the user logs in on the console directly, from a monitor and keyboard connected to the server.
      • pts (pseudo-terminal): the user connects using Telnet, SSH, a terminal emulator, etc.
    U-02 | Password complexity settings | Inspect whether password complexity settings for user accounts (both root and normal accounts) are set in the system policy.
    U-03 | Set an account lockout threshold | Inspect whether a login failure threshold is set in the system policy. It is recommended that you set a threshold to block repeated login attempts, such as a brute force attack.
    U-04 | The maximum usage time setting for passwords | If no maximum usage time is set for passwords, there is no limit on how long an unauthorized person can keep trying attacks (random brute force attacks, dictionary attacks, etc.), and a compromised password can be used to control the system for an extended period. Limit the maximum usage time appropriately so that passwords are changed periodically.
    U-05 | Password file protection | On some older systems, the password policy is not enforced and passwords are stored in plain text in the /etc/passwd file. Inspect whether the passwords of user accounts are encrypted.
    U-06 | Root home path directory authority and path settings | If the PATH environment variable contains "." (the current directory) at its beginning or middle, running a common command (such as ls, mv, ps, etc.) executes a file of that name in the current directory before the real command. Check the root account's PATH environment variable, since a malicious user could get anomalous files executed this way.
    U-07 | File and directory owner settings | Check whether there are files or directories without an owner and delete them to prevent misuse by arbitrary users. A user later assigned the same UID as the deleted owner can access such files and expose their contents. This most often happens when files belonging to departed employees are not deleted, or when malicious files are created by hacking.
    U-08 | The owner and authority setting for the /etc/passwd file | "/etc/passwd" is an important file containing each user's ID, password field (marked with 'x' for security), UID, GID, home directory, and shell. If it can be modified by a user other than the administrator (root), malicious actions such as shell tampering, adding or deleting users, and privilege escalation attempts become possible, so its permissions must be managed appropriately.
    U-09 | The owner and authority setting for the /etc/shadow file | "/etc/shadow" stores the passwords of all accounts registered on the system in encrypted form. Without proper permission management, account and password information can be exposed to the outside. It is recommended that you restrict access for all users except the administrator (root) account.
    U-10 | The owner and authority setting for the /etc/hosts file | "/etc/hosts" maps IP addresses to hostnames. Without proper permission management, it can be abused for pharming attacks that bypass DNS by registering malicious systems in the file. It is recommended that you restrict access for all users except the administrator (root) account.
    U-11 | The owner and authority setting for the /etc/(x)inetd.conf file | The Internet super daemon starts the internal programs registered in its service configuration file (/etc/(x)inetd.conf) when they are requested from the external network. If the access permissions of inetd.conf (xinetd.d) are set incorrectly, an unauthorized person can register a malicious program and run it as a service with root permissions, affecting existing services. It is recommended that you restrict access for all users except the administrator (root) account.
    U-12 | The owner and authority setting for the /etc/syslog.conf file | "/etc/syslog.conf" configures the main log records produced during system operation. If the file does not have proper access permissions, an attacker can tamper with it, and the system logs may then fail to record the intruder's traces or system errors accurately. It is recommended that you restrict write permission for all users except the administrator (root) account.
    U-13 | The owner and authority setting for the /etc/services file | "/etc/services" is used to manage services. If normal users can access and edit it, they can cause a breach by restricting legitimate services or running unauthorized services. It is recommended that you restrict write permission for all users except the administrator (root) account.
    U-14 | Inspect the SUID, SGID, Sticky bit setting files | A file with SUID (Set User-ID) or SGID (Set Group-ID) set, especially one owned by root, can be used to run certain commands with root permissions or to cause service failure. For root-owned SUID files, remove the SUID and SGID attributes except where absolutely necessary, and periodically check them for misconfiguration and security threats.
      • SUID (Set User-ID): while the file runs, it temporarily acquires the file owner's permissions to perform certain tasks.
      • SGID (Set Group-ID): while the file runs, it temporarily acquires the file owner group's permissions to perform certain tasks.
    U-15 | The owner and authority setting for user, system start files and environment files | Restrict access to environment variable files, such as user files in the home directory and per-user system startup files, as appropriate. Unauthorized persons who tamper with environment variable files can disrupt legitimate services. It is recommended that you restrict write permission for all users except the administrator (root) account and the file's owner.
      • Types of environment variable files: ".profile", ".kshrc", ".cshrc", ".bashrc", ".bash_profile", ".login", ".exrc", ".netrc", etc.
    U-16 | Inspect the world writable file | If an important file, such as a system file, is world writable, a malicious user can tamper with it. Because of the risk of unauthorized access and system failure, restrict write permission for normal users.
    U-17 | Forbid using $HOME/.rhosts, hosts.equiv | The 'r' commands (rlogin, rsh, rexec, etc.) allow remote access by an administrator without authentication. If proper security settings are not applied, a remote attacker can execute arbitrary commands on the system with administrator permissions. This is a very weak security structure, so if you must use it, limit the permissions: set the owner of /etc/hosts.equiv and .rhosts to root or the corresponding account, set their permissions to 600, and make sure they do not contain the '+' setting (allow all hosts).
    U-18 | Access IP and Port Restriction | Prevent external attacks by allowing only limited hosts to use the service. By default, deny all hosts, and add only those hosts that are absolutely necessary for the service to the allow setting.
      • Related configuration files: hosts.allow, hosts.deny
    U-19 | The owner and authority setting for cron files | If the crontab command is available to normal users other than root, they may intentionally or unintentionally schedule illegal jobs. Ensure that cron-related files are not accessible to unauthorized users.
    U-20 | Deactivating finger service | Finger (user information verification service) allows user information registered on the system to be looked up from outside the network. To prevent unauthorized persons from viewing user information, it is recommended that you prohibit the service.
    U-21 | Disable anonymous FTP | Check whether the FTP service in use allows anonymous FTP access, and consider blocking it.
    U-22 | Deactivate r services | The 'r' commands (rlogin, rsh, rexec, etc.) allow remote access by an administrator without authentication. If proper security settings are not applied, a remote attacker can execute arbitrary commands on the system with administrator permissions. It is recommended that you disable them if your services do not use them.
    U-23 | Disable the services vulnerable to DoS attacks | If you do not use the services that are vulnerable to DoS attacks, it is recommended that you disable them.
      • Services suggested to disable: echo, discard, daytime, chargen
    U-24 | Deactivate NFS services | Network File System (NFS) lets you mount and use a remote computer's file system on the local system. Its use is prohibited because of the high risk that an unauthorized service abuses NFS mounts to access and tamper with the system. If you must use it, manage it according to U-25.
    U-25 | NFS access control | When using NFS, restrict access to authorized users only. Sharing with everyone must be restricted to prevent unauthorized access.
    U-26 | Remove automountd | automountd lets clients mount a server automatically and unmount it when it is no longer used. Stop the service because it has a vulnerable element: a local attacker can send an RPC (Remote Procedure Call) via automountd.
    U-27 | Check the RPC service | Remote Procedure Call (RPC) is a protocol that lets a program run a subroutine or procedure in another address space without explicitly coding the remote interaction. It is recommended that you disable the RPC services below, as some of them have vulnerabilities, including remote operation.
      • RPC services suggested to disable: rpc.cmsd, rpc.ttdbserverd, sadmind, rusersd, walld, sprayd, rstatd, rpc.nisd, rexd, rpc.pcnfsd, rpc.statd, rpc.ypupdated, rpc.rquotad, kcms_server, cachefsd
    U-28 | Check NIS and NIS+ | The Network Information Service (NIS) is an RPC service called ypserv that, together with portmap and other related services, distributes usernames, passwords, and other confidential information to computers in the same domain. Because it passes confidential information unencrypted over the network, it is a security vulnerability. It is recommended that you avoid the NIS service whenever possible and use NIS+ when necessary.
    U-29 | Deactivate tftp and talk services | It is recommended that you deactivate the tftp, talk, and ntalk services, as they are vulnerable.
    U-30 | Check the Sendmail version | The Sendmail service has many reported vulnerabilities in most versions. It is recommended that you not use it if your service does not require it, and that you use the latest version if it does.
    U-31 | Restrict spam mail relays | Simple Mail Transfer Protocol (SMTP) is the standard communication protocol for sending email over the Internet. If you provide a service that sends email through an SMTP server, you need appropriate security settings. If the relay feature is not restricted, the server can be hijacked as a spam relay for malicious purposes or become the target of a DoS attack.
    U-32 | Prevent normal users from running Sendmail | When using the SMTP service, the q option can be used to arbitrarily change the sendmail settings or force the mail queue to be dropped. Therefore, restrict the q option so that normal users cannot use it.
    U-33 | Patch DNS security version | Berkeley Internet Name Domain (BIND) consists of a DNS server and a resolver library designed for BSD-based Unix systems. Various vulnerabilities have been reported in almost all versions, so it is recommended that you install and use the latest version whenever possible.
    U-34 | Set DNS Zone Transfer | DNS Zone Transfer keeps zone information consistent between the Primary Name Server and the Secondary Name Server. Restrict zone transfers to the secondary name servers only. If zone transfers are allowed to unauthorized users, an attacker can learn a great deal about hosts, system information, network configuration, etc. from the transferred zone data.
    U-35 | Apply the recent security patch and vendor recommendations | Check whether the system is kept safe through regular security patches. It is recommended that you apply the latest security patches to prevent attacks that exploit known vulnerabilities.
    U-36 | Regular review and report of logs | Check whether the system is kept stable through regular log reviews. Without a procedure for reviewing and reporting logs, you may fail to notice external intrusion attempts, and when a suspected intrusion is discovered it can be difficult to analyze the relevant information and take further action, such as blocking access to the affected equipment.
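As an added example that is not part of this page or NAVER Cloud's checker, the shell functions below implement the logic of items U-01, U-06, U-08/U-09, U-14 and U-17 as described above, run against constructed sample files so they can be tried offline without root. The expected owner and the maximum mode passed to check_owner_mode are assumptions (the page states no numeric mode), as is the use of GNU coreutils stat.

```shell
#!/bin/sh
# Added example (not NAVER Cloud's checker code): plain-shell versions of the
# CSAP items U-01, U-06, U-08/U-09, U-14 and U-17 described above, run against
# constructed sample files so the logic can be tried offline without root.
# Each check prints its verdict and returns 0 (Good) or 1 (Bad).
# Assumes a POSIX shell and GNU coreutils stat (-c).

# U-01: a pts/x line in /etc/securetty allows root login over a
# pseudo-terminal (Telnet, SSH) regardless of the PAM module settings.
check_securetty() {   # securetty_file
    if [ ! -f "$1" ]; then
        echo "U-01 N/A: $1 not present (nothing to inspect here)"; return 0
    fi
    if grep -Eq '^[[:space:]]*pts/' "$1"; then
        echo "U-01 BAD: pts/x entry present in $1"; return 1
    fi
    echo "U-01 GOOD: no pts/x entry in $1"
}

# U-06: "." at the beginning or middle of PATH makes a file dropped in the
# current directory run instead of ls, mv, ps and so on. An empty element
# ("::" or a leading ":") means the current directory as well (added
# generalisation, not stated on the page). A trailing "." is not flagged,
# matching the page's wording.
check_root_path() {   # path_string
    case ":$1" in
        *:.:*|*::*) echo "U-06 BAD: current directory precedes other entries in PATH=$1"; return 1 ;;
    esac
    echo "U-06 GOOD: PATH=$1"
}

# U-08 / U-09 (and the 600 rule of U-17): the owner must be the expected
# account and the mode must not grant any bit beyond max_mode. The page gives
# no numeric mode for passwd or shadow, so the caller supplies the limit.
check_owner_mode() {   # file expected_owner max_mode (octal, e.g. 640)
    owner=$(stat -c %U "$1") || return 1
    mode=$(stat -c %a "$1")
    if [ "$owner" != "$2" ]; then
        echo "BAD: $1 is owned by $owner, expected $2"; return 1
    fi
    # any bit set in mode but cleared in max_mode is too permissive
    if [ $(( 0$mode & ~0$3 )) -ne 0 ]; then
        echo "BAD: $1 mode $mode exceeds limit $3"; return 1
    fi
    echo "GOOD: $1 is $owner $mode (limit $3)"
}

# U-17: a "+" standing alone as a field in hosts.equiv or .rhosts trusts
# every host (or every user), so any such field is a finding.
check_rhosts_plus() {   # hosts.equiv or .rhosts file
    if grep -Eq '(^|[[:space:]])\+([[:space:]]|$)' "$1"; then
        echo "U-17 BAD: '+' (trust all) entry in $1"; return 1
    fi
    echo "U-17 GOOD: no '+' entry in $1"
}

# U-14: list files with the SUID or SGID bit set under a directory. The page
# asks to keep only the root-owned ones that are strictly necessary; listing
# every match gives the operator the set to review.
list_suid_sgid() {   # directory
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}
count_suid_sgid() {   # directory
    list_suid_sgid "$1" | wc -l | tr -d ' '
}

# Constructed sample tree (stands in for /etc and friends; nothing is real).
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
ME=$(id -un)   # stands in for root, since an unprivileged run cannot chown to root
printf 'console\ntty1\npts/0\n'        > "$SAMPLE/securetty_bad"
printf 'console\ntty1\ntty2\n'         > "$SAMPLE/securetty_good"
printf 'trusted.example alice\n+\n'    > "$SAMPLE/hosts.equiv_bad"
printf 'trusted.example alice\n'       > "$SAMPLE/hosts.equiv_good"
: > "$SAMPLE/shadow_bad";  chmod 644  "$SAMPLE/shadow_bad"
: > "$SAMPLE/shadow_good"; chmod 600  "$SAMPLE/shadow_good"
: > "$SAMPLE/setuid_tool"; chmod 4755 "$SAMPLE/setuid_tool"   # the one SUID file
: > "$SAMPLE/plain_tool";  chmod 755  "$SAMPLE/plain_tool"

check_securetty "$SAMPLE/securetty_bad"
check_securetty "$SAMPLE/securetty_good"
check_root_path ".:/usr/sbin:/usr/bin"
check_root_path "/usr/sbin:/usr/bin"
check_owner_mode "$SAMPLE/shadow_bad"  "$ME" 640   # 640 is an assumed sample limit
check_owner_mode "$SAMPLE/shadow_good" "$ME" 640
check_rhosts_plus "$SAMPLE/hosts.equiv_bad"
check_rhosts_plus "$SAMPLE/hosts.equiv_good"
echo "U-14: $(count_suid_sgid "$SAMPLE") SUID/SGID file(s) under $SAMPLE:"
list_suid_sgid "$SAMPLE"
```

Pointing the same functions at the real files (/etc/securetty, /etc/shadow, /etc/hosts.equiv, the root PATH) reproduces the checks on a live server.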

    Linux Inspection Items (KISA)

    The following describes the KISA security setting inspection items for Linux.

    Check ID | Checklist | Description
    U-01 | Restrict root account remote access | Inspect whether remote access by the root account is blocked, so that an unauthorized outsider cannot attempt to log in as root from outside.
      • We recommend that users log in with a separate user account and switch to root permissions with the su command before working.
    U-02 | Password complexity settings | Inspect whether password complexity settings for user accounts (both root and normal accounts) are set in the system policy.
    U-03 | Set an account lockout threshold | Inspect whether a login failure threshold is set in the system policy.
    U-04 | Password file protection | Inspect whether the user account passwords stored in the /etc/passwd file are encrypted.
    U-05 | Root home path directory authority and path settings | Inspect whether the root account's PATH environment variable includes "." (the current directory).
    U-06 | File and directory owner settings | Inspect whether any files or directories have no owner.
    U-07 | The owner and authority setting for the /etc/passwd file | The owner and permission settings for important system files.
      • /etc/passwd: a file containing each user's ID, password field (marked with 'x' for security), UID, GID, home directory, and shell.
    U-08 | The owner and authority setting for the /etc/shadow file | The owner and permission settings for important system files.
      • /etc/shadow: a file that stores the passwords of all accounts registered on the system in encrypted form.
    U-09 | The owner and authority setting for the /etc/hosts file | The owner and permission settings for important system files.
      • /etc/hosts: the file used to map IP addresses to hostnames.
    U-10 | The owner and authority setting for the /etc/(x)inetd.conf file | The owner and permission settings for important system files.
      • /etc/(x)inetd.conf: the service configuration file of the Internet super daemon.
    U-11 | The owner and authority setting for the /etc/syslog.conf file | The owner and permission settings for important system files.
      • /etc/syslog.conf: the file that configures the main log records produced during system operation.
    U-12 | The owner and authority setting for the /etc/services file | The owner and permission settings for important system files.
      • /etc/services: the file used for service management.
    U-13 | Inspect the SUID, SGID, Sticky bit setting files | Remove unnecessary SUID and SGID attributes from files.
      • SUID (Set User-ID): while the file runs, it temporarily acquires the file owner's permissions to perform certain tasks.
      • SGID (Set Group-ID): while the file runs, it temporarily acquires the file owner group's permissions to perform certain tasks.
    U-14 | The owner and authority setting for user, system start files and environment files | Restrict access permissions for user files in the home directory and environment variable files, such as each user's system startup files.
      • Types of environment variable files: ".profile", ".kshrc", ".cshrc", ".bashrc", ".bash_profile", ".login", ".exrc", ".netrc", etc.
    U-15 | Inspect the world writable file | Inspect whether there are unnecessary world writable files.
      • world writable: all users are allowed to write to the file.
    U-16 | Inspect the device files that do not exist at /dev | Inspect whether there are device files that do not correspond to an actual device.
    U-17 | Forbid using $HOME/.rhosts, hosts.equiv | Restrict the r commands such as rlogin, rsh, rexec, etc.
      • r command: commands that allow remote administrator access without authentication.
    U-18 | Access IP and Port Restriction | Prevent external attacks in advance by allowing only limited hosts to use the service.
      • Related configuration files: hosts.allow and hosts.deny
    U-19 | Deactivating finger service | Deactivate the finger service to prevent unauthorized people from viewing user information.
      • Finger (user information checking service): allows user information registered on the system to be looked up from outside the network.
    U-20 | Disable anonymous FTP | Block anonymous FTP access to keep users without permission from using FTP.
      • Anonymous FTP: anyone can use FTP by logging in with the name anonymous or ftp and a password.
    U-21 | Deactivate r services | Deactivate the r commands such as rlogin, rsh, rexec, etc.
      • r command: commands that allow remote administrator access without authentication.
    U-22 | The owner and authority setting for cron files | The owner and permission settings for important system files.
      • /etc/cron.allow, /etc/cron.deny: the files that allow or block users' crontab commands.
    U-23 | Disable the services vulnerable to DoS attacks | Disable unused services that are vulnerable to DoS attacks.
      • Services suggested to disable: echo, discard, daytime, chargen
    U-24 | Deactivate NFS services | Deactivate NFS services.
      • NFS (Network File System): a service that mounts a remote computer's file system on the local system and makes it available for use.
      • If you must use it, manage it according to U-25.
    U-25 | NFS access control | Restrict NFS usage and access to authorized users only.
      • NFS (Network File System): a service that mounts a remote computer's file system on the local system and makes it available for use.
    U-26 | Remove automountd | Stop the service because it has a vulnerable element: a local attacker can send an RPC (Remote Procedure Call) via automountd.
      • automountd: lets clients mount a server automatically and unmount it when it is no longer used.
    U-27 | Check the RPC service | Disable the RPC services below, as some of them have vulnerabilities, including remote operation.
      • Remote Procedure Call (RPC): a protocol that lets a program run a subroutine or procedure in another address space without explicitly coding the remote interaction.
      • RPC services suggested to disable: rpc.cmsd, rpc.ttdbserverd, sadmind, rusersd, walld, sprayd, rstatd, rpc.nisd, rexd, rpc.pcnfsd, rpc.statd, rpc.ypupdated, rpc.rquotad, kcms_server, and cachefsd
    U-28 | Check NIS and NIS+ | Avoid the NIS service as much as possible. If necessary, use NIS+.
      • Network Information Service (NIS): distributes usernames, passwords, and other confidential information to computers in the same domain.
    U-29 | Deactivate tftp and talk services | Deactivate the tftp, talk, and ntalk services, as they are vulnerable.
    U-30 | Check the Sendmail version | Many weaknesses have been found in most versions. If it is unnecessary, stop using it.
      • If you need to use it, use the most recent version.
    U-31 | Restrict spam mail relays | Restrict the SMTP server's relay feature.
    U-32 | Prevent normal users from running Sendmail | Restrict normal users from using the q option when providing SMTP services.
      • With the q option, they can change the sendmail settings as they wish or forcibly drop the mail queue.
    U-33 | Patch DNS security version | Use the most recent version of BIND.
      • BIND (Berkeley Internet Name Domain): a DNS designed for BSD-based Unix systems. It consists of a server and a resolver library.
    U-34 | Set DNS Zone Transfer | Restrict the sending of zone information to the Secondary Name Server only.
      • DNS Zone Transfer: a feature used to keep zone information consistent between the Primary Name Server and the Secondary Name Server.
    U-35 | Remove the Apache directory listing | Deactivate the directory listing feature.
      • Directory listing: a feature that shows the list of all files in a directory when the default document does not exist in that directory.
    U-36 | Restrict Apache web process permissions | Apache must run with a separate authority instead of root authority.
    U-37 | Forbid access to Apache's upper directory | Restrict moving to the upper directory with the AllowOverride option.
    U-38 | Remove all unnecessary files of Apache | Inspect whether the unnecessary files created by default when installing Apache have been removed.
      • Default files: /[Apache_home]/htdocs/manual and /[Apache_home]/manual
    U-39 | Forbid using Apache links | Restrict the use of symbolic links.
    U-40 | Restrict Apache file upload and download | Forbid uploading and downloading files as a rule, and restrict the size when it is necessary.
    U-41 | Separate Apache web service areas | Change the DocumentRoot from the default setting (the htdocs directory) to another location.
    U-42 | Apply the recent security patch and vendor recommendations | Check whether the system is kept safe through regular security patches.
    U-43 | Regular review and report of logs | Check whether the system is kept stable through regular log reviews.
    U-44 | Forbid '0' for UID other than root | Inspect whether any account other than root has UID 0 (the same permissions as root).
    U-45 | Restrict root account's su |
      • Inspect whether there is an su-related group in the system's group configuration file (/etc/group).
      • Inspect whether the su command is allowed only within the su-related group.
    U-46 | Minimum password length settings | Set the minimum password length to more than 8 characters.
    U-47 | The maximum usage time setting for passwords | Limit the maximum usage time appropriately so that passwords are changed regularly.
    U-48 | The minimum usage time setting for passwords | Set the minimum time that must pass before a password can be changed.
    U-49 | Removal of unnecessary accounts |
      • Inspect whether there are unnecessary accounts among the system accounts.
      • Delete the following default accounts: adm, lp, sync, shutdown, halt, news, uucp, operator, games, gopher, nfsnobody, and squid
    U-50 | Include minimum accounts in an admin group | Inspect whether the system management group contains only the minimum number of accounts.
    U-51 | Forbid GIDs without accounts | Inspect whether unnecessary groups exist in the group configuration file (groups without accounts that are not used for system management or operation, or groups with accounts that are not used for system management or operation).
    U-52 | Forbid same UID | Inspect whether any user accounts share the same UID.
    U-53 | User shell inspection | Prevent accounts that do not need to log in from logging in by assigning them the /bin/false shell.
    U-54 | Session Timeout Setting | Set a session timeout so that the connection is forcibly closed when no event occurs for a certain period.
    U-55 | The owner and authority setting for the hosts.lpd file | The owner and permission settings for important system files.
      • /etc/hosts.lpd: the file containing the hosts (users) authorized to use the local print service.
    U-56 | Manage umask settings | Inspect whether the UMASK value is appropriate.
      • UMASK value: determines the access permissions of newly created files on the system.
    U-57 | The owner and authority setting for Home Directory | Restrict normal users other than the owner of a user home directory from editing it.
    U-58 | Manage the existence of the directory assigned as home directory | Inspect whether each user account's home directory exists and matches the account.
    U-59 | Search and remove hidden files and directories | Inspect whether hidden or suspicious files exist in directories.
    U-60 | Allow ssh remote access | Use the SSH (Secure Shell) service, which encrypts all communication between users and the system during remote access.
      • We recommend changing the SSH port from the default port (TCP port 22).
    U-61 | Check the ftp service | Inspect whether the FTP service is enabled.
    U-62 | Restrict shell for ftp accounts | Block system access for the default account created when FTP is installed by assigning it the /bin/false shell.
    U-63 | The owner and authority setting for the Ftpusers file | The owner and permission settings for important system files.
      • ftpusers file: the configuration file for FTP access control. Accounts registered in the file cannot access FTP.
    U-64 | Ftpusers file setting |
      • Deactivating the FTP service is recommended.
      • If you need to use FTP, use the ftpusers file to keep the root account from logging in directly.
      • ftpusers file: the configuration file for FTP access control. Accounts registered in the file cannot access FTP.
    U-65 | The owner and authority setting for the at file | The owner and permission settings for important system files.
      • /etc/at.deny and /etc/at.allow: the files that allow or block users' at commands.
    U-66 | Check whether to run SNMP service | Stop unnecessary SNMP services.
    U-67 | Complexity setting for SNMP service community string | Change the community string to a value that cannot be guessed.
      • Community string: a kind of password used in the SNMP authentication process.
    U-68 | Warning message upon logging on | Block unnecessary information and show a warning message about illegal use when logging on to the server or service.
    U-69 | Access Permission for NFS setting file | Inspect whether normal users are prevented from editing the NFS configuration file.
    U-70 | expn, vrfy commands restriction | If you must use SMTP for unavoidable reasons, restrict the VRFY and EXPN commands, which Sendmail provides by default, to prevent Sendmail abuse.
      • VRFY: a command that an SMTP client sends to an SMTP server to check whether a certain ID exists as a mail recipient.
      • EXPN (mailing list expansion): a command that asks the server to expand a mailing list into its member addresses.
    U-71 | Hide Apache web service information | Configure the error message so that web page errors do not expose too much detail.
    U-72 | Set system logging based on a policy | Inspect whether the logging settings are applied according to the internal policy.

    Linux Inspection Items (Based on the Financial Security Agency's Electronic Financial Infrastructure)

    The following describes the security setting inspection items for Linux based on the Financial Security Agency's Electronic Financial Infrastructure.

    Check ID | Inspection item | Description
    SRV-001 | Complexity setting for SNMP service community string | The Simple Network Management Protocol (SNMP) service is a protocol for network management that automatically and regularly collects information from each host on a TCP/IP-based network. To send and receive the information called MIBs, SNMP uses a "community string", a kind of password, during authentication. The community string is often set to public or private by default; if it is not changed, it can be exploited to obtain important information and settings from the system. Change the community string to a value that cannot be guessed.
    SRV-004 | Unnecessary SMTP service running | The SMTP service sends mail over the Internet based on the SMTP protocol. A malicious attacker can use the SMTP service to obtain information about the computer running it or to perform various attacks. Therefore, check whether unnecessary SMTP services are running.
    SRV-005 | expn, vrfy commands restriction | Simple Mail Transfer Protocol (SMTP) is the standard communication protocol for sending email over the Internet. However, it has many vulnerabilities and is not recommended unless absolutely necessary for the service. If you must use it for unavoidable reasons, restrict the VRFY and EXPN commands, which Sendmail provides by default, to prevent Sendmail abuse.
      • VRFY: a command that an SMTP client sends to an SMTP server to check whether a certain ID exists as a mail recipient.
      • EXPN (mailing list expansion): a command that asks the server to expand a mailing list into its member addresses.
    SRV-006 | Insufficient SMTP service log level settings | Sendmail is a popular mail transfer agent (MTA) included by default in Unix. It must be monitored to ensure service availability and to watch for ongoing security vulnerabilities. Check that Sendmail's LogLevel is set appropriately so that events during service operation are recorded in the logs.
    SRV-007 | Check the Sendmail version | The Sendmail service has many reported vulnerabilities in most versions. It is recommended that you not use it if your service does not require it, and that you use the latest version if it does.
    SRV-008 | DoS protection for the SMTP service disabled | Inspect whether the security settings are appropriate to prevent mail service rejection or system outage caused by exceeding the network circuit capacity or server process capacity.
    SRV-009 | Restrict spam mail relays | Simple Mail Transfer Protocol (SMTP) is the standard communication protocol for sending email over the Internet. If you provide a service that sends email through an SMTP server, you need appropriate security settings. If the relay feature is not restricted, the server can be hijacked as a spam relay for malicious purposes or become the target of a DoS attack.
    SRV-010Prevent normal users to run SendmailWhen using the SMTP service, the q option can be used to arbitrarily change sendmail settings or force mail queues to drop. Therefore, restrict the q option from normal users.
    SRV-011Ftpusers file settingFTP service transmits IDs and passwords unencrypted, which can expose the IDs and passwords with a simple sniffer. It is recommended that you avoid using FTP services unless absolutely necessary. If you must use an FTP service, restrict direct access to the root account to ensure that the root account's password information is not exposed.
    SRV-012Expose host information within the .netrc file.netrc files are used by FTP to automatically send and receive files. .netrc files are insecure because they store the FTP access IP and password in plain text. Make sure that correct permissions are set.
    SRV-013Disable anonymous FTPCheck to see if the FTP service in use is allowing anonymous FTP access, and consider blocking it.
    SRV-014_1NFS access controlWhen using NFS, restrict access to only authorized users. everyone sharing must be restricted to prevent unauthorized access.
    SRV-014_2Access Permission for NFS setting fileNetwork File System (NFS) is a service that allows you to mount and use the file system of a remote computer on your local system.
    If the NFS access control configuration file is accessible and modifiable by non-administrative users, they may be able to register unauthorized users and mount the file system for illegal tampering. Therefore, ensure that your NFS access control configuration file is restricted from being modified by normal users.
    SRV-015Deactivate NFS servicesNetwork File System (NFS) is a service that allows you to mount and use the file system of a remote computer on your local system. Its use is prohibited due to the high risk of unauthorized services abusing it to access and tamper with the system through NFS mounts. If you must use it, manage it according to control #25.
    SRV-016Check the RPC service"Remote Procedure Call (RPC) is a protocol between protocols that allows running a coordinate or procedure in another addressed spaces without a coding for remote controls. It recommended that you disable services as some RPC services has vulnerability, including remote operation.
    The RPC services suggested to forbid using: rpc.cmsd, rpc.ttdbserverd, sadmind, rusersd, walld, sprayd, rstatd, rpc.nisd, rexd, rpc.pcnfsd, rpc.statd, rpc.ypupdated, rpc.rquotad, kcms_server, cachefsd"
    SRV-022Unset password in account, insufficient management of blank passwordIf you don't set a password for each account, your account can be compromised by an attacker. Make sure to set an appropriate password. It is recommended that you always set an appropriate level of password strength for all accounts that require a login.
    SRV-025Forbid using $HOME/.rhosts, hosts.equivThe 'r' commands, such as rlogin, rsh, rexec, etc. are commands that allow remote access by an administrator without authentication. If proper security settings are not applied, an attacker from a remote location can execute arbitrary commands on the system with the administrator permissions. This is a very weak security structure, so if you must use it, limit the permissions. Set the /etc/hosts.equiv file and .rhosts file user to root, or the corresponding account, and then set the permissions to 600, and restrict the settings in those files to not include the '+' setting (allow all hosts).
    SRV-026Restrict root account remote access"Inspect if the root account fundamentally blocks the access attempts from the root accounts of external unauthorized people by checking the root account’s remote access block setting status.

    ※ /etc/securetty: file for restricting root access to Telnet
    If pts/x-related settings exist in the "/etc/securetty" file, be sure to remove pts/x-related settings in the "securetty" file, as they allow root account access regardless of PAM module settings
    tty (terminal-teletype): user logs into the console directly from a monitor, keyboard, etc. connected to the server
    pts (pseudo-terminal): connects using Telnet, SSH, Terminal, etc."
    SRV-027Access IP and Port Restriction"Prevent external attacks by allowing only limited hosts to use the service. By default, you must set the deny setting for all hosts, and add only those hosts that are absolutely necessary for the service to the allow setting.
    Related configuration files: hosts.allow, hosts.deny"
    SRV-028Session Timeout SettingIf the Session timeout value is not set, the system may be vulnerable to unauthorized access during idle time. Session timeout must be set in the configuration file for the user shell.
    SRV-034Remove automountd.automountd provides a feature for clients to automatically mount to a server and unmount upon not using it. Stop the service because it has a vulnerable element that a local attacker can send an RPC(Remote Procedure Call) via automountd.
    SRV-035_1Deactivate tftp and talk servicesIt is recommended that you deactivate the tftp, talk and ntalk services as they are vulnerable in security aspects.
    SRV-035_2Deactivating finger serviceFinger (User Information Verification Service) allows you to check user information registered in the system from outside the network. To prevent unauthorized persons from viewing user information, it is recommended that you prohibit the use of the service.
    SRV-035_3Deactivate r servicesThe 'r' commands, such as rlogin, rsh, rexec, etc. are commands that allow remote access by an administrator without authentication. If proper security settings are not applied, an attacker from a remote location can execute arbitrary commands on the system with the administrator permissions. It is recommended that you disable them if you are not using them for services.
    SRV-035_4Disable the services vulnerable to Dos attacks"If you do not use the services that are vulnerable to DoS attacks, it recommended that you disable them.
    The services suggested to forbid using: echo, discard, daytime, chargen"
    SRV-035_5Check NIS and NIC+The Network Information Service (NIS) is an RPC service called ypserv that is used in conjunction with portmap and other related services to distribute usernames, passwords, and other confidential information to computers located in the same domain. Because it passes confidential information unencrypted over the network, it is a security vulnerability. It is recommended that you avoid using the NIS service whenever possible, and to use NIS+ when necessary.
    SRV-037Check the ftp serviceFTP services allow usernames and passwords to be sent unencrypted and sniffed. It is recommended that you avoid using FTP whenever possible.
    SRV-040Remove the web service directory listingDirectory listing is a feature that shows the list of all files in the directory if the basic document does not exist in the directory. When directory listing is enabled, all files in directories can be accessed from the outside, which not only exposes the structure of your web server, but also risks exposing important files that should not be exposed, such as backup files or source files.
    SRV-042Forbid access to web service's upper directoryCheck the AllowOverride option to ensure that it restricts moves to an upper directory. If an upper directory can be navigated by using a character such as "..", there is a risk that an attacker will be able to access paths that should not be accessible.
    SRV-043Remove all unnecessary files of web serviceInspect if the unnecessary files created as a default upon installing Apache are removed.
    The default files: (/[Apache_home]/htdocs/manual, /[Apache_home]/manual)"
    SRV-044Restrict web service file upload and downloadDue to the nature of the infrastructure, file uploads and downloads are fundamentally prohibited and you must restrict the size when necessary. To prevent server overload and use resources efficiently, it is recommended that upload and download files do not exceed 5 MB.
    SRV-045Restrict web service web process permissionsIf the web server daemon is running with root permissions, a vulnerability in a web application, etc. could allow an attacker to gain the root permissions . Therefore, Apache must be run with a separate permissions instead of root permissions.
    SRV-046Separate the web service areasUse the htdocs directory as the DocumentRoot by default upon installing Apache. It is recommended that you change this to a separate path because the htdocs directory contains Apache documentation that should not (or need not) be exposed, as well as information about your system that could be used in an attack.
    SRV-047Forbid using web service linksSymbolic links to the root directory (/) of the system could allow access to files in any file system using the web server-driven user permission (nobody), so it is dangerous. Because an invalid symbolic link can expose sensitive information on your server, you must limit the use of symbolic links.
    SRV-048Execute unnecessary web service"If unnecessary services are installed and run by default when the system starts, potential security vulnerabilities may occur. Services that are not actually required may cause performance degradation of the system or may be exploited for attacks, so they should be checked periodically.
    (Evaluation example)
    - Various vulnerabilities (OpenSSL, etc.) have been reported for the Tmax WebtoB web server, so check whether the service is used."
    SRV-060Unchanged web service default account (username or password)Tomcat is a Java application server that provides the Apache web server with the ability to run JSP and Java servlets. If you do not change the account that is set by default when Tomcat is installed, unauthorized people can gain access to the system. Check if the default account is properly secured.
    SRV-062Exposure of DNS service informationExposure of information such as DNS server type and version can be used by attackers for other attacks, so ensure that proper security settings are in place.
    SRV-063Insufficient DNS Recursive Query settingAn attack threat (DNS Cache Poisoning - an attack that causes false information to enter the DNS cache) is possible when an attacker sends a large number of DNS requests to a spoofed IP (Victim) address. Check the appropriateness of the security settings to counter this attack.
    SRV-064Patch DNS security versionBerkeley Internet Name Domain (BIND) consists of DNS server and resolver library designed for BSD-based Unix systems. Various vulnerabilities have been reported in almost all versions, and it is recommended that you install and use the latest version whenever possible.
    SRV-066Set DNS Zone TransferDNS Zone Transfer is a feature used to maintain the zone information consistency between the Primary Name Server and Secondary Name Server. Restrict the transfer of zone information to secondary name servers only. If you allow zone transfers to unauthorized users, an attacker can use the transferred zone information to learn a lot of information about hosts, system information, network configuration, etc.
    SRV-069_1Password complexity settingsInspect if the Password complexity related settings for user accounts (both root and normal accounts) set in the system policy.
    SRV-069_2Minimum password length settingsShort passwords can easily be compromised by brute force attacks or password guessing. By setting a minimum password length as a policy, you can reduce the risk of password being compromised by an attack.
    SRV-069_3The maximum usage time setting for passwordsIf you do not set a maximum usage time for passwords, there is no limit to the amount of time an unauthorized person can attempt various attacks (random brute force attacks, dictionary attacks, etc.). A compromised password can be used to take control of the system for an extended period of time. Appropriately limit the maximum usage time to ensure that passwords are changed periodically.
    SRV-069_4The minimum usage time setting for passwordsIf you don't set a password minimum age, users can change their passwords to anything they're familiar with. This can significantly undermine the effectiveness of a policy of regularly changing passwords. It is recommended that you protect passwords by enabling the Save a recent password setting to prevent users from reusing old passwords.
    SRV-070Password file protectionOn some older systems, the password policy is not enforced and passwords are stored in plain text in the /etc/passwd file. Inspect if the passwords of user accounts are encrypted.
    SRV-073Include minimum accounts in an admin groupInspect if the system admin group only has the minimum number of accounts (the root account and accounts allowed for system management).
    SRV-074Removal of unnecessary accounts"You must present invasion from unmanaged accounts by inspecting if there are unnecessary accounts. Inspect if there are unnecessary accounts among the system accounts(retired, job changes, leave of absence, etc.).

    adm, lp, sync, shutdown, halt, news, uucp, operator, games, gopher, nfsnobody (excluded), and squid
    SRV-075Existence of guessable account passwordsWhen setting a password, the password complexity must be set so that a strong password can be established by including all letters/numbers/special characters. Passwords consisting of only alphanumeric characters can be easily inferred by currently released password cracking utilities and random attacks. Therefore, check for compliance with your company's password management policy.
    SRV-081_1The owner and authority setting for cron filesIf the crontab command is available to normal users except root, they may intentionally or unintentionally execute illegal scheduled files. Ensure that cron-related files are not accessible to unauthorized users.
    SRV-081_2The owner and authority setting for the at fileAn at daemon (one-time task scheduler) manages task scheduling so that any task can run at any given time. Only users registered in the /etc/at.allow file can use the at command, so you must set the appropriate permissions in that file. If the permissions in the /at.allow file are incorrect, there is a risk of system damage, such as registering a user account that has gained permissions and executing an illegal scheduled file.
    SRV-081_3Insufficient permissions setting for the crontab setting fileA crontab is a file that you use when you need to perform periodic tasks. If the others permissions in crontab's task settings file has write and read permissions, you can edit the file contents or read the contents. This can cause important information to be leaked, so it is necessary to check that the appropriate permissions are granted to the relevant files.
    SRV-082Insufficient permissions setting for system's major directoriesInappropriate permissions setting for the system's major directories can allow malicious programs such as Trojans to be installed and important files to be tampered with. This can be exploited for system intrusion or denial-of-service attacks, so you must check the appropriateness of system directory permissions.
    SRV-083Insufficient permissions setting for the system startup scriptDue to errors in the ownership and permissions settings of the system startup script, there is a possibility that an arbitrary attacker can use it to invade the system by changing the contents of the script. Therefore, check the appropriateness of the permissions settings.
    SRV-084The owner and authority setting for the hosts.lpd fileTo prevent unauthorized tampering with hosts.lpd, delete the hosts.lpd file or manage its owner/permissions.
    SRV-084_1The owner and authority setting for the /etc/passwd fileThe "/etc/passwd" file is an important file that contains the user's ID, password (marked with 'x' for security), UID, GID, home directory, and shell information. If the "/etc/passwd" file can be modified by a user other than the administrator (root), malicious actions such as shell tampering, user addition/deletion, and privilege escalation attempts are possible, so the file's permissions must be managed appropriately.
    SRV-084_2The owner and authority setting for the /etc/shadow fileThe "/etc/shadow" file is an important file that stores and manages passwords for all accounts registered on the system in encrypted form. If permissions management is not in place for this file, account and password information can be exposed to the outside world. It is recommended that you restrict access for all users except the administrator (root) account.
    SRV-084_3The owner and authority setting for the /etc/hosts fileThe "/etc/hosts" file is the file used to map IP addresses to hostnames. If permissions management is not in place for this file, it can be exploited for DNS-bypassed farming attacks by registering malicious systems in the hosts file. It is recommended that you restrict access for all users except the administrator (root) account.
    SRV-084_4The owner and authority setting for the /etc/(x)inetd.conf fileThe Internet super daemon is responsible for running the daemon when internal programs registered in the service configuration file (/etc/(x)inetd.conf) are requested from the external network. If the access permissions of inetd.conf (xinetd.d) are set incorrectly, an unauthorized person can register a malicious program and run the service with root permissions, affecting existing services. It is recommended that you restrict access for all users except the administrator (root) account.
    SRV-084_5The owner and authority setting for the /etc/syslog.conf fileThe "/etc/syslog.conf" file is a file that sets up the main log records that occur during system operation. If the file does not have a proper access permission, it can be tampered with by an attacker. System logs may not accurately record traces of the intruder or system errors. It is recommended that you restrict write permissions for all users except the administrator (root) account.
    SRV-084_6The owner and authority setting for the /etc/services fileThe "/etc/services" file is used to manage services. If normal users can access and edit the file, it can cause a breach by restricting legitimate services or maliciously running unauthorized services. It is recommended that you restrict write permissions for all users except the administrator (root) account.
    SRV-087Insufficient existence and permissions setting for C complierIf an attacker compiles a source file containing attack codes after entering the system and creates an executable file, it can be exploited to attack the system (gain administrator permissions, cause a denial of service, etc.). Inspect whether a C compiler exists in the system and whether it is appropriate to use it.
    SRV-091Inspect the SUID,SGID,Stick bit setting filesA file with SUID (Set User-ID) and SGID (Set Group-ID) set (especially if it is owned by root) can execute certain commands to gain root permissions and cause service failure. For root-owned SUID files, remove SUID and SGID attributes except for those that are absolutely necessary, and periodically diagnose and manage them for misconfiguration and security threats.

    *SUID (Set User-ID): it gains the file owner’s permissions temporarily to run certain tasks upon running its set file.
    *SGID (Set Group-ID): it gains the file owner group’s permissions temporarily to run certain tasks upon running its set file.
    SRV-092_1The owner and authority setting for Home DirectoryIf configuration files in a user's home directory are tampered with by unauthorized users, there is a risk that normal user services will be restricted. Ensure to restrict normal users other than the owner of that home directory from editing it.
    SRV-092_2Manage the existence of the directory assigned as home directoryThe user home directory is the directory in which the user performs tasks after logging in to the shell. The user environment is configured by the user configuration file that exists in the logged in user home directory, and if the home directory is incorrect, the following security issues can occur.
    1) No home directory
    - If the home directory of a normal user rather than the root user is /, the user's current directory is logged in as / when logging in, causing administrative and security problems.
    2) Hidden directories in the home directory
    - These may be created by an unauthorized user to hide files.
    3) Illegal executable files with the name of a system command exist in the home directory
    - It may enter the relative path and system command to execute the illegal file.
    SRV-093Inspect the world writable fileIf an important file, such as a system file, is set to world writable, a malicious user can tamper with it. Because of the risk of unauthorized access and failure of the system, restrict write permissions for normal users.
    SRV-094The authority setting error for the Crontab reference fileIf the others permissions in crontab's task settings file has write and read permissions, you can edit the file contents or read the contents. Inspect if the Crontab-related files have the appropriate security settings.
    SRV-095File and directory owner settingsCheck if there are files and directories that do not have an owner and delete them to prevent illegal behavior by random users. A user with the same UID as the deleted owner can access the file/directory and information can be exposed. This threat is most likely due to the fact that files related to retirees are not deleted, or malicious files are created by hacking.
    SRV-096The owner and authority setting for user, system start files and environment files"Restrict access to environment variable files, such as user files in the home directory and user-specific system startup files, as appropriate. Unauthorized persons can tamper with environment variable files and cause disruption of legitimate services. It is recommended that you restrict write permissions for all users except the administrator (root) account and its users.
    Types of environment variable files: ".profile", ".kshrc", ".cshrc", ".bashrc", ".bash_profile", ".login", ".exrc", ".netrc", etc."
    SRV-108Insufficient access control and management of logsIf system log file permissions are not set correctly, an arbitrary user may be able to falsify log records (e.g. intrusion attempts and intrusion trace manipulation, etc.). Check the appropriateness of log file permission settings.
    SRV-109Set system logging based on a policyIn the event of a security incident, system logging must be performed in accordance with internal policies to determine the cause and verify the facts of the breach. If logging is not possible, it is difficult to determine the cause of the incident and cannot provide sufficient evidence for legal response.
    SRV-115Regular review and report of logsCheck if the system status is maintained to be stable via regular log reviews. If you do not have a procedure for reviewing and reporting logs, you may miss identifying external intrusion attempts. And when you do discover a suspected intrusion attempt, it can be difficult to analyze the relevant information and take further action, such as blocking access to the affected equipment.
    SRV-118Apply the recent security patch and vendor recommendationsCheck if the system is safely managed via regular security patches. It is recommended that you apply the latest security patches to prevent attacks that exploit known vulnerabilities.
    SRV-121Root home path directory authority and path settingsIf the PATH environment variable contains a "." (referring to the current directory) at the beginning or middle of the variable, when you execute a common command (such as ls, mv, ps, etc.), the files in the current directory are executed first, rather than the original command. Check the PATH environment variable for the root account, as anomalous files could be executed by a malicious user.
    SRV-122Manage umask settingsUMASK is a command that sets the default permissions when creating files and directories. Set the UMASK value appropriately to ensure that newly created files are not granted excessive permissions.
    SRV-127Set an account lockout thresholdInspect if the user log-in failure threshold is set in the system policy. It is recommended that you set a threshold to block attempts to log in to the system, such as from a brute force attack.
    SRV-131Restrict root account’s suOnly su-related groups must be granted permission to use su command. Restrict users who are not in the su group from using the su command. Inspect if there are su-related groups in the group setting files (/etc/group) of the system user account and ensure that su commands are allowed only within the su-related groups.
    SRV-133Insufficient account restriction for using the cron serviceCron is a daemon that executes a set of commands at a certain time, and you need to control access to the cron service. Since the periodic execution of commands can be exploited for intrusion or information exposure, you must check that the proper account settings are made in the cron file.
    SRV-142_1Forbid ‘0’ for UID other than rootCheck whether the file that stores the user's account information (/etc/passwd) has any accounts with the same user identification (UID) as the root (UID=0) account. An account with the same UID as the root account would have the same permissions as root, which could pose a significant risk to the system.
    SRV-142_2Forbid same UIDUNIX systems assign a UID to every user account and use that UID to manage user information such as username, password, home directory, etc. If duplicate UIDs exist, the system may recognize them as the same user and cause problems. In the event of a breach of personal information and related data by an attacker, the audit trail becomes difficult, so it's necessary to ensure that there are no identical UIDs.
    SRV-144Inspect the device files that do not exist at /devIf the device does not exist or the name is entered incorrectly, the system might continue to create symbolic link files in the /dev directory, causing an error. For example, if you mistype rmt0 as rmto, you run the risk that the root file system will continue to create files in the /dev directory until a device name entry error causes an error, such as creating a new rmto file. Proactively find and remove devices that don’t actually exist.
    SRV-147Check whether to run SNMP serviceThe Simple Network Management Protocol (SNMP) service is a protocol for network management by automatically collecting information from each host on a TCP/IP-based network on a regular basis. It is used to understand or set the system status in real time. It is recommended to stop the SNMP service if it is not used because it can cause major information leakage and illegal modification of information in the system.
    SRV-148Hide Apache web service informationSet the message to avoid exposing too much details upon web page errors. Do not expose unnecessary information about your web server, such as error pages, web server type, OS information, user account names, etc. If unnecessary information is exposed, there is a high probability that the information can be used to gather vulnerabilities in the system and used in an attack.
SRV-158 | Allow SSH remote access | Telnet, FTP and similar services transmit data unencrypted, so IDs, passwords and other sensitive information are at high risk of exposure. Use the Secure Shell (SSH) service instead, which encrypts all communication between the user and the system during remote access. SSH listens on TCP/22 by default; change the port, since attackers routinely probe the default port.
SRV-158_1 | Unnecessary Telnet service running | With password authentication, the Telnet service sends and receives data in plain text, so the authentication ID and password can be exposed to outsiders. Do not use the Telnet service, and make sure it is disabled.
SRV-161 | Owner and permissions of the ftpusers file | The ftpusers file controls FTP access: accounts listed in it cannot log in over FTP. Set an appropriate owner and permissions on the file so that unauthorized users cannot edit it.
SRV-163 | Warning message on logon | Configure a logon warning message so that unauthorized users are not given unnecessary information about the server and are told that only authorized users may access it.
SRV-164 | Forbid GIDs without accounts | Check the group file for unnecessary groups: groups with no member accounts, and groups that have accounts but are not used for system management or operation.
SRV-165_1 | User shell inspection | Restrict the login shells of unnecessary accounts that are created by default during OS installation. In general, change the shell of accounts that do not need to log in (adm, sys, daemon, etc.) to /sbin/nologin or similar.
SRV-165_2 | Restrict the shell of the ftp account | The ftp account is created by default when the FTP service is installed and does not need a login; restrict its shell to block system access through it. Giving a login shell to a default account that does not need one exposes the account to attackers and can lead to unauthorized system access.
SRV-166 | Search for and remove hidden files and directories | Suspicious hidden files and directories may have been created by an attacker rather than by a legitimate user. Check hidden files and directories periodically.
SRV-174 | Unnecessary DNS service running | The Domain Name Service (DNS) translates between domain names and IP addresses. If left running when it is not needed, it can become an attack path through potential vulnerabilities. Disable the service unless the server's role requires it.
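Several of the Linux items above can be verified offline from copies of the files they refer to. The script below is an added example and is not code from System Security Checker: it parses constructed copies of /etc/passwd, /etc/group and sshd_config, takes a constructed owner and mode for /etc/ftpusers, and returns the Check IDs whose condition is not met. The mapping of each function to a Check ID is this example's own reading of the table, and all sample data is constructed.

```python
"""Offline evaluation of several Linux items from the table above.

Added example, not code from System Security Checker. It parses constructed
copies of /etc/passwd, /etc/group and sshd_config plus a constructed owner and
mode for /etc/ftpusers, and returns the Check IDs whose condition is not met.
The function-to-Check-ID mapping is this example's reading of the table.
"""
import re
import stat

# Constructed sample files (not taken from any real server).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
adm:x:4:4:adm:/var/adm:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
GROUP = """\
root:x:0:
daemon:x:1:
sys:x:3:
adm:x:4:alice
wheel:x:10:alice
ftp:x:50:
staff:x:70:
alice:x:1000:
"""
SSHD_CONFIG = """\
# Port 22
Port 22
PermitRootLogin no
"""
# Constructed os.stat() results for /etc/ftpusers: owned by root, mode 0644.
FTPUSERS_UID, FTPUSERS_MODE = 0, 0o644

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}
# Default accounts that should not keep an interactive shell (SRV-165_1).
SYSTEM_ACCOUNTS = {"adm", "sys", "daemon", "bin", "lp", "nobody"}


def parse_colon_file(text):
    """Yield the colon-separated fields of each non-empty, non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line.split(":")


def ssh_port(sshd_config):
    """SRV-158: effective Port directive; sshd defaults to 22 when unset."""
    port = 22
    for line in sshd_config.splitlines():
        m = re.match(r"^\s*Port\s+(\d+)", line, re.IGNORECASE)
        if m:
            port = int(m.group(1))
    return port


def ftpusers_perm_ok(uid, mode):
    """SRV-161: file is root-owned and not writable by group or others."""
    return uid == 0 and not (mode & (stat.S_IWGRP | stat.S_IWOTH))


def groups_without_accounts(passwd, group):
    """SRV-164: groups that are nobody's primary group and list no members."""
    primary_gids = {fields[3] for fields in parse_colon_file(passwd)}
    return [name for name, _pw, gid, members in parse_colon_file(group)
            if gid not in primary_gids and not members.strip()]


def system_accounts_with_shell(passwd):
    """SRV-165_1: default accounts whose shell still allows a login."""
    return [f[0] for f in parse_colon_file(passwd)
            if f[0] in SYSTEM_ACCOUNTS and f[6] not in NOLOGIN_SHELLS]


def ftp_account_has_shell(passwd):
    """SRV-165_2: True if an 'ftp' account exists with a login shell."""
    return any(f[0] == "ftp" and f[6] not in NOLOGIN_SHELLS
               for f in parse_colon_file(passwd))


def run_checks(passwd=PASSWD, group=GROUP, sshd_config=SSHD_CONFIG,
               ftpusers_uid=FTPUSERS_UID, ftpusers_mode=FTPUSERS_MODE):
    """Return {Check ID: finding} for every item that fails."""
    findings = {}
    if ssh_port(sshd_config) == 22:
        findings["SRV-158"] = "sshd listens on the default port 22"
    if not ftpusers_perm_ok(ftpusers_uid, ftpusers_mode):
        findings["SRV-161"] = "/etc/ftpusers is not root-owned or is group/world writable"
    empty = groups_without_accounts(passwd, group)
    if empty:
        findings["SRV-164"] = "groups without accounts: " + ", ".join(empty)
    shells = system_accounts_with_shell(passwd)
    if shells:
        findings["SRV-165_1"] = "login shell on default accounts: " + ", ".join(shells)
    if ftp_account_has_shell(passwd):
        findings["SRV-165_2"] = "ftp account has a login shell"
    return findings


if __name__ == "__main__":
    for check_id, message in sorted(run_checks().items()):
        print(f"{check_id}: {message}")
```

On a real host, pass the contents of /etc/passwd, /etc/group and /etc/ssh/sshd_config and the st_uid and st_mode from os.stat("/etc/ftpusers") instead of the constructed constants. SRV-166 and SRV-174 are command-level checks (for example a find for names starting with "." under the filesystem, and querying whether the DNS daemon is active) and are not covered by this script.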

    Windows Inspection Items

    The following describes the Security Setting inspection items for Windows.

Check ID | Inspection item | Description
--- | --- | ---
WKS-01 | Rename the administrator account | Change the name of the administrator account so that an attacker cannot easily guess it.
WKS-02 | Restrict use of the Guest account | Restrict the Guest account, a vulnerable account that lets anyone access the system. If unspecified individuals need access, create a normal user account rather than using the Guest account.
WKS-03 | Set an account lockout threshold | Set the number of failed logon attempts after which the user account is locked.
WKS-04 | Do not use "Store passwords using reversible encryption" | Do not apply this policy to all users in the domain unless an application's requirement outweighs the need to protect passwords.
WKS-05 | Do not use "Let Everyone permissions apply to anonymous users" | Disable this policy so that anonymous users cannot access resources whose permissions were granted to the Everyone group.
WKS-06 | Set an account lockout duration | Set how long an account stays locked after the logon failure threshold has been exceeded.
WKS-07 | Password complexity settings | Enable the complexity requirement so that strong passwords containing letters, numbers and special characters are enforced when passwords are set.
WKS-08 | Minimum password length | Set the minimum password length to 8 characters or more.
WKS-09 | Maximum password age | Set a maximum password age so that users change their passwords regularly.
WKS-10 | Minimum password age | Set the minimum time that must pass before a password can be changed again.
WKS-11 | Do not display the last user name | Configure the logon screen not to show the name of the last user who logged on to the device.
WKS-12 | Enforce password history | Set the number of unique new passwords that must be used with an account before a previous password can be reused.
WKS-13 | Restrict the use of empty passwords on local accounts to console logon | Restrict the use of empty passwords so that accounts with empty passwords cannot be used for console or network access.
WKS-14 | Remove unnecessary services: Alerter | Disable or remove services that are not needed. Alerter sends alert messages from the server to clients.
WKS-15 | Remove unnecessary services: ClipBook | Disable or remove services that are not needed. ClipBook shares the server's ClipBook with other clients.
WKS-16 | Remove unnecessary services: Messenger | Disable or remove services that are not needed. Messenger sends messages to clients via the net send command.
WKS-17 | Check whether the IIS service is running | Stop the IIS service if it is not needed.
WKS-18 | Check whether the FTP service is running | Stop the FTP service if it is not needed.
WKS-19 | Set DNS zone transfer | Block DNS zone transfers so that domain information does not leak to servers other than the authorized DNS servers.
WKS-20 | Set the Terminal Services encryption level | Set the Terminal Services encryption level so that data exchanged between client and server is encrypted, and stop Terminal Services if it is not needed.
WKS-21 | Check whether the SNMP service is running | Stop the SNMP service if it is not used, to prevent leakage of important system information and unauthorized modification.
WKS-22 | Telnet security settings | Configure Telnet to use only NTLM authentication, which does not send the password itself over the network.
WKS-23 | System logging per policy: AuditLogonEvents | Set an appropriate audit level so that the logs required by law and by the organization's policy are kept. AuditLogonEvents records an event in the computer's security log when a user logs on to or off from the computer.
WKS-24 | System logging per policy: AuditAccountLogon | Set an appropriate audit level so that the logs required by law and by the organization's policy are kept. AuditAccountLogon records logon attempts on the domain controller when a user logs on to the domain.
WKS-25 | System logging per policy: AuditPolicyChange | Set an appropriate audit level so that the logs required by law and by the organization's policy are kept. AuditPolicyChange audits the success or failure of changes to the audit policy.
WKS-26 | System logging per policy: AuditAccountManage | Set an appropriate audit level so that the logs required by law and by the organization's policy are kept. AuditAccountManage records when a user or group is created, changed or deleted.
WKS-27 | System logging per policy: AuditPrivilegeUse | Set an appropriate audit level so that the logs required by law and by the organization's policy are kept. AuditPrivilegeUse audits the success or failure of privilege use.
WKS-28 | System logging per policy: AuditDSAccess | Set an appropriate audit level so that the logs required by law and by the organization's policy are kept. AuditDSAccess generates audit entries when a user listed in the SACL attempts to access particular Active Directory objects.
WKS-29 | Remotely accessible registry paths | Stop the Remote Registry service unless it is needed.
WKS-30 | Set event log management | Set the maximum log size to 10,240 KB to ensure enough space for storing logs, and configure the event log not to overwrite events automatically so that past logs are not deleted.
WKS-31 | Allow system shutdown without logging on | Disable the shutdown button on the logon screen so that unauthorized users cannot shut down the system.
WKS-32 | Do not allow anonymous enumeration of SAM accounts and shares | Prevent anonymous listing of SAM (Security Account Manager) accounts and shares so that malicious users cannot harvest account information.
WKS-33 | Control the Autologon feature | Disable Autologon, the automatic logon feature that uses credentials stored encrypted in the registry.
WKS-34 | Allowed to format and eject removable media | Restrict which users are allowed to format and eject removable NTFS media.
WKS-35 | Prevent users from installing printer drivers | Block users from installing printer drivers to prevent malicious users from damaging the system.
WKS-36 | Set warning messages | Display a warning message about unauthorized use of the system at logon.
WKS-37 | LAN Manager authentication level | The LAN Manager authentication level determines which challenge/response authentication protocol is used for network logons; NTLMv2 is recommended for secure authentication. LAN Manager handles authentication for operations such as file and printer sharing over the network.
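Most of the account, password, audit and logon items above live in the local security policy, which Windows can export with `secedit /export /cfg policy.inf`. The script below is an added example, not System Security Checker's own code: it parses a constructed, abridged export in that INF format and maps the values to the Check IDs in the table. Because the page states the items but not the exact pass criteria, the thresholds in THRESHOLDS and the required audit levels in AUDIT_ITEMS are this example's assumptions.

```python
"""Evaluate Windows items from the table against a secedit policy export.

Added example, not code from System Security Checker. Windows exports its local
security policy with `secedit /export /cfg policy.inf`; this parses that INF text
and maps values to the table's Check IDs. The export below is constructed and
abridged; THRESHOLDS and the required audit bits are this example's assumptions.
"""
POLICY_INF = r"""
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 90
MinimumPasswordLength = 6
PasswordComplexity = 1
PasswordHistorySize = 3
LockoutBadCount = 0
LockoutDuration = 30
NewAdministratorName = "Administrator"
ClearTextPassword = 0
EnableGuestAccount = 1
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditPolicyChange = 1
AuditAccountManage = 0
AuditPrivilegeUse = 2
AuditDSAccess = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,2
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon=1,"1"
"""

# Assumed thresholds: lockout attempts, min length, max age (days), history depth, LmCompatibilityLevel.
THRESHOLDS = {"lockout": 5, "min_len": 8, "max_age": 90, "history": 4, "lm_level": 3}
# secedit audit values: 1 = success, 2 = failure, 3 = both. Required bits per item are assumed.
AUDIT_ITEMS = {"WKS-23": ("AuditLogonEvents", 3), "WKS-24": ("AuditAccountLogon", 3),
               "WKS-25": ("AuditPolicyChange", 3), "WKS-26": ("AuditAccountManage", 3),
               "WKS-27": ("AuditPrivilegeUse", 2), "WKS-28": ("AuditDSAccess", 2)}


def parse_inf(text):
    """Parse the INI-style export into {section: {key: raw value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections


def int_setting(policy, key, section="System Access"):
    """Integer value of a [System Access]/[Event Audit] key; a missing key counts as 0."""
    return int(policy.get(section, {}).get(key, 0))


def reg_value(policy, suffix):
    """Value of the [Registry Values] entry whose path ends with suffix (None if absent).
    Entries look like PATH=TYPE,VALUE; type 4 is REG_DWORD, type 1 is a quoted REG_SZ."""
    for path, raw in policy.get("Registry Values", {}).items():
        if path.endswith(suffix):
            return raw.partition(",")[2].strip().strip('"')
    return None


def run_checks(inf_text=POLICY_INF):
    """Return {Check ID: message} for every table item whose condition fails."""
    p, t = parse_inf(inf_text), THRESHOLDS
    sa = lambda key: int_setting(p, key)
    admin = p.get("System Access", {}).get("NewAdministratorName", "").strip('"')
    checks = [
        ("WKS-01", "administrator account still named Administrator", admin != "Administrator"),
        ("WKS-02", "Guest account enabled", sa("EnableGuestAccount") == 0),
        ("WKS-03", "no usable account lockout threshold", 1 <= sa("LockoutBadCount") <= t["lockout"]),
        ("WKS-04", "reversible password encryption enabled", sa("ClearTextPassword") == 0),
        ("WKS-05", "Everyone permissions apply to anonymous users", reg_value(p, "Lsa\\EveryoneIncludesAnonymous") == "0"),
        ("WKS-06", "no account lockout duration", sa("LockoutDuration") != 0),
        ("WKS-07", "password complexity disabled", sa("PasswordComplexity") == 1),
        ("WKS-08", "minimum password length too short", sa("MinimumPasswordLength") >= t["min_len"]),
        ("WKS-09", "maximum password age too long or unlimited", 1 <= sa("MaximumPasswordAge") <= t["max_age"]),
        ("WKS-10", "minimum password age is 0", sa("MinimumPasswordAge") >= 1),
        ("WKS-11", "last user name is displayed at logon", reg_value(p, "System\\DontDisplayLastUserName") == "1"),
        ("WKS-12", "password history too short", sa("PasswordHistorySize") >= t["history"]),
        ("WKS-13", "blank passwords usable beyond console logon", reg_value(p, "Lsa\\LimitBlankPasswordUse") == "1"),
        ("WKS-31", "shutdown allowed without logon", reg_value(p, "System\\ShutdownWithoutLogon") == "0"),
        ("WKS-32", "anonymous SAM enumeration allowed", reg_value(p, "Lsa\\RestrictAnonymous") == "1"),
        ("WKS-33", "Autologon enabled", reg_value(p, "Winlogon\\AutoAdminLogon") == "0"),
        ("WKS-37", "LM authentication level below NTLMv2", int(reg_value(p, "Lsa\\LmCompatibilityLevel") or 0) >= t["lm_level"]),
    ]
    for check_id, (key, bits) in AUDIT_ITEMS.items():
        value = int_setting(p, key, "Event Audit")
        checks.append((check_id, key + " does not audit the required events", (value & bits) == bits))
    return {check_id: message for check_id, message, ok in checks if not ok}
```

To use it against a real server, run `secedit /export /cfg policy.inf` there, copy the file off (the export is normally UTF-16, so read it with that encoding) and pass its text to run_checks(). Items WKS-14 to WKS-22, WKS-29, WKS-30 and WKS-34 to WKS-36 concern services, event log sizes and user rights that this export does not describe, so they are not covered here.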
