Secure Computer Configuration for Electronic Funds Transfer

UCOP, IR&C
Rev. 6 5/05/2006


Secure Computer Configuration for Wire Transfers
Background
Wire transfers are accomplished through the use of a web-based application that is provided to the University by the financial institution. Authorized University personnel use an "off the shelf" web browser to access the application. The following controls exist to prevent unauthorized transactions:
● The responsibilities for transaction entry and transaction approval are segregated between two different groups of authorized University employees.
● Authentication to the application (by all employees using this banking application) requires not only a password, but also a digital certificate that has been installed on the employee's personal computer (PC).

The employees' PCs (and any other authorized users and administrators of those PCs) are trusted implicitly by these controls to prohibit the following:
● Transfer of the digital certificate's private key to unauthorized people or storage locations.
● Capture and/or transmission of passwords to unauthorized people or storage locations.
● Capture and/or transmission of transactions to unauthorized people or storage locations.
● Modification of transactions as they are transmitted to the financial institution.

Unfortunately, most PC software cannot be trusted to do this at the level required for wire transfers without careful management. This document describes requirements for the management of these PCs.

Controls
The following measures should be taken to mitigate the risks to private keys, passwords, and transactions.

1. Conduct periodic risk assessment and implement a departmental security plan in compliance with Business & Finance Bulletin IS-3: Electronic Information Security.

2. To prevent unauthorized capture, transmission, or modification of private keys, passwords and transactions, it is necessary to ensure that the web-based application provided by the Financial Institution (BA DIRECT WIRE TRANSFER PC), its operating system, and the web browser have not been compromised or modified. The following measures are intended for a single PC that is connected to a typical "campus" network.

2.1. Access Controls
2.1.1. The BA DIRECT WIRE TRANSFER PC must be used exclusively for BA DIRECT WIRE TRANSFER functions and must not have any other uses.
2.1.2. User access to the BA DIRECT WIRE TRANSFER PC:
2.1.2.1. Users must use only the local user accounts created for the BA DIRECT WIRE TRANSFER function. To ensure that only local accounts can log on to the BA DIRECT WIRE TRANSFER PC, the BA DIRECT WIRE TRANSFER PC must not be a member of any NT/AD domain.
2.1.2.2. The local user accounts MUST NOT be shared for any reason.
2.1.2.3. Ensure that login accounts have no more privileges than are necessary: the account should have no more privileges than those given to the built-in local Users group.
2.1.2.4. Ensure that the web browser's private key storage is encrypted by establishing a password for the "Software Security Device" under "Manage Security Devices" in the "Advanced" portion of Firefox's Preferences dialog.
2.1.3. Designation of BA DIRECT WIRE TRANSFER computers by function:
2.1.3.1. In order to enforce this segregation of function between two types of BA DIRECT WIRE TRANSFER PCs, only the initiators' user accounts will be created on the "Initiator" BA DIRECT WIRE TRANSFER PCs. Conversely, only the local user accounts for approvers/releasers will be created on the "Releaser" BA DIRECT WIRE TRANSFER PCs.
2.1.3.2. There will be a minimum of two separate BA DIRECT WIRE TRANSFER PCs at a given site: an "Initiator" BA DIRECT WIRE TRANSFER PC dedicated to usage by the transaction initiators, and a "Releaser" BA DIRECT WIRE TRANSFER PC dedicated to usage by the transaction approvers/releasers.
2.1.3.3. The "Initiator" computer may be shared among multiple initiators, but not with approvers/releasers. The "Releaser" BA DIRECT WIRE TRANSFER PC may be shared among multiple approvers/releasers, but never with initiators. The system administrators for initiator computers must be different from the system administrators for approver/releaser computers.

2.2. Physical Controls
2.2.1. Physical security of the BA DIRECT WIRE TRANSFER PC:
2.2.1.1. Prevent unauthorized removal of the BA DIRECT WIRE TRANSFER PC by securing the BA DIRECT WIRE TRANSFER PC with an anchoring device (e.g. cable lock) or by placing the BA DIRECT WIRE TRANSFER PC in a limited-access area (e.g. locked room).
2.2.1.2. Prevent unauthorized access to the internal components of the BA DIRECT WIRE TRANSFER PC by locking the chassis (some models of cable locks combine this feature with the anchoring function).
2.2.2. Control access to devices that store digital certificates' private keys.

2.3. System Configuration
2.3.1. Use a secure operating system, such as Windows XP Professional with SP2, including the security settings in Appendix A: "Security Template Settings for BA DIRECT WIRE TRANSFER Computers."
2.3.2. Remove all software except for the essential components of the operating system, the web browser, the firewall software and the virus protection software. Disable or remove all unnecessary services.
2.3.3. Ensure that only the required software will be allowed to be executed by the user (e.g., via Software Restriction Policies in Windows XP Local Security Policy).
2.3.3.1. Set the Enforcement so that the software restriction policies apply to "All users except local administrators".
2.3.3.2. Set the default Security Level to "Disallowed", which is the maximally restrictive setting that does not allow any software to run except for those that are defined as exceptions under "Additional Rules".
2.3.3.3. Specify exceptions for the allowed applications by creating new rules (both "Hash" and "Path").
2.3.4. Use Firefox as the BA DIRECT WIRE TRANSFER PC's web browser.
2.3.5. Install ZoneAlarm or a similar firewall and configure it to enable communication only with the financial institution and other required system management services, such as anti-virus and patch servers, log servers, etc.
2.3.6. There must be no wireless connectivity to the computer.
2.3.7. There must be no "back door" connections to the computer or remote control software, such as Windows Terminal Server or PC Anywhere.
2.3.8. Remove or disable physical media readers (e.g., CDs, floppy disks, "flash" drives) and disable USB.
2.3.9. Use a locally attached printer only.
2.3.10. Enable password protection on the BIOS to prevent unauthorized system reconfiguration (this is not to be confused with the power-on password).

2.4. System Administration and Maintenance
2.4.1. System administration and software updates (operating system and application) must be performed in a highly secure manner, preferably locally, not over a network.
2.4.2. Ensure that all critical security patches are applied to the operating system and all applications within 24 hours of release.
2.4.3. Ensure that virus scanners, spyware scanners, etc. are installed and updated within 1 week of the release of new threat definitions, unless deemed critical.

2.5. System Monitoring and Incident Response
2.5.1. Enable and monitor all appropriate log facilities for tracking user access and activity.
2.5.2. Auditing of logs must be conducted regularly by an established schedule, with a minimum frequency of once a week.
2.5.3. Install Tripwire for Servers as a standalone installation and monitor system administration/change activity.
2.5.4. Monitor network traffic involving the BA DIRECT WIRE TRANSFER PCs and generate notices if unusual activity occurs. Use static IP addresses to enhance the robustness of this monitoring.
2.5.5. If a BA DIRECT WIRE TRANSFER PC is ever compromised, do forensics on it to determine how it was compromised and to structure a recovery plan. (See Appendix B: "Sample Incident Response Check List.")
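The weekly log review required by 2.5.1 and 2.5.2 can be partly automated so that the reviewer starts from exceptions rather than raw events. The Python script below is an added example and is not part of the UCOP document or any tool it names. It reads a CSV export of a Windows XP security log (column names are assumed; the sample records are constructed) and checks the events against the controls above: only this PC's own local accounts may log on (2.1.3), no network or Terminal Services logons should appear (2.3.7 and the user-rights settings in Appendix A), administrative logons are listed so they can be matched to change activity (2.5.3), and repeated failed logons are reported well before the 10-attempt lockout threshold in Appendix A. The account names, event-ID mapping and alert threshold are assumptions made for the example.

```python
"""Weekly security-log review for a BA DIRECT WIRE TRANSFER PC.

Added example, not part of the UCOP document.  Input is a CSV export of
the Windows XP security log with the assumed columns:
time,event_id,account,logon_type,source
"""
import csv
import io
from collections import Counter

# Local accounts that belong on this (Initiator) PC.  Constructed names;
# releaser accounts must not exist on this PC at all (control 2.1.3).
AUTHORIZED = {"init01", "init02"}
ADMIN_ACCOUNTS = {"wt-admin"}   # separate administrative account (Appendix A, 5.4)

# Windows XP security event IDs as used by this example.
SUCCESS_LOGON = {528, 540}      # 528 local logon, 540 network logon
FAILED_LOGON = {529, 539}       # 529 bad name/password, 539 account locked out
# Logon types a dedicated, non-networked PC should never show:
# 3 = network, 10 = remote interactive (Terminal Services).
REMOTE_TYPES = {3, 10}
FAILURE_ALERT = 3               # assumed reporting threshold, below the 10-attempt lockout

# Constructed sample records for one review week.
SAMPLE_LOG = """\
time,event_id,account,logon_type,source
2006-05-01 08:02:11,528,init01,2,CONSOLE
2006-05-01 08:05:40,529,init02,2,CONSOLE
2006-05-01 08:05:52,529,init02,2,CONSOLE
2006-05-01 08:06:10,529,init02,2,CONSOLE
2006-05-01 08:06:30,528,init02,2,CONSOLE
2006-05-01 13:17:03,540,rel01,3,10.0.0.25
2006-05-01 22:41:55,528,init01,10,10.0.0.40
2006-05-02 09:00:00,528,wt-admin,2,CONSOLE
"""


def review_log(csv_text, authorized=AUTHORIZED, admins=ADMIN_ACCOUNTS,
               failure_alert=FAILURE_ALERT):
    """Return findings as (category, account, detail) tuples."""
    findings = []
    failures = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        event_id = int(row["event_id"])
        account = row["account"]
        logon_type = int(row["logon_type"])
        if event_id in FAILED_LOGON:
            failures[account] += 1
            continue
        if event_id not in SUCCESS_LOGON:
            continue
        if account in admins:
            # Administrative sessions are legitimate but must be matched
            # against scheduled maintenance and Tripwire reports (2.5.3).
            findings.append(("admin-logon", account, row["time"]))
        elif account not in authorized:
            # An account that should not exist on this PC (2.1.3).
            findings.append(("unauthorized-account", account, row["time"]))
        if logon_type in REMOTE_TYPES:
            # Network logon rights are removed (Appendix A, 4.1 and 4.5) and
            # remote control software is prohibited (2.3.7).
            findings.append(("remote-logon", account,
                             f"type {logon_type} from {row['source']}"))
    for account, count in failures.items():
        if count >= failure_alert:
            findings.append(("repeated-failures", account,
                             f"{count} failed logons this period"))
    return findings


if __name__ == "__main__":
    for category, account, detail in review_log(SAMPLE_LOG):
        print(f"{category:22} {account:10} {detail}")
```

Run against the sample, the script reports the releaser account rel01 as both an unauthorized account and a network logon, the after-hours Terminal Services logon for init01, the wt-admin session for change review, and three consecutive failures for init02. A finding is a starting point for the weekly review, not a conclusion: a remote or unknown-account logon on one of these PCs should trigger the Appendix B process.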

Appendix A: Security Template Settings for BA DIRECT WIRE TRANSFER Computers

(This template is based on NIST Special Publication 800-68 (Draft) "Guidance for Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist", "Appendix A—NIST Security Template Settings". Line items without numbers are additional UC settings.)

Each entry gives the NIST item number, the policy, and the BA DIRECT WIRE TRANSFER requirement; comments from the template follow in parentheses.

A-1
1.1 Enforce password history: 24 passwords remembered
1.2 Maximum password age: 0
1.3 Minimum password age: 1 day
1.4 Minimum password length: 12 characters
1.5 Password must meet complexity requirements: Enabled
1.6 Store password using reversible encryption for all users in the domain: Disabled

A-2
2.1 Account lockout duration: 15 minutes
2.2 Account lockout threshold: 10 invalid logon attempts
2.3 Reset account lockout counter after: 15 minutes

A-3
3.1 Audit account logon events: Success, Failure
3.2 Audit account management: Success, Failure
3.3 Audit directory service access: No auditing
3.4 Audit logon events: Success, Failure
3.5 Audit object access: Success, Failure
3.6 Audit policy change: Success
3.7 Audit privilege use: Failure
3.8 Audit process tracking: No auditing
3.9 Audit system events: Success

A-4
4.1 Access this computer from the network: Remove all entries
4.2 Act as part of the operating system: None
4.3 Add workstations to domain: Not Defined (Not Applicable)
4.4 Adjust memory quotas for a process: Not Defined
4.5 Allow logon through Terminal Services: Remove all entries
4.6 Back up files and directories: Administrators
4.7 Bypass traverse checking: Users
4.8 Change the system time: Administrators
4.9 Create a pagefile: Administrators
4.10 Create a token object: None
4.11 Create permanent shared objects: None
4.12 Debug programs: None
4.13 Deny access to this computer from the network: Guest
4.14 Deny logon as a batch job: Not Defined
4.15 Deny logon as a service: Not Defined
4.16 Deny logon locally: Not Defined
4.17 Deny logon through Terminal Services: Everyone
4.18 Enable computer and user accounts to be trusted for delegation: Not Defined (Not Applicable)
4.19 Force shutdown from a remote system: Remove all entries
4.20 Generate security audits: Local Service, Network Service
4.21 Increase scheduling priority: Administrators
4.22 Load and unload device drivers: Administrators
4.23 Lock pages in memory: None
4.24 Log on as a batch job: Not Defined
4.25 Log on as a service: Not Defined
4.26 Log on locally: Users, Administrators
4.27 Manage auditing and security log: Administrators
4.28 Modify firmware environment values: Administrators
4.29 Perform volume maintenance tasks: Administrators
4.30 Profile single process: Administrators
4.31 Profile system performance: Administrators
4.32 Remove computer from docking station: Users, Administrators
4.33 Replace a process level token: Local Service, Network Service
4.34 Restore files and directories: Administrators
4.35 Shut down the system: Users, Administrators
4.36 Synchronize directory service data: Not Defined (Not Applicable)
4.37 Take ownership of files or other objects: Administrators

A-5
5.1 Accounts: Administrator account status: Not Defined
5.2 Accounts: Guest account status: Disabled
5.3 Accounts: Limit local account use of blank passwords to console logon only: Enabled
5.4 Accounts: Rename administrator account (Built-in Administrator account should be renamed and disabled, then a separate administrator account created for administrative purposes.)
5.5 Accounts: Rename guest account: Not Defined
5.6 Audit: Audit the access of global system objects: Enabled
5.7 Audit: Audit the use of Backup and Restore privilege: Enabled
5.8 Audit: Shut down system immediately if unable to log security audits: Enabled
5.9 Devices: Allow undock without having to log on: Disabled
5.10 Devices: Allowed to format and eject removable media: Administrators
5.11 Devices: Prevent users from installing printer drivers: Enabled
5.12 Devices: Restrict CD-ROM access to locally logged-on user only: Enabled
5.13 Devices: Restrict floppy access to locally logged-on user only: Enabled
5.14 Devices: Unsigned driver installation behavior: Warn but allow installation
5.15 Domain controller: Allow server operators to schedule tasks: Not Defined (Not Applicable)
5.16 Domain controller: LDAP server signing requirements: Not Defined (Not Applicable)
5.17 Domain controller: Refuse machine account password changes: Not Defined (Not Applicable)
5.18 Domain member: Digitally encrypt or sign secure channel data (always): Enabled
5.19 Domain member: Digitally encrypt secure channel data (when possible): Enabled
5.20 Domain member: Digitally sign secure channel data (when possible): Enabled
5.21 Domain member: Disable machine account password changes: Disabled
5.22 Domain member: Maximum machine account password age: 30 Days
5.23 Domain member: Require strong (Windows 2000 or later) session key: Enabled
5.24 Interactive logon: Do not display last user name: Enabled
5.25 Interactive logon: Do not require CTRL+ALT+DEL: Disabled
5.26 Interactive logon: Message text for users attempting to log on: <DoJ Approved> (Should be edited to contain message content pertinent to UC policy.)
5.27 Interactive logon: Message title for users attempting to log on: <DoJ Approved> (Should be edited to contain message content pertinent to UC policy.)
5.28 Interactive logon: Number of previous logons to cache (in case domain controller is not available): 0
5.29 Interactive logon: Prompt user to change password before expiration: 14 Days
5.30 Interactive logon: Require Domain Controller authentication to unlock workstation: Not Defined
5.31 Interactive logon: Smart card removal behavior: Lock Workstation
5.32 Microsoft network client: Digitally sign communications (always): Enabled
5.33 Microsoft network client: Digitally sign communications (if server agrees): Enabled
5.34 Microsoft network client: Send unencrypted password to third-party SMB servers: Disabled
5.35 Microsoft network server: Amount of idle time required before suspending session: 15 minutes
5.36 Microsoft network server: Digitally sign communications (always): Enabled
5.37 Microsoft network server: Digitally sign communications (if client agrees): Enabled
5.38 Microsoft network server: Disconnect clients when logon hours expire: Enabled
5.39 Network access: Allow anonymous SID/Name translation: Disabled
5.40 Network access: Do not allow anonymous enumeration of SAM accounts: Enabled
5.41 Network access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled
5.42 Network access: Do not allow storage of credentials or .NET Passports for network authentication: Enabled
5.43 Network access: Let Everyone permissions apply to anonymous users: Disabled
5.44 Network access: Named Pipes that can be accessed anonymously: None
5.45 Network access: Remotely accessible registry paths: Not Defined
5.46 Network access: Shares that can be accessed anonymously: None
5.47 Network access: Sharing and security model for local accounts: Classic
5.48 Network access: Sharing and security model for local accounts: Enabled
5.49 Network security: Force logoff when logon hours expire: Enabled
5.50 Network security: LAN Manager authentication level: Send NTLMv2, Refuse LM and NTLM
5.51 Network security: LDAP client signing requirements: Require Signing
5.52 Network security: Minimum session security for NTLM SSP based (including secure RPC) clients: Require Message Integrity, Message Confidentiality, NTLMv2 Session Security, 128-bit Encryption
5.53 Network security: Minimum session security for NTLM SSP based (including secure RPC) servers: Require Message Integrity, Message Confidentiality, NTLMv2 Session Security, 128-bit Encryption
5.54 Recovery Console: Allow automatic administrative logon: Disabled
5.55 Recovery console: Allow floppy copy and access to all drives and all folders: Not Defined
5.56 Shutdown: Allow system to be shut down without having to log on: Disabled
5.57 Shutdown: Clear virtual memory pagefile: Enabled
5.58 System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing: Enabled
5.59 System objects: Default owner for objects created by members of the Administrators group: Object Creator
5.60 System objects: Require case insensitivity for non-Windows subsystems: Enabled
5.61 System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links): Enabled

A-6
6.1 Maximum application log size: 16 MB
6.2 Maximum security log size: 80 MB
6.3 Maximum system log size: 16 MB
6.4 Prevent local guests group from accessing application log: Enabled
6.5 Prevent local guests group from accessing security log: Enabled
6.6 Prevent local guests group from accessing system log: Enabled
6.7 Retain application log: Not Defined
6.8 Retain security log: Not Defined
6.9 Retain system log: Not Defined
6.10 Retention method for application log: Not Defined
6.11 Retention method for security log: Not Defined
6.12 Retention method for system log: Not Defined

A-7
7.1 Power Users: None
7.2 Remote Desktop Users: None

A-8 (items 8.1 through 8.21, plus unnumbered UC additions)
All of the following services: Disabled. Several of these services carry the comment "Per UCOP Common Desktop Initiative configuration."
Alerter
Application Layer Gateway
Clipbook
Computer Browser
Distributed Link Tracking Client
Error Reporting
Fast User Switching Compatibility
Fax Service
FTP Publishing Service
IIS Admin Service
Indexing Service
Messenger
Net Logon
Netmeeting Remote Desktop Sharing
Network Location Awareness (NLA)
Remote Desktop Help Session Manager
Remote Registry
Routing and Remote Access
Simple Mail Transfer Protocol (SMTP)
Simple Network Management Protocol (SNMP) Service
Simple Network Management Protocol (SNMP) Trap
Task Scheduler
Telnet
Terminal Services
Universal Plug and Play Device Host
Volume Shadow Copy
WebClient
Wireless Zero Configuration
World Wide Web Publishing Services

A-9
9.1 %SystemRoot%\system32\at.exe: Administrators: Full; System: Full
9.2 %SystemRoot%\system32\attrib.exe: Administrators: Full; System: Full
9.3 %SystemRoot%\system32\cacls.exe: Administrators: Full; System: Full
9.4 %SystemRoot%\system32\debug.exe: Administrators: Full; System: Full
9.5 %SystemRoot%\system32\drwatson.exe: Administrators: Full; System: Full
9.6 %SystemRoot%\system32\drwtsn32.exe: Administrators: Full; System: Full
9.7 %SystemRoot%\system32\edlin.exe: Administrators: Full; System: Full; INTERACTIVE: Read, Ex
9.8 %SystemRoot%\system32\eventcreate.exe: Administrators: Full; System: Full
9.9 %SystemRoot%\system32\eventtriggers.exe: Administrators: Full; System: Full
9.10 %SystemRoot%\system32\ftp.exe: Administrators: Full; System: Full; INTERACTIVE: Read, Ex
9.11 %SystemRoot%\system32\net.exe: Administrators: Full; System: Full; INTERACTIVE: Read, Ex
9.12 %SystemRoot%\system32\net1.exe: Administrators: Full; System: Full; INTERACTIVE: Read, Ex
9.13 %SystemRoot%\system32\netsh.exe: Administrators: Full; System: Full
9.14 %SystemRoot%\system32\rcp.exe: Administrators: Full; System: Full
9.15 %SystemRoot%\system32\reg.exe: Administrators: Full; System: Full
9.16 %SystemRoot%\regedit.exe: Administrators: Full; System: Full
9.17 %SystemRoot%\system32\regedt32.exe: Administrators: Full; System: Full
9.18 %SystemRoot%\system32\regsvr32.exe: Administrators: Full; System: Full
9.19 %SystemRoot%\system32\rexec.exe: Administrators: Full; System: Full
9.20 %SystemRoot%\system32\rsh.exe: Administrators: Full; System: Full
9.21 %SystemRoot%\system32\runas.exe: Administrators: Full; System: Full; INTERACTIVE: Read, Ex
9.22 %SystemRoot%\system32\sc.exe: Administrators: Full; System: Full
9.23 %SystemRoot%\system32\subst.exe: Administrators: Full; System: Full
9.24 %SystemRoot%\system32\telnet.exe: Administrators: Full; System: Full; INTERACTIVE: Read, Ex
9.25 %SystemRoot%\system32\tftp.exe: Administrators: Full; System: Full; INTERACTIVE: Read, Ex
9.26 %SystemRoot%\system32\tlntsvr.exe: Administrators: Full; System: Full

A-10
10.1 HKLM\Software: Administrators: Full; System: Full; Creator Owner: Full; Users: Read
10.2 HKLM\Software\Microsoft\Windows\CurrentVersion\Installer: Administrators: Full; System: Full; Users: Read
10.3 HKLM\Software\Microsoft\Windows\CurrentVersion\Policies: Administrators: Full; System: Full; Authenticated Users: Read
10.4 HKLM\System: Administrators: Full; System: Full; Creator Owner: Full; Users: Read
10.5 HKLM\System\CurrentControlSet\Enum: Administrators: Full; System: Full; Authenticated Users: Read
10.6 HKLM\System\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers: Administrators: Full; System: Full; Creator Owner: Full
10.7 HKLM\System\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities: Administrators: Full; System: Full; Creator Owner: Full
10.8 HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Ratings: Administrators: Full; Users: Read
10.9 HKLM\Software\Microsoft\MSDTC: Administrators: Full; System: Full; Network Service: Query Value, Set Value, Create Subkey, Enumerate Subkeys, Notify, Read Permissions; Users: Read
10.10 HKU\.Default\Software\Microsoft\SystemCertificates\Root\ProtectedRoots: Administrators: Full; System: Full; Users: Read
10.11 HKLM\Software\Microsoft\Windows NT\CurrentVersion\SecEdit: Administrators: Full; System: Full; Users: Read

A-11
11.1 HKLM\Software\Microsoft\DrWatson\CreateCrashDump: 0
11.2 HKLM\Software\Microsoft\Windows NT\CurrentVersion\AEDebug\Auto: 0
11.3 HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun: 255
11.4 HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun: 255
11.5 HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon: 0
11.6 HKLM\System\CurrentControlSet\Control\CrashControl\AutoReboot: 0
11.7 HKLM\System\CurrentControlSet\Services\Cdrom\Autorun: 0
11.8 HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareWks: 0
11.9 HKLM\System\CurrentControlSet\Services\MrxSmb\Parameters\RefuseReset: 1
11.10 HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting: 2
11.11 HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect: 0
11.12 HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect: 0
11.13 HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery: 0
11.14 HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime: 300000
11.15 HKLM\System\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand: 1
11.16 HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery: 0
11.17 HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect: 2
11.18 HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen: 100
11.19 HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenRetried: 80
11.20 HKLM\System\CurrentControlSet\Services\IPSEC\NoDefaultExempt: 1
11.21 HKLM\System\CurrentControlSet\Services\Lanmanserver\Parameters\Hidden: 1
11.22 HKLM\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode: 1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LogonType: Disables the XP-style Welcome logon screen and reverts to the "classic" Windows 2000 logon screen.

A-12
12.1 HKLM\Software: Everyone: Failures
12.2 HKLM\System: Everyone: Failures
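Verifying that a deployed PC still matches items 1.1 through 3.9 of this template is easiest against the file that `secedit /export /cfg <file>` writes. The Python script below is an added example, not a tool from the UCOP document or from NIST. It parses such an export (secedit writes UTF-16 with a [Unicode] header; a constructed, already-decoded sample is embedded) and reports every deviation from the Appendix A password, lockout and audit values. The INF key names are the ones secedit uses; the translation of the document's values into INF form is my reading of that format and is stated in the comments (a maximum password age of 0 in the GUI is written as -1, and audit settings are bitmasks with 1 = Success and 2 = Failure).

```python
"""Compare an exported Windows security template (.inf) against the
Appendix A password, lockout and audit requirements.

Added example, not part of the UCOP document.  Export the live policy
with:  secedit /export /cfg C:\\template.inf   (file is UTF-16)
"""
import configparser

# Required values from Appendix A, keyed by the [System Access] and
# [Event Audit] names secedit uses.  Translation of the document's values
# into INF form (my reading of the format): MaximumPasswordAge -1 is the
# GUI's 0 (never expire); audit values are bitmasks, 1 = Success,
# 2 = Failure, 3 = both, 0 = no auditing.
REQUIRED = {
    "System Access": {
        "PasswordHistorySize": "24",    # 1.1  24 passwords remembered
        "MaximumPasswordAge": "-1",     # 1.2  0 (never expires)
        "MinimumPasswordAge": "1",      # 1.3  1 day
        "MinimumPasswordLength": "12",  # 1.4  12 characters
        "PasswordComplexity": "1",      # 1.5  Enabled
        "ClearTextPassword": "0",       # 1.6  reversible encryption Disabled
        "LockoutDuration": "15",        # 2.1  15 minutes
        "LockoutBadCount": "10",        # 2.2  10 invalid attempts
        "ResetLockoutCount": "15",      # 2.3  15 minutes
    },
    "Event Audit": {
        "AuditAccountLogon": "3",       # 3.1  Success, Failure
        "AuditAccountManage": "3",      # 3.2  Success, Failure
        "AuditDSAccess": "0",           # 3.3  No auditing
        "AuditLogonEvents": "3",        # 3.4  Success, Failure
        "AuditObjectAccess": "3",       # 3.5  Success, Failure
        "AuditPolicyChange": "1",       # 3.6  Success
        "AuditPrivilegeUse": "2",       # 3.7  Failure
        "AuditProcessTracking": "0",    # 3.8  No auditing
        "AuditSystemEvents": "1",       # 3.9  Success
    },
}

# Constructed sample export with two deliberate deviations
# (password length 8 and privilege-use auditing set to both).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = -1
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 10
ResetLockoutCount = 15
LockoutDuration = 15
ClearTextPassword = 0
[Event Audit]
AuditSystemEvents = 1
AuditLogonEvents = 3
AuditObjectAccess = 3
AuditPrivilegeUse = 3
AuditPolicyChange = 1
AuditAccountManage = 3
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 3
[Version]
signature="$CHICAGO$"
Revision=1
"""


def load_template(path):
    """Read a secedit export; the utf-16 codec consumes the BOM."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


def parse_template(text):
    """Parse INF text into {section: {key: value}}, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def check_template(text):
    """Return (section, key, required, actual) for every deviation;
    a missing key is reported with actual=None."""
    actual = parse_template(text)
    findings = []
    for section, keys in REQUIRED.items():
        present = actual.get(section, {})
        for key, want in keys.items():
            got = present.get(key)
            if got is None or got.strip() != want:
                findings.append((section, key, want, got))
    return findings


if __name__ == "__main__":
    for section, key, want, got in check_template(SAMPLE_INF):
        print(f"[{section}] {key}: required {want}, found {got}")
```

On a real PC, replace `SAMPLE_INF` with `load_template(r"C:\template.inf")`. The user-rights, service, file and registry sections of the template use different INF sections ([Privilege Rights], [Service General Setting], [File Security], [Registry Keys]) and are not checked by this example.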

Appendix B: Sample Incident Response Check List

Campus incident response procedures will vary to some extent, depending on the organization of the business functions, information technology, public information, law enforcement, etc. In general, all incident response procedures would include the following elements.

● Ensure that the right people are involved. At a minimum, the incident response team includes: the affected system's proprietor and custodian, the campus IT security and policy officers, the campus Chief Information Officer, and the Associate Vice President – Information Resources and Communications (UCOP) if public disclosure is required. In some circumstances, other campus experts may need to be involved (e.g., the Chancellor's office, campus police, legal counsel, public affairs, risk management, internal audit, the campus payment card coordinator, the campus HIPAA security officer, or national and international IT security organizations such as the US-CERT).

● Secure the area. Electronic evidence can be very perishable and can be easily destroyed, resulting in an inability to prosecute or an inability to determine if personal information was compromised. Secure the scene and all the persons on the scene, then visually identify potential evidence, both conventional (physical) and electronic, and determine if perishable evidence exists. Take care not to alter the condition of any electronic device: if it is off, leave it off; if it is on, leave it on. Inventory and evaluate the scene and then formulate a plan.

● Incident Response Process Steps: Incident response processes are unpredictable. For this reason, proper documentation at every stage in the process is essential.

1. Notify. Provide initial notification of the breach to the affected system's proprietor and custodian, the campus IT security and compliance/policy officers, and any other people required by the circumstances. Provide updates as appropriate throughout the incident response process.
2. Assess the need for forensic investigation. The factors to consider include the potential value of forensic information vs. the immediate need to protect and restore University resources and services. It may be necessary to delay subsequent steps until an appropriate criminal investigation has been conducted.
3. Regain control. Once required forensic information has been collected, regain control of the compromised system. This may include network disconnection, process termination, a reboot, etc.
4. Analyze the intrusion. Understand the nature of the intrusion and its impact on information and process integrity. Determine if restricted information may have been acquired by unauthorized individuals. Determine what address information is available for individuals whose data may have been acquired by unauthorized individuals.
5. Document results of analysis. Prepare a report on the nature of the incident, the nature of the information that has been compromised, the number of individuals affected, and address information on impacted individuals.
6. Submit report. Notify the campus IT leadership, executive managers, legal counsel, and the Associate Vice President – Information Resources and Communications if there is a possibility that public disclosure will be required.
7. Recover from the intrusion. Perform whatever steps are needed to restore the integrity of the affected information and processes.
8. Correct system or application vulnerabilities. Correct the condition that allowed the intrusion to occur.
9. Restore the service. Once everything is complete, service can be restored.
10. Assemble team to determine if notification is required. Work with executive management to determine whether to make public disclosures. "Determining the Threshold for Security Breach Notification" (http://www.ucop.edu/irc/itsec/security_breach_notification.pdf) contains issues that should be considered when evaluating the incident and determining whether to notify affected individuals in compliance with California's security breach notification requirement. Campus counsel and public affairs should be included in the determination.
11. Close the incident. Ensure notification of the incident's final resolution to the affected system's proprietor and custodian, the campus IT security and compliance/policy officers, the campus IT leader, the Associate Vice President – Information Resources and Communications, and any other individuals who should be engaged in this process.
