Item

Stan.

Standard Description

Comply

Comments

LEGEND

Implementation Standard (Stan.):
N = not applicable
O = optional
R = recommended
M = mandatory

Level of Compliance (Comply):
X = no protection/not implemented
W = needs work
A = adequate; meets or exceeds standard

1. General

1-1

R

Budget plan produced and budget line items include cost of annual maintenance (maintenance contract or line item for time/materials)

X W A

1-2

R

Budget plan produced and budget line items include cost of equipment replacement.

X W A

1-3

M / R

Backup plan developed for servers (M) and staff workstations (R)

X W A

1-4

R

Security policy developed detailing rights and responsibilities of staff, patron, and contract users of the network

X W A

1-5

M

Acceptable Use Policy (AUP) developed for patrons and staff; includes consequences of misuse of equipment or services

X W A

1-6

R

Workstation security plan developed

X W A

1-7

M

Train staff not to reveal system passwords to anyone other than specified contracted technicians having prior authorization

X W A

1-8

M

Train staff not to allow anyone access to systems and network equipment without prior authorization

X W A

1-9

M

Require companies performing maintenance/ configuration to sign a disclosure agreement: to disclose configuration parameters (especially passwords) to designated library staff and not to disclose library network configuration information to any third-party without prior authorization.

X W A

2. Physical & Data Security

2-1

M

Dead bolt locks on all building entrances/exits

X W A

2-2

M

All servers and network equipment in staff-only area, preferably locked (alternatively, in locked equipment cabinet)

X W A

2-3

R

Data cables/data jacks (public areas) are secured from patron access, if possible

X W A

2-4

R

Locked storage is used for backup media and emergency recovery disks/CDs

X W A

2-5

R

Rotate one backup set offsite regularly and store in a secure location

X W A

2-6

R

Store backup of router, firewall configuration file, if applicable, in a secure location

X W A

2-7

R

Keys used in securing equipment or media are stored in a controlled location

X W A

2-8

M

Electrical system inspection for adequate building power capacity, breaker box, and independently grounded electrical circuits (dedicated circuits suggested for PCs; ground suggested for equipment racks)

X W A

2-9

M

All workstation power cords connected to surge protectors meeting UL1449 330V standard

X W A

2-10

M

All modems physically connected to phone lines are surge protected

X W A

2-11

O

Outlets on dedicated circuits are colored fluorescent orange

X W A

2-12

R

Serial numbers and physical asset numbers (if applicable) are recorded for all workstations, servers, and network equipment

X W A

2-13

O

Insurance coverage against damage or theft

X W A

3. Password Security

3-1

M

Develop written password policy and provide to all staff and patrons using specific user logons

X W A

3-2

M

Develop written instructions in creating strong passwords and provide to all staff and patrons using specific user logons

X W A

3-3

M

Document passwords for all network equipment, servers, and workstations

X W A

3-4

M

Store password documentation in secure location known only by library director and one other person

X W A

4. Hardware Security

4-1

M

BIOS: public workstation: boot order, set primary hard drive first

X W A

4-2

M

BIOS: server (locked staff-only access): boot order, either setting

X W A

4-3

M

BIOS: server (when locked staff-only access is not possible): boot order, set primary hard drive first

X W A

4-4

M

BIOS: workstations: supervisor password set

X W A

4-5

M

BIOS: servers: if servers can restart automatically with password set, set one

X W A

4-6

M

BIOS: anti-virus protection enabled

X W A

4-7

O

BIOS: public workstations: floppy drive(s) disabled if AUP specifies no patron access to floppy disks

X W A

4-8

M

BIOS: servers (when locked staff-only access is not possible): disable floppy drive

X W A

4-9

M

BIOS: public workstations: setup message hidden/ disabled, if available

X W A

4-10

M

BIOS: all computers: record setup configuration parameters

X W A

4-11

R

Servers and workstations: use small padlocks to secure case covers

X W A

4-12

O

Public workstations (or all computers in a very insecure environment): secure CPU, monitor, keyboard, and mouse to table/desk with hardware security cables/devices.

X W A

4-13

M

All servers: protect with UPS (400va or higher), preferably having auto shutdown software

X W A

4-14

M

Network equipment (hubs or switches): protect with UPS (250va or higher)

X W A

4-15

M

Router/firewall: protect with UPS (250va or higher)

X W A

5. Workstation Security

5-1

M

Configure NT Workstation partitions with NTFS file systems

X W A

5-2

M

Disable boot keys on Windows 95/98 workstations

X W A

5-3

R

Configure workstations with private IP addresses (LAN-wide recommendation), either static or dynamic (through DHCP)

X W A

5-4

M

Require logon at each workstation

X W A

5-5

R

Disable display of previous user name on logon screen

X W A

5-6

M

If individual patron accounts are implemented, develop a written password policy with training documentation for patrons to follow

X W A

5-7

M

Install Windows System Policy Editor or third-party software to restrict access and secure desktop/shell

X W A

5-8

M

Restrict command line/shell access

X W A

5-9

M

Restrict access to hard drive (consistent with terms for downloading/saving files specified in AUP)

X W A

5-10

M

Configure web browser to enhance privacy, and restrict access to web browser settings

X W A

5-11

R

Install software to restrict access to system functions within Windows applications

X W A

5-12

M

Remove unnecessary/unused files/programs from hard drive

X W A

5-13

M

Remove Network Monitor Agent from public workstations, if installed

X W A

5-14

M

Schedule procedure to periodically remove all user files if file downloading/saving is permitted in AUP; also remove unneeded "cookies"

X W A

5-15

M

Install and maintain anti-virus software on all workstations

X W A

5-16

M

Update virus signatures on regular schedule (at least once every two weeks)

X W A

5-17

M

Upgrade anti-virus software to support scanning of floppy diskette, e-mail, and Internet file downloads, if necessary

X W A

5-18

R

Implement secure registry settings to secure desktop/operating system settings

X W A

5-19

M

Document software and security settings for future use in configuring new workstations

X W A

5-20

M

Schedule periodic download and installation of operating system patches

X W A

5-21

M

Create and maintain current Emergency Repair Disks, and store in a controlled location

X W A

5-22

R

Implement paper log to record maintenance problems and patron misuse of workstation

X W A

5-23

M

File all workstation component documentation (papers/manuals/disks) for use by service technicians

X W A

6. LAN/Domain Server Security

6-1

M

Configure all NT Server partitions with NTFS file systems

X W A

6-2

R

Configure separate operating system and data partitions (both NTFS)

X W A

6-3

O

Mirror server drives (or implement RAID), if funding allows, for redundancy

X W A

6-4

R

Configure servers with private IP addresses (LAN-wide recommendation)

X W A

6-5

M

Remove unnecessary services

X W A

6-6

M

Remove unnecessary files/programs

X W A

6-7

M

Configure file system with proper file/folder access permissions (Specifically, restrict access to system files and executables)

X W A

6-8

R

Restrict access to the Network Monitor Agent

X W A

6-9

M

Disable anonymous user logons

X W A

6-10

M

Disable caching of user logons

X W A

6-11

M

Configure account policy to restrict unauthorized logon attempts

X W A

6-12

M

Create logon warning message (a warning against unauthorized logon or access and use of restricted resources)

X W A

6-13

R

Create alternative Administrators group and restrict membership

X W A

6-14

R

Restrict privileges of default Administrators group

X W A

6-15

R

Create alternative Administrator account (with new name) with full privileges

X W A

6-16

R

Disable default Administrator account

X W A

6-17

R

Configure auditing of Administrator account logon attempts (to track hacking attempts)

X W A

6-18

M

Set a strong password for current administrator/root account

X W A

6-19

M

Use different passwords for domain/server accounts than for local workstation accounts, or use different account names

X W A

6-20

M

Restrict access permissions for the Everyone group

X W A

6-21

M

Disable Guest account if enabled

X W A

6-22

M

Create appropriate user and group accounts (minimum of three groups: Patrons, Staff, and Administrators)

X W A

6-23

M

Set appropriate group access permissions

X W A

6-24

M

Set appropriate user account passwords (password for PatronX account(s) may be simple or empty)

X W A

6-25

M

Encrypt the SAM password database

X W A

6-26

M

Configure Remote Access Service security. if applicable

X W A

6-27

M

Set/Create registry entries/values for proper security (disable Netware DLL Trojan horse capability, if applicable; restrict remote access to registry; restrict access to named pipes and the scheduler; block 8.3 attack; etc.)

X W A

6-28

R

Document software and security settings for future use in reconfiguring servers

X W A

6-29

M

Configure audit logs to track unauthorized access to files/folders/accounts; restrict access to log files

X W A

6-30

M

Develop and implement procedure for monitoring audit logs

X W A

6-31

R

Install software for the server’s UPS that automatically shuts down the server

X W A

6-32

R

Implement procedures for file backups according to backup plan

X W A

6-33

R

Restrict access to backup program

X W A

6-34

R

Maintain backup log and auditing

X W A

6-35

R

Rotate one backup set offsite regularly

X W A

6-36

M

Schedule periodic download and installation of operating system patches

X W A

6-37

M

Create and maintain current Emergency Repair Disks, and store in a controlled location

X W A

6-38

R

Implement paper log to record maintenance problems, attempts at unauthorized access, and other server problems

X W A

6-39

M

File all server component documentation (papers/ manuals/disks) for use by service technicians

X W A

7. Network Equipment Security

7-1

M

Set appropriate network management protocol (SNMP) passwords/community strings

X W A

7-2

M

Record and secure any password settings created by staff or contractors

7-3

M

Configure audit logs properly, if available

X W A

7-4

M

Implement procedure for monitoring audit logs

X W A

7-5

M

Schedule periodic installation of firmware updates

X W A

7-6

M

Document equipment settings for future use in reconfiguring equipment; make backup copy of router configuration file, if possible, and store in secure location

X W A

7-7

M

File all network equipment documentation (papers/ manuals/disks) for use by service technicians

X W A

8. Router/Firewall Security

8-1

R

Use three-port firewall; public services (web/ftp/e-mail) are provided on separate network segment, the DMZ

X W A

8-2

R

Implement network address translation (NAT), if possible

X W A

8-3

R

Use private IP addresses LAN-wide, if possible

X W A

8-4

R

Configure router to deny inbound access to unused ports (unless specific library services require them); for example, FTP on port 21, Telnet on port 23, etc.

X W A

8-5

M

Configure firewall so no packets with source addresses outside the LAN are allowed into the LAN, but only to DMZ

X W A

8-6

R

Firewall uses stateful packet inspection, providing protection against denial-of-service attacks and IP spoofing

X W A

8-7

M

Document settings for future use in reconfiguring router/firewall; make backup copy of router configuration file, if possible, and store in secure location

X W A

8-8

M

Schedule periodic installation of firmware updates

X W A

8-9

M

File all router/firewall documentation (papers/ manuals/disks) for use by service technicians

X W A

9. Web Server Security

9-1

As speci-fied

Implement normal server security steps as listed in section 4, with the exception of 4-9, 4-18 (just remove agent), 4-39 (remove service), and 4-40 and 4-41 (see 7-9 through 7-11)

X W A

9-2

M

Configure web server as standalone server (especially not a domain server)

X W A

9-3

M

Configure web server to run as separate user (not with root or admin privileges)

X W A

9-4

M

Secure the anonymous IIS account

X W A

9-5

M

Disable directory browsing

X W A

9-6

M

Set proper file system access permissions (especially that both Write and Script/Execute permissions [IIS] are never set on same folder; etc.)

X W A

9-7

M

Remove unnecessary services

X W A

9-8

M

Remove unnecessary files/programs

X W A

9-9

R

Unless absolutely required, remove FrontPage extensions if installed

X W A

9-10

R

Restrict scope of indexing if Index Server is used

X W A

9-11

M

Configure registry settings for proper IIS security

X W A

9-12

M

Document settings for future use in reconfiguring web server, and store in secure location

X W A

9-13

M

Configure web server auditing and audit logs properly

X W A

9-14

M

Implement procedure for creating/monitoring audit logs

X W A

9-15

R

Have a trusted source review for security flaws any CGI-type scripts (downloaded from Web or developed locally) used in web pages

X W A

9-16

M

Imperative: Update IIS web server with patches as soon as they are released by Microsoft; repeating 4-42, update the web server’s underlying NT operating system as patches are released by Microsoft

X W A

9-17

M

Subscribe to Microsoft’s Product Security Notification service

X W A

9-18

M

File web server documentation (papers/manuals/ disks) for use by service technicians

X W A

10. Virtual Private Network (VPN) Security

10-1

M

Supports Microsoft’s point-to-point tunneling protocol (PPTP) or IPSec

X W A

10-2

R

Document all server changes required to support the VPN

X W A

10-3

R

Document firewall configuration changes required to support the VPN

X W A