What are the risks of logging into a system routing as root or some other administrative identity

Report No. 03-04
November 2002
Office of the Inspector General

Our review disclosed that security controls need improvement to fully protect the ITS II from unauthorized use, loss, or modification. Specifically we found vulnerabilities in the areas of life cycle; authorize processing; system security plan; personnel security; physical and environmental protection; production, input/output controls; contingency planning; hardware and systems software maintenance; data integrity; incident response capability; identification and authentication; logical access controls; and audit trails.

As a result of testing management controls, we confirmed that controls were adequate for ITS II's risk management and review of security controls. Vulnerabilities were identified within the following management control areas:

Issue: Inadequate System Development Life Cycle (SDLC)

Condition:

The BOP has not incorporated security requirements into its ITS II SDLC procedures. During the acquisition and development phases of ITS II, the SDLC did not require the BOP to address security issues that may have arisen.

Cause:

The BOP ITS II management failed to fully implement its SDLC methodology.

Criteria:

DOJ Order 2640.2D, Information Technology Security, states that components shall develop and implement a risk-based security process to provide security throughout the life cycle of all systems supporting their operations and assets.

Risk:

Without security requirements being outlined for the development and acquisition phases of the SDLC, complications in the development process can arise that could cause system vulnerabilities to be present in the final production system.

Recommendation:

1. We recommend that the BOP Director ensure that BOP management incorporate security requirements into the development and acquisition phases of the SDLC.

Issue: Inadequate Change Control Procedures

Condition:

ITS II does not have adequate change control procedures in place to: (a) document certification testing activities, (b) update system documentation when security controls are added, (c) retest security controls, or (d) recertify the system after changes have been made.

Cause:

BOP management failed to fully implement the SDLC methodology.

Criteria:

DOJ Order 2640.2D requires that a configuration management process be in place to maintain control of changes to any system.

Risk:

The absence of adequate change control procedures in the SDLC can lead to numerous complications if or when changes are made to ITS II. This can include system failures, system vulnerabilities, and other system flaws. In addition, any changes made for security purposes will not be documented.

Recommendation:

1. We recommend that the BOP Director ensure that BOP management incorporate documented procedures to document certification testing activities, update system documentation when security controls are added, retest security controls, and recertify the system after changes have been made.

Issue: Operating Controls Not In Place

Condition:

Although ITS II was certified and accredited, we found that BOP management did not improve operating controls outlined in a security test and evaluation (ST&E) report completed by a contractor in June 2002. The report identified 13 areas of weaknesses and correlating recommendations for improving operating controls over ITS II. In addition, areas such as virus controls, password controls, and user level access controls outlined in a December 2000 certification statement as conditions for certification had not been met.

Cause:

BOP management did not update the system resources to fully improve security over the network.

Criteria:

DOJ Order 2640.2D requires that each component shall evaluate their IT security programs and system protection mechanisms and report deficiencies to the Chief Information Officer annually.

Risk:

Without in-place controls operating as intended, ITS II is vulnerable to security breaches that could lead to a denial of service or a full compromise of the system.

Recommendation:

1. We recommend that the BOP Director ensure that BOP management update operating controls as outlined in the June 2002 ST&E report, and complete the "Conditions of Certification" outlined in the ITS II certification statement.

Issue: Rules of Behavior

Condition:

The BOP developed Rules of Behavior (BOP Directive 1237-12) that BOP approved to provide guidance on how to use BOP systems. BOP staff signed the Rules of Behavior; however, the ITS II contractor personnel have not. Therefore, contractor personnel are not necessarily aware of the BOP's procedures and guidelines for administering and operating ITS II.

Cause:

BOP management did not follow Department procedures requiring contractor's acknowledgement of the Rules of Behavior document.

Criteria:

NIST SP 800-18, A Guide For Developing Private Security Plans For Information Technology, states that a set of Rules of Behavior must be established for each system and should be made available to every user prior to receiving authorization for access to the system. It is recommended that the rules contain a signature page for each user to acknowledge receipt.

Risk:

Contractor personnel not signing the Rules of Behavior document could have several negative effects. For example, users could potentially find themselves in a situation where they are unsure of how to act given the circumstances and could choose an action that goes against the BOP policy. Additionally, the BOP could be unable to hold contractors and vendors accountable for their actions should they affect the BOP or ITS II negatively.

Recommendation:

1. We recommend that the BOP Director ensure that BOP management requires all users, including vendor and contractor personnel, to read and sign the Rules of Behavior document (BOP Directive 1237-12) to ensure users are aware of its contents.

Issue: Security Plan

Condition:

While the BOP has developed a system security plan for ITS II, BOP did not address critical elements. For example, the BOP has not incorporated all aspects of NIST SP 800-18, into the security plan. In addition, the plan for ITS II was not incorporated into the BOP's overall strategic information resources management (IRM) plan.

Cause:

The current system security plan was developed by the main ITS II contractor, and was based on the contractor's standards, not those of the BOP or the Department.

Criteria:

DOJ Order 2640.2D Section 5 states: "Components shall ensure the certification and accreditation of all systems under their operational control.

1. For each classified and sensitive but unclassified (SBU) system the certification official shall:
1. Ensure a system security plan is prepared and maintained throughout the system life cycle.
2. Ensure a system test and evaluation is conducted and the results of such tests are documented."

Risk:

Without incorporating NIST SP 800-18 standards into the security plan and not incorporating the security plan into the BOP's overall strategic plan could result in aspects of the security plan being incomplete or not in accordance with overall BOP security guidelines. This could lead to a less secure system overall.

Recommendation:

1. We recommend that the BOP Director ensure that BOP management incorporate the guidelines for developing security plans outlined in NIST SP 800-18 into the current ITS II security plan and incorporate the plan into the overall IRM strategic plan for the BOP.

Our testing confirmed that operational controls were adequate within the areas of documentation and security awareness, training, and education for ITS II. However, our testing also identified vulnerabilities within other critical areas of operational controls. The specific details identifying these vulnerabilities are listed below.

Issue: Segregation of Duties

Condition:

Currently, the BOP system administration and system security responsibilities are not adequately separated to ensure least privilege and individual accountability. In addition, different individuals do not always perform distinct systems support functions.

Cause:

According to BOP personnel, due to staff constraints, system maintenance, user maintenance, and security and network administration activities all fall under one person for the BOP and one person for the contractor. In addition, staffing constraints have resulted in one person acting as both a maintenance manager and a researcher and developer.

Criteria:

DOJ Order 2640.2D, Chapter 2, Section 23 (a) and (c), states: "Department IT systems shall have assignment and segregation of system responsibilities defined and documented�. At a minimum, there shall be a clearly defined role for a security administrator and a system administrator." Additionally, "Controls [compliant with Department access control policies] shall be in place to ensure that the user [and administrators] has access to only the resources required to accomplish their duties and no more."

Risk:

Tasking the same individuals to be responsible for development, system administration, and security administration could potentially allow an individual to commit fraudulent activity and "cover-up" his/her tracks without the BOP detecting the activity. In addition, individuals could potentially implement "backdoors" that would allow access once the individual has left the BOP.

Recommendation:

1. We recommend that the BOP Director ensure that BOP management:

1. conduct an analysis on the current staff shortages by determining the current security and system administrator skills on the BOP team and determine what skills the BOP needs to close the "gap." If additional staff is required, hire additional personnel who are trained and experienced security and/or system administrators;
2. ensure that those individuals who currently function as both security administrators and system administrators are moved to positions where these responsibilities do not conflict; and
3. ensure that developers are not tasked with either system or security administration.

Issue: Hiring, Transfer, and Termination Documentation

Condition:

Not all BOP ITS II security staff and contractor personnel are aware of the BOP's user account maintenance policy, which provides procedures for how to handle ITS II user accounts when employees are hired, transferred or terminated.

Cause:

According to the BOP security staff, the policy had not been communicated to them or ITS II contractor personnel.

Criteria:

BOP Directive 1237-11, states: "Users shall be trained in protection of computer hardware, software, and information. This includes all persons employed by or working with the Department of Justice receiving direct or indirect compensation or none at all (Public Health Service staff, contractors, volunteers, interns, persons representing or detailed from other Government agencies, etc.). They shall be made thoroughly aware of security and contingency plans for systems they use."

Risk: Without the awareness of the documented procedures for user account maintenance, accounts may be added to the ITS II without authorized approval and accounts of employees that have transferred or been terminated may not be removed in a timely manner.

Recommendation:

1. We recommend that the BOP Director ensure that BOP management:

1. distribute the BOP's documented procedures on how to maintain BOP ITS II user accounts to ITS II security staff and contractor personnel; and
2. enforce procedures in accordance with the BOP Directive 1237.11 and Department policy.

Issue: Physical Access

Condition:

The BOP does not have adequate physical security controls in place for ITS II. The ST&E report identified physical security weaknesses relating to 13 areas under NIST SP 800-26, which are being used for this GISRA review. These deficiencies included weaknesses in areas such as physical access to ITS II systems (routers, switches, and wiring closets), documentation of employee access to sensitive areas, reporting of suspicious activities, unauthorized viewing of computer monitors, and fire suppression and prevention.

Cause:

The BOP security management has not taken all appropriate steps to meet the Department and BOP requirements for physical security.

Criteria:

DOJ Order 2640.2D, states: "Department IT systems shall be physically protected commensurate with the highest classification or sensitivity of the information." In addition, BOP Directive 1237-11 Section 5 also outlines requirements for physical security.

Risk:

Without adequate physical security controls, unauthorized physical access to ITS II can be obtained and damage can be done to the systems. In addition, the systems may not be properly protected from disaster events such as fires and floods.

Recommendation:

1. We recommend that the BOP Director ensure that BOP management implement all of the recommendations outlined in the June 2002 ST&E report, specifically those outlined in section 4.12.

Issue: Sensitive Media

Condition:

To date, the BOP did not develop documented procedures for handling sensitive media. No formal process has been established to ensure that only authorized individuals can pick up, receive, or deliver input and output information and media. In addition, no documented process has been established to ensure adequate audit trails are used and maintained for inventory management, and labeling of sensitive media.

Cause:

According to BOP, an inadequate number of trained security personnel are on the ITS II security team to handle the associated responsibilities for developing the formal policies and procedure for handling sensitive media and perform the daily tasks required to maintain a secure computing environment.

Criteria:

BOP Directive 1237.11, states: "Be responsible for security of individual and shared office space containing computers, sensitive printouts, and electronic storage devices/media�. Take reasonable precautions to avoid loss of or damage to Government property and information."

DOJ Order 2640.2D Chapter 2 Section 19, states: "Department IT systems shall: maintain an audit trail of activity sufficient to reconstruct security relevant events."

Risk:

Without these procedures in place, unauthorized individuals could potentially gain access to sensitive BOP data. The lack of adequate audit trails for inventory management could also allow someone with access to the BOP hardware and software to either accidentally or intentionally misplace system components. In addition, contractor staff may not be made aware of the BOP's procedures for handling sensitive media once they have been created.

Recommendation:

1. We recommend that the BOP Director ensure that BOP management document a process to control the transfer of media and BOP data. In addition, the BOP management should ensure that audit trails are kept and retained for extended periods of time, capturing relevant information such as name, date, media description, and authorization.

Issue: Contingency Plan Implementation

Condition:

The current BOP contingency plan has not been distributed to all ITS II personnel. In addition, the current contingency plan for ITS II is not periodically tested and ITS II staff have not been trained in their roles and responsibilities concerning the contingency plan.

Cause:

The BOP ITS II management have not distributed the contingency plan to appropriate BOP personnel. The BOP management does not know if the plan has been distributed to the vendor's (Dyncorp) personnel.

Criteria:

BOP Directive 1237-11, states: "Users shall be trained in protection of computer hardware, software, and information�. They shall be made thoroughly aware of security and contingency plans for systems they use."

DOJ Order 2640.2D Chapter 1 Section 9, states: "Components shall plan for how they will perform their missions in the event their IT systems are unavailable and how they will recover these IT systems in the event of loss or failure. Components shall:�. Test contingency/business resumption plans annually or as soon as possible after a significant change to the environment that would alter the in-place assessed risk."

Risk:

By not properly distributing the contingency plan, the BOP's security staff may not be fully informed with the plan's details, and contractor staff may not be aware of the appropriate steps to take should a system recovery become necessary. Not testing the plan could allow deficiencies or weaknesses in the plan to go unnoticed for correction until an actual emergency situation. This also leaves the BOP personnel unfamiliar with the steps to take in the event of a disaster and unaware of who is responsible for completing each step as outlined in the plan.

Recommendation:

1. We recommend that the BOP Director ensure that BOP management:

1. distribute the contingency plan to appropriate individuals, including contractor staff; and
2. periodically test the Contingency plan and their employees and contractor staff in their roles and responsibilities.

Issue: Security Configuration

Condition:

The ITS II operating systems were not properly configured to prevent circumvention of the security software and application controls. We observed weak passwords on ITS II (Windows NT administrator level accounts with passwords set to the account name and administrator level accounts without passwords), and numerous vulnerabilities were identified by the contractor in its ST&E report. We also identified numerous vulnerabilities in ITS II diagnostic reviews. In addition, the default settings of security features for ITS II are not as restrictive as possible (Windows NT systems allowed enumeration of users, file permissions were not restrictive, and Simple Network Management Protocol (SNMP) community strings were weak).

Cause:

These conditions exist due to the lack of a formal configuration standard for the ITS II system.

Criteria:

DOJ 2640.2D CHAPTER 2 Section 16, states: "Access controls shall be in place and operational for all Department IT systems to:.� Protect the system, its data and applications, from unauthorized disclosure, modification, or erasure."

Risk:

Without properly configured security settings on operating systems, attackers can compromise the ITS II.

Recommendation:

1. We recommend that the BOP Director ensure that BOP management develop a configuration standard for all systems that incorporate the most restrictive security settings possible. In addition, the BOP should implement all the recommendations outlined in the ST&E report.

Issue: Integrity and Validation Controls

Condition:

Currently, the integrity and validation controls for the ITS II are not adequate. No Intrusion Detection System (IDS) has been installed on ITS II and no integrity verification programs are being used.

Cause:

The BOP does not have policy on the use of an IDS and integrity verification programs. Additionally, the BOP lacks policy on system penetration testing.

Criteria:

DOJ Order 2640.2D Chapter 2 Section 16, states: "Access controls shall be in place and operational for all Department IT systems to:.� Protect the system, its data and applications, from unauthorized disclosure, modification, or erasure."

Risk:

The lack of these controls creates an inability to ensure data integrity and to validate data. This could potentially cause BOP to be vulnerable to unauthorized data modifications. The lack of an IDS also leaves administrators without the benefit of advanced notice of unusual network or system activity. Without the warning an IDS can provide, it is more difficult to respond effectively to suspicious activity.

Recommendation:

1. We recommend that the BOP Director ensure that BOP management develop policies and procedures surrounding the use of intrusion detection software and integrity validation software and implement these policies and procedures on critical servers.

Issue: Incident Handling

Condition:

In reviewing ITS II, we found the BOP's response, handling, and support procedures for security incidents are not adequate. BOP does not have a formal incident response capability implemented and information concerning incidents does not appear to be disseminated to appropriate personnel or organizations.

Cause:

The BOP does not have a policy addressing incident handling and response, or that addresses how personnel shall be trained to respond.

Criteria:

DOJ Order 2640.2D Chapter 1 Section 5, states: "For SBU systems, security incidents that meet the criteria established by the DOJ Computer Emergency Response Team (DOJCERT) shall be reported by the component to DOJCERT within time frames established by DOJCERT. For classified systems, the component shall immediately report to the Department Security Officer (DSO) any incident involving the loss, compromise, or other event affecting the security of a classified system."

Risk:

Incidents that the BOP may encounter run the risk of not being properly handled. The correct or appropriate resolution may not be reached and responsible individuals may not be informed of the incident. Also, by not sharing incident information with other organizations, a common attack or virus outbreak with a known resolution will not be as easily solved for BOP or other affected organizations.

Recommendation:

1. We recommend that the BOP Director ensure that BOP management develop a policy for incident handling, response, and personnel support.

Issue: Password Management

A password is a unique string of characters that must be provided before a logon or access is authorized to a computer system. Passwords are security measures used to restrict logons to user accounts and access to computer systems and resources. The BOP password controls were found to be inadequate.

Condition:

• The password policy on the BOPCOF server allows blank passwords.
• The minimum password age policy is set too low allowing password changes too soon on both BOPCOF and BOPCO1 servers.
• The password history is set to less than 10 on both BOPCOF and BOPCO1 servers.
• The service pack enhancement Passfilt is not being used on the BOPCOF server.
• The resource kit utility, 'passprop', is not being utilized on both BOPCOF and BOPCO1 servers.
• The account lockout feature is not adequately set on BOPCOF and BOPCO1 servers.
• The Administrator account password is blank on the BOPCOF server.
• Nineteen users have the "password never expires" setting on the BOPCO1 server and two users have this setting on the BOPCOF server.
• The PASSLENGTH variable is set to six characters on the BOP UNIX server.
• The MAXWEEKS variable is set to 0 weeks.
• An EEPROM password has not been set.

Cause:

These vulnerabilities occurred because BOP management did not enforce compliance with Department password policies and procedures.

Criteria:

DOJ Order 2640.2D requires the Department's IT systems to implement eight-character password composed of at least three of the following: English uppercase, English lower case, numeric, and special characters. In addition, the Department's IT systems should comply with Department password management policy (DOJ-TS-001).

Risk:

Without strong password management controls, the BOP increases the risk that unauthorized persons could access sensitive ITS II resources, exposing information to unauthorized use, loss, or modification.

Recommendation:

1. We recommend that the BOP Director ensure that BOP management enforce formal Department password policies and procedures and install and activate a password filter on all servers to enforce parameters that enforce restrictions on passwords.

Issue: Access Controls

Condition:

We found logical access controls were inadequate for restricting user activities and network access. On the network, insecure protocols are being used with the router, no formal procedures exist for changing vendor-supplied default security parameters, idle sessions are not disconnected, and no formal policy or procedures exist for firewalls.

Cause:

The BOP management did not develop documented policy and procedures dictating the implementation and use of access control software for the prevention of fraudulent activity.

Criteria:

DOJ Order 2640.2D Chapter 2 Section 16, states: "Access controls shall be in place and operational for all Department IT systems to:.� Protect the system, its data and applications, from unauthorized disclosure, modification, or erasure."

Risk:

Without access controls in place, BOP management is unable to prevent an individual from committing fraud.

Recommendation:

1. We recommend that the BOP Director ensure that BOP management develop, implement, and monitor documented policy establishing specific security standards and settings for access controls. At a minimum, these standards and settings should:

1. Establish policy and procedures for disabling insecure protocols.
2. Establish policy dictating the reset of vendor default security parameters to more secure settings.
3. Configure network connections to automatically disconnect.
4. Establish standard firewall procedures for configuring the firewall.
5. Restrict access to tables defining network options, resources, and operator profiles.

Issue: User Authentication and Access

Condition:

User authentication and access is not properly controlled on the ITS II network. Specifically:

• Access scripts with embedded passwords are not prohibited.
• Service and administrator accounts have weak passwords.
• Inactive user accounts are not disabled after a specific period of time.
• Lost or compromised passwords are handled inappropriately.
• No formal procedures for replacing vendor-supplied passwords.
• Data owners do not periodically review access authorizations to determine whether they remain appropriate.

Cause:

The ITS II management did not have documented procedures for monitoring access scripts with embedded passwords, disabling inactive user accounts, handling lost or compromised passwords, replacing vendor-supplied passwords, service and administrator accounts with weak passwords, and data owners ability to review access authorizations so that only individuals with a need to know can access files.

Criteria:

DOJ Order 2640.2D Chapter 2 Section 16, states: "Access controls shall be in place and operational for all Department IT systems to: � Protect the system, its data and applications, from unauthorized disclosure, modification, or erasure."

Risk:

Without periodic review of access permissions, it is possible that individuals without a legitimate need may gain access to sensitive information.

Recommendation:

1. We recommend that the BOP Director ensure that BOP management develop, implement, and monitor documented policy establishing specific security standards and settings for user authentication and access. At a minimum, these standards and settings should:

1. Prohibit the use of access scripts with embedded passwords.
2. Require data owners to review access authorizations to determine whether they remain appropriate.

Issue: Server Configuration

Condition:

• The system key (SYSKEY) on the Windows NT servers was disabled. Enabling this option decreases the risk that password hashes will be cracked if obtained. A utility has been released that can extract the Windows NT password hashes even with SYSKEY enabled; therefore, this risk is only partially mitigated.
• Fifteen of the services on BOPCO1 and nine of the services on BOPCOF are running in an insecure context. If services running as LocalSystem are allowed to interact with the desktop, there is an increased risk that domain resources may be compromised by a locally logged on user who would have system access to server resources. If the service is compromised by an unauthorized user, they would be able to access any resources available to the user account under which it is running.
• BOPCO1 is running the spooler service, which for a Primary Domain Controller (PDC) is an unnecessary service. Both BOPCOF and BOPCO1 are running the "messenger" and "alerter" services. Running unnecessary applications, services or protocols opens the server to any vulnerabilities that exist within each one.
• For UNIX, the BOPNNM server is running nine extraneous services.
• On the Cisco router, finger and Cisco discovery protocol are running.

Cause:

The BOP management did not develop documented procedures regarding the implementation of the system key utility. In addition, services such as LocalSystem, in "interactive" mode, and "spooler" are running on the server.

Criteria:

DOJ Order 2640.2D Chapter 2 Section 16, states: "Access controls shall be in place and operational for all Department IT systems to:�. Protect the system, its data and applications, from unauthorized disclosure, modification, or erasure."

NIST Interagency Reports (NISTIR) 5153 Section 3.2.2, states: "Each resource delivered with the system shall have the most restrictive access rights possible to permit the intended use of that resource."

Risk:

These services pose a risk to the system in that many are known to either present system users' information or have known vulnerabilities.

Recommendation:

1. We recommend that the BOP Director ensure that BOP management:

1. implement the system key utility and restrict services so that they are running in a secure context; and
2. ensure the removal of all unnecessary services.

Issue: Networking Controls

Networking controls access the system from the network. These controls are a front-line defense for the system against intruders.

Condition:

Specifically, we found:

• Of the two Windows NT servers tested, the auditors discovered both BOPCO1 and BOPCOF allow users to login with cached login information. This means the user name information of the last user is already provided at the login prompt. With this information provided, an attacker already has 50 percent of the login information required to gain access to the system.
• Routing updates sent by a router may advertise internal network topologies to groups or third parties that may be untrusted. In addition, interfaces that routinely advertise routing information may impede network efficiency, especially if neighboring routers are using other routing protocols or using static routes.

Cause:

The BOP management did not develop documented procedures for networking controls.

Criteria:

DOJ Order 2640.2D Chapter 2 Section 16, states: "Access controls shall be in place and operational for all Department IT systems to:.� Protect the system, its data and applications, from unauthorized disclosure, modification, or erasure."

Risk:

Without formal networking control procedures, ITS II user logon information is vulnerable in the event of an unauthorized user gaining access to the system.

Recommendation:

1. We recommend that the BOP Director ensure that BOP management develop, implement, and monitor documented policy establishing specific security standards and settings for networking controls. At a minimum, these standards and settings should include:

1. The registry key on Windows NT servers, HKLM\Software\Microsoft\WindowsNT\CurrentVersion \Winlogon\CachedLogonsCount, should be set to 0.
2. The command on routers in global configuration mode: Passive-interface type number where "type" refers to the interface type and "number" is the interface number.

Issue: User and Group Management Controls

Management of users and groups is key to controlling access to the system. Proper user and group management can help to enhance overall system security.

Condition: Specifically, we found:

• Accounts that have not been logged into for an extended period of time have not been disabled on both BOPCOF and BOPCO1. Having outstanding accounts that are no longer needed increases the risk of unauthorized access.
• The default administrator accounts need to be renamed and given strong passwords on BOPCOF and BOPCO1. The 'Administrator' accounts are known to exist on all Windows NT systems. Consequently, they are among the first accounts that an intruder will attempt to use. The 'Administrator' account on Windows NT has all system rights and therefore should be the most protected account on the system. If these accounts are not renamed, an attacker would only need to guess the password. Depending on other system settings, this might be easy to achieve in a relatively short period of time without being detected.
• The BOPCOF\Domain Users group is a member of the Local Administrators group. The resulting effect is Domain users, which are members of the local administrators group, have administrator access to the server.
• The special group "Everyone" is being used on the BOPCOF and BOPCO1 servers. Access control lists for files and directories include the "Everyone" group on BOPCOF. The special group "Everyone" is anyone, to includes domain users, null session connections, and other trusted domain users. Using the special group "Everyone" is very broad and could inadvertently allow an intruder to gain access to system resources.
• An FTP users file (/etc/ftpusers) has not been created to restrict FTP access to authorized users.

Cause:

The ITS II management lack procedures for renaming the administrator and guest accounts and assigning strong passwords. In addition, account activity is not being reviewed on a regular basis.

Criteria:

NISTIR 5153 Section 3.2.2, states: "Each resource delivered with the system shall have the most restrictive access rights possible to permit the intended use of that resource."

DOJ Order 2640.2D Chapter 2 Section 16, states: "Access controls shall be in place and operational for all Department IT systems to: � Protect the system, its data and applications, from unauthorized disclosure, modification, or erasure."

Federal Bureau of Prisons (FBOP) 1237.11, Information Security Programs, Section 6, Paragraph b, regarding Movement of Personnel, states: "A new user ID shall be issued at a staff member's new duty station. The ISO at the transferring location shall disable the old user ID within one working day of the employee's departure and delete the ID within 30 days. For a SENTRY ID that cannot be created at the new duty station, use procedures prescribed in c.(3), following. On the UNICOR MCS system, the old user ID shall be permanently disabled, rather than deleted. For all involuntary separations and home duty assignments, the departing employee's access to all computer systems shall be immediately disabled and his/her supervisor or the ISO shall confiscate accessible media. For routine voluntary permanent separations, the employee's access shall be terminated no later than one working day following departure."

Risk:

Without the existence of the /etc/ftpusers file, any user listed in the /etc/passwd file can transfer files across the network. This increases the risk that unauthorized files are transferred across the network. In addition, the 'Administrator' account is known to exist on all Windows NT systems. Consequently, it is among the first accounts that an intruder will attempt to use. The 'Administrator' account on Windows NT has all system rights and therefore should be the most protected account on the system. If the account is not renamed, an attacker would only have to guess the password. Depending on other system settings, this might be easy to achieve in a relatively short period of time without being detected.

Recommendation:

1. We recommend that the BOP Director ensure that BOP management develop, implement, and monitor documented policy establishing specific security standards and settings for user and group management controls. At a minimum, these standards and settings should include:

1. Review user account activity and disable or remove accounts that have been inactive for an extended period of time or are no longer needed.
2. Develop procedures for renaming the Administrator accounts and assigning strong passwords that are a minimum of eight characters and contain alphanumeric and special characters.
3. Remove domain users from the local administrator group.
4. Replace references to the special group 'Everyone' with 'Domain users', 'Authenticated Users' or Domain application groups.
5. Create the /etc/ftpusers file.

Issue: Account Integrity Management

A system administrator manages user and account rights to ensure that account information conforms to system security policy. A system of user rights and advanced user rights control account integrity. User rights define what a user can do on the system. These rights may include the right to logon directly at a computer (local logon) or the right to logon to a computer over the network (remote logon). Advanced user rights are reserved for users involved in programming efforts.

Typically, administrators can create two types of accounts-user and group accounts. A user account belongs to one person only; rights assigned affect only that account. A group account is a collection of users with common rights. In addition, to maintain account integrity, users must be clearly identified on the system in order to track their use of system resources. Account integrity is also strengthened by renaming Administrator and Guest accounts to make them unidentifiable to unauthorized users and making sure that users can be clearly identified in order to track their use of system resources.

Condition:

Specifically, we found:

• Unauthenticated users can access this computer from the network. Lack of a standard user rights assignment policy for Windows NT users allows the \Everyone group to access this computer from the network. The special \Everyone group includes unauthenticated users.
• On BOPCOF the Local Administrators group has "Backup files and Directories" right. There should be a segregation of duties between administrators, users, and individuals who can backup files. Individuals with this user right can bypass the access control list (ACL) of a file and read any file. This is an issue because the domain users group is also a member of the local administrators group.
• The "Change the system time" standard user right is not restricted on BOPCO1. Accuracy of the system time is a prerequisite for an audit trail because knowing who was accessing resources at a specified time could implicate a user. The entire audit, event monitoring, and logging system is based on time and therefore, requires that time not be tampered with. Security policies, such as those for account lockout and expiration, are based on the system time.
• The "Log on locally" standard user is not restricted on BOPCOF. Although, a security control inherent in Windows NT is that the first entry in the new log states that the old log was cleared and by whom. Only authorized individuals, such as the Security Officer or the Internal Auditor, should be given this right. Those types of individuals should be members of an auditors group.
• The "Restore file and directories" standard user right is not restricted. There should be a segregation of duties between Administrators, users, and individuals who can restore files. Individuals with this user right can bypass the ACL of a file and read or write to any file on the server.
• The "Shut down the system" standard user right is not restricted on both servers. Individuals who can shut down the Primary Domain Controller (PDC) could cause a denial of service or degrade the performance of the network performance subject to Backup Domain Controller (BDC) configurations.
• The "Take ownership of files or other objects" standard user right is not restricted on BOPCOF. This is a very powerful user right because individuals can ignore the ACL of an object, take ownership of the object, and change the ACL.
• The 'Act as Part of the Operating System' advanced user right is not restricted on BOPCO1. The right is one of the most powerful rights within Windows NT. It allows the designated accounts to act as a trusted part of the operating system and can therefore perform any activity regardless of other rights.
• The "Log on as a service" advanced user right is not restricted on both servers. The "Log on as a Service" right allows a user to log on as a service, similar to those required by virus scanners and faxing software. These services run in the background without any interaction from any additional users. Some services have full control over the system and could be very powerful if configured in that manner.
• "Increase scheduling priority" and "profile single process" advanced user rights are assigned inappropriately on BOPCOF. These advanced user rights could be used to compromise the PDC if they are granted to the wrong individuals other than administrators. The advanced rights are very powerful and do not need to be granted to normal users.

Cause:

The BOP management did not develop a documented user rights assignment policy.

Criteria:

DOJ Order 2640.2D Chapter 2 Section 16, states: "Access controls shall be in place and operational for all Department IT systems to:�. Enable the use of resources such as data and programs necessary to fulfill job responsibilities and no more."

Risk:

Without policy and procedures in place for account integrity management, ITS II is exposed to attacks from unauthenticated users.

Recommendation:

1. We recommend that the Director of the BOP ensure that BOP management develop, implement, and monitor documented policy establishing specific security standards and settings for account integrity management. At a minimum, these standards and settings should include:

1. "Log on locally,"
2. "Access this computer from the network,"
3. "Restore files and directories,"
4. "Shut down the system,"
5. "Take ownership of files or other objects,"
6. "Act as part of the operating system,"
7. "Log on as a service," and
8. "Increase scheduling priority."

Issue: File System Access

Access to the file system can be controlled at the group or user level. Inappropriate settings for file system access can leave sensitive system information vulnerable to unauthorized disclosure or modifications.

Condition:

Specifically, we found:

• The \Everyone group has access to directories containing applications or sensitive files. The special group 'Everyone' is anyone, to include domain users, null session connections, and other trusted domain users. Using the special group 'Everyone' is very broad and could inadvertently allow an intruder to gain access to system resources.
• Users without a legitimate business requirement have access to sensitive system utilities in the \winnt directory. If user accounts are granted access to potentially sensitive utilities there is an increased risk that the user may gain information that could be used to compromise the security of the domain, or perform actions that may affect the security and productivity of the domain.
• The BOPNNM server has an excessive number of world-writeable files and directories. Files that are world-writeable allow any user on the system the ability to modify or delete their contents. Improper permissions on home directories could potentially allow a user to obtain the level of access of another ID on the server. If the compromised ID is business-critical, then this vulnerability is high-risk and could be exploited to gain privileged access on the server.
• Network File System (NFS) shares are not adequately secured. Read, write, and export to the world permissions exist on one of the directories. NFS exported directories could potentially expose the NFS servers to greater risk. It is possible to "mis-configure" the NFS export file and potentially allow remote users from NFS clients to gain root access on the NFS server.

Cause:

The BOP security management did not develop documented procedures for exporting and sharing users' directories.

Criteria:

DOJ Order 2640.2D Chapter 2 Section 16, states: "Access controls shall be in place and operational for all Department IT systems to:�. Protect the system, its data and applications, from unauthorized disclosure, modification, or erasure."

Risk:

Without ITS II procedures in place, NFS directories exported to everyone can be mounted by any remote user without authentication. An attacker does not need to actually break into a remote system. Instead, all that is necessary is to mount a file system via NFS.

Recommendation:

1. We recommend that the BOP Director ensure that BOP management develop, implement, and monitor documented policy establishing specific security standards and settings for file system access. At a minimum, these standards and settings should:

1. Replace references to the special group 'Everyone' with 'Domain users', 'Authenticated Users', or Domain application groups.
2. Remove access to sensitive system utilities from accounts that do not require access.
3. Review and remove unnecessary permissions on files and directories.
4. Restrict access to the network file system shares.

Issue: Maintenance Controls

For purposes of the operating system server review, maintenance controls relate to standard user profiles and the use of password protected screen savers and login warning banners.

Condition:

• On BOPCOF, a password protected screen saver is not being used.
• The Unix server does not display a system warning message when users log on the server.

Cause:

The BOP management currently is not following policy regarding password protected screen savers and system warning banners.

Criteria:

FBOP 1237.11, 6.h.2 states: "All personal computers designated as sensitive systems or "STAFF ONLY" shall have software that will, after a specified period of keyboard inactivity, blank the display and require a password for further access. The maximum time of inactivity shall be 10 minutes. All Novell or Windows NT workstations shall use software requiring the network password. This shall be adequate for a staff member to leave a workstation unattended for a short period. The Bureau standard, related requirements, and exceptions are stated in the previous subsection."

DOJ Order 2640.2D Chapter 2 Section 20, states: "All Department IT systems shall implement a system banner that provides warnings: to employees that accessing the system constitutes consent to system monitoring for law enforcement and other purposes; and to unauthorized users that their use of the system may subject them to criminal prosecution and/or criminal or civil penalties."

Risk:

By not enabling the Windows NT screen saver with password protection, risk is increased that the server will be exposed to unauthorized access when left unattended. BOP's ability to prosecute criminals may be impacted by the BOP's ability to prove they abused BOP systems with the knowledge these systems were supposed to be used only for official purposes. Also, it is a good practice to proactively inform users that they are subject to audit.

Recommendation:

1. We recommend that the Director of the BOP ensure that BOP management develop, implement, and monitor documented policy establishing specific security standards and settings for maintenance controls. At a minimum, these standards and settings should:

1. Enable a password protected screen saver on the server.
2. Display a system-warning message when users log on the server.

Issue: NT Registry Settings

A registry is a database used by the Windows NT operating to store configuration information. Most Windows applications write data to the registry, at least during installation.

Condition:

• Users, besides administrators, can install print drivers.
• The CD-ROM and floppy drives are accessible to users not logged on locally.
• Unauthenticated users can read the RunOnce registry key.
• Unauthenticated users can read the PerfLib, WinLogon, and LSA registry keys.
• Unauthenticated users have access to 17 registry keys that contain server configuration information.
• Unauthenticated users can query information from the server.
• A Default user name is displayed at login.
• There are no restrictions on who can define system attributes.
• Idle users are not disconnected after 15 minutes.
• Pagefile is not cleared at shutdown.
• Integrity checking is not being performed.
• The LMCompatibilityLever registry key is not securely set.
• The minimum security that is used for programs that use the NTLM Security Support Provider (SSP), or uses secure Remote Procedure Call [RPC] is not specified.
• Server Message Block (SMB) Signing is not being used.
• Users are allowed to schedule jobs on the server.
• Guests can view the system event and system application logs.

Cause:

The ITS II management did not develop documented standard configuration policy for securing Windows NT registry settings.

Criteria:

DOJ Order 2640.2D Chapter 2 Section 16, states: "Access controls shall be in place and operational for all Department IT systems to:.� Protect the system, its data and applications, from unauthorized disclosure, modification, or erasure."

Risk:

By not having the registry keys set to their most secure setting, the system is vulnerable to misuse and overall system security is weakened.

Recommendations:

1. We recommend that the BOP Director ensure that BOP management develop, implement, and monitor documented policy establishing specific security standards and settings for NT registry settings. At a minimum, these standards and settings should include reconfiguring the registry settings to a more secure configuration.

Issue: Security Patches

Security patches contain update information for the operating system that correct bugs or vulnerabilities in the software.

Condition:

The operating system software is not kept up to date with respect to security patches.

Cause:

The ITS II management has not developed documented procedures for updating computer security patches.

Criteria:

NIST SP 800-13 Section 5.10, Telecommunications Security Guidelines for Telecommunications Management Network, states: "All new software features and patches shall be tested first on a development system and approved by an appropriate testing organization, prior to installation on an operational system. Tests that modify live data shall not be performed. A risk analysis shall be conducted of proposed software changes to determine their impact on network element (NE) security. Any changes to security features or security defaults shall be documented and made available to the user before the software is distributed."

Risk:

If the version of the operating system and the security patches are not current, there is an increased risk that an unauthorized user may be able to exploit weaknesses.

Recommendation:

1. We recommend that the BOP Director ensure that BOP management obtain the latest security patches from the operating system vendor. The patches should be properly installed and configured.

Issue: Router Configuration

Condition:

• Source routing can be used to bypass the router's route tables and potentially gain access to unauthorized portions of the network.
• Administrators can use the Internet protocol (IP) alias command to assign multiple IP addresses to the router. For example, in addition to the primary alias address, addresses can be specified that correspond to lines or rotary groups. Using the IP alias command in this way makes the process of connecting to a specific rotary group transparent to the user. If the IP alias command is enabled on Cisco products, transmission control protocol (TCP) connections to any destination port are considered valid connections.
• The TCP intercept feature helps prevent SYN-flooding attacks by intercepting and validating TCP connection requests. In intercept mode, the TCP intercept software intercepts SYN packets from clients to servers that match an extended access list. The software establishes a connection with the client on behalf of the destination server, and if successful, establishes the connection with the server on behalf of the client and knits the two half-connections together transparently. Thus, connection attempts from unreachable hosts will never reach the server. The software continues to intercept and forward packets throughout the duration of the connection. In the case of illegitimate requests, the software's aggressive timeouts on half-open connections and its thresholds on TCP connection requests protect destination servers while still allowing valid requests.
• Encryption is not being used on the router. Sensitive information may be the target of sniffing attacks by unauthorized users. If transactions are occurring that contain highly confidential information, it may be vulnerable to sniffing if it is not encrypted. Hash algorithms will help mitigate against a loss of data integrity should the data be manipulated in transit.

Cause:

The ITS II management has not properly configured the Cisco router.

Criteria:

DOJ Order 2640.2D Chapter 2 Section 16, states: "Access controls shall be in place and operational for all Department IT systems to:�. Protect the system, its data and applications, from unauthorized disclosure, modification, or erasure."

Risk:

Without properly configuring the Cisco router, attackers can potentially gain access to unauthorized portions of the network.

Recommendation:

1. We recommend that the Director of the BOP ensure that BOP management develop, implement, and monitor documented policy establishing specific security standards and settings for router configuration. At a minimum, these standards and settings should:

1. Issue the "no ip source-route" command in interface configuration mode.
2. Issue the "no ip alias" command in configuration mode.
3. Issue the command: "ip tcp intercept list yyy," (where yyy is the access list number to which the connections will be intercepted), in configuration mode.
4. Enable encryption via the "crypto map" command.

Issue: Fail-over Capabilities

Fail-over is hardware or software backup to which the system switches to in the event of a failure.

Condition:

The Cisco's fail-over capabilities are not in place.

Cause:

The BOP ITS II security management did not develop documented configuration standards for securing BOP's Cisco routers. In addition, Cisco's hot standby router protocol (HSRP) fail-over capability has not been implemented on the router.

Criteria:

DOJ Order 2640.2D Chapter 2 Section 16, states: "Access controls shall be in place and operational for all Department IT systems to:�. Protect the system, its data and applications, from unauthorized disclosure, modification, or erasure."

Risk:

Cisco internet operating system (IOS) and hardware offers advanced fail-over capabilities in case of hardware or software failure. Mission critical routers (typically core routers) may be good candidates to take advantage of the Cisco fail-over capabilities.

Recommendation:

1. We recommend that the BOP Director ensure that BOP management implement Cisco's fail-over capabilities by configuring HSRP on critical external routers.

Issue: Command Line Access

Information on the router configuration can be retrieved or entered via command-line access.

Condition:

• Different levels of PRIV EXEC access have not been defined. It may not be necessary for all administrators or users to have full privileged access to the router. Administrators that do not require this functionality can make unauthorized changes to the configuration.
• Anyone on the BOP network can access a login prompt to the router. Allowing anyone on the network access to the login prompt increases the risk of unauthorized access to the router.
• Telnet is being used to access the router. Telnet sessions transmit information, including usernames and passwords, in clear text. If an unauthorized user were to capture this information, it may place critical network devices at risk of compromise.
• AAA (Authentication, Authorization, and Accounting) has not been implemented. AAA provides for more granular levels of accounting and access privileges. These can be helpful in complex environments where resources are being accessed by different users in multiple ways.
• Timeout values have not been assigned to all console terminals on the router. Timeout sessions provide additional security against consoles that are left unattended. If a user can gain access to a console left unattended they can modify the router's configuration.

Cause:

The BOP management did not develop documented configuration standards for securing BOP's Cisco routers.

Criteria:

DOJ Order 2640.2D Chapter 2 Section 16, states: "Access controls shall be in place and operational for all Department IT systems to: Protect the system, its data and applications, from unauthorized disclosure, modification, or erasure."

Risk:

Allowing anyone on the network access to the login prompt increases the risk of unauthorized access to the router.

Recommendation:

1. We recommend that the Director of the BOP ensure that BOP management develop, implement, and monitor documented policy establishing specific security standards and settings for command line access. At a minimum, these standards and settings should include:

1. Enter the following command: privilege level command, in global configuration mode.
2. Create an appropriate access-list using the access-list command in configuration mode. Once the access list has been created, apply it to the appropriate terminal (typically vty 0 4) using the access-group <basic access list number> in command.
3. Enable SSH on the router.
4. Enable Authentication, Authorization, and Accounting.
5. Establish a session timeout.

Issue: Activity Logs

Condition:

System activities are not adequately logged and reviewed on a regular basis on the BOP ITS II system.

Cause:

The ITS II management did not develop procedures for collecting, reviewing and archiving activity logs.

Criteria:

DOJ Order 2640.2D Chapter 2, Section 19, states: "Department IT systems shall:

1. Maintain an audit trail of activity sufficient to reconstruct security relevant events.
2. Include in the audit trail the identity of each entity accessing the system, time and date of the access, time and date the entity terminated access, activities performed using an administrator's identification, and activities that could modify, bypass, or negate the system's security safeguards.
3. Protect the audit trail from actions such as unauthorized access, modification, and destruction that would negate its forensic value.
4. Retain the audit trail for a period of 90 days, the minimum record retention period specified by the component, or the period specified in the system security plan, whichever is longer.

1. Audit trails shall be reviewed in compliance with the review period specified for the audit trail in the system's security plan.
2. IT systems operating in the Dedicated Mode of Operation or in a stand-alone environment that do not implement an audit trail must be justified and documented in the risk analysis and certification process."

Risk:

Insufficient logging will result in the lack of an audit trail in the event of unauthorized access or use. Insufficient reviewing of audit logs will result in administrators not being alerted to any unauthorized activity as early as possible. Also, with good logging and monitoring, administrators are often given early warnings for hardware and software errors or problems.

Recommendation:

1. We recommend that the BOP Director ensure that BOP management develop procedures for logging and monitoring system activity and require that audit logs be reviewed periodically.

Our review disclosed that security controls need improvement to fully protect the ITS II from unauthorized use, loss, or modification. Specifically, we found security vulnerabilities in the areas of life cycle, authorize processing, system security plan, personnel security, physical and environmental protection, production, input/output controls, contingency planning, hardware and systems software maintenance, data integrity, incident response capability, identification and authentication, logical access controls, and audit trails.

We concluded that these vulnerabilities occurred because BOP management did not fully develop, document, or enforce agency-wide policies in accordance with current Department policies and procedures. Additionally, the Department did not enforce its security policies and procedures to ensure the ITS II was protected from unauthorized use, loss, or modification through its certification and accreditation process.

What is the principle behind Microsoft operating system using a UAC?

Is the period of time during which a system is unprotected from an exploit?

Which of the following is a text file provided by a website to a client that is stored on a user's hard drive in order to track and record information about the user?

What is a passphrase quizlet?