Symantec Enterprise Security Manager™ Policy Manual for FISMA (NIST 800-53) For Windows



Symantec ESM Policy Manual for FISMA (NIST 800-53) for Windows

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

060320

Copyright Notice

Copyright 2004-2006 Symantec Corporation. All Rights Reserved. Any technical documentation that is made available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by Symantec Corporation. NO WARRANTY. The technical documentation is being delivered to you AS-IS and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the technical documentation or the information contained therein is at the risk of the user. Documentation may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice. No part of this publication may be copied without the express written permission of Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014.

Trademarks

Symantec, the Symantec logo, Symantec Enterprise Security Manager, LiveUpdate, and Symantec Security Response are trademarks of Symantec Corporation. Microsoft, MS-DOS, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are hereby acknowledged. Printed in the United States of America.


Technical support

As part of Symantec Security Response, the Symantec Global Technical Support group maintains support centers throughout the world. The Technical Support group’s primary role is to respond to specific questions on product feature/function, installation, and configuration, as well as to author content for our Web-accessible Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering as well as Symantec Security Response to provide Alerting Services and Virus Definition Updates for virus outbreaks and security alerts.

Symantec technical support offerings include:

■ A range of support options that gives you the flexibility to select the right amount of service for any size organization

■ Telephone and Web support components that provide rapid response and up-to-the-minute information

■ Upgrade insurance that delivers automatic software upgrade protection

■ Content Updates for virus definitions and security signatures that ensure the highest level of protection

■ Global support from Symantec Security Response experts, which is available 24 hours a day, 7 days a week worldwide in a variety of languages

■ Advanced features, such as the Symantec Alerting Service and Technical Account Manager role, that offer enhanced response and proactive security support

Please visit our Web site for current information on Support Programs. The specific features that are available may vary based on the level of support purchased and the specific product that you are using.

Licensing and registration

If the product that you are implementing requires registration and/or a license key, the fastest and easiest way to register your service is to access the Symantec licensing and registration site at www.symantec.com/certificate. Alternatively, you may go to www.symantec.com/techsupp/ent/enterprise.htm, select the product that you wish to register, and from the Product Home Page, select the Licensing and Registration link.

Contacting Technical Support

Customers with a current support agreement may contact the Technical Support group by phone or online at www.symantec.com/techsupp.

Customers with Platinum support agreements may contact Platinum Technical Support by the Platinum Web site at www-secure.symantec.com/platinum/.


When contacting the Technical Support group, please have the following:

■ Product release level

■ Hardware information

■ Available memory, disk space, NIC information

■ Operating system

■ Version and patch level

■ Network topology

■ Router, gateway, and IP address information

■ Problem description

■ Error messages/log files

■ Troubleshooting performed prior to contacting Symantec

■ Recent software configuration changes and/or network changes

Customer Service

To contact Enterprise Customer Service online, go to www.symantec.com, select the appropriate Global Site for your country, then choose Service and Support. Customer Service is available to assist with the following types of issues:

■ Questions regarding product licensing or serialization

■ Product registration updates such as address or name changes

■ General product information (features, language availability, local dealers)

■ Latest information on product updates and upgrades

■ Information on upgrade insurance and maintenance contracts

■ Information on Symantec Value License Program

■ Advice on Symantec's technical support options

■ Nontechnical presales questions

■ Missing or defective CD-ROMs or manuals

Symantec Software License Agreement

Symantec Enterprise Security Manager™

SYMANTEC CORPORATION AND/OR ITS SUBSIDIARIES (“SYMANTEC”) IS WILLING TO LICENSE THE SOFTWARE TO YOU AS AN INDIVIDUAL, THE COMPANY, OR THE LEGAL ENTITY THAT WILL BE UTILIZING THE SOFTWARE (REFERENCED BELOW AS “YOU” OR “YOUR”) ONLY ON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS OF THIS LICENSE AGREEMENT. READ THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT CAREFULLY BEFORE USING THE SOFTWARE. THIS IS A LEGAL AND ENFORCEABLE CONTRACT BETWEEN YOU AND THE LICENSOR. BY OPENING THIS PACKAGE, BREAKING THE SEAL, CLICKING THE “AGREE”, “ACCEPT” OR “YES” BUTTON OR OTHERWISE INDICATING ASSENT ELECTRONICALLY, OR LOADING THE SOFTWARE, YOU AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO THESE TERMS AND CONDITIONS, CLICK THE “I DO NOT AGREE”, “I DO NOT ACCEPT” OR “NO” BUTTON OR OTHERWISE INDICATE REFUSAL AND MAKE NO FURTHER USE OF THE SOFTWARE.

1. License:

The software and documentation that accompanies this license (collectively the “Software”) is the proprietary property of Symantec or its licensors and is protected by copyright law. While Symantec continues to own the Software, You will have certain rights to use the Software after Your acceptance of this license. This license governs any releases, revisions, or enhancements to the Software that the Licensor may furnish to You. Except as may be modified by an applicable Symantec license certificate, license coupon, or license key (each a “License Module”) that accompanies, precedes, or follows this license, and as may be further defined in the user documentation accompanying the Software, Your rights and obligations with respect to the use of this Software are as follows.

You may:

A. use the number of copies of the Software as have been licensed to You by Symantec under a License Module. If the Software is part of a suite containing multiple Software titles, the number of copies You may use may not exceed the aggregate number of copies indicated in the License Module, as calculated by any combination of licensed Software titles. Your License Module shall constitute proof of Your right to make such copies. If no License Module accompanies, precedes, or follows this license, You may make one copy of the Software You are authorized to use on a single computer;

B. make one copy of the Software for archival purposes, or copy the Software onto the hard disk of Your computer and retain the original for archival purposes;

C. use the Software on a network, provided that You have a licensed copy of the Software for each computer that can access the Software over that network;

D. use the Software in accordance with any written agreement between You and Symantec; and

E. after written consent from Symantec, transfer the Software on a permanent basis to another person or entity, provided that You retain no copies of the Software and the transferee agrees in writing to the terms of this license.

You may not:

A. copy the printed documentation that accompanies the Software;

B. sublicense, rent, or lease any portion of the Software; reverse engineer, decompile, disassemble, modify, translate, make any attempt to discover the source code of the Software, or create derivative works from the Software;

C. use the Software as part of a facility management, timesharing, service provider, or service bureau arrangement;

D. use a previous version or copy of the Software after You have received and installed a disk replacement set or an upgraded version. Upon upgrading the Software, all copies of the prior version must be destroyed;

E. use a later version of the Software than is provided herewith unless You have purchased corresponding maintenance and/or upgrade insurance or have otherwise separately acquired the right to use such later version;

F. use, if You received the software distributed on media containing multiple Symantec products, any Symantec software on the media for which You have not received permission in a License Module; nor

G. use the Software in any manner not authorized by this license.

2. Content Updates:

Certain Software utilize content that is updated from time to time (including but not limited to the following Software: antispam software utilize updated antispam rules; antivirus software utilize updated virus definitions; content filtering software utilize updated URL lists; some firewall software utilize updated firewall rules; policy compliance software utilize updated policy compliance updates; and vulnerability assessment products utilize updated vulnerability signatures; these updates are collectively referred to as “Content Updates”). You shall have the right to obtain Content Updates for any period for which You have purchased maintenance, except for those Content Updates that Symantec elects to make available by separate paid subscription, or for any period for which You have otherwise separately acquired the right to obtain Content Updates. Symantec reserves the right to designate specified Content Updates as requiring purchase of a separate subscription at any time and without notice to You; provided, however, that if You purchase maintenance hereunder that includes particular Content Updates on the date of purchase, You will not have to pay an additional fee to continue receiving such Content Updates through the term of such maintenance even if Symantec designates such Content Updates as requiring separate purchase. This License does not otherwise permit the licensee to obtain and use Content Updates.

3. Limited Warranty:

Symantec warrants that the media on which the Software is distributed will be free from defects for a period of thirty (30) days from the date of delivery of the Software to You. Your sole remedy in the event of a breach of this warranty will be that Symantec will, at its option, replace any defective media returned to Symantec within the warranty period or refund the money You paid for the Software. Symantec does not warrant that the Software will meet Your requirements or that operation of the Software will be uninterrupted or that the Software will be error-free.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE ABOVE WARRANTY IS EXCLUSIVE AND IN LIEU OF ALL OTHER WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS. THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS. YOU MAY HAVE OTHER RIGHTS, WHICH VARY FROM STATE TO STATE AND COUNTRY TO COUNTRY.

4. Disclaimer of Damages:

SOME STATES AND COUNTRIES, INCLUDING MEMBER COUNTRIES OF THE EUROPEAN ECONOMIC AREA, DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE BELOW LIMITATION OR EXCLUSION MAY NOT APPLY TO YOU.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW AND REGARDLESS OF WHETHER ANY REMEDY SET FORTH HEREIN FAILS OF ITS ESSENTIAL PURPOSE, IN NO EVENT WILL SYMANTEC BE LIABLE TO YOU FOR ANY SPECIAL, CONSEQUENTIAL, INDIRECT, OR SIMILAR DAMAGES, INCLUDING ANY LOST PROFITS OR LOST DATA ARISING OUT OF THE USE OR INABILITY TO USE THE SOFTWARE EVEN IF SYMANTEC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

IN NO CASE SHALL SYMANTEC’S LIABILITY EXCEED THE PURCHASE PRICE FOR THE SOFTWARE. The disclaimers and limitations set forth above will apply regardless of whether or not You accept the Software.

5. U.S. Government Restricted Rights:

RESTRICTED RIGHTS LEGEND. All Symantec products and documentation are commercial in nature. The software and software documentation are “Commercial Items,” as that term is defined in 48 C.F.R. section 2.101, consisting of “Commercial Computer Software” and “Commercial Computer Software Documentation,” as such terms are defined in 48 C.F.R. section 252.227-7014(a)(5) and 48 C.F.R. section 252.227-7014(a)(1), and used in 48 C.F.R. section 12.212 and 48 C.F.R. section 227.7202, as applicable. Consistent with 48 C.F.R. section 12.212, 48 C.F.R. section 252.227-7015, 48 C.F.R. section 227.7202 through 227.7202-4, 48 C.F.R. section 52.227-14, and other relevant sections of the Code of Federal Regulations, as applicable, Symantec’s computer software and computer software documentation are licensed to United States Government end users with only those rights as granted to all other end users, according to the terms and conditions contained in this license agreement. Manufacturer is Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014, United States of America.

6. Export Regulation:

Certain Symantec products are subject to export controls by the U.S. Department of Commerce (DOC), under the Export Administration Regulations (EAR) (see www.bxa.doc.gov). Violation of U.S. law is strictly prohibited. Licensee agrees to comply with the requirements of the EAR and all applicable international, national, state, regional and local laws, and regulations, including any applicable import and use restrictions. Symantec products are currently prohibited for export or re-export to Cuba, North Korea, Iran, Iraq, Libya, Syria and Sudan or to any country subject to applicable trade sanctions. Licensee agrees not to export, or re-export, directly or indirectly, any product to any country outlined in the EAR, nor to any person or entity on the DOC Denied Persons, Entities and Unverified Lists, the U.S. Department of State’s Debarred List, or on the U.S. Department of Treasury's lists of Specially Designated Nationals, Specially Designated Narcotics Traffickers, or Specially Designated Terrorists. Furthermore, Licensee agrees not to export, or re-export, Symantec products to any military entity not approved under the EAR, or to any other entity for any military purpose, nor will it sell any Symantec product for use in connection with chemical, biological, or nuclear weapons or missiles capable of delivering such weapons.

7. General:

If You are located in North America or Latin America, this Agreement will be governed by the laws of the State of California, United States of America. Otherwise, this Agreement will be governed by the laws of England and Wales. This Agreement and any related License Module is the entire agreement between You and Symantec relating to the Software and: (i) supersedes all prior or contemporaneous oral or written communications, proposals, and representations with respect to its subject matter; and (ii) prevails over any conflicting or additional terms of any quote, order, acknowledgment, or similar communications between the parties. This Agreement shall terminate upon Your breach of any term contained herein and You shall cease use of and destroy all copies of the Software. The disclaimers of warranties and damages and limitations on liability shall survive termination. Software and documentation is delivered Ex Works California, U.S.A. or Dublin, Ireland respectively (ICC INCOTERMS 2000). This Agreement may only be modified by a License Module that accompanies this license or by a written document that has been signed by both You and Symantec. Should You have any questions concerning this Agreement, or if You desire to contact Symantec for any reason, please write to: (i) Symantec Customer Service, 555 International Way, Springfield, OR 97477, U.S.A., (ii) Symantec Customer Service Center, PO BOX 5689, Dublin 15, Ireland, or (iii) Symantec Customer Service, 1 Julius Ave, North Ryde, NSW 2113, Australia.

8. Additional Uses and Restrictions:

A. Required Software Installation and Activation: There may be technological measures in this Software that are designed to prevent unlicensed or illegal use of the Software. You agree that Symantec may use these measures. You must register the Software functions and any associated maintenance and support that are controlled by these technological measures through the use of the Internet. Symantec cannot guarantee that use of the Internet will be uninterrupted. Symantec will maintain your registration details.

B. If the Software You have licensed is Symantec Enterprise Security Manager, notwithstanding any of the terms and conditions contained herein, the following additional terms apply to the Software:

1. Permission to use the software to assess Desktop, Server, or Network devices does not constitute permission to make additional copies of the Software.

2. You may use the Software to assess up to the number of Desktop computers, on which a host-based agent is installed, as set forth under a License Module. “Desktop” means a computer for a single end user.

3. You may use the Software to assess up to the number of Servers, on which a host-based agent is installed, as set forth under a License Module. “Server” means a computer that is used to provide services to other computers via a network.

4. You may use the Software to assess up to the number of Virtual Machines, on which a host-based agent is installed, as set forth under a License Module. “Virtual Machine” means a machine completely defined and implemented in software rather than hardware. Virtual Machines are run on a hosting Server and can function as a Server or Desktop.

5. You may use the Software to assess up to the number of unique Network Devices set forth under a License Module, which can be assessed by a network scan agent. “Network Devices” means an interconnected system of computers and devices.

C. If the Software you have licensed includes Cognos® Report Studio You may use the single (1) user license of Cognos Report Studio that is received with the Software only. Additional Cognos Report Studio licenses must be purchased separately.

02.03.05ENT.GLBL.EULA.ESM6.5


Contents

Symantec ESM Policy Manual for FISMA (NIST 800-53) for Windows

Introducing the policy .......... 12
    About the policy .......... 12
    About the Federal Information Security Management Act of 2002 .......... 13
    Where to get more information .......... 13

Installing the policy .......... 14
    Before you install .......... 14
    Installing the policy .......... 14

Policy modules .......... 16
    Account Information .......... 16
    Account Integrity .......... 17
    Active Directory .......... 21
    Backup Integrity .......... 22
    Discovery .......... 23
    Disk Quota .......... 23
    Encrypted File System .......... 24
    File Attributes .......... 24
    File Watch .......... 26
    Group Policy .......... 28
    Integrated Command Engine .......... 29
    Login Parameters .......... 30
    Network Assessment .......... 31
    Network Integrity .......... 33
    Object Integrity .......... 35
    OS Patches .......... 35
    Password Strength .......... 39
    Registry .......... 42
    Startup Files .......... 43
    Symantec Product Info .......... 45
    System Auditing .......... 46


Symantec ESM Policy Manual for FISMA (NIST 800-53) for Windows

This document includes the following topics:

■ Introducing the policy

■ Installing the policy

■ Policy modules


Introducing the policy

This Symantec ESM policy for FISMA assesses compliance with the Federal Information Security Management Act (FISMA) for protection of information and systems that store and distribute information.

Running Symantec ESM with the FISMA policy also helps you to be compliant with FISMA section 3544(a)(1)(C), which requires an integrated information security program, and with sections 3544(a)(2)(D), 3544(b)(5), 3544(b)(5)(A), which call for periodic testing, evaluation and assessment of your information security posture.

Except where otherwise explicitly noted, all Symantec ESM checks in this policy reference FISMA section 3545(f), “Protection of Information.”

FISMA section 3544(a)(1)(B)(i) requires compliance with USC40 section 11331, which amends the National Institute of Standards and Technology Act to grant the National Institute of Standards and Technology (NIST) authority to establish information security standards for federal agencies and contractors not involved with national security matters. In turn, NIST has published Special Publication 800-53, which establishes specific requirements and guidelines for information security. Symantec ESM modules and checks are mapped to Appendix F - Security Control Catalog of Special Publication 800-53 Revision 1 Draft.

The mappings between Symantec ESM security checks and 800-53 controls provide auditors and examiners with evidence of compliance.

About the policy

This policy can be installed on Symantec ESM 5.5, 6.0 and 6.5 managers that are running Security Update 25 or later on the following operating systems:

■ Microsoft Windows 2000 Professional, Server, Domain Controller

■ Microsoft Windows Server 2003 Standard Edition, Enterprise Edition, 64-Bit Itanium Edition, and x64 Editions (Xeon and Opteron)

■ Microsoft Windows XP Professional


About the Federal Information Security Management Act of 2002

The Federal Information Security Management Act of 2002 (FISMA, P.L. 107-347, Sec. 301-305) requires federal agencies to establish risk-based information security programs that include periodic risk assessments and compliance with information security standards. Agencies and U.S. Federal contractors are required to assess the risks that could result from unauthorized access, use, disclosure, disruption, modification, or destruction of information on U.S. Federal government or contract systems.

FISMA Section 3544(a)(1)(B)(i) establishes the requirement for Agency heads to comply with Section 11331 of Title 40 USC.

Section 11331 amends section 20 of the National Institute of Standards and Technology Act (NIST) to give the Institute the responsibility for developing standards and guidelines for agencies and contractors to agencies other than national security.

NIST has developed Special Publication 800-53, Recommended Security Controls for Federal Information Systems. NIST has full authority to set standards. The final version of NIST 800-53 was published in February 2005. NIST 800-53 Revision 1 Draft was published February 2006. It adds a few additional controls to the final standard.

FISMA 3545(f) specifies a requirement for “protection of information”. While NIST 800-53 mentions many practices that protect information, there is no explicit recognition of the FISMA requirement anywhere in the publication. The NIST publication focuses primarily on activities to protect systems, not data.

Where to get more information

The complete FISMA act is available at http://www.fedcirc.gov/library/legislation/FISMA.html.

All National Institute of Standards and Technology (NIST) Special Publications are available at http://csrc.nist.gov/publications/nistpubs/.

NIST Special Publication 800-53 Final (February 2005) is available at http://csrc.nist.gov/publications/nistpubs/800-53/SP800-53.pdf.

NIST Special Publication 800-53 Revision 1 Draft (February 26, 2006) is available at http://csrc.nist.gov/publications/drafts/800-53-rev1-ipd-clean.pdf.

The latest draft of Revision 1, dated 28 February 2006, was used to map Symantec ESM security checks to the 800-53 standard.


Installing the policy

Before you install

Decide which Symantec ESM managers require the policy. Policies run on managers, so they do not need to be installed on agents. The policy runs only on Symantec ESM 5.5 or later, with Security Update 25 or later. Update any managers that do not meet these requirements.

For full check coverage, update your Symantec ESM agents to SU 25 or greater. Running this policy on Symantec ESM agents with SU 24 or earlier may result in no data for the new checks. As a reminder, you must reinstall the policy after updating to new SUs in order for all the checks to be registered.

Installing the policy

The standard installation method is to use the LiveUpdate feature in the Symantec ESM console. Another method is to use files from a CD or the Internet to install the policy manually.

LiveUpdate installation

Install the policy by using the LiveUpdate feature in the Symantec ESM console.

To install the policy

1 Connect the Symantec ESM Enterprise Console to managers you want to install the policy on.

2 Click the LiveUpdate icon to start the LiveUpdate wizard.

3 In the wizard, ensure that Symantec LiveUpdate (Internet) is selected, and then click Next.

4 In the Welcome to LiveUpdate dialog box, click Next.

5 Do one of the following:

■ To install all checked products and components, click Next.

■ To omit a product from the update, uncheck it, and then click Next.

■ To omit a product component, expand the product node, uncheck the component that you want to omit, and then click Next.

6 Click Next.

7 Click Finish.

8 Ensure that all managers that you want to update are checked.


9 Click Next.

10 Click OK.

11 Click Finish.

Manual installation

If you cannot use LiveUpdate to install the policy directly from a Symantec server, you can install the policy manually, using files from a CD or the Internet.

To obtain policy files

1 Connect the Symantec ESM Enterprise Console to managers you want to install the policy on.

2 From the Security Response Web site (http://securityresponse.symantec.com), download the executable files for the following operating systems:

■ Microsoft Windows 2000

■ Microsoft Windows Server 2003

■ Microsoft Windows XP

Note: To avoid conflicts with updates that are performed by standard LiveUpdate installations, copy or extract the files into the LiveUpdate folder, which is usually Program Files/Symantec/LiveUpdate.

To install the policy on a Symantec ESM manager

1 On a computer running Windows XP/2000/Server 2003 that has network access to the manager, run the executable that you downloaded from the Symantec Security Response Web site.

2 Click Next to close the Welcome dialog box.

3 In the License Agreement dialog box, if you agree to the terms of the agreement, click Yes.

4 Click Yes to continue installation of the best practice policy.

5 Type the requested manager information.

6 Click Next.

If the manager’s modules have not been upgraded to Security Update 25 or later, the install program returns an error message and aborts the installation. Upgrade the manager to SU 25 or later, then rerun the install program.

7 Click Finish.


Policy modules

The Symantec ESM policy for FISMA runs the following modules to assess compliance with FISMA regulations using the NIST 800-53 Revision 1 standard. Use this policy to assist you in assessing your compliance to FISMA.

The enabled checks of each module are listed beneath the module description. Checks with “N/A” do not map to NIST 800-53, are not applicable and are not included in the policy. See the current Security Update User’s Guide for Windows for check, message, and template details.

This FISMA policy is delivered as two separate policies:

■ FISMA NIST 800-53 R1

Contains checks for all platforms, including Windows, UNIX and Linux.

■ FISMA NIST 800-53 R1 for PDCs

Contains Windows 2000 Server and Windows Server 2003 checks only. This separate policy is needed because some Symantec ESM checks apply only to domain controllers.

This policy is read-only. Symantec’s read-only policies occasionally get updated (overwritten) via LiveUpdate. To edit this policy, first duplicate or create a copy of this policy from within the Symantec ESM console, and then rename it. Then add organizational and user specific data, like user names and groups, to the various checks to ensure an accurate assessment.

For more information concerning the many Symantec ESM checks, see the current Symantec ESM Security Update User’s Guide (for example, Security Update 17 User's Guide for Windows (PDF)) and the release notes (for example, Security Update 25 Release Notes (PDF)) of each quarterly security update (SU) posted on http://securityresponse.symantec.com under Security Updates: Symantec Enterprise Security Manager --> ESM Security Updates.

Account Information

The Account Information module reports requested account information.

Checks (NIST 800-53 Rev. 1 mapping):

Disabled accounts: AC-2(3)(4) - Account Management
Expired accounts (Windows 2000 Server PDCs and Windows Server 2003 PDCs only): AC-2(2) - Account Management; AC-7 - Unsuccessful Login Attempts
File/folder access for accounts: AC-3 - Access Enforcement; AC-5 - Separation of Duties
Locked out accounts: AC-7 - Unsuccessful Login Attempts; AC-2 - Account Management
Security groups and their users: AC-3 - Access Enforcement; AC-5 - Separation of Duties
Share permissions: AC-3 - Access Enforcement; AC-4 - Information Flow Enforcement
User information: IA-2 - User Identification and Authentication; IA-4 - Identifier Management
User rights for accounts (do not exclude Administrator): AC-3 - Access Enforcement; AC-5 - Separation of Duties
Users and their security groups: AC-3 - Access Enforcement; AC-5 - Separation of Duties
Users with Administrator privilege: AC-3(1) - Access Enforcement; AC-5 - Separation of Duties; AC-6 - Least Privilege; CM-5 - Access Restrictions for Change; SA-10 - Developer Configuration Management

Account Integrity

The Account Integrity module reports new, changed, and deleted accounts, as well as account names and privileges.

The module also creates and maintains snapshot files. Run the module once to create the baseline snapshot file on each agent, then rerun it periodically to detect changes.

Checks (NIST 800-53 Rev. 1 mapping):

Access this computer from network: AC-17 - Remote Access; CA-3 - Information System Connections; SC-14 - Public Access Protections
Accounts that must be disabled: IA-2 - User Identification and Authentication; IA-4 - Identifier Management; CM-6 - Configuration Settings
Accounts that never expire (Windows 2000 and 2003 only): AC-2 - Account Management
Accounts without time restrictions (Windows 2000 and 2003 only): IA-5 - Authenticator Management
Accounts without workstation restrictions (Windows 2000 and 2003 only): IA-5 - Authenticator Management
Act as part of the operating system: CM-5 - Access Restrictions for Change
Add workstations to domain (Windows 2000 and 2003 only): CA-3 - Information System Connections; CM-5 - Access Restrictions for Change; CM-7 - Least Functionality
Adjust memory quotas for a process (Windows 2000 and 2003 only): N/A
Allow log on locally / Log on locally: N/A
Allow logon through Terminal Services: AC-17 - Remote Access
Automatically update snapshots: N/A
Back up files and directories: CM-5 - Access Restrictions for Change; CM-4 - Monitoring Configuration Changes; CM-6 - Configuration Settings
Bypass traverse checking: N/A
Change the system time: CM-5 - Access Restrictions for Change; CM-4 - Monitoring Configuration Changes; CM-6 - Configuration Settings
Changed groups: SA-10 - Developer Configuration Management
Changed users (Windows 2000 and 2003 PDCs only): SA-10 - Developer Configuration Management
Create a pagefile: N/A
Create a token object: N/A
Create global objects (Windows 2000 and 2003 only): N/A
Create permanent shared objects: CM-5 - Access Restrictions for Change; CM-4 - Monitoring Configuration Changes; CM-6 - Configuration Settings
Debug programs: SA-11 - Developer Security Testing
Deleted groups: AC-5 - Separation of Duties; AC-6 - Least Privilege
Deleted users: PS-4 - Personnel Termination; PS-5 - Personnel Transfer
Deny access to this computer from the network: AC-17 - Remote Access; AC-3 - Access Enforcement
Deny logon as a batch job: AC-3 - Access Enforcement
Deny logon as a service: AC-3 - Access Enforcement
Deny logon locally: AC-3 - Access Enforcement
Deny logon through Terminal Services: AC-17 - Remote Access; AC-3 - Access Enforcement
Disabled/expired/locked accounts: AC-2 - Account Management; IA-4 - Identifier Management
Enable computer and user accounts to be trusted for delegation: AC-4 - Information Flow Enforcement
Force shutdown from a remote system: AU-5 - Audit Processing
Full/Display name and description required (Windows XP only): IA-2 - User Identification and Authentication; IA-4 - Identifier Management
Generate security audits: AC-13 - Supervision and Review - Access Control; AU-5 - Audit Processing; CM-4 - Monitoring Configuration Changes
Group member watch: N/A
Groups guest belongs to: AC-14 - Permitted Actions without Identification or Authentication
Impersonate a client after authentication (Windows 2000 and 2003 only): AC-4 - Information Flow Enforcement
Increase scheduling priority: SC-6 - Resource Priority
Load and unload device drivers: CM-5 - Access Restrictions for Change; CM-4 - Monitoring Configuration Changes; CM-6 - Configuration Settings
Lock pages in memory: N/A
Log on as a batch job: AC-4 - Information Flow Enforcement
Log on as a service: AC-4 - Information Flow Enforcement
Manage auditing and security log: SI-4 - Information System Monitoring Tools and Techniques; AC-5 - Separation of Duties; AC-13 - Supervision and Review - Access Control; AU-5 - Audit Processing; CM-4 - Monitoring Configuration Changes
Maximum reported messages: N/A
Modify firmware environment values: N/A
New groups: N/A
New users: IA-4 - Identifier Management
Perform volume maintenance tasks (Windows 2003 only): AC-5 - Separation of Duties
Profile single process: N/A
Profile system performance: N/A
Remove computer from docking station: N/A
Rename administrator account: AC-3 - Access Enforcement
Rename guest account: AC-14 - Permitted Actions without Identification or Authentication
Replace a process level token: N/A
Report excessive number of accounts: AC-2 - Account Management
Restore files and directories: CM-5 - Access Restrictions for Change; CM-4 - Monitoring Configuration Changes; CM-6 - Configuration Settings
Screen saver timeout: N/A
Shut down the system: CM-5 - Access Restrictions for Change; CM-4 - Monitoring Configuration Changes; CM-6 - Configuration Settings
Synchronize directory service data (servers running ADS): CM-5 - Access Restrictions for Change; CM-4 - Monitoring Configuration Changes; CM-6 - Configuration Settings
Take ownership of files or other objects: CM-5 - Access Restrictions for Change; CM-4 - Monitoring Configuration Changes; CM-6 - Configuration Settings
User rights checks: AC-3 - Access Enforcement; AC-5 - Separation of Duties; AC-6 - Least Privilege
Users to check: AC-3 - Access Enforcement; AC-5 - Separation of Duties; AC-6 - Least Privilege

Active Directory

The Active Directory module for Windows 2000 and Windows Server 2003 reports the group policy objects (GPOs) that apply to users, groups, and computers in Active Directory Service (ADS). GPOs are Active Directory objects that contain group policies such as the Windows security policy. GPO settings can be applied to sites, domains, and organizational units. These ADS checks do not apply to Windows XP.

Checks (NIST 800-53 Rev. 1 mapping):

Computers with applied GPOs: AC-3 - Access Enforcement; CA-3 - Information System Connections; CM-6 - Configuration Settings
Computers without applied GPOs: AC-3 - Access Enforcement; CA-3 - Information System Connections; CM-6 - Configuration Settings
Enforce user logon restrictions: IA-5 - Authenticator Management
Maximum lifetime for service ticket (PDC only): AC-12 - Session Termination
Maximum lifetime for user ticket (PDC only): AC-12 - Session Termination
Maximum lifetime for user ticket renewal (PDC only): AC-12 - Session Termination
Maximum tolerance for computer clock synchronization (PDC only): AC-12 - Session Termination
Security groups with applied GPOs: AC-3 - Access Enforcement; CA-3 - Information System Connections; CM-6 - Configuration Settings
Security groups without applied GPOs: AC-3 - Access Enforcement; CA-3 - Information System Connections; CM-6 - Configuration Settings
Security options: N/A
Users with applied GPOs: AC-3 - Access Enforcement; CA-3 - Information System Connections; CM-6 - Configuration Settings
Users without applied GPOs: AC-3 - Access Enforcement; CA-3 - Information System Connections; CM-6 - Configuration Settings

Backup Integrity

The Backup Integrity module introduces checks for Symantec Backup Exec settings.

Checks (NIST 800-53 Rev. 1 mapping):

Backup Exec last backup status: CP-9 - Information System Backup
Backup Exec backup frequency: N/A
Backup Exec version: CP-9 - Information System Backup
Backups needed: CP-9 - Information System Backup
Folders excluded: CP-9 - Information System Backup


Discovery

The Discovery module identifies systems and selected applications on the network.

Checks (NIST 800-53 Rev. 1 mapping):

Profile candidate devices: IA-3 - Device Identification and Authentication; RA-3 - Risk Assessment
Profile timeout: IA-3 - Device Identification and Authentication
Report if found: IA-3 - Device Identification and Authentication; RA-3 - Risk Assessment
Scan non-responding addresses: IA-3 - Device Identification and Authentication
Symantec ESM device status: IA-3 - Device Identification and Authentication
Symantec Intruder Alert device status: SI-4(1) - Information System Monitoring Tools and Techniques; IA-3 - Device Identification and Authentication
Targets: IA-3 - Device Identification and Authentication

Disk Quota

The Disk Quota module reports on disk usage thresholds for users.

Checks (NIST 800-53 Rev. 1 mapping):

User exceeds quota: SA-2 - Allocation of Resources
User exceeds warning: SA-2 - Allocation of Resources
User quota not enforced: SA-2 - Allocation of Resources
Volume quota disabled: SA-2 - Allocation of Resources
Volume quota enforced: SA-2 - Allocation of Resources
Volume quota exceeds limit: SA-2 - Allocation of Resources
Volume quota not enforced: SA-2 - Allocation of Resources
Volume quota not logged: SI-4 - Information System Monitoring Tools and Techniques
Volume quota not supported: SA-2 - Allocation of Resources
Volume warning exceeds limit: SA-2 - Allocation of Resources
Volume warning not logged: SI-4 - Information System Monitoring Tools and Techniques

Encrypted File System

The Encrypted File System module reports on Windows EFS settings.

Checks (NIST 800-53 Rev. 1 mapping):

EFS not supported: AC-3 - Access Enforcement
File recovery agents not authorized: AC-3 - Access Enforcement
Files can be decrypted by others: AC-3 - Access Enforcement
Percentage of encrypted files: AC-3 - Access Enforcement

File Attributes

The File Attributes module detects and reports changes to:

■ File creation and modification times

■ File sizes

■ CRC/MD5 checksum signatures

■ Access Control Lists (ACLs)

■ Results of checksum checks

The File Attributes module also reports folders where the Everyone group has Full Control permissions, and violations of the file permissions that are specified in template entries.

The module also creates and maintains snapshot files. Run the module once to create the baseline snapshot file on each agent, then rerun it periodically to detect changes.

Checks (NIST 800-53 Rev. 1 mapping):

Allow any privileged account: AC-3 - Access Enforcement
Auditing ACLs: AC-3 - Access Enforcement; AC-5 - Separation of Duties
Automatically update snapshots: N/A
Changed file (signature): CA-2 - Security Assessments; SI-7 - Software and Information Integrity
Changed file (size): CA-2 - Security Assessments; SI-7 - Software and Information Integrity
Changed file (times): CA-2 - Security Assessments; SI-7 - Software and Information Integrity
Display fully qualified names in Name field: IA-2 - User Identification and Authentication; IA-4 - Identifier Management
Do not notify if file permissions are increased in security: N/A
Do not notify if User/Group in ACL is not on system: AC-3 - Access Enforcement
Event log info: AC-13 - Supervision and Review - Access Control
File ACLs: AC-3 - Access Enforcement; CM-6 - Configuration Settings
File and folder attributes: CM-6 - Configuration Settings
File and folder ownership: CM-6 - Configuration Settings
File and folder permissions: N/A
Files giving all users Full Control: CM-6 - Configuration Settings; CA-2 - Security Assessments; AC-5 - Separation of Duties; AC-6 - Least Privilege
File Version (Windows XP and 2000 only): N/A
Hidden files and folders: N/A
Keywords list: supports AC-3 and AC-5
Maximum reported messages: N/A
Template file list: supports AC-3 and AC-5

File Attributes template files

Symantec uses LiveUpdate every two weeks to overwrite the default template files that are loaded on your computer.

Each default File Attributes template is for a specific operating system. The default File Attributes template files have the following names and extensions.

Operating system: file name (template name)

Windows 2000 primary domain controller: fileatt.s50 (File)
Windows 2000 Server: fileatt.s50 (File)
Windows Server 2003: fileatt.s52 (File)
Windows 2000 Professional: fileatt.w50 (File)
Windows XP: fileatt.w51 (File)
All Windows: windows.fkl (File Keywords)

You can add new File templates to a copy of this policy, or add files to copies of the default templates, to expand the scope of the files that are monitored for changes. To meet your company's security policy needs, you must change the default values by copying and renaming the policy files.

For instructions and more information about specific checks and messages, see the current Symantec ESM Security Update User's Guide (for example, the Security Update 17 User's Guide for Windows (PDF)) and the release notes (for example, the Security Update 25 Release Notes (PDF)) of each quarterly security update (SU) posted on http://securityresponse.symantec.com --> Security Updates: Symantec Enterprise Security Manager --> ESM Security Updates.

File Watch

The File Watch module reports new and deleted files and folders, and changed files. It creates and maintains a snapshot file, which stores file information, for each agent on which you run the module. The Malicious files check helps to meet requirements under sections 3546(a)(1) and 3546(a)(3) of FISMA.

Run the module once to create the baseline snapshot file on each agent, then rerun it periodically to detect changes.

Checks (NIST 800-53 Rev. 1 mapping):

Automatically update snapshots: N/A
Changed files (ownership): CM-4 - Monitoring Configuration Changes; SI-7 - Software and Information Integrity
Changed files (signature): CM-4 - Monitoring Configuration Changes; SI-7 - Software and Information Integrity
Event Log Info: AC-13 - Supervision and Review - Access Control
Files/folders to watch: supports SI-3
Ignore directories: N/A
Invalid signature: N/A
Keywords list: supports CM-4 and SI-7
Malicious files: SI-3 - Malicious Code Protection
New files: CM-4 - Monitoring Configuration Changes; SI-7 - Software and Information Integrity
Removed files: CM-4 - Monitoring Configuration Changes; SI-7 - Software and Information Integrity

File Watch and Malicious File Watch template files

Symantec uses LiveUpdate every two weeks to overwrite the default template files that are loaded on your computer.

Each default File Watch template is for a specific operating system. Malicious File Watch templates identify known attack signatures for the Malicious files check.

Note: Do not edit Malicious File Watch files without renaming them first.

The default File Watch and Malicious File Watch template files have the following names and extensions.

File Watch templates (operating system: file name (template name)):

Windows 2000 Server and domain controller: w2ksysroot.fw (File Watch)
Windows 2000: w2ksysroot.fw (File Watch)
Windows XP: xpsysroot.fw (File Watch)
Windows Server 2003: ws3sysroot.fw (File Watch)

You can add new File Watch templates to a copy of this policy, or add files to copies of the default templates, to expand the scope of the files that are monitored for changes. To meet your company's security policy needs, you must change the default values by copying and renaming the policy files. For instructions and more information about specific checks and messages, see the current Symantec ESM Security Update User's Guide.
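The baseline-then-compare cycle that the File Attributes and File Watch modules use (and that Account Integrity and Network Integrity use for their own snapshots) can be reproduced outside ESM. The following PowerShell script is an added example for this manual; it is not Symantec ESM code and not one of the ESM templates. The first run writes a baseline of sizes, timestamps, signatures, owners and ACLs for the watched paths; later runs report new, removed and changed files in the same categories the File Attributes and File Watch checks use (signature, size, times, ownership, ACL), and list folders where Everyone has Full Control. The watch list, the snapshot file location and all function names are assumptions, and SHA-256 stands in for the CRC/MD5 signatures that the ESM templates use.

```powershell
# Added example (not Symantec ESM code): baseline-and-compare for file attributes
# in the style of the File Attributes / File Watch modules. The watch list,
# snapshot path and function names are hypothetical. Requires PowerShell 4 or
# later (Get-FileHash); run it with rights to read the watched paths.

function New-Finding([string]$Path, [string]$Finding) {
    [pscustomobject]@{ Path = $Path; Finding = $Finding }
}

function New-FileSnapshot {
    # Builds path -> attributes for every file under the given roots.
    param([string[]]$Paths)
    $snapshot = @{}
    foreach ($root in $Paths) {
        $files = Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue
        foreach ($f in $files) {
            $acl  = Get-Acl -LiteralPath $f.FullName -ErrorAction SilentlyContinue
            $hash = Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            $snapshot[$f.FullName] = [pscustomobject]@{
                Size      = $f.Length
                Created   = $f.CreationTimeUtc
                Modified  = $f.LastWriteTimeUtc
                Signature = $(if ($hash) { $hash.Hash } else { $null })   # null if the file was locked
                Owner     = $(if ($acl)  { $acl.Owner } else { $null })
                Sddl      = $(if ($acl)  { $acl.Sddl }  else { $null })   # whole DACL/SACL as text
            }
        }
    }
    return $snapshot
}

function Compare-FileSnapshot {
    # Emits one finding per difference, named like the ESM checks.
    param([hashtable]$Baseline, [hashtable]$Current)
    foreach ($path in $Current.Keys) {
        if (-not $Baseline.ContainsKey($path)) { New-Finding $path 'New file'; continue }
        $b = $Baseline[$path]; $c = $Current[$path]
        if ($b.Signature -ne $c.Signature) { New-Finding $path 'Changed file (signature)' }
        if ($b.Size -ne $c.Size)           { New-Finding $path 'Changed file (size)' }
        if ($b.Created -ne $c.Created -or $b.Modified -ne $c.Modified) { New-Finding $path 'Changed file (times)' }
        if ($b.Owner -ne $c.Owner)         { New-Finding $path 'Changed file (ownership)' }
        if ($b.Sddl -ne $c.Sddl)           { New-Finding $path 'Changed ACL' }
    }
    foreach ($path in $Baseline.Keys) {
        if (-not $Current.ContainsKey($path)) { New-Finding $path 'Removed file' }
    }
}

function Find-EveryoneFullControl {
    # Folders with an Allow ACE granting Everyone every FullControl bit.
    # Generic rights (GENERIC_ALL) on some inherited ACEs are not normalised here.
    param([string[]]$Paths)
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    foreach ($root in $Paths) {
        $dirs = Get-ChildItem -LiteralPath $root -Recurse -Directory -Force -ErrorAction SilentlyContinue
        foreach ($d in $dirs) {
            $acl = Get-Acl -LiteralPath $d.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { continue }
            foreach ($ace in $acl.Access) {
                if ($ace.IdentityReference.Value -eq 'Everyone' -and
                    $ace.AccessControlType -eq 'Allow' -and
                    (($ace.FileSystemRights -band $full) -eq $full)) {
                    New-Finding $d.FullName 'Everyone has Full Control'
                }
            }
        }
    }
}

# First run: write the baseline. Later runs: compare against it and report.
$WatchPaths   = @("$env:SystemRoot\System32\drivers")               # assumed watch list
$SnapshotFile = Join-Path $env:ProgramData 'fileatt-baseline.xml'   # assumed location

if (-not (Test-Path -LiteralPath $SnapshotFile)) {
    New-FileSnapshot -Paths $WatchPaths | Export-Clixml -Path $SnapshotFile
    "Baseline snapshot written to $SnapshotFile"
} else {
    $baseline = Import-Clixml -Path $SnapshotFile
    $current  = New-FileSnapshot -Paths $WatchPaths
    Compare-FileSnapshot -Baseline $baseline -Current $current | Format-Table -AutoSize
    Find-EveryoneFullControl -Paths $WatchPaths | Format-Table -AutoSize
}
```

The comparison is only as trustworthy as the baseline: store the snapshot file where the users of the watched host cannot rewrite it, and refresh it deliberately after an approved change rather than letting every run overwrite it, which is the same reason the ESM modules expose "Automatically update snapshots" as a separate, normally disabled, option.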

Malicious File Watch templates (operating system: file name (template name)):

Windows 2000 Server and ADS: w2ksysroot.mfw (Malicious File Watch)
Windows 2000 Professional: w2ksysroot.mfw (Malicious File Watch)
Windows XP: xpsysroot.mfw (Malicious File Watch)
Windows Server 2003 and ADS: ws3sysroot.mfw (Malicious File Watch)

Group Policy

The Group Policy module for Windows 2000 and Windows Server 2003 reports the settings of the group policy objects (GPOs) that apply to users, groups, and computers in Active Directory Service. GPOs are Active Directory objects that contain group policies such as the Windows security policy. GPO settings can be applied to sites, domains, and organizational units. These GPO checks do not apply to Windows XP.

Checks (NIST 800-53 Rev. 1 mapping):

Account Policies - Account Lockout Policy (Windows 2000 and 2003 only): AC-2(3) - Account Management
Account Policies - Password Policy (Windows 2000 and 2003 only): IA-5 - Authenticator Management
Account Policies - Kerberos Policy (Windows 2000 and 2003 only): N/A
Event Log (Windows 2000 and 2003 only): AC-13 - Supervision and Review - Access Control; SI-4 - Information System Monitoring Tools and Techniques
File System (Windows 2000 and 2003 only): N/A
Local Policies - Audit Policy (Windows 2000 and 2003 only): AC-13 - Supervision and Review - Access Control
Local Policies - Security Options (Windows 2000 and 2003 only): N/A
Local Policies - User Rights Assignment (Windows 2000 and 2003 only): AC-3 - Access Enforcement
Registry (Windows 2000 and 2003 only): N/A
Restricted Groups (Windows 2000 and 2003 only): N/A
System Services (Windows 2000 and 2003 only): N/A

Integrated Command Engine

The Integrated Command Engine module lets users add custom checks by running external scripts and executables and returning the results to Symantec ESM as if they were native security checks.

Checks (NIST 800-53 Rev. 1 mapping):

Check Return Code: N/A
Command Engine Templates: N/A
Copy scripts (All): N/A
Failed messages: SI-11 - Error Handling
Information messages: N/A
Not Applicable messages: N/A
Not Available messages: N/A
Overwrite scripts (All): N/A
Passed messages: N/A
Redirect Stderr to Stdout: N/A
Report All Stderr messages: SI-11 - Error Handling
Script Missing messages: SI-11 - Error Handling
Unmapped messages: SI-11 - Error Handling
User 1/0, 1/1, 1/2, 1/3, and 1/4 messages: N/A
User 2/0, 2/1, 2/2, 2/3, and 2/4 messages: N/A
User 3/0, 3/1, 3/2, 3/3, and 3/4 messages: N/A

Login Parameters

The Login Parameters module checks whether account lockout is enabled, whether the lockout threshold is set properly, whether locked accounts must be reactivated by an administrator, and whether the autologon feature is disabled.

Checks (NIST 800-53 Rev. 1 mapping):

Account lockout duration: AC-2(3) - Account Management; AC-7 - Unsuccessful Login Attempts; CA-2 - Security Assessments; AC-9 - Previous Logon Notification; CM-6 - Configuration Settings
Account lockout threshold: AC-2(3) - Account Management; AC-7 - Unsuccessful Login Attempts; CA-2 - Security Assessments; AC-9 - Previous Logon Notification; CM-6 - Configuration Settings
Autologon disabled: IA-4 - Identifier Management; AC-2 - Account Management; CM-5 - Access Restrictions for Change
Bad logon counter reset: AC-7 - Unsuccessful Login Attempts
Display fully qualified names (Windows 2003 only): IA-2 - User Identification and Authentication; IA-4 - Identifier Management
Expired logon hours disconnect (Windows 2000 and 2003 only): AC-12 - Session Termination
Inactive accounts: AC-2(3) - Account Management; AC-11 - Session Lock
Inactive accounts timeout: AC-2(3) - Account Management; AC-11 - Session Lock
Inactive accounts with unchanged passwords: AC-2(3) - Account Management
Last user name hidden: IA-2 - User Identification and Authentication; IA-4 - Identifier Management
Legal notice: AC-8 - System Use Notification
Shutdown without logon: CM-4 - Monitoring Configuration Changes

Network Assessment

The Network Assessment module lets you scan systems and devices for vulnerabilities. This optional module is sold as an add-on to Symantec ESM. A Windows ESM agent is required to host the scan engine, even though Windows, UNIX, and Linux systems, routers, and other network applications are the targets.

As a reminder, you must reinstall the policy after installing the Network Assessment module so that all of its checks are registered properly.

Checks (NIST 800-53 Rev. 1 mapping):

ESM Agents to perform scan and systems to scan: RA-5 - Vulnerability Scanning
Template file list: RA-5 - Vulnerability Scanning

Network Assessment template files

Symantec uses LiveUpdate every two weeks to overwrite the default template files that are loaded on your computer.

Each default Network Assessment template is for a specific operating system or application. The default Network Assessment template files have the following names and extensions.

Operating system: file name (template name)

Windows XP, 2000, and 2003: cisco.net (Network)
Windows XP, 2000, and 2003: exposure.net (Network)
Windows XP, 2000, and 2003: mail.net (Network)
Windows XP, 2000, and 2003: other.net (Network)
Windows XP, 2000, and 2003: samba.net (Network)
Windows XP, 2000, and 2003: unix.net (Network)
Windows XP, 2000, and 2003: web.net (Network)
Windows XP, 2000, and 2003: windows.net (Network)

To meet your company's security policy needs, you must change the default values by copying and renaming the policy files.

For instructions and more information about specific checks and messages, see the current Symantec ESM Security Update User's Guide (for example, the Security Update 17 User's Guide for Windows (PDF)) and the release notes (for example, the Security Update 25 Release Notes (PDF)) of each quarterly security update (SU) posted on http://securityresponse.symantec.com --> Security Updates: Symantec Enterprise Security Manager --> ESM Security Updates.
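Several of the Login Parameters checks listed above (account lockout threshold and duration, autologon, last user name hidden, legal notice, shutdown without logon) and two of the Network Integrity checks that follow (anonymous LANMan access, plain text authentication) are backed by local settings that can be read directly. The following PowerShell script is an added example for this manual, not Symantec ESM code: it reads each setting from its standard Windows location, grades it against an assumed baseline, and returns one finding per check in the same Pass/Fail shape an assessment report would use. The thresholds in $Policy and the function names are assumptions; the output of "net accounts" is assumed to be in English.

```powershell
# Added example (not Symantec ESM code): local audit of the settings behind
# several Login Parameters checks and two Network Integrity checks.
# Registry paths are the standard Windows locations; the $Policy thresholds
# and function names are hypothetical. Run from an elevated PowerShell.

$Policy = @{
    LockoutThresholdMax = 5    # assumed: lock after no more than 5 bad logons
    LockoutDurationMin  = 30   # assumed: stay locked for at least 30 minutes
}

function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent
}

function Get-LockoutPolicy {
    # Parses "net accounts" (English output assumed) for the lockout settings.
    $result = @{ Threshold = $null; Duration = $null; Window = $null }
    foreach ($line in (& net accounts 2>$null)) {
        if     ($line -match '^Lockout threshold:\s+(\S+)')                      { $result.Threshold = $matches[1] }
        elseif ($line -match '^Lockout duration \(minutes\):\s+(\S+)')           { $result.Duration  = $matches[1] }
        elseif ($line -match '^Lockout observation window \(minutes\):\s+(\S+)') { $result.Window    = $matches[1] }
    }
    return $result
}

function New-Finding([string]$Check, $Observed, [bool]$Pass) {
    [pscustomobject]@{ Check = $Check; Observed = $Observed; Status = $(if ($Pass) { 'Pass' } else { 'Fail' }) }
}

function Test-LoginParameters {
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $system   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $wks      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

    # Lockout: "Never" as threshold means lockout is off; "Never" as duration
    # means an administrator must unlock the account, which is the strict setting.
    $lock = Get-LockoutPolicy
    $thresholdOk = ($lock.Threshold -match '^\d+$') -and ([int]$lock.Threshold -le $Policy.LockoutThresholdMax)
    $durationOk  = ($lock.Duration -eq 'Never') -or
                   (($lock.Duration -match '^\d+$') -and ([int]$lock.Duration -ge $Policy.LockoutDurationMin))
    New-Finding 'Account lockout threshold' $lock.Threshold $thresholdOk
    New-Finding 'Account lockout duration'  $lock.Duration  $durationOk

    # Autologon: fails if enabled or if a cleartext DefaultPassword is stored.
    $auto      = Get-RegValue $winlogon 'AutoAdminLogon'
    $defaultPw = Get-RegValue $winlogon 'DefaultPassword'
    New-Finding 'Autologon disabled' "AutoAdminLogon=$auto; DefaultPassword stored=$($null -ne $defaultPw)" (($auto -ne '1') -and ($null -eq $defaultPw))

    $hide = Get-RegValue $system 'DontDisplayLastUserName'
    New-Finding 'Last user name hidden' "DontDisplayLastUserName=$hide" ($hide -eq 1)

    $caption = Get-RegValue $system 'LegalNoticeCaption'
    $text    = Get-RegValue $system 'LegalNoticeText'
    New-Finding 'Legal notice' "caption=[$caption]; text set=$(-not [string]::IsNullOrEmpty($text))" ((-not [string]::IsNullOrEmpty($caption)) -and (-not [string]::IsNullOrEmpty($text)))

    # Absent is treated as not enforced.
    $shutdown = Get-RegValue $system 'ShutdownWithoutLogon'
    New-Finding 'Shutdown without logon' "ShutdownWithoutLogon=$shutdown" ($shutdown -eq 0)

    # Network Integrity: anonymous enumeration and cleartext SMB passwords.
    # On Windows XP/2003 also consider RestrictAnonymousSAM and EveryoneIncludesAnonymous.
    $anon = Get-RegValue $lsa 'RestrictAnonymous'
    New-Finding 'Anonymous LANMan access disabled' "RestrictAnonymous=$anon" ($anon -ge 1)

    $plain = Get-RegValue $wks 'EnablePlainTextPassword'
    New-Finding 'Plain text authentication' "EnablePlainTextPassword=$plain" ($plain -ne 1)
}

Test-LoginParameters | Format-Table -AutoSize
```

Settings that a domain GPO enforces override the local values, so on a domain member compare the result with the effective policy (for example from gpresult) before treating a local Fail as a finding; the Group Policy module above exists for that reason.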


Network Integrity

The Network Integrity module reports system configuration settings that pertain to authentication and remote access.

The module also creates and maintains snapshot files. Run the module once to create the baseline snapshot file on each agent, then rerun it periodically to detect changes.

Checks (NIST 800-53 Rev. 1 mapping):

Anonymous LANMan access disabled: AC-17 - Remote Access; IA-2 - User Identification and Authentication; IA-4 - Identifier Management
Anonymous SID/name translation (Windows Server 2003): N/A
Automatically update snapshots: N/A
Deleted listening TCP ports: N/A
Deleted listening UDP ports: N/A
Deleted network shares: N/A
File security more restrictive than share security: N/A
Hidden shares: AC-17 - Remote Access
ICMP Messages: N/A
ICS exposed network services: CM-7 - Least Functionality
Internet Connection Firewall: AC-4 - Information Flow Enforcement; AC-20 - Personally Owned Information Systems; SI-4(4) - Information System Monitoring Tools and Techniques
Internet Connection Sharing: CA-3 - Information System Connections
IP Security Policies (Windows 2000 and 2003 only): N/A
IPv6 Protocol (Windows Server 2003 only): N/A
Listening TCP ports: CM-6 - Configuration Settings; SC-14 - Public Access Protections
Listening UDP ports: CM-6 - Configuration Settings; SC-14 - Public Access Protections
Local groups: N/A
Modified network shares: AC-17 - Remote Access
NetBIOS info via SNMP: AC-17 - Remote Access
New listening TCP ports: CM-6 - Configuration Settings; SC-14 - Public Access Protections
New listening UDP ports: CM-6 - Configuration Settings; SC-14 - Public Access Protections
New network shares: AC-17 - Remote Access; CA-3 - Information System Connections; CM-7 - Least Functionality
Permitted IP protocols: CM-7 - Least Functionality
Permitted TCP ports: AC-6 - Least Privilege; CM-7 - Least Functionality
Permitted UDP ports: AC-6 - Least Privilege; CM-7 - Least Functionality
Plain text authentication: IA-2 - User Identification and Authentication; IA-5 - Authenticator Management
RRAS enabled: AC-17 - Remote Access; CM-6 - Configuration Settings; SC-14 - Public Access Protections
RRAS NetBIOS gateway disabled: AC-17 - Remote Access
RRAS requires account callbacks: AC-17 - Remote Access
RRAS requires preset number for callback: AC-17 - Remote Access
Share permissions: AC-17 - Remote Access
Shared folders: AC-17 - Remote Access
Shared folders giving all users Full Control: AC-17 - Remote Access; CM-6 - Configuration Settings; AC-5 - Separation of Duties; AC-6 - Least Privilege
Shared printers: AC-17 - Remote Access
Trusted domains (Windows 2000 and 2003 only): CA-3 - Information System Connections

Object Integrity

The Object Integrity module reports volumes that do not have Access Control Lists (ACLs).

Note: Volumes without ACLs provide no protection against unauthorized access. ACLs are required to control and audit access to directories and files.

Checks (NIST 800-53 Rev. 1 mapping):

Local accounts (non-PDCs only): N/A
Volumes without ACL control: AC-3 - Access Enforcement; CA-2 - Security Assessments; CM-6 - Configuration Settings

OS Patches

The OS Patches (Patch) module reports Windows security patches that Microsoft Corporation has released but that are not installed on the system.

Install all patches that are defined in the Windows patch template files for the Windows XP, Windows 2000, and Windows Server 2003 operating systems to harden those operating systems.

The Patch template defines the operating system patches that the module searches for on each agent. New patch template files are available every two weeks through LiveUpdate.

Checks (NIST 800-53 Rev. 1 mapping):

Comparisons: supports SI-2, RA-5, and SA-7
    File dates: supports SI-2, RA-5, and SA-7
    File versions: supports SI-2, RA-5, and SA-7
    Registry keys: supports SI-2, RA-5, and SA-7
Disable module: SI-2 - Flaw Remediation; RA-5 - Vulnerability Scanning; SA-7 - User Installed Software; AC-20 - Personally Owned Information Systems
Installed patches: SI-2 - Flaw Remediation; RA-5 - Vulnerability Scanning; SA-7 - User Installed Software; AC-19 - Access Control for Portable and Mobile Systems; AC-20 - Personally Owned Information Systems
Patch Keywords templates: SI-2 - Flaw Remediation; RA-5 - Vulnerability Scanning; SA-7 - User Installed Software; AC-19 - Access Control for Portable and Mobile Systems; AC-20 - Personally Owned Information Systems
Patch not installed and process not running: SI-2 - Flaw Remediation; RA-5 - Vulnerability Scanning; SA-7 - User Installed Software; AC-19 - Access Control for Portable and Mobile Systems; AC-20 - Personally Owned Information Systems
Patch results summary: SI-2 - Flaw Remediation; RA-5 - Vulnerability Scanning; SA-7 - User Installed Software; AC-19 - Access Control for Portable and Mobile Systems; AC-20 - Personally Owned Information Systems
Patch templates: SI-2 - Flaw Remediation; RA-5 - Vulnerability Scanning; SA-7 - User Installed Software; AC-19 - Access Control for Portable and Mobile Systems; AC-20 - Personally Owned Information Systems
    Relaxed: supports SI-2, RA-5, and SA-7
    Strict: supports SI-2, RA-5, and SA-7
Superseded: SI-2 - Flaw Remediation; RA-5 - Vulnerability Scanning; SA-7 - User Installed Software

OS patch template files

Symantec uses LiveUpdate every two weeks to overwrite the default template files that are loaded on your computer.

Each default Patch template is for a specific operating system or application. The default Patch template files have the following names and extensions.

Operating system: file name (template name)

Windows 2000 Workstation: patch.pw5 (File)
Windows 2000 Server: patch.ps5 (File)
Windows Server 2003: patch.p6s (File)
Windows XP: patch.pwx (File)

You can add new Patch templates to a copy of this policy, or add entries to copies of the default templates, to expand the scope of what is checked. To meet your company's security policy needs, you must change the default values by copying and renaming the policy files.

Note: Do not edit, move, or change your Patch template files in any way.

For instructions and more information about specific checks and messages, see the current Symantec ESM Security Update User's Guide (for example, the Security Update 17 User's Guide for Windows (PDF)) and the release notes (for example, the Security Update 25 Release Notes (PDF)) of each quarterly security update (SU) posted on http://securityresponse.symantec.com --> Security Updates: Symantec Enterprise Security Manager --> ESM Security Updates.


Password StrengthThe Password Strength module examines system parameters that control the construction, change, aging, expiration, and storage of passwords. It reports:

■ Weak passwords (those that don’t match)

■ Any user name in the system

■ Any word in word list files

■ Passwords typed in all uppercase and all lowercase

■ Accounts that do not require passwords are reported

■ Passwords that have not been changed within a specified number of days

■ Accounts with a maximum password age greater than a specified value.

Check | NIST 800-53 Rev. 1
Accounts without passwords | IA-2 - User Identification and Authentication; IA-5 - Authenticator Management
Display name as distinguished name | IA-2 - User Identification and Authentication; IA-4 - Identifier Management
Double occurrences | IA-2 - User Identification and Authentication; IA-5 - Authenticator Management
Maximum password age (Windows 2000 and 2003 only) | IA-2 - User Identification and Authentication; IA-5 - Authenticator Management
MD4 hashes | IA-2 - User Identification and Authentication; IA-5 - Authenticator Management
Minimum password age (Windows 2000 and 2003 only) | IA-2 - User Identification and Authentication; IA-5 - Authenticator Management
Minimum password length (Windows 2000 and 2003 only) | IA-2 - User Identification and Authentication; IA-5 - Authenticator Management
Password = any username | IA-2 - User Identification and Authentication; IA-5 - Authenticator Management
Password = username | IA-2 - User Identification and Authentication; IA-5 - Authenticator Management
Password = wordlist word | IA-2 - User Identification and Authentication; IA-5 - Authenticator Management
Password changes | IA-2 - User Identification and Authentication; IA-5 - Authenticator Management
Password must expire | IA-2 - User Identification and Authentication; IA-5 - Authenticator Management
Password stored using reversible encryption | AC-3 - Access Enforcement; IA-2 - User Identification and Authentication; IA-5 - Authenticator Management
Password uniqueness (Windows 2000 and 2003 only) | IA-2 - User Identification and Authentication; IA-5 - Authenticator Management
Plural | IA-2 - User Identification and Authentication; IA-5 - Authenticator Management
Prefix | IA-2 - User Identification and Authentication; IA-5 - Authenticator Management
Reverse order | IA-2 - User Identification and Authentication; IA-5 - Authenticator Management
Suffix | IA-2 - User Identification and Authentication; IA-5 - Authenticator Management
Syskey encryption | IA-2 - User Identification and Authentication; IA-5 - Authenticator Management
Users to check | IA-2 - User Identification and Authentication; IA-5 - Authenticator Management

Password Strength word files

This policy ships with two word files (dictionaries) that are enabled by default: lenglish.wrd and ntcrack.wrd. Many other word files ship disabled and can be enabled. To enable additional word files, copy and rename the policy and enable them in the copy.

Note: Each additional word list increases the processing time of the check.
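As an added example (not part of the Symantec manual and not ESM's own code), the following Python reproduces the guess-and-compare logic behind the Password Strength checks above over a constructed set of accounts: the username, any username, and word list seeds; the reverse order, prefix, suffix, plural, and double occurrence transformations; the uppercase and lowercase variants; and the no-password and stale-password checks. The hash function is a stand-in: the MD4 hashes check compares guesses against NT hashes (MD4 over the UTF-16LE password), while this example uses SHA-256 over the same encoding because MD4 is frequently unavailable in hashlib. The account data, word list, and finding strings are constructed for the illustration.

```python
"""Added example (not Symantec ESM code): dictionary-style password checks
over a constructed account set. See the lead-in for the assumptions made."""
import hashlib


def password_hash(password: str) -> str:
    # ASSUMPTION: stand-in for the NT hash. A real NT hash is MD4 over the
    # UTF-16LE password; SHA-256 is used here only because MD4 is often
    # missing from hashlib. The comparison logic does not change.
    return hashlib.sha256(password.encode("utf-16-le")).hexdigest()


def case_variants(guess: str):
    # The module tries each candidate in all uppercase and all lowercase too.
    return {guess, guess.lower(), guess.upper(), guess.capitalize()}


def candidates(username, all_usernames, wordlist):
    """Yield (reason, guess) pairs, one per transformation the module checks."""
    seeds = [("Password = username", username)]
    seeds += [("Password = any username", u) for u in all_usernames if u != username]
    seeds += [("Password = wordlist word", w) for w in wordlist]
    for reason, seed in seeds:
        forms = [(reason, seed),
                 (reason + ", reverse order", seed[::-1]),
                 (reason + ", double occurrence", seed * 2),
                 (reason + ", plural", seed + "s")]
        for ch in "0123456789!":          # single-character prefix and suffix
            forms.append((reason + ", prefix", ch + seed))
            forms.append((reason + ", suffix", seed + ch))
        for form_reason, guess in forms:
            for variant in case_variants(guess):
                yield form_reason, variant


def audit_accounts(accounts, wordlist, max_unchanged_days=90):
    """accounts: {username: {"hash": str or None, "last_set_days": int}}.
    Returns {username: [finding, ...]} for every account with a problem;
    the first matching guess is reported and the search stops there."""
    findings = {}
    for user, info in accounts.items():
        hits = []
        if not info["hash"]:
            hits.append("Accounts without passwords")
        else:
            for reason, guess in candidates(user, accounts.keys(), wordlist):
                if password_hash(guess) == info["hash"]:
                    hits.append(reason)
                    break
        if info["last_set_days"] > max_unchanged_days:
            hits.append("Password changes: not changed in %d days (limit %d)"
                        % (info["last_set_days"], max_unchanged_days))
        if hits:
            findings[user] = hits
    return findings


# Constructed sample data: a tiny word list and four local accounts.
WORDLIST = ["password", "summer", "welcome", "dragon"]
ACCOUNTS = {
    "jsmith":     {"hash": password_hash("Summer1"),     "last_set_days": 12},
    "bjones":     {"hash": password_hash("senojb"),      "last_set_days": 40},
    "svc_backup": {"hash": None,                         "last_set_days": 400},
    "admin2":     {"hash": password_hash("Tr0ub4dor&3"), "last_set_days": 20},
}

if __name__ == "__main__":
    for user, hits in audit_accounts(ACCOUNTS, WORDLIST).items():
        print(user, "->", "; ".join(hits))
```

The candidate set grows with the product of seeds, transformations, and case variants, which is why the manual warns that each extra word list lengthens the run; a real NT-hash comparison would only differ in the hash function.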

Registry

The Registry module reports violations of the registry key settings that are specified in template files, and changed key values.

The module also creates and maintains snapshot files. Run the module once to create the baseline snapshot file on each agent, then rerun it periodically to detect changes.

Check | NIST 800-53 Rev. 1
Allow any privileged account | AC-1 - Access Control Policy and Procedures
Auditing Permissions | AC-5 - Separation of Duties
Automatically update snapshots | N/A
Changed key (time) | CM-4 - Monitoring Configuration Changes; SI-7 - Software and Information Integrity
Changed value (signature) | CM-4 - Monitoring Configuration Changes; SI-7 - Software and Information Integrity
Changed value (size) | CM-4 - Monitoring Configuration Changes; SI-7 - Software and Information Integrity
Do not notify if key permissions are increased in security | CM-4 - Monitoring Configuration Changes
Key and value existence | CM-4 - Monitoring Configuration Changes; SI-7 - Software and Information Integrity
Key ownership | CM-4 - Monitoring Configuration Changes; SI-7 - Software and Information Integrity
Key permissions | CM-4 - Monitoring Configuration Changes; SI-7 - Software and Information Integrity
Template file list | Supports CM-4 and SI-7

Registry template files

Symantec uses LiveUpdate every two weeks to overwrite the default template files that are loaded on your computer.

Each default Registry template is for a specific operating system. The default Registry template files have the following names and extensions.

Operating system | File name | Template name
Windows 2000 Professional | registry.rw5 | Registry
Windows 2000 Server and Windows 2000 Server with ADS | registry.rs5 | Registry
Windows XP | registry.rwx | Registry
Windows Server 2003 and Windows Server 2003 with ADS | registry.rs6 | Registry

You can add new Registry templates to a copy of this policy, or add files to copies of the default templates, to expand the scope of the files that are monitored for changes. To meet your company's security policy needs, copy and rename the policy files and change the default values in the copies.

For instructions and more information about specific checks and messages, see the current Symantec ESM Security Update User's Guide (Security Update 17 User's Guide for Windows (PDF)) and the release notes (Security Update 25 Release Notes (PDF)) of each quarterly security update (SU) posted on http://securityresponse.symantec.com --> Security Updates: Symantec Enterprise Security Manager --> ESM Security Updates.

Startup Files

The Startup Files module reports forbidden services that are running, required services that are not running, new and deleted services, the contents of Run keys, and remote registry access.

The module also creates and maintains snapshot files. Run the module once to create the baseline snapshot file on each agent, then rerun it periodically to detect changes.
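The baseline-then-rerun workflow described for both the Registry and the Startup Files modules comes down to a snapshot comparison. The following Python is an added example, not Symantec ESM code and not its snapshot file format: it diffs a constructed baseline against a constructed current state for registry keys (existence, timestamp, owner, write ACL, value size and signature) and for services (new, deleted, changed, disallowed, required, running as the system account), reporting under the check names from the two modules' tables. The key paths, service names, account names, and dict layouts are assumptions made for the example.

```python
"""Added example (not Symantec ESM code): baseline-snapshot comparison for
registry keys and services. Snapshot layouts are this example's own."""
import hashlib


def value_signature(data) -> str:
    """Fingerprint of a value's data; repr() keeps ints and strings distinct."""
    return hashlib.sha256(repr(data).encode()).hexdigest()


def diff_registry(baseline, current, notify_tightened_permissions=False):
    """Snapshots map key path -> {"values": {name: data}, "owner": str,
    "acl": set of principals with write access, "mtime": int}.
    Returns [(check, key, detail)] using the Registry module's check names.
    ACLs that only lost writers are skipped unless notify_tightened_permissions
    (the "Do not notify if key permissions are increased in security" option)."""
    out = []
    for key in sorted(baseline.keys() | current.keys()):
        b, c = baseline.get(key), current.get(key)
        if b is None or c is None:
            out.append(("Key and value existence", key,
                        "key added" if b is None else "key deleted"))
            continue
        if b["mtime"] != c["mtime"]:
            out.append(("Changed key (time)", key, "%s -> %s" % (b["mtime"], c["mtime"])))
        if b["owner"] != c["owner"]:
            out.append(("Key ownership", key, "%s -> %s" % (b["owner"], c["owner"])))
        added_writers = c["acl"] - b["acl"]
        if added_writers or (notify_tightened_permissions and b["acl"] != c["acl"]):
            out.append(("Key permissions", key, "write access added: %s" % sorted(added_writers)))
        for name in sorted(b["values"].keys() | c["values"].keys()):
            bv, cv = b["values"].get(name), c["values"].get(name)
            if bv is None or cv is None:
                out.append(("Key and value existence", key,
                            "value %r %s" % (name, "added" if bv is None else "deleted")))
            elif len(repr(bv)) != len(repr(cv)):
                out.append(("Changed value (size)", key, name))
            elif value_signature(bv) != value_signature(cv):
                out.append(("Changed value (signature)", key, name))
    return out


def diff_services(baseline, current, disallowed, required,
                  system_accounts=("LocalSystem",), report_stopped_disallowed=False):
    """Snapshots map service name -> {"state": "running"|"stopped", "account": str}.
    Returns [(check, service, detail)] using the Startup Files module's names.
    Installed-but-stopped disallowed services are skipped unless
    report_stopped_disallowed (the "Filter disallow services not running" option)."""
    out = []
    for name in sorted(baseline.keys() | current.keys()):
        b, c = baseline.get(name), current.get(name)
        if b is None:
            out.append(("New services", name, c["account"]))
        elif c is None:
            out.append(("Deleted services", name, b["account"]))
        elif b != c:
            out.append(("Changed services", name, "%s -> %s" % (b, c)))
    for name, svc in sorted(current.items()):
        if name in disallowed and (svc["state"] == "running" or report_stopped_disallowed):
            out.append(("Disallowed services", name, svc["state"]))
        if svc["account"] in system_accounts:
            out.append(("Services using system account to run", name, svc["account"]))
    for name in sorted(required):
        state = current.get(name, {}).get("state", "not installed")
        if state != "running":
            out.append(("Required services", name, state))
    return out


# Constructed sample snapshots (paths, names, and accounts chosen for illustration).
RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
LSA = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa"
OLD = r"HKLM\SOFTWARE\ExampleCorp\Retired"
ADMINS, SYSTEM, USERS = r"BUILTIN\Administrators", r"NT AUTHORITY\SYSTEM", r"BUILTIN\Users"
BASELINE_REG = {
    RUN: {"values": {"ctfmon": "ctfmon.exe"}, "owner": ADMINS, "acl": {ADMINS, SYSTEM}, "mtime": 1000},
    LSA: {"values": {"restrictanonymous": 1, "LmCompatibilityLevel": 3}, "owner": ADMINS, "acl": {ADMINS, SYSTEM}, "mtime": 1000},
    OLD: {"values": {}, "owner": ADMINS, "acl": {ADMINS, SYSTEM}, "mtime": 1000},
}
CURRENT_REG = {
    # Users gained write access to the Run key: a persistence risk, so it is reported.
    RUN: {"values": {"ctfmon": "ctfmon.exe /n", "updater": r"C:\Temp\upd.exe"},
          "owner": ADMINS, "acl": {ADMINS, SYSTEM, USERS}, "mtime": 2000},
    LSA: {"values": {"restrictanonymous": 0, "LmCompatibilityLevel": 3}, "owner": ADMINS, "acl": {ADMINS, SYSTEM}, "mtime": 2000},
}
BASELINE_SVC = {
    "EventLog":  {"state": "running", "account": "LocalSystem"},
    "Telnet":    {"state": "stopped", "account": "LocalSystem"},
    "Messenger": {"state": "stopped", "account": "LocalSystem"},
    "SavRoam":   {"state": "running", "account": "LocalSystem"},
}
CURRENT_SVC = {
    "EventLog":    {"state": "running", "account": "LocalSystem"},
    "Telnet":      {"state": "running", "account": "LocalSystem"},
    "SavRoam":     {"state": "running", "account": "LocalSystem"},
    "RemoteShell": {"state": "running", "account": r"NT AUTHORITY\NetworkService"},
}
DISALLOWED = {"Telnet", "Messenger", "RemoteShell"}
REQUIRED = {"EventLog", "SavRoam", "wuauserv"}

if __name__ == "__main__":
    for finding in diff_registry(BASELINE_REG, CURRENT_REG) + diff_services(
            BASELINE_SVC, CURRENT_SVC, DISALLOWED, REQUIRED):
        print(*finding, sep=" | ")
```

Two design points carry over from the modules' options: a value is reported under size when its length changed and under signature only when the length is equal but the content differs, so each change fires one check; and a key whose ACL only lost writers is silent by default, matching the "Do not notify if key permissions are increased in security" option.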

Check | NIST 800-53 Rev. 1
Automatically update snapshots | N/A
Changed services | CM-7 - Least Functionality; AC-6 - Least Privilege; CM-6 - Configuration Settings
Contents of Run keys | CM-7 - Least Functionality; AC-6 - Least Privilege; CM-6 - Configuration Settings
Deleted services | CM-7 - Least Functionality; AC-6 - Least Privilege; CM-6 - Configuration Settings
Disallowed services | CM-7(1) - Least Functionality; AC-6 - Least Privilege; CM-6 - Configuration Settings
Disallowed services cont. | N/A
Filter disallow services not running | N/A
Installed services | CM-7(1) - Least Functionality; AC-6 - Least Privilege; CM-6 - Configuration Settings
Maximum reported messages | Supports CM-7, AC-6, and CM-6
New services | CM-7(1) - Least Functionality; AC-6 - Least Privilege; CM-6 - Configuration Settings
Remote Procedure Call (RPC) Disabled | AC-17 - Remote Access; CM-6 - Configuration Settings
Remote registry access | AC-17 - Remote Access; SC-14 - Public Access Protections; CM-6 - Configuration Settings
Remote registry access (non-Administrators) | AC-17 - Remote Access; SC-14 - Public Access Protections; CM-6 - Configuration Settings
Required services | CM-7 - Least Functionality; AC-6 - Least Privilege; CM-6 - Configuration Settings
Services using specified user accounts to run | Supports CM-7, AC-6, and CM-6
Services using system account to run | Supports CM-7, AC-6, and CM-6
Unknown services | CM-7(1) - Least Functionality; AC-6 - Least Privilege; CM-6 - Configuration Settings

Symantec Product Info

The Symantec Product Info module reports information about the installed Symantec products that detect, quarantine, and correct malicious software.

Note: SAVCE minimum version: 9.0 (default).

Check | NIST 800-53 Rev. 1
Either Symantec AntiVirus CE or Norton AntiVirus (Windows XP and 2000 only) | SI-3 - Malicious Code Protection; SI-2 - Flaw Remediation; SI-8 - Spam Protection; AC-19 - Access Control for Portable and Mobile Systems; AC-20 - Personally Owned Information Systems
File System Auto-Protected (Symantec AntiVirus Corporate Edition) | SI-3 - Malicious Code Protection; SI-2 - Flaw Remediation
LiveUpdate frequency (Symantec AntiVirus Corporate Edition and Norton AntiVirus) | SI-3 - Malicious Code Protection; SI-2 - Flaw Remediation; AC-20 - Personally Owned Information Systems
Minimum version (Symantec AntiVirus Corporate Edition and Norton AntiVirus) | SI-3 - Malicious Code Protection; SI-2 - Flaw Remediation
Scan frequency (Symantec AntiVirus Corporate Edition and Norton AntiVirus) | SI-3 - Malicious Code Protection; SI-2 - Flaw Remediation; AC-19 - Access Control for Portable and Mobile Systems; AC-20 - Personally Owned Information Systems
Norton AntiVirus (Windows XP and 2000 only) | SI-3 - Malicious Code Protection; SI-2 - Flaw Remediation; SI-8 - Spam Protection; AC-19 - Access Control for Portable and Mobile Systems; AC-20 - Personally Owned Information Systems
Symantec AntiVirus Corporate Edition (Windows XP and 2000) | SI-3 - Malicious Code Protection; SI-2 - Flaw Remediation; SI-8 - Spam Protection; AC-19 - Access Control for Portable and Mobile Systems; AC-20 - Personally Owned Information Systems

System Auditing

The System Auditing module reports which security events are audited for failure or success, and what happens when the log file is full.

Check | NIST 800-53 Rev. 1
Application event log size | AC-13 - Supervision and Review - Access Control; SI-4 - Information System Monitoring Tools and Techniques
Days until security events are overwritten | AU-5 - Audit Processing; AU-9 - Protection of Audit Information; AC-13 - Supervision and Review - Access Control; SI-4 - Information System Monitoring Tools and Techniques
Guest access to event logs | AU-5 - Audit Processing; AU-9 - Protection of Audit Information; AC-14 - Permitted Actions without Identification or Authentication
Security event log size | AC-13 - Supervision and Review - Access Control; SI-4 - Information System Monitoring Tools and Techniques
Security events do not overwrite security log | AC-13 - Supervision and Review - Access Control; SI-4 - Information System Monitoring Tools and Techniques
Security events failure auditing | AU-2 - Auditable Events; AC-13 - Supervision and Review - Access Control
Security events success auditing | AU-2 - Auditable Events; AC-13 - Supervision and Review - Access Control
System event log size | AC-13 - Supervision and Review - Access Control; SI-4 - Information System Monitoring Tools and Techniques
System halts when security log full | AC-13 - Supervision and Review - Access Control; SI-4 - Information System Monitoring Tools and Techniques

Security events auditing (success and failure) name lists

The following table lists, for each platform, the events that the Windows Audit Policy should audit for success and for failure; an audit log entry is generated when the event occurs under the selected condition.

Platform | Audit for Success | Audit for Failure

Windows 2000 Professional
Audit for Success:
■ Audit account logon events
■ Audit account management
■ Audit logon events
■ Audit policy change
■ Audit privilege use
Audit for Failure:
■ Audit account logon events
■ Audit account management
■ Audit logon events
■ Audit object access
■ Audit policy change
■ Audit privilege use
■ Audit system events

Windows 2000 Server
Audit for Success:
■ Audit account logon events
■ Audit account management
■ Audit logon events
■ Audit policy change
■ Audit privilege use
Audit for Failure:
■ Audit account logon events
■ Audit account management
■ Audit logon events
■ Audit object access
■ Audit policy change
■ Audit privilege use
■ Audit system events

Windows 2000 Server with ADS
Audit for Success:
■ Audit account logon events
■ Audit account management
■ Audit logon events
■ Audit policy change
■ Audit privilege use
Audit for Failure:
■ Audit account logon events
■ Audit account management
■ Audit directory service access
■ Audit logon events
■ Audit object access
■ Audit policy change
■ Audit privilege use
■ Audit system events

Windows XP
Audit for Success:
■ Audit account logon events
■ Audit account management
■ Audit logon events
■ Audit policy change
■ Audit privilege use
Audit for Failure:
■ Audit account logon events
■ Audit logon events
■ Audit object access
■ Audit policy change
■ Audit privilege use
■ Audit system events

Windows Server 2003
Audit for Success:
■ Audit account logon events
■ Audit account management
■ Audit logon events
■ Audit policy change
■ Audit privilege use
Audit for Failure:
■ Audit account logon events
■ Audit logon events
■ Audit object access
■ Audit policy change
■ Audit privilege use
■ Audit system events

Windows Server 2003 with ADS
Audit for Success:
■ Audit account logon events
■ Audit account management
■ Audit logon events
■ Audit policy change
■ Audit privilege use
Audit for Failure:
■ Audit account logon events
■ Audit directory service access
■ Audit logon events
■ Audit object access
■ Audit policy change
■ Audit privilege use
■ Audit system events
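An added example (Python, not part of the Symantec manual and not ESM code) that checks an exported Windows audit policy against the per-platform lists above. It parses the [Event Audit] section of a secedit /export template, in which each Audit* key holds a bitmask (1 = audit success, 2 = audit failure, 3 = both), and reports the categories that fall short of the table for a given platform. The INF text is constructed for the example; the REQUIRED table is transcribed from the lists above, and the key-to-category mapping follows the names secedit writes.

```python
"""Added example (not Symantec ESM code): compare a secedit [Event Audit]
export against the per-platform success/failure lists in the manual."""

# secedit's [Event Audit] keys mapped to the category names used in the table.
INF_KEYS = {
    "AuditAccountLogon":    "account logon events",
    "AuditAccountManage":   "account management",
    "AuditDSAccess":        "directory service access",
    "AuditLogonEvents":     "logon events",
    "AuditObjectAccess":    "object access",
    "AuditPolicyChange":    "policy change",
    "AuditPrivilegeUse":    "privilege use",
    "AuditSystemEvents":    "system events",
    "AuditProcessTracking": "process tracking",   # exported, but not required by the table
}

SUCCESS = {"account logon events", "account management", "logon events",
           "policy change", "privilege use"}
W2K_FAILURE = SUCCESS | {"object access", "system events"}
XP_2003_FAILURE = W2K_FAILURE - {"account management"}
DS = {"directory service access"}

# (audit for success, audit for failure) per platform, transcribed from the table.
REQUIRED = {
    "Windows 2000 Professional":    (SUCCESS, W2K_FAILURE),
    "Windows 2000 Server":          (SUCCESS, W2K_FAILURE),
    "Windows 2000 Server with ADS": (SUCCESS, W2K_FAILURE | DS),
    "Windows XP":                   (SUCCESS, XP_2003_FAILURE),
    "Windows Server 2003":          (SUCCESS, XP_2003_FAILURE),
    "Windows Server 2003 with ADS": (SUCCESS, XP_2003_FAILURE | DS),
}


def parse_event_audit(inf_text):
    """Return {category: (success_on, failure_on)} from a secedit template."""
    section, policy = None, {}
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Event Audit" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in INF_KEYS:
            mask = int(value)                       # 1 = success, 2 = failure
            policy[INF_KEYS[key]] = (bool(mask & 1), bool(mask & 2))
    return policy


def audit_policy_gaps(platform, policy):
    """Return (categories missing success auditing, categories missing failure
    auditing) for the platform; a category absent from the export counts as off."""
    want_success, want_failure = REQUIRED[platform]
    off = (False, False)
    missing_success = sorted(c for c in want_success if not policy.get(c, off)[0])
    missing_failure = sorted(c for c in want_failure if not policy.get(c, off)[1])
    return missing_success, missing_failure


# Constructed export: success auditing is mostly on, failure auditing is patchy.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Event Audit]
AuditSystemEvents = 2
AuditLogonEvents = 3
AuditObjectAccess = 0
AuditPrivilegeUse = 3
AuditPolicyChange = 1
AuditAccountManage = 3
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 3
[Version]
signature="$CHICAGO$"
Revision=1
"""

if __name__ == "__main__":
    policy = parse_event_audit(SAMPLE_INF)
    for platform in REQUIRED:
        print(platform, audit_policy_gaps(platform, policy))
```

On a real host, export the policy with secedit /export /cfg audit.inf /areas SECURITYPOLICY and read the file with encoding='utf-16', since secedit writes it as Unicode; the same export also carries the event log retention and size settings that the System Auditing module checks.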