Symantec ESM Policy Manual for FISMA (NIST 800-53) for Windows
The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.
060320
Copyright Notice
Copyright 2004-2006 Symantec Corporation. All Rights Reserved.
Any technical documentation that is made available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by Symantec Corporation.
NO WARRANTY. The technical documentation is being delivered to you AS-IS and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the technical documentation or the information contained therein is at the risk of the user. Documentation may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice.
No part of this publication may be copied without the express written permission of Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014.
Trademarks
Symantec, the Symantec logo, Symantec Enterprise Security Manager, LiveUpdate, and Symantec Security Response are trademarks of Symantec Corporation. Microsoft, MS-DOS, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are hereby acknowledged.
Printed in the United States of America.
Technical support
As part of Symantec Security Response, the Symantec Global Technical Support group maintains support centers throughout the world. The Technical Support group’s primary role is to respond to specific questions on product feature/function, installation, and configuration, as well as to author content for our Web-accessible Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering as well as Symantec Security Response to provide Alerting Services and Virus Definition Updates for virus outbreaks and security alerts.
Symantec technical support offerings include:
■ A range of support options that gives you the flexibility to select the right amount of service for any size organization
■ Telephone and Web support components that provide rapid response and up-to-the-minute information
■ Upgrade insurance that delivers automatic software upgrade protection
■ Content Updates for virus definitions and security signatures that ensure the highest level of protection
■ Global support from Symantec Security Response experts, which is available 24 hours a day, 7 days a week worldwide in a variety of languages
■ Advanced features, such as the Symantec Alerting Service and Technical Account Manager role, that offer enhanced response and proactive security support
Please visit our Web site for current information on Support Programs. The specific features that are available may vary based on the level of support purchased and the specific product that you are using.
Licensing and registration
If the product that you are implementing requires registration and/or a license key, the fastest and easiest way to register your service is to access the Symantec licensing and registration site at www.symantec.com/certificate. Alternatively, you may go to www.symantec.com/techsupp/ent/enterprise.htm, select the product that you wish to register, and from the Product Home Page, select the Licensing and Registration link.
Contacting Technical Support
Customers with a current support agreement may contact the Technical Support group by phone or online at www.symantec.com/techsupp.
Customers with Platinum support agreements may contact Platinum Technical Support by the Platinum Web site at www-secure.symantec.com/platinum/.
When contacting the Technical Support group, please have the following:
■ Product release level
■ Hardware information
■ Available memory, disk space, NIC information
■ Operating system
■ Version and patch level
■ Network topology
■ Router, gateway, and IP address information
■ Problem description
■ Error messages/log files
■ Troubleshooting performed prior to contacting Symantec
■ Recent software configuration changes and/or network changes
Customer Service
To contact Enterprise Customer Service online, go to www.symantec.com, select the appropriate Global Site for your country, then choose Service and Support. Customer Service is available to assist with the following types of issues:
■ Questions regarding product licensing or serialization
■ Product registration updates such as address or name changes
■ General product information (features, language availability, local dealers)
■ Latest information on product updates and upgrades
■ Information on upgrade insurance and maintenance contracts
■ Information on Symantec Value License Program
■ Advice on Symantec's technical support options
■ Nontechnical presales questions
■ Missing or defective CD-ROMs or manuals
Symantec Software License Agreement
Symantec Enterprise Security Manager™
SYMANTEC CORPORATION AND/OR ITS SUBSIDIARIES (“SYMANTEC”) IS WILLING TO LICENSE THE SOFTWARE TO YOU AS AN INDIVIDUAL, THE COMPANY, OR THE LEGAL ENTITY THAT WILL BE UTILIZING THE SOFTWARE (REFERENCED BELOW AS “YOU” OR “YOUR”) ONLY ON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS OF THIS LICENSE AGREEMENT. READ THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT CAREFULLY BEFORE USING THE SOFTWARE. THIS IS A LEGAL AND ENFORCEABLE CONTRACT BETWEEN YOU AND THE LICENSOR. BY OPENING THIS PACKAGE, BREAKING THE SEAL, CLICKING THE “AGREE”, “ACCEPT” OR “YES” BUTTON OR OTHERWISE INDICATING ASSENT ELECTRONICALLY, OR LOADING THE SOFTWARE, YOU AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO THESE TERMS AND CONDITIONS, CLICK THE “I DO NOT AGREE”, “I DO NOT ACCEPT” OR “NO” BUTTON OR OTHERWISE INDICATE REFUSAL AND MAKE NO FURTHER USE OF THE SOFTWARE.
1. License:
The software and documentation that accompanies this license (collectively the “Software”) is the proprietary property of Symantec or its licensors and is protected by copyright law. While Symantec continues to own the Software, You will have certain rights to use the Software after Your acceptance of this license. This license governs any releases, revisions, or enhancements to the Software that the Licensor may furnish to You. Except as may be modified by an applicable Symantec license certificate, license coupon, or license key (each a “License Module”) that accompanies, precedes, or follows this license, and as may be further defined in the user documentation accompanying the Software, Your rights and obligations with respect to the use of this Software are as follows.
You may:
A. use the number of copies of the Software as have been licensed to You by Symantec under a License Module. If the Software is part of a suite containing multiple Software titles, the number of copies You may use may not exceed the aggregate number of copies indicated in the License Module, as calculated by any combination of licensed Software titles. Your License Module shall constitute proof of Your right to make such copies. If no License Module accompanies, precedes, or follows this license, You may make one copy of the Software You are authorized to use on a single computer;
B. make one copy of the Software for archival purposes, or copy the Software onto the hard disk of Your computer and retain the original for archival purposes;
C. use the Software on a network, provided that You have a licensed copy of the Software for each computer that can access the Software over that network;
D. use the Software in accordance with any written agreement between You and Symantec; and
E. after written consent from Symantec, transfer the Software on a permanent basis to another person or entity, provided that You retain no copies of the Software and the transferee agrees in writing to the terms of this license.
You may not:
A. copy the printed documentation that accompanies the Software;
B. sublicense, rent, or lease any portion of the Software; reverse engineer, decompile, disassemble, modify, translate, make any attempt to discover the source code of the Software, or create derivative works from the Software;
C. use the Software as part of a facility management, timesharing, service provider, or service bureau arrangement;
D. use a previous version or copy of the Software after You have received and installed a disk replacement set or an upgraded version. Upon upgrading the Software, all copies of the prior version must be destroyed;
E. use a later version of the Software than is provided herewith unless You have purchased corresponding maintenance and/or upgrade insurance or have otherwise separately acquired the right to use such later version;
F. use, if You received the software distributed on media containing multiple Symantec products, any Symantec software on the media for which You have not received permission in a License Module; nor
G. use the Software in any manner not authorized by this license.
2. Content Updates:
Certain Software utilize content that is updated from time to time (including but not limited to the following Software: antispam software utilize updated antispam rules; antivirus software utilize updated virus definitions; content filtering software utilize updated URL lists; some firewall software utilize updated firewall rules; policy compliance software utilize updated policy compliance updates; and vulnerability assessment products utilize updated vulnerability signatures; these updates are collectively referred to as “Content Updates”). You shall have the right to obtain Content Updates for any period for which You have purchased maintenance, except for those Content Updates that Symantec elects to make available by separate paid subscription, or for any period for which You have otherwise separately acquired the right to obtain Content Updates. Symantec reserves the right to designate specified Content Updates as requiring purchase of a separate subscription at any time and without notice to You; provided, however, that if You purchase maintenance hereunder that includes particular Content Updates on the date of purchase, You will not have to pay an additional fee to continue receiving such Content Updates through the term of such maintenance even if Symantec designates such Content Updates as requiring separate purchase. This License does not otherwise permit the licensee to obtain and use Content Updates.
3. Limited Warranty:
Symantec warrants that the media on which the Software is distributed will be free from defects for a period of thirty (30) days from the date of delivery of the Software to You. Your sole remedy in the event of a breach of this warranty will be that Symantec will, at its option, replace any defective media returned to Symantec within the warranty period or refund the money You paid for the Software. Symantec does not warrant that the Software will meet Your requirements or that operation of the Software will be uninterrupted or that the Software will be error-free.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE ABOVE WARRANTY IS EXCLUSIVE AND IN LIEU OF ALL OTHER WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS. THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS. YOU MAY HAVE OTHER RIGHTS, WHICH VARY FROM STATE TO STATE AND COUNTRY TO COUNTRY.
4. Disclaimer of Damages:
SOME STATES AND COUNTRIES, INCLUDING MEMBER COUNTRIES OF THE EUROPEAN ECONOMIC AREA, DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE BELOW LIMITATION OR EXCLUSION MAY NOT APPLY TO YOU.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW AND REGARDLESS OF WHETHER ANY REMEDY SET FORTH HEREIN FAILS OF ITS ESSENTIAL PURPOSE, IN NO EVENT WILL SYMANTEC BE LIABLE TO YOU FOR ANY SPECIAL, CONSEQUENTIAL, INDIRECT, OR SIMILAR DAMAGES, INCLUDING ANY LOST PROFITS OR LOST DATA ARISING OUT OF THE USE OR INABILITY TO USE THE SOFTWARE EVEN IF SYMANTEC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
IN NO CASE SHALL SYMANTEC’S LIABILITY EXCEED THE PURCHASE PRICE FOR THE SOFTWARE. The disclaimers and limitations set forth above will apply regardless of whether or not You accept the Software.
5. U.S. Government Restricted Rights:
RESTRICTED RIGHTS LEGEND. All Symantec products and documentation are commercial in nature. The software and software documentation are “Commercial Items,” as that term is defined in 48 C.F.R. section 2.101, consisting of “Commercial Computer Software” and “Commercial Computer Software Documentation,” as such terms are defined in 48 C.F.R. section 252.227-7014(a)(5) and 48 C.F.R. section 252.227-7014(a)(1), and used in 48 C.F.R. section 12.212 and 48 C.F.R. section 227.7202, as applicable. Consistent with 48 C.F.R. section 12.212, 48 C.F.R. section 252.227-7015, 48 C.F.R. section 227.7202 through 227.7202-4, 48 C.F.R. section 52.227-14, and other relevant sections of the Code of Federal Regulations, as applicable, Symantec’s computer software and computer software documentation are licensed to United States Government end users with only those rights as granted to all other end users, according to the terms and conditions contained in this license agreement. Manufacturer is Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014, United States of America.
6. Export Regulation:
Certain Symantec products are subject to export controls by the U.S. Department of Commerce (DOC), under the Export Administration Regulations (EAR) (see www.bxa.doc.gov). Violation of U.S. law is strictly prohibited. Licensee agrees to comply with the requirements of the EAR and all applicable international, national, state, regional and local laws, and regulations, including any applicable import and use restrictions. Symantec products are currently prohibited for export or re-export to Cuba, North Korea, Iran, Iraq, Libya, Syria and Sudan or to any country subject to applicable trade sanctions. Licensee agrees not to export, or re-export, directly or indirectly, any product to any country outlined in the EAR, nor to any person or entity on the DOC Denied Persons, Entities and Unverified Lists, the U.S. Department of State’s Debarred List, or on the U.S. Department of Treasury's lists of Specially Designated Nationals, Specially Designated Narcotics Traffickers, or Specially Designated Terrorists. Furthermore, Licensee agrees not to export, or re-export, Symantec products to any military entity not approved under the EAR, or to any other entity for any military purpose, nor will it sell any Symantec product for use in connection with chemical, biological, or nuclear weapons or missiles capable of delivering such weapons.
7. General:
If You are located in North America or Latin America, this Agreement will be governed by the laws of the State of California, United States of America. Otherwise, this Agreement will be governed by the laws of England and Wales. This Agreement and any related License Module is the entire agreement between You and Symantec relating to the Software and: (i) supersedes all prior or contemporaneous oral or written communications, proposals, and representations with respect to its subject matter; and (ii) prevails over any conflicting or additional terms of any quote, order, acknowledgment, or similar communications between the parties. This Agreement shall terminate upon Your breach of any term contained herein and You shall cease use of and destroy all copies of the Software. The disclaimers of warranties and damages and limitations on liability shall survive termination. Software and documentation is delivered Ex Works California, U.S.A. or Dublin, Ireland respectively (ICC INCOTERMS 2000). This Agreement may only be modified by a License Module that accompanies this license or by a written document that has been signed by both You and Symantec. Should You have any questions concerning this Agreement, or if You desire to contact Symantec for any reason, please write to: (i) Symantec Customer Service, 555 International Way, Springfield, OR 97477, U.S.A., (ii) Symantec Customer Service Center, PO BOX 5689, Dublin 15, Ireland, or (iii) Symantec Customer Service, 1 Julius Ave, North Ryde, NSW 2113, Australia.
8. Additional Uses and Restrictions:
A. Required Software Installation and Activation:
There may be technological measures in this Software that are designed to prevent unlicensed or illegal use of the Software. You agree that Symantec may use these measures. You must register the Software functions and any associated maintenance and support that are controlled by these technological measures through the use of the Internet. Symantec cannot guarantee that use of the Internet will be uninterrupted. Symantec will maintain your registration details.
B. If the Software You have licensed is Symantec Enterprise Security Manager, notwithstanding any of the terms and conditions contained herein, the following additional terms apply to the Software:
1. Permission to use the software to assess Desktop, Server, or Network devices does not constitute permission to make additional copies of the Software.
2. You may use the Software to assess up to the number of Desktop computers, on which a host-based agent is installed, as set forth under a License Module. “Desktop” means a computer for a single end user.
3. You may use the Software to assess up to the number of Servers, on which a host-based agent is installed, as set forth under a License Module. “Server” means a computer that is used to provide services to other computers via a network.
4. You may use the Software to assess up to the number of Virtual Machines, on which a host-based agent is installed, as set forth under a License Module. “Virtual Machine” means a machine completely defined and implemented in software rather than hardware. Virtual Machines are run on a hosting Server and can function as a Server or Desktop.
5. You may use the Software to assess up to the number of unique Network Devices set forth under a License Module, which can be assessed by a network scan agent. “Network Devices” means an interconnected system of computers and devices.
C. If the Software you have licensed includes Cognos® Report Studio You may use the single (1) user license of Cognos Report Studio that is received with the Software only. Additional Cognos Report Studio licenses must be purchased separately.
02.03.05ENT.GLBL.EULA.ESM6.5
Contents
Symantec ESM Policy Manual for FISMA (NIST 800-53) for Windows
Introducing the policy ... 12
    About the policy ... 12
    About the Federal Information Security Management Act of 2002 ... 13
    Where to get more information ... 13
Installing the policy ... 14
    Before you install ... 14
    Installing the policy ... 14
Policy modules ... 16
    Account Information ... 16
    Account Integrity ... 17
    Active Directory ... 21
    Backup Integrity ... 22
    Discovery ... 23
    Disk Quota ... 23
    Encrypted File System ... 24
    File Attributes ... 24
    File Watch ... 26
    Group Policy ... 28
    Integrated Command Engine ... 29
    Login Parameters ... 30
    Network Assessment ... 31
    Network Integrity ... 33
    Object Integrity ... 35
    OS Patches ... 35
    Password Strength ... 39
    Registry ... 42
    Startup Files ... 43
    Symantec Product Info ... 45
    System Auditing ... 46
Symantec ESM Policy Manual for FISMA (NIST 800-53) for Windows
This document includes the following topics:
■ Introducing the policy
■ Installing the policy
■ Policy modules
Introducing the policy
This Symantec ESM policy for FISMA assesses compliance with the Federal Information Security Management Act (FISMA) requirements for protecting information and the systems that store and distribute it.
Running Symantec ESM with the FISMA policy also helps you comply with FISMA section 3544(a)(1)(C), which requires an integrated information security program, and with sections 3544(a)(2)(D), 3544(b)(5), and 3544(b)(5)(A), which call for periodic testing, evaluation, and assessment of your information security posture.
Except where otherwise explicitly noted, all Symantec ESM checks in this policy reference FISMA section 3545(f), “Protection of Information.”
FISMA section 3544(a)(1)(B)(i) requires compliance with 40 U.S.C. section 11331, which amends the National Institute of Standards and Technology Act to give the National Institute of Standards and Technology (NIST) authority to establish information security standards for federal agencies and their contractors, other than for national security systems. In turn, NIST has published Special Publication 800-53, which establishes specific requirements and guidelines for information security. Symantec ESM modules and checks are mapped to Appendix F, Security Control Catalog, of Special Publication 800-53 Revision 1 Draft.
The mappings between Symantec ESM security checks and 800-53 controls give auditors and examiners evidence of compliance.
About the policy
This policy can be installed on Symantec ESM 5.5, 6.0, and 6.5 managers that are running Security Update 25 or later on the following operating systems:
■ Microsoft Windows 2000 Professional, Server, Domain Controller
■ Microsoft Windows Server 2003 Standard Edition, Enterprise Edition, 64-Bit Itanium Edition, and x64 Editions (Xeon and Opteron)
■ Microsoft Windows XP Professional
About the Federal Information Security Management Act of 2002
The Federal Information Security Management Act of 2002 (FISMA, P.L. 107-347, Sec. 301-305) requires federal agencies to establish risk-based information security programs that include periodic risk assessments and compliance with information security standards. Agencies and U.S. Federal contractors are required to assess the risks that could result from unauthorized access, use, disclosure, disruption, modification, or destruction of information on U.S. Federal government or contract systems.
FISMA Section 3544(a)(1)(B)(i) establishes the requirement for Agency heads to comply with Section 11331 of Title 40 U.S.C.
Section 11331 amends section 20 of the National Institute of Standards and Technology Act to give NIST responsibility for developing standards and guidelines for agencies, and for contractors to agencies, covering systems other than national security systems.
NIST has developed Special Publication 800-53, Recommended Security Controls for Federal Information Systems. NIST has full authority to set these standards. The final version of NIST 800-53 was published in February 2005. NIST 800-53 Revision 1 Draft was published in February 2006; it adds a few controls to the final standard.
FISMA 3545(f) specifies a requirement for “protection of information”. While NIST 800-53 describes many practices that protect information, the publication nowhere explicitly recognizes this FISMA requirement; it focuses primarily on activities that protect systems, not data.
Where to get more information
The complete FISMA act is available at http://www.fedcirc.gov/library/legislation/FISMA.html.
All National Institute of Standards and Technology (NIST) Special Publications are available at http://csrc.nist.gov/publications/nistpubs/.
NIST Special Publication 800-53 Final (February 2005) is available at http://csrc.nist.gov/publications/nistpubs/800-53/SP800-53.pdf.
NIST Special Publication 800-53 Revision 1 Draft (February 26, 2006) is available at http://csrc.nist.gov/publications/drafts/800-53-rev1-ipd-clean.pdf.
The latest draft of Revision 1, dated 28 February 2006, was used to map Symantec ESM security checks to the 800-53 standard.
Installing the policy
Before you install
Decide which Symantec ESM managers require the policy. Policies run on managers, so they do not need to be installed on agents. The policy runs only on Symantec ESM 5.5 or later with Security Update 25 or later. Update any managers that do not meet these requirements.
For full check coverage, update your Symantec ESM agents to SU 25 or later. Running this policy against agents with SU 24 or earlier may return no data for the newer checks. As a reminder, you must reinstall the policy after updating to a new SU so that all of its checks are registered.
Installing the policy
The standard installation method is to use the LiveUpdate feature in the Symantec ESM console. Alternatively, you can install the policy manually from files obtained on CD or from the Internet.
LiveUpdate installation
Install the policy by using the LiveUpdate feature in the Symantec ESM console.
To install the policy
1 Connect the Symantec ESM Enterprise Console to managers you want to install the policy on.
2 Click the LiveUpdate icon to start the LiveUpdate wizard.
3 In the wizard, ensure that Symantec LiveUpdate (Internet) is selected, and then click Next.
4 In the Welcome to LiveUpdate dialog box, click Next.
5 Do one of the following:
■ To install all checked products and components, click Next.
■ To omit a product from the update, uncheck it, and then click Next.
■ To omit a product component, expand the product node, uncheck the component that you want to omit, and then click Next.
6 Click Next.
7 Click Finish.
8 Ensure that all managers that you want to update are checked.
9 Click Next.
10 Click OK.
11 Click Finish.
Manual installation
If you cannot use LiveUpdate to install the policy directly from a Symantec server, you can install the policy manually, using files from a CD or the Internet.
To obtain policy files
1 Connect the Symantec ESM Enterprise Console to managers you want to install the policy on.
2 From the Security Response Web site (http://securityresponse.symantec.com), download the executable files for the following operating systems:
■ Microsoft Windows 2000
■ Microsoft Windows Server 2003
■ Microsoft Windows XP
Note: To avoid conflicts with updates that are performed by standard LiveUpdate installations, copy or extract the files into the LiveUpdate folder, which is usually C:\Program Files\Symantec\LiveUpdate.
To install the policy on a Symantec ESM manager
1 On a computer running Windows XP/2000/Server 2003 that has network access to the manager, run the executable that you downloaded from the Symantec Security Response Web site.
2 Click Next to close the Welcome dialog box.
3 In the License Agreement dialog box, if you agree to the terms of the agreement, click Yes.
4 Click Yes to continue installation of the best practice policy.
5 Type the requested manager information.
6 Click Next.
If the manager’s modules have not been upgraded to Security Update 25 or later, the install program returns an error message and aborts the installation. Upgrade the manager to SU 25 or later, then rerun the install program.
7 Click Finish.
Policy modules
The Symantec ESM policy for FISMA runs the following modules to assess compliance with FISMA using the NIST 800-53 Revision 1 control catalog. Use this policy to assist you in assessing your compliance with FISMA.
The enabled checks of each module are listed beneath the module description. Checks marked “N/A” do not map to NIST 800-53, are not applicable, and are not included in the policy. See the current Security Update User’s Guide for Windows for check, message, and template details.
This FISMA policy is delivered as two separate policies:
■ FISMA NIST 800-53 R1
Contains checks for all platforms, including Windows, UNIX, and Linux.
■ FISMA NIST 800-53 R1 for PDCs
Contains Windows 2000 Server and Windows Server 2003 checks only. A separate policy is needed because some Symantec ESM checks apply only to domain controllers.
This policy is read-only. Symantec’s read-only policies are occasionally updated (overwritten) by LiveUpdate. To edit this policy, first duplicate it from within the Symantec ESM console and rename the copy. Then add organization- and user-specific data, such as user names and groups, to the various checks to ensure an accurate assessment.
For more information on the individual Symantec ESM checks, see the current Symantec ESM Security Update User’s Guide (for example, the Security Update 17 User's Guide for Windows, PDF) and the release notes of each quarterly security update (for example, the Security Update 25 Release Notes, PDF). Both are posted on http://securityresponse.symantec.com under Security Updates: Symantec Enterprise Security Manager, ESM Security Updates.
Account Information

The Account Information module reports requested account information.

Check | NIST 800-53 Rev. 1
Disabled accounts | AC-2(3)(4) - Account Management
Expired accounts (Windows 2000 Server PDCs and Windows Server 2003 PDCs only) | AC-2(2) - Account Management; AC-7 - Unsuccessful Login Attempts
File/folder access for accounts | AC-3 - Access Enforcement; AC-5 - Separation of Duties
Locked out accounts | AC-7 - Unsuccessful Login Attempts; AC-2 - Account Management
Security groups and their users | AC-3 - Access Enforcement; AC-5 - Separation of Duties
Share permissions | AC-3 - Access Enforcement; AC-4 - Information Flow Enforcement
User information | IA-2 - User Identification and Authentication; IA-4 - Identifier Management
User rights for accounts (do not exclude Administrator) | AC-3 - Access Enforcement; AC-5 - Separation of Duties
Users and their security groups | AC-3 - Access Enforcement; AC-5 - Separation of Duties
Users with Administrator privilege | AC-3(1) - Access Enforcement; AC-5 - Separation of Duties; AC-6 - Least Privilege; CM-5 - Access Restrictions for Change; SA-10 - Developer Configuration Management

17 Symantec ESM Policy Manual for FISMA (NIST 800-53) for Windows | Policy modules

Account Integrity

The Account Integrity module reports new, changed, and deleted accounts, account names, and privileges.
The module also creates and maintains snapshot files. Run the module one time to create the baseline snapshot file on each agent, then periodically rerun the module to detect changes.
Check | NIST 800-53 Rev. 1
Access this computer from network | AC-17 - Remote Access; CA-3 - Information System Connections; SC-14 - Public Access Protections
Accounts that must be disabled | IA-2 - User Identification and Authentication; IA-4 - Identifier Management; CM-6 - Configuration Settings
Accounts that never expire (Windows 2000 and 2003 only) | AC-2 - Account Management
Accounts without time restrictions (Windows 2000 and 2003 only) | IA-5 - Authenticator Management
Accounts without workstation restrictions (Windows 2000 and 2003 only) | IA-5 - Authenticator Management
Act as part of the operating system | CM-5 - Access Restrictions for Change
Add workstations to domain (Windows 2000 and 2003 only) | CA-3 - Information System Connections; CM-5 - Access Restrictions for Change; CM-7 - Least Functionality
Adjust memory quotas for a process (Windows 2000 and 2003 only) | N/A
Allow log on locally / Log on locally | N/A
Allow logon through Terminal Services | AC-17 - Remote Access
Automatically update snapshots | N/A
Back up files and directories | CM-5 - Access Restrictions for Change; CM-4 - Monitoring Configuration Changes; CM-6 - Configuration Settings
Bypass traverse checking | N/A
Change the system time | CM-5 - Access Restrictions for Change; CM-4 - Monitoring Configuration Changes; CM-6 - Configuration Settings
Changed groups | SA-10 - Developer Configuration Management
Changed users (Windows 2000 and 2003 PDCs only) | SA-10 - Developer Configuration Management
Create a pagefile | N/A
Create a token object | N/A
Create global objects (Windows 2000 and 2003 only) | N/A
Create permanent shared objects | CM-5 - Access Restrictions for Change; CM-4 - Monitoring Configuration Changes; CM-6 - Configuration Settings
Debug programs | SA-11 - Developer Security Testing
Deleted groups | AC-5 - Separation of Duties; AC-6 - Least Privilege
Deleted users | PS-4 - Personnel Termination; PS-5 - Personnel Transfer
Deny access to this computer from the network | AC-17 - Remote Access; AC-3 - Access Enforcement
Deny logon as a batch job | AC-3 - Access Enforcement
Deny logon as a service | AC-3 - Access Enforcement
Deny logon locally | AC-3 - Access Enforcement
Deny logon through Terminal Services | AC-17 - Remote Access; AC-3 - Access Enforcement
Disabled/expired/locked accounts | AC-2 - Account Management; IA-4 - Identifier Management
Enable computer and user accounts to be trusted for delegation | AC-4 - Information Flow Enforcement
Force shutdown from a remote system | AU-5 - Audit Processing
Full/Display name and description required (Windows XP only) | IA-2 - User Identification and Authentication; IA-4 - Identifier Management
Generate security audits | AC-13 - Supervision and Review - Access Control; AU-5 - Audit Processing; CM-4 - Monitoring Configuration Changes
Group member watch | N/A
Groups guest belongs to | AC-14 - Permitted Actions without Identification or Authentication
Impersonate a client after authentication (Windows 2000 and 2003 only) | AC-4 - Information Flow Enforcement
Increase scheduling priority | SC-6 - Resource Priority
Load and unload device drivers | CM-5 - Access Restrictions for Change; CM-4 - Monitoring Configuration Changes; CM-6 - Configuration Settings
Lock pages in memory | N/A
Log on as a batch job | AC-4 - Information Flow Enforcement
Log on as a service | AC-4 - Information Flow Enforcement
Manage auditing and security log | SI-4 - Information System Monitoring Tools and Techniques; AC-5 - Separation of Duties; AC-13 - Supervision and Review - Access Control; AU-5 - Audit Processing; CM-4 - Monitoring Configuration Changes
Maximum reported messages | N/A
Modify firmware environment values | N/A
New groups | N/A
New users | IA-4 - Identifier Management
Perform volume maintenance tasks (Windows 2003 only) | AC-5 - Separation of Duties
Profile single process | N/A
Profile system performance | N/A
Remove computer from docking station | N/A
Rename administrator account | AC-3 - Access Enforcement
Rename guest account | AC-14 - Permitted Actions without Identification or Authentication
Replace a process level token | N/A
Report excessive number of accounts | AC-2 - Account Management
Restore files and directories | CM-5 - Access Restrictions for Change; CM-4 - Monitoring Configuration Changes; CM-6 - Configuration Settings
Screen saver timeout | N/A
Shut down the system | CM-5 - Access Restrictions for Change; CM-4 - Monitoring Configuration Changes; CM-6 - Configuration Settings
Synchronize directory service data (Servers running ADS) | CM-5 - Access Restrictions for Change; CM-4 - Monitoring Configuration Changes; CM-6 - Configuration Settings
Take ownership of files or other objects | CM-5 - Access Restrictions for Change; CM-4 - Monitoring Configuration Changes; CM-6 - Configuration Settings
User rights checks | AC-3 - Access Enforcement; AC-5 - Separation of Duties; AC-6 - Least Privilege
Users to check | AC-3 - Access Enforcement; AC-5 - Separation of Duties; AC-6 - Least Privilege

Active Directory

The Active Directory module for Windows 2000 and Windows Server 2003 reports group policy objects (GPOs) that apply to users, groups, and computers in the Active Directory Service (ADS). GPOs are Active Directory objects that contain group policies, such as the Windows security policy. GPO settings can be applied to sites, domains, and organizational units. These ADS checks do not apply to Windows XP.

Check | NIST 800-53 Rev. 1
Computers with applied GPOs | AC-3 - Access Enforcement; CA-3 - Information System Connections; CM-6 - Configuration Settings
Computers without applied GPOs | AC-3 - Access Enforcement; CA-3 - Information System Connections; CM-6 - Configuration Settings
Enforce user logon restrictions | IA-5 - Authenticator Management
Maximum lifetime for service ticket (PDC only) | AC-12 - Session Termination
Maximum lifetime for user ticket (PDC only) | AC-12 - Session Termination
Maximum lifetime for user ticket renewal (PDC only) | AC-12 - Session Termination
Maximum tolerance for computer clock synchronization (PDC only) | AC-12 - Session Termination
Security groups with applied GPOs | AC-3 - Access Enforcement; CA-3 - Information System Connections; CM-6 - Configuration Settings
Security groups without applied GPOs | AC-3 - Access Enforcement; CA-3 - Information System Connections; CM-6 - Configuration Settings
Security options | N/A
Users with applied GPOs | AC-3 - Access Enforcement; CA-3 - Information System Connections; CM-6 - Configuration Settings
Users without applied GPOs | AC-3 - Access Enforcement; CA-3 - Information System Connections; CM-6 - Configuration Settings

Backup Integrity

The Backup Integrity module introduces checks for Symantec Backup Exec settings.

Check | NIST 800-53 Rev. 1
Backup Exec last backup status | CP-9 - Information System Backup
Backup Exec backup frequency | N/A
Backup Exec version | CP-9 - Information System Backup
Backups needed | CP-9 - Information System Backup
Folders excluded | CP-9 - Information System Backup
Discovery

The Discovery module identifies systems and selected applications on the network.

Check | NIST 800-53 Rev. 1
Profile candidate devices | IA-3 - Device Identification and Authentication; RA-3 - Risk Assessment
Profile timeout | IA-3 - Device Identification and Authentication
Report if found | IA-3 - Device Identification and Authentication; RA-3 - Risk Assessment
Scan non-responding addresses | IA-3 - Device Identification and Authentication
Symantec ESM device status | IA-3 - Device Identification and Authentication
Symantec Intruder Alert device status | SI-4(1) - Information System Monitoring Tools and Techniques; IA-3 - Device Identification and Authentication
Targets | IA-3 - Device Identification and Authentication

Disk Quota

The Disk Quota module reports on disk usage thresholds for users.

Check | NIST 800-53 Rev. 1
User exceeds quota | SA-2 - Allocation of Resources
User exceeds warning | SA-2 - Allocation of Resources
User quota not enforced | SA-2 - Allocation of Resources
Volume quota disabled | SA-2 - Allocation of Resources
Volume quota enforced | SA-2 - Allocation of Resources
Volume quota exceeds limit | SA-2 - Allocation of Resources
Volume quota not enforced | SA-2 - Allocation of Resources
Volume quota not logged | SI-4 - Information System Monitoring Tools and Techniques
Volume quota not supported | SA-2 - Allocation of Resources
Volume warning exceeds limit | SA-2 - Allocation of Resources
Volume warning not logged | SI-4 - Information System Monitoring Tools and Techniques

Encrypted File System

The Encrypted File System module reports on Windows EFS settings.

Check | NIST 800-53 Rev. 1
EFS not supported | AC-3 - Access Enforcement
File recovery agents not authorized | AC-3 - Access Enforcement
Files can be decrypted by others | AC-3 - Access Enforcement
Percentage of encrypted files | AC-3 - Access Enforcement

File Attributes

The File Attributes module detects and reports changes to:
■ File creation and modification times
■ File sizes
■ CRC/MD5 checksum signatures
■ Access Control Lists (ACLs)
■ Results of checksum checks
The File Attributes module also reports folders where the Everyone group has Full Control permissions, and violations of the file permissions that are specified in template entries.
The module also creates and maintains snapshot files. Run the module one time to create the baseline snapshot file on each agent, then periodically rerun the module to detect changes.

Check | NIST 800-53 Rev. 1
Allow any privileged account | AC-3 - Access Enforcement
Auditing ACLs | AC-3 - Access Enforcement; AC-5 - Separation of Duties
Automatically update snapshots | N/A
Changed file (signature) | CA-2 - Security Assessments; SI-7 - Software and Information Integrity
Changed file (size) | CA-2 - Security Assessments; SI-7 - Software and Information Integrity
Changed file (times) | CA-2 - Security Assessments; SI-7 - Software and Information Integrity
Display fully qualified names in Name field | IA-2 - User Identification and Authentication; IA-4 - Identifier Management
Do not notify if file permissions are increased in security | N/A
Do not notify if User/Group in ACL is not on system | AC-3 - Access Enforcement
Event log info | AC-13 - Supervision and Review - Access Control
File ACLs | AC-3 - Access Enforcement; CM-6 - Configuration Settings
File and folder attributes | CM-6 - Configuration Settings
File and folder ownership | CM-6 - Configuration Settings
File and folder permissions | N/A
Files giving all users Full Control | CM-6 - Configuration Settings; CA-2 - Security Assessments; AC-5 - Separation of Duties; AC-6 - Least Privilege
File version (Windows XP and 2000 only) | N/A
Hidden files and folders | N/A
Keywords list | (Supports AC-3 and AC-5)
Maximum reported messages | N/A
Template file list | (Supports AC-3 and AC-5)
File Attributes template files

Symantec uses LiveUpdate every two weeks to overwrite the default template files that are loaded on your computer.
Each default File Attributes template is for a specific operating system. The default File Attributes template files have the following names and extensions.

Operating system | File name | Template name
Windows 2000 primary domain controller | fileatt.s50 | File
Windows 2000 Server | fileatt.s50 | File
Windows Server 2003 | fileatt.s52 | File
Windows 2000 Professional | fileatt.w50 | File
Windows XP | fileatt.w51 | File
All Windows | windows.fkl | File Keywords

You can add new File templates to a copy of this policy, or you can add files to copies of the default templates to expand the scope of files that are monitored for changes. To meet your company’s security policy needs, you must change the default values by copying and renaming the policy files.
For instructions and more information about specific checks and messages, see the current Symantec ESM Security Update User’s Guide (for example, Security Update 17 User's Guide for Windows (PDF)) and the release notes (for example, Security Update 25 Release Notes (PDF)) of each quarterly security update (SU) posted on http://securityresponse.symantec.com --> Security Updates: Symantec Enterprise Security Manager --> ESM Security Updates.

File Watch

The File Watch module reports new and deleted files and folders, and changed files. It creates and maintains a snapshot file, which stores file information, for each agent where you run the module. The Malicious files check helps to meet requirements under sections 3546(a)(1) and 3546(a)(3) of FISMA.
Run the module one time to create the baseline snapshot file on each agent, then periodically rerun the module to detect changes.

Check | NIST 800-53 Rev. 1
Automatically update snapshots | N/A
Changed files (ownership) | CM-4 - Monitoring Configuration Changes; SI-7 - Software and Information Integrity
Changed files (signature) | CM-4 - Monitoring Configuration Changes; SI-7 - Software and Information Integrity
Event log info | AC-13 - Supervision and Review - Access Control
Files/folders to watch | (Supports SI-3)
Ignore directories | N/A
Invalid signature | N/A
Keywords list | (Supports CM-4 and SI-7)
Malicious files | SI-3 - Malicious Code Protection
New files | CM-4 - Monitoring Configuration Changes; SI-7 - Software and Information Integrity
Removed files | CM-4 - Monitoring Configuration Changes; SI-7 - Software and Information Integrity

File Watch and Malicious File Watch template files

Symantec uses LiveUpdate every two weeks to overwrite the default template files that are loaded on your computer.
Each default File Watch template is for a specific operating system. Malicious File Watch templates identify known attack signatures for the Malicious files check.
Note: Do not edit Malicious File Watch files without renaming them first.
The default File Watch and Malicious File Watch template files have the following names and extensions.

Operating system | File name | Template name
Windows 2000 Server and domain controller | w2ksysroot.fw | File Watch
Windows 2000 | w2ksysroot.fw | File Watch
Windows XP | xpsysroot.fw | File Watch
Windows Server 2003 | ws3sysroot.fw | File Watch
Operating system | File name | Template name
Windows 2000 Server and ADS | w2ksysroot.mfw | Malicious File Watch
Windows 2000 Professional | w2ksysroot.mfw | Malicious File Watch
Windows XP | xpsysroot.mfw | Malicious File Watch
Windows Server 2003 and ADS | ws3sysroot.mfw | Malicious File Watch

You can add new File Watch templates to a copy of this policy, or you can add files to copies of the default templates to expand the scope of files that are monitored for changes. To meet your company’s security policy needs, you must change the default values by copying and renaming the policy files. For instructions and more information about specific checks and messages, see the current Symantec ESM Security Update User’s Guide.

Group Policy

The Active Directory module for Windows 2000 and Windows Server 2003 reports group policy objects (GPOs) that apply to users, groups, and computers in the Active Directory Service. GPOs are Active Directory objects that contain group policies, such as the Windows security policy. GPO settings can be applied to sites, domains, and organizational units. These GPO checks do not apply to Windows XP.

Check | NIST 800-53 Rev. 1
Account Policies - Account Lockout Policy (Windows 2000 and 2003 only) | AC-2(3) - Account Management
Account Policies - Password Policy (Windows 2000 and 2003 only) | IA-5 - Authenticator Management
Account Policies - Kerberos Policy (Windows 2000 and 2003 only) | N/A
Event Log (Windows 2000 and 2003 only) | AC-13 - Supervision and Review - Access Control; SI-4 - Information System Monitoring Tools and Techniques
File System (Windows 2000 and 2003 only) | N/A
Local Policies - Audit Policy (Windows 2000 and 2003 only) | AC-13 - Supervision and Review - Access Control
Local Policies - Security Options (Windows 2000 and 2003 only) | N/A
Local Policies - User Rights Assignment (Windows 2000 and 2003 only) | AC-3 - Access Enforcement
Registry (Windows 2000 and 2003 only) | N/A
Restricted Groups (Windows 2000 and 2003 only) | N/A
System Services (Windows 2000 and 2003 only) | N/A

Integrated Command Engine

The Integrated Command Engine module lets users add custom checks by running external scripts and executables and returning their results to Symantec ESM as if they were native security checks.

Check | NIST 800-53 Rev. 1
Check Return Code | N/A
Command Engine Templates | N/A
Copy scripts (All) | N/A
Failed messages | SI-11 - Error Handling
Information messages | N/A
Not Applicable messages | N/A
Not Available messages | N/A
Overwrite scripts (All) | N/A
Passed messages | N/A
Redirect Stderr to Stdout | N/A
Report All Stderr messages | SI-11 - Error Handling
Script Missing messages | SI-11 - Error Handling
Unmapped messages | SI-11 - Error Handling
User 1/0 messages | N/A
User 1/1 messages | N/A
User 1/2 messages | N/A
User 1/3 messages | N/A
User 1/4 messages | N/A
User 2/0 messages | N/A
User 2/1 messages | N/A
User 2/2 messages | N/A
User 2/3 messages | N/A
User 2/4 messages | N/A
User 3/0 messages | N/A
User 3/1 messages | N/A
User 3/2 messages | N/A
User 3/3 messages | N/A
User 3/4 messages | N/A

Login Parameters

The Login Parameters module checks whether the account lockout control setting is enabled, whether the lockout threshold is properly set, whether locked accounts must be reactivated by an administrator, and whether the autologon feature is disabled.

Check | NIST 800-53 Rev. 1
Account lockout duration | AC-2(3) - Account Management; AC-7 - Unsuccessful Login Attempts; CA-2 - Security Assessments; AC-9 - Previous Logon Notification; CM-6 - Configuration Settings
Account lockout threshold | AC-2(3) - Account Management; AC-7 - Unsuccessful Login Attempts; CA-2 - Security Assessments; AC-9 - Previous Logon Notification; CM-6 - Configuration Settings
Autologon disabled | IA-4 - Identifier Management; AC-2 - Account Management; CM-5 - Access Restrictions for Change
Bad logon counter reset | AC-7 - Unsuccessful Login Attempts
Display fully qualified names (Windows 2003 only) | IA-2 - User Identification and Authentication; IA-4 - Identifier Management
Expired logon hours disconnect (Windows 2000 and 2003 only) | AC-12 - Session Termination
Inactive accounts | AC-2(3) - Account Management; AC-11 - Session Lock
Inactive accounts timeout | AC-2(3) - Account Management; AC-11 - Session Lock
Inactive accounts with unchanged passwords | AC-2(3) - Account Management
Last user name hidden | IA-2 - User Identification and Authentication; IA-4 - Identifier Management
Legal notice | AC-8 - System Use Notification
Shutdown without logon | CM-4 - Monitoring Configuration Changes

Network Assessment

The Network Assessment module allows you to scan systems and devices for vulnerabilities. This optional module is sold as an add-on to Symantec ESM. A Windows ESM agent is required to host the scan engine, even though Windows, UNIX, Linux, routers, and other network applications are targeted.
As a reminder, you must reinstall the policy after installing the Network Assessment module so that all of the checks are registered properly.

Check | NIST 800-53 Rev. 1
ESM Agents to perform scan and systems to scan | RA-5 - Vulnerability Scanning
Template file list | RA-5 - Vulnerability Scanning

Network Assessment template files

Symantec uses LiveUpdate every two weeks to overwrite the default template files that are loaded on your computer.
Each default Network Assessment template is for a specific operating system or application. The default Network Assessment template files have the following names and extensions.

Operating system | File name | Template name
Windows XP, 2000, and 2003 | cisco.net | Network
Windows XP, 2000, and 2003 | exposure.net | Network
Windows XP, 2000, and 2003 | mail.net | Network
Windows XP, 2000, and 2003 | other.net | Network
Windows XP, 2000, and 2003 | samba.net | Network
Windows XP, 2000, and 2003 | unix.net | Network
Windows XP, 2000, and 2003 | web.net | Network
Windows XP, 2000, and 2003 | windows.net | Network

To meet your company’s security policy needs, you must change the default values by copying and renaming the policy files.
For instructions and more information about specific checks and messages, see the current Symantec ESM Security Update User’s Guide (for example, Security Update 17 User's Guide for Windows (PDF)) and the release notes (for example, Security Update 25 Release Notes (PDF)) of each quarterly security update (SU) posted on http://securityresponse.symantec.com --> Security Updates: Symantec Enterprise Security Manager --> ESM Security Updates.
Network Integrity

The Network Integrity module reports system configuration settings that pertain to authentication and remote access.
The module also creates and maintains snapshot files. Run the module one time to create the baseline snapshot file on each agent, then periodically rerun the module to detect changes.

Check | NIST 800-53 Rev. 1
Anonymous LANMan access disabled | AC-17 - Remote Access; IA-2 - User Identification and Authentication; IA-4 - Identifier Management
Anonymous SID/name translation (Windows Server 2003) | N/A
Automatically update snapshots | N/A
Deleted listening TCP ports | N/A
Deleted listening UDP ports | N/A
Deleted network shares | N/A
File security more restrictive than share security | N/A
Hidden shares | AC-17 - Remote Access
ICMP messages | N/A
ICS exposed network services | CM-7 - Least Functionality
Internet Connection Firewall | AC-4 - Information Flow Enforcement; AC-20 - Personally Owned Information Systems; SI-4(4) - Information System Monitoring Tools and Techniques
Internet Connection Sharing | CA-3 - Information System Connections
IP Security Policies (Windows 2000 and 2003 only) | N/A
IPv6 Protocol (Windows Server 2003 only) | N/A
Listening TCP ports | CM-6 - Configuration Settings; SC-14 - Public Access Protections
Listening UDP ports | CM-6 - Configuration Settings; SC-14 - Public Access Protections
Local groups | N/A
Modified network shares | AC-17 - Remote Access
NetBIOS info via SNMP | AC-17 - Remote Access
New listening TCP ports | CM-6 - Configuration Settings; SC-14 - Public Access Protections
New listening UDP ports | CM-6 - Configuration Settings; SC-14 - Public Access Protections
New network shares | AC-17 - Remote Access; CA-3 - Information System Connections; CM-7 - Least Functionality
Permitted IP protocols | CM-7 - Least Functionality
Permitted TCP ports | AC-6 - Least Privilege; CM-7 - Least Functionality
Permitted UDP ports | AC-6 - Least Privilege; CM-7 - Least Functionality
Plain text authentication | IA-2 - User Identification and Authentication; IA-5 - Authenticator Management
RRAS enabled | AC-17 - Remote Access; CM-6 - Configuration Settings; SC-14 - Public Access Protections
RRAS NetBIOS gateway disabled | AC-17 - Remote Access
RRAS requires account callbacks | AC-17 - Remote Access
RRAS requires preset number for callback | AC-17 - Remote Access
Share permissions | AC-17 - Remote Access
Shared folders | AC-17 - Remote Access
Shared folders giving all users Full Control | AC-17 - Remote Access; CM-6 - Configuration Settings; AC-5 - Separation of Duties; AC-6 - Least Privilege
Shared printers | AC-17 - Remote Access
Trusted domains (Windows 2000 and 2003 only) | CA-3 - Information System Connections

Object Integrity

The Object Integrity module reports volumes that do not have Access Control Lists (ACLs).
Note: Volumes without ACLs provide no protection against unauthorized access. ACLs are required to control and audit access to directories and files.

Check | NIST 800-53 Rev. 1
Local accounts (Non-PDCs only) | N/A
Volumes without ACL control | AC-3 - Access Enforcement; CA-2 - Security Assessments; CM-6 - Configuration Settings

OS Patches

The OS Patches (Patch) module reports Windows security patches that have been released by Microsoft Corporation but are not installed on the system.
Install all patches that are defined in the Windows patch template files for the Windows XP, Windows 2000, and Windows Server 2003 operating systems to harden your operating systems.
The Patch template files define the operating system patches that are searched for on each agent. New patch template files are available every two weeks through LiveUpdate.

Check | NIST 800-53 Rev. 1
Comparisons | (Supports SI-2, RA-5, and SA-7)
File dates | (Supports SI-2, RA-5, and SA-7)
File versions | (Supports SI-2, RA-5, and SA-7)
Registry keys | (Supports SI-2, RA-5, and SA-7)
Disable module | SI-2 - Flaw Remediation; RA-5 - Vulnerability Scanning; SA-7 - User Installed Software; AC-20 - Personally Owned Information Systems
Installed patches | SI-2 - Flaw Remediation; RA-5 - Vulnerability Scanning; SA-7 - User Installed Software; AC-19 - Access Control for Portable and Mobile Systems; AC-20 - Personally Owned Information Systems
Patch Keywords templates | SI-2 - Flaw Remediation; RA-5 - Vulnerability Scanning; SA-7 - User Installed Software; AC-19 - Access Control for Portable and Mobile Systems; AC-20 - Personally Owned Information Systems
Patch not installed and process not running | SI-2 - Flaw Remediation; RA-5 - Vulnerability Scanning; SA-7 - User Installed Software; AC-19 - Access Control for Portable and Mobile Systems; AC-20 - Personally Owned Information Systems
Patch results summary | SI-2 - Flaw Remediation; RA-5 - Vulnerability Scanning; SA-7 - User Installed Software; AC-19 - Access Control for Portable and Mobile Systems; AC-20 - Personally Owned Information Systems
Patch templates | SI-2 - Flaw Remediation; RA-5 - Vulnerability Scanning; SA-7 - User Installed Software; AC-19 - Access Control for Portable and Mobile Systems; AC-20 - Personally Owned Information Systems
Relaxed | (Supports SI-2, RA-5, and SA-7)
Strict | (Supports SI-2, RA-5, and SA-7)
Superseded | SI-2 - Flaw Remediation; RA-5 - Vulnerability Scanning; SA-7 - User Installed Software

OS patch template files

Symantec uses LiveUpdate every two weeks to overwrite the default template files that are loaded on your computer system.
Each default Patch template is for a specific operating system or application. The default Patch template files have the following names and extensions.

Operating system | File name | Template name
Windows 2000 Workstation | patch.pw5 | File
Windows 2000 Server | patch.ps5 | File
Windows Server 2003 | patch.p6s | File
Windows XP | patch.pwx | File

You can add new Patch file templates to a copy of this policy, or you can add files to copies of the default templates to expand the scope of files that are monitored for changes. To meet your company’s security policy needs, you must change the default values by copying and renaming the policy files.
Note: Do not edit, move, or change your Patch template files in any way.
For instructions and more information about specific checks and messages, see the current Symantec ESM Security Update User’s Guide (for example, Security Update 17 User's Guide for Windows (PDF)) and the release notes (for example, Security Update 25 Release Notes (PDF)) of each quarterly security update (SU) posted on http://securityresponse.symantec.com --> Security Updates: Symantec Enterprise Security Manager --> ESM Security Updates.
Password Strength

The Password Strength module examines the system parameters that control the construction, change, aging, expiration, and storage of passwords. It reports:
■ Weak passwords (those that don’t match)
■ Any user name in the system
■ Any word in word list files
■ Passwords typed in all uppercase or all lowercase
■ Accounts that do not require passwords
■ Passwords that have not been changed within a specified number of days
■ Accounts with a maximum password age greater than a specified value
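The checks in the table that follow (Password = username, Password = any username, Password = wordlist word, Reverse order, Prefix, Suffix, Plural, Double occurrences) are transformation rules applied to a candidate password. The Python below is an added example, not Symantec ESM code: it applies those rules to a clear-text candidate at password-set time, which is where a policy gate can reject it before it is ever stored. The user list, the word list, and the definition of a "prefix" or "suffix" (up to two digits or punctuation marks) are constructed for the example; ESM's own word files, such as lenglish.wrd and ntcrack.wrd, are far larger.

```python
"""Rule-based weak-password checks (added example, not Symantec ESM code).

Applies, to a clear-text candidate, the tests the Password Strength module
description lists: the password equal to the user's own name or to any user
name, a word-list word, its reverse-order, plural and double-occurrence
variants, the same with a short prefix or suffix, and passwords typed in all
uppercase or all lowercase.  User list, word list and affix pattern are
constructed for the example (assumptions).
"""
import re

USER_NAMES = ["alice", "carol", "svc_backup"]           # constructed sample
WORD_LIST = ["password", "summer", "dragon", "welcome"]  # constructed sample

# A "prefix" or "suffix" is taken to be up to two digits or punctuation marks.
AFFIX = r"[0-9!@#$%^&*._-]{1,2}"


def variants(word):
    """Forms of one word-list entry that count as that entry."""
    yield word, "wordlist word"
    yield word[::-1], "reverse order"
    yield word + word, "double occurrence"
    yield word + "s", "plural"
    yield word + "es", "plural"


def strip_affixes(pw):
    """Remove a short leading and trailing affix so 'Summer99' still matches."""
    core = re.sub("^" + AFFIX, "", pw)
    return re.sub(AFFIX + "$", "", core)


def check_password(pw, username, users=USER_NAMES, words=WORD_LIST):
    """Return the sorted list of rules the candidate violates (empty = none)."""
    if not pw:
        return ["no password"]
    findings = set()
    lower = pw.lower()
    core = strip_affixes(lower)
    known_users = {u.lower() for u in users}
    if lower == username.lower():
        findings.add("password = username")
    elif lower in known_users:
        findings.add("password = any username")
    if any(lower == u[::-1] for u in known_users):
        findings.add("reverse order of a user name")
    for word in words:
        for form, rule in variants(word.lower()):
            if lower == form:
                findings.add(rule)
            elif core != lower and core == form:
                findings.add(rule + " with prefix/suffix")
    if pw.isupper():
        findings.add("all uppercase")
    elif pw.islower():
        findings.add("all lowercase")
    return sorted(findings)


if __name__ == "__main__":
    for candidate in ["alice", "Carol", "nogard1", "Welcome!!", "PASSWORDS", "Tr0ub4dor&3xq"]:
        print(f"{candidate!r:>16}: {check_password(candidate, 'alice') or 'ok'}")
```

Case is folded before comparison, so the case rules report only the composition of the password as typed; the word-list rules are unaffected by how it was capitalized. Every added word list makes the loop longer, which is the same trade-off the word-files note below makes for the ESM check.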
Check | NIST 800-53 Rev. 1
Accounts without passwords | IA-2 - User Identification and Authentication; IA-5 - Authenticator Management
Display name as distinguished name | IA-2 - User Identification and Authentication; IA-4 - Identifier Management
Double occurrences | IA-2 - User Identification and Authentication; IA-5 - Authenticator Management
Maximum password age (Windows 2000 and 2003 only) | IA-2 - User Identification and Authentication; IA-5 - Authenticator Management
MD4 hashes | IA-2 - User Identification and Authentication; IA-5 - Authenticator Management
Minimum password age (Windows 2000 and 2003 only) | IA-2 - User Identification and Authentication; IA-5 - Authenticator Management
Minimum password length (Windows 2000 and 2003 only) | IA-2 - User Identification and Authentication; IA-5 - Authenticator Management
Password = any username | IA-2 - User Identification and Authentication; IA-5 - Authenticator Management
Password = username | IA-2 - User Identification and Authentication; IA-5 - Authenticator Management
Password = wordlist word | IA-2 - User Identification and Authentication; IA-5 - Authenticator Management
Password changes | IA-2 - User Identification and Authentication; IA-5 - Authenticator Management
Password must expire | IA-2 - User Identification and Authentication; IA-5 - Authenticator Management
Password stored using reversible encryption | AC-3 - Access Enforcement; IA-2 - User Identification and Authentication; IA-5 - Authenticator Management
Password uniqueness (Windows 2000 and 2003 only) | IA-2 - User Identification and Authentication; IA-5 - Authenticator Management
Plural | IA-2 - User Identification and Authentication; IA-5 - Authenticator Management
Prefix | IA-2 - User Identification and Authentication; IA-5 - Authenticator Management
Reverse order | IA-2 - User Identification and Authentication; IA-5 - Authenticator Management
Suffix | IA-2 - User Identification and Authentication; IA-5 - Authenticator Management
Syskey encryption | IA-2 - User Identification and Authentication; IA-5 - Authenticator Management
Users to check | IA-2 - User Identification and Authentication; IA-5 - Authenticator Management
Check NIST 800-53 Rev. 1
41Symantec ESM Policy Manual for FISMA (NIST 800-53) for WindowsPolicy modules
Password Strength word files
This policy ships with two word files (dictionaries) that are enabled by default: lenglish.wrd and ntcrack.wrd. In addition, there are many disabled word files that can be enabled. To enable additional word files, copy and rename the policy.
Note: Using more word lists will increase processing time for the check.
Registry
The Registry module reports violations of the registry key settings that are specified in template files, and changed key values.
The module also creates and maintains snapshot files. Run the module once to create the baseline snapshot file on each agent, then rerun the module periodically to detect changes.
Check | NIST 800-53 Rev. 1
Allow any privileged account | AC-1 - Access Control Policy and Procedures
Auditing Permissions | AC-5 - Separation of Duties
Automatically update snapshots | N/A
Changed key (time) | CM-4 - Monitoring Configuration Changes; SI-7 - Software and Information Integrity
Changed value (signature) | CM-4 - Monitoring Configuration Changes; SI-7 - Software and Information Integrity
Changed value (size) | CM-4 - Monitoring Configuration Changes; SI-7 - Software and Information Integrity
Do not notify if key permissions are increased in security | CM-4 - Monitoring Configuration Changes
Key and value existence | CM-4 - Monitoring Configuration Changes; SI-7 - Software and Information Integrity
Key ownership | CM-4 - Monitoring Configuration Changes; SI-7 - Software and Information Integrity
Key permissions | CM-4 - Monitoring Configuration Changes; SI-7 - Software and Information Integrity
Template file list | (Supports CM-4 and SI-7)
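The baseline-then-rerun comparison the module description above relies on, as an added example that is not part of this manual or of the ESM product code: it diffs two snapshots and labels each difference with the check names from the table (Key and value existence, Changed key (time), Changed value (size), Changed value (signature), Key ownership). The registry paths, owner names, timestamps and value contents are constructed sample data, and the "last-write time" is a plain integer rather than a real FILETIME.

```python
import hashlib

def snapshot_key(last_write, owner, values):
    """Record one key: last-write time, owner, and per-value size + SHA-256 signature."""
    return {"last_write": last_write, "owner": owner,
            "values": {n: {"size": len(d), "sig": hashlib.sha256(d).hexdigest()}
                       for n, d in values.items()}}

def compare_snapshots(baseline, current):
    """Diff a baseline against a rerun; findings carry the Registry module's check names."""
    out = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            out.append(("Key and value existence", path, "key deleted")); continue
        if path not in baseline:
            out.append(("Key and value existence", path, "key added")); continue
        b, c = baseline[path], current[path]
        if b["last_write"] != c["last_write"]:
            out.append(("Changed key (time)", path, "last-write time changed"))
        if b["owner"] != c["owner"]:
            out.append(("Key ownership", path, f"{b['owner']} -> {c['owner']}"))
        for n in sorted(set(b["values"]) | set(c["values"])):
            if n not in c["values"]:
                out.append(("Key and value existence", path, f"value {n!r} deleted"))
            elif n not in b["values"]:
                out.append(("Key and value existence", path, f"value {n!r} added"))
            else:
                bv, cv = b["values"][n], c["values"][n]
                if bv["size"] != cv["size"]:   # size differs: report a size change
                    out.append(("Changed value (size)", path, f"value {n!r} size changed"))
                if bv["sig"] != cv["sig"]:     # content differs (also fires on size change)
                    out.append(("Changed value (signature)", path, f"value {n!r} content changed"))
    return out

# Constructed sample keys (paths, owners and values are illustrative, not from the manual).
RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SVC = r"HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc"
ADMINS = r"BUILTIN\Administrators"
UPDATER = rb"C:\Program Files\Updater\updater.exe"
# Baseline from the first run, then a rerun: a Run-key entry was added, and the
# service's Start value (same 4-byte size, new content) and key owner changed.
BASELINE = {RUN: snapshot_key(1000, ADMINS, {"Updater": UPDATER}),
            SVC: snapshot_key(1000, ADMINS, {"Start": (2).to_bytes(4, "little")})}
CURRENT = {RUN: snapshot_key(1200, ADMINS, {"Updater": UPDATER,
                                             "Helper": rb"C:\Users\Public\helper.exe"}),
           SVC: snapshot_key(1300, r"CONTOSO\svc-user", {"Start": (4).to_bytes(4, "little")})}

if __name__ == "__main__":
    for check, path, detail in compare_snapshots(BASELINE, CURRENT):
        print(f"{check}: {path}: {detail}")
```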
Registry template files
Symantec uses LiveUpdate every two weeks to overwrite the default template files that are loaded on your computer.
Each default Registry template is for a specific operating system. The default Registry template files have the following names and extensions.
Operating system | File name | Template name
Windows 2000 Professional | registry.rw5 | Registry
Windows 2000 Server and Windows 2000 Server with ADS | registry.rs5 | Registry
Windows XP | registry.rwx | Registry
Windows Server 2003 and Windows Server 2003 with ADS | registry.rs6 | Registry
You can add new Registry templates to a copy of this policy, or you can add files to copies of the default templates to expand the scope of files that are monitored for changes. To meet your company's security policy needs, you must change the default values by copying and renaming the policy files.
For instructions and more information about specific checks and messages, see the current Symantec ESM Security Update User's Guide (Security Update 17 User's Guide for Windows (PDF)) and the release notes (Security Update 25 Release Notes (PDF)) of each quarterly security update (SU) posted on http://securityresponse.symantec.com --> Security Updates: Symantec Enterprise Security Manager --> ESM Security Updates.
Startup Files
The Startup Files module reports forbidden services that are running, required services that are not running, new and deleted services, Run keys, and remote registry access.
The module also creates and maintains snapshot files. Run the module once to create the baseline snapshot file on each agent, then rerun the module periodically to detect changes.
Check | NIST 800-53 Rev. 1
Automatically update snapshots | N/A
Changed services | CM-7 - Least Functionality; AC-6 - Least Privilege; CM-6 - Configuration Settings
Contents of Run keys | CM-7 - Least Functionality; AC-6 - Least Privilege; CM-6 - Configuration Settings
Deleted services | CM-7 - Least Functionality; AC-6 - Least Privilege; CM-6 - Configuration Settings
Disallowed services | CM-7(1) - Least Functionality; AC-6 - Least Privilege; CM-6 - Configuration Settings
Disallowed services cont. | N/A
Filter disallow services not running | N/A
Installed services | CM-7(1) - Least Functionality; AC-6 - Least Privilege; CM-6 - Configuration Settings
Maximum reported messages | (Supports CM-7, AC-6, and CM-6)
New services | CM-7(1) - Least Functionality; AC-6 - Least Privilege; CM-6 - Configuration Settings
Remote Procedure Call (RPC) Disabled | AC-17 - Remote Access; CM-6 - Configuration Settings
Remote registry access | AC-17 - Remote Access; SC-14 - Public Access Protections; CM-6 - Configuration Settings
Remote registry access (non-Administrators) | AC-17 - Remote Access; SC-14 - Public Access Protections; CM-6 - Configuration Settings
Required services | CM-7 - Least Functionality; AC-6 - Least Privilege; CM-6 - Configuration Settings
Services using specified user accounts to run | (Supports CM-7, AC-6, and CM-6)
Services using system account to run | (Supports CM-7, AC-6, and CM-6)
Unknown services | CM-7(1) - Least Functionality; AC-6 - Least Privilege; CM-6 - Configuration Settings
Symantec Product Info
The Symantec Product Info module reports information about the installed Symantec products that detect, quarantine, and correct malicious software.
Note: SAVCE minimum version: 9.0 (default).
Check | NIST 800-53 Rev. 1
Either Symantec AntiVirus CE or Norton AntiVirus (Windows XP and 2000 only) | SI-3 - Malicious Code Protection; SI-2 - Flaw Remediation; SI-8 - Spam Protection; AC-19 - Access Control for Portable and Mobile Systems; AC-20 - Personally Owned Information Systems
File System Auto-Protected (Symantec AntiVirus Corporate Edition) | SI-3 - Malicious Code Protection; SI-2 - Flaw Remediation
LiveUpdate frequency (Symantec AntiVirus Corporate Edition and Norton AntiVirus) | SI-3 - Malicious Code Protection; SI-2 - Flaw Remediation; AC-20 - Personally Owned Information Systems
Minimum version (Symantec AntiVirus Corporate Edition and Norton AntiVirus) | SI-3 - Malicious Code Protection; SI-2 - Flaw Remediation
Scan frequency (Symantec AntiVirus Corporate Edition and Norton AntiVirus) | SI-3 - Malicious Code Protection; SI-2 - Flaw Remediation; AC-19 - Access Control for Portable and Mobile Systems; AC-20 - Personally Owned Information Systems
Norton AntiVirus (Windows XP and 2000 only) | SI-3 - Malicious Code Protection; SI-2 - Flaw Remediation; SI-8 - Spam Protection; AC-19 - Access Control for Portable and Mobile Systems; AC-20 - Personally Owned Information Systems
Symantec AntiVirus Corporate Edition (Windows XP and 2000) | SI-3 - Malicious Code Protection; SI-2 - Flaw Remediation; SI-8 - Spam Protection; AC-19 - Access Control for Portable and Mobile Systems; AC-20 - Personally Owned Information Systems
System Auditing
The System Auditing module reports which security events are audited for failure or success, and what happens when the log file is full.
Check | NIST 800-53 Rev. 1
Application event log size | AC-13 - Supervision and Review - Access Control; SI-4 - Information System Monitoring Tools and Techniques
Days until security events are overwritten | AU-5 - Audit Processing; AU-9 - Protection of Audit Information; AC-13 - Supervision and Review - Access Control; SI-4 - Information System Monitoring Tools and Techniques
Guest access to event logs | AU-5 - Audit Processing; AU-9 - Protection of Audit Information; AC-14 - Permitted Actions without Identification or Authentication
Security event log size | AC-13 - Supervision and Review - Access Control; SI-4 - Information System Monitoring Tools and Techniques
Security events do not overwrite security log | AC-13 - Supervision and Review - Access Control; SI-4 - Information System Monitoring Tools and Techniques
Security events failure auditing | AU-2 - Auditable Events; AC-13 - Supervision and Review - Access Control
Security events success auditing | AU-2 - Auditable Events; AC-13 - Supervision and Review - Access Control
System event log size | AC-13 - Supervision and Review - Access Control; SI-4 - Information System Monitoring Tools and Techniques
System halts when security log full | AC-13 - Supervision and Review - Access Control; SI-4 - Information System Monitoring Tools and Techniques
Security events auditing (success and failure) name lists
The following list explains the events that should be audited in the Windows Audit Policy, as well as the conditions under which an audit log entry is generated.
Platform | Audit for Success | Audit for Failure
Windows 2000 Professional
Audit for Success:
■ Audit account logon events
■ Audit account management
■ Audit logon events
■ Audit policy change
■ Audit privilege use
Audit for Failure:
■ Audit account logon events
■ Audit account management
■ Audit logon events
■ Audit object access
■ Audit policy change
■ Audit privilege use
■ Audit system events
Windows 2000 Server
Audit for Success:
■ Audit account logon events
■ Audit account management
■ Audit logon events
■ Audit policy change
■ Audit privilege use
Audit for Failure:
■ Audit account logon events
■ Audit account management
■ Audit logon events
■ Audit object access
■ Audit policy change
■ Audit privilege use
■ Audit system events
Windows 2000 Server with ADS
Audit for Success:
■ Audit account logon events
■ Audit account management
■ Audit logon events
■ Audit policy change
■ Audit privilege use
Audit for Failure:
■ Audit account logon events
■ Audit account management
■ Audit directory service access
■ Audit logon events
■ Audit object access
■ Audit policy change
■ Audit privilege use
■ Audit system events
Windows XP
Audit for Success:
■ Audit account logon events
■ Audit account management
■ Audit logon events
■ Audit policy change
■ Audit privilege use
Audit for Failure:
■ Audit account logon events
■ Audit logon events
■ Audit object access
■ Audit policy change
■ Audit privilege use
■ Audit system events
Windows Server 2003
Audit for Success:
■ Audit account logon events
■ Audit account management
■ Audit logon events
■ Audit policy change
■ Audit privilege use
Audit for Failure:
■ Audit account logon events
■ Audit logon events
■ Audit object access
■ Audit policy change
■ Audit privilege use
■ Audit system events
Windows Server 2003 with ADS
Audit for Success:
■ Audit account logon events
■ Audit account management
■ Audit logon events
■ Audit policy change
■ Audit privilege use
Audit for Failure:
■ Audit account logon events
■ Audit directory service access
■ Audit logon events
■ Audit object access
■ Audit policy change
■ Audit privilege use
■ Audit system events