
Configurations for Standalone and Directory Bound Use Cases

jeffblank edited this page May 14, 2015 · 25 revisions

This page lists account configuration settings for operating systems when they are standalone, and those they would receive when bound to a directory or management server. The two usage scenarios face different risks. Accounts held in a directory must be managed in a way that addresses the threat of credential hash harvesting and subsequent offline password cracking, since a single compromised directory exposes the hashes of every account at once. This risk does not substantially exist on standalone systems, which have one or few accounts.

These settings can be captured in a DoD Annex to the Protection Profile for General-Purpose Operating Systems, with different sections for each usage scenario. The following provides CESG's recommendations for systems in the UK:

Configuration Parameters for Standalone Operating Systems

| Requirement | Configuration parameter |
| --- | --- |
| The operating system must enforce a minimum 15-character password length. | configure minimum password length - 15 |
| The operating system must enforce password complexity by requiring that at least one special character be used. | configure minimum number of special characters in password - 1 |
| The operating system must enforce password complexity by requiring that at least one numeric character be used. | configure minimum number of numeric characters in password - 1 |
| The operating system must enforce password complexity by requiring that at least one upper-case character be used. | configure minimum number of uppercase characters in password - 1 |
| The operating system must enforce password complexity by requiring that at least one lower-case character be used. | configure minimum number of lowercase characters in password - 1 |
| The operating system must provide the capability for users to directly initiate a session lock for all connection types. | enable/disable screen lock - enable |
| (requirement text not stated on this page) | configure screen lock inactivity timeout - 15 minutes |
| The operating system must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity; and for user sessions (non-privileged sessions), the session must be terminated after 15 minutes of inactivity, except to fulfill documented and validated mission requirements. | configure remote connection inactivity timeout - 15 minutes |
| (requirement text not stated on this page) | enable/disable unauthenticated logon - disable |
| The operating system must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur. | configure lockout policy for unsuccessful authentication attempts - 3 in 15 minutes |
| The operating system must enable an application firewall, if available; and the operating system must employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems. | configure software firewall - deny-by-default policy for incoming connections |
| The operating system must implement cryptographic mechanisms to prevent unauthorized disclosure of all information at rest on all operating system components. | enable/disable DAR protection - enable, if system is not physically protected |
| The operating system must provide automated mechanisms for supporting account management functions. | configure name/address of directory server to bind with - site-specific value |
| The operating system must provide automated mechanisms for supporting account management functions. | configure name/address of remote management server from which to receive management settings - site-specific value |
| The operating system must off-load audit records onto a different system or media from the system being audited. | configure name/address of audit/logging server to which to send audit/logging records - site-specific value |
| The operating system must, for networked systems, compare internal information system clocks at least every 24 hours with a server which is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS). | configure name/address of network time server - site-specific value |
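The password composition, lockout and idle-timeout rows above map directly onto pam_pwquality, pam_faillock and the shell's TMOUT variable on a PAM-based Linux host. The script below is an added example, not part of this page or of any DoD/CESG publication: it stages those three settings files under a root directory of your choosing and audits them, so the staged tree can be reviewed before anything is copied onto a live system. It assumes libpwquality with `pwquality.conf.d` drop-in support and pam_faillock reading `faillock.conf`; the drop-in name `50-standalone.conf` and the function names are my own. The desktop screen lock, firewall, DAR and server-address rows are tool-specific and are not covered.

```shell
#!/bin/sh
# Stage and audit the standalone password, lockout and idle-timeout parameters.
# Added example, not from the original page. Assumes pam_pwquality (with the
# pwquality.conf.d drop-in directory) and pam_faillock. Every function takes a
# root directory as $1 so the policy can be staged under e.g. /tmp/stage and
# inspected; pass "" to target the live host.

# cfg_get FILE KEY -> last uncommented "KEY = value" (or KEY=value) in FILE
cfg_get() {
    [ -r "$1" ] || return 0
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# check LABEL VALUE OP WANT -> FAIL line (and rc=1) unless "VALUE OP WANT" holds
check() {
    [ -n "$2" ] && [ "$2" "$3" "$4" ] || { echo "FAIL $1=${2:-unset} (want $3 $4)"; rc=1; }
}

# apply_standalone ROOT -> write the three settings files under ROOT
apply_standalone() {
    mkdir -p "$1/etc/security/pwquality.conf.d" "$1/etc/profile.d"
    # Minimum 15 characters; a negative credit means "at least that many of the class"
    cat > "$1/etc/security/pwquality.conf.d/50-standalone.conf" <<'EOF'
minlen = 15
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
EOF
    # 3 failures within 15 minutes (900 s) lock the account; unlock_time = 0 keeps
    # it locked until an administrator runs `faillock --user NAME --reset`
    cat > "$1/etc/security/faillock.conf" <<'EOF'
deny = 3
fail_interval = 900
unlock_time = 0
EOF
    # Idle interactive shells, SSH sessions included, are terminated after 15 min
    cat > "$1/etc/profile.d/tmout.sh" <<'EOF'
TMOUT=900
readonly TMOUT
export TMOUT
EOF
}

# audit_standalone ROOT -> one FAIL line per deviation; returns 1 if any
audit_standalone() {
    rc=0
    pwq="$1/etc/security/pwquality.conf.d/50-standalone.conf"
    check minlen "$(cfg_get "$pwq" minlen)" -ge 15
    for k in dcredit ucredit lcredit ocredit; do
        check "$k" "$(cfg_get "$pwq" "$k")" -le -1
    done
    fl="$1/etc/security/faillock.conf"
    check deny "$(cfg_get "$fl" deny)" -le 3
    check fail_interval "$(cfg_get "$fl" fail_interval)" -ge 900   # window of at least 15 min
    tm="$(cfg_get "$1/etc/profile.d/tmout.sh" TMOUT)"
    check TMOUT "$tm" -ge 1          # TMOUT=0 would disable the timeout
    check TMOUT "$tm" -le 900
    return $rc
}

# Usage: ROOT=/tmp/stage sh pwpolicy.sh apply ; ROOT=/tmp/stage sh pwpolicy.sh check
case "${1-}" in
    apply) apply_standalone "${ROOT-}" ;;
    check) audit_standalone "${ROOT-}" ;;
esac
```

The audit reads the last assignment of each key, which is also how the PAM modules resolve duplicates, so a later `minlen = 8` appended by another tool is reported as a deviation rather than masked by the earlier value.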

Configuration Parameters for a Directory Server

Account management settings

| Requirement | Configuration parameter |
| --- | --- |
| The operating system must automatically remove or disable temporary user accounts after 72 hours. | disable temporary accounts after a time period - 72 hours |
| The operating system must prevent the use of dictionary words for passwords. | configure to reject passwords based on dictionary words |
| The operating system must enforce password complexity by requiring that at least one upper-case character be used. | configure minimum number of uppercase characters in password - 1 |
| The operating system must enforce password complexity by requiring that at least one lower-case character be used. | configure minimum number of lowercase characters in password - 1 |
| The operating system must enforce password complexity by requiring that at least one numeric character be used. | configure minimum number of numeric characters in password - 1 |
| The operating system must enforce password complexity by requiring that at least one special character be used. | configure minimum number of special characters in password - 1 |
| The operating system must require the change of at least eight of the total number of characters when passwords are changed. | configure minimum number of characters that must change when password is changed - 8 |
| Operating systems must enforce 24 hours/1 day as the minimum password lifetime. | configure minimum password lifetime - 24 hours |
| Operating systems must enforce a 60-day maximum password lifetime restriction. | configure maximum password lifetime - 60 days |
| The operating system must prohibit password reuse for a minimum of five generations. | prevent password reuse for a minimum number of generations - 5 |
| The operating system must enforce a minimum 15-character password length. | configure minimum password length - 15 |
| The operating system must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. | disable accounts after period of inactivity - 35 days |
| The operating system must be configured such that emergency administrator accounts are never automatically removed or disabled. | configure emergency accounts to not be automatically removed |
| The operating system must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur. | configure account lockout after unsuccessful logon attempts - 3 attempts in 15 minutes |
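The account lifecycle rows in this table (temporary accounts, minimum and maximum lifetime, reuse history, characters that must change, dictionary check, inactivity) have local-account equivalents in the shadow suite and PAM, which is where a host enforces them when the directory does not. The script below is an added example, not from this page or from any directory product: it stages those settings and audits them, and computes the shadow expiry value for a 72-hour temporary account. It assumes `/etc/login.defs`, `/etc/default/useradd`, Linux-PAM 1.5.2 or later for `pwhistory.conf`, and libpwquality with `pwquality.conf.d`; the drop-in name `50-directory.conf` and all function names are my own. The lockout row is left to pam_faillock (`deny = 3`, `fail_interval = 900`, `unlock_time = 0` so only an administrator can release the account) and is not covered by the script; a directory such as FreeIPA or Active Directory carries the same values in its own password policy objects.

```shell
#!/bin/sh
# Local-account (shadow suite and PAM) implementation of the account management
# parameters. Added example, not from the original page. Every function takes a
# root directory as $1 so the policy can be staged (e.g. /tmp/stage) and
# reviewed; pass "" to target the live host.

# kv_get FILE KEY -> last uncommented value of "KEY value" or "KEY = value"
kv_get() {
    [ -r "$1" ] || return 0
    sed -n "s/^[[:space:]]*$2[[:space:]=][[:space:]=]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# kv_set FILE KEY SEP VALUE -> replace existing KEY lines (or append one) while
# leaving the rest of a shared file such as /etc/login.defs untouched
kv_set() {
    kv_tmp="$1.$$"
    { [ -f "$1" ] && grep -v "^[[:space:]]*$2[[:space:]=]" "$1" || true
      printf '%s%s%s\n' "$2" "$3" "$4"; } > "$kv_tmp"
    mv "$kv_tmp" "$1"
}

# check LABEL VALUE OP WANT -> FAIL line (and rc=1) unless "VALUE OP WANT" holds
check() {
    [ -n "$2" ] && [ "$2" "$3" "$4" ] || { echo "FAIL $1=${2:-unset} (want $3 $4)"; rc=1; }
}

# apply_account_policy ROOT -> stage the lifetime, history and inactivity settings
apply_account_policy() {
    defs="$1/etc/login.defs"
    mkdir -p "$1/etc/default" "$1/etc/security/pwquality.conf.d"
    kv_set "$defs" PASS_MAX_DAYS ' ' 60      # 60-day maximum password lifetime
    kv_set "$defs" PASS_MIN_DAYS ' ' 1       # 24-hour minimum password lifetime
    # Same effect as `useradd -D -f 35`. Caveat: shadow's INACTIVE counts days
    # after password expiry, not days since the last logon; a logon-based sweep
    # needs `lastlog -b 35` or the directory's last-logon attribute instead.
    kv_set "$1/etc/default/useradd" INACTIVE '=' 35
    # pam_pwhistory: refuse the last 5 passwords (older Linux-PAM releases take
    # remember=5 on the pam_pwhistory line in /etc/pam.d instead of this file)
    kv_set "$1/etc/security/pwhistory.conf" remember ' = ' 5
    # pam_pwquality drop-in: 8 characters must change; dictionary words rejected
    pwq="$1/etc/security/pwquality.conf.d/50-directory.conf"
    kv_set "$pwq" difok ' = ' 8
    kv_set "$pwq" dictcheck ' = ' 1
}

# temp_account_expiry NOW_EPOCH -> value for the shadow "expire" field (days since
# the epoch) that disables an account 72 hours from NOW, rounded up to a whole day
temp_account_expiry() {
    echo $(( ($1 + 72 * 3600 + 86399) / 86400 ))
}

# create_temp_account ROOT NAME -> local account that expires in 72 hours.
# Emergency accounts get the opposite treatment: chage -E -1 -I -1 NAME
create_temp_account() {
    useradd ${1:+-R "$1"} "$2"
    chage ${1:+-R "$1"} -E "$(temp_account_expiry "$(date +%s)")" "$2"
}

# audit_account_policy ROOT -> one FAIL line per deviation; returns 1 if any
audit_account_policy() {
    rc=0
    defs="$1/etc/login.defs"
    check PASS_MAX_DAYS "$(kv_get "$defs" PASS_MAX_DAYS)" -le 60
    check PASS_MIN_DAYS "$(kv_get "$defs" PASS_MIN_DAYS)" -ge 1
    inact=$(kv_get "$1/etc/default/useradd" INACTIVE)
    check INACTIVE "$inact" -ge 0          # -1 would mean "never disable"
    check INACTIVE "$inact" -le 35
    check remember "$(kv_get "$1/etc/security/pwhistory.conf" remember)" -ge 5
    pwq="$1/etc/security/pwquality.conf.d/50-directory.conf"
    check difok "$(kv_get "$pwq" difok)" -ge 8
    check dictcheck "$(kv_get "$pwq" dictcheck)" -eq 1
    return $rc
}

# Usage: ROOT=/tmp/stage sh acctpolicy.sh apply ; ROOT=/tmp/stage sh acctpolicy.sh check
case "${1-}" in
    apply) apply_account_policy "${ROOT-}" ;;
    check) audit_account_policy "${ROOT-}" ;;
esac
```

Note that `PASS_MAX_DAYS` and `INACTIVE` only affect accounts created after the change; existing accounts need `chage -M 60 -I 35 NAME` (and `chage -m 1`) to pick up the same values.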