ad-assurance - [AD-Assurance] More Technical Guidance from US-CERT: System Integrity
Subject: Meeting the InCommon Assurance profile criteria using Active Directory
- From: "Capehart,Jeffrey D" <>
- Subject: [AD-Assurance] More Technical Guidance from US-CERT: System Integrity
- Date: Tue, 21 May 2013 15:49:33 +0000
I found a document from US-CERT that might be useful for reference to additional controls to demonstrate system integrity. Some of these may already be necessary to meet the criteria. Consider: Would greater system integrity compensate adequately for a non-approved algorithm or storage method?

-Jeff

TIP-11-075-01: System Integrity Best Practices
http://www.us-cert.gov/sites/default/files/publications/TIP11-075-01.pdf

The two key components of system integrity are software authenticity and the assurance of user identity. US-CERT recommends that organizations routinely evaluate how to integrate the following best practices into their current environments to achieve these objectives.

Enable strong logging.
  o Enable logging for all centralized authentication services and collect the IP address of the system accessing the service, the username, the resource accessed, and whether the attempt was successful or not.
  o Limit the number of authentication attempts and lock out the user if the limit is reached. Security professionals should conduct a manual review before unlocking the account and prohibit automatic unlocks after a specified time period.
  o Conduct near real-time log review for failed attempts per user and per unit of time independent of successful logins; abnormal successful logins; and lockouts. Correlate this data to identify anomalous activity.

Limit remote access.
  o Restrict access by IP address wherever possible.
  o Limit concurrent logins to one per user.

Apply additional defense-in-depth techniques.
  o Maximize complexity of passwords, passphrases, and personal identification numbers (PINs) whenever possible.
  o Enable defenses against key logging such as forced frequent credential changing and updated anti-virus (AV) signatures.

Validate software.
  o Require validation of vendor-provided hash values or digital signatures prior to installation. If information is not customarily provided, request validation guidance from the vendor.
  o Exercise additional caution when receiving unsolicited or unexpected software media.
  o Establish an installation baseline (e.g., file names, versions, hash values) and periodically revalidate this information.
  o Enable revocation checking to include Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL) checking.
Jeff Capehart, CISA |
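The "Enable strong logging" items above (collect source IP, username, resource and outcome; count failed attempts per user per unit of time independently of successes; flag lockouts and abnormal successes; correlate) can be run as a small detection pass over the authentication log. The following is an added example, not part of the US-CERT document or of the message above; the log line format, the field names, the thresholds (5 failures in 60 s, a success within 120 s of a burst) and the sample lines are assumptions constructed for illustration.

```python
"""Near-real-time review of centralized authentication logs.

Added example (not part of the US-CERT document or the original message).
The log format, field names and thresholds are assumptions chosen for
illustration; adapt parse() to whatever your IdP or domain controllers emit.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not real data): timestamp, source IP, username,
# resource accessed, and outcome -- the fields US-CERT says to collect.
SAMPLE_LOG = """\
2013-05-21T15:40:01Z src=10.1.1.7 user=alice resource=ldap result=SUCCESS
2013-05-21T15:41:10Z src=198.51.100.9 user=bob resource=kerberos result=FAIL
2013-05-21T15:41:12Z src=198.51.100.9 user=bob resource=kerberos result=FAIL
2013-05-21T15:41:15Z src=198.51.100.9 user=bob resource=kerberos result=FAIL
2013-05-21T15:41:17Z src=198.51.100.9 user=bob resource=kerberos result=FAIL
2013-05-21T15:41:20Z src=198.51.100.9 user=bob resource=kerberos result=FAIL
2013-05-21T15:41:25Z src=198.51.100.9 user=bob resource=kerberos result=SUCCESS
2013-05-21T15:42:00Z src=203.0.113.4 user=carol resource=ldap result=FAIL
2013-05-21T15:42:03Z src=203.0.113.4 user=carol resource=ldap result=FAIL
2013-05-21T15:42:05Z src=203.0.113.4 user=carol resource=ldap result=FAIL
2013-05-21T15:42:05Z src=203.0.113.4 user=carol resource=ldap result=LOCKOUT
2013-05-21T15:50:00Z src=10.1.1.7 user=alice resource=ldap result=SUCCESS
2013-05-21T15:51:00Z src=192.0.2.77 user=alice resource=ldap result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"resource=(?P<resource>\S+) result=(?P<result>\S+)$"
)

FAIL_THRESHOLD = 5                            # failures per user ...
FAIL_WINDOW = timedelta(seconds=60)           # ... inside this sliding window
SUCCESS_AFTER_BURST = timedelta(seconds=120)  # success this soon after a burst is suspicious


def parse(line):
    """Parse one log line into a dict; raises on lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable log line: %r" % line)
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def review(lines):
    """Stream log lines in time order and return (kind, user, detail) alerts.

    Failed attempts are counted per user per window independently of
    successes; lockouts are reported for manual review; successful logins are
    correlated against the failure history and the user's known source IPs.
    """
    alerts = []
    recent_fail = defaultdict(deque)  # user -> timestamps of failures in window
    burst_at = {}                     # user -> time the failure threshold was crossed
    known_src = defaultdict(set)      # user -> source IPs seen on successful logins

    for line in lines:
        if not line.strip():
            continue
        ev = parse(line)
        user, ts, src = ev["user"], ev["ts"], ev["src"]

        if ev["result"] == "FAIL":
            window = recent_fail[user]
            window.append(ts)
            while window and ts - window[0] > FAIL_WINDOW:
                window.popleft()
            if len(window) == FAIL_THRESHOLD:  # fire once, when the threshold is crossed
                burst_at[user] = ts
                alerts.append(("failure_burst", user,
                               "%d failures within %ds from %s"
                               % (len(window), FAIL_WINDOW.seconds, src)))

        elif ev["result"] == "LOCKOUT":
            alerts.append(("lockout", user,
                           "locked out after attempts from %s; manual review before unlock" % src))

        elif ev["result"] == "SUCCESS":
            # Correlation 1: a success shortly after a burst of failures looks
            # like a password guess that landed, not a typo.
            if user in burst_at and ts - burst_at[user] <= SUCCESS_AFTER_BURST:
                alerts.append(("success_after_burst", user,
                               "login from %s %ds after failure burst"
                               % (src, int((ts - burst_at[user]).total_seconds()))))
            # Correlation 2: a success from a source IP never seen for this user.
            if known_src[user] and src not in known_src[user]:
                alerts.append(("new_source_success", user,
                               "first login from %s; previously %s"
                               % (src, sorted(known_src[user]))))
            known_src[user].add(src)

    return alerts


if __name__ == "__main__":
    for kind, user, detail in review(SAMPLE_LOG.splitlines()):
        print("%-20s %-6s %s" % (kind, user, detail))
```

On the constructed sample this yields four alerts: bob's burst of five failures and the success that follows it within seconds, carol's lockout, and alice's first successful login from an address she has never used. The failure counter deliberately ignores successes, as the guidance asks, so a burst is still reported even when the attacker eventually gets in; the lockout alert is the hook for the manual-review-before-unlock process rather than an automatic unlock.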
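The "Validate software" items above ask for two related checks: compare a download against the vendor-published hash before installing it, and record an installation baseline of file names and hash values that is periodically revalidated. The following is an added example, not part of the US-CERT document or of the message above; the install tree, file names and contents are constructed in a temporary directory for illustration, and the hash used as the "vendor" value is simply the one recorded for the pristine file.

```python
"""Installation baseline: record file names, sizes and SHA-256 hashes, then
revalidate the tree against the stored baseline.

Added example (not part of the US-CERT document or the original message).
The temporary directory, file names and contents are constructed for
illustration; in practice store the baseline out of band, not on the host
it describes.
"""
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large installers do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_vendor_hash(path, published_hex):
    """Compare a download against the vendor-published SHA-256 (constant-time)."""
    return hmac.compare_digest(sha256_file(path).lower(), published_hex.strip().lower())


def build_baseline(root):
    """Walk root and record relative path -> {sha256, size} for every file."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": sha256_file(full), "size": os.path.getsize(full)}
    return baseline


def revalidate(root, baseline):
    """Re-hash root and report modified, missing and unexpected files."""
    current = build_baseline(root)
    modified = sorted(p for p in baseline
                      if p in current and current[p]["sha256"] != baseline[p]["sha256"])
    missing = sorted(p for p in baseline if p not in current)
    unexpected = sorted(p for p in current if p not in baseline)
    return {"modified": modified, "missing": missing, "unexpected": unexpected,
            "clean": not (modified or missing or unexpected)}


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Build a baseline for a constructed install tree, tamper with it, revalidate."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/app", b"original binary\n")
        _write(root, "app.conf", b"setting=1\n")
        _write(root, "README", b"docs\n")

        baseline = build_baseline(root)
        # Round-trip through JSON: this is the form you would store and re-read later.
        stored = json.loads(json.dumps(baseline, sort_keys=True))

        # A pristine file matches the hash recorded for it (stand-in for a vendor hash);
        # a mismatched hash is rejected.
        vendor_ok = verify_vendor_hash(os.path.join(root, "bin", "app"),
                                       stored["bin/app"]["sha256"])
        wrong_ok = verify_vendor_hash(os.path.join(root, "bin", "app"),
                                      stored["app.conf"]["sha256"])

        # Simulate drift: a replaced binary, a deleted file, and a new file.
        _write(root, "bin/app", b"trojaned binary\n")
        os.remove(os.path.join(root, "README"))
        _write(root, "bin/dropper", b"unexpected\n")

        result = revalidate(root, stored)
        result["vendor_hash_ok"] = vendor_ok
        result["wrong_hash_rejected"] = not wrong_ok
        return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The revalidation report separates the three outcomes a reviewer cares about: files whose contents changed, files that disappeared, and files that appeared without being in the baseline. A baseline kept on the same host it describes can be edited along with the binaries, so keep the stored copy somewhere the host cannot write to, and re-run the check on a schedule rather than only after an incident.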