
10.8.20  Windows Security Policy (Cont. 2)

10.8.20.5 
Technical Controls

10.8.20.5.2 
Access Control

10.8.20.5.2.10 
Active Directory Service

10.8.20.5.2.10.3  (03-28-2008)
Active Directory Dynamic DNS

  1. All Domain Controllers can operate the Dynamic DNS Service.

  2. Add the following to Group Policy for Domain Controllers employing Dynamic DNS:

    1. Zone transfers should be disabled unless needed. To improve the security of the DNS infrastructure, zone transfers should only be allowed either to the DNS servers listed on the zone's Name Servers tab or to specified DNS servers;

    2. Secure Cache Against Pollution; and

    3. Change the DNS Log File Maximum Size. Change the registry entry HKLM\System\CurrentControlSet\Services\DNS\Parameters\LogFileMaxSize, a REG_DWORD value, to 64KB.
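The three settings above map to DNS Server registry parameters, so a read-only compliance check can be scripted. The following is an added example, not part of IRM 10.8.20; it assumes it is run locally on the DNS server with rights to read HKLM, and that the value names SecureResponses, LogFileMaxSize and the per-zone SecureSecondaries are the documented DNS Server registry parameters.

```powershell
# Added example (not IRM text): report the Dynamic DNS items 1-3 against the
# live registry of this DNS server. Assumes local execution with HKLM read access.
$params   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$zonesKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DNS Server\Zones'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the value (or key) does not exist instead of throwing
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$findings = @()

# Item 2: "Secure cache against pollution" is stored as SecureResponses = 1
$secure = Get-RegValue $params 'SecureResponses'
if ($secure -ne 1) {
    $findings += "SecureResponses is '$secure' (expected 1: secure cache against pollution)"
}

# Item 3: LogFileMaxSize is a byte count; the policy figure is 64 KB (65536)
$expectedLogSize = 64KB
$logSize = Get-RegValue $params 'LogFileMaxSize'
if ($logSize -ne $expectedLogSize) {
    $findings += "LogFileMaxSize is '$logSize' (expected $expectedLogSize bytes)"
}

# Item 1: per-zone SecureSecondaries. 0 = transfer to any server, 1 = only to
# name servers listed in the zone, 2 = only to listed servers, 3 = no transfers.
# Values 0 (or a missing value on a file-backed zone) mean open zone transfers.
if (Test-Path $zonesKey) {
    foreach ($zone in Get-ChildItem -Path $zonesKey) {
        $name = $zone.PSChildName
        $ss = Get-RegValue $zone.PSPath 'SecureSecondaries'
        if ($null -eq $ss) {
            # AD-integrated zones keep this setting in the directory, not here;
            # confirm with: dnscmd /ZoneInfo <zone>
            $findings += "Zone '$name': SecureSecondaries not in registry; verify with dnscmd /ZoneInfo"
        } elseif ($ss -eq 0) {
            $findings += "Zone '$name': SecureSecondaries is 0 (zone transfers allowed to any server)"
        }
    }
}

if ($findings.Count -eq 0) {
    'Dynamic DNS settings match policy.'
} else {
    $findings | ForEach-Object { "NON-COMPLIANT: $_" }
}
```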

10.8.20.5.2.10.4  (03-28-2008)
Object-based Access Control

  1. Along with user authentication, administrators are allowed to control access to resources or objects on the network. To do this, administrators shall assign security descriptors to objects that are stored in Active Directory. A security descriptor lists the users and groups that are granted access to an object and the specific permissions assigned to those users and groups. A security descriptor also specifies the various access events to be audited for an object. By managing properties on objects, administrators can set permissions, assign ownership, and monitor user access. Not only can administrators control access to a specific object, they can also control access to a specific attribute of that object.

  2. In order to secure a computer and its resources, the SA shall take into consideration what rights users shall have:

    1. Securing a computer or multiple computers by granting users or groups specific user rights.

    2. Securing an object, such as a file or folder, through assigning permissions to allow users or groups to perform specific actions on that object.

10.8.20.5.2.10.5  (03-28-2008)
Windows Server 2003 Security Services

  1. The sections below define elements of Windows Server 2003 Security Services.

10.8.20.5.2.10.6  (03-28-2008)
Flexible Single Master Operations (FSMOs)

  1. Certain operations within a domain and forest shall be centrally coordinated from a single authoritative source. These operations are handled by only one domain controller within the domain and are divided into five distinct operational categories. These categories are referred to as Flexible Single Master Operations (FSMOs).

  2. The IRS may utilize all of the FSMO roles.

10.8.20.5.2.10.7  (03-28-2008)
FSMO Roles

  1. Schema Master
    This role is held by only one domain controller per Forest. This role coordinates all changes to the Active Directory schema, and is required in order to process any schema updates. Only the schema master is permitted to replicate schema changes to other domain controllers in a forest.

  2. Domain Naming Master
    This role is held by only one domain controller per Forest. This role handles all changes to the forest-wide domain namespace, and is the only role that can process the addition or removal of a domain to or from the forest.

  3. Relative Identifier (RID) Master
    This role is held by only one domain controller per Domain. This role manages the relative identifier pool for the domain. This role is also responsible for moving objects from one domain to another within a forest.

  4. PDC Emulator
    This role is held by only one domain controller per Domain. This role is the central authority for time synchronization within a domain, and emulates the functionality of a Windows Domain Controller (DC). Pre-Windows 2000 (Win2K) clients without the Microsoft Directory Services Client (DSClient) contact the PDC emulator to change user and computer passwords. The PDC emulator is also responsible for processing account lockouts. Finally, any failed logon attempts are first forwarded to the PDC emulator before returning a bad logon message to the client.

  5. Infrastructure Master
    This role is held by only one domain controller per Domain. This role updates object SIDs and distinguished names (DNs) in cross-domain object references.

10.8.20.5.2.10.8  (03-28-2008)
Best Practices for Placing FSMOs

  1. In a multiple-domain forest, never place the infrastructure master role on a domain controller that is also a GC server. The infrastructure master’s job is to update cross-domain references, and it does so by looking for references it does not itself possess. Since a GC contains a reference to every object in the entire forest, the infrastructure master will never be without a reference, and will therefore fail to perform its job properly.

  2. Since the PDC emulator holds such a crucial, central role in Active Directory, the SA shall place the PDC emulator on a domain controller that has the best possible connectivity to other domain controllers in the domain. The PDC emulator in the forest root domain synchronizes time for all other PDC emulators in the forest, and shall have a reliable network connection to the domain controllers holding the role in each domain.
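The two placement rules above can be verified rather than assumed. The following is an added example, not part of IRM 10.8.20; it assumes the ActiveDirectory PowerShell module (RSAT on Windows Server 2008 R2 or later, so it is run from a newer administrative host against the forest, not on the Windows Server 2003 controllers themselves) and read access to every domain in the forest.

```powershell
# Added example (not IRM text): check Infrastructure Master / Global Catalog
# separation in a multi-domain forest and report where each PDC emulator sits.
# Assumes the ActiveDirectory module and forest-wide read access.
Import-Module ActiveDirectory

$forest      = Get-ADForest
$domainCount = @($forest.Domains).Count

foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    # Resolve the role holders to DC objects so we can see GC status and site
    $im  = Get-ADDomainController -Identity $domain.InfrastructureMaster -Server $domainName
    $pdc = Get-ADDomainController -Identity $domain.PDCEmulator -Server $domainName

    # Rule 1: in a multiple-domain forest the Infrastructure Master must not be a GC.
    # In a single-domain forest the combination is harmless, so it is reported as OK.
    if ($domainCount -gt 1 -and $im.IsGlobalCatalog) {
        "[$domainName] VIOLATION: Infrastructure Master $($im.HostName) is also a Global Catalog"
    } else {
        "[$domainName] OK: Infrastructure Master $($im.HostName) (GC=$($im.IsGlobalCatalog))"
    }

    # Rule 2: the script cannot judge "best connectivity", but it shows the
    # site the PDC emulator lives in so the SA can review the placement.
    "[$domainName] PDC Emulator: $($pdc.HostName) in site $($pdc.Site)"
}

# Forest-wide roles, for completeness of the FSMO inventory
"Schema Master:        $($forest.SchemaMaster)"
"Domain Naming Master: $($forest.DomainNamingMaster)"
```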

10.8.20.5.2.10.9  (03-28-2008)
Group Policy Objects

  1. The IRS shall use security templates defined within Group Policy Objects (GPOs) to configure security settings in the Windows Server 2003 Active Directory environment. Administrators can define configurations for servers that are part of the domain, then use a GPO to set policies that apply across a given site, domain, or range of Organizational Units (OU) in the Active Directory.

10.8.20.5.2.10.10  (03-28-2008)
Using Group Policy

  1. Administrators use Group Policy and Active Directory together to define policy across sites, domains, and OUs according to the following rules:

    1. GPOs are stored on a per-domain basis.

    2. Multiple GPOs can be associated with a single site, domain, or OU.

    3. Multiple sites, domains, or OUs can use a single GPO.

    4. Any site, domain, or OU can be associated with any GPO, even across domains (although doing so slows performance).

    5. The effect of a GPO can be filtered to target particular groups of users or computers based on membership in a security group or through WMI filters.

  2. To set Group Policy for a selected Active Directory object, an administrator shall have read and write permission to access the system volume of domain controllers (Sysvol folder) and to modify rights to the currently selected directory object. The system volume folder is created automatically when a domain controller (or a server promoted to a domain controller) is installed.

10.8.20.5.2.10.11  (03-28-2008)
Computer and User Configuration

  1. Administrators can configure specific desktop environments and enforce policy settings on groups of computers and users on the network as follows:

    1. Computer Configuration
      Computer-related policies specify operating system behavior, desktop behavior, application settings, security settings, assigned applications options, and computer startup and shutdown scripts. Computer-related policy settings are applied when the machine is rebooted and during a periodic refresh of Group Policy.

    2. User Configuration
      User-related policies specify operating system behavior, desktop settings, application settings, security settings, assigned and published applications options, user logon and logoff scripts, and folder redirection options. User-related policy settings are applied when users log on to the computer and during the periodic refresh of Group Policy.

10.8.20.5.2.10.12  (03-28-2008)
Group Policy Management Console

  1. GPOs are managed in the IRS Windows Server 2003 environment using the Group Policy Management Console (GPMC). GPMC is a new feature in Windows Server 2003 that provides an interface for deploying and managing Group Policy implementations and enables script-based management of Group Policy operations. Together with new features such as backup, restore, copy, and scriptable operations, the GPMC simplifies Group Policy deployments. Table 1 shows the features of GPMC.

10.8.20.5.2.10.13  (03-28-2008)
Applying Security Settings to Systems

  1. Exhibit 10.8.20-12 contains permissions that shall be applied to GPOs. Two types of GPOs are listed. A Default GPO is a GPO that only has the default group, Authenticated Users, in the Security Filtering Section with default permissions. Single-Purpose GPOs are created to enable services and user-rights not authorized in the default (baseline) GPOs. The Single-Purpose GPO is a GPO that has Authenticated Users replaced with a unique Security Filtering Group.

  2. Exhibit 10.8.20-16 contains allowable exceptions for an Active Directory Domain Controller.

10.8.20.5.2.10.14  (03-28-2008)
Security Configuration Manager

  1. The Security Configuration Manager toolset allows the ability to create, apply and edit security variables for a local computer, organizational unit, or domain. See Table 2 for a description of the tools in the security configuration manager.

10.8.20.5.2.10.15  (03-28-2008)
Active Directory Sites

  1. An IRS Active Directory Site is defined as a set of well-connected IP subnets. Typically, within the overall network, each Local Area Network is a separate site and is connected to other Sites via the Wide Area Network (WAN). These sites represent the physical topology of the Active Directory. Forests, domains, and organizational units represent the logical topology of the Active Directory. Sites are based on the physical network, such as LAN connectivity and the overall network topology.

  2. Active Directory sites are used for the following purposes:

    1. Active Directory Replication – Updates to objects in the directory partitions of Active Directory are transferred within sites and between sites.

    2. System Volume (Sysvol) Replication – The system volume provides a default Active Directory location for files that shall be replicated throughout a domain, including GPOs and logon scripts.

    3. Client Logon – Sites and their associated subnet addresses are used by the domain controller locator to ensure that a client finds a domain controller in the same site (if one is available in that site) or else in the nearest site through automatic site coverage.

    4. Service Location – Requested services such as printing and file services are located within the same site, as well as site-specific services including distributed file system and the Sysvol tree.

  3. Modernization and Information Technology Services (MITS) is responsible for establishing and managing the active directory network topology.

10.8.20.5.2.10.16  (03-28-2008)
Active Directory Groups

  1. At present, only the IRS default settings are permitted for the groups defined herein.

  2. Incoming Forest Trust Builders Group
    Members of this group can create incoming, one-way trusts to the forest. This group has no default members and only exists on domain controllers.

  3. Network Configuration Operators
    Members can modify TCP/IP settings on domain controllers in the domain. This group has no default members.

  4. Remote Desktop Users
    Members of this group can log on remotely to domain controllers in the domain. There are no default members of this group.

  5. Performance Log Users
    Members have remote access to logged performance counters on domain controllers. There are no default members of this group.

  6. Group Policy Creator Owners
    Members of this group can modify domain Group Policy. Administrator is a member of this group by default.

  7. Enterprise Admins
    Members of this universal group have full power over all domains in the forest. It is only seen in the forest root domain. Enterprise Admins is a member of the Administrators group on all DCs in the forest. Administrator is a member of this group by default.

  8. Schema Admins
    This universal group only appears in the forest root domain. Members have the ability to modify the AD schema. Administrator is a member of this group by default.

10.8.20.5.2.11  (03-28-2008)
Windows Explorer Settings

  1. Properly configuring Windows Explorer is important for overall system security.

    • See Exhibit 10.8.20-17. The Windows Explorer shall be configured as defined in Exhibit 10.8.20-17.

10.8.20.5.2.12  (03-28-2008)
Internet Explorer and Active X Settings

  1. There are inherent security risks any time users are allowed to access the Internet. Some of these threats include malicious code, viruses introduced when downloading files, and data compromise by eavesdropping when communicating with non-secure sites.

  2. Properly configuring IE is very important for preventing ActiveX from being run on a user's computer, but it does not completely protect a user from having an ActiveX control run on their machine.

  3. This section addresses the security features which shall be implemented to allow business activities to continue while minimizing risk to IRS systems.

  4. All systems shall be configured to default to the IRS home page.

  5. The version of Internet Explorer shall be equal to the following versions, which show appropriate versions numbers for each Operating System:

    1. Windows 2000: Version 6.00.2800.1106 or greater

    2. Windows XP: Version 6.00.2900.2180 or greater

    3. Windows 2003: Version 6.00.3790.3959 or greater

  6. Additional security configurations shall be configured within the Internet browser to provide the necessary additional controls.

    • All browser software shall be configured using the configurations identified in Exhibit 10.8.20-18.

10.8.20.5.2.12.1  (03-28-2008)
ActiveX, JAVA, and Mobile Code

  1. The term "mobile code" typically refers to interpreted or executable content that can be downloaded and run on a user workstation, while using the Internet. ActiveX and ActiveX controls can be grouped under the category of mobile code.

  2. Mobile code allows Internet users to view rich and dynamic Internet content and allows users visiting web sites to automate common tasks. Examples of these include: Microsoft's Visual Basic Script (VBScript), Sun Microsystems' Java and JScript, and ActiveX.

  3. Like any robust tool, the same mechanisms that have made mobile code and ActiveX desirable can be used for malicious purposes as well. ActiveX and mobile code create a serious risk to the IRS, if not properly managed.

  4. Unlike Java, ActiveX objects do not operate within a "sandbox" environment; rather, they inherit the same permissions as the user accessing the Internet, including modifying or deleting files or settings, or accessing network connections. As a result, ActiveX poses a greater risk to users.

  5. ActiveX shall be implemented with sufficient security measures to prevent malicious use.

10.8.20.5.2.12.2  (03-28-2008)
ActiveX Trusted Sites

  1. Organizations may use mobile code (e.g., Active-X) only on IRS Intranet or trusted sites. A trusted site is one that has established, documented and IRS-approved controls to guarantee that no adverse effects are possible.

  2. These controls shall be documented in a Memorandum of Understanding (MOU) or an Interagency Service Agreement (ISA) in accordance with NIST SP 800-47.

  3. Cybersecurity (formerly Mission Assurance and Security Services (MA&SS)) shall coordinate the approval of each trusted site for the CIO, who shall formally concur on the identification and documentation of the trusted sites and submit a deviation to Treasury for approval.

  4. This process shall be the authoritative process for deviation from the Treasury Directive (TD) 85-01 requirements.

  5. Sites listed in the ActiveX Trusted Sites shall be reviewed annually to ensure that they should continue to be listed.

10.8.20.5.2.12.3  (03-28-2008)
Internet Explorer Zones

  1. Zones shall be used to allow managers to control access to the Internet based upon business need.

  2. The zones used for the IRS Windows environment include:

    1. Local Intranet Zone – Sites in this zone are those that are not part of any other zone and are either resident in the Proxy's Local Address Table or explicitly defined as resident in the local intranet (these sites can be identified by hostname, Internet Protocol (IP) address, Domain Name System (DNS) domain, or IP sub-network).

      The default security level for this zone is Medium.

    2. Trusted Sites Zone – SAs trust the sites in this zone. The sites are those that the user should feel comfortable with downloading or running files without worry of damage or manipulation of their own systems. The user can define specific sites by Uniform Resource Locator (URL), IP address, DNS domain, or IP sub-network. The zone can also require that the site uses Secure Sockets Layer (SSL)/ Transport Layer Security (TLS) for server authentication to be trusted.

      The default security level for this zone is Low.

    3. Restricted Sites Zone – This zone consists of sites that the user should not trust. Administrators or users do not know whether downloading or running files from these sites will damage their local computers. The user can define specific sites by URL, IP address, DNS domain, or IP sub-network.

      The default security setting for this zone is High.

    4. Internet Zone – This zone consists of all other sites that are not located in the other zones.

      The default security setting for this zone is Medium.

10.8.20.5.2.12.4  (03-28-2008)
Internet Explorer Security Zone Customized Settings

  1. The IRS currently has a policy regarding IE zones and employees are grouped by level of need for access to dynamic content.

  2. In the Restricted Zone, every setting shall be disabled. Further, e-mail clients such as Microsoft Outlook and Outlook Express shall be configured to use the Restricted Zone. ActiveX controls, both signed and unsigned are disabled in this zone.

    • See Exhibit 10.8.20-19. Exhibit 10.8.20-19 contains the configuration settings for Internet Explorer Zones.

10.8.20.5.2.12.5  (03-28-2008)
Use of Group Policy or IE Administration Kit (IEAK) To Distribute Pre-configured Settings

  1. Organizational administrators can use the IEAK or Windows Group Policy to define settings and distribute them across the entire organization. Using IEAK, it is possible to distribute IE over the network or develop a compact disk read-only memory (CD-ROM) to distribute to users. These customized versions can be configured with any of the security settings discussed earlier.

  2. Group Policy allows the administrator to automatically apply settings every time a user logs onto a system or for a designated amount of time.

  3. Where Group Policy is not implemented or if IEAK is not available, it is possible to distribute the following registry key that contains all of the IE Security Zone settings:

    1. [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones]

    2. Under this registry key is a group of sub-keys that store settings for that particular zone:

    3. 0 = My Computer
      (1) The My Computer Zone is a zone that contains files located on the local computer. Settings for this shall not be modified unless through the IEAK.

    4. 1 = Local Intranet

    5. 2 = Trusted Sites

    6. 3 = Internet

    7. 4 = Restricted Sites
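The zone sub-keys listed above hold the per-zone security settings as numbered URL-action values, which makes them easy to audit against the ActiveX requirements in this section (everything disabled in Restricted Sites; no unsigned control downloads from the Internet). The following is an added example, not part of IRM 10.8.20; it assumes Internet Explorer's documented URLACTION value names (1001, 1004, 1200, 1201) and the stored encoding 0 = Enable, 1 = Prompt, 3 = Disable, and checks only the current user's hive, not machine-wide policy under HKLM.

```powershell
# Added example (not IRM text): audit ActiveX URL actions in each IE zone of
# the current user. Assumes IE's URLACTION ids and 0/1/3 value encoding.
$zonesKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# Zone numbers exactly as the policy lists them
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites';
                3 = 'Internet';    4 = 'Restricted Sites' }

# URLACTION ids -> description. Stored value: 0 = Enable, 1 = Prompt, 3 = Disable
$actions = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
}
$valueText = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Policy expectations from this section: everything disabled in Restricted Sites,
# no unsigned downloads from the Internet zone. Other zones are reported only.
$expected = @{
    4 = @{ '1001' = 3; '1004' = 3; '1200' = 3; '1201' = 3 }
    3 = @{ '1004' = 3 }
}

$nonCompliant = 0
foreach ($zone in 0..4) {
    $path = Join-Path $zonesKey $zone
    if (-not (Test-Path $path)) { "Zone $zone ($($zoneNames[$zone])): key not present"; continue }
    $props = Get-ItemProperty -Path $path
    "== Zone $zone ($($zoneNames[$zone])) =="
    foreach ($id in $actions.Keys) {
        $val = $props.$id
        $label = if ($null -eq $val) { '(not set)' }
                 elseif ($valueText.ContainsKey([int]$val)) { $valueText[[int]$val] }
                 else { "raw $val" }
        $line = '  {0} {1,-58} {2}' -f $id, $actions[$id], $label
        # A missing value is treated as non-compliant: the policy requires an explicit Disable
        if ($expected.ContainsKey($zone) -and $expected[$zone].ContainsKey($id) -and
            $val -ne $expected[$zone][$id]) {
            $line += '   <-- NON-COMPLIANT'
            $nonCompliant++
        }
        $line
    }
}
"Non-compliant ActiveX settings found: $nonCompliant"
```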

10.8.20.5.2.12.6  (03-28-2008)
Code Signing with ActiveX

  1. Ensuring integrity and authenticity are the two main security issues regarding mobile content, but more specifically, regarding ActiveX.

  2. Microsoft addresses security in ActiveX with the use of code signing.

  3. Packaged software uses trusted sales outlets (retail stores) to assure users of integrity, but this assurance is not available when code is transmitted across the Internet.

  4. Currently, code signing is the only way to completely validate the integrity and authenticity of code being distributed across a network.

  5. IRS shall ensure it accepts only code which has been signed.

    • See Exhibit 10.8.20-19. Exhibit 10.8.20-19 contains the configuration settings for Internet Explorer Zones.

10.8.20.5.2.12.7  (03-28-2008)
Authenticode and Certificate Services

  1. Many code-signing and certificate-servicing third-party tools are available. One example is Microsoft Authenticode, which digitally signs and verifies any executable code.

  2. The signcode.exe tool allows signing the given program and prompts the signer for the certificate to be stored in the Cryptographic Application Programming Interface (CryptoAPI).

  3. The certificate can be developed through having a corporate CA using Windows 2000 Certificate Services or simply by using a commercial CA such as VeriSign.

  4. In any organization where there is distributed code being developed, digitally signing the code is required to prevent developers from producing dangerous code that does not conform to corporate policy.

  5. Code signing allows management to ensure policies remain intact.
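signcode.exe covers the signing side; the acceptance requirement in this section ("accepts only code which has been signed") needs a verification step before distributed code is deployed. The following is an added example, not part of IRM 10.8.20; it uses the built-in Get-AuthenticodeSignature cmdlet, and the staging folder path is a placeholder.

```powershell
# Added example (not IRM text): verify Authenticode signatures on staged
# binaries and ActiveX controls before they are accepted. Folder is a placeholder.
param([string]$Folder = 'C:\Staging\Downloads')

$files = Get-ChildItem -Path $Folder -Recurse -File -Include *.exe,*.dll,*.ocx,*.cab,*.msi
foreach ($f in $files) {
    $sig    = Get-AuthenticodeSignature -FilePath $f.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '-' }
    # Only Status = Valid proves both integrity (hash matches the signature) and
    # authenticity (the signer chains to a trusted CA, as in item 3 above).
    $verdict = switch ($sig.Status) {
        'Valid'        { 'ACCEPT' }
        'NotSigned'    { 'REJECT: unsigned' }
        'HashMismatch' { 'REJECT: file modified after signing' }
        default        { "REJECT: $($sig.Status)" }   # e.g. NotTrusted (untrusted root)
    }
    '{0,-45} {1,-40} {2}' -f $f.Name, $signer, $verdict
}
```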

10.8.20.5.2.12.8  (03-28-2008)
Internet Groups

  1. Internet groups shall be created into which users can be placed to allow them access to the information they need to perform their job.

  2. A Form 5081 signed by a second level manager shall be required to place users in groups that allow accesses which could be insecure.

  3. Approval of the Chief Information Officer or designee shall be required for accesses that are insecure by nature, such as downloading unsigned ActiveX controls from trusted sites.

  4. The IRS is not locked into specific names or groups, but functionality shall be separated. Examples of some of the possible membership rights are listed below:

    1. Basic Internet access. This level of access would provide basic Internet access.

    2. Scripting Access - Users in this kind of group(s) would have the ability to access sites that use JavaScript, VBScript or ActiveX controls and possibly will have the ability to submit non-encrypted form data.

    3. ActiveX - Membership in this group(s) would allow web sites to download, install, and invoke ActiveX controls, possibly signed controls only or signed and unsigned controls from trusted sites. There shall be no policy that would permit downloading unsigned controls from the Internet.

10.8.20.5.2.12.9  (03-28-2008)
ActiveX Management Controls

  1. In order for this change to effectively implement Treasury and Service policy, there shall be significant senior management involvement in any action that would negate required protective mechanisms, while avoiding significant management burden for safer use of the Internet. Senior management approval is required for two classes of actions:

    1. Adding specific users to groups that allow ActiveX access.

    2. Placing non-IRS sites into a "Trusted Sites" listed group.

  2. No non-IRS site shall be placed into any "Intranet" listed group.

  3. In order to qualify for listing as a Trusted Site, the site shall meet the following criteria:

    1. Be operated in a secure manner,

    2. Be located within United States legal jurisdiction,

    3. Be a government owned and operated site for which a continuing need for access is apparent (e.g., tsp, employee express), or

    4. Be a site operated by an approved IRS vendor, with whom we have negotiated sufficient protective measures, such as having an ISA, a CM process to prevent improper changes to the IRS environment (e.g., Choice Point).

  4. End User Computing, Enterprise Operations and Web Services shall maintain, with coordination by Office of Security Services, a master listing of each such "Trusted Site", its sponsor, and the security and technology issues surrounding it (e.g., ISA, CM process, security awareness level).

10.8.20.5.2.12.10  (03-28-2008)
Internet Browsing On Servers

  1. Using servers for Internet browsing does not adhere to sound security practices because Internet browsing increases the exposure to potential security attacks. To reduce the risk on servers of potential attacks from malicious Web-based content:

    1. Servers shall not be used for Internet browsing.

    2. In order to disable access to the Internet from servers, the proxy settings shall be modified in a way that makes the Internet inaccessible. If at a later time a different method for disabling Internet access is established, this policy will be updated to reflect it. Refer to Exhibit 10.8.20-30 to view the required server proxy configuration.

    3. On servers, other web browsers, including but not limited to Mozilla Firefox, Safari, Opera, and Netscape, shall not be installed.

    4. Client workstations shall be utilized to download drivers, service packs, and other required updates.

    5. Servers will be allowed to utilize Internet Explorer to access IRS intranet sites. The settings defined in Exhibit 10.8.20-19 for the Intranet Zone shall be followed.

10.8.20.5.2.12.11  (03-28-2008)
Internet Browsing On Workstations

  1. To reduce the risk of malicious code on Internet websites, all web browsing shall be performed using a standard non-Administrator account.

10.8.20.5.2.13  (03-28-2008)
Remote Access

  1. As the IRS allows employees to access the network from non-IRS sites and remote IRS sites, remote access security is necessary to ensure network integrity.

  2. Only IRS approved mechanisms for remote access shall be used, and guidance for such approved mechanisms shall be followed.

    • See IRM 10.8.1, IT Security Policy and Guidance, for more information.

10.8.20.5.2.14  (03-28-2008)
Terminal Services

  1. Terminal Services may be used by administrators for remote administration of Windows machines. The following guidance shall be followed to secure Terminal Services.

  2. User accounts are placed into a new, locked down Organizational Unit (OU). Create Terminal-Server-only user accounts and place them in a new, locked down OU. Allow user logons to the Terminal Server for only these users by using the Terminal Server Configuration MMC snap-in. Instruct the users to only use these accounts on the Terminal Server.

  3. Only the Terminal Server computer object is placed into the locked down OU. After installing and configuring all applications on the Terminal Server, place the Terminal Server computer object into the locked down OU.

  4. Policies for the locked down OU shall be as restrictive as possible.

  5. The Terminal Services Configuration tool shall be used to secure Terminal Services.

  6. For additional guidance see the Microsoft document, Locking Down Windows Server 2003 Terminal Server Sessions, at http://www.microsoft.com/windowsserver2003/techinfo/overview/lockdown.mspx.

    • See Exhibit 10.8.20-20. Terminal Services shall be configured according to the settings in Exhibit 10.8.20-20.

10.8.20.5.2.15  (03-28-2008)
Antivirus, Spam and Spyware Protection

  1. All Windows systems shall be protected with Service-approved virus detection software, using current virus definitions. Current standards are:

    1. Vendor: Symantec Antivirus

    2. Minimum Versions:
      • Servers: 10.1.6.6010 or more recent version
      • Desktops/laptops: 10.1.5.5010 or more recent version

    3. For the latest IRS approved version: http://mtb0120vpvmsp01.ds.irsnet.gov/sites/anti-virus/default.aspx .

    4. Virus Definitions shall not be greater than 9 days old on any IRS system.

  2. Scans shall allow for:

    1. Periodic scan of local hard drives, which shall take place no less than weekly;

    2. The system to be scanned using a memory-resident program, so that a virus in an inbound file can be detected and corrected immediately; and

    3. User to manually scan a diskette and/or CD.

  3. Workstation users shall have the ability to manually scan diskettes.

    • Antivirus guidelines are available at the following web site: http://mtb0120vpvmsp01.ds.irsnet.gov/sites/anti-virus/default.aspx .

10.8.20.5.2.16  (03-28-2008)
Host-based Intrusion Detection Sensors (HIDS)

  1. All Windows servers shall be protected with Service-approved Host-based Intrusion Detection Sensor configured per IRS specifications.

    1. Vendor: ISS RealSecure IDS

    2. Minimum Version: 7.0 SR 4.4. The latest IRS approved version is available at the following website: http://www.csirc.web.irs.gov/services/detection/hids/realsecure/ .

10.8.20.5.3  (03-28-2008)
Audit and Accountability

  1. The IRS shall create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity.

10.8.20.5.3.1  (03-28-2008)
Auditing Overview and Strategy

  1. See IRM 10.8.1, IT Security, Policy and Guidance and IRM 10.8.3, Audit Logging Security Standards, for general and specific non-Windows audit requirements.

10.8.20.5.3.2  (03-28-2008)
Audit Policy

  1. All activity shall be audited, except for process tracking. Below is an explanation of the Windows specific settings dealing with audit policies.

    1. Audit Account Logon Events

    2. Audit Account Management

    3. Audit Directory Service Access - No auditing of Directory Service Access is required on Windows 2000 Servers that are member or stand-alone servers, because Directory Service Access can only be audited on Windows 2000 (or later) domain controllers.

    4. Audit Logon Events

    5. Audit Object Access

    6. Audit Policy Change

    7. Audit Privilege Use

    8. Audit Process Tracking

    9. Audit System Events

    • See Exhibit 10.8.20-21. Audit Policy settings are contained in Exhibit 10.8.20-21.

    • See Exhibit 10.8.20-32. Definitions for Audit Policies are contained in Exhibit 10.8.20-32, Glossary (See Audit Policies).

10.8.20.5.3.3  (03-28-2008)
Audit Security Options

  1. Below is an explanation of the Windows specific Security Options dealing with auditing.

  2. Audit: Audit the access of global system objects
    Windows 2000 - Audit the access of global system objects

  3. Audit: Audit the use of backup and restore privilege
    Windows 2000 - Audit the use of backup and restore privilege

  4. Audit: Shut down system immediately if unable to log security audits
    Windows 2000 - Shut down system immediately if unable to log security audits

    • See Exhibit 10.8.20-4. Audit Security Options are contained in the Security Options Exhibit 10.8.20-4.

    • See Exhibit 10.8.20-32. Definitions for Audit Security Options are contained in Exhibit 10.8.20-32, Glossary. See Audit.

10.8.20.5.3.4  (03-28-2008)
File System Auditing

  1. File system auditing allows sensitive and/or critical files to be audited to ensure tampering of these files can be detected. The business owner identifies critical files. Examples of critical files include taxpayer case files, taxpayer database files, and operation sensitive information.

10.8.20.5.3.5  (03-28-2008)
Auditing Registry Changes

  1. Auditing of registry keys can track changes made by users or applications. The business owner identifies critical registry keys.

10.8.20.5.3.6  (03-28-2008)
Event Log Auditing

  1. The Security, Application, and System event logs contain information generated by the specified audit settings. In addition, Windows Server 2003 might have additional event logs for File Replication Service, Directory Service and DNS Server.

  2. In order to record, retrieve, and store event logs on a Windows system, an administrator shall enable auditing and configure the events to be audited as outlined in the Local Policies section earlier in this chapter. In addition to the enabled audit settings, auditing of other system objects such as specific files, registry keys, and printers can be enabled.

  3. Audit logs on servers shall be copied to the security servers on a regularly scheduled basis; this will ensure that all audit logs are created and archived for legal purposes.

10.8.20.5.3.6.1  (03-28-2008)
Event Log Settings

  1. The following is an explanation of the Windows specific Event Log Settings:

  2. Maximum Application Log Size

  3. Maximum Security Log Size

  4. Maximum System Log Size

    Inadequate audit log size could result in overwriting log file data. If events are overwritten before they can be reviewed, there is an increased risk that continuous unauthorized activity may go undetected.


  5. Restrict Guest Access to Application Log

  6. Restrict Guest Access to Security Log

  7. Restrict Guest Access to Systems Log

  8. Prevent local guests group from accessing application log

  9. Prevent local guests group from accessing security log

  10. Prevent local guests group from accessing system log

    If these policies are enabled, guests are prevented from access to the application, security and system event logs.


  11. Retention Method for Application Log

  12. Retention Method for Security Log

  13. Retention Method for Systems Log

    The retention method determines the "wrapping" method for the logs.
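The three groups of settings above (maximum size, guest access, retention method) are stored per log in the Event Log service's registry keys, so the effective values can be read back and decoded. The following is an added example, not part of IRM 10.8.20; it assumes the classic Eventlog registry layout (value names MaxSize, RestrictGuestAccess and Retention) and local HKLM read access. The required values are in the exhibits, not on this page, so the script reports rather than grades.

```powershell
# Added example (not IRM text): decode the Event Log size, guest-access and
# retention settings for the three classic logs. Assumes HKLM read access.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog'

function Get-EventLogSettings([string]$LogName) {
    $p = Get-ItemProperty -Path (Join-Path $base $LogName)

    # MaxSize is stored in bytes; an absent value means the built-in default applies
    $maxSize = if ($null -eq $p.MaxSize) { 'default' } else { '{0} KB' -f [int]($p.MaxSize / 1KB) }

    # RestrictGuestAccess = 1 keeps the local Guests group out of this log
    $guest = if ($p.RestrictGuestAccess -eq 1) { 'guests restricted' } else { 'guests NOT restricted' }

    # Retention ("wrapping" method): 0 = overwrite events as needed;
    # 0xFFFFFFFF (read back from REG_DWORD as -1) = never overwrite, clear manually;
    # any other value = seconds an event must be kept before it may be overwritten
    $r = $p.Retention
    $retention = if ($null -eq $r -or $r -eq 0) { 'overwrite events as needed' }
                 elseif ($r -eq -1 -or $r -eq 0xFFFFFFFF) { 'do not overwrite (clear log manually)' }
                 else { 'overwrite events older than {0} days' -f [int]([double]$r / 86400) }

    [pscustomobject]@{ Log = $LogName; MaxSize = $maxSize; GuestAccess = $guest; Retention = $retention }
}

'Application', 'Security', 'System' | ForEach-Object { Get-EventLogSettings $_ } | Format-Table -AutoSize
```

An undersized log with "overwrite events as needed" is exactly the overwrite risk the Maximum Log Size explanation above describes, so those two columns should be read together.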