
10.8.20  Windows Security Policy (Cont. 3)

10.8.20.5 
Technical Controls

10.8.20.5.4 
System and Communications Protection

10.8.20.5.4.2  (03-28-2008)
IP-Filter Ports and Descriptions

  1. For all TCP and UDP services, use the standard TCP/UDP port number assignments.

  2. All ports not specifically required for normal business operations shall be disabled.

  3. The IP Protocol ID shall use the following standards:

    1. Protocol 1 - ICMP

    2. Protocol 2 - IGMP

    3. Protocol 3 - GGP

    4. Protocol 4 - IP in IP encapsulation

    5. Protocol 5 - ST stream

    6. Protocol 6 - TCP

    7. Protocol 7 - Often used for Computer Based Training

    8. Protocol 8 - EGP

    • See Exhibit 10.8.20-24, which lists common Windows ports and their descriptions.

10.8.20.5.4.3  (03-28-2008)
Network Data Protection

  1. Network data within a site (local network and subnets) is secured by the authentication protocol. For an additional level of security, administrators and users can choose to encrypt network data within a site. Using Internet Protocol Security, one can encrypt all network communication for specific clients, or for all clients in a domain. Network data passing in and out of a site (across intranets, extranets, or an Internet gateway) can be secured using the following utilities:

    1. Internet Protocol Security (IPSec) - a suite of cryptography-based protection services and security protocols;

    2. Routing and Remote Access - configures remote access protocols and routing; and

    3. Internet Authentication Service (IAS) - provides security and authentication for dial-in users.

10.8.20.5.4.3.1  (03-28-2008)
Encrypted File System (EFS)

  1. The encrypted file system (EFS) provides a mechanism to secure data that resides on local hard drives and/or servers. This protects files from being accessed by unauthorized personnel via the network.

  2. While EFS protects files stored on the hard drive, files lose that protection once they are e-mailed, transferred, or otherwise copied off the disk. EFS is intended to protect the system when an unauthorized user gains access to files and directories, whether via the network or through a local logon.

  3. Recovery agents shall be established and managed to ensure data is not lost if the employee leaves or the system crashes. Where the system does not support this (e.g., XP), procedures shall be provided to users to ensure data can be recovered.

  4. EFS shall be used on all systems where any SBU data resides, including taxpayer data.

    1. The SA shall create and encrypt an "SBU Data" folder for encrypted data.

    2. SA shall encrypt any temp directories on systems that use EFS.

10.8.20.5.4.3.2  (03-28-2008)
Public Key Infrastructure Policies

  1. The IRS shall utilize Public Key Infrastructure (PKI) within its implementation of Windows Server 2003 and Active Directory. PKI is a system of digital certificates, certification authorities (CAs) and other registration authorities (RAs) that verify and authenticate the validity of each party that is involved in an electronic transaction through the use of public key cryptography.

10.8.20.5.4.3.3  (03-28-2008)
Encryption of SBU Files In Transport

  1. At minimum, IRS owned laptops, portables, and workstations operated outside of IRS facilities shall use encryption software to protect SBU data.

  2. In Large Case sites, where Windows domains are configured, these shall be exempt from the encryption requirement, as long as:

    1. Physical security controls are in place.

    2. The domain is not connected to the IRS network.

    3. A deviation has been requested from Cybersecurity (formerly Mission Assurance and Security Services (MA&SS)), identifying the Large Case site and the need for off-premise systems without encryption.

  3. Encryption shall be performed using algorithms determined to be compliant with Federal Information Processing Standards Publication (FIPS) 140-2, Security Requirements for Cryptographic Modules.

  4. Approved COTS product information is available from the End User Equipment and Services (EUES) intranet web site, accessed via the authorized IRS intranet home page, at http://irweb.irs.gov/.

10.8.20.5.4.3.4  (03-28-2008)
Encrypted Data Recovery Agents

  1. All data encrypted by EFS on workstations attached to the Windows Server environment shall be recoverable. By default, the Administrator account on the Domain Controllers shall be designated as the Default Recovery Agent (DRA). Additional DRAs will be needed; they are the ones who actually perform the recovery of data.

  2. The DAA shall ensure that the DRA architecture within the IRS enterprise is documented for the DAA's respective area(s) of responsibility. All actions taken by the DRAs shall be audited and reviewed by the DAA's Data Security organization to ensure the DRAs are used only as appropriate.

10.8.20.5.4.3.5  (03-28-2008)
Browser Security

  1. Windows installations shall include 128-bit browser encryption, which is allowed for only US and Canadian use.

    • For specific Internet Explorer security, including items relating to systems and communication protection, see IRM 10.8.20.5.2.12 - Internet Explorer Security.

10.8.20.5.4.3.6  (03-28-2008)
Security Options for Network Data Protection

  1. The following are the Windows-specific Security Options that deal with network data protection (where an option has a different name under Windows 2000, that name is shown beneath it).

  2. Domain member: Digitally encrypt or sign secure channel data (always)
    Windows 2000 - Secure channel: Digitally encrypt or sign secure channel data (always)

  3. Domain member: Digitally Encrypt Secure Channel Data (when possible)
    Windows 2000 - Secure channel: Digitally encrypt secure channel data (when possible)

  4. Domain member: Digitally sign secure channel data (when possible)

  5. Domain member: Require strong (Windows 2000 or later) session key
    Windows 2000 - Secure channel: Require strong (Windows 2000 or later) session key

  6. Network Access: Do not allow storage of credentials or .NET passports for network authentication

  7. Microsoft Network Client: Digitally sign communications (always)
    Windows 2000 - Digitally sign client communication (always)

  8. Microsoft Network Client: Digitally sign communications (if server agrees)
    Windows 2000: Digitally sign client communications (when possible)

  9. Microsoft Network Client: Send unencrypted password to connect to third-party SMB servers
    Windows 2000 - Send unencrypted password to connect to third-party SMB servers

  10. Microsoft Network Server: Digitally sign communications (always)
    Windows 2000: Digitally sign communications (always)

  11. Microsoft Network Server: Digitally sign communications (if client agrees)
    Windows 2000: Digitally sign communications (when possible)

  12. Network Security: LAN manager authentication level
    Windows 2000 - LAN Manager authentication level

  13. Network Security: LDAP client signing requirements

  14. Network Security: Minimum session security for NTLM SSP based (including secure RPC) clients

  15. Network Security: Minimum session security for NTLM SSP based (including secure RPC) servers

  16. System Cryptography: Force strong key protection for user keys stored on the computer

  17. System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing

    • See Exhibit 10.8.20-4, Security Options, for the required values of the Network Data Protection Security Options.

    • See Exhibit 10.8.20-32, Glossary, under Network Data Protection, for definitions of these Security Options.

10.8.20.5.4.3.7  (03-28-2008)
Security Options for Protection of Information Remnants

  1. The following are explanations of the Windows specific Security Options dealing with the protection of information remnants that could leave a system exposed.

  2. Network Security: Do not store LAN Manager password hash value on next password change
    The SAM database typically stores a LAN Manager (LM) hash of account passwords. The SAM database should be secure on the workstation; however, if it is captured, the LM hash can be retrieved. Many vulnerabilities exist in the LM authentication model, and brute-force attacks against LM hashes usually succeed with ease. Removing the LM hash from the SAM database helps protect the local account passwords.

  3. Shutdown: Clear virtual memory pagefile
    (Windows 2000 - Clear virtual memory pagefile when system shuts down)
    Virtual memory extends the physical memory available to the CPU. As data and applications fill the available physical memory, the operating system writes less-frequently used pages of memory out to disk, into the virtual memory pagefile. This greatly extends the amount of "virtual" memory available to the computer. Because those pages can contain copies of passwords, keys, and other sensitive data that were in memory, clearing the pagefile at shutdown prevents that data from being recovered from the disk afterwards.

    • See Exhibit 10.8.20-4, Security Options, for the required values of the Security Options for Protection of Information Remnants.
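As an added example (not part of IRM 10.8.20), the following PowerShell script reads the registry values that back the Security Options listed in 10.8.20.5.4.3.6 and 10.8.20.5.4.3.7 and reports each against an expected value. The registry locations are the standard Windows ones; the expected values are assumptions standing in for Exhibit 10.8.20-4, and the FIPS option is omitted because its registry location differs between XP/2003 and later Windows versions.

```powershell
# Added audit example, not IRS code. Reads the registry values behind the listed
# Security Options and compares them with an expected value. The Expected values
# are assumptions (typical hardened settings); replace them with the values from
# Exhibit 10.8.20-4 before relying on the report. Run from an elevated prompt.
$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$wks      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$srv      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$memmgmt  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

# Each entry: policy name as shown in Group Policy, registry key, value name, expected value.
$checks = @(
  @{ Name='Domain member: Digitally encrypt or sign secure channel data (always)';  Key=$netlogon; Value='RequireSignOrSeal';        Expected=1 },
  @{ Name='Domain member: Digitally encrypt secure channel data (when possible)';   Key=$netlogon; Value='SealSecureChannel';        Expected=1 },
  @{ Name='Domain member: Digitally sign secure channel data (when possible)';      Key=$netlogon; Value='SignSecureChannel';        Expected=1 },
  @{ Name='Domain member: Require strong (Windows 2000 or later) session key';      Key=$netlogon; Value='RequireStrongKey';         Expected=1 },
  @{ Name='Network access: Do not allow storage of credentials or .NET Passports';  Key=$lsa;      Value='DisableDomainCreds';       Expected=1 },
  @{ Name='Microsoft network client: Digitally sign communications (always)';       Key=$wks;      Value='RequireSecuritySignature'; Expected=1 },
  @{ Name='Microsoft network client: Digitally sign communications (if server agrees)'; Key=$wks;  Value='EnableSecuritySignature';  Expected=1 },
  @{ Name='Microsoft network client: Send unencrypted password to third-party SMB servers'; Key=$wks; Value='EnablePlainTextPassword'; Expected=0 },
  @{ Name='Microsoft network server: Digitally sign communications (always)';       Key=$srv;      Value='RequireSecuritySignature'; Expected=1 },
  @{ Name='Microsoft network server: Digitally sign communications (if client agrees)'; Key=$srv;  Value='EnableSecuritySignature';  Expected=1 },
  @{ Name='Network security: LAN Manager authentication level';                     Key=$lsa;      Value='LmCompatibilityLevel';     Expected=5 },
  @{ Name='Network security: LDAP client signing requirements'; Key='HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'; Value='LDAPClientIntegrity'; Expected=1 },
  # 0x20080000 = require NTLMv2 session security and 128-bit encryption
  @{ Name='Network security: Minimum session security for NTLM SSP based clients';  Key="$lsa\MSV1_0"; Value='NTLMMinClientSec';     Expected=0x20080000 },
  @{ Name='Network security: Minimum session security for NTLM SSP based servers';  Key="$lsa\MSV1_0"; Value='NTLMMinServerSec';     Expected=0x20080000 },
  @{ Name='System cryptography: Force strong key protection for user keys'; Key='HKLM:\SOFTWARE\Policies\Microsoft\Cryptography'; Value='ForceKeyProtection'; Expected=2 },
  @{ Name='Network security: Do not store LAN Manager hash value on next password change'; Key=$lsa; Value='NoLMHash';            Expected=1 },
  @{ Name='Shutdown: Clear virtual memory pagefile';                                Key=$memmgmt;  Value='ClearPageFileAtShutdown';  Expected=1 }
)

function Get-SecurityOptionStatus {
  param([hashtable]$Check)
  # A missing key or value means the option is "Not Defined" and still needs review.
  $item   = Get-ItemProperty -Path $Check.Key -Name $Check.Value -ErrorAction SilentlyContinue
  $actual = if ($null -ne $item) { $item.($Check.Value) } else { $null }
  $shown  = if ($null -eq $actual) { 'Not Defined' } else { $actual }
  $status = if ($actual -eq $Check.Expected) { 'PASS' } else { 'REVIEW' }
  [pscustomobject]@{ Policy = $Check.Name; Expected = $Check.Expected; Actual = $shown; Status = $status }
}

$results = foreach ($c in $checks) { Get-SecurityOptionStatus -Check $c }
$results | Format-Table -AutoSize -Wrap
# Non-zero exit code so a scheduled compliance job can flag the host.
if ($results | Where-Object { $_.Status -ne 'PASS' }) { exit 1 }
```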

10.8.20.5.4.4  (03-28-2008)
Security Configuration for Hummingbird Exceed Connectivity Software, Version 10.0.0

  1. Hummingbird shall not be installed on Servers.

  2. For workstations that require Hummingbird, the following minimal installation, with the modifications listed below, shall be implemented. This minimal installation allows only the X Windows component of Hummingbird to be used.

    1. Perform Minimal Installation

    2. Install the following components:
      i) Exceed:
      (1) Exceed Fonts

    3. The following components, and any sub-components, shall not be installed:
      i) Accessories (All)
      ii) Administrative Tools (All)
      iii) The following Exceed components:
      (1) Exceed Connection Tools
      (2) Exceed Tools (All)
      (3) Xweb
      iv) Hummingbird FTP
      v) Hummingbird Inetd (All)
      vi) HostExplorer (All)

    4. Modify the basic Minimal Install
      i) The following Shortcuts shall be removed from C:\Documents and Settings\All Users\Start Menu\Programs\Hummingbird Connectivity 10
      (1) Shortcut for User Files
      (2) Shortcut for Exceed => Exceed XDCMP Broadcast
      (3) Shortcut for Exceed => Exceed

  3. Configure Xconfig
    (Browse to the following file and open it by double-clicking: %SystemDrive%\Program Files\Hummingbird\Connectivity\10.00\Default User\Exceed\Exceed.xcfg)

    1. Set Password for Xconfig
      The SA shall provide a password by selecting Quick Links => Change My Password. The password shall meet minimum password requirements as defined in IRM 10.8.1.

    2. Security, Access Control and System Administration Settings
      Select the "Security, Access Control and System Administration" category. The following settings can be updated from this menu:
      i) Set default user xhost.txt as Host Access Control List
      Under the "Security" Tab, configure "Host Access Control List" to select "File => %SystemDrive%\Program Files\Hummingbird\Connectivity\10.00\Default User\Exceed\xhost.txt". To do this, select Browse and then browse to the defined location. Note: By default the browse begins in the %SystemDrive%\Documents and Settings\<username>\... directory.
      ii) Update xhost.txt to contain authorized hosts
      Under the "Security" Tab, select "Edit" next to "File => xhost.txt". The SA shall ensure this file contains only authorized hosts.
      iii) Do Not Allow Clients to Modify Host Access List
      Under the "Security" Tab, ensure "Allow Clients to Modify Host Access List" is not selected.

  4. Set Hummingbird Directory File Permissions
    See Exhibit 10.8.20-6, Program Files Folder Permissions for Hummingbird Directory File Permissions.

10.8.20.5.4.5  (03-28-2008)
Exchange Server

  1. The mandatory requirements for Windows Server 2003 operating Microsoft Exchange Server are detailed in Exhibit 10.8.20-27.

10.8.20.5.4.6  (03-28-2008)
Virtual Machines

  1. The mandatory requirements for operating Virtual Machines are detailed in Exhibit 10.8.20-28.

10.8.20.5.4.7  (03-28-2008)
Enterprise Disk Encryption (EDE) Base Servers

  1. The mandatory requirements for Enterprise Disk Encryption (EDE) Base Servers are detailed in Exhibit 10.8.20-29.

  2. See Exhibit 10.8.20-32, Glossary, for a description of the services necessary for EDE.

10.8.20.6  (07-31-2008)
Deviations

  1. Deviations from this policy shall be processed according to IRM 10.8.1.

Exhibit 10.8.20-1  (03-28-2008)
Backup and Recovery Configuration Settings

See IRM 10.8.20.4.1.1.2 for explanations

Backup and Recovery Configuration Setting | Description | XP Workstation | 2000 Server | 2003 Server
Baseline system backup or imaging | Tools such as Microsoft's Ntbackup.exe, Iomega's Back-IT UP, or Symantec's Ghost | Yes
Emergency Repair Disks (ERD) | Created with the Ntbackup.exe GUI program. Now only backs up autoexec.nt, config.nt and setup.log. It no longer contains security information. | No | Yes | Yes
Regular system backups, including System State data | Tools such as Microsoft's Ntbackup.exe, Iomega's Back-IT UP, or Symantec's Ghost | Yes
Data and Application backups | Tools such as Microsoft's Ntbackup.exe, Iomega's Back-IT UP, or Symantec's Ghost | Yes
Safe Mode Usage (F8 during startup) | Available by Default on all Systems | Yes | Yes | Yes
Safe Mode with Networking | Available by Default on all Systems | Yes | Yes | Yes
Safe Mode with Command Prompt | Available by Default on all Systems | Yes | Yes | Yes
Recovery Console | The Recovery Console shall be installed from the Install CDROM by using the /CMDCONS flag. | No

Exhibit 10.8.20-2  (03-28-2008)
Account Policies

See IRM 10.8.20.5.1.7 for explanations

Account Policy | XP Workstation | 2000 Server | 2003 Server
Password Policy
Enforce Password History | See IRM 10.8.1 | See IRM 10.8.1 | See IRM 10.8.1
Maximum Password Age | 60 days or less (cannot be equal to 0) | 60 days or less (cannot be equal to 0) | 60 days or less (cannot be equal to 0)
Minimum Password Age | 1 day or greater | 1 day or greater | 1 day or greater
Minimum Password Length | 12 Characters or greater | 12 Characters or greater | 12 Characters or greater
Password Complexity | Enabled, See IRM 10.8.1 for more information. | Enabled, See IRM 10.8.1 for more information. | Enabled, See IRM 10.8.1 for more information.
Store passwords using reversible encryption | Disabled | Disabled | Disabled
Account Lockout Policy
Account Lockout Duration | 15 minutes or greater | 15 minutes or greater | 15 minutes or greater
Account Lockout Threshold | 5 invalid logon attempts or less (cannot be equal to 0) | 5 invalid logon attempts or less (cannot be equal to 0) | 5 invalid logon attempts or less (cannot be equal to 0)
Reset account lockout counter after | 15 minutes or greater | 15 minutes or greater | 15 minutes or greater
Kerberos Policy
Enforce user logon restrictions | Enabled | Enabled | Enabled
Maximum lifetime for service ticket | 600 Minutes | 600 Minutes | 600 Minutes
Maximum lifetime for user ticket | 10 Hours | 10 Hours | 10 Hours
Maximum lifetime for user ticket renewal | 7 Days | 7 Days | 7 Days
Maximum tolerance for computer clock synchronization | 5 Minutes | 5 Minutes | 5 Minutes
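As an added example (not part of the IRM), this PowerShell script exports the effective local security policy with secedit.exe and checks the exported values against the Exhibit 10.8.20-2 requirements. The mapping from policy names to secedit INF keys is standard Windows; how the -1 sentinel is judged is an assumption made here.

```powershell
# Added compliance check, not IRS code. Exports the local security policy with
# secedit.exe and compares [System Access] and [Kerberos Policy] values with the
# requirements in Exhibit 10.8.20-2. Run from an elevated PowerShell prompt.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit.exe /export /cfg $cfg /quiet | Out-Null
if (-not (Test-Path $cfg)) { throw 'secedit export failed; an elevated prompt is required' }

# Parse the INI-style export into name -> integer. Entries under [Registry Values]
# contain backslashes in their names, so the \w+ pattern skips them on purpose.
$policy = @{}
foreach ($line in Get-Content $cfg) {
  if ($line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') { $policy[$Matches[1]] = [int]$Matches[2] }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# Requirements from Exhibit 10.8.20-2 (identical for XP, 2000 Server and 2003 Server).
# secedit writes -1 for "never expires" and "until an administrator unlocks"; the tests
# reject -1 for password age and accept it for lockout duration (assumption made here).
# Enforce Password History is "See IRM 10.8.1" on the page, so it is reported only.
$requirements = @(
  @{ Name='Maximum Password Age';              Key='MaximumPasswordAge';    Want='1-60 days';         Test={ param($v) $v -ge 1 -and $v -le 60 } },
  @{ Name='Minimum Password Age';              Key='MinimumPasswordAge';    Want='1 day or greater';  Test={ param($v) $v -ge 1 } },
  @{ Name='Minimum Password Length';           Key='MinimumPasswordLength'; Want='12 or greater';     Test={ param($v) $v -ge 12 } },
  @{ Name='Password Complexity';               Key='PasswordComplexity';    Want='Enabled (1)';       Test={ param($v) $v -eq 1 } },
  @{ Name='Store passwords using reversible encryption'; Key='ClearTextPassword'; Want='Disabled (0)'; Test={ param($v) $v -eq 0 } },
  @{ Name='Account Lockout Duration';          Key='LockoutDuration';       Want='15 min or greater'; Test={ param($v) $v -ge 15 -or $v -eq -1 } },
  @{ Name='Account Lockout Threshold';         Key='LockoutBadCount';       Want='1-5 attempts';      Test={ param($v) $v -ge 1 -and $v -le 5 } },
  @{ Name='Reset account lockout counter after'; Key='ResetLockoutCount';   Want='15 min or greater'; Test={ param($v) $v -ge 15 } },
  @{ Name='Enforce user logon restrictions';   Key='TicketValidateClient';  Want='Enabled (1)';       Test={ param($v) $v -eq 1 } },
  @{ Name='Maximum lifetime for service ticket'; Key='MaxServiceAge';       Want='600 minutes';       Test={ param($v) $v -eq 600 } },
  @{ Name='Maximum lifetime for user ticket';  Key='MaxTicketAge';          Want='10 hours';          Test={ param($v) $v -eq 10 } },
  @{ Name='Maximum lifetime for user ticket renewal'; Key='MaxRenewAge';    Want='7 days';            Test={ param($v) $v -eq 7 } },
  @{ Name='Maximum tolerance for clock synchronization'; Key='MaxClockSkew'; Want='5 minutes';        Test={ param($v) $v -eq 5 } }
)

function Test-AccountPolicy {
  param([hashtable]$Policy, [hashtable]$Requirement)
  $key = $Requirement.Key
  if (-not $Policy.ContainsKey($key)) {
    # [Kerberos Policy] is only meaningful on domain controllers and may be absent elsewhere.
    $actual = 'not exported'; $status = 'N/A'
  } else {
    $actual = $Policy[$key]
    $status = if (& $Requirement.Test $actual) { 'PASS' } else { 'FAIL' }
  }
  [pscustomobject]@{ Policy = $Requirement.Name; Required = $Requirement.Want; Actual = $actual; Status = $status }
}

$report  = @(foreach ($r in $requirements) { Test-AccountPolicy -Policy $policy -Requirement $r })
$report += [pscustomobject]@{ Policy='Enforce Password History'; Required='See IRM 10.8.1'; Actual=$policy['PasswordHistorySize']; Status='INFO' }
$report | Format-Table -AutoSize
# Non-zero exit code so a scheduled compliance job can flag the host.
if ($report | Where-Object { $_.Status -eq 'FAIL' }) { exit 1 }
```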

Exhibit 10.8.20-3  (03-28-2008)
User Password Settings

See IRM 10.8.20.5.1.8 for explanations.

User Password Setting | XP Workstation | 2000 Server | 2003 Server
User Must Change Password at Next Logon | Enabled / Checked (when account is created or password reset) | Enabled / Checked (when account is created or password reset) | Enabled / Checked (when account is created or password reset)
Password Never Expires (* only possible exceptions are Service accounts) | Never Enabled / Checked (* Possibly enabled for Service accounts) | Never Enabled / Checked (* Possibly enabled for Service accounts) | Never Enabled / Checked (* Possibly enabled for Service accounts)
Enable Automatic Logon (* Only possible exception is during unattended installations of the operating system) | Disabled (* Can be enabled only during unattended installations of the operating system and shall not be used on production systems) | Disabled (* Can be enabled only during unattended installations of the operating system and shall not be used on production systems) | Disabled (* Can be enabled only during unattended installations of the operating system and shall not be used on production systems)

Exhibit 10.8.20-4  (03-28-2008)
Security Options

Security Option | XP Workstation | 2000 Server | 2003 Server | Reference
Accounts: Administrator account status | Enabled | N/A (Though not a security option in 2000, account shall be Enabled) | Enabled | See IRM 10.8.20.5.1.9.
Accounts: Guest account status | Disabled | N/A (Though not a security option in 2000, account shall be Disabled) | Disabled | See IRM 10.8.20.5.1.9.
Accounts: Limit local account use of blank passwords to console logon only | Enabled | N/A | Enabled | See IRM 10.8.20.5.1.9.
Accounts: Rename administrator account (2000: Rename administrator account) | Shall be renamed | Shall be renamed | Shall be renamed | See IRM 10.8.20.5.1.9.
Accounts: Rename guest account (2000: Rename guest account) | Shall be renamed | Shall be renamed | Shall be renamed | See IRM 10.8.20.5.1.9.
Audit: Audit the access of global system objects (2000: Audit the access of global system objects) | Disabled | Disabled | Disabled | See IRM 10.8.20.5.3.3.
Audit: Audit the use of backup and restore privilege (2000: Audit the use of backup and restore privilege) | Disabled | Not Defined | Not Defined | See IRM 10.8.20.5.3.3.
Audit: Shut down system immediately if unable to log security audits (2000: Shut down system immediately if unable to log security audits) | Disabled | Disabled | Disabled | See IRM 10.8.20.5.3.3.
DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax (Available in 2003 SP1 and XP SP2 or greater only) | Not Defined | N/A | Not Defined | See IRM 10.8.20.5.2.6.
DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax (Available in 2003 SP1 and XP SP2 or greater only) | Not Defined | N/A | Not Defined | See IRM 10.8.20.5.2.6.
Devices: Allow undock without having to log on | Disabled | N/A | Disabled | See IRM 10.8.20.5.2.5.
Devices: Allowed to format and eject removable media (2000: Allowed to eject removable NTFS media) | Administrators | Administrators | Administrators | See IRM 10.8.20.5.2.5.
Devices: Prevent users from installing printer drivers (2000: Prevent users from installing printer drivers) | Disabled | Enabled | Enabled | See IRM 10.8.20.5.2.5.
Devices: Restrict CD-ROM access to locally logged-on user only (2000: Restrict CD-ROM access to locally logged-on user only) | Disabled | Enabled | Enabled | See IRM 10.8.20.5.2.5.
Devices: Restrict floppy access to locally logged-on user only (2000: Restrict floppy access to locally logged-on user only) | Disabled | Enabled | Enabled | See IRM 10.8.20.5.2.5.
Devices: Unsigned driver installation behavior (2000: Unsigned driver installation behavior) | Do not allow installation* | Warn, but allow installation | Warn, but allow installation | See IRM 10.8.20.5.2.5.

* Note: See Exhibit 10.8.20-34 for the deviated setting.

Domain controller: Allow serv