Configure shared volumes to use the appropriate file system for the network protocols being operated (NT File System in Windows OS or Netware SS), and configure the security parameters.


CONTROL ID: 01927
CONTROL TYPE: Configuration
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system hardening procedures., CC ID: 12001

This Control has the following implementation support Control(s):
  • Configure the file permissions for %SystemRoot%\system32\at.exe., CC ID: 01929
  • Configure the file permissions for %SystemRoot%\system32\attrib.exe., CC ID: 01930
  • Configure the file permissions for %SystemRoot%\system32\cacls.exe., CC ID: 01931
  • Configure the file permissions for %SystemRoot%\system32\debug.exe., CC ID: 01932
  • Configure the file permissions for %SystemRoot%\system32\drwatson.exe., CC ID: 01933
  • Configure the file permissions for %SystemRoot%\system32\drwtsn32.exe., CC ID: 01934
  • Configure the file permissions for %SystemRoot%\system32\edlin.exe., CC ID: 01935
  • Configure the file permissions for %SystemRoot%\system32\eventcreate.exe., CC ID: 01936
  • Configure the file permissions for %SystemRoot%\system32\eventtriggers.exe., CC ID: 01937
  • Configure the file permissions for %SystemRoot%\system32\ftp.exe., CC ID: 01938
  • Configure the file permissions for %SystemRoot%\system32\net.exe., CC ID: 01939
  • Configure the file permissions for %SystemRoot%\system32\net1.exe., CC ID: 01940
  • Configure the file permissions for %SystemRoot%\system32\netsh.exe., CC ID: 01941
  • Configure the file permissions for %SystemRoot%\system32\rcp.exe., CC ID: 01942
  • Configure the file permissions for %SystemRoot%\system32\reg.exe., CC ID: 01943
  • Configure the file permissions for %SystemRoot%\regedit.exe., CC ID: 01944
  • Configure the file permissions for %SystemRoot%\system32\regedt32.exe., CC ID: 01945
  • Configure the file permissions for %SystemRoot%\system32\regsvr32.exe., CC ID: 01946
  • Configure the file permissions for %SystemRoot%\system32\rexec.exe., CC ID: 01947
  • Configure the file permissions for %SystemRoot%\system32\rsh.exe., CC ID: 01948
  • Configure the file permissions for %SystemRoot%\system32\runas.exe., CC ID: 01949
  • Configure the file permissions for %SystemRoot%\system32\sc.exe., CC ID: 01950
  • Configure the file permissions for %SystemRoot%\system32\subst.exe., CC ID: 01951
  • Configure the file permissions for %SystemRoot%\system32\telnet.exe., CC ID: 01952
  • Configure the file permissions for %SystemRoot%\system32\tftp.exe., CC ID: 01953
  • Configure the file permissions for %SystemRoot%\system32\tlntsvr.exe., CC ID: 01954
  • Configure the file permissions for %SystemDrive%\., CC ID: 01968
  • Configure the file permissions for %SystemDrive%\autoexec.bat., CC ID: 01969
  • Configure the file permissions for %SystemDrive%\boot.ini., CC ID: 01970
  • Configure the file permissions for %SystemDrive%\config.sys., CC ID: 01971
  • Configure the file permissions for %SystemDrive%\io.sys., CC ID: 01972
  • Configure the file permissions for %SystemDrive%\msdos.sys., CC ID: 01973
  • Configure the file permissions for %SystemDrive%\ntbootdd.sys., CC ID: 01974
  • Configure the file permissions for %SystemDrive%\ntdetect.com., CC ID: 01975
  • Configure the file permissions for %SystemDrive%\ntldr., CC ID: 01976
  • Configure the file permissions for %SystemDrive%\Documents and Settings., CC ID: 01977
  • Configure the file permissions for %SystemDrive%\Documents and Settings\Administrator., CC ID: 01978
  • Configure the file permissions for %SystemDrive%\Documents and Settings\All Users., CC ID: 01979
  • Configure the file permissions for %SystemDrive%\Documents and Settings\All Users\Documents\DrWatson., CC ID: 01980
  • Configure the file permissions for %SystemDrive%\Documents and Setting\Default User., CC ID: 01981
  • Configure the file permissions for %SystemDrive%\System Volume Information., CC ID: 01982
  • Configure the file permissions for %SystemDrive%\Temp., CC ID: 01983
  • Configure the file permissions for %ProgramFiles%., CC ID: 01984
  • Configure the file permissions for %SystemDrive%\Program Files\Resource Kit., CC ID: 01985
  • Configure the file permissions for %SystemRoot%., CC ID: 01986
  • Configure the file permissions for %SystemRoot%\$NTServicePackUninstall$., CC ID: 01987
  • Configure the file permissions for %SystemRoot%\CSC., CC ID: 01988
  • Configure the file permissions for %SystemRoot%\Debug., CC ID: 01989
  • Configure the file permissions for %SystemRoot%\Debug\UserMode., CC ID: 01990
  • Configure the file permissions for %SystemRoot%\Offline Web Pages., CC ID: 01991
  • Configure the file permissions for %SystemRoot%\Registration., CC ID: 01992
  • Configure the file permissions for %SystemRoot%\Repair., CC ID: 01993
  • Configure the file permissions for %SystemRoot%\security., CC ID: 01994
  • Configure the file permissions for %SystemRoot%\system32., CC ID: 01995
  • Configure the file permissions for %SystemRoot%\system32\Ntbackup.exe., CC ID: 01996
  • Configure the file permissions for %SystemRoot%\system32\secedit.exe., CC ID: 01997
  • Configure the file permissions for %SystemRoot%\system32\appmgmt., CC ID: 01998
  • Configure the file permissions for %SystemRoot%\config., CC ID: 01999
  • Configure the file permissions for %SystemRoot%\system32\dllcache., CC ID: 02000
  • Configure the file permissions for %SystemRoot%\system32\DTCLog., CC ID: 02001
  • Configure the file permissions for %SystemRoot%\system32\GroupPolicy., CC ID: 02002
  • Configure the file permissions for %SystemRoot%\system32\ias., CC ID: 02003
  • Configure the file permissions for %SystemRoot%\system32\NTMSData., CC ID: 02004
  • Configure the file permissions for %SystemRoot%\system32\reinstallbackups., CC ID: 02005
  • Configure the file permissions for %SystemRoot%\system32\Setup., CC ID: 02006
  • Configure the file permissions for %SystemRoot%\system32\spool\printers., CC ID: 02007
  • Configure the file permissions for %SystemRoot%\Tasks., CC ID: 02008
  • Configure the file permissions for %SystemRoot%\Temp., CC ID: 02009
  • Configure the file permissions for %SystemDrive%\Program Files\Resource Pro Kit., CC ID: 04301
  • Configure the file permissions for %SystemRoot%\system32\arp.exe., CC ID: 04304
  • Configure the file permissions for %SystemRoot%\system32\nbstat.exe., CC ID: 04305
  • Configure the file permissions for %SystemRoot%\system32\netstat.exe., CC ID: 04306
  • Configure the file permissions for %SystemRoot%\system32\nslookup.exe., CC ID: 04307
  • Configure the file permissions for %SystemRoot%\system32\regini.exe., CC ID: 04308
  • Configure the file permissions for %SystemRoot%\system32\route.exe., CC ID: 04310
  • Configure the file permissions for %SystemRoot%\system32\systeminfo.exe., CC ID: 04311
  • Disable DOSFAT.NSS., CC ID: 04462
  • Enable user directory data encryption., CC ID: 04467
  • Verify iPrint/NDPS are not on the system volume (sys)., CC ID: 04468
  • Purge files immediately after deletion., CC ID: 04469
  • Remove the SYS:Mail directory., CC ID: 04470
  • Configure the largest folder size (storage capacity) restrictions for user directories., CC ID: 04471
  • Verify only necessary system files are located on the server's system volume (sys) or boot volume., CC ID: 04472
  • Configure the file permissions for %SystemRoot%\System32\Config\AppEvent.evt., CC ID: 04506
  • Configure the file permissions for %SystemRoot%\System32\Config\SecEvent.evt., CC ID: 04507
  • Configure the file permissions for %SystemRoot%\System32\Config\SysEvent.evt., CC ID: 04508
  • Configure the file permissions for %SystemDirectory%., CC ID: 04532
  • Configure the file permissions appropriately for all shell executables., CC ID: 05619
  • Configure the file permissions for the remote copy (rcp) binary properly., CC ID: 05620
  • Configure the file permissions for the remote login (rlogin) binary properly., CC ID: 05621
  • Configure the file permissions for the rlogind binary properly., CC ID: 05622
  • Configure the file permissions for the remote shell (rsh) binary properly., CC ID: 05623
  • Configure the file permissions for the rshd binary properly., CC ID: 05624
  • Configure the file permissions for the tftp binary properly., CC ID: 05625
  • Configure the file permissions for the tftpd binary properly., CC ID: 05626
  • Configure the file permissions for %SystemDrive%\Documents and Settings\All Users\Documents\DrWatson\drwts32.log properly., CC ID: 05627
  • Configure the directory permissions for %SystemDrive%\My Download Files properly., CC ID: 05628
  • Configure the directory permissions for %SystemRoot%\Driver Cache\I386\Driver.cab properly., CC ID: 05629
  • Configure the permissions for the %SystemRoot%\$NtUninstall* directories properly., CC ID: 05630
  • Configure the directory permissions for %SystemDrive%\NTDS properly., CC ID: 05631
  • Configure the directory permissions for %SystemRoot%\SYSVOL properly., CC ID: 05632
  • Configure the directory permissions for %SystemRoot%\SYSVOL\domain\Policies properly., CC ID: 05633
  • Configure the directory permissions for %SystemRoot%\System32\repl properly., CC ID: 05634
  • Configure the directory permissions for %SystemRoot%\System32\repl\export properly., CC ID: 05635
  • Configure the directory permissions for %SystemRoot%\System32\repl\import properly., CC ID: 05636
  • Configure the directory permissions for %ALL% properly., CC ID: 05637
  • Configure the directory permissions for %ALL%\Program Files\MQSeries properly., CC ID: 05638
  • Configure the directory permissions for %ALL%\Program Files\MQSeries\qmggr properly., CC ID: 05639
  • Configure the directory permissions for %SystemDrive%\Documents and Settings\All Users\Application Data\Microsoft\HTML Help ACL properly., CC ID: 05640
  • Configure the directory permissions for %SystemDrive%\WINNT\SECURITY\Database\SECEDIT.SDB ACL properly., CC ID: 05641
  • Configure the directory permissions for %SystemDrive%\perflogs properly., CC ID: 05642
  • Configure the directory permissions for %SystemDrive%\i386 properly., CC ID: 05643
  • Configure the directory permissions for %ProgramFiles%\Common Files\SpeechEngines\TTS properly., CC ID: 05644
  • Configure the directory permissions for %SystemRoot%\_default.plf properly., CC ID: 05645
  • Configure the directory permissions for %SystemRoot%\addins properly., CC ID: 05646
  • Configure the directory permissions for %SystemRoot%\appPatch properly., CC ID: 05647
  • Configure the directory permissions for %SystemRoot%\clock.avi properly., CC ID: 05648
  • Configure the directory permissions for %SystemRoot%\Connection Wizard properly., CC ID: 05649
  • Configure the file permissions for %SystemRoot%\Driver Cache properly., CC ID: 05650
  • Configure the file permissions for %SystemRoot%\explorer.scf properly., CC ID: 05651
  • Configure the file permissions for %SystemRoot%\explorer.exe properly., CC ID: 05652
  • Configure the directory permissions for %SystemRoot%\Help properly., CC ID: 05653
  • Configure the file permissions for %SystemRoot%\inf\unregmp2.exe properly., CC ID: 05654
  • Configure the directory permissions for %SystemRoot%\Java properly., CC ID: 05655
  • Configure the file permissions for %SystemRoot%\mib.bin properly., CC ID: 05656
  • Configure the directory permissions for %SystemRoot%\msagent properly., CC ID: 05657
  • Configure the file permissions for %SystemRoot%\msdfmap.ini properly., CC ID: 05658
  • Configure the directory permissions for %SystemRoot%\mui properly., CC ID: 05659
  • Configure the directory permissions for %SystemRoot%\security\templates properly., CC ID: 05660
  • Configure the directory permissions for %SystemRoot%\speech properly., CC ID: 05661
  • Configure the file permissions for %SystemRoot%\system.ini properly., CC ID: 05662
  • Configure the file permissions for %SystemRoot%\system\setup.inf properly., CC ID: 05663
  • Configure the file permissions for %SystemRoot%\system\stdole.tlb properly., CC ID: 05664
  • Configure the directory permissions for %SystemRoot%\twain_32 properly., CC ID: 05665
  • Configure the directory permissions for %SystemRoot%\System32\CatRoot properly., CC ID: 05666
  • Configure the directory permissions for %SystemRoot%\System32\configf\systemprofile properly., CC ID: 05667
  • Configure the directory permissions for %SystemRoot%\System32\dhcp properly., CC ID: 05668
  • Configure the directory permissions for %SystemRoot%\System32\drivers properly., CC ID: 05669
  • Configure the directory permissions for %SystemRoot%\System32\Export properly., CC ID: 05670
  • Configure the file permissions for %SystemRoot%\System32\ipconfig.exe properly., CC ID: 05671
  • Configure the directory permissions for %SystemRoot%\System32\LogFiles properly., CC ID: 05672
  • Configure the file permissions for %SystemRoot%\System32\mshta.exe properly., CC ID: 05673
  • Configure the directory permissions for %SystemRoot%\System32\mui properly., CC ID: 05674
  • Configure the directory permissions for %SystemRoot%\System32\ShellExt properly., CC ID: 05675
  • Configure the directory permissions for %SystemRoot%\System32\wbem properly., CC ID: 05676
  • Configure the directory permissions for %SystemRoot%\System32\wbem\mof properly., CC ID: 05677
  • Configure the directory permissions for %SystemRoot%\System32\wbem\repository properly., CC ID: 05678
  • Configure the directory permissions for %SystemRoot%\System32\wbem\logs properly., CC ID: 05679
  • Configure the directory permissions for %AllUsersProfile% properly., CC ID: 05680
  • Configure the directory permissions for %AllUsersProfile%\Application Data properly., CC ID: 05681
  • Configure the directory permissions for %AllUsersProfile%\Application Data\Microsoft properly., CC ID: 05682
  • Configure the directory permissions for %AllUsersProfile%\Application Data\Microsoft\Crypto\DSSHKLMKeys properly., CC ID: 05683
  • Configure the directory permissions for %AllUsersProfile%\Application Data\Microsoft\Crypto\RSAHKLMKeys properly., CC ID: 05684
  • Configure the directory permissions for %AllUsersProfile%\Application Data\Microsoft\Dr Watson properly., CC ID: 05685
  • Configure the directory permissions for %AllUsersProfile%\Application Data\Microsoft\Dr Watson\drwtsn32.log properly., CC ID: 05686
  • Configure the directory permissions for %AllUsersProfile%\Application Data\Microsoft\HTML Help properly., CC ID: 05687
  • Configure the directory permissions for %AllUsersProfile%\Application Data\Microsoft\MediaIndex properly., CC ID: 05688
  • Configure the directory permissions for %AllUsersProfile%\Documents\desktop.ini properly., CC ID: 05689
  • Configure the directory permissions for %AllUsersProfile%\DRM properly., CC ID: 05690
  • Configure the directory permissions for %SystemRoot%\Debug\UserMode\userenv.log properly., CC ID: 05691
  • Configure the file permissions for %SystemRoot%\Installer properly., CC ID: 05692
  • Configure the file permissions for %SystemRoot%\Prefetch properly., CC ID: 05693
  • Configure the directory permissions for %SystemRoot%\Registration\CRMLog properly., CC ID: 05694
  • Configure the file permissions for %SystemRoot%\System32\ciadv.msc properly., CC ID: 05695
  • Configure the file permissions for %SystemRoot%\System32\Com\comexp.msc properly., CC ID: 05696
  • Configure the file permissions for %SystemRoot%\System32\compmgmt.msc properly., CC ID: 05697
  • Configure the file permissions for %SystemRoot%\System32\Config properly., CC ID: 05698
  • Configure the file permissions for %SystemRoot%\System32\Config\*.evt properly., CC ID: 05699
  • Configure the file permissions for %SystemRoot%\System32\devmgmt.msc properly., CC ID: 05700
  • Configure the file permissions for %SystemRoot%\System32\dfrg.msc properly., CC ID: 05701
  • Configure the file permissions for %SystemRoot%\System32\diskmgmt.msc properly., CC ID: 05702
  • Configure the file permissions for %SystemRoot%\system32\eventvwr.msc properly., CC ID: 05703
  • Configure the file permissions for %SystemRoot%\System32\fsmgmt.msc properly., CC ID: 05704
  • Configure the file permissions for %SystemRoot%\System32\gpedit.msc properly., CC ID: 05705
  • Configure the directory permissions for %SystemRoot%\System32\lusrmgr.msg properly., CC ID: 05706
  • Configure the directory permissions for %SystemRoot%\System32\MSDTC properly., CC ID: 05707
  • Configure the file permissions for %SystemRoot%\System32\ntmsoprq.msc properly., CC ID: 05708
  • Configure the file permissions for %SystemRoot%\System32\ntmsmgr.msc properly., CC ID: 05709
  • Configure the file permissions for %SystemRoot%\System32\perfmon.msc properly., CC ID: 05710
  • Configure the file permissions for %SystemRoot%\System32\RSoP.msc properly., CC ID: 05711
  • Configure the file permissions for %SystemRoot%\System32\secpol.msc properly., CC ID: 05712
  • Configure the file permissions for %SystemRoot%\System32\services.msc properly., CC ID: 05713
  • Configure the file permissions for %SystemRoot%\System32\wmimgmt.msc properly., CC ID: 05714
  • Configure the directory permissions for %SystemRoot%\Web properly., CC ID: 05715
  • Configure the BitLocker setting appropriately for fixed disk drives and removable disk drives., CC ID: 06064
  • Configure the settings for fixed disk drives, removable disk drives, and operating system disk drives., CC ID: 06065
  • Configure the BitLocker identifiers., CC ID: 06066


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • All disk storage volumes should be upgraded to Novell Storage Services (NSS). NSS volumes are journaled, so if the disk becomes unavailable suddenly, incomplete transactions will be completed when the volume becomes available. (§ 8.1, The Center for Internet Security Open Enterprise Server: NetWare (v1) Consensus Baseline Security Settings Benchmark, 1)
  • Ensure that all disk volumes are using the NTFS file system. After a disk is set up for NTFS, default security must be applied. For workstations, type the following command: "secedit /configure /db default.sdb /cfg %windir%\inf\defltwk.inf /areas filestore" and for servers: "secedit /configure /db d… (Pg 26, The Center for Internet Security Windows 2000 Benchmark, 2.2.1)
  • If you have a dual-boot system with Windows 95/98/Me, do not do this. The other operating system will not work and cannot be recovered. Using NTFS provides more security than FAT or FAT32. If you have a FAT system, open a command prompt and type "Convert C: /fs:ntfs" to convert to NTFS. Then you mus… (§ 4.3.1, The Center for Internet Security Windows 2000 Professional Benchmark, 2.2.1)
  • Ensure that all disk volumes are using the NTFS file system. After a disk is set up for NTFS, default security must be applied. For workstations, type the following command: "secedit /configure /db default.sdb /cfg %windir%\inf\defltwk.inf /areas filestore" and for servers: "secedit /configure /db d… (§ 26, The Center for Internet Security Windows 2000 Professional Operating System Level 2 Benchmark, 2.2.1)
  • If you have a dual-boot system with Windows 95/98/Me, do not do this. The other operating system will not work and cannot be recovered. Using NTFS provides more security than FAT or FAT32. If you have a FAT system, open a command prompt and type "convert C: /fs:ntfs" to convert to NTFS. Then you mus… (§ 4.3.1, The Center for Internet Security Windows 2000 Server Benchmark, 2.2.1)
  • Computers with a dual-boot system with Windows 95/98/Me should not be converted to NTFS. The other operating system will not work and cannot be recovered. Using NTFS provides more security than FAT or FAT32. If a computer has a FAT system, users should open a command prompt and type "convert C: /fs:… (Pg 26, The Center for Internet Security Windows NT Benchmark, 1.0.5)
  • NTFS interoperability has come a long way since its initial introduction. It can be bypassed if the system can be rebooted, but it is the ONLY way that any file-level security can be enforced while system is operating. (§ 4.3.1, The Center for Internet Security Windows XP Professional SP1/SP2 Benchmark, 2.01)
  • Verify each entity (merchant, service provider) has read, write, or execute permissions only for files and directories it owns or for necessary system files (restricted via file system permissions, access control lists, chroot, jailshell, etc.) (§ A.1.2.b Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Table F-1: For Windows 2000 Server, the organization must configure all disk volumes to use the NTFS file system. Table F-2: For Windows 2003 Server, the organization must configure all disk volumes to use the NTFS file system. Table F-3: For Windows 2000 Professional, the organization must configur… (Table F-1, Table F-2, Table F-3, Table F-4, Table F-5, CMS Business Partners Systems Security Manual, Rev. 10)
  • All drives should be configured to use the NTFS format. This format will allow the use of the security and auditing features of Windows Server 2003. (§ 5.2.1, DISA Windows Server 2003 Security Checklist, Version 6 Release 1.11)
  • All computer drives should be configured using the NT File System (NTFS) format. (§ 3.3 (2.008), DISA Windows VISTA Security Checklist, Version 6 Release 1.11)
  • The NT File System (NTFS) format should be used for all local drives. Without the NTFS formatting, the Windows XP security and auditing features cannot be enabled. (§ 5.2.1, DISA Windows XP Security Checklist, Version 6 Release 1.11)
  • Ensure that all disk volumes are using the NTFS file system. After a disk is set up for NTFS, default security must be applied. For workstations, type the following command: "secedit /configure /db default.sdb /cfg %windir%\inf\defltwk.inf /areas filestore" and for servers: "secedit /configure /db d… (§ 7.1.1, Guidance for Securing Microsoft Windows XP Systems for IT Professionals, NIST SP 800-68, Revision 1)