7/28/2019 Secure Computer Configuration for Wire Transfers
1/16
UCOP, IR&C Secure Computer Configuration for Electronic Funds Transfer
Secure Computer Configuration for Wire Transfers
Background
Wire transfers are accomplished through the use of a web-based application that is provided to the University by the financial institution. Authorized University personnel use an off-the-shelf web browser to access the application. The following controls exist to prevent unauthorized transactions:
- The responsibilities for transaction entry and transaction approval are segregated between two different groups of authorized University employees.
- Authentication to the application (by all employees using this banking application) requires not only a password, but also a digital certificate that has been installed on the employee's personal computer (PC).
The employees' PCs (and any other authorized users and administrators of those PCs) are trusted implicitly by these controls to prohibit the following:
- Transfer of the digital certificate's private key to unauthorized people or storage locations.
- Capture and/or transmission of passwords to unauthorized people or storage locations.
- Capture and/or transmission of transactions to unauthorized people or storage locations.
- Modification of transactions as they are transmitted to the financial institution.
Unfortunately, most PC software cannot be trusted to do this at the level required for wire transfers without careful management. This document describes requirements for the management of these PCs.
Controls
The following measures should be taken to mitigate the risks to private keys, passwords, and transactions.
1. Conduct periodic risk assessment and implement a departmental security plan in compliance with Business & Finance Bulletin IS-3: Electronic Information Security.
2. To prevent unauthorized capture, transmission, or modification of private keys, passwords and transactions, it is necessary to ensure that the web-based application provided by the Financial Institution (BA DIRECT WIRE TRANSFER), the PC, its operating system, and the web browser have not been compromised or modified. The following measures are intended for a single PC that is connected to a typical campus network.
2.1. Access Controls
2.1.1. The BA DIRECT WIRE TRANSFER PC must be used exclusively for BA DIRECT WIRE TRANSFER functions and must not have any other uses.
2.1.2. User access to the BA DIRECT WIRE TRANSFER PC:
2.1.2.1. Users must use only the local user accounts created for the BA DIRECT WIRE TRANSFER function. To ensure that only local accounts can log on to the BA DIRECT WIRE TRANSFER PC, the BA DIRECT WIRE TRANSFER PC must not be a member of any NT/AD domain.
Page 1 of 16 Rev. 65/05/2006
2.1.2.2. The local user accounts MUST NOT be shared for any reason.
2.1.2.3. Ensure that login accounts have no more privileges than are necessary: the account should have no more privileges than those given to the built-in local Users group.
2.1.2.4. Ensure that the web browser's private key storage is encrypted by establishing a password for the Software Security Device under Manage Security Devices in the Advanced portion of Firefox's Preferences dialog.
2.1.3. Designation of BA DIRECT WIRE TRANSFER computers by function:
2.1.3.1. In order to enforce this segregation of function between two types of BA DIRECT WIRE TRANSFER PCs, only the initiators' user accounts will be created on the Initiator BA DIRECT WIRE TRANSFER PCs. Conversely, only the local user accounts for approvers/releasers will be created on the Releaser BA DIRECT WIRE TRANSFER PCs.
2.1.3.2. There will be a minimum of two separate BA DIRECT WIRE TRANSFER PCs at a given site: an Initiator BA DIRECT WIRE TRANSFER PC dedicated to usage by the transaction initiators, and a Releaser BA DIRECT WIRE TRANSFER PC dedicated to usage by the transaction approvers/releasers.
2.1.3.3. The Initiator computer may be shared among multiple initiators, but not with approvers/releasers. The Releaser BA DIRECT WIRE TRANSFER PC may be shared among multiple approvers/releasers, but never with initiators. The system administrators for initiator computers must be different from the system administrators for approver/releaser computers.
2.2. Physical Controls
2.2.1. Physical security of the BA DIRECT WIRE TRANSFER PC:
2.2.1.1. Prevent unauthorized removal of the BA DIRECT WIRE TRANSFER PC by securing the BA DIRECT WIRE TRANSFER PC with an anchoring device (e.g. cable lock) or by placing the BA DIRECT WIRE TRANSFER PC in a limited-access area (e.g. locked room).
2.2.1.2. Prevent unauthorized access to the internal components of the BA DIRECT WIRE TRANSFER PC by locking the chassis (some models of cable locks combine this feature with the anchoring function).
2.2.2. Control access to devices that store digital certificates' private keys.
2.3. System Configuration
2.3.1. Use a secure operating system, such as Windows XP Professional with SP2, including the security settings in Appendix A: Security Template Settings for BA DIRECT WIRE TRANSFER Computers.
2.3.2. Remove all software except for the essential components of the operating system, the web browser, the firewall software and the virus protection software. Disable or remove all unnecessary services.
2.3.3. Ensure that only the required software will be allowed to be executed by the user (e.g., via Software Restriction Policies in Windows XP Local Security Policy).
2.3.3.1. Set the Enforcement so that the software restriction policies apply to All users except local administrators.
2.3.3.2. Set the default Security Level to Disallowed, which is the maximally restrictive setting that does not allow any software to run except for those that are defined as exceptions under Additional Rules.
2.3.3.3. Specify exceptions for the allowed applications by creating new rules (both Hash and Path).
2.3.4. Use Firefox as the BA DIRECT WIRE TRANSFER PC's web browser.
2.3.5. Install ZoneAlarm or a similar firewall and configure it to enable communication only with the financial institution and other required system management services, such as anti-virus and patch servers, log servers, etc.
2.3.6. There must be no wireless connectivity to the computer.
2.3.7. There must be no back door connections to the computer or remote control software, such as Windows Terminal Server or PC Anywhere.
2.3.8. Remove or disable physical media readers (e.g., CDs, floppy disks, flash drives) and disable USB.
2.3.9. Use a locally attached printer only.
2.3.10. Enable password protection on BIOS to prevent unauthorized system reconfiguration (this is not to be confused with the power-on password).
2.4. System Administration and Maintenance
2.4.1. System administration and software updates (operating system and application) must be performed in a highly secure manner, preferably locally, not over a network.
2.4.2. Ensure that all critical security patches are applied to the operating system and all applications within 24 hours of release.
2.4.3. Ensure that virus, spyware scanners, etc. are installed and updated within 1 week of new release of new threat definitions, unless deemed critical.
2.5. System Monitoring and Incident Response
2.5.1. Enable and monitor all appropriate log facilities for tracking user access and activity.
2.5.2. Auditing of logs must be conducted regularly by an established schedule, with a minimum frequency of once a week.
2.5.3. Install Tripwire for Servers as a standalone installation and monitor system administration/change activity.
2.5.4. Monitor network traffic involving the BA DIRECT WIRE TRANSFER PCs and generate notices if unusual activity occurs. Use static IP addresses to enhance the robustness of this monitoring.
2.5.5. If a BA DIRECT WIRE TRANSFER PC is ever compromised, do forensics on it to determine how it was compromised and to structure a recovery plan. (See Appendix B: Sample Incident Response Check List.)
Appendix A: Security Template Settings for BA DIRECT WIRE TRANSFER Computers
(This template is based on NIST Special Publication 800-68 (Draft) Guidance for Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist, Appendix A NIST Security Template Settings. Line items without numbers are additional UC settings.)
Policy | BA DIRECT WIRE TRANSFER Requirements | Comment
A-1
1.1 Enforce password history | 24 passwords remembered
1.2 Maximum password age | 0
1.3 Minimum password age | 1 day
1.4 Minimum password length | 12 characters
1.5 Password must meet complexity requirements | Enabled
1.6 Store password using reversible encryption for all users in the domain | Disabled
A-2
2.1 Account lockout duration | 15 minutes
2.2 Account lockout threshold | 10 invalid logon attempts
2.3 Reset account lockout counter after | 15 minutes
A-3
3.1 Audit account logon events | Success, Failure
3.2 Audit account management | Success, Failure
3.3 Audit directory service access | No auditing
3.4 Audit logon events | Success, Failure
3.5 Audit object access | Success, Failure
3.6 Audit policy change | Success
3.7 Audit privilege use | Failure
3.8 Audit process tracking | No auditing
3.9 Audit system events | Success
A-4
4.1 Access this computer from the network | Remove all entries
4.2 Act as part of the operating system | None
4.3 Add workstations to domain | Not Defined (Not Applicable)
4.4 Adjust memory quotas for a process | Not Defined
4.5 Allow logon through Terminal Services | Remove all entries
4.6 Back up files and directories | Administrators
4.7 Bypass traverse checking | Users
4.8 Change the system time | Administrators
4.9 Create a pagefile | Administrators
4.10 Create a token object | None
4.11 Create permanent shared objects | None
4.12 Debug programs | None
4.13 Deny access to this computer from the network | Guest
4.14 Deny logon as a batch job | Not Defined
4.15 Deny logon as a service | Not Defined
4.16 Deny logon locally | Not Defined
4.17 Deny logon through Terminal Services | Everyone
4.18 Enable computer and user accounts to be trusted for delegation | Not Defined (Not Applicable)
4.19 Force shutdown from a remote system | Remove all entries
4.20 Generate security audits | Local Service, Network Service
4.21 Increase scheduling priority | Administrators
4.22 Load and unload device drivers | Administrators
4.23 Lock pages in memory | None
4.24 Log on as a batch job | Not Defined
4.25 Log on as a service | Not Defined
4.26 Log on locally | Users, Administrators
4.27 Manage auditing and security log | Administrators
4.28 Modify firmware environment values | Administrators
4.29 Perform volume maintenance tasks | Administrators
4.30 Profile single process | Administrators
4.31 Profile system performance | Administrators
4.32 Remove computer from docking station | Users, Administrators
4.33 Replace a process level token | Local Service, Network Service
4.34 Restore files and directories | Administrators
4.35 Shut down the system | Users, Administrators
4.36 Synchronize directory service data | Not Defined (Not Applicable)
4.37 Take ownership of files or other objects | Administrators
A-5
5.1 Accounts: Administrator account status | Not Defined
5.2 Accounts: Guest account status | Disabled
5.3 Accounts: Limit local account use of blank passwords to console logon only | Enabled
5.4 Accounts: Rename administrator account | Built-in Administrator account should be renamed and disabled, then a separate administrator account created for administrative purpose.
5.5 Accounts: Rename guest account | Not Defined
5.6 Audit: Audit the access of global system objects | Enabled
5.7 Audit: Audit the use of Backup and Restore privilege | Enabled
5.8 Audit: Shut down system immediately if unable to log security audits | Enabled
5.9 Devices: Allow undock without having to log on | Disabled
5.10 Devices: Allowed to format and eject removable media | Administrators
5.11 Devices: Prevent users from installing printer drivers | Enabled
5.12 Devices: Restrict CD-ROM access to locally logged-on user only | Enabled
5.13 Devices: Restrict floppy access to locally logged-on user only | Enabled
5.14 Devices: Unsigned driver installation behavior | Warn but allow installation
5.15 Domain controller: Allow server operators to schedule tasks | Not Defined (Not Applicable)
5.16 Domain controller: LDAP server signing requirements | Not Defined (Not Applicable)
5.17 Domain controller: Refuse machine account password changes | Not Defined (Not Applicable)
5.18 Domain member: Digitally encrypt or sign secure channel data (always) | Enabled
5.19 Domain member: Digitally encrypt secure channel data (when possible) | Enabled
5.20 Domain member: Digitally sign secure channel data (when possible) | Enabled
5.21 Domain member: Disable machine account password changes | Disabled
5.22 Domain member: Maximum machine account password age | 30 Days
5.23 Domain member: Require strong (Windows 2000 or later) session key | Enabled
5.24 Interactive logon: Do not display last user name | Enabled
5.25 Interactive logon: Do not require CTRL+ALT+DEL | Disabled
5.26 Interactive logon: Message text for users attempting to log on | Should be edited to contain message content pertinent to UC policy.
5.27 Interactive logon: Message title for users attempting to log on | Should be edited to contain message content pertinent to UC policy.
5.28 Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 0
5.29 Interactive logon: Prompt user to change password before expiration | 14 Days
5.30 Interactive logon: Require Domain Controller authentication to unlock workstation | Not Defined
5.31 Interactive logon: Smart card removal behavior | Lock Workstation
5.32 Microsoft network client: Digitally sign communications (always) | Enabled
5.33 Microsoft network client: Digitally sign communications (if server agrees) | Enabled
5.34 Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled
5.35 Microsoft network server: Amount of idle time required before suspending session | 15 minutes
5.36 Microsoft network server: Digitally sign communications (always) | Enabled
5.37 Microsoft network server: Digitally sign communications (if client agrees) | Enabled
5.38 Microsoft network server: Disconnect clients when logon hours expire | Enabled
5.39 Network access: Allow anonymous SID/Name translation | Disabled
5.40 Network access: Do not allow anonymous enumeration of SAM accounts | Enabled
5.41 Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled
5.42 Network access: Do not allow storage of credentials or .NET Passports for network authentication | Enabled
5.43 Network access: Let Everyone permissions apply to anonymous users | Disabled
5.44 Network access: Named Pipes that can be accessed anonymously | None
5.45 Network access: Remotely accessible registry paths | Not Defined
5.46 Network access: Shares that can be accessed anonymously | None
5.47 Network access: Sharing and security model for local accounts | Classic
5.48 Network access: Sharing and security model for local accounts | Enabled
5.49 Network security: Force logoff when logon hours expire | Enabled
5.50 Network security: LAN Manager authentication level | Send NTLMv2, Refuse LM and NTLM
5.51 Network security: LDAP client signing requirements | Require Signing
5.52 Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | Require Message Integrity, Message Confidentiality, NTLMv2 Session Security, 128-bit Encryption
5.53 Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | Require Message Integrity, Message Confidentiality, NTLMv2 Session Security, 128-bit Encryption
5.54 Recovery Console: Allow automatic administrative logon | Disabled
5.55 Recovery console: Allow floppy copy and access to all drives and all folders | Not Defined
5.56 Shutdown: Allow system to be shut down without having to log on | Disabled
5.57 Shutdown: Clear virtual memory pagefile | Enabled
5.58 System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing | Enabled
5.59 System objects: Default owner for objects created by members of the Administrators group | Object Creator
5.60 System objects: Require case insensitivity for non-Windows subsystems | Enabled
5.61 System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) | Enabled
A-6
6.1 Maximum application log size | 16 MB
6.2 Maximum security log size | 80 MB
6.3 Maximum system log size | 16 MB
6.4 Prevent local guests group from accessing application log | Enabled
6.5 Prevent local guests group from accessing security log | Enabled
6.6 Prevent local guests group from accessing system log | Enabled
6.7 Retain application log | Not Defined
6.8 Retain security log | Not Defined
6.9 Retain system log | Not Defined
6.10 Retention method for application log | Not Defined
6.11 Retention method for security log | Not Defined
6.12 Retention method for system log | Not Defined
A-7
7.1 Power Users | None
7.2 Remote Desktop Users | None
A-8
8.1 Alerter | Disabled
Application Layer Gateway | Disabled | Per UCOP Common Desktop Initiative configuration.
8.2 Clipbook | Disabled
8.3 Computer Browser | Disabled
Distributed Link Tracking Client | Disabled | Per UCOP Common Desktop Initiative configuration.
Error Reporting | Disabled | Per UCOP Common Desktop Initiative configuration.
Fast User Switching Compatibility | Disabled | Per UCOP Common Desktop Initiative configuration.
8.4 Fax Service | Disabled
8.5 FTP Publishing Service | Disabled
8.6 IIS Admin Service | Disabled
8.7 Indexing Service | Disabled
8.8 Messenger | Disabled
8.9 Net Logon | Disabled | Per UCOP Common Desktop Initiative configuration.
8.10 Netmeeting Remote Desktop Sharing | Disabled
Network Location Awareness (NLA) | Disabled | Per UCOP Common Desktop Initiative configuration.
8.11 Remote Desktop Help Session Manager | Disabled
8.12 Remote Registry | Disabled
8.13 Routing and Remote Access | Disabled
8.14 Simple Mail Transfer Protocol (SMTP) | Disabled
8.15 Simple Network Management Protocol (SNMP) Service | Disabled
8.16 Simple Network Management Protocol (SNMP) Trap | Disabled
8.17 Task Scheduler | Disabled
8.18 Telnet | Disabled
8.19 Terminal Services | Disabled
8.20 Universal Plug and Play Device Host | Disabled
Volume Shadow Copy | Disabled | Per UCOP Common Desktop Initiative configuration.
WebClient | Disabled | Per UCOP Common Desktop Initiative configuration.
Wireless Zero Configuration | Disabled | Per UCOP Common Desktop Initiative configuration.
8.21 World Wide Web Publishing Services | Disabled
A-9
9.1 %SystemRoot%\system32\at.exe | Administrators: Full; System: Full
9.2 %SystemRoot%\system32\attrib.exe | Administrators: Full; System: Full
9.3 %SystemRoot%\system32\cacls.exe | Administrators: Full; System: Full
9.4 %SystemRoot%\system32\debug.exe | Administrators: Full; System: Full
9.5 %SystemRoot%\system32\drwatson.exe | Administrators: Full; System: Full
9.6 %SystemRoot%\system32\drwtsn32.exe | Administrators: Full; System: Full
9.7 %SystemRoot%\system32\edlin.exe | Administrators: Full; System: Full; INTERACTIVE: Read, Ex
9.8 %SystemRoot%\system32\eventcreate.exe | Administrators: Full; System: Full
9.9 %SystemRoot%\system32\eventtriggers.exe | Administrators: Full; System: Full
9.10 %SystemRoot%\system32\ftp.exe | Administrators: Full; System: Full; INTERACTIVE: Read, Ex
9.11 %SystemRoot%\system32\net.exe | Administrators: Full; System: Full; INTERACTIVE: Read, Ex
9.12 %SystemRoot%\system32\net1.exe | Administrators: Full; System: Full; INTERACTIVE: Read, Ex
9.13 %SystemRoot%\system32\netsh.exe | Administrators: Full; System: Full
9.14 %SystemRoot%\system32\rcp.exe | Administrators: Full; System: Full
9.15 %SystemRoot%\system32\reg.exe | Administrators: Full; System: Full
9.16 %SystemRoot%\regedit.exe | Administrators: Full; System: Full
9.17 %SystemRoot%\system32\regedt32.exe | Administrators: Full; System: Full
9.18 %SystemRoot%\system32\regsvr32.exe | Administrators: Full; System: Full
9.19 %SystemRoot%\system32\rexec.exe | Administrators: Full; System: Full
9.20 %SystemRoot%\system32\rsh.exe | Administrators: Full; System: Full
9.21 %SystemRoot%\system32\runas.exe | Administrators: Full; System: Full; INTERACTIVE: Read, Ex
9.22 %SystemRoot%\system32\sc.exe | Administrators: Full; System: Full
9.23 %SystemRoot%\system32\subst.exe | Administrators: Full; System: Full
9.24 %SystemRoot%\system32\telnet.exe | Administrators: Full; System: Full; INTERACTIVE: Read, Ex
9.25 %SystemRoot%\system32\tftp.exe | Administrators: Full; System: Full; INTERACTIVE: Read, Ex
9.26 %SystemRoot%\system32\tlntsvr.exe | Administrators: Full; System: Full
A-10
10.1 HKLM\Software | Administrators: Full; System: Full; Creator Owner: Full; Users: Read
10.2 HKLM\Software\Microsoft\Windows\CurrentVersion\Installer | Administrators: Full; System: Full; Users: Read
10.3 HKLM\Software\Microsoft\Windows\CurrentVersion\Policies | Administrators: Full; System: Full; Authenticated Users: Read
10.4 HKLM\System | Administrators: Full; System: Full; Creator Owner: Full; Users: Read
10.5 HKLM\System\CurrentControlSet\Enum | Administrators: Full; System: Full; Authenticated Users: Read
10.6 HKLM\System\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers | Administrators: Full; System: Full; Creator Owner: Full
10.7 HKLM\System\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities | Administrators: Full; System: Full; Creator Owner: Full
10.8 HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Ratings | Administrators: Full; Users: Read
10.9 HKLM\Software\Microsoft\MSDTC | Administrators: Full; System: Full; Network Service: Query Value, Set Value, Create Subkey, Enumerate Subkeys, Notify, Read Permissions; Users: Read
10.10 HKU\.Default\Software\Microsoft\SystemCertificates\Root\ProtectedRoots | Administrators: Full; System: Full; Users: Read
10.11 HKLM\Software\Microsoft\Windows NT\CurrentVersion\SecEdit | Administrators: Full; System: Full; Users: Read
A-11
11.1 HKLM\Software\Microsoft\DrWatson\CreateCrashDump | 0
11.2 HKLM\Software\Microsoft\Windows NT\CurrentVersion\AEDebug\Auto | 0
11.3 HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun | 255
11.4 HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun | 255
11.5 HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon | 0
11.6 HKLM\System\CurrentControlSet\Control\CrashControl\AutoReboot | 0
11.7 HKLM\System\CurrentControlSet\Services\Cdrom\Autorun | 0
11.8 HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareWks | 0
11.9 HKLM\System\CurrentControlSet\Services\MrxSmb\Parameters\RefuseReset | 1
11.10 HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting | 2
11.11 HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect | 0
11.12 HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect | 0
11.13 HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery | 0
11.14 HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime | 300000
11.15 HKLM\System\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand | 1
11.16 HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery | 0
11.17 HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect | 2
11.18 HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen | 100
11.19 HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenRetried | 80
11.20 HKLM\System\CurrentControlSet\Services\IPSEC\NoDefaultExempt | 1
11.21 HKLM\System\CurrentControlSet\Services\Lanmanserver\Parameters\Hidden | 1
11.22 HKLM\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode | 1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LogonType | | Disables the XP-style Welcome logon screen and reverts to the "classic" Windows 2000 logon screen.
A-12
12.1 HKLM\Software | Everyone: Failures
12.2 HKLM\System | Everyone: Failures
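As an added example (mine, not part of this UCOP document), the Python below audits a security template exported from a BA DIRECT WIRE TRANSFER PC with "secedit /export /cfg" against a representative subset of the Appendix A values (A-1/A-2 password and lockout policy, A-3 audit policy, and three A-11 registry values). The INF section names, the audit bitmask and the "type,data" registry convention it relies on are assumptions stated in its docstring, and the sample export is constructed.

```python
"""Audit a template exported with "secedit /export /cfg <file>" against Appendix A.
Assumptions (mine, not the document's): audit entries are bitmasks (1 = Success,
2 = Failure, 3 = both), registry entries are "path=type,data" with 4 = REG_DWORD,
and "Maximum password age 0" (never expires) is exported as -1."""

SYSTEM_ACCESS = {  # subset of Appendix A-1 / A-2, keyed by secedit setting name
    "PasswordHistorySize": 24,    # 1.1
    "MaximumPasswordAge": -1,     # 1.2 (0 in the table)
    "MinimumPasswordLength": 12,  # 1.4
    "LockoutDuration": 15,        # 2.1 minutes
    "LockoutBadCount": 10,        # 2.2
}
SUCCESS, FAILURE = 1, 2
EVENT_AUDIT = {  # Appendix A-3
    "AuditAccountLogon": SUCCESS | FAILURE,   # 3.1
    "AuditAccountManage": SUCCESS | FAILURE,  # 3.2
    "AuditDSAccess": 0,                       # 3.3 No auditing
    "AuditLogonEvents": SUCCESS | FAILURE,    # 3.4
    "AuditObjectAccess": SUCCESS | FAILURE,   # 3.5
    "AuditPolicyChange": SUCCESS,             # 3.6
    "AuditPrivilegeUse": FAILURE,             # 3.7
    "AuditProcessTracking": 0,                # 3.8 No auditing
    "AuditSystemEvents": SUCCESS,             # 3.9
}
TCPIP = r"MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters"  # HKLM is MACHINE in the INF
REGISTRY_VALUES = {  # part of Appendix A-11, all REG_DWORD
    TCPIP + r"\SynAttackProtect": 2,  # 11.17
    TCPIP + r"\TcpMaxHalfOpen": 100,  # 11.18
    r"MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode": 1,  # 11.22
}

def parse_inf(text):
    """Parse the INF into {section: {key: value}}, preserving key case."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)  # registry paths contain no "="
            current[key.strip()] = value.strip()
    return sections

def _check(actual_map, expected_map, label):
    """Compare one INF section with its baseline; return one string per deviation."""
    out = []
    for key, expected in expected_map.items():
        actual = actual_map.get(key)
        if actual is None or int(actual) != expected:
            out.append("%s %s: expected %s, found %s" % (
                label, key.rsplit("\\", 1)[-1], expected, "missing" if actual is None else actual))
    return out

def check_baseline(sections):
    """Return every deviation from Appendix A; an empty list means compliant."""
    registry = {path: entry.split(",", 1)[1]  # keep only the data part of "type,data"
                for path, entry in sections.get("Registry Values", {}).items() if "," in entry}
    return (_check(sections.get("System Access", {}), SYSTEM_ACCESS, "A-1/A-2")
            + _check(sections.get("Event Audit", {}), EVENT_AUDIT, "A-3")
            + _check(registry, REGISTRY_VALUES, "A-11"))

# Constructed sample export with three wrong values and one missing value.
SAMPLE_INF = r"""
[System Access]
MaximumPasswordAge = -1
MinimumPasswordLength = 8
PasswordHistorySize = 24
LockoutBadCount = 10
LockoutDuration = 15
[Event Audit]
AuditSystemEvents = 1
AuditLogonEvents = 3
AuditObjectAccess = 3
AuditPrivilegeUse = 0
AuditPolicyChange = 1
AuditAccountManage = 3
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect=4,0
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen=4,100
"""

if __name__ == "__main__":
    print("\n".join(check_baseline(parse_inf(SAMPLE_INF))))
```

Against a real export, read the file with encoding "utf-16" (secedit writes Unicode) and pass its text to parse_inf.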
Appendix B: Sample Incident Response Check List
Campus incident response procedures will vary to some extent, depending on the organization of the business functions, information technology, public information, law enforcement, etc. In general, all incident response procedures would include the following elements.
- Ensure that the right people are involved. At a minimum, the incident response team includes: the affected system's proprietor and custodian, the campus IT security and policy officers, the campus Chief Information Officer, and the Associate Vice President Information Resources and Communications (UCOP) if public disclosure is required. In some circumstances, other campus experts may need to be involved (e.g., Chancellor's office, campus police, legal counsel, public affairs, risk management, internal audit, the campus payment card coordinator, the campus HIPAA security officer), or national and international IT security organizations (e.g., the US CERT).
- Secure the area. Electronic evidence can be very perishable and can be easily destroyed, resulting in an inability to prosecute or an inability to determine if personal information was compromised. Secure the scene and all the persons on the scene, then visually identify potential evidence, both conventional (physical) and electronic, and determine if perishable evidence exists. Take care not to alter the condition of any electronic device: if it is off, leave it off; if it is on, leave it on. Inventory and evaluate the scene and then formulate a plan.
Incident Response Process Steps: Incident response processes are unpredictable. For this reason, proper documentation at every stage in the process is essential.
1. Notify. Provide initial notification of the breach to the affected system's proprietor and custodian, the campus IT security and compliance/policy officers, and any other people required by the circumstances. Provide updates as appropriate throughout the incident response process.
2. Assess the need for forensic investigation. The factors to consider include the potential value of forensic information vs. the immediate need to protect and restore University resources and services. It may be necessary to delay subsequent steps until an appropriate criminal investigation has been conducted.
3. Regain control. Once required forensic information has been collected, regain control of the compromised system. This may include network disconnection, process termination, a reboot, etc.
4. Analyze the intrusion. Understand the nature of the intrusion and its impact on information and process integrity. Determine if restricted information may have been acquired by unauthorized individuals. Determine what address information is available for individuals whose data may have been acquired by unauthorized individuals.
5. Document results of analysis. Prepare a report on the nature of the incident, the nature of the information that has been compromised, the numbers of individuals affected, and address information on impacted individuals.
6. Submit report. Notify the campus IT leadership, executive managers, legal counsel, and the Associate Vice President Information Resources and Communications if there is a possibility that public disclosure will be required.
7. Recover from the intrusion. Perform whatever steps are needed to restore the integrity of the affected information and processes.
8. Correct system or application vulnerabilities. Correct the condition that allowed the intrusion to occur.
9. Restore the service. Once everything is complete, service can be restored.
10. Assemble team to determine if notification is required. Work with executive management to determine whether to make public disclosures. Determining the Threshold for Security Breach Notification (http://www.ucop.edu/irc/itsec/security_breach_notification.pdf) contains issues that should be considered when evaluating the incident and determining whether to notify affected individuals in compliance with California's security breach notification requirement. Campus counsel and public affairs should be included in the determination evaluation.
11. Close the incident. Ensure notification of the incident's final resolution to the affected system's proprietor and custodian, the campus IT security and compliance/policy officers, the campus IT leader, the Associate Vice President Information Resources and Communications, and any other individuals who should be engaged in this process.