Information Security Risk Assessment Inspection Procedure: Operating System Security Assessment Checklist (Windows)

Operating System Audit Checklist: Windows Security Audit

Department audited:    Auditor:    Audit date:    Accompanying personnel:

Columns: No. | Audit item | Audit steps/method | Audit result | Additional notes | Recommended improvements

1. Patch installation status

2. Review of main account policies
  • Minimum password length of 8 characters; maximum password age of 90 days

3. Audit policy
  • Audit all account logon events
  • Audit all account management events
  • Audit all logon events
  • Audit failed object access
  • Audit policy change events
  • Audit failed privilege use events
  • Audit all system events

4. Account policy
  • Minimum password age: 1 day
  • Maximum password age: 90 days
  • Minimum password length: 8 characters
  • Password complexity: Enabled
  • Password history: 24 Passwords Remembered
  • Store passwords using reversible encryption: Disabled

5. Account lockout policy
  • Account lockout duration: 15 Minutes (minimum)
  • Account lockout threshold: 3 failed logons
  • Reset time: 15 Minutes (minimum)

6. Event log audit
For the System, Security, and Application logs, review the following:
  • Maximum log size: 80 Mb (minimum)
  • Restrict Guest account access to logs: Enabled
  • Log retention method: "Overwrite the log when necessary"

7. Main security settings audit
  • Access is denied to external anonymous users.

8. Security options
  • Allow the system to be shut down without logging on: Disabled
  • Allowed to format and eject removable media: Administrators
  • Amount of Idle Time Required Before Disconnecting Session: 30 Minutes (maximum)
  • Force logoff when logon hours expire: Enabled
  • Clear the virtual memory page file at system shutdown: Enabled
  • Digitally sign client communication (when possible): Enabled
  • Digitally sign server communication (when possible): Enabled
  • Do not require CTRL+ALT+Delete to log on: Disabled
  • Do not display the last logged-on user name: Enabled
  • LAN Manager Authentication Level: "Send NTLMv2 response only" (minimum)
  • Message text shown to users at logon: Custom Message or "This system is for the use of authorized users only."
  • Message title shown to users at logon: "Warning:" or custom title.
  • Number of previous logons to cache: 0
  • Prevent users from installing printer drivers: Enabled
  • Days before password expiration to prompt the user to change the password: 14 Days (minimum)
  • Recovery Console (allow automatic administrative logon): Disabled
  • Recovery Console (allow floppy copy and access to all drives and folders): Disabled
  • Rename the administrator account: any name other than Administrator
  • Rename the Guest account: any name other than GUEST
  • Restrict floppy access to locally logged-on users only: Enabled
  • Digitally encrypt secure channel data (when possible): Enabled
  • Digitally sign secure channel data (when possible): Enabled
  • Send unencrypted password to connect to third-party SMB servers: Disabled
  • Smart card removal behavior: "Lock Workstation"
  • Strengthen Default Permissions of Global System Objects (e.g. Symbolic Links): Enabled
  • Unsigned driver installation behavior: "Warn, but allow installation" or "Do not allow installation".

9. Registry security settings audit
  • Prevent Dr. Watson from creating dump files: HKLM\Software\Microsoft\DrWatson\CreateCrashDump (REG_DWORD) 0
  • Disable automatic launch of the system debugger: HKLM\Software\Microsoft\Windows NT\CurrentVersion\AEDebug\Auto (REG_DWORD) 0
  • Disable autorun of any application from any drive: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun (REG_DWORD) 255
  • Disable autorun for the current user: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun (REG_DWORD) 255
  • Disable autorun for any new user: HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun (REG_DWORD) Not Defined
  • Disable automatic logon: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon (REG_SZ) 0
  • Mask the actual characters of keyboard input with asterisks: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Network\HideSharePwds (REG_DWORD) 1
  • Disable dial-in access: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Network\NoDialIn (REG_DWORD) 1
  • Disable automatic reboot after a blue screen of death: HKLM\System\CurrentControlSet\Control\CrashControl\AutoReboot (REG_DWORD) 0
  • Disable CD autoplay: HKLM\System\CurrentControlSet\Services\CDrom\Autorun (REG_DWORD) 0
  • Remove administrative shares on servers: HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareServer (REG_DWORD) 0
  • Protect against Computer Browser spoofing attacks: HKLM\System\CurrentControlSet\Services\MrxSmb\Parameters\RefuseReset (REG_DWORD)
  • Protect against source-routing spoofing attacks: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting (REG_DWORD) 2
  • Protect the default gateway network setting: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect (REG_DWORD) 0
  • Ensure ICMP Routing via shortest path first: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect (REG_DWORD) 0
  • Help prevent packet fragmentation attacks: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery (REG_DWORD) 0
  • Manage Keep-alive time: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime (REG_DWORD)
  • Protect against malicious Name-Release attacks: HKLM\System\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand (REG_DWORD) 1
  • Ensure router discovery is disabled: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery (REG_DWORD) 0
  • Protect against SYN flood attacks: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect (REG_DWORD) 2
  • SYN attack protection, manage TCP maximum half-open sockets: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen (REG_DWORD) 100 or 500
  • SYN attack protection, manage TCP maximum half-open retried sockets: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenRetried (REG_DWORD) 80 or 400
  • Enable IPSec to protect Kerberos RSVP traffic: HKLM\System\CurrentControlSet\Services\IPSEC\NoDefaultExempt (REG_DWORD) 1

10. Service audit
  • Alerter: Disabled
  • Clipbook: Disabled
  • Computer Browser: Disabled
  • Fax Service: Disabled
  • FTP Publishing Service: Disabled (Warning: this will disable the FTP service)
  • IIS Admin Service: Disabled (Warning: This will disable Internet Information Services!)
  • Internet Connection Sharing: Disabled
  • Messenger: Disabled
  • NetMeeting Remote Desktop Sharing: Disabled
  • Remote Registry Service: Disabled
  • Routing and Remote Access: Disabled
  • Simple Mail Transfer Protocol (SMTP): Disabled (Warning: this disables the SMTP service on IIS servers.)
  • Simple Network Management Protocol (SNMP) Service: Disabled
  • Simple Network Management Protocol (SNMP) Trap: Disabled
  • Telnet: Disabled
  • World Wide Web Publishing Services: Disabled (Warning: this will disable Internet Information Services!)
  • Automatic Updates: Not Defined
  • Background Intelligent Transfer Service: Not Defined

11. User rights audit
  • Access this computer from the network: Users, Administrators (or none)
  • Act as part of the operating system: None
  • Add workstations to domain: Not applicable
  • Back up files and directories: Administrators
  • Bypass traverse checking: Users
  • Change the system time: Administrators
  • Create a pagefile: Administrators
  • Create global objects: None
  • Create permanent shared objects: None
  • Debug programs: None
  • Deny access to this computer from the network: Guests
  • Deny logon as a batch job: None by default (others allowable as appropriate) Not Defined
  • Deny logon as a service: None by default (others allowable as appropriate) Not Defined
  • Deny logon locally: None by default (others allowable as appropriate) Not Defined
  • Force shutdown from a remote system: Administrators
  • Manage and audit the security log: None
  • Increase memory quotas: Administrators
  • Increase scheduling priority: Administrators
  • Install and uninstall device drivers: Administrators
  • Lock pages in memory: None
  • Log on as a batch job: None ("Not Defined")
  • Log on as a service: None ("Not Defined")
  • Log on locally: Administrators (other specific users allowable)
  • Manage auditing and security log: Administrators
  • Modify firewall environment options: Administrators
  • Profile single process: Administrators
  • Profile system performance: Administrators
  • Remove computer from docking station: Administrators
  • Replace a process-level token: None
  • Restore files and directories: Administrators
  • Shut down the system: Administrators
  • Synchronize directory service data: Not Applicable
  • Take ownership of files and other objects: Administrators

12. Other system requirements
  • Ensure disk volumes use the NTFS file system.

13. File permissions
  • %SystemDrive% - Administrators: Full; System: Full; Creator Owner: Full; Users: Read and Execute, List
  • %SystemDrive%\autoexec.bat - Administrators: Full; System: Full
  • %SystemDrive%\boot.ini - Administrators: Full; System: Full
  • %SystemDrive%\config.sys - Administrators: Full; System: Full
  • %SystemDrive%\io.sys - Administrators: Full; System: Full
  • %SystemDrive%\msdos.sys - Administrators: Full; System: Full
  • %SystemDrive%\ntbootdd.sys - Administrators: Full; System: Full
  • %SystemDrive% - Administrators: Full; System: Full
  • %SystemDrive%\ntldr - Administrators: Full; System: Full
  • %SystemDrive%\Documents and Settings - Administrators: Full; System: Full; Users: Read and Execute, List
  • %SystemDrive%\Documents and Settings\Administrator - Administrators: Full; System: Full
  • %SystemDrive%\Documents and Settings\All Users - Administrators: Full; System: Full; Users: Read and Execute, List
  • %SystemDrive%\Documents and Settings\All Users\Documents\DrWatson - Administrators: Full; System: Full; Creator Owner: Full; Users: Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions (This folder, subfolders, and files); Users: Traverse Folder/Execute Files, Create Files/Write Data, Create Folder/Append Data (Subfolders and files only)
  • %SystemDrive%\Documents and Settings\Default User - Administrators: Full; System: Full; Users: Read and Execute, List
  • %SystemDrive%\System Volume Information - (Do not allow permissions on this folder to be replaced)
  • %SystemDrive%\Temp - Administrators: Full; System: Full; Creator Owner: Full; Users: Traverse Folders/Execute Files, Create Files/Write Data, Create Folders/Append Data
  • %ProgramFiles% - Administrators: Full; System: Full; Creator Owner: Full; Users: Read and Execute, List
  • %SystemDrive%\Program Files\Resource Kit - Administrators: Full; System: Full
  • %SystemRoot% - Administrators: Full; System: Full; Creator Owner: Full; Users: Read and Execute, List
  • %SystemRoot%\$NtServicePackUninstall$ - Administrators: Full; System: Full
  • %SystemRoot%\CSC - Administrators: Full; System: Full
  • %SystemRoot%\Debug - Administrators: Full; System: Full; Creator Owner: Full; Users: Read and Execute, List
  • %SystemRoot%\Debug\UserMode - Administrators: Full; System: Full; Users: Traverse Folder/Execute File, List folder/Read data, Create files/Write data (This folder, only); Create files/Write data, Create folders/Append data (Files only)
  • %SystemRoot%\Offline Web Pages - (Do not allow permissions on this key to be replaced)
  • %SystemRoot%\Registration - Administrators: Full; System: Full; Users: Read
  • %SystemRoot%\repair - Administrators: Full; System: Full
  • %SystemRoot%\security - Administrators: Full; System: Full; Creator Owner: Full
  • %SystemRoot%\system32 - Administrators: Full; System: Full; Creator Owner: Full; Users: Read and Execute, List
  • %SystemRoot%\system32\at.exe - Administrators: Full; System: Full
  • %SystemRoot%\system32\Ntbackup.exe - Administrators: Full; System: Full
  • %SystemRoot%\system32\rcp.exe - Administrators: Full; System: Full
  • %SystemRoot%\regedit.exe - Administrators: Full; System: Full
  • %SystemRoot%\system32\regedt32.exe - Administrators: Full; System: Full
  • %SystemRoot%\system32\rexec.exe - Administrators: Full; System: Full
  • %SystemRoot%\system32\rsh.exe - Administrators: Full; System: Full
  • %SystemRoot%\system32\secedit.exe - Administrators: Full; System: Full
  • %SystemRoot%\system32\appmgmt - Administrators: Full; System: Full; Users: Read and Execute, List
  • %SystemRoot%\config - Administrators: Full; System: Full
  • %SystemRoot%\system32\dllcache - Administrators: Full; System: Full; Creator Owner: Full
  • %SystemRoot%\system32\DTCLog - Administrators: Full; System: Full; Creator Owner: Full; Users: Read and Execute, List
  • %SystemRoot%\system32\GroupPolicy - Administrators: Full; System: Full; Authenticated Users: Read and Execute, List
  • %SystemRoot%\system32\ias - Administrators: Full; System: Full; Creator Owner: Full
  [Source page footer: The Center for Internet Security, Windows 2000 Server - Level 2 Benchmark for Stand-Alone and Domain-Member Servers, page 18 of 56]
  • %SystemRoot%\system32\NTMSData - Administrators: Full; System: Full
  • %SystemRoot%\system32\reinstallbackups - Administrators: Full; System: Full; Creator Owner: Full
  • %SystemRoot%\system32\Setup - Administrators: Full; System: Full; Users: Read and Execute, List
  • %SystemRoot%\system32\spool\printers - Administrators: Full; System: Full; Creator Owner: Full; Users: Traverse Folder, Execute File, Read, Read Extended Attributes, Create folders, Append Data
  • %SystemRoot%\Tasks - (Do not allow permissions on this key to be replaced)
  • %SystemRoot%\Temp - Administrators: Full; System: Full; Creator Owner: Full; Users: Traverse Folders/Execute Files, Create Files/Write Data, Create Folders/Append Data

14. File and registry auditing
  • %SystemDrive% - Everyone: Failures (this folder, propagate inheritable permissions to all subfolders and files)
  • HKLM\Software - Everyone: Failures (this key, propagate inheritable permission to all subkeys)
  • HKLM\System - Everyone: Failures (this key, propagate inheritable permission to all subkeys)

15. Registry permissions
  • HKLM\Software\Classes - Administrators: Full; System: Full; Creator Owner: Full; Users: Read
  • HKLM\Software - Administrators: Full; System: Full; Creator Owner: Full; Users: Read
  • HKLM\Software\Microsoft\NetDDE - Administrators: Full; System: Full
  • HKLM\Software\Microsoft\OS/2 Subsystem for NT - Administrators: Full; System: Full; Creator Owner: Full
  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\AsrCommands - Administrators: Full; System: Full; Creator Owner: Full; Users: Read; Backup Operators: Query Value, Set Value, Create Subkey, Enumerate Subkeys, Notify, Delete, Read (this key and subkeys)
  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Perflib - Administrators: Full; System: Full; Creator Owner: Full; Interactive: Read (this key and subkeys)
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy - Administrators: Full; System: Full; Authenticated Users: Read
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Installer - Administrators: Full; System: Full; Users: Read
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Policies - Administrators: Full; System: Full; Authenticated Users: Read
  • HKLM\System - Administrators: Full; System: Full; Creator Owner: Full; Users: Read
  • HKLM\System\Clone - Allow inheritable permissions to propagate to this object
  • HKL
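
One way to fill in the "audit result" column for part of checklist item 9 (registry security settings), as an added example that is not part of the original checklist: a read-only PowerShell check of several of the listed values. The function name Test-ChecklistValue and the Pass/Fail/Missing labels are hypothetical, and the script assumes PowerShell 5.0 or later for Get-ItemPropertyValue.

```powershell
# Added example (not from the checklist): read-only comparison of selected
# item 9 registry values against the expected data stated in the checklist.
$Expected = @(
    @{ Path = 'HKLM:\Software\Microsoft\DrWatson'
       Name = 'CreateCrashDump'; Want = 0 }
    @{ Path = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\AEDebug'
       Name = 'Auto'; Want = 0 }
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoDriveTypeAutoRun'; Want = 255 }
    @{ Path = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'AutoAdminLogon'; Want = '0' }   # REG_SZ in the checklist
    @{ Path = 'HKLM:\System\CurrentControlSet\Control\CrashControl'
       Name = 'AutoReboot'; Want = 0 }
    @{ Path = 'HKLM:\System\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'AutoShareServer'; Want = 0 }
    @{ Path = 'HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters'
       Name = 'DisableIPSourceRouting'; Want = 2 }
    @{ Path = 'HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters'
       Name = 'EnableICMPRedirect'; Want = 0 }
    @{ Path = 'HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters'
       Name = 'SynAttackProtect'; Want = 2 }
    @{ Path = 'HKLM:\System\CurrentControlSet\Services\Netbt\Parameters'
       Name = 'NoNameReleaseOnDemand'; Want = 1 }
)

function Test-ChecklistValue {
    param([Parameter(Mandatory)][hashtable]$Item)
    $actual = $null
    $result = 'Missing'   # key or value absent: the OS default applies
    try {
        $actual = Get-ItemPropertyValue -Path $Item.Path -Name $Item.Name -ErrorAction Stop
        # Compare as strings so REG_SZ '0' and REG_DWORD 0 are handled alike.
        $result = if ("$actual" -eq "$($Item.Want)") { 'Pass' } else { 'Fail' }
    } catch {
        # Missing is reported separately from Fail so the auditor can decide
        # whether the default behaviour satisfies the checklist line.
    }
    [pscustomobject]@{
        Result   = $result
        Value    = $Item.Name
        Expected = $Item.Want
        Actual   = $actual
        Key      = $Item.Path
    }
}

$Expected | ForEach-Object { Test-ChecklistValue -Item $_ } |
    Sort-Object Result | Format-Table -AutoSize -Wrap
```

A "Missing" row means the value is not set at all, which the checklist treats as a finding unless "Not Defined" is the stated expectation.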
