White Paper: Security Policy & Standards
Baseline Security Standards
Example
1. Objectives
This section describes the objectives of the Baseline Security Standard. It also references related Baseline Standards such as the Generic Standard and specific product Baseline Standards in cases where it is being introduced as part of a package of such standards. Finally, it discusses the limitations of Baseline Standards and points out that a more formal security review should be undertaken once the Baseline Standards are in place.
2. Standards
This section discusses the concept of standards and explains the applicability of this one. In cases where it is being modified for a particular organization, it may also discuss such issues as how to obtain exemptions to the standard.
3. Account Security
The following sections discuss the security measures to be put in place for different categories of user accounts. Some aspects of account security are consistent across all platforms; these aspects are normally discussed in the Generic Baseline Security Standard. An example of this would be minimum password lengths for different categories of account.
3.1. Normal (non-privileged) Accounts
This section describes the minimum security measures to be taken for "normal" accounts. These accounts include all those not used for such things as system administration. Depending on the organization and the specific platform, even application development accounts may qualify as normal accounts; in other cases, they may require privileges.
3.2. Privileged (Root) Accounts
This section describes security measures for privileged accounts. In some cases, such as Unix, there is only one category of privileged account; in others, such as VMS, there may be many different degrees of privilege. This section is tailored for each platform to take these differences into account. It also provides some guidelines as to when privileged accounts should be granted; these guidelines are also tailored by platform.
3.3. Other Accounts
This section discusses security measures for all accounts which do not fall into the previous categories. While this section is again tailored to each platform, in general it may include two categories of account. The first category is that of special accounts provided with the platform. These would typically include accounts intended for the supplier to carry out maintenance activities and the like.
The second category is that of special purpose accounts provided by the organization owning the machine. Examples would include guest accounts and accounts intended for anonymous access. In general, these accounts will only be commented on if there are security features specific to them or if there are specific measures which should be taken for the platform, such as Anonymous FTP accounts for some flavours of Unix.
4. Resource Security
The following sections discuss the protection of the resources on the platform. The specific sub-sections may depend on the capabilities of the particular platform.
4.1. File, Directory, and Device Protection
The subject of this section is self-explanatory. The title above assumes that device protection is available and that it works in the same way as protection of files and directories. If device protection is not available, or if it works differently, or if there are other resources which can be protected in the same way as files and directories, the title and contents may change.
4.2. Other Resources
This section assumes that there are other resources which can be protected and, in particular, that they are protected in different ways than are files and directories. Again, this may vary from platform to platform.
5. Network and Communications
These sections refer not to the overall topic of network and communications security, but to those aspects of it which are handled specifically by the platform. Examples would include the allocation and protection of ports in Unix systems or the protection of DECnet objects in VMS systems.
5.1. Network Security
This is the section which discusses most platform-specific network and communications security measures. It usually assumes local area network connectivity but, depending on the platform, may also include aspects of wide area network security.
5.2. Communications Security
This section is very platform-specific and may or may not appear at all. It tends to focus on point-to-point connectivity rather than network connectivity. If a specific platform has built-in measures for protecting dial-up access, they would be discussed here.
6. System Auditing
The following sections differ dramatically between platforms, as there are few areas of security in which capabilities differ more than in auditing. In some cases, audit events can be enabled on a user-by-user basis, while in others they are "all or nothing". Factors such as these will affect the specific measures for each platform.
6.1. Mandatory Audit Events
These are the events which should always be in place for the specific platform. The most usual is, of course, login failures, perhaps subject to a lower threshold below which they are not reported, depending on the platform.
6.2. Recommended Audit Events
These are audit events which are highly recommended. A typical example, if available, would be failed access attempts to particularly sensitive resources.
6.3. Optional Audit Events
These are audit events which can be of value in diagnosing problems but which are not essential. They are only recommended if the system and human resources are available both to record and to analyze them.
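The mandatory and recommended audit events above (login failures above a threshold, and failed access attempts to sensitive resources) are the kind of thing an analyst checks for when reviewing audit output. The following is an added example, not part of the white paper or of any platform's own audit tooling: it scans constructed, syslog-like audit lines (the line format, user and path names, and the list of sensitive paths are all assumptions) and reports the events a baseline standard of this shape would ask for.

```python
"""Added example: flagging the audit events described in sections 6.1 and 6.2
over constructed audit lines. The log format and sensitive-path list are
assumptions for illustration, not taken from any real platform."""
import re
from collections import Counter

# Constructed sample audit lines (hypothetical syslog-like format).
SAMPLE_LOG = """\
Jan 10 09:01:02 host1 login[1201]: FAILED LOGIN user=alice tty=pts/0
Jan 10 09:01:10 host1 login[1202]: FAILED LOGIN user=alice tty=pts/0
Jan 10 09:01:15 host1 login[1203]: FAILED LOGIN user=alice tty=pts/0
Jan 10 09:02:00 host1 login[1204]: LOGIN user=bob tty=pts/1
Jan 10 09:02:30 host1 login[1205]: FAILED LOGIN user=bob tty=pts/1
Jan 10 09:03:00 host1 kernel: unrelated message
Jan 10 09:04:00 host1 access[1300]: DENIED user=carol path=/etc/shadow
Jan 10 09:04:05 host1 access[1301]: DENIED user=carol path=/tmp/scratch
"""

FAILED_LOGIN = re.compile(r"FAILED LOGIN user=(?P<user>\S+)")
DENIED_ACCESS = re.compile(r"DENIED user=(?P<user>\S+) path=(?P<path>\S+)")

# Resources the (hypothetical) standard treats as particularly sensitive.
SENSITIVE_PATHS = {"/etc/shadow", "/etc/passwd"}


def count_failed_logins(log_text):
    """Return a Counter of failed-login attempts keyed by user name."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_LOGIN.search(line)
        if m:
            counts[m.group("user")] += 1
    return counts


def users_over_threshold(log_text, threshold=3):
    """Mandatory audit event (6.1): users whose failed-login count reaches
    the threshold. Counts below it are recorded but not reported."""
    return sorted(u for u, n in count_failed_logins(log_text).items()
                  if n >= threshold)


def sensitive_access_denials(log_text, sensitive=SENSITIVE_PATHS):
    """Recommended audit event (6.2): failed access attempts to sensitive
    resources, as (user, path) pairs. Denials on other paths are ignored."""
    hits = []
    for line in log_text.splitlines():
        m = DENIED_ACCESS.search(line)
        if m and m.group("path") in sensitive:
            hits.append((m.group("user"), m.group("path")))
    return hits


if __name__ == "__main__":
    print("failed logins per user:", dict(count_failed_logins(SAMPLE_LOG)))
    print("users at/over threshold:", users_over_threshold(SAMPLE_LOG))
    print("sensitive denials:", sensitive_access_denials(SAMPLE_LOG))
```

The threshold is a parameter rather than a constant because, as the text notes, the appropriate lower limit depends on the platform and on how much audit volume the organization can actually review.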
7. Backups
This is an example of the additional sections which may exist for particular platforms. For one platform, there were specific security concerns around aspects of the Backup program, and this section recommended the measures which should be taken on that platform.
This particular section may never appear in another Baseline Security Standard, but there may well be other sections not included in the sample table of contents which would appear for other platforms.