NIST Security Configuration Checklists Repository

Enterprise System Management Security Technical Implementation Guide

Name

Enterprise System Management Security Technical Implementation Guide, v3 Release 1

Version

v3 Release 1

Status

Final

Creation Date

2006-06-05

Revision Date

Not available.

Product Category

Management Server

Vendor

IBM
Microsoft

Product

Tivoli Enterprise Management Products
Microsoft Systems Management Server 2003

Product Version

Tivoli version information is not available.
Microsoft Systems Management Server 2003

Product Role

Server

Checklist Summary

This Enterprise System Management (ESM) Security Technical Implementation Guide (STIG) provides security configuration guidance for software products designed to deliver enterprise-class system management functions. This document describes security requirements to be applied to ESM products used in DOD environments.

While the boundaries of the ESM discipline are such that there is no authoritative definition of an ESM product, Section 2, Enterprise System Management Overview, provides a generic description of the elements characteristic of most ESM products. Section 3, Enterprise System Management Security, provides general guidance for ESM products; specific commercial products are addressed in appendices. Appendix A lists publications that were used in the creation of this STIG. Appendix B, Tivoli Security, provides guidance for securing the Tivoli suite of ESM products. Appendix C, Microsoft Systems Management Server (SMS), provides guidance for securing the Microsoft SMS.

This document is intended to be used in conjunction with the other STIGs developed by the Defense Information Systems Agency (DISA). The operating system (OS) STIGs provide crucial guidance for securing the platforms on which the ESM products run. The STIGs that cover database and web server products provide guidance to ensure that those services used by ESM products also support a secure environment.

The goal of this document is to provide guidance that allows the power of ESM products to be used, while preventing that power from being exploited to degrade the confidentiality, integrity, or availability of the systems being managed. The use of the principles and guidelines in this STIG will provide an environment that meets or exceeds the security requirements of DOD systems operating at the MAC II Sensitive level, containing unclassified but sensitive information.

Known Issues

Application of the requirements presented in this document is intended to provide a certain level of assurance. Individual sites must determine whether this level of assurance is appropriate to their environment. This document provides both general and product-specific security guidance. As noted elsewhere in this document, vendor implementation of ESM functions varies, and most commercial products provide only subsets of the functions generally associated with ESM. The guidelines specified should be evaluated in a local, representative test environment before implementation within large user populations. The extensive variety of environments makes it impossible to test these guidelines for all potential software configurations. In some environments, failure to test before implementation will lead to a loss of required functionality.

Target Audience

Developed for the DOD.
The information is designed to assist Security Managers, Information Assurance Managers (IAMs), Information Assurance Officers (IAOs), and System Administrators (SAs) with the creation of more secure ESM configurations. This document assumes that the reader has experience installing and administering ESM systems.

Target Operational Environment

Enterprise and Specialized Security-Limited Functionality.

Checklist Installation Tools

Not available.

Rollback Capability

Not available.

Testing Information

Not available.

NIAP/CMVP Status

Not available.

Regulatory Compliance

DOD Directive 8500.1, “Information Assurance (IA).”

Comments, Warnings, Disclaimer, Miscellaneous

Refer to Known Issues.

Disclaimer

Not available.

Product Support

FSO (DISA Field Security Operations) support for the STIGs, Checklists, and Tools is available only to DOD customers.

Submitting Organization/Authors

Defense Information Systems Agency

Point of Contact

Not available.

Sponsor

Not available.

Licensing

Not available.

Checklist Homepage

http://iase.disa.mil/stigs/stig/index.html

Download Package

http://iase.disa.mil/stigs/stig/ESM_STIG_V1R1.pdf

Integrity

SHA1 Digest (ESM_STIG_V1R1.pdf) = f0efbb8bbbf7458d166562827df5f617a8bbe9ac

SHA256 Digest (ESM_STIG_V1R1.pdf) = de7a251dbe18099a6b26b8bf61f4aab62d0cdfe2f0c423f9bd853fcdf252bc76
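The digests above are only useful if they are actually checked against the downloaded package. The script below is an added example, not part of the NIST page or of DISA's tooling: it streams the PDF once, computes both published digests, and compares them in constant time after normalising case and any whitespace introduced when a digest is copied from a page that wrapped it across lines. Two caveats a practitioner should keep in mind: the file name and both digests on this page refer to ESM_STIG_V1R1.pdf, whereas the entry itself is labelled v3 Release 1, so a match authenticates the V1R1 package and nothing else; and SHA-1 is no longer considered collision-resistant, so the SHA-256 value is the one that carries weight. The file path and the `abc` sample used in the self-check are assumptions for illustration.

```python
"""Verify a downloaded checklist package against the digests published on its repository page.

Added example; the PUBLISHED_DIGESTS values are copied from the page, everything else is
illustrative and assumes the package was saved under its original file name.
"""
import hashlib
import hmac
from pathlib import Path

# Digests exactly as printed on the repository page for ESM_STIG_V1R1.pdf.
PUBLISHED_DIGESTS = {
    "ESM_STIG_V1R1.pdf": {
        "sha1": "f0efbb8bbbf7458d166562827df5f617a8bbe9ac",
        "sha256": "de7a251dbe18099a6b26b8bf61f4aab62d0cdfe2f0c423f9bd853fcdf252bc76",
    },
}

CHUNK = 1 << 20  # read 1 MiB at a time so a large PDF never has to fit in memory


def digest_bytes(data: bytes, algorithms=("sha1", "sha256")) -> dict:
    """Return lowercase hex digests of an in-memory buffer, one per algorithm."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in algorithms}


def digest_file(path, algorithms=("sha1", "sha256")) -> dict:
    """Stream a file once and feed every requested hash from the same read loop."""
    hashers = {alg: hashlib.new(alg) for alg in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def check(actual: dict, expected: dict) -> dict:
    """Compare computed digests with expected ones; returns {algorithm: bool}.

    Expected values are normalised (whitespace stripped, lowercased) so a digest
    copied from a page that wrapped it across lines still matches. The comparison
    goes through hmac.compare_digest so its timing does not leak the first
    differing position. A missing algorithm counts as a failure, never a pass.
    """
    results = {}
    for alg, want in expected.items():
        want = "".join(want.split()).lower()
        got = actual.get(alg)
        results[alg] = got is not None and hmac.compare_digest(got, want)
    return results


def verify_package(path, expected: dict) -> bool:
    """True only when at least one digest was expected and every one of them matches."""
    results = check(digest_file(path, tuple(expected)), expected)
    return bool(results) and all(results.values())


if __name__ == "__main__":
    import sys

    # Assumed usage: python verify_esm_stig.py ESM_STIG_V1R1.pdf
    target = Path(sys.argv[1] if len(sys.argv) > 1 else "ESM_STIG_V1R1.pdf")
    expected = PUBLISHED_DIGESTS[target.name]
    for alg, ok in check(digest_file(target, tuple(expected)), expected).items():
        print(f"{alg:7s} {'OK' if ok else 'MISMATCH'}")
    sys.exit(0 if verify_package(target, expected) else 1)
```

Treat a SHA-1 match with a SHA-256 mismatch as a failure, not a partial success: `verify_package` does exactly that by requiring every listed digest to agree.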

Change History

v1 Release 0: 2004-10-29
v3 Release 1: 2006-06-05

Dependency/Requirement

Not available.

References

Government Publications:

Chairman of the Joint Chiefs of Staff (CJCS) Manual 6510.01, “Defense-in-Depth: Information Assurance (IA) and Computer Network Defense (CND),” 25 March 2003.

Committee on National Security Systems (CNSS) Instruction No. 4009, “National Information Assurance (IA) Glossary,” May 2003.

CNSS, “National Security Telecommunications and Information Systems Security Policy (NSTISSP) No. 11,” July 2003.

Department of Defense Directive 8500.1, “Information Assurance (IA),” 24 October 2002.

Department of Defense Instruction 5200.40, “DOD Information Technology Security Certification and Accreditation Process (DITSCAP),” 30 December 1997.

Department of Defense Instruction 8500.2, “Information Assurance (IA) Implementation,” 6 February 2003.

Department of Defense Instruction 8520.2, “Public Key Infrastructure (PKI) and Public Key (PK) Enabling,” 1 April 2004.

Department of Defense Instruction 8551.1, “Ports, Protocols, and Services Management (PPSM),” 13 August 2004.

Department of Defense Memorandum, “Department of Defense (DOD) Information Assurance Vulnerability Alert (IAVA),” 30 December 1999.

Department of Defense Memorandum, “Open Source Software (OSS) in the Department of Defense (DOD),” 28 May 2003.

Department of Defense Memorandum, “Policy Guidance for Use of Mobile Code Technologies in Department of Defense (DOD) Information Systems,” 7 November 2000.

Defense Information Systems Agency (DISA), “Database Security Technical Implementation Guide,” Version 6, Release 1, 7 July 2003.

DISA, “Enclave Security Technical Implementation Guide,” Version 2, Release 1, 1 July 2004.

DISA, “Network Infrastructure Security Technical Implementation Guide,” Version 5, Release 2, 29 September 2003.

DISA, “OS/390 Security Technical Implementation Guide,” Version 4, Release 1, 4 August 2003.

DISA, “UNIX Security Technical Implementation Guide,” Version 4, Release 4, 15 September 2003.

DISA, “Web Server Security Technical Implementation Guide,” Version 4, Release 1, 29 August 2003.

DISA, “Windows NT/2000/XP Addendum,” Version 4, Release 1, 26 February 2004.

National Security Agency, “Information Assurance Technical Framework (IATF),” Release 3.1, September 2002.

Vendor Publications:

IBM, “Tivoli Business Systems Manager Administrator’s Guide,” Version 2.1.1, with Fix Packs 1–10, GC32-0799-01.

IBM, “Tivoli Business Systems Manager Getting Started,” Version 2.1.1, with Fix Packs 1–10, GC32-0801-01.

IBM, “Tivoli Business Systems Manager Installation and Configuration Guide,” Version 2.1.1, re-released with Fix Packs 1–10, GC32-0800-02.

IBM, “Tivoli Business Systems Manager Release Notes,” Version 2.1.1, SC23-4841-01.

IBM, “Tivoli Enterprise Console Adapters Guide,” Version 3.9, SC32-1242-00.

IBM, “Tivoli Enterprise Console Command and Task Reference,” Version 3.9, SC32-1232-00.

IBM, “Tivoli Enterprise Console Installation Guide,” Version 3.9, SC32-1233-00.

IBM, “Tivoli Enterprise Console Release Notes,” Version 3.9, SC32-1238-00.

IBM, “Tivoli Enterprise Console Rule Developer’s Guide,” Version 3.9, SC32-1234-00.

IBM, “Tivoli Enterprise Console Rule Set Reference,” SC32-1282-00.

IBM, “Tivoli Enterprise Console User’s Guide,” Version 3.9, SC32-1235-00.

IBM, “Tivoli Monitoring for Business Integration Installation and Setup Guide,” Version 5.1.1, SC32-1402-00.

IBM, “Tivoli NetView for UNIX Release Notes,” Version 7.1.4, SC32-1239-00.

IBM, “Tivoli NetView for Windows Release Notes,” Version 7.1.4, SC32-1240-00.

Microsoft Corporation, “Microsoft Systems Management Server 2003 Concepts, Planning, and Deployment Guide.”

Microsoft Corporation, “Microsoft Systems Management Server 2003 Operations Guide.”

Microsoft Corporation, “Scenarios and Procedures for Microsoft Systems Management Server 2003: Security.”

Tivoli Systems, “Application Development Environment Release Notes,” Version 3.6.5, 8 January 2001.

Tivoli Systems, “Application Development with TME 10 ADE,” Version 3.6, September 1998.

Tivoli Systems, “Tivoli Enterprise Firewall Security Toolbox User’s Guide,” Version 1.3.1, GC23-4826-01.

Tivoli Systems, “Tivoli Enterprise Installation Guide,” Version 4.1.1, GC32-0804-01.

Tivoli Systems, “Tivoli Event Integration Facility Reference,” Version 3.9, SC32-1241-00.

Tivoli Systems, “Tivoli Inventory Release Notes Version 3.6.2,” December 1999.

Tivoli Systems, “Tivoli Management Framework, Version 4.1.1. Documentation Road Map,” November 2003, GI11-0891-01.

Tivoli Systems, “Tivoli Management Framework Maintenance and Troubleshooting Guide,” Version 4.1.1, GC32-0807-01.

Tivoli Systems, “Tivoli Management Framework Planning for Deployment Guide,” Version 4.1.1, GC32-0803-01.

Tivoli Systems, “Tivoli Management Framework Release Notes,” Version 4.1.1, GI11-0890-01.

Tivoli Systems, “Tivoli Management Framework User’s Guide,” Version 4.1.1, GC32-0805-01.

Tivoli Systems, “Tivoli Manager for MQSeries Revised February 14, 2003, Release Notes,” Version 2.4.0, GI10-3059-06.

Tivoli Systems, “Tivoli NetView for UNIX Administrator’s Guide,” Version 7.1, SC32-1246-00.

Tivoli Systems, “Tivoli NetView for Windows User’s Guide,” Version 7, Release 1.4, SC32-1245-00.

Tivoli Systems, “TME 10 ADE Application Services Manual, Volume I,” Version 3.6, September 1998.

Tivoli Systems, “TME 10 ADE Application Services Manual Volume II,” Version 3.6, September 1998.

Tivoli Systems, “TME 10 AEF User’s Guide,” Version 3.6, September 1998.

Tivoli Systems, “TME 10 AEF Release Notes,” Version 3.6, September 1998.

Tivoli Systems, “TME 10 Inventory User’s Guide Version 3.6,” September 1998.

Tivoli Systems, “TME 10 Software Distribution AutoPack User’s Guide Version 3.6,” September 1998.

Tivoli Systems, “TME 10 Software Distribution Release Notes Version 3.6,” September 1998.

Tivoli Systems, “TME 10 Software Distribution User’s Guide Version 3.6,” September 1998.

Other Publications:

International Telecommunication Union (ITU), “CCITT Recommendation X.700 (09/92), Management Framework for Open Systems Interconnection (OSI) for CCITT Applications.”

International Telecommunication Union (ITU), “ITU-T Recommendation M.3400 (02/2000), TMN Management Functions.”

Web Sites:

Carnegie Mellon Software Engineering Institute’s Software Technology Roadmap. http://www.sei.cmu.edu/str/

Distributed Management Task Force (DMTF). http://www.dmtf.org/

DOD Ports and Protocols Program. http://www.cert.mil/portsandprotocols/

IBM Tivoli Documentation. http://publib.boulder.ibm.com/tividd/td/tdprodlist.html

Information Assurance Support Environment. http://iase.disa.mil/

Information Assurance Technical Framework (IATF) Forum. http://www.iatf.net/

Internet Engineering Task Force (IETF). http://www.ietf.org/

Microsoft Security Bulletin Search. http://www.microsoft.com/technet/security/current.aspx

Microsoft SMS Home. http://www.microsoft.com/smserver/

Microsoft SMS 2003 Toolkit 1. http://www.microsoft.com/smserver/downloads/2003/tools/toolkit.asp

Microsoft TechNet: Systems Management Server. http://www.microsoft.com/technet/prodtechnol/sms/default.mspx

National Institute of Standards and Technology (NIST) Computer Security Resource Center (CSRC). http://csrc.nist.gov/pcig/cig.html

NIST Identifier

1064

NIST and the checklist submitter do not guarantee or warrant the checklist's accuracy or completeness. NIST is not responsible for loss, damage, or problems that may be caused by using the checklist.

Last updated: November 15, 2006
Page created: October 28, 2004
