
ECAN-1 Access for Need-to-Know


Overview

Access to all DoD information (classified, sensitive, and public) is determined by both its classification and user need-to-know. Need-to-know is established by the Information Owner and enforced by discretionary or role-based access controls. Access controls are established and enforced for all shared or networked file systems and internal websites, whether classified, sensitive, or unclassified. All internal classified, sensitive, and unclassified websites are organized to provide at least three distinct levels of access:
1. Open access to general information that is made available to all DoD authorized users with network access. Access does not require an audit transaction.
2. Controlled access to information that is made available to all DoD authorized users upon the presentation of an individual authenticator. Access is recorded in an audit transaction.

MAC / CONF: CLASSIFIED, SENSITIVE
Impact: High
Subject Area: Enclave Computing Environment

Details

Threat
Unauthorized access could be made to classified and sensitive information that must be protected from unauthorized disclosure, modification, or destruction. This implementation guide is intended to help web administrators and network administrators implement proper discretionary or role-based access controls, as well as user authenticators and audit trails, to prevent and detect unauthorized access to system data effectively.

Guidance
1. For the system that provides public information without restrictions, the web administrator shall implement the following for the external web server:
  a. Implement an external router between the external web server and the Internet to filter the traffic to the external web server.
  b. Configure the web server in accordance with the DISA Web Server STIG
  c. Configure the web server operating system in accordance with proper DISA STIGs (e.g., Windows, Unix)
  d. Provide only Read access to Public
  e. Disable the public access auditing feature to prevent system crash
  f. Restrict access to a limited number of people for web content management
2. For the system that provides classified and/or sensitive information to all DOD authorized users with network access, the web administrator shall implement the following for the internal web server:
  a. Implement internal firewalls, routers, and switches in accordance with DOD SIPRNET and NIPRNET Connection Approval Process
  b. Configure the internal web server in accordance with DISA Web Server STIG
  c. Configure the web server operating system (e.g., Windows, Unix) in accordance with proper DISA STIGs, which require DOD approved user ID and authenticators (e.g., password, token) prior to system access
  d. Configure the database containing classified and sensitive information made available to all DOD users in accordance with DISA Database STIG for role based access controls in the areas of table and column privileges and file permissions
  e. Configure the web application properly to prevent any direct access of users to the database
  f. Configure the audit features of the system components (e.g., operating system, database, and application) to capture security related activities (e.g., logon/logoff)
  g. Maintain and update a list of user accounts regularly to prevent unauthorized access
3. For the system that is available only to an authorized community of interest, the system/network administrator shall implement the following:
  a. Configure the system server operating system in accordance with proper DISA STIGs (e.g., Windows, Unix) or NSA security guides
  b. Assign user accounts and authenticators based on need to know in accordance with DOD and organization’s security policies
  c. Configure the system to request user ID and authenticator prior to system access
  d. Maintain and update a list of user accounts regularly in accordance with DOD personnel security program and organization’s guidance
  e. Configure the databases containing classified and/or sensitive information in accordance with the DISA Database STIGs, NSA database security guides, and vendor’s security administration guide to provide role based access controls in the areas of table and column privileges and file permissions
  f. Configure the auditing features of the operating system, database, and application to record security related events, to include logon/logoff and all failed access attempts
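
The access levels and audit requirements described above can be expressed as a single authorization check. The following is an added example, not code from the STIG or any DISA tool; the class names, the tier labels, the `community` need-to-know label and the sample users and pages are all hypothetical, and the third tier is modeled on Guidance item 3 (community of interest).

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Optional

class Level(Enum):
    OPEN = "open"              # general information; no audit transaction
    CONTROLLED = "controlled"  # individual authenticator; access is audited
    COMMUNITY = "community"    # authorized community of interest only

@dataclass(frozen=True)
class Resource:
    path: str
    level: Level
    community: Optional[str] = None  # hypothetical need-to-know label

@dataclass(frozen=True)
class User:
    user_id: str
    authenticated: bool = False
    communities: frozenset = frozenset()  # assigned by the Information Owner

def authorize(user, resource, audit_log):
    """Decide access and append an audit record where the control calls for one."""
    if resource.level is Level.OPEN:
        return True  # open tier: no audit transaction is written
    if not user.authenticated:
        allowed, reason = False, "no-authenticator"
    elif resource.level is Level.CONTROLLED:
        allowed, reason = True, "authenticated"
    elif resource.community is not None and resource.community in user.communities:
        allowed, reason = True, "need-to-know"
    else:
        allowed, reason = False, "no-need-to-know"
    audit_log.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user.user_id, "path": resource.path,
        "level": resource.level.value, "allowed": allowed, "reason": reason,
    })
    return allowed

def failed_attempts(audit_log):
    """Return (user, path, reason) for every denied request, for audit review."""
    return [(r["user"], r["path"], r["reason"]) for r in audit_log if not r["allowed"]]

# Constructed sample data, not taken from any real system.
PAGES = [Resource("/news", Level.OPEN), Resource("/directory", Level.CONTROLLED),
         Resource("/ops/plan", Level.COMMUNITY, community="ops")]
USERS = [User("guest"), User("alice", True, frozenset({"ops"})), User("bob", True)]

def run_sample():
    log = []
    decisions = {(u.user_id, p.path): authorize(u, p, log) for u in USERS for p in PAGES}
    return decisions, log
```

Denied requests are written to the same audit trail as granted ones, so `failed_attempts` can surface an authenticated user probing outside their need-to-know as well as unauthenticated requests.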

References

  • CJCSI - Information Assurance (IA) and Computer Network Defense (CND)
  • CJCSM 6510.01, Defense-in-Depth: Information Assurance (IA) and Computer Network Defense (CND), 10 August 2004
  • DISA Web Server STIG, 26 July 2004
  • DISA Windows NT Security Checklist, 10 December 2004
  • DISA Windows 2003 Security Checklist (draft), 10 December 2004
  • DISA Unix STIG, 15 September 2003
  • DISA UNISYS STIG, 22 July 2003
  • DISA Solaris Security Checklist, 20 January 2004
  • DOD Database STIG, 24 July 2004
  • DOD Web Site Administration Policy and Procedures, 11 January 2002
  • DOD OS/390 RACF Checklist, October 2004
  • DOD OS/390 ACF2 Checklist, October 2004
  • DOD OS/390 TSS Checklist, October 2004
  • NSA Microsoft SQL Server Guides, 02 October 2003
  • NSA Oracle Database Server Guides, 02 October 2003
  • NSA Secure Configuration of the Apache Web Server, Apache Server Version 1.3.3 on Red Hat Linux 5.1, 10 November 2003
  • NSA Guide to the Secure Configuration and Administration of the iPlanet Web Server, Enterprise Edition 4.1, 10 November 2003
  • NSA Guide to the Secure Configuration and Administration of Microsoft Internet Information Server 4.0, 10 November 2003
  • NIST SP 800-44, Guidelines on Securing Public Web Servers, September 2002
  • NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems, August 2002
  • Service/agency specific references/guidelines/manuals