Trend Micro Deep Security 9.x Security Technical Implementation Guide

  • Version/Release: V1R1
  • Published: 2016-02-26
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.
b
Trend Deep Security must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types.
AC-10 - Medium - CCI-000054 - V-65857 - SV-80347r1_rule
RMF Control
AC-10
Severity
Medium
CCI
CCI-000054
Version
TMDS-00-000005
Vuln IDs
  • V-65857
Rule IDs
  • SV-80347r1_rule
Application management includes the ability to control the number of users and user sessions that utilize an application. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to DoS attacks. This requirement may be met via the application or by utilizing information system session control provided by a web server with specialized session management capabilities. If it has been specified that this requirement will be handled by the application, the capability to limit the maximum number of concurrent single user sessions must be designed and built into the application. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system.
Checks: C-66505r1_chk

Review the Trend Deep Security server configuration to ensure the number of concurrent sessions is limited to one. In the administration console go to: System Settings >> Security >> Number of concurrent sessions allowed per User Review the policy to ensure no more than 1 session is permitted. If more than 1 session is permitted this is a finding.

Fix: F-71933r1_fix

Configure the Trend Deep Security server to limit the number of concurrent sessions to one. Set the current session limit to 1. Administration >> System Settings >> Security >> Number of concurrent sessions allowed per User >> 1

b
Trend Deep Security must initiate a session lock after a 15-minute period of inactivity.
AC-11 - Medium - CCI-000057 - V-65859 - SV-80349r1_rule
RMF Control
AC-11
Severity
Medium
CCI
CCI-000057
Version
TMDS-00-000010
Vuln IDs
  • V-65859
Rule IDs
  • SV-80349r1_rule
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system, but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their application session prior to vacating the vicinity, applications need to be able to identify when a user's application session has idled and take action to initiate the session lock. The session lock is implemented at the point where session activity can be determined and/or controlled. This is typically at the operating system-level and results in a system lock, but may be at the application-level where the application interface window is secured instead.
Checks: C-66507r1_chk

Review the Trend Deep Security server configuration to ensure a session lock is initiated after a 15-minute period of inactivity. Review the application System Settings, to ensure the system timeout is set to 15 minutes or less. If the timeout session is not set to 15 minutes or less this is a finding. Administration >> System Settings >> Security >> User Security >> Session Timeout: 10 Minutes

Fix: F-71935r1_fix

Configure the Trend Deep Security server to initiate a session lock after a 15-minute period of inactivity. Set the Session Timeout to 15 minutes or less. Administration >> Security >> User Security >> Session Timeout: 10 Minutes

b
Trend Deep Security must automatically audit account creation.
AC-2 - Medium - CCI-000018 - V-65861 - SV-80351r1_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-000018
Version
TMDS-00-000020
Vuln IDs
  • V-65861
Rule IDs
  • SV-80351r1_rule
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail documents the creation of application user accounts and, as required, notifies administrators and/or application owners exists. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms meeting or exceeding access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.
Checks: C-66509r1_chk

Review the Trend Deep Security server to ensure account creation is automatically audited. Verify "User Created" events is enabled by reviewing the following: Administration >> System Settings >> System Events >> Enable Event ID 650 User Created. Select: Record Select: Forward If "User Created" is not enabled this is a finding.

Fix: F-71937r1_fix

Configure the Trend Deep Security server to automatically audit account creation. Enable "User Created" events by selecting the following: Administration >> System Settings >> System Events >> Enable Event ID 650 User Created. Select: Record Select: Forward

b
Trend Deep Security must automatically audit account modification.
AC-2 - Medium - CCI-001403 - V-65863 - SV-80353r1_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-001403
Version
TMDS-00-000025
Vuln IDs
  • V-65863
Rule IDs
  • SV-80353r1_rule
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply modify an existing account. Auditing of account creation is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail documents the creation of application user accounts and, as required, notifies administrators and/or application owners exists. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms meeting or exceeding access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.
Checks: C-66511r1_chk

Review the Trend Deep Security server configuration to ensure account creation is automatically audited. Verify "User Updated" events is enabled by reviewing the following: Administration >> System Settings >> System Events >> Enable Event ID 652 User Updated. Select: Record Select: Forward If "User Updated" is not enabled this is a finding.

Fix: F-71939r1_fix

Configure the Trend Deep Security server to automatically audit account creation. Enable "User Updated" events by selecting the following: Administration >> System Settings >> System Events >> Enable Event ID 652 User Updated. Select: Record Select: Forward

b
Trend Deep Security must automatically audit account disabling actions.
AC-2 - Medium - CCI-001404 - V-65865 - SV-80355r1_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-001404
Version
TMDS-00-000030
Vuln IDs
  • V-65865
Rule IDs
  • SV-80355r1_rule
When application accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual application users or for identifying the application processes themselves. In order to detect and respond to events affecting user accessibility and application processing, applications must audit account disabling actions and, as required, notify the appropriate individuals, so they can investigate the event. Such a capability greatly reduces the risk that application accessibility will be negatively affected for extended periods of time and provides logging that can be used for forensic purposes. To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/audit mechanisms meeting or exceeding access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.
Checks: C-66513r1_chk

Review the Trend Deep Security server configuration to ensure account disabling actions are automatically audited. Verify "User Locked Out" events are enabled by reviewing the following: Administration >> System Settings >> System Events >> Enable Event ID 603 User Locked Out. Select: Record Select: Forward If "User Locked Out" is not enabled this is a finding.

Fix: F-71941r1_fix

Configure the Trend Deep Security server to automatically audit account disabling actions. Enable "User Locked Out" events by selecting the following: Administration >> System Settings >> System Events >> Enable Event ID 603 User Locked Out. Select: Record Select: Forward

b
Trend Deep Security must automatically audit account removal actions.
AC-2 - Medium - CCI-001405 - V-65867 - SV-80357r1_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-001405
Version
TMDS-00-000035
Vuln IDs
  • V-65867
Rule IDs
  • SV-80357r1_rule
When application accounts are removed, user accessibility is affected. Accounts are utilized for identifying individual application users or for identifying the application processes themselves. In order to detect and respond to events affecting user accessibility and application processing, applications must audit account removal actions and, as required, notify the appropriate individuals, so they can investigate the event. Such a capability greatly reduces the risk that application accessibility will be negatively affected for extended periods of time and provides logging that can be used for forensic purposes. To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/audit mechanisms meeting or exceeding access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.
Checks: C-66515r1_chk

Review the Trend Deep Security server configuration to ensure account removal actions are automatically audited. Verify "User Deleted" events are enabled by reviewing the following: Administration >> System Settings >> System Events >> Enable Event ID 651 User Deleted. Select: Record Select: Forward If "User Deleted" is not enabled this is a finding.

Fix: F-71943r1_fix

Configure the Trend Deep Security server to automatically audit account removal actions. Enable "User Deleted" events by selecting the following: Administration >> System Settings >> System Events >> Enable Event ID 651 User Deleted. Select: Record Select: Forward

b
Trend Deep Security must enforce approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies.
AC-4 - Medium - CCI-001368 - V-65869 - SV-80359r1_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-001368
Version
TMDS-00-000040
Vuln IDs
  • V-65869
Rule IDs
  • SV-80359r1_rule
A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If information flow is not enforced based on approved authorizations, the system may become compromised. Information flow control regulates where information is allowed to travel within a system and between interconnected systems. The flow of all system information must be monitored and controlled so it does not introduce any unacceptable risk to the systems or data. Application specific examples of enforcement occurs in systems that employ rule sets or establish configuration settings that restrict information system services, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Applications providing information flow control must be able to enforce approved authorizations for controlling the flow of information within the system in accordance with applicable policy.
Checks: C-66517r1_chk

Review the Trend Deep Security server configuration to ensure approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies are enforced. Interview the ISSO in order to identify all users with permissions to the application. The ISSO must identify each user along with their assigned role configured for the appropriate information systems allowed. Verify the information gathered against the application's, "Computer and Group Rights" for each "Role" created along with the users assigned. If the information gathered does not match the settings within the application this is a finding.

Fix: F-71945r1_fix

Configure the Trend Deep Security server configuration to enforce approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies. Use the Computer and Group Rights panel to confer viewing, editing, deleting, Alert-dismissal, and Event tagging rights to Users in a Role. These rights can apply to all computers and computer groups or they can be restricted to only certain computers. To restrict access, select the "Selected Computers" radio button and put a check next to the computer groups and computers that Users in this Role will have access to. Administration >> User Management >> Roles Select a Role and click Properties >> Computer Rights

b
Trend Deep Security must enforce approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies.
AC-4 - Medium - CCI-001414 - V-65871 - SV-80361r1_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-001414
Version
TMDS-00-000045
Vuln IDs
  • V-65871
Rule IDs
  • SV-80361r1_rule
A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If information flow is not enforced based on approved authorizations, the system may become compromised. Information flow control regulates where information is allowed to travel within a system and between interconnected systems. The flow of all application information must be monitored and controlled so it does not introduce any unacceptable risk to the systems or data. Application specific examples of enforcement occurs in systems that employ rule sets or establish configuration settings that restrict information system services, or provide a message filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Applications providing information flow control must be able to enforce approved authorizations for controlling the flow of information between interconnected systems in accordance with applicable policy.
Checks: C-66519r1_chk

Review the Trend Deep Security server to ensure approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies are enforced. Interview the ISSO in order to identify all users with permissions to the application. The ISSO must identify each user along with their assigned role configured for the appropriate information systems allowed. Verify the information gathered against the application's, "Computer and Group Rights" for each "Role" created along with the users assigned. If the information gathered does not match the settings within the application this is a finding.

Fix: F-71947r1_fix

Configure the Trend Deep Security server to enforce approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies. Use the Computer and Group Rights panel to confer viewing, editing, deleting, Alert-dismissal, and Event tagging rights to Users in a Role. These rights can apply to all computers and computer groups or they can be restricted to only certain computers. To restrict access, select the "Selected Computers" radio button and put a check next to the computer groups and computers that Users in this Role will have access to. Administration >> User Management >> Roles Select a Role and click Properties >> Computer Rights

b
Trend Deep Security must enforce the limit of three consecutive invalid logon attempts by a user during a 15 minute time period.
AC-7 - Medium - CCI-000044 - V-65873 - SV-80363r1_rule
RMF Control
AC-7
Severity
Medium
CCI
CCI-000044
Version
TMDS-00-000050
Vuln IDs
  • V-65873
Rule IDs
  • SV-80363r1_rule
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.
Checks: C-66521r1_chk

Review the Trend Deep Security server configuration to ensure the limit of three consecutive invalid logon attempts by a user during a 15-minute time period is enforced. Verify the number of failed logon attempts. Go to Administration >> System Settings >> Security >> User Security >> Number of incorrect sign-in attempts allowed (before lock out): 3 If the number is greater than 3 this is a finding.

Fix: F-71949r1_fix

Configure the Trend Deep Security server to enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. Configure the number of failed logon attempts to 3. Administration >> System Settings >> Security >> User Security >> Number of incorrect sign-in attempts allowed (before lock out): 3

b
Trend Deep Security must provide audit record generation capability for DoD-defined auditable events within all application components.
AU-12 - Medium - CCI-000169 - V-65875 - SV-80365r1_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000169
Version
TMDS-00-000060
Vuln IDs
  • V-65875
Rule IDs
  • SV-80365r1_rule
Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the application (e.g., process, module). Certain specific application functionalities may be audited as well. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. DoD has defined the list of events for which the application will provide an audit record generation capability as the following: (i) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); (ii) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; and (iii) All account creation, modification, disabling, and termination actions.
Checks: C-66523r1_chk

Review the Trend Deep Security server configuration to ensure audit record generation capability for DoD-defined auditable events within all application components is provided. Verify the Administration >> System Settings >> System Events, are set to “Record.” - capture successful and unsuccessful logon attempts, - privileged activities or other system level access, - starting and ending time for user access to the system - concurrent logons from different workstations - successful and unsuccessful accesses to objects - all program initiations, - all direct access to the information system, - all account creation, modification, disabling, and termination actions. If these settings are not set to “Record”, this is a finding.

Fix: F-71951r1_fix

Configure Trend Deep Security to provide audit record generation capability for DoD-defined auditable events within all application components. Go to Administration >> System Settings >> System Events, and set the following settings to “Record.” 160 Authentication Failed 600 User Signed In 601 User Signed Out 602 User Timed Out 603 User Locked Out 604 User Unlocked 608 User Session Validation Failed 609 User Made Invalid Request 610 User Session Validated 611 User Viewed Firewall Event 613 User Viewed Intrusion Prevention Event 615 User Viewed System Event 616 User Viewed Integrity Monitoring Event 617 User Viewed Log Inspection Event 618 User Viewed Quarantined File Detail 619 User Viewed Anti-Malware Event 620 User Viewed Web Reputation Event 621 User Signed In As Tenant 650 User Created 651 User Deleted 652 User Updated 653 User Password Set 660 Role Created 661 Role Deleted 662 Role Updated 702 Credentials Generated 703 Credential Generation Failed

b
Trend Deep Security must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
AU-12 - Medium - CCI-000171 - V-65877 - SV-80367r1_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000171
Version
TMDS-00-000065
Vuln IDs
  • V-65877
Rule IDs
  • SV-80367r1_rule
Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records.
Checks: C-66525r1_chk

Review the Trend Deep Security server to ensure only the ISSM (or individuals or roles appointed by the ISSM) is allowed to select which auditable events are to be audited. Verify the user roles and assigned permissions within the Administration >> User Management >> Roles >> Properties >> Other Rights. If a user role (e.g., Auditor) has any "View Only" for Alerts, Alert Configuration, Integrity Monitoring, and Log Inspection Rules, this is a finding.

Fix: F-71953r1_fix

Configure the Trend Deep Security server to only allow the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited. Configure the assigned permissions for user roles within the Administration >> User Management >> Roles >> Properties >> Other Rights. Set the following to "View Only" Alerts Alert Configuration Integrity Monitoring Log Inspection Rule

b
Trend Deep Security must generate audit records when successful/unsuccessful attempts to access privileges occur.
AU-12 - Medium - CCI-000172 - V-65879 - SV-80369r1_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
TMDS-00-000070
Vuln IDs
  • V-65879
Rule IDs
  • SV-80369r1_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Checks: C-66527r1_chk

Review the Trend Deep Security server configuration to ensure only the ISSM (or individuals or roles appointed by the ISSM) is allowed to select which auditable events are to be audited. Verify the following events within the Administration >> System Settings >> System Events, are set to “Record.” 660 Role Created 661 Role Deleted 662 Role Updated 663 Roles Imported 664 Roles Exported If these settings are not set to “Record”, this is a finding.

Fix: F-71955r1_fix

Configure the Trend Deep Security server to generate audit records when successful/unsuccessful attempts to access privileges occur. Go to Administration >> System Settings >> System Events, and set the following settings to “Record.” 660 Role Created 661 Role Deleted 662 Role Updated 663 Roles Imported 664 Roles Exported

b
Trend Deep Security must initiate session auditing upon startup.
AU-14 - Medium - CCI-001464 - V-65881 - SV-80371r1_rule
RMF Control
AU-14
Severity
Medium
CCI
CCI-001464
Version
TMDS-00-000075
Vuln IDs
  • V-65881
Rule IDs
  • SV-80371r1_rule
If auditing is enabled late in the startup process, the actions of some start-up processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created.
Checks: C-66529r1_chk

Review the Trend Deep Security server to ensure session auditing upon startup is initiated. Verify the following events within the Administration >> System Settings >> System Events, are set to “Record.” 600 User Signed In 601 User Signed Out 602 User Timed Out 603 User Locked Out 608 User Session Validation Failed 610 User Session Validated If these settings are not set to “Record”, this is a finding.

Fix: F-71957r1_fix

Configure the Trend Deep Security server to initiate session auditing upon startup. Go to Administration >> System Settings >> System Events, and set the following settings to “Record.” 600 User Signed In 601 User Signed Out 602 User Timed Out 603 User Locked Out 608 User Session Validation Failed 610 User Session Validated

b
Trend Deep Security must provide the capability for authorized users to capture, record, and log all content related to a user session.
AU-14 - Medium - CCI-001462 - V-65883 - SV-80373r1_rule
RMF Control
AU-14
Severity
Medium
CCI
CCI-001462
Version
TMDS-00-000080
Vuln IDs
  • V-65883
Rule IDs
  • SV-80373r1_rule
Without the capability to capture, record, and log all content related to a user session, investigations into suspicious user activity would be hampered. This requirement does not apply to applications that do not have a concept of a user session (e.g., calculator).
Checks: C-66531r1_chk

Review the Trend Deep Security server configuration to ensure the capability for authorized users to capture, record, and log all content related to a user session is provided. Verify the following events within the Administration >> System Settings >> System Events, are set to “Record.” 600 User Signed In 601 User Signed Out 602 User Timed Out 603 User Locked Out 608 User Session Validation Failed 610 User Session Validated If these settings are not set to “Record”, this is a finding.

Fix: F-71959r1_fix

Configure the Trend Deep Security server to provide the capability for authorized users to capture, record, and log all content related to a user session. Go to Administration >> System Settings >> System Events, and set the following settings to “Record.” 600 User Signed In 601 User Signed Out 602 User Timed Out 603 User Locked Out 608 User Session Validation Failed 610 User Session Validated

b
Trend Deep Security must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.
AU-5 - Medium - CCI-000139 - V-65885 - SV-80375r1_rule
RMF Control
AU-5
Severity
Medium
CCI
CCI-000139
Version
TMDS-00-000085
Vuln IDs
  • V-65885
Rule IDs
  • SV-80375r1_rule
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.
Checks: C-66533r1_chk

Review the Trend Deep Security server configuration to ensure the ISSO and SA (at a minimum) are alerted in the event of an audit processing failure. Verify any audit processing failure events within Administration >> System Settings >> System Events, are set to “Forward” If these settings are not set to “Forward”, this is a finding.

Fix: F-71961r1_fix

Configure the Trend Deep Security server to alert the ISSO and SA (at a minimum) in the event of an audit processing failure. Go to Administration >> System Settings >> System Events, and set the following settings to “Forward.” 0 Unknown Error 266 Warnings/Errors Cleared 609 User Made Invalid Request 740 Agent/Appliance Error 801 Error Dismissed 913 Automatic Diagnostic Package Error 923 Usage Information Package Error 997 Tagging Error 998 System Event Notification Error 999 Internal Software Error 1677 Trusted Platform Module Error

b
Trend Deep Security must protect audit information from any type of unauthorized read access.
AU-9 - Medium - CCI-000162 - V-65887 - SV-80377r1_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
TMDS-00-000090
Vuln IDs
  • V-65887
Rule IDs
  • SV-80377r1_rule
If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult if not impossible to achieve. In addition, access to audit records provides information an attacker could potentially use to his or her advantage. To ensure the veracity of audit data, the information system and/or the application must protect audit information from any and all unauthorized access. This includes read, write, and copy access. This requirement can be achieved through multiple methods which will depend upon system architecture and design. Commonly employed methods for protecting audit information include least privilege permissions as well as restricting the location and number of log file repositories. Additionally, applications with user interfaces to audit records should not allow for the unfettered manipulation of or access to those records via the application. If the application provides access to the audit data, the application becomes accountable for ensuring audit information is protected from unauthorized access. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.
Checks: C-66535r1_chk

Review the Trend Deep Security server configuration to ensure audit information from any type of unauthorized read access is protected. Interview the ISSO in order to identify all users and their permissions to the audit records. The ISSO must identify each user along with their assigned role configured for the appropriate information systems allowed. Verify the information gathered against the application's, "Computer and Group Rights" for each "Role" created along with the users assigned. If the information gathered does not match the settings within the application this is a finding.

Fix: F-71963r1_fix

Configure the Trend Deep Security server to protect audit information from any type of unauthorized read access. Edit the audit permission according the local policy by modifying the roles under: Administration >> User Management >> Roles Select the applicable role. Click "Computer Rights" to modify user permissions. Next select “Other Rights” and modify accordingly.

b
Trend Deep Security must protect audit information from unauthorized modification.
AU-9 - Medium - CCI-000163 - V-65889 - SV-80379r1_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000163
Version
TMDS-00-000095
Vuln IDs
  • V-65889
Rule IDs
  • SV-80379r1_rule
If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit data, the information system and/or the application must protect audit information from unauthorized modification. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include ensuring log files receive the proper file system permissions, and limiting log data locations. Applications providing a user interface to audit data will leverage user permissions and roles identifying the user accessing the data and the corresponding rights that the user enjoys in order to make access decisions regarding the modification of audit data. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.
Checks: C-66537r1_chk

Review the Trend Deep Security server configuration to ensure audit information is protected from unauthorized modification. Interview the ISSO in order to identify all users and their permissions to the audit records. The ISSO must identify each user along with their assigned role configured for the appropriate information systems allowed. Verify the information gathered against the application's, "Computer and Group Rights" for each "Role" created along with the users assigned. If the information gathered does not match the settings within the application this is a finding.

Fix: F-71965r1_fix

Configure the Trend Deep Security server to protect audit information from unauthorized modification. Edit the audit permission according the local policy by modifying the roles under: Administration >> User Management >> Roles Select the applicable role. Click "Computer Rights" to modify user permissions. Next select “Other Rights” and modify accordingly.

b
Trend Deep Security must protect audit information from unauthorized deletion.
AU-9 - Medium - CCI-000164 - V-65891 - SV-80381r1_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000164
Version
TMDS-00-000100
Vuln IDs
  • V-65891
Rule IDs
  • SV-80381r1_rule
If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit data, the information system and/or the application must protect audit information from unauthorized deletion. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include: ensuring log files receive the proper file system permissions utilizing file system protections, restricting access, and backing up log data to ensure log data is retained. Applications providing a user interface to audit data will leverage user permissions and roles identifying the user accessing the data and the corresponding rights the user enjoys in order make access decisions regarding the deletion of audit data. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Audit information may include data from other applications or be included with the audit application itself.
Checks: C-66539r1_chk

Review the Trend Deep Security server configuration to ensure audit information is protected from unauthorized deletion. Interview the ISSO in order to identify all users and their permissions to the audit records. The ISSO must identify each user along with their assigned role configured for the appropriate information systems allowed. Verify the information gathered against the application's, "Computer and Group Rights" for each "Role" created along with the users assigned. If the information gathered does not match the settings within the application this is a finding.

Fix: F-71967r1_fix

Configure the Trend Deep Security server to protect audit information from unauthorized deletion. Edit the audit permission according the local policy by modifying the roles under: Administration >> User Management >> Roles Select the applicable role. Click "Computer Rights" to modify user permissions. Next select “Other Rights” and modify accordingly.

b
Trend Deep Security must protect audit tools from unauthorized access.
AU-9 - Medium - CCI-001493 - V-65893 - SV-80383r1_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-001493
Version
TMDS-00-000105
Vuln IDs
  • V-65893
Rule IDs
  • SV-80383r1_rule
Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data. Applications providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.
Checks: C-66541r1_chk

Review the Trend Deep Security server configuration to ensure audit tools are protected from unauthorized access. Interview the ISSO in order to identify all users and their permissions to the audit records. The ISSO must identify each user along with their assigned role configured for the appropriate information systems allowed. Verify the information gathered against the application's, "Computer and Group Rights" for each "Role" created along with the users assigned. If the information gathered does not match the settings within the application this is a finding.

Fix: F-71969r1_fix

Configure the Trend Deep Security server to protect audit tools from unauthorized access. Edit the audit permission according the local policy by modifying the roles under: Administration >> User Management >> Roles Select the applicable role. Click "Computer Rights" to modify user permissions. Next select “Other Rights” and modify accordingly.

b
Trend Deep Security must protect audit tools from unauthorized modification.
AU-9 - Medium - CCI-001494 - V-65895 - SV-80385r1_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-001494
Version
TMDS-00-000110
Vuln IDs
  • V-65895
Rule IDs
  • SV-80385r1_rule
Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data. Applications providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order make access decisions regarding the modification of audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.
Checks: C-66543r1_chk

Review the Trend Deep Security server to ensure audit tools are protected from unauthorized modification. Interview the ISSO in order to identify all users and their permissions to the audit records. The ISSO must identify each user along with their assigned role configured for the appropriate information systems allowed. Verify the information gathered against the application's, "Computer and Group Rights" for each "Role" created along with the users assigned. If the information gathered does not match the settings within the application this is a finding.

Fix: F-71971r1_fix

Configure the Trend Deep Security server to protect audit tools from unauthorized modification. Edit the audit permission according the local policy by modifying the roles under: Administration >> User Management >> Roles Select the applicable role. Click "Computer Rights" to modify user permissions. Next select “Other Rights” and modify accordingly.

b
Trend Deep Security must protect audit tools from unauthorized deletion.
AU-9 - Medium - CCI-001495 - V-65897 - SV-80387r1_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-001495
Version
TMDS-00-000115
Vuln IDs
  • V-65897
Rule IDs
  • SV-80387r1_rule
Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data. Applications providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order make access decisions regarding the deletion of audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.
Checks: C-66545r1_chk

Review the Trend Deep Security server configuration to ensure audit tools are protected from unauthorized deletion. Interview the ISSO in order to identify all users and their permissions to the audit records. The ISSO must identify each user along with their assigned role configured for the appropriate information systems allowed. Verify the information gathered against the application's, "Computer and Group Rights" for each "Role" created along with the users assigned. If the information gathered does not match the settings within the application this is a finding.

Fix: F-71973r1_fix

Configure the Trend Deep Security server to protect audit tools from unauthorized deletion. Edit the audit permission according the local policy by modifying the roles under: Administration >> User Management >> Roles Select the applicable role. Click "Computer Rights" to modify user permissions. Next select “Other Rights” and modify accordingly.

b
Trend Deep Security must back up audit records at least every seven days onto a different system or system component than the system or component being audited.
AU-9 - Medium - CCI-001348 - V-65899 - SV-80389r1_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-001348
Version
TMDS-00-000120
Vuln IDs
  • V-65899
Rule IDs
  • SV-80389r1_rule
Protection of log data includes assuring log data is not accidentally lost or deleted. Backing up audit records to a different system or onto separate media than the system being audited on an organizationally defined frequency helps to assure in the event of a catastrophic system failure, the audit records will be retained. This helps to ensure a compromise of the information system being audited does not also result in a compromise of the audit records. This requirement only applies to applications that have a native backup capability for audit records. Operating system backup requirements cover applications that do not provide native backup functions.
Checks: C-66547r1_chk

Review the Trend Deep Security server configuration to ensure audit records are backed up at least every seven days onto a different system or system component than the system or component being audited. Verify the application backup frequency by reviewing the configuration settings in Administration >> System Settings >> SIEM If the "Forward System Events to a remote computer (via Syslog)" is not enabled with the proper configuration settings, this is a finding.

Fix: F-71975r2_fix

Configure the Trend Deep Security server to back up audit records at least every seven days onto a different system or system component than the system or component being audited. Configure the application to forward audit records to a log management tool for backup and storage. Go to Administration >> System Settings >> SIEM Enable "Forward System Events to a remote computer (via Syslog)" Configure the following: Hostname or IP address to which events should be sent UDP port to which events should be sent Syslog Facility Syslog Format

c
Trend Deep Security must use cryptographic mechanisms to protect the integrity of audit information.
AU-9 - High - CCI-001350 - V-65901 - SV-80391r1_rule
RMF Control
AU-9
Severity
High
CCI
CCI-001350
Version
TMDS-00-000125
Vuln IDs
  • V-65901
Rule IDs
  • SV-80391r1_rule
Audit records may be tampered with; if the integrity of audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. Protection of audit records and audit data is of critical importance. Cryptographic mechanisms are the industry established standard used to protect the integrity of audit data. An example of a cryptographic mechanism is the computation and application of a cryptographic-signed hash using asymmetric cryptography. This requirement applies to applications that generate or process audit records.
Checks: C-66549r1_chk

Review the Trend Deep Security server configuration to ensure cryptographic mechanisms are used to protect the integrity of audit information. Verify PDF encryption is enabled for report generation. Go to Administration >> User Management >> Users >> Right-click an administrative user account and select "Properties". Within the "Settings" tab select "Enable PDF Encryption". If "Enable PDF Encryption" is not enabled, this is a finding.

Fix: F-71977r1_fix

Configure the Trend Deep Security server to use cryptographic mechanisms to protect the integrity of audit information. Enabled encryption for report generation. Go to Administration >> User Management >> Users >> Right-click an administrative user account and select "Properties". Within the "Settings" tab select "Enable PDF Encryption" and enter a password.

b
Trend Deep Security must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
CM-7 - Medium - CCI-000382 - V-65903 - SV-80393r1_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
TMDS-00-000130
Vuln IDs
  • V-65903
Rule IDs
  • SV-80393r1_rule
In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. Applications are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., email and web services; however, doing so increases risk over limiting the services provided by any one component. To support the requirements and principles of least functionality, the application must support the organizational requirements providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues.
Checks: C-66551r3_chk

Review the Trend Deep Security server to ensure the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments, are prohibited or restricted. Review the firewall policy for approved ports, protocols and services associated within a defined group or a selected computer by selecting Computers, on the top menu bar. Choose the appropriate group and within the main page, select a computer for review. Double-click the selected computer and click "Firewall". Verify the following settings are enabled: Configuration: Inherit or On State: Activated Firewall Stateful Configurations: Inherited (If managed through a group policy) Assigned Firewall Rules: (are configured in accordance with local security policy) If the options identified are not set or configured in accordance with local policy, this is a finding.

Fix: F-71979r2_fix

Configure the Trend Deep Security server to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. From the top menu select Policies >> New >> New Policy. Enter a Name for the new policy; In Inherit from, select “None”. Click “Next” and Select “Yes”. Choose the applicable computers that will inherit this policy, and click “Next”. Ensure all options are selected from the “Select which Computer properties to base new Policy on:” window, and click “Next”. Click “Finish”.

b
Trend Deep Security must scan all media used for system maintenance prior to use.
MA-3 - Medium - CCI-000870 - V-65905 - SV-80395r1_rule
RMF Control
MA-3
Severity
Medium
CCI
CCI-000870
Version
TMDS-00-000055
Vuln IDs
  • V-65905
Rule IDs
  • SV-80395r1_rule
There are security-related issues arising from software brought into the information system specifically for diagnostic and repair actions (e.g., a software packet sniffer installed on a system in order to troubleshoot system traffic, or a vendor installing or running a diagnostic application in order to troubleshoot an issue with a vendor supported system). If, upon inspection of media containing maintenance diagnostic and test programs, organizations determine that the media contain malicious code, the incident is handled consistent with organizational incident handling policies and procedures. This requirement addresses security-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. Maintenance tools can include hardware, software, and firmware items. Maintenance tools are potential vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and subsequently into organizational information systems. Maintenance tools can include, for example, hardware/software diagnostic test equipment and hardware/software packet sniffers. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system (e.g., the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch).
Checks: C-66553r1_chk

Review the Trend Deep Security server to ensure all media used for system maintenance is scanned prior to use. Verify Anti-Malware is enabled on each server that is applicable to the accreditation boundary. Go to Computers. Right-click a computer from the list of systems, select properties Anti-Malware >> General Verify Configuration is set to "On" or "Inherit On". If Verify Configuration is set to "Off", this is a finding.

Fix: F-71981r1_fix

Configure the Trend Deep Security server to scan all media used for system maintenance prior to use. The scope of Malware Scans can be controlled by editing the Malware Scan Configuration that is in effect on a computer. The Malware Scan Configuration determines which files and directories are included or excluded during a scan and which actions are taken if malware is detected on a computer (for example, clean, quarantine, or delete). There are two types of Malware Scan Configurations: - Manual/Scheduled Scan Configurations - Real-Time Scan Configurations To enable Anti-Malware functionality on a computer: Go to Computers. Right-click a computer from the list of systems, select properties Anti-Malware >> General Set Configuration to "On" or "Inherit On".

b
Trend Deep Security must provide automated mechanisms for supporting account management functions.
AC-2 - Medium - CCI-000015 - V-65907 - SV-80397r1_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-000015
Version
TMDS-00-000015
Vuln IDs
  • V-65907
Rule IDs
  • SV-80397r1_rule
Enterprise environments make application account management challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other error. A comprehensive application account management process that includes automation helps to ensure accounts designated as requiring attention are consistently and promptly addressed. Examples include, but are not limited to, using automation to take action on multiple accounts designated as inactive, suspended or terminated or by disabling accounts located in non-centralized account stores such as multiple servers. This requirement applies to all account types, including individual/user, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. The application must be configured to automatically provide account management functions and these functions must immediately enforce the organization's current account policy. The automated mechanisms may reside within the application itself or may be offered by the operating system or other infrastructure providing automated account management capabilities. Automated mechanisms may be comprised of differing technologies that when placed together contain an overall automated mechanism supporting an organization's automated account management requirements. Account management functions include: assignment of group or role membership; identifying account type; specifying user access authorizations (i.e., privileges); account removal, update, or termination; and administrative alerts. The use of automated mechanisms can include, for example: using email or text messaging to automatically notify account managers when users are terminated or transferred; using the information system to monitor account usage; and using automated telephonic notification to report atypical system account usage.
Checks: C-66555r1_chk

Review the Trend Deep Security server configuration to ensure automated mechanisms for supporting account management functions are automated. Interview the ISSO to determine a list of authorized users and their perspective roles supporting the application. Review the identified users within the following: Administration >> User Management >> Users >> Assign Role If the identified users do not match the roles assigned within the application this is a finding.

Fix: F-71983r1_fix

Configure the Trend Deep Security server to provide automated mechanisms for supporting account management functions. Configure the user permissions according to their assigned roles within the organization. Administration >> User Management >> Users >> Assign Role

b
Trend Deep Security must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
IA-2 - Medium - CCI-000764 - V-65909 - SV-80399r1_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000764
Version
TMDS-00-000135
Vuln IDs
  • V-65909
Rule IDs
  • SV-80399r1_rule
To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and any processes acting on behalf of users) must be uniquely identified and authenticated for all accesses, except the following. (i) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and (ii) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity.
Checks: C-66557r1_chk

Review the Trend Deep Security server configuration to ensure organizational users (or processes acting on behalf of organizational users) are uniquely identified and authenticated. Verify the user accounts under Administration >> User Management >> Users If the accounts configured do not uniquely specify the organizational user's affiliation, this is a finding.

Fix: F-71985r1_fix

Configure the Trend Deep Security server to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). Configure the appropriate affiliation display for the specified user under Administration >> User Management >> Users Right click the user account. Click "Properties" and Select “User Name”. Enter the appropriate user identifiers.

c
Trend Deep Security must ensure users are authenticated with an individual authenticator prior to using a group authenticator.
IA-2 - High - CCI-000770 - V-65913 - SV-80403r1_rule
RMF Control
IA-2
Severity
High
CCI
CCI-000770
Version
TMDS-00-006030
Vuln IDs
  • V-65913
Rule IDs
  • SV-80403r1_rule
To assure individual accountability and prevent unauthorized access, application users must be individually identified and authenticated. Individual accountability mandates that each user is uniquely identified. A group authenticator is a shared account or some other form of authentication that allows multiple unique individuals to access the application using a single account. If an application allows or provides for group authenticators, it must first individually authenticate users prior to implementing group authenticator functionality. Some applications may not have the need to provide a group authenticator; this is considered a matter of application design. In those instances where the application design includes the use of a group authenticator, this requirement will apply. There may also be instances when specific user actions need to be performed on the information system without unique user identification or authentication. An example of this type of access is a web server which contains publicly releasable information.
Checks: C-66561r2_chk

Review the Trend Deep Security server to ensure users are authenticated with an individual authenticator prior to using a group authenticator. Review the settings to ensure identify management is being performed through the organizations Active Directory. Navigate to Administration >> User Management >> Users and click "Synchronize with Directory". Select "Re-Synchronize (Using previous settings)", and click "Next". If the synchronization fails, this is a finding.

Fix: F-71989r3_fix

Configure the Trend Deep Security server to authenticate users with an individual authenticator prior to using a group authenticator. Navigate to Administration >> User Management >> Users and click "Synchronize with Directory". Under Server, enter the following information: Server Address (IP of the AD Server) Access Method (UserID/Password StartTLS) UserName (Authorized, site-defined, service account used for synchronizing with Trend Deep Security) Password Click "Next". Select the authorized AD group used for managing the Trend Deep Security accounts, and Click "Next". Under "New User" Options, select the appropriate Role, click "Next". Click "Finish".

b
Trend Deep Security must enforce a minimum 15-character password length.
IA-5 - Medium - CCI-000205 - V-65915 - SV-80405r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000205
Version
TMDS-00-000140
Vuln IDs
  • V-65915
Rule IDs
  • SV-80405r1_rule
The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.
Checks: C-66563r1_chk

Review the Trend Deep Security server configuration to ensure a minimum 15-character password length is enforced. Verify the policy value for minimum password length. If the value for “User password minimum length” under the Administration >> System Settings >> Security tab is not set to 15, this is a finding.

Fix: F-71991r1_fix

Configure the Trend Deep Security server to enforce a minimum 15-character password length. Configure the policy value for minimum password length. Under the Administration >> System Settings >> Security tab, set the value for “User password minimum length” to 15.

b
Trend Deep Security must enforce password complexity by requiring that at least one upper-case character be used.
IA-5 - Medium - CCI-000192 - V-65917 - SV-80407r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000192
Version
TMDS-00-000145
Vuln IDs
  • V-65917
Rule IDs
  • SV-80407r1_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised.
Checks: C-66565r1_chk

Review the Trend Deep Security server configuration to ensure password complexity is enforced by requiring that at least one upper-case character be used. Verify the values for password complexity. If the "User password requires both upper-and lower-case characters" value for password complexity under the Administration >> System Settings >> Security tab has not been set, this is a finding.

Fix: F-71993r1_fix

Configure the Trend Deep Security server to enforce password complexity by requiring that at least one uppercase character be used. Enable the checkbox for the "User password requires both upper-and lower-case characters" policy value for password complexity under the Administration >> System Settings >> Security tab.

b
Trend Deep Security must enforce password complexity by requiring that at least one numeric character be used.
IA-5 - Medium - CCI-000194 - V-65919 - SV-80409r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000194
Version
TMDS-00-000155
Vuln IDs
  • V-65919
Rule IDs
  • SV-80409r1_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
Checks: C-66567r1_chk

Review the Trend Deep Security server configuration to ensure password complexity is enforced by requiring that at least one numeric character be used. Verify the values for password complexity. If the "User password requires both letters and numbers" value for password complexity under the Administration >> System Settings >> Security tab has not been set, this is a finding.

Fix: F-71995r1_fix

Configure the Trend Deep Security server to enforce password complexity by requiring that at least one numeric character be used. Enable the checkbox for the "User password requires both letters and numbers" policy value for password complexity under the Administration >> System Settings >> Security tab.

b
Trend Deep Security must enforce password complexity by requiring that at least one special character be used.
IA-5 - Medium - CCI-001619 - V-65921 - SV-80411r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-001619
Version
TMDS-00-000160
Vuln IDs
  • V-65921
Rule IDs
  • SV-80411r1_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor in determining how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Special characters are those characters that are not alphanumeric. Examples include: ~ ! @ # $ % ^ *.
Checks: C-66569r1_chk

Review the Trend Deep Security server configuration to ensure password complexity is enforced by requiring that at least one special character be used. Verify the values for password complexity. If the "User password requires non-alphanumeric characters" value for password complexity under the Administration >> System Settings >> Security tab has not been set, this is a finding.

Fix: F-71997r1_fix

Configure the Trend Deep Security server to enforce password complexity by requiring that at least one special character be used. Enable the checkbox for the "User password requires non-alphanumeric characters" policy value for password complexity under the Administration >> System Settings >> Security tab.

b
Trend Deep Security must enforce a 60-day maximum password lifetime restriction.
IA-5 - Medium - CCI-000199 - V-65925 - SV-80415r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000199
Version
TMDS-00-000165
Vuln IDs
  • V-65925
Rule IDs
  • SV-80415r1_rule
Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed at specific intervals. One method of minimizing this risk is to use complex passwords and periodically change them. If the application does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the system and/or application passwords could be compromised. This requirement does not include emergency administration accounts which are meant for access to the application in case of failure. These accounts are not required to have maximum password lifetime restrictions.
Checks: C-66573r1_chk

Review the Trend Deep Security server configuration to ensure a 60 day maximum password lifetime restriction is enforced. Verify the policy value for minimum password length. If the value for “User password expires” under the Administration >> System Settings >> Security tab is not set to 60 Days, this is a finding.

Fix: F-72001r1_fix

Configure the Trend Deep Security server to enforce a 60 day maximum password lifetime restriction. Configure the policy value for maximum password lifetime. Under the Administration >> System Settings >> Security tab, set the value for “User password expires” to 60.

b
Trend Deep Security must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
IA-8 - Medium - CCI-000804 - V-65927 - SV-80417r1_rule
RMF Control
IA-8
Severity
Medium
CCI
CCI-000804
Version
TMDS-00-000170
Vuln IDs
  • V-65927
Rule IDs
  • SV-80417r1_rule
Lack of authentication and identification enables non-organizational users to gain access to the application or possibly other information systems and provides an opportunity for intruders to compromise resources within the application or information system. Non-organizational users include all information system users other than organizational users which include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors and guest researchers). Non-organizational users must be uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization when related to the use of anonymous access, such as accessing a web server.
Checks: C-66575r1_chk

Review the Trend Deep Security server configuration to ensure non-organizational users (or processes acting on behalf of non-organizational users) are uniquely identified and authenticated. Verify the user accounts under Administration >> User Management >> Users If the accounts configured do not uniquely specify the organizational user's affiliation, this is a finding.

Fix: F-72003r1_fix

Configure the Trend Deep Security server to uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users). To help prevent inadvertent disclosure of controlled information, all contractors are identified by the inclusion of the abbreviation "ctr" and all foreign nationals are identified by the inclusion of their two character country code. See ECAD-1 Affiliation Display Configure the appropriate affiliation display for the specified user under Administration >> User Management >> Users Right click the user account. Click "Properties" and Select “User Name”. Enter the appropriate user identifiers.

b
Trend Deep Security must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity; and for user sessions (non-privileged session), the session must be terminated after 15 minutes of inactivity, except to fulfill documented and validated mission requirements.
SC-10 - Medium - CCI-001133 - V-65929 - SV-80419r1_rule
RMF Control
SC-10
Severity
Medium
CCI
CCI-001133
Version
TMDS-00-000175
Vuln IDs
  • V-65929
Rule IDs
  • SV-80419r1_rule
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system level network connection. This does not mean that the application terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.
Checks: C-66577r1_chk

Review the Trend Deep Security server configuration to ensure all network connections associated with a communications session are terminated at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity; and for user sessions (non-privileged session), the session must be terminated after 15 minutes of inactivity, except to fulfill documented and validated mission requirements. If the value for user session termination under the Administration >> System Settings >> Security >> Session timeout, is not set to 10 minutes, this is a finding.

Fix: F-72005r1_fix

Configure the Trend Deep Security server to terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity; and for user sessions (non-privileged session), the session must be terminated after 15 minutes of inactivity, except to fulfill documented and validated mission requirements. Configure the policy value for session timeout. Under the Administration >> System Settings >> Security, set the value for “Session timeout” to 10 minutes.

b
Trend Deep Security must isolate security functions from non-security functions.
SC-3 - Medium - CCI-001084 - V-65931 - SV-80421r1_rule
RMF Control
SC-3
Severity
Medium
CCI
CCI-001084
Version
TMDS-00-000180
Vuln IDs
  • V-65931
Rule IDs
  • SV-80421r1_rule
An isolation boundary provides access control and protects the integrity of the hardware, software, and firmware that perform security functions. Security functions are the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Developers and implementers can increase the assurance in security functions by employing well-defined security policy models; structured, disciplined, and rigorous hardware and software development techniques; and sound system/security engineering principles. Implementation may include isolation of memory space and libraries. Applications restrict access to security functions through the use of access control mechanisms and by implementing least privilege capabilities.
Checks: C-66579r1_chk

Review the Trend Deep Security server configuration to ensure security functions are isolated from non-security functions. In order to restrict access to security functions through the use of access control mechanisms, least privilege capabilities must be enforced within the Deep Security, “User management” settings. If role-based access controls are not enforced within the Administration >> User management >> Roles, this is a finding.

Fix: F-72007r1_fix

Configure the Trend Deep Security server to isolate security functions from non-security functions. Configure role-based access controls for least privileged accounts within the Administration >> User management >> Roles.

b
Trend Deep Security must restrict the ability of individuals to use information systems to launch organization-defined Denial of Service (DoS) attacks against other information systems.
SC-5 - Medium - CCI-001094 - V-65933 - SV-80423r1_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-001094
Version
TMDS-00-000185
Vuln IDs
  • V-65933
Rule IDs
  • SV-80423r1_rule
DoS is a condition where a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Individuals of concern can include hostile insiders or external adversaries that have successfully breached the information system and are using the system as a platform to launch cyber attacks on third parties. Applications and application developers must take the steps needed to ensure users cannot use an authorized application to launch DoS attacks against other systems and networks. For example, applications may include mechanisms that throttle network traffic so users are not able to generate unlimited network traffic via the application. Limiting system resources that are allocated to any user to a bare minimum may also reduce the ability of users to launch some DoS attacks. The methods employed to counter this risk will be dependent upon the application layer methods that can be used to exploit it.
Checks: C-66581r1_chk

Review the Trend Deep Security server configuration to ensure the ability of individuals to use information systems to launch organization-defined Denial of Service (DoS) attacks against other information systems is restricted. Deep Security policies for Firewall Rules can be disruptive causing a denial of service to the environment if not properly configured. It is imperative that access to the firewall rule policies be restricted to authorized personnel by enforcing least privileged within the Deep Security, “User management” settings. If role-based access controls are not enforced within the Administration >> User management >> Roles >> [Policy Name] >> Properties >> Policy Rights, this is a finding.

Fix: F-72009r1_fix

Configure the Trend Deep Security server to restrict the ability of individuals to use information systems to launch organization-defined Denial of Service (DoS) attacks against other information systems. Configure the role-based access controls to prevent access to policy modifications within the Administration >> User management >> Roles >> [Policy Name] >> Properties >> Policy Rights. The “Edit” option should only be enabled to authorized users.

b
Trend Deep Security must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.
SC-5 - Medium - CCI-001095 - V-65935 - SV-80425r1_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-001095
Version
TMDS-00-000190
Vuln IDs
  • V-65935
Rule IDs
  • SV-80425r1_rule
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. In the case of application DoS attacks, care must be taken when designing the application to ensure the application makes the best use of system resources. SQL queries have the potential to consume large amounts of CPU cycles if they are not tuned for optimal performance. Web services containing complex calculations requiring large amounts of time to complete can bog down if too many requests for the service are encountered within a short period of time. The methods employed to meet this requirement will vary depending upon the technology the application utilizes. However, a variety of technologies exist to limit or, in some cases, eliminate the effects of application related DoS attacks. Employing increased capacity and bandwidth combined with specialized application layer protection devices and service redundancy may reduce the susceptibility to some DoS attacks.
Checks: C-66583r1_chk

Review the Trend Deep Security server configuration to ensure excess capacity, bandwidth, or other redundancy is managed to limit the effects of information flooding types of Denial of Service (DoS) attacks. Review the “CPU Usage Level” under Administration >> System Settings >> Advanced >> CPU Usage During Recommendation Scans. Depending on resource capabilities for monitored agent scans, it may be necessary to limit the “CPU Usage Level” from High to Low. If the setting is not configured in accordance with the SA best practice recommendation this is a finding.

Fix: F-72011r1_fix

Configure the Trend Deep Security server to manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks. Configure the “CPU Usage Level” in accordance with the SA best practice under Administration >> System Settings >> Advanced >> CPU Usage During Recommendation Scans.

b
Trend Deep Security must automatically update malicious code protection mechanisms.
SI-3 - Medium - CCI-001247 - V-65937 - SV-80427r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001247
Version
TMDS-00-000195
Vuln IDs
  • V-65937
Rule IDs
  • SV-80427r1_rule
Malicious software detection applications need to be constantly updated in order to identify new threats as they are discovered. All malicious software detection software must come with an update mechanism that automatically updates the application and any associated signature definitions. The organization (including any contractor to the organization) is required to promptly install security-relevant malicious code protection software updates. Examples of relevant updates include anti-virus signatures, detection heuristic rule sets, and/or file reputation data employed to identify and/or block malicious software from executing. Malicious code includes viruses, worms, Trojan horses, and Spyware. This requirement applies to applications providing malicious code protection.
Checks: C-66585r1_chk

Review the Trend Deep Security server configuration to ensure malicious code protection mechanisms are automatically updated. Analyze the system using the Administration >> System Settings >> Updates page. Verify that the “Automatically download updates to imported software” option is checked. If this option is not enabled, this is a finding.

Fix: F-72013r1_fix

Configure the Trend Deep Security server to automatically update malicious code protection mechanisms. Go to the Administration >> System Settings >> Updates page, and scroll down to Software Updates. Check the box to enable “Automatically download updates to imported software”.

b
Trend Deep Security must notify ISSO and ISSM of failed security verification tests.
SI-6 - Medium - CCI-001294 - V-65939 - SV-80429r1_rule
RMF Control
SI-6
Severity
Medium
CCI
CCI-001294
Version
TMDS-00-000200
Vuln IDs
  • V-65939
Rule IDs
  • SV-80429r1_rule
If personnel are not notified of failed security verification tests, they will not be able to take corrective action and the unsecure condition(s) will remain. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Notifications provided by information systems include messages to local computer consoles, and/or hardware indications, such as lights. This requirement applies to applications performing security functions and the applications performing security function verification/testing.
Checks: C-66587r2_chk

Review the Trend Deep Security server configuration to ensure the ISSO and ISSM are notified of failed security verification tests. From Administration >> User Management >> Users Select the account associated with the ISSM or ISSO and double-click. Under the Contact Information tab, verify the Contact Information is associated with account is complete and accurate. If the account information is missing or incorrect, this is a finding. Next, verify the "Receive Alert Email" check box is selected. If the "Receive Alert Email" checkbox is not selected, this is finding.

Fix: F-72015r2_fix

Configure the Trend Deep Security server to notify ISSO and ISSM of failed security verification tests. Go to Administration >> User Management >> Users Select the account associated with the ISSM or ISSO and double-click. Under the “Contact Information” tab enter the users Contact Information. Next, select the checkbox for “Receive Alert Emails”.

b
Trend Deep Security must update malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures.
SI-3 - Medium - CCI-001240 - V-65941 - SV-80431r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001240
Version
TMDS-00-000205
Vuln IDs
  • V-65941
Rule IDs
  • SV-80431r1_rule
Malicious code includes viruses, worms, Trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. Malicious code may also be able to run and attach programs, which may allow the unauthorized distribution of malicious mobile code. Once this code is installed on endpoints within the network, unauthorized users may be able to breach firewalls and gain access to sensitive data. This requirement applies to applications providing malicious code protection. Malicious code protection mechanisms include, but are not limited, to, anti-virus and malware detection software. Malicious code protection mechanisms (including signature definitions and rule sets) must be updated when new releases are available.
Checks: C-66589r1_chk

Review the Trend Deep Security server configuration to ensure malicious code protection mechanisms are updated whenever new releases are available in accordance with organizational configuration management policy and procedures. Analyze the system using the Administration >> System Settings >> Updates page. Verify that the “Automatically download updates to imported software” option is enabled. If this option is not enabled, this is a finding.

Fix: F-72017r1_fix

Configure the Trend Deep Security server to update malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures. Go to the Administration >> System Settings >> Updates page, and scroll down to Software Updates. Check the box to enable “Automatically download updates to imported software”.

b
Trend Deep Security must configure malicious code protection mechanisms to perform periodic scans of the information system every seven (7) days.
SI-3 - Medium - CCI-001241 - V-65943 - SV-80433r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001241
Version
TMDS-00-000210
Vuln IDs
  • V-65943
Rule IDs
  • SV-80433r1_rule
Malicious code protection mechanisms include, but are not limited, to anti-virus and malware detection software. In order to minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. Malicious code includes viruses, worms, Trojan horses, and Spyware. It is not enough to simply have the software installed; this software must periodically scan the system to search for malware on an organization-defined frequency. This requirement applies to applications providing malicious code protection.
Checks: C-66591r1_chk

Review the Trend Deep Security server configuration to ensure malicious code protection mechanisms perform periodic scans of the information system every seven (7) days. Analyze one of the custom policies under the “Policies” tab, by right clicking and selecting “Details.” Verify the following settings are enabled: 1. Under the Overview >> General tab, "Anti-Malware" is set to “On” 2. Under the Anti-Malware >> General tab, “Real-Time Scan” is set to “Default” 3. Under the Anti-Malware >> General tab, a custom “Malware Scan Configuration” is enabled with a Schedule configured to no more than 7 days. If "Anti-Malware" is set anything other than “On” this is a finding. If “Malware Scan Configuration” is set to “No Configuration,” this is a finding.

Fix: F-72019r1_fix

Configure the Trend Deep Security server malicious code protection mechanisms to perform periodic scans of the information system every seven (7) days. To enable malicious code protection via the anti-malware, configure the following settings under the “Policies” tab. Under “Policies” right clicking and selecting “Details.” Configure the following settings: 1. Under the Overview >> General tab, set "Anti-Malware" to “On” 2. Under the Anti-Malware >> General tab, set “Real-Time Scan” to “Default” 3. Under the Anti-Malware >> General tab, set a weekly scan under “Scheduled” by selecting “New”. Name the scheduled scan “Weekly” and configure it for a select day and time of the week. Click “OK” when finished.

b
Trend Deep Security must be configured to perform real-time malicious code protection scans of files from external sources at endpoints as the files are downloaded, opened, or executed in accordance with organizational security policy.
SI-3 - Medium - CCI-001242 - V-65945 - SV-80435r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001242
Version
TMDS-00-000215
Vuln IDs
  • V-65945
Rule IDs
  • SV-80435r1_rule
Malicious code protection mechanisms include, but are not limited, to, anti-virus and malware detection software. In order to minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. Malicious code includes viruses, worms, Trojan horses, and Spyware. It is not enough to simply have the software installed; this software must periodically scan the system to search for malware on an organization-defined frequency. This requirement applies to applications providing malicious code protection.
Checks: C-66593r1_chk

Review the Trend Deep Security server to ensure real-time malicious code protection scans are performed on files from external sources at endpoints as the files are downloaded, opened, or executed in accordance with organizational security policy. Verify the Anti-Malware, Real-Time Scan is enabled by reviewing the following settings under the “Policies” tab. Under “Policies” right click and select “Details” and choose “Anti-Malware. Review the following settings: Anti-Malware State is set to “On” and the “Real-Time Scan” is set to “Default.” If the two settings are not configured accordingly, this is a finding.

Fix: F-72021r1_fix

Configure the Trend Deep Security server to perform real-time malicious code protection scans of files from external sources at endpoints as the files are downloaded, opened, or executed in accordance with organizational security policy. To enable malicious code protection via the anti-malware, configure the following settings under the “Policies” tab. Under “Policies” right clicking and selecting “Details.” Configure the following settings: 1. Under the Overview >> General tab, set "Anti-Malware" to “On” 2. Under the Anti-Malware >> General tab, set “Real-Time Scan” to “Default”. Click “OK” when finished.

b
Trend Deep Security must be configured to block and quarantine malicious code upon detection, then send an immediate alert to appropriate individuals.
SI-3 - Medium - CCI-001243 - V-65947 - SV-80437r1_rule
RMF Control
SI-3
Severity
Medium
CCI
CCI-001243
Version
TMDS-00-000220
Vuln IDs
  • V-65947
Rule IDs
  • SV-80437r1_rule
Malicious code protection mechanisms include, but are not limited, to anti-virus and malware detection software. In order to minimize potential negative impact to the organization that can be caused by malicious code, it is imperative that malicious code is identified and eradicated. Applications providing this capability must be able to perform actions in response to detected malware. Responses include blocking, quarantining, deleting, and alerting. Other technology- or organization-specific responses may also be employed to satisfy this requirement. Malicious code includes viruses, worms, Trojan horses, and Spyware. This requirement applies to applications providing malicious code protection.
Checks: C-66595r1_chk

Review the Trend Deep Security server configuration to ensure malicious code is blocked and quarantined upon detection, then send an immediate alert to appropriate individuals. Verify the “Custom remediation actions” for “Recognized Malware” under the Policy settings for Anti-Malware. - Under “Policies” tab right click any of the selected policies and click “Details.” - Choose “Anti-Malware” and deselect “Default Real-Time Scan Configuration.” Be sure to re-enable this option once the review is complete. - Click “Edit” and select “Actions.” - Under the “Recognized Malware” verify the following settings: - For Virus: Clean - For Trojans: Quarantine - For Packer: Quarantine - For Spyware: Quarantine - For Other Threats: Clean - Under “Possible Malware” verify “Quarantine” is selected. If any of the settings are not configured accordingly, this is a finding.

Fix: F-72023r1_fix

Configure the Trend Deep Security server to block and quarantine malicious code upon detection, then send an immediate alert to appropriate individuals. Configure the “Custom remediation actions” for “Recognized Malware” under the Policy settings for Anti-Malware. - Under “Policies” tab right click any of the selected policies and click “Details.” - Choose “Anti-Malware” and deselect “Default Real-Time Scan Configuration.” Be sure to re-enable this option once the review is complete. - Click “Edit” and select “Actions.” - Under the “Recognized Malware” configure the following settings: - For Virus: Clean - For Trojans: Quarantine - For Packer: Quarantine - For Spyware: Quarantine - For Other Threats: Clean - Under “Possible Malware” select “Quarantine.”

b
Trend Deep Security must notify System Administrators and Information System Security Officers when accounts are created.
AC-2 - Medium - CCI-001683 - V-65949 - SV-80439r1_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-001683
Version
TMDS-00-000225
Vuln IDs
  • V-65949
Rule IDs
  • SV-80439r1_rule
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply create a new account. Notification of account creation is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail which documents the creation of application user accounts and notifies administrators and Information System Security Officers (ISSO) exists. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.
Checks: C-66597r1_chk

Review the Trend Deep Security server configuration to ensure System Administrators and Information System Security Officers are notified when accounts are created. 1. Analyze the system using the Administration >> System Settings >> Alerts. Review the email address listed in the “Alert Event Forwarding (From The Manager).” If this email address is not present or does not belong to a distribution for system administrators and ISSOs, this is a finding. 2. Analyze the system using the Administration >> System Settings >> System Events for “User Created” Event ID 650. If the options for “Record” and “Forward” are not enabled for "User Created", this is a finding.

Fix: F-72025r1_fix

Configure the Trend Deep Security server to notify System Administrators and Information System Security Officers when accounts are created. 1. Configure Events and Alerts to notify the SA and ISSO using the Administration >> System Settings >> Alerts tab. Inset a distribution email address into the “Alert Event Forwarding (From The Manager).” The distribution email address must be configured within Exchange or other email server and must associate the SA and ISSO accounts reviewing and/or managing the system. 2. Configure the alert using the Administration >> System Settings >> System Events for “User Created” Event ID 650. Select the options for “Record and Forward”.

b
Trend Deep Security must notify System Administrators and Information System Security Officers when accounts are modified.
AC-2 - Medium - CCI-001684 - V-65951 - SV-80441r1_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-001684
Version
TMDS-00-000230
Vuln IDs
  • V-65951
Rule IDs
  • SV-80441r1_rule
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply modify an existing account. Notification of account modification is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail which documents the creation of application user accounts and notifies administrators and Information System Security Officers (ISSOs) exists. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.
Checks: C-66599r1_chk

Review the Trend Deep Security server configuration to ensure System Administrators and Information System Security Officers are notified when accounts are modified. 1. Analyze the system using the Administration >> System Settings >> Alerts. Review the email address listed in the “Alert Event Forwarding (From The Manager).” If this email address is not present or does not belong to a distribution for system administrators and ISSOs, this is a finding. 2. Analyze the system using the Administration >> System Settings >> System Events for “User Updated” Event ID 652. If the options for “Record” and “Forward” are not enabled for "User Updated", this is a finding.

Fix: F-72027r1_fix

Configure the Trend Deep Security server to notify System Administrators and Information System Security Officers when accounts are modified. 1. Configure Events and Alerts to notify the SA and ISSO using the Administration > System Settings > Alerts tab. Inset a distribution email address into the “Alert Event Forwarding (From The Manager).” The distribution email address must be configured within Exchange or other email server and must associate the SA and ISSO accounts reviewing and/or managing the system. 2. Configure the alert using the Administration > System Settings > System Events for “User Updated” Event ID 652. Select the options for Record and Forward.

b
Trend Deep Security must notify System Administrators and Information System Security Officers for account disabling actions.
AC-2 - Medium - CCI-001685 - V-65953 - SV-80443r1_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-001685
Version
TMDS-00-000235
Vuln IDs
  • V-65953
Rule IDs
  • SV-80443r1_rule
When application accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual application users or for identifying the application processes themselves. In order to detect and respond to events that affect user accessibility and application processing, applications must audit account disabling actions and, as required, notify the appropriate individuals so they can investigate the event. Such a capability greatly reduces the risk that application accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes. To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.
Checks: C-66601r1_chk

Review the Trend Deep Security server configuration to ensure System Administrators and Information System Security Officers are notified when accounts are disabled. 1. Analyze the system using the Administration >> System Settings >> Alerts. Review the email address listed in the “Alert Event Forwarding (From The Manager).” If this email address is not present or does not belong to a distribution for system administrators and ISSOs, this is a finding. 2. Analyze the system using the Administration >> System Settings >> System Events for “User Locked Out” Event ID 603. If the options for “Record” and “Forward” are not enabled for "User Locked Out", this is a finding.

Fix: F-72029r1_fix

Configure the Trend Deep Security server to notify System Administrators and Information System Security Officers for account disabling actions. 1. Configure Events and Alerts to notify the SA and ISSO using the Administration >> System Settings >> Alerts tab. Inset a distribution email address into the “Alert Event Forwarding (From The Manager).” The distribution email address must be configured within Exchange or other email server and must associate the SA and ISSO accounts reviewing and/or managing the system. 2. Configure the alert using the Administration >> System Settings >> System Events for “User Locked Out” Event ID 603. Select the options for “Record” and “Forward”.

b
Trend Deep Security must notify System Administrators and Information System Security Officers for account removal actions.
AC-2 - Medium - CCI-001686 - V-65955 - SV-80445r1_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-001686
Version
TMDS-00-000240
Vuln IDs
  • V-65955
Rule IDs
  • SV-80445r1_rule
When application accounts are removed, user accessibility is affected. Accounts are utilized for identifying individual application users or for identifying the application processes themselves. In order to detect and respond to events that affect user accessibility and application processing, applications must audit account removal actions and, as required, notify the appropriate individuals so they can investigate the event. Such a capability greatly reduces the risk that application accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes. To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.
Checks: C-66603r1_chk

Review the Trend Deep Security server configuration to ensure System Administrators and Information System Security Officers are notified when accounts are removed. 1. Analyze the system using the Administration >> System Settings >> Alerts. Review the email address listed in the “Alert Event Forwarding (From The Manager).” If this email address is not present or does not belong to a distribution for system administrators and ISSOs, this is a finding. 2. Analyze the system using the Administration >> System Settings >> System Events for “User Deleted” Event ID 651. If the options for “Record” and “Forward” are not enabled for "User Deleted", this is a finding.

Fix: F-72031r1_fix

Configure the Trend Deep Security server to notify System Administrators and Information System Security Officers for account removal actions. 1. Configure Events and Alerts to notify the SA and ISSO using the Administration >> System Settings >> Alerts tab. Inset a distribution email address into the “Alert Event Forwarding (From The Manager).” The distribution email address must be configured within Exchange or other email server and must associate the SA and ISSO accounts reviewing and/or managing the system. 2. Configure the alert using the Administration >> System Settings >> System Events for “User Deleted” Event ID 651. Select the options for “Record” and “Forward”.

b
Trend Deep Security must automatically audit account enabling actions.
AC-2 - Medium - CCI-002130 - V-65957 - SV-80447r1_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-002130
Version
TMDS-00-000245
Vuln IDs
  • V-65957
Rule IDs
  • SV-80447r1_rule
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply enable a new or disabled account. Notification of account enabling is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail which documents the creation of application user accounts and notifies administrators and Information System Security Officers (ISSO) exists. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.
Checks: C-66605r1_chk

Review the Trend Deep Security server configuration to ensure account enabling actions are automatically audited. 1. Analyze the system using the Administration >> System Settings >> Alerts. Review the email address listed in the “Alert Event Forwarding (From The Manager).” If this email address is not present or does not belong to a distribution for system administrators and ISSOs, this is a finding. 2. Analyze the system using the Administration >> System Settings >> System Events for “User Created” Event ID 650. If the options for “Record” and “Forward” are not enabled for "User Created", this is a finding.

Fix: F-72033r1_fix

Configure the Trend Deep Security server to automatically audit account enabling actions. 1. Configure Events and Alerts to notify the SA and ISSO using the Administration >> System Settings >> Alerts tab. Inset a distribution email address into the “Alert Event Forwarding (From The Manager).” The distribution email address must be configured within Exchange or other email server and must associate the SA and ISSO accounts reviewing and/or managing the system. 2. Configure the alert using the Administration >> System Settings >> System Events for “User Created” Event ID 650. Select the options for “Record” and “Forward”.

b
Trend Deep Security must notify SA and ISSO of account enabling actions.
AC-2 - Medium - CCI-002132 - V-65959 - SV-80449r1_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-002132
Version
TMDS-00-000250
Vuln IDs
  • V-65959
Rule IDs
  • SV-80449r1_rule
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply enable a new or disabled account. Notification of account enabling is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail which documents the creation of application user accounts and notifies administrators and ISSOs exists. Such a process greatly reduces the risk that accounts will be surreptitiously enabled and provides logging that can be used for forensic purposes. In order to detect and respond to events that affect user accessibility and application processing, applications must audit account enabling actions and, as required, notify the appropriate individuals so they can investigate the event. To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.
Checks: C-66607r1_chk

Review the Trend Deep Security server configuration to ensure the SA and ISSO are notified of account enabling actions. 1. Analyze the system using the Administration >> System Settings >> Alerts. Review the email address listed in the “Alert Event Forwarding (From The Manager).” If this email address is not present or does not belong to a distribution for system administrators and ISSOs, this is a finding. 2. Analyze the system using the Administration >> System Settings >> System Events for “User Created” Event ID 650. If the options for “Record” and “Forward” are not enabled for "User Created", this is a finding.

Fix: F-72035r1_fix

Configure the Trend Deep Security server to notify SA and ISSO of account enabling actions. 1. Configure Events and Alerts to notify the SA and ISSO using the Administration >> System Settings >> Alerts tab. Inset a distribution email address into the “Alert Event Forwarding (From The Manager).” The distribution email address must be configured within Exchange or other email server and must associate the SA and ISSO accounts reviewing and/or managing the system. 2. Configure the alert using the Administration >> System Settings >> System Events for “User Created” Event ID 650. Select the options for “Record” and “Forward”.

b
Trend Deep Security must audit the execution of privileged functions.
AC-6 - Medium - CCI-002234 - V-65967 - SV-80457r1_rule
RMF Control
AC-6
Severity
Medium
CCI
CCI-002234
Version
TMDS-00-000255
Vuln IDs
  • V-65967
Rule IDs
  • SV-80457r1_rule
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse, and identify the risk from insider threats and the advanced persistent threat.
Checks: C-66615r1_chk

Review the Trend Deep Security server to ensure the execution of privileged functions are audited. Interview the ISSO for a list of functions identified as privileged within the application “System Events.” Privileged functions within the system events will include but are not limited to: Computer Created, Computer Deleted, User Added, etc.). Verify the list against the Administration >> System Settings >> System Events tab. If the events are not to Record and Forward, this is a finding.

Fix: F-72043r1_fix

Configure the Trend Deep Security server to audit the execution of privileged functions. Enable the necessary privileged functions by selecting “Record” and “Forward” within the Administration >> System Settings >> System Events tab.

b
Trend Deep Security must off-load audit records onto a different system or media than the system being audited.
AU-4 - Medium - CCI-001851 - V-65969 - SV-80459r1_rule
RMF Control
AU-4
Severity
Medium
CCI
CCI-001851
Version
TMDS-00-000265
Vuln IDs
  • V-65969
Rule IDs
  • SV-80459r1_rule
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
Checks: C-66617r1_chk

Review the Trend Deep Security server configuration to ensure audit records are off-loaded onto a different system or media than the system being audited. Verify that audit records are off-loaded by configuring the Manager to instruct all managed computers to use Syslog: 1. Go to the Administration> > System Settings >> SIEM tab. 2. In the System Event Notification (from the Manager) area, verify the “Forward System Events to a remote computer (via Syslog) option” is Enabled. 3. Verify the IP address to the selected host name is entered. 4. Verify UDP port 514 or agency selected port is provided. 5. Verify the appropriate Syslog facility and Common Event Settings If any of these settings are missing from the SIEM configuration, this is a finding.

Fix: F-72045r1_fix

Configure the Trend Deep Security server to off-load audit records onto a different system or media than the system being audited. To configure the Manager to instruct all managed computers to use Syslog: 1. Go to the Administration >> System Settings >> SIEM tab. 2. In the System Event Notification (from the Manager) area, set the Forward System Events to a remote computer (via Syslog) option. 3. Type the hostname or the IP address of the Syslog computer. 4. Enter which UDP port to use (usually 514). 5. Select which Syslog facility to use. 6. Select the "Common Event Format" log format. (The "Basic Syslog" format is listed only for legacy support and should not be used for new integrations.)

b
Trend Deep Security must provide an immediate warning to the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of repository maximum audit record storage capacity.
AU-5 - Medium - CCI-001855 - V-65971 - SV-80461r1_rule
RMF Control
AU-5
Severity
Medium
CCI
CCI-001855
Version
TMDS-00-000270
Vuln IDs
  • V-65971
Rule IDs
  • SV-80461r1_rule
If security personnel are not notified immediately upon storage volume utilization reaching 75%, they are unable to plan for storage capacity expansion.
Checks: C-66619r1_chk

Review the Trend Deep Security server configuration to ensure an immediate warning is provided to the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of repository maximum audit record storage capacity. 1. Analyze the system using the Administration > System Settings >> Alerts tab. Review the email address listed in the “Alert Event Forwarding (From The Manager).” If this email address is not present or does not belong to a distribution for system administrator and ISSOs, this is a finding. 2. Analyze the system using the Administration >> System Settings >> System Events tab for “Manager Available Disk Space Too Low” Event ID 170. If the options for “Record” and “Forward” are not enabled for “Manager Available Disk Space Too Low”, this is a finding

Fix: F-72047r1_fix

Configure the Trend Deep Security server to provide an immediate warning to the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of repository maximum audit record storage capacity. 1. Configure Events and Alerts to notify the SA and ISSO using the Administration >> System Settings >> Alerts tab. Inset a distribution email address into the “Alert Event Forwarding (From The Manager).” The distribution email address must be configured within Exchange or other email server and must associate the SA and ISSO accounts reviewing and/or managing the system. 2. Configure the alert using the Administration >> System Settings >> System Events for “Manager Available Disk Space Too Low” Event ID 170. Select the options for “Record” and “Forward”.

b
Trend Deep Security must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events requiring real-time alerts.
AU-5 - Medium - CCI-001858 - V-65973 - SV-80463r1_rule
RMF Control
AU-5
Severity
Medium
CCI
CCI-001858
Version
TMDS-00-000275
Vuln IDs
  • V-65973
Rule IDs
  • SV-80463r1_rule
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. Alerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less).
Checks: C-66621r1_chk

Review the Trend Deep Security server configuration to ensure an immediate real-time alert is provided to the SA and ISSO, at a minimum, of all audit failure events requiring real-time alerts. Analyze the system using the Administration >> System Settings >> Alerts tab. Review the email address listed in the “Alert Event Forwarding (From The Manager).” If this email address is not present or does not belong to a distribution for system administrators and ISSOs, this is a finding.

Fix: F-72049r1_fix

Configure the Trend Deep Security server to provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events requiring real-time alerts. Configure Events and Alerts to notify the SA and ISSO using the Administration >> System Settings >> Alerts tab. Insert a distribution email address into the “Alert Event Forwarding (From The Manager).” The distribution email address must be configured within Exchange or other email server and must associate the SA and ISSO accounts reviewing and/or managing the system.

b
Trend Deep Security must alert the ISSO, ISSM, and other designated personnel (deemed appropriate by the local organization) when the unauthorized installation of software is detected.
CM-11 - Medium - CCI-001811 - V-65975 - SV-80465r1_rule
RMF Control
CM-11
Severity
Medium
CCI
CCI-001811
Version
TMDS-00-000280
Vuln IDs
  • V-65975
Rule IDs
  • SV-80465r1_rule
Unauthorized software not only increases risk by increasing the number of potential vulnerabilities, it also can contain malicious code. Sending an alert (in real time) when unauthorized software is detected allows designated personnel to take action on the installation of unauthorized software. This requirement applies to configuration management applications or similar types of applications designed to manage system processes and configurations (e.g., HBSS and software wrappers).
Checks: C-66623r1_chk

Review the Trend Deep Security server configuration to ensure the ISSO, ISSM, and other designated personnel (deemed appropriate by the local organization) are alerted when the unauthorized installation of software is detected. 1. Analyze the system using the Administration >> System Settings >> Alerts tab. Review the email address listed in the “Alert Event Forwarding (From The Manager).” If this email address is not present or does not belong to a distribution for system administrators and ISSOs, this is a finding. 2. Analyze the system using the Administration >> System Settings >> System Events for “Software Added” Event ID 151. If the options for “Record” and “Forward” are not enabled for “Software Added”, this is a finding.

Fix: F-72051r1_fix

Configure the Trend Deep Security server to alert the ISSO, ISSM, and other designated personnel (deemed appropriate by the local organization) when the unauthorized installation of software is detected. 1. Configure Events and Alerts to notify the SA and ISSO using the Administration >> System Settings >> Alerts tab. Inset a distribution email address into the “Alert Event Forwarding (From The Manager).” The distribution email address must be configured within Exchange or other email server and must associate the SA and ISSO accounts reviewing and/or managing the system. 2. Configure the alert using the Administration >> System Settings >> System Events for “Software Added” Event ID 151. Select the options for “Record” and “Forward”.

b
Trend Deep Security must prohibit user installation of software without explicit privileged status.
CM-11 - Medium - CCI-001812 - V-65977 - SV-80467r1_rule
RMF Control
CM-11
Severity
Medium
CCI
CCI-001812
Version
TMDS-00-000285
Vuln IDs
  • V-65977
Rule IDs
  • SV-80467r1_rule
Allowing regular users to install software, without explicit privileges, creates the risk that untested or potentially malicious software will be installed on the system. Explicit privileges (escalated or administrative privileges) provide the regular user with explicit capabilities and control that exceeds the rights of a regular user. Application functionality will vary, and while users are not permitted to install unapproved applications, there may be instances where the organization allows the user to install approved software packages such as from an approved software repository. The application must enforce software installation by users based upon what types of software installations are permitted (e.g., updates and security patches to existing software) and what types of installations are prohibited (e.g., software whose pedigree with regard to being potentially malicious is unknown or suspect) by the organization. This requirement applies, for example, to applications that provide the ability to extend application functionality (e.g., plug-ins, add-ons) and software management applications.
Checks: C-66625r1_chk

Review the Trend Deep Security server configuration to ensure user installation of software without explicit privileged status is prohibited. Analyze the system using Administration >> User Management >> Roles. Review each role created that is not “Full Access”. Right-Click >> Properties on the desired role, and select “Other Rights.” The “Updates” setting should be set to “View Only” or “Hide.” If any other option is selected other than “View Only” or “Hide”, this is a finding.

Fix: F-72053r1_fix

Configure the Trend Deep Security server to prohibit user installation of software without explicit privileged status. Configure the application to prevent non-authorized users from updating Deep Security by selecting Administration >> User Management >> Roles. Right-Click >> Properties on any of the roles listed and choose “Other Rights.” Set the “Updates” setting to “View Only” or “Hide”.

b
Trend Deep Security must implement organization-defined automated security responses if baseline configurations are changed in an unauthorized manner.
CM-3 - Medium - CCI-001744 - V-65979 - SV-80469r1_rule
RMF Control
CM-3
Severity
Medium
CCI
CCI-001744
Version
TMDS-00-000290
Vuln IDs
  • V-65979
Rule IDs
  • SV-80469r1_rule
Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the system. Changes to information system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the application. Examples of security responses include, but are not limited to the following: halting application processing; halting selected application functions; or issuing alerts/notifications to organizational personnel when there is an unauthorized modification of a configuration item.
Checks: C-66627r1_chk

Review the Trend Deep Security server configuration to ensure organization-defined automated security responses are implemented if baseline configurations are changed in an unauthorized manner. Deep Security, Policies, are policy templates that specify the security rules to be configured and enforced automatically for one or more computers. These compact, manageable rule sets make it simple to provide comprehensive security without the need to manage thousands of rules. Default Policies provide the necessary rules for a wide range of common computer configurations. 1. Analyze the system using the Administration >> System Settings >> Alerts tab. Review the email address listed in the “Alert Event Forwarding (From The Manager).” If this email address is not present or does not belong to a distribution for system administrator and ISSOs, this is a finding. 2. Analyze the system using the Administration >> System Settings >> System Events tab to ensure the following events are enabled: 350 Policy Created Record Forward 351 Policy Deleted Record Forward 352 Policy Updated Record Forward 353 Policies Exported Record Forward 354 Policies Imported Record Forward If the options for “Record” and “Forward” are not enabled on these events, this is a finding

Fix: F-72055r1_fix

Configure the Trend Deep Security server to implement organization-defined automated security responses if baseline configurations are changed in an unauthorized manner. Configure the application to prevent unauthorized changes to the baseline policies by selecting Administration >> System Settings >> System Events. Enable the Record and Forward option for each of the following: 350 Policy Created 351 Policy Deleted 352 Policy Updated 353 Policies Exported 354 Policies Imported

b
Trend Deep Security must enforce access restrictions associated with changes to application configuration.
CM-5 - Medium - CCI-001813 - V-65981 - SV-80471r1_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001813
Version
TMDS-00-000295
Vuln IDs
  • V-65981
Rule IDs
  • SV-80471r1_rule
Failure to provide logical access restrictions associated with changes to application configuration may have significant effects on the overall security of the system. When dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. Accordingly, only qualified and authorized individuals should be allowed to obtain access to application components for the purposes of initiating changes, including upgrades and modifications. Logical access restrictions include, for example, controls that restrict access to workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover).
Checks: C-66629r1_chk

Review the Trend Deep Security server configuration to ensure access restrictions associated with changes to application configuration are enforced. Inspect the settings used for enforcing least privilege through access restrictions under Administration >> User Management >> Roles. Select a role under the “Roles” menu and click "Properties". 1. Select the “Computer Rights” tab and verify the settings configured under the “Computer and Group Rights” area. If non-authorized users have access to anything other than “View”, this is a finding. 2. Select the “Policy Rights” tab and verify the settings configured under the “Policy Rights” area. If non-authorized users have access to anything other than “View,” this is a finding. 3. Select the “User Rights” tab and verify the settings configured under the “User Rights” area. If non-authorized users have access to anything other than “Change own password and contact information only”, this is a finding. 4. Select the Other Rights, tab and verify the settings configured under the “Other Rights” area. If non-authorized users have access to anything other than "View-Only" or "Hide", this is a finding.

Fix: F-72057r1_fix

Configure the Trend Deep Security server to enforce access restrictions associated with changes to application configuration. Enforce access restrictions associated with changes to application configuration. Under Administration >> User Management >> Roles, select a role and click “Properties”. 1. Click Computer Rights >> Computer and Group Rights, and select only the “View” checkbox. 2. Click Policy Rights >> Policy Rights, and select only the “View” checkbox. 3. Click User Rights >> User Rights, and select “Change own password and contact information only.” 4. Click Other Rights >> Other Rights, select "View-Only" or "Hide" for all options according to local policy for the roles permission. 5. Click "OK".

b
Trend Deep Security must audit the enforcement actions used to restrict access associated with changes to the application.
CM-5 - Medium - CCI-001814 - V-65983 - SV-80473r1_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001814
Version
TMDS-00-000300
Vuln IDs
  • V-65983
Rule IDs
  • SV-80473r1_rule
Without auditing the enforcement of access restrictions against changes to the application configuration, it will be difficult to identify attempted attacks and an audit trail will not be available for forensic investigation for after-the-fact actions. Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. Enforcement action methods may be as simple as denying access to a file based on the application of file permissions (access restriction). Audit items may consist of lists of actions blocked by access restrictions or changes identified after the fact.
Checks: C-66631r1_chk

Review the Trend Deep Security server configuration to ensure the enforcement actions used to restrict access associated with changes to the application are audited. System Events include changes to the configuration of an Agent/Appliance, the Deep Security Manager, or Users. They also include errors that may occur during normal operation of the Trend Deep Security system. To ensure the necessary events are captured, verify the Administration >> System Settings >> System Events, against the local policy established by the ISSO. If the settings configured do not match local policy, this is a finding.

Fix: F-72059r1_fix

Configure the Trend Deep Security server to audit the enforcement actions used to restrict access associated with changes to the application. To configure the application to captured the events identified by the ISSO, go to the Administration >> System Settings >> System Events tab. Enable all applicable policies with “Record” and “Forward.”

b
Trend Deep Security must only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions.
SC-23 - Medium - CCI-002470 - V-65985 - SV-80475r1_rule
RMF Control
SC-23
Severity
Medium
CCI
CCI-002470
Version
TMDS-00-000305
Vuln IDs
  • V-65985
Rule IDs
  • SV-80475r1_rule
Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DoD-approved CA, trust of this CA has not been established. The DoD will only accept PKI certificates obtained from a DoD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of SSL/TLS certificates. This requirement focuses on communications protection for the application session rather than for the network packet. This requirement applies to applications that utilize communications sessions. This includes, but is not limited to, web-based applications and Service-Oriented Architectures (SOA).
Checks: C-66633r1_chk

Review the Trend Deep Security server configuration to ensure only the use of DoD PKI established certificate authorities are allowed for verification of the establishment of protected sessions. Verify the certificate CA and by reviewing the issued to and validity date by clicking the certificate icon in the web browser and selecting View Certificates, Certificate Information, etc. (browser dependent). If the certificate is not issued by a DoD CA, this is a finding.

Fix: F-72061r1_fix

Configure the Trend Deep Security server to only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions. 1. Run the following command to create a CSR for your CA to sign: C:\Program Files\Trend Micro\Deep Security Manager\jre\bin>keytool -certreq -keyalg RSA -alias tomcat -file certrequest.csr 2. Send the certrequest.csr to your CA to sign. In return you will get two files. One is a "certificate reply" and the second is the CA certificate itself. 3. Run the following command to import the CA cert in JAVA trusted keystore: C:\Program Files\Trend Micro\Deep Security Manager\jre\bin>keytool -import -alias root -trustcacerts -file cacert.crt -keystore "C:\Program Files\Trend Micro\Deep Security Manager\jre\lib\security\cacerts" 4. Run the following command to import the CA certificate in your keystore: C:\Program Files\Trend Micro\Deep Security Manager\jre\bin>keytool -import -alias root -trustcacerts -file cacert.crt (say yes to warning message) 5. Run the following command to import the certificate reply to your keystore: C:\Program Files\Trend Micro\Deep Security Manager\jre\bin>keytool -import -alias tomcat -file certreply.txt 6. Run the following command to view the certificate chain in you keystore: C:\Program Files\Trend Micro\Deep Security Manager\jre\bin>keytool -list -v 7. Copy the .keystore file from your user home directory C:\Documents and Settings\Administrator to C:\Program Files\ Trend Micro \Deep Security Manager\ 8. Open the configuration.properties file in folder C:\Program Files\Trend Micro\Deep Security Manager. It will look something like: keystore File=C\:\\\\Program Files\\\\Trend Micro\\\\Deep Security Manager\\\\.keystore port=4119 keystorePass=$1$85ef650a5c40bb0f914993ac1ad855f48216fd0664ed2544bbec6de80160b2f installed=true serviceName= Trend Micro Deep Security Manager 9. Replace the password in the following string: keystorePass=xxxx where "xxxx" is the password you supplied in step five 10. Save and close the file 11. Restart the Deep Security Manager service 12. Connect to the Deep Security Manager with your browser and you will notice that the new SSL certificate is signed by your CA.

b
Trend Deep Security must maintain a separate execution domain for each executing process.
SC-39 - Medium - CCI-002530 - V-65987 - SV-80477r1_rule
RMF Control
SC-39
Severity
Medium
CCI
CCI-002530
Version
TMDS-00-000310
Vuln IDs
  • V-65987
Rule IDs
  • SV-80477r1_rule
Applications can maintain separate execution domains for each executing process by assigning each process a separate address space. Each process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. An example is a web browser with process isolation that provides tabs that are separate processes using separate address spaces to prevent one tab crashing the entire browser.
Checks: C-66635r1_chk

Review the Trend Deep Security server configuration to ensure a separate execution domain for each executing process is maintained. Review the network topology supporting Deep Security for separation of zones and host OS. If the architecture does separate the Deep Security Manager (DSM) from the Database, this is a finding.

Fix: F-72063r1_fix

Configure the Trend Deep Security server to maintain a separate execution domain for each executing process. Install the Deep Security Manager on a dedicated server within a management zone. Next, connect the DSM to the assigned database provided. The database should be in separate zone with the necessary firewall rules established for communication between the application server and the DB.

b
Trend Deep Security must protect against or limit the effects of all types of Denial of Service (DoS) attacks by employing organization-defined security safeguards.
SC-5 - Medium - CCI-002385 - V-65989 - SV-80479r1_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-002385
Version
TMDS-00-000315
Vuln IDs
  • V-65989
Rule IDs
  • SV-80479r1_rule
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. This requirement addresses the configuration of applications to mitigate the impact of DoS attacks that have occurred or are ongoing on application availability. For each application, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or restricting the number of sessions the application opens at one time). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks.
Checks: C-66637r1_chk

Review the Trend Deep Security server configuration to ensure the effects of all types of Denial of Service (DoS) attacks are protected against or limited by employing organization-defined security safeguards. Policies are templates that specify the settings and security rules to be configured and enforced automatically for one or more computers. These compact, manageable rule sets make it simple to provide comprehensive security without the need to manage thousands of rules. Default Policies provide the necessary rules for a wide range of common computer configurations. Select “Computers” from the top menu and double click on any computer from the “Computers” area. Click the “Firewall” menu and review the configuration setting under the “General” tab. If Firewall >> Configuration is set to "Off", this is a finding. Click the “Intrusion Prevention” menu and review the configuration setting under the “General” tab. If Intrusion Prevention >> Configuration is set to “Off”, this is a finding.

Fix: F-72065r1_fix

Configure the Trend Deep Security server to protect against or limit the effects of all types of Denial of Service (DoS) attacks by employing organization-defined security safeguards. 1. Create a new Policy based on a Recommendation Scan of a computer: - On the “Computers" page, Right-click the computer, and select Actions >> Scan for Recommendations. - When the scan is complete, return to the “Policies” page and click “New” to display the “New Policy” wizard. Enter the policy name and choose “None” from the “Inherit From” option. - When prompted, choose to base the new Policy on "an existing computer's current configuration". - Select "Recommended Application Types and Intrusion Prevention Rules", "Recommended Integrity Monitoring Rules", and "Recommended Log Inspection Rules" from among the computer's properties. 2. Create a new Firewall policy based on a Recommendation Scan of a computer: - On the “Computers” page, Double-click on a computer, and select Firewall >> Scan for Open Ports. - Assign the necessary Firewall rules based on the open ports identified. Repeat for all rules as necessary.

b
Trend Deep Security must implement organization-defined security safeguards to protect its memory from unauthorized code execution.
SI-16 - Medium - CCI-002824 - V-65991 - SV-80481r1_rule
RMF Control
SI-16
Severity
Medium
CCI
CCI-002824
Version
TMDS-00-000320
Vuln IDs
  • V-65991
Rule IDs
  • SV-80481r1_rule
Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. Examples of attacks are buffer overflow attacks.
Checks: C-66639r1_chk

Review the Trend Deep Security server configuration to ensure organization-defined security safeguards are implemented to protect its memory from unauthorized code execution. Policies are templates that specify the settings and security rules to be configured and enforced automatically for one or more computers. These compact, manageable rule sets make it simple to provide comprehensive security without the need to manage thousands of rules. Default Policies provide the necessary rules for a wide range of common computer configurations. Select “Computers” from the top menu and double click on any computer from the “Computers” window. Click the “Firewall” option and review the Configuration setting under the “General” tab. If this is set to “Off”, this is a finding. Click the “Intrusion Prevention” option and review the Configuration setting under the “General” tab. If this is set to “Off”, this is a finding

Fix: F-72067r1_fix

Configure the Trend Deep Security server to implement organization-defined security safeguards to protect its memory from unauthorized code execution. 1. Create a new Policy based on a Recommendation Scan of a computer: - On the “Computers" page, Right-click the computer, and select Actions >> Scan for Recommendations. - When the scan is complete, return to the “Policies” page and click “New” to display the “New Policy” wizard. Enter the policy name and choose “None” from the “Inherit From” option. - When prompted, choose to base the new Policy on "an existing computer's current configuration". - Select "Recommended Application Types and Intrusion Prevention Rules", "Recommended Integrity Monitoring Rules", and "Recommended Log Inspection Rules" from among the computer's properties. 2. Create a new Firewall policy based on a Recommendation Scan of a computer: - On the “Computers” page, Double-Click on a computer, and select Firewall >> Scan for Open Ports. - Assign the necessary Firewall rules based on the open ports identified. Repeat for all rules as necessary.

b
Trend Deep Security must install security-relevant software updates within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).
SI-2 - Medium - CCI-002605 - V-65993 - SV-80483r1_rule
RMF Control
SI-2
Severity
Medium
CCI
CCI-002605
Version
TMDS-00-000325
Vuln IDs
  • V-65993
Rule IDs
  • SV-80483r1_rule
Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously. Organization-defined time periods for updating security-relevant software may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). This requirement will apply to software patch management solutions that are used to install patches across the enclave and also to applications themselves that are not part of that patch management solution. For example, many browsers today provide the capability to install their own patch software. Patch criticality, as well as system criticality will vary. Therefore, the tactical situations regarding the patch management process will also vary. This means that the time period utilized must be a configurable parameter. Time frames for application of security-relevant software updates may be dependent upon the Information Assurance Vulnerability Management (IAVM) process. The application will be configured to check for and install security-relevant software updates within an identified time period from the availability of the update. The specific time period will be defined by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).
Checks: C-66641r1_chk

Review the Trend Deep Security server configuration to ensure security-relevant software updates are installed within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs). Review the Scheduled Tasks under Administration >> Scheduled Tasks to see if “Daily Check for Security Updates” is present. If “Daily Check for Security Updates” is not present, this is a finding.

Fix: F-72069r1_fix

Configure the Trend Deep Security server to install security-relevant software updates within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs). Go to Scheduled Tasks under the “Administration” tab and click “New”. Under “Type”, select “Check for Security Updates.” Choose the” Daily” option, and click “Next”. Select a start date and time for the daily tasks, then choose “Every Day” and click “Next”. Select the computers or groups according to the organizations custom policy, and click “Next”. Enter a unique name for the scheduled task, chose the “Task Enabled” option, and click “Finish”.

b
Trend Deep Security detection application must detect network services that have not been authorized or approved by the organization-defined authorization or approval processes.
SI-4 - Medium - CCI-002683 - V-65995 - SV-80485r1_rule
RMF Control
SI-4
Severity
Medium
CCI
CCI-002683
Version
TMDS-00-000330
Vuln IDs
  • V-65995
Rule IDs
  • SV-80485r1_rule
Unauthorized or unapproved network services lack organizational verification or validation and therefore, may be unreliable or serve as malicious rogues for valid services. This requirement can be addressed by a host-based IDS capability or by remote scanning functionality.
Checks: C-66643r1_chk

Review the Trend Deep Security server configuration to ensure network services that have not been authorized or approved by the organization-defined authorization or approval processes are detected. Review the Intrusion Detection policy for approved ports, protocols and services associated within a defined group or a selected computer by: - Selecting “Computers”, on the top menu bar. - Choose the appropriate group and within the main page and select a computer for review. - Double click the selected computer and click “Intrusion Detection” - Verify the following settings are enabled: - Configuration: is set to On - Intrusion Prevention Behavior is set to Prevent or Detect; review local security policy for appropriate setting. - Assigned Intrusion Prevention Rules: review local security policy for appropriate setting If the Assigned Intrusion Prevention Rules do not match the local defined policy, this is a finding.

Fix: F-72071r1_fix

Configure the Trend Deep Security server to detect network services that have not been authorized or approved by the organization-defined authorization or approval processes. To configure Deep Security to detect unauthorized services through the Intrusion Detection module, go to Policies >> Intrusion Prevention>> Select New >> New intrusion Prevention Rule - Under Details >> Application type>> Select “New” - Enter Name of the network services - Choose the appropriate direction - Select the appropriate protocol - Choose the applicable ports

b
Trend Deep Security must, when unauthorized network services are detected, log the event and alert the ISSO, ISSM, and other individuals designated by the local organization.
SI-4 - Medium - CCI-002684 - V-65997 - SV-80487r1_rule
RMF Control
SI-4
Severity
Medium
CCI
CCI-002684
Version
TMDS-00-000335
Vuln IDs
  • V-65997
Rule IDs
  • SV-80487r1_rule
Unauthorized or unapproved network services lack organizational verification or validation and therefore, may be unreliable or serve as malicious rogues for valid services. The detection of such unauthorized services must be logged and appropriate personnel must be notified. This requirement can be addressed by a host-based IDS capability or by remote scanning functionality.
Checks: C-66645r2_chk

Review the Trend Deep Security server configuration to ensure the event is logged, and the ISSO, ISSM, and other individuals designated by the local organization are alerted when unauthorized network services are detected. Policies are templates that specify the settings and security rules to be configured and enforced automatically for one or more computers. These compact, manageable rule sets make it simple to provide comprehensive security without the need to manage thousands of rules. Default Policies provide the necessary rules for a wide range of common computer configurations. Select “Computers” from the top menu and double click on any computer from the list. Under Firewall >> General Tab >> Firewall area, verify "Configuration" is set to "On". If "Configuration" is set to “Off”, this is a finding. Under Intrusion Detection >> General Tab >> Intrusion Detection area, verify "Configuration" is set to "On". If "Configuration" is set to “Off”, this is a finding.

Fix: F-72073r2_fix

Configure the Trend Deep Security server to log the event and alert the ISSO, ISSM, and other individuals designated by the local organization, when unauthorized network services are detected. Create a new Policy based on a Recommendation Scan of a computer. To do so, right click the computer on the “Computers” page and select Actions >> Scan for Recommendations. When the scan is complete, return to the “Policies” page and click “New” to display the “New Policy” wizard. Enter the policy name and choose “None” from the “Inherit From” option. When prompted, choose to base the new Policy on "an existing computer's current configuration". Then select "Recommended Application Types and Intrusion Prevention Rules", "Recommended Integrity Monitoring Rules", and "Recommended Log Inspection Rules" from among the computer's properties. Firewall rules should be created for each individual computer in order to prevent services from being disrupted. You can create a new Firewall policy based on a Recommendation Scan of a computer. To do so, double click on a computer on the Computers page and select Firewall >> Scan for Open Ports. Assign the necessary Firewall rules based on the open ports identified. Apply other rules as necessary.

b
Trend Deep Security must continuously monitor inbound communications traffic for unusual or unauthorized activities or conditions.
SI-4 - Medium - CCI-002661 - V-65999 - SV-80489r1_rule
RMF Control
SI-4
Severity
Medium
CCI
CCI-002661
Version
TMDS-00-000340
Vuln IDs
  • V-65999
Rule IDs
  • SV-80489r1_rule
Evidence of malicious code is used to identify potentially compromised information systems or information system components. Unusual/unauthorized activities or conditions related to information system inbound communications traffic include, for example, internal traffic that indicates the presence of malicious code within organizational information systems or propagating among system components, the unauthorized exporting of information, or signaling to external information systems. This requirement applies to applications that provide monitoring capability for unusual/unauthorized activities including, but are not limited to, host-based intrusion detection, anti-virus, and malware applications.
Checks: C-66647r1_chk

Review the Trend Deep Security server configuration to ensure inbound communications traffic is continuously monitored for unusual or unauthorized activities or conditions. Verify the state of the Intrusion Prevent policies: - Select “Computers” on the top menu bar - Choose the appropriate group and within the main page and select a computer for review. - Double click the selected computer and click “Intrusion Prevention” - Verify the following settings are enabled: - Configuration: is set to Inherit or On - “State:” is listing “Activated” - Policies are defined under the Assigned Intrusion Prevention Rules. If any of these settings are not configured, this is a finding

Fix: F-72075r1_fix

Configure the Trend Deep Security server to continuously monitor inbound communications traffic for unusual or unauthorized activities or conditions. To enable Intrusion Prevent within Deep Security, go to “Computers”, on the top menu bar. - Choose the appropriate group and within the main page and select a computer for review. - Double click the selected computer and click Intrusion Prevention. - Enable the following settings: - Configuration: Set to Inherit or On (according to local security policies) - Verify “State:” is listing “Activated” - Assign the appropriate policies under the Assigned Intrusion Prevention Rules.

b
Trend Deep Security must alert the ISSO, ISSM, and other individuals designated by the local organization when the following Indicators of Compromise (IOCs) or potential compromise are detected: real-time intrusion detection; threats identified by authoritative sources (e.g., CTOs); and Category I, II, IV, and VII incidents in accordance with CJCSM 6510.01B.
SI-4 - Medium - CCI-002664 - V-66001 - SV-80491r1_rule
RMF Control
SI-4
Severity
Medium
CCI
CCI-002664
Version
TMDS-00-000345
Vuln IDs
  • V-66001
Rule IDs
  • SV-80491r1_rule
When a security event occurs, the application that has detected the event must immediately notify the appropriate support personnel so they can respond appropriately. Alerts may be generated from a variety of sources, including, audit records or inputs from malicious code protection mechanisms, intrusion detection, or prevention mechanisms. Alerts may be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. Individuals designated by the local organization to receive alerts may include, for example, system administrators, mission/business owners, or system owners. IOCs are forensic artifacts from intrusions that are identified on organizational information systems (at the host or network level). IOCs provide organizations with valuable information on objects or information systems that have been compromised. These indicators reflect the occurrence of a compromise or a potential compromise. This requirement applies to applications that provide monitoring capability for unusual/unauthorized activities including, but are not limited to, host-based intrusion detection, anti-virus, and malware applications.
Checks: C-66649r1_chk

Review the Trend Deep Security server configuration to ensure ISSO, ISSM, and other individuals designated by the local organization are alerted when the following Indicators of Compromise (IOCs) or potential compromise are detected: real time intrusion detection; threats identified by authoritative sources (e.g., CTOs); and Category I, II, IV, and VII incidents in accordance with CJCSM 6510.01B. 1. Analyze the system using the Administration >> System Settings >> Alerts tab. Review the email address listed in the “Alert Event Forwarding (From The Manager).” If this email address is not present or does not belong to a distribution group for system administrators and ISSOs, this is a finding. 2. Select Computers from the top menu and double click on any computer from the “Computers” window. Click the “Intrusion Prevention” option and review the Configuration setting under the “General” tab. If “Intrusion Prevention” is set to “Off”, this is a finding 3. Select a rule from the “Assigned Intrusion Prevention Rules” and double click to bring up the properties. Click “Options” and verify that the “Alert” tab is set to “On”. If “Alert” is set to “Off”, this is a finding.

Fix: F-72077r1_fix

Configure the Trend Deep Security server to alert the ISSO, ISSM, and other individuals designated by the local organization when the following Indicators of Compromise (IOCs) or potential compromise are detected: real-time intrusion detection; threats identified by authoritative sources (e.g., CTOs); and Category I, II, IV, and VII incidents in accordance with CJCSM 6510.01B. Configure Events and Alerts to notify the SA and ISSO using the Administration >> System Settings >> Alerts tab. Inset a distribution email address into the “Alert Event Forwarding (From The Manager).” The distribution email address must be configured within Exchange or other email server and must associate the SA and ISSO accounts reviewing and/or managing the system. Enable Intrusion Prevention by selecting the “Computers” tab from the top menu and double click on the computer that is to be configured from list. Click Intrusion Prevention >> General. Select “On” under “Configuration”. Enable Alerts by selecting a rule from the “Assigned Intrusion Prevention Rules” by double clicking to bring up the properties. Select the “Options” tab and set the “Alert” tab to “On”.

b
Trend Deep Security must notify the system administrator when anomalies in the operation of the security functions are discovered.
SI-6 - Medium - CCI-002702 - V-66005 - SV-80495r1_rule
RMF Control
SI-6
Severity
Medium
CCI
CCI-002702
Version
TMDS-00-002125
Vuln IDs
  • V-66005
Rule IDs
  • SV-80495r1_rule
If anomalies are not acted upon, security functions may fail to secure the system. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Notifications provided by information systems include messages to local computer consoles, and/or hardware indications, such as lights. This requirement applies to applications performing security functions and the applications performing security function verification/testing.
Checks: C-66653r3_chk

Review the Trend Deep Security server configuration to ensure the system administrator is notified when anomalies in the operation of the security functions are discovered. Verify Intrusion Prevention is enabled for all connected host systems by navigating to Policy >> Policy Editor. Navigate to Intrusion Prevention >> General, verify that the intrusion prevention module is "On" and configured with assigned rules. If "Intrusion Prevention" is not set to "On", this is a finding.

Fix: F-72081r3_fix

Configure the Trend Deep Security sever to notify the system administrator when anomalies in the operation of the security functions are discovered. To enable Intrusion Prevention functionality on a computer: In the Policy/Computer editor, go to Intrusion Prevention >> General Select "On", and then click "Assign/Unassign". Select the appropriate rules applicable to the information system being monitored. Click "Save".

b
Trend Deep Security must implement security safeguards when integrity violations are discovered.
SI-7 - Medium - CCI-002715 - V-66007 - SV-80497r1_rule
RMF Control
SI-7
Severity
Medium
CCI
CCI-002715
Version
TMDS-00-002130
Vuln IDs
  • V-66007
Rule IDs
  • SV-80497r1_rule
Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity (e.g., tampering). Information includes metadata, such as security attributes associated with information. State-of-the-practice integrity-checking mechanisms (e.g., parity checks, cyclical redundancy checks, cryptographic hashes) and associated tools can automatically monitor the integrity of information systems and hosted applications. Organizations may define different integrity checking and anomaly responses by type of information (e.g., firmware, software, user data); by specific information (e.g., boot firmware, boot firmware for a specific types of machines); or a combination of both. Automatic implementation of specific safeguards within organizational information systems includes, for example, reversing the changes, halting the information system, restarting the information system, notification to the appropriate personnel or roles, or triggering audit alerts when unauthorized modifications to critical security files occur. This capability must take into account operational requirements for availability for selecting an appropriate response.
Checks: C-66655r1_chk

Review the Trend Deep Security server configuration to ensure security safeguards are implemented when integrity violations are discovered. Verify Integrity Monitoring is enabled for all connected host systems by navigating to Policy >> Policy Editor. Navigate to Integrity Monitoring >> General, verify that the Integrity Monitoring module is "On" and configured with assigned rules. If "Integrity Monitoring" is not set to "On", this is a finding.

Fix: F-72083r3_fix

Configure the Trend Deep Security server to implement security safeguards when integrity violations are discovered. To enable Integrity Monitoring functionality on a computer: In the Policy/Computer editor, go to Integrity Monitoring >> General Select "On", and then click "Assign/Unassign". Select the appropriate rules applicable to the information system being monitored. Click "Save".

b
Trend Deep Security must generate audit records when successful/unsuccessful attempts to modify privileges occur.
AU-12 - Medium - CCI-000172 - V-66011 - SV-80501r1_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
TMDS-00-000350
Vuln IDs
  • V-66011
Rule IDs
  • SV-80501r1_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Checks: C-66659r1_chk

Review the Trend Deep Security server configuration to ensure audit records are generated when successful/unsuccessful attempts to modify privileges occur. Review the system using the Administration >> System Settings >> System Events tab for successful/unsuccessful attempts to delete privileges. If the options for “Record” and “Forward” are not enabled for successful/unsuccessful attempts to delete privileges, this is a finding

Fix: F-72087r1_fix

Configure the Trend Deep Security server to generate audit records when successful/unsuccessful attempts to modify privileges occur. Configure the alert using the Administration >> System Settings >> System Events for the successful/unsuccessful attempts to delete privileges. Select the “Record” and “Forward” options for the following: - Event ID: 102 Trend Micro Deep Security Customer Account Changed - Event ID: 130 Credentials Generated - Event ID: 131 Credential Generation Failed - Event ID: 290 Group Added - Event ID: 291 Group Removed - Event ID: 291 Group Removed - Event ID: 652 User Updated - Event ID: 660 Role Created - Event ID: 651 User Deleted - Event ID: 661 Role Deleted - Event ID: 662 Role Updated - Event ID: 663 Roles Imported - Event ID: 1900 Cloud Account Added - Event ID: 1901 Cloud Account Removed - Event ID: 1902 Cloud Account Updated

b
Trend Deep Security must generate audit records when successful/unsuccessful attempts to modify security objects occur.
AU-12 - Medium - CCI-000172 - V-66013 - SV-80503r1_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
TMDS-00-000355
Vuln IDs
  • V-66013
Rule IDs
  • SV-80503r1_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Checks: C-66661r1_chk

Review the Trend Deep Security server configuration to ensure audit records are generated when successful/unsuccessful attempts to modify security objects occur. Review the system using the Administration >> System Settings >> System Events tab for successful/unsuccessful attempts to modify security objects. If the options for “Record” and “Forward” are not enabled for successful/unsuccessful attempts to modify security objects, this is a finding

Fix: F-72089r1_fix

Configure the Trend Deep Security server to generate audit records when successful/unsuccessful attempts to modify security objects occur. Configure the alert using the Administration >> System Settings >> System Events for successful/unsuccessful attempts to modify security objects. Select the “Record” and “Forward” options for the following: - Event ID: 116 Rule Update Applied - Event ID: 180 Alert Type Updated - Event ID: 191 Alert Changed - Event ID: Relay Group Assigned to Computer - Event ID: 290 Group Added - Event ID: 292 Group Updated - Event ID: 306 Rebuild Baseline Requested - Event ID: 352 Policy Updated - Event ID: 378 Virtual Machine unprotected after move to another ESXi - Event ID: 412 Firewall Rule Updated - Event ID: 422 Firewall Stateful Configuration Updated - Event ID: 462 Application Type Updated - Event ID: 472 Intrusion Prevention Rule Updated - Event ID: 482 Integrity Monitoring Rule Updated - Event ID: 492 Log Inspection Rule Updated - Event ID: 507 Context Updated - Event ID: 512 IP List Updated - Event ID: 522 Port List Updated - Event ID: 532 MAC List Updated - Event ID: 542 Proxy Updated - Event ID: 552 Schedule Updated - Event ID: 575 Asset Value Updated - Event ID: 622 Access from Primary Tenant Enabled - Event ID: 623 Access from Primary Tenant Disabled - Event ID: 711 Agent Software Deployed - Event ID: 713 Agent Software Removed - Event ID: 720 Policy Sent - Event ID: 734 Computer Clock Change - Event ID: 942 Auto-Tag Rule Updated - Event ID: 1502 Malware Scan Configuration Updated - Event ID: 1512 File Extension List Updated - Event ID: 1517 File List Updated - Event ID: 1550 Web Reputation Settings Updated - Event ID: 1554 Firewall Stateful Configuration Updated - Event ID: 1555 Intrusion Prevention Configuration Updated - Event ID: 2002 Scan Cache Configuration Object Updated

b
Trend Deep Security must generate audit records when successful/unsuccessful attempts to modify security levels occur.
AU-12 - Medium - CCI-000172 - V-66017 - SV-80507r1_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
TMDS-00-000360
Vuln IDs
  • V-66017
Rule IDs
  • SV-80507r1_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Checks: C-66665r1_chk

Review the Trend Deep Security server configuration to ensure audit records are generated when successful/unsuccessful attempts to modify security levels occur. Review the system using the Administration >> System Settings >> System Events tab for successful/unsuccessful attempts to modify security levels. If the “Record” and “Forward” options for successful/unsuccessful attempts to modify security levels are not enabled, this is a finding.

Fix: F-72093r1_fix

Configure the Trend Deep Security server to generate audit records when successful/unsuccessful attempts to modify security levels occur. Configure the alert using the Administration >> System Settings >> System Events tab for successful/unsuccessful attempts to modify security levels. Select the “Record” and “Forward” options for the following: - Event ID: 253 Policy Assigned to Computer - Event ID: 350 Policy Created - Event ID: 352 Policy Updated - Event ID: 720 Policy Sent - Event ID: 410 Firewall Rule Created - Event ID: 420 Firewall Stateful Configuration Created - Event ID: 460 Application Type Created - Event ID: 470 Intrusion Prevention Rule Created - Event ID: 480 Integrity Monitoring Rule Created - Event ID: 490 Log Inspection Rule Created - Event ID: 495 Log Inspection Decoder Created - Event ID: 573 Asset Value Created - Event ID: 1500 Malware Scan Configuration Created - Event ID: 1510 File Extension List Created

b
Trend Deep Security must generate audit records when successful/unsuccessful attempts to delete privileges occur.
AU-12 - Medium - CCI-000172 - V-66019 - SV-80509r1_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
TMDS-00-000365
Vuln IDs
  • V-66019
Rule IDs
  • SV-80509r1_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Checks: C-66667r1_chk

Review the Trend Deep Security server configuration to ensure audit records are generated when successful/unsuccessful attempts to delete privileges occur. Review the system using the Administration >> System Settings >> System Events tab for successful/unsuccessful attempts to delete privileges. If the “Record” and “Forward” options for successful/unsuccessful attempts to delete privileges are not enabled, this is a finding.

Fix: F-72095r1_fix

Configure the Trend Deep Security server to generate audit records when successful/unsuccessful attempts to delete privileges occur. Configure the alert using the Administration >> System Settings >> System Events tab for successful/unsuccessful attempts to delete privileges. Select the “Record” and “Forward” options for the following: - Event ID: 124 Rule Update Deleted - Event ID: 661 Role Deleted - Event ID: 671 Contact Deleted - Event ID: 291 Group Removed - Event ID: 1901 Cloud Account Removed

b
Trend Deep Security must generate audit records when successful/unsuccessful attempts to delete security objects occur.
AU-12 - Medium - CCI-000172 - V-66023 - SV-80513r1_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
TMDS-00-000375
Vuln IDs
  • V-66023
Rule IDs
  • SV-80513r1_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Checks: C-66671r1_chk

Review the Trend Deep Security server configuration to ensure audit records are generated when successful/unsuccessful attempts to delete security objects occur. Review the system using the Administration >> System Settings >> System Events tab for successful/unsuccessful attempts to delete security objects. If the “Record” and “Forward" options for are not enabled for successful/unsuccessful attempts to delete security objects, this is a finding.

Fix: F-72099r1_fix

Configure the Trend Deep Security server to generate audit records when successful/unsuccessful attempts to delete security objects occur. Configure the alert using the Administration >> System Settings >> System Events tab for successful/unsuccessful attempts to delete security objects. Select the “Record” and “Forward” options for the following: - Event ID: 124 Rule Update Deleted - Event ID: 152 Software Deleted - Event ID: 295 Interface Deleted - Event ID: 296 Interface IP Deleted - Event ID: 331 SSL Configuration Deleted - Event ID: 351 Policy Deleted - Event ID: 411 Firewall Rule Deleted - Event ID: 421 Firewall Stateful Configuration Deleted - Event ID: 461 Application Type Deleted - Event ID: 471 Intrusion Prevention Rule Deleted - Event ID: 481 Integrity Monitoring Rule Deleted - Event ID: 491 Log Inspection Rule Deleted - Event ID: 496 Log Inspection Decoder Deleted - Event ID: 506 Context Deleted - Event ID: 574 Asset Value Deleted - Event ID: 593 Relay Group Deleted - Event ID: 595 Event-Based Task Deleted - Event ID: 931 Certificate Deleted - Event ID: 941 Auto-Tag Rule Deleted - Event ID: 943 Tag Deleted - Event ID: 1501 Malware Scan Configuration Deleted - Event ID: 1501 Malware Scan Configuration Deleted - Event ID: 1511 File Extension List Deleted - Event ID: 1516 File List Deleted - Event ID: 1951 Tenant Deleted - Event ID: 1954 Tenant Database Server Deleted

b
Trend Deep Security must generate audit records when successful/unsuccessful logon attempts occur.
AU-12 - Medium - CCI-000172 - V-66025 - SV-80515r1_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
TMDS-00-000380
Vuln IDs
  • V-66025
Rule IDs
  • SV-80515r1_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Checks: C-66673r1_chk

Review the Trend Deep Security server configuration to ensure audit records are generated when successful/unsuccessful logon attempts occur. Review the system using the Administration >> System Settings >> System Events for successful/unsuccessful attempts for "User Signed In" (Event ID 600). If the options for “Record” and “Forward” are not enabled, this is a finding.

Fix: F-72101r1_fix

Configure the Trend Deep Security server to generate audit records when successful/unsuccessful logon attempts occur. Configure the alert using the Administration >> System Settings >> System Events for successful/unsuccessful for "User Signed In" (Event ID 600). Select “Record” and “Forward”.

b
Trend Deep Security must generate audit records for privileged activities or other system-level access.
AU-12 - Medium - CCI-000172 - V-66027 - SV-80517r1_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
TMDS-00-000385
Vuln IDs
  • V-66027
Rule IDs
  • SV-80517r1_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Checks: C-66675r1_chk

Review the Trend Deep Security server configuration to ensure audit records are generated for privileged activities or other system-level access. Interview the ISSO for a list of functions identified as privileged within the application “System Events.” Privileged functions within the system events will include but are not limited to: Computer Created, Computer Deleted, User Added, etc. Verify the list against the Administration >> System Settings >> System Events tab. If the events are not set to “Record” and “Forward”, this is a finding.

Fix: F-72103r1_fix

Configure the Trend Deep Security server to generate audit records for privileged activities or other system-level access. Enable the necessary privileged functions by selecting “Record” and “Forward” within the Administration >> System Settings >> System Events, system settings.

b
Trend Deep Security must generate audit records when successful/unsuccessful accesses to objects occur.
AU-12 - Medium - CCI-000172 - V-66029 - SV-80519r1_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
TMDS-00-000390
Vuln IDs
  • V-66029
Rule IDs
  • SV-80519r1_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Checks: C-66677r1_chk

Review the Trend Deep Security server to ensure audit records are generated when successful/unsuccessful accesses to objects occur. Interview the ISSO for a list of functions identified as objects that should be audited within the application “System Events.” Verify the list against the Administration >> System Settings >> System Events tab. If the events are not set to “Record” and “Forward”, this is a finding.

Fix: F-72105r1_fix

Configure the Trend Deep Security server to generate audit records when successful/unsuccessful accesses to objects occur. Enable the necessary objects required for audit by selecting “Record” and “Forward” within the Administration >> System Settings >> System Events, system settings.

b
Trend Deep Security must generate audit records for all direct access to the information system.
AU-12 - Medium - CCI-000172 - V-66031 - SV-80521r1_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
TMDS-00-000395
Vuln IDs
  • V-66031
Rule IDs
  • SV-80521r1_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Checks: C-66679r1_chk

Review the Trend Deep Security server to ensure audit records are generated for all direct access to the information system. Interview the ISSO for a list of direct access objects that should be audited within the application “System Events.” Verify the list against the Administration >> System Settings >> System Events tab. If the events are not set to “Record” and “Forward”, this is a finding.

Fix: F-72107r1_fix

Configure the Trend Deep Security server to generate audit records for all direct access to the information system. Enable the necessary audit setting to capture direct access to the system by selecting “Record” and “Forward” within the Administration >> System Settings >> System Events, system settings.

b
Trend Deep Security must generate audit records for all account creations, modifications, disabling, and termination events.
AU-12 - Medium - CCI-000172 - V-66033 - SV-80523r1_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
TMDS-00-000400
Vuln IDs
  • V-66033
Rule IDs
  • SV-80523r1_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Checks: C-66681r1_chk

Review the Trend Deep Security server to ensure audit records are generated for all account creations, modifications, disabling, and termination events. Verify all creations, modifications, disabling, and termination events identified within the Trend Deep Security System Events are set to “Record” and “Forward”. If the events are not set to “Record” and “Forward”, this is a finding.

Fix: F-72109r1_fix

Configure the Trend Deep Security server to generate audit records for all account creations, modifications, disabling, and termination events. Enable the necessary setting required for audit by selecting “Record” and “Forward” within the Administration >> System Settings >> System Events, system settings.

b
Trend Deep Security must generate audit records for all kernel module load, unload, and restart events and, also for all program initiations.
AU-12 - Medium - CCI-000172 - V-66035 - SV-80525r1_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
TMDS-00-000405
Vuln IDs
  • V-66035
Rule IDs
  • SV-80525r1_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Checks: C-66683r1_chk

Review the Trend Deep Security server to ensure audit records are generated for all kernel module load, unload, and restart events and, also for all program initiations. Verify that audit records are off-loaded by configuring the Manager to instruct all managed computers to use Syslog: 1. Go to the Administration >> System Settings >> SIEM tab. 2. In the System Event Notification (from the Manager) area, verify the “Forward System Events to a remote computer (via Syslog)" box is checked. 3. Verify the IP address to the selected host name is entered. 4. Verify UDP port 514 or agency selected port is provided. 5. Verify the appropriate Syslog facility and Common Event Settings If any of these settings are missing from the SIEM configuration, this is a finding.

Fix: F-72111r1_fix

Configure the Trend Deep Security server to generate audit records for all kernel module load, unload, and restart events and, also for all program initiations. To configure the Manager to instruct all managed computers to use Syslog: 1. Go to the Administration >> System Settings >> SIEM tab. 2. In the “System Event Notification (from the Manager)” area, check the “Forward System Events to a remote computer (via Syslog)” box. 3. Type the hostname or the IP address of the Syslog computer. 4. Enter which UDP port to use (usually 514). 5. Select which Syslog facility to use. 6. Select the "Common Event Format" log format. (The "Basic Syslog" format is listed only for legacy support and should not be used for new integrations).

b
Trend Deep Security must, at a minimum, off-load interconnected systems in real time and off-load standalone systems weekly.
AU-4 - Medium - CCI-001851 - V-66037 - SV-80527r1_rule
RMF Control
AU-4
Severity
Medium
CCI
CCI-001851
Version
TMDS-00-000410
Vuln IDs
  • V-66037
Rule IDs
  • SV-80527r1_rule
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
Checks: C-66685r1_chk

Review the Trend Deep Security server configuration to ensure, at a minimum, off-load interconnected systems in real time and off-load standalone systems weekly. Verify that audit records are off-loaded by configuring the Manager to instruct all managed computers to use Syslog: 1. Go to the Administration >> System Settings >> SIEM tab. 2. In the System Event Notification (from the Manager) area, verify the “Forward System Events to a remote computer (via Syslog)" box is checked. 3. Verify the IP address to the selected host name is entered. 4. Verify UDP port 514 or agency selected port is provided. 5. Verify the appropriate Syslog facility and Common Event Settings If any of these settings are missing from the SIEM configuration, this is a finding.

Fix: F-72113r1_fix

Configure the Trend Deep Security server to, at a minimum, off-load interconnected systems in real time and off-load standalone systems weekly. To configure the Manager to instruct all managed computers to use Syslog: 1. Go to the Administration >> System Settings >> SIEM tab. 2. In the “System Event Notification (from the Manager)” area, check the “Forward System Events to a remote computer (via Syslog)” box. 3. Type the hostname or the IP address of the Syslog computer. 4. Enter which UDP port to use (usually 514). 5. Select which Syslog facility to use. 6. Select the "Common Event Format" log format. (The "Basic Syslog" format is listed only for legacy support and should not be used for new integrations).

b
Trend Deep Security must synchronize with Active Directory on a daily (or AO-defined) basis.
CM-6 - Medium - CCI-000366 - V-66043 - SV-80533r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
TMDS-00-004515
Vuln IDs
  • V-66043
Rule IDs
  • SV-80533r1_rule
Configuring the application to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the application, including the parameters required to satisfy other security control requirements.
Checks: C-66687r2_chk

Review the Trend Deep Security server to ensure synchronization occurs with Active Directory on a daily (or AO-defined) basis. Under Administration >> Scheduled Tasks, review the scheduled tasks listed for "Daily Sync Users". If a task for syncing user's accounts with AD does not exist, this is a finding.

Fix: F-72119r2_fix

Configure the Trend Deep Security server to synchronize with Active Directory on a daily (or AO-defined) basis. Under Administration >> Scheduled Tasks, click "New". From the "Type" drop down menu, select "Synchronize Users/Contacts". Select "Daily", and click "Next". Enter start date, start time, and select "Every Day". Click "Next". Enter a unique name for this scheduled task or leave the default. Check the box for" Task Enabled", click "Finish".

c
Trend Deep Security must reside on a Web Server configured for multifactor authentication.
CM-6 - High - CCI-000366 - V-66045 - SV-80535r1_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
TMDS-00-004520
Vuln IDs
  • V-66045
Rule IDs
  • SV-80535r1_rule
Configuring the application to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the application, including the parameters required to satisfy other security control requirements.
Checks: C-66689r1_chk

Review the Web Server hosting Trend Deep Security to ensure multifactor authentication has been configured. 1. Open Internet Information Services (IIS) Manager. 2. In the console tree, expand the server name. 3. In the server Home page, double-click Authentication to open the Authentication page. 4. In the Authentication page, right-click AD Client Certificate Authentication, and ensure "Enable" is selected. 5. Close the Authentication page. 6. In the server Home page, double-click SSL Settings to open the SSL Settings page. 7. Ensure the "Require SSL" Checkbox is checked, and "Require" radio button is selected. 8. Close the SSL Settings page. 9. Close IIS Manager. If "Enable" is not selected in the Authentication page, this is a finding. If "Require SSL" is not selected in the SSL Settings page, this is a finding. If "Ignore" or "Accept" radio buttons are selected in the SSL settings page, this is a finding.

Fix: F-72121r1_fix

Configure the Web Server hosting Trend Deep Security for multifactor authentication. To configure the authentication method in IIS: 1. Open Internet Information Services (IIS) Manager. 2. In the console tree, expand the server name. 3. In the server Home page, double-click Authentication to open the Authentication page. 4. In the Authentication page, right-click AD Client Certificate Authentication, and click "Enable". 5. Close the Authentication page. 6. In the server Home page, double-click SSL Settings to open the SSL Settings page. 7. Select the "Require SSL" Checkbox, and "Require" radio button. 8. Close the SSL Settings page. 9. Close IIS Manager.

b
Trend Deep Security must enforce password complexity by requiring that at least one lower-case character be used.
IA-5 - Medium - CCI-000193 - V-66047 - SV-80537r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000193
Version
TMDS-00-000150
Vuln IDs
  • V-66047
Rule IDs
  • SV-80537r1_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
Checks: C-66691r1_chk

Review the Trend Deep Security server configuration to ensure password complexity is enforced by requiring that at least one lower-case character be used. Verify the values for password complexity. If the "User password requires both upper-and lower-case characters" value for password complexity under the Administration >> System Settings >> Security tab has not been set, this is a finding.

Fix: F-72123r1_fix

Configure the Trend Deep Security server to enforce password complexity by requiring that at least one lower-case character be used. Enable the checkbox for the "User password requires both upper-and lower-case characters" policy value for password complexity under the Administration >> System Settings >> Security tab.