Review the Trend Deep Security server configuration to ensure the number of concurrent sessions is limited to one. In the administration console go to:
System Settings >> Security >> Number of concurrent sessions allowed per User
Review the policy to ensure no more than 1 session is permitted. If more than 1 session is permitted, this is a finding.
Configure the Trend Deep Security server to limit the number of concurrent sessions to one. Set the concurrent session limit to 1:
Administration >> System Settings >> Security >> Number of concurrent sessions allowed per User >> 1
Review the Trend Deep Security server configuration to ensure a session lock is initiated after a 15-minute period of inactivity. Review the application System Settings to ensure the session timeout is set to 15 minutes or less:
Administration >> System Settings >> Security >> User Security >> Session Timeout: 10 Minutes
If the session timeout is not set to 15 minutes or less, this is a finding.
Configure the Trend Deep Security server to initiate a session lock after a 15-minute period of inactivity. Set the Session Timeout to 15 minutes or less:
Administration >> Security >> User Security >> Session Timeout: 10 Minutes
Review the Trend Deep Security server to ensure account creation is automatically audited. Verify "User Created" events are enabled by reviewing the following:
Administration >> System Settings >> System Events >> Enable Event ID 650 User Created
Select: Record
Select: Forward
If "User Created" is not enabled, this is a finding.
Configure the Trend Deep Security server to automatically audit account creation. Enable "User Created" events by selecting the following:
Administration >> System Settings >> System Events >> Enable Event ID 650 User Created
Select: Record
Select: Forward
Review the Trend Deep Security server configuration to ensure account modification is automatically audited. Verify "User Updated" events are enabled by reviewing the following:
Administration >> System Settings >> System Events >> Enable Event ID 652 User Updated
Select: Record
Select: Forward
If "User Updated" is not enabled, this is a finding.
Configure the Trend Deep Security server to automatically audit account modification. Enable "User Updated" events by selecting the following:
Administration >> System Settings >> System Events >> Enable Event ID 652 User Updated
Select: Record
Select: Forward
Review the Trend Deep Security server configuration to ensure account disabling actions are automatically audited. Verify "User Locked Out" events are enabled by reviewing the following:
Administration >> System Settings >> System Events >> Enable Event ID 603 User Locked Out
Select: Record
Select: Forward
If "User Locked Out" is not enabled, this is a finding.
Configure the Trend Deep Security server to automatically audit account disabling actions. Enable "User Locked Out" events by selecting the following:
Administration >> System Settings >> System Events >> Enable Event ID 603 User Locked Out
Select: Record
Select: Forward
Review the Trend Deep Security server configuration to ensure account removal actions are automatically audited. Verify "User Deleted" events are enabled by reviewing the following:
Administration >> System Settings >> System Events >> Enable Event ID 651 User Deleted
Select: Record
Select: Forward
If "User Deleted" is not enabled, this is a finding.
Configure the Trend Deep Security server to automatically audit account removal actions. Enable "User Deleted" events by selecting the following:
Administration >> System Settings >> System Events >> Enable Event ID 651 User Deleted
Select: Record
Select: Forward
Review the Trend Deep Security server configuration to ensure approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies are enforced. Interview the ISSO to identify all users with permissions to the application. The ISSO must identify each user along with their assigned role configured for the appropriate information systems allowed. Verify the information gathered against the application's "Computer and Group Rights" for each "Role" created, along with the users assigned. If the information gathered does not match the settings within the application, this is a finding.
Configure the Trend Deep Security server to enforce approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies. Use the Computer and Group Rights panel to confer viewing, editing, deleting, Alert-dismissal, and Event tagging rights to Users in a Role. These rights can apply to all computers and computer groups, or they can be restricted to only certain computers. To restrict access, select the "Selected Computers" radio button and put a check next to the computer groups and computers that Users in this Role will have access to.
Administration >> User Management >> Roles
Select a Role and click Properties >> Computer Rights
Review the Trend Deep Security server to ensure approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies are enforced. Interview the ISSO to identify all users with permissions to the application. The ISSO must identify each user along with their assigned role configured for the appropriate information systems allowed. Verify the information gathered against the application's "Computer and Group Rights" for each "Role" created, along with the users assigned. If the information gathered does not match the settings within the application, this is a finding.
Configure the Trend Deep Security server to enforce approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies. Use the Computer and Group Rights panel to confer viewing, editing, deleting, Alert-dismissal, and Event tagging rights to Users in a Role. These rights can apply to all computers and computer groups, or they can be restricted to only certain computers. To restrict access, select the "Selected Computers" radio button and put a check next to the computer groups and computers that Users in this Role will have access to.
Administration >> User Management >> Roles
Select a Role and click Properties >> Computer Rights
Review the Trend Deep Security server configuration to ensure the limit of three consecutive invalid logon attempts by a user during a 15-minute time period is enforced. Verify the number of failed logon attempts allowed. Go to:
Administration >> System Settings >> Security >> User Security >> Number of incorrect sign-in attempts allowed (before lock out): 3
If the number is greater than 3, this is a finding.
Configure the Trend Deep Security server to enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. Configure the number of failed logon attempts allowed to 3:
Administration >> System Settings >> Security >> User Security >> Number of incorrect sign-in attempts allowed (before lock out): 3
Review the Trend Deep Security server configuration to ensure audit record generation capability for DoD-defined auditable events within all application components is provided. Verify the Administration >> System Settings >> System Events are set to “Record” for the following:
- successful and unsuccessful logon attempts
- privileged activities or other system-level access
- starting and ending time for user access to the system
- concurrent logons from different workstations
- successful and unsuccessful accesses to objects
- all program initiations
- all direct access to the information system
- all account creation, modification, disabling, and termination actions
If these settings are not set to “Record”, this is a finding.
Configure Trend Deep Security to provide audit record generation capability for DoD-defined auditable events within all application components. Go to Administration >> System Settings >> System Events, and set the following to “Record”:
160 Authentication Failed
600 User Signed In
601 User Signed Out
602 User Timed Out
603 User Locked Out
604 User Unlocked
608 User Session Validation Failed
609 User Made Invalid Request
610 User Session Validated
611 User Viewed Firewall Event
613 User Viewed Intrusion Prevention Event
615 User Viewed System Event
616 User Viewed Integrity Monitoring Event
617 User Viewed Log Inspection Event
618 User Viewed Quarantined File Detail
619 User Viewed Anti-Malware Event
620 User Viewed Web Reputation Event
621 User Signed In As Tenant
650 User Created
651 User Deleted
652 User Updated
653 User Password Set
660 Role Created
661 Role Deleted
662 Role Updated
702 Credentials Generated
703 Credential Generation Failed
Review the Trend Deep Security server to ensure only the ISSM (or individuals or roles appointed by the ISSM) is allowed to select which auditable events are to be audited. Verify the user roles and assigned permissions within Administration >> User Management >> Roles >> Properties >> Other Rights. If a user role (e.g., Auditor) has any "View Only" for Alerts, Alert Configuration, Integrity Monitoring, and Log Inspection Rules, this is a finding.
Configure the Trend Deep Security server to only allow the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited. Configure the assigned permissions for user roles within Administration >> User Management >> Roles >> Properties >> Other Rights. Set the following to "View Only":
Alerts
Alert Configuration
Integrity Monitoring
Log Inspection Rule
Review the Trend Deep Security server configuration to ensure only the ISSM (or individuals or roles appointed by the ISSM) is allowed to select which auditable events are to be audited. Verify the following events within Administration >> System Settings >> System Events are set to “Record”:
660 Role Created
661 Role Deleted
662 Role Updated
663 Roles Imported
664 Roles Exported
If these settings are not set to “Record”, this is a finding.
Configure the Trend Deep Security server to generate audit records when successful/unsuccessful attempts to access privileges occur. Go to Administration >> System Settings >> System Events, and set the following to “Record”:
660 Role Created
661 Role Deleted
662 Role Updated
663 Roles Imported
664 Roles Exported
Review the Trend Deep Security server to ensure session auditing upon startup is initiated. Verify the following events within Administration >> System Settings >> System Events are set to “Record”:
600 User Signed In
601 User Signed Out
602 User Timed Out
603 User Locked Out
608 User Session Validation Failed
610 User Session Validated
If these settings are not set to “Record”, this is a finding.
Configure the Trend Deep Security server to initiate session auditing upon startup. Go to Administration >> System Settings >> System Events, and set the following to “Record”:
600 User Signed In
601 User Signed Out
602 User Timed Out
603 User Locked Out
608 User Session Validation Failed
610 User Session Validated
Review the Trend Deep Security server configuration to ensure the capability for authorized users to capture, record, and log all content related to a user session is provided. Verify the following events within Administration >> System Settings >> System Events are set to “Record”:
600 User Signed In
601 User Signed Out
602 User Timed Out
603 User Locked Out
608 User Session Validation Failed
610 User Session Validated
If these settings are not set to “Record”, this is a finding.
Configure the Trend Deep Security server to provide the capability for authorized users to capture, record, and log all content related to a user session. Go to Administration >> System Settings >> System Events, and set the following to “Record”:
600 User Signed In
601 User Signed Out
602 User Timed Out
603 User Locked Out
608 User Session Validation Failed
610 User Session Validated
Review the Trend Deep Security server configuration to ensure the ISSO and SA (at a minimum) are alerted in the event of an audit processing failure. Verify any audit processing failure events within Administration >> System Settings >> System Events are set to “Forward”. If these settings are not set to “Forward”, this is a finding.
Configure the Trend Deep Security server to alert the ISSO and SA (at a minimum) in the event of an audit processing failure. Go to Administration >> System Settings >> System Events, and set the following to “Forward”:
0 Unknown Error
266 Warnings/Errors Cleared
609 User Made Invalid Request
740 Agent/Appliance Error
801 Error Dismissed
913 Automatic Diagnostic Package Error
923 Usage Information Package Error
997 Tagging Error
998 System Event Notification Error
999 Internal Software Error
1677 Trusted Platform Module Error
Review the Trend Deep Security server configuration to ensure audit information is protected from any type of unauthorized read access. Interview the ISSO to identify all users and their permissions to the audit records. The ISSO must identify each user along with their assigned role configured for the appropriate information systems allowed. Verify the information gathered against the application's "Computer and Group Rights" for each "Role" created, along with the users assigned. If the information gathered does not match the settings within the application, this is a finding.
Configure the Trend Deep Security server to protect audit information from any type of unauthorized read access. Edit the audit permissions according to local policy by modifying the roles under:
Administration >> User Management >> Roles
Select the applicable role. Click "Computer Rights" to modify user permissions. Next select “Other Rights” and modify accordingly.
Review the Trend Deep Security server configuration to ensure audit information is protected from unauthorized modification. Interview the ISSO to identify all users and their permissions to the audit records. The ISSO must identify each user along with their assigned role configured for the appropriate information systems allowed. Verify the information gathered against the application's "Computer and Group Rights" for each "Role" created, along with the users assigned. If the information gathered does not match the settings within the application, this is a finding.
Configure the Trend Deep Security server to protect audit information from unauthorized modification. Edit the audit permissions according to local policy by modifying the roles under:
Administration >> User Management >> Roles
Select the applicable role. Click "Computer Rights" to modify user permissions. Next select “Other Rights” and modify accordingly.
Review the Trend Deep Security server configuration to ensure audit information is protected from unauthorized deletion. Interview the ISSO to identify all users and their permissions to the audit records. The ISSO must identify each user along with their assigned role configured for the appropriate information systems allowed. Verify the information gathered against the application's "Computer and Group Rights" for each "Role" created, along with the users assigned. If the information gathered does not match the settings within the application, this is a finding.
Configure the Trend Deep Security server to protect audit information from unauthorized deletion. Edit the audit permissions according to local policy by modifying the roles under:
Administration >> User Management >> Roles
Select the applicable role. Click "Computer Rights" to modify user permissions. Next select “Other Rights” and modify accordingly.
Review the Trend Deep Security server configuration to ensure audit tools are protected from unauthorized access. Interview the ISSO to identify all users and their permissions to the audit records. The ISSO must identify each user along with their assigned role configured for the appropriate information systems allowed. Verify the information gathered against the application's "Computer and Group Rights" for each "Role" created, along with the users assigned. If the information gathered does not match the settings within the application, this is a finding.
Configure the Trend Deep Security server to protect audit tools from unauthorized access. Edit the audit permissions according to local policy by modifying the roles under:
Administration >> User Management >> Roles
Select the applicable role. Click "Computer Rights" to modify user permissions. Next select “Other Rights” and modify accordingly.
Review the Trend Deep Security server to ensure audit tools are protected from unauthorized modification. Interview the ISSO to identify all users and their permissions to the audit records. The ISSO must identify each user along with their assigned role configured for the appropriate information systems allowed. Verify the information gathered against the application's "Computer and Group Rights" for each "Role" created, along with the users assigned. If the information gathered does not match the settings within the application, this is a finding.
Configure the Trend Deep Security server to protect audit tools from unauthorized modification. Edit the audit permissions according to local policy by modifying the roles under:
Administration >> User Management >> Roles
Select the applicable role. Click "Computer Rights" to modify user permissions. Next select “Other Rights” and modify accordingly.
Review the Trend Deep Security server configuration to ensure audit tools are protected from unauthorized deletion. Interview the ISSO to identify all users and their permissions to the audit records. The ISSO must identify each user along with their assigned role configured for the appropriate information systems allowed. Verify the information gathered against the application's "Computer and Group Rights" for each "Role" created, along with the users assigned. If the information gathered does not match the settings within the application, this is a finding.
Configure the Trend Deep Security server to protect audit tools from unauthorized deletion. Edit the audit permissions according to local policy by modifying the roles under:
Administration >> User Management >> Roles
Select the applicable role. Click "Computer Rights" to modify user permissions. Next select “Other Rights” and modify accordingly.
Review the Trend Deep Security server configuration to ensure audit records are backed up at least every seven days onto a different system or system component than the system or component being audited. Verify the application backup frequency by reviewing the configuration settings in Administration >> System Settings >> SIEM. If "Forward System Events to a remote computer (via Syslog)" is not enabled with the proper configuration settings, this is a finding.
Configure the Trend Deep Security server to back up audit records at least every seven days onto a different system or system component than the system or component being audited. Configure the application to forward audit records to a log management tool for backup and storage. Go to Administration >> System Settings >> SIEM and enable "Forward System Events to a remote computer (via Syslog)". Configure the following:
- Hostname or IP address to which events should be sent
- UDP port to which events should be sent
- Syslog Facility
- Syslog Format
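The syslog forwarding configured above is also what lets the receiving SIEM confirm that the "Record"/"Forward" settings and the three-attempt lockout limit from the earlier requirements are actually taking effect. The following Python is an added example, not Trend Micro's code: the sample lines are constructed, and it assumes the forwarded records use the CEF syslog format with the Deep Security event ID in the Signature ID field, the affected account in the target/suser fields, and an rt= receipt timestamp in epoch milliseconds.

```python
"""Audit-coverage and lockout-effectiveness checks over Deep Security Manager
system events forwarded to a syslog/SIEM collector in CEF format.
Added example, not Trend Micro code.  Sample lines are constructed; the CEF
layout (event ID as Signature ID, account in target/suser, rt= epoch ms) is assumed."""
import re
from collections import defaultdict

# Event IDs the STIG requires to be set to "Record" (from the check text above).
REQUIRED_RECORD_EVENTS = {
    160: "Authentication Failed", 600: "User Signed In", 601: "User Signed Out",
    602: "User Timed Out", 603: "User Locked Out", 604: "User Unlocked",
    608: "User Session Validation Failed", 609: "User Made Invalid Request",
    610: "User Session Validated", 650: "User Created", 651: "User Deleted",
    652: "User Updated", 653: "User Password Set", 660: "Role Created",
    661: "Role Deleted", 662: "Role Updated", 702: "Credentials Generated",
    703: "Credential Generation Failed",
}
# Lockout policy from the STIG: three invalid logon attempts within 15 minutes.
MAX_FAILURES = 3
WINDOW_MS = 15 * 60 * 1000

_HEADER_SPLIT = re.compile(r"(?<!\\)\|")          # header separator; '\|' is literal
_EXT_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")  # extension key=value pairs

# Constructed sample of forwarded events (syslog PRI/timestamp/host, then CEF).
SAMPLE_SYSLOG = """\
<134>Nov 14 22:13:20 dsm01 CEF:0|Trend Micro|Deep Security Manager|20.0.1|600|User Signed In|3|suser=alice target=alice msg=User signed in from 192.0.2.10 rt=1700000000000
<134>Nov 14 22:14:05 dsm01 CEF:0|Trend Micro|Deep Security Manager|20.0.1|160|Authentication Failed|4|suser=bob target=bob msg=Invalid password rt=1700000045000
<134>Nov 14 22:15:10 dsm01 CEF:0|Trend Micro|Deep Security Manager|20.0.1|160|Authentication Failed|4|suser=bob target=bob msg=Invalid password rt=1700000110000
<134>Nov 14 22:16:30 dsm01 CEF:0|Trend Micro|Deep Security Manager|20.0.1|160|Authentication Failed|4|suser=bob target=bob msg=Invalid password rt=1700000190000
<134>Nov 14 22:16:31 dsm01 CEF:0|Trend Micro|Deep Security Manager|20.0.1|603|User Locked Out|6|suser=System target=bob msg=Too many failed sign-in attempts rt=1700000191000
<134>Nov 14 22:20:00 dsm01 CEF:0|Trend Micro|Deep Security Manager|20.0.1|160|Authentication Failed|4|suser=carol target=carol msg=Invalid password rt=1700000400000
<134>Nov 14 22:21:00 dsm01 CEF:0|Trend Micro|Deep Security Manager|20.0.1|160|Authentication Failed|4|suser=carol target=carol msg=Invalid password rt=1700000460000
<134>Nov 14 22:22:00 dsm01 CEF:0|Trend Micro|Deep Security Manager|20.0.1|160|Authentication Failed|4|suser=carol target=carol msg=Invalid password rt=1700000520000
<134>Nov 14 22:25:00 dsm01 CEF:0|Trend Micro|Deep Security Manager|20.0.1|650|User Created|3|suser=alice target=dave msg=User created rt=1700000700000
"""

def parse_cef(line):
    """Parse one syslog line carrying a CEF record; return a dict or None."""
    start = line.find("CEF:")
    if start < 0:
        return None
    parts = _HEADER_SPLIT.split(line[start:].rstrip(), maxsplit=7)
    if len(parts) != 8 or not parts[4].isdigit():
        return None  # malformed header or non-numeric Signature ID
    ev = {"vendor": parts[1], "product": parts[2], "event_id": int(parts[4]),
          "name": parts[5], "severity": parts[6]}
    for key, value in _EXT_KV.findall(parts[7]):
        ev[key] = value.replace("\\=", "=").replace("\\\\", "\\")
    return ev

def _events(lines):
    return [ev for ev in map(parse_cef, lines) if ev]

def audit_coverage(lines):
    """Return (seen, missing): required event IDs present in the forwarded
    stream and those never observed.  A required ID that never appears over a
    realistic period suggests it is not set to Record/Forward in the manager."""
    seen = {ev["event_id"] for ev in _events(lines)}
    required = set(REQUIRED_RECORD_EVENTS)
    return seen & required, required - seen

def _account(ev):
    # Assumed field usage: target names the affected account, suser the actor.
    return ev.get("target") or ev.get("suser") or "<unknown>"

def failed_logons_without_lockout(lines):
    """Accounts with MAX_FAILURES 'Authentication Failed' (160) events inside
    WINDOW_MS that were not followed by 'User Locked Out' (603) before the
    window closed, i.e. where the configured lockout did not take effect."""
    timed = [ev for ev in _events(lines) if str(ev.get("rt", "")).isdigit()]
    failures, lockouts = defaultdict(list), defaultdict(list)
    for ev in sorted(timed, key=lambda e: int(e["rt"])):
        if ev["event_id"] == 160:
            failures[_account(ev)].append(int(ev["rt"]))
        elif ev["event_id"] == 603:
            lockouts[_account(ev)].append(int(ev["rt"]))
    flagged = set()
    for account, times in failures.items():
        for i in range(len(times) - MAX_FAILURES + 1):
            first, last = times[i], times[i + MAX_FAILURES - 1]
            if last - first > WINDOW_MS:
                continue  # attempts too spread out; try the next window
            if not any(last <= t <= first + WINDOW_MS for t in lockouts[account]):
                flagged.add(account)
            break  # the first qualifying window decides this account
    return flagged

if __name__ == "__main__":
    lines = SAMPLE_SYSLOG.splitlines()
    seen, missing = audit_coverage(lines)
    print("required IDs observed:", sorted(seen))
    print("required IDs never observed:", sorted(missing))
    print("accounts past the failure limit with no lockout:",
          sorted(failed_logons_without_lockout(lines)))
```

On the constructed sample, bob's three failures are followed by a 603 lockout and pass, while carol's three failures with no lockout are flagged; the same functions run unchanged over a real forwarded feed once the field assumptions are confirmed against the collector's output.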
Review the Trend Deep Security server configuration to ensure cryptographic mechanisms are used to protect the integrity of audit information. Verify PDF encryption is enabled for report generation. Go to Administration >> User Management >> Users, right-click an administrative user account, and select "Properties". Within the "Settings" tab, check "Enable PDF Encryption". If "Enable PDF Encryption" is not enabled, this is a finding.
Configure the Trend Deep Security server to use cryptographic mechanisms to protect the integrity of audit information. Enable encryption for report generation. Go to Administration >> User Management >> Users, right-click an administrative user account, and select "Properties". Within the "Settings" tab, select "Enable PDF Encryption" and enter a password.
Review the Trend Deep Security server to ensure the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments, is prohibited or restricted. Review the firewall policy for approved ports, protocols, and services associated with a defined group or a selected computer by selecting Computers on the top menu bar. Choose the appropriate group and, within the main page, select a computer for review. Double-click the selected computer and click "Firewall". Verify the following settings are enabled:
Configuration: Inherit or On
State: Activated
Firewall Stateful Configurations: Inherited (if managed through a group policy)
Assigned Firewall Rules: configured in accordance with local security policy
If the options identified are not set or configured in accordance with local policy, this is a finding.
Configure the Trend Deep Security server to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. From the top menu select Policies >> New >> New Policy. Enter a Name for the new policy. In “Inherit from”, select “None”. Click “Next” and select “Yes”. Choose the applicable computers that will inherit this policy, and click “Next”. Ensure all options are selected in the “Select which Computer properties to base new Policy on:” window, and click “Next”. Click “Finish”.
Review the Trend Deep Security server to ensure all media used for system maintenance is scanned prior to use. Verify Anti-Malware is enabled on each server that is applicable to the accreditation boundary. Go to Computers. Right-click a computer from the list of systems and select Properties >> Anti-Malware >> General. Verify Configuration is set to "On" or "Inherit On". If Configuration is set to "Off", this is a finding.
Configure the Trend Deep Security server to scan all media used for system maintenance prior to use. The scope of Malware Scans can be controlled by editing the Malware Scan Configuration that is in effect on a computer. The Malware Scan Configuration determines which files and directories are included or excluded during a scan and which actions are taken if malware is detected on a computer (for example, clean, quarantine, or delete). There are two types of Malware Scan Configurations:
- Manual/Scheduled Scan Configurations
- Real-Time Scan Configurations
To enable Anti-Malware functionality on a computer: Go to Computers. Right-click a computer from the list of systems and select Properties >> Anti-Malware >> General. Set Configuration to "On" or "Inherit On".
Review the Trend Deep Security server configuration to ensure automated mechanisms for supporting account management functions are provided. Interview the ISSO to obtain a list of authorized users and their respective roles supporting the application. Review the identified users within the following:
Administration >> User Management >> Users >> Assign Role
If the identified users do not match the roles assigned within the application, this is a finding.
Configure the Trend Deep Security server to provide automated mechanisms for supporting account management functions. Configure the user permissions according to their assigned roles within the organization:
Administration >> User Management >> Users >> Assign Role
Review the Trend Deep Security server configuration to ensure organizational users (or processes acting on behalf of organizational users) are uniquely identified and authenticated. Verify the user accounts under Administration >> User Management >> Users. If the accounts configured do not uniquely specify the organizational user's affiliation, this is a finding.
Configure the Trend Deep Security server to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). Configure the appropriate affiliation display for the specified user under Administration >> User Management >> Users. Right-click the user account, click "Properties", and select “User Name”. Enter the appropriate user identifiers.
Review the Trend Deep Security server to ensure users are authenticated with an individual authenticator prior to using a group authenticator. Review the settings to ensure identity management is being performed through the organization's Active Directory. Navigate to Administration >> User Management >> Users and click "Synchronize with Directory". Select "Re-Synchronize (Using previous settings)", and click "Next". If the synchronization fails, this is a finding.
Configure the Trend Deep Security server to authenticate users with an individual authenticator prior to using a group authenticator. Navigate to Administration >> User Management >> Users and click "Synchronize with Directory". Under Server, enter the following information:
- Server Address (IP of the AD Server)
- Access Method (UserID/Password StartTLS)
- UserName (Authorized, site-defined service account used for synchronizing with Trend Deep Security)
- Password
Click "Next". Select the authorized AD group used for managing the Trend Deep Security accounts, and click "Next". Under "New User" Options, select the appropriate Role and click "Next". Click "Finish".
Review the Trend Deep Security server configuration to ensure a minimum 15-character password length is enforced. Verify the policy value for minimum password length. If the value for “User password minimum length” under the Administration >> System Settings >> Security tab is not set to 15, this is a finding.
Configure the Trend Deep Security server to enforce a minimum 15-character password length. Configure the policy value for minimum password length. Under the Administration >> System Settings >> Security tab, set the value for “User password minimum length” to 15.
Review the Trend Deep Security server configuration to ensure password complexity is enforced by requiring that at least one upper-case character be used. Verify the values for password complexity. If the "User password requires both upper-and lower-case characters" value for password complexity under the Administration >> System Settings >> Security tab has not been set, this is a finding.
Configure the Trend Deep Security server to enforce password complexity by requiring that at least one uppercase character be used. Enable the checkbox for the "User password requires both upper-and lower-case characters" policy value for password complexity under the Administration >> System Settings >> Security tab.
Review the Trend Deep Security server configuration to ensure password complexity is enforced by requiring that at least one numeric character be used. Verify the values for password complexity. If the "User password requires both letters and numbers" value for password complexity under the Administration >> System Settings >> Security tab has not been set, this is a finding.
Configure the Trend Deep Security server to enforce password complexity by requiring that at least one numeric character be used. Enable the checkbox for the "User password requires both letters and numbers" policy value for password complexity under the Administration >> System Settings >> Security tab.
Review the Trend Deep Security server configuration to ensure password complexity is enforced by requiring that at least one special character be used. Verify the values for password complexity. If the "User password requires non-alphanumeric characters" value for password complexity under the Administration >> System Settings >> Security tab has not been set, this is a finding.
Configure the Trend Deep Security server to enforce password complexity by requiring that at least one special character be used. Enable the checkbox for the "User password requires non-alphanumeric characters" policy value for password complexity under the Administration >> System Settings >> Security tab.
Review the Trend Deep Security server configuration to ensure a 60-day maximum password lifetime restriction is enforced. Verify the policy value for maximum password lifetime. If the value for “User password expires” under the Administration >> System Settings >> Security tab is not set to 60 Days, this is a finding.
Configure the Trend Deep Security server to enforce a 60 day maximum password lifetime restriction. Configure the policy value for maximum password lifetime. Under the Administration >> System Settings >> Security tab, set the value for “User password expires” to 60.
Review the Trend Deep Security server configuration to ensure non-organizational users (or processes acting on behalf of non-organizational users) are uniquely identified and authenticated. Verify the user accounts under Administration >> User Management >> Users. If the accounts configured do not uniquely specify the user's affiliation, this is a finding.
Configure the Trend Deep Security server to uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users). To help prevent inadvertent disclosure of controlled information, all contractors are identified by the inclusion of the abbreviation "ctr" and all foreign nationals are identified by the inclusion of their two-character country code. See ECAD-1 Affiliation Display. Configure the appropriate affiliation display for the specified user under Administration >> User Management >> Users. Right-click the user account, click "Properties", and select “User Name”. Enter the appropriate user identifiers.
Review the Trend Deep Security server configuration to ensure all network connections associated with a communications session are terminated at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity; and for user sessions (non-privileged sessions), the session must be terminated after 15 minutes of inactivity, except to fulfill documented and validated mission requirements. If the value for user session termination under Administration >> System Settings >> Security >> Session timeout is not set to 10 minutes, this is a finding.
Configure the Trend Deep Security server to terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity; and for user sessions (non-privileged session), the session must be terminated after 15 minutes of inactivity, except to fulfill documented and validated mission requirements. Configure the policy value for session timeout. Under the Administration >> System Settings >> Security, set the value for “Session timeout” to 10 minutes.
Review the Trend Deep Security server configuration to ensure security functions are isolated from non-security functions. In order to restrict access to security functions through the use of access control mechanisms, least privilege capabilities must be enforced within the Deep Security, “User management” settings. If role-based access controls are not enforced within the Administration >> User management >> Roles, this is a finding.
Configure the Trend Deep Security server to isolate security functions from non-security functions. Configure role-based access controls for least privileged accounts within the Administration >> User management >> Roles.
Review the Trend Deep Security server configuration to ensure the ability of individuals to use information systems to launch organization-defined Denial of Service (DoS) attacks against other information systems is restricted. Deep Security policies for Firewall Rules can be disruptive, causing a denial of service to the environment if not properly configured. It is imperative that access to the firewall rule policies be restricted to authorized personnel by enforcing least privilege within the Deep Security “User Management” settings. If role-based access controls are not enforced within Administration >> User Management >> Roles >> [Policy Name] >> Properties >> Policy Rights, this is a finding.
Configure the Trend Deep Security server to restrict the ability of individuals to use information systems to launch organization-defined Denial of Service (DoS) attacks against other information systems. Configure the role-based access controls to prevent access to policy modifications within Administration >> User Management >> Roles >> [Policy Name] >> Properties >> Policy Rights. The “Edit” option should only be enabled for authorized users.
Review the Trend Deep Security server configuration to ensure excess capacity, bandwidth, or other redundancy is managed to limit the effects of information flooding types of Denial of Service (DoS) attacks. Review the “CPU Usage Level” under Administration >> System Settings >> Advanced >> CPU Usage During Recommendation Scans. Depending on resource capabilities for monitored agent scans, it may be necessary to lower the “CPU Usage Level” from High to Low. If the setting is not configured in accordance with the SA best practice recommendation, this is a finding.
Configure the Trend Deep Security server to manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks. Configure the “CPU Usage Level” in accordance with the SA best practice under Administration >> System Settings >> Advanced >> CPU Usage During Recommendation Scans.
Review the Trend Deep Security server configuration to ensure malicious code protection mechanisms are automatically updated. Analyze the system using the Administration >> System Settings >> Updates page. Verify that the “Automatically download updates to imported software” option is checked. If this option is not enabled, this is a finding.
Configure the Trend Deep Security server to automatically update malicious code protection mechanisms. Go to the Administration >> System Settings >> Updates page, and scroll down to Software Updates. Check the box to enable “Automatically download updates to imported software”.
Review the Trend Deep Security server configuration to ensure the ISSO and ISSM are notified of failed security verification tests. From Administration >> User Management >> Users, select the account associated with the ISSM or ISSO and double-click it. Under the Contact Information tab, verify the Contact Information associated with the account is complete and accurate. If the account information is missing or incorrect, this is a finding. Next, verify the "Receive Alert Email" check box is selected. If the "Receive Alert Email" check box is not selected, this is a finding.
Configure the Trend Deep Security server to notify the ISSO and ISSM of failed security verification tests. Go to Administration >> User Management >> Users, select the account associated with the ISSM or ISSO and double-click it. Under the “Contact Information” tab, enter the user's Contact Information. Next, select the check box for “Receive Alert Emails”.
Review the Trend Deep Security server configuration to ensure malicious code protection mechanisms are updated whenever new releases are available in accordance with organizational configuration management policy and procedures. Analyze the system using the Administration >> System Settings >> Updates page. Verify that the “Automatically download updates to imported software” option is enabled. If this option is not enabled, this is a finding.
Configure the Trend Deep Security server to update malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures. Go to the Administration >> System Settings >> Updates page, and scroll down to Software Updates. Check the box to enable “Automatically download updates to imported software”.
Review the Trend Deep Security server configuration to ensure malicious code protection mechanisms perform periodic scans of the information system every seven (7) days. Analyze one of the custom policies under the “Policies” tab by right-clicking it and selecting “Details.” Verify the following settings are enabled:
1. Under the Overview >> General tab, "Anti-Malware" is set to “On”.
2. Under the Anti-Malware >> General tab, “Real-Time Scan” is set to “Default”.
3. Under the Anti-Malware >> General tab, a custom “Malware Scan Configuration” is enabled with a Schedule configured for no more than 7 days.
If "Anti-Malware" is set to anything other than “On”, this is a finding. If “Malware Scan Configuration” is set to “No Configuration,” this is a finding.
Configure the Trend Deep Security server malicious code protection mechanisms to perform periodic scans of the information system every seven (7) days. To enable malicious code protection via the anti-malware module, configure the following settings under the “Policies” tab. Under “Policies”, right-click the policy and select “Details.” Configure the following settings:
1. Under the Overview >> General tab, set "Anti-Malware" to “On”.
2. Under the Anti-Malware >> General tab, set “Real-Time Scan” to “Default”.
3. Under the Anti-Malware >> General tab, set a weekly scan under “Scheduled” by selecting “New”. Name the scheduled scan “Weekly” and configure it for a selected day and time of the week.
Click “OK” when finished.
Review the Trend Deep Security server to ensure real-time malicious code protection scans are performed on files from external sources at endpoints as the files are downloaded, opened, or executed in accordance with organizational security policy. Verify the Anti-Malware Real-Time Scan is enabled by reviewing the following settings under the “Policies” tab. Under “Policies”, right-click the policy, select “Details” and choose “Anti-Malware.” Review the following settings: the Anti-Malware State is set to “On” and the “Real-Time Scan” is set to “Default.” If the two settings are not configured accordingly, this is a finding.
Configure the Trend Deep Security server to perform real-time malicious code protection scans of files from external sources at endpoints as the files are downloaded, opened, or executed in accordance with organizational security policy. To enable malicious code protection via the anti-malware module, configure the following settings under the “Policies” tab. Under “Policies”, right-click the policy and select “Details.” Configure the following settings:
1. Under the Overview >> General tab, set "Anti-Malware" to “On”.
2. Under the Anti-Malware >> General tab, set “Real-Time Scan” to “Default”.
Click “OK” when finished.
Review the Trend Deep Security server configuration to ensure malicious code is blocked and quarantined upon detection, and an immediate alert is then sent to appropriate individuals. Verify the “Custom remediation actions” for “Recognized Malware” under the Policy settings for Anti-Malware.
- Under the “Policies” tab, right-click any of the selected policies and click “Details.”
- Choose “Anti-Malware” and deselect “Default Real-Time Scan Configuration.” Be sure to re-enable this option once the review is complete.
- Click “Edit” and select “Actions.”
- Under “Recognized Malware”, verify the following settings:
  - For Virus: Clean
  - For Trojans: Quarantine
  - For Packer: Quarantine
  - For Spyware: Quarantine
  - For Other Threats: Clean
- Under “Possible Malware”, verify “Quarantine” is selected.
If any of the settings are not configured accordingly, this is a finding.
Configure the Trend Deep Security server to block and quarantine malicious code upon detection, then send an immediate alert to appropriate individuals. Configure the “Custom remediation actions” for “Recognized Malware” under the Policy settings for Anti-Malware.
- Under the “Policies” tab, right-click any of the selected policies and click “Details.”
- Choose “Anti-Malware” and deselect “Default Real-Time Scan Configuration.” Be sure to re-enable this option once the configuration is complete.
- Click “Edit” and select “Actions.”
- Under “Recognized Malware”, configure the following settings:
  - For Virus: Clean
  - For Trojans: Quarantine
  - For Packer: Quarantine
  - For Spyware: Quarantine
  - For Other Threats: Clean
- Under “Possible Malware”, select “Quarantine.”
Review the Trend Deep Security server configuration to ensure System Administrators and Information System Security Officers are notified when accounts are created. 1. Analyze the system using the Administration >> System Settings >> Alerts. Review the email address listed in the “Alert Event Forwarding (From The Manager).” If this email address is not present or does not belong to a distribution for system administrators and ISSOs, this is a finding. 2. Analyze the system using the Administration >> System Settings >> System Events for “User Created” Event ID 650. If the options for “Record” and “Forward” are not enabled for "User Created", this is a finding.
Configure the Trend Deep Security server to notify System Administrators and Information System Security Officers when accounts are created. 1. Configure Events and Alerts to notify the SA and ISSO using the Administration >> System Settings >> Alerts tab. Insert a distribution email address into the “Alert Event Forwarding (From The Manager).” The distribution email address must be configured within Exchange or another email server and must include the SA and ISSO accounts reviewing and/or managing the system. 2. Configure the alert using the Administration >> System Settings >> System Events for “User Created” Event ID 650. Select the options for “Record” and “Forward”.
Review the Trend Deep Security server configuration to ensure System Administrators and Information System Security Officers are notified when accounts are modified. 1. Analyze the system using the Administration >> System Settings >> Alerts. Review the email address listed in the “Alert Event Forwarding (From The Manager).” If this email address is not present or does not belong to a distribution for system administrators and ISSOs, this is a finding. 2. Analyze the system using the Administration >> System Settings >> System Events for “User Updated” Event ID 652. If the options for “Record” and “Forward” are not enabled for "User Updated", this is a finding.
Configure the Trend Deep Security server to notify System Administrators and Information System Security Officers when accounts are modified. 1. Configure Events and Alerts to notify the SA and ISSO using the Administration >> System Settings >> Alerts tab. Insert a distribution email address into the “Alert Event Forwarding (From The Manager).” The distribution email address must be configured within Exchange or another email server and must include the SA and ISSO accounts reviewing and/or managing the system. 2. Configure the alert using the Administration >> System Settings >> System Events for “User Updated” Event ID 652. Select the options for “Record” and “Forward”.
Review the Trend Deep Security server configuration to ensure System Administrators and Information System Security Officers are notified when accounts are disabled. 1. Analyze the system using the Administration >> System Settings >> Alerts. Review the email address listed in the “Alert Event Forwarding (From The Manager).” If this email address is not present or does not belong to a distribution for system administrators and ISSOs, this is a finding. 2. Analyze the system using the Administration >> System Settings >> System Events for “User Locked Out” Event ID 603. If the options for “Record” and “Forward” are not enabled for "User Locked Out", this is a finding.
Configure the Trend Deep Security server to notify System Administrators and Information System Security Officers of account disabling actions. 1. Configure Events and Alerts to notify the SA and ISSO using the Administration >> System Settings >> Alerts tab. Insert a distribution email address into the “Alert Event Forwarding (From The Manager).” The distribution email address must be configured within Exchange or another email server and must include the SA and ISSO accounts reviewing and/or managing the system. 2. Configure the alert using the Administration >> System Settings >> System Events for “User Locked Out” Event ID 603. Select the options for “Record” and “Forward”.
Review the Trend Deep Security server configuration to ensure System Administrators and Information System Security Officers are notified when accounts are removed. 1. Analyze the system using the Administration >> System Settings >> Alerts. Review the email address listed in the “Alert Event Forwarding (From The Manager).” If this email address is not present or does not belong to a distribution for system administrators and ISSOs, this is a finding. 2. Analyze the system using the Administration >> System Settings >> System Events for “User Deleted” Event ID 651. If the options for “Record” and “Forward” are not enabled for "User Deleted", this is a finding.
Configure the Trend Deep Security server to notify System Administrators and Information System Security Officers of account removal actions. 1. Configure Events and Alerts to notify the SA and ISSO using the Administration >> System Settings >> Alerts tab. Insert a distribution email address into the “Alert Event Forwarding (From The Manager).” The distribution email address must be configured within Exchange or another email server and must include the SA and ISSO accounts reviewing and/or managing the system. 2. Configure the alert using the Administration >> System Settings >> System Events for “User Deleted” Event ID 651. Select the options for “Record” and “Forward”.
Review the Trend Deep Security server configuration to ensure account enabling actions are automatically audited. 1. Analyze the system using the Administration >> System Settings >> Alerts. Review the email address listed in the “Alert Event Forwarding (From The Manager).” If this email address is not present or does not belong to a distribution for system administrators and ISSOs, this is a finding. 2. Analyze the system using the Administration >> System Settings >> System Events for “User Created” Event ID 650. If the options for “Record” and “Forward” are not enabled for "User Created", this is a finding.
Configure the Trend Deep Security server to automatically audit account enabling actions. 1. Configure Events and Alerts to notify the SA and ISSO using the Administration >> System Settings >> Alerts tab. Insert a distribution email address into the “Alert Event Forwarding (From The Manager).” The distribution email address must be configured within Exchange or another email server and must include the SA and ISSO accounts reviewing and/or managing the system. 2. Configure the alert using the Administration >> System Settings >> System Events for “User Created” Event ID 650. Select the options for “Record” and “Forward”.
Review the Trend Deep Security server configuration to ensure the SA and ISSO are notified of account enabling actions. 1. Analyze the system using the Administration >> System Settings >> Alerts. Review the email address listed in the “Alert Event Forwarding (From The Manager).” If this email address is not present or does not belong to a distribution for system administrators and ISSOs, this is a finding. 2. Analyze the system using the Administration >> System Settings >> System Events for “User Created” Event ID 650. If the options for “Record” and “Forward” are not enabled for "User Created", this is a finding.
Configure the Trend Deep Security server to notify the SA and ISSO of account enabling actions. 1. Configure Events and Alerts to notify the SA and ISSO using the Administration >> System Settings >> Alerts tab. Insert a distribution email address into the “Alert Event Forwarding (From The Manager).” The distribution email address must be configured within Exchange or another email server and must include the SA and ISSO accounts reviewing and/or managing the system. 2. Configure the alert using the Administration >> System Settings >> System Events for “User Created” Event ID 650. Select the options for “Record” and “Forward”.
Review the Trend Deep Security server to ensure the execution of privileged functions is audited. Interview the ISSO for a list of functions identified as privileged within the application “System Events.” Privileged functions within the system events include, but are not limited to: Computer Created, Computer Deleted, User Added, etc. Verify the list against the Administration >> System Settings >> System Events tab. If the events are not set to Record and Forward, this is a finding.
Configure the Trend Deep Security server to audit the execution of privileged functions. Enable the necessary privileged functions by selecting “Record” and “Forward” within the Administration >> System Settings >> System Events tab.
Review the Trend Deep Security server configuration to ensure audit records are off-loaded onto a different system or media than the system being audited. Verify that audit records are off-loaded by confirming the Manager is configured to instruct all managed computers to use Syslog:
1. Go to the Administration >> System Settings >> SIEM tab.
2. In the System Event Notification (from the Manager) area, verify the “Forward System Events to a remote computer (via Syslog)” option is enabled.
3. Verify the IP address or host name of the Syslog host is entered.
4. Verify UDP port 514 or the agency-selected port is provided.
5. Verify the appropriate Syslog facility and Common Event Format settings.
If any of these settings are missing from the SIEM configuration, this is a finding.
Configure the Trend Deep Security server to off-load audit records onto a different system or media than the system being audited. To configure the Manager to instruct all managed computers to use Syslog:
1. Go to the Administration >> System Settings >> SIEM tab.
2. In the System Event Notification (from the Manager) area, set the Forward System Events to a remote computer (via Syslog) option.
3. Type the hostname or the IP address of the Syslog computer.
4. Enter which UDP port to use (usually 514).
5. Select which Syslog facility to use.
6. Select the "Common Event Format" log format. (The "Basic Syslog" format is listed only for legacy support and should not be used for new integrations.)
Review the Trend Deep Security server configuration to ensure an immediate warning is provided to the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of repository maximum audit record storage capacity. 1. Analyze the system using the Administration >> System Settings >> Alerts tab. Review the email address listed in the “Alert Event Forwarding (From The Manager).” If this email address is not present or does not belong to a distribution for system administrators and ISSOs, this is a finding. 2. Analyze the system using the Administration >> System Settings >> System Events tab for “Manager Available Disk Space Too Low” Event ID 170. If the options for “Record” and “Forward” are not enabled for “Manager Available Disk Space Too Low”, this is a finding.
Configure the Trend Deep Security server to provide an immediate warning to the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of repository maximum audit record storage capacity. 1. Configure Events and Alerts to notify the SA and ISSO using the Administration >> System Settings >> Alerts tab. Insert a distribution email address into the “Alert Event Forwarding (From The Manager).” The distribution email address must be configured within Exchange or another email server and must include the SA and ISSO accounts reviewing and/or managing the system. 2. Configure the alert using the Administration >> System Settings >> System Events for “Manager Available Disk Space Too Low” Event ID 170. Select the options for “Record” and “Forward”.
Review the Trend Deep Security server configuration to ensure an immediate real-time alert is provided to the SA and ISSO, at a minimum, of all audit failure events requiring real-time alerts. Analyze the system using the Administration >> System Settings >> Alerts tab. Review the email address listed in the “Alert Event Forwarding (From The Manager).” If this email address is not present or does not belong to a distribution for system administrators and ISSOs, this is a finding.
Configure the Trend Deep Security server to provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events requiring real-time alerts. Configure Events and Alerts to notify the SA and ISSO using the Administration >> System Settings >> Alerts tab. Insert a distribution email address into the “Alert Event Forwarding (From The Manager).” The distribution email address must be configured within Exchange or another email server and must include the SA and ISSO accounts reviewing and/or managing the system.
Review the Trend Deep Security server configuration to ensure the ISSO, ISSM, and other designated personnel (deemed appropriate by the local organization) are alerted when the unauthorized installation of software is detected. 1. Analyze the system using the Administration >> System Settings >> Alerts tab. Review the email address listed in the “Alert Event Forwarding (From The Manager).” If this email address is not present or does not belong to a distribution for system administrators and ISSOs, this is a finding. 2. Analyze the system using the Administration >> System Settings >> System Events for “Software Added” Event ID 151. If the options for “Record” and “Forward” are not enabled for “Software Added”, this is a finding.
Configure the Trend Deep Security server to alert the ISSO, ISSM, and other designated personnel (deemed appropriate by the local organization) when the unauthorized installation of software is detected. 1. Configure Events and Alerts to notify the SA and ISSO using the Administration >> System Settings >> Alerts tab. Insert a distribution email address into the “Alert Event Forwarding (From The Manager).” The distribution email address must be configured within Exchange or another email server and must include the SA and ISSO accounts reviewing and/or managing the system. 2. Configure the alert using the Administration >> System Settings >> System Events for “Software Added” Event ID 151. Select the options for “Record” and “Forward”.
Review the Trend Deep Security server configuration to ensure user installation of software without explicit privileged status is prohibited. Analyze the system using Administration >> User Management >> Roles. Review each role created that is not “Full Access”. Right-Click >> Properties on the desired role, and select “Other Rights.” The “Updates” setting should be set to “View Only” or “Hide.” If any other option is selected other than “View Only” or “Hide”, this is a finding.
Configure the Trend Deep Security server to prohibit user installation of software without explicit privileged status. Configure the application to prevent non-authorized users from updating Deep Security by selecting Administration >> User Management >> Roles. Right-Click >> Properties on any of the roles listed and choose “Other Rights.” Set the “Updates” setting to “View Only” or “Hide”.
Review the Trend Deep Security server configuration to ensure organization-defined automated security responses are implemented if baseline configurations are changed in an unauthorized manner. Deep Security Policies are policy templates that specify the security rules to be configured and enforced automatically for one or more computers. These compact, manageable rule sets make it simple to provide comprehensive security without the need to manage thousands of rules. Default Policies provide the necessary rules for a wide range of common computer configurations.
1. Analyze the system using the Administration >> System Settings >> Alerts tab. Review the email address listed in the “Alert Event Forwarding (From The Manager).” If this email address is not present or does not belong to a distribution for system administrators and ISSOs, this is a finding.
2. Analyze the system using the Administration >> System Settings >> System Events tab to ensure the following events are enabled:
350 Policy Created: Record, Forward
351 Policy Deleted: Record, Forward
352 Policy Updated: Record, Forward
353 Policies Exported: Record, Forward
354 Policies Imported: Record, Forward
If the options for “Record” and “Forward” are not enabled on these events, this is a finding.
Configure the Trend Deep Security server to implement organization-defined automated security responses if baseline configurations are changed in an unauthorized manner. Configure the application to prevent unauthorized changes to the baseline policies by selecting Administration >> System Settings >> System Events. Enable the Record and Forward option for each of the following:
350 Policy Created
351 Policy Deleted
352 Policy Updated
353 Policies Exported
354 Policies Imported
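The Record and Forward requirements above, together with the SIEM check, only hold if the forwarded System Events actually reach the collector. As an added example that is not part of the STIG or of Trend Micro's tooling, the following Python parses a captured Syslog/CEF stream and reports which of the Event IDs this STIG requires to be forwarded (User Created/Updated/Deleted/Locked Out, Software Added, Manager disk space, and the Policy events) never arrived; the CEF sample lines are constructed and only approximate the Manager's real output.

```python
"""Added example (not from the STIG or Trend Micro): check a captured Syslog/CEF
stream for the Deep Security Manager System Events this STIG requires to be set
to "Record" and "Forward". The sample lines are constructed and only approximate
the Manager's real CEF output."""
import re
from collections import Counter

# Event IDs the checks above require to be Recorded and Forwarded.
REQUIRED_EVENTS = {
    151: "Software Added",
    170: "Manager Available Disk Space Too Low",
    350: "Policy Created",
    351: "Policy Deleted",
    352: "Policy Updated",
    353: "Policies Exported",
    354: "Policies Imported",
    603: "User Locked Out",
    650: "User Created",
    651: "User Deleted",
    652: "User Updated",
}

# CEF extension: key=value pairs; a value runs until the next " key=" or end of line.
_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_cef(line):
    """Parse one syslog line carrying a CEF record.

    Returns a dict with the header fields and an 'extension' dict, or None when
    the line is not CEF. Any syslog PRI/timestamp/host prefix is skipped.
    CEF header: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
    """
    start = line.find("CEF:")
    if start < 0:
        return None
    body = line[start + len("CEF:"):]
    # Split on unescaped pipes only; a literal pipe inside a header field is "\|".
    fields = re.split(r"(?<!\\)\|", body, maxsplit=7)
    if len(fields) != 8:
        return None
    ver, vendor, product, dver, sig, name, sev, ext = (f.replace("\\|", "|") for f in fields)
    try:
        sig_id = int(sig)
    except ValueError:
        sig_id = None  # non-numeric Signature ID: keep the record, it cannot match an Event ID
    return {
        "cef_version": ver,
        "vendor": vendor,
        "product": product,
        "product_version": dver,
        "signature_id": sig_id,
        "name": name,
        "severity": sev,
        "extension": {m.group(1): m.group(2).strip() for m in _EXT_RE.finditer(ext)},
    }


def audit_forwarding(lines, required=REQUIRED_EVENTS):
    """Count required Deep Security Manager events present in the capture.

    Returns (seen, missing): seen is a Counter keyed by Event ID; missing maps
    every required Event ID that never arrived to its name, which is the list
    to compare against the "Forward" settings under System Events.
    """
    seen = Counter()
    for line in lines:
        ev = parse_cef(line)
        if ev is None or not ev["product"].startswith("Deep Security"):
            continue
        if ev["signature_id"] in required:
            seen[ev["signature_id"]] += 1
    missing = {eid: name for eid, name in required.items() if eid not in seen}
    return seen, missing


# Constructed sample capture (not real Manager output); PRI, timestamp and host
# precede the CEF record as a Syslog forwarder would write them.
SAMPLE_SYSLOG = [
    "<134>Mar 12 09:15:02 dsm01 CEF:0|Trend Micro|Deep Security Manager|N/A|650|User Created|3|suser=admin target=jsmith.ctr msg=User jsmith.ctr created",
    "<134>Mar 12 09:16:44 dsm01 CEF:0|Trend Micro|Deep Security Manager|N/A|652|User Updated|3|suser=admin target=jsmith.ctr",
    "<134>Mar 12 09:20:10 dsm01 CEF:0|Trend Micro|Deep Security Manager|N/A|352|Policy Updated|3|suser=admin target=Base Policy",
    "<134>Mar 12 09:21:00 dsm01 CEF:0|Trend Micro|Deep Security Manager|N/A|170|Manager Available Disk Space Too Low|6|msg=Disk space below threshold",
    "<134>Mar 12 09:22:00 dsm01 CEF:0|Trend Micro|Deep Security Manager|N/A|999|Constructed Unrelated Event|3|suser=admin",
    "<134>Mar 12 09:23:00 other CEF:0|Example Vendor|Other Product|1.0|650|Not a DSM event|3|msg=ignored",
    "Mar 12 09:24:00 dsm01 plain text line that is not CEF",
]

if __name__ == "__main__":
    seen, missing = audit_forwarding(SAMPLE_SYSLOG)
    for eid, count in sorted(seen.items()):
        print(f"seen    {eid} {REQUIRED_EVENTS[eid]}: {count}")
    for eid, name in sorted(missing.items()):
        print(f"MISSING {eid} {name}: verify Record/Forward under System Events")
```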
Review the Trend Deep Security server configuration to ensure access restrictions associated with changes to application configuration are enforced. Inspect the settings used for enforcing least privilege through access restrictions under Administration >> User Management >> Roles. Select a role under the “Roles” menu and click "Properties".
1. Select the “Computer Rights” tab and verify the settings configured under the “Computer and Group Rights” area. If non-authorized users have access to anything other than “View”, this is a finding.
2. Select the “Policy Rights” tab and verify the settings configured under the “Policy Rights” area. If non-authorized users have access to anything other than “View,” this is a finding.
3. Select the “User Rights” tab and verify the settings configured under the “User Rights” area. If non-authorized users have access to anything other than “Change own password and contact information only”, this is a finding.
4. Select the “Other Rights” tab and verify the settings configured under the “Other Rights” area. If non-authorized users have access to anything other than "View-Only" or "Hide", this is a finding.
Configure the Trend Deep Security server to enforce access restrictions associated with changes to application configuration. Under Administration >> User Management >> Roles, select a role and click “Properties”.
1. Click Computer Rights >> Computer and Group Rights, and select only the “View” check box.
2. Click Policy Rights >> Policy Rights, and select only the “View” check box.
3. Click User Rights >> User Rights, and select “Change own password and contact information only.”
4. Click Other Rights >> Other Rights, and select "View-Only" or "Hide" for all options according to local policy for the role's permissions.
5. Click "OK".
Review the Trend Deep Security server configuration to ensure the enforcement actions used to restrict access associated with changes to the application are audited. System Events include changes to the configuration of an Agent/Appliance, the Deep Security Manager, or Users. They also include errors that may occur during normal operation of the Trend Deep Security system. To ensure the necessary events are captured, verify the settings under Administration >> System Settings >> System Events against the local policy established by the ISSO. If the settings configured do not match local policy, this is a finding.
Configure the Trend Deep Security server to audit the enforcement actions used to restrict access associated with changes to the application. To configure the application to capture the events identified by the ISSO, go to the Administration >> System Settings >> System Events tab. Enable all applicable events with “Record” and “Forward.”
Review the Trend Deep Security server configuration to ensure only the use of DoD PKI established certificate authorities is allowed for verification of the establishment of protected sessions. Verify the certificate's issuing CA, the “Issued To” name, and the validity dates by clicking the certificate icon in the web browser and selecting View Certificates, Certificate Information, etc. (browser dependent). If the certificate is not issued by a DoD CA, this is a finding.
Configure the Trend Deep Security server to only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions.
1. Run the following command to create a CSR for your CA to sign:
C:\Program Files\Trend Micro\Deep Security Manager\jre\bin>keytool -certreq -keyalg RSA -alias tomcat -file certrequest.csr
2. Send the certrequest.csr to your CA to sign. In return you will get two files: one is a "certificate reply" and the second is the CA certificate itself.
3. Run the following command to import the CA certificate into the Java trusted keystore:
C:\Program Files\Trend Micro\Deep Security Manager\jre\bin>keytool -import -alias root -trustcacerts -file cacert.crt -keystore "C:\Program Files\Trend Micro\Deep Security Manager\jre\lib\security\cacerts"
4. Run the following command to import the CA certificate into your keystore (say yes to the warning message):
C:\Program Files\Trend Micro\Deep Security Manager\jre\bin>keytool -import -alias root -trustcacerts -file cacert.crt
5. Run the following command to import the certificate reply into your keystore:
C:\Program Files\Trend Micro\Deep Security Manager\jre\bin>keytool -import -alias tomcat -file certreply.txt
6. Run the following command to view the certificate chain in your keystore:
C:\Program Files\Trend Micro\Deep Security Manager\jre\bin>keytool -list -v
7. Copy the .keystore file from your user home directory (C:\Documents and Settings\Administrator) to C:\Program Files\Trend Micro\Deep Security Manager\
8. Open the configuration.properties file in the folder C:\Program Files\Trend Micro\Deep Security Manager. It will look something like:
keystoreFile=C\:\\Program Files\\Trend Micro\\Deep Security Manager\\.keystore
port=4119
keystorePass=$1$85ef650a5c40bb0f914993ac1ad855f48216fd0664ed2544bbec6de80160b2f
installed=true
serviceName=Trend Micro Deep Security Manager
9. Replace the password in the following string: keystorePass=xxxx, where "xxxx" is the password you supplied in step five.
10. Save and close the file.
11. Restart the Deep Security Manager service.
12. Connect to the Deep Security Manager with your browser and you will notice that the new SSL certificate is signed by your CA.
Review the Trend Deep Security server configuration to ensure a separate execution domain for each executing process is maintained. Review the network topology supporting Deep Security for separation of zones and host OS. If the architecture does not separate the Deep Security Manager (DSM) from the Database, this is a finding.
Configure the Trend Deep Security server to maintain a separate execution domain for each executing process. Install the Deep Security Manager on a dedicated server within a management zone. Next, connect the DSM to the assigned database provided. The database should be in a separate zone with the necessary firewall rules established for communication between the application server and the DB.
Review the Trend Deep Security server configuration to ensure the effects of all types of Denial of Service (DoS) attacks are protected against or limited by employing organization-defined security safeguards. Policies are templates that specify the settings and security rules to be configured and enforced automatically for one or more computers. These compact, manageable rule sets make it simple to provide comprehensive security without the need to manage thousands of rules. Default Policies provide the necessary rules for a wide range of common computer configurations. Select “Computers” from the top menu and double-click any computer in the “Computers” area. Click the “Firewall” menu and review the configuration setting under the “General” tab. If Firewall >> Configuration is set to "Off", this is a finding. Click the “Intrusion Prevention” menu and review the configuration setting under the “General” tab. If Intrusion Prevention >> Configuration is set to “Off”, this is a finding.
Configure the Trend Deep Security server to protect against or limit the effects of all types of Denial of Service (DoS) attacks by employing organization-defined security safeguards. 1. Create a new Policy based on a Recommendation Scan of a computer: - On the “Computers" page, Right-click the computer, and select Actions >> Scan for Recommendations. - When the scan is complete, return to the “Policies” page and click “New” to display the “New Policy” wizard. Enter the policy name and choose “None” from the “Inherit From” option. - When prompted, choose to base the new Policy on "an existing computer's current configuration". - Select "Recommended Application Types and Intrusion Prevention Rules", "Recommended Integrity Monitoring Rules", and "Recommended Log Inspection Rules" from among the computer's properties. 2. Create a new Firewall policy based on a Recommendation Scan of a computer: - On the “Computers” page, Double-click on a computer, and select Firewall >> Scan for Open Ports. - Assign the necessary Firewall rules based on the open ports identified. Repeat for all rules as necessary.
Review the Trend Deep Security server configuration to ensure organization-defined security safeguards are implemented to protect its memory from unauthorized code execution. Policies are templates that specify the settings and security rules to be configured and enforced automatically for one or more computers. These compact, manageable rule sets make it simple to provide comprehensive security without the need to manage thousands of rules. Default Policies provide the necessary rules for a wide range of common computer configurations. Select “Computers” from the top menu and double click on any computer from the “Computers” window. Click the “Firewall” option and review the Configuration setting under the “General” tab. If this is set to “Off”, this is a finding. Click the “Intrusion Prevention” option and review the Configuration setting under the “General” tab. If this is set to “Off”, this is a finding
Configure the Trend Deep Security server to implement organization-defined security safeguards to protect its memory from unauthorized code execution. 1. Create a new Policy based on a Recommendation Scan of a computer: - On the “Computers" page, Right-click the computer, and select Actions >> Scan for Recommendations. - When the scan is complete, return to the “Policies” page and click “New” to display the “New Policy” wizard. Enter the policy name and choose “None” from the “Inherit From” option. - When prompted, choose to base the new Policy on "an existing computer's current configuration". - Select "Recommended Application Types and Intrusion Prevention Rules", "Recommended Integrity Monitoring Rules", and "Recommended Log Inspection Rules" from among the computer's properties. 2. Create a new Firewall policy based on a Recommendation Scan of a computer: - On the “Computers” page, Double-Click on a computer, and select Firewall >> Scan for Open Ports. - Assign the necessary Firewall rules based on the open ports identified. Repeat for all rules as necessary.
Review the Trend Deep Security server configuration to ensure security-relevant software updates are installed within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs). Review the Scheduled Tasks under Administration >> Scheduled Tasks to see if “Daily Check for Security Updates” is present. If “Daily Check for Security Updates” is not present, this is a finding.
Configure the Trend Deep Security server to install security-relevant software updates within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs). Go to Scheduled Tasks under the “Administration” tab and click “New”. Under “Type”, select “Check for Security Updates”. Choose the “Daily” option, and click “Next”. Select a start date and time for the daily task, then choose “Every Day” and click “Next”. Select the computers or groups according to the organization's custom policy, and click “Next”. Enter a unique name for the scheduled task, choose the “Task Enabled” option, and click “Finish”.
Review the Trend Deep Security server configuration to ensure network services that have not been authorized or approved by the organization-defined authorization or approval processes are detected. Review the Intrusion Detection policy for approved ports, protocols and services associated with a defined group or a selected computer by: - Selecting “Computers” on the top menu bar. - Choosing the appropriate group and, within the main page, selecting a computer for review. - Double-clicking the selected computer and clicking “Intrusion Detection”. - Verifying the following settings are enabled: - Configuration: is set to On - Intrusion Prevention Behavior is set to Prevent or Detect; review local security policy for the appropriate setting. - Assigned Intrusion Prevention Rules: review local security policy for the appropriate setting. If the Assigned Intrusion Prevention Rules do not match the locally defined policy, this is a finding.
Configure the Trend Deep Security server to detect network services that have not been authorized or approved by the organization-defined authorization or approval processes. To configure Deep Security to detect unauthorized services through the Intrusion Detection module, go to Policies >> Intrusion Prevention >> Select New >> New Intrusion Prevention Rule - Under Details >> Application Type >> Select “New” - Enter the name of the network service - Choose the appropriate direction - Select the appropriate protocol - Choose the applicable ports.
Review the Trend Deep Security server configuration to ensure the event is logged, and the ISSO, ISSM, and other individuals designated by the local organization are alerted when unauthorized network services are detected. Policies are templates that specify the settings and security rules to be configured and enforced automatically for one or more computers. These compact, manageable rule sets make it simple to provide comprehensive security without the need to manage thousands of rules. Default Policies provide the necessary rules for a wide range of common computer configurations. Select “Computers” from the top menu and double click on any computer from the list. Under Firewall >> General Tab >> Firewall area, verify "Configuration" is set to "On". If "Configuration" is set to “Off”, this is a finding. Under Intrusion Detection >> General Tab >> Intrusion Detection area, verify "Configuration" is set to "On". If "Configuration" is set to “Off”, this is a finding.
Configure the Trend Deep Security server to log the event and alert the ISSO, ISSM, and other individuals designated by the local organization, when unauthorized network services are detected. Create a new Policy based on a Recommendation Scan of a computer. To do so, right-click the computer on the “Computers” page and select Actions >> Scan for Recommendations. When the scan is complete, return to the “Policies” page and click “New” to display the “New Policy” wizard. Enter the policy name and choose “None” from the “Inherit From” option. When prompted, choose to base the new Policy on "an existing computer's current configuration". Then select "Recommended Application Types and Intrusion Prevention Rules", "Recommended Integrity Monitoring Rules", and "Recommended Log Inspection Rules" from among the computer's properties. Firewall rules should be created for each individual computer in order to prevent services from being disrupted. You can create a new Firewall policy based on a Recommendation Scan of a computer. To do so, double-click a computer on the Computers page and select Firewall >> Scan for Open Ports. Assign the necessary Firewall rules based on the open ports identified. Apply other rules as necessary.
Review the Trend Deep Security server configuration to ensure inbound communications traffic is continuously monitored for unusual or unauthorized activities or conditions. Verify the state of the Intrusion Prevention policies: - Select “Computers” on the top menu bar. - Choose the appropriate group and, within the main page, select a computer for review. - Double-click the selected computer and click “Intrusion Prevention”. - Verify the following settings are enabled: - Configuration: is set to Inherit or On - “State:” is listing “Activated” - Policies are defined under the Assigned Intrusion Prevention Rules. If any of these settings are not configured, this is a finding.
Configure the Trend Deep Security server to continuously monitor inbound communications traffic for unusual or unauthorized activities or conditions. To enable Intrusion Prevention within Deep Security, go to “Computers” on the top menu bar. - Choose the appropriate group and, within the main page, select a computer for review. - Double-click the selected computer and click Intrusion Prevention. - Enable the following settings: - Configuration: Set to Inherit or On (according to local security policies) - Verify “State:” is listing “Activated” - Assign the appropriate policies under the Assigned Intrusion Prevention Rules.
Review the Trend Deep Security server configuration to ensure ISSO, ISSM, and other individuals designated by the local organization are alerted when the following Indicators of Compromise (IOCs) or potential compromise are detected: real time intrusion detection; threats identified by authoritative sources (e.g., CTOs); and Category I, II, IV, and VII incidents in accordance with CJCSM 6510.01B. 1. Analyze the system using the Administration >> System Settings >> Alerts tab. Review the email address listed in the “Alert Event Forwarding (From The Manager).” If this email address is not present or does not belong to a distribution group for system administrators and ISSOs, this is a finding. 2. Select “Computers” from the top menu and double-click any computer from the “Computers” window. Click the “Intrusion Prevention” option and review the Configuration setting under the “General” tab. If “Intrusion Prevention” is set to “Off”, this is a finding. 3. Select a rule from the “Assigned Intrusion Prevention Rules” and double-click to bring up the properties. Click “Options” and verify that the “Alert” tab is set to “On”. If “Alert” is set to “Off”, this is a finding.
Configure the Trend Deep Security server to alert the ISSO, ISSM, and other individuals designated by the local organization when the following Indicators of Compromise (IOCs) or potential compromise are detected: real-time intrusion detection; threats identified by authoritative sources (e.g., CTOs); and Category I, II, IV, and VII incidents in accordance with CJCSM 6510.01B. Configure Events and Alerts to notify the SA and ISSO using the Administration >> System Settings >> Alerts tab. Insert a distribution email address into the “Alert Event Forwarding (From The Manager).” The distribution email address must be configured within Exchange or another email server and must be associated with the SA and ISSO accounts reviewing and/or managing the system. Enable Intrusion Prevention by selecting the “Computers” tab from the top menu and double-clicking the computer to be configured from the list. Click Intrusion Prevention >> General. Select “On” under “Configuration”. Enable Alerts by selecting a rule from the “Assigned Intrusion Prevention Rules” and double-clicking to bring up the properties. Select the “Options” tab and set the “Alert” tab to “On”.
Review the Trend Deep Security server configuration to ensure the system administrator is notified when anomalies in the operation of the security functions are discovered. Verify Intrusion Prevention is enabled for all connected host systems by navigating to Policy >> Policy Editor. Navigate to Intrusion Prevention >> General, verify that the intrusion prevention module is "On" and configured with assigned rules. If "Intrusion Prevention" is not set to "On", this is a finding.
Configure the Trend Deep Security server to notify the system administrator when anomalies in the operation of the security functions are discovered. To enable Intrusion Prevention functionality on a computer: In the Policy/Computer editor, go to Intrusion Prevention >> General. Select "On", and then click "Assign/Unassign". Select the appropriate rules applicable to the information system being monitored. Click "Save".
Review the Trend Deep Security server configuration to ensure security safeguards are implemented when integrity violations are discovered. Verify Integrity Monitoring is enabled for all connected host systems by navigating to Policy >> Policy Editor. Navigate to Integrity Monitoring >> General, verify that the Integrity Monitoring module is "On" and configured with assigned rules. If "Integrity Monitoring" is not set to "On", this is a finding.
Configure the Trend Deep Security server to implement security safeguards when integrity violations are discovered. To enable Integrity Monitoring functionality on a computer: In the Policy/Computer editor, go to Integrity Monitoring >> General. Select "On", and then click "Assign/Unassign". Select the appropriate rules applicable to the information system being monitored. Click "Save".
Review the Trend Deep Security server configuration to ensure audit records are generated when successful/unsuccessful attempts to modify privileges occur. Review the system using the Administration >> System Settings >> System Events tab for successful/unsuccessful attempts to modify privileges. If the options for “Record” and “Forward” are not enabled for successful/unsuccessful attempts to modify privileges, this is a finding.
Configure the Trend Deep Security server to generate audit records when successful/unsuccessful attempts to modify privileges occur. Configure the alert using the Administration >> System Settings >> System Events for successful/unsuccessful attempts to modify privileges. Select the “Record” and “Forward” options for the following: - Event ID: 102 Trend Micro Deep Security Customer Account Changed - Event ID: 130 Credentials Generated - Event ID: 131 Credential Generation Failed - Event ID: 290 Group Added - Event ID: 291 Group Removed - Event ID: 652 User Updated - Event ID: 660 Role Created - Event ID: 651 User Deleted - Event ID: 661 Role Deleted - Event ID: 662 Role Updated - Event ID: 663 Roles Imported - Event ID: 1900 Cloud Account Added - Event ID: 1901 Cloud Account Removed - Event ID: 1902 Cloud Account Updated
Review the Trend Deep Security server configuration to ensure audit records are generated when successful/unsuccessful attempts to modify security objects occur. Review the system using the Administration >> System Settings >> System Events tab for successful/unsuccessful attempts to modify security objects. If the options for “Record” and “Forward” are not enabled for successful/unsuccessful attempts to modify security objects, this is a finding.
Configure the Trend Deep Security server to generate audit records when successful/unsuccessful attempts to modify security objects occur. Configure the alert using the Administration >> System Settings >> System Events for successful/unsuccessful attempts to modify security objects. Select the “Record” and “Forward” options for the following: - Event ID: 116 Rule Update Applied - Event ID: 180 Alert Type Updated - Event ID: 191 Alert Changed - Event ID: Relay Group Assigned to Computer - Event ID: 290 Group Added - Event ID: 292 Group Updated - Event ID: 306 Rebuild Baseline Requested - Event ID: 352 Policy Updated - Event ID: 378 Virtual Machine unprotected after move to another ESXi - Event ID: 412 Firewall Rule Updated - Event ID: 422 Firewall Stateful Configuration Updated - Event ID: 462 Application Type Updated - Event ID: 472 Intrusion Prevention Rule Updated - Event ID: 482 Integrity Monitoring Rule Updated - Event ID: 492 Log Inspection Rule Updated - Event ID: 507 Context Updated - Event ID: 512 IP List Updated - Event ID: 522 Port List Updated - Event ID: 532 MAC List Updated - Event ID: 542 Proxy Updated - Event ID: 552 Schedule Updated - Event ID: 575 Asset Value Updated - Event ID: 622 Access from Primary Tenant Enabled - Event ID: 623 Access from Primary Tenant Disabled - Event ID: 711 Agent Software Deployed - Event ID: 713 Agent Software Removed - Event ID: 720 Policy Sent - Event ID: 734 Computer Clock Change - Event ID: 942 Auto-Tag Rule Updated - Event ID: 1502 Malware Scan Configuration Updated - Event ID: 1512 File Extension List Updated - Event ID: 1517 File List Updated - Event ID: 1550 Web Reputation Settings Updated - Event ID: 1554 Firewall Stateful Configuration Updated - Event ID: 1555 Intrusion Prevention Configuration Updated - Event ID: 2002 Scan Cache Configuration Object Updated
Review the Trend Deep Security server configuration to ensure audit records are generated when successful/unsuccessful attempts to modify security levels occur. Review the system using the Administration >> System Settings >> System Events tab for successful/unsuccessful attempts to modify security levels. If the “Record” and “Forward” options for successful/unsuccessful attempts to modify security levels are not enabled, this is a finding.
Configure the Trend Deep Security server to generate audit records when successful/unsuccessful attempts to modify security levels occur. Configure the alert using the Administration >> System Settings >> System Events tab for successful/unsuccessful attempts to modify security levels. Select the “Record” and “Forward” options for the following: - Event ID: 253 Policy Assigned to Computer - Event ID: 350 Policy Created - Event ID: 352 Policy Updated - Event ID: 720 Policy Sent - Event ID: 410 Firewall Rule Created - Event ID: 420 Firewall Stateful Configuration Created - Event ID: 460 Application Type Created - Event ID: 470 Intrusion Prevention Rule Created - Event ID: 480 Integrity Monitoring Rule Created - Event ID: 490 Log Inspection Rule Created - Event ID: 495 Log Inspection Decoder Created - Event ID: 573 Asset Value Created - Event ID: 1500 Malware Scan Configuration Created - Event ID: 1510 File Extension List Created
Review the Trend Deep Security server configuration to ensure audit records are generated when successful/unsuccessful attempts to delete privileges occur. Review the system using the Administration >> System Settings >> System Events tab for successful/unsuccessful attempts to delete privileges. If the “Record” and “Forward” options for successful/unsuccessful attempts to delete privileges are not enabled, this is a finding.
Configure the Trend Deep Security server to generate audit records when successful/unsuccessful attempts to delete privileges occur. Configure the alert using the Administration >> System Settings >> System Events tab for successful/unsuccessful attempts to delete privileges. Select the “Record” and “Forward” options for the following: - Event ID: 124 Rule Update Deleted - Event ID: 661 Role Deleted - Event ID: 671 Contact Deleted - Event ID: 291 Group Removed - Event ID: 1901 Cloud Account Removed
Review the Trend Deep Security server configuration to ensure audit records are generated when successful/unsuccessful attempts to delete security objects occur. Review the system using the Administration >> System Settings >> System Events tab for successful/unsuccessful attempts to delete security objects. If the “Record” and “Forward” options are not enabled for successful/unsuccessful attempts to delete security objects, this is a finding.
Configure the Trend Deep Security server to generate audit records when successful/unsuccessful attempts to delete security objects occur. Configure the alert using the Administration >> System Settings >> System Events tab for successful/unsuccessful attempts to delete security objects. Select the “Record” and “Forward” options for the following: - Event ID: 124 Rule Update Deleted - Event ID: 152 Software Deleted - Event ID: 295 Interface Deleted - Event ID: 296 Interface IP Deleted - Event ID: 331 SSL Configuration Deleted - Event ID: 351 Policy Deleted - Event ID: 411 Firewall Rule Deleted - Event ID: 421 Firewall Stateful Configuration Deleted - Event ID: 461 Application Type Deleted - Event ID: 471 Intrusion Prevention Rule Deleted - Event ID: 481 Integrity Monitoring Rule Deleted - Event ID: 491 Log Inspection Rule Deleted - Event ID: 496 Log Inspection Decoder Deleted - Event ID: 506 Context Deleted - Event ID: 574 Asset Value Deleted - Event ID: 593 Relay Group Deleted - Event ID: 595 Event-Based Task Deleted - Event ID: 931 Certificate Deleted - Event ID: 941 Auto-Tag Rule Deleted - Event ID: 943 Tag Deleted - Event ID: 1501 Malware Scan Configuration Deleted - Event ID: 1511 File Extension List Deleted - Event ID: 1516 File List Deleted - Event ID: 1951 Tenant Deleted - Event ID: 1954 Tenant Database Server Deleted
Review the Trend Deep Security server configuration to ensure audit records are generated when successful/unsuccessful logon attempts occur. Review the system using the Administration >> System Settings >> System Events for successful/unsuccessful attempts for "User Signed In" (Event ID 600). If the options for “Record” and “Forward” are not enabled, this is a finding.
Configure the Trend Deep Security server to generate audit records when successful/unsuccessful logon attempts occur. Configure the alert using the Administration >> System Settings >> System Events for successful/unsuccessful logon attempts, "User Signed In" (Event ID 600). Select “Record” and “Forward”.
Review the Trend Deep Security server configuration to ensure audit records are generated for privileged activities or other system-level access. Interview the ISSO for a list of functions identified as privileged within the application “System Events.” Privileged functions within the system events will include but are not limited to: Computer Created, Computer Deleted, User Added, etc. Verify the list against the Administration >> System Settings >> System Events tab. If the events are not set to “Record” and “Forward”, this is a finding.
Configure the Trend Deep Security server to generate audit records for privileged activities or other system-level access. Enable the necessary privileged functions by selecting “Record” and “Forward” within the Administration >> System Settings >> System Events tab.
Review the Trend Deep Security server to ensure audit records are generated when successful/unsuccessful accesses to objects occur. Interview the ISSO for a list of functions identified as objects that should be audited within the application “System Events.” Verify the list against the Administration >> System Settings >> System Events tab. If the events are not set to “Record” and “Forward”, this is a finding.
Configure the Trend Deep Security server to generate audit records when successful/unsuccessful accesses to objects occur. Enable the necessary objects required for audit by selecting “Record” and “Forward” within the Administration >> System Settings >> System Events tab.
Review the Trend Deep Security server to ensure audit records are generated for all direct access to the information system. Interview the ISSO for a list of direct access objects that should be audited within the application “System Events.” Verify the list against the Administration >> System Settings >> System Events tab. If the events are not set to “Record” and “Forward”, this is a finding.
Configure the Trend Deep Security server to generate audit records for all direct access to the information system. Enable the necessary audit setting to capture direct access to the system by selecting “Record” and “Forward” within the Administration >> System Settings >> System Events tab.
Review the Trend Deep Security server to ensure audit records are generated for all account creations, modifications, disabling, and termination events. Verify all creations, modifications, disabling, and termination events identified within the Trend Deep Security System Events are set to “Record” and “Forward”. If the events are not set to “Record” and “Forward”, this is a finding.
Configure the Trend Deep Security server to generate audit records for all account creations, modifications, disabling, and termination events. Enable the necessary setting required for audit by selecting “Record” and “Forward” within the Administration >> System Settings >> System Events tab.
Review the Trend Deep Security server to ensure audit records are generated for all kernel module load, unload, and restart events and also for all program initiations. Verify that audit records are off-loaded by configuring the Manager to instruct all managed computers to use Syslog: 1. Go to the Administration >> System Settings >> SIEM tab. 2. In the System Event Notification (from the Manager) area, verify the “Forward System Events to a remote computer (via Syslog)” box is checked. 3. Verify the IP address or the selected host name is entered. 4. Verify UDP port 514 or the agency-selected port is provided. 5. Verify the appropriate Syslog facility and Common Event Format settings. If any of these settings are missing from the SIEM configuration, this is a finding.
Configure the Trend Deep Security server to generate audit records for all kernel module load, unload, and restart events and also for all program initiations. To configure the Manager to instruct all managed computers to use Syslog: 1. Go to the Administration >> System Settings >> SIEM tab. 2. In the “System Event Notification (from the Manager)” area, check the “Forward System Events to a remote computer (via Syslog)” box. 3. Type the hostname or the IP address of the Syslog computer. 4. Enter which UDP port to use (usually 514). 5. Select which Syslog facility to use. 6. Select the "Common Event Format" log format. (The "Basic Syslog" format is listed only for legacy support and should not be used for new integrations.)
Review the Trend Deep Security server configuration to ensure that, at a minimum, audit records are off-loaded from interconnected systems in real time and from standalone systems weekly. Verify that audit records are off-loaded by configuring the Manager to instruct all managed computers to use Syslog: 1. Go to the Administration >> System Settings >> SIEM tab. 2. In the System Event Notification (from the Manager) area, verify the “Forward System Events to a remote computer (via Syslog)” box is checked. 3. Verify the IP address or the selected host name is entered. 4. Verify UDP port 514 or the agency-selected port is provided. 5. Verify the appropriate Syslog facility and Common Event Format settings. If any of these settings are missing from the SIEM configuration, this is a finding.
Configure the Trend Deep Security server so that, at a minimum, audit records are off-loaded from interconnected systems in real time and from standalone systems weekly. To configure the Manager to instruct all managed computers to use Syslog: 1. Go to the Administration >> System Settings >> SIEM tab. 2. In the “System Event Notification (from the Manager)” area, check the “Forward System Events to a remote computer (via Syslog)” box. 3. Type the hostname or the IP address of the Syslog computer. 4. Enter which UDP port to use (usually 514). 5. Select which Syslog facility to use. 6. Select the "Common Event Format" log format. (The "Basic Syslog" format is listed only for legacy support and should not be used for new integrations.)
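One way to verify that the Syslog/CEF forwarding configured above actually delivers the System Events the audit requirements call for (for example Event IDs 600, 650, 651 and 652 named elsewhere in this STIG), as an added example that is not part of the STIG or of Trend Micro's product code: a small Python parser for Common Event Format records, run over constructed sample lines. The "Trend Micro" / "Deep Security Manager" header strings, the X.Y version placeholder and the sample events are assumptions, not captured output.

```python
"""Added example: parse CEF records forwarded by a Deep Security Manager and
report which required System Event IDs were never observed."""
import re
from dataclasses import dataclass, field

# Event IDs this STIG requires to be set to Record/Forward (constructed subset).
REQUIRED_EVENT_IDS = {"600", "650", "651", "652"}  # Signed In/Created/Deleted/Updated

# Constructed sample syslog lines (PRI + timestamp + host + CEF payload); the
# DSM version is shown as the placeholder X.Y. One line is deliberate noise.
SAMPLE_SYSLOG = [
    "<134>Mar  3 10:01:02 dsm CEF:0|Trend Micro|Deep Security Manager|X.Y|600|User Signed In|3|"
    "suser=admin target=admin msg=User signed in from 192.0.2.10",
    "<134>Mar  3 10:02:17 dsm CEF:0|Trend Micro|Deep Security Manager|X.Y|650|User Created|3|"
    "suser=admin target=jsmith msg=User created",
    "<134>Mar  3 10:03:44 dsm CEF:0|Trend Micro|Deep Security Manager|X.Y|652|User Updated|3|"
    "suser=admin target=jsmith msg=Setting changed: timeout\\=10",
    "<134>Mar  3 10:04:00 dsm not a CEF line at all",
]


@dataclass
class CefEvent:
    vendor: str
    product: str
    version: str
    event_id: str
    name: str
    severity: int
    extension: dict = field(default_factory=dict)


def split_cef(record: str):
    """Split 'CEF:0|vendor|product|version|id|name|severity|ext' into the seven
    header fields and the raw extension. Only the header uses \\| and \\\\ escapes,
    so escape handling stops once the seventh '|' has been consumed."""
    if not record.startswith("CEF:"):
        raise ValueError("not a CEF record")
    fields, cur, i = [], [], len("CEF:")
    while i < len(record) and len(fields) < 7:
        ch = record[i]
        if ch == "\\" and i + 1 < len(record):  # escaped '|' or '\' in the header
            cur.append(record[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    return fields, record[i:]


# A key starts at the beginning of the extension or after whitespace.
_KEY = re.compile(r"(?:^|(?<=\s))([A-Za-z][A-Za-z0-9_.]*)=")


def parse_extension(ext: str) -> dict:
    """Parse 'key=value key2=value ...'. Values may contain spaces and the
    escapes \\= \\\\ \\n \\r, so the split is done on key positions, not on '='."""
    keys = list(_KEY.finditer(ext))
    out = {}
    for m, nxt in zip(keys, keys[1:] + [None]):
        end = nxt.start() if nxt else len(ext)
        raw = ext[m.end():end].strip()
        out[m.group(1)] = re.sub(
            r"\\(.)", lambda e: {"n": "\n", "r": "\r"}.get(e.group(1), e.group(1)), raw)
    return out


def parse_dsm_event(syslog_line: str) -> CefEvent:
    """Locate the CEF payload after the syslog PRI/timestamp/host prefix."""
    start = syslog_line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload")
    f, ext = split_cef(syslog_line[start:])
    return CefEvent(vendor=f[1], product=f[2], version=f[3], event_id=f[4],
                    name=f[5], severity=int(f[6]), extension=parse_extension(ext))


def audit_coverage(lines, required_ids):
    """Return (parsed events, required IDs never observed, unparseable-line count).
    A non-empty 'missing' list means the Record/Forward setting for those System
    Events, or the SIEM forwarding itself, needs checking."""
    events, dropped = [], 0
    for line in lines:
        try:
            events.append(parse_dsm_event(line))
        except ValueError:
            dropped += 1
    seen = {e.event_id for e in events}
    return events, sorted(set(required_ids) - seen), dropped


if __name__ == "__main__":
    evts, missing, dropped = audit_coverage(SAMPLE_SYSLOG, REQUIRED_EVENT_IDS)
    for e in evts:
        print(f"{e.event_id:>5} {e.name:<16} {e.extension.get('suser')} -> {e.extension.get('target')}")
    print("missing required event IDs:", missing, "| unparseable lines:", dropped)
```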
Review the Trend Deep Security server to ensure synchronization occurs with Active Directory on a daily (or AO-defined) basis. Under Administration >> Scheduled Tasks, review the scheduled tasks listed for "Daily Sync Users". If a task for syncing user accounts with AD does not exist, this is a finding.
Configure the Trend Deep Security server to synchronize with Active Directory on a daily (or AO-defined) basis. Under Administration >> Scheduled Tasks, click "New". From the "Type" drop-down menu, select "Synchronize Users/Contacts". Select "Daily", and click "Next". Enter the start date and start time, and select "Every Day". Click "Next". Enter a unique name for this scheduled task or leave the default. Check the "Task Enabled" box, and click "Finish".
Review the Web Server hosting Trend Deep Security to ensure multifactor authentication has been configured. 1. Open Internet Information Services (IIS) Manager. 2. In the console tree, expand the server name. 3. In the server Home page, double-click Authentication to open the Authentication page. 4. In the Authentication page, right-click AD Client Certificate Authentication, and ensure "Enable" is selected. 5. Close the Authentication page. 6. In the server Home page, double-click SSL Settings to open the SSL Settings page. 7. Ensure the "Require SSL" checkbox is checked, and the "Require" radio button is selected. 8. Close the SSL Settings page. 9. Close IIS Manager. If "Enable" is not selected in the Authentication page, this is a finding. If "Require SSL" is not selected in the SSL Settings page, this is a finding. If the "Ignore" or "Accept" radio button is selected in the SSL Settings page, this is a finding.
Configure the Web Server hosting Trend Deep Security for multifactor authentication. To configure the authentication method in IIS: 1. Open Internet Information Services (IIS) Manager. 2. In the console tree, expand the server name. 3. In the server Home page, double-click Authentication to open the Authentication page. 4. In the Authentication page, right-click AD Client Certificate Authentication, and click "Enable". 5. Close the Authentication page. 6. In the server Home page, double-click SSL Settings to open the SSL Settings page. 7. Select the "Require SSL" Checkbox, and "Require" radio button. 8. Close the SSL Settings page. 9. Close IIS Manager.
Review the Trend Deep Security server configuration to ensure password complexity is enforced by requiring that at least one lower-case character be used. Verify the values for password complexity. If the "User password requires both upper-and lower-case characters" value for password complexity under the Administration >> System Settings >> Security tab has not been set, this is a finding.
Configure the Trend Deep Security server to enforce password complexity by requiring that at least one lower-case character be used. Enable the checkbox for the "User password requires both upper-and lower-case characters" policy value for password complexity under the Administration >> System Settings >> Security tab.