The Level 4 policies help you determine the right level of security for each system.
| Use the... | to... |
|---|---|
| L4 NT Server policy | run checks from the L3 NT Server policy, and add checks based on brute force account guessing, vulnerabilities that require exploit tools, or complex multi-stage attacks. This policy also tests for missing operating system patches. |
| L4 NT Web Server policy | run checks from the L4 NT Server policy and the L3 NT Web Server policy, and add checks for vulnerabilities that would allow an attacker to read important information from the system via Web methods. This information can relate either to system integrity (for example, system configuration files) or to data confidentiality (for example, lists of customers). Note: This policy does not test for potential Denial of Service risks in Web server applications. When scanning Web servers, use this policy instead of the L4 NT Server policy. |
| L4 Router & Switch policy | run checks from the L3 Router & Switch policy, and add checks for vulnerabilities for which automated attack programs exist (for example, buffer overflow exploits), as well as exploits requiring more detailed knowledge by the attacker. This policy also includes a limited number of Denial of Service checks that can be performed safely, that is, checks that will not result in a Denial of Service situation. |
| L4 Unix Server policy | run checks from the L3 Unix Server policy, and add checks for vulnerabilities for which automated attack programs exist (for example, buffer overflow exploits), as well as exploits requiring more detailed knowledge by the attacker (an understanding of shell metacharacter use, for example). This policy also detects whether systems provide user account information that could be used in brute force login attacks. |
| L4 Unix Web Server policy | run checks from the L4 Unix Server policy and the L3 Unix Web Server policy, and add checks for vulnerabilities that would allow an attacker to read important information from the system via Web methods. This information can relate either to system integrity (for example, system configuration files) or to data confidentiality (for example, lists of customers). When scanning Web servers, use this policy instead of the L4 Unix Server policy. |