邢�唷���>�� � V�������_�^�]�\�[�Z�Y�X�W�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������DC�
��
������������������ !"#���%&'()*+,-./0123456789:���<�=>?@AB�������FGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdf���ghijklmnopqrstuvwxyz{|}~€Root Entry����������� ���F�����~�� v薅�~���nWorkbook���,
����E飥�_VBA_PROJECT_CUR"���������)P漬��~�� v薅�~��MsoDataStore����*�P漬��~���$倍�~���G��D��FHU�UP��E��CKRQ==2��������P漬��~��犣�~��Item
�������������
Properties��������������Gm���B0KILQ��CN�MP�GR���Q==2����������P漬��~���$倍�~��Item
������ ����U�Properties��������������YO�MBD0018AAD2������������ ��FP漬��~��&嫸�~���Ole
��������������=������������
����
�������������������� !"#$%&'()*+,-./0123456789:;<�=>?@ABCDEF���HIJKLMNOPQRST���VWX���Z[\]^���`abcdefghijklmnopqrstu���w���y���{|}~€���-���F�!�Cover!Object 1���
����� ��F Microsoft Word 97-2003 Document
MSWordDoc�Word.Document.8�9瞦�����鄥燆鵒h�珣�+'迟0����������������� ���$�
D��P��\�
h��t��|����������������Christian, Michele [USA]����Normal.dotm��Christian, Michele [Data
����������81Table���������������$,�CompObj��
������rWordDocument��������������;��8DdO���
�����z�p����<���
����
C����A��������������€b��48��{邔[4y劃桶妳鍸奘��8�D4n���8{邔[4y劃桶妳鍸奘�塒NG
�
IHDR�O���:E伈�gAMA眻晿籀 pHYs1�2N�ン聳 IDATx滍}霑�8�e}{�p#0�侀�寧纑�CG`9��������������&�r"���鰢D�����皂耩�3����繩�Px�龷`EF鼰�.纎啎霞X嫊霞X嫊霞X嫊霞X嫊霞X嫊霞X��埮0�粻▕�+���珉啞鹹8�餭豸k蝙+紫S鱴鑴�:D玳[Q昙鍓�/[?��?H→P�T橧�5��鲞�o劍
Hu詏春禗兵�撅�1傉郴C ��]^Q鼁|��籤淰O疧鬭眣��踉黌8n#尸CR6RJU��oZ療��t餢艹亣�C剤P觞鲑�Z具躈鯚懴a鑯�F摷E���T5蜜悇b髇s#Φ鸟局n鵞.Z�W�>悪姃�9嬸�|禰F礁V,﹂�€:悷豿�斲к/{k>燌qv蒁
h駡"小膦��P�)�)熐F #閯茻鏢�澷)�!烥��麨膸澾鄇稘㎎�3+シ愠��Db鞅輒胂5抉臄骈瀗喷擌�~C馇Z凩Ca#堆`雖��耖瓬;�?瞜囈�芖O奦�!J胢��U��喷�K�伨龢a埽j\�$軇��=窸9FV�"衚T讙y唍柨�-��j�Vw�鳛!:痡<轀洱聎��烝蔌��x圢罝(顛y函S请zYKz�>儯pゎ懄R圢�=X逿*匭U/桀篌���﹞溕�o�+T�&i澒J6篌骙�K閪龈�=H'?0獦極u��愙7-宄�+�5��羺Gd糖蹴A:鵙啠��c�&~�E|轔J訏�*X@贰彶銾怤龀Ht�c恬>Z髬剢4漁g舀峼/��'~�驜丵�1|��.3臩Z鯌�$箝N�588l綉
����諆懀bjU4�&蛸ⅵ紟x/�類1f吤У#窷-秓緩lKu�!,塐簶[��豳\g�(躽�鐝熄h:\4遻5q=~��)|�*X鑠镆垩u0z竎7��C�6J踘�5}9�AF�t矲q倕r�7茇�4潌碚汎�秽�
��d4毾fぷnぐ瑚V祓H
��A?�
'b辯劼器峜鵿鈙B&IP轁戛�憢6枅姢m鴪}垲甓��i#:'燍�社絇��煛f蓍蹸陬��.4N薝蟘3�1㈱斦o僯�!4嶰qf彦3豜踥�婿"e綥阍t� W<�'a禇M�(>e5v��M�:灯_棲ゎY沅�*牴y�]馄��膹�胓%藆���=��综詵璉偲��W宷B�Ym饓輂�煏Gn崮�4<��r褎�鍌�;脔劳+�Z�栖濹�壜|V^庫��k啥�=KL)�9#╞��幯嚑M逖鶥H�涑驌dG
t仨�S 洭6�(
譝��<蠔O��3耘豵偔T蚀筟K`��k�胚��c岄檇 睿
���鹭憰/鈂鯺鑺姫
繜���>灚�1_O陉翺,���位X%騔��毪跨6��@q軳棅�榫駪��昰蠗樳I彗3<=傥憓M�:�s��謐說w韛A鯷"�摗%盎靷c艝殟�=縴�婑��T��輜t|P┾
@Y�9�[╦O��顪骊==控E /�`���多���1{込�X ��U‰�座勋c5q漋瑇亭e+稺b囊Jk墛A筸桯�呲詖�&<龀r� 勖齺9�'��聘閬筷q�<囶H8}胊8溹煛x�J殚)诪�N\}髚敇ヱy╩�Y�枹b蟮j �>5拋v峬υ溼�0咅��駵?�0`Ow�j飔劯k罒峋涍釳X�;仿>驾_�*�嶞菼饇餻鲻���郢7Q洽鈘煭&"[��m�%€�Ls
h6>%k^韓{犠�;鉂8c,z�'橹F3搟?嫱柴慎疩{騺這?YM�|R5�晪�菀�\�殓��讟T}鑔uf�x�
炜]�"H��!'顦魹��扄鼇� 娹C��鼅存�H)∮楧掀V抜}欩)�煍"橭壹��汧榋絃�0�+IO凵1�&f嗮>}O�Xw钕M�Z押�Jnr鮰w��2楡塿�&O���7>z����?��瀛l��3bS数]��'��;q��l��:M�yT'f髹E適S� � 杯+�H敌ZO��衷��n��,�慒a�`鯠�7跷嚹(�-�$襎�*�&┙鬅煝埽X阇$祠徚楺��蔌�;_Mu鵎�€焽茅�(Z�U愔�1�絬C卻1芚戤麉祼Gb�6ャ睑��(kg3豩�橘�疅蟥R�壌凎��q"��3�n雲捡���%碨R栃bK桹�,Ts~債湜�f~姅90C瓊颼���邙齾Q愽羯ㄧ默�蔿Y瞜贴T�鎠�蔐墣熱�,��'�思k��N�劢�[r邶笣Lc(燋>�-��ZA �)锋覠F��J立米A�t!�~O[蓗娛蘋��)膅绣A{�'m僡�Q缂��
a獴�3r儖#鍿塹���#嘎�r�袨5$鎼P�b=6 刚叺躗����v鰦押EfD�+罂�1E难綝T $姱莣蚪���荲{c耪D�y飯�hK謿&{�)弔�瓆5�
�貳yTV�\∵v靾耜曽��j.鍜AsT簉
穸菡� ;21豓豰殀��h崍Y屡%徻!�#磏�>粠呻q╚�����:
娎nI�
鮷N嬏4}�&彭8��Zè瘚灾�饯軞�6H啡栜姇�)*�嵻�#��
�z玞鄱��椈��愐�壃�7o=
刈罨1蛕���烇圗���@辧>…}尢= �庅��冀讓����匐��耒7EBe梭娄��c憕螾仒�
壜踸�9愛dke��5�-䙡眃伧B鼨瞳7E濹鑝]穪奶譭U0�宬l赲��罡%�~叱衵趌Lr酖轄��傐5蘤q~脢�殎
�Mb喈�諝�;v��pl_悴殂3匩�(
壞腶5隠简fH>�&Qb献0���'=得fbL歼O &邇硊Y+羯�彲訶PE笊�JW]┚3�L豅L�
猆鰱J o阮轮�Y佅賡鉴_M鎿'�6�(�腓椡$�>�歀Y嬠c躌3��1[m�U埆 %嘒�9襆'0��.�誜指��*vK尹匷��攉癔Z駞?�騈FD>觹庞2夳�絽>��wV暓����
裴_U��7��灞鵔� <漒翊��YhN嘞h1U憹搭�=H�' ��x?烞т�k���|b��條峺j鋈��r珼TP�,�8�pC疽�wq續悲鎿?犮�d娽駪慰"鍮�购璤韯裌鋏P]嘹€問k{鬳柺'餆玝�鷉����燆0輵]�'廿����)桢援筇Z�g挔�:魔0鱪Y�-藣�仸:*�1ㄧ R薺V�峎��硢��A玁�$(粪薞T�釦镢W&��iP�?貄o�pO閖��=��@Z�=嶓壦�N����x>;腼��&�邙毼=睈�V糗Sj'嫔伸�庅鶌馀4 �&*NwC瑘堺v幌�5\4c�=���:��獰_妪�8縹T��`w
C詉�?�?娨峿��娇俶kP渾�3ZGuxk屝�-��漲�
岢�K郸撊@笐� �$挈袵钲���溏青甗褠Z闖蕾丿qㄐ€�au彜��粐�龓鷸|'�絜珪赙_€嫱��v�*鰈'� 燐xZ3叙佸揘q儙X:D�2m疚�-Dzw�醟����屭��1√犒@瀟_竫U苴弢-U鷽額镳�堣巐��LK�賵臑唿诒e圝�?� /�v坾钶���v柢坘�,圻��'|`L⒏雚憉靈閍��0Q�鑰�T�'{橩籈!鮏�$,梜重稕�䦟溇鋿�'�8��N��諃𘲊孙��澊dR麎�d韞�:鴨尣�7pb鄊d?uP���€煟�搒呞7阛,z騢��4@∑鐣鰰2�,焲埤u\���
胢�16j€�=拊y住hg�9M�s���5從�'��.蛉)�lp*,€G膞s��t�九%��U鮣��婤笙遳��瘗
�3疁�����gg���絯窒豩x�y變�$嬘€煇.�滊�梍蒇�)$/掽]��辵QI姞蜔峒�&O:麫绪9����T��'�>妕�榽萴 4~€@贺s齌髢痮綋d慫旀彞�&"��_� [�$)��(�z��鐄�漁鬿髖鼏q誗n���?��鞣魔償yx++鏦"熋�%EUO�{/竦`,P�'閹^qbN� ��-�=8縍�/]氦绵島F�<�'P煬埨�噆V��i�蔋鰃u顠厩D峷Tq=4~�9卡��E[:�=佸S{�滍��u琮���r�����傛堹N2�愵o�3墟濩U%媈�M瀟��釱s瑸糕^菝y谿-蒝K�2��6������瞮Y�掯�喃遷��沢�3衻RuJn賶|���+�Z斚L'm哽)繋D��9,,�惜靓��詗謮躆∩搉䲟⊿�.!#唴遴�1劍枮烴��卺�)rt��#泷|�����爴燕nDX嫷~冶D��x�:}
hG"霠8訢D��乡5�洍∮讇褹OI鈆 C*��↓T遍 ^圢��寓�#qoWD羄襅錷^圢��J浵┒
�4擣艝B嘤��翄曩�h�z摚��4わ泗灉鄠减髖��.4y覞��4焏窱吀�B���,�瓛韃怤��頊,桉�腰膇坙 襵s伮�
貳瓞续凉b益揇�C臚旞L療E[%
aQ嶯瘴茝�*偶澞gQ%
*卥���<�告s&灤���T�q~)qg鍷櫇����#�豸梄
蒼裍坾︔L���)4爐顂舵閘�(�%�9y�3趶����潀�趹hz鶮n%�鱣|S&�)\>梳谞搊@悋3韮(倖��[鹛锨W宣楊娢`�袔D佑_�$ W躋皹`倗翔-籑l腫C��徧
*謀�櫡��郉靚��觉H
�胇0Cxj}犍螦��-.倧O�5扪轆f7鍶ht餣煷?掓韷`�搋蚙��|澗綆?闇���}鐷$=鼸击盵]卷扑g��?N灎�>峻<$��*h鼆n�瞑鵜
!*���2�S荦>||较钧"�才�緀y�������稌?\陭啅良驝嚕X斢A錏��)q競匂國O_�貅豉E劁�P�=�)N�
r�
方�罘駷�诒嶇纷WoK]娻缆>�,烓钖g�鋼縭��wo?蹚U\�2!窺A�移p4垴.��_€饉0�〈HhSBY2@�"X��bj黌衩齯E+N��;瓄鸼���7腴鵒y�� ��邾1��媨i爠3;���断i�r郈歅�q�?w傉頵|`*gBQ� 皫ō颗m���鵊瞌��獵v蛀E恰2C麅驞:Sq�x聇d忐溻┾��鬅�?r浇�/J��,P�'悰O��0[�窟会l鱝魜飯�浩<芯@籧鞨枞'��濋0�鱿o檳�1胗�漢�€绡焴����7乧=KY}H9廝Q�礂��鈗|� ?��/挟燆願鞊蝫Td輒€僱&=挴�得��嚤驃�,贷3砑�Yf�碱*}7剸兗�3l颓滯J<捻[饄�|亝OOm矁:�*殶覭D貎╃�0���>g�/困�C淢榬wDSt,鵿�&詓����on���u�!鋆��憳恵鷜CD�P������`�;葜4}��嚚勌�溸t�oS^侽��鮳G/�1�3琦侑啮*嚐N�.@~H檔l綊鶖硪�饇韒鏘�}爨E�5I
�3�$頛N�剑W澌�`阁U裍BowN���?v海NLD簑燏圎撶�遼.莳8荍:*Vn餩1狀镤� a7
�?昭A)wk鋱*B6s鱔�.輙p讬宧靊嘘袕AD絞O珰�[伙侵螿�?{l���5L巻��<膳7爭簱�6ァ烆捓蛸�孪$U��o坊lF諰悾顬鎠 )9i"�鲧p窏傝�
�]�絤鮿噑邂�P�'椉6�/l��6j;B团坖 ��k钇冬h��越3侇�湚�
嘪��複R狁裌v]�Na�媡嶂;钗卋�PWU堳9���s�5劔z�8%w_DDG輷D:卑殍鵍嗆r谭膼旙}夓彐甡�湨ぬDh.禆�_��彸塆.〦>餓睩.b=蒡#>fC樺��庭'��1橾噑嘩禣曮�?9�:扡��$(q烫TO�h��兌�*環�0S瓍矏禞葾V�尒��焅:Dh勬肄=発郶�訸慘�4N4嘢�oN芅Z舢鑈>����!
慬��]�疃�'�*灢R頌摫]0�*歄桺q���潏焦駓�{�獽/I铀T[鎔�燅篌庽�.��"Onn|���倁l}^剑-a矫"4b亦�yr惚��a銖�b碗�/�<^�)瘎鸓鄑7n��F陰`杓��e"玆氐� 遜5t赱2��箒DNl鴦訃衰沘>S嵪A劭菿斱�#昊���s箳U?=練x嗉抑7墙�A��胎G~u�襔.煱惵w鴣甸灃满�1EL\/綷f<勨旬04髾院z厺�剒歄篻佼�1齣犏{�u��鉤,腤����F]\8桊児5PE暻B待9b荵i���阌��5�l]a~I黰恫�9囇e%它d莿佐�!熁`攂K�厤����詄柯w鴣t�覴鱽摝衞嶰�+���V皪O�2.安e劍步
O歄飸�?���鋦����e壕盘|霰���鍿x颦瓅�$+c止B}稻���橲躯�毖=Rxヅ#奨熤��c�%欿|��欱輠C��7c�氰�詿}@T��X顽@'罾bn"垯藡Zv鬏Qe�(b^艙�i[}⺪滎喗KA∵,�8R�处镶獮GK韏�#L�蔗�z䲟�6曱7
齠關�S=C#���v��Q7+姕w欺B&o竆詞鵯姕ⅱE}�表桊�� 贍笵翙���憇`/'讘墰�4Qr)q��ik )奺-1鉈薥猸戎�席��菗2皘cx{戫颥%糉9!s蟓9Y楼竽r躲1����<)匾妁\[N�S蝹邚k椢at~\慏姇�/#�涇.0�m趁�bp�<煂�((v`膴/]憔鸡舊鎁鹅x夶矄L,刿筯-卜葛矰q|.�&棴�\A铢�R糵遤\l苲xb諌Wx�覻咍楃�>�vH5+��a��.2_�潂k扚 煙�&��砡堶���'�4����<儧ゆ铻礥lF祑��IEE褟伉�葩矮镤�3迖"x蜂屜饕
!孖痆脞�=
吒N枣|檊dd��9健���瘐s膳&缕�Mc�b�T嵯誶麮���1偮3u�珚偿�)��\qy慂)鸸`�/�2&A�-0���婯�瀟�幷O%勮幾wV兗�<侇檊����B點x&t���涾倎JP蘼p'�剼恓1演��0e*氖&巏蝋%_恶 u]�2c奡坩l�M�8壪D単坟�肹m�"茣��肸s�a��鼚I$擎g鷒鐑p9携/駲6滗荅起�'L�讏e�3f��T*R�漮z'<"�)=<�
>�3>�>欝�"燅s"�:Y#闵焻攡珕��瀟 N笕疱鹜)�3�*���#5��V啣衖
夏掇楿x鐓鄙猹;��諄pn_徏��渎砿w�<�*覇Sx陏��fM�:讶諳' .��mj� �r鍔>抟�"��踤�*N湴T�4pN
c 祴喢\髷)�1 瀧o晓�n釛臹
鄸翝��霛WX沝rq迲曱俐y喍0]遻tVg8�藕�?�*秞��夙n��烕瞵耖t刲�o趵�:p;F�荼�&�-WJ�熝]�0壛歕O��X単>.鷰腺)��8堕駏��吜霄锄鶎础吜;族"�齿�缚�:杫诲驰�=��吓�菒虫窎愢瀩驳/熝�"黳厂���+廀慈頴傀酏皤�:来&�补鋝辫�&膅霳剢碍��柏鰃�<�8︱慺或e圼���M铓Ц}曵��鴮詘V峁�����8$�,;<���?w��vG8偞�$纆��蕔-鍄;,*帿�=戝Qx膗壓衊w�*�勰��逕炜絧�厨蓬沥�:賌檲c溘Wqxd]躲Y儯b畴烶T鎬歸翿fE"z�勐a0�Z1褬��ю娖a4嶶�犽杮IM吁灧��褏鶎矪I*跺迨罰E膓�,.蟗�Plv釲�M哯zm噳�;Q|F�JL������〓#qL 豾bKzo尮�6\�#|3誫刳/疐鸟�c啋嶧3懾V淯xd�1醍醖y���驺#U睟|蠼q|F,~`C�5>鵩G11]銖藶�#瑈�=~h宎ucX!�-�q|毀��诨 剌>=':B釞~[h�*NV�|=M�△彆�骚92Y�
瓨(傃�苘罞�* 烆����蛌蘤x�
�%���吝瞪� ��$+兂鬺単歰a熡B単氿趰1�8M@T鼀�-q
缋=k挛 肠;p�1N�/J㏄餓e�U躃煢況k��燂�/倯P雌�G"�釞�篨�E�7@� ?煿顖�)8謰�阚(|&�� �浄嵊<]_Em矱�#屆�V�╘l迗相bS��待M/��2(�載|��駃zy�8���y嫑燕糴燉給�'沣+�-kF3X@i��烱;�钡�-^�(氎綕€�蚬�#裮6y羸��軘O�"7?T�悧�,G/Qd艒鵏隁僱�cL�氰税��|F3P6戲"逮ヘ|�>嶉蒢�力惭懬.皫(洱嵽#�下�1骋镯血顡�)滨诸�锄��夏�1η飞叠��濒椯坱��牗炢弈�緃�1迟忣)杀触��?<>齿釰欰驰�<+�狒� �?蕋/d�冕瘅 狘C梂OC謇丑鶝#��+焬彬��+焬彬��+焬彬��+焬彬��+焬彬��+焬彬��+焬彬��+焬彬��+焬彬��+焬彬��+焬彬��+焬彬��+焬彬���W���铒棼Q~?|q^�R皭�2j�砠�%餐"錏仒h鍢缗蔳^瑋媾蔳^瑋媾蔳^瑋媾蔳^瑋媾蔳^瑋鎱g>$�轻p偛xW.>體��徯�@Y攐磰J�褲狘S魟qzx�:饤雝棹�蝞�4╓%s馱�洹紽1k鰕m袎糍���嗨鲌O�2g��?Y��3:镉踏�&錬�舠U匽���烓��|b`���,纴鸙����€服骧l饓乌 鄈�& �W(舳|2\詉|��赲��焳1�婉筛墩�K^�9��(�vS>貰� |�9� >吊7莽�6Nc嬷BB�"|釾g▁>8���.熤45千p|粺��烇瀃Q�噌骿{ヽ��褞e��鬴u��;)X�&~J颧浭5垈'|�茽笗#2揲C 翧姲��餞.�g�€臃t獬媽�����偸�s滚鬘�妧
p��烠茈v┖m盁暱�煁��钀>x揪~謑遒 bj;�T躛x綶T?穃M荚瓖应叹1=�枙qzY溗P��)<弓�<�衿
�辱撔禍樽l�=湳P<溹缌簅��7贠O�<骲8��IQg檔泪$剞E絈垒��汸�
聿}8玲褝�c�父炏耜�2=sTr`�:��+踫Dv历&��飨 �┤4� 攦�t钕��流�E{終0��頙溷s�嗀�砄齘0uX扉岑tヲ�%蚝庶縸停�6^磣^ }U赆C詈 餺醩�/R灨�
�庻�!籇佄�;���,��iO蘴輋讱OW��€_L遳RluEN_�魻鮭�崡鋼樶炫卜�).椷6忖%踅P/曮��.Z旾驄稛競�蠒1�栉#�畷|�%���5?ruY���板鵡
H瞥窡�烰8=T谤祧瞋��鋉`^�╓E騏=~�殷�煣氛珶��*(6{7靚���SU�6欩��.�^���麸蟴���^o�旔竪+畹#��緸'K�-X F�=焑'嚛�O�=p岁E顊�t琬�^o^罯叆�=熮y�/?bZ琈�S蹅��N鸏抩呖ko(賁葼�.伩
穔?n惜�*k�1��脃�6*.^z葡`�
�航镰1b嵶委�)絞喑臬k�窣z沒��`S裣泈h<区h[y兯謈]�鞣��牘b瀡蓃焑假鳸矩I� �鮑黯擨=U概L�/=哮��櫩q膂夞杀i�/坊$��:�Q設%櫌I薇韫O
+�>�<�耩齛�x骝;�蛹O瘭(I�磢癅镛�?�
呗c€後�%T轺�.�%���勭紵雙俴�%骳�钘��雧gy�/^忹%彬��+焬彬��+焬彬��+焬彬��+焬彬��+焬彬��+焬彬��+焬彬��+焬彬��騸癮/б9梊~+入G轁?eY咀穂妄穊9�Pl�z鲽}qU鹹诳䴗緀攴频贩]巄�6负�铞�婑� 兘魆�'惯�9煜廋�!� r饄鷾A萶�,悖嘯x庿w"蟲篾se��蝠賓戲; �<卒�qx茔搬��缦堢髸����宄膻>
�(U�)s�鬙噒佪��ナ虻噉x劽 蔅綊镂�=/b��叮Ir姊v���t尃ll晴O(淀跑蘈暥@���G q)��c诠�屋�5�*>潒糢狈虫础頟��儅箩専翱儷��虫瑱赟�7�竐;调奥坷谤�?��别疧(触奥�存埦鑦娊赌翱鳇塲蝰夊蹃��劈贰駚'9耻5?硐翱幰颈�别奥�顿菓渖>櫹�宽���植舷�辞%痯����?�D础直携馒辩蕓笓�.��铺��1塃请!<圫>蒇=~磹螦
8减伥�熻na��g��(33緘��8繅較�淞捭魬萛わ腝Rs �]�0v1窩����贉�&浊亁S3潶镓�2气孀鑬GTG�彳�98\*�>E鳣�8;��BJ��坄a壏��I�F|鞙熼|�鰓詶灳��Bg吗▲��抨��>醟��1#!��C圢R膆}鱝�'Q鮹嶜兮泉Q徴洁b╉齆鉭漾~i�R��隥�4��E謘�>/��书l?恹xjc�1G^���2��Q襰杀��&歄澥'鉅x2喒E∠顽犣t┐革筎袏媗�驩T`��T,熍�%珀擓灶醚LF忕�2褓操L烳瓜�L�\z骿h耣�釥
z橡y甁,篑|"
�
Bū�j9禊��€炍wF鑭w����0齩Js�\亝�H�壶T�T蠲伷��潂熂忄��k�-�熣嶩�橗���L�>�!抨�?�y漎�+$�)訷:zo虳�� V觃〒�>桴|謈+嚌@2�8��€3c栳\甊�1o皹 ���9f桎+�<��甽?媣J�=荵惩杲-av$r1v����#孔��髚螘鮯;辖湤w轡n;
o�R|⌒湷L 蠓2p�笸\_�)鼉誤l��8��[氹0D菧啐J>�-l���*末毽縪頍2�KV零诙m憥耡I灻錩4�鷠柕�揉{鼯0��駖疽Zk<�|帐{妣芟��@�6饄07M夲N唢褍镎�;��6`�锺1�粅峨�.纜挬B�;馜:9壡���*馀恴搛摫箹� 賌"�L=扚���#跴巚�編��嘶��5亇伷� 橭颐�#策?t�g帵��4
�$|閤��p{骐泓韞,聱嗚覃e詬囕众&.�,ki簽�饘/€5o姧H莥v吭Z譽#屧F飼1��馵灯�9o橑OLE+缔��p�0橭B聊��R鄖v媓�
蕾祫_r*6�'轡�'鞂�'Me薗0O龻Vo��磤��g=U(睺�1鎖嚧zg澧�4+��艽��髣�i揈酥�(牒n[�9蚙AZ盁亅薸亸d厦耷E_��UQ�
壒d試儱p�鍯��)蝩磗
i匔�.*�9銓腒遲|�2n
詭昢?┞7cP�惩愒銎 妃+�uL珶袋�ZI��l��/倏D驑雥�屋%�窇堩�伃葴餞卐N|襺��N憲餓ka����舒����l<恬OY%F鶎|� -烄�.��镯p稖�T烉匧�簨:狉崗9�)16�燖�'勹��:t.蹮Lr(靦Li�!p�緺崞w曘肩賫铄撾讹�
�#敖鐖燧�.鈸v��O覇o癘�贪co��靱拦锽}J^爃��
�佚���鶨|R呑N襝�4:j瞬槎怬|斻��X��HR误濪m��鬱W�鑶朤鰓亀 ���喃�≦7t徶趻*遧膙菥�嫅�栮漹�v委q顧
�q櫶V�?K�曃��篏k��.甙�97蹒�$夊窹烮帙癢�6��Z尠迯���?X嫊霞X嫊霞X嫊霞X嫊霞X嫊霞X嫊霞X嫊霞X嫊霞X嫊霞X嫈�2輞Q�,�����仲OㄔK��Ⅸ������E鵡莑鍆.t惹蒽l銠�苗i�齹�u��?_��坔?考�M�揪�伙!萭鱖�? 卟栨邚�焈��_痖s�����>?闯綥'��;瘃y�$*庼��||F遝鰑萈掃�烗煣��-;葀;貃��Rw蒮剣蟧��y眣佒[禊�?��焪�zP��G鯠羨�)∮�咥o�$����E櫤奋苗�酗r>秙谤溌辞���"0<<��
U鶠劬镛A�5滝?�'ǹ纞@芽�?�)�
��e鐥侯��:埜P弭�8;_(树茈I����鍼Lm��9�-/�9">�^w酁嫂嶅m筬��:霤e=>BH埠莋�6蘟�!*2咷偪J绋`�百魾��)�s��岢�恈l鰅/鹲o葢讨艇崾X� �絣谷�)�?m�
f#TL�=窀scb>[��=萳逤c[�鱺>妍L衋fOT徼�A�?U祂盆3紈N哥a1熓渒��搡f�=2l棾懰����哳�(��d>�_�jS穊� 潏P魔蚠m�y珟�荮�>溅盞h缞.#�曺���*稭繉N桺魔��C{べ鲘綇�GE/晢來�!漁��^n姑������
���6喲戦�-u/崌� G�'��撛尊Y�呕'|�1涕ERYU嫀课責訇辺鳯屺"�甥&��逦��i��嶉1荱L�缱霓�期diqq麴Y呥`t�亱鹃檽黝刽4>#��誺�韱5漤�历蔄>蔂鈷訰魇葇2甽斊Ov,��喜p@?娤H沄穱r熅&2H珗�j�-//o榆z┫��=U�鯎┧y籟萭旝#� E%�,~滟o虬����8+糢豳;N.|捼絘?o霞k=��裉98夋3���E瓖漭c"氱吃ZO#f��{DH磲撠J齓&R��揙;��u夆�0喯XB/v6v09薃��祮酳����ig躾讃�$s |q秵洞3烪H`��豲蛹耢f橊頁��>s縃馿W╠B弛叻嶴q颰Z噡O7澡烬x戋���缷kh�襳髐���鸬狎��锱B)ⅱE彐�旐(昼Z}繳aR輜�阑���}~傦曦儉怶\�5茦�
�爬蟆�艚≠�8;[萸顏誻"渐褿梃Ⅺ蓨���_桵�樽_1`F玿脶w[7+煱攠�裎橗1v'�战i澷
侴H釹娛嶠憑厦`�;馝昴�/O�齄樠麚��8�咷晔
掚fJt�#礴鷫顰~y$輳P�p鑯t4坹��窯瞶笵洗蟺0熋旋�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6��6�6��6�6�6�6�6�6�6�6��6�6�6�6�6�6�6�6�6�6�6�6�h�H�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6�6���6�2������������� �0�@�P�`�p�€��������������2�(����� �0�@�P�`�p�€�������������� �0�@�P�`�p�€�������������� �0�@�P�`�p�€�������������� �0�@�P�`�p�€�������������� �0�@�P�`�p�€�������������� �0�@�P�`�p�€���8�X�������V�~��_H��mH �nH �sH �tH �N`��N���Normal,n��dh��CJ�OJ�QJ�_H��mH �sH �tH ����@�"����pHeading 1,1 ghost,g,Ghost,ghost,g ,1ghost,Ghost +,h1,Chapter Number,Divider Page Text,og,Heading,Ghos,g1,Graphic �����@&�CJ�*��@�2*����Heading 2,2 headline,h,headline,h2,h headline,Heading 11,heading 1,H2,heading 2,Heading 12,oh,Header1,Heading 121,h g2,Heading 1211,Heading 12111,2 hheadline,01 Headline,Heading 13,Heading 121111,Heading 1211111,Heading 12111111,2 headline1,2 headline2������@&�
���#�@�5��;��0���20����Heading 3,3 bullet,b,2,bullet,SECOND,Bullet,Second,4 bullet,h3,BLANK2,B1,b1,blank1,3 dbullet,ob,bbullet,3 gbullet,dot,second,3bullet,Bulle,bdullet,heading 3,Bullet 1,3 dd,3 cb,3 Ggbullet,02 Bullet,bul,B,Heading 21,3 bbullet,Heading 211,3 bulle�,h 2,Dot����#��凢��勢鼲&�]�#�^凢�`勢�`��B`���Heading 4,4 dash,d,3����8��刐��勢鼲&�]�8�^刐�`勢�n��Rn���Heading 5,5 sub-bullet,sb,4���刐��剘��勢鼲&�]刐�^剘�`勢�f��bf���Heading 6,sub-dash,sd,5���刾��創
�勢鼲&�]刾�^創
`勢�F�@��F�� Heading 7���$��$�@&�a$��CJ$OJ�QJ�N�@��N�� Heading 8���$��$��勑��@&�]勑�a$��5�丆J�DA ��D���Default Paragraph FontVi��V�
0��Table Normal :V����4�����4���
�la����(k ��(
0��No List��J﨩��J��center bold,cbo���$��dh�a$��5��@�����@��center plain,cp���$�a$�b﨩���b��col text,9 col text,ct���d����
����@�CJ�.�����"�.��|col bullet,cb,Center Bold,col bulletcsb,u,cbbullet,C2 Col Bullet,cb 10pt,col bullet1,cb1,c,Center Bcbold,6 chart,Chart,chart��
�������@�劵�凟�^劵`凟�N��!�2�N��col dash,cd��
� �����k�@�劸��匌⺗劸�`匌�J�﨩�B�J���col heading,8 col heading,ch,Col Heading,8 col heading,8�col�heading,9 col heading,e,ColHead,C1 col heading,8�col�heading,C0 Col Heading���$��d����a$�
5��;�丆J�Z��!�R�Z��col sub-bullet,csb��
�������勑��勵⺗勑�`勵�L��Q�b�L��col sub-dash,csd���勁��匌⺗勁�`匌�F﨩A�r�F��col sub-heading,csh���;��B﨩���B� first,f,1����#��勢齘�#�`勢��CJ�> @���>���Footer���d��
���P��2���CJ�J&`���J���Footnote Reference�6�丆J�EH�H*T�@���T��
Footnote Text���刪��剺��d��^刪�`剺��6�丆J�P﨩���P��footnote,fn���刪��剺��d��^刪�`剺��6�丆J�L﨩���L��harvey ball���$�������a$��CJ�OJ�QJ�>�@���>���Header���d��
���P��2���CJ�B﨩���B��note,no����#��勢齘�#�`勢��6�丆J�R﨩���R��numbered text,nt� ��#��勢齘�#�`勢��5��;�丯�����N��oversized graphic�!�剺��剺⺌剺⺗剺�@���"�@��paragraph,p�"��#��d��`�#�T﨩�2�T� source,so #
�������剫��剈��d��^剫�`剈��6�丆J�>﨩�B�>��step,st�$��8��勅鸮�8�`勅��5��<�﨩!R�<���sub-heading,sh�%�;��F﨩�b�F��table title�&�$��d��a$��5�丆J�Z��!�Z��trailer,7 trailer,t�'�#$��勽��劆2/劵.劵.)���.���Page NumberJ﨩���J��TitlePageBottom�)�$��d��a$��CJ�XT@���X��
Block Text�*�$��剏��凜�]剏�^凜�a$��5��;�丆J$OJ�QJ�J䁖���J��File Name in Footer�CJ�OJ�QJ�^﨩���^��facing page #,fp�,�&@#$��匋��勽��劆2/劵.劵�5�丆J�PK�����!檗�����[Content_Types].xml瑧薔�0�E鱄鼉�-J湶@�%閭菐洽|廊�$�韶钵UL襎B� �l,�3鳛;鉹���得槣B+$��G]ミ7O侪V墎��$����┇最����!)O赹齬虲$駓@摪磔��/瓂H*��橊劥�)戅祶鬟粖譛Db俙}"譹蹕擩讞枻�肵^�)I`n蘀��紛p)���杵li筕[]�1M<斷�绒�彥O蠵擊6r�=�瘔抸纆b營�g吜��u崘S賓��b嘱€O缽嗕掘�肦罝郢櫉反qu 痝嫎Z岸串o~俸lAp發x妏T0��+[�}�`j�纂鹾絲A�帮儲V�2虵蒳朄鰍瀡分�5\|夻蕼汰Nвle瞂��d��s趈cs倭�惻7琊嵨f坊赅
肉W琊�+唻7爤唁`���陲g��葮稠J��雷j�|唫h(��驞-姷�咩��
dX��﹊J曝�(钼x$(���:隶�;渌�!��I_蠺到�S��1w犍鳢�?E����?勉�?ZB为m渼錟/魁煜���?瀪篁��誼Y�'奎鼀5�襣&螊/燑鲮蓩�>籊�餗丟e鴲艱��眢��3Vq%'#q����域娡$�8翚K�秊��敉)f檞�9:牡���澹
x}r��x�墘��渨⒇�顁�:\TZaG�*檡8I耲鎎R祈c|X呕��强絀
u3�KG駈D�1��N��IB�襰鼆�
眍R曦u楘侹>V�.E�L+M2�#'歠嫸i�~橵��l硔�u8z��篐�
�*���鏄�:�(�W��鈽�
~�J攘T鴈\O*餿H�G絸HY垫�}KN吡P�*菥甩眿���T鸭�9/#辐A7聁Z���$*c?�����韖U�咤n嗚w��N�蝴�%幓O��穒鑸4��=3��炯N��績)�cbJ
�u�4峦(Tn酸�
7斒�_?異鹠-贈皗U逄鰤B��w�襷消╪湐鞘�"Z���x娬J躗氺�p;嫇熟��劐辿�/��<��P;檸,)''K蠶踜5棝�騫邛苝N喦8�疜軬b�耬摨�
鸖撡d洯\17 阷鮝�>ОS�R!��枒
3晠K4'+�r�蘻Q
TT3I辈�琉疘�vt]K芻猥渤K#趘�5+�D���眽厍鄜�獱O@%\w槉燺鄋N[跮古9K候崢临q桃�g錠炆�n
R!儁+��篣蕁�;�*&�/H時��蟃邀 �>����>\
�宼Υ=.T摹
��觖���S; Z鄜��!ㄠ傏��銹��9gi槾咰ぺ�!���#� B鰻,欒;匵=刍,I��2�U�W��9$l╧嗒捋=�Aj挄��;�顊朅79鍇s*Y摈��;�浱爺[嘙C撣��県�f华]o栫{oY�=1k��yV骋V惺隐5E8鏥k+譁扑蚛8疴计0X4D)�!!���?*|f縱�
u洒《"鴛A谸T_矋�����帬q矁6�4)k诂u襐�7��顃��'尛%;嬁蟟膦9s�9箈懫�,熵趲-45x鰀娐�8?��菢蟙�/Y|t������&LI�L饾J`琛�&� �-G硉�/���PK�����!
褠煻��'theme/theme/_rels/themeManager.xml.rels剰M
�0�匃倃�oo雍��&輬协��勪5
6?$Q祉
�,�.嘺緳i粭澤�c2�1h���:闀q毩m胳嶡R�N壻;d癭値o7��g慘(M&$R(.1榬�'J摐袏T鶂�8V�"&A然蠬鱱}狇��|�$絙�{��朠�除8�塯/��]As賲�(⑵锑#洩L�蔥汉倪���PK��-���!檗�����[Content_Types].xmlPK��-���!ブх�6��0�_rels/.relsPK��-���!ky�������theme/theme/themeManager.xmlPK��-���!0軨)�������theme/theme/theme1.xmlPK��-���!
褠煻��'� theme/theme/_rels/themeManager.xml.relsPK����]��
���������� �������������������8����������@������€€€����饞����������0���(� ���
������養�
�����S������������� ?���������#�2� ���������刪��剺�����h��^刪�`剺﨩J�QJ�o(�ю��#�2���������������_y6�5F��V���蚦�06��<�����@�����@����Unknown������������������G��������������*郃x� ��Times New Roman5���������������€Symbol3.�������������*郈x� ��ArialA����������������Book AntiquaY���
��Harvey BallsCourier New;������€WingdingsA����������������$B��Cambria Math@
"�1�垬鹦�h��JK喫泫f鵬K&.c������������Y���������€�0��アS��K����哌���HX ���$P���������������������2!����xx��������Christian, Michele [USA]�Christian, Michele [USA]����欹�y� ���������bjbj���� ��0�遻遻�
���������������$�$�$�$�$�����%%%88%�D%�%Y'��P%P%P%P%P%+&+&+&�&��&�&�&�&�&�&3)���+��&��$+&+&+&+&+&�&�$�$P%P%��'�+&+&+&+&�$P%�$P%�&))
+&+&�&+&+&��&��&P%����@Xs��~������+&�&��&�)'0Y'�&�o,+&o,��&o,�$�&4+&+&+&+&+&+&+&+&�&�&+&+&+&+&Y'+&+&+&+&��������������������������������������������������������������������o,+&+&+&+&+&+&+&+&+&�� ��#:���� ��
�
�
�
�
������������� ���������黧腌腌腌腌���h�5F��j�h�5FU����h�<���j�h蚦�U��������������
���
��������������������d����.:p�����)� 班=!���"���#悹�$悹�%��靶��靶��愋��SummaryInformation(������������DocumentSummaryInformation8��������������,�VBA������������$倍�~��0毁��~��Module1���������_��USA]��46��Microsoft Office Word@�蕳1@�K詇M��@嗗鮂J��@[�~��������������胀諟.��摋�+,0���h�p����������������
��������BOOZ-ALLEN & HAMILTON���������������������Title�� ����f2��蓘����������\p Strategic Support-Communications B���a����=����������������
�����ThisWorkbook���������������=��<�x<��8�E�@���"���������1�������Arial1�������Arial1�������Arial1�������Arial1����������Arial1���$������Arial1��������Arial1��� �����Arial1��������Arial1��� �����Arial1��������Arial1���������Arial1���������Arial1���������Arial1���������Arial1���������Arial1���������Arial1��������Arial1��������Arial1��
�����Arial1�� �����Arial1���������Calibri1�� ������Calibri1���������Calibri1���4������Calibri1��� ������Calibri1����������Calibri1���������Calibri1�,��>������Calibri1����>������Calibri1���>������Calibri1��>������Calibri1��4������Calibri1���������Calibri1���?������Calibri1�h��>������Cambria1����������Calibri1��
������Calibri1��� ������Arial1���(������Arial1���������Tahoma1��� ������Arial1�� ������Arial�����"$"#,##0_);\("$"#,##0\)��!��"$"#,##0_);[Red]\("$"#,##0\)��"��"$"#,##0.00_);\("$"#,##0.00\)��'�""$"#,##0.00_);[Red]\("$"#,##0.00\)��7*2_("$"* #,##0_);_("$"* \(#,##0\);_("$"* "-"_);_(@_)��.))_(* #,##0_);_(* \(#,##0\);_(* "-"_);_(@_)��?,:_("$"* #,##0.00_);_("$"* \(#,##0.00\);_("$"* "-"??_);_(@_)��6+1_(* #,##0.00_);_(* \(#,##0.00\);_(* "-"??_);_(@_)�����"Yes";"Yes";"No"�����"True";"True";"False"�����"On";"On";"Off"��]�,�[$� -2]\ #,##0.00_);[Red]\([$� -2]\ #,##0.00\)�� ��0.0%�����[$-409]d\-mmm\-yy;@�����0.0��� � ���� �� ���� �� ���� �� ���� �� ��� �� ��� �� ��� �� ��� �� ��� �� ��� �� ��� �� ��� �� ��� �� ��� �� ��� � ���� ��� ���� ��� ���� ��� ���� ��� ���� ��� ���� ��� ���� ��� ���� ��� ���� ��� ���� ��� ���� ��� ���� ��� ���� ��� ���� ��� ���� ��� ���� ��� ���� ��� ���� ��� ���� ��� ���� ��� ���� ��� ���� ��� ���� ��� ���� ��� ���� ��� ���� ��������� ���� 攆f������ ���+� �� ���)� �� ���+� �� ���,� �� ���*� �� ���� �� ������ ���� ��� ���� �P
� ���� �P�� ���� � €�� ���� �� ������ �� � ��������� ��!� �`�� ��"� ��� ���� � ���� � ���� � ���� ��������� ��#� ��������� ��� � �� ��$� �� ��%� �a�
� ��&� �� ����
x��@ @ � ��
�
x��@ @ �� ��
1�
|��@ @ �� ����
x� ���� x� ���
p��@ @ � ���*p��@ @ � ��
��x��@ @ �� ��� ��@ @ � �����x��@ @ � ���� h� ����"x� �����x� ���� x� ��
�)x� ��
�!x� ��
��x� ��
��Zx�@ �� �����|��@ @ � �����x��@ @ � ����*x� ���� (��@ @ � ���� �� ���� h��@ @ � ���� �� ����"�� ���
p� ����"x��@ @ �� �� ��8��@ @ � �� �8��@ @ � �� ��<��@ @ � �� ���<��@ @ � �����8��@ @ � ����
x��@ @ � ����&x�"@@ �� ����&x"@ �� ����&x " @ �� ����&x�"@@ �� ����&x""@ @ �� ���
p��@ @ �� ����
t!�@ @ � ���
p��@ @ � ���
p��@ @ �
����
x��@ @ �� ����
x!�@ @ � ���
p�!@ @ � ���*p�!@ @ � ����
x!!@ @ � ������x��@ @ �� ������x��@ @ �� �����x��@ @ � ������0��@ @ � ������x��@ @ � ������x��@ @ � �����x��@ � ��� `��@@ �7 ��� `�@ �7 ��� `�� @ �7 ��
��x��@ @ �� ��'�"x��@ @ �� ��� ��������� ��� ��������� ��� `��@ @ �� ��� `��@ @ �� ����(8��@ @ � ���*p� ����(x��@ @ � ����)x��@ @ � ��'��
|��@ @ �� ����*�� ����)x� �����
x��@ @ � �����
x��@ @ � ������x��@ @ � ���� x��@ @ � ��� � ���� H� ���� h��@ @ � ��� x��@ @ � ���� 8��@ @ � ��� 0��@ @ � ����
8��@ @ � ����� x��@ @ � ����� x��@ @ � ����� x� ��� p��@ @ � ����� 0��@ @ � ���1� |��@ @ � ���� x��@ @ � ����
x��@ � �����x��@ @ � �����
���@ � ��� ���@ @ � ���
���@ @ � ���� x��@ @ � ��
�
x��@@ �� ��
�
x�� @ �� ���� h� ����
x��@ @ � ������p��@ @ � ������x��@ @ � �� ��<��@ @ � �� ���<��@ @ � �����x��@ @ � ���
x��@ @ � �����8��@ @ � ����0��@ @ � ����� p��@ @ � �����8��@ @ � ���� 8��@ @ � ����� 8��@ @ � ���� t��@ @ � ����p��@ @ � �����x��@ @ � �����p��@ @ � �����x��@ @ � ��� t��@ @ � ��� p� ���p� ��'��
|��@ @ �� ��
�
x��@ @ �� ��
1�
|��@ @ �� ����p��@ @ � ��� `� ���)p� ��
�
x�@�� ����� x�@ � ����
x��@ � ���� x��@ � ����(x��@ � ����
x��@ @� ��� ��@ @� ����� 0��@ @� ���� 8��@ @� ����� x��@ @� ����0��@ @� ����� x��@ @� ����(x��@ @� ��� 0��@ @� ��
��x��@ @ �� ��
�
x�@ �� ���� 8� ���� (��@ @� ����� 0�@ � ����� 8�@ � ����"x� ����!x� ���"p��@ @� ���� x��@ @� ����� 0��@ � ����� x��@ � ��� 0��@ � ����
x� ��� p� ��� `� ����p��@ @ � ����� p��@ @ � �����x��@ @ � ����(x��@ @ � ��� p��@ @ � ���� (� �����*<�� ����*x� ����(x� ����*8� ����(8� �����8��@ @� ����0��@ � ����
8��@ @� ���"p� ���"p� ����"x��@@ �� ����"x�@ �� ����"x�� @ �� ����(8��@@ � ����(8�@ � ����(8�� @ � ��(��8��@@�� ��(��8�@�� ��(��8�� @�� ��(��8�@�� ��(��8�� ��(��8� �� ��(��8��@ �� ��(��8� �� ��(��8�� �� ���� 8��@@� ����0�@� ����0 � @� ����0�@� ����0� ����0 � ����0� @ � ����0 � ����0 � ��
��x��@@ �� ��
��x�� @ �� ����"x�� ��
�)x� ��
�!x� ����� � ��*��*X�� ��+��"X�� �����(�� ����� @�� �����(�� ����� �� ����� �� ����� �� ���q� �� |��|����窔檥�A}���
���00_)������ef�[$� -}�A}���
���00_)������ef�[$� -}�A}���
���00_)������ef�[$� -}�A}���
���00_)������ef�[$� -}�A}���
���00_)������ef�[$� -}�A}���
���00_)������ef [$� -}�A}���
���00_)������蘈�[$� -}�A}���
���00_)������蘈�[$� -}�A}���
���00_)������蘈�[$� -}�A}���
���00_)������蘈�[$� -}�A}���
���00_)������蘈�[$� -}�A}���
���00_)������蘈 [$� -}�A}���
��00_)������23�[$� -}�A}���
��00_)������23�[$� -}�A}���
��00_)������23�[$� -}�A}���
��00_)������23�[$� -}�A}� �
��00_)������23�[$� -}�A}�!�
��00_)������23 [$� -}�A}�"�
��00_)�������[$� -}�A}�#�
��00_)�������[$� -}�A}�$�
��00_)�������[$� -}�A}�%�
��00_)�������[$� -}�A}�&�
��00_)�������[$� -}�A}�'�
��00_)������ [$� -}�A}�(�
�����00_)�������俏�[$� -}��}�)�
��鷠�00_)������蝌�[$� -����##0.���� ���
���}��}�*�
��00_)������ゥ�[$� -���???�##0.���???� ��???�
��???�}�-}�0�
���00_)���}�A}�2�
��a�00_)������骑�[$� -}�A}�3�
���00_)�������[$� -}�A}�4�
���00_)�������?�[$� -}�A}�5�
���00_)������23�[$� -}�-}�6�
���00_)���}��}�8�
��??v�00_)�������虣�[$� -����##0.���� ���
���}�A}�9�
��鷠�00_)�������€��[$� -}�A}�:�
��渆�00_)�������霚�[$� -}�-}�=�
���00_)���}�x}�>�������00_)���膊��霚�[$���膊��## ��膊��
��膊��}��}�?�
��???�00_)������蝌�[$������???�## �����???�
�� ��???�
��???�}�-}�A�
���00_)���}�U}�B�
���00_)�������[$�������## ��}�-}�C�
����00_)���}�<�}��
��00_)�����[$}�P}�€����00_)����[$
���##}�d}������00_)����[$ ���##
��???� }�(}������挽00_)}�(}��������00_)}�(}���
��00_)}�(}������00_)}�(}������00_)}�<�}���
��00_)�����[$}�(}�������00_)}�(}�������00_)}�(}�������00_)}�(}������00_)}�(}������00_)}�(}������00_)}�(}������00_)}�(}������00_)}�(}������00_)}�(}������00_)}�(}������00_)}�(}������00_)}�(}���
��p�00_)}�(}���
��p�00_)}�(}���
��p�00_)}�(}���
��p�00_)}�(}���
��p�00_)}�(}���
��p�00_)}�(}���
��p�00_)}�(}���
��p�00_)}�(}���
��p�00_)}�<�}�
��
��00_)�����[$}�<�}����
��00_)�����[$}�(}��������00_)�����������癙���������������������������������������癙���������������������������������������癙���������������������������������������癙������������������������������8�������+���������� �!�%���8�������
��������� �!�%���8�������2櫶�������� �!�%������������癙���������������������������������������癙���������������������������������������癙������������������������������8�������+���������� �!�%���8�������
��������� �!�%���8�������2櫶�������� �!�%���������������������������������������櫶���8�������+���������� �!�%���8�������
��������� �!�%���8�������2櫶�������� �!�%�����
20% - Accent1��M������
20% - Accent1�����ef苕������%������
20% - Accent2��M����"�
20% - Accent2�����ef蜍������%������
20% - Accent3��M����&�
20% - Accent3�����ef腭������%������
20% - Accent4��M����*�
20% - Accent4�����ef溥������%������
20% - Accent5��M����.�
20% - Accent5�����ef陬������%������
20% - Accent6��M����2�
20% - Accent6���� ef������%������
40% - Accent1��M������
40% - Accent1�����蘈柑������%������
40% - Accent2��M����#�
40% - Accent2�����蘈娓������%������
40% - Accent3��M����'�
40% - Accent3�����蘈劁������%������
40% - Accent4��M����+�
40% - Accent4�����蘈汤������%������
40% - Accent5��M����/�
40% - Accent5�����蘈忿������%������
40% - Accent6��M����3�
40% - Accent6���� 蘈����������������������������������������������������������������������������������������������������������������������������������������%������
60% - Accent1��M���� �
60% - Accent1�����23暢��������%������
60% - Accent2��M����$�
60% - Accent2�����23跂��������%������
60% - Accent3��M����(�
60% - Accent3�����23淖��������%������
60% - Accent4��M����,�
60% - Accent4�����23睜��������%�����
60% - Accent5��M����0�
60% - Accent5�����23捦��������%�����!
60% - Accent6��M����4�
60% - Accent6���� 23��������%�����"�Accent1��A�������Accent1�����O伣��������%�����#�Accent2��A����!��Accent2�����繮M��������%�����$�Accent3��A����%��Accent3�����浕Y��������%�����%�Accent4��A����)��Accent4�����€d��������%�����&�Accent5��A����-��Accent5�����K��������%�����'�Accent6��A����1��Accent6���� 鳀F��������%�����(�Bad��9�������Bad������俏��������%�����)�Calculation����������Calculation�����蝌�����鷠�%�������������������� ��������*
Check Cell��������
Check Cell�����ゥ��������%������???������???������???�� ���???�����+€���� �������Comma���,€����(������ Comma [0]���-�Comma 2���.€����&�������Currency���/€����.�������Currency [0]���0�Explanatory Text��G����5��Explanatory Text������%�����1€ ���:���� ��Followed Hyperlink�� 2�Good��;�������Good�����骑�����a�%�����3 Heading 1��G������ Heading 1������I}�%������O伣�����4 Heading 2��G������ Heading 2������I}�%�������?Э�����5 Heading 3��G������ Heading 3������I}�%������23暢�����6 Heading 4��9������ Heading 4������I}�%�����7€����(������ Hyperlink��
8�Input��u�������Input������虣�����??v�%�������������������� ��������9�Linked Cell��K�������Linked Cell�����鷠�%�������€������:�Neutral��A�������Neutral������霚�����渆�%�����€���"������Normal��
;�Normal 2��&������Normal 2���<�
Normal 2 2��
=�Normal 3��7�����Normal 3������%���� >�Note��b����
��Note������������膊������膊������膊�� ���膊�����?�Output��w�������Output�����蝌�����???�%������???������???������???�� ���???�����@€����$�������Percent��
A�Title��1�������Title������I}�%����
B�Total��M�������Total������%������O伣������O伣�����C�Warning Text��?�������Warning Text�������%����X�����TableStyleMedium9PivotStyleLight16��8������������€€€€€€€€€览�€€€�忉�=棷�,览�稊�����忉�=棷�,览�稊������������櫶��櫶虣��虣3f�3烫櫶�����fff�枛�3f3檉333�3�3f33�333\������`���
}&��Cover��_:��Purpose��DD� Dashboard��Ci��General��_���Oracle 9i on Windows��馀��Oracle 9i on Unix���
��Oracle 10g on Windows��rF��Oracle 10g on Unix��蹐��SQL Server 2000��奚��SQL Server 2005��H��
DB2 v8.1.7��0H��Out of Scope Controls����Sources��蕅��Legend��寃�
Change Log�����������������������D�����������
������������!���
;�P
��!���
;�V ��!���
;�J
��!���
;�W
��!���
;L
��!��
;�R
��!��
;�M
����
�_xlfn.IFERROR���� ����; "
�� ����;L
�� ����;���������8�� �痼��疣�h�e����,����e��������F
���
��� ���x����������/�鹧€���$�"�饾€��x\ ���\ 沐�N_�y€�@=�餼€x\ ���\ 沐�N_阡��5���\�����?€䎬�紉uT訽拂�%�)拏H�HHг�H梩(�5€tw#0�( �
㈣休滳�5�;茺鼮甾鳢鳢w<s鯺kf��`從?�腵�圬�<>�(�6禥�/恘�匋�4��$��3H���;峊�恫�d���孒 咏@態��!e"$P壓鎽�P嵻��彵FH�#���$��x倲�堿
邕2�2�?v^)�蕝\帳O捪ぐC��黐z�譖!亱������R BB��$��`E蕪��葎�S&鶙◤y㑳��;れ�4>跁���愳邤鴋D���&Y€�蜣?����"�*(�&p帀聲+�湙X�=陮软s�:曹嘪のR&惪v0{待��
�
6 �:�蹰馧劯�O咼垇妸妿唺䜣
X}� 霍���y�哈��F顥.kc鰔椚頄睉u愗[櫻!�}s�$XF�找�€溙�翮q�讼惥莁�$�{��c�め9�tH(�)�>析銀� 垳�8��<襝\�0P伳鉒rJ�,H���忬鲽鵲麲茤�`0"闵恱滖]�2�?鬶婻�*忏�<�#疽[9���+鞍�肈鍍~ �簫礆4P�櫀yV傇q溸昊�|��+ J1�'�`�(蒊ky���揨]<83笠�韇瞧w耿�*殜犖��$E倌n�%甤CueJ箞�#)胋 �8<9毋_!隦!S�&糠1昗竻dpw9収A埕��1��灬f�#矡7纭鮇Y4鍕h聡浬睚瘘��a鷆嬻3籗膵iㄦNh胆荟芧踗T7彙$!′垅滭k蹼V�€��枼t'垹籜苧
-羮{u阸];酺滓 WsE�B��灛m暸9�5~疩d{��&x趈殻s����潤狰\>9煾5�vd㑳!�;e砼�髹U怰4鱟絽跔�B傩H躞蹕YJ儙���9$ j��罓愐v�#?��K�%x�;��j�wtc�9/���;闃rD�r�须nH$fE'�x��?�7�*�7閜曥��M勌x摛螚.瘌買@甛<囦餸O"橣��
v��闥���怉�湭氣$孑��榷&I�,G�3�"旉&�/>飞测錭颁頦�-��艒氲'膔鏃5��鸓翈摼原�<渠頂��俚A働UY3鎲Q狱消�w�'粫9€7t�?�"���tA�:u蠑{�疄h�0鬿c⿶�u躤�-�~4jbY����7丏�t蕶F齑}���;痏^=鵋E欦L搓XbN胅廤'�D簉�*壜;��-���缬R�9革鈰&�R鑌�K*y� 蘋噴�-kq唅h箪类p��~9CTE)Nu/礆�>�6+繂冕��*���惭�钮�%测縠蹿�<偐�鐒^n諺鲸�,$��S������踵鮩���爳惭调��/�>X苉�Ax} 艚6=�O昱+骚�'�+晜�P眜c]d(���.彛�嵮!i妿珆O���H箮嗏m�方�=嵇��輤l`!O�/��>� �舗āZ\E暎V劰�<�"~4鈰阪璧蘙拲谟�KE|鳈C:��7溝�熴N隻秺A芋肁膋���3.wJ蟽+祣�5�獦鲠傺�/�覺念fY��a吀窃t�3Ii�熊^���蛇V=諷��鍉Q琏雐T)桬`F4閚荌R�I�
4#sYis沖L|鰋捒Z�(峓�鍞荬底¨魠!�^J>ku階癊zv芫x鮫疏揊:��翬/w苞�5|)}2��貌彔��皽�=q裎�y����"B瑔��BR>�%呶�=芀:睃龥�趇膆箙燢甆咓�"��嵑鎪肠蕍蚕岩���3�辞蚕楃&<韶�.j]�q鎨o晤侱曦���歷�:鱘燽w呔!"`o咠{蛣sV h驶��觵t@#885厨魔坧���>ez�9件##\B09�3巍d"gu�7��Ax�# �
4�y�紮8r�m搽偓v|^^S��x迂#讯hr螴�w鸖��|靯q仌N;_.�1X版
ヾ+慹2d纕8d鼶唎鸝傉铨。邨i�7k孤�\�=旎S
�)~抂~��]Vi��N儢�$跽埩��i觔��荋岞�w矾唉3迭w,=��惪��澠�#腖o��灡�2向搉n內qd親o�甓柁r鋸g蔄�t�?鴊!8濨R櫜@cmm責�2
赨鉿�糚���駞瞃��K鴥糮P掸��-涫幃珙^☉�2ア<Y@�4CB�緱DI����O7+�狇沰3哘��柧q!�-抳��07��浇�7a鯄婃ク嬜���0熪兖县捂�綜鄀颒jB.嵩.LcT鼊廂am'D��瑄氾褿蘒2@踈Zn�翀溝柚�雪"疾暳GΡ源sWwa���gCe踼�钥祯�
#��盾(~〧%"v愓u畍jvmvTx@践v洃惭颈�!惫��3"嶍6濒:触硆��词讗��-�(�擫�姒�闯奥倯踨H瓏䦆�!魟� =u��9��┎��~,��U��躱��槭孨?a=SA衁范+�淡�鲈��螿鱳2躂爂翘[,笺ч浍h1t犙�,口繿峆���Se�="�p揘闙5rz獙輪��Q.棢T�渼I�����$讫_E萼祰IP~+ 粢I+e瑜嗐霪歨銋
�m� 4Pq膔峃��桴m�����-焩Rn�,N黰�;c/毞$D兟瓺搉��l~N漚�珞痹踱�
簁厹杬&讏0兂l��晽K桟M誚婁梪2髓論た滾[2t�-�&嚒:�V昶+s熉禹��A释询�;畜� Ъ婭芖�3��j��帩蛪镳a�,涗/[ゼ棊/轻�晥r︙昺楀2钧齉�5Nw��6� M��8黍紂��馵G�}M阧]梞
麅:典�亻��贷�.C��]薁P<��鯖8E]B�-駀����
u�*0xM"嵨賯鍳霏 �yD鬦�N��'蠯�"2蚱���+h$`�.嶣7#J圌
b瞴7� ��狌內��_v釩т燿鬤�5U{g皟漽Nx�縼穄霩罧戋�.g斧祒*�%)?払��Y鰊G�a箝攛�蹆+�
G�
鰯籪g猏蔉>a歽$���稦犥臺贌禰暓韒�|邡�E滟蘗Q}a螻��柜6��9�贚��瀯碾壥蹙r桫�黂巫媟���&�2v帄�/x颋*陷ど[{a.�\R秕gX姥1Z銷�=�MU卨6�/o鵹*R箌髬�&#�漡$�而蠱韫��i浊5縇 e�洩�4砘$y�橆��曭jP靯z�5项棩�*�靄s寘+胣j︶3脈lN荈:�麕05�皽|騍拆€痫谲:藈7Q貣�>SW岜?H厹蚖�,%=愶(�� �4)nasB{f\晶禲��來磱碬�\�瘘滸崧2�-~6唠彑瞿�&|︙mm釪�0苤I�����孬婠><�>Am锾甚I毕�
澠澗�廕f
��#��.{鞝�9F��而跨磼Svc��]凫衋秢MAgl�缴}�Yb�?A���r鰺f�,蝊q梆$��闲,yh(E��Ym+e�夀J峔娷�R�2$aj慇�KD粨g�黷���鳷�.�2鉽���﹔jO盠2H軯(��巈覇c標���L顸k�*�f.杼 顂��2℡j熵IE#I厃儇W�掙泯馀�.�哢^�D钋sRo圣~删��夼�咐x鍠竝缁;�銝⑥�8����8v€:�"矉 翹�/��確o/l<`��價q瀂.���#"漞�x騿釧洑~$9嘐T�踳鬕楨伯�#�X斄[懽繵D�0�3�/噒TQ�浸B�FO@_>�肅�0鶞~賙忷矼1�颧w�蕩砆`�价��7��㏄Uv囧�幬x9耂�..,h镋 俧耴*jA-(篷>3�;鸲��sx劓
猬�/�$=��炷榌pu(d^?�c��cV,Q~I�]q嫁椨嫨��珣[F�&�跚稶d�"齣L�ごf�(藱M�硧�>�竼9QP渺猡+~Le��iJ繮��€_ 惇袩.�2^嬔��7[拪m嬫媓L)$(�(:Z?怂Y n;圎`eq�鴮�>��@,洈職╠妷(*���'�KP�s�箆N�Go�>D阢寉��鮌庀��W孿u7洀mト=戫WH絉瓊��矕�釟i��'��$Ts�龇弼賖扳r嗁� 勝b粈�-7都:H 6奦��%€门fK%+�"�硯欨�,C�萹T/�\波z�7�!鹋�嬷暗k���5:P溺�.��@謮��F汯蝉絍qd藕��k擦9�$~璑Iq�
L屶?�y��~臽x<����股€E�5��墬��7 a裂]楔�4
巰罴lU筹3擼荍�歧�2"蘪|姳"w郒B裶^��骱�=鱃�=�T歞�%wp�坁pitI赯�(uK裒v琵X�R'櫦u�eJ紅 �汴�溮��/箾僐団矿朎麼觉财懈鉷喾
q�$0��璂墙����ы�'球:
X�B���g�@蛥; 0��趒脛^P酰煚檬鏺 !�>�
uC殼裗LxB誩w�\6/u\zS~�撁�)8�"�
d倉~y啇熧燪G��n嗷亦6躲��O��鎗舛�漈專W簔$F跪�;�6��)澁绋唢綔$��磵揪z证!
��p��?幡#7鵷�利4款m)訴3PF�昑�揯(※荹儞蘼�;����)�7晘7孢�腂�����c1羭1�
y屵�/↑鞣�[o�� ���H\K訴d痴i]n$絺'a謄SN����屨馿暆���嬩�EX�"v宫缭嶞`�+贈愂-笢é�﹚徎辶谧5�B鋉xI做鰄�e
t.鮮瞿� 抎^C單逯U鸎驰醭牐H挅�睉�¬嬅�;?袤(rw�>饞\@澆情sm�?!����&�R厒,腢酏邐$╧�謊T�€��%耜xF綜N糠垄�R䏝iY.: _&C熨膐~%W≡鳀酔詼F蛰���=逊~
h僸�基�叇嚧M蜊��坦W���;4<鰕�厑@�?BDI8�!�*r3!_窙y箝烪貄汩*蚎藅鯍+懽t鏐€樨&�0��c99�4�<�0嶦K蔐艋鰬�+�T?#ˉ�#3-�8%�M�Q�:L櫝鞄}w啶�>�T價睽x}食�嗷��氵F転螙鯹pF@€糗R�o��碹��﹪cT青C噈%2�����A%�2⺳��*惥絇w�Ag����論q��巃龖鬺)�祒�B�#nR夺�2榹駴馉�(惚 ��匮���3!�6缮Qi�/粛HN欁n梲扛�轁Сbm�蘂鯢�ゅ趍@遒膯璆僑P峲I?TG偑��襻�隻C鼴_鈁R瞋�珑翏籒g��偶�%z�,趍碞嵀�
S獕叞�-7F���L��畚���;桫(茢��纭�n沰4辚^���m疜x煅|#螫?�#蜽,;谸C卪�鍰;��6'���△姜檔�蓐扫16袑0平騞u�
靜�9嵑畍涔H)�塠焋h筼�0珬墱溾b姕hM躅�B9|!?舥副/1���u肮踺酤� ГhX螙�>澛d𱓖J扄谋���ns馼笈Sf壜-偬蛗�?澎�梶Y��n��
�4x筏H抙瞛B��栫.妹Z狅"傿��4X!
$湑�1煎c殨a?��攪0b緽� F丁[cK庾V��轑L�$┰ �"4I潃�@兂�;z�涅酿g鳬哸て劙咲�"渭���驲j寉qf�2註爸閞#蹧O|0齈蔝x斊k�n�<仠泪駰T鞮 GGp�1C扒U方�聴f斫L�鎐+�>5[豧� ��鰓y燽��8狟o訵軈�����鲡Mw贜璀樖咄詿3.[
合��* 鴭��$��/zw�:�窕檮f�Tz倔贶輂?骬��:猍s捕G恩J圬斝`;烎%蚿眀€怯1�nHub徸UP齨^z蟯�熂��O噾礨柃鑧^�x諨媜X.j╫6ㄅf�;勶蠲薜���朴貅\}篗碤�
艶�;�!蛨"AuA櫤;�驛��冂�
磦�銎f�J��
?蜤"F璛遉�哵�L熭=兇殾毇0勁A衙�'�:��(VqG�w�擱2���:|A袇��獅臸*翠G;.(�t斣,鶕攔��(%A《j殍��_診3Pliz烿V偪布皹j栺@��艘�剂���鏬芟���橺枚 b蚔�?0d�,6� Y��頯N@�"炾�*,卽�#���"硚��x^.jXe<7邿螋儭�絚�,糫E:��"鼛ぎ�忽-OQ屦# �*配*栵}J磗◎#�;kD蹫:�,s:��唵袐��顏y�6�&€�.剗t�鉅燖逕舵p����g鯧砛w�Y�e挍)�鹴R早!�
W��"��v��裋/e~�璘䴗"嘨ub
��[x�%�濾岸)��ルM7��v灡M#A轾V餎E�1���匊� Un€]����r覲膯匽k�y�G5葹+�墥�'���QQ吹揥釺痬疨镎儺$/?�0s吅竀]~磻瓶�龄莞������玊e缚�&幙��溫�g賆�,)僂隗┄Q幭輪z�灗YP楽h瑽']oe撊婛倇�=杷嫇9疏峔|��9帥MK璉y揪b揯}蒏SM�炵��? b
輭燊� iK��俥����咽躗x彻��U���
�RV_��8�?
蚇7��E蒶刨鲖-揞�3V搯�F�銢W�褮螳鰯js翾P�0浧�赹C嘊��証�7�3Z论8%柫-沰ы�g憫*灀��凃�菚W盱猅討V4��Z滐衦滼?媫痜俻垕外K�馣擩坕痜i�ha坍絭��泀徝))蜾}#Vp趄4F�$�O蟛殩w�7I~娐ce.l灝�%��,x��淠崏AT焬}��Vq��P��喖�� 矜���R�!N8�"砢�禢x袢�\h_肦Χ鱲X托诜7泗揂螏& m鬟毹6zj�紶b禍c釟辿>[ㄖj?EGN佖q窴?�S;|蘥L�|縭輰朮�媋"#漺ょ�鎀ku�8��-p阠聓嵿��{|寉~N衶"钦岨鞲+檩闺 鵒鰏u�>[汉,%w蓰�7�驏B崡ul
涜鶾�%�8�忌Ig��g�騨`�'活■凬鏬3⑽o����k氋V_�*?厡�否Fug�乂轸耹$腐�+z牫�dc翾Y'��$a菪�_Dl絫X鳑镸&�=r觓裻�K��馵矆L毩D锲裟�<��萮-迎虫鸵�*鶍xD軴楿琮佥q��旬:6��
7珩��>��`h甘o氷�����
釖�$胫S獺C碩,禎煲&�磱T� o澱f���旘鉞����?\o抹萉%��貫娐羥�,]6�目黖n 溻�/��O谠痤髨j�1�
迥氾�%]��t�;V^趺簨JEg遟EZl屉簒[�7��氉頒缘�>e{跫硸g駿濓1悭1��蛣覕�G�� 膋_�"燁Г6~炞楧?�唸瓡Q鈒剀�.哏Rt�伺
5'S拂\S�7饀垐妝��V VV溅�&�犑縢vQ艡�2W駏妋^~m茨�鏌礄欍㏑�;《�O嶹郞氀裳龆\�;�緅镃秳返维鼵��ow�+p�樖F
J ��屪�~鏤1W鴏��仄歽�yX�=[z夑��.鼴?讑3�(!�.*硽�`h勖 �!�嫬戞_&�會�鑫�.︻�3沾7
匟�,ei{li#�I�蜇藮J�撃僁咊匾dkyB懘蠦Z�%B∫O�3蛂锕w︱睇}~钏哥瀧午|嘻|蝪�97u礛澛��*溔���=襆⌒����炿黲�揿qJ��:嵭<酔a潆裷⒓Sg潓h�>eq輋�鮾.tn��筽鮞搉绀9堵鍓ZV/3�"�5�偏鈱\~u獓m(o扅d^椈yR蒢�
����(樄o�惜v稍絥=_r瑽�#�呻3稯8:�磒梼A駠塟'飣��gjm��0靘┾?蟃4+z骂�&膛%N稸橁溧2碓酧�+�2gu��槗y搖_e
D���W墨+詴呏往KQ�俆鋺l�,襱挮売脤謯m葭�攺�邕>迟菽%�4础濒<З潚駰NnTPj.竢鈽陒�S��,邔�1闩=���+韸麋濔眈=�qY�蚡�艎ro┷��S俆��V閛,鵣erty兄�?j鱨:睁i镪踋�7宦瘨w介锤
���鏘[��藩夷葶铦擸�脍韝u玩繘恤エ嬶钕挺Za��れ�n�23髈��雫����Wd醢~�(y呯Ag迨釴dZu蘉iY}蟧gx娕v�935蹴氙羽h政5瑶d桧Z秸冨'+&仞�育^n~詐姥d秿嗙脘 O傼暕-鉕彄谛祌c彪k飌腔{�-My�.L嘶s宥kY嚛'_D��嚳��=鎢;℡f蝾0睞坬肑笱肟��8d鮁擹_忖�c琛謸�揀�憿k�b7掫d�,�椨∑怨K+.黷嶺騏�2X9��QE�4窓轫徯髼?���6鍻捺�頨遷鼠凋�1j
")嵰崠G淸�妦�韡頕鲼珂詿q6�3JJfM高:莏����[F薖Wi寏��<谴Q狷赘浨b傚橱蟱坞瑧黺欬c������W尥諻^�;俪冒犏I� ��+2�;D)�0�眎蕮辿箶壁灂�7K��\}1U)躃醝廹�险恓缚�'燉�)h_��鍪}鼖6�剑q玊妝��JK祓輂#�=�*�7諸�呝遦*���3v5哦鳓w'讣絊2唪�1S!楑UEK隻��l婌覕G�
鱵齶;2诽P峢W�觎�1栦7鳄{>_'oH�;nfXxxa=#3仏€鲆煻2濿J}���$?幝]ST篟8扛x谙8ce遞鐼騠邥M鐬R�硘U'Td薀t}枸]C�2-�?f炍■鲊7 � 啑u�
疕増S
p�礚p��5瓘褪G暁uel7�
逘状^霕棼f譏誀◤≡3臋8咘G�����K\肪�嚊晹R煩敫j憱幀#觞2�6�杆
褞酬"�掆齡琂槼Qny��諀茩� 鋖瓋�UzuG彭藍eMmL_惢�熀��.p蜽仲郭彪緸x)n詄x搔0潦F!o]Z纖%���(+��YAM3�&9O�?S婶HJ講孜癇1壺���Twz~��kQ尦����j5>z駪�劬夥痥毯嶝菁W3祡��鐡�焩m���� ��灿哚�!蠹鲺窆+嶟咕3耱J焉啿蔤Y�="��l]玔�6緙d侃�鮨j暼"�59鋓譶�,xT�C��k槙�-�)圬谐C�)栩�&
��仙崄
+'>q _\_�*V鴕�顇QQ�4撌6iノi廪��?�化l賅穳7p镐n紽�;A陣玳詅懡轠J沷��,鮞p{閗韐Y� 祩����ge壽L�;�$>)鲍賿翱�.;7�尽硷厂"狈*耻调%痴/祕拨�:睃痁菫袄萙"拣���之ū�<@疺v鬔Y紵ゐ���.�<��捂泿-}QP�役r1m胼鶺k众 n+VqP峖zC2�:U&蠌4齭獩�n��7�雜R�|�8猳�朝枸U鯀[gJj氲/頬�1JJ� 秓贷��g�V�.г鳴+)箔�9W�'閱碮糽刚��焅%�痌d5蜟U~r�a┗掩W{]趘$蚗笥懦+�8頍5��憔��╉1*比�其澢9腭蚫拥�"&畅蒓奥鵷湓%别�.�.�5�=�3ぎ幧�6斄尘=壹�3诲锼����剰诲58?4樰蹾�"�"��鼒焭惭��词荞摆惫䴔巜�朩笔�鵞�-*=6�惫搁摆軳涩鄫尘7崃櫾%攻4筌鵴坏漭�>7\疺Y栮W豤�=n�5避踺蘔!諄 6礣5猹?_攖�騮�E瘲;V�'暀��閠�;�燊齢[嘕攈#%f+蚎攺镚藌縠� ���78�,X}队H又4b湣絆p讛粷媵d綃瀯�
^U7徬縧N讉^颷滅>秇雚�砺擋�痡xM樋龖k}j敡��J墧K!狐!=�嵥�M艔"�,N緋甄Q踢抮y$
�.-菑j�j戾 �飖[$��嚣yn.n)抮衘z�:�2�结^丄��
嘜:箟�飙9氦恢yvc玳娖.���3鶡綥W蕼muw靛冴X迒笫晴賦���闔uvH荣包鶞;)蹙�)��稤P饭贔6詻�Y�'r鸬�5差媁7飘靝no稾b^鋉f噁慰>办覍汅13痴沢琎!��黫骵鼡鉟��窜����<T齛y嫔�嫴垲sg]�$E��媫�2>��猚�lyv髵歪T7J啣涽瞵T=矻恸5M耮cB;v鐪9y餇葟ゥ矈檱熦塝瀂zSi��鯍蟑V�赟r���鐇鶜陝糪八X糁﹫��rZS勈:g��6��>��菁谤黿臌<蕐 藲甐��摍?M4辎{瓟蹆4��揝鍲旝.迀F��4�1┋wL鷱
q垫汧颚i�;蜸N�婉�)V*挩�=徬目釘旃E�M炥杲姫篑���$練慦q^b懡襑!��{C� '仙�%��奟�}K灄绻詴鵗?&�.��W頭�R┴轻�扅M8欚&|桵宍捅顖臉J莅J��觻窖糱��=]竜c;�(kO}6z�+i睥}��+焇 S.梮Il友粹�emf�昌�<-�7揉*N�m谊桄(�;N鰗―饸�鲛熅\歒h!?��w�"哌U7���檃秛譢卶醹蹲撄yCg��週橧柄V���
脈���,w順赹u�,跇候{G鴨桖ⅰ竿缑��/��� ��2xn+�/7;瘔�=z�亰���妥僺V]婀�1QVVB4蘸歙拀Zj~島傻QI鍠}=�'�� �1�?�;謢疦麦�7搏乔��熣w哅N砲圮�#勲鶿��呣$猋�縔C�飛WQ级嶢坚�M泸銄骓�菹臰-�祖啨�仪E�/礶�4���=ξ鬸磴��毞�N3綯入逤
��7鐬嘑殐F.�8c�=澤瞴%睃腮搛鰎稯[j:ZtD末�2G�=�鬧椊p靻謀釵/ 1抽澥#鉍曰���-┘颹�!恣v圏^���
泜S言�$
��__�$t�委U�8��湊xlqvB甆嶁=��Y篁+眜T�"鱤悴枂��f
閙擢W~��桗al竉繩=x帿矤��mYS秋C<琐庆駳�(炔f┕柖願潜��镦抠1n騆W涤�'��蕛敷饴髜阇擳�嵆+$�E7l"$?汚馮}S楠穠愈劬wy%d鍾螵
溭
媯��顫}�5絘|Y&I�2u�?u灂�
菛~U 涷e伐璵K忙S呟睇芪臰^骾珛i櫕-�7椋描谟驤k駢濋K確��_蔣蹡濬Q{h}9呾0槵���離d璸今g詸C曾閖+B�'頺潱琹筢蹜鯳!Y綝�鷦d8?蹝fq筂>袄贬辞谕偾闯髄毬%词贬�.滜触皑蚕瀱��逡椄�:6驰檄雌�4綫冲虫銮���鴓础��灔/徣貺栠蝉婄璨�礒>��=洣#鉉��#蝉鴏辩笆楝嵑����罢�3栜搲<]搭�O壃ヅ�#煆禣祿X>=����+剁幭爹鸺眆险芞��尘粍�嶆�倃�&铁触)岒窜驳摆辞铲�1騻湂��'袄鲍笔飞族眖畨绗鲻絯丑><蓾���Y�4z\}伯"絷╈嚝藻Z匫鍥]�罪X涳葲�,b襤梒'戢rO�堪a蟳)W銋�跭沷峣壔昗睵cK~j澺G�)q鬓隬T茴z響+�x]朱赎F\錱3枕薈潽���,楨
快2�1骿応澲��>芛尢�>】滸篻锱I跜4�酹^漌&蟠鮚皖驂鋉8翊~U�0頡���鹢虻鍧g霔�s灇飉�7頯�1钗桬Ⅴ��塝桋$敫
5閉忔茷���圤诖>鲢��闝农棍u4(�Y��]��鲝?6W��d敧梞 �#燪o�<祥3��O��;再d鈰器N_.矾禶yOvQ`�c掙�膍J-!籌儇吉萖忭�鳔駍悸9����-�6��溈-"by餤P鸹�$镵h抭驰Ib普��:湬簪u跗慑甹鵴%.庋嵀�鱬�b矈嫩�欵x>鶷ヮ柌�,箃6杜C'ょ��--��m遨f�諈�夏筲r��动赢Of关杦⑤+
xI*?鸶�呛鶾��.嘊摛q
k饵T谚惄�LY��~� �[_��)Oz纵<抽シ�.vf^I1輄��夘S%Z3n]谳%(鲛羱��醐勻�r⿵漨�_穷縮�9R~u���_
棆n�o��*d$u萁�:挺狢�g摆ㄏSdr6EM隦驨�隁6洑Rr噢l^�僮]K7�95疎��
0)齔钲瘌孜�,H釠4?恗辔/�+祂蕧硸7朁蓺?組
泛nx�2缥鵣a�/S妎d嗩T�=�R槖=Q菬黕拮(8Zg陫K觙躒数jw┿黅升kEf����㈧L檂S袷鈆撺m�*��<�睨餠u&籴纡Fs冿�m+�E鮁鵀;冁陂(p(蕒;遟颳晓��鹔g寬?��鰷临覅/労|蕻)H簎蛎ㄩ'葀��'箢9�/x鑁区��郝T#锘��銂氝椡xc)L\�&?1﨏埔尪&Oh梍袡I^�;e哉��鮏([�泱2^�O∕x栶亥虀[*!鵊苈竦�繜S択�?栲勻���<曛朒绩�%+�榐舂"瞩t砓Y梓��暩ゐ€婈��鏕��殍=r韢 莚v灡染�碥铆�3Z鯬w� 溹b� s�!s /-�鞇^屆A�ps����'BG�齱�011f�1蟕�5?3�t鎳還軀皗4'J7>枸8饍$喂�����Xu@�驽�鉟€�)湱��亣S,^@}F$"`�啶岆��畣��0m��?€tq欋D皦驁3� 螤陘�蘇�恿長 !���鈽Dy����BC桞��C酙洏���W����BU�|�穠亻繺hG`V佱���CWtX
悡D€協8鵋�0�+��,翽x"-^�&�rr闵薡���.坬�����:2}謺�藚鍊�%�x�儏宂_豶`Z
�'H�$d猏x��秔<�燶肂B`猚醾鼆z��5�檦5���幠謏�躉剃8x炄迗&]��9'瀮�-�c��zZ矆b劔酗瀭鯾��猿觿��& t丁疩
乂�4蠥��{#(a腍��螦��cn姞錗��:0�衽��屉AU\�O� ��"�8Ai宖��灆:x剖,糋��3��e�$qh��攏�*@be︖!膼������獕浅j*x�H敃� 踤��侜厂吚��婣竽���:6O擴鼢��€2t軦 l;�頿[@帉k袪 炐敺咯��E�桎�X喳�鹁�歍� �冢�f��4X炶迗�萌i��y契闝�I�M%絧��#被X�ㄖ3T缥挦���?������)@f
愲秣繠€譎�4�����=yV咸�'X飕Y?�4璯�[Z秠b*窝��q幸p8d�(芒�"P�������Uo鸎搮��O靶YC�$=Z銖$<槞�6RX潄��!�戫$矴f��-�z���@<� 潯ア塄bA厾{€禉蓧輗€!鑧愒燞戽淽������嵀�'邊渘@㧏�'��輵��惏iahr�aY'ō鋚0�
�'XN��豼��'J:�H蘾2E髎P湕�揿♂軪{�><��A!舵椿XO漢轑e�>3�>T巵贷/Q験y娩 z2z)�4X"�tp)�Hr6n瀊黗Y襏€�7J�!��沞�4V��ⅲg�酎_�4鍐��'艷�"眘�w掩��O皁刟b
萡~t5��@f湲y 榝蒬Jk�喞揳X��X﹥]/�`�O��鷐囫谢5&7Ng� ����(孎�艙������ 鉧������'j�繦�.滈&ai夐嚗"S
�_蝪rr駡�"1z蟺�>�''灛�懎�葴��k槼iL瀈Ln�'资嚾�[3,�#,O��囎}�$槪�!+吺1l埼T�鞃牎�0
�'癪h襘/C揰>丑笔腍�尝���麙驰侺鮻�<��间'盓qq鯊'i雊���2鉆召⺶P<乮��
f宼汛.�V���E0y釯pe 7k倞��6意L土nc€�R�?c滯G&�ㄇ綿4c`兣�
餯�g�犼迟厂�奥辞眏�62<緮�
� t罼`�裁��&���礋'��盀`马朧 8馜絜C牑_�,
0P��� �歎�8a撴tc狸.,坋��OFA=7�2�'�,栀�m嘄��V醝6藟'���
t痛x╙%a蹻z必s榴�8苼K��溷TR\Wㄑd繹t$O男櫘:h2焯�*<
2G烉�?<�L7�虨5~��-呫-攎臬 B$扒fX��
� 鋩嘍銐��鯼�^�!_�<���佁��<}&p��6恆艪濋�)P�4�ろ信��碱�娙�(�'���>馜��致�*<4&渎�蟚9*�'�/J傖���玱i湊G���v呮蓗���#
睩氚Ht�,瘈R��`��鄚i<赁�5(勵罽媟鍓�满d嶢�渉2 ��'麓栀!騭hEE�]5�)r�7��蔡 刲J��aWw��炄�'$�K�祯��T�孓�1h怦測耓(:�毰0��
���f蕠�6�0V簦x瞜�����!哏�+��氟N譟��湒�"l樍蘒����Z`�102*7灗䴘莨鈶�"l3遽'掕錊鸒剤�,�┞脄*Fs蠱@€���蚗�w��勻及恍;X鋪Uo棼廻篅玤�+������
3$!N祼�來鈒熰����0��~��.2逵wEAOm��欮棵櫠�
z�廢2\早��滊裋���X�?~G`\�-.骋虫�/佱�6产�#<嚄鲤J�毕邎'窜泇�q�4��2柾�揁1歳C{U薖€硦滍��儢&齹g偖 �����'�[��m�径��镁F
�&傦��诎
�/M*��H"寎ㄈ爃蘠�%�B倶�,胳桝頴亇��棍� �r����%s崕� 糄貭�k�8P荺\熉L����/吹 �:兙/
��XP�#垐繦�c�
g聯诫姪�B2��O纅y�S�S�t嗭豣!��,恗F0!悡Y矩景mc��hI���翐�7揇�)麷<两Q坥ms[悋��0�厓鮵��;骤�'�6="qp鐗趚���P.<箎3 茯�+<��?`f呣e內�8岁��d岚�0o�碏歩!圱港'ks�,� �4��>轨Fヅ�对�
O42v藞�#�訖������轋串�,�5�(��W���忰雲�棱壾
��D緽���灗螁�=茤K��L僢� ⒑C磐n����,��阚+葎��a鷅t-萷��撶€8���'P3犇Y埿枊R�$���K��鏯6D���dB躼ⅤG匹_1y傟a�E麺廮鄩偲闐0趛岕�U��9逆�p寔!
颌飺E掴苨PB�<1��dR���>d�坷�Ud�紾��4��^パ
蔑�B�巉嗜敻馜'墝K筷G48�a鮺磕�eQ瑥�M!4
謆鄕�緡�M�v�%����H勚F ���O攣�C雺】$ ≯'狪c陰卩挖��paE励����>鹣壭q壁V犐〉�课�*@QT潱�'�2怷��9萩}�闣�;盛樄�+���墤[�3飿B賕����
�茴萵ZY�,讧�★襼�'�9G
I殇懒�{p蘎
R�L�坷�て��伒悵:瀼觃坋倖觍����涇C晭跆?h��赶7�=���綃a��C6���x��瑐gZ�t�r}GY�寝�薇繰�;Y��Я鷬
X��1Qn竸!馾詀�R��詭U楔馁�C� f抅=�
��
vB�.��鸈0��4�X麃!��:3,�/`��濦�C��M���#q蹲Py俥��+狕}v"淺�6赜[4餭Bl浢枂E�籙沛夅� ��3眜€|囀�eQ���q疮鯾�Lm繤嬃�1?�挵匒敬&缈��瑠麸�c*羓髥虛勗涊��擀��!/�<丵�+P��騞軫9h���9酊巃烪戃畼�
�>Q諠Q7��
>�8�翱皝诲颈�/迟��碍炩��,(媌廰�焳&翱缚罢�办闯鐲�隈诲弻�迈⒊�哾幂������镑�5絈�祭�'调$��騞鮂颁╋屩���恅��锄测��<�_{卟c伙v麝罱;�38�3���)岡Ip�:淫K�x�膶梎��< o胹��`钱rU}煗d璽镛繚%u莙旌|�*_�8瓆�-櫶蒺|n凍n44|K瞶G�藿垴s瀦繪��IFVG义X泴鎾�'�'���<�s枝�7阽�-�雷2�?煬���#I送婰z稊去}�:�
��e���3���躖隕n庞軛�唾| :ni蚡~�佒#蛁9鳾�-Q熏幱O'g>w#濹�6?
�%瓧母�O輅:羟
�8l/17+潈€�峞��R7��蟉�彍l�阺7鈏黣τ��3е斤仹<���� a€K�>y]g雓yy��,窱�氣=晬鯵缽1=�d懖���4�ir蜫��秽)�坌j簻��e醤lq杋6讦�<︱�郗蠣��?f"韄箣�\��詡uW玞沽岬AC窘伋兛��_鐅廜��麪T叆A7働
�恠L�乥睹�����
蕭殲��B括k7�箮���憂'd媆�匽饠�妻炾]€��9髂�2撀拝岆Oe�!|惤2讑兡著�缧盆泖i趭錸xVS寏饅~;嘚Zn����櫄瘴滾,晇繂V��括棅!m癘簷墅�#V躒�7銠��6卫囩摠揍�粨�%��IBT逨ゝ筲�. �s腩轴[TM�僃�=恅烮�ssf瞣B\乬ZK�梦榻�黤}劭孲烖8?���?.i麓�ㄉ3灝 m轥S鎵滒谲�%弪�D賨<琨q鶠埽 qb�鸋糣�/\n=���;�鴧朂�仰馏��$�5X靸玑钜诨�)+滲�7>顏绀+窨1怳�=�$儱����饎9靜�fR黤<_唢宔铸V<鄞鴚G茶�瀗Z|鄼���蠗黢GAO|鹸鷒锋u咑�/�鼮�1x惨G����濳�m粇喙
��濳�m粇喙
��濳�m粇喙
��濳�m粇喙
��濳�m粇喙
��濳�m粇喙
��濳�m粇喙
��濳�m粇喙
��濳�m粇喙
覠夌��€%�>鹺䴕缼彸
饘�A惂擝﨎多�&糬螐��堬啁鹮䥺e靽��
鵜_髶酋MVNJv栯^_^|涨穧駣聪t4D縵���瀀譯銫炯娦�.|`S�铟黟2mzl7>#��|楓_Dp牤碐'�農(�7匃顷�9]�耓彑僩@"嫥���}"�蝻p�*7���%n�脹��>忱�'M錿('焸'y噢怡�逽7棖馄
丰蒬J疢��+bF牅x�6/碌���検秝鄠�7酙酟;縶�垄埇�.烋m瑛峅�ㄗ淀�96"E�$
�娼p蓣�_�O樨洁b煁p稐泇��;?/]=��倜艧j燅U�*[舠�湶宮b<�2�v�;殉q瘓g��丅%壋��>J&&欲��扌态�"� {羑��cA谔鲻<旴蚩<⒖�濨W巙���堻�x緹���3炑颺t�:壀蟊���嚙糝�}��莱頰4k�鱓獈潯Vび匎齃7��e鐤I�\�碅7��y:@怇",B鶡���瘆��B飒t�侓�9�羱��嘖
P����穜��袄乬0杏�9尘/:测偤澺惫<=※瑲bh燃K��鍟�鑭翱�n骾瀜毕�AM�M娪排�-虚徻u洩|儊��-�+X-kN��<硰3迴�挧S�硠O镭�#飶悢�薻K咾?���y粥墴Z�搽6��O3�貈м騕䲣�>缬[螳︻�7彈8h厂餕�/��7范��8娇_L鑕x綥枌�%"挒_薍Bz�-x猌槇p堳s���af忦�E蕑l麱�^鎫窎u艠?皿�#柑X�铏鈝钃紙驉C*�/岤�**;D8:x芛x鎉奆�N*搜�eK 薘��卉5彞x艷�3]�蓃��塡搁虫镑�+尘烟晍#罢骥驹妉旄�翱痴鲖��,蝉蚶笃惫9鸺�繮3谤汩佺�嗞�����翱��仹碐蠌纪牦鵐稟篂�L睐<鷋瞩淇vM剀l簗���7鱅儣g|遵k鉸搕焱狱\咫髐悀忹�$Z欲u磏R靏T�飀H�%^�蜷狈�纊羸g〓瘆鶠楻x澉菛镢�=�遍隒铳}嚶榕�/14�均€#�w"�饮�.�>闭梏/'痥�闭�:搁顿��鱤尝��絖驳霗馃�����!5调骋��苍W6辕闯縝斡测奾�9�央M嗃裀什1摊��赛��裀誱︖摆��井耻.栺鑶蔼驳�,颈拂蚕脸;弈�>'辞�:躠齿槌/.辞眍祹驳?<
�� 懸蓗睏�0]��+X蚈��頎��嬄秐�閡#��H�亜莴>
屲维ㄞ��1央�2�7丑�+燁肠亣把椨濒松4翱础��湈�4�眻奾躃讴雕澌苍�4�摆�?<ê葜鈊伦倡嘔�鰪唤l=杨帨��/9孩麃6櫡��贋揫�槻S诪��魒纂V���駜�FЛ甥积埳﹄ň[���骯毕蘄wq.痚兹积|4fb7囷H?衺�爖SH,€nE.�>��E�0弐鈼2硥/蘦h彣[煟�!U��
鼍9鰩樐烉晸*餌)�l3n���卛��'�� ��F(麽�6嗈]4;橶0觓<ヽn]�*C�P踳h▕�Q�=憳碩M��@聆��h杛桊�
��jX鬚N�檄钗錾W觍�> 忁^l|▍��灪{A
�1滴纘朦1Z溎�&��)W齖�宸���I茟�3w��凞�筪0iI跇�.L� 譜€陵��<榄��嚘�+茅y1B詖0譏霍+(&a赯櫠�a�#J驂�5Z[S=4荬��
s�顬錄�05)X�閕锞0"@�1>$�>b`:簠c�态�i_@��F頝�"鴆#馆軾��漣6惲"U憧%5\u服@柯觰:鈕断a�茼€Ya笊��-夨)��聾(淀魹z�8媡"}���;漵v;`觐.0c@B歹禩�"晶���3�1����艠籟�&x鬯�*0���樊鉐��b�!€j[j�F炲=
�3����0鍹X筆w���
t�瀀陂dF�试'纳�1�衒�AOOg��|v眖0�#!╃鹪E�^nE隸D闾2�腦<4苽棭霯��`攲8膄6臻釞){f旃�O"�=颌VO窑!€�z-曊i����9 #B忆'牮﹂�Q腩I泰]��5�觐��託4X�雎6�{y闐咥NB���姑��rD�牮□6���i覢喏櫙����M颞��螕��#�倖F��3w忎埦tUy奲ン9td�訌�X/�0鏽�k誽U傏O銸8癴 �蠣��檧N趂囝B鄏�伇`噜*戍�謐Cx2��釋%L�
1Li/d.F���#夃家昺塂哅睸�肻�i}��銜獵(EEX�#�(b�瓟滶f,髲暵�8�.(:U�
庋b珐鼒>郔�敞仇烣A�PI�w�9�+�gy崘#CPp簚Ya,��'F:��@唐忚c�`�d絃釰�,焹骊苔�)
鈎�� ;�6暂�3c��慟+?�巟N�=帧绍���N�5啒��拔軸� ��T���%�=F噜�vR�W`蕋�7膺富[醪労o垔K氠;uw7�谊10竫�
Zy�塬�$&吿H��'a'rz珙n�/蚲�1* $z<冋e绍X]獵尨漋�埙W粪墧 x,媕A"夏=纕�nk���粩�+]�膴�逳�7��I�蘸<��[90麢�9鉤�M�hg锤�#(��iw��%U樐pкZ��LdδHO�5�%5L柡;�-Δ�=�C�&軭菰�Q�b模瓂 摂c�d6獋釅^AI馤�%
M覊惺诟牭PJG贻@卫d陹榀�災t�
�暀F<崑5灸餉鄋�褎t"瑉�總鐼6>貙滠尝裈屏��缚奷袄��叠逡�翱:赌"��8耻3�*惭弖�洨赌钻罢驳产�膇蜏���=�缚腩零诛办�滦&�宜�,��$2戁筒础踇髞掸譎贰<伌�1陬芞檈寳�>��.蚃Y�D�2���3悖牬k� ��#U��縡腄ZJ�HGD;钡�6棩xF疋鶄6肷�����鉏
��#�de���.釟[��0<_HGh�!�Ml�j瘩�1炈膖燩0t���選膳Gb交冂t廇���� �����樘�;杤﨨珉枮沓�桖�� G~a龣v�QU骘碽�7橹Nh��栩�阅�%<棃
軡宊
��葘T��篳�趷VT鄏s闕'�[--wN潰歮籶癴o熪銔��僤��潟�0�03棂旍�瞎A@_E�$垇b欲: 蚜鉏�E,��洐l贉n腝s+V瑮蟧懦訽��唀薈P鉞藊⑥VW3�1 �爫51|S羊愻峹昼�枌�=$�0�殿��?菋"搧€%俩MO8 Nz4r崤[鞸謰镻LE� ��苪琠-�'�[W����G爁�
����l迥�&缇鑀S�葒唖璼y�?槧}砏Sz悦��榶扺oZ€繤�帵掵渽隧E'卻����漌庳鰥鏋 o镹眤��碮4稉�狿��儛琢沉I���iA^ǎ琍i��d,����hk��L�GC鉓�
蚜戙i崮I� 伣买��圽揳:悗��Zs&帏Qx:8准艒=意�敼"YZC髙樝��&+Dnc€{讧噑M5痈��穥P疃�镱��悠勿�����@!��姿値€椱`
痌�'贁}E�"�5�'�+~眫��>[��p�&謏����
槷�3�%}8~叚i�+⑼�A2
O禊糩��-€��- 撡�:黛迃皓喱0兄k
�4�7dT�����6啦,p扦侬�=�4�&&榦(Q���蚮锞胁乥�竣�樚塍J�⒂�;�U��/�/乮/噘芦嚽���&4瞆r�6杅I兇搿ZU哺�s���z甞6篧嶮�&B宪Z-{gt�#+�}#?l;�襝惦汐G癡笪��A��J貝q~[儳����虅�H碢�2�"∈mд�(���€��@1V��y-�2刘�6興N€D� �1
�. 厤Y�3�$換徫饷扝籟=E灧鉟��#_'�E1蚬� ���30刟閤憛橡觥XL�Zc�餹�崜Q���厵蟬h�n`螮n艺�
I刽3AQrャ:畄AT峂0杍xb_����'驂V#鵍8葶~b�67豳 焌���4L�s潒~���未渮?iCbbU碏淎%,彝A��睔悝�0鲅玚�� 鑓�7趃€3�
圷"~>镑身�<会s轷V1C垝:贳�>�籰&愘�誇襄�n��太Ic����剜奆V瑾槀� W愝T皚赙� 伇 �$ b#癆缾�銯姓�8c�85貸篦���{謨橨轥焵��Y\:��"kl�5rZ/鄭祎u揵�0塋�)v{:���$B6|��O緾娷?�O槇%9��濦饥��p-硉�5赻�凁椐H许��ST�璭Z孰bC娍�熄犉黗�af╇磻莛��<翇涙)e窧罚��襔�潋$S9薃珣D恰mx蔫毟5_!D籝 w穌�0�焠脑飷`.獫*萿-瀘S狪~N濓d賦�莽叩a婜埇`筳5{嵘}��>%��鈑O@畹�q阢A覷笵�榟滛u�=v⊕Jz崖┛X蟴}
矜��_斺R&冉TA疧�媝nFL�&鮲BTB;U愲�<;�3�獙T�賿棺V汽��O觼B樤g�"{U�沗粆�嘣�血�V饘A豏鉻Th����贅�!j��埥��脰V����溭���鳐N嶅咎j<阈補橭禅�.
n�6楱栎Yb藫>簧础��碍蝉肠永煁驳寍惭罢滨��苍笔惭辫��间厂<
����瀟�/矃%Z覴�3軣婄妈3薽╗�葓f裵3A�瀷袢膚aZ巶╣缢t袭貅呇gV_V��oDG�罟狚墵��痐�彊�唋薳N{s�迄x�>��灊�>H_�'X\柪�ζ6簎�6F�門盕鑦SO酸�$� 2"O過?�O��M鹪�璄侫lO1���4輮od{α�!z� MK2�>�QI菮�;羶�.€Z5娲�榖3靸'k
�∵'墫W��络Db� 犙璾�&�)83D�雃5A+�f��青e>齿�8肠���狍叠镑&6��贵办�穄饎诸拦)$3�0颙<1|�7M[�奻〒��Ye��q螆O惍�'緸��m使�O�烮W癆鉔h1"ePU��9���&鏀��"抅u��O�81荓16����[�%翐輴�*K����=掛L<梮舢_�' 焞镲6吳%z�'��1棬.Uz涸|�*�5哨�袪幤当蘞�s7�购蘄瞌K��汧�嫼娓�螲裀犐]��
O�n唱▓<�B�� x茷阥<��(�&s螻�*<1R�(`v{���8Q�#4鶭R. 潼圧H���g1��=�e���b镋�2磜裂綷娧N@#仕%晝&p楢H�,欮R奫2��eu^��蒂ktk� E伤�
�竻$���F�WQ錐�説9缊�bY;�z
��—:▼鶴4�6��� 炧�+��bQ犨=�健貧k)u
� 曹kG_�%�磇憀��姖€`�蠋鲹v��篻粚汙lQsp�懃鞼蹐����A���!;W��敦,旘����w3��亩埋4殮�3q�W頺�0冱=Hp#��W吼釁�
�459�9�莽倖�Tm(宱d� 遄�'�#�礎雾€傌}�錔7|2o擃�焌�r�仛�偔�3碞���葪��P�[造�a敥釗L+舽?�O星狨奱荾O{u���]�麦5岠�>��T��7f�F�>k�林賕€'�>b硢���
b嫐�#艸婴�[e�>娄輘亁ρ茠没�����/濒��$捬驳蹿绎虫���&<#1o}i.�[��樝d���mpe;灒餓迧��i5灥��妒邍x鎲��GDo����`?_吗)+�骵椟婋r觑�倧胹秥槍 炴咀��p}3��>%B未�6閻"l�%鈪祒�*9�祭燯Z�聲)g"擰/s3� O汻f�颃��a�粎W夒��,�;説刧iw�PQl夒W霢l*ι勷��j��駭跟ix
�5�?|V虁伾瓁.凮�.G�#噘�n��d���谎>�!8�X@蜳鰽葐9 霭4粦盥'塦諂=l啤鼌��s焟闕禀w漷釗�f易c乞AlV蠕伬>|麈值口�8��溹飣<���$�'��{[樷K���:鵞駝�!|��^醠�襫掛€问旘繦.t�)�=<訔刽���A碱I��[衮勭櫸`h1�"灞Z)����╓蕛`7岍鱙2OB:蕼硝��G"�"�碔���孰Z�(�秺鏚{ly��$嫞�橻�4逓x��2%@�<F-Q�臇�℉兪p���"��酹焵�,ㄈ"Jt幈kh:惟4饅3kAsf��'尫&(嶯��R壈R3陠x��"鍗瓵�v
嚏晡跾�5o+鋳��,耸赍蜚|>?_阰���棤埛'S�$(d拧P衋t炖:��娜墁6�4�{畤m疽銍�J�烫杶�O斆涳�%P坦f��乱囥�:j;�y[�雚jK���6Z5�:泐jGe2�犪R寫w�2Q譈$槙�4Pq/刏~6挽3確)��需K��@�锐�缧0�FW好O"~'��競7d莢0旱$劣�剸�癄���瞢Dk覮缀S,庑.婈��羘���0xC晀漼赈�6�&怮劍s��RbU�'Pv�&\-�u潁慢K��.kaN.�d謐=/勨�"繑馮%w酝�2.邃N:�*伙�je鱥��[瑓Tぱ汸獼J薣}蔀#烬蜇E�%丑毾UTN8�妾熃�6�7椇�(�26�6sJ���>U_�A��U.wn��$�,nR=�!k洋=0#TB 玘K坐H釋n襧��+r�2&嵆:Q��2M�(�h��鍏`�
T2i)EY7sHM����4Y�(�>_~夿h�9��7碎舜��S孭ン(�6 碚|�為�1��
N��塿M橝j��E熕逤C�2d嚍�=��;��m枏f櫝�����㈡瞴扙诔9{鴉g鎣���螄I鋿#蔕,�亯愳�/$VEo後搮�`淁嚫�"i"�@ yN?渭�"h!4#�.h�
��JOq�
�5�U瘹€鹕鉺汇@傾j{�2��瘰I6L踽<漘{�帟恺yZ峠��z�孩=�
�赊橳r���~7j���
澇�(�I葱HO睕靤猈!95潩Z�:牎~\诵懅�3簜鐩螠?揚L唃M糔j�g2巫SX犴愘悕�_/��V鲷溻敷�[]��鬶脌犗p��讶韩.�併鴲}忟R�^ 仾0�.椛摈'°c遇(�'愋�����侠0荪�陼/�#�,摨O+煉Xd�
D�,茿趶�i_し*+矵-6 +嗴儵`a��茓� 宪l6&5X甆饱^�88篽g謪M����F镔:煜*����鼖逩爉l�%A馺衹
+礬;i�>镻葰�,棫攝���侚铲�K鯥叢ts{限箂��Gm+両蹡��暵JH烙抬蒬�;D⒏€绮欎慙Y�2鱑璣爪)�^鹸f;�*�-P潋�2[o靦赻彁屟c O樝E�J{斃2�鮧睖膈綴�"h嗰>�鰤�賄{澝E某�%僘�`苍c躎j煒U�N嶗渳憧z�3灥訾az~矗焂浩BnVG<汳撠��庱\6蟁_#衰3��倦2�W�``U��斡C傟屐��钓錣--赓F�
{醝;|堢
蟋鮱輑j酕祷%駡c�Q�嶮s:|}斝鴼�R语�2教o�9珝x6�&嘭lWtl�%��阻R���靕麽=�PJ3t請聶��T祧���@|�5s砒6聯�P�%Q[H�>錙0��壆=>=溸菑崵y桢嚫琲\��,��T� ERW摵R凩�Q��炓��av�媤R即嶢勝鐦�k����卻钰�O�>DI�漷G�'!(貔|-€*x�%鰒z昳9AGJe�l�濻蠵��犢陹�&偖閈�O�
颼7劽�dq8K(pNT`� @�E(忪?>Y ii L濦E�-�#�?�Q緪Rg韍a�����'�#繙5摵�蟖燏鶊騺�埀竁����2�'��击狳垬#d)Ih坠({洙删{娒)垚н��)�(�j2x念h?<1��羄抗羊��:�$@毜n;ǐ��瀈�2�b��蚽鮳迪��k汏]氊辋�'喃Y埗�B" � 輤� �<儿X觘�'���RM6<﹎訰痬z躕餅��T丽p=�P吁g氝��酙"0*M鎈嶙gi檩q��)滙c壍学機)骳rB霐�>侉X圠��穦褸"��JO飶�8(錺Z潐�5��擕|��=o�骽/2�$|
�~�� 湓�$W1脲鶅0%螠�;鸆ir�j.雿X���!�1 捔��(j裆/fL楏洭]��X曓j鱳]��璭@L�?Y>$�'��S�' ORt�V較�-椶�鯝桖cxR嵦拮��呧D�仺�
炣鉐裹R塾�;�$吁��弋愅Y�驡3R毸��奄�#�O��'�樒颐s"C���LL�:I�:
�{�$й�┨€蘃)際F簌鲳驈?鐍吇'V�/@��+n}�讯vp� �S|籵YU-1I粰c皔�>��擳L愖f&亅9gR�欇饀4]-九TI锯
葞\>泆5vK�.サ�'g魏鱔讍^CkN2O2€阝0�0錜覄Z篐9棡豄1� M�8颋J��婩嬵巓R㎎惫╘,s�ō���鞁謢@用砶夹虻o�嬀害$�I怸霶�帆'』�8�該滵�~唇�(嶭涆�|�紤
��腆a��D筮��P�>3�犖闱疦苍健�虫倝搱0帪�蔼��散颈��%綬墈颁遭��4�~��!9�乡錗��EL觱t]P#輢��+抴蛫W喽x殶谰\纫趓�阕!(�犜r7����z��W铺$鹊k軏��,@黑��砂�$TH€虔�0�龓#?晒@���嗇�-蟴|彺瓯��€騰 €�?驅棼�1耼��B泽そ�1,�.7繺y袯閯佤e K2
皞+塮D輳�
cT/e>硴�$悟�办&��丑蚵喵穝摆摆叠测齿闻飞��廧熋噫笔�<8鼕i�*@猾��痑�n熘做�P�4��縝衂�.Y鑢W豥�~��踙蒖偯娱"S豋V#抓�40姁髭蹧�竲fF铩�*~t�9s翷i1��R4y跾?��0蓥WU餋�,芺�V牒�)��1T�柛\鵷
婑�9C��啙��掌�祣��H库n迬鹣?�<珺�l[氇�/�z騣R��N?鐌� 牿S��鍞 n恢U�&€�+贜恡驄€Y�午w淌V�盒钳��TT)0�����Z�&R
甖篬鹃�>劸|蔾Q埤z逼盂9煦G粫艡1�8z
霿喰藯飥俕耵�!韤"+�p鉯.轿迕歈涑黀�)� ���(�
�iO唧鶄#衁鑫c(��∑mt�/凹溈�*���#搙K:`橭�o�uC�+~k�#爹
椿O��`��斵D��+t_1�<,��鵾つ
鈓幼鳑_q"\H�琇�2煙跌羲聽藿睃a瘜2\��瓞腛���5[4胁F澽糩
;^ 跈霏錇逓�=��I�
糸P侮~e�<鱁`_j噠�x顙谰訬�$-捂鐗�_]:﨧鷽疫唼屣��錤:=錵會駽��徇�藈hl�栁3澕閟/礚:�/��/笙縗��?�>梩?��9��襙:者咯肠戍骋Э�殠柧葠n耻�7浳锄赭嫌冲竹冲⺮:斘耻厂��暱桛�)�9玺':蹿测﨣鷵�?<濶�3�*?扆_滯穌ャL碁鄞)b���,鬟た)齟癸�hm搊琬U�)����3��������A���@�@���
�������� ��v��SC-7�Control
ID�AC-14�CM-2�CM-3�CM-4�CM-5�CM-6�CM-7�MP-7�SA-8�SA-10�SA-11�SC-5�SI-9�SI-10�SI-11�SI-12�NIST Control�Test Module�Tester:�Date: Location:�IRS Safeguard SCSEM Legend(Identification number of SCSEM test case�NIST ID'NIST 800-53/PUB 1075 Control Identifier�Objective of test procedure.6Detailed test procedures to follow for test execution.�Expected ResultsLThe expected outcome of the test step execution that would result in a Pass._The actual outcome of the test step execution, i.e., the actual configuration setting observed.�Comments / Supporting Evidence�Reviewer to include any supporting evidence to confirm if the test case passed., failed on not applicable As evidence, provide the following information for the following assessment methods:
1. Interview - Name and title of the person providing informati���Test Case Tab: Execute the test cases and document the results to complete the IRS Safeguard Computer Security review. Reviewer is required to complete the following columns: Actual Results, Comments/Supporting Evidence. Please find more details of ea���Comments/Supporting Evidence�Version�Release Date�Summary of Changes�Name
First Release�Booz Allen Hamilton�Pass / Fail / N/A
First M. Last�month d, yyyy - month d, yyyy�City, ST�Agency POC(s): �Name:�Telephone #
Email Address�(###) ###-#### x#####�First.M.Last@xx.xxxMReviewer to indicate if the test case passed, failed, or is not applicable. �Percent (%)�Status�Pass�Fail�Info�Not Applicable�Blank (Not Reviewed)�Total Tests Performed�Test Objective
Test Steps�Actual Results�Test ID�DIRECTIONS FOR SCSEM USE�Pass / Fail / N/A / Info�AC-22�CM-9�IR-8�SC-28�SC-32�SI-7�AC-21�AU-13�AU-14�SA-12�SA-13�SA-14�SC-25�SC-26�SC-27�SC-29�SC-30�SC-31�SC-33�SC-34�SC-16�SI-13�PM-1�PM-2�PM-3�PM-4�PM-5�PM-6�PM-7�PM-8�PM-9�PM-10�PM-11
# of Tests�-�Total # Tests Available�Out-of-Scope Reason�RA-1 Control covered in the MOT SCSEM�RA-2�RA-3�RA-5�PL-1�PL-2�PL-4�PL-5,Control not selected in IRS Publication 1075�PL-6�SA-1�SA-2�SA-3�SA-4�SA-5�SA-6�SA-7�SA-9�CA-1�CA-2�CA-3�CA-5�CA-6�CA-7�PS-1�PS-2�PS-3�PS-4�PS-5�PS-6�PS-7�PS-8�CP-1�CP-2�CP-3�CP-4�CP-6�CP-7�CP-8�CP-9�CP-10�CM-1�CM-8�MA-1�MA-2�MA-3�MA-4�MA-5�MP-1�Control covered in the SDSEM�MP-2�MP-3�MP-4�MP-5�MP-6�PE-1�PE-2�PE-3�PE-4�PE-5�PE-6�PE-7�PE-8�PE-9�PE-10�PE-11�PE-12�PE-13�PE-14�PE-15�PE-16�PE-17�PE-18�SI-1�SI-4�SI-5�SI-8�IR-1�IR-2�IR-3�IR-4�IR-5�IR-6�IR-7�AT-1�AT-2�AT-3�AT-4�IA-1�AC-1�AC-18�AC-19�AC-20�AU-1�AU-7�AU-11�SC-1�SC-12�SC-15�SC-17�SC-18�SC-19�SC-20�SC-22�800-53 Test
Method�IA-8
ReferencesjNIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems, Revision 3�Test Case Reference#DESCRIPTION OF SYSTEM ROLE WITH FTInProvide a narrative description of this system's role with receiving, processing, storing or transmitting FTI.[�The dashboard is provided to automatically calculate test results from the Test Case tab.
The 'Info' status is provided for use by the reviewer during test execution to indicate more information is needed to complete the test. It is not an acceptable final test status, all test cases should be Pass, Fail or N/A at the conclusion of the review.,IRS Publication 1075, December 2010 Revision�IRS Internal Revenue Manual (IRM) 10.8.4, Information Technology (IT) Security, Relational Database Management Systems (RDBMS) Security Configurations, August 1,2010RDISA Microsoft SQL Server 2000 Database Security Checklist, Version 8, Release 1.7RDISA Microsoft SQL Server 2005 Database Security Checklist, Version 8, Release 1.7ADISA Oracle 9 Database Security Checklist, Version 8, Release 1.7BDISA Oracle 10 Database Security Checklist, Version 8, Release 1.8BDISA Oracle 11 Database Security Checklist, Version 8, Release 1.8@DISA Generic Database Security Checklist, Version 8, Release 1.6,Oracle 9i on Windows SCSEM Results Dashboard-Oracle 10g on Windows SCSEM Results Dashboard)Oracle 9i on Unix SCSEM Results Dashboard*Oracle 10g on Unix SCSEM Results Dashboard'SQL Server 2000 SCSEM Results Dashboard'SQL Server 2005 SCSEM Results Dashboard"DB2 v8.1.7 SCSEM Results Dashboard810.8.4.5.3.2
10.8.4-2 B.13.5.2 1-2.
10.8.4-5 E.15.1 5-6.G10.8.4.5.3.5
10.8.4-2 B.13.2 1.
10.8.4-2 B.13.3 1.
10.8.4-5 E.15.2 1-2.S10.8.4.5.2.1 (1) c., d.
10.8.4-2 B.4.3 1. c., d.
10.8.4-2 B.15.8 2.
10.8.4-5 E.16.2;10.8.4.5.2.1 (1) c., d.
10.8.4-2 B.4.2 1.
10.8.4-5 E.16.3-4;10.8.4.5.2.1 (1) c., d.
10.8.4-2 B.4.2 1.
10.8.4-5 E.16.5-8610.8.4.5.2.1 (1) b.
10.8.4-2 B.4.4 3.
10.8.4-5 E.18 2.610.8.4.5.2.1 (1) b.
10.8.4-2 B.4.4 1.
10.8.4-5 E.18 3.610.8.4.5.2.1 (1) b.
10.8.4-2 B.4.4 2.
10.8.4-5 E.18 4.510.8.4.5.2.3 (1)
10.8.4-2 B.4.1 1-2.
10.8.4-5 E.19 1.310.8.4.5.2.3 (1)
10.8.4-2 B.4.4 4.
10.8.4-5 E.20 1.510.8.4.5.2.3 (1)
10.8.4-2 B.4.2 1.
10.8.4-5 E.21 1-3.510.8.4.5.2.3 (1)
10.8.4-2 B.4.3 1.
10.8.4-5 E.21 4-5.510.8.4.5.2.3 (1)
10.8.4-2 B.4.3 1.
10.8.4-5 E.21 7-8.910.8.4.5.2.1 (1) e.
10.8.4-2 B.4.3 1.
10.8.4-5 E.21 9-10.<�10.8.4.5.2.2 (1) e-f.
10.8.4-2 B.4.3 1.
10.8.4-5 E.21 11-12.;10.8.4-2 B.6.3.1 1.
10.8.4-2 B.6.3.4 1. a.
10.8.4-5 E.22 1.&10.8.4-2 B.6.3.7 1.
10.8.4-5 E.23 1-2.�10.8.4-2 B.6.3.8
10.8.4-5 E.24�10.8.4-2 B.6.3.5
10.8.4-5 E.25�10.8.4-2 B.6.4
10.8.4-5 E.26�10.8.4-2 B.7
10.8.4-5 E.27010.8.4.5.4.9 (3) b.
10.8.4-2 B.3.3
10.8.4-5 E.28�10.8.4-2 B.14 1.
10.8.4-5 E.29�10.8.4-2 B.10
10.8.4-5 E.31�10.8.4-2 B.14.2
10.8.4-5 E.32�10.8.4-2 B.9
10.8.4-5 E.33�10.8.4-2 B.12
10.8.4-5 E.34�Verify that all installed Oracle products are supported.
Each organization responsible for the management of a database shall ensure that unsupported DBMS software is removed or upgraded to a supported version prior to a vendor dropping support.�Verify that all installed Oracle products have up-to-date patch levels.
Each organization responsible for the management of a database shall ensure that the DBMS version has all appropriate patches applied. But Fix Patches should be applied as needed.[�Verify that login information is encrypted for old versions of Oracle database, i.e., that the initialization parameter DBLINK_ENCRYPT_LOGIN is set to TRUE.
The DBLINK_ENCRYPT_LOGIN parameter, when set to TRUE, prevents unencrypted passwords from being sent to remote servers. This parameter has been unsupported as of Version 9, Release 2 (9.2).�Verify that auditing is enabled, i.e., that the initialization parameter AUDIT_TRAIL is set to TRUE, OS, or DB.
The AUDIT_TRAIL parameter specifies where the Oracle database writes the audit trail information. The valid values are TRUE, OS, and DB. �Verify that resource limit enforcement is enabled, i.e., that the initialization parameter RESOURCE_LIMIT is set to true.
The RESOURCE_LIMIT parameter specifies whether or not enforcement of resource limits is enabled.�Verify that only server-based authentication is used, i.e., that the initialization parameter REMOTE_OS_AUTHENT is set to FALSE.
The parameter REMOTE_OS_AUTHENT, when set to TRUE, allows the authentication of remote clients by the host operating system.��Verify that client-based operating system roles are not used, i.e., that the initialization parameter REMOTE_OS_ROLES is set to FALSE.
The parameter REMOTE_OS_ROLES, when set to TRUE, allows the operating system roles to be used from remote clients. Roles on a DBMS shall be locally defined and shall implement specific business purposes defined by the Enterprise Life Cycle (ELC) documentation of the ELC project that uses the DBMS.L�Verify that role management is not performed by the operating system, i.e., that the initialization parameter OS_ROLES is set to FALSE.
The parameter OS_ROLES, when set to TRUE, allows operating system roles to be used. Role information must be stored, managed, and protected<� in the database rather than files external to the DBMS.x�Verify that distinct SELECT privileges shall be required of users executing UPDATE or DELETE functions, i.e., that the SQL92_SECURITY initialization parameter is set to TRUE.
The initialization parameter SQL92_SECURITY when set to TRUE, specifies that SELECT privileges are required during an UPDATE or DELETE function when a WHERE clause specifying column values is present.e�Verify that SYSTEM privileges are restricted such that access to objects in the dictionary and SYS schemas is restricted, i.e., that the O7_DICTIONARY_ACCESSIBILITY initialization parameter is set to FALSE.
The O7_DICTIONARY_ACCESSIBILITY parameter controls SYSTEM privileges. If the parameter is set to TRUE, access to objects in the YS schema is allowed.��Verify that multiple databases cannot use the same password file, i.e., that REMOTE_LOGIN_PASSWORDFILE is set to either EXCLUSIVE or NONE
The REMOTE_LOGIN_PASSWORDFILE initialization parameter specifies whether Oracle uses a password file and how many databases can use the password file. Setting the parameter to NONE signifies that Oracle should ignore any password file; EXCLUSIVE signifies that the password file can be used by only a single database.��On Oracle database version 9.2 and later, verify that actions made by the SYS, SYSDBA, and SYSOPER accounts are audited, i.e., that the AUDIT_SYS_OPERATIONS initialization parameter is set to TRUE.
The AUDIT_SYS_OPERATIONS initialization parameter introduced with Oracle version 9.2 enables auditing of actions performed by SYS, SYSDBA, or SYSOPER accounts. The audit records generated are stored in the OS audit file in the $ORACLE_HOME/rdbms/admin directory.&�Verify that database links are required to be defined with the same name as the database to which they connect, i.e., that the GLOBAL_NAMES initialization parameter is set to TRUE.
This setting prevents inadvertent connections to the wrong database and simplifies management of database links.�Verify that the internal Oracle DBMS parameter _TRACE_FILES_PUBLIC is set to FALSE.
Setting _TRACE_FILES_PUBLIC to TRUE allows all database accounts access to trace files.e�Verify that the number of roles that may be active for any database session is no larger than necessary, i.e., that the MAX_ENABLED_ROLES parameter is set to the lowest value consistent with required database operation.
Setting this parameter may provide additional assurance that application roles are being enabled and disabled in accordance with design.D�Verify that the Oracle database cannot register with a listener located on a separate host machine, i.e., that the REMOTE_LISTENER parameter is set to a null string value.
The configuration and management of a remote listener may be outside the security domain of the database host system, and shall therefore, not be used.-�Verify that a valid and protected directory is designated for writing and storing the audit trail, i.e., that the AUDIT_FILE_DEST initialization parameter is well defined.
The AUDIT_FILE_DEST parameter specifies the directory where the Oracle database audit trail shall be written on the host system.p�Verify that a valid and protected directory is designated for writing and storing database session trail files, i.e., that the USER_DUMP_DEST initialization parameter is well defined.
The USER_DUMP_DEST parameter specifies the host directory where database session trace files are written. The USER_DUMP_DEST parameter shall be set to a valid and protected directory.s�Verify that a valid and protected directory is designated for writing and storing alert log and trace files for Oracle background processes, i.e., that the BACKGROUNG_DUMP_DEST initialization parameter is well defined.
The BACKGROUNG_DUMP_DEST parameter specifies the host directory where the Oracle alert log and trace files for Oracle background processes are written.��Verify that a valid and protected directory is designated for writing and storing Oracle core files, i.e., that the CORE_DUMP_DEST initialization parameter is well defined.
The CORE_DUMP_DEST parameter specifies the host directory where the Oracle core files are written.6�Verify that redo log archiving is enabled at instance startup, i.e., that the LOG_ARCHIVE_START parameter is set to TRUE.
The LOG_ARCHIVE_START parameter determines whether redo log archiving is started at the time of instance startup. The database must be in archive log mode for this setting to take effect.6�In the event that archive logging is enabled, verify that a valid and protected directory is designated for writing and storing redo log archives, i.e., that the LOG_ARCHIVE_DEST initialization parameter is well defined.
The LOG_ARCHIVE_DEST parameter requires that ARCHIVELOG mode be enabled on the database.S�In the event that archive logging is enabled, verify that a valid and protected backup directory is designated for writing and storing redo log archives, i.e., that the LOG_ARCHIVE_DUPLEX_DEST(_n) initialization parameter is well defined.
The LOG_ARCHIVE_DUPLEX_DEST(_n) parameter requires that ARCHIVELOG mode be enabled on the database.x�Verify that an arbitrary OS user account will be unable to log in to a database account of the same name without a password, i.e., that the OS_AUTHENT_PREFIX is set to a string other than OPS$.
Setting the OS_AUTHENT_PREFIX parameter to a value other than OPS$ prevents an OS account from being able to access a database account by the same name without providing a password.��For Oracle client workstations, verify that password encryption is enabled for logins via network connections to Oracle servers, i.e. that the ORA_ENCRYPT_LOGIN environment variable is set to TRUE.
Oracle password information in a connection request shall be encrypted.��Verify that password file authentication for database administrative accounts is disabled.
Because administrative accounts do not allow for individual accountability via auditing, password file authentication shall not allow for remote administrative sessions.�Verify that default accounts unnecessary for the daily operation of the database are either deleted or locked and expired.
This check is based on a list of Oracle-recommended settings for default accounts.�Verify that default passwords for default accounts have been changed.
This check is based on the list of usernames and associated default passwords ��Verify that a password is set for all listeners running on the system.
No password is set on the listener by default. A listener password shall be set. Failing to set a password on the listener could result in unauthorized users starting, stopping, and configuring the listener service. The password shall be stored in encrypted format within the listener.ora file. This is accomplished by using the change_password function of the LSNRCTL utility.��Verify that the ADMIN_RESTRICTIONS option is enabled in the listener.ora file.
The Oracle listener by default allows dynamic configuration via the LSNRCTL utility. Dynamic configuration leaves the listener vulnerable to unauthorized modification should the listener not be protected by a password or the password be compromised. Dynamic configuration shall be disabled by specifying the parameter ADMIN_RESTRICTIONS_listener_name in the listener.ora file.��Verify that Oracle profiles are configured correctly.
User profiles are used to restrict system resource use as well as define some security parameters. The DEFAULT profile is used when no other profile is specified for the database account. The DEFAULT profile should be modified to secure database accounts that are not assigned a specific profile. Any custom profiles in the database should also have these security parameters set.5�Verify that Oracle files and directories have correct ownership.
All files and directories installed by Oracle should be owned by the installation account and the installation group, except for the Oracle Listener and Intelligent Agent processes, both of which must have unique user IDs associated with them.K�Verify that all database files, redo logs, and control files have permission mode 640 or more restrictive; these <� files typically have .dbf, .log, and .ctl extensions, respectively.
To maintain discretionary access to data, all database files, redo logs, and control files must be readable only by the oracle account and dba group.�Verify that the main Oracle binary directory has its permission mode set to 755.
The $ORACLE_HOME/bin directory must be writable by the Oracle software owner and executable by all users.�Verify that all other executables in the $ORACLE_HOME/bin directory are writable only by oracle and group-executable.
All other Oracle executables in the $ORACLE_HOME/bin directory must have their permission mode set to 750.�Verify that the main Oracle library directory has its permission mode set to 750.
The $ORACLE_HOME/lib directory must be writable by the Oracle software owner.�Verify that all files in the main Oracle library directory have their permission modes set to 644.
The contents of $ORACLE_HOME/lib must be readable and writable by oracle and readable by all other users.�Verify that the main Oracle log directory has its permission mode set to 750.
Access to the $ORACLE_HOME/rdbms/log directory must be restricted to the oracle account and dba group.�Verify that product subdirectories containing logging information have their permission modes set to 750.
Access to the $ORACLE_HOME/rdbms and $ORACLE_HOME/sqlplus directories must be restricted to the oracle account and dba group.�Verify that all files in product subdirectories containing logging information have their permission modes set to 644.
The contents of $ORACLE_HOME/rdbms and $ORACLE_HOME/sqlplus must read-writable by oracle and readable by all other users.��Verify that all files in product admin subdirectories containing logging information have their permission modes set to 644.
The contents of $ORACLE_HOME/rdbms/admin and $ORACLE_HOME/sqlplus/admin must read-writable by oracle and readable by all other users.�Verify that each parent directory in the $ORACLE_HOME path has a permission mode of 755.
All parent directories of the $ORACLE_HOME directory must be writable by their owners, and world readable/executable.5�Verify that access to all Oracle database parameter files is restricted to the software owner and DBAs.
Access to the Oracle initialization parameter files, i.e. init.ora, init.ora, spfile.ora, and spfile.ora, must have their permissions modes set to 640, be owned by oracle and group-owned by dba.��Verify that access to the remote logon password file is restricted to the software owner and DBAs.
Oracle stores encrypted forms of the internal SYS password, as well as account passwords for users granted the SYSDBA or SYSOPER roles in a special password file. Read access to this file must be restricted to authorized users. This file must have its permission mode must be set to 640, be owned by oracle, and group-owned by dba.$�Verify that access to the listener.ora file is restricted to the software owner and DBAs.
The listener.ora file contains listener configuration parameters and the listener password. Access to this file must be restricted to the Oracle owner, the Oracle TNSLISTENER service account, and DBAs.4�Verify that access to the support files for the Oracle Intelligent Agent is restricted to the software owner and DBAs.
The files dbsnmp_rw.ora and dbsnmp_ro.ora files, if present, may contain the password of the DBSNMP database account. Access to these files must be restricted to the Oracle owner and DBAs.z�Verify that access to the sqlnet.ora file (and protocol.ora file for Oracle database version 8 and 8i) is restricted to the software owner and DBAs.
The sqlnet.ora file (and protocol.ora file for Oracle database version 8 and 8i) contains network configuration information for the host database and listener. Access to this file must be restricted to the Oracle owner and DBAs.b�Verify that access to log and trace file directories is restricted to the software owner and DBAs.
Log and trace file directories found under the $ORACLE_HOME directory may contain information useful for the unauthorized access to database contents. Access to these directories and the files they contain must be restricted to the Oracle owner and DBAs.�Verify that all database objects are audited for RENAME actions.
The only database object auditing required is RENAME actions on all objects.�Verify that required measures are taken to protect audit trails.
Access to auditing information must be restricted to database administrators. Any manual alteration to the auditing table must itself be audited.�Verify that a minimum set of PUBLIC execute privileges have been revoked.
Because all Oracle database accounts are assigned the PUBLIC role, this role should not be granted any unnecessary privileges.�Verify that no system privileges are granted to the PUBLIC role.
Because all Oracle database accounts are assigned the PUBLIC role, this role should not be granted any system privileges.�Verify that no object privileges are granted to the PUBLIC role.
Because all Oracle database accounts are assigned the PUBLIC role, this role should not be granted any object privileges.�Verify that no object privileges are granted to non-system user accounts and roles.
Only DBAs shall be granted the privileges necessary to create objects in a production environment.�Verify that no predefined roles are assigned to custom database accounts.
Oracle predefined roles shall be restricted to Oracle default accounts with the exception of the DBA role.�Verify that no system privileges are granted directly to non-default users and roles.
System privileges must not be granted directly to any user or application user roles.�Verify that no object privileges are granted directly to non-default user accounts.
Object privileges must only be granted to users through role assignments.�Verify that no users and roles are granted the revoke, index, and reference privileges.
The DBA shall restrict assignment of the alter, index, and references object privileges to DBAs, object owners, and predefined roles.�Verify that users do not have access to DBA data.
The DBA shall ensure that access to DBA views and tables is restricted to DBAs and batch processing accounts.&�Verify that the EXTPROC module is disabled, if its use is unnecessary.
Oracle EXTPROC functionality shall be disabled if it is not explicitly required to support a business application. The EXTPROC component has a known vulnerability that allows unauthenticated access via the Oracle Listener.��Verify that a non-default port number is in use for the Oracle Listener.
[CONFLICT IN POLICY]
IRS requires standard port usage to better support firewall and intrusion detection monitoring. Oracle default ports shall be used to support Oracle network communications when traversing network firewalls. (Note: this is mostly in reference to Oracle's "random port assignments" feature.
[N.B. IANA has not licensed port 1521 to Oracle Corp, therefore it cannot be considered a true "standard port."]
Center for Internet Security (from Security Benchmark for Oracle 9i/10g): "Standard ports are well known and can be used by attackers to verify applications running on a server."�Verify that network address restrictions are enabled.
Access to the database from the network can be restricted based on TCP/IP network address. TCP/IP address restrictions shall be defined on systems unless such restrictions are not feasible.��Verify that the XML DB feature is disabled, unless it is necessary in which case required event logging must be in place.
The Oracle DB feature offers access to database resources using standard Internet protocols. If Oracle XML DB is not required, then it shall be disabled; if it is required, logging shall be enabled by setting the log-level for all enabled protocols to log unsuccessful logins.��Verify that Oracle Enterprise Management components have been removed if they are not required.
The Oracle Intelligent Agent is used by the Oracle Enterprise Manager to provide centralized database management both locally and remotely. Because this functionality offers administrative action on the local database and is av<� ailable via the network, it is vulnerable to attack. The DBA shall disable the Oracle Intelligent Agent on databases accessible via the Internet.�Verify that no static or fixed user database accounts have their unencrypted passwords inside the database link table.
Applications shall not create or use public database links, with the exception of database links required for replication.�Verify that multiple copies of the database's control and redo files exist.
To prevent loss of service resulting from disk failure, multiple copies of Oracle control and redo log files shall be employed.�Verify that the SQL*Plus HOST command is disabled.
The HOST command provides system access to database users. The DBA shall restrict access to the HOST command to authorized DBAs.��Verify that no users have the SYSTEM tablespace as their default or temporary tablespace.
To prevent the SYSTEM tablespace from becoming full, the DBA shall ensure that no non-default users have the SYSTEM tablespace as their default or temporary tablespace.�Verify that ARCHIVELOG mode is enabled.
The Oracle ARCHIVELOG feature allows for database recovery via the redo log files. The DBA shall enable ARCHIVELOG mode.�Verify that the Oracle trace utility does not exist on the system.
The Oracle trace utility can have a negative impact on database performance and disk space usage.�1. For database versions 9.0.1 and earlier, perform the following query:
SQL> SELECT VALUE FROM v$PARAMETER
2 WHERE NAME='dblink_encrypt_login';
2. View the init.ora file for each Oracle instance that is version 9.0.1 or earlier.h1. This query must return TRUE.
2. The following statement must be present:
DBLINK_ENCRYPT_LOGIN = TRUE�1. Perform the following query:
SQL> SELECT VALUE FROM v$PARAMETER
2 WHERE NAME='audit_trail';
2. View the init.ora file for each Oracle instance.�1. This query must return TRUE, OS, or DB.
2. One of the following statements must be present:
AUDIT_TRAIL = TRUE
AUDIT_TRAIL = OS
AUDIT_TRAIL = DB�1. Perform the following query:
SQL> SELECT VALUE FROM v$PARAMETER
2 WHERE NAME='resource_limit';
2. View the init.ora file for each Oracle instance.b1. This query must return TRUE.
2. The following statement must be present:
RESOURCE_LIMIT = TRUEg1. This query must return FALSE.
2. The following statement must be present:
REMOTE_OS_AUTHENT = FALSE�1. Perform the following query:
SQL> SELECT VALUE FROM v$PARAMETER
2 WHERE NAME='remote_os_roles';
2. View the init.ora file for each Oracle instance.e1. This query must return FALSE.
2. The following statement must be present:
REMOTE_OS_ROLES = FALSE�1. Perform the following query:
SQL> SELECT VALUE FROM v$PARAMETER
2 WHERE NAME='os_roles';
2. View the init.ora file for each Oracle instance.^1. This query must return FALSE.
2. The following statement must be present:���������������� �
�����
������������������������������������� �!�"�#�$�%�&�'�(�)�*�+�,�-�.�/�0�1�2�3�4�5�6�7�8�9�:�;�<�=�>�?�@�A�B�C�D�E�F�G�H�I�J�K�L�M�N�O�P�Q�R�S�T�U�V�W�X�Y�Z�[�\�]�^�_�`�a�b�c�d�e�f�h����i�j�k�l�m�n�o�p�q�r�s�t�u�v�w�x�y�z�{�|�}�~��€�
OS_ROLES = FALSE�1. Perform the following query:
SQL> SELECT VALUE FROM v$PARAMETER
2 WHERE NAME='utl_file_dir';
2. View the init.ora file for each Oracle instance.�1. This query must return the full path to a valid, protected directory.
2. he following statement must be present:
UTL_FILE_DIR =
where is the full path to a directory meeting the specified restrictions.�Perform the following query:
SQL> SELECT VALUE FROM v$PARAMETER
2 WHERE NAME='sql92_security';
2. View the init.ora file for each Oracle instance.b1. This query must return TRUE.
2. The following statement must be present:
SQL92_SECURITY = TRUE�Perform the following query:
SQL> SELECT VALUE FROM v$PARAMETER
2 WHERE NAME='O7_DICTIONARY_ACCESSIBILITY';
2. View the init.ora file for each Oracle instance.r
1. This query must return FALSE.
2. The following statement must be present:
O7_DICTIONARY_ACCESSIBILITY = FALSE�Perform the following query:
SQL> SELECT VALUE FROM v$PARAMETER
2 WHERE NAME='remote_login_passwordfile';
2. View the init.ora file for each Oracle instance.�
1. This query must return either EXCLUSIVE or NONE.
2. One of the following statements must be present:
REMOTE_LOGIN_PASSWORDFILE = EXCLUSIVE
REMOTE_LOGIN_PASSWORDFILE = NONE�For Oracle database versions 9.2 and later, perform the following query:
SQL> SELECT VALUE FROM v$PARAMETER
2 WHERE NAME='audit_sys_operations';
2. View the init.ora file for each Oracle instance that is version 9.2 or later;.h1. This query must return TRUE.
2. The following statement must be present:
AUDIT_SYS_OPERATIONS = TRUE�Perform the following query:
SQL> SELECT VALUE FROM v$PARAMETER
2 WHERE NAME='global_names';
2. View the init.ora file for each Oracle instance.�
This query must return TRUE.
View the init.ora file for each Oracle instance; the following statement must be present:
GLOBAL_NAMES = TRUE31. View the init.ora file for each Oracle instance.H 1. The following statement must be present:
_TRACE_FILES_PUBLIC = FALSE�1. Perform the following query:
SQL> SELECT VALUE FROM v$PARAMETER
2 WHERE NAME='max_enabled_roles';
2. View the init.ora file for each Oracle instance.��1. MAX_ENABLED_ROLES must be set to the lowest setting consistent with required database operation.
2. The following statement must be present:
MAX_ENABLED_ROLES =
where is the lowest positive integer consistent with required database operation.�1. Perform the following query:
SQL> SELECT VALUE FROM v$PARAMETER
2 WHERE NAME='remote_listener';
2. View the init.ora file for each Oracle instance.l1. This query must return a null value.
2. The following statement must be present:
REMOTE_LISTENER = FALSE�1. Perform the following query:
SQL> SELECT VALUE FROM v$PARAMETER
2 WHERE NAME='audit_file_dest';
2. View the init.ora file for each Oracle instance.X�1. This query must return the full path to a valid, protected directory.
2. The following statement must be present:
AUDIT_FILE_DEST =
where is the full path to a valid, protected directory. (Note that the AUDIT_TRAIL initialization parameter must be set to OS for the AUDIT_FILE_DEST setting to take effect.)�1. Perform the following query:
SQL> SELECT VALUE FROM v$PARAMETER
2 WHERE NAME='user_dump_dest';
2. View the init.ora file for each Oracle instance.
�1. This query must return the full path to a valid, protected directory.
2. The following statement must be present:
USER_DUMP_DEST =
where is the full path to a valid, protected directory.�1. Perform the following query:
SQL> SELECT VALUE FROM v$PARAMETER
2 WHERE NAME='background_dump_dest';
2. View the init.ora file for each Oracle instance.�1. This query must return the full path to a valid, protected directory.
2. The following statement must be present:
BACKGROUNG_DUMP_DEST =
where is the full path to a valid, protected directory.�1. Perform the following query:
SQL> SELECT VALUE FROM v$PARAMETER
2 WHERE NAME='core_dump_dest';
2. View the init.ora file for each Oracle instance.�1. This query must return the full path to a valid, protected directory.
2. The following statement must be present:
CORE_DUMP_DEST =
where is the full path to a valid, protected directory.�Perform the following query:
SQL> SELECT VALUE FROM v$PARAMETER
2 WHERE NAME='log_archive_start';
2. View the init.ora file for each Oracle instance.e1. This query must return TRUE.
2. The following statement must be present:
LOG_ARCHIVE_START = TRUE�1. Perform the following query:
SQL> SELECT VALUE FROM v$PARAMETER
2 WHERE NAME='log_archive_dest';
2. View the init.ora file for each Oracle instance.�1. This query must return the full path to a valid, protected directory.
2. The following statement must be present:
LOG_ARCHIVE_DEST =
where is the full path to a directory meeting the specified restrictions.�1. Perform the following query:
SQL> SELECT VALUE FROM v$PARAMETER
2 WHERE NAME='log_archive_duplex_dest(_n)';
where (_n) is either not present or replaced by _1, _2,....
2. View the init.ora file for each Oracle instance._�1. This query must return the full p<� ath to a valid, protected directory for each result.
2. The following statement(s) must be present:
LOG_ARCHIVE_DUPLEX_DEST(_n) =
where (_n) is either not present or replaced by _1, _2,... and is the full path to a directory meeting the specified restrictions, for each such line.�1. Perform the following query:
SQL> SELECT VALUE FROM v$PARAMETER
2 WHERE NAME='os_authent_prefix';
2. View the init.ora file for each Oracle instance.�1. This query must return a value other than OPS$.
2. The following statement must be present:
OS_AUTHENT_PREFIX =
where is a text value than OPS$.�1. On an Oracle client workstations only:
View the sqlnet.ora file; the following statement must be present:
ORA_ENCRYPT_LOGIN = TRUE?1. The following statement is present:
ORA_ENCRYPT_LOGIN = TRUE��If REMOTE_LOGIN_PASSWORDFILE (See test ID 12) is set to NONE, this check is not applicable.
1. Perform the following query:
SQL> SELECT VALUE FROM v$PARAMETER
2 WHERE NAME='log_archive_duplex_dest(_n)';
where (_n) is either not present or replaced by _1, _2,....
�1. If REMOTE_LOGIN_PASSWORDFILE is not set to NONE, it must be set to EXCLUSIVE and the following query must return no data, i.e. "no rows selected":
SQL> SELECT * FROM v$PWFILE_USERS��1. For each username/status pair below, perform the following query:
SQL> SELECT username, account_status
2 FROM dba_users
3 WHERE username = '';
USERNAME ACCOUNT_STATUS
ADAMS, AURORA$JIS$UTILITY$, AURORA$ORB$UNAUTHENTICATED, BLAKE, CLARK, CTXSYS, DBSNMP, HR, JONES, LBACSYS, MDSYS, OE, OLAPDBA, OLAPSVR, OLAPSYS, ORDPLUGINS, ORDSYS, OSE$HTTP$ADMIN, OUTLN, PM, QS, QS_ADM, QS_CB, QS_CBADM, QS_CS, QS_ES, QS_OS, QS_WS, SCOTT, SH, SYS, SYSTEM��1.If exists on the Oracle database installation, the resulting ACCOUNT_STATUS value must match below:
OPEN for:
AURORA$JIS$UTILITY$, AURORA$ORB$UNAUTHENTICATED, DBSNMP, OPENOSE$HTTP$ADMIN, OSE$HTTP$ADMIN, OUTLN, SCOTT, SYS, SYSTEM
EXPIRED & LOCKED for:
ADAMS, BLAKE, CLARK, CTXSYS, HR, JONES, LBACSYS, MDSYS, OE, OLAPDBA, OLAPSVR, OLAPSYS, ORDPLUGINS, ORDSYS, PM, QS, QS_ADM, QS_CB, QS_CBADM, QS_CS, QS_ES, QS_OS, QS_WS, SHg1. Run the following command:
% egrep -i passwords_listener \
> $ORACLE_HOME/network/admin/listener.ora\1. A line of output resembling the following must be present:
PASSWORDS_LISTENER = XXXXXXXXXh1. Run the following command:
% egrep -i admin_restrictions_ \
> $ORACLE_HOME/network/admin/listener.orag1. A line of output, for each active listener, must be present:
ADMIN_RESTRICTIONS_listener_name = TRUE`1. Perform the following query:
SQL> SELECT PROFILE,RESOURCE_NAME, LIMIT
2 FROM dba_profiles';�1. The following RESOURCE_NAME and LIMIT pairs must be present for each profile returned:
IDLE_TIME 15
PASSWORD_LIFE_TIME 90
PASSWORD_REUSE_MAX 10
PASSWORD_REUSE_TIME 365
FAILED_LOGIN_ATTEMPTS 906�1. Run the following commands for each Oracle-based filesystem:
% ls -lR /u01 | egrep -v 'oracle|total|^$|:$'
% ls -lR /u01 | egrep -v 'oinstall|total|^$|:$'
(In this example, /u01 is the Oracle filesystem, the installation owner is assumed to be oracle, and the installation group is assumed to be oinstall.)��1. The results of these commands should only return the Listener, nmb, and nmo binaries. The Listener binary should be owned by a user account made solely for the purpose of owning/running the Oracle listener. The nmb and nmo must be owned by root for operational reasons.�1. Locate all database files, redo logs, and control files with a find command similar to the following:
% find XXX -type f -name "*.dbf" -o -name "*.log" \
> -o -name "*.ctl"
(Here, XXX is all of the Oracle-based filesystems)�1. For each result of this command, check the permissions and ownership. The permission mode for each file must be 640 or more restrictive, the owner must be oracle, and the group owner must be dba.<�1. Perform the following command:
% ls -ld $ORACLE_HOME/bin/�1. This directory must have its permission mode set to 755, be owned by oracle, and group owned by dba. (For Oracle Database versions earlier than 9.2, the permission mode must be set to 751.)�1. Perform the following command:
% ls -l $ORACLE_HOME/bin/dbsnmp
2. Perform the following commands.
% ls -l $ORACLE_HOME/bin/oidldapd
% ls -l $ORACLE_HOME/bin/oracle
% ls -l $ORACLE_HOME/bin/oradismn�1. If long list output is returned, the permission mode must correspond to mode 4750; the owner must be root; and the group owner must be dba. (the 4 represents setuid bit is set)
2. If long list output is returned, the permissions code must correspond to mode 4751; the owner must be oracle; and the group owner must be dba. (the 4 represents setuid bit is set)�1. Execute the following script from the command line:
% for i in `ls $ORACLE_HOME/bin`; do
> file $ORACLE_HOME/bin/$i | \
> egrep -s executable &&
> ls -lL $i | egrep -v rwxr-x---
> donem1. This command must not return any output other than the following: nmb, nmo, oidldapd, oracle, and oradism.;1 Perform the following command:
% ls -ld $ORACLE_HOME/lib/g1. This directory must have its permission mode set to 750, be owned by oracle, and group owned by dba.�1 Execute the following script from the command line:
% for i in `ls $ORACLE_HOME/lib`; do
> ls -lLd $ORACLE_HOME/lib/$i | \
> egrep -v rw-r--r--
> done,
1. This command must not return any output.B1. Perform the following command:
% ls -ld $ORACLE_HOME/rdbms/log/^1. Perform the following commands:
% ls -ld $ORACLE_HOME/rdbms/
% ls -ld $ORACLE_HOME/sqlplus/m
1. This directories must have their permission modes set to 750, be owned by oracle, and group owned by dba.�1. Execute the following commands:
% ls -lL $ORACLE_HOME/rdbms | egrep '^-' | \
> egrep -v 'rw-r--r--'
% ls -lL $ORACLE_HOME/sqlplus | egrep '^-' | \
> egrep -v 'rw-r--r--'-1. These commands must not return any output.F1. Perform the following command:
% ls -ld $ORACLE_HOME/network/trace/g1. This directory must have its permission mode set to 730, be owned by oracle, and group owned by dba.�1. Execute the following commands:
% ls -lL $ORACLE_HOME/rdbms/admin | \
> egrep '^-' | \
> egrep -v 'rw-r--r--'
% ls -lL $ORACLE_HOME/sqlplus/admin | \
> egrep '^-' | \
> egrep -v 'rw-r--r--'�1. Execute the following script from the command line:
% opath=
% for I in `echo $ORACLE_HOME | \
> sed 's/\// /g'`; do
> opath=$opath/$i
> ls -ld $opath | grep -v drwxr-xr-x
> done.1. There must not be output from this command.�1. Locate all database initialization parameter files. These are typically found in the $ORACLE_HOME/dbs/ directory, but may be found elsewhere. Perform the following command:
% ls -l h
1. These files must have their permission modes set to 640, be owned by oracle, and group owned by dba.�1. Locate the remote logon password file. This is typically located at $ORACLE_HOME/dbs/orapwd.ora, but may be found elsewhere. Perform the following command:
% ls -l b1. This file must have its permission mode set to 640, be owned by oracle, and group owned by dba.�1. Locate the listener.ora file. This is typically located at $ORACLE_HOME/network/admin/listener.ora, but may be found elsewhere. Perform the following command:
% ls -l c
1. This file must have its permission mode set to 640, be owned by oracle, and group owned by dba.�1. Locate the dbsnmp_rw.ora and dbsnmp_ro.ora files. These are typically located in the $ORACLE_HOME/network/admin/ directory, but may be found elsewhere. Perform the following command for each file:
% ls -l g1. These files must have their permission modes set to 640, be owned by oracle, and group owned by dba.�1. Locate the sqlnet.ora file. This is typically located at $ORACLE_HOME/network/admin/sqlnet.ora, but may be found elsewhere. Perform the following command:
% ls -l �
1. This file must have its permission mode set to 640, be owned by oracle, and group owned by dba. (For Oracle database versions 8 and 8i, this check must also be performed on the protocol.ora file.)��1. Perform the following command:
% ls -l $ORACLE<� _HOME/
where is each of the following directories:
admin/bdump/, admin/cdump/, admin/create/, admin/udump/, ctx/log/, hs/log/, ldap/log/, network/log/, otrace/admin/, and sysman/log/�1. All files with the log and trc file extensions must have their permission modes set to 640, be owned by oracle, and group-owned by dba.�1. Perform the following query:
SQL> SELECT AUDIT_OPTION,SUCCESS,FAILURE
2 FROM DBA_STMT_AUDIT_OPTS
3 UNION SELECT PRIVILEGE,SUCCESS,FAILURE
5 FROM DBA_PRIV_AUDIT_OPTS;��1. The following AUDIT_OPTIONS/PRIVILEGES must be returned with SUCCESS and FAILURE values of BY ACCESS:
ALTER [ANY CLUSTER, ANY DIMENSION, ANY INDEX, ANY LIBRARY, ANY OUTLINE, ANY PROCEDURE, ANY ROLE, ANY SEQUENCE, ANY SNAPSHOT, ANY TABLE, ANY TRIGGER, ANY TYPE, DATABASE, PROFILE, RESOURCE COST, ROLLBACK SEGMENT, SEQUENCE, SESSION, SYSTEM, TABLE, TABLESPACE, USER]
ANALYZE ANY, AUDIT ANY, BACKUP ANY TABLE, BECOME USER, COMMENT ANY TABLE, COMMENT TABLE
CREATE ANY [CLUSTER, CONTEXT, DIMENSION, DIRECTORY, INDEX, LIBRARY, OUTLINE, PROCEDURE, SEQUENCE]
DROP [ANY CLUSTER, ANY DIMENSION, ANY DIRECTORY, ANY INDEX, ANY LIBRARY, ANY OUTLINE, ANY PROCEDURE, ANY ROLE, ANY SEQUENCE, ANY SNAPSHOT, ANY TABLE, ANY TRIGGER, ANY TYPE, ANY VIEW, PROFILE, PUBLIC SYNONYM, ROLLBACK SEGMENT, TABLESPACE, USER]
ENQUEUE ANY QUEUE, FORCE [ANY TRANSACTION, TRANSACTION], GLOBAL QUERY REWRITE, GRANT [ANY PRIVILEGE, ANY ROLE, DIRECTORY, PROCEDURE, SEQUENCE, TABLE, TYPE], MANAGE [ANY QUEUE, TABLESPACE]d1. Perform the following query:
SQL> SELECT COUNT(*) FROM DBA_OBJ_AUDIT_OPTS
2 WHERE REN = '-/-';+1. The value of the count must be zero (0).j1. Perform the following query:
SQL> SELECT DEL,UPD FROM DBA_OBJ_AUDIT_OPTS
2 WHERE OBJECT_NAME='AUD$';41. The DEL and UPD values returned must both be A/A.)�1. Perform the following query:
SQL> SELECT TABLE_NAME FROM DBA_TAB_PRIVS
2 WHERE GRANTEE='PUBLIC' AND
3 PRIVILEGE='EXECUTE'
4 AND TABLE_NAME IN (
5 'UTL_SMTP', 'UTL_TCP', 'UTL_HTTP',
6 'UTL_FILE',
7 'DBMS_RANDOM', 'DBMS_LOB', 'DBMS_SQL',
8 'DBMS_JOB', 'DBMS_BACKUP_RESTORE');A1. This query must not return any data, i.e., "no rows selected."e1. Perform the following query:
SQL> SELECT PRIVILEGE FROM DBA_SYS_PRIVS
2 WHERE GRANTEE='PUBLIC';
�1. Perform the following query:
SQL> SELECT * FROM DBA_TAB_PRIVS
2 WHERE GRANTEE='PUBLIC' AND
3 OWNER NOT IN (
4 'SYS', 'CTXSYS', 'MDSYS', 'ODM',
5 'OLAPSYS', 'MTSYS',
6 'ORDPLUGINS', 'ORDSYS',
7 'SYSTEM', 'WKSYS',
8 'REMISS', 'XDB', 'LBACSYS');�1. Perform the following query:
SQL> SELECT GRANTEE,GRANTED_ROLE FROM
2 DBA_ROLE_PRIVS WHERE
3 ADMIN_OPTION='YES' AND GRANTEE NOT IN (
4 'SYS','SYSTEM','DBA',
5 'AQ_ADMINISTRATOR_ROLE',
6 'MDSYS','LBACSYS');�1. Perform the following query:
SQL> SELECT GRANTEE,PRIVILEGE FROM
2 DBA_SYS_PRIVS WHERE
3 ADMIN_OPTION='YES' AND
4 GRANTEE NOT IN ('SYS,'SYSTEM',
4 'DBA','AQ_ADMINISTRATOR_ROLE',
5 'MDSYS','LBACSYS');Y�1. Perform the following query:
SQL> SELECT GRANTEE || ' ' || OWNER ||
2 ' ' || TABLE_NAME FROM
3 DBA_TAB_PRIVS WHERE GRANTABLE='YES'
4 AND GRANTEE NOT IN (
5 'SYS','SYSTEM','DBA','OLAPSYS','CTXSYS',
6 'PUBLIC','LBACSYS') AND
7 TABLE_NAME NOT IN (
8 SELECT SYNONYM_NAME FROM DBA_SYNONYMS
9 WHERE SYNONYM_NAME=TABLE_NAME);W�1. Perform the following query:
SQL> SELECT GRANTEE,GRANTED_ROLE FROM
2 DBA_ROLE_PRIVS WHERE GRANTED_ROLE IN (
3 'AQ_ADMINISTRATOR_ROLE','AQ_USER_ROLE',
4 'CONNECT','CTXAPP','DBSNMP',
5 'DELETE_CATALOG_ROLE',
6 'EXECUTE_CATALOG_ROLE',
7 'EXP_FULL_DATABASE',
8 'GLOBAL_AQ_USER_ROLE','HS_ADMIN_ROLE',
9 'IMP_FULL_DATABASE','JAVA_ADMIN',
10 'JAVADEBUGPRIV',
11 'JAVAIDPRIV','JAVASYSPRIV',
12 'JAVAUSERPRIV',
13 'OEM_MONITOR','OLAP_DBA',
14 'OSDBA','OSOPER','OUTLN',
15 'PLUSTRACE','RECOVERY_CATALOG_OWNER',
16 'RESOURCE','SELECT_CATALOG_ROLE',
17 'SNMPAGENT',
18 'SYS','SYSDBA','SYSOPER','SYSTEM',
19 'TIMESERIES_DBA',
20 'TIMESERIES_DEVELOPER',
21 'TKPRFER','WKADMIN',
22 'WKUSER','WM_ADMIN_ROLE')
23 AND GRANTEE NOT IN (
24 'SYS','SYSTEM','DBA',
25 'EXP_FULL_DATABASE',
26 'IMP_FULL_DATABASE',
27 'EXECUTE_CATALOG_ROLE',
28 'JAVASYSPRIV','OEM_MONITOR',
29 'OUTLN','WKSYS',
30 'OSE$HTTP$ADMIN','ORDPLUGINS','LBACSYS',
31 'WKUSER','ORDSYS',
32 'SELECT_CATALOG_ROLE',
33 'CTXSYS','AURORA$JIS$UTILITY$',
34 'DBSNMP');}�1. Perform the following query:
SQL> SELECT GRANTEE || ' ' || GRANTED_ROLE
2 FROM DBA_ROLE_PRIVS
3 WHERE DEFAULT_ROLE='YES'
4 AND GRANTED_ROLE IN (
4 SELECT GRANTEE FROM DBA_SYS_PRIVS
5 WHERE PRIVILEGE LIKE '%USER%'
6 AND GRANTEE NOT IN
7 ('CTXSYS','DBA','IMP_FULL_DATABASE',
8 'MDSYS','SYS','WKSYS')
9 ) AND GRANTEE NOT IN (
10 'DBA','SYS','SYSTEM');��1. Perform the following query:
SQL> SELECT GRANTEE,PRIVILEGE FROM
2 DBA_SYS_PRIVS WHERE PRIVILEGE <>
3 'CREATE SESSION' AND GRANTEE NOT IN (
4 'AQ_ADMINISTRATOR_ROLE','AQ_USER_ROLE',
5 'AURORA$ORG$UNAUTHENTICATED',
6 'CONNECT','CTXAPP',
7 'DBA','DBSNMP','DELETE_CATALOG_ROLE',
8 'EXECUTE_CATALOG_ROLE',
9 'EXP_FULL_DATABASE',
10 'HS_ADMIN_ROLE','IMP_FULL_DATABASE',
11 'JAVA_ADMIN', 'JAVADEBUGPRIV',
12 'JAVAIDPRIV','JAVASYSPRIV',
13 'MDSYS','OEM_ADVISOR',
14 'OEM_MONITOR','OSDBA',
15 'OSOPER','OUTLN','PLUSTRACE',
16 'RECOVERY_CATALOG_OWNER','RESOURCE',
17 'SCHEDULER_ADMIN',
18 'SELECT_CATALOG_ROLE',
19 'SNMPAGENT','SYS','SYSDBA','SYSOPER',
20 'SYSTEM','TIMESERIES_DBA',
21 'TIMESERIES_DEVELOPER',
22 'TKPROFER','TSMSYS')�1. Perform the following query:
SQL> SELECT DISTINCT GRANTEE FROM
2 DBA_TAB_PRIVS WHERE GRANTEE NOT IN
3 (SELECT ROLE FROM DBA_ROLES) AND
4 GRANTEE NOT IN
5 (SELECT USERNAME FROM DBA_USERS) AND
6 GRANTEE <> 'PUBLIC';.�1. Perform the following query:
SQL> SELECT GRANTEE || ' ' || PRIVILEGE
2 || ' ' || OWNER || ' ' || TABLE_NAME
3 FROM DBA_TAB_PRIVS WHERE (
4 PRIVILEGE LIKE '%ALTER%' OR
5 PRIVILEGE LIKE '%INDEX%' OR
6 PRIVILEGE LIKE '%REFERENCES%'
7 ) AND GRANTEE<>'SYSTEM' AND
8 GRANTOR<>'MDSYS';��1. Perform the following query:
SQL> SELECT GRANTEE || ' ' || PRIVILEGE
2 || ' ' ||
3 TABLE_NAME FROM DBA_TAB_PRIVS
4 WHERE (OWNER='SYS' OR TABLE_NAME LIKE
5 'DBA_') AND GRANTEE NOT IN (
6 'AQ_ADMINISTRATOR_ROLE','AQ_USER_ROLE',
7 'AURORA%JIS%UTILITY%','DBA','DBSNMP',
8 'EXECUTE_CATALOG_ROLE',
9 'EXP_FULL_DATABASE',
10 'HS_ADMIN_ROLE','IMP_FULL_DATABASE',
11 'ORDSYS','OSE$HTTP$ADMIN','OUTLN',
12 'PUBLIC','SELECT_CATALOG_ROLE',
13 'SNMPAGENT','SYSTEM',
14 'DELETE_CATALOG_ROLE',
15 'GATHER_SYSTEM_STATISTICS',
16 'LOGSTDBY_ADMINISTRATOR','MDSYS','ODM',
17 'OEM_MONITOR','OLAPSYS',
18 'WKUSER','WMSYS',
19 'WM_ADMIN_ROLE','XDB','TRACESVR') AND
20 GRANTEE NOT IN (SELECT GRANTEE FROM
21 DBA_ROLE_PRIVS WHERE
22 GRANTED_ROLE='DBA')��1. Perform the following query:
SQL> SELECT DISTINCT OWNER
2 FROM DBA_OBJECTS,DBA_USERS
3 WHERE OWNER NOT IN (
4 'SYS','SYSTEM','MDSYS','CTXSYS',
5 'ORSYS','ORDPLUGINS',
6 'AURORA$JIS$UTILITY$','ODM',
6 'ODM_MTR','OLAPDBA','OLAPSYS','MTSSYS',
7 'OSE$HTTP$ADMIN','OUTLN','LBACSYS',
8 'PUBLIC','DBSNMP','RMAN','WKSYS',
9 'WMSYS','XDB') AND OWNER=USERNAME AND
10 ACCOUNT_STATUS<>LOCKED;41. View the $ORACLE_HOME/install/portlist.ini file. N1. The value of the 'Oracle Net Listener' parameter must not be equal to 1521.�1. The INBOUND_CONNECT_TIMEOUT_listener_name parameter is set to three (3) or less, but greater than zero (0).
2. The SQLNET.INBOUND_CONNECT_TIMEOUT parameter is set to three (3) or less, but greater than zero (0).71. View the $ORACLE_HOME/network/admin/sqlnet.ora file.�1. The following lines must be present:
tcp.validnode_checking = YES
tcp.invited_nodes = (list of IP addresses, hostnames)
tcp.excluded_nodes = (list of IP addresses, hostnames)�Determine, from a knowledgeable DBA, if Oracle XML DB is required and in use.
1. If it is not in use, then view the $ORACLE_HOME/dbs/init$ORACLE_SID.ora file.
OR
2. If Oracle XML DB use is justifi<� ed, then view the xdbconfig.xml file. �1. No lines of the following type are present:
DISPATCHERS="(PROTOCOL=TCP)(SERVICE=XDB)"
OR
2. The following line is present within the and tags:
1�1. Perform the following query:
SQL> SELECT * FROM DBA_ROLES
2 WHERE ROLE='SNMPAGENT';
2. Execute the following from the command line:
% file $ORACLE_HOME/bin/dbsnmp�1. This query must not return any data, i.e., "no rows selected."
2. This command must return an error similar to "No such file or directory."\1. Perform the following query:
SQL> SELECT NAME FROM LINK$
2 WHERE PASSWORD IS NOT NULL;�1. Perform the following query:
SQL> SELECT NAME FROM v$CONTROLFILE;
2.Perform the following query:
SQL> SELECT MEMBER FROM v$LOGFILE;k1. At least two control file paths must be returned.
2. At least two redo log file paths must be returned.r1. Perform the following query:
SQL> SELECT CHAR_VALUE
2 FROM PRODUCT_USER_PROFILE
3 WHERE ATTRIBUTE='HOST';.1. This query must return the string DISABLED.�1. Perform the following query:
SQL> SELECT USERNAME FROM DBA_USERS
2 WHERE USERNAME NOT IN
3 ('OUTLN','SYS','SYSTEM')
4 AND (DEFAULT_TABLESPACE='SYSTEM' OR
5 TEMPORARY_TABLESPACE='SYSTEM');B
1. This query must not return any data, i.e., "no rows selected."E1. Perform the following query:
SQL> SELECT LOG_MODE FROM v$DATABASE;?1. This query must return ARCHIVELOG as the value for LOG_MODE.I1. Perform the following command:
% ls -l $ORACLE_HOME/otrace/admin/*.dat21. This command must not return any file listings.k1. Determine version(s) of installed Oracle product(s) from following command:
SQL> SELECT * from v$VERSION{1. Determine patch level(s) of installed Oracle product(s) from following command:
% $ORACLE_HOME/OPatch/opatch lsinventory�1. Visit the following web site to determine the currently available patches for each installed Oracle product:
http://www.oracle.com/technology/deploy/security/alerts.htm�1. Currently (3/24/2010) supported versions are as follows:
8i: 8.1.7.4
9i (Release 1) 9.0.1.4
9i: (Release 2) 9.2.0.1 - 9.2.0.8
10g (Release 1): 10.1.0.2 - 10.1.0.5
10g (Release 2): 10.2.0.1 - 10.2.0.4
11g (Release 1): 11.1.0.6 - 11.1.0.7 �Examine�Flaw Remediation�SI-2�Audit Storage Capacity�AU-4�Audit Generation�AU-12�Identifier Management�IA-5�Protection of Audit Information�AU-9�1. Perform the following query:
SQL> SELECT VALUE FROM v$PARAMETER
2 WHERE NAME='remote_os_authent';
2. View the init.ora file for each Oracle instance.�AC-6�Least Privilege�AC-5�Separation of Duties610.8.4.4.6.1 (1) a.
10.8.4-2 B.1 2. a.
10.8.4-5 E.1 1.610.8.4.4.6.1 (1) c.
10.8.4-2 B.1 2. b.
10.8.4-5 E.1 2.B10.8.4.5.1.2 (2)
10.8.4-2 B.6.1
10.8.4-2 B.15.6
10.8.4-5 E.2 1. #1F10.8.4.5.3.1 (1) a.
10.8.4-2 B.13.4
10.8.4-2 B.15.1
10.8.4-5 E.2 1. #2610.8.4.5.4.7 (1) b.
10.8.4-2 B.15.2
10.8.4-5 E.2 1. #3"10.8.4-2 B.15.3
10.8.4-5 E.2 1. #4"10.8.4-2 B.15.4
10.8.4-5 E.2 1. #5"10.8.4-2 B.15.5
10.8.4-5 E.2 1. #6"10.8.4-2 B.15.8
10.8.4-5 E.2 1. #7"10.8.4-2 B.15.7
10.8.4-5 E.2 1. #8"10.8.4-2 B.15.9
10.8.4-5 E.2 1. #9$10.8.4-2 B.15.10
10.8.4-5 E.2 1. #10$10.8.4-2 B.15.11
10.8.4-5 E.2 1. #11$10.8.4-2 B.15.12
10.8.4-5 E.2 1. #12$10.8.4-2 B.15.13
10.8.4-5 E.2 1. #13$10.8.4-2 B.15.14
10.8.4-5 E.2 1. #14$10.8.4-2 B.15.15
10.8.4-5 E.2 1. #15$10.8.4-2 B.15.17
10.8.4-5 E.2 1. #16$10.8.4-2 B.15.17
10.8.4-5 E.2 1. #17$10.8.4-2 B.15.18
10.8.4-5 E.2 1. #18$10.8.4-2 B.15.19
10.8.4-5 E.2 1. #19$10.8.4-2 B.15.20
10.8.4-5 E.2 1. #20$10.8.4-2 B.15.21
10.8.4-5 E.2 1. #21$10.8.4-2 B.15.22
10.8.4-5 E.2 1. #22$10.8.4-2 B.15.23
10.8.4-5 E.2 1. #23.10.8.4.5.1.2 (2)
10.8.4-2 B.6.1
10.8.4-5 E.2.5�10.8.4-2 B.3.4 1.
10.8.4-5 E.4.10.8.4.2.2 d.
10.8.4.5.1.5 (1) b.
10.8.4-5 E.5210.8.4.5.1.5 (1) A.
10.8.4-2 B.3.7 1.
10.8.4-5 E.6 10.8.4-2 B.6.3.2 2.
10.8.4-5 E.8 10.8.4-2 B.6.3.3 a.
10.8.4-5 E.9+10.8.4-2 B.3.8
10.8.4-2 B.8.2
10.8.4-5 E.11;10.8.4.5.4.10
10.8.4.5.4.11
10.8.4-2 B.16.1.1
10.8.4-5 E.13F10.8.4.5.4.10
10.8.4.5.4.11
10.8.4-2 B.16.1.7 1.
10.8.4-5 E.14.1 1. #1F10.8.4.5.4.10
10.8.4.5.4.11
10.8.4-2 B.16.1.7 1.
10.8.4-5 E.14.1 1. #2Y10.8.4.5.4.10
10.8.4.5.4.11
10.8.4-2 B.16.1.7 2.
10.8.4-5 E.14.1 1. #3
10.8.4-5 E.14.1 6.F10.8.4.5.4.10
10.8.4.5.4.11
10.8.4-2 B.16.1.7 1.
10.8.4-5 E.14.1 1. #4F10.8.4.5.4.10
10.8.4.5.4.11
10.8.4-2 B.16.1.7 1.
10.8.4-5 E.14.1 1. #5F10.8.4.5.4.10
10.8.4.5.4.11
10.8.4-2 B.16.1.7 1.
10.8.4-5 E.14.1 1. #6F10.8.4.5.4.10
10.8.4.5.4.11
10.8.4-2 B.16.1.7 1.
10.8.4-5 E.14.1 1. #7F10.8.4.5.4.10
10.8.4.5.4.11
10.8.4-2 B.16.1.7 1.
10.8.4-5 E.14.1 1. #8F10.8.4.5.4.10
10.8.4.5.4.11
10.8.4-2 B.16.1.7 1.
10.8.4-5 E.14.1 1. #9G10.8.4.5.4.10
10.8.4.5.4.11
10.8.4-2 B.16.1.7 1.
10.8.4-5 E.14.1 1. #10G10.8.4.5.4.10
10.8.4.5.4.11
10.8.4-2 B.16.1.7 1.
10.8.4-5 E.14.1 1. #11C10.8.4.5.4.10
10.8.4.5.4.11
10.8.4-2 B.16.1.7 1.
10.8.4-5 E.14.1 3.C10.8.4.5.4.10
10.8.4.5.4.11
10.8.4-2 B.16.1.8 1.
10.8.4-5 E.14.3 []E10.8.4.5.4.10
10.8.4.5.4.11
10.8.4-2 B.16.1.9 1.
10.8.4-5 E.14.3 1-3.H10.8.4.5.4.10
10.8.4.5.4.11
10.8.4-2 B.16.1.10 1-2.
10.8.4-5 E.14.3 4-6.G10.8.4.5.4.10
10.8.4.5.4.11
10.8.4-2 B.16.1.11 2.
10.8.4-5 E.14.3 7-10.H10.8.4.5.4.10
10.8.4.5.4.11
10.8.4-2 B.16.1.12 1.
10.8.4-5 E.14.3 11-13.H10.8.4.5.4.10
10.8.4.5.4.11
10.8.4-2 B.16.1.13 1.
10.8.4-5 E.14.3 14-18.810.8.4.5.3.2
10.8.4-2 B.13.5.1 1-3.
10.8.4-5 E.15.1 2-4.�SC-9�AC-17�IA-4�AC-3�AU-2�AC-2�SC-14�SC-10�Au-9�SC-2�SC-4#10.8.4-2 B.3.1.2 3. b.
10.8.4-5 E.3F10.8.4.5.4.10
10.8.4.5.4.11
10.8.4-2 B.16.2.2 1.
10.8.4-5 E.14.2 1. #1F10.8.4.5.4.10
10.8.4.5.4.11
10.8.4-2 B.16.2.2 1.
10.8.4-5 E.14.2 1. #2C10.8.4.5.4.10
10.8.4.5.4.11
10.8.4-2 B.16.2.3 1.
10.8.4-5 E.14.4 1.��On Oracle database version 9.2 and later, verify that actions made by the SYS, SYSDBA, and SYSOPER accounts are audited, i.e., that the AUDIT_SYS_OPERATIONS initialization parameter is set to TRUE.
The AUDIT_SYS_OPERATIONS initialization parameter introduced with Oracle version 9.2 enables auditing of actions performed by SYS, SYSDBA, or SYSOPER accounts. The audit records generated are stored in the OS audit file in the Windows event log.�Verify that the value of the registry key specifying domain name prefix requirement is set to TRUE.
Database accounts authenticated externally by a Windows system must be identified by the respective domain name prefix.��Verify that Oracle files and directories have correct ownership.
All files and directories installed by Oracle should be owned by the installation account, except for the Oracle Listener and Intelligent Agent processes, both of which must have unique user IDs associated with them.��Verify that the ORACLE_BASE\ORACLE_HOME group and permissions are set correctly.
The ORACLE_BASE\ORACLE_HOME directory must have "Full Control" granted to the Administrators and System groups; the Authenticated Users group must be granted Read, Execute, and List Contents permissions.�Verify that access to all Oracle database parameter files is restricted to the software owner and DBAs.
Database and parameter files must have their access restricted to users with administrator privileges.��Verify that access to the remote logon password file is restricted to the software owner and DBAs.
Oracle stores encrypted forms of the internal SYS password, as well as account passwords for users granted the SYSDBA or SYSOPER roles in a special password file. Read access to this file must be restricted to authorized users. Permissions entries must only be defined for local administrators.�Verify that access to Oracle registry keys is restricted to local administrators.
Access to registry keys under HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE must be restricted to local administrator.��Verify that actions made by the SYS, SYSDBA, and SYSOPER accounts are audited, i.e., that the AUDIT_SYS_OPERATIONS initialization parameter is set to TRUE.
The AUDIT_SYS_OPERATIONS initialization parameter allows for auditing of actions performed by SYS, SYSDBA, or SYSOPER accounts. The audit records generated are stored in the OS audit file in the $ORACL<� E_HOME/rdbms/admin directory.�Verify that access to the sqlnet.ora file is restricted to the software owner and DBAs.
The sqlnet.ora file contains network configuration information for the host database and listener. Access to this file must be restricted to the Oracle owner and DBAs.o�Verify that actions made by the SYS, SYSDBA, and SYSOPER accounts are audited, i.e., that the AUDIT_SYS_OPERATIONS initialization parameter is set to TRUE.
The AUDIT_SYS_OPERATIONS initialization parameter enables auditing of actions performed by SYS, SYSDBA, or SYSOPER accounts. The audit records generated are stored in the OS audit file in the Windows event log.*10.8.4.4.6.1
10.8.4-3 (C.1)
10.8.4-6 (F.1)�10.8.4-3 (C.1)�10.8.4.4.6.1
10.8.4-3 (C.1)710.8.4.5.3.2
10.8.4.5.3.3
10.8.4-3 (C.4)
10.8.4-6 (F.6)�10.8.4.5.3.1�10.8.4-3 (C.4.2)
10.8.4-6 (F.6)(10.8.4.5.3.5
10.8.4.5.3.6
10.8.4-6 (F.6)�10.8.4-3 (C.8.1)
10.8.4-6 (F.2)�10.8.4-3 (C.8.3)
10.8.4-6 (F.2)�10.8.4-3 (C.8.4)
10.8.4-6 (F.2)�10.8.4-3 (C.2.1)
10.8.4-6 (F.3)=10.8.4.4.6.3
10.8.4.5.4.10
10.8.4-3 (C.3.14.1)
10.8.4-6 (F.4).10.8.4.4.6.3
10.8.4.5.4.10
10.8.4-3 (C.3.14.1)"10.8.4-3 (C.3.14.2)
10.8.4-6 (F.5)�10.8.4-3 (C.3.14.2)*10.8.4.4.6.5
10.8.4-3 (C.9)
10.8.4-6 (F.7)�10.8.4-3 (C.10)
10.8.4-6 (F.7)�10.8.4-3 (C.3.8)
10.8.4-6 (F.9)/10.8.4.5.2.1
10.8.4-3 (C.3.12.2)
10.8.4-6 (F.9),10.8.4.5.2.1
10.8.4-6 (F.11)
10.8.4-6 (F.11)#10.8.4-3 (C.3.12.3)
10.8.4-6 (F.11)�10.8.4-3 (C.12)
10.8.4-6 (F.11)�10.8.4.5.2.2
10.8.4-6 (F.13)-10.8.4.5.4.9
10.8.4-3 (C.3.9)
10.8.4-6 (F.14) 10.8.4-3 (C.7.1)
10.8.4-6 (F.16)�10.8.4-3 (C.7.3)�2.5.7.3.1
10.8.4-3 (C.7.3)�10.8.4.5.1.2-
10.8.4.5.1.2
10.8.4-3 (C.3.5)
10.8.4-6 (F.3)�10.8.4.4.4.6�10.8.4-3 (C.16)"10.8.4-3 (C.3.12.1)
10.8.4-6 (F.9)�10.8.4-6 (F.11)�10.8.4-3 (C.3.12.1) 10.8.4-3 (C.3.11)
10.8.4-6 (F.9)010.8.4.5.2.3.1
10.8.4-3 (C.3.11)
10.8.4-6 (F.10)/10.8.4.5.2.3.1
10.8.4-3 (C.3.3)
10.8.4-6 (F.10)"10.8.4-3 (C.3.3)
10.8.4-3 (C.3.11)A10.8.4.5.2.3.4
10.8.4-3 (C.3.12.4)
10.8.4-6 (F.8)
10.8.4-6 (F.11)�10.8.4.5.2.1
10.8.4-6 (F.12)�10.8.4-3 (C.3.12.2)�10.8.4-3 (C.3.6)
10.8.4-6 (F.3)�10.8.4-3 (C.14) 10.8.4-3 (C.6.3)
10.8.4-6 (F.15)110.8.4-3 (C.6.2)
10.8.4-3 (C.6.5)
10.8.4-6 (F.15)�10.8.4.5.3.9�10.8.4-3 (C.12)�10.8.4.5.4.2
10.8.1�10.8.4-3 (C.3.2)�10.8.4.5.4.8�10.8.4.4.5.1�10.8.4.4.5.1
10.8.4.5.4.9�10.8.4.5.4.4�10.8.4.4.4.4�10.8.4.5.3.6�10.8.4.5.3.7 �Verify that SQL
Server software service pack is no earlier than the current service pack version minus one.
Each organization responsible for the management of a database shall ensure that the DBMS version has all appropriate patches applied. Bug Fix Patches should be applied as needed.��Verify that the latest SQL Server software patches and hotfixes are applied.
Each organization responsible for the management of a database shall ensure that the DBMS version has all appropriate patches applied. Bug Fix Patches should be applied as needed.6�Verify that the OS is running the latest available and tested version and Service Pack level of Windows Server 2000, Windows Server 2003 or Windows XP.
The latest available and tested version and Service Pack level of Windows Server 2000, Windows Server 2003 and Windows XP operating system shall be employed.��Verify that the SQL Server support expiration date is not within six months time.
Each organization responsible for the management of a database shall ensure that unsupported DBMS software is removed or upgraded to a supported version prior to a vendor dropping support.
The DBA shall request upgrade, through procurement, immediately upon notification of a MS SQL Server expiration date that is within the six-month window.�Verify that logon auditing is enabled.
The DBA shall ensure that all database connection failures are audited. Where possible, the DBA shall ensure that both successful and unsuccessful
connection attempts are audited. �Verify that auditing is configured and implemented on all DBMS software and the host operating systems that the DBMS software runs on.
The SecSpec shall assure that auditing is configured and implemented on all DBMS software and the host operating systems that the DBMS software runs on.L�Verify that file rollover capability is enabled on SQL Server audit traces.
Verify that SQL Server is configured to halt if a failure in audit file rollover occurs.
The DBA shall enable the file rollover capability on SQL Server audit traces.
The DBA shall configure SQL Server to halt if a failure in audit file rollover occurs.�Verify that updates and deletes of the audit data are being audited.
The DBA shall ensure that database audit trail information is audited for all update and deletion operations.B��Verify that the option to directly update system tables is disabled.
The ALLOW UPDATES parameter specifies whether direct updates may be made to the system
tables. When � allow updates� is disabled, database accounts cannot make updates to the system
tables.
The DBA shall disable or set to 0 the ALLOW UPDATES parameter.�Verify that the parameter REMOTE ACCESS is disabled.
The DBA shall disable the REMOTE ACCESS parameter (set to 0) unless replication is in use on the database or the requirement is fully justified and documented in appropriate ELC documentation.�Verify that the parameter SCAN FOR STARTUP PROCS is disabled.
The DBA shall disable the SCAN FOR STARTUP PROCS parameter (set to 0) unless fully justified
and documented in appropriate ELC documentation.e�Verify that SQL Server uses Windows authentication only.
The DBA shall ensure that only the host-based authentication method is implemented since only that
method meets C2 requirements. Windows and Windows Active Directory provide a Windows security
identifier (SID) to SQL Server that provide the ability to audit activity by individual database accounts./�Verify that file permissions are set properly for the SQL Server install directory.
The SA/DBA shall restrict access to all directories created by the installation of SQL Server to full
control permissions granted to the SQL Server service account, the DBA OS group, the Administrators
group, and the local SYSTEM accounts.
The SA/DBA shall restrict access to all files created by the installation of SQL Server to full control
permissions granted to the SQL Server service account, the DBA OS group, the Administrators
group, and the local SYSTEM accounts.��Verify that file permissions are set properly for database files.
The SA/DBA shall restrict access to all directories created by the installation of SQL Server to full
control permissions granted to the SQL Server service account, the DBA OS group, the Administrators
group, and the local SYSTEM accounts.
The SA/DBA shall restrict access to all files created by the installation of SQL Server to full control
permissions granted to the SQL Server service account, the DBA OS group, the Administrators
group, and the local SYSTEM accounts.�Verify that all database files exist on a volume separate from the SQL Server executable volume.
The DBA shall have the data files on a separate volume from the executable and parameter files.��Verify that registry permissions are set properly for the SQL Server registry values.
The SA/DBA shall restrict access to the Windows registry keys under the HKEY_LOCAL_MACHINE\
SOFTWARE\Microsoft\MSSQLServer (for a default instance) or HKEY_LOCAL_MACHINE\
SOFTWARE\Microsoft\MS SQL Server\InstanceName (for a named instance) to full control
permissions granted to the DBA OS group, the Administrators group, the local SYSTEM account,
and the SQL Server service account.g�Verify that registry permissions are set properly for the SQL Server registry values.
The SA/DBA shall restrict read and write permissions to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\MSSQL S<� erver and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Perflib registry keys to the SQL Server service account and the DBA OS group.��Verify that user-defined stored procedures are stored in an encrypted format.
Custom application and GOTS application software source code objects shall be encrypted within the database, where available as a DBMS feature, in accordance with industry (cissecurity.org) and government (csrc.nist.gov/pcig) best practice recommendations.
The DBA shall ensure that custom application and GOTS source code objects are encrypted within the database when possible.�Verify that user-defined extended procedures do not exist.
The DBA shall prevent creation and use of user-defined extended stored procedures.
The DBA shall remove all extended stored procedures that are not required from the database and
host system.�Verify that system-defined extended stored procedures are restricted from use.
The DBA shall restrict use of system-defined extended stored procedures to authorized DBAs only
unless fully justified and documented with the IT Security Specialist.�Verify that the XP_CMDSHELL extended stored procedure is not present on the system.
The DBA shall remove the XP_CMDSHELL extended stored procedure from the system unless fully
justified and documented in appropriate ELC documentation.��Verify that the Guest account does not exist in all databases except master and tempdb.
The SQL Server guest account allows Windows accounts without direct SQL Server authorization that
have been authenticated to the Windows OS to access the database. It cannot be removed from the
master and tempdb databases. The guest account shall be deleted from all databases except the
master and tempdb databases.
The DBA shall delete the database guest account from all databases except the master and
tempdb databases.�Verify that object permissions have not been granted to the guest account in all databases.
The DBA shall ensure that object privileges are not granted to PUBLIC or GUEST.�Verify that object permissions have not been granted to the public database role in all databases.
The DBA shall ensure that object privileges are not granted to PUBLIC or GUEST.�Verify that user access to DBA views and tables is denied.
The DBA shall ensure that access to DBA views and tables is restricted to DBAs and batch processing accounts.��Verify that the use of CmdExec and ActiveScripting job steps are restricted to DBAs.
Jobs can be used to automate administrative procedures as well as T-SQL procedures. CmdExec and ActiveScripting job steps issue or can issue operating system commands and shall be restricted to
use by DBAs. Access to the host operating system poses a security risk.
The DBA shall restrict use of CmdExec and ActiveScripting job steps to DBAs.�Verify that backup files for databases are secure.
To ensure backup file protection, access permissions to backup files shall be restricted to SAs. Restore permissions on databases shall be restricted to DBAs and database owners.�Verify that objects are not owned by application user accounts.
The DBA shall ensure that application user database accounts do not own any database objects.�Verify that application owner accounts are disabled/locked when not in use.
The DBA shall ensure that custom application owner accounts are disabled/locked when not in use.���Verify that when connecting to linked databases, the connection is authenticated using the current user's identification and password.
Linked or remote servers shall only be configured to use Windows authentication. The capability to preserve a user� s identification, and, therefore, maintain DAC integrity, is currently available only in a Windows 2000 or later environment where the connections can be protected with Kerberos and account delegation can be used. When linking SQL Server databases, the connection shall be authenticated using the current user� s identification and passwords or certificates.
The DBA shall configure linked servers to use the user� s current authentication to access the remote database.�Verify that version numbers, SQL Server-related or otherwise, are not present in database instance names.
The DBA shall not include a version number, SQL Server-related or otherwise, in the SQL Server
production database instance names.��Verify that all databases are located in separate database files.
The DBA shall locate the system database MASTER.MDF in a separate database that resides
within its own unique datafile(s).
The DBA shall locate the miscellaneous system database MODEL.MDF in a separate database that
resides within its own unique datafile(s).
The DBA shall locate the system database MSDB.MDF in a separate database that resides within
its own unique datafile(s).
The DBA shall locate the system database TEMPDB.MDF in a separate database that resides
within its own unique datafile(s).
The DBA shall locate the application databases in separate databases that reside within their own
unique datafile(s).�Verify that all databases are named correctly.
Databases shall be named in accordance with IRM 2.5.7, Data Name Standards, using a name descriptive
enough to identify the function of the data contained within the database.*�Verify that all DBMS administrator passwords are required to be changed every 60 days.
The DBA shall ensure that database administrator account passwords are changed every 60 days or more frequently and shall implement scripts, profiles, or other controls as necessary to enforce this requirement.��Verify that all DBMS user passwords are required to be changed every 90 days.
The DBA shall ensure that database user account passwords are changed every 90 days or more frequently and shall implement scripts, profiles, or
other controls as necessary to enforce this requirement.��Verify that the password for the SA account is password protected.
The default SA password, used to connect as administrator, shall be changed from the default installation value. Leaving the default password unchanged could result in unauthorized accounts accessing the server as sa, which provides them full database administration privileges.
The DBA shall password protect the SQL Server sa pseudo database account.
The DBA shall change the SQL Server sa pseudo database account default password.�Verify that all DBMS account passwords are not reused within three password changes.
The DBA shall ensure that database account passwords are not reused within three password changes.�Verify that all DBMS accounts are limited to three failed logons before they become locked.
Where available, the DBA shall limit database account logons to three failed logons before they become locked.��Verify that the DBMS is not installed on a Microsoft Windows domain controller or backup domain controller.
The installation of a DBMS on a host platform introduces additional vulnerabilities and resource requirements to the host. Additionally, vendor DBMS software distributions frequently offer additional functionality, such as web servers and directory server software, on the same installation media that the DBMS is provided on. Since it is a best security practice to separate or
partition services offered to different audiences, any DBMS should be installed on a host system dedicated to its support and offering as few services as
possible to other clients. For this reason, a DBMS shall not be installed on a host system<� that also provides web services, directory services, directory naming services, etc. In particular, DBMS software shall not be installed on Microsoft Windows domain controllers or backup domain controllers under any circumstances.:�Verify that the sample databases have been removed.
Microsoft SQL Server ships with sample databases. These databases contain many default permissions that do not conform to policy. Additionally, sample items can be used as an entry point into systems.
The DBA shall ensure that the sample databases are removed.�Verify that statement permissions have been revoked for the public database role in all databases.
The DBA shall ensure that SQL Server statement privileges are not granted to PUBLIC or GUEST.�Verify that statement permissions have been revoked for the guest account in all databases.
The DBA shall ensure that SQL Server statement privileges are not granted to PUBLIC or GUEST.��Verify that statement permissions are not granted to any application user, application administrator, application developer, or application role.
The following list of SQL Server statement privileges shall not be granted, directly or indirectly
through the use of roles, to any application user, application administrator, application developer, or
application role.
CREATE TABLE
CREATE VIEW
CREATE SP
CREATE DEFAULT
CREATE RULE
CREATE FUNCTION
BACKUP DB
BACKUP LOG
CREATE DATABASE�Verify that the guest account does not have any role assignments granted.
The DBA shall not grant SQL Server predefined roles to PUBLIC or GUEST.�Verify that only DBAs are granted server role memberships.
The DBA shall ensure that the DBA role is restricted to authorized DBA accounts in a production environment.�Verify that only DBAs are granted database role memberships.
The DBA shall ensure that the DBA role is restricted to authorized DBA accounts in a production environment.�Verify that only authorized DBAs are assigned the SYSADMIN role.
The DBA shall ensure that the DBA role is restricted to authorized DBA accounts in a production environment.�Verify that the BUILTIN\Administrators group is not assigned the SYSADMIN role.
The DBA shall deny the Windows BUILTIN\Administrators group the assignment to SYSADMIN role._�Verify that users do not have administrative privileges.
The DBA shall ensure that application user database accounts, application administrator accounts,
application developer accounts, and application roles do not have the administration option of any
object privilege.
The DBA shall deny PUBLIC and GUEST the grant option of any object privilege.k�Verify that object privileges are not assigned directly to individual application user database accounts.
The DBA shall ensure that all object privileges granted to application users are granted through the use of application specific roles.
The DBA shall ensure that object privileges are not assigned directly to individual application user database accounts.��Verify that application users, application administrators, and application roles are not granted the references object privilege.
The DBA shall ensure that application users, application administrators, and application roles are not granted the references object privilege.R�Verify that system-defined extended stored procedures are restricted from user access.
The DBA shall prevent creation and use of user-defined extended stored procedures.
The DBA shall restrict use of system-defined extended stored procedures to authorized DBAs only
unless fully justified and documented with the IT Security Specialist.��Verify that the SQL Server Agent service and the SQL Server service both run under the same service account. This account is only a member of the Users or Power Users group.
The MS SQL Server Agent services, MSSQLServer or MSSQL$Instancename for a named instance and SQLServerAgent, shall not be run under the administrator or system accounts. A service account
shall be defined and shall be a local Windows account unless a Windows domain account is required to support replication, remote procedure calls, or SQLMail. The SQL Server Agent services shall use the same account. The service account shall not be a member of the local or domain administrators group. The service account shall be denied the interactive logon right. The service account must be added to the SQL Server SYSADMIN role.��Verify that the SQL Server service account has the appropriate user rights.
The service account shall be denied the interactive logon right. The SQL Server Agent service account requires the following rights:
- Act as part of the operating system
- Replace a process-level token
- Log on as a service
- Access this computer from the network
- Increase quotas
- May require the logon as a batch job right�Verify that SQL Mail is disabled.
The DBA shall ensure that SQL Mail is not implemented. The SQLServerAgent uses its own mail that is configured and controlled separately from the SQL Mail.��Verify that snapshot folders do not exist on Windows administrative shares. Verify that snapshot folders have the appropriate permissions assigned.
The DBA shall configure the snapshot folder location on an explicit share and not on a Windows
administrative share.
The DBA shall set snapshot folder permissions to SYSTEM and ADMINISTRATOR Full Control,
SQL Server Agent domain account read and write.�Verify that all database connections for replication agents are using Windows authentication logons.
The DBA shall configure all database connections for replication agents to use Windows authentication
logons.�Verify that restore permissions on databases are restricted to DBAs and/or the database owners.
The DBA shall restrict restore permissions on databases to DBAs and/or the database owners.�Verify that only authorized batch jobs or database scripts are being run against the database.
The DBA shall review the DBMS job queues daily to ensure that no unauthorized batch jobs or database scripts are being run against the database.��Verify that a DBA Windows OS group exists.
Verify that only authorized DBA Windows accounts exist within the DBA Windows OS group.
The SA/DBA shall create a DBA Windows OS group.
The SA/DBA shall assign only SecSpec-authorized DBA Windows accounts to the DBA OS group.$�Verify that access to replication procedures and facilities is restricted to authorized DBAs and designated replication database
accounts.
The DBA shall ensure that access to replication procedures and facilities is restricted to authorized DBAs and designated replication database
accounts.�Verify that development databases do not co-reside on the same hosts as production databases.
The DBA shall ensure that development databases do not co-reside on the same hosts as production databases on Unix-based and Windows operating system platforms.�Verify that no database links are defined between production and development databases.
The DBA shall ensure that no database links are defined between production and development databases.��Verify that when not in use the ODBC tracing executable is deleted from the system to ensure the function is unavailable.
The DBA shall ensure that when not in use the ODBC tracing executable is deleted from the system to ensure the function is unavailable.�Verify that the latest database software configuration has been backed up.
The SA, with the support of the DBA, shall backup the database software configuration after every database software upgrade.�Verify that the database audit data is reviewed at a minimum bi-weekly.
The database audit data shall be reviewed at a minimum bi-weekly. This review process shall check for any intrusive activity and any anomalous activity.e�Windows XP
1. Verify that the latest available and tested Service Pack is installed by visiting the below link and consulting with the system administrator.
http://support.microsoft.com/kb/322389
Windows Server 2000
1. Verify that the latest available and tested Service Pack is installed by visiting the below link and consulting with the system administrator.
http://support.microsoft.com/kb/260910/en-us
Windows Server 2003
1. Verify that the la<� test available and tested Service Pack is installed by visiting the below link and consulting with the system administrator.
http://support.microsoft.com/kb/889100�1. Verify with the DBA that database and database application software is baselined and the baseline is maintained after upgrades to the software are made.�1. Interview the DBA to determine if audit data is captured, backed up, and maintained. IRS practice has been to retain archived audit logs/trails for the remainder of the year they were made plus six years.�1. Interview the DBA. Ask if the audit trail is reviewed at a minimum bi-weekly for anomalies to standard operations or unauthorized access attempts.210.8.4-3 (C.3.12.1)
10.8.4-6 (F.9)
10.8.4-6 (F.11)0Loosely based on
10.8.4-3 (C.3.6)
10.8.4-6 (F.3)�N/A>10.8.4-3 (C.6.3)
10.8.4-6 (F.15)
STIG 3.3.1 - (DG0123: CAT II)��Verify that file permissions are set properly for the SQL Server install directory.
NOTE! Specific directory/file permissions for SQL Server 2005 are not present in the IRM. The following check is provided here as a guideline to help make the system more secure.#�Verify that registry permissions are set properly for the SQL Server registry values.
NOTE! The information given here is not currently present in the IRM. The IRM does not currently contain SQL Server 2005 specific information. This information is provided here for guidance purposes only.�Verify that system-defined extended stored procedures are restricted from user access.
The DBA shall restrict use of system-defined extended stored procedures to authorized DBAs only
unless fully justified and documented with the IT Security Specialist.��Verify that the XP_CMDSHELL extended stored procedure is not present on the system.
NOTE! The IRM states that the XP_CMDSHELL extended stored procedure must be removed from the system. This is unsafe for SQL Server 2005. Since the IRM was written for SQL Server 2000, we will deviate here and suggest that XP_CMDSHELL simply be disabled instead of deleted. Since this test deviates from the IRM, it is provided here just to help increase the security of the system being tested.
From the IRM:
The DBA shall remove the XP_CMDSHELL extended stored procedure from the system unless fully
justified and documented in appropriate ELC documentation.&�Verify that the Guest account does not exist in all databases except master and tempdb.
NOTE! SQL Server 2005 cannot comform to the IRM because the guest account cannot be dropped. It can be disabled however. This differs from the IRM which states that the guest account must be dropped from all databases except for the master and tempdb databases.
This check tests to see if the guest account has been disabled for each database except for the master and tempdb databases. This deviates from the IRM but is provided here to help enhance security.�Verify that object permissions have not been granted to the public database role or to the guest account.
The DBA shall ensure that object privileges are not granted to PUBLIC or GUEST.4��Verify that objects are owned only by authorized accounts.
The DBA shall ensure that all database objects are owned by the database system, DBAs, or by a separate account created especially for application object ownership.
The DBA shall ensure that application user database accounts do not own any database objects.
The SecSpec shall ensure that DBA accounts do not own application objects.
The DBA shall ensure that default DBMS database accounts other than the default administration account are not used as the owner of an application� s
objects or schema.��Verify that all databases are located in separate database files.
The DBA shall locate the system database MASTER.MDF in a separate database that resides within its own unique datafile(s).
The DBA shall locate the miscellaneous system database MODEL.MDF in a separate database that
resides within its own unique datafile(s).
The DBA shall locate the system database MSDB.MDF in a separate database that resides within its own unique datafile(s).
The DBA shall locate the system database TEMPDB.MDF in a separate database that resides within its own unique datafile(s).
The DBA shall locate the application databases in separate databases that reside within their own
unique datafile(s).%�Verify that statement permissions have been revoked for guest, public and all user accounts in all databases.
The DBA shall ensure that SQL Server statement privileges are not granted to PUBLIC or GUEST.
Verify that statement permissions have been revoked for user accounts in all databases.��Verify that the SQL Server service accounts have the appropriate user rights and privileges.
NOTE! The information given here is not currently present in the IRM. The IRM does not currently contain SQL Server 2005 specific information. This information is provided here for guidance purposes only.
Verify that the SQL Server service accounts have the appropriate user rights and privileges.�Verify that Database Mail is disabled.
NOTE! This check is not present in the IRM. It is included here only to help secure the system.
Database Mail is new to SQL Server 2005. Disabling it increases the security of the system.*�Verify that snapshot folders do not exist on Windows administrative shares.
Verify that snapshot folders have the appropriate permissions assigned.
NOTE! This check deviates slightly from the IRM. Since the IRM does not contain SQL Server 2005 specific information, the comparable DISA check is used instead.
The DBA will ensure all access to sensitive application data stored inside the database, and in external host files, is granted only to database accounts and OS accounts in accordance with user functions as specified by the Information Owner.n�For each database except master and tempdb, do the following.
T-SQL:
1. Enter the following statement. Replace with the name of the database being tested.
use
select state_desc from sys.database_permissions where
permission_name = 'CONNECT' and grantee_principal_id = 2
2. Verify that "GRANT" is not returned.
Management Studio:
N/A�10.8.4-4 (D.1.1)�10.8.4-4 (D.2.1)�10.8.4-4 (D.2.2)�10.8.4-4 (D.3.1)�10.8.4-4 (D.3.2)�10.8.4-4 (D.3.3)�10.8.4-4 (D.5.1)�10.8.4-4 (D.5.2)�10.8.4-4 (D.5.3)�10.8.4-4 (D.5.4)�10.8.4-4 (D.6)�10.8.4-4 (D.7.2)�10.8.4-4 (D.7.3)�10.8.4-4 (D.8.1.1)�10.8.4-4 (D.8.1.2)�10.8.4-4 (D.8.1.3)�10.8.4-4 (D.8.1.4)�10.8.4-4 (D.8.1.5)�10.8.4-4 (D.8.1.6)�10.8.4-4 (D.8.1.8)�10.8.4-4 (D.8.1.9)�10.8.4-4 (D.8.1.10);10.8.4-4 (D.8.1.11)
10.8.4-4 (D.8.1.12)
10.8.4-4 (D.8.1.13)�10.8.4-4 (D.8.1.14)�10.8.4-4 (D.8.1.15)�10.8.4-4 (D.8.1.16)�10.8.4-4 (D.8.1.17)�10.8.4-4 (D.8.1.18)�10.8.4-4 (D.8.1.19)�10.8.4-4 (D.8.1.20)�10.8.4-4 (D.8.2.1)�10.8.4-4 (D.8.2.2)�10.8.4-4 (D.8.2.3)�10.8.4-4 (D.8.2.4)�10.8.4-4 (D.8.2.5)�10.8.4-4 (D.8.2.6)�10.8.4-4 (D.8.2.7)�10.8.4-4 (D.8.2.9)�10.8.4-4 (D.8.3.1)�10.8.4-4 (D.8.3.2)�10.8.4-4 (D.8.3.3)�10.8.4-4 (D.8.3.4)�10.8.4-4 (D.8.3.5)�10.8.4-4 (D.10)�10.8.4.4.6.3
10.8.4.5.4.10�10.8.4.5.1.7�Verify that the latest FixPak has been installed for the installed version.
The DBA shall ensure that the latest FixPak has been installed for the installed version.��Verify that the DB2 support expiration date is not within six months time.
The DBA shall ensure that the versions of DB2 operating in the IRS environment are supported versions. Versions that are not supported shall be upgraded to a supported version.
The SecSpec shall ensure that unsupported DBMS software is removed or upg<� raded prior to a vendor
dropping support.
The SecSpec shall ensure that the site has a formal migration plan for removing or upgrading DBMS
systems prior to the date the vendor drops security patch support.0�Verify that DAS access is available only to the DBA.
Verify that only authorized DBAs are assigned the DAS administrative privilege.
The SecSpec shall ensure that DAS access is available only to the DBA.
The SecSpec shall ensure that only authorized DBAs are assigned the DAS administrative privilege.1�Verify that access to Data Link file directories is restricted to SAs, DBAs, the DB2 installation account, and the DB2 service/daemon accounts.
The SA/DBA shall ensure that access to Data Link file directories is restricted to SAs, DBAs, the DB2 installation account, and the DB2 service/daemon accounts.�Verify that the Data Links services/process are granted the minimum privileges
to operate.
The SA/DBA shall ensure that the Data Links services/process are granted the minimum privileges
to operate.��Verify that DB2 clients specify SERVER_ENCRYPT, KERBEROS, or KRB-
_SERVER_ENCRYPT authentication for connection to the DB2 database.
The DBA shall ensure that DB2 clients specify SERVER_ENCRYPT, KERBEROS, or KRB-
_SERVER_ENCRYPT authentication for connection to the DB2 database.�Verify that only authorized DBAs are assigned the SYSADM, SYSCTRL, and SYSMAINT authorities.
The SecSpec shall ensure that only authorized DBAs are assigned the SYSADM, SYSCTRL, and SYSMAINT authorities.�Verify that a custom account is created to support the DB2 installation.
The DBA/SA shall ensure that a custom account is created to support the DB2 installation.1�Verify that the DB2 software installation account is assigned the least privileges
required to support operation of DB2 database and functions.
The DBA/SA shall ensure that the DB2 software installation account is assigned the least privileges
required to support operation of DB2 database and functions.�Verify that access to the DB2 installation account is restricted to SecSpec
-approved users.
The SecSpec shall ensure that access to the DB2 installation account is restricted to SecSpec
-approved users.}�Verify that a custom account is created to support the DB2 services/daemons
and that this account is assigned the least privileges required to support operation of the DB2 instance.
The DBA/SA shall ensure that a custom account is created to support the DB2 services/daemons
and that this account is assigned the least privileges required to support operation of the DB2 instance.�Verif����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������y that the DB2 fenced user OS account is created and restricted to the minimum OS privileges required.
The DBA/SA shall ensure that the DB2 fenced user OS account is created and restricted to the minimum OS privileges required.�Verify that only authorized DBAs and application owner accounts are assigned the DBADM authority.
The SecSpec shall ensure that only authorized DBAs and application owner accounts are assigned
the DBADM authority.�Verify that DB2 connect privileges are not assigned to groups unless justified and
documented with the SecSpec.
The DBA shall ensure that DB2 connect privileges are not assigned to groups unless justified and
documented with the SecSpec.��Verify that application users are not assigned any database privileges except for the CONNECT database privilege.
Verify that database privileges with the exception of the CONNECT privilege are restricted to application owner accounts and DBA accounts on a production database.
Verify that database privileges with the exception of the CONNECT privilege are restricted to application owner accounts, application developer accounts, and DBA accounts on a development database.
The DBA shall ensure that application users are not assigned any database privileges except for the CONNECT database privilege.
The DBA shall ensure that database privileges with the exception of the CONNECT privilege are restricted to application owner accounts and DBA accounts on a production database.
The DBA shall ensure that database privileges with the exception of the CONNECT privilege are restricted to application owner accounts, application developer accounts, and DBA accounts on a development database.�Verify that PUBLIC is not granted the CONNECT, CREATETAB, BINDADD, IMPLICIT_
SCHEMA database privilege.
The DBA shall ensure that PUBLIC is not granted the CONNECT, CREATETAB, BINDADD, IMPLICIT_
SCHEMA database privilege.�Verify that no database account is assigned the CREATE_NOT_FENCED database
privilege.
The DBA shall ensure that no database account is assigned the CREATE_NOT_FENCED database
privilege.�Verify that no unfenced procedures or functions are defined with the database.
The DBA shall ensure that no unfenced procedures or functions are defined with the database.�Verify that the CREATE_EXTERNAL_ROUTINE shall be restricted to application owner accounts.
The CREATE_EXTERNAL_ROUTINE shall be restricted to application owner accounts.S�Verify that privileges that alter data structures are restricted to DBAs and application object owners.
Verify that PUBLIC is not granted CREATEIN object privileges within any database.
Verify that the USE privilege to tablespaces is not granted to PUBLIC.
Privileges that create, modify, or delete database objects constitute a change to the database design and can effect operation of the database. To protect the integrity of the database, privileges that alter data structures shall be restricted to DBAs and application object owners.
The DBA shall ensure that PUBLIC is not granted
CREATEIN object privileges within any database.
The USE privilege to tablespaces is granted automatically to PUBLIC upon tablespace creation. This privilege shall be revoked from PUBLIC in order to prevent usage of tablespace resources by unauthorized users.F�Verify that privilege assignment is restricted to DBAs and application object owners.
When privileges are assigned with the CONTROL object privilege, several individual object privileges are granted with the WITH GRANT OPTION. The WITH GRANT OPTION allows the grantee to assign the granted privilege to other database users. Privilege assignment shall be restricted to DBAs and application object owners. The CONTROL object privilege shall not be granted to application user database accounts. Object privileges shall not be granted to application users with the WITH GRANT OPTION.���Verify that access to the system catalog tables and views described in the Description field have been revoked from PUBLIC.
By default, PUBLIC is granted select privileges to 238 system catalog tables and views during a
typical installation. These privileges should be reviewed to determine what is required by supported
applications. Required permissions should be removed from PUBLIC and assigned to the appropriate
application user role. At a minimum, access to the following system catalogs tables and views shall be
revoked from PUBLIC:
" SYSCAT.DBAUTH
" SYSCAT.TABAUTH
" SYSCAT.PACKAGEAUTH
" SYSCAT.INDEXAUTH
" SYSCAT.COLAUTH
" SYSCAT.PASSTHRUAUTH
" SYSCAT.SCHEMAAUTH��Verify that the custom application object owner account is used only for update and maintenance of the application objects.
The DBA shall ensure that the custom application object owner account is used only for update and
maintenance of the application objects.��Verify that audit options have been configured as described in the Description field.
The DBA shall configure audit options as f<� �ollows or more inclusive:
" Audit � required success and failure� audits audit configuration changes
" Checking � not required - audits authorization checking of attempts to access, create, alter, drop
DB2 objects
" Objmaint � required success and failure� audits create, alter, or drop of objects
" Secmaint � required success and failure� audits privilege assignments and database configuration
modifications
" Sysadm � required success and failure� audits SYSADM privileged activities
" Validate � required � audits authentication events�Verify that DB2 auditing is enabled at database server startup.
The DBA/SA shall ensure that DB2 auditing is enabled at database server startup.��Verify with the data owner to ensure the setting of the errortype parameter complies with privacy, security classification, and other sensitivity considerations.
The DBA shall consult with the data owner to ensure the setting of the errortype parameter complies with privacy, security classification, and other sensitivity considerations. Required auditing shall be performed by the database auditing facility or designed into the capabilities of the application used to access the data.�Verify that access to the db2audit.log and db2audit.cfg files is restricted to the authorized
users
The DBA/SA shall ensure that access to the db2audit.log and db2audit.cfg files is restricted to the authorized
users.��Verify that file and directory ownership is limited to the DB2 instance owner, DB2 fenced user, and DAS account as appropriate.
The DBA/SA shall set DB2 file and directory ownership to the DB2 instance owner, DB2 fenced user, and DAS account as appropriate.�Verify that world privileges have been revoked from DB2 files and directories.
The DBA/SA shall revoke all world privileges from DB2 files and directories.�Verify that no DB2 executable files have the SUID or GUID bit set.
The DBA/SA shall ensure that no DB2 executable files have the SUID or GUID bit set.a�Verify that access to the DB2 directories Disk:\Program ob体育s\ and Disk:\DB2 is
limited to Full Control permissions granted to Administrators and the DB2 software installation account, and Modify, Read & Execute, List Folder Contents, Read, and Write permissions granted to DB2
service accounts.
The SA/DBA shall ensure that access to the DB2 directories Disk:\Program ob体育s\ and Disk:\DB2 is
limited to Full Control permissions granted to Administrators and the DB2 software installation account, and Modify, Read & Execute, List Folder Contents, Read, and Write permissions granted to DB2
service accounts.G�Verify that access to the DB2 registry keys and values located under the registry hives HKLM\Software\IBM\DB2 and services beginning with DB2 are limited to Read and Full Control permissions granted to Administrators, the DB2 software installation account, and DB2 service accounts.
The SA/DBA shall ensure that access to the DB2 registry keys and values located under the registry hives HKLM\Software\IBM\DB2 and services beginning with DB2 are limited to Read and Full Control permissions granted to Administrators, the DB2 software installation account, and DB2 service accounts.��Verify that the audit-buf-sz parameter is set to 0.
The DBA shall ensure that the audit-buf-sz parameter is set to 0. When set to 0, audit records are written as soon as they are generated. Setting this value to other than 0 allows the audit records to be cached in a buffer to be written at a more optimized performance time. Setting the value to 0 potentially decreases database performance.n�Verify that access to the directory specified by the smp_log_path parameter is restricted to SAs, DBAs, the DB2 software installation account, and DB2 service/daemon accounts.
The DBA shall ensure that access to the directory specified by the smp_log_path parameter is restricted
to SAs, DBAs, the DB2 software installation account, and DB2 service/daemon accounts.�Verify that the datalinks value is set to NO unless Data Links are required by a database application.
The DBA shall set the datalinks value to NO unless Data Links are required by a database application.�Verify that the discover parameter value is set to DISABLE.
The DBA shall ensure the discover parameter value is set to DISABLE.�Verify that the discover_comm parameter is set to DISABLE.
The DBA shall ensure that the discover_comm parameter is set to DISABLE.�Verify that the discover_inst parameter is set to DISABLE.
The DBA shall ensure that the discover_inst parameter value is set to DISABLE.f�Verify that access to the directory specified in the diagpath parameter is restricted to
SAs, DBAs, the DB2 software installation account, and DB2 service/daemon accounts.
The DBA shall ensure that access to the directory specified in the diagpath parameter is restricted to
SAs, DBAs, the DB2 software installation account, and DB2 service/daemon accounts.�Verify that the notifylevel is set to a minimum value of 3.
The DBA shall ensure that the notifylevel is set to a minimum value of 3.�Verify that the federated parameter is set to a value of NO unless required and documented
with the SecSpec.
The DBA shall ensure that the federated parameter is set to a value of NO unless required and documented
with the SecSpec.��Verify that the sysadm_group, the sysctrl_group, and the sysmaint_group parameters are all assigned to custom local groups.
On a Windows platform, the sysadm_group parameter shall be assigned to a custom local group.
On a Windows platform, the sysctrl_group parameter shall be assigned to a custom local group.
On a Windows platform, the sysmaint_group parameter shall be assigned to a custom local group.��Verify that the authentication parameter is set to SERVER_ENCRYPT, KERBEROS, or KRB_SERVER_ENCRYPT.
To protect passwords from being sent in clear text within a database connection request, the authentication parameter shall be set to SERVER_ENCRYPT, KERBEROS, or KRB_SERVER_ENCRYPT.�Verify that the use_sna_auth parameter value is set to NO.
The DBA shall ensure that the use_sna_auth parameter value is set to NO.��Verify that the fed_noauth is set to NO.
The fed_noauth enables or disables the requirement to authenticate to the instance when the federated parameter is enabled and the authentication mode is either SERVER or SERVER_ENCRYPT. The fed_noauth shall be set to NO.N�Verify that the catalog_noauth parameter is set to NO or 0.
The catalog_noauth parameter when set to YES or 1 allows users without SYSADM authority to catalog databases. Unauthorized changes to the database catalogs could result in errors in access to local and remote databases. The catalog_noauth parameter shall be set to NO or 0.V�Verify that access to the path indicated in the dftdbpath parameter is restricted to SAs, DBAs, the DB2 software installation account, and DB2 service/daemon accounts.
Verify that access to the path indicated in the dftdbpath parameter is a valid path on the server operating system.
The DBA shall ensure that access to the path indicated in the dftdbpath parameter is restricted to SAs, DBAs, the DB2 software installation account, and DB2 service/daemon accounts.
The DBA shall ensure that access to the path indicated in the dftdbpath parameter is a valid path on the server operating system.��Verify that the trust_allclnts parameter is set to YES.
This parameter is used in conjunction with an authentication mode of CLIENT to allow or disallow all
clients to be authenticated at the client operating system for DB2 access. This parameter is only effective when the authentication mode is set to CLIENT. Since the requirement for authentication mod<� e is that it be set to a value other than CLIENT, the value of this parameter must be left to YES.:�Verify that the trust_clntauth parameter is set to CLIENT.
This parameter specifies whether trusted clients are authenticated at the client or at the server. This
parameter is not considered unless the authentication mode is CLIENT. If the client presents a username and password when a database connection is requested and the trust_clnauth parameter is set to SERVER, then the client shall be authenticated by the server. Since the requirement for authentication mode is that it be set to a value other than SERVER, the value of this parameter must be left to CLIENT.9�Verify that access to the DB2 logpath directory is restricted to SAs, DBAs, the DB2 software installation account, and DB2 service/daemon accounts.
The DBA/SA shall ensure that access to the DB2 logpath directory is restricted to SAs, DBAs, the DB2 software installation account, and DB2 service/daemon accounts.w�Verify that access to the DB2 file specified in the loghead database parameter is restricted to SAs, DBAs, the DB2 software installation account, and DB2 service/daemon accounts.
The DBA/SA shall ensure that access to the DB2 file specified in the loghead database parameter is restricted to SAs, DBAs, the DB2 software installation account, and DB2 service/daemon accounts.?�Verify that access to the DB2 newlogpath directory is restricted to SAs, DBAs,
the DB2 software installation account, and DB2 service/daemon accounts.
The DBA/SA shall ensure that access to the DB2 newlogpath directory is restricted to SAs, DBAs,
the DB2 software installation account, and DB2 service/daemon accounts.�Verify that access to the DB2 mirrorlogpath directory is restricted to authorized users.
The DBA/SA shall ensure that access to the DB2 mirrorlogpath directory is restricted to authorized
users.:�Verify that the mirrorlogpath specifies a location on a separate physical disk unless the logpath specifies a directory on a mirrored or RAID 5 disk.
The DBA shall ensure that the mirrorlogpath specifies a location on a separate physical disk unless the logpath specifies a directory on a mirrored or RAID 5 disk.I�Verify that access to the DB2 overflowlogpath directory is restricted to SAs, DBAs, the DB2 software installation account, and DB2 service/daemon accounts.
The DBA/SA shall ensure that access to the DB2 overflowlogpath directory is restricted to SAs,
DBAs, the DB2 software installation account, and DB2 service/daemon accounts.�Verify that the logretain parameter is set to RECOVERY unless authorized by the SecSpec.
The DBA shall ensure that the logretain parameter is set to RECOVERY unless authorized by the SecSpec.(�Verify that userexit is set to ON unless authorized by the SecSpec.
The DBA shall ensure that userexit is set to ON unless authorized by the SecSpec.
NOTE! The IRM states that userexit must be set to YES. This is either a typo or an update to DB2 changed the possible values for this parameter.€Verify that the discover_db parameter is set to DISABLE.
The DBA shall ensure that the discover_db parameter is set to DISABLE.�Verify that the DAS discover parameter is set to DISABLE when the DAS is configured
for TCP/IP communications.
The DBA shall ensure that the DAS discover parameter is set to DISABLE when the DAS is configured
for TCP/IP communications.�Verify that the dasadm_group is set to a custom account on a Windows server.
The DBA shall ensure that the dasadm_group is set to a custom account on a Windows server.zVerify that the exec_exp_task parameter is set to NO.
The DBA shall ensure that the exec_exp_task parameter is set to NO.�Verify that the userid specified by the sched_userid parameter is restricted to authorized DAS use.
The DBA shall ensure that the userid specified by the sched_userid parameter is restricted to authorized
DAS use.�Verify that DAS authentication is set to SERVER_ENCRYPT or KERBEROS_ENCRYPT.
The DBA shall ensure that DAS authentication is set to SERVER_ENCRYPT or KERBEROS_ENCRYPT.�Verify that a single OS account is used to authenticate to databases to support replication
activities.
The DBA shall ensure that a single OS account is used to authenticate to databases to support replication
activities.J�Verify that the minimum DB2 privileges are assigned to the replication account on
the database server to support the replication activities on that database.
The DBA shall ensure that the minimum DB2 privileges are assigned to the replication account on the database server to support the replication activities on that database.�Verify that DASADM and SYSADM authorities are not granted to replication OS accounts.
The DBA shall ensure that DASADM and SYSADM authorities are not granted to replication OS
accounts.�Verify that the data files exist on a separate volume from the executable and parameter files.
The DBA shall have the data files on a separate volume from the executable and parameter files.`�Verify that access to a shared database N-Tier connection account is restricted by network configuration and authentication method to the connecting application server.
The DBA shall ensure that access to a shared database N-Tier connection account is restricted by network configuration and authentication method to the connecting application server.�This check requires information found in a previous check. It requires the name of the DB2 installation account.
1. Verify with the DBA that access to the DB2 installation account is restricted to SecSpec-approved users.�1. Perform the following query:
SQL> SELECT VALUE FROM v$PARAMETER
2 WHERE NAME='global_names';
2. View the init.ora file for each Oracle instance.�
1. This query must return TRUE.
2. View the init.ora file for each Oracle instance; the following statement must be present:
GLOBAL_NAMES = TRUE��1. For each username/status pair below, perform the following query:
SQL> SELECT username, account_status
2 FROM dba_users
3 WHERE username = '';
ADAMS, AURORA$JIS$UTILITY$, AURORA$ORB$UNAUTHENTICATED, BLAKE, CLARK, CTXSYS, DBSNMP, HR, JONES, LBACSYS, MDSYS, OE, OLAPDBA, OLAPSVR, OLAPSYS, ORDPLUGINS, ORDSYS, OSE$HTTP$ADMIN, OUTLN, PM, QS, QS_ADM, QS_CB, QS_CBADM, QS_CS, QS_ES, QS_OS, QS_WS, SCOTT, SH, SYS, SYSTEM�1. In Windows Explorer, right-click on the file name of an Oracle-installed file. Then select Properties; select the Security tab; click the Advanced button under the Permissions section; and select the Owner tab. V1. All Oracle files and directories must be owned by the BUILTIN/Administrators group.t1. View the $ORACLE_HOME/network/admin/listener.ora file.
2. View the $ORACLE_HOME/network/admin/sqlnet.ora file.#�Determine, from a knowledgeable DBA, if the EXTPROC module is in use to support a business application. If its use is justified, then this test item passes.
If not:
1. Examine the listener.ora and tnsnames.ora files under $ORACLE_HOME/network/admin.
2. View the $ORACLE_HOME/bon directory.�If its use is justified, then this test item passes.
If not:
1. None of the following strings are present: icache_extproc, plsextproc, and extproc.
2. There is no executable extproc.f1. Run the following command:
C:\>find /I "passwords_listener" $ORACLE_HOME/network/admin/listener.orah1. Run the following command:
C:\>find /I "admin_restrictions_" $ORACLE_HOME/network/admin/listener.ora�Windows hosts running Oracle database versions prior 8.1.x only:
1. From REGEDT32:
Select HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE\HOMEID\. Double click on key OSAUTH_PREFIX_DOMAIN. ,1. The value in the string box must be TRUE.@1. View the following directory:
$ORACLE_HOME/otrace/admin/*.datG1. Currently (3/24/2010) supported versions are as follows:
10g: 10.2.0�Perform the following query:
SQL> SELECT VALUE FROM v$PARAMETER
2 WHERE NAME='audit_sys_operations';
2. View the init.ora file for each Oracle instance that is version 9.2 or later;.-1. The latest security patches are installed.=1. The latest available and tested Service Pack is installed��1. The Everyone group has the following auditing entries:
- Successful - Delete
- Su<� ccessful - Change Permissions
- Successful - Take Ownership
- Failure - Traverse Folder / Execute ob体育
- Failure - Delete
- Failure - Change Permissions
- Failure - Take Ownership��T-SQL:
Repeat the following for each database.
1. Get the list of files associated with the database by entering the following statement:
select filename from sysfiles
Enterprise Manager:
Repeat the following for each database.
-Expand the server group.
-Expand the server.
-Right-click the database and click Properties.
1. Click the Data ob体育s tab.
2. Click the Transaction Log tab. Z�T-SQL:
1. Verify that each filename exists on a volume separate from the SQL Server executable volume.
Enterprise Manager:
1. Verify that each filename under Location exists on a volume separate from the SQL Server executable volume.
2. Verify that each filename under Location exists on a volume separate from the SQL Server executable volume.u��The current service pack is SP4 (8.00.2039) as of May 6, 2008.
T-SQL:.
1. Enter the following statement:
select serverproperty(� ProductVersion� )
-Verify that the result is 8.00.760 (SP3) or higher.
Enterprise Manager:
1. Right-click the server, and then click Properties.
-Click the General tab.
-Verify that the value for "Product version:" is 8.00.760 (SP3) or higher.
�T-SQL:.
1. The result is 8.00.760 (SP3) or higher.
Enterprise Manager:
1. The value for "Product version:" is 8.00.760 (SP3) or higher.nT-SQL:
1. config_value is either "all" or "failure".
Enterprise Manager:
1. "All" or "Failure" is selected.Z�T-SQL:
Enter the following statement:
use master
exec xp_loginconfig 'audit level'
1. Verify that config_value is either "all" or "failure".
Enterprise Manager:
Repeat the following for each server.
-Right-click the server and click Properties.
-Click the Security tab.
1. Under Security/Audit level, verify that "All" or "Failure" is selected.H�T-SQL:
Repeat the following for each server.
-Enter the following statement which returns a row for each audit trace enabled on the system:
select * from ::fn_trace_getinfo('0')
where property = 5
1. Verify that at least one row is returned.
2. Verify that for each row returned that "value" is "1".
Enterprise Manager:
1. N/ArT-SQL:
1. At least one row is returned.
2. For each row returned that "value" is "1".
Enterprise Manager:
1. N/AH�T-SQL:
Repeat the following for each server.
-Enter the following statement which returns a row for each audit trace enabled on the system:
select * from ::fn_trace_getinfo('0')
where property = 1
1. Verify that at least one row is returned.
2. Verify that for each row returned that "value" is "6".
Enterprise Manager:
1. N/ArT-SQL:
1. At least one row is returned.
2. For each row returned that "value" is "6".
Enterprise Manager:
1. N/AG�For audit data stored in files:
-Determine the location of the audit file(s). If a custom audit trace is being used, the audit data is stored in a file specified in the trace definition. If C2 auditing is being used, then the audit data is stored in the \mssql\data directory for default instances of SQL Server or the \mssql$instancename\data directory for named instances of SQL Server.
-Browse to the audit data file using Windows Explorer.
-Right-click the file and select Properties.
-Select the Security tab.
-Click the Advanced button.
-Select the Auditing tab.
1. Verify the Everyone group with the following auditing entries:
- Successful - Delete
- Successful - Change Permissions
- Successful - Take Ownership
- Failure - Traverse Folder / Execute ob体育
- Failure - Delete
- Failure - Change Permissions
- Failure - Take Ownership
For audit data stored in a table:
2. If C2 auditing is enabled, then this test passes. Otherwise, continue.
-Verify that a custom audit trace is being used and that the following code is specified in the trace definition:
Declare @on bit
Set @on = 1
exec sp_trace_setevent TraceID, 114, 10, @on
exec sp_trace_setevent TraceID, 114, 11, @on
exec sp_trace_setevent TraceID, 114, 12, @on
exec sp_trace_setevent TraceID, 114, 14, @on
exec sp_trace_setevent TraceID, 114, 15, @on
exec sp_trace_setevent TraceID, 114, 21, @on
exec sp_trace_setevent TraceID, 114, 22, @on
exec sp_trace_setevent TraceID, 114, 23, @on
exec sp_trace_setevent TraceID, 114, 28, @on
exec sp_trace_setevent TraceID, 114, 35, @on
exec sp_trace_setevent TraceID, 114, 41, @on��1. The Everyone group has the following auditing entries:
- Successful - Delete
- Successful - Change Permissions
- Successful - Take Ownership
- Failure - Traverse Folder / Execute ob体育
- Failure - Delete
- Failure - Change Permissions
- Failure - Take Ownership
2. A custom audit trace is being used and the following code is specified in the trace definition:
Declare @on bit
Set @on = 1
exec sp_trace_setevent TraceID, 114, 10, @on
exec sp_trace_setevent TraceID, 114, 11, @on
exec sp_trace_setevent TraceID, 114, 12, @on
exec sp_trace_setevent TraceID, 114, 14, @on
exec sp_trace_setevent TraceID, 114, 15, @on
exec sp_trace_setevent TraceID, 114, 21, @on
exec sp_trace_setevent TraceID, 114, 22, @on
exec sp_trace_setevent TraceID, 114, 23, @on
exec sp_trace_setevent TraceID, 114, 28, @on
exec sp_trace_setevent TraceID, 114, 35, @on
exec sp_trace_setevent TraceID, 114, 41, @on
��-Browse to C:\winnt\system32\config\appevent.evt using Windows Explorer.
-Right-click the file and select Properties.
-Select the Security tab.
-Click the Advanced button.
-Select the Auditing tab.
1. Verify the Everyone group has the following auditing entries:
- Successful - Delete
- Successful - Change Permissions
- Successful - Take Ownership
- Failure - Traverse Folder / Execute ob体育
- Failure - Delete
- Failure - Change Permissions
- Failure - Take Ownership��T-SQL:
Repeat the following for each server.
-Enter the following statement:
exec sp_configure 'show advanced options', 1
reconfigure
exec sp_configure 'allow updates'
1. Verify that the values for config_value and run_value are 0.
Enterprise Manager:
Repeat the following for each server.
-Right-click the server and click Properties.
-Click the Server Settings tab.
-Under Server behavior
1. . Verify that the "Allow modifications to be made directly to the system catalogs" check box is not checked.�T-SQL:
1. The values for config_value and run_value are 0.
Enterprise Manager:
1. The "Allow modifications to be made directly to the system catalogs" check box is not checked.\�NOTE! If replication is in use, then this should be enabled.
T-SQL:
Repeat the following for each server.
-Enter the following statement:
exec sp_configure 'show advanced options', 1
reconfigure
exec sp_configure 'remote access'
1. Verify that the values for config_value and run_value are 0 unless replication is in use.
Enterprise Manager:
N/ArT-SQL:
1.The values for config_value and run_value are 0 unless replication is in use.
Enterprise Manager:
N/A��NOTE! If a custom defined audit trace is being used in place of C2 auditing, then the scan for startup procs option may need to be enabled. A deviation will be required if this is the case.
T-SQL:
Repeat the following for each server.
-Enter the following statement:
exec sp_configure 'show advanced options', 1
reconfigure
exec sp_configure 'scan for startup procs'
1. Verify that the values for config_value and run_value are 0.
Enterprise Manager:
N/AUT-SQL:
1. The values for config_value and run_value are 0.
Enterprise Manager:
N/Ag�T-SQL:
Repeat the following for each server.
-Enter the following statement:
exec xp_loginconfig 'login mode'
1. Verify that config_value is "Windows NT Authentication".
Enterprise Manager:
Repeat the following for each server.
-Right-click the server and click Properties.
-Click the Security tab.
1. Under Security, veri<�� fy that "Windows only" is selected.kT-SQL:
1. config_value is "Windows NT Authentication".
Enterprise Manager:
1. "Windows only" is selected.J�1. Open Windows Explorer.
-Browse to SQL Server install directory. By default this is C:\Program ob体育s\Microsoft SQL Server\MSSQL.
-Right-click on the \MSSQL directory name.
-Click Properties.
-Select the Security tab.
1. Verify that the only permissions are the following or less:
a. full control - Administrators
b. full control - SYSTEM
c. full control - SQL Server service account (custom)
d. full control - DBA group (custom)
e. full control - CREATOR OWNER
2. Verify that permissions for subfolders and files contained in \MSSQL match the criteria specified above.W�1. The only permissions are the following or less:
a. full control - Administrators
b. full control - SYSTEM
c. full control - SQL Server service account (custom)
d. full control - DBA group (custom)
e. full control - CREATOR OWNER
2. Permissions for subfolders and files contained in \MSSQL match the criteria specified above.t�T-SQL:
Repeat the following for each database.
-Get the list of files associated with the database by entering the following statement:
select filename from sysfiles
-For each file, do the following:
a. Navigate to the file using Windows Explorer.
b. Right-click on the file and click Properties.
c. Select the Security tab.
1. Verify that the only permissions are the following or less:
- full control - Administrators
- full control - SYSTEM
- full control - SQL Server service account (custom)
- full control - DBA group (custom)
- full control - CREATOR OWNER
Enterprise Manager:
N/A$�T-SQL:
1. The only permissions are the following or less:
- full control - Administrators
- full control - SYSTEM
- full control - SQL Server service account (custom)
- full control - DBA group (custom)
- full control - CREATOR OWNER
Enterprise Manager:
1. N/A����-Click Start, Run then launch regedt32.exe.
-Expand HKEY_LOCAL_MACHINE.
-Expand Software.
-Expand Microsoft.
-Right click Microsoft SQL Server and click Permissions.
1. Verify that the only permissions are the following or less:
a. full control - Administrators
b. full control - SYSTEM
c. full control - SQL Server service account (custom)
d. full control - DBA group (custom)
e. full control - CREATOR OWNER
2. Verify that permissions for subkeys match the criteria specified above.z���5�1. The only permissions are the following or less:
a. full control - Administrators
b. full control - SYSTEM
c. full control - SQL Server service account (custom)
d. full control - DBA group (custom)
e. full control - CREATOR OWNER
2. Permissions for subkeys match the criteria specified above.����-Click Start, Run then launch regedt32.exe.
-Expand HKEY_LOCAL_MACHINE.
-Expand Software.
-Expand Microsoft.
-Right click MSSQLServer and click Permissions.
1. Verify that the only permissions are the following or less:
a. full control - Administrators
b. full control - SYSTEM
c. full control - SQL Server service account (custom)
d. full control - DBA group (custom)
e. full control - CREATOR OWNER
2. Verify that permissions for subkeys match the criteria specified above.z���4�1.The only permissions are the following or less:
a. full control - Administrators
b. full control - SYSTEM
c. full control - SQL Server service account (custom)
d. full control - DBA group (custom)
e. full control - CREATOR OWNER
2. Permissions for subkeys match the criteria specified above.��1.The only permissions are the following or less:
a. full control - Administrators
b. full control - SYSTEM
c. full control - CREATOR OWNER
d. read/write (see below) - SQL Server service account (custom)
e. read/write (see below) - DBA group (custom)
2 Permissions for subkeys match the criteria specified above.
Registry permissions for read/write values are as follows:
- Query Value
- Set Value
- Create Subkey
- Enumerate Subkeys
- Notify
- WriteDAC
- Write Owner
- Read Control%�-Click Start, Run then launch regedt32.exe.
-Expand HKEY_LOCAL_MACHINE.
-Expand Software.
-Expand Microsoft.
-Expand Windows NT.
-Expand CurrentVersion.
-Right click perflib and click Permissions.
1. Verify that the only permissions are the following or less:
a. full control - Administrators
b. full control - SYSTEM
c. full control - CREATOR OWNER
d. read/write (see below) - SQL Server service account (custom)
e. read/write (see below) - DBA group (custom)
2 Verify that permissions for subkeys match the criteria specified above.��1. The only permissions are the following or less:
a. full control - Administrators
b. full control - SYSTEM
c. full control - CREATOR OWNER
d. read/write (see below) - SQL Server service account (custom)
e. read/write (see below) - DBA group (custom)
2. Permissions for subkeys match the criteria specified above.
Registry permissions for read/write values are as follows:
- Query Value
- Set Value
- Create Subkey
- Enumerate Subkeys
- Notify
- WriteDAC
- Write Owner
- Read Control��-Click Start, Run then launch regedt32.exe.
-Expand HKEY_LOCAL_MACHINE.
-Expand System.
-Expand CurrentControlSet.
-Expand Services.
-Right click MSSQLSERVER and click Permissions.
1. Verify that the only permissions are the following or less:
a. full control - Administrators
b. full control - SYSTEM
c. full control - CREATOR OWNER
d. read/write (see below) - SQL Server service account (custom)
e. read/write (see below) - DBA group (custom)
2. Verify that permissions for subkeys match the criteria specified above.���T-SQL:
Repeat the following for each database.
-Enter the following statement:
select sysobjects.name from sysobjects
inner join syscomments on sysobjects.id = syscomments.id
where syscomments.encrypted = 0 and
(sysobjects.type=� P� or sysobjects.type=� X� )
and sysobjects.uid > 4 and sysobjects.uid <� 16384
1. Verify that nothing is returned in the above query.
Enterprise Manager:
N/A4T-SQL:
1. Nothing is returned.
Enterprise Manager:��T-SQL:
N/A
Enterprise Manager:
Repeat the following for each server.
-Expand the server.
-Expand Databases.
-Expand the master database.
-Select Extended Stored Procedures.
1. Scroll down the list of procedures. Verify that the owner for all procedures is dbo.HT-SQL:
N/A
Enterprise Manager:
1. The owner for all procedures is dbo.���T-SQL:
Repeat the following for each server.
-Enter the following statement:
use master
select sysobjects.name, sysusers.name from sysobjects
inner join sysprotects on sysobjects.id = sysprotects.id
inner join sysusers on sysprotects.uid = sysusers.uid
where ((sysobjects.name like 'xp_reg%') or (sysobjects.name like 'sp_OA%')) and (sysprotects.protecttype <�> 206)
1. Verify that only DBA accounts are listed in the return results.
Enterprise Manager:
Repeat the following for each server.
-Expand the server.
-Expand Databases.
-Expand the master database.
-Select Extended Stored Procedures.
-For each procedure (and especially procedures that begi<� �n with � sp_OA� or � xp_reg'), do the following:
a. Right-click on the procedure name and select Properties.
b. Select permissions.
c. Select "List only users/user-defined database roles/public with permissions on this object."
1. Verify that only DBA accounts have access to the procedure.�T-SQL:
1.Only DBA accounts are listed in the return results.
Enterprise Manager:
1. For each procedure, only DBA accounts have access to the procedure.��T-SQL:
Repeat the following for each server.
-Enter the following statement:
use master
select sysobjects.name from sysobjects
where sysobjects.name = 'xp_cmdshell'
1. Verify that no result is returned.
Enterprise Manager:
Repeat the following for each server.
-Expand the server.
-Expand Databases.
-Expand the master database.
-Select Extended Stored Procedures.
-Scroll down the list of procedures.
1. Verify that the procedure xp_cmdshell does not exist.cT-SQL:
1. No result is returned.
Enterprise Manager:
1. The procedure xp_cmdshell does not exist.dT-SQL:
1. No records are returned.
Enterprise Manager:
1.The procedure xp_cmdshell does not exist.��For each database except master and tempdb, do the following.
T-SQL:
-Enter the following statement:
exec sp_helpuser 'guest'
1. Verify that no records are returned.
Enterprise Manager:
-Expand the database.
-Select Users.
1. Verify that the guest user does not exist.�T-SQL:
Repeat the following for each database.
-Enter the following statement:
exec sp_helprotect NULL, 'guest', NULL, 'o'
1. Verify that there are no rows returned where ProtectType is "Grant" or "Grant_WGO".
Enterprise Manager:
Repeat the following for each database.
-Expand the server.
-Expand Databases.
-Expand the database.
-Select Users.
-Double-click user Guest. If Guest isn't there then the test passes for this database.
-Select Permissions.
-Select "List only objects with permissions for this user".
1. Verify that no permissions are shown. If permissions are shown, verify that a green check isn't visible in any checkbox.�T-SQL:
1. No rows returned where ProtectType is "Grant" or "Grant_WGO".
Enterprise Manager:
1. No permissions are shown. If permissions are shown, verify that a green check isn't visible in any checkbox.H�T-SQL:
Repeat the following for each database.
-Enter the following statement:
exec sp_helprotect NULL, 'public', NULL, 'o'
1. Verify that there are no rows returned where ProtectType is "Grant" or "Grant_WGO".
Enterprise Manager:
Repeat the following for each database.
-Expand the server.
-Expand Databases.
-Expand the database.
-Select Roles.
-Double-click role Public.
-Select Permissions.
-Select "List only objects with permissions for this role".
1. Verify that no permissions are shown. If permissions are shown, verify that a green check is not visible for the permission.�T-SQL:
1. No rows returned where ProtectType is "Grant" or "Grant_WGO".
Enterprise Manager:
1. No permissions are shown. If permissions are shown, verify that a green check is not visible for the permission.��T-SQL:
Repeat the following for each database.
-Enter the following statement:
select SystemTableOrViewName = sysobjects.name, UserOrGroupName = sysusers.name from sysobjects
inner join sysprotects on sysobjects.id = sysprotects.id
inner join sysusers on sysprotects.uid = sysusers.uid
where (sysobjects.type = 'S' or sysobjects.type = 'V') and (sysprotects.uid > 4) and (sysprotects.protecttype <> 206)
1. If results are returned, then verify that each UserOrGroupName is a DBA or a batch processing account.
Enterprise Manager:
N/A?�T-SQL:
N/A
Enterprise Manager:
Repeat the following for each server.
-Expand the server.
-Expand Management.
-Right-click on SQL Server Agent.
-Select Properties.
-Select the Job System tab.
1. Verify that the checkbox "Only users with SysAdmin privileges can execute CmdExec and ActiveScripting job steps" is checked.`T-SQL:
1. Each UserOrGroupName is a DBA or a batch processing account.
Enterprise Manager:
N/A�T-SQL:
N/A
Enterprise Manager:
1. The checkbox "Only users with SysAdmin privileges can execute CmdExec and ActiveScripting job steps" is checked.��T-SQL:
Repeat the following for each server.
-Enter the following statement:
use msdb
select physical_drive, physical_name from backupfile
-For each file listed in the query results, do the following:
a. Open Windows Explorer and browse to the file.
b. Right click on the file's container directory.
c. Select Properties.
d. Select Security tab.
1. Verify that the only permissions are the following or less:
- full control - SYSTEM
- full control - Administrators
- full control - SQL Server service account (custom)
- full control - DBA group (custom)
- full control - CREATOR OWNER
Enterprise Manager:
N/A#�T-SQL:
1. The only permissions are the following or less:
- full control - SYSTEM
- full control - Administrators
- full control - SQL Server service account (custom)
- full control - DBA group (custom)
- full control - CREATOR OWNER
Enterprise Manager:
N/A�T-SQL:
1. A values for UserOrGroupName are not application user accounts.
Enterprise Manager:
1. Each object is not owned by an application user.��T-SQL:
Repeat the following for each database.
-Enter the following statement which lists objects not owned by the database owner:
select ObjectName = sysobjects.name, UserOrGroupName = sysusers.name from sysobjects
inner join sysusers on sysusers.uid = sysobjects.uid
where sysobjects.uid <> 1
1. Verify that all values for UserOrGroupName are not application user accounts.
Enterprise Manager:
Repeat the following for each database
-Expand the database.
-Select Tables, Views, Stored Procedures, Extended Stored Procedures, User Defined Data Types, and User Defined Functions..
1. Verify that each object is not owned by an application user.O�T-SQL:
Repeat the following for each database.
-Enter the following statement:
select sysusers.name, sysobjects.name from sysobjects
inner join sysusers on sysusers.uid = sysobjects.uid
where sysusers.hasdbaccess = 1 and sysusers.name <> 'dbo'
1. Verify that no results are returned.
Enterprise Manager:
Repeat the following for each server.
-Expand the server.
-Expand Security.
-Select Logins.
-For each login that is an application owner account, do the following:
a. Double click the login.
b. Select the General tab.
1. Verify that the "Deny access" radio button is selected.vT-SQL:
1. No results are returned.
Enterprise Manager:
1. The "Deny access" radio button is selected for each login.��T-SQL:
N/A
Enterprise Manager:
Repeat the following for each server.
-Expand the server.
-Expand Security.
-Select Linked Servers.
-For each linked server, do the following:
a. Double-click the linked server.
b. Select the Security tab.
1. Verify that the "Be made using the login's current security context" radio button is selected.
2. Under "Local server login to remote server login mappings", verify that there are no mappings.�T-SQL:
N/A
Enterprise Manager:
1. The "Be made using the login's current security context" radio button is selected for each linked server..
2. There are no mappings for each linked server.��T-SQL (preferred method):
Repeat the following for each server.
-Enter the following statement:
use master
select serverproperty(ServerName)
1. Verify that the version number, SQL Server-related or otherwise, is not in the server name.
Enterprise Manager:
N/A - While it is possible to get the server name using Enterprise Manager, for local servers this may not give an accurate result. Use T-SQL.sT-SQL:
1. The version number, SQL Server-related or otherwise, is not in the server name.
Enterprise Manager:
N/Ai�T-SQL:
Repeat the following for each server.
-Enter the following statement:
use master
select name, filename from sysdatabases
1. Ver<�� ify that there is a database named "master" and that the filename for it is "master.mdf".
2. Verify that there is a database named "model" and that the filename for it is "model.mdf".
3. Verify that there is a database named "msdb" and that the filename for it is "msdb.mdf".
4. Verify that there is a database named "tempdb" and that the filename for it is "tempdb.mdf".
5. Verify that all databases present are located in their own separate database files.
Enterprise Manager:
N/A��T-SQL:
1. There is a database named "master" and that the filename for it is "master.mdf".
2. There is a database named "model" and that the filename for it is "model.mdf".
3. There is a database named "msdb" and that the filename for it is "msdb.mdf".
4. There is a database named "tempdb" and that the filename for it is "tempdb.mdf".
5. All databases present are located in their own separate database files.
Enterprise Manager:
N/A��This procedure should be performed by the system administrator. All database administrator accounts must be checked.
-Open the Group Policy Object Editor for the appropriate GPO.
-Expand Computer Configuration.
-Expand Windows Settings.
-Expand Security Settings.
-Expand Account Policies.
-Select Password Policy.
1. Verify that "Maximum password age" is set to 60 days or less (but not 0).�T-SQL:
Repeat the following for each server.
-Enter the following statement:
select count(name) from syslogins
where password is null and name = 'sa'
1. Verify that "0" is returned.
Enterprise Manager:
N/A4T-SQL:
1. "0" is returned.
Enterprise Manager:
N/A�-Click Start, Run then launch regedt32.exe.
-Expand HKEY_LOCAL_MACHINE.
-Expand System.
-Expand CurrentControlSet.
-Expand Control.
-Select ProductOptions.
1. Verify that ProductType does not have a value of "LANMANNT" or "LANSECNT".A1. ProductType does not have a value of "LANMANNT" or "LANSECNT".��T-SQL:
Repeat the following for each database.
-Enter the following statement:
exec sp_helprotect NULL, 'public', NULL, 's'
1. Verify that there are no rows returned where ProtectType is "Grant" or "Grant_WGO".
Enterprise Manager:
Repeat the following for each database.
-Expand the server.
-Expand Databases.
-Right-click the database and click Properties.
-Select the Permissions tab.
1. Verify that a green check isn't visible in any checkbox for the public database role.�T-SQL:
1. There are no rows returned where ProtectType is "Grant" or "Grant_WGO".
Enterprise Manager:
1. A green check isn't visible in any checkbox for the public database role.��T-SQL:
Repeat the following for each database.
-Enter the following statement:
exec sp_helprotect NULL, 'guest', NULL, 's'
1. Verify that there are no rows returned where ProtectType is "Grant" or "Grant_WGO".
Enterprise Manager:
Repeat the following for each database.
-Expand the server.
-Expand Databases.
-Right-click the database and click Properties.
-Select the Permissions tab.
1. Verify that a green check isn't visible in any checkbox for the guest account.�T-SQL:
1. There are no rows returned where ProtectType is "Grant" or "Grant_WGO".
Enterprise Manager:
1. A green check isn't visible in any checkbox for the guest account.��T-SQL:
Repeat the following for each database.
-Enter the following statement:
exec sp_helprotect NULL, NULL, NULL, 's'
1. Verify that there are no rows returned where ProtectType is "Grant" or "Grant_WGO" and Grantee is a user account.
Enterprise Manager:
Repeat the following for each database.
-Expand the server.
-Expand Databases.
-Right-click the database and click Properties.
-Select the Permissions tab.
1. Verify that a green check isn't visible in any checkbox for any user account.�T-SQL:
1. There are no rows returned where ProtectType is "Grant" or "Grant_WGO" and Grantee is a user account.
Enterprise Manager:
1. A green check isn't visible in any checkbox for any user account.��T-SQL:
N/A
Enterprise Manager:
Repeat the following for each database.
-Expand the server.
-Expand Databases.
-Right click the database and click Properties.
-Click the Permissions tab.
1. Verify that none of the statement privileges listed below are granted to any application user, application administrator, application developer, or application role. Granted permissions are shown with a green checkmark.
CREATE TABLE
CREATE VIEW
CREATE SP
CREATE DEFAULT
CREATE RULE
CREATE FUNCTION
BACKUP DB
BACKUP LOG
CREATE DATABASEg�T-SQL:
N/A
Enterprise Manager:
1. None of the statement privileges listed below are granted to any application user, application administrator, application developer, or application role. Granted permissions are shown with a green checkmark.
CREATE TABLE
CREATE VIEW
CREATE SP
CREATE DEFAULT
CREATE RULE
CREATE FUNCTION
BACKUP DB
BACKUP LOG
CREATE DATABASEQ�T-SQL:
Repeat the following for each database.
-Enter the following statement which lists all of the database roles that guest is a member of:
exec sp_helpuser 'guest'
1. Verify that either no results are returned or that a single result is returned where GroupName is 'public'.
Enterprise Manager:
Repeat the following for each database.
-Expand the server.
-Expand Databases.
-Expand the database.
-Select Users.
-Double-click user Guest.
1. If Guest isn't there then the test passes for this database.
2. Under "Database role membership", verify that all checks except public are cleared.�T-SQL:
1. No results are returned or that a single result is returned where GroupName is 'public'.
Enterprise Manager:
1. Guest isn't there.
2. All checks except public are cleared.��T-SQL:
Repeat the following for each server.
-Enter the following statement which displays all users who are granted server role memberships:
exec sp_helpsrvrolemember
1. Verify that only DBAs are granted server role memberships.
Enterprise Manager:
Repeat the following for each server.
-Expand the server.
-Expand Security.
-Select Server Roles.
-For each server role, do the following:
a. Double-click the server role.
1. Verify that only DBAs are granted membership to the server role.�T-SQL:
1. Only DBAs are granted server role memberships.
Enterprise Manager:
1. Only DBAs are granted membership to the server role.�T-SQL:
1. Only DBAs are granted database role memberships (memberships beginning with "db_").
Enterprise Manager:
1. Only DBAs are granted membership to the database role.���T-SQL:
Repeat the following for each server.
-Enter the following statement:
exec sp_helpsrvrolemember � sysadmin�
1. Verify that only authorized logins are members of the System Administrators server role.
Enterprise Manager:
Repeat the following for each server.
Expand the server.
-Expand Security.
-Select Server Roles.
-Right-click the System Administrators (sysadmin) server role and click Properties.
1. Verify that only authorized logins are members of the System Administrators server role.�T-SQL:
1. Only authorized logins are members of the System Administrators server role.
Enterprise Manager:
1. Only authorized logins are members of the System Administrators server role.���T-SQL:
Repeat the following for each server.
-Enter the following statement:
exec sp_helpsrvrolemember � sysadmin�
1. Verify that BUILTIN\Administrators is not a member of the System Administrators server role.
Enterprise Manager:
Repeat the following for each server.
-Expand the server.
-Expand Security.
-Select<� Server Roles.
-Right-click the System Administrators (sysadmin) server role and click Properties.
1. Verify that BUILTIN\Administrators is not a member of the System Administrators server role.�T-SQL:
1. BUILTIN\Administrators is not a member of the System Administrators server role.
Enterprise Manager:
1. BUILTIN\Administrators is not a member of the System Administrators server role.��T-SQL:
Repeat the following for each database.
-Enter the following statement which checks for the "grant with grant" privilege on objects:
select sysusers.name, sysobjects.name, sysprotects.action from sysprotects
inner join sysusers on sysusers.uid=sysprotects.uid
inner join sysobjects on sysobjects.id=sysprotects.id
where sysprotects.protecttype = 204
1. Verify that no results are returned.
Enterprise Manager:
N/A<�T-SQL:
1. No results are returned.
Enterprise Manager:
N/A��T-SQL:
Repeat the following for each database.
-Enter the following statement:
exec sp_helprotect NULL, NULL, NULL, 'o'
1. Verify that there are no rows returned where Grantee is an application user account and ProtectType is "Grant" or "Grant_WGO".
Enterprise Manager:
Repeat the following for each database.
-Expand the server.
-Expand Databases.
-Expand the database.
-Select Users.
-For each application user account do the following:
-Double-click the user.
-Select Permissions.
-Select "List only objects with permissions for this user".
1. Verify that no permissions are shown. If permissions are shown, verify that a green check isn't visible in any checkbox.�T-SQL:
1. No rows are returned where Grantee is an application user account and ProtectType is "Grant" or "Grant_WGO".
Enterprise Manager:
1. No permissions are shown. If permissions are shown, a green check isn't visible in any checkbox.9�T-SQL:
Repeat the following for each database.
-Enter the following statement:
exec sp_helprotect NULL, NULL, NULL, 'o'
1. For each row where Grantee is an application administrator or an application user AND Action is "References", verify that ProtectType is not "Grant" or "Grant_WGO".
Enterprise Manager:
N/ANT-SQL:
1. ProtectType is not "Grant" or "Grant_WGO".
Enterprise Manager:
N/AS�
T-SQL:
Repeat the following for each server.
-Enter the following statement:
use master
select sysobjects.name, sysusers.name, sysprotects.action from sysprotects
inner join sysobjects on sysobjects.id = sysprotects.id
inner join sysusers on sysusers.uid = sysprotects.uid
where (sysobjects.type = 'X') and (sysobjects.uid < 5) and (sysprotects.protecttype <> 206)
1. For each row returned, verify that the value for name is not "public".
Enterprise Manager:
Repeat the following for each server.
-Expand the server.
-Expand Databases.
-Expand the master database.
-Select Extended Stored Procedures.
-For each user-defined extended stored procedure, verify the following:
-Right-click on the procedure name.
-Select All Tasks.
-Select Manage Permissions.
1. For user public, verify that the check box under the EXEC column has a red X.�T-SQL:
1. For each row returned, the value for name is not "public".
Enterprise Manager:
1. For user public, the check box under the EXEC column has a red X.E�T-SQL:
N/A
Enterprise Manager:
1. The user is only a member of the Users group (or the Power Users group if SQL Service is part of an Active Directory).
2. Under "Startup service account" the "This account" radio button is clicked.
3. The same user used for starting up the SQL Server Agent service is used here as well.��T-SQL:
N/A
Enterprise Manager:
Repeat the following for each server.
-Expand the server.
-Expand Management.
-Right-click SQL Server Agent and click Properties.
-Click the General tab.
-Verify that under "Service startup account" that the "This account" radio button is clicked. Take note of the account being used as the SQL Server Agent service startup account.
-Click Start->Administrative Tools->Active Directory Users and Computers (for Windows 2003 Server).
-Find the account from step 5 and double-click it.
-Click the Member Of tab.
1. Verify that the user is only a member of the Users group (or the Power Users group if SQL Service is part of an Active Directory).
-Back in Enterprise Manager, right-click the server and click Properties.
-Click the Security tab.
2. Verify that under "Startup service account" that the "This account" radio button is clicked.
3. Verify that the same user used for starting up the SQL Server Agent service is used here as well.��T-SQL:
N/A
Enterprise Manager:
1. The SQL Server Agent service startup account has the following rights:
- Act as part of the operating system
- Replace a process-level token
- Log on as a service
- Access this computer from the network
- Increase quotas
- May require the logon as a batch job right
2. The SQL Server Agent service startup account does not have the following rights:
- Allow log on locally��T-SQL:
N/A
Enterprise Manager:
Repeat the following for each server.
-Right-click the server and click Properties.
-Click the Security tab.
-Take note of the account being used as the SQL Server Agent service startup account.
-Click Start->Administrative Tools->Domain Controller Security Policy->Local Policies->User Rights Assignment
1. Verify that the SQL Server Agent service startup account has the following rights:
- Act as part of the operating system
- Replace a process-level token
- Log on as a service
- Access this computer from the network
- Increase quotas
- May require the logon as a batch job right
6. Verify that the SQL Server Agent service startup account does not have the following rights:
- Allow log on locallyw�T-SQL:
Repeat the following for each server.
-Enter the following statement:
use master
select name from sysxlogins
where (sysxlogins.name = 'BUILTIN\Administrators')
1. Verify that nothing is returned.
Enterprise Manager:
Repeat the following for each server.
-Expand the server.
-Expand Security.
-Select Logins.
1. Verify that BUILTIN\Administrators is not a valid login.dT-SQL:
1. Nothing is returned.
Enterprise Manager:
1. BUILTIN\Administrators is not a valid login.�T-SQL:
N/A
Enterprise Manager:
Repeat the following for each server.
-Expand the server.
-Expand Support Services.
-Right-click SQL Mail and click Properties.
1. Verify that there are no MAPI profiles.@T-SQL:
N/A
Enterprise Manager:
1. There are no MAPI profiles.~�T-SQL:
N/A
Enterprise Manager:
Repeat the following for each publication on each server.
-Expand the server.
-Expand Replication.
-Expand Publications.
-Right-click the publication and click Properties.
-Click the Security tab.
1. Verify that the checkbox labeled "Generate snapshots in the normal snapshot folder" is unchecked.
2. Verify that the checkbox labeled "Generate snapshots in the following location" is checked and that the directory listed is not a Windows administrative share.
-Navigate to the directory above using Windows Explorer.
-Right-click on the directory and click Properties.
-Select the Security tab.
3. Verify that the only permissions are the following or less:
- full control - Administrators
- full control - SYSTEM
- read/write - SQL Server service account (custom)
- full control - DBA group (custom)
- full control - CREATOR OWNER��T-SQL:
N/A
Enterprise Manager:
1. The checkbox labeled "Generate snapshots in the normal snapshot folder" is unchecked.
2. The checkbox labeled "Generate snapshots in the following location" is checked and that the directory listed is not a Windows administrative share.
3. The only permissions are the following or less:
- full control - Administrators
- full control - SYSTEM
- read/write - SQL Server service account (custom)
- full control - DBA group (custom)
- full control - CREATOR OWNERv�T-SQL:
N/A
Enterprise Manager:
-Select Tools from the menu bar.
-Select Replication.
-Select Configure Publishing, Subscribers, and Distribution.
-Select the Subscribers tab.
-Double-click on each subscriber.
-Under Agent connection to the Subscriber
1. Verify that the radio button "Impersonate the SQL Server Agent account on SQL Server (trusted connection)" <� is selected.�T-SQL:
N/A
Enterprise Manager:
1. The radio button "Impersonate the SQL Server Agent account on SQL Server (trusted connection)" is selected.��T-SQL:
Repeat the following for each server.
-Enter the following statement:
select name, denylogin, hasaccess from syslogins
1. Verify that all accounts listed are actually in use. If they are not in use, verify that they are disabled.
Enterprise Manager:
N/A�T-SQL:
1. All accounts listed are actually in use. If they are not in use, verify that they are disabled.
Enterprise Manager:
N/A{1. The audit trail is reviewed at a minimum bi-weekly for anomalies to standard operations or unauthorized access attempts.�1. Audit data is captured, backed up, and maintained. IRS requires the agency to retain archived audit logs/trails for the remainder of the year they were made plus six years.�1. The database and database application software is baselined and the baseline is maintained after upgrades to the software are made.21. The file does not exist anywhere on the system.�-Click Start -> Search.
1. Search all hard drives (including subfolders) for the file Odbctrac.dll. Verify that the file does not exist anywhere on the system.��NOTE! This check will require information from the DBA.
Repeat the following for each server.
Enterprise Manager:
-Expand the server.
-Verify that the server contains either production or development databases. If the server contains both production and development databases, then this server fails this check.
-Expand Security.
-Select Linked Servers.
1. Verify that each linked server's function type matches the function type of the local server. For example, if the local server contains production databases, then all linked servers must contain only production databases. If the local server contains development databases, then all linked servers must contain only development databases.^�Enterprise Manager:
1. Each linked server's function type matches the function type of the local server. For example, if the local server contains production databases, then all linked servers must contain only production databases. If the local server contains development databases, then all linked servers must contain only development databases.
�T-SQL or Enterprise Manager:
1.���������������� �
�����
������������������������������������� �!�"�#�$�%�&�'�(�)�*�+�,�-�.�/�0�1�2�3�4�5�6�7�8�9�:�;�<�=�>�?�@�A�B�C�D�E�F�G�H�I�J�K�L�M�N�O�P�Q�R�S�T�U�V�W�X�Y�Z�[�\�]�^�_�`�a�b�c�d�e�f�g�h�j����k�l�m�n�o�p�q�r�s�t�u�v�w�x�y�z�{�|�}�~��€� All databases listed are production databases or development databases. Productiona and development should not reside on te same server.K�To locate the database names, do the following (repeat for each server):
T-SQL:
-Enter the following statement:
use master
select name from sysdatabases
Enterprise Manager:
-Expand the server group.
-Expand the server.
-Expand Databases.
1.Verify that all databases listed are production databases and not development databases.>�T-SQL:
-Determine if replication is in use. Enter the following statement which checks to see if the replication database exists:
select count(name) from sysdatabases
where name = 'distribution'
1. If 0 is returned, then replication is not in use and this check passes. If 1 is returned, continue.
-Enter the following statements
use distribution
exec sp_helprolemember 'replmonitor'
2. Verify that only DBA and designated replication database accounts are returned:
-Determine the databases participating in replication. Enter the following statements:
exec sp_helpreplicationdboption
-For each databases participating in replication, enter the following statement
use
exec sp_helprolemember 'db_owner'
3. Verify that only DBA and designated replication database accounts are returned:
Enterprise Manager:
N/A�T-SQL:
1. 0 is returned (replication is not in use) If 1 is returned, continue.
2. Only DBA and designated replication database accounts are returned
3. Only DBA and designated replication database accounts are returned:
Enterprise Manager:
N/A�1. A DBA Windows OS group exists and that only authorized DBA accounts exist within that group.
2. The DBA Windows OS group exists as a SQL Server Login
3. System Administrators is checked.��-Open Computer Management. Click Start, Control Panel, Administrative Tools, Computer Management.
In Computer Management, expand System Tools, expand Local Users and Groups, and select Groups.
-View the list of groups defined.
1. Verify that a DBA Windows OS group exists and that only authorized DBA accounts exist within that group.
-Verify that the DBA Windows OS group exists as a SQL Server Login. In Enterprise Manager, expand the server, expand Security, select Logins.
2. Verify that the DBA Windows OS group exists as a login.
-Double click the group, click the Server Roles tab
3. Verify that System Administrators is checked.�-Open the SQL Server Network Utility.
-Select the General tab.
1. Verify that the checkbox "Force protocol encryption" is checked.71. The checkbox "Force protocol encryption" is checked.��T-SQL:
-Enter the following statement for each server. Note that the statement checking for the "CREATE DATABASE" statement will return an error if CREATE DATABASE is not assigned.
exec sp_helpsrvrolemember 'sysadmin'
exec sp_helpsrvrolemember 'dbcreator'
exec sp_helprotect 'CREATE DATABASE'
1. Verify that only users who should have access to RESTORE are returned (sa and the database owner are valid if they are returned).
-Enter the following statement for each database. Replace with the name of the database being tested.
use
exec sp_helprolemember 'db_owner'
2.. Verify that only users who should have access to RESTORE are returned (sa and the database owner are valid if they are returned).
Enterprise Manager:
N/A��T-SQL:
1. Only users who should have access to RESTORE are returned (sa and the database owner are valid if they are returned).
2. Only users who should have access to RESTORE are returned (sa and the database owner are valid if they are returned).
Enterprise Manager:
N/A��T-SQL:
Repeat the following for each server.
-Review jobs scheduled to start automatically at system startup. Enter the following statement:
use master
select name from sysobjects where xtype = 'p' and objectproperty(id, 'ExecIsStartup') = 1
1. Verify that all jobs listed are authorized.
-Review the SQL Server job history. Enter the following statement:
use msdb
select distinct (j.name) from sysjobhistory h,sysjobs j where h.job_id=j.job_id
2. Verify that all jobs listed are authorized.
Enterprise Manager:
N/AcT-SQL:
1. All jobs listed are authorized.
2. All jobs listed are authorized.
Enterprise Manager:?1. "Maximum password age" is set to 60 days or less (but not 0)�This procedure should be performed by the system administrator. All database user accounts must be checked.
-Open the Group Policy Object Editor for the appropriate GPO.
-Expand Computer Configuration.
-Expand Windows Settings.
-Expand Security Settings.
-Expand Account Policies.
-Select Password Policy.
1. Verify that "Maximum password age" is set to 90 days or less (but not 0).@1. "Maximum password age" is set to 90 days or less (but not 0).l�This procedure should be performed by the system administrator. All database accounts must be checked.
-Open the Group Policy Object Editor for the appropriate GPO.
-Expand Computer Configuration.
-Expand Windows Settings.
-Expand Security Settings.
-Expand Account Policies.
-Select Password Policy.
1. Verify that "Enfore password history" is set to 3 or more.l�This procedure should be performed by the system administrator. All database accounts must be checked.
-Open the Group Policy Object Editor for the appropriate GPO.
-Expand Computer Configuration.
-Expand Windows Settings.
-Expand Security Settings.
-Expand Account Policies.
-Select Account Lockout Policy.
1. Verify that "Account lockout threshold" is set to 3.21. "Enfore password history" is set to 3 or more.+1. "Account lockout threshold" is set to 3.�T-SQL:.
1. The result is 9.00.2047 (SP1) or higher.
Enterprise Manager:
1. The value for "Product version:" is 8.00.760 (SP3) or higher.y��The current service pack is SP2 (9.00.3042) as of June 5, 2008.
T-SQL:.
1. Enter the follo<� �wing statement:
select serverproperty(� ProductVersion� )
-Verify that the result is 9.00.2047 (SP1) or higher.
Enterprise Manager:
1. Right-click the server, and then click Properties.
-Click the General tab.
-Verify that the value for "Product version:" is 9.00.2047 (SP1) or higher.
�-Visit the below link:
http://www.microsoft.com/technet/security/current.aspx
1. Verify that your SQL Server installation is up to date by searching the latest security bulletins.�-Visit the link below:
http://support.microsoft.com/lifecycle/search/
1. Search for the appropriate version of SQL Server and verify that support for it will not expire within six months.G�T-SQL:
Repeat the following for each server.
-Enter the following statement which returns a row for each audit trace enabled on the system:
select * from ::fn_trace_getinfo('0')
where property = 5
1. Verify that at least one row is returned.
2. Verify that for each row returned that "value" is "1".
Management Studio:
1. N/AG�T-SQL:
Repeat the following for each server.
-Enter the following statement which returns a row for each audit trace enabled on the system:
select * from ::fn_trace_getinfo('0')
where property = 1
1. Verify that at least one row is returned.
2. Verify that for each row returned that "value" is "6".
Management Studio:
1. N/A[�NOTE! If replication is in use, then this should be enabled.
T-SQL:
Repeat the following for each server.
-Enter the following statement:
exec sp_configure 'show advanced options', 1
reconfigure
exec sp_configure 'remote access'
1. Verify that the values for config_value and run_value are 0 unless replication is in use.
Management Studio:
N/A��NOTE! If a custom defined audit trace is being used in place of C2 auditing, then the scan for startup procs option may need to be enabled. A deviation will be required if this is the case.
T-SQL:
Repeat the following for each server.
-Enter the following statement:
exec sp_configure 'show advanced options', 1
reconfigure
exec sp_configure 'scan for startup procs'
1. Verify that the values for config_value and run_value are 0.
Management Studio:
N/Af�T-SQL:
Repeat the following for each server.
-Enter the following statement:
exec xp_loginconfig 'login mode'
1. Verify that config_value is "Windows NT Authentication".
Management Studio:
Repeat the following for each server.
-Right-click the server and click Properties.
-Click the Security tab.
1. Under Security, verify that "Windows only" is selected.s�T-SQL:
Repeat the following for each database.
-Get the list of files associated with the database by entering the following statement:
select filename from sysfiles
-For each file, do the following:
a. Navigate to the file using Windows Explorer.
b. Right-click on the file and click Properties.
c. Select the Security tab.
1. Verify that the only permissions are the following or less:
- full control - Administrators
- full control - SYSTEM
- full control - SQL Server service account (custom)
- full control - DBA group (custom)
- full control - CREATOR OWNER
Management Studio:
N/A��T-SQL:
Repeat the following for each database.
-Enter the following statement:
select SystemTableOrViewName = sysobjects.name, UserOrGroupName = sysusers.name from sysobjects
inner join sysprotects on sysobjects.id = sysprotects.id
inner join sysusers on sysprotects.uid = sysusers.uid
where (sysobjects.type = 'S' or sysobjects.type = 'V') and (sysprotects.uid > 4) and (sysprotects.protecttype <> 206)
1. If results are returned, then verify that each UserOrGroupName is a DBA or a batch processing account.
Management Studio:
N/A��T-SQL:
Repeat the following for each server.
-Enter the following statement:
use msdb
select physical_drive, physical_name from backupfile
-For each file listed in the query results, do the following:
a. Open Windows Explorer and browse to the file.
b. Right click on the file's container directory.
c. Select Properties.
d. Select Security tab.
1. Verify that the only permissions are the following or less:
- full control - SYSTEM
- full control - Administrators
- full control - SQL Server service account (custom)
- full control - DBA group (custom)
- full control - CREATOR OWNER
Management Studio:
N/A��T-SQL (preferred method):
Repeat the following for each server.
-Enter the following statement:
use master
select serverproperty(ServerName)
1. Verify that the version number, SQL Server-related or otherwise, is not in the server name.
Management Studio:
N/A - While it is possible to get the server name using Management Studio, for local servers this may not give an accurate result. Use T-SQL.h�T-SQL:
Repeat the following for each server.
-Enter the following statement:
use master
select name, filename from sysdatabases
1. Verify that there is a database named "master" and that the filename for it is "master.mdf".
2. Verify that there is a database named "model" and that the filename for it is "model.mdf".
3. Verify that there is a database named "msdb" and that the filename for it is "msdb.mdf".
4. Verify that there is a database named "tempdb" and that the filename for it is "tempdb.mdf".
5. Verify that all databases present are located in their own separate database files.
Management Studio:
N/A�T-SQL:
Repeat the following for each server.
-Enter the following statement:
select count(name) from syslogins
where password is null and name = 'sa'
1. Verify that "0" is returned.
Management Studio:
N/A���T-SQL:
Repeat the following for each server.
-Enter the following statement:
exec sp_helpsrvrolemember � sysadmin�
1. Verify that BUILTIN\Administrators is not a member of the System Administrators server role.
Management Studio:
Repeat the following for each server.
-Expand the server.
-Expand Security.
-Select Server Roles.
-Right-click the System Administrators (sysadmin) server role and click Properties.
1. Verify that BUILTIN\Administrators is not a member of the System Administrators server role.8�T-SQL:
Repeat the following for each database.
-Enter the following statement:
exec sp_helprotect NULL, NULL, NULL, 'o'
1. For each row where Grantee is an application administrator or an application user AND Action is "References", verify that ProtectType is not "Grant" or "Grant_WGO".
Management Studio:
N/A��T-SQL:
Enter the following statement:
use master
exec xp_loginconfig 'audit level'
1. Verify that config_value is either "all" or "failure".
Enterprise Manager:
Repeat the following for each server.
-Right-click the server and click Properties.
-Click the Security tab.
1. Under Login auditing, verify that either "Failed logins only" or "Both failed and successful logins" is selected.�T-SQL:
1. config_value is either "all" or "failure".
Enterprise Manager:
1. Either "Failed logins only" or "Both failed and successful logins" is selected.�T-SQL:
1. Each filename exists on a volume separate from the SQL Server executable volume.
Enterprise Manager:
1. Each path exists on a volume separate from the SQL Server executable volume.e�T-SQL:
Repeat the following for each database.
-Get the list of files associated with the database by entering the following statement:
use
select filename from sysfiles
1. Verify that each filename exists on a volume separate from the SQL Server executable volume.
Management Studio:
Repeat th<� e following for each database.
-Expand the server group.
-Expand Databases.
-Right-click the database and click Properties.
-Select the ob体育s page.
1. Under "Database files:", check each path in the "Path" column. Verify that each path exists on a volume separate from the SQL Server executable volume.��1. The only permissions are the following or less:
a. full control - Administrators
b. full control - SYSTEM
c. full control - SQL Server service account (custom)
d. full control - DBA group (custom)
e. full control - CREATOR OWNER
2. Permissions for subkeys match the criteria specified above. In addition,
a. SQLServer2005ReportServerUser$ can have Full Control to "HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\RS" and its sub-keys.
b. SQLServer2005MSFTEUser$ can have Full Control to "HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.<#>\MSSearch" and its sub-keys.
c.SQLServer2005SQLAgentUser$ can have Full Control to "HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.<#>\SQLServerAgent" and its sub-keys.
d. SQLServer2005SQLServerADHelperUser$ can have Full Control to "HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.<#>\SQLServerSCP" and its sub-keys.
e. Remote Desktop Users can have Read access to "HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\RS" and its sub-keys.
f. If permissions other than Read are granted to the custom SQL Server Users group or the same members, then this test fails.|�Use regedit.exe (Windows 2003) or regedt32.exe (Windows XP, Windows 2000) to review registry permissions.
To review registry permissions using regedit, navigate to the registry key indicated, right-click on the key, and select Permissions. Select the users and groups permissions and view the assigned Permissions in the Permissions box.
-Expand Microsoft.
-Right click Microsoft SQL Server and click Permissions.
1. Verify that the only permissions are the following or less:
a. full control - Administrators
b. full control - SYSTEM
c. full control - SQL Server service account (custom)
d. full control - DBA group (custom)
e. full control - CREATOR OWNER
2. Verify that permissions for subkeys match the criteria specified above.
a. SQLServer2005ReportServerUser$ can have Full Control to "HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\RS" and its sub-keys.
b. SQLServer2005MSFTEUser$ can have Full Control to "HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.<#>\MSSearch" and its sub-keys.
c.SQLServer2005SQLAgentUser$ can have Full Control to "HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.<#>\SQLServerAgent" and its sub-keys.
d. SQLServer2005SQLServerADHelperUser$ can have Full Control to "HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.<#>\SQLServerSCP" and its sub-keys.
e. Remote Desktop Users can have Read access to "HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\RS" and its sub-keys.
f. If permissions other than Read are granted to the custom SQL Server Users group or the same members, then this test fails.��
T-SQL:
Repeat the following for each server.
-Enter the following statement:
use master
select sysobjects.name, sysusers.name, sysprotects.action from sysprotects
inner join sysobjects on sysobjects.id = sysprotects.id
inner join sysusers on sysusers.uid = sysprotects.uid
where (sysobjects.type = 'X') and (sysobjects.uid < 5) and (sysprotects.protecttype <> 206)
1. For each row returned, verify that the value for name is not "public".
Management Studio:
Repeat the following for each server.
-Expand the server.
-Expand Databases.
-Expand the master database.
-Expand Programmability.
-Expand Extended Stored Procedures.
-Expand System Extended Stored Procedures.
-For each procedure, verify the following:
-Right-click on the procedure name and click Properties.
-Select the Permissions page.
-Under "Users or roles:", see if "public" exists. If it does, verify that Deny is checked.�T-SQL:
1. For each row returned, the value for name is not "public".
Enterprise Manager:
1. If "public" exists. Deny is checked.�T-SQL:
Repeat the following for each server.
-Enter the following statement:
exec sp_configure 'show advanced options', 1
reconfigure
exec sp_configure 'xp_cmdshell'
1. Verify that config_value is "0".
Management Studio:
N/A<�T-SQL:
1. The config_value is "0".
Enterprise Manager:
N/A:T-SQL:
1. "GRANT" is not returned.
Management Studio:
N/A��T-SQL:
Repeat the following for each database.
-Enter the following statement. Replace with the name of the database being tested.
use
select user_name(p.grantee_principal_id) 'User', o.name 'Object', p.permission_name
from sys.objects o, sys.database_permissions p
where o.object_id = p.major_id and p.grantee_principal_id in (0,2)
1. Verify that no rows are returned.
Management Studio:
N/A8T-SQL:
1. No rows are returned.
Management Studio:
N/A}T-SQL:
1. If results are returned, then each UserOrGroupName is a DBA or a batch processing account.
Management Studio:
N/A��T-SQL:
Repeat the following for each server.
-Enter the following statement:
use msdb
exec sp_enum_proxy_for_subsystem @subsystem_name='ActiveScripting'
exec sp_enum_proxy_for_subsystem @subsystem_name='CmdExec'
1. If no records are returned, then this check passes. If records are returned, then proceed to the next step.
-For each proxy listed, do the following.
-Enter the following statement replacing with the proxy name returned above:
exec sp_enum_login_for_proxy @proxy_name=''
2. Review the names listed in the return set. Verify that names returned include only sysadmins. If groups are returned, then verify that only sysadmins exist in those groups.
Management Studio:
N/A�T-SQL:
1. If no records are returned, then this check passes. If records are returned, proceed to the next step.
2. Names returned include only sysadmins. If groups are returned, then only sysadmins exist in those groups.
Enterprise Manager:
N/A��T-SQL:
Repeat the following for each database.
-Enter the following statement:
use
select sys.schemas.name as 'Schema Name', sys.database_principals.name as 'Schema Owner'
from sys.schemas, sys.database_principals
where sys.schemas.principal_id = sys.database_principals.principal_id
1. Verify that all schemas are owned by the database system, DBAs, or by a separate account created especially for application object ownership.
2. Verify that application user database accounts do not own any schemas.
3. Verify that DBA accounts do not own application specific schemas.
4. Verify that default DBMS database accounts other that the default administration account are not used as the owner of application specific schemas.
Management Studio:
N/A��T-SQL:
1. All schemas are owned by the database system, DBAs, or by a separate account created especially for application object ownership.
2. Application user database accounts do not own any schemas.
3. DBA accounts do not own application specific schemas.
4. Default DBMS database accounts other that the default administration account are not used as the owner of application specific schemas.
Management Studio:
N/A��T-SQL:
Repeat the following for each database.
-Enter the folliwng statement replacing with the database to test:
use
select distinct schema_id from sys.objects where is_ms_shipped=0
1. If no rows are returned, then this database passed the test and you should proceed to the next database.
-. If rows are returned, then enter the following statement for each row returned. Replace with the SID in the row.
select suser_sname(p.sid)
from sys.database_principals p, sys.server_principals s
where p.principal_id= and p.sid = s.sid and s.is_disabled=0 and p.type not in ('A','R')
2. Verify that no rows are returned.
Management Studio:
N/A�T-SQL:
1. If no rows are returned, then this database passed the test and you should proceed to the next database (skip test 2 for this database).
2. Verify that n<� o rows are returned.
Enterprise Manager:
N/A��T-SQL:
N/A
Management Studio:
Repeat the following for each server.
-Expand the server.
-Expand Server Objects.
-Expand Linked Servers.
-For each linked server, do the following:
-Double-click the linked server.
-Select the Security page.
1. Verify that the "Be made using the login's current security context" radio button is selected.
2. Under "Local server login to remote server login mappings", verify that there are no mappings.�T-SQL:
N/A
Enterprise Manager:
1. The "Be made using the login's current security context" radio button is selected.
2. Under "Local server login to remote server login mappings", there are no mappings.4�To locate the database names, do the following (repeat for each server):
T-SQL:
-Enter the following statement:
use master
select name from sysdatabases
Management Studio:
-Expand the server.
-Expand Databases.
For each database name listed with the exception of master, tempdb, model and msdb, verify the following:
1. Verify that only alphabetic (A-Z), numeric (0-9), and special characters (e.g. hyphen, colon, underscore) which are appropriate to the language are present in the name.
2. Verify that the first character of the name is alphabetic (A-Z).
3. Verify that the name does not start with a verb.
4. Verify that the length of the name is less than 30 characters long.
5. Verify that the name is unique.
6. Verify that the name is clear and accurate to reflect a condensed version of the data description.��Either test method:
1. Only alphabetic (A-Z), numeric (0-9), and special characters (e.g. hyphen, colon, underscore) which are appropriate to the language are present in the name.
2. The first character of the name is alphabetic (A-Z).
3. The name does not start with a verb.
4. The length of the name is less than 30 characters long.
5. The name is unique.
6. The name is clear and accurate to reflect a condensed version of the data description.O�To locate the database names, do the following (repeat for each server):
T-SQL:
-Enter the following statement:
use master
select name from sysdatabases
Enterprise Manager:
-Expand the server group.
-Expand the server.
-Expand Databases.
For each database name listed with the exception of master, tempdb, model and msdb, verify the following:
1. Verify that only alphabetic (A-Z), numeric (0-9), and special characters (e.g. hyphen, colon, underscore) which are appropriate to the language are present in the name.
2. Verify that the first character of the name is alphabetic (A-Z).
3. Verify that the name does not start with a verb.
4. Verify that the length of the name is less than 30 characters long.
5. Verify that the name is unique.
6. Verify that the name is clear and accurate to reflect a condensed version of the data description.t�T-SQL:
Repeat the following for each database.
-Enter the following statement:
use
select user_name(grantee_principal_id),permission_name from sys.database_permissions
where state in ('G','W')
1. Verify that no records are returned for the guest account, the public account or for any user accounts.
Management Studio:
Repeat the following for each database.
-Expand the server.
-Expand Databases.
-Right-click the database and click Properties.
-Select the Permissions page.
1. Verify that no Grant or With Grant permissions are specified for the guest account, the public account or for any user accounts.�T-SQL:
1. No records are returned for the guest account, the public account or for any user accounts.
Enterprise Manager:
1. No Grant or With Grant permissions are specified for the guest account, the public account or for any user accounts.��T-SQL:
Repeat the following for each database.
-Enter the following statement:
use
select user_name(grantee_principal_id),permission_name from sys.database_permissions
where (type like 'CR%' or type like 'BA%' or type='CL') and state in ('G','W')
1. Verify that no records are returned for application users, application administrators, application developers, or a member of an application role.
Management Studio:
Repeat the following for each database.
-Expand the server.
-Expand Databases.
-Right-click the database and click Properties.
-Select the Permissions page.
1. Verify that Grant or With Grant is not checked for application users, application administrators, application developers, or a member of an application role for the following permissions:
CREATE TABLE
CREATE VIEW
CREATE SP
CREATE DEFAULT
CREATE RULE
CREATE FUNCTION
BACKUP DB
BACKUP LOG
CREATE DATABASE��T-SQL:
1. No records are returned for application users, application administrators, application developers, or a member of an application role.
Management Studio:
1. Grant or With Grant is not checked for application users, application administrators, application developers, or a member of an application role for the following permissions:
CREATE TABLE
CREATE VIEW
CREATE SP
CREATE DEFAULT
CREATE RULE
CREATE FUNCTION
BACKUP DB
BACKUP LOG
CREATE DATABASE��T-SQL:
-Enter the following statement for each server and verify that no results are returned:
select suser_sname(role_principal_id) 'Role' from sys.server_role_members
where member_principal_id = 2
-Enter the following statement for each database
use
select user_name(role_principal_id) 'Role'
from sys.database_role_members
where member_principal_id =2
1. Verify that no results are returned:
Management Studio:
N/A=T-SQL:
1. No results are returned:
Enterprise Manager:
N/A��T-SQL:
Repeat the following for each server.
-Enter the following statement which displays all users who are granted server role memberships:
exec sp_helpsrvrolemember
1. Verify that only DBAs are granted server role memberships.
Management Studio:
Repeat the following for each server.
-Expand the server.
-Expand Security.
-Expand Server Roles.
-For each server role, do the following:
-Double-click the server role.
1. Verify that only DBAs are granted membership to the server role.��T-SQL:
Repeat the following for each database
-Enter the following statement which displays all users who are granted database role memberships:
exec sp_helprolemember
1. Verify that only DBAs are granted database role memberships (memberships beginning with "db_").
Management Studio:
Repeat the following for each database.
-Expand the server.
-Expand Databases.
-Expand the database.
-Expand Security.
-Expand Roles.
-Expand Database Roles.
-For each database role that begins with "db_", do the following:
-Double-click the database role.
-Select the General page.
-Under "Members of this role:",
1. Verify that only DBAs are granted membership to the database role.���T-SQL:
Repeat the following for each server.
-Enter the following statement:
exec sp_helpsrvrolemember � sysadmin�
1. Verify that only authorized logins are members of the System Administrators server role.
Management Studio:
Repeat the following for each server.
-Expand the server.
-Expand Security.
-Select Server Roles.
-Right-click the System Administrators (sysadmin) server role and click Properties.
1. Verify that only authorized logins are members of the System Administrators server role.s�T-SQL:
Repeat the following for each database.
-Enter the following statement:
use
select USER_NAME(p.grantee_principal_id) 'DB User', o.name 'Object', p.permission_name
from sys.database_permissions p, sys.objects o
where p.state='W'
1. All privileges returned have the "GRANT WITH GRANT" option enabled. Verify that all accounts returned are authorized to have "GRANT WITH GRANT" enabled. Application user database accounts, appl<� ication administrator accounts, application developer accounts, and application roles should not be listed. PUBLIC and GUEST should have this option DENIED.
Management Studio:
N/Ai�T-SQL:
1. All privileges returned have the "GRANT WITH GRANT" option enabled. All accounts returned are authorized to have "GRANT WITH GRANT" enabled. Application user database accounts, application administrator accounts, application developer accounts, and application roles are not listed. PUBLIC and GUEST have this option DENIED.
Enterprise Manager:
N/A��T-SQL:
Repeat the following for each database.
-Enter the following statement:
use
select u.name, o.name, p.permission_name
from sys.objects o, sys.database_principals u, sys.database_permissions p
where o.object_id=p.major_id
and p.grantee_principal_id=u.principal_id
and p.state in ('G','W')
and u.type in ('S','U')
1. Verify that there are no rows returned.
Management Studio:
N/A9T-SQL:
1. No rows are returned.
Enterprise Manager:
N/A�T-SQL:
1. For each row where Grantee is an application administrator or an application user AND Action is "References", ProtectType is not "Grant" or "Grant_WGO".
Enterprise Manager:
N/A��-Open the SQL Server Configuration Manager to view login accounts for the following services (some services may not exist):
- SQL Server ()
- SQL Server Agent ()
- SQL Server Analysis Services ()
- SQL Server Reporting Services ()
- SQL Server Integration Services
- SQL Server FullText Search ()
- SQL Server Browser ()
1. Verify that all of the above services use a custom account.
2. If any service uses a domain user account, verify that the service requires network or domain resources.
3. Verify that the accounts are not members of the local or domain administrators groups.
4. Verify that the accounts listed are not builtin accounts (LocalSystem, Local Service, Network Service, etc.) Exception: SQL Server Active Directory Helper or SQL Writer.
5. Verify the user rights granted to the above accounts. Note that user rights may be assigned to the service accounts via Windows groups. Only the below user rights should be assigned to the accounts.
SQL Server account:
- Log on as a Service
- Act as part of the Operating System
- Log on as a batch job
- Replace a process-level token
- Bypass traverse checking
- Adjust memory quotas for a process
- Permission to start SQL Server Active Directory Helper
- Permission to Start SQL Writer
SQL Server Agent account:
- Log on as a Service
- Act as part of the Operating System
- Log on as a batch job
- Replace a process-level token
- Bypass traverse checking
- Adjust memory quotas for a process
Analysis Server account:
- Log on as a service
Report Server account:
- Log on as a service
Integration Services account:
- Log on as a service
- Permission to write to application event log
- Bypass traverse checking
- create global objects
- Impersonate a client after authentication
Full-Text Search account:
- Log on as a Service
SQL Server Browser account:
- Log on as a Service��1. All of the above services use a custom account.
2. If any service uses a domain user account, the service requires network or domain resources.
3. The accounts are not members of the local or domain administrators groups.
4. The accounts listed are not builtin accounts (LocalSystem, Local Service, Network Service, etc.) Exception: SQL Server Active Directory Helper or SQL Writer.
5. The user rights granted to the above accounts. Note that user rights may be assigned to the service accounts via Windows groups. Only the below user rights should be assigned to the accounts.
SQL Server account:
- Log on as a Service
- Act as part of the Operating System
- Log on as a batch job
- Replace a process-level token
- Bypass traverse checking
- Adjust memory quotas for a process
- Permission to start SQL Server Active Directory Helper
- Permission to Start SQL Writer
SQL Server Agent account:
- Log on as a Service
- Act as part of the Operating System
- Log on as a batch job
- Replace a process-level token
- Bypass traverse checking
- Adjust memory quotas for a process
Analysis Server account:
- Log on as a service
Report Server account:
- Log on as a service
Integration Services account:
- Log on as a service
- Permission to write to application event log
- Bypass traverse checking
- create global objects
- Impersonate a client after authentication
Full-Text Search account:
- Log on as a Service
SQL Server Browser account:
- Log on as a Serviceo�T-SQL:
Repeat the following for each server.
-Enter the following statement:
use master
select name from syslogins
where (loginname = 'BUILTIN\Administrators')
1. Verify that nothing is returned.
Management Studio:
Repeat the following for each server.
-Expand the server.
-Expand Security.
-Select Logins.
1. Verify that BUILTIN\Administrators is not a valid login.��T-SQL:
-Enter the following statement:
exec sp_configure 'show advanced options', 1
reconfigure
exec sp_configure 'SQL Mail XPs'
1. Verify that "0" is returned for config_value.
Management Studio:
Repeat the following for each server.
-Expand the server.
-Expand Management.
-Expand Legacy.
-Right click on SQL Mail and select Properties.
1. Verify that a a prompt to enable SQL Mail is displayed. Answer "No" if prompted.�T-SQL:
1. "0" is returned for config_value.
Enterprise Manager:
1. A prompt to enable SQL Mail is displayed. Answer "No" if prompted.�T-SQL:
-Enter the following statement:
exec sp_configure 'show advanced options', 1
reconfigure
exec sp_configure 'Database Mail XPs'
1. Verify that "0" is returned for config_value.
Management Studio:
N/AET-SQL:
1. "0" is returned for config_value.
Enterprise Manager:
N/A��T-SQL:
N/A
Management Studio:
Repeat the following for each publication on each server.
-Expand the server.
-Expand Replication.
-Expand Local Publications.
-Right-click the publication and click Properties.
-Click the Snapshot page.
1. Under "Location of snapshot files", verify that the directory listed is not a Windows administrative share.
-Navigate to the directory listed under "Location of snapshot files", using Windows Explorer.
-Right-click on the directory and click Properties.
-Select the Security tab.
2. Verify that the only permissions are the following or less:
- full control - Administrators
- DBAs (custom group/user)
- read - Merge and Distribution Agents (custom group/user)
- write - Snapshot Agents (custom group/user)g�T-SQL:
N/A
Enterprise Manager:
1. Under "Location of snapshot files", the directory listed is not a Windows administrative share.
2. The only permissions are the following or less:
- full control - Administrators
- DBAs (custom group/user)
- read - Merge and Distribution Agents (custom group/user)
- write - Snapshot Agents (custom group/user)��T-SQL:
N/A
Enterprise Manager:
1. The radio button "Run under the following Windows account:" is selected.
2. "Process account:" is a Windows account that is authorized to run the Snapshot Agent process.
3. The radio button "By impersonating the process account" is selected.
4. "Agent process account" is a Windows account that is authorized to run the Snapshot Agent process.
5. "Distributor connection" is "Impersonate agent process account (Windows Authentication)".��T-SQL:
N/A
Management Studio:
-Expand the server.
-Expand Replication.
-Expand Local Publications.
4. Right-click each publication, select Properties, and perform the following steps.
-Select the Agent Security page.
-Click the "Security Settings..." button.
1. Verify that the radio button "Run under the following Windows account:" is selected.
2. Verify that "Process account:" is a Windows account that is authorized to run the Snapshot Agent process.
3. Verify that the radio button "By impersonating the process account" is selected.
-Expand Local Subscriptions.
-Right-click each subscription, select Properties, and perform<� the following steps.
4. Verify that "Agent process account" is a Windows account that is authorized to run the Snapshot Agent process.
5. Verify that "Distributor connection" is "Impersonate agent process account (Windows Authentication)".�T-SQL:
Repeat the following for each server.
-Enter the following statement:
select name, type from sys.server_principals
where type <> 'R' and is_disabled <> '1'
1. Verify that all accounts listed are actually in use.
Management Studio:
N/ALT-SQL:
1. All accounts listed are actually in use.
Enterprise Manager:
N/A��T-SQL:
-Enter the following statement for each server. Note that the statement checking for the "CREATE DATABASE" statement will return an error if CREATE DATABASE is not assigned.
exec sp_helpsrvrolemember 'sysadmin'
exec sp_helpsrvrolemember 'dbcreator'
exec sp_helprotect 'CREATE DATABASE'
1. Verify that only users who should have access to RESTORE are returned (sa and the database owner are valid if they are returned).
-Enter the following statement for each database. Replace with the name of the database being tested.
use
exec sp_helprolemember 'db_owner'
2. Verify that only users who should have access to RESTORE are returned (sa and the database owner are valid if they are returned).
Management Studio:
N/A�-Open the SQL Server Configuration Manager.
-Expand SQL Server 2005 Network Configuration.
-Right-click on Protocols for and click Properties.
-Select the Flags tab.
1. Verify that the value for ForceEncryption is "Yes".*1. The value for ForceEncryption is "Yes".��T-SQL:
Repeat the following for each server.
-Review jobs scheduled to start automatically at system startup. Enter the following statement:
use master
select name from sys.procedures
1. Verify that all jobs listed are authorized.
-Review the SQL Server job history. Enter the following statement:
use msdb
select distinct (j.name) from sysjobhistory h,sysjobs j where h.job_id=j.job_id
2. Verify that all jobs listed are authorized.
Management Studio:
N/AgT-SQL:
1. All jobs listed are authorized.
2. All jobs listed are authorized.
Enterprise Manager:
N/Ai�-Open Computer Management. Click Start, Control Panel, Administrative Tools, Computer Management.
-In Computer Management, expand System Tools, expand Local Users and Groups, and select Groups.
-View the list of groups defined.
1. Verify that a DBA Windows OS group exists and that only authorized DBA accounts exist within that group.
-In Management Studio, expand the server
-expand Security
-expand Logins
2. Verify that the group exists as a login.
-Double click the group
-click the Server Roles page
3. Verify that sysadmin is checked.
4. Verify that the DBA Windows OS group exists as a SQL Server Login. �T-SQL:
1. A DBA Windows OS group exists and that only authorized DBA accounts exist within that group.
2. The group exists as a login.
3. Sysadmin is checked.
4.The DBA Windows OS group exists as a SQL Server Login.
Enterprise Manager:
N/A*�T-SQL:
-Determine if replication is in use. Enter the following statement which checks to see if the replication database exists:
select count(name) from sys.databases
where name = 'distribution'
1. If 0 is returned, then replication is not in use and this check passes. If 1 is returned, continue.
-Enter the following statements:
use distribution
exec sp_helprolemember 'replmonitor'
2. Verify that only DBA and designated replication database accounts are returned.
-Determine the databases participating in replication. Enter the following statements:
exec sp_helpreplicationdboption
-For each database returned, enter the following statement
use
exec sp_helprolemember 'db_owner'
3. Verify that only DBA and designated replication database accounts are returned.
Management Studio:
N/A��T-SQL:
1. If 0 is returned, then replication is not in use and this check passes. If 1 is returned, continue.
2. Only DBA and designated replication database accounts are returned.
3. Only DBA and designated replication database accounts are returned:
Enterprise Manager:
N/A1�To locate the database names, do the following (repeat for each server):
T-SQL:
-Enter the following statement:
use master
select name from sysdatabases
Management Studio:
-Expand the server.
-Expand Databases.
1. Verify that all databases listed are production databases and not development databases.�T-SQL:
1. All databases listed are production databases and not development databases.
Enterprise Manager:
1. All databases listed are production databases and not development databases.��Repeat the following for each server.
Management Studio:
-Expand the server.
1. Verify that the server contains either production or development databases. If the server contains both production and development databases, then this server fails this check.
-Expand Server Objects.
-Select Linked Servers.
2. Verify that each linked server's function type matches the function type of the local server. For example, if the local server contains production databases, then all linked servers must contain only production databases. If the local server contains development databases, then all linked servers must contain only development databases.��1. The server contains either production or development databases, not both. If the server contains both production and development databases, then this server fails this check.
2. Each linked server's function type matches the function type of the local server.�-Click Start -> Search.
-Search all hard drives (including subfolders) for the file Odbctrac.dll.
1. Verify that the file does not exist anywhere on the system.�1. The database and database application software are baselined and the baseline is maintained after upgrades to the software are made.�1. Verify with the DBA that database and database application software are baselined and the baseline is maintained after upgrades to the software are made.�1. Audit data is captured, backed up, and maintained. IRS requires agencies to retain archived audit logs/trails for the remainder of the year they were made plus six years.O� represents the directory created for the specific SQL Server instance. This directory is specified in the registry under HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL.
Review the security settings for each directory/file specified below. The permission to check is specified first followed by a list of dirctories/files and the account/group that should have the permission.
Verify that the permission assignments are not less restrictive than listed. Verify that no permission assignments are granted the the builtin USERS group. For any or directories or files, the following groups may have Full Control assigned: Administrators (builtin group), DBAs (custom group), CREATOR OWNER (builtin), SYSTEM (builtin).
Full Control
1. \MSSQL\backup | MSSQLServer, SQLServerAgent
2. \MSSQL\data | MSSQLServer
3. \MSSQL\FTData | MSSQLServer, FTS
4. \MSSQL\jobs | SQLServerAgent
5. \MSSQL\Log (all files) | MSSQLServer, SQLServerAgent
6. \MSSQL\Log\(all files except .trc files) | FTS
7. \MSSQL\Repldata | MSSQLServer
8. \Olap\Backup | MSSQLServerOLAPservice
9. \Olap\Config | MSSQLServerOLAPservice
10. \Olap\Data | MSSQLServerOLAPservice
11. \Reporting Services\reportservice.asmx | SQLServer2005ReportingServicesWebServiceUser,SQL Services Users
12. \Reportingservices\Reportserver\global.asax | SQLServer2005ReportServerUser,SQLServer2005ReportingServicesWebServiceUser
Read
13. \MSSQL\Template Data (SQL Server Express Only) | MSSQLServer
14. \Reporting Services\reportManager\pages | SQLServer2005ReportingServicesWebServiceUser,SQL Services Users
15. \Reporting Services\reportManager\Styles | SQLServer2005ReportingServicesWebServiceUser,SQL Services Users
16. \Reporting Services\reportManager\webctrl_client\1_0 | SQLServer2005ReportingServicesWebServiceUser
17. \Reportingservices\Reportserver\global.asax | SQL Serv<� ices Users
Read, Execute
18. \MSSQL\binn | SQL Services Users
19. \MSSQL\FTRef | FTS
20. \MSSQL\Install | MSSQLServer, FTS
21. \OLAP | MSSQLServerOLAPservice
22. \Reporting Services\ReportServer | SQLServer2005ReportServerUser,SQLServer2005ReportingServicesWebServiceUser,SQL Services Users
23. \Reporting Services\reportManager | SQLServer2005ReportServerUser,SQLServer2005ReportingServicesWebServiceUser,SQL Services Users
24. \MSSQL\binn\sqlctr90.dll | Perfomance Log Users,Performance Monitor Users
Read, Write
25. \Olap\Log | MSSQLServerOLAPservice
26. \Reporting Services\RSTempfiles | SQLServer2005ReportServerUser,SQLServer2005ReportingServicesWebServiceUser
27. \Reportingservices\Reportserver\Reportserver.config | SQLServer2005ReportServerUser,SQLServer2005ReportingServicesWebServiceUser
Read, Write, Delete
28. \Reporting Services\Log ob体育s | SQLServer2005ReportServerUser,SQLServer2005ReportingServicesWebServiceUser
List folder contents
29. \MSSQL\binn | Perfomance Log Users,Performance Monitor UsersT Full Control
1. \MSSQL\backup | MSSQLServer, SQLServerAgent
2. \MSSQL\data | MSSQLServer
3. \MSSQL\FTData | MSSQLServer, FTS
4. \MSSQL\jobs | SQLServerAgent
5. \MSSQL\Log (all files) | MSSQLServer, SQLServerAgent
6. \MSSQL\Log\(all files except .trc files) | FTS
7. \MSSQL\Repldata | MSSQLServer
8. \Olap\Backup | MSSQLServerOLAPservice
9. \Olap\Config | MSSQLServerOLAPservice
10. \Olap\Data | MSSQLServerOLAPservice
11. \Reporting Services\reportservice.asmx | SQLServer2005ReportingServicesWebServiceUser,SQL Services Users
12. \Reportingservices\Reportserver\global.asax | SQLServer2005ReportServerUser,SQLServer2005ReportingServicesWebServiceUser
Read
13. \MSSQL\Template Data (SQL Server Express Only) | MSSQLServer
14. \Reporting Services\reportManager\pages | SQLServer2005ReportingServicesWebServiceUser,SQL Services Users
15. \Reporting Services\reportManager\Styles | SQLServer2005ReportingServicesWebServiceUser,SQL Services Users
16. \Reporting Services\reportManager\webctrl_client\1_0 | SQLServer2005ReportingServicesWebServiceUser
17. \Reportingservices\Reportserver\global.asax | SQL Services Users
Read, Execute
18. \MSSQL\binn | SQL Services Users
19. \MSSQL\FTRef | FTS
20. \MSSQL\Install | MSSQLServer, FTS
21. \OLAP | MSSQLServerOLAPservice
22. \Reporting Services\ReportServer | SQLServer2005ReportServerUser,SQLServer2005ReportingServicesWebServiceUser,SQL Services Users
23. \Reporting Services\reportManager | SQLServer2005ReportServerUser,SQLServer2005ReportingServicesWebServiceUser,SQL Services Users
24. \MSSQL\binn\sqlctr90.dll | Perfomance Log Users,Performance Monitor Users
Read, Write
25. \Olap\Log | MSSQLServerOLAPservice
26. \Reporting Services\RSTempfiles | SQLServer2005ReportServerUser,SQLServer2005ReportingServicesWebServiceUser
27. \Reportingservices\Reportserver\Reportserver.config | SQLServer2005ReportServerUser,SQLServer2005ReportingServicesWebServiceUser
Read, Write, Delete
28. \Reporting Services\Log ob体育s | SQLServer2005ReportServerUser,SQLServer2005ReportingServicesWebServiceUser
List folder contents
29. \MSSQL\binn | Perfomance Log Users,Performance Monitor Users�� represents the subdirectory of the Program ob体育s directory named Microsoft SQL Server.
Review the security settings for each directory/file specified below. The permission to check is specified first followed by a list of dirctories/files and the account/group that should have the permission.
Verify that the permission assignments are not less restrictive than listed. Verify that no permission assignments are granted the the builtin USERS group. For any or directories or files, the following groups may have Full Control assigned: Administrators (builtin group), DBAs (custom group), CREATOR OWNER (builtin), SYSTEM (builtin).
Read, Execute, List folder contents
1. \90\Notification services | Notification services
Full Control
2. \90\shared\msmdlocal.ini | MSSQLServerOLAPservice
Read
3. \90\shared\msmdlocal.ini | SQL Server Browser
4. \90\dts\binn\MsDtsSrvr.ini.xml | MSDTSServer
5. \90\sdk | SQL Services Users
Read, Execute
6. \90\tools | SQL Services Users
7. \90\Setup Bootstrap | SQL Services Users
8. \80\tools | SQL Services Users
9. \90\com | MSSQLServer,SQLServerAgent
10. \90\dts | SQL Services Users
11. \90\dts\binn | MSDTSServer
12. \90\shared | MSSQLServer,SQLServerAgent,FTS,MSSQLServerOLAPservice,SQLServer2005ReportServerUser,SQLServer2005ReportingServicesWebServiceUser,Notification services,MSDTSServer,SQL Server Browser
Read, Write
13. \90\shared\Errordumps | MSSQLServer,SQLServerAgent,FTS
MSSQLServerOLAPservice,SQLServer2005ReportServerUser,SQLServer2005ReportingServicesWebServiceUser,Notification services,MSDTSServer,SQL Server Browser ��Read, Execute, List folder contents
1. \90\Notification services | Notification services
Full Control
2. \90\shared\msmdlocal.ini | MSSQLServerOLAPservice
Read
3. \90\shared\msmdlocal.ini | SQL Server Browser
4. \90\dts\binn\MsDtsSrvr.ini.xml | MSDTSServer
5. \90\sdk | SQL Services Users
Read, Execute
6. \90\tools | SQL Services Users
7. \90\Setup Bootstrap | SQL Services Users
8. \80\tools | SQL Services Users
9. \90\com | MSSQLServer,SQLServerAgent
10. \90\dts | SQL Services Users
11. \90\dts\binn | MSDTSServer
12. \90\shared | MSSQLServer,SQLServerAgent,FTS,MSSQLServerOLAPservice,SQLServer2005ReportServerUser,SQLServer2005ReportingServicesWebServiceUser,Notification services,MSDTSServer,SQL Server Browser
Read, Write
13. \90\shared\Errordumps | MSSQLServer,SQLServerAgent,FTS
MSSQLServerOLAPservice,SQLServer2005ReportServerUser,SQLServer2005ReportingServicesWebServiceUser,Notification services,MSDTSServer,SQL Server Browser x�T-SQL:
Repeat the following for each database.
-Enter the following statement:
use
select schema_name(o.schema_id) as 'Schema', o.name
from sys.objects o, sys.sql_modules s
where o.object_id=s.object_id and s.definition is not null
1. If any results are listed that are not installed as part of a COTS application, then this test fails.
Management Studio:
N/A�T-SQL:
1. If any results are listed that are not installed as part of a COTS application, then this test fails.
Management Studio:
N/A��T-SQL:
Repeat the following for each server.
-Enter the following statement
select name from sys.system_objects where type='X' and is_ms_shipped=0 order by name
1. Verify that no records are returned.
-Enter the following statement
select name from sys.system_objects where type='X' and is_ms_shipped=1 order by name
2. Verify that all of the extended stored procedures returned are required.
Management Studio:
N/A|T-SQL:
1. No records are returned.
2. All of the extended stored procedures returned are required.
Management Studio:
N/AD�T-SQL:
Repeat the following for each server.
-Enter the following statement:
exec sp_configure 'show advanced options', 1
reconfigure
exec sp_configure 'OLE Automation Procedures'
1. Verify that config_value is "0". If config_value is not "0", then verify that OLE Automation Procedures are required.
Management Studio:
N/A€T-SQL:
1. config_value is "0". If config_value is not "0", then OLE Automation Procedures are required.
Management Studio:
N/AM�T-SQL:
Repeat the following for each server.
-Enter the following statement:
use master
select o.name, user_name(p.grantee_principal_id)
from sys.system_objects o, sys.database_permissions p
where o.object_id = p.major_id and
o.name like 'xp_reg%' and p.type='EX'
1. Verify that only DBA accounts are listed in the return results. Verify that any references to PUBLIC are not returned.
NOTE: By default, the public role is granted execute acces<� s to xp_regread. If this access is required, transfer the privilege assignment to the authorized custom database role.
Management Studio:
N/A}T-SQL:
1. Only DBA accounts are listed in the return results. No references to PUBLIC are returned.
Enterprise Manager:
N/A�Examine
Interview��-Enter the following DB2 system command:
db2level
-The above command's output will include an "Informational tokens" section. Determine the DB2 version and the FixPak version from this output.
1. Verify that the DB2 version begins with 8. An example DB2 version is v8.1.7.912.
2. Verify that the FixPak version matches the latest FixPak version provided by IBM. The latest FixPak version can be found here:
http://www-1.ibm.com/support/docview.wss?rs=71&uid=swg21256235�1. The DB2 version begins with 8. An example DB2 version is v8.1.7.912.
2.The FixPak version matches the latest FixPak version provided by IBM. ��IBM has dropped base support for v8.x of DB2 (April 30, 2009).
IBM will be dropping extended support for v8.x of DB2 on April 30, 2012.
Up to date product lifecycle information can be found here:
http://www-1.ibm.com/support/docview.wss?rs=71&uid=swg21168270
-Speak with the DBA to determine if base or extended support is available for the copy of DB2 that you are reviewing.
-Based on the type of support available, determine if support for DB2 will expire within six months. If support will not expire within six months, then this check passes.
1. If support will expire within six months, then verify that a formal migration plan is in place for removing or upgrading DB2 prior to the expiration date.�1. If support will expire within six months, a formal migration plan is in place for removing or upgrading DB2 prior to the expiration date.��Repeat the following steps for each DB2 instance.
-Enter the following command from the DB2 Command Line Processor to determine the value assigned to DASADM_GROUP.
get admin cfg
-Enter the following command from the DB2 Command Line Processor to determine the value assigned to SYSADM_GROUP.
get dbm cfg
-Check memberships for each group specified in steps 1 and 2 from the host operating system.
1. Verify that only DBA accounts are members of these groups.01. Only DBA accounts are members of these groups��Repeat the following steps for each DB2 instance.
-Enter the following command from the DB2 Command Line Processor:
get dbm cfg
-View the returned value for the DATALINKS parameter.
If the DATALINKS value is NO, then proceed to the next instance. Otherwise, continue with the following steps.
-Enter the following DB2 system command:
dlfm list registered databases
dlfm list registered directories for all users on db inst node
-For all of the directories listed, view the host system file permissions
1. Verify that permissions are granted only to SAs, DBAs, the DB2 installation account, the Data Links Administrator account, and the DB2 and Data Links Manager service/daemon accounts.�1. Permissions are granted only to SAs, DBAs, the DB2 installation account, the Data Links Administrator account, and the DB2 and Data Links Manager service/daemon accounts.��Repeat the following steps for each DB2 instance.
-Enter the following command from the DB2 Command Line Processor:
get dbm cfg
-View the returned value for the DATALINKS parameter.
If the DATALINKS value is NO, then proceed to the next instance. Otherwise, continue with the following steps.
-Determine the service accounts for the DB2 - service and the DLFM service.
1. For Windows, if the DLFM service uses an account other than the DB2 - service, then confirm that user rights assigned to the DLFM service account are limited to:
Act as part of the operating system
Create token object
Increase quotas
Log on as a service
Replace a process level token
1. For Unix, verify that the process account(s) do not belong to the Root group.j�For Windows:
1. If the DLFM service uses an account other than the DB2 - service, then the user rights assigned to the DLFM service account are limited to:
Act as part of the operating system
Create token object
Increase quotas
Log on as a service
Replace a process level token
For Unix
1. The process account(s) do not belong to the Root group.�1. The Authentication field value for all connections is SERVER_ENCRYPT, KERBEROS, or KRB_SERVER_ENCRYPT.
2. DB2 clients are using SERVER_ENCRYPT, KERBEROS, or KRB_SERVER_ENCRYPT authentication.��-Enter the following DB2 system command:
db2ca
1. Verify that the Authentication field value for all connections is SERVER_ENCRYPT, KERBEROS, or KRB_SERVER_ENCRYPT.
2. Interview the DBA to verify that DB2 clients are using SERVER_ENCRYPT, KERBEROS, or KRB_SERVER_ENCRYPT authentication.��Repeat the following steps for each DB2 instance.
-Enter the following command from the DB2 Command Line Processor to determine the values assigned to SYSADM_GROUP, SYSCTRL_GROUP, and SYSMAINT_GROUP.
get dbm cfg
1. If any value is blank, then this check fails.
-Check memberships for each group specified above from the host operating system.
2. Verify that only authorized DBA accounts are members of these groups.n1. If any value is blank, then this check fails.
2. Only authorized DBA accounts are members of these groups.i1. The DB2 installation account is a custom account created specifically to support the DB2 installation.~���-Determine the location of the DB2 installation directory. On Unix systems type "echo $DB2PATH" at the system prompt. On Windows systems type "set DB2PATH" at the system prompt.
-From the system prompt, navigate to the DB2 installation directory specified in above.
-Determine the DB2 installation account (the owner of the DB2 files and directories). For Windows, use the dir /q /s command. For Unix, use the ls -l command.
1. Verify that the DB2 installation account is a custom account created specifically to support the DB2 installation.
Remember the name if the DB2 installation account. This account name is used in future checks. ��G�This check requires information found in a previous check. It requires the name of the DB2 installation account.
On Unix:
1. Verify that the DB2 installation account has root authority.
On Windows:
1. Verify that the DB2 installation account is a member of the local Administrators group.
-Determine the group memberships for the DB2 installation account. Start>Settings>Control Panel>Administrative Tools>Computer Management>System Tools>Local Users and Groups>Users>DB2 installation account>Member Of>Note group membership assignments.
2. Verify that the DB2 installation account has only the "Act as part of the operating system" user right and user rights assigned to the local Administrators group. Start>Settings>Control Panel>Administrative Tools>Local Security Policy>Local Policies>User Rights Assignments>Review assignments.
3. Verify that the DB2 installation account has Full Control permissions to the SQLLIB directory, subdirectories, and files.
4. Verify that the DB2 installation account has Full Control permissions to the DB2 instance directories, subdirectories, and files.��On Unix:
1. The DB2 installation account has root authority.
On Windows:
1. The DB2 installation account is a member of the local Administrators group.
2. The DB2 installation account has only the "Act as part of the operating system" user right and user rights assigned to the local Administrators group. Start>Settings>Control Panel>Administrative Tools>Local Security Policy>Local Policies>User Rights Assignments>Review assignments.
3. The DB2 installation account has Full Control permissions to the SQLLIB directory, subdirectories, and files.
4. The DB2 installation account has Full Control permissions to the DB2 instance directories, subdirectories, and files.I1.Access to the DB2 installation account is restricted to approved users.��-Determine the DB2 service account. On Windows, go to Start>Settings>Control Panel>Administrative Tools>Computer Management>Services and Applications>Services>DB2 - -0. On Unix, enter the command ps -ef|grep DB2.
1. Verify that the DB2 service ac<� count is a custom account used specifically to support the service/daemon.
-Determine the groups that the DB2 service account is a member of. On Windows, go to Start>Settings>Control Panel>Administrative Tools>Computer Management>System Tools>Local Users and Groups>Users>DB2 service account name>Member of>Note group membership assignments. On Unix, enter the command groups .
2. On Unix, verify that the DB2 service account is not assigned Root group membership and that it does not have a privileged user id.
or
2. On Windows, verify that the DB2 service account is not a member of the Administrators group.
or
5. On Windows, verify that the DB2 service account is granted only the following user rights. To see user rights, go to Start>Settings>Control Panel>Administrative Tools>Local Security Policy>Local Policies>User Rights Assignments> Review assignments.
Act as part of the operating system
Create token object
Increase quotas
Log on as a service
Replace a process level token��1. Verify that the DB2 service account is a custom account used specifically to support the service/daemon.
2. On Unix, the DB2 service account is not assigned Root group membership and that it does not have a privileged user id.
or
2. On Windows, verify that the DB2 service account is not a member of the Administrators group.
3. On Windows, the DB2 service account is granted only the following user rights. To see user rights, go to Start>Settings>Control Panel>Administrative Tools>Local Security Policy>Local Policies>User Rights Assignments> Review assignments.
Act as part of the operating system
Create token object
Increase quotas
Log on as a service
Replace a process level token5�If the host operating system is Windows, then this check is N/A.
-Determine the DB2 instance owner. The default account name for the DB2 instance owner is db2inst1. Use /opt/IBM/db2/V8.1/sqllib/db2ps command to see the instance account.
-View the owner of the .fenced file located in the DB2 inst����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������ance owner's $HOME/sqllib/adm directory with the ls -l .fenced command.
1. The owner of this file should be the fenced user account.
-Enter the following command to list the group memberships of the fenced user account.
groups
2. Verify that the fenced user account does not belong to the Root group.
-Enter the following command to view all files owned by the fenced user account.
ls -l |grep
3. Verify that the fenced user account does not own files other than the .fenced file.
�1. The owner of this file is the fenced user account.
2. The fenced user account does not belong to the Root group.
3. The fenced user account does not own files other than the .fenced file.��Repeat the following steps for each DB2 database in each instance.
-Enter the following command from the DB2 Command Line Processor.
select grantee from syscat.dbauth where granteetype='G' and connectauth='Y'
-For each record returned,
1. Verify that the value for grantee is not a group unless justified and documented with the SecSpec.
-For each record returned
2. Verify that the value for grantee is not PUBLIC.�1. The value for grantee is not a group unless justified and documented with the SecSpec.
2. The value for grantee is not PUBLIC.T�Repeat the following steps for each DB2 database in each instance.
-Interview the DBA to determine if the database is used for production or development.
-Enter the following command from the DB2 Command Line Processor.
select grantee from syscat.dbauth where CREATETABAUTH='Y' or BINDADDAUTH='Y' or
NOFENCEAUTH='Y' or IMPLSCHEMAAUTH='Y' or EXTERNALROUTINEAUTH='Y' or
QUIESCECONNECTAUTH='Y' or LOADAUTH='Y'
-For each record returned,
1. Verify that the value for grantee is not an application user account.
2. If this is a production database, then verify for each record returned that the value for grantee is either a DBA account or an application owner account.
or
2. If this is a development database, then verify for each record returned that the value for grantee is either a DBA account, an application owner account, or a developer account.|�1. The value for grantee is not an application user account.
2. If this is a production database, for each record returned that the value for grantee is either a DBA account or an application owner account.
or
2. If this is a development database, for each record returned that the value for grantee is either a DBA account, an application owner account, or a developer account.I�Repeat the following steps for each DB2 database in each instance.
-Enter the following command from the DB2 Command Line Processor.
select grantee from syscat.dbauth where CREATETABAUTH='Y' or BINDADDAUTH='Y' or IMPLSCHEMAAUTH='Y' or CONNECTAUTH='Y'
1. For each record returned, verify that the value for grantee is not PUBLIC.'1. The value for grantee is not PUBLIC.�Repeat the following steps for each DB2 database in each instance.
-Enter the following command from the DB2 Command Line Processor.
select grantee from syscat.dbauth where NOFENCEAUTH='Y'
1. Verify that no records are returned.�1. No records are returned.3�Repeat the following steps for each DB2 database in each instance.
-Enter the following command from the DB2 Command Line Processor.
select routineschema, routinename from syscat.routines where fenced='N' and routineschema not in
('SYSFUN','SYSPROC','SYSIBM','SQLJ')
1. Verify that no records are returned.$�Repeat the following steps for each DB2 database in each instance.
-Enter the following command from the DB2 Command Line Processor.
select grantee from syscat.dbauth where EXTERNALROUTINEAUTH='Y'
1. Verify for each record returned that the value for grantee is an application owner account.R1. For each record returned,the value for grantee is an application owner account.�1. Each grantee returned is either a DBA or an application owner account.
2. PUBLIC is not a grantee for having USE tablespace authority or the CREATEIN schema authority.��Repeat the following steps for each DB2 database in each instance.
-Enter the following command from the DB2 Command Line Processor.
select grantee from syscat.tabauth where alterauth='Y' or refauth='Y' or indexauth='Y' or controlauth='Y'
select grantee from syscat.schemaauth where alterinauth='Y' or createinauth='Y' or dropinauth='Y'
(Note if PUBLIC is assigned CREATEINAUTH)
select grantee from syscat.passthruauth
select grantee from syscat.sequenceauth where alterauth='Y' or usageauth='Y'
select grantee from syscat.tbspaceauth where useauth='Y'
(Note if PUBLIC is assigned USEAUTH)
select grantee from syscat.indexauth where controlauth='Y'
select grantee from syscat.packageauth where controlauth='Y' or bindauth='Y'
1. Verify that each grantee returned is either a DBA or an application owner account.
2. Verify that PUBLIC is not a grantee for having USE tablespace authority or the CREATEIN schema authority.(�Repeat the following steps for each DB2 database in each instance.
-Enter the following command from the DB2 Command Line Processor.
select grantee from syscat.tabauth where alterauth='G or deleteauth='G'' or refauth='G' or indexauth='G' or
insertauth='G' or updateauth='G' or deleteauth='G'
select grantee from syscat.schemaauth where alterinauth='G' or createinauth='G' or dropinauth='G'
select grantee from syscat.routineauth where executeauth='G'
select grantee from syscat.sequenceauth where alterauth='G' or usageauth='G'
select grantee from syscat.tbspaceauth where useauth='G'
select grantee from syscat.indexauth where controlauth='Y'
select grantee from syscat.packageauth where executelauth='G' or bindauth='G'
1. Verify that each grantee returned is either a DBA or an application owner account.I1. Each grantee returned is either a DBA or an application owner account.`�Repeat the following steps for each DB2 database in each instance.
-Enter the following command from the DB2 Command Line Processor.
select grantee from syscat.tabauth where grantee='PUBLIC' and selectauth='Y' and tabname in ('DBAUTH', 'TABAUTH','PACKAGEAUTH','INDEXAUTH','COLAUTH','PASSTHRUAUTH', 'SCHEMAAUTH')
1. Verify that no records are returned.��Repeat the following steps fo<� r each DB2 database in each instance.
-Enter the following command from the DB2 Command Line Processor.
select distinct definer from syscat.indexes where definer <>'SYSIBM'
select distinct definer from syscat.packages where definer <>'SYSIBM'
select distinct definer from syscat.routines where definer <>'SYSIBM'
select distinct definer from syscat.schemata where definer <>'SYSIBM'
select distinct definer from syscat.tables where definer <>'SYSIBM'
select distinct definer from syscat.triggers where definer <>'SYSIBM'
select distinct definer from syscat.views where definer <>'SYSIBM'
1. For all definers listed, verify with the DBA that these are authorized application object owners or DBAs.S1. For all definers listed, these are authorized application object owners or DBAs.��Repeat the following steps for each DB2 instance.
-Enter the following DB2 system command:
db2audit describe
1. Verify that all of the following are returned with a value of true:
Log audit events
Log object maintenance events
Log security maintenance events
Log system administrator events
Log validate events
2. Verify with the DBA that both success and failure of each of the above events is logged.�1.All of the following are returned with a value of true:
Log audit events
Log object maintenance events
Log security maintenance events
Log system administrator events
Log validate events
2. Both success and failure of each of the above events is logged.�Repeat the following steps for each DB2 instance.
-Enter the following DB2 system command:
db2audit describe
1. Verify that the value "Audit active" returns true.
2. Verify with the DBA that a process exists that enabled auditing at server startup.f1. The value "Audit active" returns true.
2. A process exists that enabled auditing at server startup.��Repeat the following steps for each DB2 instance.
-Enter the following DB2 system command:
db2audit describe
1. Consult with the data owner and verify that the value for "Return SQLCA on audit error" complies with privacy, security classification, and other sensitivity considerations.�1. The value for "Return SQLCA on audit error" complies with privacy, security classification, and other sensitivity considerations.��Repeat the following steps for each DB2 instance.
-Determine the file permissions for the security folder. The security folder is located here:
\\security
is the DB2 installation directory and is the name of the instance.
1. Verify that permissions are locked down for the security directory. For Windows, this should be Full Control granted to the SYSADM group and the BUILTIN\Administrators group.:1. Permissions are locked down for the security directory.��-Determine the location of the DB2 installation directory. On Unix/Linux systems type "echo $DB2PATH" at the system prompt. On Windows systems type "set DB2PATH" at the system prompt.
-From the system prompt, navigate to the DB2 installation directory specified above.
-For Windows, enter the dir /q /s command. For Unix, enter the ls -l command.
1. Verify that all files and directories are owned by the DB2 instance owner, DB2 fenced user, or DAS account.b1. All files and directories are owned by the DB2 instance owner, DB2 fenced user, or DAS account.c1. None of the files or directories show access grants to Everyone (Windows) or World (Unix/Linux).��-Determine the location of the DB2 installation directory. On Unix/Linux systems type "echo $DB2PATH" at the system prompt. On Windows systems type "set DB2PATH" at the system prompt.
-From the system prompt, navigate to the DB2 installation directory.
-For Windows, enter the dir /q /s command. For Unix, enter the ls -l command.
1. Verify that none of the files or directories show access grants to Everyone (Windows) or World (Unix/Linux).�If the host system is not Unix/Linux, then this check is N/A.
-Enter the following at the command prompt:
cd $DB2PATH
ls -l -R
1. View the returned permissions on all files. Verify that all files do not have the SUID or the SGID bits set.71. All files do not have the SUID or the SGID bits set.��If the host system is not Windows, then this check is N/A.
-Get the path to the DB2 installation directory. Enter the following command at the command prompt:
set db2path
-View permissions of the DB2 installation directory and the Disk:\DB2 directory.
1. Verify that permissions are limited to the following or less:
Administrators - Full Control
DB2 Installation Account - Full Control
DB2 Service Accounts - Modify, Read & Execute, List Folder Contents, Read, and Write
�1. The permissions are limited to the following or less:
Administrators - Full Control
DB2 Installation Account - Full Control
DB2 Service Accounts - Modify, Read & Execute, List Folder Contents, Read, and Writes1. Permissions are only granted to Administrators, the DB2 software installation account, and DB2 service accounts.��If the host system is not Windows, then this check is N/A.
-Launch REGEDT32.
-View permissions on the HKLM\Software\IBM\DB2 registry hive and keys.
-View permissions on HKLM\SYSTEM\CurrentControlSet\Services\DB2 (all services beginning with "DB2") registry hives and keys.
1. Verify that permissions are only granted to Administrators, the DB2 software installation account, and DB2 service accounts.�Repeat the following steps for each DB2 instance.
-Enter the following command from the DB2 Command Line Processor.
get dbm cfg
1. Verify that the returned value for the AUDIT_BUF_SZ parameter is 0.:1. The returned value for the AUDIT_BUF_SZ parameter is 0."�Repeat the following steps for each DB2 instance.
-Enter the following command from the DB2 Command Line Processor.
get dbm cfg
-View the returned value for the SPM_LOG_PATH parameter and view the permissions on the listed file directory. If no directory is specified then the directory is /sqllib/spmlog.
1. If the host system is Unix, verify that permissions are 750 or more restrictive. If the host system is Windows, verify that permissions are restricted to SAs, DBAs, the DB2 software installation account, and DB2 service/daemon accounts.�1. If the host system is Unix, permissions are 750 or more restrictive. If the host system is Windows, ppermissions are restricted to SAs, DBAs, the DB2 software installation account, and DB2 service/daemon accounts.��Repeat the following steps for each DB2 instance.
-Speak with the DBA and determine if Data Links support is required for the instance.
-Enter the following command from the DB2 Command Line Processor.
get dbm cfg
1. If Data Links support is not required, then verify that the returned value for the DATALINKS parameter is NO. If Data Links support is required, then verify that the returned value for the DATALINKS parameter is YES.�1. If Data Links support is not required, then the returned value for the DATALINKS parameter is NO. If Data Links support is required, then the returned value for the DATALINKS parameter is YES.�Repeat the following steps for each DB2 instance.
-Enter the following command from the DB2 Command Line Processor.
get dbm cfg
1. Verify that the returned value for the DISCOVER parameter is DISABLE.<�1. The returned value for the DISCOVER parameter is DISABLE.�Repeat the following steps for each DB2 instance.
-Enter the following command from the DB2 Command Line Processor.
get dbm cfg
1. Verify that the returned value for the DISCOVER_COMM parameter is DISABLE.A1. The returned value for the DISCOVER_COMM parameter is DISABLE.�Repeat the following steps for each DB2 instance.
-Enter the following command from the DB2 Command Line Processor.
get dbm cfg
1. Verify that the returned value for the DISCOVER_INST parameter is DISABLE.A1. The returned value for the DISCOVER_INST parameter is DISABLE.O�Repeat the following steps for each DB2 instance.
-Enter the following command from the DB2 Command Line Processor.
get dbm cfg
-View the returned value for the diagpath parameter and view the permissions on the listed file directory. If no directory is specified then the directory is \SQLLIB\ or
/.
1.<� If the host system is Unix, verify that permissions are 750 or more restrictive. If the host system is Windows, verify that permissions are restricted to SAs, DBAs, the DB2 software installation account, and DB2 service/daemon accounts.�1. If the host system is Unix, permissions are 750 or more restrictive. If the host system is Windows, permissions are restricted to SAs, DBAs, the DB2 software installation account, and DB2 service/daemon accounts.�Repeat the following steps for each DB2 instance.
-Enter the following command from the DB2 Command Line Processor.
get dbm cfg
1. Verify that the returned value for the NOTIFYLEVEL parameter is 3 or greater.D1. The returned value for the NOTIFYLEVEL parameter is 3 or greater.��Repeat the following steps for each DB2 instance.
-Speak with the SecSpec and determine if the instance should be federated.
-Enter the following command from the DB2 Command Line Processor.
get dbm cfg
1. If the instance does not need to be federated, then verify that the returned value for FEDERATED is NO. If the instance needs to be federated, then verify that the returned value for FEDERATED is YES and that this fact is documented with the SecSpec.�1. If the instance does not need to be federated, then the returned value for FEDERATED is NO. If the instance needs to be federated, then the returned value for FEDERATED is YES and that this fact is documented with the SecSpec.I�Repeat the following steps for each DB2 instance.
-If you are testing on a platform other than Windows, then this check result is N/A.
-Enter the following command from the DB2 Command Line Processor.
get dbm cfg
1. Verify that the returned values for SYSADM_GROUP, SYSCTRL_GROUP, and SYSMAINT_GROUP are all custom local groups.g1. The returned values for SYSADM_GROUP, SYSCTRL_GROUP, and SYSMAINT_GROUP are all custom local groups.�Repeat the following steps for each DB2 instance.
-Enter the following command from the DB2 Command Line Processor.
get dbm cfg
1. Verify that the returned value for the AUTHENTICATION parameter is SERVER_ENCRYPT, KERBEROS, or KRB_SERVER_ENCRYPT.j1. The returned value for the AUTHENTICATION parameter is SERVER_ENCRYPT, KERBEROS, or KRB_SERVER_ENCRYPT.�Repeat the following steps for each DB2 instance.
-Enter the following command from the DB2 Command Line Processor.
get dbm cfg
1. Verify that the returned value for the USE_SNA_AUTH parameter is NO.;1. The returned value for the USE_SNA_AUTH parameter is NO.�Repeat the following steps for each DB2 instance.
-Enter the following command from the DB2 Command Line Processor.
get dbm cfg
1. Verify that the returned value for the FED_NOAUTH parameter is NO.91. The returned value for the FED_NOAUTH parameter is NO.�Repeat the following steps for each DB2 instance.
-Enter the following command from the DB2 Command Line Processor.
get dbm cfg
1. Verify that the returned value for the CATALOG_NOAUTH parameter is NO or 0.B1. The returned value for the CATALOG_NOAUTH parameter is NO or 0.��1. If no value is listed for the DFTDBPATH parameter, then this check passes. If a value is listed for the DFTDBPATH parameter, then proceed.
2. If the host system is Unix, permissions are 750 or more restrictive. If the host system is Windows, permissions are restricted to SAs, DBAs, the DB2 software installation account, and DB2 service/daemon accounts.
3. Verify that the returned value for the DFTDBPATH parameter is a valid path on the server operating system.��Repeat the following steps for each DB2 instance.
-Enter the following command from the DB2 Command Line Processor.
get dbm cfg
-View the returned value for the DFTDBPATH parameter and view the permissions on the listed file directory.
1. If no value is listed for the DFTDBPATH parameter, then this check passes. If a value is listed for the DFTDBPATH parameter, then proceed.
2. If the host system is Unix, verify that permissions are 750 or more restrictive. If the host system is Windows, verify that permissions are restricted to SAs, DBAs, the DB2 software installation account, and DB2 service/daemon accounts.
3. Verify that the returned value for the DFTDBPATH parameter is a valid path on the server operating system.�Repeat the following steps for each DB2 instance.
-Enter the following command from the DB2 Command Line Processor.
get dbm cfg
1. Verify that the returned value for the TRUST_ALLCLNTS parameter is YES.>1. The returned value for the TRUST_ALLCLNTS parameter is YES.�Repeat the following steps for each DB2 instance.
-Enter the following command from the DB2 Command Line Processor.
get dbm cfg
1. Verify that the returned value for the TRUST_CLNTAUTH parameter is CLIENT.A1. The returned value for the TRUST_CLNTAUTH parameter is CLIENT.��Repeat the following steps for each DB2 database in each instance.
-Enter the following command from the DB2 Command Line Processor.
get db cfg
-View the returned value for the logpath parameter and view the permissions on the listed file directory.
1. If the host system is Unix, verify that permissions are 750 or more restrictive. If the host system is Windows, verify that permissions are restricted to SAs, DBAs, the DB2 software installation account, and DB2 service/daemon accounts.��Repeat the following steps for each DB2 database in each instance.
Enter the following command from the DB2 Command Line Processor.
get db cfg
-View the returned value for the loghead parameter and view the permissions on the listed file.
1. If the host system is Unix, verify that permissions are 750 or more restrictive. If the host system is Windows, verify that permissions are restricted to SAs, DBAs, the DB2 software installation account, and DB2 service/daemon accounts.��Repeat the following steps for each DB2 database in each instance.
-Enter the following command from the DB2 Command Line Processor.
get db cfg
-View the returned value for the newlogpath parameter and view the permissions on the listed file directory.
1. If the host system is Unix, verify that permissions are 750 or more restrictive. If the host system is Windows, verify that permissions are restricted to SAs, DBAs, the DB2 software installation account, and DB2 service/daemon accounts.��Repeat the following steps for each DB2 database in each instance.
-Enter the following command from the DB2 Command Line Processor.
get db cfg
-View the returned value for the mirrorlogpath parameter and view the permissions on the listed file directory.
1. If the host system is Unix, verify that permissions are 750 or more restrictive. If the host system is Windows, verify that permissions are restricted to SAs, DBAs, the DB2 software installation account, and DB2 service/daemon accounts.\�Repeat the following steps for each DB2 database in each instance.
-Enter the following command from the DB2 Command Line Processor.
get db cfg
-View the returned value for the mirrorlogpath parameter.
-For Windows, use Start>Settings>Control Panel>Administrative Tools>Computer Management>Storage>Disk Management to view the physical disk on which the mirrorlogpath directory resides.
For Unix, use the df to view the disks. Confirm with the SA or DBA if the disk is mirrored or is a RAID 5. 1. Verify that either the mirrorlogpath exists on a different physical disk or resides on a RAID 5 disk array.b1. Either the mirrorlogpath exists on a different physical disk or resides on a RAID 5 disk array.��Repeat the following steps for each DB2 database in each instance.
-Enter the following command from the DB2 Command Line Processor.
get db cfg
-View the returned value for the overflowlogpath parameter and view the permissions on the listed file directory.
1. If the host system is Unix, verify that permissions are 750 or more restrictive. If the host system is Windows, verify that permissions are restricted to SAs, DBAs, the DB2 software installation account, and DB2 service/daemon accounts.@�Repeat the following steps for each DB2 database in each instance.
-Enter the following command from the DB2 Command Line Processor.
get db cfg
1. Verify that the returned value for the LOGRETAIN parameter is RECOVERY. If it is not RECOVERY, then verify that <� this setting is authorized by the SecSpec for this database.�1. The returned value for the LOGRETAIN parameter is RECOVERY. If it is not RECOVERY, then verify that this setting is authorized by the Security Specialist for this database.3�Repeat the following steps for each DB2 database in each instance.
-Enter the following command from the DB2 Command Line Processor.
get db cfg
1. Verify that the returned value for the USEREXIT parameter is ON. If it is not ON, then verify that this setting is authorized by the SecSpec for this database.�1. The returned value for the USEREXIT parameter is ON. If it is not ON, then verify that this setting is authorized by the Security Specialist for this database.�Repeat the following steps for each DB2 database in each instance.
-Enter the following command from the DB2 Command Line Processor.
get db cfg
1. Verify that the returned value for the DISCOVER_DB parameter is DISABLE.?1. The returned value for the DISCOVER_DB parameter is DISABLE.�-Enter the following command from the DB2 Command Line Processor.
get admin cfg
1. Verify that the returned value for the DISCOVER parameter is DISABLE.#�Repeat the following steps for each DB2 instance.
-If you are testing on a platform other than Windows, then this check result is N/A.
-Enter the following command from the DB2 Command Line Processor.
get admin cfg
1. Verify that the returned value for dasadm_group is a custom local group.?1. The returned value for dasadm_group is a custom local group.�-Enter the following command from the DB2 Command Line Processor.
get admin cfg
1. Verify that the returned value for the exec_exp_task parameter is NO.<�1. The returned value for the exec_exp_task parameter is NO.Z1. The parameter is blank or the sched_userid account is restricted to authorized DAS use.?�-Enter the following command from the DB2 Command Line Processor.
get admin cfg
-View the returned value for the sched_userid parameter.
1. If this parameter is blank, then this check passes.
If this parameter is not blank, interview the DBA and verify that the sched_userid account is restricted to authorized DAS use.�-Enter the following command from the DB2 Command Line Processor.
get admin cfg
1. Verify that the returned value for the AUTHENTICATION parameter is SERVER_ENCRYPT or KERBEROS_ENCRYPT.]1. The returned value for the AUTHENTICATION parameter is SERVER_ENCRYPT or KERBEROS_ENCRYPT.��Repeat the following steps for each DB2 database in each instance.
-Enter the following command from the DB2 Command Line Processor.
select count(*) from syscat.tables where datacapture='Y'
-If no records are returned from the query, then proceed to the next database. If records are returned, then proceed.
-Interview the DBA. Ask which user accounts are used for replication and if there is more than one account used for replication.
1. Verify that only one account is used to perform replication.31. Only one account is used to perform replication.Y�-If no accounts were found in the above check, then this check is N/A.
1. If the host system is Unix, verify that each account found in the above check does not have Root privileges. If the host system is Windows, verify that each account requires no elevated OS privileges and that each account is not a member of any administrative type group.�1. If the host system is Unix, each account found in the above check does not have Root privileges. If the host system is Windows, each account requires no elevated OS privileges and that each account is not a member of any administrative type group.��Repeat the following steps for each DB2 instance.
-Enter the following command from the DB2 Command Line Processor to determine the value assigned to DASADM_GROUP.
get admin cfg
-Enter the following command from the DB2 Command Line Processor to determine the values assigned to SYSADM_GROUP, SYSCTRL_GROUP, and SYSMAINT_GROUP.
get dbm cfg
-Check memberships for each group specified in the above steps from the host operating system.
1. Verify that replication accounts are not members of these groups.81. Replication accounts are not members of these groups.<�Repeat the following steps for each DB2 database in each instance.
-Enter the following command from the DB2 Command Line Processor.
list database directory
-View the returned value for "Database drives" for each database.
-Determine the location of the DB2 installation directory. On Unix systems type "echo $DB2PATH" at the system prompt. On Windows systems type "set DB2PATH" at the system prompt.
-Do the following based on the host operating system.
Windows:
- View Start>Settings>Control Panel>Administrative Tools>Storage>Disk Management
- View the physical disk specified by the DB2PATH logical partition.
Unix/Linux:
- View the environment variable value for DB2PATH.
- View the physical disk drives.
1. Verify that the drive specified in DB2PATH is not the same physical disk as the drive for holding database files.h1. The drive specified in DB2PATH is not the same physical disk as the drive for holding database files.,�Repeat the following steps for each DB2 database in each instance.
-Enter the following command from the DB2 Command Line Processor.
select distinct grantee from syscat.dbauth where connectauth = 'Y'
1. For each grantee, determine with the DBA if the grantee is used by more than one user or if the grantee is used to access the database by an application hosted on a middle-tier server. If the grantee meets this criteria, then verify that the account is restricted by network configuration and authentication method to the connecting application server.@�1. For each grantee, if the grantee is used by more than one user or if the grantee is used to access the database by an application hosted on a middle-tier server. If the grantee meets this criteria, then the account is restricted by network configuration and authentication method to the connecting application server.'�Repeat the following steps for each DB2 database in each instance.
-Enter the following command from the DB2 Command Line Processor.
select distinct grantee from syscat.dbauth where connectauth = 'Y'
1. Review the list of users with the DBA and verify that they are active, authorized accounts.-1. All users are active, authorized accounts.�1.Audit data is captured, backed up, and maintained. IRS practice has been to retain archived audit logs/trails for the remainder of the year they were made plus six years.z1.The audit trail is reviewed at a minimum bi-weekly for anomalies to standard operations or unauthorized access attempts.
SC-8
SC-9
?Verifies FTI is encrypted when in transit across a WAN or LAN.
�IRS Publication 1075 9.18.2 InterviewNVerify the agency has implemented an account management process for the VPN.
��1. Confirm whether all FTI data in transit is encrypted when moving across a Wide Area Network (WAN) and within the agency� s Local Area Network (LAN). ��1. All FTI data in transit is encrypted when moving across a Wide Area Network (WAN) and within the agency� s Local Area Network (LAN). %Audit Review, Analysis, and Reporting�AU-6�Verify that audit trails are periodically reviewed by security personnel.
Exceptions and violations are properly analyzed and appropriate actions are taken.HVerify that automatic session termination applies to all DB connections.�Verify that the DB system enforces a separation of duties for sensitive administrator roles.
There is an effective segregation of duties between the administration functions and the auditing functions of the DB system.CAudit trails cannot be read or modified by non-administrator users.V1. Log files have appropriate permissions assigned and permissions are not excessive.��-Interview the DB administrator to determine the application audit log location.
-Examine the permission settings of the log files.
1. F<� �or a Windows system, the NTFS file permissions should be System � Full control, Administrators and Application Administrators - Read, and Auditors - Full Control.
or
1. For UNIX systems, use the ls � la (or equivalent) command to check the permissions of the audit log files.
�Interview/ Examine�AU-8@The DB provides time stamps for use in audit record generation.
\1. The audit logs contain time and date of auditable events using the internal system clock.q1. Personnel who review and clear audit logs are separate from personnel that perform non-audit administration.
e1. The DB system terminates a session if there is a period of inactivity of no more than 15 minutes.�1. The DB Administrator can provide system documentation identifying how often the auditing logs are reviewed.
The auditing logs have been reviewed by security personnel within the time period identified in the system documentation.U1. The DB Administrator can demonstrate that documented operating procedures exist.
�1. Interview the DB Administrator to verify documented operating procedures exist for user and system account creation, termination, and expiration.
��1. Interview DB Administrator and ask for the system documentation that states how often audit logs are reviewed. Also, determine when the last audit logs were reviewed.
2) Examine reports that demonstrate monitoring of security violations, such as unauthorized user access. �1. Interview the DB administrator and review DB configurations to determine if there is a session termination after no more than15 minutes of inactivity.��1. Interview the DB Administrator to identify the following:
" Personnel that review and clear audit logs
" Personnel that perform non-audit administration such as create, modify, and delete access control rules; DB user access management.%Unneeded functionality is disabled.
t�1. Interview the DB Administrator to determine what functionality is installed and enabled by default for the application.
2. Examine the configuration of the server the DB runs on. Determine what software is installed on the servers. Determine which services are needed for the DB by examining the system documentation and interviewing the Application Administrator.
��1. The DB does not install with functionality which is unnecessary and enabled by default. Any functions installed by default that are not required by the application are disabled.
2. Services or software which are not needed are not present or disabled on the server. SC-8
SC-9�Network Disconnect�Time Stamps�Least Functionality�Account Management�Configuration Settings�Examine
Test�Interview
Examine[Verify that the minimum level of statement auditing is configured and recorded "by access."�Verify that audit data is archived and maintained.
IRS practice has been to retain archived audit logs/trails for the remainder of the year they were made plus six years.�Verify that statement permissions have been revoked for user accounts in all databases.
Verify that statement permissions have been revoked for user accounts in all databases.�Verify that the BUILTIN/Administrators group is not a valid SQL Server logon.
Verify that the BUILTIN/Administrators group is not a valid SQL Server logon.B�Verify that inactive database accounts are disabled/removed.
The DBA shall monitor database account expiration and inactivity and remove expired and inactive accounts in accordance with IRS requirements, which requires disabling of accounts after 45 days of inactivity and removal of accounts after 90 days of inactivity.��Verify that when sensitive data is sent over the network that it is encrypted.
When a database connection is requested via the network to a database server, the client shall provide an individual account name and authentication
credentials to access the database. The database account name and any password transmission from a client to a database server over a network shall
be protected.A�Verify that inactive database accounts are disabled/removed.
The DBA shall monitor database account expiration and inactivity and remove expired and inactive accounts in accordance with IRS requirments, which requires disabling of accounts after 45 days of inactivity and removal of accounts after 90 days of inactivity.EVerify that default passwords for default accounts have been changed.91. All default username/password pairs have been changed.R1. Verify with the DBA that all default username/password pairs have been changed.�Authenticator Management�Boundary Protection�Transmission Confidentiality
Remote Access�Access Enforcement�Auditable Events�Publicly Accessible Content�Information in Shared Resources:Permitted Actions without Identification or Authentication�Public Access Protections�Denial of Service Protection�Application Partitioning(Transmission Integrity / Confidentiality�1. 'Interview the DB administrator to demonstrate the application provides time and date of the last change in data content. This may be demonstrated in application logs, audit logs, or database tables and logs.��Verify that a valid and protected directory is designated for I/O with the host operating system, i.e., that the UTL_FILE_DIR initialization parameter is well defined.
The parameter UTL_FILE_DIR was added to support Oracle packages that allow the reading and writing of external text files to an operating system file. This parameter shall be set to a specific operating system directory where application procedures/programs can read and write files. This means the directory shall exist and have the permissions correctly set to allow Oracle background processes to write to the directory; otherwise, errors will occur. The UTL_FILE_DIR parameter shall not be set to a "*" value.�Verify that no administrative privileges are granted in conjunction with any roles.
DBAs, application owners, and application administrators should be the only database accounts with the privilege to assign permissions to other users.�Verify that no administrative privileges are granted in conjunction with other granted privileges.
DBAs, application owners, and application administrators should be the only database accounts with the privilege to assign permissions to other users.w�Verify that no default application administration roles are granted to non-system user accounts.
Application administration roles are determined by the granting of CREATE USER, ALTER USER, and DROP USER privileges. These roles must not be enabled by default upon connection to the database, but may be enabled/disabled as required by the application administration function."�Verify that all non-default object owner user accounts are disabled.
The DBA shall ensure that the application object owner account is used only for update and maintenance of the application objects. The DBA shall ensure that custom application owner accounts are disabled when not in use.��Verify that listener connection timeouts are enabled.
The DBA shall ensure a connection timeout limit is set with the minimum number of seconds appropriate for the application. The requisite parameters shall be specified in the listener.ora and sqlnet.ora files.41. No files with the extension of dat (*.dat) exist.�Verify that Oracle files requiring the SUID to be set for normal operation are configured correctly.
The files listed require the SUID bit to be set in accordance with the IRS UNIX IRM.�Verify that the Oracle trace directory has its permission mode set to 730.
Access to the $ORACLE_HOME/network/trace directory must be restricted to the oracle account, with limited access<� granted to the dba group.G1. Support for the installed version will not expire within six months.B�T-SQL:
Repeat the following for each database
-Enter the following statement which displays all users who are granted database role memberships:
exec sp_helprolemember
1. Verify that only DBAs are granted database role memberships (memberships beginning with "db_").
Enterprise Manager:
Repeat the following for each database.
-Expand the server.
-Expand Databases.
-Expand the database.
-Select Roles.
-For each database role that begins with "db_", do the following:
-Double-click the database role.
1. Verify that only DBAs are granted membership to the database role.��Repeat the following steps for each DB2 database in each instance.
-Enter the following command from the DB2 Command Line Processor.
select grantee,granteetype from syscat.dbauth where dbadmauth='Y'
-For each record where granteetype = "U".
1. Verify that the grantee for that record is an authorized DBA or application owner account.
-For each record where granteetype = "G"
2. Verify that each user in the group specified in grantee is an authorized DBA or application owner account.�1.The grantee for that record is an authorized DBA or application owner account.
2. Each user in the group specified in grantee is an authorized DBA or application owner account.�O�Interview
TestlListing of Applications/Systems (to include Agency ownership) providing data.
Listing of extracts received.r
Note: Test Case should not necessarily fail, unless the applications/systems listed are external to the agency.hListing of Applications/Systems (to include Agency ownership) receiving data.
Listing of extracts sent.*�1. Rules for checking the valid syntax of information system inputs (e.g., character set, length, numerical range, acceptable values) are in place to verify that inputs match specified definitions for format and content.
2. Data that does not match the required format and content are rejected.
�T�AC-4C1. Determine if FTI within the data tables are clearly identified.>�1. FTI data within the data tables are clearly identified as being Federal Taxpayer Information. It must meet the following requirements:
a. FTI needs to be tagged at the application, database, data profile, data table, data column and row, or even data element level.
b. If an agency has a database that is composed entirely of FTI, labeling at the database level would be sufficient. However, if an agency has FTI commingled with other information in a database, FTI has to be labeled at the level that separates from non-FTI data (i.e. data table, data element). 81. Determine if FTI data is comingled with non-FTI data.��1. FTI data is not commingled with non-FTI data. FTI data remains in a separate data table.
2. If FTI data is comingled with non-FTI data ensure the FTI data meets IRS requirements on comingling data. (All FTI is clearly identified and auditing must be turned on.)�Databaseu1. The Platform is running a supported operating system release. (Please note the OS and release in Actual Results)�SC-23J�1. Access to database tables containing FTI are restricted to authorized personnel only.
2. FTI data is isolated from other state
agency data within database tables. If FTI and other state agency data are commingled (as defined in IRS Publication 1075) in database tables, proper controls are in place to identify the FTI data.
�IA-2I1. Work with the administrator to view a list of all users of the system.m1. All usernames are unique.
2. All administrative accounts are valid and all users have a need for access.=1. Determine if account configurations meet IRS requirements.�1. All privileged accounts are disabled after 60 days of inactivity and all normal user accounts are disabled after 90 days of inactivity.R1. Determine if password configurations meet IRS requirements for minimum length.E1. Passwords are required to be a minimum of 8 characters in length.W1. Determine if password configurations meet IRS requirements for password complexity.$1. Password complexity is enforced.W1. Determine if password configurations meet IRS requirements for password expiration.n1. Passwords are required to be changed every 60 days for privileged users and every 90 days for normal users.61. Determine if appropriate roles have been assigned.v1. Varying level of roles have been established for access with no user having too high of privileges than necessary.�AC-11�1. All data tables, containing FTI, are clearly labeled identifying them to have FTI within it's records.
2. If data tables are commingled with FTI and state data, the labeling needs to be done at the data element level.;1. Determine if audit logs are reviewed on a regular basis.q1. Audit logs are reviewed on a regular basis.
(Note how often and who is responsible for reviewing audit logs)�1. Record data removal procedures.
2. Destruction log is created and meets Publication 1075 requirements. (Check with DES if necessary)�Database Supporting Platformz1. Determine if the platform the database is hosted on is running a supported release of that particular operating system.b1. Determine what sources the database receives FTI from and what specific extracts are included.�1. Determine what data is extracted from the database. (This could be other applications pulling data or the database pushing to another application.)f
Note: Test Case should not necessarily fail, unless the database is sending FTI outside the agency.P1. Determine what products (electronic or paper) are created from the database.XList all products created by the database and what particular FTI extracts are included.�
Note: Test Case should not necessarily fail, unless the products created do not meet Publication 1075 requirements. Consult with the DES on this.
Note: Ensure the DES is made aware of paper and electronic products created from the database.{1. Determine the mechanism(s) used to check data input to the database environment for completeness, accuracy and validity.�1. Examine the list of personnel authorized to input data to the database environment.
2. Verify the list of authorized personnel contains only current personnel with a job function that requires this level of access.
�1. Only personnel with a job function that requires them to input data to the database environment have this level of access.
2. Personnel who no longer require this level of access are promptly removed from the access list.
�Interview the administrator and/or network personnel and determine what happens to the original FTI extract after it has been loaded into the database.�The agency has documented procedures in place for the removal or backing up of the original FTI extract, after it has been loaded into the database.]1. Determine controls in place to protect FTI data while at rest in the database environment.��1. Determine if access attempts to the database environment require the user to be identified and authenticated prior to access being granted.
Note: There are various ways to access the database environment. Ensure identification and authentication controls are implemented for the following access mechanisms:
a) Direct access to the backend database management system and data dictionary;
b) Operating system access to the platform where the database resides;
c) Access to the application used to query the database environment and produce reports.
2. Determine if there are any automated processes that access the database for data retrieval and verify the identification and authentication mechanism in place for these processes.
+�1. Identification and authentication is required at the operating system, database and application level within the database environment.
2. Automated processes that access the database are identified and authenticated using process account credentials.
3. Passwords are not displayed in clear text.Z�1. Determine who has access to the database environment from all possible connection points including:
a) Direct access to the backend database management system and dat<� a dictionary;
b) Operating system access to the platform where the database resides;
c) Access to the application used to query the database environment and produce reports.
�1. Access is restricted to authorized application end users, operating system administrators and database administrators.
2. Personnel who no longer require access to the database environment are promptly removed from the access list.
�1. Review account approval procedures to determine who approves access to the database.
2. Determine who has access to the database.�1. All account access has a documented approval.
2. Agency personnel approve all access to the database.
3. All personnel who have access are approved and have a need for access.]1. Determine if the database is configured to lock a session after 15 minutes of inactivity.T1. The database is configured to lock out a session after 15 minutes of inactivity.S1. Determine if the database application screens clearly identify FTI to the user.T1. FTI is clearly identified to the user (on screen) from the database application.v1. Determine which data tables within the database contain FTI.
2. Determine the naming convention of the data tables.a1. Determine if auditing is activated within the database and on all data tables containing FTI.Q1. Auditing is activated within the database and all data tables containing FTI.�1. Determine the security relevant events that are captured in the audit logs within the database environment.
2. Verify that security events are captured in logs at the operating system, database and application level.��1. The database captures all changes made to data, including: additions, modifications, or deletions. If a query is submitted, the audit log must identify the actual query being performed, the originator of the query, and relevant time/stamp information.
2. Security events are captured in logs at the operating system, database and application level.
3. All users, including administrators, are subject to auditing.
51. Determine if data is backed up from the database.�1. Data is backed up from the database to either electronic media or electronic storage.
Record the following data:
--What type of backup
--Where does the backup reside
--How often backups occur
--Who has access to the backupsa1. Procedures for removing data from the database.
2. Determine if there is a destruction log.��T-SQL:
Repeat the following for each server.
1Enter the following statement:
use master
select name from sysdatabases
1. Verify that none of the following databases exist:
- Northwind
- pubs
- AdventureWorks
- AdventureWorksDB
- AdventureWorksAS
Enterprise Manager:
Repeat the following for each server.
-Expand the server group.
-Expand the server.
-Expand Databases.
1. Verify that none of the following databases exist:
- Northwind
- pubs
- AdventureWorks
- AdventureWorksDB
- AdventureWorksAS��T-SQL:
1. None of the following databases exist:
- Northwind
- pubs
- AdventureWorks
- AdventureWorksDB
- AdventureWorksAS
Enterprise Manager:
1. None of the following databases exist:
- Northwind
- pubs
- AdventureWorks
- AdventureWorksDB
- AdventureWorksAS��T-SQL:
Repeat the following for each server.
-Enter the following statement:
use master
select name from sysdatabases
1. Verify that none of the following databases exist:
- Northwind
- pubs
- AdventureWorks
- AdventureWorksDB
- AdventureWorksAS
Management Studio:
Repeat the following for each server.
-Expand the server.
-Expand Databases.
1. Verify that none of the following databases exist:
- Northwind
- pubs
- AdventureWorks
- AdventureWorksDB
- AdventureWorksAS�Database Storage
Database Flow�Database Backup�Database Removal
Database Load�Database
FTI Extract Removal)Database Identification & Authentication �Database Access Control�Database Application Screen�Database Security Auditing����This SCSEM is used by the IRS Office of Safeguards to evaluate compliance with IRS Publication 1075 for agencies that have implemented a database (Oracle 9i, Oracle 10g, SQL Server 2000, SQL Server 2005, or DB2 version 8.1.7) to receive, store, process or transmit Federal Tax Information (FTI).
Agencies should use this SCSEM to prepare for an upcoming Safeguard review, but it is also an effective tool for agencies to use as part of internal periodic security assessments or internal inspections to ensure continued compliance in the years when a Safeguard review is not scheduled. Also the agency can use the SCSEM to identify the types of policies to have in place to ensure continued compliance with IRS Publication 1075.
Complete the General tab for all database platforms ONLY IF THE DATABASE WILL NOT BE EVALUATED AS A DATA WAREHOUSE. Otherwise, the Data Warehouse SCSEM will address the questions in the General tab of this SCSEM.���$Verify supported platform is in use.�Determine sources of FTI input.+Determine data extracted from the database./Determine the products created by the database.:Determine mechanisms are in place to check the data input.6Ensure authorized personnel have access to input data.;Verify original FTI is secured after loading into database.CVerify if data is secured when at rest in the database environment.BEnsure identification and authentication controls are implemented.=Verify all usernames are unique and administrators are valid.9Verify privileged accounts are disabled after inactivity.6Verify password minimum character length requirements.'Verify password complexity is enforced.$Verify password change requirements.AVerify access restrictions are in place for database connections.$Verify account access is documented.5Verify appropriate roles have been assigned to users.,Verify if roles have been assigned properly.\Verify that FTI is clearly identifiable to the user on screen from the database application.%Verify labeling of FTI data elements.,Verify FTI commingling requirements are met.&Verify FTI data tables are identified.TVerify auditing is activated within the database and all data tables containing FTI.iVerify the database captures all changes made to data, including: additions, modifications, or deletions.7Verify that audit logs are reviewed on a regular basis.aVerify that data is backed up from the database to either electronic media or electronic storage.LVerify the data removal procedures and destruction log requirements are met.RVerify that the ORACLE_BASE\ORACLE_HOME group and permissions are set correctly.
�The ORACLE_BASE\ORACLE_HOME directory must have "Full Control" granted to the Administrators and System groups; the Authenticated Users group must be granted Read, Execute, and List Contents permissions.iVerify that access to all Oracle database parameter files is restricted to the software owner and DBAs.
fDatabase and parameter files must have their access restricted to users with administrator privileges.dVerify that access to the remote logon password file is restricted to the software owner and DBAs.
&�Oracle stores encrypted forms of the internal SYS password, as well as account passwords for users granted the SYSDBA or SYSOPER roles in a special password file. Read access to this file must be restricted to authorized users. Permissions entries must only be defined for local administrators.[Verify that access to the listener.ora file is restricted to the software owner and DBAs.
�The listener.ora file contains listener configuration parameters and the listener password. Access to this file must be restricted to the Oracle owner, the Oracle TNSLISTENER service account, and DBAs.xVerify that access to the support files for the Oracle Intelligent Agent is restricted to the software owner and DBAs.
�The files dbsnmp_rw.ora and dbsnmp_ro.ora files, if present, may contain the password of the DBSNMP database account. Access to these files must be restricted to the Oracle owner and DBAs.YVerify that access to the sqlnet.ora file is restricted to the software owner and DBAs.
�The sqlnet.ora file contains network configuration information for the h<���ost database and listener. Access to this file must be restricted to the Oracle owner and DBAs.�Log and trace file directories found under the $ORACLE_HOME directory may contain information useful for the unauthorized access to database contents. Access to these directories and the files they contain must be restricted to the Oracle owner and DBAs.kAccess to registry keys under HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE must be restricted to local administrator.QVerify that access to Oracle registry keys is restricted to local administrators.�Test�10.8.4���Safeguard Computer Security Evaluation Matrix (SCSEM)
Database
Oracle v9i, 10g
SQL Server 2000, 2005
DB2 v8.1.7
September 28, 2011
Version 1.0
A����The IRS strongly recommends agencies test all SCSEM settings in a development/test environment prior to deploying them in operational environments because in some cases a security setting may �impact a system� s functionality and usability. Consequently, it is important to perform testing to determine the impact on system security, functionality, and usability. Ideally, the test system configuration should match the operational system configuration. Prior to making changes to the production system agencies should back up all critical data files on the system and if possible, make a full backup of the system to ensure it can be restored to its pre-SCSEM state if necessary. The IRS welcomes feedback and suggestions from agencies in regard to individual SCSEMs.
Database Name����`��翟a���咧��囐3�€�,�)���戂=�檑��8���擒s�<���壿5 州� $�� 夀5
蒉�
,��
|�(�堰}�炪J�����ヨQ�Y�W��B��
���H�����%���H.����;�O�獲���圙���譔���lW���嘷��
萮���鉲���Rs�n�v}�n�U��M�b��6�|��P�k��? 麩��
睢���洠�o�茎���皎���陋�����%����夜���u��%�樇�H�5���� ���
蓖�a�w���������h�����
�&�d������� 90�}��1�L��2�^��3�K��3�1��?��
wT����f����p����€��
����}��U�櫂�M�暚�I��=�钕�~�夃�� *����埤�$������������/����;����J���軺���媐�i�M}���m��'�謦���吇���%����玩�������
"��(��)����B�� ∟���阇���~h�<�榯�V��~�������
帟�(������楔�F�卟�U������q�������e�*��|�犕���U����呥���e���
唛�
�T�������J����&�������������� ������9��C��!���c��c��"�����B���������������������O岆�Uj_ 翶U��
����f2��蓘�������)-.�+3��4�
����d�������褚MbP?_��*�+����€�%�������������&�ffffff�?'�ffffff�?(��?)��?M��Adobe PDF������S飥����
o�d����������Letter����PRIV� ��'�'�'�'����0��\K�hC�FF燆�������SMTJ��Adobe PDF ConverterResolution1200dpiPageSizeLetterPageRegionLeadingEdgeInputSlotOnlyOne0�EBDA�����Standard��"�d��������333333�?333333�?���&��<3U��}�$ ��}��������}���$ ��}����
���}� I����}�
�����}���$ �����)�
�����
��������
��������
��������
��������
��������
��������
��������
������ �
������
�
��������
��������
������
�
��������
��������
��������������������������������������������������������@������������
��
�s�����������������������
������������������������
������������������������
�������������������������������
������������������������
������������������������
������������������������
������������������������
�� ���������������������
��
���������������������
������������������������
������������������������
��
���������������������
������������������������
������������������������
��������
����t���������������������
������������������������
������������������������
������������������������
������������������������
������������������������
������������������������
�0v���*�(������������2��������!�
������"�
������#�
������$�
������%�
������&�
������(�
����
!�����
!���+�
"�����
"���,�
#�����
#���-�
$���.�
$���/���$����
$���0���$����
$ ��1�
%���+�
%���2�
% ��3�
&���+�
&���2�
& ��3�
(���u�����x���L**�����鸺������
d��黏����(� ���
��d���瓞��
���d�
���餽����d���A����?������������1������览�?������������伱�IRS Logo����@����������]N�����`������ $�����Word.Document.8要�����鸶���甬� ��%���O�2��
���d��S�餘����€��伱 ���Group 2Horizontal Rule�"���������<�������] ����`���~��饁B�
�� dB
���>��������������?���€�����Line 3���%���O�����]���� �`����饇B�
��
d�
��餌�������������)�����?���€�����Line 4���Z 2���2���]����
�`>����@���������������
������
��� ���%% 猩陏��寕�K�����First.M.Last@xx.xxx嗌陏��寕�K��Nmailto:First.M.Last@xx.xxxyX侓;�H�,俔膮'cカ���&& 猩陏��寕�K�����First.M.Last@xx.xxx嗌陏��寕�K��Nmailto:First.M.Last@xx.xxxyX侓;�H�,俔膮'cカg��g��������D
����f2��蓘��������?�3C�
����d�������褚MbP?_��*�+����€�%�������������&��?'��?(��?)��?Mb�CutePDF Writer������S飥����
o�d��X���X���Letter����PRIV�0��'�'�'�'�����\K�hC�u琟m�������SMTJ��CutePDF WriterResolution600dpiPageSizeLetterPageRegionLeadingEdgeInputSlotOnlyOne�"�d���X�X�333333�?333333�?���&��<3U�����
���
�������
�������
�
@������
�������
�������
�������
�������
������
������
�������
�������
������
�������
����
�A����������������� �{|||||||||||}��
��F������������������� �{|||||||||||}��
��������������������� �|||||||||||||��
��������������������� ���������������� ���������������
��������������� ���������������� ����������������
��������������� ���������������� @���0$0$0$0$$$$$$�P��餒 ����\���0���(� ���
��\�>���蔼������������"��������������7�� �Sheet4g��g��������D
����f2��蓘������#腎�鵦�甧�
����d�������褚MbP?_��*�+����€�%�������������&��?'��?(��?)��?Mb�CutePDF Writer������S飥����
o�K��������Letter����PRIV�0���������������� �
�����
������������������������������������� �!�"�#�$�%�&�'�(�)�*�+�,�-�.�/�0�1�2�3�4�5�6�7�8�9�:�;�<�=�>�?�@�A�B�C�D�E�F�G�H�I�J�K�L�M�N�O�P�Q�R�S�T�U�V�W�X�Y�Z�[�\�]�^�_�`�a�b�c�d�e�f�g�h�i�j�k�l�m�n�p����q�r�s�t�u�v�w�x�y�z�{�|�}�~��€���'�'�'�'�����\K�hC�u琟m�������SMTJ��CutePDF WriterResolution600dpiPageSizeLetterPageRegionLeadingEdgeInputSlotOnlyOne�"�K�����333333�?333333�?���&��<3U��}�I���}����
��}����
��}������}���I���}����
��}�������}���I���}� �
��}�
�
����#��������� �����J��� ��������� ��������� ������������������������������������������� �������
����� ��������� ���
�J��� �������@�� �������@�� �������@���������@���������@���������@��������������������������� ����������������� �����J��� ��������� ��������� ���������������������������������
�f��
��gh��
��f��
��gh��
��f��
� gh
�
�i6�
��id�
��j5�
��i6�
��id�
��j5�
��i6�
� id�
�
j5�
�k7�+��D����;�L � ���PassAZ��C��l���-D��繢 ���A��������D��繢 �������B���
��k7�+��D ���;��J � ���PassAZ��C��l���-D��繢 ���A��������D��繢 �������B���
��k7�+� D ��;��R � ���PassAZ��C�
l�
�-D� 繢 ��A��������D� 繢 ������B���
�m8�+��I
���;�L � ���FailAZ��C��l���-D��繢 ���A��������D��繢 �������B���
��m8�+��I����;��J � ���FailAZ��C��l���-D��繢 ���A��������D��繢 �������B���
��m8�+� I� ��;��R � ���FailAZ��C�
l�
�-D� 繢 ��A��������D� 繢 ������B���
�n9�+��I����;�L � ���InfoAZ��C��l���-D��繢 ���A��������D��繢 �������B���
��n9�+��I����;��J � ���InfoAZ��C��l� �-D��繢 ���A��������D��繢 �������B���
��n9�+� I� ��;��R � ���InfoAZ��C�
l�
�-D� 繢 ��A��������D� 繢 ������B���
�o:�*��I����;�L � ���N/AAZ��C��l�
�-D��繢
���A��������D��繢
�������B���
��o:�*��I����;��J � ���N/AAZ��C��l���-D��繢
���A��������D��繢
�������B���
��o:�*� I� ��;��R � ���N/AAZ��C�
l�
�-D� 繢
��A��������D� 繢
������B���
�m;�$��IS@����;�L � 繟[��C��l�?���-D��繢
���A��������D��繢
�������B���
��m;�$��I€R@����;��J � 繟[��C��l�?�
�-D��繢
���A��������D��繢
�������B���
��m;�$� I€T@� ��;��R � 繟[��C�
l�?� �-D� 繢
��A��������D� 繢
������B���
m<��# �J���
%����������
�pe�
�m<��# �J���
%����������
�pe�
�m<��# J���
%�� � �����
pe�
qf�#
�rS@���
%��������摮�
�se�
�qf�#
�r€R@���
%��������摮�
�se�
�qf�#
r€T@ ��
%�� � ���摮�
se�
f��
�gh��
�f��
�gh��
�f��
gh
�
�i6�
��id�
��j5�
��i6�
��id�
��j5�
��i6�
� id�
�
j5�
�k7�+��D����;��W � ���PassAZ��C��l���-D��繢����A��������D��繢��������B���
��k7�+��D����;��V � ���PassAZ��C��l� �-D��繢����A��������D��繢��������B���
��k7�+� D� ��;��M � ���PassAZ��C�
l���-D� 繢� ��A��������D� 繢� ������B���
�m8�+��I����;��W � ���FailAZ��C��l���-D��繢����A��������D��繢��������B���
��m8�+��I����;��V � ���FailAZ��C��l���-D��繢����A��������D��繢��������B���
��m8�+� I� ��;��M � ���FailAZ��C�
l"��-D� 繢� ��A��������D� 繢� ������B���
�n9�+��I����;��W � ���InfoAZ��C��l
��-D��繢����A��������D��繢��������B���
��n9�+��I����;��V � ���InfoAZ��C��l���-D��繢����A��������D��繢��������B���
��n9�+� I� ��;��M � ���InfoAZ��C�
l�
�-D� 繢� ��A��������D� 繢� ������B���
�o:�*��I����;��W � ���N/AAZ��C��l�
�-D��繢����A��������D��繢��������B���
��o:�*��I����;��V � ���N/AAZ��C��l���-D��繢����A��������D��繢��������B���
��o:�*� I� ��;��M � ���N/AAZ��C�
l���-D� 繢� ��A��������D� 繢� ������B���
�m;�$��I繳@����;��W � 繟[��C��l�?���-D��繢����A��������D��繢��������B���
��m;�$��I€U@����;��V � 繟[��C��l�?���-D��繢����A��������D��繢��������B���
��m;�$� I@S@� ��;��M � 繟[��C�
l�?���-D� 繢� ��A��������D� 繢� ������B���
�m<��#��J
�
%����������
��pe�
��m<��#��J���
%����������
��pe�
��m<��#� J�
�
%�� � �����
�
pe�
�qf�#��r繳@���
%��������摮�
��se�
��qf�#��r€U@���
%��������摮�
��se�
��qf�#� r@S@�
�
%�� � ���摮�
�
se���^�G�����^�G�����^�G
�
�f��
��gh��
�����
�����������������
�i6�
��id�
��j5������������
�k7�+��D� ��;��P � ���PassAZ��C��l���-D��繢!���A��������D��繢!�������B��������������
�m8�+��I����;��P � ���FailAZ��C��l���-D��繢!���A��������D��繢!�������B��������������
�n9�+��I����;��P � ���InfoAZ��C��l���-D��繢!���A��������D��繢!�������B��������������
�o:�*��I����;��P � ���N/AAZ��C��l ��-D��繢"���A��������D��繢"�������B��������������B}�X�T~��������w���T~��������w���08�:������ �������!�������"����� �
m;�$ �IT@����;��P � 繟[��C �l�?���-D �繢"���A��������D �繢"�������B���� ���������
!m<��#!�J���
%����������
!�pe��!���������
"qf�#"�rT@!��
%� ������摮�
"�se��"���������
o�(�S�P��餒0����<����0���(� ���
��<��>���蔼<�d�����������
��"���� 7��n���"���"�
�������
�����������
����������������������;��€�"�
�������
������������������������������@���Pass��������;��€�"�
�������
������������������������������@���Fail��������;��€�"�
�������
����������������������������������Info{�+{���"������{�+{���"�������{�+{���"��������� �Sheet2g��g��������D
����f2��蓘�������Wn�蓘�
����d�������褚MbP?_��*�+����€�%�������������&�ffffff�?'�ffffff�?(��?)��?M��EPSON WorkForce 610 Seriese 61��������泙����
o�d��h���h������ �EPSON WorkForce 610 Series������������������������€����@@Version Erro���R�L���h�h���$�h�h���x�****��x�****��d��2������"�d����333333�?333333�?���&��<3U��}��Z�}���m \�}�������}���m���}���$�Z�}���I�Z�}�����Z�}���m"��}���$!Z�}� �\�}�
��Z�}���m�\�}���$ Z����������€�G�������€�G���������������������������������
��������������������������
����� ��������
��������������������������
������������������������������������������������������������������������������������������������������������������������������������
�@�
����
����
��=�
����
�E��
�E��
�E>�
�E��
E?�
EB�
�F#~�
�D�?�
��e���
��e���
���G��
��e���������
������
������
�������� ����~�
�D@�
��e���
��e���
���H��
��e���������
������
������
������
� ��
�
�����~�
�D�@�
��e���
��e���
���I��
��e���������
������
������
������
� ��
�
�����~�
�D�@�
��e���
��e���
���J��
��e���������
������
������
������
� ��
�
��� �~�
�D�@�
��e���
��e��
���K��
��e@��������
������
���!��
�������� ����~�
�D�@�
��e���
��e��
���L��
��e@��������
������
���"��
���#���� ����~�
�D�@�
��e���
��e ��
���M��
���A��������
������
���$��
���%���� ����~�
�D @�
��e���
��e���
���N��
��e<��������
������
���&��
�������� ����~�
D"@�
�e���
�e���
��O��
�eB���� ���
�����
��'��
��(��� ����~�
D$@�
�e���
�e���
��P��
�eB����
���
�����
�����
�� ���
����~�
�D&@�
��e���
��e���
���Q��
��eB��������
������
���
��
�������� ����~�
�D(@�
��e���
��e���
���R��
��eB��������
������
������
���
���� ����~�
D*@�
�e���
�e���
��S��
�eB����
���
�����
�����
������
����~�
�D,@�
��e���
��e���
���T��
��eB��������
������
������
�������� ����~�
�D.@�
��e���
��e���
���U��
��eC��������
������
���)��
���*���� ����~�
�D0@�
��e���
��e���
���V��
��eC��������
������
���+��
���,���� ����~�
�D1@�
��e���
��e���
���W��
��eC��������
������
������
�������� ����~�
�D2@�
��e���
��e���
���X��
��eC��������
������
���-��
���.���� ����~�
�D3@�
��e���
��e��
���Y��
��eD��������
������
���/��
���0���� ����~�
�D4@�
��e���
��e���
���Z��
��e=��������
������
���1��
�������� ����~�
�D5@�
��e���
��e���
���[��
��e=��������
������
������
�������� ����~�
�D6@�
��e���
��e���
���\��
��e=��������
������
������
������� ����~�
�D7@�
��e���
��e���
���]��
��e=��������
������
���2��
���3���� ����~�
�D8@�
��e���
��e���
���^��
��eE��������
������
���4��
���5���� ����~�
�D9@�
��e���
��e���
���_��
��eE��������
������
������
�������� ����~�
�D:@�
��e���
��e��
���`��
��e>��������
������
���6��
���7���� ����~�
�D;@�
��e���
��e ��
���a��
��e?��������
������
���8��
�������� �����<���������������������������������P��餒@�����`���0���(� ���
��`�>����@U����������A
������������������� ��� ��������;��€@���Pass��������;��€@���Fail��������;��€����Info{�U{���� �� ��&��;��€@�������櫶�笎��h��{�U{���� ���
��&��;��€@���������笎��h��{�U{���� ������&��;��€�����������笎��h��{��{���� ��z�Zz����&��;��€��������暢��������N/A��������������y�����Input Error�5Please enter an accepted value: Pass, Fail, N/A, Info���PassFailN/AInfoN��� g��g��������D
����f2��蓘������W銐�s��;��[��
����d�������褚MbP?_��*�+����€�%��������������&��?'��?(��?)��?Mb�CutePDF Writer������S飥����
o�A��X���X���Letter����PRIV�0��'�'�'�'�����\K�hC�u琟m�������SMTJ��CutePDF WriterResolution600dpiPageSizeLetterPageRegionLeadingEdgeInputSlotOnlyOne�"�A���X�X��?�?���&���U��}��Z�}���I�\�}�������}�������}���$�Z�}�����]�}����*��}����*Z�}�����\�}� ��Z�}�
��\�}���$ Z���Test Modulet��t��/.-,+*�����W�������€�G�������€�G�������€�G�������€�G�������€�G�������€�G�������€�G�������€�G������
€�G��� ��������
���€�������� €��������
€�����
�� €���������€��������
€���������€���������€�H�������€�H������
€�H������
€�H�������€�H�������€�H������
€�H�������€�H������
€�H�������€�H������
€�H�������€�H������
�����������������
���
�@�
�E��
�E��
�E=�
�E��
�E��
�E>�
�E��
�E?�
EB�
F#~�
�D�?�
������
��D���
������
������
��D���
������
������������
~�
�D@�
������
��D���
������������
��D���
������
������������
~�
�D�@�
������
��D���
������������
��D���
������
������������
~�
�D�@�
������
��D���
������������
��D���
������
������������
~�
�D�@�
������
��D���
������������
��D���
������
������������
~�
�D�@�
������
��D���
������������
��D���
������
������������
~�
�D�@�
������
������
������������
��D���
������
������������
~�
�D @�
������
�����
������������
��D���
������
������������
~�
D"@�
�����
�D���
�����
�����
��q��
�����
������ ����
~�
D$@�
�����
�D���
�����
�����
��q��
�����
������
����
~�
�D&@�
������
��D���
������
������
���q��
������
������������
~�
�D(@�
������
��D���
������
������
���q��
���I��
���J��������
~�
D*@�
�����
�D���
�����
�����
��q��
��K��
��L���
����
~�
�D,@�
������
��D���
������
������
���q��
���M��
���N��������
~�
�D.@�
������
��D���
������
������
���q��
������
���O��������
~�
�D0@�
������
��D���
��� ��
������
���q��
���P��
���Q��������
~�
�D1@�
������
��D���
���
��
������
���q��
���R��
���S��������
~�
�D2@�
������
��D���
������
������
���q��
���T��
���U��������
~�
�D3@�
������
��D���
������
������
���q��
���V��
���W��������
~�
�D4@�
������
��D���
������
������
���q��
���X��
���Y��������
~�
�D5@�
������
��D���
���
��
������
���q��
���Z��
���[��������
~�
�D6@�
������
��D���
���%��
������
���q��
���\��
���]��������
~�
�D7@�
������
��D���
������
������
���q��
���1��
���2��������
~�
�D8@�
������
��D���
������
������
���q��
���`��
���a��������
~�
�D9@�
������
��D���
������
������
���q��
���b��
���c��������
~�
�D:@�
������
��D���
������
������
���q��
���d��
���e��������
~�
�D;@�
������
��D���
������
������
���q��
���h��
���i��������
~�
�D<@�
������
��D���
������
������
���q��
���j��
���k��������
~�
�D=@�
������
��D���
������
������
���q��
���n��
���o��������
~�
�D>@�
������
��D���
������
������
���q��
���p��
���q��������
~�
�D?@�
������
��D���
������
������
���q��
���r��
���s��������
�D~�l��€|||||||€€€€€€€€€€€€€€€€€€€€€€��� ��
�����!��
�����"��������#��������$��������%��������&��������'��������(�� �����)��������*��������+��
�����,��
�����-��������.��
�����/��������0��������1��������2��������3��������4��������5��������6��������7��������8�� �����9��������:��������;��
�����<���������=��������>��������?�����~�
D@@�
�����
�D���
�����
�����
��q��
��t��
��u��� ����
~�
!D€@@�
!�����
!�D���
!�����
!�����
!��q��
!��v��
!��w���!����
~�
"DA@�
"�����
"�D���
"��&��
"��!��
"��q��
"��;��
"��<���"����
~�
#D€A@�
#�����
#�D���
#�����
#�����
#��q��
#��x��
#��y���#����
~�
$DB@�
$�����
$�D���
$�����
$�����
$��q��
$��3��
$��{���$����
~�
%D€B@�
%�����
%�D���
%�����
%�����
%��q��
%��9��
%��}���%����
~�
&DC@�
&�����
&�D���
&�� ��
&����
&��q��
&��:��
&�����&����
~�
'D€C@�
'�����
'�D���
'��!��
'�����
'��q��
'��€��
'������'����
~�
(DD@�
(�����
(�D���
(��'��
(�����
(��q��
(��4��
(��5���(����
~�
)D€D@�
)�����
)�D���
)��(��
)��"��
)��q��
)��b��
)��c���)����
~�
*DE@�
*�����
*�D���
*��)��
*��#��
*��q��
*��d��
*��e���*����
~�
+D€E@�
+�����
+�D���
+��*��
+�����
+��q��
+��f��
+��g���+����
~�
,DF@�
,�����
,�D���
,��/��
,�����
,��q��
,��h��
,��i���,����
~�
-D€F@�
-�����
-�D���
-��0��
-�����
-��q��
-��j��
-��k���-����
~�
.DG@�
.�����
.�D���
.��1��
.�����
.��q��
.��l��
.��m���.����
~�
/D€G@�
/�����
/�D���
/��2��
/�����
/��q��
/��2��
/��n���/����
~�
0DH@�
0�����
0�D���
0��+��
0��$��
0��q��
0��p��
0��o���0����
~�
1D€H@�
1�����
1�D���
1�����
1�����
1��q��
1�����
1������1����
~�
2DI@�
2�����
2�D���
2��3��
2����
2��q��
2�����
2������2����
~�
3D€I@�
3�����
3�D���
3��4��
3����
3��q��
3�����
3������3����
~�
4DJ@�
4�����
4�D���
4��5��
4����
4��q��
4�����
4������4����
~�
5D€J@�
5�����
5�D���
5��6��
5����
5��q��
5�����
5������5����
~�
6DK@�
6�����
6�D���
6��7��
6����
6��q��
6�����
6������6����
~�
7D€K@�
7�����
7�D���
7�����
7����
7��q��
7�����
7������7����
~�
8DL@�
8�����
8�D���
8�����
8����
8��q��
8�����
8������8����
~�
9D€L@�
9�����
9�D���
9��8��
9����
9��q��
9�����
9������9����
~�
:DM@�
:�����
:�D���
:��9��
:����
:��q��
:�����
:������:����
~�
;D€M@�
;�����
;�D���
;�����
;����
;��q��
;�����
;������;����
~�
<�DN@�
<������
<��D���
<���:��
<�����
<���q��
<������
<�������<�����
~�
=D€N@�
=�����
=�D���
=��;��
=����
=��q��
=�����
=������=����
~�
>DO@�
>�����
>�D���
>��<��
>����
>��q��
>�����
>������>����
~�
?D€O@�
?�����
?�D���
?��=��
?����
?��q��
?�����
?������?����
�D€�l�€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€���@��
�����A��������B��������C�� �����D��������E��
�����F��������G��������H��������I��������J�� �����K��������L��������M�������N�������O�������P��������Q��������R��������S��������T��������U��������V�����~�
@DP@�
@�����
@�D���
@�����
@����
@��q��
@�����
@������@����
~�
AD@P@�
A�����
A�D���
A��>��
A����
A��q��
A��7��
A��8���A����
~�
BD€P@�
B�����
B�D���
B��?��
B����
B��q��
B�����
B������B����
~�
CD繮@�
C�����
C�D���
C�����
C����
C��q��
C��6��
C������C����
~�
DDQ@�
D�����
D�D���
D��@��
D����
D��q��
D�����
D������D����
~�
ED@Q@�
E�����
E�D���
E��A��
E����
E��q��
E�����
E������E����
~�
FD€Q@�
F�����
F�D���
F��B��
F����
F��q��
F�����
F������F����
~�
GD繯@�
G�����
G�D���
G��C��
G����
G��q��
G�����
G������G����
~�
HDR@�
H�����
H�D���
H��D��
H����
H��q��
H�����
H������H����
~�
ID@R@�
I�����
I�D���
I��E��
I����
I��q��
I�����
I������I����
~�
JD€R@�
J�����
J�D���
J��F��
J����
J��q��
J�����
J������J����
~�
KD繰@�
K�����
K�D���
K��G��
K�����
K��q��
K�����
K������K����
~�
LDS@�
L�����
L�D���
L��H��
L�����
L��q��
L��=��
L������L����
�
M�HH��
N�HH��
O�HH��
P�HH��
Q�HH��
R�HH��
S�HH��
T�HH��
U�HH��
V�HH��2����€€€€€€€€€€€€€��������������&�P��������������(� ���
������餜��
��!�
C������������������������]F���!�!��d�
�����������Z��餜��
��"�
C�������������������������]F���"�!��d�
�����������Z��餜��
��)�
C�������������������������]F���)�!��d�
�����������Z��餜��
��1�
C�������������������������]F���1�!��d�
�����������Z��餜��
��#�
C�������������������������]F���#�!��d�
�����������Z��餜��
��0�
C�������������������������]F���0�!��d�
�����������Z��餜��
��$�
C�������������������������]F���$�!��d�
�����������Z��餜��
��(�
C�������������������������]F���(�!��d�
�����������Z��餜��
��%�
C��������������������� ���]F���%�!��d�
�����������Z��餜��
��&�
C��������������������
���]F���&�!��d�
�����������Z��餜��
��'�
C��������������������
����]F���'�!��d�
����������>����@U����������A
�������������� 7�����
�
���
�
��������;��€��
�
d�
��������������������������������@���Pass��������;��€��
�
d�
��������������������������������@���Fail��������;��€��
�
d�
������������������������������������Info������L ��L ��������;��€����Info��������;��€@���Fail��������;��€����Pass{�+{��
�
�����{�+{��
�
������{�+{��
�
��� ��{�U{���L �����&��;��€������������{�U{���L ������&��;��€@����������{�U{���L ������&��;��€��������癙�������������;�����������PassFailN/AInfoN��L �� �Sheet3g��g��������D
����f2��蓘������Xf�����旭���
����d�������褚MbP?_��*�+����€�%�������������&��?'��?(��?)��?Mb�CutePDF Writer������S飥����
o�F��X���X���Letter����PRIV�0��'�'�'�'�����\K�hC�u琟m�������SMTJ��CutePDF WriterResolution600dpiPageSizeLetterPageRegionLeadingEdgeInputSlotOnlyOne�"�F���X�X��?�?���&���U��}����}���I���}�������}�������}���$���}����
��}���$&��}���I#��}�������}� ����}�
����}���$ ����Test Modulet��t��������X�������€�G�������€�G�������€�G�������€�G�������€�G�������€�G�������€�G�������€�G������
€�G��� ��������
���€�G������ €�G������
€�G���
�� €�G�������€�G������
€�G�������€��������������������������
��������
��������������������������
�����������������
��������������������������
�����������������
��������
���
�@�
�~��
�~��
�E=�
�E��
�E��
�E>�
�E��
�E?�
EB�
F#~�
�D�?�
��D���
��D���
������
������
��D���
������
����������D�
~�
�D@�
��D���
��D���
������
���r��
��D���
������
����������D�
~�
�D�@�
��D���
��D���
������
���r��
��D���
������
����������D�
~�
�D�@�
��D���
��D���
������
���r��
��D���
������
����������D�
~�
�D�@�
��D���
��D���
������
���r��
��D���
������
����������D�
~�
�D�@�
��D���
��D���
������
���r��
��D���
������
����������D�
~�
�D�@�
��D���
������
������
���r��
��D���
������
����������D�
~�
�D @�
��D���
��D��
������
���r��
��D���
������
����������D�
~�
D"@�
�D���
�D���
�����
�����
�Dq��
�����
������ ����
~�
D$@�
�D���
�����
�����
�����
�D���
�����
������
��D�
~�
�D&@�
��D���
������
������
������
��Dq��
������
����������D�
~�
�D(@�
��D���
������
������
������
��Dq��
���I��
���J������D�
~�
D*@�
�D���
�����
�����
�����
�Dq��
��K��
��L���
��D�
~�
�D,@�
��D���
������
������
������
��Dq��
���M��
���N������D�
~�
�D.@�
��D���
������
������
������
��Dq��
������
���O������D�
~�
�D0@�
��D���
������
��� ��
������
��Dq��
���P��
���Q��������
~�
�D1@�
��D���
������
���
��
������
��Dq��
���R��
���S��������
~�
�D2@�
��D���
������
������
������
��Dq��
���T��
���U��������
~�
�D3@�
��D���
������
������
������
��Dq��
���V��
���W��������
~�
�D4@�
��D���
������
������
������
��Dq��
���X��
���Y��������
~�
�D5@�
��D���
������
���
��
������
��Dq��
���Z��
���[��������
~�
�D6@�
��D���
��D���
������
������
��Dq��
���\��
���]��������
~�
�D7@�
��D���
��� ��
������
������
��Dq��
���^��
���_��������
~�
�D8@�
��D���
��D���
������
������
��Dq��
���`��
���a��������
~�
�D9@�
��D���
��D���
������
������
��Dq��
���b��
���c��������
~�
�D:@�
��D���
��D�
������
������
��Dq��
���d��
���e��������
~�
�D;@�
��D���
������
������
������
��Dq��
���f��
���g��������
~�
�D<@�
��D���
������
������
������
��Dq��
���h��
���i��������
~�
�D=@�
��D���
������
������
������
��Dq��
���j��
���k��������
~�
�D>@�
��D���
������
������
������
��Dq��
���l��
���m��������
~�
�D?@�
��D���
������
������
������
��Dq��
���n��
���o��������
�D��l��€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€��� ��������!��
�����"��
�����#��
�����$��
�����%��������&��������'��������(��������)��
�����*��������+��������,��
�����-��������.��������/��������0��������1��������2�� �����3��������4��
�����5��������6��������7��������8��
�����9��������:��
�����;��������<���������=��������>��������?�����~�
D@@�
�D���
�����
�����
�����
�Dq��
��p��
��q��� ����
~�
!D€@@�
!�D���
!�����
!�����
!�����
!�Dq��
!��r��
!��s���!����
~�
"DA@�
"�D���
"�D��
"�����
"�����
"�Dq��
"��t��
"��u���"����
~�
#D€A@�
#�D���
#�D���
#�����
#�����
#�Dq��
#��v��
#��w���#����
~�
$DB@�
$�D���
$�D���
$�����
$�����
$�Dq��
$��x��
$��y���$����
~�
%D€B@�
%�D���
%�D���
%�����
%�����
%�Dq��
%��z��
%��{���%����
~�
&DC@�
&�D���
&�D���
&�����
&�����
&�Dq��
&��|��
&��}���&����
~�
'D€C@�
'�D���
'�D���
'�� ��
'����
'�Dq��
'��~��
'�����'����
~�
(DD@�
(�D���
(�D���
(��!��
(�����
(�Dq��
(��€��
(������(����
~�
)D€D@�
)�D���
)�D���
)��"��
)�����
)�Dq��
)�����
)������)����
~�
*DE@�
*�D���
*�D���
*��#��
*�����
*�Dq��
*�����
*������*����
~�
+D€E@�
+�D���
+�D���
+��$��
+�����
+�Dq��
+�����
+������+����
~�
,DF@�
,�D���
,�D���
,�����
,�����
,�Dq��
,�����
,������,����
~�
-D€F@�
-�D���
-�D���
-��%��
-�����
-�Dq��
-�����
-������-����
~�
.DG@�
.�D���
.�D���
.��&��
.�����
.�Dq��
.�����
.������.����
~�
/D€G@�
/�D���
/�D���
/��'��
/�����
/�Dq��
/�����
/������/����
~�
0DH@�
0�D���
0�D���
0��(��
0�� ��
0�Dq��
0�����
0������0����
~�
1D€H@�
1�D���
1�D���
1��)��
1��
��
1�Dq��
1�����
1������1����
~�
2DI@�
2�D���
2�D���
2��*��
2�����
2�Dq��
2�����
2������2����
~�
3D€I@�
3�D���
3�D���
3�����
3�����
3�Dq��
3�����
3������3����
~�
4DJ@�
4�D���
4�D���
4��+��
4��
��
4�Dq��
4�����
4������4����
~�
5D€J@�
5�D���
5�D���
5��,��
5�����
5�Dq��
5�����
5������5����
~�
6DK@�
6�D���
6�D���
6��-��
6�����
6�Dq��
6�����
6������6����
~�
7D€K@�
7�D���
7�D���
7��.��
7�����
7�Dq��
7�����
7������7����
~�
8DL@�
8�D���
8�D���
8��/��
8�����
8�Dq��
8�����
8������8����
~�
9D€L@�
9�D���
9�D���
9��0��
9�����
9�Dq��
9�����
9������9����
~�
:DM@�
:�D���
:�D���
:��1��
:�����
:�Dq��
:�����
:������:����
~�
;D€M@�
;�D���
;�D���
;��2��
;�����
;�Dq��
;�����
;������;����
~�
<�DN@�
<��D���
<��D���
<������
<������
<��Dq��
<������
<�������<�����
~�
=D€N@�
=�D���
=�D���
=��3��
=����
=�Dq��
=�����
=������=����
~�
>DO@�
>�D���
>�D���
>��4��
>����
>�Dq��
>�����
>������>����
~�
?D€O@�
?�D���
?�DC�
?��5��
?����
?�Dq��
?�����
?������?����
�D€�l�€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€���@��������A��������B��������C�� �����D��������E��������F��������G��������H��
�����I�� �����J��������K��������L��������M��������N�� �����O��������P��
�����Q��������R��������S��������T��������U�� �����V��������W�����~�
@DP@�
@�D���
@�DC�
@��6��
@����
@�Dq��
@�����
@������@����
~�
AD@P@�
A�D���
A�DC�
A��7��
A����
A�Dq��
A�����
A������A����
~�
BD€P@�
B�D���
B�D���
B�����
B����
B�Dq��
B�����
B������B����
~�
CD繮@�
C�D���
C�D���
C�����
C����
C�Dq��
C�����
C������C����
~�
DDQ@�
D�D���
D�D���
D��8��
D����
D�Dq��
D�����
D������D����
~�
ED@Q@�
E�D���
E�D���
E��9��
E����
E�Dq��
E�����
E������E����
~�
FD€Q@�
F�D���
F�D���
F�����
F����
F�Dq��
F�����
F������F����
~�
GD繯@�
G�D���
G�D���
G��:��
G����
G�Dq��
G�����
G������G����
~�
HDR@�
H�D���
H�D���
H��;��
H����
H�Dq��
H�����
H������H����
~�
ID@R@�
I�D���
I�D���
I��<��
I����
I�Dq��
I�����
I������I����
~�
JD€R@�
J�D���
J�D���
J��=��
J����
J�Dq��
J�����
J������J����
~�
KD繰@�
K�D���
K�D���
K�����
K����
K�Dq��
K�����
K������K����
~�
LDS@�
L�D���
L�D���
L��>��
L����
L�Dq��
L��7��
L��8���L����
~�
MD@S@�
M�D���
M�D
�
M��?��
M����
M�Dq��
M�����
M������M����
~�
ND€S@�
N�D���
N�D���
N�����
N����
N�Dq��
N��6��
N������N����
~�
OD繱@�
O�D���
O�D
�
O��@��
O����
O�Dq��
O�����
O������O����
~�
PDT@�
P�D���
P�D�
P��A��
P����
P�Dq��
P�����
P������P����
~�
QD@T@�
Q�D���
Q�D���
Q��B��
Q����
Q�Dq��
Q�����
Q������Q����
~�
RD€T@�
R�D���
R�D���
R��C��
R����
R�Dq��
R�����
R������R����
~�
SD繲@�
S�D���
S�D���
S��D��
S����
S�Dq��
S�����
S������S����
~�
TDU@�
T�D���
T�D���
T��E��
T����
T�Dq��
T�����
T������T����
~�
UD@U@�
U�D���
U�D���
U��F��
U����
U�Dq��
U�����
U������U����
~�
VD€U@�
V�D���
V�D���
V��G��
V�����
V�Dq��
V�����
V������V����
~�
WD繳@�
W�D���
W�D���
W��H��
W�����
W�Dq��
W�����
W������W����
�4�
��€€€€€€€€€€€€€€€€€€€€€€€�����&�`����E4��������(� ���
��4���餜��
���4
C������������������������]F�����!��d�
�����������Z��餜��
���4
C�������������������������]F�����!��d�
�����������Z��餜��
���4
C�������������������������]F�����!��d�
�����������Z��餜��
���4
C�������������������������]F�����!��d�
�����������Z��餜��
���4
C�������������������������]F�����!��d�
�����������Z��餜��
���4
C�������������������������]F�����!��d�
�����������Z��餜��
���4
C�������������������������]F�����!��d�
�����������Z��餜��
���4
C�������������������������]F�����!��d�
�����������Z��餜��
�� 4
C��������������������� ���]F��� �!��d�
�����������Z��餜��
��
4
C��������������������
���]F���
�!��d�
�����������Z��餜��
���4
C��������������������
����]F�����!��d�
����������>����@U����������A
�������������� 7������W ��W ��������;��€����Info��������;��€@���Fail��������;��€����Pass{�U{���W �����&��;��€������������{�U{���W ������&��;��€@����������{�U{���W ������&��;��€��������癙�������������;�����������PassFailN/AInfoN��W �� �Sheet7g��g��������D
����f2��蓘������K����#��5�o<�
����d�������褚MbP?_��*�+����€�%�������������&�ffffff�?'�ffffff�?(��?)��?Mb�CutePDF Writer������S飥����
o�d��X���X���Letter����PRIV�0��'�'�'�'�����\K�hC�u琟m�������SMTJ��CutePDF WriterResolution600dpiPageSizeLetterPageRegionLeadingEdgeInputSlotOnlyOne�"�d����X�X�333333�?333333�?���&��<3U��}����}���I���}�������}�������}���$���}�������}����*��}�������}� ����}�
����}���$ �t��t���
�����K�������€���������€�G�������€�G�������€�G�������€�G�������€�G�������€�G�������€�G������
€�G��� ���€�����
���€�������� €�������� €�����
���€��������
€���������€���������€���������€��������
€��������
€���������€��������
€��������
€���������€��������
€���������€��������
€���������€��������
€���������€��������
€��������
€���
�@�
����
����
��=�
����
����
��>�
����
��?�
�B�
�#~�
���?�
������
������
������
������
������
������
������������
~�
�D@�
��D���
��D���
������������
��D���
������
������������
~�
�D�@�
��D���
��D���
������������
��D���
������
������������
~�
�D�@�
��D���
��D���
������������
��D���
������
������������
~�
�D�@�
��D���
��D���
������������
��D���
������
������������
~�
�D�@�
��D���
��D���
������������
��D���
������
������������
~�
�D�@�
��D���
������
������������
��D���
������
������������
~�
�D @�
��D���
��D��
������������
��D���
������
������������
~�
D"@�
�D���
�����
�����
�����
��q��
�����
������ ����
~�
D$@�
�D���
�����
�����
�����
��q��
�����
��>���
����
~�
�D&@�
��D���
������
������
������
���q��
������
������������
~�
�D(@�
��D���
������
������
������
���q��
���K��
���L��������
~�
D*@�
�D���
�����
�����
�����
��q��
��M��
��N���
����
~�
�D,@�
��D���
������
������
������
���q��
������
���O��������
~�
�D.@�
��D���
������
��� ��
������
���q��
���P��
���Q��������
~�
�D0@�
��D���
������
���
��
������
���q��
���R��
���S��������
~�
�D1@�
��D���
������
������
������
���q��
���T��
���U��������
~�
�D2@�
��D���
������
������
������
���q��
���V��
���W��������
~�
�D3@�
��D���
������
������
������
���q��
���X��
���Y��������
~�
�D4@�
��D���
������
���
��
������
���q��
���Z��
���[��������
~�
�D5@�
��D���
������
���.��
������
���q��
���?��
���]��������
~�
�D6@�
��D���
������
������
������
���q��
���1��
���2��������
~�
�D7@�
��D���
������
������
������
���q��
���`��
���a��������
~�
�D8@�
��D���
������
������
������
���q��
���b��
���c��������
~�
�D9@�
��D���
������
������
������
���q��
���d��
���e��������
~�
�D:@�
��D���
������
������
������
���q��
���h��
���i��������
~�
�D;@�
��D���
������
������
������
���q��
���j��
���k��������
~�
�D<@�
��D���
������
������
������
���q��
���n��
���o��������
~�
�D=@�
��D���
������
������
������
���q��
���p��
���q��������
~�
�D>@�
��D���
������
������
������
���q��
���r��
���s��������
~�
�D?@�
��D���
������
������
������
���q��
���t��
���u��������
�D~�l��€|||||||€€€€€€€€€€€€€€€€€€€€€€��� ��
€�����!���€�����"���€�����#���€�����$���€�����%���€�����&�� €�����'��������(��������)��
�����*��
�����+��������,�� �����-��������.��������/���€�����0���€�����1���€�����2���€�����3���€�����4���€�����5���€�����6�� €�����7���€�����8���€�����9��
€�����:���€�����;���€�����<����€�����=���€�����>��
€�����?���€��~�
D@@��� �D*��
�����
�����
�����
��q��
��v��
��w��� ����
~�
!D€@@�
!�D���
!�����
!�����
!�����
!��q��
!��x��
!��y���!����
~�
"DA@�
"�D���
"�����
"�����
"�����
"��q��
"��3��
"��{���"����
~�
#D€A@�
#�D���
#�����
#�����
#�����
#��q��
#��9��
#��}���#����
~�
$DB@�
$�D���
$�����
$�� ��
$����
$��q��
$��:��
$�����$����
~�
%D€B@�
%�D���
%�����
%��!��
%�����
%��q��
%��€��
%������%����
~�
&�C@�
&�����
&�����
&��'��
&�����
&��q��
&��4��
&��5���&����
~�
'�€C@�
'�����
'�����
'��(��
'��"��
'��q��
'��b��
'��c���'����
~�
(�D@�
(�����
(�����
(��)��
(��#��
(��q��
(��d��
(��e���(����
~�
)�€D@�
)�����
)�����
)��*��
)�����
)��q��
)��f��
)��g���)����
~�
*�E@�
*�����
*�����
*��/��
*�����
*��q��
*��h��
*��i���*����
~�
+�€E@�
+�����
+�����
+��0��
+�����
+��q��
+��j��
+��k���+����
~�
,�F@�
,�����
,�����
,��-��
,�����
,��q��
,��l��
,��m���,����
~�
-�€F@�
-�����
-�����
-��2��
-�����
-��q��
-��2��
-��n���-����
~�
.�G@�
.�����
.�����
.��+��
.��$��
.��q��
.��p��
.��o���.����
~�
/�€G@�
/�����
/�����
/�����
/�����
/��q��
/�����
/������/����
~�
0DH@�
0�D���
0�����
0��3��
0����
0��q��
0�����
0������0����
~�
1D€H@�
1�D���
1�����
1��4��
1����
1��q��
1�����
1������1����
~�
2DI@�
2�D���
2�����
2��5��
2����
2��q��
2�����
2������2����
~�
3D€I@�
3�D���
3�����
3��6��
3����
3��q��
3�����
3������3����
~�
4DJ@�
4�D���
4�����
4��7��
4����
4��q��
4�����
4������4����
~�
5D€J@�
5�D���
5�����
5�����
5����
5��q��
5�����
5������5����
~�
6DK@�
6�D���
6�����
6�����
6����
6��q��
6�����
6������6����
~�
7D€K@�
7�D���
7�����
7��8��
7����
7��q��
7�����
7������7����
~�
8DL@�
8�D���
8�����
8��9��
8����
8��q��
8�����
8������8����
~�
9D€L@�
9�D���
9�����
9�����
9����
9��q��
9�����
9������9����
~�
:DM@�
:�D���
:�����
:��:��
:����
:��q��
:�����
:������:����
~�
;D€M@�
;�D���
;�����
;��;��
;����
;��q��
;�����
;������;����
~�
<�DN@�
<��D���
<������
<���<��
<�����
<���q��
<������
<�������<�����
~�
=D€N@�
=�D���
=�����
=��=��
=����
=��q��
=�����
=������=����
~�
>DO@�
>�D���
>�����
>�����
>����
>��q��
>�����
>������>����
~�
?D€O@�
?�D���
?�����
?��>��
?����
?��q��
?��7��
?��8���?����
�D~�l�~€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€���@���€�����A�� €�����B���€�����C��
€�����D���€�����E���€�����F���€�����G���€�����H�� €�����I���€�����J���€��~�
@DP@�
@�D���
@�����
@��?��
@����
@��q��
@�����
@������@����
~�
AD@P@�
A�D���
A�����
A�����
A����
A��q��
A��6��
A������A����
~�
BD€P@�
B�D���
B�����
B��@��
B����
B��q��
B�����
B������B����
~�
CD繮@�
C�D���
C���
C��A��
C����
C��q��
C�����
C������C����
~�
DDQ@�
D�D���
D�����
D��B��
D����
D��q��
D�����
D������D����
~�
ED@Q@�
E�D���
E�����
E��C��
E����
E��q��
E�����
E������E����
~�
FD€Q@�
F�D���
F�����
F��D��
F����
F��q��
F�����
F������F����
~�
GD繯@�
G�D���
G�����
G��E��
G����
G��q��
G�����
G������G����
~�
HDR@�
H�D���
H�����
H��F��
H����
H��q��
H�����
H������H����
~�
ID@R@�
I�D���
I�����
I��G��
I�����
I��q��
I�����
I������I����
~�
JD€R@�
J�D���
J�����
J��H��
J�����
J��q��
J��=��
J������J����
��\��€€€€€€€€€€�����&�p�����D��������(� ���
��D���餜��
���D
C������������������������]F�����!��d�
�����������Z��餜��
���D
C�������������������������]F�����!��d�
�����������Z��餜��
���D
C�������������������������]F�����!��d�
�����������Z��餜��
���D
C�������������������������]F�����!��d�
�����������Z��餜��
���D
C�������������������������]F�����!��d�
�����������Z��餜��
���D
C�������������������������]F�����!��d�
�����������Z��餜��
���D
C�������������������������]F�����!��d�
�����������Z��餜��
�� D
C�������������������������]F��� �!��d�
�����������Z��餜��
��
D
C��������������������� ���]F���
�!��d�
�����������Z��餜��
���D
C��������������������
���]F�����!��d�
�����������Z��餜��
���D
C��������������������
����]F�����!��d�
����������>����@U����������A
������������������J ��J ��������;��€����Info��������;��€@���Fail��������;��€����Pass{�U{���J �����&��;��€��������������{�U{���J ������&��;��€@������������{�U{���J ������&��;��€��������癙���������������;�����������PassFailN/AInfoN��J �� �Sheet6g��g��������D
����f2��蓘������W�I�怽�Xo�靯�
����d�������褚MbP?_��*�+����€�%�������������&��?'��?(��?)��?Mn�Microsoft Office Document Imag������/��d��X���X��Letter����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������widm������"�F���X�X��?�?���&���U��}����}���I���}�������}�������}���$�Z�}�������}����*��}�����H�}� ����}�
��H�}���$ ����Test Modulet�(t�
���������������
��W�������€�G�������€�G�������€�G�������€�G�������€�G�������€�G�������€�G�������€�G������
€�G��� ���€�\���
���€�������� €�������� €�����
���€��������
€���������€���������€���������€�H������
€�H������
€�H�������€�H�������€�H������
€�H�������€�H������
€�H�������€�H������
€�H������
€�H�������€�H������
€�H������
€�H�������€�H�
�@�
����
����
��=�
����
����
��>�
����
��?�
�B�
�#~�
���?�
������
������
������
������
������
������
������������
~�
�D@�
��D���
��D���
������������
��D���
������
������������
~�
�D�@�
��D���
��D���
������������
��D���
������
������������
~�
�D�@�
��D���
��D���
������������
��D���
������
������������
~�
�D�@�
��D���
��D���
������������
��D���
������
������������
~�
�D�@�
��D���
��D���
������������
��D���
������
������������
~�
�D�@�
��D���
������
������������
��D���
������
������������
~�
�D @�
��D���
�����
������������
��D���
������
������������
~�
�"@�
�����
�����
�����
�����
�����
�����
������ ����
~�
D$@�
�D���
�����
�����
�����
��q��
�����
��>���
����
~�
�D&@�
��D���
������
������
������
���q��
������
������������
~�
�D(@�
��D���
������
������
������
���q��
���K��
���L��������
~�
D*@�
�D���
�����
�����
�����
��q��
��M��
��N���
����
~�
�D,@�
��D���
������
������
������
���q��
������
���O��������
~�
�D.@�
��D���
������
��� ��
������
���q��
���P��
���Q��������
~�
�D0@�
��D���
������
���
��
������
���q��
���R��
���S��������
~�
�D1@�
��D���
������
������
������
���q��
���T��
���U��������
~�
�D2@�
��D���
������
������
������
���q��
���V��
���W��������
~�
�D3@�
��D���
������
������
������
���q��
���X��
���Y��������
~�
�D4@�
��D���
������
���
��
������
���q��
���Z��
���[��������
~�
�D5@�
��D���
������
���,��
������
���q��
���\��
���]��������
~�
�D6@�
��D���
������
������
������
���q��
���^��
���_��������
~�
�D7@�
��D���
������
������
������
���q��
���`��
���a��������
~�
�D8@�
��D���
������
������
������
���q��
���b��
���c��������
~�
�D9@�
��D���
������
������
������
���q��
���d��
���e��������
~�
�D:@�
��D���
������
������
������
���q��
���f��
���g��������
~�
�D;@�
��D���
������
������
������
���q��
���h��
���i��������
~�
�D<@�
��D���
������
������
������
���q��
���j��
���k��������
~�
�D=@�
��D���
������
������
������
���q��
���l��
���m��������
~�
�D>@�
��D���
������
������
������
���q��
���n��
���o��������
~�
�D?@�
��D���
������
������
������
���q��
���p��
���q��������
�D~�l��€|||||||€€€€€€€€€€€€€€€€€€€€€€��� ��
€�H���!��
€�H���"��
€�H���#���€�H���$���€�H���%���€�H���&���€�H���'���€�H���(��
€�H���)���€�H���*���€�H���+���€�H���,���€�H���-���€�H���.���€�H���/���€�H���0���€�H���1�� €�H���2���€�H���3��
€�H���4��������5��������6��������7��
�����8��������9�� �����:��������;��������<���������=��������>��������?�����~�
D@@�
�D���
�����
�����
�����
��q��
��r��
��s��� ����
~�
!D€@@�
!�D���
!�����
!�����
!�����
!��q��
!��t��
!��u���!����
~�
"DA@�
"�D���
"�����
"�����
"�����
"��q��
"��v��
"��w���"����
~�
#D€A@�
#�D���
#�����
#�����
#�����
#��q��
#��x��
#��y���#����
~�
$DB@�
$�D���
$�����
$�����
$�����
$��q��
$��z��
$��{���$����
~�
%D€B@�
%�D���
%�����
%�����
%�����
%��q��
%��|��
%��}���%����
~�
&DC@�
&�D���
&�����
&�� ��
&����
&��q��
&��~��
&�����&����
~�
'D€C@�
'�D���
'�����
'��!��
'�����
'��q��
'��€��
'������'����
~�
(DD@�
(�D���
(�����
(��"��
(�����
(��q��
(�����
(������(����
~�
)D€D@�
)�D���
)�����
)��#��
)�����
)��q��
)�����
)������)����
~�
*DE@�
*�D���
*�����
*��$��
*�����
*��q��
*�����
*������*����
~�
+D€E@�
+�D���
+�����
+�����
+�����
+��q��
+�����
+������+����
~�
,DF@�
,�D���
,�����
,��%��
,�����
,��q��
,�����
,������,����
~�
-D€F@�
-�D���
-�����
-��&��
-�����
-��q��
-�����
-������-����
~�
.DG@�
.�D���
.�����
.��'��
.�����
.��q��
.�����
.������.����
~�
/D€G@�
/�D���
/�����
/��(��
/�� ��
/��q��
/�����
/������/����
~�
0DH@�
0�D���
0�����
0��)��
0��
��
0��q��
0�����
0������0����
~�
1D€H@�
1�D���
1�����
1��*��
1�����
1��q��
1�����
1������1����
~�
2DI@�
2�D���
2�����
2�����
2�����
2��q��
2�����
2������2����
~�
3D€I@�
3�D���
3�����
3��+��
3��
��
3��q��
3�����
3������3����
~�
4DJ@�
4�D���
4�����
4��,��
4�����
4��q��
4�����
4������4����
~�
5D€J@�
5�D���
5�����
5��-��
5�����
5��q��
5�����
5������5����
~�
6DK@�
6�D���
6�����
6��.��
6�����
6��q��
6�����
6������6����
~�
7D€K@�
7�D���
7�����
7��/��
7�����
7��q��
7�����
7������7����
~�
8DL@�
8�D���
8�����
8��0��
8�����
8��q��
8�����
8������8����
~�
9D€L@�
9�D���
9�����
9��-��
9�����
9��q��
9�����
9������9����
~�
:DM@�
:�D���
:�����
:��2��
:�����
:��q��
:�����
:������:����
~�
;D€M@�
;�D���
;�����
;�����
;�����
;��q��
;�����
;������;����
~�
<�DN@�
<��D���
<������
<���3��
<�����
<���q��
<������
<�������<�����
~�
=D€N@�
=�D���
=�����
=��4��
=����
=��q��
=�����
=������=����
~�
>DO@�
>�D���
>�����
>��5��
>����
>��q��
>�����
>������>����
~�
?D€O@�
?�D���
?�����
?��6��
?����
?��q��
?�����
?������?����
�D€�l�€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€���@��������A��������B�� �����C��������D��������E��
�����F��������G��������H��������I��������J��
�����K��������L��������M�� �����N��������O��
�����P��������Q��������R��������S��������T�� �����U��������V�����~�
@DP@�
@�D���
@�����
@��7��
@����
@��q��
@�����
@������@����
~�
AD@P@�
A�D���
A�����
A�����
A����
A��q��
A�����
A������A����
~�
BD€P@�
B�D���
B�����
B�����
B����
B��q��
B�����
B������B����
~�
CD繮@�
C�D���
C�����
C��8��
C����
C��q��
C�����
C������C����
~�
DDQ@�
D�D���
D�����
D��9��
D����
D��q��
D�����
D������D����
~�
ED@Q@�
E�D���
E�����
E�����
E����
E��q��
E�����
E������E����
~�
FD€Q@�
F�D���
F�����
F��:��
F����
F��q��
F�����
F������F����
~�
GD繯@�
G�D���
G�����
G��;��
G����
G��q��
G�����
G������G����
~�
HDR@�
H�D���
H�����
H��<��
H����
H��q��
H�����
H������H����
~�
ID@R@�
I�D���
I�����
I��=��
I����
I��q��
I�����
I������I����
~�
JD€R@�
J�D���
J�����
J�����
J����
J��q��
J�����
J������J����
~�
KD繰@�
K�D���
K�����
K��>��
K����
K��q��
K��7��
K��8���K����
~�
LDS@�
L�D���
L�����
L��?��
L����
L��q��
L�����
L������L����
~�
MD@S@�
M�D���
M�����
M�����
M����
M��q��
M��6��
M������M����
~�
ND€S@�
N�D���
N�����
N��@��
N����
N��q��
N�����
N������N����
~�
OD繱@�
O�D���
O�����
O��A��
O����
O��q��
O�����
O������O����
~�
PDT@�
P�D���
P�����
P��B��
P����
P��q��
P�����
P������P����
~�
QD@T@�
Q�D���
Q�����
Q��C��
Q����
Q��q��
Q�����
Q������Q����
~�
RD€T@�
R�D���
R�����
R��D��
R����
R��q��
R�����
R������R����
~�
SD繲@�
S�D���
S�����
S��E��
S����
S��q��
S�����
S������S����
~�
TDU@�
T�D���
T�����
T��F��
T����
T��q��
T�����
T������T����
~�
UD@U@�
U�D���
U�����
U��G��
U�����
U��q��
U�����
U������U����
~�
VD€U@�
V�D���
V�����
V��H��
V�����
V��q��
V�����
V������V����
�2L
��€€€€€€€€€€€€€€€€€€€€€€����鹛�€����d���鸫����(� ���
������餜��
����
C������������������������]F�����!��d�
�����������Z��餜��
����
C�������������������������]F�����!��d�
�����������Z��餜��
����
C�������������������������]F�����!��d�
�����������Z��餜��
����
C�������������������������]F�����!��d�
�����������Z��餜��
����
C�������������������������]F�����!��d�
�����������Z��餜��
����
C�������������������������]F�����!��d�
�����������Z��餜��
�� �
C�������������������������]F��� �!��d�
�����������Z��餜��
��
�
C�������������������������]F���
�!��d�
�����������Z��餜��
����
C��������������������� ���]F�����!��d�
�����������Z��餜��
��
�
C��������������������
���]F���
�!��d�
����������>����@U����������A
�������������� 7��.��
����
���
�������
�����������;��€
���
�������
�����������
���������������������@���Pass��������;��€
���
�������
�����������
���������������������@���Fail��������;��€
���
�������
�����������
�������������������������Info������V ��V ��������;��€����Info��������;��€@���Fail��������;��€����Pass{�+{��
��������{�+{��
���������{�+{��
���������{�U{���V �����&��;��€������������{�U{���V ������&��;��€@����������{�U{���V ������&��;��€��������癙�������������;�����������PassFailN/AInfoN��V �� �Sheet5g��g��������D
����f2��蓘������S_��俊�嚧�丝�
����d�������褚MbP?_��*�+����€�%�������������&�ffffff�?'�ffffff�?(��?)��?Mb�CutePDF Writer������S飥����
o�d��X���X���Letter����PRIV�0��'�'�'�'�����\K�hC�u琟m�������SMTJ��CutePDF WriterResolution600dpiPageSizeLetterPageRegionLeadingEdgeInputSlotOnlyOne�"�d����X�X�333333�?333333�?���&��<3U��}����}���I���}�������}�������}���$���}�������}����*��}�������}� ����}�
����}���$ �t��t��
�����S�������€�G�������€�G�������€�G�������€�G�������€�G�������€�G�������€�G�������€�G������
€�G��� ���€�����
���€���������€��������������
�� ��������������������������������������������������������������������������������
������������������������������������������������������������������������������������
�@�
����
����
��=�
����
����
��>�
����
��?�
�B�
�#~�
���?�
������
������
������
������
������
������
������������
~�
�D@�
��D���
��D���
������������
��D���
������
������������
~�
�D�@�
��D���
��D���
������������
��D���
������
������������
~�
�D�@�
��D���
��D���
������������
��D���
������
������������
~�
�D�@�
��D���
��D���
������������
��D���
������
������������
~�
�D�@�
��D���
��D���
������������
��D���
������
������������
~�
�D�@�
��D���
������
������������
��D���
������
������������
~�
�D @�
��D���
�����
������������
��D���
������
������������
~�
D"@�
�D���
�Y���
�����
��d��
�����
�����
������ ����
~�
D$@�
�D���
�Y���
�����
��e��
�����
�����
������
����
~�
��&@�
������
������
������
���f��
������
������
������������
~�
�D(@�
��D���
������
���g��
���/��
���q��
���E��
���F��������
~�
D*@�
�D���
�����
��h��
��/��
��q��
�����
��@���
����
~�
�D,@�
��D���
������
���i��
���0��
���q��
������
���A��������
~�
�D.@�
��D���
������
���j��
���1��
���q��
������
������������
~�
�D0@�
��D���
������
���k��
���2��
���q��
���H��
���G��������
~�
�D1@�
��D���
������
���l��
���3��
���q��
���I��
���J��������
~�
�D2@�
��D���
������
���m��
���4��
���q��
���K��
���L��������
~�
�D3@�
��D���
������
���n��
���5��
���q��
���M��
���N��������
~�
�D4@�
��D���
������
���n��
���5��
���q��
���O��
���B��������
~�
�D5@�
��D���
������
���o��
���6��
���q��
���P��
���Q��������
~�
�D6@�
��D���
������
���p��
���7��
���q��
���R��
���S��������
~�
�D7@�
��D���
������
���q��
���8��
���q��
���T��
���U��������
~�
�D8@�
��D���
������
���r��
���9��
���q��
���V��
���W��������
~�
�D9@�
��D���
������
���s��
���:��
���q��
���X��
���Y��������
~�
�D:@�
��D���
������
���t��
���:��
���q��
���Z��
���[��������
~�
�D;@�
��D���
������
���u��
���;��
���q��
���C��
���D��������
~�
�D<@�
��D���
������
���v��
���<��
���q��
���\��
���]��������
~�
�D=@�
��D���
������
���v��
���=��
���q��
���^��
���_��������
~�
�D>@�
��D���
������
���w��
���<��
���q��
���a��
���`��������
~�
�D?@�
��D���
������
���w��
���=��
���q��
���c��
���b��������
�D~�l��€|||||||€€€€€€€€€€€€€€€€€€€€€€��� ��������!��
�����"��������#��������$��������%��������&��������'��������(��������)��������*��������+��������,��������-��������.��������/��������0��������1��������2��������3��
�����4��������5��������6��������7��������8��������9��������:��������;��������<���������=��������>��������?�����~�
D@@�
�D���
�����
��x��
��>��
��q��
��d��
��e��� ����
~�
!D€@@�
!�D���
!�����
!��y��
!��?��
!��q��
!��f��
!��g���!����
~�
"DA@�
"�D���
"�����
"��z��
"��?��
"��q��
"��h��
"��i���"����
~�
#D€A@�
#�D���
#�����
#��{��
#��?��
#��q��
#��j��
#��k���#����
~�
$DB@�
$�D���
$�����
$��|��
$��@��
$��q��
$��m��
$��l���$����
~�
%D€B@�
%�D���
%�����
%��}��
%��A��
%��q��
%��n��
%��o���%����
~�
&DC@�
&�D���
&�����
&��~��
&��A��
&��q��
&��p��
&��q���&����
~�
'D€C@�
'�D���
'�����
'����
'��B��
'��q��
'��r��
'��t���'����
~�
(DD@�
(�D���
(�����
(��€��
(��C��
(��q��
(��s��
(��u���(����
~�
)D€D@�
)�D���
)�����
)�����
)��D��
)��q��
)��v��
)��w���)����
~�
*DE@�
*�D���
*�����
*�����
*��E��
*��q��
*��y��
*��x���*����
~�
+D€E@�
+�D���
+�����
+�����
+��E��
+��q��
+��z��
+��{���+����
~�
,DF@�
,�D���
,�����
,�����
,��F��
,��q��
,��|��
,��}���,����
~�
-D€F@�
-�D���
-�����
-�����
-��G��
-��q��
-��~��
-�����-����
~�
.DG@�
.�D���
.�����
.�����
.��H��
.��q��
.��€��
.������.����
~�
/D€G@�
/�D���
/�����
/�����
/��I��
/��q��
/�����
/������/����
~�
0DH@�
0�D���
0�����
0�����
0��J��
0��q��
0�����
0������0����
~�
1D€H@�
1�D���
1�����
1�����
1��J��
1��q��
1�����
1������1����
~�
2DI@�
2�D���
2�����
2�����
2��K��
2��q��
2�����
2������2����
~�
3D€I@�
3�D���
3�����
3�����
3��J��
3��q��
3�����
3������3����
~�
4DJ@�
4�D���
4�����
4�����
4��J��
4��q��
4�����
4������4����
~�
5D€J@�
5�D���
5�����
5�����
5��L��
5��q��
5�����
5������5����
~�
6DK@�
6�D���
6�����
6�����
6��M��
6��q��
6��9��
6��:���6����
~�
7D€K@�
7�D���
7�����
7�����
7��N��
7��q��
7�����
7������7����
~�
8DL@�
8�D���
8�����
8�����
8��N��
8��q��
8�����
8������8����
~�
9D€L@�
9�D���
9�����
9�����
9��O��
9��q��
9�����
9������9����
~�
:DM@�
:�D���
:�����
:�����
:��P��
:��q��
:�����
:������:����
~�
;D€M@�
;�D���
;�����
;�����
;��Q��
;��q��
;�����
;������;����
~�
<�DN@�
<��D���
<������
<������
<���R��
<���q��
<������
<�������<�����
~�
=D€N@�
=�D���
=�����
=�����
=��R��
=��q��
=�����
=������=����
~�
>DO@�
>�D���
>�����
>�����
>��S��
>��q��
>�����
>������>����
~�
?D€O@�
?�D���
?�����
?�����
?��T��
?��q��
?�����
?������?����
�D€�l�€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€���@��������A��������B��
�����C��������D��������E��������F��������G��������H��������I��
�����J��������K��������L��������M��������N��������O��������P��������Q��������R�� ��~�
@DP@�
@�D���
@�����
@�����
@��U��
@��q��
@�����
@������@����
~�
AD@P@�
A�D���
A�����
A�����
A��V��
A��q��
A�����
A������A����
~�
BD€P@�
B�D���
B�����
B�����
B��W��
B��q��
B�����
B������B����
~�
CD繮@�
C�D���
C�����
C�����
C��?��
C��q��
C�����
C������C����
~�
DDQ@�
D�D���
D�����
D�����
D��X��
D��q��
D�����
D������D����
~�
ED@Q@�
E�D���
E�����
E�����
E��X��
E��q��
E�����
E������E����
~�
FD€Q@�
F�D���
F�����
F�����
F��X��
F��q��
F�����
F������F����
~�
GD繯@�
G�D���
G�����
G�����
G��Y��
G��q��
G�����
G������G����
~�
HDR@�
H�D���
H�����
H�����
H��Z��
H��q��
H�����
H������H����
~�
ID@R@�
I�D���
I�����
I�����
I��[��
I��q��
I�����
I������I����
~�
JD€R@�
J�D���
J�����
J�����
J��\��
J��q��
J�����
J������J����
~�
KD繰@�
K�D���
K�����
K�����
K��]��
K��q��
K�����
K������K����
~�
LDS@�
L�D���
L�����
L�����
L��^��
L��q��
L�����
L������L����
~�
MD@S@�
M�D���
M�����
M�����
M��\��
M��q��
M�����
M������M����
~�
ND€S@�
N�D���
N�����
N�����
N��_��
N��q��
N�����
N������N����
~�
OD繱@�
O�D���
O�����
O�����
O��`��
O��q��
O�����
O������O����
~�
PDT@�
P�D���
P�����
P�����
P��a��
P��q��
P�����
P������P����
~�
QD@T@�
Q�D���
Q�����
Q�����
Q��b��
Q��q��
Q�����
Q������Q����
~�
RD€T@�
R�D���
R�����
R�����
R��c��
R��q��
R�����
R������R����
�*�
h�€€€€€€€€€€€€€€€€€€�����&������
H��������(� ���
��H���餜��
���H
C������������������������]F�����!��d�
�����������Z��餜��
���H
C�������������������������]F�����!��d�
�����������Z��餜��
���H
C�������������������������]F�����!��d�
�����������Z��餜��
���H
C�������������������������]F�����!��d�
�����������Z��餜��
���H
C�������������������������]F�����!��d�
�����������Z��餜��
���H
C�������������������������]F�����!��d�
�����������Z��餜��
���H
C�������������������������]F�����!��d�
�����������Z��餜��
�� H
C�������������������������]F��� �!��d�
�����������Z��餜��
��
H
C��������������������� ���]F���
�!��d�
�����������Z��餜��
���H
C��������������������
���]F�����!��d�
�����������Z��餜��
���H
C��������������������
����]F�����!��d�
����������>����@U����������A
������������������R ��R ��������;��€����Info��������;��€@���Fail��������;��€����Pass{�U{���R �����&��;��€������������{�U{���R ������&��;��€@����������{�U{���R ������&��;��€��������癙�������������;�����������PassFailN/AInfoN��R �� �Sheet8g��g��������D
����f2��蓘������Pb��拟�岝�:��
����d�������褚MbP?_��*�+����€�%�������������&�ffffff�?'�ffffff�?(��?)��?Mb�CutePDF Writer������S飥����
o�d��X���X���Letter����PRIV�0��'�'�'�'�����\K�hC�u琟m�������SMTJ��CutePDF WriterResolution600dpiPageSizeLetterPageRegionLeadingEdgeInputSlotOnlyOne�"�d����X�X�333333�?333333�?���&��<3U��}����}���I���}�������}�������}���$���}�������}����*��}�������}� ����}�
����}���$ �t��t���
�����P�������€�G�������€�G�������€�G�������€�G�������€�G�������€�G�������€�G�������€�G������
€�G��� ���€�����
���€���������€���������€�����
�� €��������������������������
��������������������������������������������
���������������������������������������������������������������������������������������������
�@�
����
����
��=�
����
����
��>�
����
��?�
�B�
�#~�
���?�
������
������
������
������
������
������
������������
~�
�D@�
��D���
��D���
������������
��D���
������
������������
~�
�D�@�
��D���
��D���
������������
��D���
������
������������
~�
�D�@�
��D���
��D���
������������
��D���
������
������������
~�
�D�@�
��D���
��D���
������������
��D���
������
������������
~�
�D�@�
��D���
��D���
������������
��D���
������
������������
~�
�D�@�
��D���
������
������������
��D���
������
������������
~�
�D @�
��D���
�����
������������
��D���
������
������������
~�
D"@�
�D���
�Y���
�����
��d��
�����
�����
������ ����
~�
D$@�
�D���
�Y���
�����
��e��
�����
�����
������
����
~�
�D&@�
��D���
��Y���
������
���f��
������
������
������������
~�
�D(@�
��D���
��Y���
���g��
���/��
������
������
������������
~�
�*@�
�����
�����
��h��
��/��
��*��
�����
��@���
����
~�
�D,@�
��D���
������
���i��
���0��
���q��
������
���A��������
~�
�D.@�
��D���
������
���j��
���1��
���q��
������
������������
~�
�D0@�
��D���
������
���k��
���2��
���q��
������
������������
~�
�D1@�
��D���
������
���l��
���3��
���q��
������
���J��������
~�
�D2@�
��D���
������
���m��
���4��
���q��
������
���L��������
~�
�D3@�
��D���
������
���n��
���5��
���q��
���M��
���N��������
~�
�D4@�
��D���
������
���n��
���5��
���q��
���O��
���B��������
~�
�D5@�
��D���
������
���p��
���7��
���q��
������
���S��������
~�
�D6@�
��D���
������
���q��
���8��
���q��
������
���U��������
~�
�D7@�
��D���
������
���r��
���9��
���q��
������
���W��������
~�
�D8@�
��D���
������
������
���:��
���q��
��� ��
���!��������
~�
�D9@�
��D���
������
������
���:��
���q��
������
������������
~�
�D:@�
��D���
������
���t��
���:��
���q��
������
���[��������
~�
�D;@�
��D���
������
���u��
���;��
���q��
������
������������
~�
�D<@�
��D���
������
������
���<��
���q��
������
������������
~�
�D=@�
��D���
������
���x��
���>��
���q��
���"��
���#��������
~�
�D>@�
��D���
������
������
���?��
���q��
������
������������
~�
�D?@�
��D���
������
���y��
���?��
���q��
���$��
���%��������
�D~�l��€|||||||€€€€€€€€€€€€€€€€€€€€€€��� ��������!��������"��������#��������$��������%��������&��������'��������(��������)��������*��������+��������,��������-��������.��������/��������0��������1��
�����2��������3��������4��������5��������6��������7��������8��������9��������:��������;��������<���������=��������>��
�����?�����~�
D@@�
�D���
�����
��z��
��?��
��q��
��&��
��'��� ����
~�
!D€@@�
!�D���
!�����
!��z��
!��?��
!��q��
!��(��
!��)���!����
~�
"DA@�
"�D���
"�����
"�����
"��?��
"��q��
"�����
"������"����
~�
#D€A@�
#�D���
#�����
#�����
#��@��
#��q��
#�����
#������#����
~�
$DB@�
$�D���
$�����
$�����
$��A��
$��q��
$�����
$������$����
~�
%D€B@�
%�D���
%�����
%����
%��B��
%��q��
%�����
%������%����
~�
&DC@�
&�D���
&�����
&��€��
&��C��
&��q��
&�����
&������&����
~�
'D€C@�
'�D���
'�����
'�����
'��D��
'��q��
'�����
'��w���'����
~�
(DD@�
(�D���
(�����
(�����
(��E��
(��q��
(�����
(������(����
~�
)D€D@�
)�D���
)�����
)�����
)��E��
)��q��
)�����
)������)����
~�
*DE@�
*�D���
*�����
*�����
*��F��
*��q��
*�����
*������*����
~�
+D€E@�
+�D���
+�����
+�����
+��G��
+��q��
+�����
+�����+����
~�
,DF@�
,�D���
,�����
,�����
,��H��
,��q��
,�����
,������,����
~�
-D€F@�
-�D���
-�����
-�����
-��I��
-��q��
-�����
-������-����
~�
.DG@�
.�D���
.�����
.�����
.��J��
.��q��
.�����
.������.����
~�
/D€G@�
/�D���
/�����
/�����
/��J��
/��q��
/�����
/������/����
~�
0DH@�
0�D���
0�����
0�����
0��K��
0��q��
0�����
0������0����
~�
1D€H@�
1�D���
1�����
1�����
1��J��
1��q��
1�����
1������1����
~�
2DI@�
2�D���
2�����
2�����
2��J��
2��q��
2�����
2������2����
~�
3D€I@�
3�D���
3�����
3�����
3��L��
3��q��
3�����
3������3����
~�
4DJ@�
4�D���
4�����
4�����
4��M��
4��q��
4��;��
4��:���4����
~�
5D€J@�
5�D���
5�����
5�����
5�����
5��q��
5�����
5������5����
~�
6DK@�
6�D���
6�����
6�����
6��P��
6��q��
6�����
6������6����
~�
7D€K@�
7�D���
7�����
7�����
7��Q��
7��q��
7�����
7������7����
~�
8DL@�
8�D���
8�����
8�����
8��R��
8��q��
8�����
8������8����
~�
9D€L@�
9�D���
9�����
9�����
9��R��
9��q��
9�����
9������9����
~�
:DM@�
:�D���
:�����
:�����
:��S��
:��q��
:�����
:������:����
~�
;D€M@�
;�D���
;�����
;�����
;��T��
;��q��
;�����
;������;����
~�
<�DN@�
<��D���
<������
<������
<���U��
<���q��
<������
<�������<�����
~�
=D€N@�
=�D���
=�����
=�����
=��V��
=��q��
=�����
=������=����
~�
>DO@�
>�D���
>�����
>�����
>��W��
>��q��
>�����
>������>����
~�
?D€O@�
?�D���
?�����
?�����
?�����
?��q��
?����
?������?����
�D€�l�€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€���@��������A��������B�� �����C��������D��������E��������F��������G��������H��������I��������J��������K��
�����L��������M�� �����N�������O����~�
@DP@�
@�D���
@�����
@�����
@��X��
@��q��
@�����
@������@����
~�
AD@P@�
A�D���
A�����
A�����
A��Y��
A��q��
A�����
A������A����
~�
BD€P@�
B�D���
B�����
B�����
B�����
B��q��
B�����
B������B����
~�
CD繮@�
C�D���
C�����
C�����
C�����
C��q��
C�����
C������C����
~�
DDQ@�
D�D���
D�����
D�����
D��[��
D��q��
D��
��
D�� ���D����
~�
ED@Q@�
E�D���
E�����
E�����
E��\��
E��q��
E�����
E������E����
~�
FD€Q@�
F�D���
F�����
F�����
F��]��
F��q��
F��
��
F������F����
~�
GD繯@�
G�D���
G�����
G�����
G��^��
G��q��
G�����
G������G����
~�
HDR@�
H�D���
H�����
H�����
H��\��
H��q��
H�����
H������H����
~�
ID@R@�
I�D���
I�����
I�����
I��_��
I��q��
I�����
I������I����
~�
JD€R@�
J�D���
J�����
J�����
J��`��
J��q��
J�����
J������J����
~�
KD繰@�
K�D���
K�����
K�����
K��a��
K��q��
K�����
K������K����
~�
LDS@�
L�D���
L�����
L�����
L��b��
L��q��
L�����
L������L����
~�
MD@S@�
M�D���
M�����
M�����
M��c��
M��q��
M�����
M������M����
���N���
N��� �
O��� �$f�,�€€€€€€€€€€€€€€������&�������@��������(� ���
��@���餜��
���@
C������������������������]F�����!��d�
�����������Z��餜��
���@
C�������������������������]F�����!��d�
�����������Z��餜��
���@
C�������������������������]F�����!��d�
�����������Z��餜��
���@
C�������������������������]F�����!��d�
�����������Z��餜��
���@
C�������������������������]F�����!��d�
�����������Z��餜��
���@
C�������������������������]F�����!��d�
�����������Z��餜��
���@
C�������������������������]F�����!��d�
�����������Z��餜��
�� @
C�������������������������]F��� �!��d�
�����������Z��餜��
��
@
C��������������������� ���]F���
�!��d�
�����������Z��餜��
���@
C��������������������
���]F�����!��d�
�����������Z��餜��
���@
C��������������������
����]F�����!��d�
����������>����@U����������A
������������������M ��M ��������;��€����Info��������;��€@���Fail��������;��€����Pass{�U{���M �����&��;��€��������������{�U{���M ������&��;��€@������������{�U{���M ������&��;��€��������癙���������������;�����������PassFailN/AInfoN��M ��
�Sheet10g��g��������D
����f2��蓘������Q�
��
����d�������褚MbP?_��*�+����€�%�������������&�ffffff�?'�ffffff�?(��?)��?Mb�CutePDF Writer������S飥����
o�d��X���X���Letter����PRIV�0��'�'�'�'�����\K�hC�u琟m�������SMTJ��CutePDF WriterResolution600dpiPageSizeLetterPageRegionLeadingEdgeInputSlotOnlyOne�"�d����X�X�333333�?333333�?���&��<3U��}����}���I���}�������}�������}���$���}�������}����*��}�������}� ����}�
����}������}���$ �t��t��������Q�������€�G�������€�G�������€�G�������€�G�������€�G�������€�G�������€�G�������€�G������
€�G��� ��������
��������������������������
��������������������������������������
�����������������������������������������������������������������������
����������������� ����������������� ���������������������
�@�
����
����
��=�
����
����
��>�
����
��?�
�B�
�#~�
�D�?�
��D���
��D���
������
������
��D���
������
������������
~�
�D@�
��D���
��D���
������������
��D���
������
������������
~�
�D�@�
��D���
��D���
������������
��D���
������
������������
~�
�D�@�
��D���
��D���
������������
��D���
������
������������
~�
�D�@�
��D���
��D���
������������
��D���
������
������������
~�
�D�@�
��D���
��D���
������������
��D���
������
������������
~�
�D�@�
��D���
������
������������
��D���
������
������������
~�
�D @�
��D���
�����
������������
��D���
������
������������
~�
D"@�
�D���
�����
�����
��d��
�D���
�����
������ ����
~�
D$@�
�D���
�����
�����
��e��
�D���
�����
������
����
~�
�D&@�
��D���
������
������
���f��
��D���
������
������������
~�
�D(@�
��D���
������
������
������
��D���
���+��
���,��������
~�
D*@�
�D���
�����
�����
�����
�D���
��-��
��.���
����
~�
�D,@�
��D���
������
������
������
��D���
���/��
���0��������
~�
�D.@�
��D���
������
������
������
��D���
���1��
���2��������
~�
�D0@�
��D���
������
������
������
��D���
���3��
���4��������
~�
�D1@�
��D���
��D���
������
������
��D���
���6��
���5��������
~�
�D2@�
��D���
������
������
������
��D���
���7��
���8��������
~�
�D3@�
��D���
������
������
������
��D���
���:��
���9��������
~�
�D4@�
��D���
������
������
������
��D���
���;��
���<��������
~�
�D5@�
��D���
������
������
������
��D���
���0��
���=��������
~�
�D6@�
��D���
������
������
������
��D���
���>��
���?��������
~�
�D7@�
��D���
������
������
������
��D���
���@��
���A��������
~�
�D8@�
��D���
������
������
������
��D���
������
������������
~�
�D9@�
��D���
������
������
������
��D���
���B��
���C��������
~�
�D:@�
��D���
������
������
������
��D���
���D��
���E��������
~�
�D;@�
��D���
������
������
������
��D���
���F��
���G��������
~�
�D<@�
��D���
������
������
������
��D���
���H��
���I��������
~�
�D=@�
��D���
��� ��
������
������
��D���
���J��
���I��������
~�
�D>@�
��D���
������
������
������
��D���
���K��
���L��������
~�
�D?@�
��D���
������
������
������
��D���
���N��
���M��������
�D~�l��€|||||||€€€€€€€€€€€€€€€€€€€€€€��� ��������!��������"��������#��������$��������%��������&��������'��������(��������)��������*��������+��������,��
�����-��������.��������/��������0��������1��������2��������3��������4��
�����5��������6��������7��������8��
�����9��������:��������;��������<���������=��������>��������?�����~�
D@@�
�D���
�����
����
�����
�D���
��O��
��P��� ����
~�
!D€@@�
!�D���
!��C�
!�����
!�����
!�D���
!��Q��
!��I���!����
~�
"DA@�
"�D���
"�����
"�����
"�����
"�D���
"��R��
"��S���"����
~�
#D€A@�
#�D���
#�����
#�����
#�����
#�D���
#��T��
#��U���#����
~�
$DB@�
$�D���
$�����
$�����
$�����
$�D���
$��V��
$��W���$����
~�
%D€B@�
%�D���
%�����
%�����
%�����
%�D���
%��X��
%��Y���%����
~�
&DC@�
&�D���
&�����
&�����
&�����
&�D���
&��Z��
&��[���&����
~�
'D€C@�
'�D���
'�����
'�����
'�����
'�D���
'��\��
'��]���'����
~�
(DD@�
(�D���
(�����
(�����
(�����
(�D���
(��_��
(��^���(����
~�
)D€D@�
)�D���
)�����
)�� ��
)�����
)�D���
)��`��
)��a���)����
~�
*DE@�
*�D���
*�����
*��
��
*�����
*�D���
*��b��
*��c���*����
~�
+D€E@�
+�D���
+�����
+�����
+�����
+�D���
+��e��
+��d���+����
~�
,DF@�
,�D���
,�����
,�����
,�����
,�D���
,��f��
,��g���,����
~�
-D€F@�
-�D���
-�����
-��
��
-�����
-�D���
-��h��
-��i���-����
~�
.DG@�
.�D���
.�����
.�����
.�����
.�D���
.��j��
.��k���.����
~�
/D€G@�
/�D���
/����
/�����
/�����
/�D���
/��l��
/��m���/����
~�
0DH@�
0�D���
0����
0�����
0�����
0�D���
0��n��
0��o���0����
~�
1D€H@�
1�D���
1����
1�����
1�����
1�D���
1��p��
1��q���1����
~�
2DI@�
2�D���
2�����
2�����
2�����
2�D���
2��r��
2��s���2����
~�
3D€I@�
3�D���
3�����
3�����
3�����
3�D���
3��t��
3��u���3����
~�
4DJ@�
4�D���
4�����
4�����
4�����
4�D���
4��v��
4��w���4����
~�
5D€J@�
5�D���
5�����
5�����
5�����
5�D���
5��x��
5��y���5����
~�
6DK@�
6�D���
6�D���
6�����
6�����
6�D���
6��z��
6��{���6����
~�
7D€K@�
7�D���
7�����
7�����
7�����
7�D���
7��|��
7��}���7����
~�
8DL@�
8�D���
8�����
8�����
8�����
8�D���
8��~��
8�����8����
~�
9D€L@�
9�D���
9�����
9�����
9�����
9�D���
9��€��
9������9����
~�
:DM@�
:�D���
:�����
:�����
:�����
:�D���
:�����
:������:����
~�
;D€M@�
;�D���
;�����
;�����
;�����
;�D���
;�����
;������;����
~�
<�DN@�
<��D���
<������
<������
<������
<��D���
<������
<�������<�����
~�
=D€N@�
=�D���
=�����
=�����
=�����
=�D���
=�����
=��s���=����
~�
>DO@�
>�D���
>�����
>�����
>�����
>�D���
>�����
>��s���>����
~�
?D€O@�
?�D���
?�����
?�����
?�����
?�D���
?�����
?��s���?����
�D€�l�€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€���@��������A��������B��������C�� �����D��������E��������F�� �����G�� �����H��������I�� �����J��������K��������L��������M��������N��������O��������P�����~�
@DP@�
@�D���
@�����
@�� ��
@�����
@�D���
@�����
@��s���@����
~�
AD@P@�
A�D���
A�����
A��!��
A�����
A�D���
A�����
A������A����
~�
BD€P@�
B�D���
B�����
B��"��
B�����
B�D���
B�����
B��s���B����
~�
CD繮@�
C�D���
C�����
C��#��
C�����
C�D���
C�����
C������C����
~�
DDQ@�
D�D���
D�����
D��$��
D�����
D�D���
D�����
D������D����
~�
ED@Q@�
E�D���
E����
E��%��
E�����
E�D���
E�����
E������E����
~�
FD€Q@�
F�D���
F����
F��&��
F�����
F�D���
F�����
F��m���F����
~�
GD繯@�
G�D���
G�����
G��'��
G�����
G�D���
G�����
G������G����
~�
HDR@�
H�D���
H�����
H��(��
H�����
H�D���
H�����
H������H����
~�
ID@R@�
I�D���
I�����
I��)��
I�����
I�D���
I�����
I������I����
~�
JD€R@�
J�D���
J�D���
J��*��
J�����
J�D���
J�����
J������J����
~�
KD繰@�
K�D���
K�����
K��+��
K�����
K�D���
K�����
K������K����
~�
LDS@�
L�D���
L�����
L��,��
L�����
L�D���
L�����
L������L����
~�
MD@S@�
M�D���
M�����
M��-��
M�����
M�D���
M�����
M������M����
~�
ND€S@�
N�D���
N�����
N��.��
N�����
N�D���
N�����
N������N����
~�
OD繱@�
O�D���
O�����
O��/��
O�����
O�D���
O�����
O������O����
~�
PDT@�
P�D���
P�����
P�����
P��\��
P�D���
P�����
P������P����
�&� @�€€€€€€€€€€€€€€€€�����&�������L��������(� ���
��L���餜��
���L
C������������������������]F�����!��d�
�����������Z��餜��
���L
C�������������������������]F�����!��d�
�����������Z��餜��
���L
C�������������������������]F�����!��d�
�����������Z��餜��
���L
C�������������������������]F�����!��d�
�����������Z��餜��
���L
C�������������������������]F�����!��d�
�����������Z��餜��
���L
C�������������������������]F�����!��d�
�����������Z��餜��
�� L
C�������������������������]F��� �!��d�
�����������Z��餜��
��
L
C�������������������������]F���
�!��d�
�����������Z��餜��
���L
C��������������������� ���]F�����!��d�
�����������Z��餜��
���L
C��������������������
���]F�����!��d�
�����������Z��餜��
��
L
C��������������������
����]F���
�!��d�
����������>����@U����������A
������������������P ��P ��������;��€����Info��������;��€@���Fail��������;��€����Pass{�U{���P �����&��;��€��������������{�U{���P ������&��;��€@������������{�U{���P ������&��;��€��������癙���������������;�����������PassFailN/AInfoN��P ��
�Sheet13g��g��������D
����f2��蓘�����$�VI�~O�芔��\�Vb�~g�
����d�������褚MbP?_��*�+����€�%�������������&�ffffff�?'�ffffff�?(��?)��?�"��������333333�?333333�?Fa��&��<3U��}����8��������������������������������������������������������������������������� �
�����
������������������������������"���0��� �!�#�+�$�%�&�'�(�)�*�,�5�-�.�/�1�C�2�3�4�6�>�7�8�9�:�;�<�=�@�N����A�B�D����E�O�G�H�I�J�K�L�M�?�U�P�Q�R�S�T����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������� �������
�����������������������
�����������������������������������������������������������������������������������������������������������������������������������������������������
t��
�ug�
�v��
���i�
�v��
���i�
�v��
���i�
�v��
���i�
�v��
���i�
�vI�
���q�
�vC�
���i�
����
�����
���
����
v��
��i�
�v��
���i�
�v��
���i�
v��
��i�
����
���i�
��J�
���q�
��K�
���q�
�v{�
���i�
�v|�
���i�
�v}�
���i�
�v~�
���i�
�v�
���i�
�z€�
���i�
�v��
���i�
�v��
���i�
�v��
���i�
�v��
���i�
�v��
���i�
�v��
���i�
�v��
���i�
�v��
���i�
�vD�
��wi�D�l����������������������������������� �������!�������"�������#�������$�������%�������&�������'�������(�������)�������*�������+�������,�������-�������.�������/�������0�������1�������2�������3�������4�������5�������6�������7�������8�������9�������:�������;�������<��������=�������>�������?�����
v��
�wi�
!v��
!�wi�
"v��
"�[q�
#v��
#�wi�
$v��
$�wi�
%x��
%�y��
&e��
&�[q�
'e��
'�[q�
(e��
(�[q�
)v��
)�wi�
*v��
*�[q�
+x��
+�y��
,x��
,�y��
-v��
-�wi�
.x��
.�y��
/x��
/�y��
0x��
0�y��
1v��
1�wi�
2vE�
2�wi�
3v��
3�wi�
4v��
4�wi�
5v��
5�wi�
6v��
6�wi�
7v��
7�wi�
8e��
8�[��
9e��
9�[��
:e��
:�[��
;e��
;�[��
<�e��
<��[��
=e��
=�[��
>e �
>�[��
?vm�
?�wi�D�l�����������������������������������@�������A�������B�������C�������D�������E�������F�������G�������H�������I�������J�������K�������L�������M�������N�������O�������P�������Q�������R�������S�������T�������U�������V�������W�������X�������Y�������Z�������[�������\�������]�������^�������_�����
@vn�
@�wi�
Avo�
A�wi�
Bvp�
B�wi�
Cvr�
C�wi�
De��
D�[��
Ee��
E�[��
Fe��
F�[��
Ge��
G�[��
He��
H�[��
Ie��
I�[��
Je��
J�[��
Ke��
K�[��
Le��
L�[q�
Me��
M�[q�
Ne��
N�[q�
Oe��
O�[q�
Pe��
P�[q�
Qe��
Q�[q�
Re��
R�[q�
Se��
S�[��
Te��
T�[��
Ue��
U�[��
VeY�
V�Lq�
WeZ�
W�Li�
Xe[�
X�Lq�
Ye\�
Y�L��
Ze]�
Z�Lq�
[e^�
[�Lq�
\e_�
\�Lq�
]e`�
]�Lq�
^ea�
^�Lq�
_eb�
_�Lq�D�l�����������������������������������`�������a�������b�������c�������d�������e�������f�������g�������h�������i�������j�������k�������l�������m�������n�������o�������p�������q�������r�������s�������t�������u�������v�������w�������x�������y�������z�������{�������|�������}�������~������������
`ec�
`�Lq�
ax��
a�y��
bx��
b�y��
cx��
c�y��
dx��
d�y��
ex��
e�y��
fx��
f�y��
gx��
g�y��
hx��
h�y��
ivh�
i�wi�
jxj�
j�wi�
kvk�
k�wi�
lvl�
l�wi�
mvs�
m�wi�
nvt�
n�wi�
ovu�
o�wi�
pvv�
p�wi�
qvw�
q�wi�
rvx�
r�wi�
svy�
s�wi�
tv
�
t�wi�
uxz�
u�y��
vx��
v�wi�
wx��
w�wi�
xxL�
x�[q�
yxM�
y�[q�
zxN�
z�[q�
{v��
{�wi�
|�
�
|��i�
}v�
}��i�
~v��
~�wi�
v��
�wi�D�l�����������������������������������€�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������
€vW�
€�[q�
�v��
��wi�
�v��
��wi�
�v��
��wi�
�v��
��[q�
�v��
��[q�
�vO�
��[q�
�vP�
��[q�
�vQ�
��[q�
�vF�
��[q�
�vR�
��[q�
�vS�
��[q�
�vT�
��[q�
�vG�
��wi�
�vU�
��[q�
�vV�
��[q�
�v��
��wi�
�v��
��wi�
�v��
��wi�
�vH�
��wi�
�v��
��wq�
�v��
��[i�
�v��
��[i�
�v��
��[i�
�x��
��y��
�xX�
��wq�8������������������������������P��餒�����X���0���(� ���
��X�>����@������A
�������������� 7�� �Sheet9g��g��������D
����f2��蓘��������n�辮�
����d�������褚MbP?_��*�+����€�%�������������&�ffffff�?'�ffffff�?(��?)��?Mb�CutePDF Writer������S飥����
o�d��X���X���Letter����PRIV�0��'�'�'�'�����\K�hC�u琟m�������SMTJ��CutePDF WriterResolution600dpiPageSizeLetterPageRegionLeadingEdgeInputSlotOnlyOne�"�d����X�X�333333�?333333�?���&��<3U��}�mc��}���$ ���������������������������������������������������������
�@��������������������� �������
�����������������������
���������������������������������������������
�����€�
��€��
�L������€�
��€��
�L������€������
���������
�Y���� ��
Y�������
�Y����
��
�Y�������
�Y�������
�Y��*��h������
�
�
�
�
�
�
�P��餒�����8���0���(� ���
��8�>���@������������
�Sheet14g��g��������D
����f2��蓘�������鄏��
����d�������褚MbP?_��*�+����€�%��������������&��?'��?(��?)��?�"����������?�?���&���U��}��O�}����X�}����1N�}���m}N�}�����N�}���m�O�}����N�}����&P�}���I�N�}� I�Q�}�
禔N�}����N�}���$ N���
����,��������X�@�������X�@���������@�������,�€�T�����,�@�������,�@���������@����� ���@�����
�,�@���������@���
����� � � ���
�
�"��������������RSSS�����N�
����@��������
��M������U�
��K��
��M�����N�
����=��������
��M������N����N�
����>��������
��M������N����N�
�������������
��M������N��� N�
���?��� ����
�M���� �N���
N�
���*���
����
�V4���
�N����N�
���� ��������
��W!�����N��������0&:::::>���@W�����R���
������J �������� ������������������
���� 7��
�Sheet11g��g��������D
����f2��蓘�������爘���
����d�������褚MbP?_��*�+����€�%�������������&��?'��?(��?)��?M��EPSON WorkForce 610 Seriese 61��������泙����
o�d��h���h������ �EPSON WorkForce 610 Series������������������������€����@@Version Erro���R�L���h�h���$�h�h���x�****��x�****��d��2������"�d�����?�?���&���U��}���$
��}���m%��}������������������������������������������������������������������������������������ �������
�����������������������
�������������������������������������
_$�
�_%�
�_&�
�_'�����?b理鉆��
��`(�
��a)����b`a�����b`a�����b`a�����b`a�����cda�����b`a�����b`a��� �b`a���
�b`a�����b`a�����b`a���
�b`a�����b`a�����b`a�����b`a�����b`a��(��T�82����������������P��餒�����0���0���(� ���
��0�>����@������A
����������� ��� �� 7��
�Sheet12g��g��������D
This value indicates the number of saves or revisions. The application is responsible for updating this value after each revision.
DocumentLibraryFormDocumentLibraryFormDocumentLibraryForm
��������������#����鼡��������������������������������������虫���惭贰����������������������������������������������������������������������������������������������������������������������������������������������(�<��&�6
�����<����<������������������"�����`����������������������
�� �$���������X�%@�(��������������������������������������������%����H��������������������������������������������������€�������������������������������x儻lM��$*\Rffff*0x50212ff0��
"���€����€����€ ��������4�����P����X����x�������������������]��@]��`���A1 ,���A65536 *�%&��%�� *�%&��.(�_��(���' 2��0� (�%.��.$� $�����G $�!4�B@6�j€ $�����,o��P����H�����Attribute VB_Name = "Module1"
Sub DeleteRows()
�
Dim c As Rang�e�&SrchRn
g� ��Set ��.碅ctive@Sheet.�x(@"A1", ��65536").End(xlUp)��}o�`��]cW�aH.Fi,"'QLookIn:=x€lValues�<�3 If Not 罥s��hing€ Then c€5鑤ir乽.儂�4&€p While���
€O €�
rU€€€€�~|� ���������k__SRP_2��&�����vT__SRP_3��������������xgThisWorkbook����$����z��Sheet14������������rU€€€� �����������$��`�����������n�����������������鼡纫��#�����������������������������������x���ME������������������������������������������������������������������������������������������������������������������������������������������������(�������������������������������������������������������������������������������������������������������������������������������������������������SL�����S������S�����<���������N0{00020819-0000-0000-C000-000000000046}������8�€��������(�������������%����H����������������������������������������������������������������������������������������������������������x�����鞍Attribute VB_Name = "ThisWorkboo�k"
孊as���0{00020P819-�0��C�����$0046}�
|Global���Spac�扚al�se�dCreat�abl��Pred恊cla�Id��Tru
BExpo�se��TemplateDeriv���払ustomi�z�D�2�����������������鼡聤��#�����������������������������������x���ME������������������������������������������������������������������������������������������������������������������������������������������������(�SL�����S������S�����<���������N0{00020820-0000-0000-C000-000000000046}������8�€��������(�������������%����H�����������������������������������������������������������������������������������������������������������x�����┌Attribute VB_Name = "She€et14"
��Bas�x0{00€020820- ���C����$004�6}
|GlobaBl�芐pac�扚�alse�dCre atabl��Pr@edecla�I"d琓ru
BEx�pose��TemplateDer�iv�$払usto�miz�D�2�����������������鼡7���#�����������������������������������x���ME������������������������������������������������������������������������������������������������������������������������������������������������(�Sheet2���%�����������Sheet3������������Sheet7�����������Sheet5���� �������SL�����S������S�����<���������N0{00020820-0000-0000-C000-000000000046}������8�€��������(�������������%����H����������������������������������������������������������������������������������������������������������x�����òAttribute VB_Name = "She@et2"
鐱�as�t0{000�20820- ���C����$0046�}
|Global!�腟pac�扚a�lse�dCrea�tabl��Pre decla�Id�玊ru
BExp�ose��TemplateDeri�v�$払ustom�iz�D�2�����������������鼡軾��#�����������������������������������x���ME������������������������������������������������������������������������������������������������������������������������������������������������(�SL�����S������S�����<���������N0{00020820-0000-0000-C000-000000000046}������8�€��������(�������������%����H����������������������������������������������������������������������������������������������������������x�����òAttribute VB_Name = "She@et3"
鐱�as�t0{000�20820- ���C����$0046�}
|Global!�腟pac�扚a�lse�dCrea�tabl��Pre decla�Id�玊ru
BExp�ose��TemplateDeri�v�$払ustom�iz�D�2�����������������鼡懫��#�����������������������������������x���ME������������������������������������������������������������������������������������������������������������������������������������������������(�SL�����S������S�����<���������N0{00020820-0000-0000-C000-000000000046}������8�€��������(�������������%����H�����������������������������������������������������������������������������������������������������������x�����òAttribute VB_Name = "She@et7"
鐱�as�t0{000�20820- ���C����$0046�}
|Global!�腟pac�扚a�lse�dCrea�tabl��Pre decla�Id�玊ru
BExp�ose��TemplateDeri�v�$払ustom�iz�D�2�����������������鼡馵��#�����������������������������������x���ME������������������������������������������������������������������������������������������������������������������������������������������������(�SL�����S������S�����<���������N0{00020820-0000-0000-C000-000000000046}������8�€��������(�������������%����H�����������������������������������������������������������������������������������������������������������x�����òAttribute VB_Name = "She@et5"
鐱�as�t0{000�20820- ���C����$0046�}
|Global!�腟pac�扚a�lse�dCrea�tabl��Pre decla�Id�玊ru
BExp�ose��TemplateDeri�v�$払ustom�iz�D�2�����������������鼡����#�����������������������������������x���ME������������������������������������������������������������������������������������������������������������������������������������������������(�Sheet9���!�����������Sheet11���"�����������Sheet12���#�������Sheet4��������������
���SL�����S������S�����<���������N0{00020820-0000-0000-C000-000000000046}������8�€��������(�������������%����H�����������������������������������������������������������������������������������������������������������x�����òAttribute VB_Name = "She@et9"
鐱�as�t0{000�20820- ���C����$0046�}
|Global!�腟pac�扚a�lse�dCrea�tabl��Pre decla�Id�玊ru
BExp�ose��TemplateDeri�v�$払ustom�iz�D�2�����������������鼡卐��#�����������������������������������x���ME������������������������������������������������������������������������������������������������������������������������������������������������(�SL�����S������S�����<���������N0{00020820-0000-0000-C000-000000000046}������8�€��������(�������������%����H�����������������������������������������������������������������������������������������������������������x�����┌Attribute VB_Name = "She€et11"
��Bas�x0{00€020820- ���C����$004�6}
|GlobaBl�芐pac�扚�alse�dCre atabl��Pr@edecla�I"d琓ru
BEx�pose��TemplateDer�iv�$払usto�miz�D�2�����������������鼡(A��#�����������������������������������x���ME������������������������������������������������������������������������������������������������������������������������������������������������(����������������� ��������
�������������������������������������� �!�"�#�$�%�&�'�(�)����+�,�-�.�/�0�1�2�3�4�5�6�7�8�9����;�<�=�>�?�蔼�础�叠�颁�顿�贰�贵�骋�贬�滨����碍�尝�惭�狈�翱�笔�蚕�搁�厂�罢�鲍�痴�奥�齿�驰����摆�袄�闭�镑�冲�缚�补�产�肠�诲�别�蹿�驳����颈�箩�办�濒�尘�苍�辞�辫�辩�谤�蝉�迟�耻�惫�飞�虫�测�锄�调�触�皑�词��赌�厂尝�����厂������厂�����<���������N0{00020820-0000-0000-C000-000000000046}������8�€��������(�������������%����H�����������������������������������������������������������������������������������������������������������x�����┌Attribute VB_Name = "She€et12"
��Bas�x0{00€020820- ���C����$004�6}
|GlobaBl�芐pac�扚�alse�dCre atabl��Pr@edecla�I"d琓ru
BEx�pose��TemplateDer�iv�$払usto�miz�D�2�����������������鼡刺��#�����������������������������������x���ME������������������������������������������������������������������������������������������������������������������������������������������������(�SL�����S������S�����<���������N0{00020820-0000-0000-C000-000000000046}������8�€��������(�������������%����H�����������������������������������������������������������������������������������������������������������x�����òAttribute VB_Name = "She@et4"
鐱�as�t0{000�20820- ���C����$0046�}
|Global!�腟pac�扚a�lse�dCrea�tabl��Pre decla�Id�玊ru
BExp�ose��TemplateDeri�v�$払ustom�iz�D�2�����������������鼡����#�����������������������������������x���ME������������������������������������������������������������������������������������������������������������������������������������������������(�Sheet6������������������Sheet8��������������*���Sheet10��������������:���Sheet13���������������J���SL�����S������S�����<���������N0{00020820-0000-0000-C000-000000000046}������8�€��������(�������������%����H����������������������������������������������������������������������������������������������������������x�����òAttribute VB_Name = "She@et6"
鐱�as�t0{000�20820- ���C����$0046�}
|Global!�腟pac�扚a�lse�dCrea�tabl��Pre decla�Id�玊ru
BExp�ose��TemplateDeri�v�$払ustom�iz�D�2�����������������鼡4���#�����������������������������������x���ME������������������������������������������������������������������������������������������������������������������������������������������������(�SL�����S������S�����<���������N0{00020820-0000-0000-C000-000000000046}������8�€��������(�������������%����H����������������������������������������������������������������������������������������������������������x�����òAttribute VB_Name = "She@et8"
鐱�as�t0{000�20820- ���C����$0046�}
|Global!�腟pac�扚a�lse�dCrea�tabl��Pre decla�Id�玊ru
BExp�ose��TemplateDeri�v�$払ustom�iz�D�2�����������������鼡坪��#�����������������������������������x���ME������������������������������������������������������������������������������������������������������������������������������������������������(�SL�����S������S�����<���������N0{00020820-0000-0000-C000-000000000046}������8�€��������(�������������%����H�����������������������������������������������������������������������������������������������������������x�����┌Attribute VB_Name = "She€et10"
��Bas�x0{00€020820- ���C����$004�6}
|GlobaBl�芐pac�扚�alse�dCre atabl��Pr@edecla�I"d琓ru
BEx�pose��TemplateDer�iv�$払usto�miz�D�2�����������������鼡硤��#�����������������������������������x���ME������������������������������������������������������������������������������������������������������������������������������������������������(�SL�����S������S�����<���������N0{00020820-0000-0000-C000-000000000046}������8�€��������(�������������%����H�����������������������������������������������������������������������������������������������������������x�����┌Attribute VB_Name = "She€et13"
��Bas�x0{00€020820- ���C����$004�6}
|GlobaBl�芐pac�扚�alse�dCre atabl��Pr@edecla�I"d琓ru
BEx�pose��TemplateDer�iv�$払usto�miz�D�2�A硛���0*��� p��H���d���
�VBAProje坈t�4@��j��
=�
��r������ ��儻lM����J<�
��r€stdole>��stdo€le
h%�^�*\G{00€020430-����C
����0046}#2.0#0#C:\Windows\SysW OW64\�e2.tlb#OLE Automati�on`�僂OffDic凟Of€i�c侲�殌�丒2DF8D04C-5BFA-10€1B-BDE5€E訟A€C4€�2圗€�gram Files (x86)€\Common� \Microsoft Shared\OFFICE14\MSO.D楲L#��働 1€t� Ob伳 Lib皉aryN��傋_VBA_PROJECT��������������F�M�dir��������������Z�E�__SRP_0�������'����h�e�__SRP_1����������������z�������������������������������������������������
(���ysWOW64\stdole2.tlb#OLE Automation4�*\G{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}#2.5#0#�����鼡���€
Module01G���癲��1� �2����€�HB�1BrZ��B���,B��T�!B�+B��BsThisWorkb@ookG�@�TA纓isW€ rPkb��o���
��2���$%�q�$纫"B#�$ABS@heet14CBS�€#e€wt14烡B��CB��c�聤K�沉���2GB9��2€�MG�2N���7樵�3曂�3��3��3�
゛佪Y�
7�
7�
�7�
7�
"K懫�
�5�
5�
5�
5�
┾
馵�
9�
9�
�9�
9�
�
���
_鋟塒鍀1疶1罂���卐��繲��k�U��2��2����(嗀��r!脟�羜��Mm+4�
�
刺�
6誱96i96�
6�
�
T���
8�
8�
8晚
8�
�
4码
�/�0@����80_��U坪_��)� G�#AGW�PG��G_�P硤Y��抅���� �ThisWorkbook�0i50212揔*�������������������������rU�€€€�~�~�~�~�~�~o� ���?繿�*�2F��堵N篛�� � ����������� �)�����p����� �����
���������������
������������a��
������������A��
������������Y��
������������q��
���������������
���������������
���������������
���������������
���������������
���������������
���������������
������������1��
������������I��������������
VBAProject���Module1���ThisWorkbook���Sheet1���Sheet2���Sheet3���Sheet7���Sheet5���Sheet9���Sheet11���Sheet12���Sheet4���Sheet6���Sheet8���Sheet10���Sheet13���Sheet14������F�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������/C:\PROGRA~2\COMMON~1\MICROS~1\VBA\VBA7\VBE7.DLL���VBA
y������� �� �0������F
��:C:\Program ob体育s (x86)\Microsoft Office\Office14\EXCEL.EXE���Excel
q������� ���@��0���F���C:\Windows\SysWOW64\stdole2.tlb���stdole
�������!�i�P��L续-鶾��藉�D轗��EC:\Program ob体育s (x86)\Common ob体育s\Microsoft Shared\OFFICE14\MSO.DLL���Office
������������`��
DeleteRows�
���������鵲p彰茘N��U鳏t`>�rU€€€
������������ ���������������������������������������������������������tModule1Module1ThisWorkbookThisWorkbookSheet2Sheet2Sheet3Sheet3Sheet5Sheet5Sheet9Sheet9Sheet11Sheet11Sheet12Sheet12Sheet7Sheet7Sheet4Sheet4Sheet6Sheet6蘟��� � ��������*\G{000204EF-0000-0000-C000-000000000046}#4.1#9#C:\PROGRA~2\COMMON~1\MICROS~1\VBA\VBA7\VBE7.DLL#Visual Basic For Applications��*\G{00020813-0000-0000-C000-000000000046}#1.7#0#C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE#Microsoft Excel 14.0 Object Library�*\G{00020430-0000-0000-C000-000000000046}#2.0#0#C:\Windows\SysWOW64\stdole2.tlb#OLE Automation4�*\G{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}#2.5#0#C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSO.DLL#Microsoft Office 12.0 Object Library������������������������������������������儻lM����������������������������������������������
���鼡��Module1�0x50212ff0�����Module1������� �ThisWorkbook�0i50212fe8��9��ThisWorkbook��纫��%����Sheet14�0w50212fe8��U��Sheet14��聤h�%����Sheet2�0k50212fe8��=��Sheet2��7�H�%����Sheet3�0l50212fe8��?��Sheet3��軾`�%����Sheet7�0m50212fe8��A��Sheet7��懫x�%����Sheet5�0n50212fe8��C��Sheet5��馵��%����Sheet9�0o50212fe8��E��Sheet9������%����Sheet11�0p50212fe8��G��Sheet11��卐��%����Sheet12�0q50212fe8��I��Sheet12��(A��%����Sheet4�0r50212fe8��K��Sheet4��刺��%����Sheet6�0s50212fe8��M��Sheet6������%����Sheet8�0t50212fe8��O��Sheet8��4� �%����Sheet10�0u50212fe8��Q��Sheet10��坪8�%����Sheet13�0v50212fe8��S��Sheet13��硤P�%���0�����������������������������������������������������������������������������������������������������������������������������������������������������8�������������������������������������`�����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������x���������������������H����������������������������� ���������P�����������������h�������������������������j��A\F瞊烴G��������=鳳t跕葛��)艁^����������棷衔琌�����鵲p彰茘N��U鳏t`>�����|� �)岷G┚}��v0F�����椆]�.蟐M暛T���漗�����攀�7+揞A磒��庾�����q狻A萵萂����濡�=��垑c8慲淍�3�>诂昑�����W账鈜�+J梻钫�'���������CEH揘S疩�.�����傞>袄��霫愗缚<蒘/:�����@ゐ蠩�,E箉喿)s緳���(䦶w赴
M劻�68P栰�����,Zd#壑蒅冑乷Y寀$�����D菜�)�+L粆嘡��隋���������x�€,�)��<*��Excel€+���VBA麾���Win16羱���Win32����Win64x���Mac巢���VBA6�#���VBA7�#�
�VBAProject究��stdole揱��Office�u���Module1b�� _Evaluate���
�DeleteRows�����cZ���Range�����SrchRng裏��ActiveSheet%N��xlUp犵��Findn���LookIn襊��xlValueso�� EntireRow����Delete竫���ThisWorkbook|����Sheet1�����Sheet2�����Sheet3�����Sheet7�����Sheet5�����Sheet9�����Sheet11!P���Sheet12"P���Sheet4�����Sheet6�����Sheet8�����Sheet10 P���Sheet13#P���Sheet14$P���Workbookk�� �Worksheet窿�������������������������������9���������=���?���A���C���E�� G��
I� �K�
�M���O���Q�
�S���U��������������
���������������������������������������������������������PROJECTwm����������������a�PROJECT����(������E��SummaryInformation(���+������L��DocumentSummaryInformation8�����������������Sheet8Sheet8Sheet10Sheet10Sheet13Sheet13Sheet14Sheet14ID="{2DC36A00-D6CD-4163-8371-37987E0BC458}"
Module=Module1
Document=ThisWorkbook/&H00000000
Document=Sheet2/&H00000000
Document=Sheet3/&H00000000
Document=Sheet5/&H00000000
Document=Sheet9/&H00000000
Document=Sheet11/&H00000000
Document=Sheet12/&H00000000
Document=Sheet7/&H00000000
Document=Sheet4/&H00000000
Document=Sheet6/&H00000000
Document=Sheet8/&H00000000
Document=Sheet10/&H00000000
Document=Sheet13/&H00000000
Document=Sheet14/&H00000000
Name="VBAProject"
HelpContextID="0"
VersionCompatible32="393222000"
CMG="595BE71DEB1DEB1DEB1DEB"
DPB="4341FD15E616E616E6"
GC="2D2F930797F098F0980F"
[Host Extender Info]
&H00000001={3832D640-CF90-11CF-8E43-00A0C911005A};VBE;&H00000000
[Workspace]
Module1=22, 22, 649, 483, Z
ThisWorkbook=0, 0, 0, 0, C
Sheet1=0, 0, 0, 0, C
Sheet2=0, 0, 0, 0, C
Sheet3=0, 0, 0, 0, C
Sheet5=0, 0, 0, 0, C
Sheet9=0, 0, 0, 0, C
Sheet11=0, 0, 0, 0, C
Sheet12=0, 0, 0, 0, C
Sheet7=0, 0, 0, 0, C
Sheet4=0, 0, 0, 0, C
Sheet6=0, 0, 0, 0, C
Sheet8=0, 0, 0, 0, C
Sheet10=0, 0, 0, 0, C
Sheet13=0, 0, 0, 0, C
Sheet14=0, 0, 0, 0, C
�����鄥燆鵒h�珣�+'迟0�� �P�X����������
���������8Safeguard Computer Security Evaluation Matrix (SCSEM) ��� Internal Revenue Service (IRS)��Christian, Michele [USA]@>迳g枋�@€T睶軈��@€UO��~���������胀諟.��摋�+,D�胀諟.��摋�+,d� ���H�P�X�`�h�p
x����������������Cover�Purpose
Dashboard�General�Oracle 9i on Windows�Oracle 9i on Unix�Oracle 10g on Windows�Oracle 10g on Unix�SQL Server 2000�SQL Server 2005�DB2 v8.1.7�Out of Scope Controls�Sources�Legend�Change Log�Dashboard!Print_Area"'Oracle 9i on Windows'!Print_Area�Purpose!Print_Area�����Worksheets���
Named Ranges��|� P����������������0��P��p����_PID_HLINKS��_AdHocReviewCycleID��_NewReviewCycle��_EmailSubject�
_AuthorEmail��_AuthorEmailDisplayName��_ReviewingToolsShownOnce���A���kH�������mailto:First.M.Last@xx.xxx���kH������mailto:First.M.Last@xx.xxx����敺���� Manual Database SCSEM Update��Caruso_Michael@bah.com��Caruso, Michael C [USA]�����
���� ���F�Microsoft Excel 2003 Worksheet�Biff8�Excel.Sheet.8�9瞦�CompObj����������������k������������������������������������Root Entry����������� ���F�����~���|捥��nWorkbook���,
����E飥�_VBA_PROJECT_CUR"���������)P漬��~�� v薅�~��MsoDataStore����*�P漬��~���$倍�~������������������ �
�����
������������������������������"���0��� �!�#�+�$�%�&�'�(�)�*�,�5�-�.�/�1�`�2�3�4�6�>�7�8�9�:�;�<�=�@�a����A�B�D�����E�O�G�H�I�J�K�L�M�?�����P�Q�b�����������������������������������������������U�c�d������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������� �
�����
������������������������������������� �!�"�#�$�%�&�'�(�)�*�+�,�-�.�/�0�1�2�3�4�5�6�7�8�9�:�;�<�=�>�?�@�A�B�C�D�E�F�G�H�I�J�K�L�M�N�O�P�Q�R�S�T�U�V�W�X�Y�Z�[�\�]�^�_�`�a�b�c�d�e�f�g�h�i�j�k�l�m�n�p�����q�r�s�t�u�v�w�x�y�z�{�|�}�~��€���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������� �
�����
������������������������������������� �!�"�#�$�%�&�'�(�)�*�+�,�-�.�/�0�1�2�3�4�5�6�7�8�9�:�;�<�=�>�?�@�A�B�C�D�E�F�G�H�I�J�K�L�M�N�O�P�Q�R�S�T�U�V�W�X�Y�Z�[�\�]�^�_�`�a�b�c�d�e�f�g�h�j�����k�l�m�n�o�p�q�r�s�t�u�v�w�x�y�z�{�|�}�~��€���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������� �
�����
������������������������������������� �!�"�#�$�%�&�'�(�)�*�+�,�-�.�/�0�1�2�3�4�5�6�7�8�9�:�;�<�=�>�?�@�A�B�C�D�E�F�G�H�I�J�K�L�M�N�O�P�Q�R�S�T�U�V�W�X�Y�Z�[�\�]�^�_�`�a�b�c�d�e�f�h�����i�j�k�l�m�n�o�p�q�r�s�t�u�v�w�x�y�z�{�|�}�~��€������������������������������������������������������������������������������������������������������������������������������������������������DC�
��
������������������ !"#���%&'()*+,-./0123456789:���<�=>?蔼础叠�������贵骋贬滨闯碍尝惭狈翱笔蚕搁厂罢鲍痴奥齿驰窜摆袄闭镑冲缚补产肠诲蹿����驳丑颈箩办濒尘苍辞辫辩谤蝉迟耻惫飞虫测锄调触皑词赌�����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������笔搁翱闯贰颁罢飞尘����������������补�笔搁翱闯贰颁罢����(������贰��厂耻尘尘补谤测滨苍蹿辞谤尘补迟颈辞苍(���+������尝��顿辞肠耻尘别苍迟厂耻尘尘补谤测滨苍蹿辞谤尘补迟颈辞苍8���������������<��Christian, Michele [USA]@>迳g枋�@€T睶軈��@€UO��~���������胀諟.��摋�+,D�胀諟.��摋�+,d� ���H�P�X�`�h�p
x����������������Cover�Purpose
Dashboard�General�Oracle 9i on Windows�Oracle 9i on Unix�Oracle 10g on Windows�Oracle 10g on Unix�SQL Server 2000�SQL Server 2005�DB2 v8.1.7�Out of Scope Controls�Sources�Legend�Change Log�Dashboard!Print_Area"'Oracle 9i on Windows'!Print_Area�Purpose!Print_Area�����Worksheets���
Named Ranges�����(����������_PID_HLINKS��_AdHocReviewCycleID��_NewReviewCycle��_EmailSubject�
_AuthorEmail��_AuthorEmailDisplayName��_ReviewingToolsShownOnce���A���kH�������mailto:First.M.Last@xx.xxx���kH������mailto:First.M.Last@xx.xxx����xx.xxx����敺���� Manual Database SCSEM Update��Caruso_Michael@bah.com��Caruso, Michael C [USA]�����
���� ���F�Microsoft Excel 2003 Worksheet�Biff8�Excel.Sheet.8�9瞦