Belarc Advisor Security Benchmark Summary

Transcription

1 Page 1 of 5 The license associated with the Belarc Advisor product allows for free personal use only. Use on multiple computers in a corporate, educational, military or government installation is prohibited. See the license agreement for details. The information on this page was created locally on your computer by the Belarc Advisor. Your computer profile was not sent to a web server. About Belarc System Management Products Back to Profile Summary Click any setting at right for documentation. Security Benchmark Score Details Computer Name: rdpdata (in RDP) Chinquapin Data Server Profile Date: Wednesday, February 08, :27:59 PM Advisor Version: 8.2g Windows Logon: administrator Click here for Belarc's products, for large and small companies. Score: 3.96 of 10 (more on this score...) Benchmark: CIS Win2003 Domain Controller Legacy, Version 1.1 = Pass = Fail Service Packs and Hotfixes Current Service Pack Section Score: 1.25 of Latest Service Pack Critical and Security Hotfixes Section Score: 1.25 of Latest Critical and Security Hotfixes Account and Audit Policies Password Policies Section Score: 0.00 of Current Password Ages 2. Minimum Password Length Audit and Account Policies Section Score: 0.00 of Audit Account Logon Events 2. Audit Account Management 3. Audit Logon Events 4. Audit Object Access 5. Audit Policy Change 6. Audit System Events 7. Minimum Password Age 8. Maximum Password Age 9. Password Complexity 10. Store Passwords using Reversible Encryption 11. Password History Size 12. Account Lockout Duration 13. Account Lockout Threshold 14. Reset Account Lockout Count Time Event Log Policies Section Score: 0.83 of Application Event Log: Maximum Size 2. Application Event Log: Restrict Guest Access 3. Security Event Log: Maximum Size 4. Security Event Log: Restrict Guest Access Why are s important for IT? Many current threats are not stopped by perimeter systems such as firewall and anti-virus systems. Setting and monitoring configurations based on consensus s is a critical step because this is a pro-active way to avoid many successful attacks. The U.S. National Security Agency has found that configuring computers with proper settings blocks 90% of the existing threats ("Security Benchmarks: A Gold Standard." IA Newsletter, vol. 5 no. 3 Click here to view) To request a copy of our white paper, "Securing the Enterprise", click here. What is the USGCB Benchmark? The United States Configuration Baseline (USGCB) is a US OMB-mandated configuration for Windows 7 and Internet Explorer 8. Developed by DoD, with NIST

2 Page 2 of 5 5. System Event Log: Maximum Size 6. System Event Log: Restrict Guest Access Security Settings Security Options Section Score: 0.00 of Accounts: Guest Account Status 2. Accounts: Limit Local Account Use of Blank Passwords to Console Logon Only 3. Accounts: Rename Administrator Account 4. Accounts: Rename Guest Account 5. Devices: Allowed to Format and Eject Removable Media 6. Devices: Prevent users from Installing Device Drivers 7. Devices: Unsigned Driver Installation Behavior 8. Domain Controller: Allow Server Operators to Schedule Tasks 9. Domain Controller: Refuse Machine Account Password Changes 10. Domain Member: Digitally Encrypt Secure Channel Data (When Possible) 11. Domain Member: Digitally Sign Secure Channel Data (When Possible) 12. Domain Member: Disable Machine Account Password Changes 13. Domain Member: Maximum Machine Account Password Age 14. Interactive Logon: Do Not Display Last User Name 15. Interactive Logon: Do Not Require CTRL+ALT+DEL 16. Interactive Logon: Message Text for Users Attempting to Log On 17. Interactive Logon: Message Title for Users Attempting to Log On 18. Interactive Logon: Prompt User to Change Password Before Expiration 19. Interactive Logon: Smart Card Removal Behavior 20. Microsoft Network Client: Digitally Sign Communication (if server agrees) Microsoft Network Client: Send Unencrypted Password to Connect to Third-Party 21. SMB Server Microsoft Network Server: Amount of Idle Time Required Before Disconnecting 22. Session 23. Microsoft Network Server: Digitally Sign Communication (if client agrees) 24. Microsoft Network Server: Disconnect Clients When Logon Hours Expire 25. Network Access: Let Everyone Permissions Apply to Anonymous Users 26. Network Access: Named Pipes That Can Be Accessed Anonymously 27. Network Access: Remotely Accessible Registry Paths 28. Network Access: Remotely Accessible Registry Paths and sub-paths 29. Network Access: Restrict Anonymous Access to Named Pipes and Shares 30. Network Access: Shares That Can Be Accessed Anonymously 31. Network Access: Sharing and Security Model for Local Accounts 32. Network Security: LAN Manager Authentication Level 33. Network Security: LDAP Client Signing Requirements 34. Recovery Console: Allow Automatic Administrative Log On 35. Shutdown: Allow System to be Shut Down Without Having to Log On System Cryptography: Force Strong Key Protection for User Keys Stored on the 36. Computer System Objects: Default Owner for Objects Created by Members of the 37. Administrators Group 38. System Objects: Strengthen Default Permissions of Internal System Objects 39. System Settings: Optional Subsystems MSS: (AFD DynamicBacklogGrowthDelta) Number of Connections to Create When 40. Additional Connections are Necessary for Winsock Applications (10 recommended) MSS: (AFD EnableDynamicBacklog) Enable Dynamic Backlog for Winsock 41. Applications (recommended) MSS: (AFD MaximumDynamicBacklog) Maximum Number of 'quasi-free' 42. Connections for Winsock Applications MSS: (AFD MinimumDynamicBacklog) Minimum Number of Free Connections for 43. Winsock Applications (20 recommended for systems under attack, 10 otherwise) 44. MSS: (DisableIPSOurceRouting) IP Source Routing Protection Level assistance, the is the product of DoD consensus. Click here for details. What are FDCC Benchmarks? The Federal Desktop Core Configuration (FDCC) is a US OMB-mandated configuration for Windows Vista and XP. The Windows Vista FDCC is based on DoD the Microsoft Security Guides for both Windows Vista and Internet Explorer 7.0. Microsoft's Vista Security Guide was produced through a collaborative effort with DISA, NSA, and NIST, reflecting the consensus recommended settings from DISA, NSA, and NIST. The Windows XP FDCC is based on US Air Force the Specialized Security-Limited Functionality (SSLF) recommendations in NIST SP and DoD the recommendations in Microsoft's Security Guide for Internet Explorer 7.0. Click here for details. What are CIS Benchmarks? Center for Internet Security (CIS) s are developed by CIS members and staff and are consensus based, best-practice configurations for

3 Page 3 of 5 MSS: (EnableDeadGWDetect) Allow Automatic Detection of Dead Network 45. Gateways MSS: (EnableICMPRedirect) Allow ICMP Redirects to Override OSPF Generated 46. Routes MSS: (NoNameReleaseOnDemand) Allow the Computer to Ignore NetBIOS Name 47. Release Requests Except From WINS Servers MSS: (Perform Router Discovery) Allow IRDP to Detect and Configure Default 48. Gateway Addresses 49. MSS: (SynAttackProtect) Syn Attack Protection Level MSS: (TCPMaxConnectResponseRetransmissions) SYN - ACK Retransmissions 50. When a Connection Request is not Acknowledged MSS: (TCPMaxDataRetransmissions) How Many Times Unacknowledged Data is 51. Retransmitted (3 recommended, 5 is default) MSS: (TCPMaxPortsExhausted) How Many Dropped Connect Requests to Initiate 52. SYN Attack Protection (5 is recommended) 53. MSS: Disable Autorun for All Drives 54. MSS: Enable Safe DLL Search Mode 55. MSS: How Often Keep-alive Packets are Sent in Milliseconds 56. MSS: The time in seconds before the screen saver grace period expires Available Services and Other Requirements Available Services Section Score: 0.00 of Alerter Service Permissions 2. Client Service for Netware Permissions 3. Clipbook Service Permissions 4. FAX Service Permissions 5. File Replication Service Permissions 6. File Server for Macintosh Permissions 7. FTP Publishing Service Permissions 8. Help and Support Service Permissions 9. HTTP SSL Service Permissions 10. IIS Admin Service Permissions 11. Indexing Service Permissions 12. License Logging Service Permissions 13. Messenger Service Permissions 14. Microsoft POP3 Service Permissions 15. NetMeeting Remote Desktop Sharing Service Permissions 16. Network Connections Service Permissions 17. Network News Transport Protocol Service Permissions 18. Print Server for Macintosh Permissions 19. Remote Access Auto Connection Manager Service Permissions 20. Remote Access Connection Manager Service Permissions 21. Remote Administration Service Permissions 22. Remote Desktop Help Session Manager Permissions 23. Remote Installation Service Permissions 24. Remote Procedure Call (RPC) Locator Service Permissions 25. Remote Server Manager Service Permissions 26. Remote Server Monitor Service Permissions 27. Remote Storage Notification Service Permissions 28. Remote Storage Server Permissions 29. SMTP Service Permissions 30. SNMP Service Permissions 31. SNMP Trap Permissions 32. Telephony Service Permissions 33. Telnet Service Permissions 34. Trivial FTP Daemon Permissions 35. Wireless Configuration Service Permissions computers connected to the Internet. The CIS is an open association consisting of industry, government and academic members. Its mission is to help IT organizations more effectively manage their risks related to information. Click here for details. What is the Security Benchmark Score? The Belarc Advisor has audited the of your computer using a appropriate to your operating system. The result is a number between zero and ten that gives a measure of the vulnerability of your system to potential threats. The higher the number the less vulnerable your system. How can you reduce your vulnerability? The local group policy editor (accessed by running the gpedit.msc command) can be used to configure settings for your computer. Windows home editions don't include that editor, but most settings can also be made with registry entries instead. Warning: Applying these settings may cause some applications to stop working correctly. Back up your system prior to applying

4 Page 4 of World Wide Web Publishing Services Permissions User Rights Section Score: 0.00 of Act as Part of the Operating System 2. Allow Logon Locally 3. Allow Logon through Terminal Services 4. Change the System Time 5. Create a Token Object 6. Create Permanent Shared Objects 7. Debug Programs 8. Enable Computer and User Accounts to be Trusted for Delegation 9. Impersonate a Client after Authentication 10. Load and Unload Device Drivers 11. Log on as a Batch Job 12. Replace a Process Level Token 13. Synchronize Directory Service Data 14. Take Ownership of File or Other Objects Other System Requirements Section Score: 0.63 of All Local Volumes NTFS 2. Restricted Group: Remote Desktop Users these templates or apply the templates on a test system first. For domain member computers, the configurations are available from the creator's web site as Microsoft Group Policy Object files that can be used with Active Directory. Follow the links above to the web site of your Benchmark's creator. File and Registry Permissions Section Score: 0.00 of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer 2. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies 3. HKLM\System\CurrentControlSet\Enum 4. HKLM\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers 5. HKLM\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities 6. USERS\.DEFAULT\Software\Microsoft\SystemCertificates\Root\ProtectedRoots HKLM\SOFTWARE\Microsoft\Windows 7. NT\CurrentVersion\SeCEdit 8. %SystemRoot%\system32\tftp.exe 9. %SystemRoot%\system32\telnet.exe 10. %SystemRoot%\system32\tlntsvr.exe 11. %SystemRoot%\system32\subst.exe 12. %SystemRoot%\system32\sc.exe 13. %SystemRoot%\system32\runas.exe 14. %SystemRoot%\system32\rsh.exe 15. %SystemRoot%\system32\rexec.exe 16. %SystemRoot%\system32\regsvr32.exe 17. %SystemRoot%\system32\regedt32.exe 18. %SystemRoot%\regedit.exe 19. %SystemRoot%\system32\reg.exe 20. %SystemRoot%\system32\rcp.exe 21. %SystemRoot%\system32\netsh.exe 22. %SystemRoot%\system32\net1.exe 23. %SystemRoot%\system32\net.exe 24. %SystemRoot%\system32\ftp.exe 25. %SystemRoot%\system32\eventtriggers.exe 26. %SystemRoot%\system32\eventcreate.exe 27. %SystemRoot%\system32\edlin.exe 28. %SystemRoot%\system32\drwtsn32.exe 29. %SystemRoot%\system32\drwatson.exe 30. %SystemRoot%\system32\debug.exe

5 Page 5 of %SystemRoot%\system32\cacls.exe 32. %SystemRoot%\system32\attrib.exe 33. %SystemRoot%\system32\at.exe Copyright , Belarc, Inc. All rights reserved. Legal notice. U.S. Patents , and Patents pending.