TESTBED. SekChek for Windows Security Report. System: PUFFADDER (Snake.com) 10 November SekChek IPS

Transcription

1 TESTBED SekChek for Windows Security Report 10 November 2013 SekChek IPS

2 Declaration The provided observations and recommendations are in response to a benchmarking analysis that compares the client s information security features against industry. The recommendations are organised to identify possible implications to the company based on the gathered information, to identify an industry average rating of the controls and provide possible recommended actions. The benchmarking analysis and the related observations and recommendations should supplement management s analysis but should not be and cannot be solely relied upon in any instance to identify and/or remediate information security deficiencies. Further, the observations and recommendations herein do not identify the cause of a possible deficiency or the cause of any previously unidentified deficiencies. The causes of the deficiencies must be determined and addressed by management for the recommendations selected to be relevant SekChek IPS. All rights reserved. SekChek is a registered trademark of SekChek IPS. All other trademarks are the property of their respective owners.

3 Contents SekChek Options 5 System Details 6 System Configuration 7 1. Report Summary Comparisons Against Industry Average and Leading Practice Answers to Common Questions Summary of Changes since the Previous Analysis Domain Structure Domain Accounts Policy Domain Controller Policy Settings (Local Policy) Audit Policy Settings Event log Settings Security Option Settings Group Policy Objects Description and Properties for Group Policy Objects Summary of GPOs defined on the system Summary of GPOs and their Links to OUs Summary of OUs and their Links to GPOs GPOs Defined and their Details GPO Version Discrepancies Password Setting Objects (PSOs) Customer-Selected Registry Key Values User Accounts Defined In The Domain Groups Defined In the Domain Domain Local Groups and their Members Domain Global Groups and their Members Domain Universal Groups and their Members Last Logons, 30 Days and Older Passwords, 30 Days and Older Passwords that Never Expire Accounts not Requiring a Password Invalid Logon Attempts Greater than Users not Allowed to Change Passwords Accounts with Expiry Date Disabled Accounts Locked Out Accounts Accounts Whose Passwords Must Change at Next Logon Accounts Created in the Last 90 Days 90

4 24. Rights and Privileges Descriptions & General Recommendations for Rights Rights Assigned to Local Groups Rights Assigned to Universal Groups (Native mode only) Rights Assigned to Global Groups Rights Assigned to Users Rights Assigned to Well-Known Objects Rights Assigned to External Objects Discretionary Access Controls (DACL) for Containers Trusted and Trusting Domains Servers and Workstations Domain Controllers in the Domain Accounts Allowed to Dial In through RAS Services and Drivers on the Machine Server Roles and Features Task Scheduler Security Updates, Patches and Hot-Fixes Products Installed Current Network Connections Logical Drives Network Shares Home Directories, Logon Scripts and Profiles File Permissions and Auditing 152

5 SekChek Options Reference Number Requester Internal Audit Telephone Number +44 (20) City London Client Country UK Charge Code Snake - Windows Client Code SEK001 Client Industry Type Manufacturing Host Country Belize Security Standards Template 0 - SekChek Default Evaluate Against Industry Type Manufacturing Compare Against Previous Analysis Not Selected Scan All DCs for Last Logon Times Yes (scanned 2 of 2 DCs) Report Format Word 2007 Paper Size A4 (21 x 29.7 cms) Spelling English UK Large Report Format MS-Excel spreadsheet Large Report (Max Lines in Word Tables) 1500 Summary Document Requested Yes Scan Software Version Used Version Scan Software Release Date 08-Nov-2013 Your SekChek report was produced using the above options and parameters. You can change these settings for all files you send to us for processing via the Options menu in the SekChek Client software on your PC. You can also tailor them (i.e. temporarily override your default options) for a specific file via the Enter Client Details screen. This screen is displayed: For SekChek for NetWare and Windows - during the Scan process on the target Host system; For SekChek for AS/400 and UNIX - during the file encryption process in the SekChek Client software. Produced by SekChek for Windows V , 10-Nov-2013 (Ref ) Page 5 of 154

6 System Details Domain Name Snake.com (SNAKE) Domain Sid *S Forest Snake.com DC Functionality Windows Server 2008 R2 Mode Domain Functionality** Windows Server 2003 Domain Mode Forest Functionality** Windows 2000 Forest Mode Computer Domain Controllers/PUFFADDER Site Name Default-First-Site-Name Windows Version 6.1 (Windows 2008 R2) Build / Service Pack 7601/Service Pack 1 System Locale Id 2052 (x804) Scan Time 08-Nov :47 Scanned By Users/ Administrator Report Date: 10 November, 2013 ** Functional Levels (available from SekChek V5.0.4 / Windows Server 2003) DC Functionality: The functional level of the Domain Controller (DC) Domain Functionality: The functional level of the domain Forest Functionality: The functional level of the forest General Note In Active Directory domains, objects, such as user accounts belong to a container object (e.g. an Organizational Unit in a domain or the domain object itself). In this report the path of objects are usually listed. The format of the path is, for example, Orgunit x/orgunit y. The / character separates the containers in the path. Paths are listed from the highest level down. A path can contain a domain name as the first container, for example, abc.xyz.com as a domain name. When the domain name is listed in the path, it means that the containers and object in that path belong to a domain other than the one being analysed. If a path is not listed for an object, it means that the object was defined at the domain level container and not in any container object of the domain.. Produced by SekChek for Windows V , 10-Nov-2013 (Ref ) Page 6 of 154

7 System Configuration Operating System OS Name Microsoft Windows Server 2008 R2 Enterprise OS Version, Build OS Architecture 64-bit OS Locale Id x0804 OS Serial Number OS Installed Last BootUp Country Code 86 Time Zone GMT +02:00 Boot Device \Device\HarddiskVolume1 System Drive C: Windows Directory C:\Windows System Directory C:\Windows\system32 PAE Enabled No Visible Memory GB Free Memory GB Encryption Level 256 bits OS Language English - United States OS Stock Keeping Unit Name Enterprise Server Edition Maximum Number of Processes Unknown Number of Licensed Users Unlimited Number of Current Users 3 Registered User Windows User Data Execution Prevention (DEP)... DEP Available Yes DEP Enabled for 32-bit Appls Yes DEP Enabled for Drivers Yes DEP Policy Opt Out System Recovery Options Write an event to the system log Send an administrative alert Automatically restart Write debugging information Dump file Overwrite any existing file Yes No Yes Kernel memory dump %SystemRoot%\MEMORY.DMP Yes BIOS Manufacturer American Megatrends Inc. BIOS Version 2.3 Release Date Produced by SekChek for Windows V , 10-Nov-2013 (Ref ) Page 7 of 154

8 Base Board (Motherboard) Manufacturer Microsoft Corporation Product Virtual Machine Serial Number Version 7.0 Page Files Number of Page Files 1 Name of Page File #1 C:\pagefile.sys Temporary Page File No Create Date Allocated Size GB Current Usage GB Peak Usage GB Computer Manufacturer Microsoft Corporation Model Virtual Machine System Type x64-based PC Remote Desktop Enabled Unknown Nbr of Processors 1 Total Memory GB System Registry Size Current = MB; Max allowed = 2,048.0 MB Screen Resolution 1680 x 1050 pixels BootUp State Normal boot Wake-up Type Power Switch Boot ROM Supported Yes Infrared (IR) Supported No Power Management Supported No Computer Role Primary Domain Controller Computer Name PUFFADDER Computer Sid *S Domain Name (short) SNAKE Domain Name (DNS) Snake.com Processors Number of Processors 1 Processor #1... Manufacturer AuthenticAMD Name AMD Opteron(tm) Processor 6172 Family AMD Opteron 6172 Description AMD64 Family 16 Model 9 Stepping 1 Processor Id 1F8BFBFF000106A5 Clock Speed 3,108 MHz External Clock Speed 200 MHz Address Width 64 bits Data Width 64 bits Produced by SekChek for Windows V , 10-Nov-2013 (Ref ) Page 8 of 154

9 Level 2 Cache Size 512 KB Level 2 Cache Speed Unknown MHz Number of Cores 1 Nbr of Logical Processors 1 Chip Socket None Availability Running/Full Power Network Adapters (IP enabled) Connection Id Local Area Connection Connection Status Connected Name Microsoft Hyper-V Network Adapter #2 Service Name netvsc Manufacturer Microsoft Adapter Type Ethernet Speed (Mbs) 10,000 Mbs Last Reset :13:38 IP Enabled Yes IP Address IP Subnet Default Gateway MAC Address 00:15:5D:64:2F:1A DHCP Enabled No DHCP Lease Expires DHCP Lease Obtained DHCP Server DNS Search Order , Windows Firewall Domain Profile Firewall State Inbound Connections Outbound Connections Display Notifications Allow Unicast Response Private Profile Firewall State Inbound Connections Outbound Connections Display Notifications Allow Unicast Response Public Profile Firewall State Inbound Connections Outbound Connections Display Notifications Allow Unicast Response On (recommended) Block, allow exceptions (default) Allow (default) No Yes (default) On (recommended) Block, allow exceptions (default) Allow (default) No Yes (default) On (recommended) Block, allow exceptions (default) Allow (default) No Yes (default) Produced by SekChek for Windows V , 10-Nov-2013 (Ref ) Page 9 of 154

10 Region & Language Options Current Format English (South Africa) Time Format 08:46:32 Short Date 08-Nov-2013 Long Date 08 November 2013 Short Date Format dd-mmm-yyyy Long Date Format dd MMMM yyyy Currency Symbol R Currency (International) ZAR System Locale English (South Africa) Screen Saver Policy Scan Account Screen Saver Enabled Screen Saver Timeout Screen Saver Secure Users/ Administrator Yes 600 seconds Yes User Access Control (UAC) UAC Enabled Yes Produced by SekChek for Windows V , 10-Nov-2013 (Ref ) Page 10 of 154

11 1. Report Summary The following two charts illustrate the diversity of regions and industries that make up the population of systems running Active Directory in our statistics database. The remaining graphs in the Report Summary section evaluate security on your system against this broad base of real-life security averages. SekChek is used by the Big Four audit firms, IS professionals, internal auditors, security consultants & general management in more than 130 countries. Statistics Population by Region As new reviews are processed, summaries of the results (excluding client identification) are automatically added to a unique statistics database containing more than 70,000 assessments. Statistics Population by Industry Type Produced by SekChek for Windows V , 10-Nov-2013 (Ref ) Page 11 of 154

12 1.1 Comparisons Against Industry Average and Leading Practice Summary of Domain Accounts Policy Values This graph compares the Domain Accounts Policy values against the industry average using the following criteria: Country = <All>; Industry Type = Manufacturing; Machine Size (Nbr of Accounts) = <All> This and the following summary reports are of most value when they are used to compare snapshots of your security measures at different points in time. Used in this way, they provide a fairly clear picture of whether your security measures are improving or becoming weaker. Industry Average is a dynamic, calculated average for all Active Directory domains analysed by SekChek using the above criteria. It indicates how your security measures compare with those of other organisations using Microsoft Windows systems. Leading Practice is the standard adopted by the top 10 to 20 percent of organisations. Asterisks (*) after Policy Values indicate their relative importance and individual contribution towards security of your system. I.e. Policy Values followed by 3 asterisks (***) are considered more important, and to have a greater impact on security than those followed by 1 asterisk (*). This is an approximation and should be used as a guide only. For more information and details, see the report sections Domain Accounts Policy. Produced by SekChek for Windows V , 10-Nov-2013 (Ref ) Page 12 of 154

13 Comparisons Against Industry Average and Leading Practice (continued) Summary of Domain User Accounts This graph compares against the industry average using the following criteria: Country = <All>; Industry Type = Manufacturing; Machine Size (Nbr of Accounts) = Very Small Above the industry average; About average; Below average Total number of user accounts defined to your domain: 16 This summary report presents the number of user accounts, with the listed characteristics, as a percentage of the total number of accounts defined to your domain. In general, longer bars highlight potential weaknesses in your security measures and should be investigated. For more details, refer to the relevant sections in the main body of the report. The graph is sorted in order of importance. This is an approximation and should be used as a guide only. Produced by SekChek for Windows V , 10-Nov-2013 (Ref ) Page 13 of 154

14 Comparisons Against Industry Average and Leading Practice (continued) Summary of Effective Rights for the Domain Controller This graph compares against the industry average using the following criteria: Country = <All>; Industry Type = Manufacturing; Machine Size (Nbr of Accounts) = Very Small Above the industry average; About average; Below average This summary report presents the number of user accounts, with the listed rights, as a percentage of the total number of accounts defined to the domain controller. These rights are applied via the Local Policy of the domain controller being analysed. Other domain controllers may have different rights defined. For more details of rights assigned, refer to the Rights Assigned to Users sections in the main body of the report. The graph is sorted in alphabetical sequence. Produced by SekChek for Windows V , 10-Nov-2013 (Ref ) Page 14 of 154

15 Comparisons Against Industry Average and Leading Practice (continued) Summary of Domain User Accounts (excluding disabled accounts) This graph compares against the industry average using the following criteria: Country = <All>; Industry Type = Manufacturing; Machine Size (Nbr of Accounts) = Very Small Above the industry average; About average; Below average Total number of user accounts defined to your system: 16 This summary report presents the number of enabled accounts (i.e. excluding accounts with a status of disabled or accounts that are locked) with the listed characteristics, as a percentage of the total number of accounts defined to your system. In general, longer bars highlight potential weaknesses in your security measures and should be investigated. For more details, refer to the relevant sections in the main body of the report. The graph is sorted in order of importance. This is an approximation and should be used as a guide only. Produced by SekChek for Windows V , 10-Nov-2013 (Ref ) Page 15 of 154

16 Comparisons Against Industry Average and Leading Practice (continued) Summary of Effective Rights for the Domain Controller (excl. disabled accounts) This graph compares against the industry average using the following criteria: Country = <All>; Industry Type = Manufacturing; Machine Size (Nbr of Accounts) = Very Small Above the industry average; About average; Below average This summary report presents the number of enabled accounts (i.e. excluding accounts with a status of disabled or accounts that are locked) with the listed rights, as a percentage of the total number of accounts defined to your system. For more details, refer to the Rights Assigned to Users sections in the main body of the report. The graph is sorted in alphabetical sequence. Produced by SekChek for Windows V , 10-Nov-2013 (Ref ) Page 16 of 154

17 Comparisons Against Industry Average and Leading Practice (continued) Summary of Domain Administrator Accounts This graph compares against the industry average using the following criteria: Country = <All>; Industry Type = Manufacturing; Machine Size (Nbr of Accounts) = Very Small Above the industry average; About average; Below average Total number of user accounts with administrative privileges defined to your domain: 2 This summary report presents the number of administrator accounts (i.e. accounts that have administrative privileges), with the listed characteristics, as a percentage of the total number of administrator accounts defined to your domain. In general, longer bars highlight potential weaknesses in your security measures and should be investigated. For more details, refer to the relevant sections in the main body of the report. The graph is sorted in order of importance. This is an approximation and should be used as a guide only. Produced by SekChek for Windows V , 10-Nov-2013 (Ref ) Page 17 of 154

18 Comparisons Against Industry Average and Leading Practice (continued) Summary of Domain Administrator Accounts (excluding disabled accounts) This graph compares against the industry average using the following criteria: Country = <All>; Industry Type = Manufacturing; Machine Size (Nbr of Accounts) = Very Small Above the industry average; About average; Below average Total number of user accounts with administrative privileges defined to your system: 2 This summary report presents the number of enabled administrator accounts (i.e. accounts that have administrative privileges, excluding those accounts with a status of disabled or accounts that are locked) with the listed characteristics, as a percentage of the total number of administrator accounts defined to your system. In general, longer bars highlight potential weaknesses in your security measures and should be investigated. For more details, refer to the relevant sections in the main body of the report. The graph is sorted in order of importance. This is an approximation and should be used as a guide only. Produced by SekChek for Windows V , 10-Nov-2013 (Ref ) Page 18 of 154

19 1.2 Answers to Common Questions The following charts are intended to provide quick answers to the most common questions regarding security of a system. The diagrams highlight the relative numbers of objects with the listed attributes. The total population used to plot each chart is included in brackets () after each chart title. Each section includes a link to more detailed information contained in other sections of this report. When were the user accounts created? The charts show when user accounts were created on your system. Grouped by all accounts and accounts with Administrative privileges. Includes active and disabled accounts. More information: Accounts Created in the Last 90 Days When were the group and computer accounts created? The chart shows when the group and computer accounts were created on your system. More information: Accounts Created in the Last 90 Days Produced by SekChek for Windows V , 10-Nov-2013 (Ref ) Page 19 of 154

20 What is the status of user accounts? The charts analyse user accounts by their status: active or disabled. An account may be disabled because: its status has been set to disabled; the account has expired; or the account was locked by the system due to excessive password guessing attempts. Note that an account may be both locked and expired, or disabled and expired. 5 out of 16 accounts are disabled on this system. More information: Disabled Accounts, Locked Accounts, Accounts with Expiry Date How active are user accounts? The charts indicate when accounts were last used to logon to the system. Grouped by all accounts and accounts with Administrative privileges. Excludes disabled accounts. SekChek queried 2 out of 2 domain controllers to obtain the information. More information: Last Logons, 30 Days and Older How frequently do users change their passwords? The charts show when user login passwords were last changed. Next Logon means that the password must be changed the next time the account is used to logon to the domain. Grouped by all accounts and accounts with Administrative privileges. Excludes disabled accounts. More information: Passwords, 30 Days and Older, Password Must Change at Next Logon Produced by SekChek for Windows V , 10-Nov-2013 (Ref ) Page 20 of 154

21 Are users forced to change their passwords? The charts show the percentage of accounts with a password that is not required to be changed. Grouped by all accounts and accounts with Administratrative privileges. Excludes disabled accounts. More information: Passwords that Never Expire Are users allowed to change their passwords? The charts show the percentage of accounts that are not allowed to change their passwords. Grouped by all accounts and accounts with Administrative privileges. Excludes disabled accounts. More information: User Accounts not Allowed to Change Password Are users allowed to login without a password? The charts show the percentage of accounts that may have their passwords set to zero length (blank) by an administrative account. Grouped by all accounts and accounts with Administrative privileges. Excludes disabled accounts. More information: Accounts not Requiring a Password Produced by SekChek for Windows V , 10-Nov-2013 (Ref ) Page 21 of 154

22 What privileges are assigned to user accounts? The chart shows the percentage of user accounts with Administrative, User and Guest privileges. These privileges are determined by group memberships. Excludes disabled accounts. More information: User Accounts Defined In The Domain What are the types of group accounts? The chart analyses security groups by group type. Excludes Distribution groups. More information: Groups Defined In the Domain What are the service types and their start types? These charts summarise the types of services and drivers installed on the system and their start types. The charts include running and stopped services. More information: Services and Drivers Produced by SekChek for Windows V , 10-Nov-2013 (Ref ) Page 22 of 154

23 1.3 Summary of Changes since the Previous Analysis Need to quickly highlight changes in security controls since your previous review? SekChek s latest time-comparison graphs are just the solution! Note: The above graph is provided for illustrative purposes only. A collection of easy-to-read reports in a very familiar format provides you with visual indicators of: Whether security has improved, weakened, or remained about the same since your previous analysis The effectiveness of your measures to strengthen controls Whether risk is increasing or decreasing The degree of change, both positive and negative The applications are endless. Some of the practical benefits are: Time savings. Reduced time spent poring over volumes of unconnected information Objectivity. The results are guaranteed to be the same regardless of who performs the review Compliance with legislation. Easier monitoring for compliance with statutory requirements imposed by SOX, HIPAA and other legislative changes relating to corporate governance More powerful justifications. The ability to present more convincing arguments to senior, non-technical management who do not have the time, or the inclination, to understand masses of technical detail Interested? Contact us at inbox@sekchek.com to find out how to get started! Produced by SekChek for Windows V , 10-Nov-2013 (Ref ) Page 23 of 154

24 2. Domain Structure This report section lists the Container objects in the domain. It summarises the Directory structure for your domain and may help you to understand the overall structure of the domain s Directory structure, especially where it is large or complex. Section Detail Object Name Object Type Snake.com domaindns --- Amazon organizationalunit --- Builtin builtindomain --- Computers container --- Domain Controllers organizationalunit --- ForeignSecurityPrincipals container --- Managed Service Accounts container --- Program Data container Microsoft container --- System container AdminSDHolder container ComPartitions container ComPartitionSets container DomainUpdates container ActiveDirectoryUpdate container Operations container b7fb c2e-94b10f67d1bf container e660ea3-8a5e ad7-ca1bd4638f9e container b3ad2a fa7-90fc-6377cbdc1b26 container d15cf0-e6c8-11d c04f container fb90b-c92a-40c bacfc313a3e3 container c60a-fe15-4d7a-a61e-dffd5df864d3 container f0798-ea5c f5d-45f33a30703b container c66f-b332-4a73-9a20-2d6a7d6e6a1c container c f57-4e2a-9b c9e71961 container e4f4182-ac5d-4378-b760-0eab2de593e2 container f24ea-cfd5-4c e170bcb912 container aaabc3a-c416-4b9c-a6bb-4b453ab1c1f0 container c93ad42-178a d28f3aa container dfbb973-8a a90c-776e00f83222 container cba88b-99cf-4e16-bef2-c427b38d0767 container d75-bef7-43e1-938b-2e749f5a8d56 container c82b233-75fc-41b3-ac71-c69592e6bf15 container e1574f6-55df-493e-a671-aaeffca6a100 container b34cb0-55ee-4be9-b b92b017 container ada9ff7-c9df-45c1-908e-9fef2fab008a container Produced by SekChek for Windows V , 10-Nov-2013 (Ref ) Page 24 of 154

25 Object Name Object Type bcd d6-977b-00c04f container bcd d6-977b-00c04f container bcd567a d6-977b-00c04f container bcd567b d6-977b-00c04f container bcd567c d6-977b-00c04f container bcd567d d6-977b-00c04f container bcd567e d6-977b-00c04f container bcd567f d6-977b-00c04f container bcd d6-977b-00c04f container bcd d6-977b-00c04f container bcd d6-977b-00c04f container bcd d6-977b-00c04f container bcd d6-977b-00c04f container bcd d6-977b-00c04f container bcd d6-977b-00c04f container bcd d6-977b-00c04f container bcd d6-977b-00c04f container bcd d6-977b-00c04f container bcd568a d6-977b-00c04f container bcd568b d6-977b-00c04f container bcd568c d6-977b-00c04f container bcd568d d6-977b-00c04f container E157EDF-4E A82A-EC3F91021A22 container ff880d6-11e7-4ed1-a20f-aac45da48650 container d cb3-a438-b6fc9ec35d70 container d4c8-ac41-4e05-b e8e9f1 container cfb016c-4f bd9df943947f container ffef b-440a-8d58-35e8cd6e98c3 container ba0-7e4c-4a44-89d9-d46c9612bf91 container C3D BF38-79E4AC33DFA0 container c36ed c62-a18b-cf6ff container ca a4-4bd4-806f-ebed6acb5d0c container ddf6913-1c7b-4c59-a5af-b9ca3b3d2c4c container c d6e-b19d-c16cd container de1d3e b-8b4e-f4337f1ded0b container cac1f ad-a472-2a e4 container a1789bfb-e0a cc0-e77d892d080a container a3dac986-80e7-4e59-a059-54cb1ab43cb9 container a86fe12a-0f62-4e2a-b271-d27f601f8182 container ab d3c3-455d-9ff a1099b6 container aed72870-bf ac c8207f1 container b96ed a-4172-aa0c f125 container bab5f54d-06c8-48de-9b87-d78b796564e4 container Produced by SekChek for Windows V , 10-Nov-2013 (Ref ) Page 25 of 154

26 Object Name Object Type c4f17608-e611-11d c04f container c88227bc-fcca-4b58-8d8a-cd3d64528a02 container d262aae8-41f7-48ed-9f35-56bbb677573d container d85c0bfd-094f-4cad-a2b5-82ac d container dda1d01d-4bd7-4c49-a184-46f9241b560e container de10d f-4fb0-9abb-4b7865c0fe80 container f3dd09dd-25e8-4f9c-85df-12d6d2f2f2f5 container f58300d1-b71a-4db6-88a1-a8b9538beaca container f607fd87-80cf-45e2-890b-6cf97ec0e284 container f7ed4553-d82b-49ef-a839-2f38a36bb069 container Windows2003Update container IP Security container Meetings container MicrosoftDNS container Policies container {31B2F D-11D2-945F-00C04FB984F9} grouppolicycontainer Machine container User container {4AFDCFC6-BAED-4E1D-A3F8-6D5DC846945A} grouppolicycontainer Machine container User container {5471F07B-E3BF-47E6-A2DF-40E D} grouppolicycontainer Machine container User container {6AC1786C-016F-11D2-945F-00C04fB984F9} grouppolicycontainer Machine container User container {F754BFE4-52E2-45B D5C65E8700} grouppolicycontainer Machine container User container {F9BA3B20-1DDA-41D1-B91A-77D94D6EAB7F} grouppolicycontainer Machine container User container RAS and IAS Servers Access Check container WinsockServices container WMIPolicy container PolicyTemplate container PolicyType container SOM container WMIGPO container --- TEST GPO PC organizationalunit --- Users container Produced by SekChek for Windows V , 10-Nov-2013 (Ref ) Page 26 of 154

27 Domain In Active Directory a domain is a collection of computers defined by the administrator of a Windows 200x* Server network that shares a common directory database. A domain provides access to the centralized user accounts and group accounts maintained by the domain administrator. Each domain defines both an administrative boundary and a security boundary for a collection of objects that are relevant to a specific group of users on a network. A domain is an administrative boundary because administrative privileges do not extend to other domains. It is a security boundary because each domain has a security policy that extends to all accounts within the domain. Domains can be organised into parent-child relationships to form a hierarchy, which is called a domain tree. The domains that are part of a domain tree implicitly trust each other. Multiple domain trees can be connected together into a forest. All trees in a given forest trust each other via transitive hierarchical trust relationships. Organizational Unit An Organizational Unit (OU) is a general-purpose container that can hold objects and other OUs to create a hierarchy within a domain. OUs can form logical administrative units for users, groups, and resource objects, such as printers, computers, applications, and file shares. In large domains, various administrative tasks (such as access rights specification) can be delegated to an administrator for a specific OU, thereby freeing domain administrators from having to support such changes by proxy. Container A Container is used for grouping different objects together. Group Policy Container A Group Policy Container contains Group Policy objects. Active Directory Objects Active Directory objects are either container objects (e.g. OUs and Containers) or leaf objects. A container object stores other objects, and, as such, occupies a specific level in a tree or sub tree hierarchy. A leaf object does not contain other objects. Produced by SekChek for Windows V , 10-Nov-2013 (Ref ) Page 27 of 154

28 3. Domain Accounts Policy This report lists the effective Domain Account Policies defined for your system and compares them with Leading Practice. Policy Policy Value Leading Practice Minimum Password Length 7 8 or greater Effective Minimum Password Length 7 8 or greater Maximum Password Age in Days to 60 Minimum Password Age in Days 1 0 Password History Size or greater Password Complexity Enabled Enabled Reversible Password Encryption Disabled Disabled Lockout Threshold 3 3 Lockout Duration 0 0 Reset Lockout Counter in Minutes Force Logoff When Logon Time Expires Disabled Enabled Rename Administrator Account Not Defined New Name Rename Guest Account Not Defined New Name Allow Lockout of Local Administrator Account Disabled Enabled Disable Password Changes for Machine Accounts Disabled Disabled Number of Password Setting Objects (PSOs) defined on the system: 1 Leading Practice is the standard adopted by the top 10 to 20 percent of organisations. Functions of Accounts Policy Values and Potential Exposures Domain Accounts Policy values set the defaults for all accounts in a domain. Note that certain account policies can be overridden by policies defined in Password Setting Objects (from Windows 2008) and settings defined at account level. Appropriate policy values do not necessarily mean that security at account level is similarly appropriate. You should consult other sections of this report to confirm that security settings for individual accounts do not override your intended policy settings. Minimum Password Length Defines the minimum number of characters a password must contain. If it is zero then blank passwords are allowed. Allowing blank passwords is a very high security risk, as it could allow any person in possession of a valid User ID (Account Name) to gain access to your system if the account has a null password. This policy can be overridden by the Password Complexity policy. See Effective Minimum Password Length for details. The Leading Practice value is 8 or greater. Effective Minimum Password Length The effective minimum number of characters a password must contain when changing a user password. The value is calculated from the settings of the Minimum Password Length and Password Complexity parameters. If the Password Complexity policy is enabled, the system will only accept user passwords with a minimum of 3 characters that comply with Password Complexity requirements. Produced by SekChek for Windows V , 10-Nov-2013 (Ref ) Page 28 of 154

29 For example: If the Minimum Password Length is 0 and the Password Complexity policy is enabled then the Effective Minimum Password Length will be 3. If the Minimum Password Length is 0 and the Password Complexity policy is disabled then the Effective Minimum Password Length will be 0. If the Minimum Password Length policy is set to a value of 3 or greater then the Effective Minimum Password Length will be the same as the Minimum Password Length policy regardless of the setting of the Password Complexity policy. Maximum Password Age in Days The period of time a password can be used before the system forces the user to change it. The value can be between 1 and 999 days. A value of 0 means that passwords never expire. Passwords that never expire are a security risk as they can be compromised over time. Note that it is possible to override this value in individual user accounts via the Password Never Expires option. Consult the Passwords that Never Expire report section. The Leading Practice value is 30 days. Minimum Password Age in Days The minimum number of days that must elapse between password changes. The value can be between 0 and 999 days. A value of 0 allows a user to change her password immediately if she suspects it is known by someone else. However, this setting can increase the risk of passwords remaining the same despite system-enforced changes. This is because a user could change her password several times in quick succession until it is set back to the original value. Setting the Password History Size to a sufficiently large value can reduce this risk. The Leading Practice value is 0 (no restrictions). Password History Size Determines whether old passwords can be reused. It is the number of new passwords that must be used by a user account before an old password can be reused. For this to be fully effective, immediate changes should not be allowed under Minimum Password Age. The Leading Practice value is 22 or greater. Password Complexity In order to meet the password complexity requirement, passwords must contain characters from (for example) at least three (3) of the following four (4) classes: English Upper Case Letters (A, B, C,... Z) English Lower Case Letters (a, b, c,... z) Westernised Arabic Numerals (0, 1, 2,... 9) Non-alphanumeric ("Special characters") (E.g., punctuation symbols) This policy has an effect on the Effective Minimum Password Length. Reversible Password Encryption Determines whether Windows 200x* will store passwords using reversible encryption. This policy setting provides support for applications, which use protocols that require knowledge of the user password for authentication purposes. Storing passwords using reversible encryption is essentially the same as storing cleartext versions of the passwords. For this reason, this policy should not be enabled unless application requirements outweigh the need to protect password information. By default, this setting is disabled in the Default Domain Group Policy for domains and in the local security policy of workstations and servers. Lockout Threshold, Lockout Duration and Reset Lockout Counter in Minutes Lockout Threshold indicates the number of failed logon attempts for user accounts before accounts are locked out. The value can be 1 to 999 failed attempts. A value of 0 will allow an unlimited number of failed logon attempts. Produced by SekChek for Windows V , 10-Nov-2013 (Ref ) Page 29 of 154

30 Lockout Duration indicates the amount of time an account will remain locked out when the Lockout Threshold is exceeded. The value can be 1 to minutes; a value of 0 (forever) indicates that the account cannot log on until an administrator unlocks it. N/A is set when Lockout Threshold is set to 0. Reset Lockout Counter in Minutes. Specifies the period within which invalid logon attempts are monitored. I.e. if the number of failed logon attempts defined in Lockout Threshold is reached within the number of minutes defined for Reset Lockout Counter in Minutes the account is locked out for the period specified under Lockout Duration. The value for Reset Lockout Counter in Minutes can be 1 to minutes. Allowing an excessive or unlimited number of invalid logon attempts can compromise security and allow intruders to log on to your system. Setting the Lockout Duration to 0 (forever) will help ensure that administrators are alerted of potential intruder attacks as only they can unlock accounts. Setting Lockout Duration to a small amount (e.g. 5 minutes) will undermine the effectiveness of the Lockout Threshold and administrators might not be alerted to potential intruder attacks. If the value for Reset Lockout Counter in Minutes is too small (e.g. 1 minute) it will increase the risk of intruders gaining access to your system via repeated password guessing attempts. If the value is too high it may inconvenience genuine users by locking out their accounts when they enter incorrect passwords accidentally. The Leading Practice values are: Lockout Threshold = 3 Lockout Duration = 0 (Forever) Reset Lockout Counter in Minutes = 1440 minutes Force Logoff When Logon Time Expires When enabled users will be forcibly disconnected from servers on the domain immediately after their valid logon hours are exceeded. Valid logon hours are defined at user account level. This option enhances security by ensuring that users are disconnected if they exceed their valid logon hours or do not log off when leaving work. However, it could be disruptive to users who have to work after hours and could compromise data integrity etc. This option should be used at the discretion of Management. Rename Administrator, Rename Guest It is good practice to ensure the Administrator and Guest built-in accounts are renamed via policy. This will minimise the risks of intruders using these well-known accounts when attempting to log on to the domain. Keep in mind that these accounts can also be renamed manually (for example, via the Active Directory Users and Computers interface). However, when compared to the irrevocable policy change method, the disadvantage of the manual approach is that administrative users can simply rename these accounts at a later stage (possibly back to Administrator and Guest). Allow Lockout of Local Administrator Account Allows the built-in administrator account to be locked out from network logons. This policy setting can be modified using the passprop command-line utility, which is included in the Windows 2000 Resource Kit. Disable Password Changes for Machine Accounts Removes the requirement that the machine account password be automatically changed every week. This value is ignored in Windows XP and later. Produced by SekChek for Windows V , 10-Nov-2013 (Ref ) Page 30 of 154

31 4. Domain Controller Policy Settings (Local Policy) The following 3 subsections relate to the Local Policy on the domain controller being analysed. In Active Directory, each domain controller can have different local policy settings. domain controllers generally inherit the same local policy settings because they typically belong to the same OU (e.g. Domain Controllers) to which the same policies apply. However, if domain controllers belong to different OUs, then different policy settings can be applied to them. This has important security implications as an account can, for example, be granted powerful rights on one or more domain controller while being denied the same rights on other domain controllers. The policy for domain controllers can then be inconsistent and increase security risks. This report provides policy settings for the domain controller where the SekChek Scan process was run. 4.1 Audit Policy Settings Account Logon Credential Validation Kerberos Authentication Service Kerberos Service Ticket Operations Other Account Logon Events Account Management Application Group Management Computer Account Management Distribution Group Management Other Account Management Events Security Group Management User Account Management Detailed Tracking DPAPI Activity Process Creation Process Termination RPC Events DS Access Detailed Directory Service Replication Directory Service Access Directory Service Changes Directory Service Replication Logon / Logoff Account Lockout Audit User / Device Claims ** IPsec Extended Mode IPsec Main Mode IPsec Quick Mode Logoff Logon Audited Events Success & Failure Failure Failure Failure Audited Events Success Success Success Success Success Success Audited Events Success Success & Failure Success Success Audited Events No Auditing No Auditing Success No Auditing Audited Events Success Failure Failure Success Failure Success Success & Failure Produced by SekChek for Windows V , 10-Nov-2013 (Ref ) Page 31 of 154

32 Network Policy Server Other Logon/Logoff Events Special Logon Object Access Application Generated Central Access Policy Staging ** Certification Services Detailed File Share File Share File System Filtering Platform Connection Filtering Platform Packet Drop Handle Manipulation Kernel Object Other Object Access Events Registry Removable Storage ** SAM Policy Change Audit Policy Change Authentication Policy Change Authorization Policy Change Filtering Platform Policy Change MPSSVC Rule-Level Policy Change Other Policy Change Events Privilege Use Non Sensitive Privilege Use Other Privilege Use Events Sensitive Privilege Use System IPsec Driver Other System Events Security State Change Security System Extension System Integrity Failure Failure Failure Audited Events Success & Failure Failure No Auditing Failure Success & Failure No Auditing Success & Failure Success & Failure Success & Failure No Auditing Failure Failure Failure No Auditing Audited Events Success & Failure Success & Failure Success Success Success Success Audited Events Failure Failure Failure Audited Events Success Success Success & Failure Success Success & Failure Produced by SekChek for Windows V , 10-Nov-2013 (Ref ) Page 32 of 154

33 Explanation of Audit Policy Settings Account Logon Credential Validation Kerberos Authentication Service Kerberos Service Ticket Operations Other Account Logon Events Account Management Application Group Management Computer Account Management Distribution Group Management Other Account Management Events Security Group Management User Account Management Detailed Tracking DPAPI Activity Process Creation Process Termination RPC Events DS Access Detailed Directory Service Replication Directory Service Access Directory Service Changes Directory Service Replication Logon / Logoff Account Lockout Audit logon attempts by privileged accounts that log on to the domain controller. These audit events are generated when the Kerberos Key Distribution Center (KDC) logs on to the domain controller. Audits events generated by validation tests on user account logon credentials. Audits events generated by Kerberos authentication ticket-granting ticket (TGT) requests. Audits events generated by Kerberos service ticket requests. Audits events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets. Audit attempts to create, delete, or change user or group accounts. Also, audit password changes. Audits events generated by changes to application groups. Audits events generated by changes to computer accounts, such as when a computer account is created, changed, or deleted. Audits events generated by changes to distribution groups. Audits events generated by other user account changes that are not covered in this category. Audits events generated by changes to security groups. Audits changes to user accounts. Audit-specific events, such as program activation, some forms of handle duplication, indirect access to an object, and process exit. Audits events generated when encryption or decryption requests are made to the Data Protection application interface (DPAPI). DPAPI is used to protect secret information such as stored password and key information. Audits events generated when a process is created or starts. The name of the application or user that created the process is also audited. Audits events generated when a process ends. Audits inbound remote procedure call (RPC) connections. Audit attempts to access the directory service. Audits events generated by detailed AD DS replication between domain controllers. Audits events generated when an AD DS object is accessed. Only AD DS objects with a matching SACL are logged. Audits events generated by changes to AD DS objects. Events are logged when an object is created, deleted, modified, moved, or undeleted. Audits replication between two AD DS domain controllers. Audit attempts to log on to or log off of the system. Also, audit attempts to make a network connection. Audits events generated by a failed attempt to log on to an account that is locked out. Audit User / Device Claims ** From Server Audits user and device claims information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. User claims are added to a logon token when claims are included with a user's account attributes in Active Directory. IPsec Extended Mode IPsec Main Mode IPsec Quick Mode Audits events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations. Audits events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations. Audits events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations. Produced by SekChek for Windows V , 10-Nov-2013 (Ref ) Page 33 of 154

34 Logoff Logon Network Policy Server Other Logon/Logoff Events Special Logon Object Access Application Generated Audits events generated by closing a logon session. These events occur on the computer that was accessed. For an interactive logon, the security audit event is generated on the computer that the user account logged on to. Audits events generated by user account logon attempts on a computer. Audits events generated by RADIUS (IAS) and Network Access Protection (NAP) user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock. Audits other events related to logon and logoff that are not included in the Logon/Logoff category. Audits events generated by special logons. Audit attempts to access securable objects. Audits applications that generate events by using the Windows Auditing application programming interfaces (APIs). Applications designed to use the Windows Auditing API use this subcategory to log auditing events related to their function. Central Access Policy Staging ** From Server Audits access requests where the permission granted or denied by a proposed policy differs from that granted or denied by the current central access policy on an object. Certification Services Detailed File Share File Share File System Filtering Platform Connection Filtering Platform Packet Drop Handle Manipulation Kernel Object Other Object Access Events Registry Audits Active Directory Certificate Services (AD CS) operations. Audits every attempt to access objects in a shared folder. Audits attempts to access a shared folder. Audits user attempts to access file system objects. A security audit event is generated only for objects that have SACLs and only if the type of access requested, such as Write, Read, or Modify, and the account making the request match the settings in the SACL. Audits connections that are allowed or blocked by WFP. Audits packets that are dropped by Windows Filtering Platform (WFP). Audits events generated when a handle to an object is opened or closed. Only objects with a matching SACL generate security audit events. Open and close handle events will be audited when both the Handle Manipulation subcategory is enabled along with the corresponding resource manager identified by other Object Access audit subcategory, like File System or Registry. Enabling Handle Manipulation causes implementation-specific security event data to be logged identifying the permissions that were used to grant or deny the access requested by the user; this is also known as "Reason for access". Audits attempts to access the system kernel, which include mutexes and semaphores. Only kernel objects with a matching SACL generate security audit events. Note: The Audit: Audit the access of global system objects policy setting controls the default SACL of kernel objects. Audits events generated by the management of Task Scheduler jobs or COM+ objects. Audits attempts to access registry objects. A security audit event is generated only for objects that have SACLs and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL. Removable Storage ** From Server Audits user attempts to access file system objects on any Removable Storage device. A security audit event is generated for every read or write access to a file object on any Removable Storage device attached to the user s machine. SAM Policy Change Audit Policy Change Authentication Policy Change Authorization Policy Change Audits events generated by attempts to access Security Accounts Manager (SAM) objects. Audit attempts to change Policy object rules. Audits changes in security audit policy settings. Audits events generated by changes to the authorization policy. Audits events generated by changes to the authentication policy. Produced by SekChek for Windows V , 10-Nov-2013 (Ref ) Page 34 of 154