TESTBED. SekChek for Windows Security Report. System: PUFFADDER (Snake.com) 10 November SekChek IPS
TESTBED
SekChek for Windows Security Report
10 November 2013
SekChek IPS
Declaration

The provided observations and recommendations are in response to a benchmarking analysis that compares the client's information security features against industry. The recommendations are organised to identify possible implications to the company based on the gathered information, to identify an industry average rating of the controls and to provide possible recommended actions. The benchmarking analysis and the related observations and recommendations should supplement management's analysis but should not be, and cannot be, solely relied upon in any instance to identify and/or remediate information security deficiencies. Further, the observations and recommendations herein do not identify the cause of a possible deficiency or the cause of any previously unidentified deficiencies. The causes of the deficiencies must be determined and addressed by management for the recommendations selected to be relevant.

SekChek IPS. All rights reserved. SekChek is a registered trademark of SekChek IPS. All other trademarks are the property of their respective owners.
Contents

SekChek Options (page 5)
System Details (page 6)
System Configuration (page 7)
1. Report Summary
1.1 Comparisons Against Industry Average and Leading Practice
1.2 Answers to Common Questions
1.3 Summary of Changes since the Previous Analysis
2. Domain Structure
3. Domain Accounts Policy
Domain Controller Policy Settings (Local Policy)
Audit Policy Settings
Event Log Settings
Security Option Settings
Group Policy Objects
Description and Properties for Group Policy Objects
Summary of GPOs Defined on the System
Summary of GPOs and their Links to OUs
Summary of OUs and their Links to GPOs
GPOs Defined and their Details
GPO Version Discrepancies
Password Setting Objects (PSOs)
Customer-Selected Registry Key Values
User Accounts Defined in the Domain
Groups Defined in the Domain
Domain Local Groups and their Members
Domain Global Groups and their Members
Domain Universal Groups and their Members
Last Logons, 30 Days and Older
Passwords, 30 Days and Older
Passwords that Never Expire
Accounts not Requiring a Password
Invalid Logon Attempts Greater than
Users not Allowed to Change Passwords
Accounts with Expiry Date
Disabled Accounts
Locked Out Accounts
Accounts Whose Passwords Must Change at Next Logon
Accounts Created in the Last 90 Days (page 90)
24. Rights and Privileges
Descriptions & General Recommendations for Rights
Rights Assigned to Local Groups
Rights Assigned to Universal Groups (Native mode only)
Rights Assigned to Global Groups
Rights Assigned to Users
Rights Assigned to Well-Known Objects
Rights Assigned to External Objects
Discretionary Access Controls (DACL) for Containers
Trusted and Trusting Domains
Servers and Workstations
Domain Controllers in the Domain
Accounts Allowed to Dial In through RAS
Services and Drivers on the Machine
Server Roles and Features
Task Scheduler
Security Updates, Patches and Hot-Fixes
Products Installed
Current Network Connections
Logical Drives
Network Shares
Home Directories, Logon Scripts and Profiles
File Permissions and Auditing (page 152)
SekChek Options

Reference Number:
Requester: Internal Audit
Telephone Number: +44 (20)
City: London
Client Country: UK
Charge Code: Snake - Windows
Client Code: SEK001
Client Industry Type: Manufacturing
Host Country: Belize
Security Standards Template: 0 - SekChek Default
Evaluate Against Industry Type: Manufacturing
Compare Against Previous Analysis: Not Selected
Scan All DCs for Last Logon Times: Yes (scanned 2 of 2 DCs)
Report Format: Word 2007
Paper Size: A4 (21 x 29.7 cms)
Spelling: English UK
Large Report Format: MS-Excel spreadsheet
Large Report (Max Lines in Word Tables): 1500
Summary Document Requested: Yes
Scan Software Version Used:
Scan Software Release Date: 08-Nov-2013

Your SekChek report was produced using the above options and parameters. You can change these settings for all files you send to us for processing via the Options menu in the SekChek Client software on your PC. You can also tailor them (i.e. temporarily override your default options) for a specific file via the Enter Client Details screen. This screen is displayed:
For SekChek for NetWare and Windows: during the Scan process on the target Host system;
For SekChek for AS/400 and UNIX: during the file encryption process in the SekChek Client software.

Produced by SekChek for Windows V , 10-Nov-2013 (Ref ) Page 5 of 154
System Details

Domain Name: Snake.com (SNAKE)
Domain Sid: *S
Forest: Snake.com
DC Functionality: Windows Server 2008 R2 Mode
Domain Functionality**: Windows Server 2003 Domain Mode
Forest Functionality**: Windows 2000 Forest Mode
Computer: Domain Controllers/PUFFADDER
Site Name: Default-First-Site-Name
Windows Version: 6.1 (Windows 2008 R2)
Build / Service Pack: 7601 / Service Pack 1
System Locale Id: 2052 (x804)
Scan Time: 08-Nov :47
Scanned By: Users/Administrator
Report Date: 10 November, 2013

** Functional Levels (available from SekChek V5.0.4 / Windows Server 2003)
DC Functionality: the functional level of the Domain Controller (DC)
Domain Functionality: the functional level of the domain
Forest Functionality: the functional level of the forest

General Note

In Active Directory domains, objects such as user accounts belong to a container object (e.g. an Organizational Unit in a domain, or the domain object itself). In this report the paths of objects are usually listed. The format of the path is, for example, Orgunit x/orgunit y. The / character separates the containers in the path. Paths are listed from the highest level down. A path can contain a domain name as the first container, for example abc.xyz.com as a domain name. When the domain name is listed in the path, it means that the containers and object in that path belong to a domain other than the one being analysed. If a path is not listed for an object, it means that the object was defined at the domain level container and not in any container object of the domain.
System Configuration

Operating System
OS Name: Microsoft Windows Server 2008 R2 Enterprise
OS Version, Build:
OS Architecture: 64-bit
OS Locale Id: x0804
OS Serial Number:
OS Installed:
Last BootUp:
Country Code: 86
Time Zone: GMT +02:00
Boot Device: \Device\HarddiskVolume1
System Drive: C:
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
PAE Enabled: No
Visible Memory: GB
Free Memory: GB
Encryption Level: 256 bits
OS Language: English - United States
OS Stock Keeping Unit Name: Enterprise Server Edition
Maximum Number of Processes: Unknown
Number of Licensed Users: Unlimited
Number of Current Users: 3
Registered User: Windows User

Data Execution Prevention (DEP)
DEP Available: Yes
DEP Enabled for 32-bit Appls: Yes
DEP Enabled for Drivers: Yes
DEP Policy: Opt Out

System Recovery Options
Write an event to the system log: Yes
Send an administrative alert: No
Automatically restart: Yes
Write debugging information: Kernel memory dump
Dump file: %SystemRoot%\MEMORY.DMP
Overwrite any existing file: Yes

BIOS
Manufacturer: American Megatrends Inc.
Version: 2.3
Release Date:
Base Board (Motherboard)
Manufacturer: Microsoft Corporation
Product: Virtual Machine
Serial Number:
Version: 7.0

Page Files
Number of Page Files: 1
Name of Page File #1: C:\pagefile.sys
Temporary Page File: No
Create Date:
Allocated Size: GB
Current Usage: GB
Peak Usage: GB

Computer
Manufacturer: Microsoft Corporation
Model: Virtual Machine
System Type: x64-based PC
Remote Desktop Enabled: Unknown
Nbr of Processors: 1
Total Memory: GB
System Registry Size: Current = MB; Max allowed = 2,048.0 MB
Screen Resolution: 1680 x 1050 pixels
BootUp State: Normal boot
Wake-up Type: Power Switch
Boot ROM Supported: Yes
Infrared (IR) Supported: No
Power Management Supported: No
Computer Role: Primary Domain Controller
Computer Name: PUFFADDER
Computer Sid: *S
Domain Name (short): SNAKE
Domain Name (DNS): Snake.com

Processors
Number of Processors: 1

Processor #1
Manufacturer: AuthenticAMD
Name: AMD Opteron(tm) Processor 6172
Family: AMD Opteron 6172
Description: AMD64 Family 16 Model 9 Stepping 1
Processor Id: 1F8BFBFF000106A5
Clock Speed: 3,108 MHz
External Clock Speed: 200 MHz
Address Width: 64 bits
Data Width: 64 bits
Level 2 Cache Size: 512 KB
Level 2 Cache Speed: Unknown MHz
Number of Cores: 1
Nbr of Logical Processors: 1
Chip Socket: None
Availability: Running/Full Power

Network Adapters (IP enabled)
Connection Id: Local Area Connection
Connection Status: Connected
Name: Microsoft Hyper-V Network Adapter #2
Service Name: netvsc
Manufacturer: Microsoft
Adapter Type: Ethernet
Speed (Mbs): 10,000 Mbs
Last Reset: :13:38
IP Enabled: Yes
IP Address:
IP Subnet:
Default Gateway:
MAC Address: 00:15:5D:64:2F:1A
DHCP Enabled: No
DHCP Lease Expires:
DHCP Lease Obtained:
DHCP Server:
DNS Search Order:

Windows Firewall

Domain Profile
Firewall State: On (recommended)
Inbound Connections: Block, allow exceptions (default)
Outbound Connections: Allow (default)
Display Notifications: No
Allow Unicast Response: Yes (default)

Private Profile
Firewall State: On (recommended)
Inbound Connections: Block, allow exceptions (default)
Outbound Connections: Allow (default)
Display Notifications: No
Allow Unicast Response: Yes (default)

Public Profile
Firewall State: On (recommended)
Inbound Connections: Block, allow exceptions (default)
Outbound Connections: Allow (default)
Display Notifications: No
Allow Unicast Response: Yes (default)
Region & Language Options
Current Format: English (South Africa)
Time Format: 08:46:32
Short Date: 08-Nov-2013
Long Date: 08 November 2013
Short Date Format: dd-mmm-yyyy
Long Date Format: dd MMMM yyyy
Currency Symbol: R
Currency (International): ZAR
System Locale: English (South Africa)

Screen Saver Policy
Scan Account: Users/Administrator
Screen Saver Enabled: Yes
Screen Saver Timeout: 600 seconds
Screen Saver Secure: Yes

User Account Control (UAC)
UAC Enabled: Yes
1. Report Summary

The following two charts illustrate the diversity of regions and industries that make up the population of systems running Active Directory in our statistics database. The remaining graphs in the Report Summary section evaluate security on your system against this broad base of real-life security averages. SekChek is used by the Big Four audit firms, IS professionals, internal auditors, security consultants and general management in more than 130 countries.

Chart: Statistics Population by Region

As new reviews are processed, summaries of the results (excluding client identification) are automatically added to a unique statistics database containing more than 70,000 assessments.

Chart: Statistics Population by Industry Type
1.1 Comparisons Against Industry Average and Leading Practice

Summary of Domain Accounts Policy Values

This graph compares the Domain Accounts Policy values against the industry average using the following criteria: Country = <All>; Industry Type = Manufacturing; Machine Size (Nbr of Accounts) = <All>

This and the following summary reports are of most value when they are used to compare snapshots of your security measures at different points in time. Used in this way, they provide a fairly clear picture of whether your security measures are improving or becoming weaker.

Industry Average is a dynamic, calculated average for all Active Directory domains analysed by SekChek using the above criteria. It indicates how your security measures compare with those of other organisations using Microsoft Windows systems.

Leading Practice is the standard adopted by the top 10 to 20 percent of organisations.

Asterisks (*) after Policy Values indicate their relative importance and individual contribution towards the security of your system, i.e. Policy Values followed by 3 asterisks (***) are considered more important, and to have a greater impact on security, than those followed by 1 asterisk (*). This is an approximation and should be used as a guide only.

For more information and details, see the report section Domain Accounts Policy.

Summary of Domain User Accounts

This graph compares against the industry average using the following criteria: Country = <All>; Industry Type = Manufacturing; Machine Size (Nbr of Accounts) = Very Small
Legend: Above the industry average; About average; Below average
Total number of user accounts defined to your domain: 16

This summary report presents the number of user accounts with the listed characteristics as a percentage of the total number of accounts defined to your domain. In general, longer bars highlight potential weaknesses in your security measures and should be investigated. For more details, refer to the relevant sections in the main body of the report. The graph is sorted in order of importance. This is an approximation and should be used as a guide only.

Summary of Effective Rights for the Domain Controller

This graph compares against the industry average using the following criteria: Country = <All>; Industry Type = Manufacturing; Machine Size (Nbr of Accounts) = Very Small
Legend: Above the industry average; About average; Below average

This summary report presents the number of user accounts with the listed rights as a percentage of the total number of accounts defined to the domain controller. These rights are applied via the Local Policy of the domain controller being analysed; other domain controllers may have different rights defined. For more details of rights assigned, refer to the Rights Assigned to Users sections in the main body of the report. The graph is sorted in alphabetical sequence.

Summary of Domain User Accounts (excluding disabled accounts)

This graph compares against the industry average using the following criteria: Country = <All>; Industry Type = Manufacturing; Machine Size (Nbr of Accounts) = Very Small
Legend: Above the industry average; About average; Below average
Total number of user accounts defined to your system: 16

This summary report presents the number of enabled accounts (i.e. excluding accounts with a status of disabled, or accounts that are locked) with the listed characteristics as a percentage of the total number of accounts defined to your system. In general, longer bars highlight potential weaknesses in your security measures and should be investigated. For more details, refer to the relevant sections in the main body of the report. The graph is sorted in order of importance. This is an approximation and should be used as a guide only.

Summary of Effective Rights for the Domain Controller (excl. disabled accounts)

This graph compares against the industry average using the following criteria: Country = <All>; Industry Type = Manufacturing; Machine Size (Nbr of Accounts) = Very Small
Legend: Above the industry average; About average; Below average

This summary report presents the number of enabled accounts (i.e. excluding accounts with a status of disabled, or accounts that are locked) with the listed rights as a percentage of the total number of accounts defined to your system. For more details, refer to the Rights Assigned to Users sections in the main body of the report. The graph is sorted in alphabetical sequence.

Summary of Domain Administrator Accounts

This graph compares against the industry average using the following criteria: Country = <All>; Industry Type = Manufacturing; Machine Size (Nbr of Accounts) = Very Small
Legend: Above the industry average; About average; Below average
Total number of user accounts with administrative privileges defined to your domain: 2

This summary report presents the number of administrator accounts (i.e. accounts that have administrative privileges) with the listed characteristics as a percentage of the total number of administrator accounts defined to your domain. In general, longer bars highlight potential weaknesses in your security measures and should be investigated. For more details, refer to the relevant sections in the main body of the report. The graph is sorted in order of importance. This is an approximation and should be used as a guide only.

Summary of Domain Administrator Accounts (excluding disabled accounts)

This graph compares against the industry average using the following criteria: Country = <All>; Industry Type = Manufacturing; Machine Size (Nbr of Accounts) = Very Small
Legend: Above the industry average; About average; Below average
Total number of user accounts with administrative privileges defined to your system: 2

This summary report presents the number of enabled administrator accounts (i.e. accounts that have administrative privileges, excluding those with a status of disabled or accounts that are locked) with the listed characteristics as a percentage of the total number of administrator accounts defined to your system. In general, longer bars highlight potential weaknesses in your security measures and should be investigated. For more details, refer to the relevant sections in the main body of the report. The graph is sorted in order of importance. This is an approximation and should be used as a guide only.
1.2 Answers to Common Questions

The following charts are intended to provide quick answers to the most common questions regarding the security of a system. The diagrams highlight the relative numbers of objects with the listed attributes. The total population used to plot each chart is included in brackets () after each chart title. Each section includes a link to more detailed information contained in other sections of this report.

When were the user accounts created?
The charts show when user accounts were created on your system, grouped by all accounts and accounts with Administrative privileges. Includes active and disabled accounts.
More information: Accounts Created in the Last 90 Days

When were the group and computer accounts created?
The chart shows when the group and computer accounts were created on your system.
More information: Accounts Created in the Last 90 Days

What is the status of user accounts?
The charts analyse user accounts by their status: active or disabled. An account may be disabled because its status has been set to disabled, the account has expired, or the account was locked by the system due to excessive password guessing attempts. Note that an account may be both locked and expired, or disabled and expired.
5 out of 16 accounts are disabled on this system.
More information: Disabled Accounts, Locked Accounts, Accounts with Expiry Date

How active are user accounts?
The charts indicate when accounts were last used to log on to the system, grouped by all accounts and accounts with Administrative privileges. Excludes disabled accounts. SekChek queried 2 out of 2 domain controllers to obtain the information; this matters because each domain controller records the last-logon time only for the logons it authenticated itself, and the value is not replicated, so a figure taken from a single DC can understate how recently an account was used.
More information: Last Logons, 30 Days and Older

How frequently do users change their passwords?
The charts show when user logon passwords were last changed. Next Logon means that the password must be changed the next time the account is used to log on to the domain. Grouped by all accounts and accounts with Administrative privileges. Excludes disabled accounts.
More information: Passwords, 30 Days and Older; Password Must Change at Next Logon

Are users forced to change their passwords?
The charts show the percentage of accounts with a password that is not required to be changed, grouped by all accounts and accounts with Administrative privileges. Excludes disabled accounts.
More information: Passwords that Never Expire

Are users allowed to change their passwords?
The charts show the percentage of accounts that are not allowed to change their passwords, grouped by all accounts and accounts with Administrative privileges. Excludes disabled accounts.
More information: User Accounts not Allowed to Change Password

Are users allowed to log on without a password?
The charts show the percentage of accounts that may have their passwords set to zero length (blank) by an administrative account, grouped by all accounts and accounts with Administrative privileges. Excludes disabled accounts.
More information: Accounts not Requiring a Password

What privileges are assigned to user accounts?
The chart shows the percentage of user accounts with Administrative, User and Guest privileges. These privileges are determined by group memberships. Excludes disabled accounts.
More information: User Accounts Defined In The Domain

What are the types of group accounts?
The chart analyses security groups by group type. Excludes Distribution groups.
More information: Groups Defined In the Domain

What are the service types and their start types?
These charts summarise the types of services and drivers installed on the system and their start types. The charts include running and stopped services.
More information: Services and Drivers
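The checks behind the charts in this section can be reproduced directly against a domain. The PowerShell below is an added example, not SekChek's code or output. It assumes the RSAT ActiveDirectory module and an account that can read the domain; the list of groups treated as "administrative" is an assumption of the example. The part worth noting is the handling of lastLogon: the attribute is not replicated between domain controllers, so the script asks every DC and keeps the newest value per account, which is what the report's "queried 2 out of 2 domain controllers" amounts to.

```powershell
# Added example, not SekChek's code. Requires the RSAT ActiveDirectory module
# and an account that can read the domain. The $privileged list is an assumption.
Import-Module ActiveDirectory

$staleDays  = 30
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

# lastLogon is not replicated: each DC only records the logons it authenticated
# itself. Ask every DC and keep the newest FILETIME per account.
$lastLogon = @{}
foreach ($dc in Get-ADDomainController -Filter *) {
    Get-ADUser -Filter * -Server $dc.HostName -Properties lastLogon | ForEach-Object {
        $t = [long]$_.lastLogon                       # 0 = never logged on via this DC
        if (-not $lastLogon.ContainsKey($_.SamAccountName) -or $t -gt $lastLogon[$_.SamAccountName]) {
            $lastLogon[$_.SamAccountName] = $t
        }
    }
}

# "Privileges are determined by group memberships": resolve nested membership
# rather than trusting the direct memberOf attribute.
$admins = @{}
foreach ($g in $privileged) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $admins[$_.SamAccountName] = $true }
}

$props = 'Enabled', 'LockedOut', 'AccountExpirationDate', 'PasswordNeverExpires',
         'PasswordNotRequired', 'CannotChangePassword', 'pwdLastSet', 'whenCreated'
$now = Get-Date

$report = foreach ($u in Get-ADUser -Filter * -Properties $props) {
    $t  = $lastLogon[$u.SamAccountName]
    $ll = if ($t -gt 0) { [DateTime]::FromFileTime($t) } else { $null }
    [pscustomobject]@{
        Account              = $u.SamAccountName
        Admin                = $admins.ContainsKey($u.SamAccountName)
        Enabled              = $u.Enabled
        LockedOut            = $u.LockedOut
        Expired              = ($null -ne $u.AccountExpirationDate -and $u.AccountExpirationDate -lt $now)
        LastLogon            = $ll
        StaleLogon           = ($null -eq $ll -or $ll -lt $now.AddDays(-$staleDays))
        PasswordNeverExpires = $u.PasswordNeverExpires
        PasswordNotRequired  = $u.PasswordNotRequired     # PASSWD_NOTREQD: a blank password may be set
        CannotChangePassword = $u.CannotChangePassword
        MustChangeAtLogon    = ($u.pwdLastSet -eq 0)      # pwdLastSet of 0 = change at next logon
        CreatedLast90Days    = ($u.whenCreated -gt $now.AddDays(-90))
    }
}

# Mirror the charts: counts over all accounts, then the weak-looking enabled ones.
$all        = @($report)
$active     = @($all | Where-Object { $_.Enabled -and -not $_.LockedOut -and -not $_.Expired })
$adminCount = @($all | Where-Object Admin).Count
'{0} of {1} accounts are disabled, locked or expired' -f ($all.Count - $active.Count), $all.Count
'{0} of {1} accounts have administrative privileges' -f $adminCount, $all.Count

$active | Where-Object StaleLogon |
    Select-Object Account, Admin, LastLogon | Format-Table -AutoSize
$active | Where-Object { $_.PasswordNeverExpires -or $_.PasswordNotRequired -or
                         $_.CannotChangePassword -or $_.MustChangeAtLogon } |
    Select-Object Account, Admin, PasswordNeverExpires, PasswordNotRequired,
                  CannotChangePassword, MustChangeAtLogon | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on a domain-joined host. If a DC is unreachable, Get-ADUser for that DC fails and its logon data is simply missing from the maximum, so check that every DC returned before trusting the stale-logon list; the report records that count for the same reason.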
1.3 Summary of Changes since the Previous Analysis

Need to quickly highlight changes in security controls since your previous review? SekChek's latest time-comparison graphs are just the solution!

Note: The above graph is provided for illustrative purposes only.

A collection of easy-to-read reports in a very familiar format provides you with visual indicators of:
Whether security has improved, weakened, or remained about the same since your previous analysis
The effectiveness of your measures to strengthen controls
Whether risk is increasing or decreasing
The degree of change, both positive and negative

The applications are endless. Some of the practical benefits are:
Time savings. Reduced time spent poring over volumes of unconnected information
Objectivity. The results are guaranteed to be the same regardless of who performs the review
Compliance with legislation. Easier monitoring for compliance with statutory requirements imposed by SOX, HIPAA and other legislative changes relating to corporate governance
More powerful justifications. The ability to present more convincing arguments to senior, non-technical management who do not have the time, or the inclination, to understand masses of technical detail

Interested? Contact us at [email protected] to find out how to get started!
2. Domain Structure

This report section lists the Container objects in the domain. It summarises the Directory structure for your domain and may help you to understand the overall structure of the domain's Directory, especially where it is large or complex.

Section Detail (Object Name, Object Type)

Snake.com  domaindns
--- Amazon  organizationalunit
--- Builtin  builtindomain
--- Computers  container
--- Domain Controllers  organizationalunit
--- ForeignSecurityPrincipals  container
--- Managed Service Accounts  container
--- Program Data  container
Microsoft  container
--- System  container
AdminSDHolder  container
ComPartitions  container
ComPartitionSets  container
DomainUpdates  container
ActiveDirectoryUpdate  container
Operations  container
b7fb c2e-94b10f67d1bf  container
e660ea3-8a5e ad7-ca1bd4638f9e  container
b3ad2a fa7-90fc-6377cbdc1b26  container
d15cf0-e6c8-11d c04f  container
fb90b-c92a-40c bacfc313a3e3  container
c60a-fe15-4d7a-a61e-dffd5df864d3  container
f0798-ea5c f5d-45f33a30703b  container
c66f-b332-4a73-9a20-2d6a7d6e6a1c  container
c f57-4e2a-9b c9e71961  container
e4f4182-ac5d-4378-b760-0eab2de593e2  container
f24ea-cfd5-4c e170bcb912  container
aaabc3a-c416-4b9c-a6bb-4b453ab1c1f0  container
c93ad42-178a d28f3aa  container
dfbb973-8a a90c-776e00f83222  container
cba88b-99cf-4e16-bef2-c427b38d0767  container
d75-bef7-43e1-938b-2e749f5a8d56  container
c82b233-75fc-41b3-ac71-c69592e6bf15  container
e1574f6-55df-493e-a671-aaeffca6a100  container
b34cb0-55ee-4be9-b b92b017  container
ada9ff7-c9df-45c1-908e-9fef2fab008a  container
bcd d6-977b-00c04f  container
bcd d6-977b-00c04f  container
bcd567a d6-977b-00c04f  container
bcd567b d6-977b-00c04f  container
bcd567c d6-977b-00c04f  container
bcd567d d6-977b-00c04f  container
bcd567e d6-977b-00c04f  container
bcd567f d6-977b-00c04f  container
bcd d6-977b-00c04f  container
bcd d6-977b-00c04f  container
bcd d6-977b-00c04f  container
bcd d6-977b-00c04f  container
bcd d6-977b-00c04f  container
bcd d6-977b-00c04f  container
bcd d6-977b-00c04f  container
bcd d6-977b-00c04f  container
bcd d6-977b-00c04f  container
bcd d6-977b-00c04f  container
bcd568a d6-977b-00c04f  container
bcd568b d6-977b-00c04f  container
bcd568c d6-977b-00c04f  container
bcd568d d6-977b-00c04f  container
E157EDF-4E A82A-EC3F91021A22  container
ff880d6-11e7-4ed1-a20f-aac45da48650  container
d cb3-a438-b6fc9ec35d70  container
d4c8-ac41-4e05-b e8e9f1  container
cfb016c-4f bd9df943947f  container
ffef b-440a-8d58-35e8cd6e98c3  container
ba0-7e4c-4a44-89d9-d46c9612bf91  container
C3D BF38-79E4AC33DFA0  container
c36ed c62-a18b-cf6ff  container
ca a4-4bd4-806f-ebed6acb5d0c  container
ddf6913-1c7b-4c59-a5af-b9ca3b3d2c4c  container
c d6e-b19d-c16cd  container
de1d3e b-8b4e-f4337f1ded0b  container
cac1f ad-a472-2a e4  container
a1789bfb-e0a cc0-e77d892d080a  container
a3dac986-80e7-4e59-a059-54cb1ab43cb9  container
a86fe12a-0f62-4e2a-b271-d27f601f8182  container
ab d3c3-455d-9ff a1099b6  container
aed72870-bf ac c8207f1  container
b96ed a-4172-aa0c f125  container
bab5f54d-06c8-48de-9b87-d78b796564e4  container
c4f17608-e611-11d c04f  container
c88227bc-fcca-4b58-8d8a-cd3d64528a02  container
d262aae8-41f7-48ed-9f35-56bbb677573d  container
d85c0bfd-094f-4cad-a2b5-82ac d  container
dda1d01d-4bd7-4c49-a184-46f9241b560e  container
de10d f-4fb0-9abb-4b7865c0fe80  container
f3dd09dd-25e8-4f9c-85df-12d6d2f2f2f5  container
f58300d1-b71a-4db6-88a1-a8b9538beaca  container
f607fd87-80cf-45e2-890b-6cf97ec0e284  container
f7ed4553-d82b-49ef-a839-2f38a36bb069  container
Windows2003Update  container
IP Security  container
Meetings  container
MicrosoftDNS  container
Policies  container
{31B2F D-11D2-945F-00C04FB984F9}  grouppolicycontainer
Machine  container
User  container
{4AFDCFC6-BAED-4E1D-A3F8-6D5DC846945A}  grouppolicycontainer
Machine  container
User  container
{5471F07B-E3BF-47E6-A2DF-40E D}  grouppolicycontainer
Machine  container
User  container
{6AC1786C-016F-11D2-945F-00C04fB984F9}  grouppolicycontainer
Machine  container
User  container
{F754BFE4-52E2-45B D5C65E8700}  grouppolicycontainer
Machine  container
User  container
{F9BA3B20-1DDA-41D1-B91A-77D94D6EAB7F}  grouppolicycontainer
Machine  container
User  container
RAS and IAS Servers Access Check  container
WinsockServices  container
WMIPolicy  container
PolicyTemplate  container
PolicyType  container
SOM  container
WMIGPO  container
--- TEST GPO PC  organizationalunit
--- Users  container
Domain

In Active Directory a domain is a collection of computers, defined by the administrator of a Windows 200x Server network, that shares a common directory database. A domain provides access to the centralized user accounts and group accounts maintained by the domain administrator. Each domain defines an administrative boundary and a policy boundary for a collection of objects that are relevant to a specific group of users on a network. A domain is an administrative boundary because administrative privileges do not extend to other domains. It is a policy boundary because each domain has a security policy that extends to all accounts within the domain. Note that Microsoft regards the forest, not the domain, as the true security boundary: the domains of a forest share the configuration and schema partitions and trust each other transitively, so an administrator of any domain in the forest must be treated as trusted by all of them.

Domains can be organised into parent-child relationships to form a hierarchy, which is called a domain tree. The domains that are part of a domain tree implicitly trust each other. Multiple domain trees can be connected together into a forest. All trees in a given forest trust each other via transitive hierarchical trust relationships.

Organizational Unit

An Organizational Unit (OU) is a general-purpose container that can hold objects and other OUs to create a hierarchy within a domain. OUs can form logical administrative units for users, groups, and resource objects such as printers, computers, applications and file shares. In large domains, various administrative tasks (such as access rights specification) can be delegated to an administrator for a specific OU, thereby freeing domain administrators from having to support such changes by proxy.

Container

A Container is used for grouping different objects together.

Group Policy Container

A Group Policy Container contains Group Policy objects.

Active Directory Objects

Active Directory objects are either container objects (e.g. OUs and Containers) or leaf objects. A container object stores other objects and, as such, occupies a specific level in a tree or subtree hierarchy. A leaf object does not contain other objects.
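To produce a listing like the one above for a domain of your own, the following PowerShell (an added example, not part of the SekChek report) enumerates the container-type object classes with Get-ADObject and prints them as an indented tree. It also converts each distinguished name into the slash-separated, top-down path form the System Details note describes. It targets whichever domain the host is joined to and requires only the RSAT ActiveDirectory module; the function name is the example's own.

```powershell
# Added example, not SekChek's code. Enumerates the container-type objects of
# the domain the host is joined to; requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$classes = 'domainDNS', 'organizationalUnit', 'container', 'builtinDomain', 'groupPolicyContainer'
$filter  = '(|' + (($classes | ForEach-Object { "(objectClass=$_)" }) -join '') + ')'

# Turn a DN such as CN=Policies,CN=System,DC=Snake,DC=com into the report's
# path form "System/Policies": containers from the top down, "/" separated,
# domain components dropped. A comma escaped with a backslash stays inside its RDN.
function ConvertTo-ReportPath([string]$dn) {
    $rdns  = $dn -split '(?<!\\),'
    $names = @($rdns | Where-Object { $_ -notmatch '^DC=' } | ForEach-Object { $_ -replace '^(CN|OU)=' })
    [array]::Reverse($names)
    return ($names -join '/')
}

$rows = Get-ADObject -LDAPFilter $filter -SearchBase $domain.DistinguishedName -SearchScope Subtree |
    ForEach-Object {
        $path = ConvertTo-ReportPath $_.DistinguishedName     # '' for the domain head itself
        [pscustomobject]@{
            Path  = $path
            Depth = if ($path) { @($path -split '/').Count } else { 0 }
            Name  = if ($path) { ($path -split '/')[-1] } else { $domain.DNSRoot }
            Type  = $_.ObjectClass
        }
    }

# Sorting by path puts every container directly after its parent (the parent's
# path is a prefix of the child's), so indenting by depth reproduces the tree.
$rows | Sort-Object Path | ForEach-Object { ('  ' * $_.Depth) + $_.Name + '  ' + $_.Type }
```

The output is the same set of objects the section lists (domain head, OUs, containers, the Builtin domain and the Group Policy containers under System/Policies); leaf objects such as users, groups and computers are filtered out by the LDAP filter.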
3. Domain Accounts Policy

This report lists the effective Domain Account Policies defined for your system and compares them with Leading Practice.

Policy                                           Policy Value   Leading Practice
Minimum Password Length                          7              8 or greater
Effective Minimum Password Length                7              8 or greater
Maximum Password Age in Days                                    to 60
Minimum Password Age in Days                     1              0
Password History Size                                           or greater
Password Complexity                              Enabled        Enabled
Reversible Password Encryption                   Disabled       Disabled
Lockout Threshold                                3              3
Lockout Duration                                 0              0
Reset Lockout Counter in Minutes
Force Logoff When Logon Time Expires             Disabled       Enabled
Rename Administrator Account                     Not Defined    New Name
Rename Guest Account                             Not Defined    New Name
Allow Lockout of Local Administrator Account     Disabled       Enabled
Disable Password Changes for Machine Accounts    Disabled       Disabled

Number of Password Setting Objects (PSOs) defined on the system: 1

Leading Practice is the standard adopted by the top 10 to 20 percent of organisations.

Functions of Accounts Policy Values and Potential Exposures

Domain Accounts Policy values set the defaults for all accounts in a domain. Note that certain account policies can be overridden by policies defined in Password Setting Objects (from Windows 2008) and by settings defined at account level. Appropriate policy values do not necessarily mean that security at account level is similarly appropriate. You should consult other sections of this report to confirm that security settings for individual accounts do not override your intended policy settings.

Minimum Password Length
Defines the minimum number of characters a password must contain. If it is zero then blank passwords are allowed. Allowing blank passwords is a very high security risk, as it could allow any person in possession of a valid User ID (Account Name) to gain access to your system if the account has a null password. This policy can be overridden by the Password Complexity policy. See Effective Minimum Password Length for details. The Leading Practice value is 8 or greater.

Effective Minimum Password Length
The effective minimum number of characters a password must contain when a user password is changed. The value is calculated from the settings of the Minimum Password Length and Password Complexity parameters. If the Password Complexity policy is enabled, the system will only accept user passwords of at least 3 characters that comply with the Password Complexity requirements.

For example:
- If the Minimum Password Length is 0 and the Password Complexity policy is enabled, then the Effective Minimum Password Length will be 3.
- If the Minimum Password Length is 0 and the Password Complexity policy is disabled, then the Effective Minimum Password Length will be 0.
- If the Minimum Password Length policy is set to a value of 3 or greater, then the Effective Minimum Password Length will be the same as the Minimum Password Length policy regardless of the setting of the Password Complexity policy.

Maximum Password Age in Days
The period of time a password can be used before the system forces the user to change it. The value can be between 1 and 999 days. A value of 0 means that passwords never expire. Passwords that never expire are a security risk as they can be compromised over time. Note that it is possible to override this value in individual user accounts via the Password Never Expires option. Consult the Passwords that Never Expire report section. The Leading Practice value is 30 days.

Minimum Password Age in Days
The minimum number of days that must elapse between password changes. The value can be between 0 and 999 days. A value of 0 allows a user to change her password immediately if she suspects it is known by someone else. However, this setting can increase the risk of passwords remaining the same despite system-enforced changes, because a user could change her password several times in quick succession until it is set back to the original value. Setting the Password History Size to a sufficiently large value reduces this risk. The Leading Practice value is 0 (no restrictions).

Password History Size
Determines whether old passwords can be reused. It is the number of new passwords that must be used by a user account before an old password can be reused. For this to be fully effective, immediate changes should not be allowed under Minimum Password Age. The Leading Practice value is 22 or greater.

Password Complexity
In order to meet the password complexity requirement, passwords must contain characters from (for example) at least three (3) of the following four (4) classes:
- English Upper Case Letters (A, B, C, ... Z)
- English Lower Case Letters (a, b, c, ... z)
- Westernised Arabic Numerals (0, 1, 2, ... 9)
- Non-alphanumeric ("special") characters (e.g. punctuation symbols)
This policy has an effect on the Effective Minimum Password Length.

Reversible Password Encryption
Determines whether Windows 200x will store passwords using reversible encryption. This policy setting provides support for applications which use protocols that require knowledge of the user password for authentication purposes. Storing passwords using reversible encryption is essentially the same as storing cleartext versions of the passwords. For this reason, this policy should not be enabled unless application requirements outweigh the need to protect password information. By default, this setting is disabled in the Default Domain Group Policy for domains and in the local security policy of workstations and servers.

Lockout Threshold, Lockout Duration and Reset Lockout Counter in Minutes
Lockout Threshold indicates the number of failed logon attempts for user accounts before accounts are locked out. The value can be 1 to 999 failed attempts. A value of 0 will allow an unlimited number of failed logon attempts.

Lockout Duration indicates the amount of time an account will remain locked out when the Lockout Threshold is exceeded. The value can be 1 to minutes; a value of 0 (forever) indicates that the account cannot log on until an administrator unlocks it. N/A is shown when Lockout Threshold is set to 0.

Reset Lockout Counter in Minutes specifies the period within which invalid logon attempts are monitored, i.e. if the number of failed logon attempts defined in Lockout Threshold is reached within the number of minutes defined for Reset Lockout Counter in Minutes, the account is locked out for the period specified under Lockout Duration. The value for Reset Lockout Counter in Minutes can be 1 to minutes.

Allowing an excessive or unlimited number of invalid logon attempts can compromise security and allow intruders to log on to your system. Setting the Lockout Duration to 0 (forever) helps ensure that administrators are alerted to potential intruder attacks, as only they can unlock accounts. Setting Lockout Duration to a small value (e.g. 5 minutes) undermines the effectiveness of the Lockout Threshold, and administrators might not be alerted to potential intruder attacks. If the value for Reset Lockout Counter in Minutes is too small (e.g. 1 minute) it increases the risk of intruders gaining access to your system via repeated password guessing attempts. If the value is too high it may inconvenience genuine users by locking out their accounts when they enter incorrect passwords accidentally.

The Leading Practice values are:
- Lockout Threshold = 3
- Lockout Duration = 0 (Forever)
- Reset Lockout Counter in Minutes = 1440 minutes

Force Logoff When Logon Time Expires
When enabled, users are forcibly disconnected from servers on the domain immediately after their valid logon hours are exceeded. Valid logon hours are defined at user account level. This option enhances security by ensuring that users are disconnected if they exceed their valid logon hours or do not log off when leaving work. However, it could be disruptive to users who have to work after hours and could compromise data integrity etc. This option should be used at the discretion of Management.

Rename Administrator, Rename Guest
It is good practice to ensure the Administrator and Guest built-in accounts are renamed via policy. This minimises the risk of intruders using these well-known accounts when attempting to log on to the domain. Keep in mind that these accounts can also be renamed manually (for example, via the Active Directory Users and Computers interface). However, when compared to the irrevocable policy change method, the disadvantage of the manual approach is that administrative users can simply rename these accounts at a later stage (possibly back to Administrator and Guest).

Allow Lockout of Local Administrator Account
Allows the built-in Administrator account to be locked out from network logons. This policy setting can be modified using the passprop command-line utility, which is included in the Windows 2000 Resource Kit.

Disable Password Changes for Machine Accounts
Removes the requirement that the machine account password be automatically changed every week. This value is ignored in Windows XP and later.
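As an added example (not SekChek's own code), the following Python checks a domain account policy against the Leading Practice values in the table above and applies the Effective Minimum Password Length rule; the sample policy mirrors the table, with the three values the table lost (maximum age, history size, reset counter) replaced by labelled placeholders, and the accepted maximum-age range of 30 to 60 days is an assumption drawn from the table's "to 60" cell and the text's 30 days.

```python
"""Compare a Windows domain account policy with the Leading Practice values
listed in section 3 of this report (added example, not SekChek's code)."""
from dataclasses import dataclass


@dataclass
class DomainAccountPolicy:
    minimum_password_length: int
    maximum_password_age_days: int       # 0 means passwords never expire
    minimum_password_age_days: int
    password_history_size: int
    password_complexity: bool
    reversible_encryption: bool
    lockout_threshold: int               # 0 means unlimited failed attempts
    lockout_duration_minutes: int        # 0 means locked until an admin unlocks
    reset_lockout_counter_minutes: int
    force_logoff_when_hours_expire: bool
    administrator_renamed: bool
    guest_renamed: bool
    allow_local_admin_lockout: bool
    disable_machine_password_changes: bool


def effective_minimum_password_length(minimum_length: int, complexity: bool) -> int:
    """Rule stated in the report: with complexity enabled the system refuses
    passwords shorter than 3 characters, so the effective minimum is the larger
    of the policy value and 3; with complexity disabled it is the policy value."""
    return max(minimum_length, 3) if complexity else minimum_length


def evaluate(policy: DomainAccountPolicy) -> dict:
    """Return {policy name: (actual value, Leading Practice)} for each deviation."""
    findings = {}

    def check(name, actual, expected_text, ok):
        if not ok:
            findings[name] = (actual, expected_text)

    eff = effective_minimum_password_length(policy.minimum_password_length,
                                            policy.password_complexity)
    check("Minimum Password Length", policy.minimum_password_length,
          "8 or greater", policy.minimum_password_length >= 8)
    check("Effective Minimum Password Length", eff, "8 or greater", eff >= 8)
    # Assumption: 30 to 60 days accepted (table cell "to 60", text says 30);
    # 0 (never expire) fails like any other value outside the range.
    age = policy.maximum_password_age_days
    check("Maximum Password Age in Days", age, "30 to 60", 30 <= age <= 60)
    check("Password History Size", policy.password_history_size,
          "22 or greater", policy.password_history_size >= 22)
    check("Password Complexity", policy.password_complexity, "Enabled",
          policy.password_complexity)
    check("Reversible Password Encryption", policy.reversible_encryption,
          "Disabled", not policy.reversible_encryption)
    # A threshold of 0 means unlimited attempts, so it fails although 0 < 3.
    thr = policy.lockout_threshold
    check("Lockout Threshold", thr, "3", 1 <= thr <= 3)
    check("Lockout Duration", policy.lockout_duration_minutes, "0 (Forever)",
          policy.lockout_duration_minutes == 0)
    check("Reset Lockout Counter in Minutes",
          policy.reset_lockout_counter_minutes, "1440",
          policy.reset_lockout_counter_minutes == 1440)
    check("Force Logoff When Logon Time Expires",
          policy.force_logoff_when_hours_expire, "Enabled",
          policy.force_logoff_when_hours_expire)
    check("Rename Administrator Account", policy.administrator_renamed,
          "New Name", policy.administrator_renamed)
    check("Rename Guest Account", policy.guest_renamed, "New Name",
          policy.guest_renamed)
    check("Allow Lockout of Local Administrator Account",
          policy.allow_local_admin_lockout, "Enabled",
          policy.allow_local_admin_lockout)
    check("Disable Password Changes for Machine Accounts",
          policy.disable_machine_password_changes, "Disabled",
          not policy.disable_machine_password_changes)
    # Interaction the report warns about: with no minimum age a user can cycle
    # through the history and land back on the original password.
    if policy.minimum_password_age_days == 0 and policy.password_history_size < 22:
        findings["Password cycling exposure"] = (
            f"Minimum Password Age 0 with Password History Size "
            f"{policy.password_history_size}",
            "Password History Size of 22 or greater")
    return findings


# Constructed sample mirroring the report's table. The three values the table
# lost (maximum age 42, history size 10, reset counter 30) are placeholders,
# not data from the analysed system.
SAMPLE_POLICY = DomainAccountPolicy(
    minimum_password_length=7, maximum_password_age_days=42,
    minimum_password_age_days=1, password_history_size=10,
    password_complexity=True, reversible_encryption=False,
    lockout_threshold=3, lockout_duration_minutes=0,
    reset_lockout_counter_minutes=30, force_logoff_when_hours_expire=False,
    administrator_renamed=False, guest_renamed=False,
    allow_local_admin_lockout=False, disable_machine_password_changes=False)

if __name__ == "__main__":
    for name, (actual, expected) in evaluate(SAMPLE_POLICY).items():
        print(f"{name}: {actual} (Leading Practice: {expected})")
```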
4. Domain Controller Policy Settings (Local Policy)

The following 3 subsections relate to the Local Policy on the domain controller being analysed. In Active Directory, each domain controller can have different local policy settings. Domain controllers generally inherit the same local policy settings because they typically belong to the same OU (e.g. Domain Controllers) to which the same policies apply. However, if domain controllers belong to different OUs, then different policy settings can be applied to them. This has important security implications, as an account can, for example, be granted powerful rights on one or more domain controllers while being denied the same rights on other domain controllers. The policy for domain controllers can then be inconsistent and increase security risks. This report provides policy settings for the domain controller where the SekChek Scan process was run.

4.1 Audit Policy Settings

Category / Subcategory                          Audited Events
Account Logon
  Credential Validation                         Success & Failure
  Kerberos Authentication Service               Failure
  Kerberos Service Ticket Operations            Failure
  Other Account Logon Events                    Failure
Account Management
  Application Group Management                  Success
  Computer Account Management                   Success
  Distribution Group Management                 Success
  Other Account Management Events               Success
  Security Group Management                     Success
  User Account Management                       Success
Detailed Tracking
  DPAPI Activity                                Success
  Process Creation                              Success & Failure
  Process Termination                           Success
  RPC Events                                    Success
DS Access
  Detailed Directory Service Replication        No Auditing
  Directory Service Access                      No Auditing
  Directory Service Changes                     Success
  Directory Service Replication                 No Auditing
Logon / Logoff
  Account Lockout                               Success
  Audit User / Device Claims **                 Failure
  IPsec Extended Mode                           Failure
  IPsec Main Mode                               Success
  IPsec Quick Mode                              Failure
  Logoff                                        Success
  Logon                                         Success & Failure
  Network Policy Server                         Failure
  Other Logon/Logoff Events                     Failure
  Special Logon                                 Failure
Object Access
  Application Generated                         Success & Failure
  Central Access Policy Staging **              Failure
  Certification Services                        No Auditing
  Detailed File Share                           Failure
  File Share                                    Success & Failure
  File System                                   No Auditing
  Filtering Platform Connection                 Success & Failure
  Filtering Platform Packet Drop                Success & Failure
  Handle Manipulation                           Success & Failure
  Kernel Object                                 No Auditing
  Other Object Access Events                    Failure
  Registry                                      Failure
  Removable Storage **                          Failure
  SAM                                           No Auditing
Policy Change
  Audit Policy Change                           Success & Failure
  Authentication Policy Change                  Success & Failure
  Authorization Policy Change                   Success
  Filtering Platform Policy Change              Success
  MPSSVC Rule-Level Policy Change               Success
  Other Policy Change Events                    Success
Privilege Use
  Non Sensitive Privilege Use                   Failure
  Other Privilege Use Events                    Failure
  Sensitive Privilege Use                       Failure
System
  IPsec Driver                                  Success
  Other System Events                           Success
  Security State Change                         Success & Failure
  Security System Extension                     Success
  System Integrity                              Success & Failure
Explanation of Audit Policy Settings

Account Logon: Audits logon attempts by privileged accounts that log on to the domain controller. These audit events are generated when the Kerberos Key Distribution Center (KDC) logs on to the domain controller.
  Credential Validation: Audits events generated by validation tests on user account logon credentials.
  Kerberos Authentication Service: Audits events generated by Kerberos authentication ticket-granting ticket (TGT) requests.
  Kerberos Service Ticket Operations: Audits events generated by Kerberos service ticket requests.
  Other Account Logon Events: Audits events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets.

Account Management: Audits attempts to create, delete, or change user or group accounts. Also audits password changes.
  Application Group Management: Audits events generated by changes to application groups.
  Computer Account Management: Audits events generated by changes to computer accounts, such as when a computer account is created, changed, or deleted.
  Distribution Group Management: Audits events generated by changes to distribution groups.
  Other Account Management Events: Audits events generated by other user account changes that are not covered in this category.
  Security Group Management: Audits events generated by changes to security groups.
  User Account Management: Audits changes to user accounts.

Detailed Tracking: Audits specific events, such as program activation, some forms of handle duplication, indirect access to an object, and process exit.
  DPAPI Activity: Audits events generated when encryption or decryption requests are made to the Data Protection application interface (DPAPI). DPAPI is used to protect secret information such as stored password and key information.
  Process Creation: Audits events generated when a process is created or starts. The name of the application or user that created the process is also audited.
  Process Termination: Audits events generated when a process ends.
  RPC Events: Audits inbound remote procedure call (RPC) connections.

DS Access: Audits attempts to access the directory service.
  Detailed Directory Service Replication: Audits events generated by detailed AD DS replication between domain controllers.
  Directory Service Access: Audits events generated when an AD DS object is accessed. Only AD DS objects with a matching SACL are logged.
  Directory Service Changes: Audits events generated by changes to AD DS objects. Events are logged when an object is created, deleted, modified, moved, or undeleted.
  Directory Service Replication: Audits replication between two AD DS domain controllers.

Logon / Logoff: Audits attempts to log on to or log off of the system. Also audits attempts to make a network connection.
  Account Lockout: Audits events generated by a failed attempt to log on to an account that is locked out.
  Audit User / Device Claims (** From Server ): Audits user and device claims information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. User claims are added to a logon token when claims are included with a user's account attributes in Active Directory.
  IPsec Extended Mode: Audits events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations.
  IPsec Main Mode: Audits events generated by IKE and AuthIP during Main Mode negotiations.
  IPsec Quick Mode: Audits events generated by IKE and AuthIP during Quick Mode negotiations.
  Logoff: Audits events generated by closing a logon session. These events occur on the computer that was accessed. For an interactive logon, the security audit event is generated on the computer that the user account logged on to.
  Logon: Audits events generated by user account logon attempts on a computer.
  Network Policy Server: Audits events generated by RADIUS (IAS) and Network Access Protection (NAP) user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock.
  Other Logon/Logoff Events: Audits other events related to logon and logoff that are not included in the Logon/Logoff category.
  Special Logon: Audits events generated by special logons.

Object Access: Audits attempts to access securable objects.
  Application Generated: Audits applications that generate events by using the Windows Auditing application programming interfaces (APIs). Applications designed to use the Windows Auditing API use this subcategory to log auditing events related to their function.
  Central Access Policy Staging (** From Server ): Audits access requests where the permission granted or denied by a proposed policy differs from that granted or denied by the current central access policy on an object.
  Certification Services: Audits Active Directory Certificate Services (AD CS) operations.
  Detailed File Share: Audits every attempt to access objects in a shared folder.
  File Share: Audits attempts to access a shared folder.
  File System: Audits user attempts to access file system objects. A security audit event is generated only for objects that have SACLs, and only if the type of access requested (such as Write, Read, or Modify) and the account making the request match the settings in the SACL.
  Filtering Platform Connection: Audits connections that are allowed or blocked by the Windows Filtering Platform (WFP).
  Filtering Platform Packet Drop: Audits packets that are dropped by the Windows Filtering Platform (WFP).
  Handle Manipulation: Audits events generated when a handle to an object is opened or closed. Only objects with a matching SACL generate security audit events. Open and close handle events are audited only when the Handle Manipulation subcategory is enabled along with the corresponding resource manager identified by another Object Access audit subcategory, such as File System or Registry. Enabling Handle Manipulation causes implementation-specific security event data to be logged identifying the permissions that were used to grant or deny the access requested by the user; this is also known as "Reason for access".
  Kernel Object: Audits attempts to access the system kernel, which include mutexes and semaphores. Only kernel objects with a matching SACL generate security audit events. Note: the "Audit: Audit the access of global system objects" policy setting controls the default SACL of kernel objects.
  Other Object Access Events: Audits events generated by the management of Task Scheduler jobs or COM+ objects.
  Registry: Audits attempts to access registry objects. A security audit event is generated only for objects that have SACLs, and only if the type of access requested (such as Read, Write, or Modify) and the account making the request match the settings in the SACL.
  Removable Storage (** From Server ): Audits user attempts to access file system objects on any Removable Storage device. A security audit event is generated for every read or write access to a file object on any Removable Storage device attached to the user's machine.
  SAM: Audits events generated by attempts to access Security Accounts Manager (SAM) objects.

Policy Change: Audits attempts to change Policy object rules.
  Audit Policy Change: Audits changes in security audit policy settings.
  Authentication Policy Change: Audits events generated by changes to the authentication policy.
  Authorization Policy Change: Audits events generated by changes to the authorization policy.
  Filtering Platform Policy Change: Audits events generated by changes to the Windows Filtering Platform (WFP).
  MPSSVC Rule-Level Policy Change: Audits events generated by changes in policy rules used by Windows Firewall.
  Other Policy Change Events: Audits events generated by other security policy changes that are not audited in the Policy Change category.

Privilege Use: Audits attempts to use privileges.
  Non Sensitive Privilege Use: Audits events generated by the use of non-sensitive privileges (user rights), such as logging on locally or with a Remote Desktop connection, changing the system time, or removing a computer from a docking station.
  Other Privilege Use Events: Audits other privilege use events.
  Sensitive Privilege Use: Audits events generated by the use of sensitive privileges (user rights), such as acting as part of the operating system, backing up files and directories, impersonating a client computer, or generating security audits.

System: Audits attempts to shut down or restart the computer. Also audits events that affect system security or the security log.
  IPsec Driver: Audits events that are generated by the IPsec filter driver.
  Other System Events: Audits any of the following events: startup and shutdown of the Windows Firewall; security policy processing by the Windows Firewall; cryptography key file and migration operations.
  Security State Change: Audits events generated by changes in the security state of the computer.
  Security System Extension: Audits events related to security system extensions or services.
  System Integrity: Audits events that violate the integrity of the security subsystem.
4.2 Event log Settings

Policy                                          Policy Value
Maximum Application Log Size
Maximum Security Log Size
Maximum System Log Size
Restrict Guest Access to Application Log        Enabled
Restrict Guest Access to Security Log           Enabled
Restrict Guest Access to System Log             Enabled
Retain Application Log                          N/A
Retain Security Log                             N/A
Retain System Log                               N/A
Retention Method for Application Log            As Needed
Retention Method for Security Log               As Needed
Retention Method for System Log                 As Needed
Shutdown Computer when Security Log is Full     Disabled

Event Logs Features

Event logs contain all events logged by the system auditing controls (audit policy). In this way a wide variety of events can be monitored to track different activities. Information can also be gathered about hardware, software, and system problems. Careful monitoring of event logs can help in predicting and identifying the sources of system problems. For example, if log warnings show that a disk driver can only read or write to a sector after several retries, the sector is likely to go bad eventually. Event logs can also confirm problems with software. If a program crashes, a program event log can provide a record of activity leading up to the event.

Windows records events in the following Event logs:
- Application log: contains events logged for programs/applications.
- Security log: contains valid and invalid logon attempts as well as events related to resource use, such as creating, opening, or deleting files or other objects. For example, if you have enabled logon and logoff auditing, attempts to log on to the system are recorded in the security log.
- System log: contains events logged by Windows system components. For example, the failure of a driver or other system component to load during start-up is recorded in the system log. The event types logged by system components are predetermined by Windows.

Log Size and Retention Method for Logs

The Log Size is in Kilobytes. When the Log Size Limit is reached, the Retention Method for Logs defines the action that will be taken:
- If Overwrite events as needed (As needed) is selected, the log will not be archived. This option is a good choice for low-maintenance systems.
- The Overwrite events older than and Retain Log (in days) options specify the number of days after which the log is archived at scheduled intervals. This strategy minimises the chance of losing important log entries and at the same time keeps log sizes reasonable.
- If the Do not overwrite events (Manually) option is specified, all events remain in the log. This option requires that the log be cleared manually. When the maximum log size is reached, new events will be discarded.
If the Overwrite events as needed (As needed) or Do not overwrite events (Manually) options are selected, the Retain Log (in days) option is not available (N/A).

Restrict Guest Access to Application, Security, System Logs

It is good practice to enable this feature, as it minimises the risk of unauthorised persons getting read access to the logs.

The Shut down when Security Log is Full option ensures that no auditable activities, including security violations, occur while the system is unable to log them. This option should be used at the discretion of Management, as the system will automatically shut down when the security log is full.
38 4.3 Security Option Settings Policy Description Policy Value Allow server operators to schedule tasks Allow system to be shut down without having to log on Amount of idle time required before disconnecting session (minutes) Audit the access of global system objects Audit use of backup and restore privilege Clear virtual memory page file when system shuts down Digitally sign client communication (always) Digitally sign client communication (when possible) Digitally sign server communication (always) Determines if Server Operators are allowed to submit jobs by means of the AT schedule facility. By default, you must be an administrator in order to submit jobs by means of the AT scheduler. Enabling this security policy setting allows members of the Server Operators group to submit AT schedule jobs on Domain Controllers without having to make them. This policy is not defined by default. Determines whether a computer can be shut down without having to log on to Windows. When this policy is enabled, the Shut Down command is available on the Windows logon screen. When this policy is disabled, the option to shut down the computer does not appear on the Windows logon screen. In this case, users must be able to log on to the computer successfully and have the Shut down the system user right in order to perform a system shutdown. By default, this option is enabled on workstations and disabled on servers in Local Computer Policy. Determines the amount of continuous idle time that must pass in a Server Message Block (SMB) session before the session is disconnected due to inactivity. can use this policy to control when a computer disconnects an inactive SMB session. If client activity resumes, the session is automatically reestablished. This policy is defined for servers by default in Local Computer Policy with a default value of 15 minutes. This policy is not defined on workstations. 
For this policy setting, a value of 0 means to disconnect an idle session as quickly as reasonably possible. Determines whether access of global system objects will be audited.these objects are not generally visible to or known by a typical user. Enabling this option can introduce so many audit entries into the security log that locating real security problems becomes considerably more difficult. In some situations, this option can be useful. For example, where custom applications are being developed, the users are not just the people that interactively log on, but also the programmers who are developing applications. These programmers might be able to directly access these objects. When files are being backed up or restored, the system checks to ensure that the user performing the backup has the Backup or Restore right each time a file is copied to or being restored from backup media. By default, the system does not record these events, because this could flood the security log. This option should be enabled only in special cases of auditing of high-level security installations. A paging file is a system file, so it cannot be encrypted. The file system security for paging files prevents any user from gaining access to and reading these files, and these security settings cannot be changed. However, someone other than the authorized user might start the computer under a different operating system to read a Windows 2000 paging file. To prevent others from reading the contents of paging files that might contain plaintext of encrypted files, enabling this option will clear the paging files every time the computer shuts down. Enabling this option ensures that the Client communicates with only those Servers that are enabled for SMB (Server Message Block) message signing. This option enables the Server Message Block (SMB) authentication protocol on the client. SMB places a digital security signature into each message block. 
If SMB signing is enabled on a server, then clients that are also enabled for SMB signing will use the new protocol during all subsequent sessions and clients that are not enabled for SMB signing will use the older SMB protocol. Enabling this option ensures that the Server communicates with only those clients that are enabled for SMB (Server Message Block) message signing. Disabled Disabled 15 Disabled Disabled Disabled Disabled Enabled Enabled Produced by SekChek for Windows V , 10-Nov-2013 (Ref ) Page 38 of 154
39 Policy Description Policy Value Digitally sign server communication (when possible) Disable CTRL+ALT+DEL requirement for logon Do not display last user name in logon screen Message text for users attempting to logon Message title for users attempting to logon Prevent system maintenance of computer account password Prevent users from installing printer drivers Prompt user to change password before expiration (days) Recovery Console: Allow automatic administrative logon Recovery Console: Allow floppy copy and access to all drives and all folders Restrict CD-ROM access to locally logged-on users only This option enables the Server Message Block (SMB) authentication protocol on the server. SMB places a digital security signature into each message block. If SMB signing is enabled on the client, then the server that is also enabled for SMB signing will use the new protocol during all subsequent sessions and the server that is not enabled for SMB signing will use the older SMB protocol. By default, users are required to press CTRL+ALT+DEL before logging on. This is because programs can be designed to appear as a logon screen and collect account passwords. By pressing CTRL+ALT+DEL these programs can be foiled. Disabling CTRL+ALT+DEL is a potential security risk. By default, Windows 2000 places the username of the last user to log on the computer in the Username text box of the Logon dialog box. This makes it more convenient for the most frequent user to log on. To help keep usernames secret, you can enable this option. This is especially useful if a computer that is generally accessible is being used, for example, for the (renamed) built-in Administrator account. Windows 2000 can display a message box with the caption and text of your choice before a user logs on. 
Many organizations use this message box to display a warning message that notifies potential users that they can be held legally liable if they attempt to use the computer without having been properly authorized to do so. The absence of such a notice could be construed as an invitation, without restriction, to enter and browse the system. This is the title for the message box above. Determines whether the computer account password should be prevented from being reset every week. As a part of Windows 2000 security, computer account passwords are changed automatically every seven days. If this policy is enabled, the machine is prevented from requesting a weekly password change. If this policy is disabled, a new password for the computer account will be generated every week. This policy is defined by default in Local Computer Policy where it is disabled by default. Determines whether members of the Users group are prevented from installing print drivers. If this policy is enabled, it prevents users from installing printer drivers on the local machine. This prevents users from "Adding Printers" when the device driver does not exist on the local machine. If this policy is disabled, then a member of the Users group can install printer drivers on the computer. By default, this setting is enabled on servers and disabled on workstations. Determines how far in advance Windows 2000 should warn users that their password is about to expire. By giving the user advanced warning, the user has time to construct a sufficiently strong password. By default, this value is set to 14 days. By default, the Recovery Console requires you to provide the password for the Administrator account before accessing the system. If this option is set, the Recovery Console does not require you to provide a password and will automatically log on to the system. Activating this policy eliminates a security barrier used to protect your computer against intruders. 
You should only enable this policy on systems that have controlled access to the console, such as those in rooms that can be locked. This policy allows a floppy/stiffy drive copy and access to all drives and all folders during a Recovery Console session (a text-mode command interpreter that allows the system administrator to gain access to the hard disk of a computer running Windows 2000, regardless of the file format used, for basic troubleshooting and system maintenance). By default, Windows 2000 allows any program to access files on CDs. In a highly secure, multi-user environment, it can be useful to allow only the person locally logged on to access those devices. Enabled Disabled Disabled Disabled Enabled 0 Disabled Disabled Disabled Produced by SekChek for Windows V , 10-Nov-2013 (Ref ) Page 39 of 154
Policy: Restrict floppy access to locally logged-on users only
Policy Value: Disabled
Description: By default, Windows 2000 allows any program to access files on floppy/stiffy disks. In a highly secure, multi-user environment, it can be useful to allow only the person locally logged on to access those devices.

Policy: Secure channel: Digitally encrypt or sign secure channel data (always)
Policy Value: Enabled
Description: Determines whether the computer will always digitally encrypt or sign secure channel data. When a Windows 2000 system joins a domain, a computer account is created. Thereafter, when the system boots, it uses the password for that account to create a secure channel with the domain controller for its domain. Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but the channel is not integrity checked and not all information is encrypted. If this policy is enabled, all outgoing secure channel traffic must be either signed or encrypted. If this policy is disabled, signing and encryption are negotiated with the domain controller. By default, this policy is disabled. This option should only be enabled if all of the domain controllers in all the trusted domains support signing and sealing.

Policy: Secure channel: Digitally encrypt secure channel data (when possible)
Policy Value: Enabled
Description: Determines whether the computer will always digitally encrypt or sign secure channel data. When a Windows 2000 system joins a domain, a computer account is created. Thereafter, when the system boots, it uses the password for that account to create a secure channel with the domain controller for its domain. Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but the channel is not integrity checked and not all information is encrypted. If this policy is enabled, all outgoing secure channel traffic should be encrypted. If this policy is disabled, outgoing secure channel traffic will not be encrypted. By default, this option is enabled.

Policy: Secure channel: Digitally sign secure channel data (when possible)
Policy Value: Enabled
Description: Determines whether the computer will always digitally encrypt or sign secure channel data. When a Windows 2000 system joins a domain, a computer account is created. Thereafter, when the system boots, it uses the password for that account to create a secure channel with the domain controller for its domain. Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but the channel is not integrity checked and not all information is encrypted. If this policy is enabled, all outgoing secure channel traffic should be signed. If this policy is disabled, no outgoing secure channel traffic will be signed. By default, this option is enabled.

Policy: Secure channel: Require strong (Windows 2000 or later) session key
Policy Value: Enabled
Description: If this policy is enabled, all outgoing secure channel traffic will require a strong (Windows 2000 or later) encryption key. If this policy is disabled, the key strength is negotiated with the Domain Controller (DC). This option should only be enabled if all of the DCs in all trusted domains support strong keys. By default, this value is disabled.

Policy: Send unencrypted password to connect to third-party SMB servers
Policy Value: Disabled
Description: If this policy is enabled, the Server Message Block (SMB) redirector is allowed to send clear-text passwords to non-Microsoft SMB servers which do not support password encryption during authentication. By default, this option is disabled. This setting can weaken the overall security of an environment and should only be used after careful consideration of the consequences of plain text passwords in your specific environment.

Policy: Shut down system immediately if unable to log security audits
Policy Value: Disabled
Description: Determines whether the system should shut down if it is unable to log security events. If this policy is enabled, it causes the system to halt if a security audit cannot be logged for any reason. Typically, an event will fail to be logged when the security audit log is full and the retention method specified for the security log is either Do Not Overwrite Events or Overwrite Events by Days. If the security log is full and an existing entry cannot be overwritten and this security option is enabled, the following blue screen error will occur: STOP: C {Audit Failed} An attempt to generate a security audit failed. To recover, an administrator must log on, archive the log (if desired), clear the log, and reset this option as desired. By default, this policy is disabled.
Policy: Strengthen default permissions of global system objects
Policy Value: Enabled
Description: Determines the strength of the default discretionary access control list (DACL) for objects. Windows 2000 maintains a global list of shared system resources such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects with what permissions. If this policy is enabled, the default DACL is stronger, allowing non-admin users to read shared objects, but not modify shared objects that they did not create. By default, this option is enabled.

Policy: Unsigned driver installation behavior
Policy Value: Silently succeed
Description: Determines what should happen when an attempt is made to install a device driver (by means of the Windows 2000 device installer) that has not been certified by the Windows Hardware Quality Lab (WHQL). The options are: Silently succeed, Warn but allow installation, Do not allow installation. The default setting is to Warn but allow installation.

Policy: Unsigned non-driver installation behavior
Policy Value: Warn, but allow installation
Description: Determines what should happen when an attempt is made to install a device driver (by means of the Windows 2000 device installer) that has not been certified by the Windows Hardware Quality Lab (WHQL). The options are: Silently succeed, Warn but allow installation, Do not allow installation. The default setting is to Warn but allow installation.

Implications
The correct Security Option settings will enhance security, auditing and management. Enabling some of these policies can strengthen security but undermine performance, operational ease of use, or connectivity with clients using third-party or earlier versions of authentication protocols. On the other hand, enabling others will decrease security but enhance performance, functionality, and connectivity.

Risk Rating
Low to high (dependent on the security setting being considered).

Recommended Action
Ensure that Security Option settings are set to appropriate values as required.
5. Group Policy Objects

The following five sub-sections list important properties of all the Group Policy Objects (GPOs) defined on your system. This includes their status, their links to Organizational Units (OUs), account permissions over the GPOs and the various policies defined by them.

- Description and Properties for Group Policy Objects
- Summary of GPOs defined on the system
- Summary of GPOs and their Links to OUs
- Summary of OUs and their Links to GPOs
- Detailed listing of GPOs defined on the system
- GPO Version Discrepancies

5.1 Description and Properties for Group Policy Objects

GPOs are applied in a hierarchical fashion, starting with GPOs linked to Containers at the top of the tree and ending with GPO-links at the bottom of the tree. The sequence in which GPOs are applied is:

1. The Local GPO on the machine used to log in to the system
2. GPOs linked to Sites
3. Domain-linked GPOs
4. GPOs linked to Organizational Units

In general, policies applied later override those defined earlier. However, this can be altered by the No Override and Block Inheritance options, by disabling a GPO-link or a Policy Configuration segment, or by removing Read or Apply Policy access from accounts.

Explanation of Common Terms

What follows is an explanation of the common terms used in this sub-section:

- GPO Display Name. The user-friendly name for the GPO.
- GPO Exists on Disk. Indicates whether the GPO physically exists in the SYSVOL directory. If it does not exist it has probably been deleted directly, rather than through the appropriate Group Policy maintenance functions.
- Computer Configuration Disabled. Indicates the status of the Computer Configuration part of the GPO. If disabled, the various policies (e.g. Rights definitions) defined in the Computer segment of the GPO are ignored when the system applies policy on the system.
- User Configuration Disabled. Indicates the status of the User Configuration part of the GPO. If disabled, the various policies defined in the User segment of the GPO are ignored when the system applies policy on the system. This does not affect the policies in the Computer segment of the GPO.
- Container. The name of the Container (OU) objects to which the GPO is linked.
- Type. The type of the Container object. This can be a Domain, OU (Organizational Unit) or Site.
- No Override. Indicates whether the policies defined in the GPO can be overridden by conflicting policies linked to other Containers at lower levels in the Active Directory tree. If Yes, policies defined in this GPO cannot be overridden by GPOs linked at lower levels.
- Link Disabled. Indicates the status of the GPO-link to the specified Container. If Yes, the GPO is not applied to that Container. This does not affect links that the GPO may have to other Container objects.
- Block Inheritance. Indicates whether policies from higher-level Containers are inherited by this Container. If Yes, policies flowing down from higher-level Container objects are not inherited.

If the No Override and Block Inheritance options conflict with each other (i.e. they are both set), the No Override option will always take precedence.
Policies Reported On

The following policy definitions are listed for each GPO on your system:

- GPO Permissions. Lists the permissions that user accounts and groups have over the GPO. The GPO will not be applied to the account (or members of the group) if it does not have Read or Extended Rights (Apply Group Policy) access to the GPO.
- Rights Policies. Lists the various Rights defined in the GPO. An empty space in the Account Name column indicates that the Right is defined, but is not assigned to anyone. Rights not listed under Rights Defined are not defined in the GPO. Rights policies can only be defined in the Computer Configuration part of the GPO.
- Event Audit. Lists the various Event Audit settings defined in the GPO. Several events, such as when users are logged on, when they access resources, or when they attempt to use special privileges, can be configured for the GPO audit. Audited events can only be defined in the Computer Configuration part of the GPO.
- Event Logging. This lists the control settings such as size and retention method for the Application, Security and System event logs. Event logging can only be defined in the Computer Configuration part of the GPO.
- System Access. Lists the security control settings for the password and lockout policy in Windows 200x* domains. System access can only be defined in the Computer Configuration part of the GPO.
- Kerberos Policy. Lists the Kerberos settings defined in the GPO. Kerberos policy can only be defined in the Computer Configuration part of the GPO.
- Registry Keys. Lists the various Registry keys used to configure security settings for the GPO, including access control, audit, and ownership. Registry keys can only be defined in the Computer Configuration part of the GPO.
5.2 Summary of GPOs defined on the system

There are a total of 6 GPOs defined on your system:

- 0% (0) exist on disk, but are not linked to any container
- 50% (3) do not exist on disk
- 0% (0) have the Computer Configuration Disabled
- 0% (0) have the User Configuration Disabled
- 50% (3) are not linked to a container

Policy GUID | Display Name | GPO Exists on Disk | Computer Config Disabled | User Config Disabled | Nbr Links
{31B2F D-11D2-945F-00C04FB984F9} | Default Domain Policy | No | No | No | 0
{4AFDCFC6-BAED-4E1D-A3F8-6D5DC846945A} | Regional Settings workstations | No | No | No | 0
{5471F07B-E3BF-47E6-A2DF-40E D} | New Group Policy Object | No | No | No | 0
{6AC1786C-016F-11D2-945F-00C04fB984F9} | Default Domain Controllers Policy | Yes | No | No | 1
{F754BFE4-52E2-45B D5C65E8700} | Snake GPO test | Yes | No | No | 1
{F9BA3B20-1DDA-41D1-B91A-77D94D6EAB7F} | Regional and Language | Yes | No | No | 1

For details of all GPO properties see worksheet GPOs_Summary in the MS-Excel workbook.
5.3 Summary of GPOs and their Links to OUs

Policy GUID | Object | Object Type | No O/Ride | Link Disabled | Block Inh at OU Level | GPO Exists on Disk | Computer Config Disabled | User Config Disabled
{6AC1786C-016F-11D2-945F-00C04fB984F9} | Domain Controllers | OU | No | No | No | Yes | No | No
{F754BFE4-52E2-45B D5C65E8700} | TEST GPO PC | OU | No | No | No | Yes | No | No
{F9BA3B20-1DDA-41D1-B91A-77D94D6EAB7F} | TEST GPO PC | OU | Yes | No | No | Yes | No | No
5.4 Summary of OUs and their Links to GPOs

Note: GPOs are listed in order of precedence.

Object | Object Type | Policy GUID | No O/Ride | Link Disabled | Block Inh at OU Level | GPO Exists on Disk | Computer Config Disabled | User Config Disabled
Domain Controllers | OU | {6AC1786C-016F-11D2-945F-00C04fB984F9} | No | No | No | Yes | No | No
TEST GPO PC | OU | {F9BA3B20-1DDA-41D1-B91A-77D94D6EAB7F} | Yes | No | No | Yes | No | No
TEST GPO PC | OU | {F754BFE4-52E2-45B D5C65E8700} | No | No | No | Yes | No | No
5.5 GPOs Defined and their Details

System/ Policies/ {31B2F D-11D2-945F-00C04FB984F9}

GPO Display Name: Default Domain Policy
GPO Exists on Disk: No
Computer Configuration Disabled: No
User Configuration Disabled: No

GPO Links: ** No data found **

GPO Permissions:
Account Name | Type | Permission | Allow/Deny
Authenticated Users | well-known | All Extended Rights | Allow
Authenticated Users | well-known | Read All Properties | Allow
CREATOR OWNER | well-known | Read All Properties | Allow
Domain Admins | group | Read All Properties | Allow
Domain Admins | group | Read All Properties | Allow
Domain Users | group | All Extended Rights | Allow
Domain Users | group | Read All Properties | Allow
Enterprise Admins | group | Read All Properties | Allow
ENTERPRISE DOMAIN CONTROLLERS | well-known | Read All Properties | Allow
SYSTEM | well-known | Read All Properties | Allow
User4 | user | All Extended Rights | Allow
User4 | user | Read All Properties | Allow

Rights Policies: ** No data found **
Event Audit: ** No data found **
Event Logging: ** No data found **
System Access: ** No data found **
Kerberos Policy: ** No data found **
Registry Keys: ** No data found **
System/ Policies/ {4AFDCFC6-BAED-4E1D-A3F8-6D5DC846945A}

GPO Display Name: Regional Settings workstations
GPO Exists on Disk: No
Computer Configuration Disabled: No
User Configuration Disabled: No

GPO Links: ** No data found **

GPO Permissions:
Account Name | Type | Permission | Allow/Deny
Authenticated Users | well-known | All Extended Rights | Allow
Authenticated Users | well-known | Read All Properties | Allow
CREATOR OWNER | well-known | Read All Properties | Allow
Domain Admins | group | Read All Properties | Allow
Domain Admins | group | Read All Properties | Allow
Domain Users | group | All Extended Rights | Allow
Domain Users | group | Read All Properties | Allow
Enterprise Admins | group | Read All Properties | Allow
ENTERPRISE DOMAIN CONTROLLERS | well-known | Read All Properties | Allow
SYSTEM | well-known | Read All Properties | Allow
User4 | user | All Extended Rights | Allow
User4 | user | Read All Properties | Allow
Users | group | All Extended Rights | Allow
Users | group | Read All Properties | Allow

Rights Policies: ** No data found **
Event Audit: ** No data found **
Event Logging: ** No data found **
System Access: ** No data found **
Kerberos Policy: ** No data found **
Registry Keys: ** No data found **
System/ Policies/ {5471F07B-E3BF-47E6-A2DF-40E D}

GPO Display Name: New Group Policy Object
GPO Exists on Disk: No
Computer Configuration Disabled: No
User Configuration Disabled: No

GPO Links: ** No data found **

GPO Permissions:
Account Name | Type | Permission | Allow/Deny
Authenticated Users | well-known | All Extended Rights | Allow
Authenticated Users | well-known | Read All Properties | Allow
CREATOR OWNER | well-known | Read All Properties | Allow
Domain Admins | group | Read All Properties | Allow
Domain Admins | group | Read All Properties | Allow
Enterprise Admins | group | Read All Properties | Allow
ENTERPRISE DOMAIN CONTROLLERS | well-known | Read All Properties | Allow
SYSTEM | well-known | Read All Properties | Allow

Rights Policies: ** No data found **
Event Audit: ** No data found **
Event Logging: ** No data found **
System Access: ** No data found **
Kerberos Policy: ** No data found **
Registry Keys: ** No data found **
System/ Policies/ {6AC1786C-016F-11D2-945F-00C04fB984F9}

GPO Display Name: Default Domain Controllers Policy
GPO Exists on Disk: Yes
Computer Configuration Disabled: No
User Configuration Disabled: No

GPO Links:
Object | Type | No O/Ride | Link Disabled | Block Inheritance at OU Level
Domain Controllers | OU | No | No | No

GPO Permissions:
Account Name | Type | Permission | Allow/Deny
Authenticated Users | well-known | All Extended Rights | Allow
Authenticated Users | well-known | Read All Properties | Allow
CREATOR OWNER | well-known | Read All Properties | Allow
Domain Admins | group | Read All Properties | Allow
Domain Admins | group | Read All Properties | Allow
Enterprise Admins | group | Read All Properties | Allow
ENTERPRISE DOMAIN CONTROLLERS | well-known | Read All Properties | Allow
SYSTEM | well-known | Read All Properties | Allow

Rights Policies (Right: assigned accounts; "(unnamed group)" marks a group entry whose name is blank in the report, and "*S" entries are unresolved SIDs as printed):
Access this computer from the network: (unnamed group), Authenticated Users, Enterprise Domain Controllers, Everyone, Pre-Windows 2000 Compatible Access
Act as part of the operating system: defined, not assigned
Add workstations to domain: Authenticated Users
Adjust memory quotas for a process: *S, *S, Local Service, Network Service
Allow log on locally: Account Operators, Backup Operators, Print Operators, Server Operators
Backup files and directories: (unnamed group), Backup Operators, Server Operators
Bypass traverse checking: *S, *S, Authenticated Users, Everyone, Pre-Windows 2000 Compatible Access
Change the system time: (unnamed group), Local Service, Server Operators
Create a page file: (unnamed group)
Create a token object: defined, not assigned
Create permanent shared objects: defined, not assigned
Debug programs: (unnamed group)
Deny access to this computer from the network: SUPPORT_388945a0
Deny log on as a batch job: defined, not assigned
Deny log on as a service: defined, not assigned
Deny log on locally: SophosSAUPUFFADDER0, SUPPORT_388945a0
Enable accounts to be trusted for delegation: (unnamed group)
Force shutdown from a remote system: (unnamed group), Server Operators
Generate security audits: Local Service, Network Service
Increase scheduling priority: (unnamed group)
Load and unload device drivers: (unnamed group), Print Operators
Lock pages in memory: defined, not assigned
Log on as a batch job: Local Service
Log on as a service: SUPPORT_388945a0, *S, *S, Network Service, SophosSAUPUFFADDER0, SQLServer2005SQLBrowserUser$PUFFADDER, SYSTEM
Manage auditing and security log: (unnamed group)
Modify firmware environment values: (unnamed group)
Profile single process: (unnamed group)
Profile system performance: (unnamed group)
Remove computer from docking station: (unnamed group)
Replace a process-level token: *S, *S, Local Service, Network Service
Restore files and directories: (unnamed group), Backup Operators, Server Operators
Shut down the system: (unnamed group), Backup Operators, Print Operators, Server Operators
Synchronize directory service data: defined, not assigned
Take ownership of files or other objects: (unnamed group)

Event Audit:
Policy Name | Policy Value
Audit Account Logon Events | Success
Audit Account Management | Success
Audit Directory Service Access | Success
Audit Logon Events | Success
Audit Object Access | No Auditing
Audit Policy Change | Success
Audit Privilege Use | No Auditing
Audit Process Tracking | No Auditing
Audit System Events | Success

Event Logging: ** No data found **
System Access: ** No data found **
Kerberos Policy: ** No data found **

Registry Keys:
Registry Key | Registry Value
HKLM\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel | 2
HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature | 1
HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature | 1
HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal | 1
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity | 1
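As an added example (not SekChek's own code), the following PowerShell reads the registry values this GPO sets, together with the secure-channel, SMB and audit-failure settings described in the Security Options section, from a machine's live registry and compares each with a baseline. The registry value names not printed in this report are Microsoft's documented names for those policies; the expected values are an assumed baseline to adjust to your own standard.

```powershell
# Added example, not part of the SekChek report. Run on the domain controller
# (or member) whose effective policy you want to verify; values are read from
# the live registry, i.e. after Group Policy has been applied.
# Expected values are an assumed baseline, not values taken from the report.

$Checks = @(
    @{ Policy = 'Secure channel: Digitally encrypt or sign secure channel data (always)'
       Path = 'HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters'
       Name = 'RequireSignOrSeal'; Expected = 1 },
    @{ Policy = 'Secure channel: Digitally encrypt secure channel data (when possible)'
       Path = 'HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters'
       Name = 'SealSecureChannel'; Expected = 1 },
    @{ Policy = 'Secure channel: Digitally sign secure channel data (when possible)'
       Path = 'HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters'
       Name = 'SignSecureChannel'; Expected = 1 },
    @{ Policy = 'Secure channel: Require strong (Windows 2000 or later) session key'
       Path = 'HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters'
       Name = 'RequireStrongKey'; Expected = 1 },
    @{ Policy = 'Send unencrypted password to connect to third-party SMB servers'
       Path = 'HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Name = 'EnablePlainTextPassword'; Expected = 0 },
    @{ Policy = 'Shut down system immediately if unable to log security audits'
       Path = 'HKLM:\System\CurrentControlSet\Control\Lsa'
       Name = 'CrashOnAuditFail'; Expected = 0 },
    @{ Policy = 'SMB server: digitally sign communications (always)'
       Path = 'HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters'
       Name = 'RequireSecuritySignature'; Expected = 1 },
    @{ Policy = 'SMB server: digitally sign communications (if client agrees)'
       Path = 'HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters'
       Name = 'EnableSecuritySignature'; Expected = 1 },
    @{ Policy = 'LAN Manager authentication level (LmCompatibilityLevel)'
       Path = 'HKLM:\System\CurrentControlSet\Control\Lsa'
       Name = 'LmCompatibilityLevel'; Expected = 5 },   # baseline: NTLMv2 only, refuse LM and NTLM
    @{ Policy = 'Domain controller: LDAP server signing requirements'
       Path = 'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters'
       Name = 'LDAPServerIntegrity'; Expected = 2 }     # baseline: require signing
)

function Test-RegistryBaseline {
    param([Parameter(Mandatory)][array]$Checks)
    foreach ($c in $Checks) {
        # A value that is not present at all is reported as '(not set)' and flagged,
        # since the OS default then applies rather than the policy the report lists.
        $actual = $null
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $actual = $item.($c.Name) }
        [pscustomobject]@{
            Policy   = $c.Policy
            Key      = "$($c.Path)\$($c.Name)"
            Expected = $c.Expected
            Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
            Status   = if ($actual -eq $c.Expected) { 'OK' } else { 'REVIEW' }
        }
    }
}

Test-RegistryBaseline -Checks $Checks | Format-Table Policy, Expected, Actual, Status -AutoSize
```

Rows marked REVIEW are where the effective value differs from the baseline; the report's value of 2 for LmCompatibilityLevel, for instance, would show against a baseline of 5.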
System/ Policies/ {F754BFE4-52E2-45B D5C65E8700}

GPO Display Name: Snake GPO test
GPO Exists on Disk: Yes
Computer Configuration Disabled: No
User Configuration Disabled: No

GPO Links:
Object | Type | No O/Ride | Link Disabled | Block Inheritance at OU Level
TEST GPO PC | OU | No | No | No

GPO Permissions:
Account Name | Type | Permission | Allow/Deny
Authenticated Users | well-known | All Extended Rights | Allow
Authenticated Users | well-known | Read All Properties | Allow
CREATOR OWNER | well-known | Read All Properties | Allow
Domain Admins | group | Read All Properties | Allow
Domain Admins | group | Read All Properties | Allow
Enterprise Admins | group | Read All Properties | Allow
ENTERPRISE DOMAIN CONTROLLERS | well-known | Read All Properties | Allow
SYSTEM | well-known | Read All Properties | Allow

Rights Policies: ** No data found **
Event Audit: ** No data found **
Event Logging: ** No data found **
System Access: ** No data found **
Kerberos Policy: ** No data found **
Registry Keys: ** No data found **
System/ Policies/ {F9BA3B20-1DDA-41D1-B91A-77D94D6EAB7F}

GPO Display Name: Regional and Language
GPO Exists on Disk: Yes
Computer Configuration Disabled: No
User Configuration Disabled: No

GPO Links:
Object | Type | No O/Ride | Link Disabled | Block Inheritance at OU Level
TEST GPO PC | OU | Yes | No | No

GPO Permissions:
Account Name | Type | Permission | Allow/Deny
Authenticated Users | well-known | All Extended Rights | Allow
Authenticated Users | well-known | Read All Properties | Allow
CREATOR OWNER | well-known | Read All Properties | Allow
Domain Admins | group | Read All Properties | Allow
Domain Admins | group | Read All Properties | Allow
Enterprise Admins | group | Read All Properties | Allow
ENTERPRISE DOMAIN CONTROLLERS | well-known | Read All Properties | Allow
SYSTEM | well-known | Read All Properties | Allow

Rights Policies: ** No data found **
Event Audit: ** No data found **
Event Logging: ** No data found **
System Access: ** No data found **
Kerberos Policy: ** No data found **
Registry Keys: ** No data found **
5.6 GPO Version Discrepancies

Section Summary
SekChek found 0 discrepancies between the versions of GPOs in AD and SYSVOL.

Section Detail
** No data found **

Implications
The versions of Group Policy Objects (GPOs) defined in Active Directory and in SYSVOL should normally be identical. If the GPO versions differ it may indicate a replication problem. This will cause unintended differences between the policies that are defined and those that are actually applied on the system.

Risk Rating
Low to high (dependent on the nature of the GPO).

Recommended Action
Ensure you understand the reason for any discrepancies between the versions of GPO objects. Where appropriate, ensure you take the necessary action to address the cause of the problem.
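The checks behind sections 5.2 and 5.6 (GPOs missing from SYSVOL, GPOs linked nowhere, and AD/SYSVOL version numbers out of step) can be reproduced with the GroupPolicy module. This is an added example, not SekChek's code; it assumes the GroupPolicy module (RSAT) is installed, that the account can read SYSVOL, and the standard SYSVOL layout \\<domain>\SYSVOL\<domain>\Policies\{GUID}.

```powershell
# Added example, not part of the SekChek report. Requires the GroupPolicy module
# (RSAT) and read access to SYSVOL. $Domain defaults to the current DNS domain.
Import-Module GroupPolicy

function Get-GpoHealth {
    param([string]$Domain = $env:USERDNSDOMAIN)

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        # "GPO Exists on Disk" in the report: the GPT folder under SYSVOL.
        $sysvolPath = "\\$Domain\SYSVOL\$Domain\Policies\{$($gpo.Id)}"

        # Get-GPO does not expose links; the XML report carries them under LinksTo.
        # A GPO with a damaged SYSVOL part can make the report fail, so treat that
        # as "no links known" rather than aborting the whole run.
        $links = @()
        try {
            $report = [xml](Get-GPOReport -Guid $gpo.Id -Domain $Domain -ReportType Xml -ErrorAction Stop)
            $links  = @($report.GPO.LinksTo | Where-Object { $_ })
        } catch { }

        [pscustomobject]@{
            DisplayName      = $gpo.DisplayName
            Id               = $gpo.Id
            ExistsOnDisk     = Test-Path -LiteralPath $sysvolPath
            LinkCount        = $links.Count
            LinksTo          = ($links | ForEach-Object { $_.SOMPath }) -join '; '
            # Section 5.6: AD (DS) and SYSVOL version counters per configuration part.
            ComputerVersions = "AD=$($gpo.Computer.DSVersion) SYSVOL=$($gpo.Computer.SysvolVersion)"
            UserVersions     = "AD=$($gpo.User.DSVersion) SYSVOL=$($gpo.User.SysvolVersion)"
            VersionMismatch  = ($gpo.Computer.DSVersion -ne $gpo.Computer.SysvolVersion) -or
                               ($gpo.User.DSVersion -ne $gpo.User.SysvolVersion)
            Status           = $gpo.GpoStatus
        }
    }
}

# Only the GPOs that would appear as findings: missing from SYSVOL, unlinked,
# or with AD/SYSVOL versions out of step (a replication problem to investigate).
Get-GpoHealth |
    Where-Object { -not $_.ExistsOnDisk -or $_.LinkCount -eq 0 -or $_.VersionMismatch } |
    Format-Table DisplayName, ExistsOnDisk, LinkCount, ComputerVersions, UserVersions, VersionMismatch -AutoSize
```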
6. Password Setting Objects (PSOs)

Section Summary
There is one PSO defined on your system:

- 0% (0) are not linked to any user or group objects.

Section Detail

PSO: Snake PSO test

Property | Value
PSO Precedence | 1
PSO Description | Test PSO 1
PSO DisplayName | Test PSO 1
Lockout Duration (D:HH:MM:SS) | (never)
Lockout Observation Window (D:HH:MM:SS) | 1:00:00:00
Lockout Threshold | 5
Maximum Password Age (D:HH:MM:SS) | 35:00:00:00
Minimum Password Age (D:HH:MM:SS) | (none)
Minimum Password Length | 10
Password Complexity Enabled | Y
Password History Length | 12
Reversible Password Encryption | N
When Changed (not replicated) | 25-Jan :34:00
When Created | 25-Jan :34:00

PSO Applies To...
- CN=TestGroup3, CN=Users, DC=Snake, DC=com (Object Type= Group, Members= 0)
- CN=Cloud 2, OU=Amazon, DC=Snake, DC=com (Object Type= Group, Members= 1)

Notes
Password Setting Objects (PSOs) were introduced in Microsoft Windows Server 2008, and only apply to domains where the domain functional level is set to Windows Server 2008 or higher. PSOs can only be applied to User / inetOrgPerson objects and global security groups.

- PSO Precedence: Establishes the PSO's precedence in situations where a user is a member of multiple groups with different password policies.
- Account Policies (Lockout Duration etc.): Refer to Domain Accounts Policy for a definition of each policy setting.
- PSO Applies To: The users and groups to which the Account Policies in the PSO are applied.

Implications
PSOs allow you to define multiple Account Policies per Active Directory domain, which was not permitted prior to Windows The main benefit of PSOs is that they allow you to control Account Policies at a more granular level by applying different Account Policies to selected users and groups. Note that the Account Policies defined in a PSO will always override the settings defined in the Domain Accounts Policy for the users and groups to which the PSO is linked.

For more information, see SekChek's white paper MS-Windows Password Settings Objects (PSOs) at:

Risk Rating
Medium to high, depending on the policies in effect over groups and users.

Recommended Action
If PSOs are employed, you should ensure that the Account Policies defined in the PSOs are set to appropriate values.
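Since a linked PSO always overrides the Domain Accounts Policy for its subjects, the practical review is to list every PSO with its precedence and subjects, flag any that is weaker than the domain default, and confirm which policy actually governs a given user. The PowerShell below does that with the ActiveDirectory module; it is an added example, not SekChek's code, and the account name at the end is a placeholder.

```powershell
# Added example, not part of the SekChek report. Requires the ActiveDirectory
# module (RSAT) and a domain functional level of Windows Server 2008 or higher.
Import-Module ActiveDirectory

# One row per PSO, lowest precedence number first (that PSO wins a conflict),
# with the users and groups it is linked to, mirroring the "PSO Applies To" list.
function Get-PsoOverview {
    Get-ADFineGrainedPasswordPolicy -Filter * |
        Sort-Object Precedence |
        ForEach-Object {
            $p = $_
            $subjects = @(Get-ADFineGrainedPasswordPolicySubject -Identity $p | Where-Object { $_ })
            [pscustomobject]@{
                Name             = $p.Name
                Precedence       = $p.Precedence
                MinLength        = $p.MinPasswordLength
                MaxAge           = $p.MaxPasswordAge
                History          = $p.PasswordHistoryCount
                Complexity       = $p.ComplexityEnabled
                Reversible       = $p.ReversibleEncryptionEnabled
                LockoutThreshold = $p.LockoutThreshold
                AppliesTo        = ($subjects | ForEach-Object { "$($_.ObjectClass):$($_.Name)" }) -join ', '
                Unlinked         = ($subjects.Count -eq 0)   # the "not linked to any user or group" count
            }
        }
}

# Which policy governs one user: the winning PSO (via group membership or a
# direct link) or, when no PSO applies, the Domain Accounts Policy.
function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($null -ne $pso) {
        $source = "PSO '$($pso.Name)' (precedence $($pso.Precedence))"
        $policy = $pso
    } else {
        $source = 'Default Domain Password Policy'
        $policy = Get-ADDefaultDomainPasswordPolicy
    }
    [pscustomobject]@{
        User       = $SamAccountName
        Source     = $source
        MinLength  = $policy.MinPasswordLength
        MaxAge     = $policy.MaxPasswordAge
        History    = $policy.PasswordHistoryCount
        Complexity = $policy.ComplexityEnabled
        Reversible = $policy.ReversibleEncryptionEnabled
    }
}

# PSOs weaker than the domain default on a key setting, or unlinked (dead) PSOs.
$default = Get-ADDefaultDomainPasswordPolicy
Get-PsoOverview | Where-Object {
    $_.Unlinked -or $_.Reversible -or -not $_.Complexity -or
    $_.MinLength -lt $default.MinPasswordLength -or
    $_.History   -lt $default.PasswordHistoryCount
} | Format-Table -AutoSize

Get-EffectivePasswordPolicy -SamAccountName 'someuser'   # placeholder account name
```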
7. Customer-Selected Registry Key Values

Section Summary
The following subsection lists the 2 registry keys that were selected during the extract.

Section Detail
Registry Key | Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Adobe\Acrobat Reader\9.0\Installer - ServiceControl | 601
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos - EEServer | v2

Implications
The correct settings of certain registry keys will enhance security, auditing and management on the system. For example, having appropriate values for remote access will decrease the risk of intruders gaining illegal access to the system. For many registry keys a value of 0 means that the feature is not enabled and a value of 1 or greater means enabled.

Risk Rating
Low to high (dependent on the registry setting being considered).

Recommended Action
Ensure that registry values are set to appropriate values where applicable.
62 8. User Accounts Defined In The Domain Section Summary There are 16 user accounts defined in your domain: 12.5% (2) of user accounts have Administrator privileges 6.3% (1) of user accounts have Guest privileges 81.3% (13) of user accounts have User privileges 0.0% (0) of user accounts are protected against accidental deletion Section Detail Common Name Path Privilege Member of Group Administrator Users Administrator SLB Domain Admins Domain Users Enterprise Admins Group Policy Creator Owners Schema Admins Sophos Sophos DB Admins Sophos Full SophosAdministrator Console Bradley test TEST GPO PC User Domain Users SG GpLink Test Users Administrator SLB Domain Users Sophos Sophos DB Admins Sophos Full SophosAdministrator Console Guest Users Guest Domain Guests SG Guests krbtgt Users User Denied RODC Password Replication Group Domain Users SekTest User4 Users User Domain Users SG Utilisateurs EPM Sharepoint SekTest User5 Users User Domain Users SG Utilisateurs EPM Sharepoint SekTest User6 Users User Domain Users SG Sophos Sophos DB Admins Sophos Full SophosAdministrator Console Utilisateurs EPM Sharepoint SekTest User7 Users User Domain Users SG Type/ Scope SG SG SU SG SU SL SL SL SL SG SL SL SL SL SLB SL SG SG SG SL SL SL SL SG Produced by SekChek for Windows V , 10-Nov-2013 (Ref ) Page 62 of 154
63 Common Name Path Privilege Member of Group Utilisateurs EPM Sharepoint SekTest User9 Users User Domain Users SG Utilisateurs EPM Sharepoint SophosSAUPUFFADDER0 Users User Domain Users SG SophosUpdateMgr Users User Domain Users SG Sun user Amazon User Domain Users SG Nature SUPPORT_388945a0 Users User Domain Users SG HelpServicesGroup Virtual1 Cloud Amazon User Cloud 1 SG Domain Users Virtual2 Cloud Amazon User Cloud 2 SG Domain Users Type/ Scope For details of all user properties see worksheet _All_User_Accounts in the MS-Excel workbook. For definitions of the properties please see Glossary of Terms. For details of internal system accounts see worksheet System_Accounts in the MS-Excel workbook. Note. The above is a list of user accounts, which have been defined in the domain. It does not include user accounts from other domains or servers that are members of this domain s groups. For those other accounts, consult the report sections: Domain Local Groups and their Members, Domain Global Groups and their Members and Domain Universal Groups and their Members. Account Name: This name is unique in the domain. Common Name: This name is unique inside the container or organizational unit but can be duplicated in a different container for another user with a different Account Name (above). This is the name under which the user is listed in the Active Directory MMC Console under the container it belongs to. Path: Container or Organizational Unit the user belongs to. The higher-level containers or organizational units are written first in the path, followed by the lower level containers or organizational units. See General Note in the System Details section for a general explanation on paths. Group Type / Scope: SG Security Global SL Security Local SLB Security Local - Builtin SU Security Universal Note. The list only shows memberships of Security groups. I.e. memberships of Distribution groups are excluded from the list. 
For a more detailed description of group types refer to report section Groups Defined in the Domain. Implications Varying levels of control (rights) over the domain, domain containers and domain organizational units can be delegated to users and/or groups of the domain or other domains. If users belong to groups with permissions and rights greater than they need, they will have access to resources and system functions not in line with their job functions. The Administrator privilege is the most powerful privilege in the domain and can perform all actions on the domain. Users with Administrator privilege have full control over the domain resources. Members of groups such as Print Operators, Account Operators, Server Operators and Backup Operators also acquire special privileges. Consult the report section titled: Domain Local Groups and their Members, for a more detailed analysis. SG SG SG SL SG SG Produced by SekChek for Windows V , 10-Nov-2013 (Ref ) Page 63 of 154
Risk Rating

Medium to high (dependent on users' job functions and the number of accounts with special privileges).

Recommended Action

Ensure that user accounts are defined in containers or organizational units where the controls over them are appropriate. Users' rights and group memberships should be checked to ensure they are not granted unnecessary privileges or rights. Most users should be assigned to the built-in global group Domain Users and the built-in local group Users.

The number of accounts with Administrator privilege should be kept to a minimum. These accounts should only be used for administrative functions. Users with administrative privileges should use a separate account for normal day-to-day use.

You should consider renaming the built-in Administrator account to a less obvious name to lessen the possibility of hackers guessing the password, as they would have to guess the account name also. This account can never be locked out due to failed logon attempts. The account cannot be disabled or deleted.

You should consider renaming the built-in Guest account to a less obvious name. Hackers trying to obtain illegal access often target this account.
9. Groups Defined In the Domain

Section Summary

All Group Types
There are a total of 57 group accounts defined on your domain:
  64.9% (37) of groups are Local Groups
  29.8% (17) of groups are Global Groups
   5.3% (3)  of groups are Universal Groups
   0.0% (0)  of groups are Application Basic Groups
   0.0% (0)  of groups are Application Query Groups
   0.0% (0)  of groups are protected against accidental deletion

Security Groups Only
There are 57 security groups defined on your domain:
  64.9% (37) of these are Local security Groups
  29.8% (17) of these are Global security Groups
   5.3% (3)  of these are Universal security Groups

Section Detail

Common Name                                   Path     Type/Scope
Account Operators                             Builtin  SLB
Administrators                                Builtin  SLB
Allowed RODC Password Replication Group       Users    SL
Backup Operators                              Builtin  SLB
Cert Publishers                               Users    SL
Certificate Service DCOM Access               Builtin  SLB
Cloud 1                                       Amazon   SG
Cloud 2                                       Amazon   SG
Cryptographic Operators                       Builtin  SLB
Denied RODC Password Replication Group        Users    SL
Distributed COM Users                         Builtin  SLB
DnsAdmins                                     Users    SL
DnsUpdateProxy                                Users    SG
Domain Admins                                 Users    SG
Domain Computers                              Users    SG
Domain Controllers                            Users    SG
Domain Guests                                 Users    SG
Domain Users                                  Users    SG
Enterprise Admins                             Users    SU
Enterprise Read-only Domain Controllers       Users    SU
Event Log Readers                             Builtin  SLB
Group Policy Creator Owners                   Users    SG
Guests                                        Builtin  SLB
HelpServicesGroup                             Users    SL
IIS_IUSRS                                     Builtin  SLB
Incoming Forest Trust Builders                Builtin  SLB
Nature                                        Amazon   SG
Network Configuration Operators               Builtin  SLB
Performance Log Users                         Builtin  SLB
Performance Monitor Users                     Builtin  SLB
Pre-Windows 2000 Compatible Access            Builtin  SLB
Print Operators                               Builtin  SLB
RAS and IAS Servers                           Users    SL
Read-only Domain Controllers                  Users    SG
Remote Desktop Users                          Builtin  SLB
Replicator                                    Builtin  SLB
Schema Admins                                 Users    SU
Server Operators                              Builtin  SLB
Sophos Console                                Users    SL
Sophos DB Admins                              Users    SL
Sophos Full                                   Users    SL
SophosAdministrator                           Users    SL
SophosDomainAdministrator                     Users    SG
SophosDomainPowerUser                         Users    SG
SophosDomainUser                              Users    SG
SophosOnAccess                                Users    SL
SophosPowerUser                               Users    SL
SophosUser                                    Users    SL
SQLServer2005SQLBrowserUser$PUFFADDER         Users    SL
SQLServerMSSQLServerADHelperUser$PUFFADDER    Users    SL
TelnetClients                                 Users    SL
Terminal Server License Servers               Builtin  SLB
TestGroup3                                    Users    SG
TestGroup4                                    Users    SG
Users                                         Builtin  SLB
Utilisateurs EPM Sharepoint                   Users    SG
Windows Authorization Access Group            Builtin  SLB

For details of all properties see worksheet Group_Accounts in the MS-Excel workbook. For definitions of the properties please see Glossary of Terms.

NOTE: The above is a list of groups which have been defined in the domain. It does not include groups from other domains or servers that are members of this domain's groups.

Account Name: This name is unique in the domain.

Common Name: This name is unique inside the container or organizational unit but can be duplicated in a different container for another group with a different Account Name (above). This is the name under which the group is listed in the Active Directory MMC Console under the container it belongs to.

Path: Container or Organizational Unit the group belongs to. The higher-level containers or organizational units are written first in the path, followed by the lower-level containers or organizational units. See General Note in the System Details section for a general explanation on paths.
Group Type/Scope:
  AB   Application Basic
  AQ   Application Query
  DG   Distribution Global
  DL   Distribution Local
  DU   Distribution Universal
  SG   Security Global
  SL   Security Local
  SLB  Security Local - Builtin
  SU   Security Universal

There are 3 types of groups in Windows 200x* domains:
  Security groups
  Distribution groups
  Application groups

Security groups can define permissions on resources and objects. When assigning permissions for resources (file shares, printers, and so on), administrators should assign those permissions to a security group rather than to the individual users. The permissions are assigned once to the group, instead of several times to each individual user. This helps simplify the maintenance and administration of a network.

Distribution groups are not security-enabled. Distribution groups can be used, for example, with applications (such as Exchange), to send e-mail to collections of users.

Application groups are not security-enabled and include basic application groups and LDAP query groups. Application groups are specific to Authorization Manager role-based administration. An application group is a group of users, computers, or other security principals. An application group is not a group of applications. Membership of an Application Query group is dynamically calculated from LDAP queries.

Each security and distribution group has a scope that identifies the extent to which the group is applied in the domain tree or forest. There are three different group scopes: universal, global, and local.

Built-in Local Security groups are defined by the Windows 200x* security system. They cannot be moved or deleted from their original container (Builtin). Those groups cannot be members of other groups.

For membership of groups and more details on group scope, consult the report sections: Domain Local Groups and their Members, Domain Global Groups and their Members and Domain Universal Groups and their Members.
Implications

Varying levels of control (rights) over the domain, domain containers and domain organizational units can be delegated to groups of the domain or other domains.

Risk Rating

Medium to high (dependent on groups' functions and what controls are granted over the groups).

Recommended Action

Ensure that groups are defined in containers or organizational units where the controls over them are appropriate.
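The group inventory and the Section Summary percentages above can be rebuilt from the live directory. The following PowerShell script is an added example, not part of the SekChek report or its tooling. It assumes a domain-joined host with the RSAT ActiveDirectory module and read access to the domain, and derives the report's Type/Scope code from each group's GroupCategory (S or D), GroupScope (G, L or U) and, for the trailing B, whether its distinguished name places it in the Builtin container.

```powershell
# Added example (not SekChek code): rebuild the "Groups Defined In the Domain"
# inventory and summary from Active Directory. Assumes the RSAT ActiveDirectory
# module and read access to the domain.
Import-Module ActiveDirectory

function Get-GroupInventory {
    # One object per group, tagged with the report's Type/Scope code:
    # first letter S/D = Security/Distribution, second G/L/U = Global/DomainLocal/Universal,
    # trailing B = the group lives in the Builtin container (SLB in the report).
    Get-ADGroup -Filter * -Properties GroupCategory, GroupScope, ProtectedFromAccidentalDeletion |
        ForEach-Object {
            $g     = $_
            $cat   = if ($g.GroupCategory -eq 'Security') { 'S' } else { 'D' }
            $scope = switch ([string]$g.GroupScope) {
                'Global'      { 'G' }
                'DomainLocal' { 'L' }
                'Universal'   { 'U' }
            }
            $code = $cat + $scope
            if ($g.DistinguishedName -match '^CN=[^,]+,CN=Builtin,') { $code += 'B' }
            [pscustomobject]@{
                CommonName = $g.Name
                Path       = ($g.DistinguishedName -split ',', 2)[1]   # parent container/OU
                TypeScope  = $code
                Protected  = [bool]$g.ProtectedFromAccidentalDeletion
            }
        }
}

function Format-Pct {
    param([int]$Count, [int]$Total)
    $ratio = if ($Total) { $Count / $Total } else { 0 }
    '{0:P1} ({1})' -f $ratio, $Count
}

function Get-GroupSummary {
    # The figures the report's Section Summary gives, computed from the inventory.
    param([object[]]$Groups = @(Get-GroupInventory))
    $n = $Groups.Count
    "There are a total of $n group accounts defined on your domain:"
    foreach ($pair in @(@('L', 'Local'), @('G', 'Global'), @('U', 'Universal'))) {
        $k = @($Groups | Where-Object { $_.TypeScope[1] -eq $pair[0] }).Count
        "  $(Format-Pct $k $n) of groups are $($pair[1]) Groups"
    }
    $k = @($Groups | Where-Object { $_.Protected }).Count
    "  $(Format-Pct $k $n) of groups are protected against accidental deletion"
    $sec = @($Groups | Where-Object { $_.TypeScope[0] -eq 'S' })
    "There are $($sec.Count) security groups defined on your domain."
}

$inventory = @(Get-GroupInventory)
Get-GroupSummary -Groups $inventory
$inventory | Sort-Object CommonName | Format-Table CommonName, Path, TypeScope, Protected -AutoSize
```

The Protected column corresponds to the report's "protected against accidental deletion" figure; a built-in group that is not protected can still be renamed or have its members replaced, which is why the report lists the figure alongside the scope counts.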
10. Domain Local Groups and their Members

Section Summary

There are a total of 37 Local Security groups, containing the following 47 members, defined on your domain:
  59.5% (22) of these groups are empty / have no members
   2.1% (1)  of the members are defined in other domains

Section Detail

Group Name                                   Member                          Member Domain                   Mbr Class
Account Operators
Administrators                               Administrator                                                   user
                                             Domain Admins                                                   group
                                             Enterprise Admins                                               group
                                             GpLinkTest                                                      user
Allowed RODC Password Replication Group
Backup Operators
Cert Publishers
Certificate Service DCOM Access
Cryptographic Operators
Denied RODC Password Replication Group       Cert Publishers                                                 group
                                             Domain Admins                                                   group
                                             Domain Controllers                                              group
                                             Enterprise Admins                                               group
                                             Group Policy Creator Owners                                     group
                                             krbtgt                                                          user
                                             Read-only Domain Controllers                                    group
                                             Schema Admins                                                   group
Distributed COM Users
DnsAdmins
Event Log Readers
Guests                                       Domain Guests                                                   group
                                             Guest                                                           user
HelpServicesGroup                            SUPPORT_388945a0                                                user
IIS_IUSRS                                    IUSR                            Unknown Domain (NT AUTHORITY)   unknown
Incoming Forest Trust Builders
Network Configuration Operators
Performance Log Users
Performance Monitor Users
Pre-Windows 2000 Compatible Access           Authenticated Users                                             well-known
Print Operators
RAS and IAS Servers
Remote Desktop Users                         Cloud 1                                                         group
Replicator
Server Operators                             Cloud 2                                                         group
Sophos Console                               Administrator                                                   user
                                             Domain Admins                                                   group
                                             Enterprise Admins                                               group
                                             GpLinkTest                                                      user
                                             User6                                                           user
Sophos DB Admins                             Administrator                                                   user
                                             Domain Admins                                                   group
                                             Enterprise Admins                                               group
                                             GpLinkTest                                                      user
                                             User6                                                           user
Sophos Full                                  Administrator                                                   user
                                             Domain Admins                                                   group
                                             Enterprise Admins                                               group
                                             GpLinkTest                                                      user
                                             User6                                                           user
SophosAdministrator                          Administrator                                                   user
                                             Domain Admins                                                   group
                                             Enterprise Admins                                               group
                                             GpLinkTest                                                      user
                                             SophosDomainAdministrator                                       group
                                             User6                                                           user
SophosOnAccess
SophosPowerUser                              SophosDomainPowerUser                                           group
SophosUser                                   Domain Users                                                    group
                                             SophosDomainUser                                                group
SQLServer2005SQLBrowserUser$PUFFADDER
SQLServerMSSQLServerADHelperUser$PUFFADDER
TelnetClients
Terminal Server License Servers
Users                                        Authenticated Users                                             well-known
                                             Domain Users                                                    group
                                             Interactive                                                     well-known
Windows Authorization Access Group           Enterprise Domain Controllers                                   well-known
Notes

Members of Local Distribution groups are not listed here, as there is no security implication on these groups.

Group Account Name or Member Account Name: This name is unique in the domain.

Member Domain: The name of a trusted domain, if the group member is an external account. If the member belongs to the domain analysed, this field will be empty.

Member Class: When = Unknown, it means that the account or group is a member of the local group but that the server/domain where the account or group is registered could not be reached to obtain the account information. The local groups showing these accounts as members should be checked to establish the origin and details of these accounts. When a server/domain cannot be reached for account information, the server/domain is either not available through the network or the server/domain no longer exists in the domain.

Domain Local Groups

Groups with domain local scope can have as their members groups and accounts from Windows 200x* or Windows NT domains and can be used to grant permissions only within a domain. Groups with a domain local scope are referred to as Local Groups.

In native-mode Windows 200x* domains, Local Groups can have accounts, global groups, and universal groups from any domain, as well as local groups from the same domain, as members. In mixed-mode Windows 200x* domains, Local Groups can have accounts and global groups from any domain as members but cannot have local groups as members.

Groups with domain local scope are typically used to define and manage access to resources within a single domain.

Built-in Local Groups are installed in the domain. These groups are security groups and represent common sets of rights and permissions that can be used to grant certain roles, rights, and permissions to the accounts and groups that are placed into these default groups. Default groups with domain local scope are located in the Builtin container.
The default (built-in) Local Groups are:
  Account Operators
  Administrators
  Backup Operators
  Guests
  Pre-Windows 2000 Compatible Access
  Print Operators
  Replicator
  Server Operators
  Users

These built-in groups have domain local scope and are primarily used to assign default sets of permissions to users who may have some administrative control in that domain. For example, the Administrators group in a domain has a broad set of administrative authority over all accounts and resources in the domain. The following shows the default rights held by some of these groups.

Administrators: Members of the Administrators group have full control over the computer. It is the only built-in group that is automatically granted every built-in right and ability in the system.

Backup Operators: Members of the Backup Operators group can back up and restore files on the computer, regardless of any permissions that protect those files. They can also log onto the computer and shut it down, but they cannot change security settings.

Replicator: The Replicator group supports directory replication functions. The only member of the Replicator group should be a domain user account used to log on the Replicator services of the domain controller. Do not add the user accounts of actual users to this group.

Implications

If users or groups belong to Local Groups with permissions and rights greater than they need, they will have access to unnecessary resources and functions via the permissions and rights associated with the Local Groups.

The built-in Local Group which has normal default user rights and permissions is the Users group. Another built-in Local Group with limited default privileges is Guests. Built-in Local Groups cannot be deleted.
New Local Groups can be created and powerful rights (e.g. Take Ownership of Files and other Objects) can be assigned to them.

Risk Rating

Medium to high (dependent on users' job functions and groups' roles).

Recommended Action

Privileges and rights acquired by users and groups via their membership of Local Groups should be checked to ensure they are consistent with the users' job functions and groups' roles. Most users or groups should be assigned to the Users Local Group.

Users or groups assigned to privileged Local Groups should be kept to a minimum and their membership fully justified. As a rule, only individual users, and not groups, should be added to privileged Local Groups, as this affords better control.

Those accounts or groups from other domains which are members of privileged Local Groups should be carefully checked and fully justified. If it can be avoided, users and groups from other domains should not be members of privileged Local Groups.
11. Domain Global Groups and their Members

Section Summary

There are a total of 17 Global Security groups, containing the following 30 members, defined on your domain:
  41.2% (7) of these groups are empty / have no members

Section Detail

Group Name                     Member                 Member Class
Cloud 1                        Virtual1               user
Cloud 2                        Virtual2               user
DnsUpdateProxy
Domain Admins                  Administrator          user
Domain Computers               BEOWOLF                Computer
                               REDWOLF                Computer
Domain Controllers             BOOMSLANG              Computer
                               PUFFADDER              Computer
Domain Guests                  Guest                  user
Domain Users                   Administrator          user
                               bradley                user
                               GpLinkTest             user
                               krbtgt                 user
                               SophosSAUPUFFADDER0    user
                               SophosUpdateMgr        user
                               Sun                    user
                               SUPPORT_388945a0       user
                               User4                  user
                               User5                  user
                               User6                  user
                               User7                  user
                               User9                  user
                               Virtual1               user
                               Virtual2               user
Group Policy Creator Owners    Administrator          user
Nature                         Sun                    user
Read-only Domain Controllers
SophosDomainAdministrator
SophosDomainPowerUser
SophosDomainUser
TestGroup3
TestGroup4
Utilisateurs EPM Sharepoint    User4                  user
                               User5                  user
                               User6                  user
                               User7                  user
                               User9                  user
Notes

Group Account Name or Member Account Name: This name is unique in the domain.

Global Group

Groups with global scope can have as their members groups and accounts only from the domain in which the group is defined and can be granted permissions in any domain in a domain tree or forest. Groups with a global scope are referred to as Global Groups.

In native-mode Windows 200x* domains, Global Groups can have, as their members, accounts from the same domain and global groups from the same domain. In mixed-mode Windows 200x* domains, Global Groups can have, as their members, accounts from the same domain but cannot have groups as members.

Default predefined groups with global scope are normally located in the Users container. The predefined Global Groups placed in the Users container are:
  Cert Publishers
  Domain Admins
  Domain Computers
  Domain Controllers
  Domain Guests
  Domain Users
  Enterprise Admins
  Group Policy Admins
  Schema Admins

These groups with global scope can be used to collect the various types of user accounts in the domain (regular users, administrators, and guests) into groups. These groups can then be placed in Local Groups.

By default, any user account created in a domain is automatically added to the Domain Users group and any computer account created is automatically added to the Domain Computers group. The Domain Users and Domain Computers groups can be used to represent all the accounts created in the domain. For example, if all the users in this domain need to have access to a printer, permissions for the printer can be assigned to the Domain Users group (or the Domain Users group can be placed into a local group that has permissions for the printer).

Groups with global scope are normally used to manage directory objects that require daily maintenance, such as user and computer accounts.
Because groups with global scope are not replicated outside their own domain, accounts in a group having global scope can be changed frequently without generating replication traffic to the global catalog.

Global groups cannot be created or maintained on Windows NT/200x* Workstations or Windows NT/200x* Servers which are not Domain Controllers. However, for Windows NT/200x* Workstations or NT/200x* Server computers that participate in a domain, domain global groups can be granted rights and permissions at those workstations or servers, and can be members of local groups at those workstations or servers.

Implications

If users are assigned to global groups with permissions and rights greater than they need, they will have access to unnecessary system resources and functions via the permissions and rights associated with the global groups. Global groups can be members of local groups in the domain and other domains, or members of other global groups in the domain, thus acquiring their rights and granting those rights to users belonging to the global groups.

New global groups can be created and powerful rights (e.g. Take Ownership of Files and other Objects) assigned to them.

Risk Rating

Medium to high (dependent on users' job functions and groups' functions).
Recommended Action

Privileges and rights assigned to global groups and their membership of other groups should be checked to ensure that they are justified. Most users should only be assigned to the Domain Users global group. Users assigned to privileged global groups (such as Domain Admins) should be kept to a minimum and their membership fully justified.
12. Domain Universal Groups and their Members

Section Summary

There are a total of 3 Universal Security groups, containing the following 2 members, defined in your domain:
  33.3% (1) of these groups are empty / have no members
   0.0% (0) of these members are defined in other domains

Section Detail

Group Name                                  Member          Member Domain   Mbr Class
Enterprise Admins                           Administrator                   user
Enterprise Read-only Domain Controllers
Schema Admins                               Administrator                   user

Notes

Group Account Name or Member Account Name: This name is unique in the domain.

Member Domain: The name of a trusted domain, if the group member is an external account. If the member belongs to the domain analyzed, this field will be empty.

Member Class: When = Unknown, it means that the account or group is a member of the universal group but that the server/domain where the account or group is registered could not be reached to obtain the account information. The universal groups showing these accounts as members should be checked to establish the origin and details of these accounts. When a server/domain cannot be reached for account information, the server/domain is either not available through the network or the server/domain no longer exists in the domain.

Universal Groups

Groups with universal scope can have as members groups and accounts from any Windows 200x* domain in the domain tree or forest and can be granted permissions in any domain in the domain tree or forest. Groups with a universal scope are referred to as Universal Groups.

In native-mode Windows 200x* domains, Universal Groups can have, as their members, accounts from any domain, global groups from any domain and universal groups from any domain. In mixed-mode Windows 200x* domains, groups with universal scope cannot be created.

Groups with universal scope can be used to consolidate groups that span domains. For example, global groups from different domains can be nested in universal groups.
Using this strategy, any membership changes in the groups having global scope do not affect the group with universal scope.

Implications

If users or groups are assigned to universal groups with permissions and rights greater than they need, they will have access to unnecessary resources and functions via the permissions and rights associated with the universal groups.

Risk Rating

Medium to high (dependent on users' job functions and groups' functions).

Recommended Action

Privileges and rights assigned to universal groups and their membership of other groups should be checked to ensure that they are justified.
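Sections 10, 11 and 12 all ask the same question of privileged groups: who ends up with the right, whether it is reached through a nested group, and whether the member belongs to another domain. The following PowerShell script is an added example, not SekChek code, that answers it from the live directory. It assumes the RSAT ActiveDirectory module and read access to the domain; the list of groups treated as privileged is an assumption to adjust per domain. It walks each group's member attribute itself rather than calling Get-ADGroupMember, because that cmdlet can fail on members from other forests, and it labels a member whose trusted domain cannot be reached as "unknown", matching the report's Member Class convention.

```powershell
# Added example (not SekChek code): effective membership of privileged groups,
# following nested groups and flagging members from other domains. Assumes the
# RSAT ActiveDirectory module; $PrivilegedGroups is an assumption to adjust.
Import-Module ActiveDirectory

$PrivilegedGroups = @('Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators')

function Resolve-ForeignName {
    # A member from another domain is stored as a foreignSecurityPrincipal whose
    # name is its SID. Translating it needs the trusted domain to be reachable;
    # if it is not, report the SID and class 'unknown', as the report does.
    param([string]$Sid)
    try {
        $nt = (New-Object System.Security.Principal.SecurityIdentifier $Sid).Translate([System.Security.Principal.NTAccount])
        return @{ Name = $nt.Value; Class = 'foreign' }
    } catch {
        return @{ Name = $Sid; Class = 'unknown' }
    }
}

function Expand-GroupMembers {
    # Walk the group's 'member' attribute; $Seen prevents loops when groups are
    # nested circularly. Every principal is reported with the path it was reached by.
    param([string]$GroupDn, [string]$Via, [hashtable]$Seen)
    if ($Seen.ContainsKey($GroupDn)) { return }
    $Seen[$GroupDn] = $true
    $group = Get-ADGroup -Identity $GroupDn -Properties member
    foreach ($dn in @($group.member)) {
        $obj   = Get-ADObject -Identity $dn -Properties objectClass, sAMAccountName
        $name  = $obj.sAMAccountName
        $class = [string]$obj.ObjectClass
        if ($class -eq 'foreignSecurityPrincipal') {
            $r = Resolve-ForeignName -Sid $obj.Name
            $name = $r.Name
            $class = $r.Class
        }
        [pscustomobject]@{
            PrivilegedGroup = ($Via -split ' > ')[0]
            Member          = $name
            Class           = $class
            Via             = $Via
            Nested          = ($Via -like '* > *')
            Foreign         = ($class -in @('foreign', 'unknown'))
        }
        if ($class -eq 'group') {
            Expand-GroupMembers -GroupDn $dn -Via "$Via > $($obj.Name)" -Seen $Seen
        }
    }
}

function Get-PrivilegedAccess {
    param([string[]]$Groups = $PrivilegedGroups)
    foreach ($name in $Groups) {
        $g = Get-ADGroup -Filter "Name -eq '$name'"
        if (-not $g) { Write-Warning "Group '$name' not found"; continue }
        Expand-GroupMembers -GroupDn $g.DistinguishedName -Via $g.Name -Seen @{}
    }
}

$access = @(Get-PrivilegedAccess)
$access | Sort-Object PrivilegedGroup, Via, Member |
    Format-Table PrivilegedGroup, Member, Class, Via -AutoSize

# The two conditions the Recommended Actions ask you to justify: rights reached
# through a nested group, and members that belong to another domain.
$access | Where-Object { $_.Nested -or $_.Foreign } |
    Format-Table PrivilegedGroup, Member, Class, Via, Foreign -AutoSize
```

The Via column makes the report's point about nesting concrete: a user that appears as "Administrators > Domain Admins > SomeGroup > user" holds the Administrators right without being a direct member of any group an administrator would normally review.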
13. Last Logons, 30 Days and Older

Section Summary

All Accounts
50.0% (8) of the user accounts on your domain have not logged on in the last 30 days:
  43.8% (7) have not logged on in the last 60 days
  43.8% (7) have not logged on in the last 90 days
  37.5% (6) have not logged on in the last 180 days
  37.5% (6) have not logged on in the last 360 days
  37.5% (6) have not logged on in the last 2 years
  37.5% (6) have never been used, or their last logon date is unknown

Excluding Disabled Accounts
25.0% (4) of the user accounts on your domain have not logged on in the last 30 days:
  18.8% (3) have not logged on in the last 60 days
  18.8% (3) have not logged on in the last 90 days
  18.8% (3) have not logged on in the last 180 days
  18.8% (3) have not logged on in the last 360 days
  18.8% (3) have not logged on in the last 2 years
  18.8% (3) have never been used, or their last logon date is unknown

All Administrator Accounts
0.0% (0) of the administrator accounts on your domain have not logged on in the last 30 days:
  0.0% (0) have not logged on in the last 60 days
  0.0% (0) have not logged on in the last 90 days
  0.0% (0) have not logged on in the last 180 days
  0.0% (0) have not logged on in the last 360 days
  0.0% (0) have not logged on in the last 2 years
  0.0% (0) have never been used, or their last logon date is unknown

Administrator Accounts (Excluding Disabled Accounts)
0.0% (0) of the administrator accounts on your domain have not logged on in the last 30 days:
  0.0% (0) have not logged on in the last 60 days
  0.0% (0) have not logged on in the last 90 days
  0.0% (0) have not logged on in the last 180 days
  0.0% (0) have not logged on in the last 360 days
  0.0% (0) have not logged on in the last 2 years
  0.0% (0) have never been used, or their last logon date is unknown

Domain Controllers (DCs) Scanned
SekChek scanned 2 out of 2 DCs for users' last logon times. See Domain Controllers in the Domain for more information.
The last logon for the built-in Administrator account was 0 days ago.

Industry Average Comparison (> 30 days)

Note: This is an exception report, so it only lists accounts that have not logged on in the last 30 days, i.e. an account that logged on 29 days ago (or more recently) will not be listed in this report section.

Section Detail

Last Logon    Account Name          Path     State   Privilege
              Guest                 Users    D       Guest
              krbtgt                Users    D       User
              SophosSAUPUFFADDER0   Users            User
              SophosUpdateMgr       Users            User
              Sun                   Amazon           User
              SUPPORT_388945a0      Users    D       User
02-Aug-2013   User6                 Users    E       User
24-Sep-2013   User4                 Users            User

Notes

Account Name: This name is unique in the domain.

Path: Container or Organizational Unit the user belongs to. The higher-level containers or organizational units are written first in the path, followed by the lower-level containers or organizational units. See General Note in the System Details section for a general explanation on paths.

Account State: Account is Disabled (D), Locked (L), Expired (E), or a combination of them, e.g. (DL) (DE).

Implications

Some of these user accounts may no longer be required. Inactive user accounts are a prime target for intruders. If their passwords are compromised, they can be used with little fear of detection.

Risk Rating

Low to Medium.

Recommended Action

The list of accounts should be reviewed and redundant ones should be deleted. Accounts that will be required later (longer term) should be disabled until required.
14. Passwords, 30 Days and Older

Section Summary

All Accounts
50.0% (8) of the user accounts on your domain have not had their passwords changed in the last 30 days:
  43.8% (7) have not had their passwords changed in the last 60 days
  43.8% (7) have not had their passwords changed in the last 90 days
  43.8% (7) have not had their passwords changed in the last 180 days
  25.0% (4) have not had their passwords changed in the last 360 days
  12.5% (2) have not had their passwords changed in the last 2 years

Excluding Disabled Accounts
25.0% (4) of the user accounts on your domain have not had their passwords changed in the last 30 days:
  18.8% (3) have not had their passwords changed in the last 60 days
  18.8% (3) have not had their passwords changed in the last 90 days
  18.8% (3) have not had their passwords changed in the last 180 days
  12.5% (2) have not had their passwords changed in the last 360 days
   6.3% (1) have not had their passwords changed in the last 2 years

All Administrator Accounts
50.0% (1) of the administrator accounts on your domain have not had their passwords changed in the last 30 days:
  50.0% (1) have not had their passwords changed in the last 60 days
  50.0% (1) have not had their passwords changed in the last 90 days
  50.0% (1) have not had their passwords changed in the last 180 days
  50.0% (1) have not had their passwords changed in the last 360 days
  50.0% (1) have not had their passwords changed in the last 2 years

Administrator Accounts (Excluding Disabled Accounts)
50.0% (1) of the administrator accounts on your domain have not had their passwords changed in the last 30 days:
  50.0% (1) have not had their passwords changed in the last 60 days
  50.0% (1) have not had their passwords changed in the last 90 days
  50.0% (1) have not had their passwords changed in the last 180 days
  50.0% (1) have not had their passwords changed in the last 360 days
  50.0% (1) have not had their passwords changed in the last 2 years

The password for the built-in Administrator account was last changed 1556 days ago.

Industry Average Comparison (> 30 days)

Note: This is an exception report, so it only lists accounts whose passwords have not changed in the last 30 days, i.e. an account whose password was changed 29 days ago (or more recently) will not be listed in this report section.

Section Detail

Password Age (days)   Account Name        Path    State   Privilege
1556                  Administrator       Users           Administrator
1556                  SUPPORT_388945a0    Users   D       User
436                   krbtgt              Users   D       User
436                   User5               Users           User
337                   User6               Users   E       User
292                   User9               Users   LE      User
270                   User7               Users           User
51                    User4               Users           User

Notes

Account Name: This name is unique in the domain.

Path: Container or Organizational Unit the user belongs to. The higher-level containers or organizational units are written first in the path, followed by the lower-level containers or organizational units. See General Note in the System Details section for a general explanation on paths.

Account State:
  L   Locked. An account is automatically locked by the system once the number of invalid login attempts, as defined by the security policy, has been reached.
  D   Disabled. A disabled account has been manually disabled by the administrator.
  E   Expired. An account expires once the expiry date, which has been set by the administrator, is reached.
  DE  Disabled & Expired. An expired account which has also been manually disabled by the administrator.
  DL  Disabled & Locked. A locked account which has also been manually disabled by the administrator.

Implications

This could indicate that these users are not required to change their passwords on a regular basis, or that the accounts are inactive and redundant. A password that is not changed on a frequent basis increases the risk of it being compromised over time.

Risk Rating

Medium. If password controls are weak (e.g. Password Never Expires set in user accounts) the risk is high.

Recommended Action

The accounts should be reviewed and deleted if they are no longer required. Otherwise, their password change interval should be brought in line with installation standards. The Leading Practice is to force users to change their passwords every 30 to 60 days.

Some service accounts, such as for SMS, normally do not have their passwords changed frequently. For those accounts, the account name and password should be such that they are very difficult to guess.
15. Passwords that Never Expire

Section Summary

All Accounts
87.5% (14) of users are never required to change their passwords due to security settings in individual user accounts.

Excluding Disabled Accounts
62.5% (10) of users are never required to change their passwords due to security settings in individual user accounts.

All Administrator Accounts
50.0% (1) of administrator accounts are never required to change their passwords due to security settings in individual user accounts.

Administrator Accounts (Excluding Disabled Accounts)
50.0% (1) of administrator accounts are never required to change their passwords due to security settings in individual user accounts.

Industry Average Comparison

Section Detail

Account Name          Path          State   Privilege
Administrator         Users                 Administrator
bradley               TEST GPO PC           User
Guest                 Users         D       Guest
SophosSAUPUFFADDER0   Users                 User
SophosUpdateMgr       Users                 User
Sun                   Amazon                User
SUPPORT_388945a0      Users         D       User
User4                 Users                 User
User5                 Users                 User
User6                 Users         E       User
User7                 Users                 User
User9                 Users         LE      User
Virtual1              Amazon                User
Virtual2              Amazon                User

Notes

Account Name: This name is unique in the domain.

Path: Container or Organizational Unit the user belongs to. The higher-level containers or organizational units are written first in the path, followed by the lower-level containers or organizational units. See General Note in the System Details section for a general explanation on paths.

Account State: Account is Disabled (D), Locked (L), Expired (E), or a combination of them, e.g. (DL) (DE).
Implications

If users are not required to change their passwords on a frequent basis, their passwords are likely to become known to other employees and potential intruders. The user profile could then be used to gain unauthorised access to systems and data until the real user changes the password to a new one.

The password change interval is set in the Password Policies. However, the system default can be overridden via the Password Never Expires parameter at user account level.

Risk Rating

Medium to High.

Recommended Action

Password change intervals for these user accounts should be brought in line with the installation standard. The Leading Practice for a password change interval is between 30 and 60 days. You should also check the Accounts Policy to confirm that the Maximum Password Change Interval is set to an acceptable value.

Some service accounts, such as for SMS, normally do not have their passwords changed frequently. For those accounts, the account name and password should be such that they are very difficult to guess.
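Sections 14 and 15 describe two related checks: the age of each password, taken from when it was last set, and the per-account "Password Never Expires" override that defeats the domain's maximum password age. The following PowerShell script is an added example, not SekChek code. It assumes the RSAT ActiveDirectory module and read access to the domain, and it treats recursive members of Domain Admins as the "administrator accounts" of the report's summaries, which is an assumption. Password age comes from the pwdLastSet attribute, and the never-expire override is decoded from the userAccountControl bit field using Microsoft's documented flag values; the same bit field carries the password-not-required flag, so that is decoded too.

```powershell
# Added example (not SekChek code): password age from pwdLastSet, the
# per-account "Password Never Expires" override and the password-not-required
# flag decoded from userAccountControl, summarised in the report's buckets.
# Assumes the RSAT ActiveDirectory module; "administrator account" = member of
# Domain Admins is an assumption to adjust.
Import-Module ActiveDirectory

# userAccountControl flag values (Microsoft-documented constants).
$UF_ACCOUNTDISABLE     = 0x0002
$UF_PASSWD_NOTREQD     = 0x0020
$UF_DONT_EXPIRE_PASSWD = 0x10000

function Get-PasswordPosture {
    $now    = (Get-Date).ToUniversalTime()
    $maxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.TotalDays   # domain-wide interval
    $admins = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive | ForEach-Object { $_.SamAccountName })
    Get-ADUser -Filter * -Properties pwdLastSet, userAccountControl | ForEach-Object {
        $uac = [int]$_.userAccountControl
        # pwdLastSet is a FILETIME; 0 means "user must change password at next logon".
        $age = if ($_.pwdLastSet -gt 0) {
            [int]($now - [datetime]::FromFileTimeUtc([long]$_.pwdLastSet)).TotalDays
        } else { $null }
        $neverExpires = [bool]($uac -band $UF_DONT_EXPIRE_PASSWD)
        [pscustomobject]@{
            Account         = $_.SamAccountName
            Path            = ($_.DistinguishedName -split ',', 2)[1]
            Disabled        = [bool]($uac -band $UF_ACCOUNTDISABLE)
            Admin           = ($admins -contains $_.SamAccountName)
            PasswordAgeDays = $age
            NeverExpires    = $neverExpires
            PasswordNotReqd = [bool]($uac -band $UF_PASSWD_NOTREQD)
            # The override only matters once the password is older than the policy would allow.
            ExceedsPolicy   = ($neverExpires -and $maxAge -gt 0 -and $age -gt $maxAge)
        }
    }
}

function Get-PasswordSummary {
    # One block of the report's Section Summary; percentages are of the chosen population.
    param([object[]]$Accounts, [switch]$ExcludeDisabled, [switch]$AdminsOnly)
    $base  = if ($AdminsOnly) { $Accounts | Where-Object { $_.Admin } } else { $Accounts }
    $total = @($base).Count
    if ($total -eq 0) { return }
    $set = if ($ExcludeDisabled) { $base | Where-Object { -not $_.Disabled } } else { $base }
    foreach ($days in 30, 60, 90, 180, 360, 730) {
        $k = @($set | Where-Object { $_.PasswordAgeDays -ge $days }).Count
        '{0,6:P1} ({1}) have not had their passwords changed in the last {2} days' -f ($k / $total), $k, $days
    }
    $k = @($set | Where-Object { $_.NeverExpires }).Count
    '{0,6:P1} ({1}) are never required to change their passwords' -f ($k / $total), $k
    $k = @($set | Where-Object { $_.PasswordNotReqd }).Count
    '{0,6:P1} ({1}) are allowed to log on with a zero-length password' -f ($k / $total), $k
}

$posture = @(Get-PasswordPosture)
'All accounts:';                       Get-PasswordSummary -Accounts $posture
'Excluding disabled accounts:';        Get-PasswordSummary -Accounts $posture -ExcludeDisabled
'All administrator accounts:';         Get-PasswordSummary -Accounts $posture -AdminsOnly
'Administrators, excluding disabled:'; Get-PasswordSummary -Accounts $posture -AdminsOnly -ExcludeDisabled

# Detail lists matching the report: ages of 30 days or more, then the never-expire override.
$posture | Where-Object { $_.PasswordAgeDays -ge 30 } | Sort-Object PasswordAgeDays -Descending |
    Format-Table PasswordAgeDays, Account, Path, Disabled, Admin -AutoSize
$posture | Where-Object { $_.NeverExpires } |
    Format-Table Account, Path, Disabled, Admin, PasswordAgeDays, ExceedsPolicy, PasswordNotReqd -AutoSize
```

Get-ADUser also exposes these bits as the derived PasswordNeverExpires and PasswordNotRequired properties; decoding the raw userAccountControl value is shown here because it is the same field the report means when it says a setting is only visible through a programmatic interface, and it makes the ExceedsPolicy column possible: a never-expiring password is the finding the report rates high only when its age already exceeds the domain's maximum.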
16. Accounts not Requiring a Password

Section Summary

All Accounts: 6.3% (1) of users are allowed to log on with a zero-length password due to security settings in individual user accounts.
Excluding Disabled Accounts: 0.0% (0) of users are allowed to log on with a zero-length password due to security settings in individual user accounts.
All Administrator Accounts: 0.0% (0) of administrator accounts are allowed to log on with a zero-length password due to security settings in individual user accounts.
Administrator Accounts (Excluding Disabled Accounts): 0.0% (0) of administrator accounts are allowed to log on with a zero-length password due to security settings in individual user accounts.

Industry Average Comparison (chart)

Section Detail

Account Name   Path    State  Privilege
Guest          Users   D      Guest

Notes

Account Name: This name is unique in the domain.
Path: Container or Organizational Unit the user belongs to. The higher-level containers or organizational units are written first in the path, followed by the lower-level containers or organizational units. See the General Note in the System Details section for a general explanation of paths.
Account State: Account is Disabled (D), Locked (L), Expired (E), or a combination of them, e.g. (DL) or (DE).

Implications

The setting that allows zero-length (null) passwords to be defined at user account level is one of the values that cannot be displayed via the standard Windows 'Active Directory Users and Computers' interface. It can only be displayed (or set) via a special programmatic interface.

An Administrator can set passwords for the listed accounts to null regardless of domain-level security settings. The accounts could then be used to log in to the system without a password, despite the security policy settings defined at domain level. However, the system will not allow users to change their own passwords to null provided that domain-level security settings prevent it. This can only be done by an Administrator via the 'Reset Password' function or via a programmatic interface.

Because SekChek for Windows does not analyse user passwords, it is not possible to determine which of the listed accounts actually have null passwords assigned to them.

For more information, see SekChek's white paper "MS-Windows Accounts not Requiring a Password" at:

Risk Rating

Low to High (dependent on the privileges assigned to the user account).

In general, allowing the use of null passwords is a very high security risk, because it will allow any person in possession of a valid account name to gain access to your system and information resources. However, there may be some special situations where it is appropriate for null passwords to be assigned to some special accounts (e.g. anonymous access with minimal privileges).

Recommended Action

In general, you should ensure strong passwords are assigned to all user accounts defined on your system. The Leading Practice for a minimum password length is 7 characters. You should also ensure that all accounts allowed null passwords are fully justified.
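Both settings reported in sections 15 and 16 (Password Never Expires, and the password-not-required setting that the 'Active Directory Users and Computers' interface does not show) are bits of the userAccountControl attribute, which is what a programmatic check reads. The following Python is an added example, not SekChek's code: it decodes those bits for a constructed set of accounts and produces the report's four Section Summary lines and Section Detail rows, treating disabled, locked and expired accounts alike under "Excluding Disabled Accounts" as the report does. The flag values are the standard ADS_UF constants; the account data, dates and helper names are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Standard userAccountControl bit flags (the ADS_UF_* values documented by Microsoft).
ACCOUNTDISABLE = 0x0002
LOCKOUT = 0x0010
PASSWD_NOTREQD = 0x0020         # the "not requiring a password" setting of section 16
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000  # the "Password Never Expires" setting of section 15

REPORT_DATE = date(2013, 11, 10)  # analysis date used to decide whether an account has expired


@dataclass
class Account:
    """One user object as exported from the domain (constructed sample, not report data)."""
    name: str
    path: str
    uac: int                          # userAccountControl
    is_admin: bool = False
    expires: Optional[date] = None    # accountExpires; None when the account never expires
    locked_out: bool = False          # AD records lockouts in lockoutTime, not in the LOCKOUT bit


def account_state(acct: Account, as_of: date = REPORT_DATE) -> str:
    """Report-style state code: D (disabled), L (locked), E (expired), or a combination."""
    state = ""
    if acct.uac & ACCOUNTDISABLE:
        state += "D"
    if acct.locked_out or acct.uac & LOCKOUT:
        state += "L"
    if acct.expires is not None and acct.expires < as_of:
        state += "E"
    return state


def percent(count: int, total: int) -> str:
    """Format a count the way the report does, e.g. '87.5% (14)'."""
    pct = 0.0 if total == 0 else 100.0 * count / total
    return f"{pct:.1f}% ({count})"


def summarise(accounts: List[Account], flag: int, as_of: date = REPORT_DATE) -> Dict[str, str]:
    """The four Section Summary lines for one flag. 'Excluding Disabled Accounts' drops
    disabled, locked and expired accounts, as the report does, but keeps the full
    population (all users, or all administrators) as the denominator."""
    admins = [a for a in accounts if a.is_admin]

    def count(population: List[Account], exclude_disabled: bool) -> int:
        return sum(1 for a in population
                   if a.uac & flag and not (exclude_disabled and account_state(a, as_of)))

    return {
        "All Accounts": percent(count(accounts, False), len(accounts)),
        "Excluding Disabled Accounts": percent(count(accounts, True), len(accounts)),
        "All Administrator Accounts": percent(count(admins, False), len(admins)),
        "Administrator Accounts (Excluding Disabled Accounts)":
            percent(count(admins, True), len(admins)),
    }


def detail_rows(accounts: List[Account], flag: int,
                as_of: date = REPORT_DATE) -> List[Tuple[str, str, str, str]]:
    """Section Detail rows (Account Name, Path, State, Privilege) for accounts carrying the flag."""
    return [(a.name, a.path, account_state(a, as_of), "Administrator" if a.is_admin else "User")
            for a in accounts if a.uac & flag]


# Constructed sample domain: names resemble the report's, but every value is made up.
SAMPLE = [
    Account("Administrator", "Users", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD, is_admin=True),
    Account("bradley", "TEST GPO PC", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD),
    Account("Guest", "Users", NORMAL_ACCOUNT | ACCOUNTDISABLE | PASSWD_NOTREQD | DONT_EXPIRE_PASSWORD),
    Account("krbtgt", "Users", NORMAL_ACCOUNT | ACCOUNTDISABLE),
    Account("SUPPORT_388945a0", "Users", NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_EXPIRE_PASSWORD),
    Account("User4", "Users", NORMAL_ACCOUNT),
    Account("User6", "Users", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD, expires=date(2011, 10, 6)),
    Account("User9", "Users", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD, expires=date(2011, 10, 1),
            locked_out=True),
]

if __name__ == "__main__":
    for title, flag in (("Passwords that Never Expire", DONT_EXPIRE_PASSWORD),
                        ("Accounts not Requiring a Password", PASSWD_NOTREQD)):
        print(title)
        for label, value in summarise(SAMPLE, flag).items():
            print(f"  {label}: {value}")
        for row in detail_rows(SAMPLE, flag):
            print("  ", *row)
```

Against a live domain the same bits come from an LDAP export or from the PasswordNeverExpires and PasswordNotRequired properties that Get-ADUser exposes; the summary logic is unchanged.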
17. Invalid Logon Attempts Greater than 3

Section Summary

All Accounts: 0.0% (0) of user accounts have invalid logon attempts greater than 3.
Excluding Disabled Accounts: 0.0% (0) of user accounts have invalid logon attempts greater than 3.
All Administrator Accounts: 0.0% (0) of administrator accounts have invalid logon attempts greater than 3.
Administrator Accounts (Excluding Disabled Accounts): 0.0% (0) of administrator accounts have invalid logon attempts greater than 3.

Industry Average Comparison (chart)

Section Detail

** No data found **

Notes

Account Name: This name is unique in the domain.
Path: Container or Organizational Unit the user belongs to. The higher-level containers or organizational units are written first in the path, followed by the lower-level containers or organizational units. See the General Note in the System Details section for a general explanation of paths.
Account State: Account is Disabled (D), Locked (L), Expired (E), or a combination of them, e.g. (DL) or (DE).

Implications

Invalid logon attempts indicate the number of unsuccessful attempts at signing on to your system with the listed accounts. The value is reset to 0 after a successful sign-on to the system. Consistently high values could indicate that an intruder is attempting to guess user passwords to gain access to your system.

The Lockout Threshold parameter in the Account Lockout Policies determines the number of failed logon attempts for user accounts before accounts are locked out.

Risk Rating

Low to Medium (dependent on the value assigned to the Lockout Threshold parameter in the Account Lockout Policies).

Recommended Action

You should ensure that the Lockout Threshold in the Accounts Policy is set to a reasonable value. A value of 3 is the Leading Practice. Ideally, the Lockout Duration should be set to 0 (forever) in the Accounts Policy. This ensures that accounts are locked when the lockout threshold is exceeded and can only be unlocked by.
18. Users not Allowed to Change Passwords

Section Summary

All Accounts: 56.3% (9) of the users defined to your system are not allowed to change their passwords.
Excluding Disabled Accounts: 37.5% (6) of the users defined to your system are not allowed to change their passwords.
All Administrator Accounts: 0.0% (0) of the administrator accounts defined to your system are not allowed to change their passwords.
Administrator Accounts (Excluding Disabled Accounts): 0.0% (0) of the administrator accounts defined to your system are not allowed to change their passwords.

Industry Average Comparison (chart)

Section Detail

Account Name          Path     State  Privilege
Guest                 Users    D      Guest
SophosSAUPUFFADDER0   Users           User
SophosUpdateMgr       Users           User
Sun                   Amazon          User
SUPPORT_388945a0      Users    D      User
User7                 Users           User
User9                 Users    LE     User
Virtual1              Amazon          User
Virtual2              Amazon          User

Implications

If users are not permitted to change their passwords on a frequent basis, their passwords are likely to become known to other employees and potential intruders. The user profile could then be used to gain unauthorised access to systems and data until the password is changed to a new one.

The password change interval is set in the Accounts Policy. However, individual accounts can have the User Cannot Change Password parameter set, which overrides the policy standard.

A value of Yes in the Account Disabled column indicates that the account has been disabled by a security administrator, is locked due to excessive failed login attempts, or has expired. See Disabled Accounts for details.

Risk Rating

Medium to High.

Recommended Action

The User Cannot Change Password parameter in user accounts should only be set for those accounts where a common sign-on is required (the built-in Guest account is an example of a common account). The privileges and group membership of these accounts should be carefully monitored.

Some service accounts, such as for SMS, normally do not have their passwords changed frequently. For those accounts, the account name and password should be such that they are very difficult to guess.
19. Accounts with Expiry Date

Section Summary

All Accounts: 12.5% (2) of user accounts are set to expire on a certain date. 12.5% (2) of accounts have expired.
All Administrator Accounts: 0.0% (0) of administrator accounts are set to expire on a certain date. 0.0% (0) of administrator accounts have expired.

Section Detail

Account Name   Path    Account Expires   Privilege
User6          Users   06-Oct-2011       User
User9          Users   01-Oct-2011       User

Notes

Account Name: This name is unique in the domain.
Path: Container or Organizational Unit the user belongs to. The higher-level containers or organizational units are written first in the path, followed by the lower-level containers or organizational units. See the General Note in the System Details section for a general explanation of paths.

Implications

The Account Expires parameter allows you to ensure the account is automatically disabled on the assigned date. When an account expires, a user who is logged on remains logged on but cannot establish new network connections. After logging off, that user cannot log on again unless the expiration date is reset or cleared.

Risk Rating

Low to Medium.

Recommended Action

It is good practice to set an expiration date for temporary accounts or accounts assigned to contractors and part-time workers. For added security, and to help ensure that accounts are disabled when no longer used, you could consider setting expiration dates for all user accounts. Note, however, that this will add to the administrative workload and may inconvenience genuine users when their accounts expire and need to be reset by an administrator.
20. Disabled Accounts

Section Summary

All Accounts: 18.8% (3) of user accounts have been disabled.
All Administrator Accounts: 0.0% (0) of administrator accounts have been disabled.

Industry Average Comparison (chart)

Section Detail

Account Name        Path    Last Logon   Privilege
Guest               Users                Guest
krbtgt              Users                User
SUPPORT_388945a0    Users                User

Notes

Account Name: This name is unique in the domain.
Path: Container or Organizational Unit the user belongs to. The higher-level containers or organizational units are written first in the path, followed by the lower-level containers or organizational units. See the General Note in the System Details section for a general explanation of paths.

Implications

No security risks; a housekeeping issue only. Accounts are disabled because they have reached the expiration date or have been disabled by the administrator.

Risk Rating

None.

Recommended Action

These accounts should be checked and deleted if no longer required.
21. Locked Out Accounts

Section Summary

All Accounts: 6.3% (1) of user accounts are 'locked out'.
All Administrator Accounts: 0.0% (0) of administrator accounts are 'locked out'.

Industry Average Comparison (chart)

Section Detail

Account Name   Path    Last Logon    Privilege
User9          Users   07-Nov-2013   User

Notes

Account Name: This name is unique in the domain.
Path: Container or Organizational Unit the user belongs to. The higher-level containers or organizational units are written first in the path, followed by the lower-level containers or organizational units. See the General Note in the System Details section for a general explanation of paths.

Implications

These accounts are locked due to an excessive number of failed logon attempts. This could be an indication that intruders are attempting to access your system. The Lockout Threshold in the accounts policy defines the number of failed logon attempts for user accounts before accounts are locked out.

Risk Rating

Medium to High.

Recommended Action

The reason these accounts have been locked out should be investigated and appropriate action taken. You should ensure that the Lockout Threshold is set to a reasonable value. A value of 3 is the Leading Practice. Ideally, the Lockout Duration should be set to 0 (forever) in the Accounts Policy. This ensures that accounts are locked when the lockout threshold is exceeded and can only be unlocked by.
22. Accounts Whose Passwords Must Change at Next Logon

Section Summary

All Accounts: 6.3% (1) of user accounts must change their password at next logon.
Excluding Disabled Accounts: 0.0% (0) of user accounts must change their password at next logon.
All Administrator Accounts: 0.0% (0) of administrator accounts must change their password at next logon.
Administrator Accounts (Excluding Disabled Accounts): 0.0% (0) of administrator accounts must change their password at next logon.

Section Detail

Account Name   Path    State   Privilege
krbtgt         Users   D       User

Notes

Account Name: This name is unique in the domain.
Path: Container or Organizational Unit the user belongs to. The higher-level containers or organizational units are written first in the path, followed by the lower-level containers or organizational units. See the General Note in the System Details section for a general explanation of paths.
Account State: Account is Disabled (D), Locked (L), Expired (E), or a combination of them, e.g. (DL) or (DE).

Implications

The list details those accounts that must change their password at next logon. This can be the result of a new account, or of the account password having been reset by an administrator with the indicator User Must Change Password At Next Logon turned on. If the chosen passwords are default passwords known to most persons, those accounts could be used by anybody to gain illegal access to the domain with the rights/privileges of the account.

Risk Rating

Low to Medium (depending on the password assigned by the administrator).

Recommended Action

It is good practice to set the User Must Change Password At Next Logon indicator for new user accounts or when administrators reset passwords. This will force the user to change the initial or new password allocated at the first or next logon. The password chosen by the administrator should be unique and not a default password known to most persons.
23. Accounts Created in the Last 90 Days

Section Summary

All Accounts: 68.8% (11) of user accounts were created in the last 360 days:
  18.8% (3) were created in the last 30 days
  18.8% (3) were created in the last 60 days
  43.8% (7) were created in the last 90 days
  43.8% (7) were created in the last 180 days
  68.8% (11) were created in the last 360 days
  31.3% (5) were created more than a year ago

All Administrator Accounts: 50.0% (1) of administrator accounts were created in the last 360 days:
  0.0% (0) were created in the last 30 days
  0.0% (0) were created in the last 60 days
  0.0% (0) were created in the last 90 days
  0.0% (0) were created in the last 180 days
  50.0% (1) were created in the last 360 days
  50.0% (1) were created more than a year ago

Group Accounts: 19.3% (11) of group accounts were created in the last 360 days:
  5.3% (3) were created in the last 30 days
  5.3% (3) were created in the last 60 days
  5.3% (3) were created in the last 90 days
  5.3% (3) were created in the last 180 days
  19.3% (11) were created in the last 360 days
  80.7% (46) were created more than a year ago

Computer Accounts: 25.0% (1) of computer accounts were created in the last 360 days:
  0.0% (0) were created in the last 30 days
  0.0% (0) were created in the last 60 days
  0.0% (0) were created in the last 90 days
  0.0% (0) were created in the last 180 days
  25.0% (1) were created in the last 360 days
  75.0% (3) were created more than a year ago

Note: This is an exception report, so it only lists accounts created in the last 90 days. For details of accounts created more than 90 days ago, see column 'Created' in worksheets _All_User_Accounts and Group_Accounts in the MS-Excel workbook.
Section Detail

Create Date   Account Name   Path     Account Type   Privilege
07-Nov-2013   Cloud 1        Amazon   Group          -
07-Nov-2013   Cloud 2        Amazon   Group          -
07-Nov-2013   Nature         Amazon   Group          -
07-Nov-2013   Sun            Amazon   User           User
07-Nov-2013   Virtual1       Amazon   User           User
07-Nov-2013   Virtual2       Amazon   User           User
29-Aug-2013   User5          Users    User           User
29-Aug-2013   User6          Users    User           User
29-Aug-2013   User7          Users    User           User
29-Aug-2013   User9          Users    User           User

Notes

Account Name: This name is unique in the domain.
Path: Container or Organizational Unit the account belongs to. The higher-level containers or organizational units are written first in the path, followed by the lower-level containers or organizational units. See the General Note in the System Details section for a general explanation of paths.
Account Type: User or Group.

Implications

The authorisation of new accounts, as well as changes to existing accounts, are key management controls that underpin the security of system and information resources. If accounts are defined without management's knowledge or authorisation, they could be used to gain illegal access to your domain and system resources with little fear of detection.

Risk Rating

High (if accounts are defined without appropriate management authorisation).

Recommended Action

You should ensure management authorisation was formally provided prior to defining new accounts. Supporting documentation should minimally include: a reason for creating the account; the security groups the account should belong to; and the system resources required by the account owner.

Before management gives an employee access to a user account they should ensure the employee is made aware of the organisation's security policies and the employee's responsibilities for system security.

Independent audits of new accounts should be conducted on a regular basis to ensure management controls are appropriate and are being applied in a consistent and effective manner.
24. Rights and Privileges

The following seven subsections provide general recommendations regarding rights, and analyses of the effective rights assigned to Local, Global and Universal groups, user accounts, Well-Known objects and external objects:

  Descriptions & General Recommendations for Rights
  Rights Assigned to Local Groups
  Rights Assigned to Universal Groups (Native mode only)
  Rights Assigned to Global Groups
  Rights Assigned to Users
  Rights Assigned to Well-Known Objects
  Rights Assigned to External Objects

Notes

In Windows 200x* domains, each domain controller can have different "local policy" settings. The domain controllers usually inherit the same "local policy" settings by belonging to one Organizational Unit (e.g. Domain Controllers) to which the same policies apply. However, by having domain controllers, for example, in different Organizational Units, different "local policies" can be applied to domain controllers. This has important security implications, as accounts can, for example, be granted powerful rights on one or more domain controllers while being denied the same rights on other domain controllers.

Implications

Rights and privileges allow users to perform certain actions on the system, such as the ability to Backup Files & Directories. Rights/Privileges apply to the system as a whole and are different from permissions, which apply to specific objects.

User rights fall into two general categories: logon rights and privileges. Logon rights control who is authorized to log on to a computer and how they can log on. Privileges control access to system resources, and they can override the permissions that are set on a particular object on the computer.

The special account LocalSystem has built-in capabilities that correspond to almost all privileges and logon rights. Processes that are running as part of the operating system are associated with this account, and they require a complete set of user rights. The system services that are supplied with Windows 200x* are configured automatically to run as LocalSystem. Although other services can be configured to also run under this account, it is recommended that this be done with care.

Logon rights control how security principals are allowed access to the computer, whether from the keyboard or through a network connection, or whether as a service or as a batch job. For each logon method, there exists a pair of logon rights, one to allow logging on to the computer and another to deny logging on to the computer. A deny logon right can be used to exclude groups or individual accounts that have been assigned an allow logon right. Deny rights take precedence over allow rights.

Rights and privileges are assigned to specific accounts directly via the User Rights policy, or indirectly via group membership. Note that members of a Local, Global or Universal group automatically inherit all rights granted to that group. This includes Global groups or users from other domains that are members of a Local or Universal group.

To ease the task of account administration, it is recommended that Rights are primarily assigned to groups rather than to individual user accounts. When Rights are assigned to a group, the Rights are assigned automatically to each user who is added to the group. This is easier than assigning Rights to individual user accounts as each account is created.

If users are given inappropriate rights it can lead to a high security risk.

Risk Rating

Medium to High, depending on the rights granted to groups and users.

Recommended Action

Rights should be justified according to the person's job function. In general, rights should be assigned by adding user accounts to one of the built-in groups that already has the needed rights, rather than by administering the User Rights policy. The recommendations on the following page serve as a guideline only.

Powerful rights should only be granted to users or special accounts (e.g. SMS account) when absolutely necessary. They should also be reviewed on a regular basis.
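To make the inheritance and precedence rules above concrete, here is an added Python example (not SekChek's code) that resolves a principal's effective logon rights through nested group membership, writes the chain in the Group1*Group2*Group3 form that section 24.2 uses for the Via Groups column, and applies deny-over-allow. The group names, memberships and User Rights assignments are constructed, and the function names are this example's own.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample: group -> direct members (users or nested groups). Not taken from the report.
MEMBERSHIP: Dict[str, List[str]] = {
    "Server Operators": ["Helpdesk"],
    "Helpdesk": ["Tier2"],
    "Tier2": ["alice"],
    "Remote Desktop Users": ["alice", "bob"],
    "Contractors": ["bob"],
}

# Constructed User Rights Assignment policy: right -> principals on the allow and deny lists.
USER_RIGHTS: Dict[str, Dict[str, List[str]]] = {
    "Allow log on locally": {"allow": ["Server Operators"], "deny": []},
    "Allow log on through Terminal Services": {"allow": ["Remote Desktop Users"],
                                               "deny": ["Contractors"]},
    "Shut down the system": {"allow": ["carol"], "deny": []},
}


def membership_chains(principal: str,
                      membership: Dict[str, List[str]]) -> Dict[str, List[List[str]]]:
    """Map every group the principal belongs to, directly or through nesting, to the chains
    that lead there. Each chain is written highest-level group first, e.g.
    ['Server Operators', 'Helpdesk', 'Tier2'] for a user whose only direct membership is Tier2."""
    parents: Dict[str, List[str]] = {}
    for group, members in membership.items():
        for member in members:
            parents.setdefault(member, []).append(group)

    chains: Dict[str, List[List[str]]] = {}

    def walk(node: str, chain: List[str], seen: frozenset) -> None:
        for group in parents.get(node, []):
            if group in seen:            # tolerate cyclic nesting instead of recursing forever
                continue
            longer = [group] + chain
            chains.setdefault(group, []).append(longer)
            walk(group, longer, seen | {group})

    walk(principal, [], frozenset())
    return chains


def effective_right(principal: str, right: str,
                    membership: Dict[str, List[str]] = MEMBERSHIP,
                    user_rights: Dict[str, Dict[str, List[str]]] = USER_RIGHTS,
                    ) -> Tuple[str, Optional[str]]:
    """Resolve one right for one principal. Returns (outcome, via): outcome is 'denied',
    'allowed' or 'not granted'; via is the Group1*Group2*Group3 chain the right came through,
    '' for a direct assignment, or None when the right is not held at all."""
    chains = membership_chains(principal, membership)

    def routes(kind: str) -> List[str]:
        found: List[str] = []
        for assignee in user_rights.get(right, {}).get(kind, []):
            if assignee == principal:
                found.append("")                 # direct assignment: Via Groups is empty
            for chain in chains.get(assignee, []):
                found.append("*".join(chain))
        return found

    denied = routes("deny")
    if denied:                                   # deny rights take precedence over allow rights
        return "denied", denied[0]
    allowed = routes("allow")
    if allowed:
        return "allowed", allowed[0]
    return "not granted", None


def rights_table(principal: str) -> List[Tuple[str, str, Optional[str]]]:
    """Rows in the style of section 24.2: (right, outcome, via) for every right in the policy."""
    return [(right, *effective_right(principal, right)) for right in USER_RIGHTS]


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        for right, outcome, via in rights_table(user):
            print(f"{user:6} {right:40} {outcome:12} {via or ''}")
```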
24.1 Descriptions & General Recommendations for Rights

Right: Access this computer from the network
  Description: Allows a user to connect to the computer from the network. By default, this right is assigned to, Everyone, and Power Users.
  Recommendation: Initially granted to, Everyone and Power Users. Restrict as required.

Right: Act as part of the operating system
  Description: Allows a process to authenticate like a user and thus gain access to the same resources as a user. Only low-level authentication services should require this privilege. Note that potential access is not limited to what is associated with the user by default; the calling process might request that arbitrary additional privileges be added to the access token. Note that the calling process can also build an anonymous token that does not provide a primary identity for tracking events in the audit log. When a service requires this privilege, configure the service to use the LocalSystem account (which already includes the privilege), rather than create a separate account and assign the privilege to it.
  Recommendation: Grant to no one.

Right: Add workstations to domain
  Description: Allows a user to add workstations to the domain. Adding a workstation to a domain enables the workstation to recognize the domain's user and global group accounts. By default, members of a domain's and Account Operators groups have the right to add a workstation to a domain. This right cannot be taken away. They can also grant this right to other users.
  Recommendation: Grant to and Account Operators.

Right: Adjust memory quotas for a process
  Description: Allows a process that has Write Property access to another process to increase the processor quota that is assigned to the other process. This privilege is useful for system tuning, but it can be abused, as in a denial-of-service attack. By default, this privilege is assigned to.
  Recommendation: Grant to no one.

Right: Allow log on locally
  Description: Allows a user to log on locally at the computer's keyboard. For servers and domain controllers, by default, this right is assigned to, Account Operators, Backup Operators, Print Operators, and Server Operators.
  Recommendation: For servers and domain controllers (i.e. not workstations), grant to and Operators only.

Right: Allow log on through Terminal Services
  Description: Windows XP (or later) only. Allows a user to log on to the computer by using a Remote Desktop connection.
  Recommendation: By default, this right is assigned to and Remote Desktop Users.

Right: Backup files and directories
  Description: Allows the user to circumvent file and directory permissions to back up the system. The privilege is selected only when an application attempts access through the NTFS backup application programming interface (API). Otherwise, normal file and directory permissions apply. By default, this privilege is assigned to and Backup Operators. (See also Restore files and directories in this table.)
  Recommendation: Grant only to Administrator and Backup Operator.

Right: Bypass traverse checking
  Description: Allows the user to pass through folders to which the user otherwise has no access while navigating an object path in any Microsoft Windows file system or in the registry. This privilege does not allow the user to list the contents of a folder; it allows the user only to traverse its directories. By default, this privilege is assigned to, Backup Operators, Power Users, Users, and Everyone.
  Recommendation: Restrict as required. It is enabled by default for all users.

Right: Change the system time
  Description: Allows the user to set the time for the internal clock of the computer. By default, this privilege is assigned to and Power Users.
  Recommendation: Grant to only.

Right: Create a page file
  Description: Allows the user to create and change the size of a pagefile. This is done by specifying a paging file size for a particular drive under Performance Options on the Advanced tab of System Properties. By default, this privilege is assigned to.
  Recommendation: Grant to only.

Right: Create a token object
  Description: Allows a process to create an access token by calling NtCreateToken() or other token-creating APIs. When a process requires this privilege, use the LocalSystem account (which already includes the privilege), rather than create a separate user account and assign this privilege to it.
  Recommendation: Grant to no one.

Right: Create global objects
  Description: Windows 2000 (SP4 or later) only. Allows a user account to create global objects in a Terminal Services session. Note that users can still create session-specific objects without being assigned this user right.
  Recommendation: By default, members of the group, the System account, and Services that are started by the Service Control Manager are assigned the "Create global objects" user right.

Right: Create permanent shared objects
  Description: Allows a process to create a directory object in the Windows object manager. This privilege is useful to kernel-mode components that extend the Windows object namespace. Components that are running in kernel mode already have this privilege assigned to them; it is not necessary to assign them the privilege.
  Recommendation: Grant to no one or to only.

Right: Debug programs
  Description: Allows the user to attach a debugger to any process. This privilege provides access to sensitive and critical operating system components. By default, this privilege is assigned to.
  Recommendation: Grant to no one unless required for development purposes.

Right: Deny access to this computer from the network
  Description: Prohibits a user or group from connecting to the computer from the network. By default, no one is denied this right.
  Recommendation: Grant as required.

Right: Deny log on as a batch job
  Description: Prohibits a user or group from logging on through a batch-queue facility. By default, no one is denied the right to log on as a batch job.
  Recommendation: Grant as required.

Right: Deny log on as a service
  Description: Prohibits a user or group from logging on as a service. By default, no one is denied the right to log on as a service.
  Recommendation: Grant as required.

Right: Deny log on locally
  Description: Prohibits a user or group from logging on locally at the keyboard. By default, no one is denied this right.
  Recommendation: Grant as required.

Right: Deny log on through Terminal Services
  Description: Windows XP (or later) only. Prohibits a user from logging on to the computer using a Remote Desktop connection.
  Recommendation: Grant as required.

Right: Enable accounts to be trusted for delegation
  Description: Allows the user to change the Trusted for Delegation setting on a user or computer object in Active Directory. The user or computer that is granted this privilege must also have write access to the account control flags on the object. Delegation of authentication is a capability that is used by multi-tier client/server applications. It allows a front-end service to use the credentials of a client in authenticating to a back-end service.
  Recommendation: Grant to only. Misuse of this privilege could make the network vulnerable to sophisticated attacks using Trojan horse programs that impersonate incoming clients and use their credentials to gain access to network resources.

Right: Force shutdown from a remote system
  Description: Allows a user to shut down a computer from a remote location on the network. (See also Shut down the system in this table.) By default, this privilege is assigned to.
  Recommendation: Grant to only.

Right: Generate security audits
  Description: Allows a process to generate entries in the security log. The security log is used to trace unauthorized system access. (See also Manage auditing and security log in this table.)
  Recommendation: Give this right to secure servers.

Right: Impersonate a Client after authentication
  Description: Windows 2000 (SP4 or later) only. Permits programs that run on behalf of the user to impersonate a client. This security setting helps to prevent unauthorized servers from impersonating clients that connect to them through methods such as remote procedure calls (RPC) or named pipes.
  Recommendation: By default, members of the group and the System account are assigned the right.

Right: Increase scheduling priority
  Description: Allows a process that has Write Property access to another process to increase the execution priority of the other process. A user with this privilege can change the scheduling priority of a process in the Task Manager dialog box. By default, this privilege is assigned to.
  Recommendation: Grant to only.

Right: Load and unload device drivers
  Description: Allows a user to install and uninstall Plug and Play device drivers. This privilege does not apply to device drivers that are not Plug and Play; these device drivers can be installed only by. Note that device drivers run as trusted (highly privileged) programs; a user can abuse this privilege by installing hostile programs and giving them destructive access to resources. By default, this privilege is assigned to.
  Recommendation: Grant to only.

Right: Lock pages in memory
  Description: Allows a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Assigning this privilege can result in significant degradation of system performance. This privilege is obsolete and is therefore never selected.
  Recommendation: Grant to no one.

Right: Log on as a batch job
  Description: Allows a user to log on by using a batch-queue facility. By default, this right is assigned to.
  Recommendation: Grant to no one.

Right: Log on as a service
  Description: Allows a security principal to log on as a service. Services can be configured to run under the LocalSystem account, which has a built-in right to log on as a service. Any service that runs under a separate account must be assigned the right. By default, this right is not assigned to anyone.
  Recommendation: Grant to no one.

Right: Manage auditing and security log
  Description: Allows a user to specify object access auditing options for individual resources such as files, Active Directory objects, registry keys and other objects. Object access auditing is not actually performed unless you have enabled it in Audit Policy (under Security Settings, Local Policies). A user who has this privilege can also view and clear the security log from Event Viewer. By default, this privilege is assigned to.
  Recommendation: Grant to only.

Right: Modify firmware environment values
  Description: Allows modification of system environment variables either by a process through an API or by a user through System Properties. By default, this privilege is assigned to.
  Recommendation: Grant to only.

Right: Perform volume maintenance tasks
  Description: Windows XP (or later) only. Allows a nonadministrative or remote user to manage volumes or disks. The operating system checks for the privilege in a user's access token when a process running in the user's security context calls SetFileValidData().
  Recommendation: By default, this right is assigned to members of the group.

Right: Profile single process
  Description: Allows a user to run Microsoft Windows NT and Windows 2000 performance-monitoring tools to monitor the performance of nonsystem processes. By default, this privilege is assigned to and Power Users.
  Recommendation: Grant to only.

Right: Profile system performance
  Description: Allows a user to run Windows NT and Windows 2000 performance-monitoring tools to monitor the performance of system processes. By default, this privilege is assigned to.
  Recommendation: Grant to or Operators.

Right: Remove computer from docking station
  Description: Allows the user of a portable computer to undock the computer by clicking Eject PC on the Start menu. By default, this privilege is assigned to, Power Users, and Users.
  Recommendation: Grant as required.

Right: Replace a process-level token
  Description: Allows a parent process to replace the access token that is associated with a child process.
  Recommendation: Grant to no one. This is a powerful right used only by the system.

Right: Restore files and directories
  Description: Allows a user to circumvent file and directory permissions when restoring backed-up files and directories and to set any valid security principal as the owner of an object. (See also Backup files and directories in this table.) By default, this privilege is assigned to and Backup Operators.
  Recommendation: Grant to and Backup Operators only. This right overrides file and directory permissions.

Right: Shut down the system
  Description: Allows a user to shut down the local computer. At domain level this applies to all domain controllers in the domain. On a server or workstation, this applies to that machine only.
  Recommendation: Grant to and Operators only, especially for domain controllers or servers. On workstations, this can be granted to all users.

Right: Synchronize directory service data
  Description: Allows a process to provide directory synchronization services. This privilege is relevant only on domain controllers. By default, this privilege is assigned to the Administrator and LocalSystem accounts on domain controllers.
  Recommendation: Grant to only.

Right: Take ownership of files or other objects
  Description: Allows a user to take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. At domain level this applies to all domain controllers in the domain. On a server or workstation, this applies to that machine only.
  Recommendation: Grant to only. This right overrides permissions protecting the object(s).
24.2 Rights Assigned to Local Groups

Local groups can acquire rights indirectly via membership of another group or groups (the column Group Account Name) or by direct assignment (the column Group Account Name is empty). E.g. Local Group has Right via membership of Local1*Local2*Local3.

In Native Mode domains, a Local Security Group can be a member of other Local Security Groups. Rights can propagate through nested security groups. In those cases, the Group Account Name will be written in the format Group1*Group2*Group3, starting from the higher-level group from which the group acquires the right. In Mixed Mode domains, a Local Security Group cannot be a member of another Local Security Group.

For a complete list of groups see report section Groups Defined in the Domain.

Local Group / Right / Via Groups (the Via Groups column is empty for every row below, i.e. all rights are assigned directly)

Account Operators
  Allow log on locally

(group name not captured in the extraction)
  Access this computer from the network
  Adjust memory quotas for a process
  Allow log on locally
  Allow log on through Terminal Services
  Backup files and directories
  Bypass traverse checking
  Change the system time
  Create a page file
  Create global objects
  Debug programs
  Enable accounts to be trusted for delegation
  Force shutdown from a remote system
  Impersonate a Client after authentication
  Increase scheduling priority
  Load and unload device drivers
  Manage auditing and security log
  Modify firmware environment values
  Perform volume maintenance tasks
  Profile single process
  Profile system performance
  Remove computer from docking station
  Restore files and directories
  Shut down the system
  Take ownership of files or other objects

Backup Operators
  Allow log on locally
  Backup files and directories
  Restore files and directories
  Shut down the system

Pre-Windows 2000 Compatible Access
  Access this computer from the network
  Bypass traverse checking

Print Operators
  Allow log on locally
  Load and unload device drivers
  Shut down the system

Server Operators
  Allow log on locally
  Backup files and directories
  Change the system time
  Force shutdown from a remote system
  Restore files and directories
  Shut down the system

SQLServer2005SQLBrowserUser$PUFFADDER
  Log on as a service
24.3 Rights Assigned to Universal Groups (Native mode only)

Universal groups can acquire rights indirectly via membership of another Universal or Local security group or groups (the column Group Account Name) or by direct assignment (the column Group Account Name is empty). E.g. Universal Group has Right via membership of Local1*Local2*Universal1*Universal2 or Universal1*Universal2*Universal3.

In Native Mode domains, a Universal Security Group can be a member of other Universal or Local Security Groups. Rights can propagate through nested security groups. In those cases, the Group Account Name will be written in the format Group1*Group2*Group3, starting from the higher-level group from which the group acquires the right. In Mixed Mode domains, Universal Security Groups cannot be created.

For a complete list of groups see report section Groups Defined in the Domain.

** No data found **
24.4 Rights Assigned to Global Groups

Global groups can acquire rights indirectly via membership of another group or groups (the column Group Account Name) or by direct assignment (the column Group Account Name is empty). E.g. Global Group has Right via membership of LocalGroup or Local1*Local2*Universal1*Global1 or Universal1*Universal2*Global1 or Global1*Global2*Global3.

In Native Mode domains a Global Security Group can be a member of other Global, Universal or Local Security Groups. Rights can propagate through nested security groups. In those cases, the Group Account Name will be written in the format Group1*Group2*Group3, starting from the higher-level group from which the group acquires the right. In Mixed Mode domains a Global Security Group can be a member of Local Security Groups only.

For a complete list of groups see report section Groups Defined in the Domain.

Global Group / Right / Via Groups (the Via Groups column is empty for every row below, i.e. all rights are assigned directly)

Domain Admins
  Access this computer from the network
  Adjust memory quotas for a process
  Allow log on locally
  Allow log on through Terminal Services
  Backup files and directories
  Bypass traverse checking
  Change the system time
  Create a page file
  Create global objects
  Debug programs
  Enable accounts to be trusted for delegation
  Force shutdown from a remote system
  Impersonate a Client after authentication
  Increase scheduling priority
  Load and unload device drivers
  Manage auditing and security log
  Modify firmware environment values
  Perform volume maintenance tasks
  Profile single process
  Profile system performance
  Remove computer from docking station
  Restore files and directories
  Shut down the system
  Take ownership of files or other objects
24.5 Rights Assigned to Users

The following two reports list all rights assigned to users, including rights assigned directly to users (the column Group Account Name is empty), and rights acquired indirectly via membership of groups or nested groups (the column Group Account Name). The first report is Grouped by Right and the second is Grouped by User Account.

In cases of rights acquired indirectly, the Group Account Name will be written in the format Group1*Group2*Group3, starting from the higher-level group from which the user acquires the right. E.g. User Account has Right via membership of Group1*Group2*Group3.

Consult reports Rights Assigned to Local Groups, Rights Assigned to Universal Groups (Native mode only) and Rights Assigned to Global Groups for a complete list of rights assigned to all Groups. For a complete list of groups see report section Groups Defined in the Domain.

Section Summary
  12.5% (2) of user accounts have right 'Access this computer from the network'
  6.3% (1) of user accounts have right 'Deny access to this computer from the network'
  12.5% (2) of user accounts have right 'Access this computer from the network(effective)'
  0.0% (0) of user accounts have right 'Act as part of the operating system'
  0.0% (0) of user accounts have right 'Add workstations to domain'
  12.5% (2) of user accounts have right 'Adjust memory Quotas for a process'
  12.5% (2) of user accounts have right 'Backup files and directories'
  12.5% (2) of user accounts have right 'Bypass traverse checking'
  12.5% (2) of user accounts have right 'Change the system time'
  0.0% (0) of user accounts have right 'Create a token object'
  12.5% (2) of user accounts have right 'Create global objects'
  12.5% (2) of user accounts have right 'Create a page file'
  0.0% (0) of user accounts have right 'Create permanent shared objects'
  12.5% (2) of user accounts have right 'Debug programs'
  12.5% (2) of user accounts have right 'Force shutdown from a remote system'
  0.0% (0) of user accounts have right 'Generate security audits'
  12.5% (2) of user accounts have right 'Impersonate a Client after authentication'
  12.5% (2) of user accounts have right 'Increase scheduling priority'
  12.5% (2) of user accounts have right 'Load and unload device drivers'
  0.0% (0) of user accounts have right 'Lock pages in memory'
  6.3% (1) of user accounts have right 'Log on as a batch job'
  0.0% (0) of user accounts have right 'Deny logon as a batch job'
  6.3% (1) of user accounts have right 'Logon as a batch job(effective)'
  6.3% (1) of user accounts have right 'Log on as a service'
  0.0% (0) of user accounts have right 'Deny logon as a service'
  6.3% (1) of user accounts have right 'Logon as a service(effective)'
  12.5% (2) of user accounts have right 'Log on locally'
  12.5% (2) of user accounts have right 'Deny user from logging on locally'
  12.5% (2) of user accounts have right 'Log on locally(effective)'
  12.5% (2) of user accounts have right 'Allow logon through Terminal Services'
  0.0% (0) of user accounts have right 'Deny logon through Terminal Services'
  12.5% (2) of user accounts have right 'Logon through Terminal Services(Effective)'
  12.5% (2) of user accounts have right 'Manage auditing and security log'
  12.5% (2) of user accounts have right 'Modify firmware environment values'
  12.5% (2) of user accounts have right 'Perform volume maintenance tasks'
  12.5% (2) of user accounts have right 'Profile single process'
  12.5% (2) of user accounts have right 'Profile system performance'
  0.0% (0) of user accounts have right 'Replace a process-level token'
  12.5% (2) of user accounts have right 'Restore files and directories'
  12.5% (2) of user accounts have right 'Shut down the system'
  12.5% (2) of user accounts have right 'Take ownership of files or other objects'
  12.5% (2) of user accounts have right 'Set the Trusted for Delegation setting'
  12.5% (2) of user accounts have right 'Undock a laptop with the Windows 2000 interface'
  0.0% (0) of user accounts have right 'Synchronize directory service data'
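Sections 24.2 to 24.5 describe how a right reaches a principal through nested groups (the Group1*Group2*Group3 notation) and how the "(effective)" figures pair each Allow right with its Deny counterpart. The script below is an added example, not SekChek's code or its data: it resolves those chains and produces Section-Summary-style percentages for a small constructed domain. The assignment and membership tables, and the modelling of Authenticated Users as a group that contains every user, are assumptions made for the example.

```python
"""Added example (not SekChek code): resolve user rights through nested
group membership in the report's Group1*Group2*Group3 notation and derive the
'(Effective)' figure as Allow rights minus the matching Deny rights."""
from collections import defaultdict

# Constructed sample data modelled loosely on the report; not the live domain.
# Direct assignments: right -> trustees (users, groups or well-known objects).
ASSIGNMENTS = {
    "Access this computer from the network": {"Administrators", "Authenticated Users"},
    "Deny access to this computer from the network": {"SUPPORT_388945a0"},
    "Log on as a batch job": {"SUPPORT_388945a0"},
    "Log on as a service": {"SophosSAUPUFFADDER0"},
    "Debug programs": {"Administrators"},
}
# Membership: group -> direct members (users or groups; nesting allowed).
# 'Authenticated Users' is modelled as a group containing every user (assumption).
MEMBERS = {
    "Administrators": {"Administrator", "Domain Admins", "Enterprise Admins"},
    "Domain Admins": {"Administrator"},
    "Enterprise Admins": {"Administrator"},
    "Authenticated Users": {"Administrator", "GpLinkTest",
                            "SUPPORT_388945a0", "SophosSAUPUFFADDER0"},
}
USERS = ["Administrator", "GpLinkTest", "SUPPORT_388945a0", "SophosSAUPUFFADDER0"]

# Allow rights paired with the Deny right that overrides each of them.
DENY_OF = {
    "Access this computer from the network": "Deny access to this computer from the network",
    "Log on as a batch job": "Deny log on as a batch job",
    "Log on as a service": "Deny log on as a service",
    "Allow log on locally": "Deny log on locally",
    "Allow log on through Terminal Services": "Deny log on through Terminal Services",
}


def parents_of(members):
    """Invert the membership map: principal -> groups that directly contain it."""
    parents = defaultdict(set)
    for group, direct in members.items():
        for m in direct:
            parents[m].add(group)
    return parents


def membership_chains(principal, parents, seen=()):
    """Every chain [TopGroup, ..., DirectGroup] through which `principal` is a
    member; the report prints such a chain as TopGroup*...*DirectGroup."""
    chains = []
    for group in sorted(parents.get(principal, ())):
        if group in seen:          # guard against circular nesting
            continue
        upper = membership_chains(group, parents, seen + (group,))
        if upper:
            chains.extend(chain + [group] for chain in upper)
        else:
            chains.append([group])
    return chains


def rights_of(user, assignments=ASSIGNMENTS, members=MEMBERS):
    """right -> sorted 'Via Groups' strings; '' means assigned directly."""
    parents = parents_of(members)
    chains = membership_chains(user, parents)
    held = defaultdict(set)
    for right, trustees in assignments.items():
        if user in trustees:
            held[right].add("")
        for chain in chains:
            for i, group in enumerate(chain):
                if group in trustees:
                    # the path starts at the group that actually holds the right
                    held[right].add("*".join(chain[i:]))
    return {r: sorted(v) for r, v in held.items()}


def effective(user, right, **kw):
    """True when `user` holds `right` and is not hit by its Deny counterpart."""
    held = rights_of(user, **kw)
    return right in held and DENY_OF.get(right) not in held


def summary(users=USERS, **kw):
    """'pct (count)' per right, shaped like the report's Section Summary."""
    per_user = {u: rights_of(u, **kw) for u in users}
    lines = {}
    for right in sorted({r for held in per_user.values() for r in held}):
        n = sum(right in held for held in per_user.values())
        lines[right] = f"{100 * n / len(users):.1f}% ({n})"
        if right in DENY_OF:
            e = sum(effective(u, right, **kw) for u in users)
            lines[right + " (Effective)"] = f"{100 * e / len(users):.1f}% ({e})"
    return lines


if __name__ == "__main__":
    for right, via in rights_of("Administrator").items():
        print(right, "via", via)
    for line, value in summary().items():
        print(value, "of user accounts have right", repr(line))
```

The chain for Administrator on "Debug programs" comes out as Administrators, Administrators*Domain Admins and Administrators*Enterprise Admins, which is the structure behind the report's "Administrator *Domain Admins" rows; SUPPORT_388945a0 holds the network right through Authenticated Users but loses it in the effective figure because of its Deny entry.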
Grouped by Right

Note. Where the Account Name is blank this means that the Privilege is assigned to nobody.

Right / Account Name / Via Groups

The following rights are each held by Administrator (directly), Administrator via *Domain Admins, Administrator via *Enterprise Admins, and GpLinkTest (directly):
  Access this computer from the network
  Access this computer from the network (Effective)
  Adjust memory quotas for a process
  Allow log on locally
  Allow log on through Terminal Services
  Backup files and directories
  Bypass traverse checking
  Change the system time
  Create a page file
  Create global objects
  Debug programs
  Enable accounts to be trusted for delegation
  Force shutdown from a remote system
  Impersonate a Client after authentication
  Increase scheduling priority
  Load and unload device drivers
  Manage auditing and security log
  Modify firmware environment values
  Perform volume maintenance tasks
  Profile single process
  Profile system performance
  Remove computer from docking station
  Restore files and directories
  Shut down the system
  Take ownership of files or other objects

Deny access to this computer from the network
  SUPPORT_388945a0

Deny log on locally
  SophosSAUPUFFADDER0
  SUPPORT_388945a0

Log on as a batch job
  SUPPORT_388945a0

Log on as a batch job (Effective)
  SUPPORT_388945a0

Log on as a service
  SophosSAUPUFFADDER0

Log on as a service (Effective)
  SophosSAUPUFFADDER0

Assigned to nobody (Account Name blank):
  Act as part of the operating system
  Create a token object
  Create permanent shared objects
  Deny log on as a batch job
  Deny log on as a service
  Deny log on through Terminal Services
  Generate security audits
  Lock pages in memory
  Replace a process-level token
  Synchronize directory service data
Grouped by User Account

Note. Where the Account Name is blank this means that the Privilege is assigned to nobody.

Account Name / Right / Via Groups

(Account Name blank: assigned to nobody)
  Act as part of the operating system
  Create a token object
  Create permanent shared objects
  Deny log on as a batch job
  Deny log on as a service
  Deny log on through Terminal Services
  Generate security audits
  Lock pages in memory
  Replace a process-level token
  Synchronize directory service data

Administrator (each right below is held directly, via *Domain Admins and via *Enterprise Admins)
  Access this computer from the network
  Access this computer from the network (Effective)
  Adjust memory quotas for a process
  Allow log on locally
  Allow log on through Terminal Services
  Backup files and directories
  Bypass traverse checking
  Change the system time
  Create a page file
  Create global objects
  Debug programs
  Enable accounts to be trusted for delegation
  Force shutdown from a remote system
  Impersonate a Client after authentication
  Increase scheduling priority
  Load and unload device drivers
  Manage auditing and security log
  Modify firmware environment values
  Perform volume maintenance tasks
  Profile single process
  Profile system performance
  Remove computer from docking station
  Restore files and directories
  Shut down the system
  Take ownership of files or other objects

GpLinkTest (all assigned directly)
  Access this computer from the network
  Access this computer from the network (Effective)
  Adjust memory quotas for a process
  Allow log on locally
  Allow log on through Terminal Services
  Backup files and directories
  Bypass traverse checking
  Change the system time
  Create a page file
  Create global objects
  Debug programs
  Enable accounts to be trusted for delegation
  Force shutdown from a remote system
  Impersonate a Client after authentication
  Increase scheduling priority
  Load and unload device drivers
  Manage auditing and security log
  Modify firmware environment values
  Perform volume maintenance tasks
  Profile single process
  Profile system performance
  Remove computer from docking station
  Restore files and directories
  Shut down the system
  Take ownership of files or other objects

SophosSAUPUFFADDER0 (all assigned directly)
  Deny log on locally
  Log on as a service
  Log on as a service (Effective)

SUPPORT_388945a0 (all assigned directly)
  Deny access to this computer from the network
  Deny log on locally
  Log on as a batch job
  Log on as a batch job (Effective)
24.6 Rights Assigned to Well-Known Objects

Notes
Well-Known Objects are special identities defined by the Windows 200x* security system, such as Everyone, Local System, Principal Self, Authenticated Users, Creator Owner, and so on. The following report lists rights assigned to Well-Known Objects, including rights assigned directly (the column Group Account Name is empty), and rights acquired indirectly via membership of groups or nested groups (the column Group Account Name). In cases of rights acquired indirectly, the Group Account Name will be written in the format Group1*Group2*Group3, starting from the higher-level group from which the user acquires the right. E.g. Well-Known Object has Right via membership of Group1*Group2*Group3.

Consult reports Rights Assigned to Local Groups, Rights Assigned to Universal Groups (Native mode only) and Rights Assigned to Global Groups for a complete list of rights assigned to all Groups. For a complete list of groups see report section Groups Defined in the Domain.

Account Name / Right / Via Groups

Authenticated Users
  Access this computer from the network
  Access this computer from the network (via Pre-Windows 2000 Compatible Access)
  Add workstations to domain
  Bypass traverse checking
  Bypass traverse checking (via Pre-Windows 2000 Compatible Access)

Enterprise Domain Controllers
  Access this computer from the network

Everyone
  Access this computer from the network
  Bypass traverse checking

Service
  Create global objects
  Impersonate a Client after authentication

SYSTEM
  Log on as a service
24.7 Rights Assigned to External Objects

Notes
The external objects are users, groups or computers that belong to other domains. When Unknown is reflected, it means that the server/domain where the object is registered could not be reached to obtain the information. When a server/domain cannot be reached for information, the server/domain is either not available through the network or the server/domain no longer exists in the domain.

The following report lists rights assigned to external objects, including rights assigned directly (the column Group Account Name is empty), and rights acquired indirectly via membership of groups or nested groups (the column Group Account Name). In cases of rights acquired indirectly, the Group Account Name will be written in the format Group1*Group2*Group3, starting from the higher-level group from which the user acquires the right. E.g. External Object has Right via membership of Group1*Group2*Group3.

Consult reports Rights Assigned to Local Groups, Rights Assigned to Universal Groups (Native mode only) and Rights Assigned to Global Groups for a complete list of rights assigned to all Groups. For a complete list of groups see report section Groups Defined in the Domain.

** No data found **
25. Discretionary Access Controls (DACL) for Containers

Section Summary
This report section analyses 4,572 DACLs defined on the following classes of container objects:
  Containers: 4,366 DACLs
  Domains: 51 DACLs
  Organizational Units: 129 DACLs
  Sites: 26 DACLs

Notes
A discretionary access control list (DACL) is an ordered list of access control entries (ACEs) that define the permissions that apply to an object and its properties. Each ACE identifies an account (user, group, well-known object) and specifies a set of permissions allowed or denied for that account.

Key
Permission Type: The permission(s) the trustee has over the object. Allow = Allow permission to trustee; Deny = Deny permission to trustee.
Trustee: The account to which the permission is assigned for the specified object. (G) = Group; (U) = User; (W) = Well-Known Object; (C) = Computer; (?) = The account is from an external domain and we cannot resolve the account type.
Object: The object on which the account has the permission. (D) = Domain; (OU) = Organizational Unit; (C) = Container; (S) = Site.
Permission Applies To: Specifies where the permissions are applied: This object only; This object and all child objects; Child objects only; Computer objects; Group objects; GroupPolicyContainer objects; Organizational Unit objects; Site objects; Trusted Domain objects; User objects.
Bhvr (Behaviour): P = The permission applies to objects within the container specified (the object the permission applies to) only. If omitted, the permission will propagate to all child objects of the container within the tree. I = The permission is inherited from the parent object. If omitted, the permission is defined directly on the specified object. PI = Both options.

Section Detail
For details see worksheet DACLs in the MS-Excel workbook.

Implications
Some of the permissions are very powerful and they should be carefully assigned to users and groups.

Risk Rating
Medium to High (if users are assigned powerful permissions that are not in line with their job functions).

Recommended Action
You should check that the listed permissions over objects are appropriate and in line with users' job functions.
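The key above defines the P (no further propagation) and I (inherited) behaviour flags and the three "applies to" scopes, but the report only lists the resulting ACEs. The following added example, which is not SekChek's code or data, models a small container tree so that the flags can be seen to arise from propagation, and evaluates access in canonical DACL order (explicit Deny, explicit Allow, inherited Deny, inherited Allow). The tree, the trustee names and the assumption that "Full Control" covers every other permission are constructed for the example.

```python
"""Added example (not SekChek code): how ACEs on Active Directory containers
propagate down a tree, how the report's P (no further propagation) and I
(inherited) behaviour flags arise, and how Deny/Allow order decides access."""
from dataclasses import dataclass, field

THIS_ONLY = "This object only"
THIS_AND_CHILDREN = "This object and all child objects"
CHILDREN_ONLY = "Child objects only"


@dataclass
class ACE:
    kind: str                 # "Allow" or "Deny"
    trustee: str              # e.g. "Domain Admins (G)", "Authenticated Users (W)"
    permission: str           # e.g. "Full Control", "Write Property"
    applies_to: str           # one of the three scopes above
    propagate_once: bool = False   # P: children receive it, but do not pass it on
    inherited: bool = False        # I: arrived from the parent, not defined here


@dataclass
class ADObject:
    name: str
    kind: str                      # "D", "OU", "C" or "S" as in the report's key
    dacl: list = field(default_factory=list)
    children: list = field(default_factory=list)


def behaviour(ace):
    """The report's Bhvr column: 'P', 'I', 'PI' or ''."""
    return ("P" if ace.propagate_once else "") + ("I" if ace.inherited else "")


def propagate(obj):
    """Copy inheritable ACEs from `obj` onto its descendants, in place."""
    for child in obj.children:
        for ace in obj.dacl:
            if ace.applies_to == THIS_ONLY:
                continue                       # not inheritable at all
            # A P-flagged ACE reaches the child but stops there; otherwise the
            # copy stays inheritable (an inherit-only ACE becomes effective here).
            scope = THIS_ONLY if ace.propagate_once else THIS_AND_CHILDREN
            child.dacl.append(ACE(ace.kind, ace.trustee, ace.permission, scope,
                                  propagate_once=False, inherited=True))
        propagate(child)


def access(obj, sids, permission):
    """Evaluate `permission` for a principal whose token holds `sids` (its own
    name plus its groups). Canonical DACL order decides: explicit Deny, explicit
    Allow, inherited Deny, inherited Allow; the first matching ACE wins and no
    match means no access. 'Full Control' is assumed to cover every permission."""
    for ace in sorted(obj.dacl, key=lambda a: (a.inherited, a.kind != "Deny")):
        if ace.applies_to == CHILDREN_ONLY or ace.trustee not in sids:
            continue
        if ace.permission in (permission, "Full Control"):
            return ace.kind == "Allow"
    return False


def build_sample():
    """Constructed sample tree; the names are illustrative, not the report's data."""
    domain = ADObject("Snake.com", "D", dacl=[
        ACE("Allow", "Domain Admins (G)", "Full Control", THIS_AND_CHILDREN),
        ACE("Allow", "Authenticated Users (W)", "Read", THIS_AND_CHILDREN),
        # Helpdesk may write properties of the domain's immediate children only
        ACE("Allow", "Helpdesk (G)", "Write Property", CHILDREN_ONLY, propagate_once=True),
    ])
    servers = ADObject("Servers", "OU")
    service_accounts = ADObject("Service Accounts", "C")
    workstations = ADObject("Workstations", "OU", dacl=[
        ACE("Deny", "Helpdesk (G)", "Write Property", THIS_ONLY),   # explicit Deny
    ])
    servers.children.append(service_accounts)
    domain.children.extend([servers, workstations])
    propagate(domain)
    return domain, servers, service_accounts, workstations


if __name__ == "__main__":
    for obj in build_sample():
        for ace in obj.dacl:
            print(f"{obj.name} ({obj.kind}): {ace.kind} {ace.trustee} "
                  f"{ace.permission} [{ace.applies_to}] {behaviour(ace)}")
```

Running it shows the Helpdesk ACE carrying P on the domain, arriving on the Servers OU flagged I with scope "This object only", and never reaching the Service Accounts container; on the Workstations OU the explicit Deny outranks the inherited Allow, which is the ordering a reviewer should keep in mind when reading the DACLs worksheet.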
26. Trusted and Trusting Domains

Section Summary
The domain being analysed has trust relationships with 2 other domains:
  50.0% (1) are trusted domains
  50.0% (1) are trusting domains
  0.0% (0) are both trusted and trusting domains

Section Detail
Domain Name | Trust Type | Attributes | Trusted / Trusting
SnakeNY | MIT Kerberos realm | Disallow transitivity | Yes
SnakeWP | MIT Kerberos realm | Disallow transitivity | Yes

Implications
A trust relationship is a link between two domains where the trusting domain honours logon authentications of the trusted domain. Active Directory services support two forms of trust relationships: one-way, non-transitive trusts and two-way, transitive trusts.

In a one-way trust relationship, if Domain A trusts Domain B, Domain B does not automatically trust Domain A. In a non-transitive trust relationship, if Domain A trusts Domain B and Domain B trusts Domain C, then Domain A does not automatically trust Domain C. Networks running Windows NT 4.0 and earlier versions of Windows NT use one-way, non-transitive trust relationships. You manually create one-way, non-transitive trust relationships between existing domains. As a result, a Windows NT 4.0 (or earlier Windows NT) network with several domains requires the creation of many trust relationships. Active Directory services support this type of trust for connections to existing Windows NT 4.0 and earlier domains and to allow the configuration of trust relationships with domains in other domain trees.

A two-way, transitive trust is the relationship between parent and child domains within a domain tree and between the top-level domains in a forest of domain trees. This is the default. Trust relationships among domains in a tree are established and maintained automatically. Transitive trust is a feature of the Kerberos authentication protocol, which provides for distributed authentication and authorization in Windows 200x*.

In a two-way trust relationship, if Domain A trusts Domain B, then Domain B trusts Domain A. In a transitive trust relationship, if Domain A trusts Domain B and Domain B trusts Domain C, then Domain A trusts Domain C. Therefore in a two-way, transitive trust relationship, if DomainA trusts DomainB and DomainB trusts DomainC, then DomainA trusts DomainC and DomainC trusts DomainA. If a two-way, transitive trust exists between two domains, you can assign permissions to resources in one domain to user and group accounts in the other domain, and vice versa.

Two-way, transitive trust relationships are the default in Windows 200x*. When you create a new child domain in a domain tree, a trust relationship is established automatically with its parent domain, which imparts a trust relationship with every other domain in the tree. As a result, users in one domain can access resources to which they have been granted permission in all other domains in a tree. Note, however, that the single logon enabled by trusts does not necessarily imply that the authenticated user has rights and permissions in all domains.

The trusting domain relies on the trusted domain to verify the userid and password of users who log on to the trusted domain. Trusted domains can potentially provide paths for illegal access to the trusting domains. Weak security standards applied in trusted domains can undermine security on the trusting domains.

Risk Rating
Medium to High (dependent on the quality of security standards applied in trusted domains).

Recommended Action
You should satisfy yourself that security in domains trusted by your domain is implemented and administered to appropriate standards. You should consider running SekChek on domain controllers for all trusted domains.
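The Implications above give the rules for one-way versus two-way and transitive versus non-transitive trusts in prose. The script below is an added example, not SekChek's code or the report's trust data: it applies those rules to a constructed set of trusts to list which domains each domain honours logons from, and which domains would be exposed if a given trusted domain's security were weak (the concern the Risk Rating raises). The domain names and trust entries are assumptions made for the example.

```python
"""Added example (not SekChek code): work out which domains a domain honours
logons from, given one-way/two-way and transitive/non-transitive trusts, and
which domains are exposed if a trusted domain's security is weak."""

# Constructed sample; domain names are illustrative, not the report's data.
# Each entry: (trusting domain, trusted domain, two_way, transitive).
TRUSTS = [
    ("snake.com", "corp.snake.com", True, True),           # parent/child tree trust
    ("corp.snake.com", "lab.corp.snake.com", True, True),  # default two-way transitive
    ("snake.com", "SnakeNY", False, False),                # one-way, transitivity disallowed
]


def trust_edges(trusts):
    """Directed edges trusting -> trusted; a two-way trust yields both directions."""
    edges = []
    for trusting, trusted, two_way, transitive in trusts:
        edges.append((trusting, trusted, transitive))
        if two_way:
            edges.append((trusted, trusting, transitive))
    return edges


def trusted_by(domain, trusts):
    """Domains whose logons `domain` honours: every directly trusted domain, plus
    any domain reachable through a chain in which every hop is transitive."""
    edges = trust_edges(trusts)
    direct = {t for s, t, _ in edges if s == domain}
    reach, frontier = set(), [domain]
    while frontier:
        node = frontier.pop()
        for s, t, transitive in edges:
            if s == node and transitive and t != domain and t not in reach:
                reach.add(t)
                frontier.append(t)
    return direct | reach


def trusts_domain(trusting, trusted, trusts):
    """Does `trusting` accept authentications from `trusted`?"""
    return trusted in trusted_by(trusting, trusts)


def exposed_to(weak_domain, trusts):
    """Domains that rely on `weak_domain` to verify logons, i.e. the domains a
    weakly secured trusted domain could provide an access path into."""
    domains = {d for entry in trusts for d in entry[:2]}
    return {d for d in domains
            if d != weak_domain and trusts_domain(d, weak_domain, trusts)}


if __name__ == "__main__":
    for d in sorted({d for entry in TRUSTS for d in entry[:2]}):
        print(f"{d} trusts: {sorted(trusted_by(d, TRUSTS))}")
    print("exposed if SnakeNY is weak:", sorted(exposed_to("SnakeNY", TRUSTS)))
```

With this data the non-transitive realm trust to SnakeNY is honoured by snake.com only; corp.snake.com and lab.corp.snake.com never inherit it, so a weakness in SnakeNY exposes just the one trusting domain, whereas a weakness in corp.snake.com exposes both its parent and its child through the transitive tree trusts.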
27. Servers and Workstations

Notes
Role: DC = Domain Controller, S = Server, WS = Workstation. When OS & Version = Not defined and Role = blank, it means that SekChek could not obtain the information or that the object does not refer to an actual machine.

Section Summary
There are 4 computer accounts defined in your domain:
  50.0% (2) are Domain Controllers
  0.0% (0) are Servers
  50.0% (2) are Workstations
  0.0% (0) of computer accounts are protected against accidental deletion

Breakdown of Operating Systems:
  25.0% (1) are running Windows 7 Enterprise
  25.0% (1) are running Windows Server (version not captured)
  25.0% (1) are running Windows Server 2008 R2 Enterprise
  25.0% (1) are running Windows Vista™ Enterprise

Section Detail
Common Name | Path | OS & Version | Role
BEOWOLF | Computers | Windows Vista™ Enterprise 6.0 (6002) | WS
BOOMSLANG | Domain Controllers | Windows Server (3790) | DC
PUFFADDER | Domain Controllers | Windows Server 2008 R2 Enterprise 6.1 (7601) | DC
REDWOLF | Computers | Windows 7 Enterprise 6.1 (7601) | WS

Implications
Every server and workstation will provide various services to users within the domain. Servers normally offer services such as SQL databases, business applications, Active Directory, and remote access services. Workstations are normally used by end users to log on to the domain and make use of domain resources and services as required. Resources and services can be shared, with varying access permission settings, on all servers and workstations. Every server and workstation is a potential security risk because they provide an access path to domain resources.

Risk Rating
Medium to High (depending on the type of servers, their configuration and the security setting standards applied).

Recommended Action
You should ensure that:
  Configurations and security settings are defined to appropriate standards
  Services and resources are appropriately restricted on servers and workstations
  Account databases have the appropriate security settings to help prevent illegal access
  The rights assigned to accounts and groups are effectively controlled
  Effective virus detection and prevention services are installed, running and started automatically at system startup time
115 28. Domain Controllers in the Domain Section Summary There are 2 Domain Controllers (DCs) defined in your domain. 0 DCs are configured as Read Only Domain Controllers (RODC) 100.0% (2) were scanned for users' last logon times. Section Detail Common Name Path Scanned for Last Logons RODC FSMO/GC Role BOOMSLANG Domain Controllers Yes No Domain Naming Master Global Catalog Schema Master PUFFADDER Domain Controllers Yes No Global Catalog Infrastructure Master PDC Emulator RID Master Domain Controller A domain controller (DC) is a computer running Windows 200x* Server that holds a copy of Active Directory. DCs authenticate domain logons and track changes made to accounts, groups, and policy and trust relationships in a domain. A domain can contain more than one DC. Windows 200x* Server domain controllers provide an extension of the capabilities and features provided by Windows NT Server 4.0 domain controllers. For example, domain controllers in Windows 200x* support multimaster replication, synchronizing data on each domain controller and ensuring consistency of information over time. Multimaster replication is an evolution of the primary and backup domain controller of Windows NT Server 4.0, in which only one server, the primary domain controller, had a read and write copy of the directory. Read Only Domain Controller (RODC) A read-only domain controller (RODC) was introduced in the Windows Server 2008 operating system. Except for account passwords, an RODC holds all the Active Directory objects and attributes that a writable domain controller holds. However, changes cannot be made to the database that is stored on the RODC. Changes must be made on a writable domain controller and then replicated back to the RODC. 
Flexible Single Master Operation (FSMO) Roles FSMO Roles are roles assigned to Domain Controllers on a domain running Active Directory, and include: Domain Naming Master: The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide domain name space of the directory. This DC is the only one that can add or remove a domain from the directory. Unique per enterprise; as such, it is possible that this role is not held by a DC on this domain. Infrastructure Master: When an object in Domain A is referenced by another object in Domain B, it represents the reference by the GUID, the SID (for references to security principals), and the DN of the Active Directory object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference. Unique per domain. PDC Emulator: In a Windows 200x domain, the PDC emulator role holder retains the following functions: Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator. Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user. Account lockout is processed on the PDC emulator. Unique per domain. Produced by SekChek for Windows V , 10-Nov-2013 (Ref ) Page 115 of 154
RID Master: The RID (Relative ID) Master is responsible for assigning pools of RIDs to the other DCs in the domain. Each DC in a domain is allowed to create new security principal objects, and the RID Master issues each DC a pool of RIDs to assign to these newly created objects. As new objects are created this pool diminishes; once it falls below a threshold, the DC requests an additional pool of RIDs from the RID Master. Unique per domain.

Schema Master: The DC holding the Schema Master role is responsible for processing updates to the AD schema. Once the Schema Master updates the schema, the changes are replicated to the other DCs in the forest. Unique per forest (enterprise); as such, it is possible that this role is not held by a DC in this domain.

Global Catalog (GC)

A DC can also hold a copy of the global catalog. The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in an Active Directory forest. The global catalog is stored on DCs that have been designated as global catalog servers and is distributed through multimaster replication. Searches that are directed to the global catalog are faster because they do not involve referrals to different DCs. The global catalog provides the ability to locate objects from any domain without having to know the domain name. A global catalog server is a DC that, in addition to its full, writable domain directory partition replica, also stores a partial, read-only replica of all other domain directory partitions in the forest. The additional domain directory partitions are partial because only a limited set of attributes is included for each object. By including only the attributes that are most used for searching, every object in every domain in even the largest forest can be represented in the database of a single global catalog server.
Risk Rating

Low to medium, depending on the security standards applied to all Domain Controllers in the Domain.

Recommended Action

Confirm that every Domain Controller, including any RODC, is built and maintained to the same hardening baseline (patch level, local security policy, audit settings, and physical and administrative access). A writable DC holds the credential material for the whole domain, so the domain is only as secure as its least-secure DC.
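As an added example (not part of the SekChek report), the following PowerShell enumerates the DCs of the current domain in the same shape as the table above and applies the checks a reviewer would want on top of it: where the forest-wide and domain-wide FSMO roles live, whether the infrastructure master is on a GC when not every DC is one, whether all DCs run the same OS build, and which DCs a last-logon scan must reach. It assumes the ActiveDirectory RSAT module is installed and the session runs as a domain user; the property names used are those of Get-ADDomainController, Get-ADDomain and Get-ADForest.

```powershell
# Added example, not SekChek code: enumerate DCs and review FSMO/GC placement.
# Requires the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest
$dcs    = @(Get-ADDomainController -Filter *)

# One row per DC: RODC flag, GC flag and the FSMO roles it holds (section 28 table).
$rows = foreach ($dc in $dcs) {
    [pscustomobject]@{
        Name = $dc.Name
        Site = $dc.Site
        OS   = $dc.OperatingSystem
        RODC = $dc.IsReadOnly
        GC   = $dc.IsGlobalCatalog
        FSMO = ($dc.OperationMasterRoles -join ', ')
    }
}
$rows | Format-Table -AutoSize

# Forest-wide roles may be held by a DC outside this domain; show where each lives.
"Schema Master         : $($forest.SchemaMaster)"
"Domain Naming Master  : $($forest.DomainNamingMaster)"
"PDC Emulator          : $($domain.PDCEmulator)"
"RID Master            : $($domain.RIDMaster)"
"Infrastructure Master : $($domain.InfrastructureMaster)"

# Check 1: in a multi-domain forest the Infrastructure Master must not be a GC
# unless every DC in the domain is a GC, or cross-domain references go stale.
$im    = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
$allGc = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
if ($forest.Domains.Count -gt 1 -and $im.IsGlobalCatalog -and -not $allGc) {
    Write-Warning "Infrastructure Master $($im.Name) is a GC but not all DCs are GCs"
}

# Check 2: all DCs should be on one OS build; the odd one out is usually the
# least-patched box and the first place to look in a hardening review.
$builds = @($dcs | Group-Object OperatingSystem, OperatingSystemVersion)
if ($builds.Count -gt 1) {
    Write-Warning "DCs run $($builds.Count) different OS builds:"
    $builds | ForEach-Object { "  $($_.Name): $($_.Group.Name -join ', ')" }
}

# Check 3: lastLogon is not replicated, so an accurate last-logon audit must
# query every writable DC; these are the hosts such a scan has to reach.
'Writable DCs a last-logon scan must query:'
$dcs | Where-Object { -not $_.IsReadOnly } | ForEach-Object { "  $($_.HostName)" }
```

Run it from any domain-joined machine with RSAT; none of the checks change anything in the directory.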
29. Accounts Allowed to Dial In through RAS

Section Summary

SekChek could not determine whether there are any RAS servers on the network because the host system's Computer Browser service was not running during the scan (section 30 lists the Computer Browser service as Disabled on this machine).

All Accounts
- 12.5% (2) of users have permission to dial in to your domain through RAS
- 0.0% (0) of these users are not called back by RAS
- 100.0% (2) of these users can set their own RAS call-back number
- 0.0% (0) of these users have their RAS call-back number set by the Administrator

Excluding Disabled Accounts
- 12.5% (2) of users have permission to dial in to your domain through RAS
- 0.0% (0) of these users are not called back by RAS
- 100.0% (2) of these users can set their own RAS call-back number
- 0.0% (0) of these users have their RAS call-back number set by the Administrator

All Administrator Accounts
- 0.0% (0) of administrator accounts have permission to dial in to your domain through RAS

Administrator Accounts (Excluding Disabled Accounts)
- 0.0% (0) of administrator accounts have permission to dial in to your domain through RAS

Section Detail

SekChek could not determine whether there are any RAS servers on the network because the host system's Computer Browser service was not running during the scan.

** No data found **

The following profiles have permission to dial in to your domain through RAS:

Account Name | Callback | Callback Nbr Set By | Phone Number | Service Type | Privilege | Account State
Virtual1 | Yes | Caller | | Callback Framed | User |
Virtual2 | Yes | Caller | | Callback Framed | User |

LEGEND:
Callback = Yes: the server will call back the user before logon is allowed.
Callback Number Set By = Administrator: the call-back number is preset.
Callback Number Set By = Caller: the user provides a call-back number every time.
Phone Number: the preset phone number used for call-back.
Account State: the account is Disabled (D), Locked (L), Expired (E), or a combination of them, e.g. (DL), (DE).
If there are accounts listed with RAS privileges and no RAS servers found, the accounts have been granted RAS privileges but either:
- no RAS servers were visible when this analysis was done; or
- a RAS service was installed at some stage but has since been discontinued.

0 ports listed for a RAS server indicates that the server has the RAS service configured but not active (started).
Implications

RAS (Remote Access Service) allows users to access your system remotely via modems, ISDN etc. RAS increases the risk of unauthorised access to your system because your system is visible to a much larger number of potential intruders via the public telephone network. The risk is greater if privileged users are allowed access through RAS. In general, multiple RAS servers also increase security risk simply because the number of external access points, all of which require securing, is greater. The strength of general security and of RAS security on those servers is an important factor in controlling the risk.

Note that the "Allow access" dial-in permission examined here is the account's Network Access Permission, which Routing and Remote Access applies to VPN connections as well as to dial-up; an account with this flag set is reachable through any RRAS entry point, not only through modems.

You will obtain the most comprehensive view of RAS privileges by running SekChek on the domain controller, on selected RAS servers, and on the domain controllers and RAS servers of each trusted domain. When servers and workstations are members of a domain, they will usually allow users to log on to the domain. For workstations and servers that are not domain members (i.e. standalone machines), domain logon is normally not available to users. Inappropriate security settings in RAS can create significant security exposures.

Risk Rating

Medium to high (dependent on the settings for RAS users, the RAS parameters and the strength of password controls).

Recommended Action

- Grant dial-in (RAS) access only to those users who require it for their job functions, and ensure that RAS access is not granted to all user accounts by default.
- Enable the call-back feature for all RAS users and use a preset phone number. A call-back number "set by caller" gives no assurance about where the call originates, because the caller supplies it.
- Do not grant RAS access to privileged accounts unless absolutely necessary.
- If possible, restrict the logon hours for RAS users. This can be set for individual user accounts.
- Configure the RAS server so that clear-text (PAP) password authentication cannot be negotiated; require an encrypted or certificate-based method such as MS-CHAPv2 or EAP. This is a setting within RAS.
- Review the RAS settings on all RAS servers on a regular basis and ensure that appropriate security standards are applied on all of these machines.
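Added example, not part of the SekChek report: this PowerShell rebuilds the dial-in table above directly from Active Directory, including the Privilege and Account State columns, and then turns the recommended actions into checks (privileged accounts with dial-in, accounts whose call-back is not preset) and one guarded remediation. It assumes the ActiveDirectory module. The mapping of the Dial-in tab's call-back options to the msRADIUSServiceType and msRADIUSCallbackNumber attributes stated in the comments is an assumption of this example, as is the list of groups treated as privileged.

```powershell
# Added example, not SekChek code: audit accounts with the dial-in "Allow access" flag.
Import-Module ActiveDirectory

# Assumed mapping of the Dial-in tab to AD attributes (RFC 2865 Service-Type:
# 2 = Framed, 4 = Callback-Framed, which is what the report's "Callback Framed" shows):
#   "Always Callback to <number>" -> msRADIUSCallbackNumber holds the preset number
#   "Set by Caller"               -> msRADIUSServiceType = 4, no number stored
#   "No Callback"                 -> neither attribute set
$props = 'msNPAllowDialin','msRADIUSCallbackNumber','msRADIUSServiceType',
         'msNPCallingStationID','LockedOut','AccountExpirationDate'

# Privileged accounts: direct or nested members of these groups (assumed list).
$adminGroups = 'Domain Admins','Enterprise Admins','Administrators','Schema Admins'
$admins = foreach ($g in $adminGroups) {
    try { (Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop).SamAccountName }
    catch { Write-Verbose "Could not expand $g : $_" }
}
$admins = @($admins | Sort-Object -Unique)

$dialin = Get-ADUser -LDAPFilter '(msNPAllowDialin=TRUE)' -Properties $props | ForEach-Object {
    $u = $_
    $callbackBy = if ($u.msRADIUSCallbackNumber)      { 'Administrator' }
                  elseif ($u.msRADIUSServiceType -eq 4) { 'Caller' }
                  else                                  { 'None' }
    $state = @()
    if (-not $u.Enabled) { $state += 'D' }
    if ($u.LockedOut)    { $state += 'L' }
    if ($u.AccountExpirationDate -and $u.AccountExpirationDate -lt (Get-Date)) { $state += 'E' }
    [pscustomobject]@{
        Account      = $u.SamAccountName
        Callback     = ($callbackBy -ne 'None')
        CallbackBy   = $callbackBy
        PhoneNumber  = $u.msRADIUSCallbackNumber
        CallerId     = $u.msNPCallingStationID        # "Verify Caller-ID", if set
        Privilege    = if ($admins -contains $u.SamAccountName) { 'Admin' } else { 'User' }
        AccountState = ($state -join '')
    }
}
$dialin | Format-Table -AutoSize

# Findings a reviewer acts on first.
$dialin | Where-Object { $_.Privilege -eq 'Admin' } |
    ForEach-Object { Write-Warning "Privileged account $($_.Account) has dial-in access" }
$dialin | Where-Object { $_.CallbackBy -ne 'Administrator' } |
    ForEach-Object { Write-Warning "$($_.Account): call-back not preset by administrator ($($_.CallbackBy))" }

# Remediation for stale grants: disabled accounts that still carry the flag.
# Clearing msNPAllowDialin returns the account to "Control access through NPS policy".
# Remove -WhatIf to apply the change.
$dialin | Where-Object { $_.AccountState -like '*D*' } | ForEach-Object {
    Set-ADUser -Identity $_.Account -Clear msNPAllowDialin -WhatIf
}
```

Unlike the report's scan, this query does not depend on the Computer Browser service, because it reads the account attributes from AD rather than locating RAS servers; it therefore tells you who could dial in, not whether anything currently accepts the call.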
30. Services and Drivers on the Machine

Section Summary

There are a total of 367 Services installed. These Services include the following types:
- 53.1% (195) are Kernel Drivers
- 7.4% (27) are File System Drivers
- 12.5% (46) are Own Process
- 26.4% (97) are Shared Process
- 0.5% (2) are Own Process (Interactive)
- 0.0% (0) are Shared Process (Interactive)

The Services start types are:
- 8.2% (30) System Boot
- 7.1% (26) System
- 18.5% (68) Automatic
- 62.7% (230) Manual
- 3.5% (13) Disabled

Their current states are:
- 52.3% (192) Stopped
- 0.0% (0) Starting
- 0.0% (0) Stopping
- 47.7% (175) Running
- 0.0% (0) Continuing
- 0.0% (0) Pausing
- 0.0% (0) Paused

Following are two reports. The first enumerates services with their state and start type. The second enumerates services with their logon account and the path name of the executable. The services listed are on the machine being analysed and do not reflect services installed on other machines.

Section Detail

Service Name | Display Name | State | Service Type | Start Type
1394ohci | 1394 OHCI Compliant Host Controller | Stopped | Kernel Driver | Manual
ACPI | Microsoft ACPI Driver | Running | Kernel Driver | Boot
AcpiPmi | ACPI Power Meter Driver | Stopped | Kernel Driver | Manual
adp94xx | adp94xx | Stopped | Kernel Driver | Manual
adpahci | adpahci | Stopped | Kernel Driver | Manual
adpu320 | adpu320 | Stopped | Kernel Driver | Manual
ADWS | Active Directory Web Services | Running | Own Process | Automatic
AeLookupSvc | Application Experience | Running | Shared Process | Manual
AFD | Ancillary Function Driver for Winsock | Running | Kernel Driver | System
agp440 | Intel AGP Bus Filter | Stopped | Kernel Driver | Manual
ALG | Application Layer Gateway Service | Stopped | Own Process | Manual
aliide | aliide | Stopped | Kernel Driver | Manual
amdide | amdide | Stopped | Kernel Driver | Manual
AmdK8 | AMD K8 Processor Driver | Stopped | Kernel Driver | Manual
AmdPPM | AMD Processor Driver | Stopped | Kernel Driver | Manual
amdsata | amdsata | Stopped | Kernel Driver | Manual
amdsbs | amdsbs | Stopped | Kernel Driver | Manual
amdxata | amdxata | Running | Kernel Driver | Boot
AppID | AppID Driver | Stopped | Kernel Driver | Manual
AppIDSvc | Application Identity | Stopped | Shared Process | Manual
Appinfo | Application Information | Stopped | Shared Process | Manual
AppMgmt | Application Management | Running | Shared Process | Manual
arc | arc | Stopped | Kernel Driver | Manual
arcsas | arcsas | Stopped | Kernel Driver | Manual
AsyncMac | RAS Asynchronous Media Driver | Running | Kernel Driver | Manual
atapi | IDE Channel | Running | Kernel Driver | Boot
AudioEndpointBuilder | Windows Audio Endpoint Builder | Stopped | Shared Process | Manual
AudioSrv | Windows Audio | Stopped | Shared Process | Manual
b06bdrv | Broadcom NetXtreme II VBD | Stopped | Kernel Driver | Manual
b57nd60a | Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0 | Stopped | Kernel Driver | Manual
BDESVC | BitLocker Drive Encryption Service | Stopped | Shared Process | Manual
Beep | Beep | Stopped | Kernel Driver | Manual
BFE | Base Filtering Engine | Running | Shared Process | Automatic
BITS | Background Intelligent Transfer Service | Stopped | Shared Process | Manual
blbdrive | blbdrive | Running | Kernel Driver | System
bowser | Browser Support Driver | Running | File System Driver | Manual
BrFiltLo | Brother USB Mass-Storage Lower Filter Driver | Stopped | Kernel Driver | Manual
BrFiltUp | Brother USB Mass-Storage Upper Filter Driver | Stopped | Kernel Driver | Manual
Browser | Computer Browser | Stopped | Shared Process | Disabled
Brserid | Brother MFC Serial Port Interface Driver (WDM) | Stopped | Kernel Driver | Manual
BrSerWdm | Brother WDM Serial driver | Stopped | Kernel Driver | Manual
BrUsbMdm | Brother MFC USB Fax Only Modem | Stopped | Kernel Driver | Manual
BrUsbSer | Brother MFC USB Serial WDM Driver | Stopped | Kernel Driver | Manual
cdfs | CD/DVD File System Reader | Running | File System Driver | Disabled
cdrom | CD-ROM Driver | Running | Kernel Driver | System
CertPropSvc | Certificate Propagation | Running | Shared Process | Manual
CLFS | Common Log (CLFS) | Running | Kernel Driver | Boot
clr_optimization_v _32 | Microsoft .NET Framework NGEN v _x86 | Running | Own Process | Automatic
clr_optimization_v _64 | Microsoft .NET Framework NGEN v _x64 | Running | Own Process | Automatic
CmBatt | Microsoft ACPI Control Method Battery Driver | Stopped | Kernel Driver | Manual
cmdide | cmdide | Stopped | Kernel Driver | Manual
CNG | CNG | Running | Kernel Driver | Boot
Compbatt | Compbatt | Stopped | Kernel Driver | Manual
CompositeBus | Composite Bus Enumerator Driver | Running | Kernel Driver | Manual
COMSysApp | COM+ System Application | Stopped | Own Process | Manual
crcdisk | Crcdisk Filter Driver | Stopped | Kernel Driver | Disabled
CryptSvc | Cryptographic Services | Running | Shared Process | Automatic
DcomLaunch | DCOM Server Process Launcher | Running | Shared Process | Automatic
defragsvc | Disk Defragmenter | Stopped | Own Process | Manual
Dfs | DFS Namespace | Running | Own Process | Automatic
DfsC | DFS Namespace Client Driver | Running | File System Driver | System
DfsDriver | DFS Namespace Server Filter Driver | Running | File System Driver | System
DFSR | DFS Replication | Running | Own Process | Automatic
DfsrRo | DFS Replication ReadOnly Driver | Running | File System Driver | Boot
Dhcp | DHCP Client | Running | Shared Process | Automatic
discache | System Attribute Cache | Running | Kernel Driver | System
Disk | Disk Driver | Running | Kernel Driver | Boot
DNS | DNS Server | Running | Own Process | Automatic
Dnscache | DNS Client | Running | Shared Process | Automatic
dot3svc | Wired AutoConfig | Stopped | Shared Process | Manual
DPS | Diagnostic Policy Service | Running | Shared Process | Automatic
DXGKrnl | LDDM Graphics Subsystem | Stopped | Kernel Driver | Manual
EapHost | Extensible Authentication Protocol | Stopped | Shared Process | Manual
ebdrv | Broadcom NetXtreme II 10 GigE VBD | Stopped | Kernel Driver | Manual
EFS | Encrypting File System (EFS) | Stopped | Shared Process | Manual
elxstor | elxstor | Stopped | Kernel Driver | Manual
ErrDev | Microsoft Hardware Error Device Driver | Stopped | Kernel Driver | Manual
eventlog | Windows Event Log | Running | Shared Process | Automatic
EventSystem | COM+ Event System | Running | Shared Process | Automatic
exfat | exfat File System Driver | Stopped | File System Driver | Manual
fastfat | FAT12/16/32 File System Driver | Stopped | File System Driver | Manual
FCRegSvc | Microsoft Fibre Channel Platform Registration Service | Stopped | Shared Process | Manual
fdc | Floppy Disk Controller Driver | Running | Kernel Driver | Manual
fdphost | Function Discovery Provider Host | Running | Shared Process | Manual
FDResPub | Function Discovery Resource Publication | Stopped | Shared Process | Manual
FileInfo | File Information FS MiniFilter | Stopped | File System Driver | Manual
Filetrace | Filetrace | Stopped | File System Driver | Manual
flpydisk | Floppy Disk Driver | Running | Kernel Driver | Manual
FltMgr | FltMgr | Running | File System Driver | Boot
FontCache | Windows Font Cache Service | Running | Shared Process | Automatic
FontCache | Windows Presentation Foundation Font Cache | Stopped | Own Process | Manual
FsDepends | File System Dependency Minifilter | Stopped | File System Driver | Manual
fvevol | Bitlocker Drive Encryption Filter Driver | Running | Kernel Driver | Boot
gagp30kx | Microsoft Generic AGPv3.0 Filter for K8 Processor Platforms | Stopped | Kernel Driver | Manual
gpsvc | Group Policy Client | Running | Shared Process | Automatic
HDAudBus | Microsoft UAA Bus Driver for High Definition Audio | Stopped | Kernel Driver | Manual
HidBatt | HID UPS Battery Driver | Stopped | Kernel Driver | Manual
hidserv | Human Interface Device Access | Stopped | Shared Process | Manual
HidUsb | Microsoft HID Class Driver | Stopped | Kernel Driver | Manual
hkmsvc | Health Key and Certificate Management | Stopped | Shared Process | Manual
HpSAMD | HpSAMD | Stopped | Kernel Driver | Manual
HTTP | HTTP | Running | Kernel Driver | Manual
hwpolicy | Hardware Policy Driver | Running | Kernel Driver | Boot
i8042prt | i8042 Keyboard and PS/2 Mouse Port Driver | Running | Kernel Driver | Manual
iastorv | Intel RAID Controller Windows 7 | Stopped | Kernel Driver | Manual
idsvc | Windows CardSpace | Stopped | Shared Process | Manual
iirsp | iirsp | Stopped | Kernel Driver | Manual
IKEEXT | IKE and AuthIP IPsec Keying Modules | Stopped | Shared Process | Manual
intelide | intelide | Running | Kernel Driver | Boot
intelppm | Intel Processor Driver | Running | Kernel Driver | Manual
ioatdma | Intel(R) QuickData Technology Device | Stopped | Kernel Driver | Manual
IPBusEnum | PnP-X IP Bus Enumerator | Stopped | Shared Process | Disabled
IpFilterDriver | IP Traffic Filter Driver | Stopped | Kernel Driver | Manual
iphlpsvc | IP Helper | Running | Shared Process | Automatic
IPMIDRV | IPMIDRV | Stopped | Kernel Driver | Manual
IPNAT | IP Network Address Translator | Stopped | Kernel Driver | Manual
isapnp | isapnp | Stopped | Kernel Driver | Manual
iscsiprt | iScsiPort Driver | Stopped | Kernel Driver | Manual
IsmServ | Intersite Messaging | Running | Own Process | Automatic
kbdclass | Keyboard Class Driver | Running | Kernel Driver | Manual
kbdhid | Keyboard HID Driver | Stopped | Kernel Driver | Manual
kdc | Kerberos Key Distribution Center | Running | Shared Process | Automatic
KeyIso | CNG Key Isolation | Stopped | Shared Process | Manual
KSecDD | KSecDD | Running | Kernel Driver | Boot
KSecPkg | KSecPkg | Running | Kernel Driver | Boot
ksthunk | Kernel Streaming Thunks | Stopped | Kernel Driver | Manual
KtmRm | KtmRm for Distributed Transaction Coordinator | Stopped | Shared Process | Manual
LanmanServer | Server | Running | Shared Process | Automatic
LanmanWorkstation | Workstation | Running | Shared Process | Automatic
lltdio | Link-Layer Topology Discovery Mapper I/O Driver | Running | Kernel Driver | Automatic
lltdsvc | Link-Layer Topology Discovery Mapper | Stopped | Shared Process | Manual
lmhosts | TCP/IP NetBIOS Helper | Running | Shared Process | Automatic
LSI_FC | LSI_FC | Stopped | Kernel Driver | Manual
LSI_SAS | LSI_SAS | Stopped | Kernel Driver | Manual
LSI_SAS2 | LSI_SAS2 | Stopped | Kernel Driver | Manual
LSI_SCSI | LSI_SCSI | Stopped | Kernel Driver | Manual
luafv | UAC File Virtualization | Running | File System Driver | Automatic
megasas | megasas | Stopped | Kernel Driver | Manual
MegaSR | MegaSR | Stopped | Kernel Driver | Manual
Microsoft SharePoint Workspace Audit Service | Microsoft SharePoint Workspace Audit Service | Stopped | Own Process | Manual
MMCSS | Multimedia Class Scheduler | Stopped | Shared Process | Manual
Modem | Modem | Stopped | Kernel Driver | Manual
monitor | Microsoft Monitor Class Function Driver Service | Stopped | Kernel Driver | Manual
mouclass | Mouse Class Driver | Running | Kernel Driver | Manual
mouhid | Mouse HID Driver | Running | Kernel Driver | Manual
mountmgr | Mount Point Manager | Running | Kernel Driver | Boot
mpio | Microsoft Multi-Path Bus Driver | Stopped | Kernel Driver | Manual
mpsdrv | Windows Firewall Authorization Driver | Running | Kernel Driver | Manual
MpsSvc | Windows Firewall | Running | Shared Process | Automatic
mrxsmb | SMB MiniRedirector Wrapper and Engine | Running | File System Driver | Manual
mrxsmb10 | SMB 1.x MiniRedirector | Running | File System Driver | Manual
mrxsmb20 | SMB 2.0 MiniRedirector | Running | File System Driver | Manual
msahci | msahci | Stopped | Kernel Driver | Manual
msdsm | Microsoft Multi-Path Device Specific Module | Stopped | Kernel Driver | Manual
MSDTC | Distributed Transaction Coordinator | Running | Own Process | Automatic
Msfs | Msfs | Running | File System Driver | System
mshidkmdf | Pass-through HID to KMDF Filter Driver | Stopped | Kernel Driver | Manual
msisadrv | msisadrv | Running | Kernel Driver | Boot
MSiSCSI | Microsoft iSCSI Initiator Service | Stopped | Shared Process | Manual
msiserver | Windows Installer | Stopped | Own Process | Manual
MsRPC | MsRPC | Stopped | Kernel Driver | Manual
mssmbios | Microsoft System Management BIOS Driver | Running | Kernel Driver | System
MSSQL$SOPHOS | SQL Server (SOPHOS) | Running | Own Process | Automatic
MSSQLServerADHelper100 | SQL Active Directory Helper Service | Stopped | Own Process | Disabled
MTConfig | Microsoft Input Configuration Driver | Stopped | Kernel Driver | Manual
Mup | Mup | Running | File System Driver | Boot
napagent | Network Access Protection Agent | Stopped | Shared Process | Manual
NDIS | NDIS System Driver | Running | Kernel Driver | Boot
NdisCap | NDIS Capture LightWeight Filter | Stopped | Kernel Driver | Manual
NdisTapi | Remote Access NDIS TAPI Driver | Running | Kernel Driver | Manual
Ndisuio | NDIS Usermode I/O Protocol | Stopped | Kernel Driver | Manual
NdisWan | Remote Access NDIS WAN Driver | Running | Kernel Driver | Manual
NDProxy | NDIS Proxy | Running | Kernel Driver | Manual
NetBIOS | NetBIOS Interface | Running | File System Driver | System
NetBT | NetBT | Running | Kernel Driver | System
Netlogon | Netlogon | Running | Shared Process | Automatic
Netman | Network Connections | Running | Shared Process | Manual
netprofm | Network List Service | Running | Shared Process | Manual
NetTcpPortSharing | Net.Tcp Port Sharing Service | Stopped | Shared Process | Disabled
netvsc | netvsc | Running | Kernel Driver | Manual
nfrd960 | nfrd960 | Stopped | Kernel Driver | Manual
NlaSvc | Network Location Awareness | Running | Shared Process | Automatic
Npfs | Npfs | Running | File System Driver | System
nsi | Network Store Interface Service | Running | Shared Process | Automatic
nsiproxy | NSI proxy service driver. | Running | Kernel Driver | System
NTDS | Active Directory Domain Services | Running | Shared Process | Automatic
NtFrs | File Replication Service | Running | Own Process | Automatic
Ntfs | Ntfs | Running | File System Driver | Manual
Null | Null | Running | Kernel Driver | System
nv_agp | NVIDIA nForce AGP Bus Filter | Stopped | Kernel Driver | Manual
nvraid | nvraid | Stopped | Kernel Driver | Manual
nvstor | nvstor | Stopped | Kernel Driver | Manual
ohci | OHCI Compliant Host Controller (Legacy) | Stopped | Kernel Driver | Manual
ose | Office Source Engine | Stopped | Own Process | Manual
osppsvc | Office Software Protection Platform | Stopped | Own Process | Manual
Parport | Parallel port driver | Stopped | Kernel Driver | Manual
partmgr | Partition Manager | Running | Kernel Driver | Boot
pci | PCI Bus Driver | Running | Kernel Driver | Boot
pciide | pciide | Stopped | Kernel Driver | Manual
pcmcia | pcmcia | Stopped | Kernel Driver | Manual
pcw | Performance Counters for Windows Driver | Running | Kernel Driver | Boot
PEAUTH | PEAUTH | Running | Kernel Driver | Automatic
PerfHost | Performance Counter DLL Host | Stopped | Own Process | Manual
pla | Performance Logs & Alerts | Stopped | Shared Process | Manual
PlugPlay | Plug and Play | Running | Shared Process | Automatic
PolicyAgent | IPsec Policy Agent | Stopped | Shared Process | Manual
Power | Power | Running | Shared Process | Automatic
PptpMiniport | WAN Miniport (PPTP) | Running | Kernel Driver | Manual
Processor | Processor Driver | Stopped | Kernel Driver | Manual
ProfSvc | User Profile Service | Running | Shared Process | Automatic
ProtectedStorage | Protected Storage | Stopped | Shared Process | Manual
Psched | QoS Packet Scheduler | Running | Kernel Driver | System
ql2300 | ql2300 | Stopped | Kernel Driver | Manual
ql40xx | ql40xx | Stopped | Kernel Driver | Manual
RasAcd | Remote Access Auto Connection Driver | Stopped | Kernel Driver | Manual
RasAgileVpn | WAN Miniport (IKEv2) | Running | Kernel Driver | Manual
RasAuto | Remote Access Auto Connection Manager | Stopped | Shared Process | Manual
Rasl2tp | WAN Miniport (L2TP) | Running | Kernel Driver | Manual
RasMan | Remote Access Connection Manager | Stopped | Shared Process | Manual
RasPppoe | Remote Access PPPOE Driver | Running | Kernel Driver | Manual
RasSstp | WAN Miniport (SSTP) | Running | Kernel Driver | Manual
rdbss | Redirected Buffering Sub Sysytem | Running | File System Driver | System
rdpbus | Remote Desktop Device Redirector Bus Driver | Running | Kernel Driver | Manual
RDPCDD | RDPCDD | Running | Kernel Driver | System
RDPDR | Terminal Server Device Redirector Driver | Running | Kernel Driver | Manual
RDPENCDD | RDP Encoder Mirror Driver | Running | Kernel Driver | System
RDPREFMP | Reflector Display Driver used to gain access to graphics data | Running | Kernel Driver | System
RDPWD | RDP Winstation Driver | Running | Kernel Driver | Manual
RemoteAccess | Routing and Remote Access | Stopped | Shared Process | Disabled
RemoteRegistry | Remote Registry | Running | Shared Process | Automatic
RpcEptMapper | RPC Endpoint Mapper | Running | Shared Process | Automatic
RpcLocator | Remote Procedure Call (RPC) Locator | Stopped | Own Process | Manual
RpcSs | Remote Procedure Call (RPC) | Running | Shared Process | Automatic
RSoPProv | Resultant Set of Policy Provider | Stopped | Shared Process | Manual
rspndr | Link-Layer Topology Discovery Responder | Running | Kernel Driver | Automatic
s3cap | s3cap | Running | Kernel Driver | Manual
sacdrv | sacdrv | Stopped | Kernel Driver | Boot
sacsvr | Special Administration Console Helper | Stopped | Shared Process | Manual
SamSs | Security Accounts Manager | Running | Shared Process | Automatic
SAVAdminService | Sophos Anti-Virus status reporter | Running | Own Process | Automatic
SAVOnAccess | SAVOnAccess | Running | File System Driver | System
SAVService | Sophos Anti-Virus | Running | Own Process | Automatic
sbp2port | SBP-2 Transport/Protocol Bus Driver | Stopped | Kernel Driver | Manual
SCardSvr | Smart Card | Stopped | Shared Process | Manual
scfilter | Smart card PnP Class Filter Driver | Stopped | Kernel Driver | Manual
Schedule | Task Scheduler | Running | Shared Process | Automatic
SCPolicySvc | Smart Card Removal Policy | Stopped | Shared Process | Manual
secdrv | Security Driver | Running | Kernel Driver | Automatic
seclogon | Secondary Logon | Stopped | Shared Process | Manual
SENS | System Event Notification Service | Running | Shared Process | Automatic
Serenum | Serenum Filter Driver | Running | Kernel Driver | Manual
Serial | Serial port driver | Running | Kernel Driver | System
sermouse | Serial Mouse Driver | Stopped | Kernel Driver | Manual
SessionEnv | Remote Desktop Configuration | Running | Shared Process | Manual
sffdisk | SFF Storage Class Driver | Stopped | Kernel Driver | Manual
sffp_mmc | SFF Storage Protocol Driver for MMC | Stopped | Kernel Driver | Manual
sffp_sd | SFF Storage Protocol Driver for SDBus | Stopped | Kernel Driver | Manual
sfloppy | High-Capacity Floppy Disk Drive | Stopped | Kernel Driver | Manual
SharedAccess | Internet Connection Sharing (ICS) | Stopped | Shared Process | Disabled
ShellHWDetection | Shell Hardware Detection | Running | Shared Process | Automatic
SiSRaid2 | SiSRaid2 | Stopped | Kernel Driver | Manual
SiSRaid4 | SiSRaid4 | Stopped | Kernel Driver | Manual
Smb | Message-oriented TCP/IP and TCP/IPv6 Protocol (SMB session) | Stopped | Kernel Driver | Manual
SNMPTRAP | SNMP Trap | Stopped | Own Process | Manual
Sophos Agent | Sophos Agent | Running | Own Process | Automatic
Sophos AutoUpdate Service | Sophos AutoUpdate Service | Running | Own Process | Automatic
Sophos Certification Manager | Sophos Certification Manager | Running | Own Process | Automatic
Sophos Management Service | Sophos Management Service | Running | Own Process | Automatic
Sophos Message Router | Sophos Message Router | Running | Own Process | Automatic
SophosBootDriver | SophosBootDriver | Stopped | Kernel Driver | Disabled
spldr | Security Processor Loader Driver | Running | Kernel Driver | Boot
Spooler | Print Spooler | Running | Own Process (Interactive) | Automatic
sppsvc | Software Protection | Stopped | Own Process | Automatic
sppuinotify | SPP Notification Service | Stopped | Shared Process | Manual
SQLAgent$SOPHOS | SQL Server Agent (SOPHOS) | Stopped | Own Process | Disabled
SQLBrowser | SQL Server Browser | Running | Own Process | Automatic
SQLWriter | SQL Server VSS Writer | Running | Own Process | Automatic
srv | Server SMB 1.xxx Driver | Running | File System Driver | Manual
srv2 | Server SMB 2.xxx Driver | Running | File System Driver | Manual
srvnet | srvnet | Running | File System Driver | Manual
SSDPSRV | SSDP Discovery | Stopped | Shared Process | Disabled
SstpSvc | Secure Socket Tunneling Protocol Service | Stopped | Shared Process | Manual
stexstor | stexstor | Stopped | Kernel Driver | Manual
storflt | Disk Virtual Machine Bus Acceleration Filter Driver | Running | Kernel Driver | Boot
storvsc | storvsc | Stopped | Kernel Driver | Manual
storvsp | storvsp | Stopped | Kernel Driver | Manual
SUM | Sophos Update Manager | Running | Own Process | Automatic
swenum | Software Bus Driver | Running | Kernel Driver | Manual
swi_service | Sophos Web Intelligence Service | Running | Own Process | Automatic
swprv | Microsoft Software Shadow Copy Provider | Stopped | Own Process | Manual
SynthVid | SynthVid | Running | Kernel Driver | Manual
TapiSrv | Telephony | Stopped | Own Process | Manual
TBS | TPM Base Services | Stopped | Shared Process | Manual
Tcpip | TCP/IP Protocol Driver | Running | Kernel Driver | Boot
TCPIP6 | Microsoft IPv6 Protocol Driver | Stopped | Kernel Driver | Manual
tcpipreg | TCP/IP Registry Compatibility | Running | Kernel Driver | Automatic
TDPIPE | TDPIPE | Stopped | Kernel Driver | Manual
TDTCP | TDTCP | Running | Kernel Driver | Manual
tdx | NetIO Legacy TDI Support Driver | Running | Kernel Driver | System
TermDD | Terminal Device Driver | Running | Kernel Driver | System
TermService | Remote Desktop Services | Running | Shared Process | Manual
THREADORDER | Thread Ordering Server | Stopped | Shared Process | Manual
TrkWks | Distributed Link Tracking Client | Stopped | Shared Process | Manual
TrustedInstaller | Windows Modules Installer | Running | Own Process | Manual
tssecsrv | Remote Desktop Services Security Filter Driver | Running | Kernel Driver | Manual
TsUsbFlt | TsUsbFlt | Stopped | Kernel Driver | Manual
tunnel | Microsoft Tunnel Miniport Adapter Driver | Running | Kernel Driver | Manual
uagp35 | Microsoft AGPv3.5 Filter | Stopped | Kernel Driver | Manual
udfs | udfs | Stopped | File System Driver | Disabled
UI0Detect | Interactive Services Detection | Stopped | Own Process (Interactive) | Manual
uliagpkx | Uli AGP Bus Filter | Stopped | Kernel Driver | Manual
umbus | UMBus Enumerator Driver | Running | Kernel Driver | Manual
UmPass | Microsoft UMPass Driver | Stopped | Kernel Driver | Manual
UmRdpService | Remote Desktop Services UserMode Port Redirector | Running | Shared Process | Manual
upnphost | UPnP Device Host | Stopped | Shared Process | Disabled
usbccgp | Microsoft USB Generic Parent Driver | Stopped | Kernel Driver | Manual
usbehci | Microsoft USB 2.0 Enhanced Host Controller Miniport Driver | Stopped | Kernel Driver | Manual
usbhub | Microsoft USB Standard Hub Driver | Stopped | Kernel Driver | Manual
usbohci | Microsoft USB Open Host Controller Miniport Driver | Stopped | Kernel Driver | Manual
usbprint | Microsoft USB PRINTER Class | Stopped | Kernel Driver | Manual
USBSTOR | USB Mass Storage Driver | Stopped | Kernel Driver | Manual
usbuhci | Microsoft USB Universal Host Controller Miniport Driver | Stopped | Kernel Driver | Manual
UxSms | Desktop Window Manager Session Manager | Running | Shared Process | Automatic
VaultSvc | Credential Manager | Stopped | Shared Process | Manual
vdrvroot | Microsoft Virtual Drive Enumerator Driver | Running | Kernel Driver | Boot
vds | Virtual Disk | Running | Own Process | Manual
vga | vga | Stopped | Kernel Driver | Manual
VgaSave | VgaSave | Running | Kernel Driver | System
vhdmp | vhdmp | Stopped | Kernel Driver | Manual
viaide | viaide | Stopped | Kernel Driver | Manual
Vid | Vid | Stopped | Kernel Driver | Manual
vmbus | Virtual Machine Bus | Running | Kernel Driver | Boot
VMBusHID | VMBusHID | Running | Kernel Driver | Manual
vmicheartbeat | Hyper-V Heartbeat Service | Running | Own Process | Automatic
vmickvpexchange | Hyper-V Data Exchange Service | Running | Own Process | Automatic
vmicshutdown | Hyper-V Guest Shutdown Service | Running | Own Process | Automatic
vmictimesync | Hyper-V Time Synchronization Service | Running | Own Process | Automatic
vmicvss | Hyper-V Volume Shadow Copy Requestor | Running | Own Process | Automatic
volmgr | Volume Manager Driver | Running | Kernel Driver | Boot
volmgrx | Dynamic Volume Manager | Running | Kernel Driver | Boot
volsnap | Storage volumes | Running | Kernel Driver | Boot
vsmraid | vsmraid | Stopped | Kernel Driver | Manual
VSS | Volume Shadow Copy | Stopped | Own Process | Manual
W32Time | Windows Time | Running | Shared Process | Manual
WacomPen | Wacom Serial Pen HID Driver | Stopped | Kernel Driver | Manual
WANARP | Remote Access IP ARP Driver | Stopped | Kernel Driver | Manual
Wanarpv6 | Remote Access IPv6 ARP Driver | Running | Kernel Driver | System
WcsPlugInService | Windows Color System | Stopped | Shared Process | Manual
Wd | Wd | Stopped | Kernel Driver | Manual
Wdf01000 | Kernel Mode Driver Frameworks service | Running | Kernel Driver | Boot
WdiServiceHost | Diagnostic Service Host | Stopped | Shared Process | Manual
WdiSystemHost | Diagnostic System Host | Stopped | Shared Process | Manual
Wecsvc | Windows Event Collector | Stopped | Shared Process | Manual
wercplsupport | Problem Reports and Solutions Control Panel Support | Stopped | Shared Process | Manual
WerSvc | Windows Error Reporting Service | Stopped | Shared Process | Manual
WfpLwf | WFP Lightweight Filter | Running | Kernel Driver | System
WIMMount | WIMMount | Stopped | File System Driver | Manual
WinHttpAutoProxySvc | WinHTTP Web Proxy Auto-Discovery Service | Stopped | Shared Process | Manual
Winmgmt | Windows Management Instrumentation | Running | Shared Process | Automatic
WinRM | Windows Remote Management (WS-Management) | Running | Shared Process | Automatic
WmiAcpi | Microsoft Windows Management Interface for ACPI | Stopped | Kernel Driver | Manual
wmiapsrv | WMI Performance Adapter | Stopped | Own Process | Manual
WPDBusEnum | Portable Device Enumerator Service | Stopped | Shared Process | Manual
ws2ifsl | Windows Socket 2.0 Non-IFS Service Provider Support Environment | Running | Kernel Driver | System
wuauserv | Windows Update | Running | Shared Process | Automatic
WudfPf | User Mode Driver Frameworks Platform Driver | Stopped | Kernel Driver | Manual
wudfsvc | Windows Driver Foundation - User-mode Driver Framework | Stopped | Shared Process | Manual
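Added example, not part of the SekChek report: this PowerShell rebuilds both reports of section 30 (the type/start-type/state distribution above, and the logon-account/path listing that follows) from WMI, and then applies the checks a reviewer runs over the second report: services running under a stored credential rather than a built-in account, unquoted image paths containing spaces, binaries outside the system and Program Files directories, and binaries writable by ordinary users. It assumes an elevated session on the machine under review; the ACL test is deliberately coarse and is flagged as such in the comments.

```powershell
# Added example, not SekChek code: rebuild the service reports and review them.
# Drivers come from Win32_SystemDriver, user-mode services from Win32_Service;
# both share Name, DisplayName, State, StartMode, StartName, PathName, ServiceType.
$all = @(Get-CimInstance -ClassName Win32_SystemDriver) +
       @(Get-CimInstance -ClassName Win32_Service)

# Report 1 equivalent: distribution by service type, start type and state.
function Show-Distribution($items, $property) {
    $items | Group-Object $property | Sort-Object Count -Descending | ForEach-Object {
        '{0,6:P1} ({1}) {2}' -f ($_.Count / $items.Count), $_.Count, $_.Name
    }
}
'--- Service type ---'; Show-Distribution $all ServiceType
'--- Start type ---';   Show-Distribution $all StartMode
'--- State ---';        Show-Distribution $all State

# Resolve the executable part of an ImagePath the way the SCM does:
# "\SystemRoot\...", "system32\..." and bare relative paths all live under %SystemRoot%.
function Get-ServiceBinary([string]$pathName) {
    if (-not $pathName) { return $null }
    $p = $pathName.Trim()
    if ($p.StartsWith('"')) { return $p.Split('"')[1] }          # quoted: take the inside
    $exe = if ($p -match '(?i)^(.*?\.(exe|sys))') { $Matches[1] } else { $p.Split(' ')[0] }
    $exe = $exe -replace '^\\\?\?\\', ''                          # strip "\??\" prefix
    $exe = $exe -replace '^\\SystemRoot', $env:SystemRoot
    if ($exe -notmatch '^[A-Za-z]:\\') { $exe = Join-Path $env:SystemRoot $exe }
    return $exe
}

$builtin = 'localsystem', 'localservice', 'networkservice'
$report = foreach ($s in $all) {
    $exe     = Get-ServiceBinary $s.PathName
    $account = $s.StartName -replace '^(?i)NT AUTHORITY\\', ''
    [pscustomobject]@{
        Name    = $s.Name
        Account = $s.StartName
        Path    = $s.PathName
        # A named user account means a password is stored in LSA secrets on this box.
        StoredCred   = [bool]$s.StartName -and ($builtin -notcontains $account.ToLower())
        # Unquoted path with a space: the SCM tries each prefix as an executable.
        UnquotedSp   = [bool]$s.PathName -and -not $s.PathName.StartsWith('"') -and ($exe -match '\s')
        OddLocation  = [bool]$exe -and ($exe -notlike "$env:SystemRoot\*") -and
                       ($exe -notlike "$env:ProgramFiles\*") -and
                       ($exe -notlike "${env:ProgramFiles(x86)}\*")
        # Coarse ACL test: any Allow ACE granting write-class rights to broad groups.
        UserWritable = [bool]$exe -and (Test-Path -LiteralPath $exe) -and [bool](
            (Get-Acl -LiteralPath $exe).Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.IdentityReference -match 'Everyone|Authenticated Users|BUILTIN\\Users' -and
                $_.FileSystemRights -match 'Write|Modify|FullControl'
            })
    }
}

# Report 2 equivalent, then the rows worth a reviewer's attention.
$report | Format-Table Name, Account, Path -AutoSize
$report | Where-Object { $_.StoredCred -or $_.UnquotedSp -or $_.OddLocation -or $_.UserWritable } |
    Format-Table Name, Account, StoredCred, UnquotedSp, OddLocation, UserWritable, Path -AutoSize
```

Services run under a domain user account (StoredCred) deserve the same review as the RAS accounts in section 29: the password is recoverable by any local administrator, and if the account has an SPN it is also a Kerberoasting target. A hit on UnquotedSp or UserWritable for a service that starts as LocalSystem is a local privilege-escalation path and should be fixed before anything else in the list.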
Section Detail

Service Name | Logon Name | Path Name
1394ohci | | \SystemRoot\system32\drivers\1394ohci.sys
ACPI | | \SystemRoot\system32\drivers\ACPI.sys
AcpiPmi | | \SystemRoot\system32\drivers\acpipmi.sys
adp94xx | | \SystemRoot\system32\DRIVERS\adp94xx.sys
adpahci | | \SystemRoot\system32\DRIVERS\adpahci.sys
adpu320 | | \SystemRoot\system32\DRIVERS\adpu320.sys
ADWS | LocalSystem | C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe
AeLookupSvc | localsystem | C:\Windows\system32\svchost.exe -k netsvcs
AFD | | \SystemRoot\system32\drivers\afd.sys
agp440 | | \SystemRoot\system32\drivers\agp440.sys
ALG | NT AUTHORITY\LocalService | C:\Windows\System32\alg.exe
aliide | | \SystemRoot\system32\drivers\aliide.sys
amdide | | \SystemRoot\system32\drivers\amdide.sys
AmdK8 | | \SystemRoot\system32\DRIVERS\amdk8.sys
AmdPPM | | \SystemRoot\system32\DRIVERS\amdppm.sys
amdsata | | \SystemRoot\system32\drivers\amdsata.sys
amdsbs | | \SystemRoot\system32\DRIVERS\amdsbs.sys
amdxata | | \SystemRoot\system32\drivers\amdxata.sys
AppID | | \SystemRoot\system32\drivers\appid.sys
AppIDSvc | NT Authority\LocalService | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
Appinfo | LocalSystem | C:\Windows\system32\svchost.exe -k netsvcs
AppMgmt | LocalSystem | C:\Windows\system32\svchost.exe -k netsvcs
arc | | \SystemRoot\system32\DRIVERS\arc.sys
arcsas | | \SystemRoot\system32\DRIVERS\arcsas.sys
AsyncMac | | system32\drivers\asyncmac.sys
atapi | | \SystemRoot\system32\drivers\atapi.sys
AudioEndpointBuilder | LocalSystem | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
AudioSrv | NT AUTHORITY\LocalService | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
b06bdrv | | \SystemRoot\system32\DRIVERS\bxvbda.sys
b57nd60a | | system32\drivers\b57nd60a.sys
BDESVC | localsystem | C:\Windows\System32\svchost.exe -k netsvcs
Beep | |
BFE | NT AUTHORITY\LocalService | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
BITS | LocalSystem | C:\Windows\System32\svchost.exe -k netsvcs
blbdrive | | system32\drivers\blbdrive.sys
bowser | | system32\drivers\bowser.sys
BrFiltLo | | \SystemRoot\system32\DRIVERS\BrFiltLo.sys
BrFiltUp | | \SystemRoot\system32\DRIVERS\BrFiltUp.sys
Browser | LocalSystem | C:\Windows\System32\svchost.exe -k netsvcs
Brserid | | \SystemRoot\System32\Drivers\Brserid.sys
130 Service Name Logon Name Path Name BrSerWdm BrUsbMdm BrUsbSer cdfs cdrom \SystemRoot\System32\Drivers\BrSerWdm.sys \SystemRoot\System32\Drivers\BrUsbMdm.sys \SystemRoot\System32\Drivers\BrUsbSer.sys system32\drivers\cdfs.sys \SystemRoot\system32\drivers\cdrom.sys CertPropSvc LocalSystem C:\Windows\system32\svchost.exe -k netsvcs CLFS clr_optimization_v _32 LocalSystem clr_optimization_v _64 LocalSystem CmBatt cmdide CNG Compbatt CompositeBus \SystemRoot\System32\CLFS.sys C:\Windows\Microsoft.NET\Framework\v \mscorsvw.e xe C:\Windows\Microsoft.NET\Framework64\v \mscorsvw.exe \SystemRoot\system32\DRIVERS\CmBatt.sys \SystemRoot\system32\drivers\cmdide.sys \SystemRoot\System32\Drivers\cng.sys \SystemRoot\system32\DRIVERS\compbatt.sys \SystemRoot\system32\drivers\CompositeBus.sys COMSysApp LocalSystem C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1- FD88-11D1-960D-00805FC79235} crcdisk \SystemRoot\system32\DRIVERS\crcdisk.sys CryptSvc NT Authority\ NetworkService C:\Windows\system32\svchost.exe -k NetworkService DcomLaunch LocalSystem C:\Windows\system32\svchost.exe -k DcomLaunch defragsvc localsystem C:\Windows\system32\svchost.exe -k defragsvc Dfs LocalSystem C:\Windows\system32\dfssvc.exe DfsC DfsDriver System32\Drivers\dfsc.sys system32\drivers\dfs.sys DFSR LocalSystem C:\Windows\system32\DFSRs.exe DfsrRo \SystemRoot\system32\drivers\dfsrro.sys Dhcp NT Authority\ LocalService C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted discache Disk System32\drivers\discache.sys \SystemRoot\system32\DRIVERS\disk.sys DNS LocalSystem C:\Windows\system32\dns.exe Dnscache NT AUTHORITY\ NetworkService C:\Windows\system32\svchost.exe -k NetworkService dot3svc localsystem C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted DPS NT AUTHORITY\ LocalService C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork DXGKrnl \SystemRoot\System32\drivers\dxgkrnl.sys EapHost localsystem C:\Windows\System32\svchost.exe -k netsvcs ebdrv 
\SystemRoot\system32\DRIVERS\evbda.sys EFS LocalSystem C:\Windows\System32\lsass.exe elxstor ErrDev \SystemRoot\system32\DRIVERS\elxstor.sys \SystemRoot\system32\drivers\errdev.sys eventlog NT AUTHORITY\ LocalService C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted EventSystem NT AUTHORITY\ LocalService C:\Windows\system32\svchost.exe -k LocalService Produced by SekChek for Windows V , 10-Nov-2013 (Ref ) Page 130 of 154
131 Service Name Logon Name Path Name exfat fastfat FCRegSvc NT AUTHORITY\ LocalService C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted fdc system32\drivers\fdc.sys fdphost NT AUTHORITY\ LocalService C:\Windows\system32\svchost.exe -k LocalService FDResPub NT AUTHORITY\ LocalService C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation FileInfo Filetrace flpydisk FltMgr system32\drivers\fileinfo.sys system32\drivers\filetrace.sys system32\drivers\flpydisk.sys \SystemRoot\system32\drivers\fltmgr.sys FontCache NT AUTHORITY\ LocalService C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation FontCache NT Authority\ LocalService C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\Presentatio nfontcache.exe FsDepends fvevol gagp30kx System32\drivers\FsDepends.sys \SystemRoot\System32\DRIVERS\fvevol.sys \SystemRoot\system32\DRIVERS\gagp30kx.sys gpsvc LocalSystem C:\Windows\system32\svchost.exe -k netsvcs HDAudBus HidBatt \SystemRoot\system32\drivers\HDAudBus.sys \SystemRoot\system32\DRIVERS\HidBatt.sys hidserv LocalSystem C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted HidUsb \SystemRoot\system32\drivers\hidusb.sys hkmsvc localsystem C:\Windows\System32\svchost.exe -k netsvcs HpSAMD HTTP hwpolicy i8042prt iastorv \SystemRoot\system32\drivers\HpSAMD.sys system32\drivers\http.sys \SystemRoot\System32\drivers\hwpolicy.sys \SystemRoot\system32\drivers\i8042prt.sys \SystemRoot\system32\drivers\iaStorV.sys idsvc LocalSystem C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe iirsp \SystemRoot\system32\DRIVERS\iirsp.sys IKEEXT LocalSystem C:\Windows\system32\svchost.exe -k netsvcs intelide intelppm ioatdma \SystemRoot\system32\drivers\intelide.sys system32\drivers\intelppm.sys \SystemRoot\System32\Drivers\qd260x64.sys IPBusEnum LocalSystem C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted IpFilterDriver system32\drivers\ipfltdrv.sys iphlpsvc LocalSystem 
C:\Windows\System32\svchost.exe -k NetSvcs IPMIDRV IPNAT isapnp iscsiprt \SystemRoot\system32\drivers\IPMIDrv.sys System32\drivers\ipnat.sys \SystemRoot\system32\drivers\isapnp.sys \SystemRoot\system32\drivers\msiscsi.sys Produced by SekChek for Windows V , 10-Nov-2013 (Ref ) Page 131 of 154
132 Service Name Logon Name Path Name IsmServ LocalSystem C:\Windows\System32\ismserv.exe kbdclass kbdhid \SystemRoot\system32\drivers\kbdclass.sys \SystemRoot\system32\drivers\kbdhid.sys kdc LocalSystem C:\Windows\System32\lsass.exe KeyIso LocalSystem C:\Windows\system32\lsass.exe KSecDD KSecPkg ksthunk KtmRm NT AUTHORITY\ NetworkService \SystemRoot\System32\Drivers\ksecdd.sys \SystemRoot\System32\Drivers\ksecpkg.sys \SystemRoot\system32\drivers\ksthunk.sys C:\Windows\System32\svchost.exe -k NetworkServiceAndNoImpersonation LanmanServer LocalSystem C:\Windows\system32\svchost.exe -k netsvcs LanmanWorkstation NT AUTHORITY\ NetworkService lltdio C:\Windows\System32\svchost.exe -k NetworkService system32\drivers\lltdio.sys lltdsvc NT AUTHORITY\ LocalService C:\Windows\System32\svchost.exe -k LocalService lmhosts NT AUTHORITY\ LocalService C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted LSI_FC LSI_SAS LSI_SAS2 LSI_SCSI luafv megasas MegaSR Microsoft SharePoint Workspace Audit Service \SystemRoot\system32\DRIVERS\lsi_fc.sys \SystemRoot\system32\DRIVERS\lsi_sas.sys \SystemRoot\system32\DRIVERS\lsi_sas2.sys \SystemRoot\system32\DRIVERS\lsi_scsi.sys \SystemRoot\system32\drivers\luafv.sys \SystemRoot\system32\DRIVERS\megasas.sys \SystemRoot\system32\DRIVERS\MegaSR.sys NT AUTHORITY\ LocalService C:\Program Files (x86)\microsoft Office\Office14\GROOVE.EXE'' /auditservice MMCSS LocalSystem C:\Windows\system32\svchost.exe -k netsvcs Modem monitor mouclass mouhid mountmgr mpio mpsdrv system32\drivers\modem.sys system32\drivers\monitor.sys \SystemRoot\system32\drivers\mouclass.sys system32\drivers\mouhid.sys \SystemRoot\System32\drivers\mountmgr.sys \SystemRoot\system32\drivers\mpio.sys System32\drivers\mpsdrv.sys MpsSvc NT Authority\ LocalService C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork mrxsmb mrxsmb10 mrxsmb20 msahci msdsm MSDTC NT AUTHORITY\ NetworkService Msfs mshidkmdf msisadrv system32\drivers\mrxsmb.sys system32\drivers\mrxsmb10.sys 
system32\drivers\mrxsmb20.sys \SystemRoot\system32\drivers\msahci.sys \SystemRoot\system32\drivers\msdsm.sys C:\Windows\System32\msdtc.exe \SystemRoot\System32\drivers\mshidkmdf.sys \SystemRoot\system32\drivers\msisadrv.sys Produced by SekChek for Windows V , 10-Nov-2013 (Ref ) Page 132 of 154
133 Service Name Logon Name Path Name MSiSCSI LocalSystem C:\Windows\system32\svchost.exe -k netsvcs msiserver LocalSystem C:\Windows\system32\msiexec.exe /V MsRPC mssmbios \SystemRoot\system32\drivers\mssmbios.sys MSSQL$SOPHOS LocalSystem C:\Program Files (x86)\microsoft SQL Server\MSSQL10.SOPHOS\MSSQL\Binn\sqlservr.exe'' - ssophos MSSQLServerADHelper100 LocalSystem C:\Program Files (x86)\microsoft SQL Server\100\Shared\SQLADHLP.EXE MTConfig Mup napagent NT AUTHORITY\ NetworkService NDIS NdisCap NdisTapi Ndisuio NdisWan NDProxy NetBIOS NetBT \SystemRoot\system32\DRIVERS\MTConfig.sys \SystemRoot\System32\Drivers\mup.sys C:\Windows\System32\svchost.exe -k NetworkService \SystemRoot\system32\drivers\ndis.sys system32\drivers\ndiscap.sys system32\drivers\ndistapi.sys system32\drivers\ndisuio.sys system32\drivers\ndiswan.sys system32\drivers\netbios.sys System32\DRIVERS\netbt.sys Netlogon LocalSystem C:\Windows\system32\lsass.exe Netman LocalSystem C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted netprofm NT AUTHORITY\ LocalService C:\Windows\System32\svchost.exe -k LocalService NetTcpPortSharing NT AUTHORITY\ LocalService C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe netvsc nfrd960 NlaSvc NT AUTHORITY\ NetworkService Npfs \SystemRoot\system32\drivers\netvsc60.sys \SystemRoot\system32\DRIVERS\nfrd960.sys C:\Windows\System32\svchost.exe -k NetworkService nsi NT Authority\ LocalService C:\Windows\system32\svchost.exe -k LocalService nsiproxy system32\drivers\nsiproxy.sys NTDS LocalSystem C:\Windows\System32\lsass.exe NtFrs LocalSystem C:\Windows\system32\ntfrs.exe Ntfs Null nv_agp nvraid nvstor ohci1394 \SystemRoot\system32\drivers\nv_agp.sys \SystemRoot\system32\drivers\nvraid.sys \SystemRoot\system32\drivers\nvstor.sys \SystemRoot\system32\drivers\ohci1394.sys ose LocalSystem C:\Program Files (x86)\common Files\Microsoft Shared\Source Engine\OSE.EXE osppsvc NT AUTHORITY\ NetworkService Parport C:\Program 
Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE \SystemRoot\system32\DRIVERS\parport.sys Produced by SekChek for Windows V , 10-Nov-2013 (Ref ) Page 133 of 154
134 Service Name Logon Name Path Name partmgr pci pciide pcmcia pcw PEAUTH \SystemRoot\System32\drivers\partmgr.sys \SystemRoot\system32\drivers\pci.sys \SystemRoot\system32\drivers\pciide.sys \SystemRoot\system32\DRIVERS\pcmcia.sys \SystemRoot\System32\drivers\pcw.sys system32\drivers\peauth.sys PerfHost NT AUTHORITY\ LocalService C:\Windows\SysWow64\perfhost.exe pla NT AUTHORITY\ LocalService C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork PlugPlay LocalSystem C:\Windows\system32\svchost.exe -k DcomLaunch PolicyAgent NT Authority\ NetworkService C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted Power LocalSystem C:\Windows\system32\svchost.exe -k DcomLaunch PptpMiniport Processor system32\drivers\raspptp.sys \SystemRoot\system32\DRIVERS\processr.sys ProfSvc LocalSystem C:\Windows\system32\svchost.exe -k netsvcs ProtectedStorage LocalSystem C:\Windows\system32\lsass.exe Psched ql2300 ql40xx RasAcd RasAgileVpn system32\drivers\pacer.sys \SystemRoot\system32\DRIVERS\ql2300.sys \SystemRoot\system32\DRIVERS\ql40xx.sys System32\DRIVERS\rasacd.sys system32\drivers\agilevpn.sys RasAuto localsystem C:\Windows\System32\svchost.exe -k netsvcs Rasl2tp system32\drivers\rasl2tp.sys RasMan localsystem C:\Windows\System32\svchost.exe -k netsvcs RasPppoe RasSstp rdbss rdpbus RDPCDD RDPDR RDPENCDD RDPREFMP RDPWD system32\drivers\raspppoe.sys system32\drivers\rassstp.sys system32\drivers\rdbss.sys system32\drivers\rdpbus.sys System32\DRIVERS\RDPCDD.sys System32\drivers\rdpdr.sys system32\drivers\rdpencdd.sys system32\drivers\rdprefmp.sys RemoteAccess localsystem C:\Windows\System32\svchost.exe -k netsvcs RemoteRegistry NT AUTHORITY\ LocalService C:\Windows\system32\svchost.exe -k regsvc RpcEptMapper NT AUTHORITY\ NetworkService RpcLocator NT AUTHORITY\ NetworkService RpcSs NT AUTHORITY\ NetworkService C:\Windows\system32\svchost.exe -k RPCSS C:\Windows\system32\locator.exe C:\Windows\system32\svchost.exe -k rpcss RSoPProv LocalSystem 
C:\Windows\system32\RSoPProv.exe rspndr s3cap sacdrv system32\drivers\rspndr.sys \SystemRoot\system32\drivers\vms3cap.sys \SystemRoot\system32\DRIVERS\sacdrv.sys Produced by SekChek for Windows V , 10-Nov-2013 (Ref ) Page 134 of 154
135 Service Name Logon Name Path Name sacsvr LocalSystem C:\Windows\System32\svchost.exe -k netsvcs SamSs LocalSystem C:\Windows\system32\lsass.exe SAVAdminService LocalSystem C:\Program Files (x86)\sophos\sophos Anti- Virus\SAVAdminService.exe SAVOnAccess system32\drivers\savonaccess.sys SAVService NT AUTHORITY\ LocalService C:\Program Files (x86)\sophos\sophos Anti- Virus\SavService.exe sbp2port \SystemRoot\system32\drivers\sbp2port.sys SCardSvr NT AUTHORITY\ LocalService C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation scfilter System32\DRIVERS\scfilter.sys Schedule LocalSystem C:\Windows\system32\svchost.exe -k netsvcs SCPolicySvc LocalSystem C:\Windows\system32\svchost.exe -k netsvcs secdrv seclogon LocalSystem C:\Windows\system32\svchost.exe -k netsvcs SENS LocalSystem C:\Windows\system32\svchost.exe -k netsvcs Serenum Serial sermouse system32\drivers\serenum.sys system32\drivers\serial.sys \SystemRoot\system32\DRIVERS\sermouse.sys SessionEnv localsystem C:\Windows\System32\svchost.exe -k netsvcs sffdisk sffp_mmc sffp_sd sfloppy \SystemRoot\system32\drivers\sffdisk.sys \SystemRoot\system32\drivers\sffp_mmc.sys \SystemRoot\system32\drivers\sffp_sd.sys \SystemRoot\system32\DRIVERS\sfloppy.sys SharedAccess LocalSystem C:\Windows\System32\svchost.exe -k netsvcs ShellHWDetection LocalSystem C:\Windows\System32\svchost.exe -k netsvcs SiSRaid2 SiSRaid4 Smb \SystemRoot\system32\DRIVERS\SiSRaid2.sys \SystemRoot\system32\DRIVERS\sisraid4.sys system32\drivers\smb.sys SNMPTRAP NT AUTHORITY\ LocalService C:\Windows\System32\snmptrap.exe Sophos Agent LocalSystem C:\Program Files (x86)\sophos\enterprise Console\Remote Management System\ManagementAgentNT.exe'' -service - name Agent Sophos AutoUpdate Service LocalSystem C:\Program Files (x86)\sophos\autoupdate\alsvc.exe'' Sophos Certification Manager LocalSystem C:\Program Files (x86)\sophos\enterprise Console\CertificationManagerServiceNT.exe'' -background - ORBSvcConf ''C:\Program Files 
(x86)\sophos\enterprise Console\svc.conf Sophos Management Service LocalSystem C:\Program Files (x86)\sophos\enterprise Console\MgntSvc.exe'' Sophos Message Router LocalSystem C:\Program Files (x86)\sophos\enterprise Console\Remote Management System\RouterNT.exe'' -service -name Router - ORBListenEndpoints iiop://:8193/ssl_port=8194 SophosBootDriver spldr system32\drivers\sophosbootdriver.sys Spooler LocalSystem C:\Windows\System32\spoolsv.exe sppsvc NT AUTHORITY\ NetworkService C:\Windows\system32\sppsvc.exe Produced by SekChek for Windows V , 10-Nov-2013 (Ref ) Page 135 of 154
136 Service Name Logon Name Path Name sppuinotify NT AUTHORITY\ LocalService C:\Windows\system32\svchost.exe -k LocalService SQLAgent$SOPHOS NT AUTHORITY\ NETWORK SERVICE SQLBrowser NT AUTHORITY\ LOCAL SERVICE C:\Program Files (x86)\microsoft SQL Server\MSSQL10.SOPHOS\MSSQL\Binn\SQLAGENT.EXE'' -i SOPHOS C:\Program Files (x86)\microsoft SQL Server\90\Shared\sqlbrowser.exe SQLWriter LocalSystem C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe srv srv2 srvnet System32\DRIVERS\srv.sys System32\DRIVERS\srv2.sys System32\DRIVERS\srvnet.sys SSDPSRV NT AUTHORITY\ LocalService C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation SstpSvc NT Authority\ LocalService C:\Windows\system32\svchost.exe -k LocalService stexstor storflt storvsc storvsp \SystemRoot\system32\DRIVERS\stexstor.sys \SystemRoot\system32\drivers\vmstorfl.sys \SystemRoot\system32\drivers\storvsc.sys \SystemRoot\system32\drivers\storvsp.sys SUM LocalSystem C:\Program Files (x86)\sophos\enterprise Console\SUM\SUMService.exe swenum \SystemRoot\system32\drivers\swenum.sys swi_service NT AUTHORITY\ LocalService C:\Program Files (x86)\sophos\sophos Anti-Virus\Web Intelligence\swi_service.exe swprv LocalSystem C:\Windows\System32\svchost.exe -k swprv SynthVid TapiSrv NT AUTHORITY\ NetworkService \SystemRoot\system32\drivers\VMBusVideoM.sys C:\Windows\System32\svchost.exe -k tapisrv TBS NT AUTHORITY\ LocalService C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation Tcpip TCPIP6 tcpipreg TDPIPE TDTCP tdx TermDD \SystemRoot\System32\drivers\tcpip.sys system32\drivers\tcpip.sys System32\drivers\tcpipreg.sys system32\drivers\tdpipe.sys system32\drivers\tdtcp.sys system32\drivers\tdx.sys \SystemRoot\system32\drivers\termdd.sys TermService NT Authority\ NetworkService C:\Windows\System32\svchost.exe -k termsvcs THREADORDER NT AUTHORITY\ LocalService C:\Windows\system32\svchost.exe -k LocalService TrkWks LocalSystem C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted 
TrustedInstaller localsystem C:\Windows\servicing\TrustedInstaller.exe tssecsrv TsUsbFlt tunnel uagp35 udfs System32\DRIVERS\tssecsrv.sys system32\drivers\tsusbflt.sys system32\drivers\tunnel.sys \SystemRoot\system32\DRIVERS\uagp35.sys system32\drivers\udfs.sys UI0Detect LocalSystem C:\Windows\system32\UI0Detect.exe uliagpkx \SystemRoot\system32\drivers\uliagpkx.sys Produced by SekChek for Windows V , 10-Nov-2013 (Ref ) Page 136 of 154
137 Service Name Logon Name Path Name umbus UmPass system32\drivers\umbus.sys \SystemRoot\system32\DRIVERS\umpass.sys UmRdpService localsystem C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted upnphost NT AUTHORITY\ LocalService C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation usbccgp usbehci usbhub usbohci usbprint USBSTOR usbuhci \SystemRoot\system32\drivers\usbccgp.sys \SystemRoot\system32\DRIVERS\usbehci.sys \SystemRoot\system32\drivers\usbhub.sys \SystemRoot\system32\DRIVERS\usbohci.sys \SystemRoot\system32\DRIVERS\usbprint.sys \SystemRoot\system32\drivers\USBSTOR.SYS \SystemRoot\system32\DRIVERS\usbuhci.sys UxSms localsystem C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted VaultSvc LocalSystem C:\Windows\system32\lsass.exe vdrvroot \SystemRoot\system32\drivers\vdrvroot.sys vds LocalSystem C:\Windows\System32\vds.exe vga VgaSave vhdmp viaide Vid vmbus VMBusHID vmicheartbeat NT AUTHORITY\ NetworkService system32\drivers\vgapnp.sys \SystemRoot\System32\drivers\vga.sys \SystemRoot\system32\drivers\vhdmp.sys \SystemRoot\system32\drivers\viaide.sys \SystemRoot\system32\drivers\Vid.sys \SystemRoot\system32\drivers\vmbus.sys \SystemRoot\system32\drivers\VMBusHID.sys C:\Windows\system32\vmicsvc.exe -feature Heartbeat vmickvpexchange NT AUTHORITY\ LocalService C:\Windows\system32\vmicsvc.exe -feature KvpExchange vmicshutdown LocalSystem C:\Windows\system32\vmicsvc.exe -feature Shutdown vmictimesync NT AUTHORITY\ LocalService C:\Windows\system32\vmicsvc.exe -feature TimeSync vmicvss LocalSystem C:\Windows\system32\vmicsvc.exe -feature VSS volmgr volmgrx volsnap vsmraid \SystemRoot\system32\drivers\volmgr.sys \SystemRoot\System32\drivers\volmgrx.sys \SystemRoot\system32\drivers\volsnap.sys \SystemRoot\system32\DRIVERS\vsmraid.sys VSS LocalSystem C:\Windows\system32\vssvc.exe W32Time NT AUTHORITY\ LocalService C:\Windows\system32\svchost.exe -k LocalService WacomPen WANARP Wanarpv6 \SystemRoot\system32\DRIVERS\wacompen.sys 
system32\drivers\wanarp.sys system32\drivers\wanarp.sys WcsPlugInService NT AUTHORITY\ LocalService C:\Windows\system32\svchost.exe -k wcssvc Wd Wdf01000 \SystemRoot\system32\DRIVERS\wd.sys \SystemRoot\system32\drivers\Wdf01000.sys WdiServiceHost NT AUTHORITY\ LocalService C:\Windows\System32\svchost.exe -k LocalService Produced by SekChek for Windows V , 10-Nov-2013 (Ref ) Page 137 of 154
WdiSystemHost | LocalSystem | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
Wecsvc | NT AUTHORITY\NetworkService | C:\Windows\system32\svchost.exe -k NetworkService
wercplsupport | localsystem | C:\Windows\System32\svchost.exe -k netsvcs
WerSvc | localsystem | C:\Windows\System32\svchost.exe -k WerSvcGroup
WfpLwf | | system32\drivers\wfplwf.sys
WIMMount | | system32\drivers\wimmount.sys
WinHttpAutoProxySvc | NT AUTHORITY\LocalService | C:\Windows\system32\svchost.exe -k LocalService
Winmgmt | localsystem | C:\Windows\system32\svchost.exe -k netsvcs
WinRM | NT AUTHORITY\NetworkService | C:\Windows\System32\svchost.exe -k NetworkService
WmiAcpi | | \SystemRoot\system32\drivers\wmiacpi.sys
wmiapsrv | localsystem | C:\Windows\system32\wbem\WmiApSrv.exe
WPDBusEnum | LocalSystem | C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
ws2ifsl | | \SystemRoot\system32\drivers\ws2ifsl.sys
wuauserv | LocalSystem | C:\Windows\system32\svchost.exe -k netsvcs
WudfPf | | system32\drivers\wudfpf.sys
wudfsvc | LocalSystem | C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted

Services and Drivers

A service is an executable object that is installed in a registry database maintained by the Service Control Manager. The executable file associated with a service can be started at boot time by a boot program or by the system, or the Service Control Manager can start it on demand. The two types of service are Win32 services and driver services.

A Win32 service is a service that conforms to the interface rules of the Service Control Manager. This enables the Service Control Manager to start the service at system start-up or on demand and enables communication between the service and service control programs. A Win32 service can execute in its own process, or it can share a process with other Win32 services.

A driver service is a service that follows the device driver protocols for Microsoft Windows rather than using the Service Control Manager interface.
Implications

Having inappropriate or unnecessary services installed can create security risks and provide potential access paths or tools to intruders. There are a great number of services that can be installed and it would require volumes to document the security implications attached to each one. Some of them will increase security risks if not appropriately configured, controlled and secured. Examples are: Remote Access Services (RAS), Internet-related services and network services. Some of the more common services are:

Service | Function | Comments
NetDDE, NetDDEdsdm | Services for creating a communication channel or a trusted share for Windows applications to share data over a network. | Shares (directories, files and printers) should be managed to ensure that sensitive information is not made available unnecessarily via this channel.
EventLog, SENS | Event Log Service and System Event Notification Service. | Ensure these services are started to enable the capturing of event messages to the logs.
SNMP, SNMPTRAP | Simple Network Management Protocol to manage devices on a network. | Manage access to information via this protocol, as it can supply valuable information about your network and network devices.
W3SVC, IISADMIN, IAS | Internet Information Server, World Wide Web Publishing Service and Internet Authentication Service. | Ensure correct configuration of these services, as misconfiguration of these can compromise security.
RemoteAccess, Rasman, RasAcd, RasAuto, RasArp | Remote Access services. | Ensure correct configuration of these services, as misconfiguration of these can compromise security.
NdisTapi, NdisWan, NetBIOS, NwlnkSpx, Tcpip | Network Protocol and Transport layer services/drivers. | Ensure that these protocols/drivers are configured correctly, as incorrect configuration can leave the network open to penetration.

Attaching unsecured logon accounts to services can create significant security exposures.

Installing service executables in unsecured directories can also create significant security exposures.

Risk Rating

Medium to High (Depending on the type of services installed, their configuration and security settings).

Recommended Action

You should ensure that:
- Only required and appropriate services are installed.
- Their configuration and security settings are to appropriate standards.
- Service executables are in secure directories.
- Logon accounts attached to services have the appropriate security settings to help prevent illegal access.
- The rights assigned to user accounts and groups are effectively controlled (consult the report section titled Rights and Privileges).
- Effective virus detection and prevention services are installed, running and activated/started automatically at system start-up time.
31. Server Roles and Features

Section Summary

There are 26 Server roles and features installed on the system.

Section Detail

Server Roles and Features
.NET Framework 4.5 Features
  --- .NET Framework
  --- WCF Services
        TCP Port Sharing
Active Directory Domain Services
DNS Server
File And Storage Services
  --- File and iSCSI Services
        File Server
  --- Storage Services
Group Policy Management
Remote Server Administration Tools
  --- Role Administration Tools
        AD DS and AD LDS Tools
          Active Directory module for Windows PowerShell
          AD DS Tools
            Active Directory Administrative Center
            AD DS Snap-Ins and Command-Line Tools
        DNS Server Tools
User Interfaces and Infrastructure
  --- Graphical Management Tools and Infrastructure
  --- Server Graphical Shell
Windows PowerShell
  --- Windows PowerShell
  --- Windows PowerShell ISE
WoW64 Support

Implications

All roles and features installed on your Server increase the attack surface of your system and present additional opportunities for intruders to exploit any vulnerabilities that may exist. Your system is particularly vulnerable if Windows features are incorrectly configured.

Unnecessary roles and features also consume system resources, such as disk space and CPU cycles. In addition, they increase the frequency of Microsoft updates and associated system restarts.

Risk Rating

Medium to High (Depending on the role or feature).
Recommended Action

You should ensure that:
- All installed roles and features are appropriate and authorised
- Windows roles and features are appropriately configured

You should also consider using a minimal Server Core installation, rather than versions of Windows Server that install the full GUI with unnecessary components, such as Windows Explorer, Internet Explorer and the Control Panel.

For more information about Server Core see:
32. Task Scheduler

Section Summary

There are 71 scheduled tasks defined in 52 task folders:
- 33.8% (24) of tasks are hidden
- 73.2% (52) of tasks are enabled
- 26.8% (19) of tasks are disabled
- 39.4% (28) of tasks have never executed
- 12.7% (9) of tasks returned a non-zero result (may have failed)

The registered tasks contain 69 event triggers:
- 17.4% (12) of event triggers are disabled

Section Detail

For details see worksheet Scheduled_Tasks in the MS-Excel workbook.

Implications

The Task Scheduler ensures that important system maintenance and diagnostic functions are performed on a regular and consistent basis without the need for manual intervention. Some examples of scheduled tasks are jobs that:
- Create regular system protection points
- Download and install anti-virus updates
- Ensure digital certificates for users and machines are current and valid
- Consolidate fragmented space on disk drives
- Synchronise the system time

If certain tasks do not execute, or they fail to complete successfully, it could impact on the performance, stability or security of your system.

Risk Rating

Low to medium (Depending on the task and its status).

Recommended Action

You should ensure that important scheduled tasks:
- Are configured in accordance with your requirements
- Are not accidentally disabled
- Execute successfully
33. Security Updates, Patches and Hot-Fixes

Section Summary

There are 2 Security Updates, Patches and Hot-Fixes installed on this system.

Windows Update Settings
Windows Update status: OK
Important updates: Download updates but let me choose whether to install them
Install new updates: Every day at 03:00
Recommended updates: No
Allow all users to install: Yes
Configuration enforced: No
Updates were installed: 23-Sep :09:13
Most recent check for updates: 25-Oct :52:33

Section Detail

Update Reference | Install Date | Installed By | Service Pack | Description
KB | /14/2013 | SNAKE\administrator | | Update
KB | /14/2013 | SNAKE\administrator | | Service Pack

Implications

This report section lists hot-fixes installed on the system by Microsoft's hotfix.exe or update.exe utilities. Note that hot-fixes and patches applied to third-party (non-Microsoft) software products are not included because they are typically not installed by these utilities. Examples of other exclusions are entries written by Shavlik (records are in a proprietary format) and records relating to uninstall routines, such as ServicePackUninstall.

A software patch or hot-fix is a program file that installs one or more files on your system to correct a software problem. A Windows hot-fix program file is typically named KBnnnnnn.exe (or Qnnnnnn.exe), where nnnnnn is a six-digit number assigned by Microsoft. You can obtain details of a hot-fix by searching Microsoft's Knowledge Base (KB) on the unique hot-fix number.

Many hot-fixes address security vulnerabilities that are discovered in software components, such as Windows, Exchange, Internet Explorer, IIS and SQL. If you lack a policy to ensure relevant hot-fixes are promptly identified and installed, your system will be exposed to an increased risk of being compromised, damaged or exploited. Some examples of these security exposures are: unauthorised remote access to your system; illegal execution of code; elevation of privileges; and denial of service attacks.

Risk Rating

Medium to High (Depending on the vulnerability).

Recommended Action

You should implement policy to ensure you are aware of newly discovered security vulnerabilities. You should also ensure that appropriate hot-fixes are promptly evaluated and installed on your systems.

Microsoft offers several advisory services and tools that can assist you with the process. These include Technet, various notification services and security bulletins, and tools such as Hfnetchk, which checks computers for the absence of security patches / hot-fixes.
34. Products Installed

Section Summary

There are 39 MSI-installed software products on this system.

Section Detail

Product Name | Version | Install Date | Publisher
Acrobat.com | | | Adobe Systems Incorporated
Adobe AIR | | | Adobe Systems Inc.
Adobe Reader | | | Adobe Systems Incorporated
Microsoft Office Access MUI (English) | | | Microsoft Corporation
Microsoft Office Access Setup Metadata MUI (English) | | | Microsoft Corporation
Microsoft Office Excel MUI (English) | | | Microsoft Corporation
Microsoft Office Groove MUI (English) | | | Microsoft Corporation
Microsoft Office InfoPath MUI (English) | | | Microsoft Corporation
Microsoft Office Office 64-bit Components | | | Microsoft Corporation
Microsoft Office OneNote MUI (English) | | | Microsoft Corporation
Microsoft Office Outlook MUI (English) | | | Microsoft Corporation
Microsoft Office PowerPoint MUI (English) | | | Microsoft Corporation
Microsoft Office Professional Plus | | | Microsoft Corporation
Microsoft Office Proof (English) | | | Microsoft Corporation
Microsoft Office Proof (French) | | | Microsoft Corporation
Microsoft Office Proof (Spanish) | | | Microsoft Corporation
Microsoft Office Proofing (English) | | | Microsoft Corporation
Microsoft Office Publisher MUI (English) | | | Microsoft Corporation
Microsoft Office Shared 64-bit MUI (English) | | | Microsoft Corporation
Microsoft Office Shared 64-bit Setup Metadata MUI (English) | | | Microsoft Corporation
Microsoft Office Shared MUI (English) | | | Microsoft Corporation
Microsoft Office Shared Setup Metadata MUI (English) | | | Microsoft Corporation
Microsoft Office Word MUI (English) | | | Microsoft Corporation
Microsoft SQL Server 2008 Browser | | | Microsoft Corporation
Microsoft SQL Server 2008 Common Files | | | Microsoft Corporation
Microsoft SQL Server 2008 Common Files | | | Microsoft Corporation
Microsoft SQL Server 2008 Database Engine Services | | | Microsoft Corporation
Microsoft SQL Server 2008 Database Engine Services | | | Microsoft Corporation
Microsoft SQL Server 2008 Database Engine Shared | | | Microsoft Corporation
Microsoft SQL Server 2008 Database Engine Shared | | | Microsoft Corporation
Microsoft SQL Server 2008 Native Client | | | Microsoft Corporation
Microsoft SQL Server 2008 RsFx Driver | | | Microsoft Corporation
Microsoft SQL Server 2008 Setup Support Files | | | Microsoft Corporation
Microsoft SQL Server VSS Writer | | | Microsoft Corporation
Sophos Anti-Virus | | | Sophos Limited
Sophos AutoUpdate | | | Sophos Limited
Sophos Enterprise Console | | | Sophos Plc
Sophos Update Manager | | | Sophos plc
Sql Server Customer Experience Improvement Program | | | Microsoft Corporation

For details of all properties see worksheet Products in the MS-Excel workbook.

Implications

This report section lists software products that were installed by Windows Installer (MSI). Unauthorised software installations could cause the following risks:
- Compromised security, if the software does not originate from a reputable vendor or it has not been properly tested prior to implementation.
- Legal action and penalties due to the use of unlicensed software on your systems.
- Additional training and maintenance costs due to the need to support multiple versions of similar software.

Risk Rating

Medium / High (if unauthorised software is installed on your system).

Recommended Action

You should ensure that software policies define a list of approved software and prevent the installation of unauthorised software products. Policies should be consistently enforced and regularly monitored for compliance.
35. Current Network Connections

Section Summary
SekChek was unable to analyse active network connections because the required DLL was not present on the system.

Section Detail
** No data found. **

Process ID      The process identification number attached to the Current Network Connection.
Local Address   The address of the local end of the socket.
Local Port      The port number of the local end of the socket.
Remote Address  The address of the remote end of the socket.
Remote Port     The port number of the remote end of the socket.
State           Shows the connection state of the socket. This can be one of the following values:
                CLOSE_WAIT    The remote end has shut down, waiting for the socket to close
                CLOSED        The socket is not being used
                CLOSING       Both sockets are shut down but we still don't have all our data sent
                ESTABLISHED   The socket has an established connection
                FIN_WAIT1     The socket is closed and the connection is shutting down
                FIN_WAIT2     The connection is closed and the socket is waiting for a shutdown from the remote end
                IDLE          Idle, opened but not bound
                LAST_ACK      The remote end has shut down and the socket is closed. Waiting for acknowledgement
                LISTENING     The socket is listening for incoming connections
                SYN_RECV      A connection request has been received from the network
                SYN_SENT      The socket is actively attempting to establish a connection
                TIME_WAIT     The socket is waiting after close to handle packets still in the network
                UNKNOWN       The state of the socket is unknown
Filename        The filename of the process that is attached to the Current Network Connection.

Implications
This report section lists all active network connections for TCP protocols, including the local and remote addresses, the ports in use and the state of each connection. It does not indicate which services are configured to use these ports.

The port numbers used by some of the most common network services are:

Port number   Service
7             echo
20            ftp data
21            ftp
22            ssh
23            telnet
25            smtp
43            whois
53            DNS
69            tftp
79            finger
80            http
110           POP3
119           nntp
143           IMAP
161           snmp
194           irc
443           https
512           exec

Network services and their associated ports provide several opportunities for intruders to exploit your system. Some examples are:
- Services such as telnet (port 23) and ftp (port 21) transmit user passwords in clear text format, which makes them vulnerable to capture by sniffer software;
- Older versions of services often contain security weaknesses, which can be exploited to gain access to your system using the account under which the service is run;
- Services such as finger (port 79) provide intruders with useful information about your system, such as details of inactive user accounts, which can be used to gain access to your system.

Risk Rating
Medium to High (if inappropriate network services are running).

Recommended Action
You should determine what services are configured to use these ports and:
- Disable any unused or redundant services;
- Limit the number of services that run under the administrator account by running them under an account with fewer privileges;
- Frequently check with your software vendor for security vulnerabilities in the services you are running and apply any relevant software patches;
- Consider replacing services that transmit passwords in clear text format with more secure software;
- Ensure that hosts running open services are located behind properly configured firewall machines;
- Monitor open ports and connections for signs of unusual activity, particularly from addresses external to your organisation.
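The monitoring step in the recommended action above can be started from a plain connection table. The following script is an added example, not part of the SekChek report or its tooling: it parses rows in the layout produced by 'netstat -ano' (the sample table is constructed, not data from this system), reports LISTENING sockets on the clear-text and information-leaking ports the section names (ftp, telnet, finger), and lists ESTABLISHED connections whose remote end is outside an assumed set of internal address ranges.

```python
"""Added example: triage a TCP connection table for the risks listed above."""
import ipaddress
import re
from typing import List, NamedTuple, Tuple


class Connection(NamedTuple):
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: int
    state: str
    pid: int


# Listening services the section singles out: telnet and ftp carry passwords
# in clear text, finger discloses account details.
RISKY_LISTENERS = {21: "ftp", 23: "telnet", 79: "finger"}

# Matches "192.0.2.1:443" as well as bracketed IPv6 endpoints such as "[::]:135".
_ENDPOINT = re.compile(r"^\[?([0-9A-Fa-f.:%]+?)\]?:(\d+)$")


def _split_endpoint(endpoint: str) -> Tuple[str, int]:
    m = _ENDPOINT.match(endpoint)
    if m is None:
        raise ValueError(f"unparseable endpoint: {endpoint!r}")
    return m.group(1), int(m.group(2))


def parse_connections(text: str) -> List[Connection]:
    """Parse the TCP rows of a 'netstat -ano' style table; header rows are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        _, local, remote, state, pid = parts
        local_addr, local_port = _split_endpoint(local)
        remote_addr, remote_port = _split_endpoint(remote)
        conns.append(Connection(local_addr, local_port, remote_addr,
                                remote_port, state, int(pid)))
    return conns


def risky_listeners(conns: List[Connection]) -> List[Tuple[int, str, int]]:
    """(port, service, pid) for LISTENING sockets on the clear-text/leaky ports."""
    return sorted((c.local_port, RISKY_LISTENERS[c.local_port], c.pid)
                  for c in conns
                  if c.state == "LISTENING" and c.local_port in RISKY_LISTENERS)


def external_connections(conns: List[Connection],
                         internal_nets: List[str]) -> List[Tuple[str, int, int]]:
    """ESTABLISHED connections whose remote end lies outside the internal ranges."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    found = []
    for c in conns:
        if c.state != "ESTABLISHED":
            continue
        addr = ipaddress.ip_address(c.remote_addr.split("%")[0])  # drop IPv6 zone id
        if not any(addr in net for net in nets):
            found.append((c.remote_addr, c.remote_port, c.pid))
    return found


# Constructed sample in 'netstat -ano' layout (not output from the reported system).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.10.5:21        0.0.0.0:0              LISTENING       1640
  TCP    192.168.10.5:3389      192.168.10.77:51234    ESTABLISHED     988
  TCP    192.168.10.5:49872     198.51.100.23:443      ESTABLISHED     2316
  TCP    [::]:135               [::]:0                 LISTENING       876
"""

# Assumed internal address space for this example.
INTERNAL_NETS = ["192.168.0.0/16", "10.0.0.0/8", "127.0.0.0/8"]

if __name__ == "__main__":
    conns = parse_connections(SAMPLE)
    print("risky listeners:", risky_listeners(conns))
    print("external connections:", external_connections(conns, INTERNAL_NETS))
```

On the sample the script reports the telnet and ftp listeners and the single established connection to 198.51.100.23; a listener on a risky port is a prompt to identify the owning process (the PID column) and decide whether the service is needed, not proof of compromise.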
36. Logical Drives

Section Summary
There were a total of 4 logical drives defined to your domain controller when this analysis was run.

Section Detail
Drive   Type        Volume Name   Serial Number   File System   Disk Size (MB)   Free Space (MB)   % Free   Comment
A:\     Removable
C:\     Fixed                     7CA7-6D3D       NTFS
D:\     CDROM       _1531         C71C-CE20       CDFS
Z:\     Remote      New Volume    45BD-987        NTFS

Disk Quotas
Note that the free space displayed for a drive may exceed the disk size if disk quotas are used (indicated by **User Quotas** in the Comment field). This is because the Free Space column indicates the total amount of free space on the drive, while the Disk Size column indicates the space available to the user under the disk quota rules.

Implications
The NTFS file system provides more security features than the FAT system. It should be used whenever security is a concern. With NTFS, you can assign a variety of protections to files and directories.

Risk Rating
Medium to High (depending on the sensitivity of files and directories).

Recommended Action
As a rule, you should ensure that sensitive files and directories are on NTFS partitions.
37. Network Shares

Section Summary
There were a total of 10 Network Shares defined to your domain controller when this analysis was run.

Section Detail
Share Name      Path                                                            Type                               Max Uses     Remark
ADMIN$          C:\Windows                                                      Special Share                      *unlimited*  Remote Admin
BG temp         C:\BG temp                                                      File Share                         *unlimited*
C$              C:\                                                             Special Share                      *unlimited*  Default share
IPC$                                                                            Interprocess communication (IPC)   *unlimited*  Remote IPC
NETLOGON        C:\Windows\SYSVOL\sysvol\Snake.com\scripts                      File Share                         *unlimited*  Logon server share
SophosUpdate    C:\ProgramData\Sophos\Update Manager\Update Manager             File Share                         *unlimited*
SUMInstallSet   C:\Program Files (x86)\sophos\enterprise Console\SUMInstaller   File Share                         *unlimited*  Sophos Update Manager Installer
SYSVOL          C:\Windows\SYSVOL\sysvol                                        File Share                         *unlimited*  Logon server share
WolfSpace_2     C:\BG temp                                                      File Share                         *unlimited*
WolfSpace1      C:\DfsRoots\WolfSpace1                                          File Share                         *unlimited*

Implications
Windows Server enables you to designate resources you want to share with others. For example:
- When a directory is shared, authorised users can make connections to the directory (and access its files) from their own workstations.
- When a printer is shared, many users can print from it over the network.

Once a resource is shared, you can restrict its availability over the network to certain users. These restrictions, called share permissions, can vary from user to user. With Windows Server, you create the appropriate level of network resource security with a combination of resource sharing and resource permissions.

Risk Rating
Medium to High (depending on the sensitivity of the data stored in the shared directories).

Recommended Action
You should ensure that directories containing sensitive data files are not shared or are adequately secured via resource permissions.
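Share permissions are set per share name, so the same directory exposed twice (as C:\BG temp is above, through both BG temp and WolfSpace_2) or a share nested inside another share's tree can be reached with whichever share permissions are more generous. The script below is an added example, not part of the SekChek report; it takes the share list from the section above and reports duplicated and nested share paths so that the permissions on each name can be reviewed together.

```python
"""Added example: find duplicated or nested exposure in a Windows share list."""
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Tuple

# (share name, path, type) as listed in the section above; IPC$ has no path.
SHARES: List[Tuple[str, Optional[str], str]] = [
    ("ADMIN$",        "C:\\Windows",                                                   "Special Share"),
    ("BG temp",       "C:\\BG temp",                                                   "File Share"),
    ("C$",            "C:\\",                                                          "Special Share"),
    ("IPC$",          None,                                                            "Interprocess communication (IPC)"),
    ("NETLOGON",      "C:\\Windows\\SYSVOL\\sysvol\\Snake.com\\scripts",               "File Share"),
    ("SophosUpdate",  "C:\\ProgramData\\Sophos\\Update Manager\\Update Manager",       "File Share"),
    ("SUMInstallSet", "C:\\Program Files (x86)\\sophos\\enterprise Console\\SUMInstaller", "File Share"),
    ("SYSVOL",        "C:\\Windows\\SYSVOL\\sysvol",                                   "File Share"),
    ("WolfSpace_2",   "C:\\BG temp",                                                   "File Share"),
    ("WolfSpace1",    "C:\\DfsRoots\\WolfSpace1",                                      "File Share"),
]


def duplicate_paths(shares) -> Dict[str, List[str]]:
    """Directories exposed under more than one share name.

    Keys are the normalised (lower-cased) paths; the permissions on every name
    listed must be reviewed together, since a user reaching the directory via
    the more permissive name gets that name's access.
    """
    by_path: Dict[str, List[str]] = {}
    for name, path, _ in shares:
        if path is None:
            continue
        key = str(PureWindowsPath(path)).lower()   # NTFS paths are case-insensitive
        by_path.setdefault(key, []).append(name)
    return {p: names for p, names in by_path.items() if len(names) > 1}


def nested_shares(shares, include_special: bool = False) -> List[Tuple[str, str]]:
    """(inner, outer) pairs where one share's directory sits inside another's.

    The special shares (ADMIN$, C$) contain almost everything, so they are left
    out unless include_special is set; the interesting cases are file shares
    whose trees overlap with independently set share permissions.
    """
    entries = [(n, PureWindowsPath(p)) for n, p, t in shares
               if p is not None and (include_special or t == "File Share")]
    pairs = []
    for inner, inner_path in entries:
        for outer, outer_path in entries:
            if outer_path in inner_path.parents:    # comparison is case-insensitive
                pairs.append((inner, outer))
    return sorted(pairs)


if __name__ == "__main__":
    for path, names in duplicate_paths(SHARES).items():
        print(f"same directory shared as {names}: {path}")
    for inner, outer in nested_shares(SHARES):
        print(f"share {inner} lies inside share {outer}")
```

On the reported list this flags C:\BG temp (shared as BG temp and WolfSpace_2) and NETLOGON lying under SYSVOL; the latter pair is a standard domain controller layout, so the point is to confirm the permissions on both names agree rather than to remove a share.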
38. Home Directories, Logon Scripts and Profiles

Section Summary
All Accounts
- 100.0% (16) of user accounts do not have a home directory.
- 100.0% (16) of user accounts do not have a logon script.
- 100.0% (16) of user accounts are not restricted to logging on from specific workstations.
- 100.0% (16) of user accounts do not have specific logon profiles.

Excluding Disabled Accounts
- 68.8% (11) of user accounts do not have a home directory.
- 68.8% (11) of user accounts do not have a logon script.
- 68.8% (11) of user accounts are not restricted to logging on from specific workstations.
- 68.8% (11) of user accounts do not have specific logon profiles.

All Administrator Accounts
- 100.0% (2) of administrator accounts do not have a home directory.
- 100.0% (2) of administrator accounts do not have a logon script.
- 100.0% (2) of administrator accounts are not restricted to logging on from specific workstations.
- 100.0% (2) of administrator accounts do not have specific logon profiles.

Administrator Accounts (Excluding Disabled Accounts)
- 100.0% (2) of administrator accounts do not have a home directory.
- 100.0% (2) of administrator accounts do not have a logon script.
- 100.0% (2) of administrator accounts are not restricted to logging on from specific workstations.
- 100.0% (2) of administrator accounts do not have specific logon profiles.

Industry Average Comparison (All Accounts)

Section Detail
Account Name          Home Directory   Logon Script Path   Workstation Restrictions   Logon Profile   State   Privilege
Administrator         No               No                  No                         No                      Administrator
bradley               No               No                  No                         No                      User
GpLinkTest            No               No                  No                         No                      Administrator
Guest                 No               No                  No                         No              D       Guest
krbtgt                No               No                  No                         No              D       User
SophosSAUPUFFADDER0   No               No                  No                         No                      User
SophosUpdateMgr       No               No                  No                         No                      User
Sun                   No               No                  No                         No                      User
SUPPORT_388945a0      No               No                  No                         No              D       User
User4                 No               No                  No                         No                      User
User5                 No               No                  No                         No                      User
User6                 No               No                  No                         No              E       User
User7                 No               No                  No                         No                      User
User9                 No               No                  No                         No              LE      User
Virtual1              No               No                  No                         No                      User
Virtual2              No               No                  No                         No                      User

Implications
A home directory is used as the user's default directory for the File Open and Save As dialog boxes, for the command prompt, and for all applications that do not have a defined working directory. Home directories make it easier for an administrator to back up user files and delete user accounts because they are grouped in one location. The home directory can be a local directory on a user's computer or a shared network directory, and can be assigned to a single user or many users.

A user's logon script runs automatically every time the user logs on. It can be used to configure a user's working environment at every logon, and allows an administrator to affect a user's environment without managing all its aspects. A logon script can be assigned to one or more user accounts.

In Windows 200x* Server, Workstation Restrictions can be used to control the computers from which a user is allowed to log on. The alternative is to allow a user to log on from any computer. Restricting the workstations a user can use to log on to your system can improve security and discourage potential hackers. This is especially true for sensitive accounts.

A user profile defines the Windows 200x* configuration for a specific user or group of users. By default, and excepting Guest accounts, each Windows 200x* computer maintains a profile for each user who has logged on to the computer. A profile contains information about a user's Windows 200x* configuration. Much of this information controls options the user can set, such as colour scheme, screen savers, and mouse and keyboard layout. Other information controls options that can be set only by a Windows 200x* administrator, such as access to common program groups or network printers.

Risk Rating
Medium to Low.

Recommended Action
- To minimise potential loss of data and ease administration, users should have defined home directories, which can be regularly backed up.
- To ease administration and afford better control over user environments, each user should have a logon script.
- You should consider the additional benefits in security that workstation restrictions can provide. They are particularly suited to environments with high security needs or very sensitive systems and information.
- You should consider the benefits of defining logon profiles for users. This can ease administration and enhance security.
39. File Permissions and Auditing

Section Summary
This report section details the permissions and audit settings for 5 predefined and 0 user-selected directories/files on your system.

Section Detail
For details see worksheet Permissions in the MS-Excel workbook.

Implications
This report section lists the owner and access permissions (DACL) for selected files and directories. It also lists the audit settings (SACL) for files and directories.

More specifically, the report section lists the contents of each Access Control Entry (ACE) in the file or directory's Discretionary Access Control List (DACL). A DACL contains one or more ACEs that control access to the associated resource. An ACE in a DACL can Allow or Deny access to a resource. A Deny ACE always overrides an Allow ACE.

The report section also lists the contents of each Access Control Entry (ACE) in the file or directory's System Access Control List (SACL). A SACL contains one or more ACEs that define what actions on the object are audited (e.g. deletion of a file and changes to a folder's permissions). The event types are Success and Failure.

Legend:
Resource Name        The name of the resource being analysed.
Resource Type        The type of resource being analysed. At present the only resource types analysed by SekChek are files and directories.
ACL Type             The type of ACL being analysed: a DACL or a SACL.
Owner                The owner of the resource.
Owner Domain         The resource owner's domain.
Owner Account Type   The owner's account type. E.g. Alias, User.
Ace Nbr              The sequential number of the ACE. Windows reads ACEs in this order until it finds a Deny or Allow ACE that denies or permits access to the resource, or an Audit ACE that defines what is audited and the event type.
Account              The name of the account to which this ACE applies.
Account Domain       The account's domain.
Account Type         The type of the account. E.g. Alias, User, Group.
Ace Type             Allow or Deny access to the resource in the case of an ACE in a DACL; Success or Failure events for a SACL.
Apply Onto           Specifies where permissions or auditing are applied. These values are shown as they appear in the Windows property box. E.g.:
                     This folder / object only
                     This folder, subfolders & files
                     This folder & subfolders
                     This folder & files
                     Subfolders & files only
                     Subfolders only
                     Files only
Inherited            Indicates whether the permissions or audit settings are inherited from a higher level.

Special Permissions (ACE in a DACL):
Traverse Folder / Execute File   For folders: Traverse Folder allows or denies moving through folders to reach other files or folders, even if the user has no permissions for the traversed folders (applies to folders only). Traverse Folder takes effect only when the group or user is not granted the Bypass traverse checking user right in the Group Policy snap-in. (By default, the Everyone group is given the Bypass traverse checking user right.) For files: Execute File allows or denies running program files (applies to files only). Setting the Traverse Folder permission on a folder does not automatically set the Execute File permission on all files within that folder.
List Folder / Read Data          List Folder allows or denies viewing file names and subfolder names within the folder. List Folder only affects the contents of that folder and does not affect whether the folder you are setting the permission on will be listed. Applies to folders only. Read Data allows or denies viewing data in files (applies to files only).
Read Attributes                  Allows or denies viewing the attributes of a file or folder, such as read-only and hidden. Attributes are defined by NTFS.
Read Extended Attributes         Allows or denies viewing the extended attributes of a file or folder. Extended attributes are defined by programs and may vary by program.
Create Files / Write Data        Create Files allows or denies creating files within the folder (applies to folders only). Write Data allows or denies making changes to the file and overwriting existing content (applies to files only).
Create Folders / Append Data     Create Folders allows or denies creating folders within the folder (applies to folders only). Append Data allows or denies making changes to the end of the file but not changing, deleting, or overwriting existing data (applies to files only).
Write Attributes                 Allows or denies changing the attributes of a file or folder, such as read-only or hidden. Attributes are defined by NTFS. The Write Attributes permission does not imply creating or deleting files or folders; it only includes the permission to make changes to the attributes of a file or folder. In order to allow (or deny) create or delete operations, see Create Files/Write Data, Create Folders/Append Data, Delete Subfolders and Files, and Delete.
Write Extended Attributes        Allows or denies changing the extended attributes of a file or folder. Extended attributes are defined by programs and may vary by program. The Write Extended Attributes permission does not imply creating or deleting files or folders; it only includes the permission to make changes to the attributes of a file or folder. In order to allow (or deny) create or delete operations, see Create Files/Write Data, Create Folders/Append Data, Delete Subfolders and Files, and Delete.
Delete Subfolders And Files      Allows or denies deleting subfolders and files, even if the Delete permission has not been granted on the subfolder or file (applies to folders).
Delete                           Allows or denies deleting the file or folder. If you don't have Delete permission on a file or folder, you can still delete it if you have been granted Delete Subfolders and Files on the parent folder.
Read Permissions                 Allows or denies reading permissions of the file or folder, such as Full Control, Read, and Write.
Change Permissions               Allows or denies changing permissions of the file or folder, such as Full Control, Read, and Write.
Take Ownership                   Allows or denies taking ownership of the file or folder. The owner of a file or folder can always change permissions on it, regardless of any existing permissions that protect the file or folder.
Synchronise                      Allows or denies different threads to wait on the handle for the file or folder and synchronise with another thread that may signal it. This permission applies only to multithreaded, multiprocess programs.

Windows special permissions are logically grouped to form generic permissions: Full Control, Modify, Read & Execute, List Folder Contents, Read, and Write. The following table illustrates how special permissions are grouped together into these higher-level generic permissions.

Special Permissions             Full Control   Modify   Read & Execute   List Folder Contents (folders only)   Read   Write
Traverse Folder/Execute File    x              x        x                x
List Folder/Read Data           x              x        x                x                                     x
Read Attributes                 x              x        x                x                                     x
Read Extended Attributes        x              x        x                x                                     x
Create Files/Write Data         x              x                                                                      x
Create Folders/Append Data      x              x                                                                      x
Write Attributes                x              x                                                                      x
Write Extended Attributes       x              x                                                                      x
Delete Subfolders and Files     x
Delete                          x              x
Read Permissions                x              x        x                x                                     x      x
Change Permissions              x
Take Ownership                  x
Synchronize                     x              x        x                x                                     x      x

Risk Rating
High (if access permissions are inappropriate and allow unintended access to sensitive resources).

Recommended Action
You should:
- Periodically check access permissions for sensitive files and directories to ensure they remain appropriate and reflect the requirements of a person's job function.
- Ensure that all changes to access permissions are properly authorised by management.
- Consider logging audit events for sensitive files and directories. Note that large numbers of audit log entries may be generated for frequently accessed files and directories.
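The DACL evaluation described in the Implications above (ACEs read in order, a Deny overriding an Allow, the owner always able to change permissions) and the grouping table are easier to reason about as code. The following is an added example, not code from SekChek: it encodes the special permissions as the Windows access-mask bits, builds the generic permissions from the grouping table, and walks a constructed DACL for a fictional EXAMPLE domain the way Windows does for an access request. It also shows why "Deny always overrides Allow" relies on the DACL being kept in canonical order (explicit Deny ACEs first): an Allow that already satisfies the request stops the walk before a later Deny is reached.

```python
"""Added example: Windows DACL evaluation and special-to-generic permission grouping."""
from typing import List, NamedTuple, Set

# NTFS special permissions as access-mask bits (values from the Windows SDK).
FILE_READ_DATA        = 0x00000001  # List Folder / Read Data
FILE_WRITE_DATA       = 0x00000002  # Create Files / Write Data
FILE_APPEND_DATA      = 0x00000004  # Create Folders / Append Data
FILE_READ_EA          = 0x00000008  # Read Extended Attributes
FILE_WRITE_EA         = 0x00000010  # Write Extended Attributes
FILE_EXECUTE          = 0x00000020  # Traverse Folder / Execute File
FILE_DELETE_CHILD     = 0x00000040  # Delete Subfolders and Files
FILE_READ_ATTRIBUTES  = 0x00000080  # Read Attributes
FILE_WRITE_ATTRIBUTES = 0x00000100  # Write Attributes
DELETE                = 0x00010000  # Delete
READ_CONTROL          = 0x00020000  # Read Permissions
WRITE_DAC             = 0x00040000  # Change Permissions
WRITE_OWNER           = 0x00080000  # Take Ownership
SYNCHRONIZE           = 0x00100000  # Synchronize

# Generic permissions built from the grouping table above.  "List Folder Contents"
# has the same bits as Read & Execute and differs only in where it is applied
# (folders and subfolders, not files), so it is not listed separately.
READ         = FILE_READ_DATA | FILE_READ_ATTRIBUTES | FILE_READ_EA | READ_CONTROL | SYNCHRONIZE
WRITE        = (FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_ATTRIBUTES
                | FILE_WRITE_EA | READ_CONTROL | SYNCHRONIZE)
READ_EXECUTE = READ | FILE_EXECUTE
MODIFY       = READ_EXECUTE | WRITE | DELETE
FULL_CONTROL = MODIFY | FILE_DELETE_CHILD | WRITE_DAC | WRITE_OWNER   # 0x1F01FF

GENERIC = [("Full Control", FULL_CONTROL), ("Modify", MODIFY),
           ("Read & Execute", READ_EXECUTE), ("Read", READ), ("Write", WRITE)]


def generic_names(mask: int) -> List[str]:
    """Generic permissions whose every special permission is present in mask."""
    return [name for name, bits in GENERIC if mask & bits == bits]


class Ace(NamedTuple):
    kind: str      # "allow" or "deny"
    trustee: str   # account or group the ACE applies to
    mask: int      # special permissions covered by this ACE


def access_check(dacl: List[Ace], principal: str, groups: Set[str],
                 requested: int, owner: str) -> bool:
    """Walk the DACL in order for one access request.

    A Deny ACE covering any requested right refuses access at once; Allow ACEs
    accumulate rights until everything requested is granted, at which point the
    walk stops.  Rights never granted are refused.  The owner implicitly holds
    Read Permissions and Change Permissions.
    """
    trustees = set(groups) | {principal}
    remaining = requested
    if principal == owner:
        remaining &= ~(READ_CONTROL | WRITE_DAC)
    for ace in dacl:
        if remaining == 0:
            break                                  # request already satisfied
        if ace.trustee not in trustees:
            continue
        if ace.kind == "deny" and ace.mask & requested:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
    return remaining == 0


# Constructed sample DACL for a finance folder in a fictional EXAMPLE domain,
# in canonical order (explicit Deny ACE first).
OWNER = "EXAMPLE\\FinanceAdmin"
FINANCE_DACL = [
    Ace("deny",  "EXAMPLE\\Contractors", FILE_WRITE_DATA | FILE_APPEND_DATA | DELETE),
    Ace("allow", "BUILTIN\\Administrators", FULL_CONTROL),
    Ace("allow", "EXAMPLE\\Finance", MODIFY),
    Ace("allow", "EXAMPLE\\Domain Users", READ),
]

# Non-canonical DACL: the Allow is reached first, so the Deny never takes effect.
NON_CANONICAL = [Ace("allow", "Everyone", READ), Ace("deny", "Everyone", READ)]

if __name__ == "__main__":
    print(generic_names(MODIFY))
    print(access_check(FINANCE_DACL, "alice", {"EXAMPLE\\Finance"}, MODIFY, OWNER))
    print(access_check(FINANCE_DACL, "bob", {"EXAMPLE\\Contractors", "EXAMPLE\\Finance"}, MODIFY, OWNER))
    print(access_check(NON_CANONICAL, "eve", {"Everyone"}, READ, OWNER))
```

The ordering dependence is the practical reason a reviewer reads the Ace Nbr column together with the Ace Type column: a Deny ACE that appears after an Allow covering the same rights (which Windows tools normally prevent, but which can be written with raw APIs) does not protect the resource.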
70-640 R4: Configuring Windows Server 2008 Active Directory
70-640 R4: Configuring Windows Server 2008 Active Directory Course Introduction Course Introduction Chapter 01 - Installing the Active Directory Role Lesson: What is IDA? What is Active Directory Identity
MCTS Guide to Microsoft Windows 7. Chapter 13 Enterprise Computing
MCTS Guide to Microsoft Windows 7 Chapter 13 Enterprise Computing Objectives Understand Active Directory Use Group Policy to control Windows 7 Control device installation with Group Policy settings Plan
Remote Application Server Version 14. Last updated: 25-02-15
Remote Application Server Version 14 Last updated: 25-02-15 Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise
Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Course 6425C: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services Course Details Course Outline Module 1: Introducing Active Directory Domain Services This module provides
Administering Windows Server 2012
Administering Windows Server 2012 Course Summary Configuring and Troubleshooting Domain Name System Maintaining Active Directory Domain Services Managing User and Service Accounts Implementing a Group
User Management Guide
AlienVault Unified Security Management (USM) 4.x-5.x User Management Guide USM v4.x-5.x User Management Guide, rev 1 Copyright 2015 AlienVault, Inc. All rights reserved. The AlienVault Logo, AlienVault,
Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services Course Number: 6425B Course Length: 5 Days Course Overview This five-day course provides to teach Active Directory Technology
AD Account Lockout Investigation and Root Cause Analysis
AD Account Lockout Investigation and Root Cause Analysis Allen Chin Principal Consultant [email protected] 1 Contents 1 Background Issue 2 What was done 3 What were discovered 4 Recommendations 5
Table of Contents. Introduction...9. Installation...17. Program Tour...31. The Program Components...10 Main Program Features...11
2011 AdRem Software, Inc. This document is written by AdRem Software and represents the views and opinions of AdRem Software regarding its content, as of the date the document was issued. The information
Netwrix Auditor for Windows Server
Netwrix Auditor for Windows Server Quick-Start Guide Version: 7.0 7/7/2015 Legal Notice The information in this publication is furnished for information use only, and does not constitute a commitment from
Kaseya 2. Quick Start Guide. for Network Monitor 4.1
Kaseya 2 VMware Performance Monitor Quick Start Guide for Network Monitor 4.1 June 7, 2012 About Kaseya Kaseya is a global provider of IT automation software for IT Solution Providers and Public and Private
Training Name Installing and Configuring Windows Server 2012
Training Name Installing and Configuring Windows Server 2012 Exam Code 70 410 At Course Completion After completing this course, students will be able to: Install and configure Windows Server 2012. Describe
User-ID Best Practices
User-ID Best Practices PAN-OS 5.0, 5.1, 6.0 Revision A 2011, Palo Alto Networks, Inc. www.paloaltonetworks.com Table of Contents PAN-OS User-ID Functions... 3 User / Group Enumeration... 3 Using LDAP Servers
Introduction to Computer Security
Introduction to Computer Security Windows Security Pavel Laskov Wilhelm Schickard Institute for Computer Science Microsoft Windows Family Tree Key security milestones: NT 3.51 (1993): network drivers and
Computer Security: Principles and Practice
Computer Security: Principles and Practice Chapter 24 Windows and Windows Vista Security First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Windows and Windows Vista Security
Exam 70-410: Installing and Configuring Windows Server 2012
Exam 70-410: Installing and Configuring Windows Server 2012 Course Overview This course is part one, of a series of three courses, which validate the skills and knowledge necessary to implement a core
Managing Users and Identity Stores
CHAPTER 8 Overview ACS manages your network devices and other ACS clients by using the ACS network resource repositories and identity stores. When a host connects to the network through ACS requesting
Workflow Templates Library
Workflow s Library Table of Contents Intro... 2 Active Directory... 3 Application... 5 Cisco... 7 Database... 8 Excel Automation... 9 Files and Folders... 10 FTP Tasks... 13 Incident Management... 14 Security
NE-6425C Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
NE-6425C Configuring and Troubleshooting Windows Server 2008 Active Domain Services Summary Duration Vendor Audience 5 Days Microsoft IT Professionals Published Level Technology 02 June 2011 200 Windows
Table Of Contents. - Microsoft Windows - WINDOWS XP - IMPLEMENTING & SUPPORTING MICROSOFT WINDOWS XP PROFESSIONAL...10
Table Of Contents - - WINDOWS SERVER 2003 MAINTAINING AND MANAGING ENVIRONMENT...1 WINDOWS SERVER 2003 IMPLEMENTING, MANAGING & MAINTAINING...6 WINDOWS XP - IMPLEMENTING & SUPPORTING MICROSOFT WINDOWS
Detecting rogue systems
Product Guide Revision A McAfee Rogue System Detection 4.7.1 For use with epolicy Orchestrator 4.6.3-5.0.0 Software Detecting rogue systems Unprotected systems, referred to as rogue systems, are often
CITRIX 1Y0-A14 EXAM QUESTIONS & ANSWERS
CITRIX 1Y0-A14 EXAM QUESTIONS & ANSWERS Number: 1Y0-A14 Passing Score: 800 Time Limit: 90 min File Version: 42.2 http://www.gratisexam.com/ CITRIX 1Y0-A14 EXAM QUESTIONS & ANSWERS Exam Name: Implementing
NETASQ SSO Agent Installation and deployment
NETASQ SSO Agent Installation and deployment Document version: 1.3 Reference: naentno_sso_agent Page 1 / 20 Copyright NETASQ 2013 General information 3 Principle 3 Requirements 3 Active Directory user
ES3452 MFP, ES5462 MFP,
Configuration Guide This guide supports the following models: MC332dn, MC342dn, MC342dw, MC352dn, MC362dn, MC362dw, MC562dn, MC562dw, ES3452 MFP, ES5462 MFP, MPS2731mc PREFACE Every effort has been made
6425C - Windows Server 2008 R2 Active Directory Domain Services
Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services Introduction This five-day instructor-led course provides in-depth training on configuring Active Directory Domain Services
Course 6425C: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Course 6425C: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services Course OutlineModule 1: Introducing Active Directory Domain Services This module provides an overview
Remote Application Server Version 14. Last updated: 06-02-15
Remote Application Server Version 14 Last updated: 06-02-15 Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise
MCSE TestPrep: Windows NT Server 4, Second Edition - 3 - Managing Resources
MCSE TestPrep: Windows NT Server 4, Second Edition - CH 3 - Managing Resources Page 1 of 36 [Figures are not included in this sample chapter] MCSE TestPrep: Windows NT Server 4, Second Edition - 3 - Managing
RES ONE Automation 2015 Task Overview
RES ONE Automation 2015 Task Overview Task Overview RES ONE Automation 2015 Configuration Tasks The library Configuration contains Tasks that relate to the configuration of a computer, such as applying
GFI White Paper PCI-DSS compliance and GFI Software products
White Paper PCI-DSS compliance and Software products The Payment Card Industry Data Standard () compliance is a set of specific security standards developed by the payment brands* to help promote the adoption
ADSelfService Plus Client Software Installation Guide
ADSelfService Plus Client Software Installation Guide ( I n s t a l l a t io n t h r o u g h A DS e l f S e r v ic e P l u s w e b p o r t a l a n d M a n u a l I n s t a l l a t io n ) 1 Table of Contents
Designing and Implementing a Server Infrastructure
Page 1 of 7 Overview This 5-day instructor-led course provides you with the skills and knowledge needed to plan, design, and deploy a physical and logical Windows Server 2012 Active Directory Domain Services
NETWORK PRINT MONITOR User Guide
NETWORK PRINT MONITOR User Guide Legal Notes Unauthorized reproduction of all or part of this guide is prohibited. The information in this guide is subject to change without notice. We cannot be held liable
Microsoft Windows Server System White Paper
Introduction to Network Access Protection Microsoft Corporation Published: June 2004, Updated: May 2006 Abstract Network Access Protection, a platform for Microsoft Windows Server "Longhorn" (now in beta
Symantec Enterprise Security Manager Baseline Policy Manual for CIS Benchmark. For Windows Server 2008 (Domain Member Servers and Domain Controllers)
Symantec Enterprise Security Manager Baseline Policy Manual for CIS Benchmark For Windows Server 2008 (Domain Member Servers and Domain Controllers) Symantec Enterprise Security Manager Baseline Policy
Kaseya 2. User Guide. for Network Monitor 4.1
Kaseya 2 Ping Monitor User Guide for Network Monitor 4.1 June 5, 2012 About Kaseya Kaseya is a global provider of IT automation software for IT Solution Providers and Public and Private Sector IT organizations.
Threats and Countermeasures Guide: Security Settings in Windows 7 and Windows Server 2008 R2
Threats and Countermeasures Guide: Security Settings in Windows 7 and Windows Server 2008 R2 Microsoft Corporation Published: May 2011 Authors: Starr Andersen, Greg Marshall, Eric Mitchell, Roland Winkler
Designing and Implementing a Server Infrastructure
Course 20413C: Designing and Implementing a Server Infrastructure Page 1 of 7 Designing and Implementing a Server Infrastructure Course 20413: 4 days; Instructor-Led Introduction This 4-day instructor-led
Step-by-Step Guide for Creating and Testing Connection Manager Profiles in a Test Lab
Step-by-Step Guide for Creating and Testing Connection Manager Profiles in a Test Lab Microsoft Corporation Published: May, 2005 Author: Microsoft Corporation Abstract This guide describes how to create
MCSA Security + Certification Program
MCSA Security + Certification Program 12 credit hours 270 hours to complete certifications Tuition: $4500 Information technology positions are high-demand occupations that support virtually all industries.
MS 70-411 Exam Objectives Administering Windows Server 2012 R2
MS 70-411 Exam Objectives Administering Windows Server 2012 R2 Below are the exam objectives for Administering Windows Server 2012 R2 Exam 70-411 Tasks measured as per latest update implemented in January
SECURITY BEST PRACTICES FOR CISCO PERSONAL ASSISTANT (1.4X)
WHITE PAPER SECURITY BEST PRACTICES FOR CISCO PERSONAL ASSISTANT (1.4X) INTRODUCTION This document covers the recommended best practices for hardening a Cisco Personal Assistant 1.4(x) server. The term
Dell Active Administrator 8.0
What s new in Dell Active Administrator 8.0 January 2016 Dell Active Administrator 8.0 is the upcoming release of Dell Software's complete solution for managing Microsoft Active Directory security auditing,
Server Manager Performance Monitor. Server Manager Diagnostics Page. . Information. . Audit Success. . Audit Failure
Server Manager Diagnostics Page 653. Information. Audit Success. Audit Failure The view shows the total number of events in the last hour, 24 hours, 7 days, and the total. Each of these nodes can be expanded
Password Reset PRO INSTALLATION GUIDE
Password Reset PRO INSTALLATION GUIDE This guide covers the new features and settings available in Password Reset PRO. Please read this guide completely to ensure a trouble-free installation. March 2009
