Security Options... 1

Transcription

1 Effective Server Security Options Period: Last 20 week(s) Generated: For: Brian Bartlett By: Ecora Auditor Professional Windows Module Using: Customized FFR Definition based on 'Effective Server Security Options' Description: A Fact-Finding report will show values greater than, less than, or unlike a threshold value you set. These reports are very surgical in their precision - you can pull precisely the data you need, but they also offer a wealth of data through hundreds of built-in reports created by experts. Effective Server Security Options Table of Contents Security Options... 1 Collected Not-Collected Legend DEFAULT *UA* *FC* *NS* Security Options Table 1. BSP/BIGMOUNTAIN The value presented in the report was not directly reported by the target, but implied by the current value or lack of a value for the attribute Unavailable attribute. The current configuration or version of target platform does not provide a value for this attribute. More detail in logs Collection of value failed Value not selected for collection Accounts: Limit local account use of blank passwords to console logon only Devices: Allow undock without having to log on Devices: Prevent users from installing printer drivers Powered by Ecora Auditor Professional Windows Module Page 1 of 14

2 Devices: Restrict CD-ROM access to locally logged-on user only Devices: Restrict floppy access to locally logged-on user only Devices: Unsigned driver installation behavior Domain controller: Allow server operators to schedule tasks Domain controller: LDAP server signing requirements Domain member: Digitally encrypt or sign secure channel data (always) Domain member: Disable machine account password changes Domain member: Require strong (Windows 2000 or later) session key Interactive logon: Do not display last user name Interactive logon: Prompt user to change password before expiration Digitally sign communications (always) Digitally sign communications (if client agrees) Network access: Do not allow anonymous enumeration of SAM accounts Warn but allow installation None 14 days Powered by Ecora Auditor Professional Windows Module Page 2 of 14

3 Network access: Do not allow anonymous enumeration of SAM accounts and shares Network access: Do not allow storage of credentials or.net Passports for network authentication Network access: Let Everyone permissions apply to anonymous users Network access: Named Pipes that can be accessed anonymously Network access: Remotely accessible registry paths Network access: Remotely accessible registry paths and sub-paths Network access: Restrict anonymous access to Named Pipes and Shares Network access: Shares that can be accessed anonymously COMNAP COMNODE SQL\QUERY SPOOLSS LLSRPC TrkSrv netlogon lsarpc samr browser System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog System\CurrentControlSet\Services\Replicator System\CurrentControlSet\Control\ContentIndex\Catalogs System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows COMCFG DFS$ CHEYALERT$ Powered by Ecora Auditor Professional Windows Module Page 3 of 14

4 Network access: Sharing and security model for local accounts Network security: LAN Manager authentication level Network security: LDAP client signing requirements Recovery console: Allow automatic administrative logon Recovery console: Allow floppy copy and access to all drives and all folders Rename administrator account Classic - local users authenticate as themselves Send NTLM response only Negotiate signing Donald Rename guest account Gerald Shutdown: Clear virtual memory pagefile System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing System objects: Default owner for objects created by members of the Administrators group System objects: Require case insensitivity for non-windows subsystems System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) System settings: Optional subsystems Administrators group Posix Powered by Ecora Auditor Professional Windows Module Page 4 of 14

5 Table 2. BSP/CHEYENNE Security Option Accounts: Limit local account use of blank passwords to console logon only Audit: Audit the access of global system objects Audit: Audit the use of Backup and Restore privilege Audit: Shut down system immediately if unable to log security audits Devices: Allow undock without having to log on Devices: Allowed to format and eject removable media Devices: Prevent users from installing printer drivers Devices: Restrict CD-ROM access to locally logged-on user only Devices: Restrict floppy access to locally logged-on user only Devices: Unsigned driver installation behavior Domain member: Digitally encrypt or sign secure channel data (always) Domain member: Digitally encrypt secure channel data (when possible) Domain member: Digitally sign secure channel data (when possible) Domain member: Disable machine account password changes Domain member: Maximum machine account password age Security Option Settings Administrators Warn but allow installation 30 days Overriden By GPO Powered by Ecora Auditor Professional Windows Module Page 5 of 14

6 Security Option Security Option Settings Overriden By GPO Domain member: Require strong (Windows 2000 or later) session key Interactive logon: Display user information when the session is locked Interactive logon: Do not display last user name Interactive logon: Do not require CTRL+ALT+DEL Interactive logon: Message text for users attempting to log on Interactive logon: Message title for users attempting to log on Interactive logon: Number of previous logons to cache (in case domain controller is not available) Interactive logon: Prompt user to change password before expiration Interactive logon: Require Domain Controller authentication to unlock workstation Interactive logon: Require smart card Interactive logon: Smart card removal behavior Microsoft network client: Digitally sign communications (always) Microsoft network client: Digitally sign communications (if server agrees) Microsoft network client: Send unencrypted password to third-party SMB servers Amount of idle time required before suspending session Do not display user information 10 logons 14 days No Action 15 minutes Powered by Ecora Auditor Professional Windows Module Page 6 of 14

7 Security Option Digitally sign communications (always) Digitally sign communications (if client agrees) Disconnect clients when logon hours expire Network access: Do not allow anonymous enumeration of SAM accounts Network access: Do not allow anonymous enumeration of SAM accounts and shares Network access: Do not allow storage of credentials or.net Passports for network authentication Network access: Let Everyone permissions apply to anonymous users Network access: Named Pipes that can be accessed anonymously Network access: Remotely accessible registry paths Network access: Remotely accessible registry paths and sub-paths Security Option Settings COMNAP COMNODE SQL\QUERY SPOOLSS NETLOGON LSARPC SAMR BROWSER System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration System\CurrentControlSet\Services\Wins Overriden By GPO Powered by Ecora Auditor Professional Windows Module Page 7 of 14

8 Security Option Network access: Restrict anonymous access to Named Pipes and Shares Network access: Shares that can be accessed anonymously Network access: Sharing and security model for local accounts Network security: Do not store LAN Manager hash value on next password change Network security: LAN Manager authentication level Network security: LDAP client signing requirements Network security: Minimum session security for NTLM SSP based (including secure RPC) clients Network security: Minimum session security for NTLM SSP based (including secure RPC) servers Recovery console: Allow automatic administrative logon Recovery console: Allow floppy copy and access to all drives and all folders Shutdown: Allow system to be shut down without having to log on Shutdown: Clear virtual memory pagefile Security Option Settings Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog SYSTEM\CurrentControlSet\Services\CertSvc COMCFG DFS$ Classic - local users authenticate as themselves Send NTLM response only Negotiate signing 0 0 Overriden By GPO Powered by Ecora Auditor Professional Windows Module Page 8 of 14

9 Security Option System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing System objects: Default owner for objects created by members of the Administrators group System objects: Require case insensitivity for non-windows subsystems System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) System settings: Optional subsystems System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies Security Option Settings Administrators group Posix Overriden By GPO Table 3. BSP/PITA1 Accounts: Limit local account use of blank passwords to console logon only Audit: Audit the access of global system objects Audit: Audit the use of Backup and Restore privilege Audit: Shut down system immediately if unable to log security audits Devices: Allow undock without having to log on Devices: Allowed to format and eject removable media Devices: Prevent users from installing printer drivers Administrators Powered by Ecora Auditor Professional Windows Module Page 9 of 14

10 Devices: Restrict CD-ROM access to locally logged-on user only Devices: Restrict floppy access to locally logged-on user only Devices: Unsigned driver installation behavior Domain controller: LDAP server signing requirements Domain member: Digitally encrypt or sign secure channel data (always) Domain member: Digitally encrypt secure channel data (when possible) Domain member: Digitally sign secure channel data (when possible) Domain member: Disable machine account password changes Domain member: Maximum machine account password age Domain member: Require strong (Windows 2000 or later) session key Interactive logon: Do not display last user name Interactive logon: Do not require CTRL+ALT+DEL Interactive logon: Message text for users attempting to log on Interactive logon: Message title for users attempting to log on Warn but allow installation None 30 days Powered by Ecora Auditor Professional Windows Module Page 10 of 14

11 Interactive logon: Number of previous logons to cache (in case domain controller is not available) Interactive logon: Prompt user to change password before expiration Interactive logon: Require Domain Controller authentication to unlock workstation Interactive logon: Require smart card Interactive logon: Smart card removal behavior Microsoft network client: Digitally sign communications (always) Microsoft network client: Digitally sign communications (if server agrees) Microsoft network client: Send unencrypted password to third-party SMB servers Amount of idle time required before suspending session Digitally sign communications (always) Digitally sign communications (if client agrees) Disconnect clients when logon hours expire Network access: Do not allow anonymous enumeration of SAM accounts 10 logons 14 days No Action 15 minutes Powered by Ecora Auditor Professional Windows Module Page 11 of 14

12 Network access: Do not allow anonymous enumeration of SAM accounts and shares Network access: Do not allow storage of credentials or.net Passports for network authentication Network access: Let Everyone permissions apply to anonymous users Network access: Named Pipes that can be accessed anonymously Network access: Remotely accessible registry paths Network access: Remotely accessible registry paths and sub-paths Network access: Restrict anonymous access to Named Pipes and Shares Network access: Shares that can be accessed anonymously Network access: Sharing and security model for local accounts COMNAP COMNODE SQL\QUERY SPOOLSS netlogon lsarpc samr browser System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog COMCFG DFS$ Classic - local users authenticate as themselves Powered by Ecora Auditor Professional Windows Module Page 12 of 14

13 Network security: Do not store LAN Manager hash value on next password change Network security: LAN Manager authentication level Network security: LDAP client signing requirements Network security: Minimum session security for NTLM SSP based (including secure RPC) clients Network security: Minimum session security for NTLM SSP based (including secure RPC) servers Recovery console: Allow automatic administrative logon Recovery console: Allow floppy copy and access to all drives and all folders Shutdown: Allow system to be shut down without having to log on Shutdown: Clear virtual memory pagefile System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing System objects: Default owner for objects created by members of the Administrators group System objects: Require case insensitivity for non-windows subsystems Send NTLM response only Negotiate signing 0 0 Administrators group Powered by Ecora Auditor Professional Windows Module Page 13 of 14

14 System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) System settings: Optional subsystems System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies Posix Powered by Ecora Auditor Professional Windows Module Page 14 of 14