
Effective Server Security Options

Period: Last 20 week(s)
Generated:
For: Brian Bartlett bbartlett@ecora.com
By: Ecora Auditor Professional 4.5 - Windows Module 4.5.8010.20310
Using: Customized FFR Definition based on 'Effective Server Security Options'
Description: A Fact-Finding report shows values greater than, less than, or unlike a threshold value you set. These reports are surgical in their precision: you can pull precisely the data you need, and they also offer a wealth of data through hundreds of built-in reports created by experts.

Table of Contents
Security Options

Legend
Collected / Not-Collected: shown as icons in the original report; not preserved in this text.
DEFAULT: The value presented in the report was not directly reported by the target, but implied by the current value or lack of a value for the attribute.
*UA*: Unavailable attribute. The current configuration or version of the target platform does not provide a value for this attribute. More detail in logs.
*FC*: Collection of value failed.
*NS*: Value not selected for collection.

Security Options

Reading the tables: the report renders Enabled/Disabled settings as icons, and neither those icons nor the "Overridden By GPO" column of Tables 2 and 3 survived extraction, so an option listed without a value had an icon value in the original. Text values that did survive are written after the option as "Option = Setting"; because the original column alignment was lost, each text value is attached to the only option whose value domain it fits (for example, "Warn but allow installation" is a value only of the unsigned-driver option). The two registry-path lists ("Remotely accessible registry paths" and "... and sub-paths") ran together in extraction and are shown as one combined list per server.

Table 1. BSP/BIGMOUNTAIN
Columns: Security Option = Setting

Accounts: Limit local account use of blank passwords to console logon only
Devices: Allow undock without having to log on
Devices: Prevent users from installing printer drivers
Devices: Restrict CD-ROM access to locally logged-on user only
Devices: Restrict floppy access to locally logged-on user only
Devices: Unsigned driver installation behavior = Warn but allow installation
Domain controller: Allow server operators to schedule tasks
Domain controller: LDAP server signing requirements = None
Domain member: Digitally encrypt or sign secure channel data (always)
Domain member: Disable machine account password changes
Domain member: Require strong (Windows 2000 or later) session key
Interactive logon: Do not display last user name
Interactive logon: Prompt user to change password before expiration = 14 days
Microsoft network server: Digitally sign communications (always)
Microsoft network server: Digitally sign communications (if client agrees)
Network access: Do not allow anonymous enumeration of SAM accounts
Network access: Do not allow anonymous enumeration of SAM accounts and shares
Network access: Do not allow storage of credentials or .NET Passports for network authentication
Network access: Let Everyone permissions apply to anonymous users
Network access: Named Pipes that can be accessed anonymously = COMNAP, COMNODE, SQL\QUERY, SPOOLSS, LLSRPC, TrkSrv, netlogon, lsarpc, samr, browser
Network access: Remotely accessible registry paths / Remotely accessible registry paths and sub-paths (combined) =
    System\CurrentControlSet\Control\ProductOptions
    System\CurrentControlSet\Control\Server Applications
    Software\Microsoft\Windows NT\CurrentVersion
    System\CurrentControlSet\Control\Print\Printers
    System\CurrentControlSet\Services\Eventlog
    System\CurrentControlSet\Services\Replicator
    System\CurrentControlSet\Control\ContentIndex\Catalogs
    System\CurrentControlSet\Control\ContentIndex
    System\CurrentControlSet\Control\Terminal Server
    System\CurrentControlSet\Control\Terminal Server\UserConfig
    System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
    Software\Microsoft\Windows NT\CurrentVersion\Perflib
    System\CurrentControlSet\Services\SysmonLog
    Software\Microsoft\Windows NT\CurrentVersion\Print
    Software\Microsoft\Windows NT\CurrentVersion\Windows
Network access: Restrict anonymous access to Named Pipes and Shares
Network access: Shares that can be accessed anonymously = COMCFG, DFS$, CHEYALERT$
Network access: Sharing and security model for local accounts = Classic - local users authenticate as themselves
Network security: LAN Manager authentication level = Send NTLM response only
Network security: LDAP client signing requirements = Negotiate signing
Recovery console: Allow automatic administrative logon
Recovery console: Allow floppy copy and access to all drives and all folders
Accounts: Rename administrator account = Donald
Accounts: Rename guest account = Gerald
Shutdown: Clear virtual memory pagefile
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
System objects: Default owner for objects created by members of the Administrators group = Administrators group
System objects: Require case insensitivity for non-Windows subsystems
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)
System settings: Optional subsystems = Posix

Table 2. BSP/CHEYENNE
Columns: Security Option = Setting (the "Overridden By GPO" column did not survive extraction)

Accounts: Limit local account use of blank passwords to console logon only
Audit: Audit the access of global system objects
Audit: Audit the use of Backup and Restore privilege
Audit: Shut down system immediately if unable to log security audits
Devices: Allow undock without having to log on
Devices: Allowed to format and eject removable media = Administrators
Devices: Prevent users from installing printer drivers
Devices: Restrict CD-ROM access to locally logged-on user only
Devices: Restrict floppy access to locally logged-on user only
Devices: Unsigned driver installation behavior = Warn but allow installation
Domain member: Digitally encrypt or sign secure channel data (always)
Domain member: Digitally encrypt secure channel data (when possible)
Domain member: Digitally sign secure channel data (when possible)
Domain member: Disable machine account password changes
Domain member: Maximum machine account password age = 30 days
Domain member: Require strong (Windows 2000 or later) session key
Interactive logon: Display user information when the session is locked = Do not display user information
Interactive logon: Do not display last user name
Interactive logon: Do not require CTRL+ALT+DEL
Interactive logon: Message text for users attempting to log on
Interactive logon: Message title for users attempting to log on
Interactive logon: Number of previous logons to cache (in case domain controller is not available) = 10 logons
Interactive logon: Prompt user to change password before expiration = 14 days
Interactive logon: Require Domain Controller authentication to unlock workstation
Interactive logon: Require smart card
Interactive logon: Smart card removal behavior = No Action
Microsoft network client: Digitally sign communications (always)
Microsoft network client: Digitally sign communications (if server agrees)
Microsoft network client: Send unencrypted password to third-party SMB servers
Microsoft network server: Amount of idle time required before suspending session = 15 minutes
Microsoft network server: Digitally sign communications (always)
Microsoft network server: Digitally sign communications (if client agrees)
Microsoft network server: Disconnect clients when logon hours expire
Network access: Do not allow anonymous enumeration of SAM accounts
Network access: Do not allow anonymous enumeration of SAM accounts and shares
Network access: Do not allow storage of credentials or .NET Passports for network authentication
Network access: Let Everyone permissions apply to anonymous users
Network access: Named Pipes that can be accessed anonymously = COMNAP, COMNODE, SQL\QUERY, SPOOLSS, NETLOGON, LSARPC, SAMR, BROWSER
Network access: Remotely accessible registry paths / Remotely accessible registry paths and sub-paths (combined) =
    System\CurrentControlSet\Control\ProductOptions
    System\CurrentControlSet\Control\Server Applications
    Software\Microsoft\Windows NT\CurrentVersion
    System\CurrentControlSet\Control\Print\Printers
    System\CurrentControlSet\Services\Eventlog
    Software\Microsoft\OLAP Server
    System\CurrentControlSet\Control\ContentIndex
    System\CurrentControlSet\Control\Terminal Server
    System\CurrentControlSet\Control\Terminal Server\UserConfig
    System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
    System\CurrentControlSet\Services\Wins
    Software\Microsoft\Windows NT\CurrentVersion\Print
    Software\Microsoft\Windows NT\CurrentVersion\Windows
    Software\Microsoft\Windows NT\CurrentVersion\Perflib
    System\CurrentControlSet\Services\SysmonLog
    SYSTEM\CurrentControlSet\Services\CertSvc
Network access: Restrict anonymous access to Named Pipes and Shares
Network access: Shares that can be accessed anonymously = COMCFG, DFS$
Network access: Sharing and security model for local accounts = Classic - local users authenticate as themselves
Network security: Do not store LAN Manager hash value on next password change
Network security: LAN Manager authentication level = Send NTLM response only
Network security: LDAP client signing requirements = Negotiate signing
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients = 0
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers = 0
Recovery console: Allow automatic administrative logon
Recovery console: Allow floppy copy and access to all drives and all folders
Shutdown: Allow system to be shut down without having to log on
Shutdown: Clear virtual memory pagefile
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
System objects: Default owner for objects created by members of the Administrators group = Administrators group
System objects: Require case insensitivity for non-Windows subsystems
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)
System settings: Optional subsystems = Posix
System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies

Table 3. BSP/PITA1
Columns: Security Option = Setting (the "Overridden By GPO" column did not survive extraction)

Accounts: Limit local account use of blank passwords to console logon only
Audit: Audit the access of global system objects
Audit: Audit the use of Backup and Restore privilege
Audit: Shut down system immediately if unable to log security audits
Devices: Allow undock without having to log on
Devices: Allowed to format and eject removable media = Administrators
Devices: Prevent users from installing printer drivers
Devices: Restrict CD-ROM access to locally logged-on user only
Devices: Restrict floppy access to locally logged-on user only
Devices: Unsigned driver installation behavior = Warn but allow installation
Domain controller: LDAP server signing requirements = None
Domain member: Digitally encrypt or sign secure channel data (always)
Domain member: Digitally encrypt secure channel data (when possible)
Domain member: Digitally sign secure channel data (when possible)
Domain member: Disable machine account password changes
Domain member: Maximum machine account password age = 30 days
Domain member: Require strong (Windows 2000 or later) session key
Interactive logon: Do not display last user name
Interactive logon: Do not require CTRL+ALT+DEL
Interactive logon: Message text for users attempting to log on
Interactive logon: Message title for users attempting to log on
Interactive logon: Number of previous logons to cache (in case domain controller is not available) = 10 logons
Interactive logon: Prompt user to change password before expiration = 14 days
Interactive logon: Require Domain Controller authentication to unlock workstation
Interactive logon: Require smart card
Interactive logon: Smart card removal behavior = No Action
Microsoft network client: Digitally sign communications (always)
Microsoft network client: Digitally sign communications (if server agrees)
Microsoft network client: Send unencrypted password to third-party SMB servers
Microsoft network server: Amount of idle time required before suspending session = 15 minutes
Microsoft network server: Digitally sign communications (always)
Microsoft network server: Digitally sign communications (if client agrees)
Microsoft network server: Disconnect clients when logon hours expire
Network access: Do not allow anonymous enumeration of SAM accounts
Network access: Do not allow anonymous enumeration of SAM accounts and shares
Network access: Do not allow storage of credentials or .NET Passports for network authentication
Network access: Let Everyone permissions apply to anonymous users
Network access: Named Pipes that can be accessed anonymously = COMNAP, COMNODE, SQL\QUERY, SPOOLSS, netlogon, lsarpc, samr, browser
Network access: Remotely accessible registry paths / Remotely accessible registry paths and sub-paths (combined) =
    System\CurrentControlSet\Control\ProductOptions
    System\CurrentControlSet\Control\Server Applications
    Software\Microsoft\Windows NT\CurrentVersion
    System\CurrentControlSet\Control\Print\Printers
    System\CurrentControlSet\Services\Eventlog
    Software\Microsoft\OLAP Server
    Software\Microsoft\Windows NT\CurrentVersion\Print
    Software\Microsoft\Windows NT\CurrentVersion\Windows
    System\CurrentControlSet\Control\ContentIndex
    System\CurrentControlSet\Control\Terminal Server
    System\CurrentControlSet\Control\Terminal Server\UserConfig
    System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
    Software\Microsoft\Windows NT\CurrentVersion\Perflib
    System\CurrentControlSet\Services\SysmonLog
Network access: Restrict anonymous access to Named Pipes and Shares
Network access: Shares that can be accessed anonymously = COMCFG, DFS$
Network access: Sharing and security model for local accounts = Classic - local users authenticate as themselves
Network security: Do not store LAN Manager hash value on next password change
Network security: LAN Manager authentication level = Send NTLM response only
Network security: LDAP client signing requirements = Negotiate signing
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients = 0
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers = 0
Recovery console: Allow automatic administrative logon
Recovery console: Allow floppy copy and access to all drives and all folders
Shutdown: Allow system to be shut down without having to log on
Shutdown: Clear virtual memory pagefile
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
System objects: Default owner for objects created by members of the Administrators group = Administrators group
System objects: Require case insensitivity for non-Windows subsystems
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)
System settings: Optional subsystems = Posix
System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies

Powered by Ecora Auditor Professional 4.5 - Windows Module 4.5.8010.20310
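Several of the text values above describe a weak posture that a reviewer would want to confirm directly on the host rather than trust the report alone: all three servers run at LAN Manager authentication level "Send NTLM response only" (level 2, at which the server still accepts LM and NTLMv1 responses), BSP/CHEYENNE and BSP/PITA1 report 0 for both NTLM SSP minimum session security options (no NTLMv2 session security or 128-bit requirement enforced), BSP/BIGMOUNTAIN and BSP/PITA1 have LDAP server signing set to "None", and every server publishes a non-empty list of anonymously accessible pipes and shares. The script below is an added example and is not part of the Ecora report or of Ecora's tooling. It reads the registry values that back these Security Options policies on the local machine (the registry holds the value actually in force, which is also what a GPO override ends up writing) and rates each against a hardened target. The registry paths and value names are the documented backing values for the named policies; the targets, the allowed-null-pipe list and the OK/WEAK rating are this example's own choices and should be tuned to the server's role.

```powershell
# Added example, not part of the Ecora report: re-read the security options the
# report shows as weak from the local registry and rate them against a hardened
# target. Read-only; run in an elevated PowerShell session on the server itself.

$Lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$LanSrv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$LanWks = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$Ntds   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Get-RegValue([string]$Path, [string]$Name) {
    # $null means the value (or its key) is absent, so the OS default applies;
    # this is the situation the report's DEFAULT legend entry describes.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# LmCompatibilityLevel values, worded as the report words them.
$LmText = @{ 0 = 'Send LM & NTLM responses'
             1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
             2 = 'Send NTLM response only'
             3 = 'Send NTLMv2 response only'
             4 = 'Send NTLMv2 response only. Refuse LM'
             5 = 'Send NTLMv2 response only. Refuse LM & NTLM' }

# NTLMMinClientSec / NTLMMinServerSec flag bits (a value of 0 = no minimum).
$NtlmV2Session = 0x00080000   # Require NTLMv2 session security
$Ntlm128Bit    = 0x20000000   # Require 128-bit encryption
$NtlmStrong    = $NtlmV2Session -bor $Ntlm128Bit

# Assumption: pipes a member server of this era legitimately leaves open to null
# sessions; anything else in NullSessionPipes is flagged. Tune per server role.
$AllowedNullPipes = @('netlogon', 'lsarpc', 'samr', 'browser')

$ShowInt  = { param($v) if ($null -eq $v) { '(not set)' } else { "$v" } }
$ShowHex  = { param($v) if ($null -eq $v) { '0 (not set: no minimum)' } else { '0x{0:X8}' -f [int]$v } }
$ShowList = { param($v) if (-not $v) { '(empty)' } else { @($v) -join ', ' } }
$IsOne    = { param($v) ($null -ne $v) -and ([int]$v -eq 1) }
$IsStrong = { param($v) ($null -ne $v) -and (([int]$v -band $NtlmStrong) -eq $NtlmStrong) }

$Checks = @(
  @{ Option = 'Network security: LAN Manager authentication level'
     Path = $Lsa; Name = 'LmCompatibilityLevel'; Target = '5 (Send NTLMv2 response only. Refuse LM & NTLM)'
     Show = { param($v) if ($null -eq $v) { '(not set)' } else { "$v ($($LmText[[int]$v]))" } }
     Ok   = { param($v) ($null -ne $v) -and ([int]$v -ge 5) } }
  @{ Option = 'Network security: Do not store LAN Manager hash value on next password change'
     Path = $Lsa; Name = 'NoLMHash'; Target = '1 (Enabled)'; Show = $ShowInt; Ok = $IsOne }
  @{ Option = 'Network security: Minimum session security for NTLM SSP based clients'
     Path = $Msv; Name = 'NTLMMinClientSec'; Target = ('0x{0:X8} (NTLMv2 session security + 128-bit)' -f $NtlmStrong)
     Show = $ShowHex; Ok = $IsStrong }
  @{ Option = 'Network security: Minimum session security for NTLM SSP based servers'
     Path = $Msv; Name = 'NTLMMinServerSec'; Target = ('0x{0:X8} (NTLMv2 session security + 128-bit)' -f $NtlmStrong)
     Show = $ShowHex; Ok = $IsStrong }
  @{ Option = 'Network access: Do not allow anonymous enumeration of SAM accounts and shares'
     Path = $Lsa; Name = 'RestrictAnonymous'; Target = '1 (Enabled)'; Show = $ShowInt; Ok = $IsOne }
  @{ Option = 'Network access: Let Everyone permissions apply to anonymous users'
     Path = $Lsa; Name = 'EveryoneIncludesAnonymous'; Target = '0 (Disabled)'; Show = $ShowInt
     Ok   = { param($v) ($null -eq $v) -or ([int]$v -eq 0) } }   # absent = OS default of 0
  @{ Option = 'Network access: Named Pipes that can be accessed anonymously'
     Path = $LanSrv; Name = 'NullSessionPipes'; Target = ('only: ' + ($AllowedNullPipes -join ', '))
     Show = $ShowList
     Ok   = { param($v) @(@($v) | Where-Object { $_ -and ($AllowedNullPipes -notcontains $_.ToLower()) }).Count -eq 0 } }
  @{ Option = 'Network access: Shares that can be accessed anonymously'
     Path = $LanSrv; Name = 'NullSessionShares'; Target = '(empty)'; Show = $ShowList
     Ok   = { param($v) @(@($v) | Where-Object { $_ }).Count -eq 0 } }
  @{ Option = 'Microsoft network server: Digitally sign communications (always)'
     Path = $LanSrv; Name = 'RequireSecuritySignature'; Target = '1 (Enabled)'; Show = $ShowInt; Ok = $IsOne }
  @{ Option = 'Microsoft network client: Digitally sign communications (always)'
     Path = $LanWks; Name = 'RequireSecuritySignature'; Target = '1 (Enabled)'; Show = $ShowInt; Ok = $IsOne }
  @{ Option = 'Network security: LDAP client signing requirements'
     Path = $Lsa; Name = 'LDAPClientIntegrity'; Target = '2 (Require signing)'; Show = $ShowInt
     Ok   = { param($v) ($null -ne $v) -and ([int]$v -ge 2) } }
  @{ Option = 'Domain controller: LDAP server signing requirements (domain controllers only)'
     Path = $Ntds; Name = 'LDAPServerIntegrity'; Target = '2 (Require signing)'
     Show = { param($v) if ($null -eq $v) { '(not set / not a domain controller)' } else { "$v" } }
     Ok   = { param($v) ($null -ne $v) -and ([int]$v -ge 2) } }
)

$results = foreach ($c in $Checks) {
    $v = Get-RegValue -Path $c.Path -Name $c.Name
    $status = if (& $c.Ok $v) { 'OK' } else { 'WEAK' }
    [pscustomobject]@{ Option = $c.Option; Current = (& $c.Show $v); Target = $c.Target; Status = $status }
}

$results | Format-Table -AutoSize -Wrap
```

Run as-is the script only reports; it changes nothing, so it is safe to run against the production servers in the report before deciding which of the WEAK rows to push through Group Policy. A row that reads "(not set)" should be compared with the report's DEFAULT legend entry rather than treated as a finding on its own, and the LDAP server signing row is only meaningful on a domain controller.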