Active Directory report
TESTBED
SekChek for Windows Security Report
System: PUFFADDER (Snake.com)
10 November 2013
SekChek IPS
[email protected]
www.sekchek.com
Declaration
The provided observations and recommendations are in response to a benchmarking analysis that compares the client’s information
security features against industry.
The recommendations are organised to identify possible implications to the company based on the gathered information, to identify
an industry average rating of the controls and provide possible recommended actions.
The benchmarking analysis and the related observations and recommendations should supplement management’s analysis but
should not be and cannot be solely relied upon in any instance to identify and/or remediate information security deficiencies.
Further, the observations and recommendations herein do not identify the cause of a possible deficiency or the cause of any
previously unidentified deficiencies. The causes of the deficiencies must be determined and addressed by management for the
recommendations selected to be relevant.
© 1996-2013 SekChek IPS. All rights reserved.
SekChek is a registered trademark of SekChek IPS. All other trademarks are the property of their respective owners.
Contents
SekChek Options (page 5)
System Details (page 6)
System Configuration (page 7)
1. Report Summary (page 11)
1.1 Comparisons Against Industry Average and Leading Practice (page 12)
1.2 Answers to Common Questions (page 19)
1.3 Summary of Changes since the Previous Analysis (page 23)
2. Domain Structure (page 24)
3. Domain Accounts Policy (page 28)
4. Domain Controller Policy Settings (Local Policy) (page 31)
4.1 Audit Policy Settings (page 31)
4.2 Event log Settings (page 36)
4.3 Security Option Settings (page 38)
5. Group Policy Objects (page 42)
5.1 Description and Properties for Group Policy Objects (page 42)
5.2 Summary of GPOs defined on the system (page 44)
5.3 Summary of GPOs and their Links to OUs (page 45)
5.4 Summary of OUs and their Links to GPOs (page 46)
5.5 GPOs Defined and their Details (page 47)
5.6 GPO Version Discrepancies (page 58)
6. Password Setting Objects (PSOs) (page 59)
7. Customer-Selected Registry Key Values (page 61)
8. User Accounts Defined In The Domain (page 62)
9. Groups Defined In the Domain (page 65)
10. Domain Local Groups and their Members (page 68)
11. Domain Global Groups and their Members (page 72)
12. Domain Universal Groups and their Members (page 75)
13. Last Logons, 30 Days and Older (page 76)
14. Passwords, 30 Days and Older (page 78)
15. Passwords that Never Expire (page 80)
16. Accounts not Requiring a Password (page 82)
17. Invalid Logon Attempts Greater than 3 (page 84)
18. Users not Allowed to Change Passwords (page 85)
19. Accounts with Expiry Date (page 86)
20. Disabled Accounts (page 87)
21. Locked Out Accounts (page 88)
22. Accounts Whose Passwords Must Change at Next Logon (page 89)
23. Accounts Created in the Last 90 Days (page 90)
24. Rights and Privileges (page 92)
24.1 Descriptions & General Recommendations for Rights (page 94)
24.2 Rights Assigned to Local Groups (page 98)
24.3 Rights Assigned to Universal Groups (Native mode only) (page 100)
24.4 Rights Assigned to Global Groups (page 101)
24.5 Rights Assigned to Users (page 102)
24.6 Rights Assigned to Well-Known Objects (page 109)
24.7 Rights Assigned to External Objects (page 110)
25. Discretionary Access Controls (DACL) for Containers (page 111)
26. Trusted and Trusting Domains (page 112)
27. Servers and Workstations (page 114)
28. Domain Controllers in the Domain (page 115)
29. Accounts Allowed to Dial In through RAS (page 117)
30. Services and Drivers on the Machine (page 119)
31. Server Roles and Features (page 140)
32. Task Scheduler (page 142)
33. Security Updates, Patches and Hot-Fixes (page 143)
34. Products Installed (page 144)
35. Current Network Connections (page 146)
36. Logical Drives (page 148)
37. Network Shares (page 149)
38. Home Directories, Logon Scripts and Profiles (page 150)
39. File Permissions and Auditing (page 152)
Security Analysis: TESTBED
System: PUFFADDER (Snake.com)
Analysis Date: 08-Nov-2013
CONFIDENTIAL
SekChek Options
Reference Number: 1201250012
Requester: Internal Audit
Telephone Number: +44 (20) 123 4567
City: London
Client Country: UK
Charge Code: Snake - Windows
Client Code: SEK001
Client Industry Type: Manufacturing
Host Country: Belize
Security Standards Template: 0 - SekChek Default
Evaluate Against Industry Type: Manufacturing
Compare Against Previous Analysis: Not Selected
Scan All DCs for Last Logon Times: Yes (scanned 2 of 2 DCs)
Report Format: Word 2007
Paper Size: A4 (21 x 29.7 cms)
Spelling: English UK
Large Report Format: MS-Excel spreadsheet
Large Report (Max Lines in Word Tables): 1500
Summary Document Requested: Yes
Scan Software Version Used: Version 5.1.0
Scan Software Release Date: 08-Nov-2013
Your SekChek report was produced using the above options and parameters.
You can change these settings for all files you send to us for processing via the Options menu in the SekChek Client
software on your PC. You can also tailor them (i.e. temporarily override your default options) for a specific file via the
Enter Client Details screen. This screen is displayed:
- For SekChek for NetWare and Windows: during the Scan process on the target Host system;
- For SekChek for AS/400 and UNIX: during the file encryption process in the SekChek Client software.
Produced by SekChek® for Windows V1.0.737, 10-Nov-2013 (Ref. 1201250012)
Page 5 of 154
System Details
Domain Name: Snake.com (SNAKE)
Domain Sid: *S-1-5-21-601740674-2353673397-942277617
Forest: Snake.com
DC Functionality: Windows Server 2008 R2 Mode
Domain Functionality**: Windows Server 2003 Domain Mode
Forest Functionality**: Windows 2000 Forest Mode
Computer: Domain Controllers/PUFFADDER
Site Name: Default-First-Site-Name
Windows Version: 6.1 (Windows 2008 R2)
Build / Service Pack: 7601/Service Pack 1
System Locale Id: 2052 (x804)
Scan Time: 08-Nov-2013 15:47
Scanned By: Users/ Administrator
Report Date: 10 November, 2013
** Functional Levels (available from SekChek V5.0.4 / Windows Server 2003)
- DC Functionality: The functional level of the Domain Controller (DC)
- Domain Functionality: The functional level of the domain
- Forest Functionality: The functional level of the forest
General Note
In Active Directory domains, objects such as user accounts belong to a container object (e.g. an Organizational Unit
in a domain, or the domain object itself). In this report the path of an object is usually listed. The format of the path is,
for example, Orgunit x/Orgunit y; the “/” character separates the containers in the path.
Paths are listed from the highest level down. A path can contain a domain name as the first container, for example
abc.xyz.com. When a domain name is listed in the path, it means that the containers and the object in that path belong
to a domain other than the one being analysed.
If no path is listed for an object, the object was defined in the domain-level container and not in any container object
of the domain.
System Configuration
Operating System
OS Name: Microsoft Windows Server 2008 R2 Enterprise
OS Version, Build: 6.1.7601
OS Architecture: 64-bit
OS Locale Id: x0804
OS Serial Number: 12345-6789-5183281-84887
OS Installed: 2012-08-29
Last BootUp: 2013-11-06
Country Code: 86
Time Zone: GMT +02:00
Boot Device: \Device\HarddiskVolume1
System Drive: C:
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
PAE Enabled: No
Visible Memory: 1.000 GB
Free Memory: 0.247 GB
Encryption Level: 256 bits
OS Language: English - United States
OS Stock Keeping Unit Name: Enterprise Server Edition
Maximum Number of Processes: Unknown
Number of Licensed Users: Unlimited
Number of Current Users: 3
Registered User: Windows User
Data Execution Prevention (DEP)...
DEP Available: Yes
DEP Enabled for 32-bit Appls: Yes
DEP Enabled for Drivers: Yes
DEP Policy: Opt Out
System Recovery Options
Write an event to the system log: Yes
Send an administrative alert: No
Automatically restart: Yes
Write debugging information: Kernel memory dump
Dump file: %SystemRoot%\MEMORY.DMP
Overwrite any existing file: Yes
BIOS
Manufacturer: American Megatrends Inc.
BIOS: 080002
Version: 2.3
Release Date: 2010-05-05
Base Board (Motherboard)
Manufacturer: Microsoft Corporation
Product: Virtual Machine
Serial Number: 1234-5678-6758-7771-5390-6277-74
Version: 7.0
Page Files
Number of Page Files: 1
Name of Page File #1: C:\pagefile.sys
Temporary Page File: No
Create Date: 2011-08-29
Allocated Size: 1.000 GB
Current Usage: 0.179 GB
Peak Usage: 0.199 GB
Computer
Manufacturer: Microsoft Corporation
Model: Virtual Machine
System Type: x64-based PC
Remote Desktop Enabled: Unknown
Nbr of Processors: 1
Total Memory: 1.000 GB
System Registry Size: Current = 100.3 MB; Max allowed = 2,048.0 MB
Screen Resolution: 1680 x 1050 pixels
BootUp State: Normal boot
Wake-up Type: Power Switch
Boot ROM Supported: Yes
Infrared (IR) Supported: No
Power Management Supported: No
Computer Role: Primary Domain Controller
Computer Name: PUFFADDER
Computer Sid: *S-1-5-21-601740674-2353673397-942277617-1106
Domain Name (short): SNAKE
Domain Name (DNS): Snake.com
Processors
Number of Processors: 1
Processor #1...
Manufacturer: AuthenticAMD
Name: AMD Opteron(tm) Processor 6172
Family: AMD Opteron 6172
Description: AMD64 Family 16 Model 9 Stepping 1
Processor Id: 1F8BFBFF000106A5
Clock Speed: 3,108 MHz
External Clock Speed: 200 MHz
Address Width: 64 bits
Data Width: 64 bits
Level 2 Cache Size: 512 KB
Level 2 Cache Speed: Unknown MHz
Number of Cores: 1
Nbr of Logical Processors: 1
Chip Socket: None
Availability: Running/Full Power
Network Adapters (IP enabled)
Connection Id: Local Area Connection
Connection Status: Connected
Name: Microsoft Hyper-V Network Adapter #2
Service Name: netvsc
Manufacturer: Microsoft
Adapter Type: Ethernet 802.3
Speed (Mbs): 10,000 Mbs
Last Reset: 2013-11-08 14:13:38
IP Enabled: Yes
IP Address: 200.200.100.234
IP Subnet: 255.255.255.0
Default Gateway:
MAC Address: 00:15:5D:64:2F:1A
DHCP Enabled: No
DHCP Lease Expires:
DHCP Lease Obtained:
DHCP Server:
DNS Search Order: 200.200.100.235, 127.0.0.1
Windows Firewall
Domain Profile…
Firewall State: On (recommended)
Inbound Connections: Block, allow exceptions (default)
Outbound Connections: Allow (default)
Display Notifications: No
Allow Unicast Response: Yes (default)
Private Profile…
Firewall State: On (recommended)
Inbound Connections: Block, allow exceptions (default)
Outbound Connections: Allow (default)
Display Notifications: No
Allow Unicast Response: Yes (default)
Public Profile…
Firewall State: On (recommended)
Inbound Connections: Block, allow exceptions (default)
Outbound Connections: Allow (default)
Display Notifications: No
Allow Unicast Response: Yes (default)
Region & Language Options
Current Format: English (South Africa)
Time Format: 08:46:32
Short Date: 08-Nov-2013
Long Date: 08 November 2013
Short Date Format: dd-MMM-yyyy
Long Date Format: dd MMMM yyyy
Currency Symbol: R
Currency (International): ZAR
System Locale: English (South Africa)
Screen Saver Policy
Scan Account: Users/ Administrator
Screen Saver Enabled: Yes
Screen Saver Timeout: 600 seconds
Screen Saver Secure: Yes
User Access Control (UAC)
UAC Enabled: Yes
1. Report Summary
The following two charts illustrate the diversity of regions and industries that make up the population of systems
running Active Directory in our statistics database. The remaining graphs in the Report Summary section evaluate
security on your system against this broad base of real-life security averages.
SekChek is used by the Big Four audit firms, IS professionals, internal auditors, security consultants & general
management in more than 130 countries.
[Chart: Statistics Population by Region]
As new reviews are processed, summaries of the results (excluding client identification) are automatically added to a
unique statistics database containing more than 70,000 assessments.
[Chart: Statistics Population by Industry Type]
1.1 Comparisons Against Industry Average and Leading Practice
Summary of Domain Accounts Policy Values
This graph compares the Domain Accounts Policy values against the industry average using the following criteria:
Country = <All>; Industry Type = Manufacturing; Machine Size (Nbr of Accounts) = <All>
This and the following summary reports are of most value when they are used to compare ‘snapshots’ of your security
measures at different points in time. Used in this way, they provide a fairly clear picture of whether your security
measures are improving or becoming weaker.
Industry Average is a dynamic, calculated average for all Active Directory domains analysed by SekChek using the
above criteria. It indicates how your security measures compare with those of other organisations using Microsoft
Windows systems.
Leading Practice is the standard adopted by the top 10 to 20 percent of organisations.
Asterisks (*) after Policy Values indicate their relative importance and individual contribution towards the security of
your system, i.e. Policy Values followed by 3 asterisks (***) are considered more important, and to have a greater
impact on security, than those followed by 1 asterisk (*). This is an approximation and should be used as a guide only.
For more information and details, see the report section Domain Accounts Policy.
Comparisons Against Industry Average and Leading Practice (continued)
Summary of Domain User Accounts
This graph compares against the industry average using the following criteria:
Country = <All>; Industry Type = Manufacturing; Machine Size (Nbr of Accounts) = Very Small
[Chart legend: Above the industry average; About average; Below average]
Total number of user accounts defined to your domain: 16
This summary report presents the number of user accounts, with the listed characteristics, as a percentage of the total
number of accounts defined to your domain. In general, longer bars highlight potential weaknesses in your security
measures and should be investigated. For more details, refer to the relevant sections in the main body of the report.
The graph is sorted in order of importance. This is an approximation and should be used as a guide only.
Comparisons Against Industry Average and Leading Practice (continued)
Summary of Effective Rights for the Domain Controller
This graph compares against the industry average using the following criteria:
Country = <All>; Industry Type = Manufacturing; Machine Size (Nbr of Accounts) = Very Small
[Chart legend: Above the industry average; About average; Below average]
This summary report presents the number of user accounts, with the listed rights, as a percentage of the total number
of accounts defined to the domain controller. These rights are applied via the Local Policy of the domain controller
being analysed. Other domain controllers may have different rights defined. For more details of rights assigned, refer
to the Rights Assigned to Users sections in the main body of the report.
The graph is sorted in alphabetical sequence.
Comparisons Against Industry Average and Leading Practice (continued)
Summary of Domain User Accounts (excluding disabled accounts)
This graph compares against the industry average using the following criteria:
Country = <All>; Industry Type = Manufacturing; Machine Size (Nbr of Accounts) = Very Small
[Chart legend: Above the industry average; About average; Below average]
Total number of user accounts defined to your system: 16
This summary report presents the number of enabled accounts (i.e. excluding accounts with a status of disabled or
accounts that are locked) with the listed characteristics, as a percentage of the total number of accounts defined to
your system. In general, longer bars highlight potential weaknesses in your security measures and should be
investigated. For more details, refer to the relevant sections in the main body of the report.
The graph is sorted in order of importance. This is an approximation and should be used as a guide only.
Comparisons Against Industry Average and Leading Practice (continued)
Summary of Effective Rights for the Domain Controller (excl. disabled accounts)
This graph compares against the industry average using the following criteria:
Country = <All>; Industry Type = Manufacturing; Machine Size (Nbr of Accounts) = Very Small
[Chart legend: Above the industry average; About average; Below average]
This summary report presents the number of enabled accounts (i.e. excluding accounts with a status of disabled or
accounts that are locked) with the listed rights, as a percentage of the total number of accounts defined to your
system. For more details, refer to the Rights Assigned to Users sections in the main body of the report.
The graph is sorted in alphabetical sequence.
Comparisons Against Industry Average and Leading Practice (continued)
Summary of Domain Administrator Accounts
This graph compares against the industry average using the following criteria:
Country = <All>; Industry Type = Manufacturing; Machine Size (Nbr of Accounts) = Very Small
[Chart legend: Above the industry average; About average; Below average]
Total number of user accounts with administrative privileges defined to your domain: 2
This summary report presents the number of administrator accounts (i.e. accounts that have administrative privileges),
with the listed characteristics, as a percentage of the total number of administrator accounts defined to your domain.
In general, longer bars highlight potential weaknesses in your security measures and should be investigated. For
more details, refer to the relevant sections in the main body of the report.
The graph is sorted in order of importance. This is an approximation and should be used as a guide only.
Comparisons Against Industry Average and Leading Practice (continued)
Summary of Domain Administrator Accounts (excluding disabled accounts)
This graph compares against the industry average using the following criteria:
Country = <All>; Industry Type = Manufacturing; Machine Size (Nbr of Accounts) = Very Small
[Chart legend: Above the industry average; About average; Below average]
Total number of user accounts with administrative privileges defined to your system: 2
This summary report presents the number of enabled administrator accounts (i.e. accounts that have administrative
privileges, excluding those accounts with a status of disabled or accounts that are locked) with the listed
characteristics, as a percentage of the total number of administrator accounts defined to your system. In general,
longer bars highlight potential weaknesses in your security measures and should be investigated. For more details,
refer to the relevant sections in the main body of the report.
The graph is sorted in order of importance. This is an approximation and should be used as a guide only.
1.2 Answers to Common Questions
The following charts are intended to provide quick answers to the most common questions regarding security of a
system.
The diagrams highlight the relative numbers of objects with the listed attributes. The total population used to plot each
chart is included in brackets () after each chart title. Each section includes a link to more detailed information
contained in other sections of this report.
When were the user accounts created?
The charts show when user accounts were created on your system. Grouped by all accounts and accounts with
Administrative privileges. Includes active and disabled accounts.
More information: Accounts Created in the Last 90 Days
When were the group and computer accounts created?
The chart shows when the group and computer accounts were created on your system.
More information: Accounts Created in the Last 90 Days
What is the status of user accounts?
The charts analyse user accounts by their status: active or disabled. An account may be disabled because: its status
has been set to disabled; the account has expired; or the account was locked by the system due to excessive
password guessing attempts. Note that an account may be both locked and expired, or disabled and expired.
5 out of 16 accounts are disabled on this system.
More information: Disabled Accounts, Locked Accounts, Accounts with Expiry Date
How active are user accounts?
The charts indicate when accounts were last used to logon to the system. Grouped by all accounts and accounts with
Administrative privileges. Excludes disabled accounts.
SekChek queried 2 out of 2 domain controllers to obtain the information.
More information: Last Logons, 30 Days and Older
How frequently do users change their passwords?
The charts show when user login passwords were last changed. ‘Next Logon’ means that the password must be
changed the next time the account is used to logon to the domain. Grouped by all accounts and accounts with
Administrative privileges. Excludes disabled accounts.
More information: Passwords, 30 Days and Older, Password Must Change at Next Logon
Are users forced to change their passwords?
The charts show the percentage of accounts with a password that is not required to be changed. Grouped by all
accounts and accounts with Administrative privileges. Excludes disabled accounts.
More information: Passwords that Never Expire
Are users allowed to change their passwords?
The charts show the percentage of accounts that are not allowed to change their passwords. Grouped by all accounts
and accounts with Administrative privileges. Excludes disabled accounts.
More information: User Accounts not Allowed to Change Password
Are users allowed to login without a password?
The charts show the percentage of accounts that may have their passwords set to zero length (blank) by an
administrative account. Grouped by all accounts and accounts with Administrative privileges. Excludes disabled
accounts.
More information: Accounts not Requiring a Password
What privileges are assigned to user accounts?
The chart shows the percentage of user accounts with Administrative, User and Guest privileges. These privileges are
determined by group memberships. Excludes disabled accounts.
More information: User Accounts Defined In The Domain
What are the types of group accounts?
The chart analyses security groups by group type. Excludes Distribution groups.
More information: Groups Defined In the Domain
What are the service types and their start types?
These charts summarise the types of services and drivers installed on the system and their start types. The charts
include running and stopped services.
More information: Services and Drivers
1.3 Summary of Changes since the Previous Analysis
Need to quickly highlight changes in security controls since your previous review?
SekChek’s latest time-comparison graphs are just the solution!
Note: The above graph is provided for illustrative purposes only.
A collection of easy-to-read reports in a very familiar format provides you with visual indicators of:
- Whether security has improved, weakened, or remained about the same since your previous analysis
- The effectiveness of your measures to strengthen controls
- Whether risk is increasing or decreasing
- The degree of change, both positive and negative
The applications are endless. Some of the practical benefits are:
- Time savings. Reduced time spent poring over volumes of unconnected information
- Objectivity. The results are guaranteed to be the same regardless of who performs the review
- Compliance with legislation. Easier monitoring for compliance with statutory requirements imposed by SOX, HIPAA and other legislative changes relating to corporate governance
- More powerful justifications. The ability to present more convincing arguments to senior, non-technical management who do not have the time, or the inclination, to understand masses of technical detail
Interested?
Contact us at [email protected] to find out how to get started!
2. Domain Structure
This report section lists the Container objects in the domain.
It summarises the Directory structure of your domain and may help you to understand its overall layout, especially
where the domain is large or complex.
Section Detail
Object Name (Object Type)
Snake.com (domainDNS)
--- Amazon (organizationalUnit)
--- Builtin (builtinDomain)
--- Computers (container)
--- Domain Controllers (organizationalUnit)
--- ForeignSecurityPrincipals (container)
--- Managed Service Accounts (container)
--- Program Data (container)
------ Microsoft (container)
--- System (container)
------ AdminSDHolder (container)
------ ComPartitions (container)
------ ComPartitionSets (container)
------ DomainUpdates (container)
--------- ActiveDirectoryUpdate (container)
--------- Operations (container)
------------ 0b7fb422-3609-4587-8c2e-94b10f67d1bf (container)
------------ 0e660ea3-8a5e-4495-9ad7-ca1bd4638f9e (container)
------------ 10b3ad2a-6883-4fa7-90fc-6377cbdc1b26 (container)
------------ 13d15cf0-e6c8-11d6-9793-00c04f613221 (container)
------------ 231fb90b-c92a-40c9-9379-bacfc313a3e3 (container)
------------ 2416c60a-fe15-4d7a-a61e-dffd5df864d3 (container)
------------ 293f0798-ea5c-4455-9f5d-45f33a30703b (container)
------------ 3051c66f-b332-4a73-9a20-2d6a7d6e6a1c (container)
------------ 3c784009-1f57-4e2a-9b04-6915c9e71961 (container)
------------ 3e4f4182-ac5d-4378-b760-0eab2de593e2 (container)
------------ 446f24ea-cfd5-4c52-8346-96e170bcb912 (container)
------------ 4aaabc3a-c416-4b9c-a6bb-4b453ab1c1f0 (container)
------------ 4c93ad42-178a-4275-8600-16811d28f3aa (container)
------------ 4dfbb973-8a62-4310-a90c-776e00f83222 (container)
------------ 51cba88b-99cf-4e16-bef2-c427b38d0767 (container)
------------ 57428d75-bef7-43e1-938b-2e749f5a8d56 (container)
------------ 5c82b233-75fc-41b3-ac71-c69592e6bf15 (container)
------------ 5e1574f6-55df-493e-a671-aaeffca6a100 (container)
------------ 61b34cb0-55ee-4be9-b595-97810b92b017 (container)
------------ 6ada9ff7-c9df-45c1-908e-9fef2fab008a (container)
------------ 6bcd5678-8314-11d6-977b-00c04f613221 (container)
------------ 6bcd5679-8314-11d6-977b-00c04f613221 (container)
------------ 6bcd567a-8314-11d6-977b-00c04f613221 (container)
------------ 6bcd567b-8314-11d6-977b-00c04f613221 (container)
------------ 6bcd567c-8314-11d6-977b-00c04f613221 (container)
------------ 6bcd567d-8314-11d6-977b-00c04f613221 (container)
------------ 6bcd567e-8314-11d6-977b-00c04f613221 (container)
------------ 6bcd567f-8314-11d6-977b-00c04f613221 (container)
------------ 6bcd5680-8314-11d6-977b-00c04f613221 (container)
------------ 6bcd5681-8314-11d6-977b-00c04f613221 (container)
------------ 6bcd5682-8314-11d6-977b-00c04f613221 (container)
------------ 6bcd5683-8314-11d6-977b-00c04f613221 (container)
------------ 6bcd5684-8314-11d6-977b-00c04f613221 (container)
------------ 6bcd5685-8314-11d6-977b-00c04f613221 (container)
------------ 6bcd5686-8314-11d6-977b-00c04f613221 (container)
------------ 6bcd5687-8314-11d6-977b-00c04f613221 (container)
------------ 6bcd5688-8314-11d6-977b-00c04f613221 (container)
------------ 6bcd5689-8314-11d6-977b-00c04f613221 (container)
------------ 6bcd568a-8314-11d6-977b-00c04f613221 (container)
------------ 6bcd568b-8314-11d6-977b-00c04f613221 (container)
------------ 6bcd568c-8314-11d6-977b-00c04f613221 (container)
------------ 6bcd568d-8314-11d6-977b-00c04f613221 (container)
------------ 6E157EDF-4E72-4052-A82A-EC3F91021A22 (container)
------------ 6ff880d6-11e7-4ed1-a20f-aac45da48650 (container)
------------ 71482d49-8870-4cb3-a438-b6fc9ec35d70 (container)
------------ 7868d4c8-ac41-4e05-b401-776280e8e9f1 (container)
------------ 7cfb016c-4f87-4406-8166-bd9df943947f (container)
------------ 7ffef925-405b-440a-8d58-35e8cd6e98c3 (container)
------------ 82112ba0-7e4c-4a44-89d9-d46c9612bf91 (container)
------------ 8437C3D8-7689-4200-BF38-79E4AC33DFA0 (container)
------------ 860c36ed-5241-4c62-a18b-cf6ff9994173 (container)
------------ 8ca38317-13a4-4bd4-806f-ebed6acb5d0c (container)
------------ 8ddf6913-1c7b-4c59-a5af-b9ca3b3d2c4c (container)
------------ 9738c400-7795-4d6e-b19d-c16cd6486166 (container)
------------ 98de1d3e-6611-443b-8b4e-f4337f1ded0b (container)
------------ 9cac1f66-2167-47ad-a472-2a13251310e4 (container)
------------ a1789bfb-e0a2-4739-8cc0-e77d892d080a (container)
------------ a3dac986-80e7-4e59-a059-54cb1ab43cb9 (container)
------------ a86fe12a-0f62-4e2a-b271-d27f601f8182 (container)
------------ ab402345-d3c3-455d-9ff7-40268a1099b6 (container)
------------ aed72870-bf16-4788-8ac7-22299c8207f1 (container)
------------ b96ed344-545a-4172-aa0c-68118202f125 (container)
------------ bab5f54d-06c8-48de-9b87-d78b796564e4 (container)
------------ c4f17608-e611-11d6-9793-00c04f613221 (container)
------------ c88227bc-fcca-4b58-8d8a-cd3d64528a02 (container)
------------ d262aae8-41f7-48ed-9f35-56bbb677573d (container)
------------ d85c0bfd-094f-4cad-a2b5-82ac9268475d (container)
------------ dda1d01d-4bd7-4c49-a184-46f9241b560e (container)
------------ de10d491-909f-4fb0-9abb-4b7865c0fe80 (container)
------------ f3dd09dd-25e8-4f9c-85df-12d6d2f2f2f5 (container)
------------ f58300d1-b71a-4db6-88a1-a8b9538beaca (container)
------------ f607fd87-80cf-45e2-890b-6cf97ec0e284 (container)
------------ f7ed4553-d82b-49ef-a839-2f38a36bb069 (container)
--------- Windows2003Update (container)
------ IP Security (container)
------ Meetings (container)
------ MicrosoftDNS (container)
------ Policies (container)
--------- {31B2F340-016D-11D2-945F-00C04FB984F9} (groupPolicyContainer)
------------ Machine (container)
------------ User (container)
--------- {4AFDCFC6-BAED-4E1D-A3F8-6D5DC846945A} (groupPolicyContainer)
------------ Machine (container)
------------ User (container)
--------- {5471F07B-E3BF-47E6-A2DF-40E55805852D} (groupPolicyContainer)
------------ Machine (container)
------------ User (container)
--------- {6AC1786C-016F-11D2-945F-00C04fB984F9} (groupPolicyContainer)
------------ Machine (container)
------------ User (container)
--------- {F754BFE4-52E2-45B3-9034-36D5C65E8700} (groupPolicyContainer)
------------ Machine (container)
------------ User (container)
--------- {F9BA3B20-1DDA-41D1-B91A-77D94D6EAB7F} (groupPolicyContainer)
------------ Machine (container)
------------ User (container)
------ RAS and IAS Servers Access Check (container)
------ WinsockServices (container)
------ WMIPolicy (container)
--------- PolicyTemplate (container)
--------- PolicyType (container)
--------- SOM (container)
--------- WMIGPO (container)
--- TEST GPO PC (organizationalUnit)
--- Users (container)
Domain
In Active Directory a domain is a collection of computers defined by the administrator of a Windows 200x* Server
network that shares a common directory database.
A domain provides access to the centralized user accounts and group accounts maintained by the domain
administrator. Each domain defines both an administrative boundary and a security boundary for a collection of
objects that are relevant to a specific group of users on a network.
A domain is an administrative boundary because administrative privileges do not extend to other domains. It is a
security boundary because each domain has a security policy that extends to all accounts within the domain. Note,
however, that the boundary is only as strong as the forest: all domains in a forest share the schema and configuration
partitions, trust each other transitively and are subject to the forest-root Enterprise Admins group, so the forest,
not the domain, is the boundary that a compromise of any one domain controller actually respects.
Domains can be organised into parent-child relationships to form a hierarchy, which is called a domain tree. The
domains that are part of a domain tree implicitly trust each other. Multiple domain trees can be connected together
into a forest. All trees in a given forest trust each other via transitive hierarchical trust relationships.
Organizational Unit
An Organizational Unit (OU) is a general-purpose container that can hold objects and other OUs to create a hierarchy
within a domain. OUs can form logical administrative units for users, groups, and resource objects, such as printers,
computers, applications, and file shares. In large domains, various administrative tasks (such as access rights
specification) can be delegated to an administrator for a specific OU, thereby freeing domain administrators from
having to support such changes by proxy.
Container
A Container is a general-purpose object used for grouping other objects together. Unlike an OU, a Container cannot
have Group Policy Objects linked to it, so objects left in the default Users and Computers containers receive only the
policies linked at domain level.
Group Policy Container
A Group Policy Container (groupPolicyContainer) is the Active Directory half of a Group Policy Object: it holds the
GPO's display name, version number and status flags, while the settings themselves are stored in the matching Group
Policy Template folder under SYSVOL\<domain>\Policies\<GUID>. Two GUIDs are the same in every domain and both appear in
the tree above: {31B2F340-016D-11D2-945F-00C04FB984F9} is the Default Domain Policy and
{6AC1786C-016F-11D2-945F-00C04FB984F9} is the Default Domain Controllers Policy.
Active Directory Objects
Active Directory objects are either container objects (e.g. OUs and Containers) or leaf objects. A container object
stores other objects, and, as such, occupies a specific level in a tree or sub tree hierarchy. A leaf object does not
contain other objects.
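The object tree above lists GPOs only by GUID. The PowerShell below is an added example (it is not part of the SekChek report and not SekChek's code): it resolves every groupPolicyContainer under CN=Policies,CN=System to its display name, unpacks the version number and checks it against the GPT.INI version in SYSVOL. It assumes the ActiveDirectory module is installed and that the caller can read the Policies container and SYSVOL; the function name Get-GpoContainerReport is my own.

```powershell
# Added example (not from the SekChek report). Resolves the groupPolicyContainer
# GUIDs under CN=Policies,CN=System to GPO names and checks the AD version against
# the GPT.INI version in SYSVOL. Requires the ActiveDirectory module and read access
# to the Policies container and SYSVOL; the function name is my own.
Import-Module ActiveDirectory

# These two GUIDs are fixed by Windows and identical in every domain.
$wellKnown = @{
    '{31B2F340-016D-11D2-945F-00C04FB984F9}' = 'Default Domain Policy'
    '{6AC1786C-016F-11D2-945F-00C04FB984F9}' = 'Default Domain Controllers Policy'
}

function Get-GpoContainerReport {
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)

    $searchBase = "CN=Policies,CN=System,$DomainDN"
    Get-ADObject -SearchBase $searchBase -LDAPFilter '(objectClass=groupPolicyContainer)' `
                 -Properties displayName, versionNumber, gPCFileSysPath, flags |
    ForEach-Object {
        $guid = $_.Name.ToUpperInvariant()
        # versionNumber packs the user version in the high 16 bits and the
        # machine version in the low 16 bits.
        $machineVer = $_.versionNumber -band 0xFFFF
        $userVer    = ($_.versionNumber -shr 16) -band 0xFFFF
        # flags: 0 = enabled, 1 = user settings disabled, 2 = machine settings
        # disabled, 3 = both disabled.
        $status = switch ($_.flags) {
            1       { 'User disabled' }
            2       { 'Machine disabled' }
            3       { 'All disabled' }
            default { 'Enabled' }
        }

        # SYSVOL half: GPT.INI carries the version that clients actually apply.
        $sysvolVer = $null
        $gptIni = Join-Path $_.gPCFileSysPath 'GPT.INI'
        if (Test-Path -LiteralPath $gptIni) {
            $m = Select-String -LiteralPath $gptIni -Pattern '^Version=(\d+)' | Select-Object -First 1
            if ($m) { $sysvolVer = [int]$m.Matches[0].Groups[1].Value }
        }

        [pscustomobject]@{
            Guid          = $guid
            DisplayName   = $_.displayName
            WellKnownRole = $wellKnown[$guid]
            Status        = $status
            MachineVer    = $machineVer
            UserVer       = $userVer
            SysvolVersion = $sysvolVer
            VersionMatch  = ($sysvolVer -eq $_.versionNumber)
        }
    }
}

Get-GpoContainerReport | Format-Table -AutoSize
```

A VersionMatch of False means the directory and SYSVOL halves of a GPO have drifted (typically a replication problem, occasionally a sign that someone edited the template files directly), which is the condition a later section of this report describes as a version discrepancy.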
3. Domain Accounts Policy
This report lists the effective Domain Account Policies defined for your system and compares them with Leading
Practice.
Policy: Policy Value (Leading Practice)
Minimum Password Length: 7 (8 or greater)
Effective Minimum Password Length: 7 (8 or greater)
Maximum Password Age in Days: 20 (30 to 60)
Minimum Password Age in Days: 1 (0)
Password History Size: 24 (22 or greater)
Password Complexity: Enabled (Enabled)
Reversible Password Encryption: Disabled (Disabled)
Lockout Threshold: 3 (3)
Lockout Duration: 0 (0)
Reset Lockout Counter in Minutes: 30 (1440)
Force Logoff When Logon Time Expires: Disabled (Enabled)
Rename Administrator Account: Not Defined (New Name)
Rename Guest Account: Not Defined (New Name)
Allow Lockout of Local Administrator Account: Disabled (Enabled)
Disable Password Changes for Machine Accounts: Disabled (Disabled)
Number of Password Setting Objects (PSOs) defined on the system: 1
Leading Practice is the standard adopted by the top 10 to 20 percent of organisations.
Functions of Accounts Policy Values and Potential Exposures
Domain Accounts Policy values set the defaults for all accounts in a domain.
Note that certain account policies can be overridden by policies defined in Password Settings Objects (fine-grained
password policies, available from the Windows Server 2008 domain functional level) and by settings defined at account
level. A PSO applies to the users and global security groups listed in its msDS-PSOAppliesTo attribute and takes
precedence over the domain policy for them, so a single PSO can silently weaken the values shown in the table for its
members.
Appropriate policy values do not necessarily mean that security at account level is similarly appropriate. You should
consult other sections of this report to confirm that security settings for individual accounts do not override your
intended policy settings.
Minimum Password Length
Defines the minimum number of characters a password must contain. If it is zero then blank passwords are allowed.
Allowing blank passwords is a very high security risk, as it could allow any person in possession of a valid User ID
(Account Name) to gain access to your system if the account has a null password.
This policy can be overridden by the Password Complexity policy. See Effective Minimum Password Length for
details.
The Leading Practice value is 8 or greater.
Effective Minimum Password Length
The effective minimum number of characters a password must contain when changing a user password. The value is
calculated from the settings of the Minimum Password Length and Password Complexity parameters.
If the Password Complexity policy is enabled, the built-in complexity filter rejects any password shorter than 6
characters, in addition to requiring that the password meets the character-class rules described under Password
Complexity.
For example:
- If the Minimum Password Length is 0 and the Password Complexity policy is enabled, the Effective Minimum
  Password Length will be 6.
- If the Minimum Password Length is 0 and the Password Complexity policy is disabled, the Effective Minimum
  Password Length will be 0.
- If the Minimum Password Length policy is set to a value of 6 or greater, the Effective Minimum Password
  Length will be the same as the Minimum Password Length policy regardless of the setting of the Password
  Complexity policy.
Maximum Password Age in Days
The period of time a password can be used before the system forces the user to change it. The value can be between
1 and 999 days.
A value of 0 means that passwords never expire. Passwords that never expire are a security risk as they can be
compromised over time.
Note that it is possible to override this value in individual user accounts via the Password Never Expires option.
Consult the Passwords that Never Expire report section.
The Leading Practice value is 30 to 60 days.
Minimum Password Age in Days
The minimum number of days that must elapse between password changes. The value can be between 0 and 999
days. A value of 0 allows users to change their password immediately if they suspect it is known by someone else.
However, this setting can increase the risk of passwords remaining the same despite system-enforced changes, because
a user could change the password several times in quick succession until it is set back to the original value.
Setting the Password History Size to a sufficiently large value reduces this risk but does not eliminate it, since a
determined user can cycle through the whole history in one sitting; a Minimum Password Age of 1 day closes that gap
at the cost of the immediate-change option.
The Leading Practice value is 0 (no restrictions).
Password History Size
Determines whether old passwords can be reused. It is the number of new passwords that must be used by a user
account before an old password can be reused. For this to be fully effective, immediate changes should not be
allowed under Minimum Password Age.
The Leading Practice value is 22 or greater.
Password Complexity
In order to meet the password complexity requirement, a password must not contain the user's account name or parts of
the user's full name that exceed two consecutive characters, must be at least six characters long, and must contain
characters from at least three (3) of the following four (4) classes:
- English Upper Case Letters (A, B, C, ... Z)
- English Lower Case Letters (a, b, c, ... z)
- Westernised Arabic Numerals (0, 1, 2, ... 9)
- Non-alphanumeric ("Special characters") (e.g. punctuation symbols)
This policy has an effect on the Effective Minimum Password Length. Note that complexity is checked only when a
password is set or changed; enabling it does not force existing non-compliant passwords to be changed.
Reversible Password Encryption
Determines whether Windows 200x* will store passwords using reversible encryption.
This policy setting provides support for applications, which use protocols that require knowledge of the user password
for authentication purposes. Storing passwords using reversible encryption is essentially the same as storing cleartext versions of the passwords. For this reason, this policy should not be enabled unless application requirements
outweigh the need to protect password information.
By default, this setting is disabled in the Default Domain Group Policy for domains and in the local security policy of
workstations and servers.
Lockout Threshold, Lockout Duration and Reset Lockout Counter in Minutes
Lockout Threshold indicates the number of failed logon attempts for user accounts before accounts are locked out.
The value can be 1 to 999 failed attempts. A value of 0 will allow an unlimited number of failed logon attempts.
Lockout Duration indicates the amount of time an account will remain locked out when the Lockout Threshold is
exceeded. The value can be 1 to 99999 minutes; a value of 0 (forever) indicates that the account cannot log on until
an administrator unlocks it. N/A is set when Lockout Threshold is set to 0.
Reset Lockout Counter in Minutes. Specifies the period within which invalid logon attempts are monitored. I.e. if
the number of failed logon attempts defined in Lockout Threshold is reached within the number of minutes defined
for Reset Lockout Counter in Minutes the account is locked out for the period specified under Lockout Duration. The
value for Reset Lockout Counter in Minutes can be 1 to 99999 minutes.
Allowing an excessive or unlimited number of invalid logon attempts can compromise security and allow intruders to
log on to your system by guessing passwords.
Setting the Lockout Duration to 0 (forever) will help ensure that administrators are alerted to potential intruder
attacks, as only they can unlock accounts.
Setting Lockout Duration to a small amount (e.g. 5 minutes) will undermine the effectiveness of the Lockout
Threshold and administrators might not be alerted to potential intruder attacks.
If the value for Reset Lockout Counter in Minutes is too small (e.g. 1 minute) it will increase the risk of intruders
gaining access to your system via repeated password guessing attempts. If the value is too high it may inconvenience
genuine users by locking out their accounts when they enter incorrect passwords accidentally.
Bear in mind that a low threshold combined with a permanent lockout also hands an attacker an easy denial of service:
anyone who can reach a logon interface and knows or can enumerate account names can lock those accounts out at will,
service accounts included. Lockout events (event ID 4740 on the domain controller) should therefore be monitored, and
note that the built-in Administrator account (RID 500) is exempt from lockout unless Allow Lockout of Local
Administrator Account (below) is enabled.
The Leading Practice values are:
- Lockout Threshold = 3
- Lockout Duration = 0 (Forever)
- Reset Lockout Counter in Minutes = 1440 minutes
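The comparison the table performs can be scripted so it is repeated after every policy change. The PowerShell below is an added example (mine, not SekChek's): it reads the default domain password policy and every fine-grained policy (PSO) with the ActiveDirectory module, checks each against the Leading Practice values from the table above, and derives the Effective Minimum Password Length. The thresholds are those in the table; the function names, and the assumption that the cmdlets report a "forever" or "never" value as [TimeSpan]::MaxValue, are my own.

```powershell
# Added example (not from the SekChek report). Checks the domain password policy and
# all PSOs against the Leading Practice values in the table. Requires the
# ActiveDirectory module; function and variable names are my own.
Import-Module ActiveDirectory

# Effective minimum length: the built-in complexity filter rejects anything shorter
# than six characters, so with complexity enabled the floor is max(MinLength, 6).
function Get-EffectiveMinPasswordLength {
    param([int]$MinPasswordLength, [bool]$ComplexityEnabled)
    if ($ComplexityEnabled) { [Math]::Max($MinPasswordLength, 6) } else { $MinPasswordLength }
}

# The AD cmdlets report "never expires" / "forever" as [TimeSpan]::MaxValue; a zero
# span is treated the same way here (assumption: the GUI shows "forever" as 0).
function Test-Forever { param([TimeSpan]$Span) ($Span -eq [TimeSpan]::MaxValue) -or ($Span.Ticks -eq 0) }

# Leading Practice tests, one per table row. Each receives the policy object.
$leadingPractice = [ordered]@{
    'Minimum Password Length'          = { param($p) $p.MinPasswordLength -ge 8 }
    'Maximum Password Age in Days'     = { param($p) $p.MaxPasswordAge.Days -ge 30 -and $p.MaxPasswordAge.Days -le 60 }
    'Minimum Password Age in Days'     = { param($p) $p.MinPasswordAge.Days -eq 0 }
    'Password History Size'            = { param($p) $p.PasswordHistoryCount -ge 22 }
    'Password Complexity'              = { param($p) $p.ComplexityEnabled }
    'Reversible Password Encryption'   = { param($p) -not $p.ReversibleEncryptionEnabled }
    'Lockout Threshold'                = { param($p) $p.LockoutThreshold -eq 3 }
    'Lockout Duration'                 = { param($p) Test-Forever $p.LockoutDuration }
    'Reset Lockout Counter in Minutes' = { param($p) $p.LockoutObservationWindow.TotalMinutes -eq 1440 }
}

function Test-AccountPolicy {
    param([Parameter(Mandatory)]$Policy, [string]$Source)
    foreach ($name in $leadingPractice.Keys) {
        [pscustomobject]@{ Source = $Source; Policy = $name; Meets = [bool](& $leadingPractice[$name] $Policy) }
    }
    $effective = Get-EffectiveMinPasswordLength $Policy.MinPasswordLength $Policy.ComplexityEnabled
    [pscustomobject]@{ Source = $Source; Policy = "Effective Minimum Password Length ($effective)"; Meets = $effective -ge 8 }
}

$results = @(Test-AccountPolicy -Policy (Get-ADDefaultDomainPasswordPolicy) -Source 'Default Domain Policy')

# PSOs override the domain defaults for the principals in AppliesTo, so each one is
# rated in its own right; where several apply, the lowest Precedence wins.
foreach ($pso in Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo) {
    $results += Test-AccountPolicy -Policy $pso -Source "PSO $($pso.Name) (precedence $($pso.Precedence))"
}

$results | Where-Object { -not $_.Meets } | Format-Table -AutoSize
```

Run against the values in the table the script would flag Maximum Password Age (20, below the 30 to 60 band), Minimum Password Age (1) and Reset Lockout Counter (30 rather than 1440), plus the 7-character minimum length; the single PSO reported on this system would get its own rows.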
Force Logoff When Logon Time Expires
When enabled users will be forcibly disconnected from servers on the domain immediately after their valid logon hours
are exceeded. Valid logon hours are defined at user account level.
This option enhances security by ensuring that users are disconnected if they exceed their valid logon hours or do not
log off when leaving work. However, it could be disruptive to users who have to work after hours and could
compromise data integrity etc.
This option should be used at the discretion of Management.
Rename Administrator, Rename Guest
It is good practice to ensure the Administrator and Guest built-in accounts are renamed via policy. This will minimise
the risk of intruders using these well-known account names when attempting to log on to the domain.
Keep in mind that these accounts can also be renamed manually (for example, via the Active Directory Users and
Computers interface). The disadvantage of the manual approach is that administrative users can simply rename these
accounts at a later stage (possibly back to Administrator and Guest), whereas a name set by policy is reapplied at
every Group Policy refresh, so a manual rename does not persist.
Note that renaming changes the name only: the Administrator account keeps its well-known relative identifier (RID
500) and Guest keeps RID 501, so an attacker who can translate SIDs to names (for example through an LSA lookup) can
still discover the new names. Renaming raises the bar against untargeted guessing; it does not hide the accounts.
Allow Lockout of Local Administrator Account
Allows the built-in Administrator account to be locked out for network logons (it can always log on interactively at
the console). This policy setting can be modified using the “passprop /adminlockout” command-line utility, which is
included in the Windows 2000 Resource Kit.
Disable Password Changes for Machine Accounts
Removes the requirement that the machine account password be changed automatically; by default a domain member
renews it every 30 days (every 7 days on Windows NT 4.0). Disabling the change leaves a static secret that anyone who
obtains it can reuse indefinitely, so the default should be kept. This value is ignored in Windows XP and later.
4. Domain Controller Policy Settings (Local Policy)
The following 3 subsections relate to the Local Policy on the domain controller being analysed.
In Active Directory, each domain controller can have different local policy settings. Domain controllers generally
inherit the same local policy settings because they typically belong to the same OU (e.g. Domain Controllers) to which
the same policies apply. However, if domain controllers belong to different OUs, or if a GPO linked to the Domain
Controllers OU carries a security or WMI filter that excludes some of them, different policy settings can be applied
to them.
This has important security implications, as an account can, for example, be granted powerful rights on one or more
domain controllers while being denied the same rights on others. The policy for domain controllers is then
inconsistent and the risk increases: every domain controller holds every account's credentials, so the weakest one
sets the security of the whole domain.
This report provides policy settings for the domain controller where the SekChek Scan process was run.
4.1 Audit Policy Settings
Account Logon (Audited Events)
Credential Validation: Success & Failure
Kerberos Authentication Service: Failure
Kerberos Service Ticket Operations: Failure
Other Account Logon Events: Failure

Account Management (Audited Events)
Application Group Management: Success
Computer Account Management: Success
Distribution Group Management: Success
Other Account Management Events: Success
Security Group Management: Success
User Account Management: Success

Detailed Tracking (Audited Events)
DPAPI Activity: Success
Process Creation: Success & Failure
Process Termination: Success
RPC Events: Success

DS Access (Audited Events)
Detailed Directory Service Replication: No Auditing
Directory Service Access: No Auditing
Directory Service Changes: Success
Directory Service Replication: No Auditing

Logon / Logoff (Audited Events)
Account Lockout: Success
Audit User / Device Claims **: Failure
IPsec Extended Mode: Failure
IPsec Main Mode: Success
IPsec Quick Mode: Failure
Logoff: Success
Logon: Success & Failure
Network Policy Server: Failure
Other Logon/Logoff Events: Failure
Special Logon: Failure

Object Access (Audited Events)
Application Generated: Success & Failure
Central Access Policy Staging **: Failure
Certification Services: No Auditing
Detailed File Share: Failure
File Share: Success & Failure
File System: No Auditing
Filtering Platform Connection: Success & Failure
Filtering Platform Packet Drop: Success & Failure
Handle Manipulation: Success & Failure
Kernel Object: No Auditing
Other Object Access Events: Failure
Registry: Failure
Removable Storage **: Failure
SAM: No Auditing

Policy Change (Audited Events)
Audit Policy Change: Success & Failure
Authentication Policy Change: Success & Failure
Authorization Policy Change: Success
Filtering Platform Policy Change: Success
MPSSVC Rule-Level Policy Change: Success
Other Policy Change Events: Success

Privilege Use (Audited Events)
Non Sensitive Privilege Use: Failure
Other Privilege Use Events: Failure
Sensitive Privilege Use: Failure

System (Audited Events)
IPsec Driver: Success
Other System Events: Success
Security State Change: Success & Failure
Security System Extension: Success
System Integrity: Success & Failure
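The table is a snapshot of what auditpol reports on the scanned domain controller. The PowerShell below is an added example (mine, not part of the SekChek report) that compares that output with a hardening baseline for a domain controller and lists the subcategories that fall short. The subcategory names are the ones auditpol prints; the baseline values are my own assumptions rather than a published standard, and the fallback CSV is constructed from the table above so the script also runs where auditpol is unavailable.

```powershell
# Added example (not from the SekChek report). Compares the DC's effective audit
# policy, as printed by "auditpol /get /category:* /r", with a hardening baseline.
# Baseline values are my own assumptions for a domain controller.
$baseline = [ordered]@{
    'Credential Validation'              = 'Success and Failure'
    'Kerberos Authentication Service'    = 'Success and Failure'
    'Kerberos Service Ticket Operations' = 'Success and Failure'
    'Computer Account Management'        = 'Success and Failure'
    'Security Group Management'          = 'Success and Failure'
    'User Account Management'            = 'Success and Failure'
    'Process Creation'                   = 'Success and Failure'
    'Directory Service Access'           = 'Success and Failure'
    'Directory Service Changes'          = 'Success and Failure'
    'Account Lockout'                    = 'Success and Failure'
    'Logon'                              = 'Success and Failure'
    'Logoff'                             = 'Success'
    'Special Logon'                      = 'Success'   # 4672 and 4964 are success events only
    'Audit Policy Change'                = 'Success and Failure'
    'Authentication Policy Change'       = 'Success and Failure'
    'Sensitive Privilege Use'            = 'Success and Failure'
    'Security System Extension'          = 'Success and Failure'
    'System Integrity'                   = 'Success and Failure'
}

function Test-AuditPolicy {
    param([Parameter(Mandatory)][string[]]$CsvLines)
    $rows = $CsvLines | Where-Object { $_ -ne '' } | ConvertFrom-Csv
    foreach ($sub in $baseline.Keys) {
        $want = $baseline[$sub]
        $row  = $rows | Where-Object { $_.Subcategory -eq $sub } | Select-Object -First 1
        $have = if ($row) { $row.'Inclusion Setting' } else { 'Not reported' }
        # "Success and Failure" satisfies any requirement; "Success" or "Failure"
        # only satisfy an identical requirement; "No Auditing" satisfies none.
        $meets = ($have -eq 'Success and Failure') -or ($have -eq $want)
        [pscustomobject]@{ Subcategory = $sub; Required = $want; Actual = $have; Meets = $meets }
    }
}

# Prefer the live policy (auditpol needs an elevated prompt); otherwise fall back to
# a constructed sample in auditpol's CSV shape carrying values from the table above.
$auditpol = Get-Command auditpol.exe -ErrorAction SilentlyContinue
$csv = if ($auditpol) { & $auditpol /get /category:* /r 2>$null }
if (-not $csv) {
    $csv = @(
        'Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting'
        'PUFFADDER,System,Credential Validation,,Success and Failure,'
        'PUFFADDER,System,Kerberos Authentication Service,,Failure,'
        'PUFFADDER,System,Directory Service Access,,No Auditing,'
        'PUFFADDER,System,Logon,,Success and Failure,'
        'PUFFADDER,System,Special Logon,,Failure,'
        'PUFFADDER,System,Sensitive Privilege Use,,Failure,'
    )
}

Test-AuditPolicy -CsvLines $csv | Where-Object { -not $_.Meets } | Format-Table -AutoSize
```

Two practical points the table alone does not show. First, Special Logon set to Failure (as on this system) records nothing, because the events in that subcategory (4672, 4964) are only ever success events; the same applies to Kerberos Authentication Service, where failure-only auditing hides successful ticket requests that password-spraying and golden-ticket investigations depend on. Second, subcategory settings pushed by Group Policy are ignored, and the legacy nine categories applied instead, unless the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled, so the live auditpol output, not the GPO, is the setting to verify.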
Explanation of Audit Policy Settings
Account Logon
Audits the validation of account credentials on the computer that is authoritative for those credentials: the domain
controller for domain accounts, the local machine for local accounts. On a domain controller this category therefore
records every Kerberos ticket request and NTLM validation for domain accounts, whichever computer the user is logging
on to; contrast Logon / Logoff below, which is recorded on the computer being accessed.
Credential Validation
Audits events generated by validation tests on user account logon credentials.
Kerberos Authentication Service
Audits events generated by Kerberos authentication ticket-granting ticket (TGT)
requests.
Kerberos Service Ticket Operations
Audits events generated by Kerberos service ticket requests.
Other Account Logon Events
Audits events generated by responses to credential requests submitted for a user
account logon that are not credential validation or Kerberos tickets.
Account Management
Audit attempts to create, delete, or change user or group accounts. Also, audit
password changes.
Application Group Management
Audits events generated by changes to application groups.
Computer Account Management
Audits events generated by changes to computer accounts, such as when a computer
account is created, changed, or deleted.
Distribution Group Management
Audits events generated by changes to distribution groups.
Other Account Management Events
Audits events generated by other user account changes that are not covered in this
category.
Security Group Management
Audits events generated by changes to security groups.
User Account Management
Audits changes to user accounts.
Detailed Tracking
Audits specific events, such as program activation, some forms of handle duplication, indirect access to an object,
and process exit.
DPAPI Activity
Audits events generated when encryption or decryption requests are made to the Data
Protection application interface (DPAPI). DPAPI is used to protect secret information
such as stored password and key information.
Process Creation
Audits events generated when a process is created or starts (event ID 4688). The name of the application or user
that created the process is also audited. The process command line is not included unless the separate policy
setting "Include command line in process creation events" is also enabled (available from Windows 8.1 and Windows
Server 2012 R2).
Process Termination
Audits events generated when a process ends.
RPC Events
Audits inbound remote procedure call (RPC) connections.
DS Access
Audit attempts to access the directory service.
Detailed Directory Service Replication
Audits events generated by detailed AD DS replication between domain controllers.
Directory Service Access
Audits events generated when an AD DS object is accessed.
Only AD DS objects with a matching SACL are logged.
Directory Service Changes
Audits events generated by changes to AD DS objects. Events are logged when an
object is created, deleted, modified, moved, or undeleted.
Directory Service Replication
Audits replication between two AD DS domain controllers.
Logon / Logoff
Audit attempts to log on to or log off of the system. Also, audit attempts to make a
network connection.
Account Lockout
Audits events generated by a failed attempt to log on to an account that is locked out.
Audit User / Device Claims **
From Server 2012.
Audits user and device claims information in the user's logon token. Events in this
subcategory are generated on the computer on which a logon session is created.
User claims are added to a logon token when claims are included with a user's
account attributes in Active Directory.
IPsec Extended Mode
Audits events generated by Internet Key Exchange protocol (IKE) and Authenticated
Internet Protocol (AuthIP) during Extended Mode negotiations.
IPsec Main Mode
Audits events generated by Internet Key Exchange protocol (IKE) and Authenticated
Internet Protocol (AuthIP) during Main Mode negotiations.
IPsec Quick Mode
Audits events generated by Internet Key Exchange protocol (IKE) and Authenticated
Internet Protocol (AuthIP) during Quick Mode negotiations.
Logoff
Audits events generated by closing a logon session. These events occur on the
computer that was accessed. For an interactive logon, the security audit event is
generated on the computer that the user account logged on to.
Logon
Audits events generated by user account logon attempts on a computer.
Network Policy Server
Audits events generated by RADIUS (IAS) and Network Access Protection (NAP) user
access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and
Unlock.
Other Logon/Logoff Events
Audits other events related to logon and logoff that are not included in the
Logon/Logoff category.
Special Logon
Audits logons that receive administrator-equivalent privileges (event ID 4672, logged when a new logon session is
assigned sensitive privileges such as SeDebugPrivilege or SeTcbPrivilege) and logons by members of groups configured
as Special Groups (event ID 4964).
Object Access
Audit attempts to access securable objects.
Application Generated
Audits applications that generate events by using the Windows Auditing application
programming interfaces (APIs). Applications designed to use the Windows Auditing
API use this subcategory to log auditing events related to their function.
Central Access Policy Staging **
From Server 2012.
Audits access requests where the permission granted or denied by a proposed policy
differs from that granted or denied by the current central access policy on an object.
Certification Services
Audits Active Directory Certificate Services (AD CS) operations.
Detailed File Share
Audits every attempt to access objects in a shared folder.
File Share
Audits attempts to access a shared folder.
File System
Audits user attempts to access file system objects. A security audit event is generated
only for objects that have SACLs and only if the type of access requested, such as
Write, Read, or Modify, and the account making the request match the settings in the
SACL.
Filtering Platform Connection
Audits connections that are allowed or blocked by WFP.
Filtering Platform Packet Drop
Audits packets that are dropped by Windows Filtering Platform (WFP).
Handle Manipulation
Audits events generated when a handle to an object is opened or closed. Only objects
with a matching SACL generate security audit events. Open and close handle events
will be audited when both the Handle Manipulation subcategory is enabled along with
the corresponding resource manager identified by other Object Access audit
subcategory, like File System or Registry. Enabling Handle Manipulation causes
implementation-specific security event data to be logged identifying the permissions
that were used to grant or deny the access requested by the user; this is also known
as "Reason for access".
Kernel Object
Audits attempts to access kernel objects such as mutexes, semaphores, events and sections. Only kernel objects with
a matching SACL generate security audit events.
Note: The Audit: Audit the access of global system objects policy setting controls the default SACL of kernel
objects.
Other Object Access Events
Audits events generated by the management of Task Scheduler jobs or COM+
objects.
Registry
Audits attempts to access registry objects. A security audit event is generated only for
objects that have SACLs and only if the type of access requested, such as Read,
Write, or Modify, and the account making the request match the settings in the SACL.
Removable Storage **
From Server 2012.
Audits user attempts to access file system objects on any Removable Storage device.
A security audit event is generated for every read or write access to a file object on
any Removable Storage device attached to the user’s machine.
SAM
Audits events generated by attempts to access Security Accounts Manager (SAM)
objects.
Policy Change
Audit attempts to change Policy object rules.
Audit Policy Change
Audits changes in security audit policy settings.
Authentication Policy Change
Audits events generated by changes to the authentication policy, such as Kerberos policy and trust relationship
changes.
Authorization Policy Change
Audits events generated by changes to the authorization policy, such as user rights (privileges) being assigned to
or removed from an account.
Filtering Platform Policy Change
Audits events generated by changes to Windows Filtering Platform (WFP).
MPSSVC Rule-Level Policy Change
Audits events generated by changes in policy rules used by Windows Firewall.
Other Policy Change Events
Audits events generated by other security policy changes that are not audited in the
Policy Change category.
Privilege Use
Audit attempts to use privileges.
Non Sensitive Privilege Use
Audits events generated by the use of nonsensitive privileges (user rights), such as
logging on locally or with a Remote Desktop connection, changing the system time, or
removing a computer from a docking station.
Other Privilege Use Events
Audits other privilege use events.
Sensitive Privilege Use
Audits events generated by the use of sensitive privileges (user rights), such as acting
as part of the operating system, backing up files and directories, impersonating a client
computer, or generating security audits.
System
Audit attempts to shut down or restart the computer. Also, audit events that affect
system security or the security log.
IPsec Driver
Audits events that are generated by the IPsec filter driver.
Other System Events
Audits any of the following events:
- Startup and shutdown of the Windows Firewall
- Security policy processing by the Windows Firewall
- Cryptography key file and migration operations
Security State Change
Audits events generated by changes in the security state of the computer.
Security System Extension
Audits events related to security system extensions or services.
System Integrity
Audits events that violate the integrity of the security subsystem.
4.2 Event log Settings
Policy: Policy Value
Maximum Application Log Size: 20480 KB
Maximum Security Log Size: 131072 KB
Maximum System Log Size: 20480 KB
Restrict Guest Access to Application Log: Enabled
Restrict Guest Access to Security Log: Enabled
Restrict Guest Access to System Log: Enabled
Retain Application Log: N/A
Retain Security Log: N/A
Retain System Log: N/A
Retention Method for Application Log: As Needed
Retention Method for Security Log: As Needed
Retention Method for System Log: As Needed
Shutdown Computer when Security Log is Full: Disabled
Event Logs Features
Event logs contain all events logged by the system auditing controls (audit policy). In this way a wide variety of events
can be monitored to track different activities. Information can also be gathered about hardware, software, and system
problems.
Careful monitoring of event logs can help in predicting and identifying the sources of system problems. For example, if
log warnings show that a disk driver can only read or write to a sector after several retries, the sector is likely to go
bad eventually.
Event logs can also confirm problems with software. If a program crashes, a program event log can provide a record
of activity leading up to the event.
Windows records events in the following Event logs:
- Application log
  The application log contains events logged for programs/applications.
- Security log
  The security log contains valid and invalid logon attempts as well as events related to resource use, such as
  creating, opening, or deleting files or other objects. For example, if you have enabled logon and logoff auditing,
  attempts to log on to the system are recorded in the security log.
- System log
  The system log contains events logged by Windows’ system components. For example, the failure of a driver or
  other system component to load during start up is recorded in the system log. The event types logged by system
  components are predetermined by Windows.
Log Size and Retention Method for Logs
The Log Size is in Kilobytes. When the Log Size limit is reached the Retention Method for Logs defines the action
that will be taken:
If Overwrite events as needed (As needed) is selected, the oldest events are overwritten and the log is not
archived. This option is a good choice for low-maintenance systems, but on a busy domain controller the security log
then holds only as much history as its size allows, so the log must be large enough, or forwarded to a collector, to
cover the window an investigation needs.
The Overwrite events older than and Retain Log (in days) options keep events for at least the specified number of
days: when the log is full, only events older than that are overwritten, and if none are old enough new events are
discarded. This strategy minimises the chance of losing important log entries and at the same time keeps log sizes
reasonable.
If the Do not overwrite events (Manually) option is specified all the events remain in the log. This option requires
that the log be cleared manually. When the maximum log size is reached, new events will be discarded.
If Overwrite events as needed (As needed) or Do not overwrite events (Manually) options are selected, the
Retain Log (in days) option is not available (N/A).
Restrict Guest Access to Application, Security, System Logs
It is a good practice to enable this feature as it minimises the risk of unauthorised persons getting read access to
logs.
The Shut down when Security Log is Full option (the CrashOnAuditFail setting) ensures that no auditable activities,
including security violations, occur while the system is unable to log them. When the security log fills, the system
halts with a STOP error rather than shutting down cleanly, and after the restart only administrators can log on until
the setting is reset. This option should be used at the discretion of Management, as it lets anyone who can generate
enough audit events take the domain controller down.
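The settings in the table come from two places: the event log service for size and retention, and the registry for guest access and the shutdown-when-full option. The PowerShell below is an added example (mine, not part of the SekChek report) that reads both and flags sizes below a threshold. The minimum sizes in $MinSizeKB are my assumptions; the registry locations are the ones the Security Options policy template writes.

```powershell
# Added example (not from the SekChek report). Reads size, retention and guest
# access for the three classic logs plus the CrashOnAuditFail option. Minimum
# sizes are assumed values; function names are my own.
function Get-ClassicEventLogSettings {
    param(
        # Assumed minimum sizes in KB; the Security log fills fastest on a DC.
        [hashtable]$MinSizeKB = @{ Application = 32768; Security = 196608; System = 32768 }
    )
    foreach ($name in 'Application', 'Security', 'System') {
        $log = Get-WinEvent -ListLog $name -ErrorAction Stop
        # LogMode maps to the report's "Retention Method": Circular = overwrite as
        # needed, AutoBackup = archive when full, Retain = do not overwrite (clear
        # manually). The "older than N days" option no longer exists on Vista+.
        $method = switch ($log.LogMode) {
            'Circular'   { 'As Needed' }
            'AutoBackup' { 'Archive when full' }
            'Retain'     { 'Manually' }
        }
        $guest = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$name" `
                                  -Name RestrictGuestAccess -ErrorAction SilentlyContinue
        $sizeKB = [int]($log.MaximumSizeInBytes / 1KB)
        [pscustomobject]@{
            Log                 = $name
            MaxSizeKB           = $sizeKB
            MeetsSize           = $sizeKB -ge $MinSizeKB[$name]
            RetentionMethod     = $method
            RestrictGuestAccess = if ($guest) { [bool]$guest.RestrictGuestAccess } else { 'Not set' }
        }
    }
}

function Get-CrashOnAuditFail {
    # "Shutdown Computer when Security Log is Full" is the LSA CrashOnAuditFail value:
    # 0 = disabled, 1 = halt with a STOP error when the log is full,
    # 2 = the halt has already happened; only administrators may log on until reset.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name CrashOnAuditFail -ErrorAction SilentlyContinue
    if ($lsa) { [int]$lsa.CrashOnAuditFail } else { 0 }
}

Get-ClassicEventLogSettings | Format-Table -AutoSize
"CrashOnAuditFail = $(Get-CrashOnAuditFail)"
```

A CrashOnAuditFail value of 2 on a machine that is up again is worth a closer look: it means the halt has already fired once, and a domain controller that has been bounced to clear a full security log may have lost exactly the events an investigation needs.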
4.3 Security Option Settings
Policy / Policy Value / Description

Allow server operators to schedule tasks
Policy Value: Disabled
Determines whether Server Operators may submit jobs through the AT schedule facility. By default, only administrators can submit AT jobs. Enabling this setting lets members of the Server Operators group submit AT jobs on Domain Controllers without being made Administrators. This policy is not defined by default.

Allow system to be shut down without having to log on
Policy Value: Disabled
Determines whether a computer can be shut down without logging on to Windows. When this policy is enabled, the Shut Down command is available on the Windows logon screen. When it is disabled, the option does not appear on the logon screen, and users must log on successfully and hold the "Shut down the system" user right to shut the system down. By default, this option is enabled on workstations and disabled on servers in Local Computer Policy.

Amount of idle time required before disconnecting session (minutes)
Policy Value: 15
Determines the amount of continuous idle time that must pass in a Server Message Block (SMB) session before the session is disconnected for inactivity. If client activity resumes, the session is automatically re-established. This policy is defined for servers by default in Local Computer Policy with a value of 15 minutes; it is not defined on workstations. A value of 0 means an idle session is disconnected as quickly as reasonably possible.

Audit the access of global system objects
Policy Value: Disabled
Determines whether access to global system objects is audited. These objects are not generally visible to or known by a typical user, and enabling this option can add so many entries to the security log that locating real security problems becomes considerably harder. It can be useful in some situations, for example where custom applications are being developed and the "users" include programmers who may access these objects directly.

Audit use of backup and restore privilege
Policy Value: Disabled
When files are backed up or restored, the system checks that the user has the Backup or Restore right each time a file is copied to or restored from backup media. By default these checks are not recorded, because they could flood the security log. Enable this option only in special cases, such as auditing of high-security installations.

Clear virtual memory page file when system shuts down
Policy Value: Disabled
A paging file is a system file and cannot be encrypted. File system security prevents any user from reading paging files while Windows is running, and these permissions cannot be changed. However, someone could start the computer under a different operating system and read the Windows 2000 paging file, which may contain plaintext of encrypted files. Enabling this option clears the paging files every time the computer shuts down.

Digitally sign client communication (always)
Policy Value: Disabled
Enabling this option ensures that the client communicates only with servers that have SMB (Server Message Block) signing enabled.

Digitally sign client communication (when possible)
Policy Value: Enabled
Enables SMB signing on the client. SMB signing places a digital signature in each message block. If signing is enabled on a server, clients that also have it enabled sign all subsequent sessions, while clients without it fall back to unsigned SMB.

Digitally sign server communication (always)
Policy Value: Enabled
Enabling this option ensures that the server communicates only with clients that have SMB (Server Message Block) signing enabled.

Digitally sign server communication (when possible)
Policy Value: Enabled
Enables SMB signing on the server. SMB signing places a digital signature in each message block. If signing is enabled on the client, a server that also has it enabled signs all subsequent sessions, while a server without it falls back to unsigned SMB.

Disable CTRL+ALT+DEL requirement for logon
Policy Value: Disabled
By default, users must press CTRL+ALT+DEL before logging on, because programs can be written to imitate the logon screen and capture account passwords. Pressing CTRL+ALT+DEL defeats such programs. Disabling the CTRL+ALT+DEL requirement is a potential security risk.

Do not display last user name in logon screen
Policy Value: Disabled
By default, Windows 2000 places the username of the last user who logged on in the Username box of the Logon dialog, for the convenience of the most frequent user. Enable this option to keep usernames secret. This is especially useful on a generally accessible computer that is used, for example, with the (renamed) built-in Administrator account.

Message text for users attempting to logon
Policy Value: (blank)
Windows 2000 can display a message box with a caption and text of your choice before a user logs on. Many organisations use it to warn potential users that they can be held legally liable if they attempt to use the computer without proper authorisation. The absence of such a notice could be construed as an unrestricted invitation to enter and browse the system.

Message title for users attempting to logon
Policy Value: (blank)
The title of the message box described above.

Prevent system maintenance of computer account password
Policy Value: Disabled
Determines whether the computer account password is prevented from being reset every week. As part of Windows 2000 security, computer account passwords are changed automatically every seven days. If this policy is enabled, the machine is prevented from requesting the weekly password change; if it is disabled, a new computer account password is generated every week. This policy is defined in Local Computer Policy and is disabled by default.

Prevent users from installing printer drivers
Policy Value: Enabled
Determines whether members of the Users group are prevented from installing printer drivers. If enabled, users cannot install printer drivers on the local machine, which also prevents them from adding printers whose driver is not already present. If disabled, a member of the Users group can install printer drivers on the computer. By default, this setting is enabled on servers and disabled on workstations.

Prompt user to change password before expiration (days)
Policy Value: 0
Determines how far in advance Windows 2000 warns users that their password is about to expire. Advance warning gives the user time to construct a sufficiently strong password. The default is 14 days; a value of 0 gives users no advance warning.

Recovery Console: Allow automatic administrative logon
Policy Value: Disabled
By default, the Recovery Console requires the Administrator account password before granting access to the system. If this option is enabled, the Recovery Console does not require a password and logs on to the system automatically, removing a security barrier that protects the computer against intruders. Enable it only on systems with controlled console access, such as those in rooms that can be locked.

Recovery Console: Allow floppy copy and access to all drives and all folders
Policy Value: Disabled
Allows copying to floppy disk and access to all drives and folders during a Recovery Console session (a text-mode command interpreter that gives the system administrator access to the hard disk of a Windows 2000 computer, regardless of the file system used, for basic troubleshooting and maintenance).

Restrict CD-ROM access to locally logged-on users only
Policy Value: Disabled
By default, Windows 2000 allows any program to access files on CDs. In a highly secure, multi-user environment it can be useful to allow only the locally logged-on user to access those devices.

Restrict floppy access to locally logged-on users only
Policy Value: Disabled
By default, Windows 2000 allows any program to access files on floppy disks. In a highly secure, multi-user environment it can be useful to allow only the locally logged-on user to access those devices.

Secure channel: Digitally encrypt or sign secure channel data (always)
Policy Value: Enabled
When a Windows 2000 system joins a domain, a computer account is created. Thereafter, when the system boots, it uses that account's password to create a secure channel with a domain controller for its domain. Requests sent on the secure channel are authenticated and sensitive information such as passwords is encrypted, but the channel is not integrity-checked and not all information is encrypted. If this policy is enabled, all outgoing secure channel traffic must be either signed or encrypted; if it is disabled, signing and encryption are negotiated with the domain controller. Disabled by default. Enable it only if all domain controllers in all trusted domains support signing and sealing.

Secure channel: Digitally encrypt secure channel data (when possible)
Policy Value: Enabled
Determines whether the computer encrypts secure channel data whenever the domain controller supports it (the secure channel is described under the previous setting). If this policy is enabled, all outgoing secure channel traffic should be encrypted; if it is disabled, outgoing secure channel traffic is not encrypted. Enabled by default.

Secure channel: Digitally sign secure channel data (when possible)
Policy Value: Enabled
Determines whether the computer signs secure channel data whenever the domain controller supports it. If this policy is enabled, all outgoing secure channel traffic should be signed; if it is disabled, no outgoing secure channel traffic is signed. Enabled by default.

Secure channel: Require strong (Windows 2000 or later) session key
Policy Value: Enabled
If this policy is enabled, all outgoing secure channel traffic requires a strong (Windows 2000 or later) encryption key; if it is disabled, key strength is negotiated with the Domain Controller (DC). Enable it only if all DCs in all trusted domains support strong keys. Disabled by default.

Send unencrypted password to connect to third-party SMB servers
Policy Value: Disabled
If enabled, the Server Message Block (SMB) redirector is allowed to send clear-text passwords to non-Microsoft SMB servers that do not support password encryption during authentication. Disabled by default. This setting weakens the overall security of an environment and should be used only after careful consideration of the consequences of plain-text passwords in your specific environment.

Shut down system immediately if unable to log security audits
Policy Value: Disabled
Determines whether the system should shut down if it cannot log security events. If enabled, the system halts whenever a security audit cannot be logged for any reason. Typically an event fails to be logged when the security log is full and its retention method is either "Do Not Overwrite Events" or "Overwrite Events by Days". If the log is full, no existing entry can be overwritten and this option is enabled, the system stops with the blue screen error STOP: C0000244 {Audit Failed} An attempt to generate a security audit failed. To recover, an administrator must log on, archive the log (if desired), clear it, and reset this option as desired. Disabled by default.

Strengthen default permissions of global system objects
Policy Value: Enabled
Determines the strength of the default discretionary access control list (DACL) for objects. Windows 2000 maintains a global list of shared system resources such as DOS device names, mutexes and semaphores, so that objects can be located and shared among processes. Each type of object is created with a default DACL specifying who can access it and with what permissions. If this policy is enabled, the default DACL is stronger: non-administrative users can read shared objects but cannot modify shared objects they did not create. Enabled by default.

Unsigned driver installation behavior
Policy Value: Silently succeed
Determines what happens when an attempt is made to install a device driver (through the Windows 2000 device installer) that has not been certified by the Windows Hardware Quality Lab (WHQL). The options are Silently succeed, Warn but allow installation, and Do not allow installation. The default is Warn but allow installation; the value on this system is weaker than the default.

Unsigned non-driver installation behavior
Policy Value: Warn, but allow installation
Determines what happens when an attempt is made to install software other than a device driver that has not been digitally signed. The options are the same as for driver installation: Silently succeed, Warn but allow installation, and Do not allow installation.
Implications
The correct Security Option settings will enhance security, auditing and management.
Enabling some of these policies can strengthen security but undermine performance, operational ease of use, or
connectivity with clients that use third-party or earlier versions of authentication protocols. Enabling others
decreases security but enhances performance, functionality and connectivity.
Risk Rating
Low to high (dependent on the security setting being considered).
Recommended Action
Ensure that Security Option settings are set to appropriate values as required.
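The settings in this sub-section can be verified programmatically from the form in which a GPO stores them, the [Registry Values] section of the security template (GptTmpl.inf under SYSVOL, the same format secedit exports). The block below is an added example, not part of the SekChek report or its tooling: the template text is constructed to mirror the values shown for PUFFADDER above and in the Default Domain Controllers Policy registry keys in section 5.5, and the target values are the editor's hardening expectations rather than anything the report prescribes. Two of those registry values deserve a specific reading: LmCompatibilityLevel 2 ("Send NTLM response only") still accepts LM and NTLM from clients, and LDAPServerIntegrity 1 means LDAP signing is not required (2 requires it).

```python
"""Check Security Option settings against hardened values, reading them from the
[Registry Values] section of a GPO's GptTmpl.inf (the form secedit exports).
Added example; the sample template is constructed, not taken from PUFFADDER."""

# Constructed sample mirroring the values the report shows. Entry syntax is
# <path>=<type>,<data>, where 1=REG_SZ, 3=REG_BINARY, 4=REG_DWORD, 7=REG_MULTI_SZ.
SAMPLE_INF = r"""
[Unicode]
Unicode=yes
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,2
MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,0
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword=4,0
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1
MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=1,""
MACHINE\Software\Microsoft\Driver Signing\Policy=3,0
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_registry_values(text):
    """Return {lower-cased registry path: (type, data)} from [Registry Values]."""
    values, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "registry values" or "=" not in line:
            continue
        path, _, rest = line.partition("=")
        rtype, _, data = rest.partition(",")
        data = data.strip()
        if rtype.strip() in ("1", "7"):        # string data is quoted in the template
            data = data.strip('"')
        values[path.strip().lower()] = (int(rtype), data)
    return values


# (policy name as used in section 4.3, registry path suffix, acceptance test,
#  expected value in words). The expected values are the editor's hardening targets.
CHECKS = [
    ("Digitally sign client communication (always)",
     r"services\lanmanworkstation\parameters\requiresecuritysignature",
     lambda v: v == 1, "Enabled"),
    ("Digitally sign server communication (always)",
     r"services\lanmanserver\parameters\requiresecuritysignature",
     lambda v: v == 1, "Enabled"),
    ("Send unencrypted password to connect to third-party SMB servers",
     r"services\lanmanworkstation\parameters\enableplaintextpassword",
     lambda v: v == 0, "Disabled"),
    ("Secure channel: Digitally encrypt or sign secure channel data (always)",
     r"services\netlogon\parameters\requiresignorseal",
     lambda v: v == 1, "Enabled"),
    ("Do not display last user name in logon screen",
     r"policies\system\dontdisplaylastusername",
     lambda v: v == 1, "Enabled"),
    ("Unsigned driver installation behavior",
     r"microsoft\driver signing\policy",
     lambda v: v >= 1, "Warn but allow installation (1) or Do not allow installation (2)"),
    ("LAN Manager authentication level (LmCompatibilityLevel)",
     r"control\lsa\lmcompatibilitylevel",
     lambda v: v >= 3, "3 or higher: send NTLMv2 only (5 also refuses LM and NTLM)"),
    ("LDAP server signing requirements (LDAPServerIntegrity)",
     r"services\ntds\parameters\ldapserverintegrity",
     lambda v: v == 2, "2: Require signing"),
]


def evaluate(values):
    """Return [(policy, current value or None if undefined, expected, passed)]."""
    results = []
    for policy, suffix, accept, expected in CHECKS:
        entry = next((v for k, v in values.items() if k.endswith(suffix)), None)
        if entry is None:
            results.append((policy, None, expected, False))   # not defined in this GPO
            continue
        current = int(entry[1])
        results.append((policy, current, expected, accept(current)))
    return results


def findings(values):
    """Policies that fail their check, in CHECKS order."""
    return [policy for policy, _, _, passed in evaluate(values) if not passed]


if __name__ == "__main__":
    for policy, current, expected, passed in evaluate(parse_registry_values(SAMPLE_INF)):
        print(f"[{'ok  ' if passed else 'FAIL'}] {policy}: current={current}, expected={expected}")
```

On the constructed sample the block reports five failures: client-side SMB signing not required, last user name displayed, unsigned drivers installed silently, LM authentication level 2, and LDAP signing not required. A setting that is absent from the template is reported as a failure too, because an undefined policy falls back to whatever the local machine has. Correcting the values in the GPO, or editing the template and applying it with secedit /configure, clears the findings.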
5. Group Policy Objects
The following six sub-sections list important properties of all the Group Policy Objects (GPOs) defined on your
system, including their status, their links to Organizational Units (OUs), account permissions over the GPOs and
the various policies they define:
- Description and Properties for Group Policy Objects
- Summary of GPOs defined on the system
- Summary of GPOs and their Links to OUs
- Summary of OUs and their Links to GPOs
- Detailed listing of GPOs defined on the system
- GPO Version Discrepancies
5.1 Description and Properties for Group Policy Objects
GPOs are applied in a hierarchical fashion, starting with GPOs linked to Containers at the top of the tree and ending
with GPO-links at the bottom of the tree. The sequence in which GPOs are applied is:
1. The Local GPO on the machine used to log in to the system
2. GPOs linked to Sites
3. Domain-linked GPOs
4. GPOs linked to Organizational Units
In general, policies applied later override those applied earlier. However, this can be altered by the 'No Override'
and 'Block Inheritance' options, by disabling a GPO-link or a Policy Configuration segment, or by removing 'Read' or
'Apply Group Policy' access from accounts.
Explanation of Common Terms
What follows is an explanation of the common terms used in this sub-section:
- GPO Display Name. The user-friendly name for the GPO.
- GPO Exists on Disk. Indicates whether the GPO physically exists in the SYSVOL directory. If it does not, it has
  probably been deleted directly rather than through the appropriate Group Policy maintenance functions.
- Computer Configuration Disabled. Indicates the status of the Computer Configuration part of the GPO. If disabled,
  the policies (e.g. Rights definitions) defined in the Computer segment of the GPO are ignored when policy is
  applied.
- User Configuration Disabled. Indicates the status of the User Configuration part of the GPO. If disabled, the
  policies defined in the User segment of the GPO are ignored when policy is applied. This does not affect the
  policies in the Computer segment of the GPO.
- Container. The name of the Container (OU) object to which the GPO is linked.
- Type. The type of the Container object: Domain, OU (Organizational Unit) or Site.
- No Override. Indicates whether the policies defined in the GPO can be overridden by conflicting policies linked to
  other Containers at lower levels in the Active Directory tree. If 'Yes', policies defined in this GPO cannot be
  overridden by GPOs linked at lower levels.
- Link Disabled. Indicates the status of the GPO-link to the specified Container. If 'Yes', the GPO is not applied to
  that Container. This does not affect links that the GPO may have to other Container objects.
- Block Inheritance. Indicates whether policies from higher-level Containers are inherited by this Container. If
  'Yes', policies flowing down from higher-level Containers are not inherited. If the 'No Override' and 'Block
  Inheritance' options conflict (i.e. both are set), 'No Override' always takes precedence.
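The precedence rules above, worked as code. This is an added example, not part of the SekChek report: it models the Local, Site, Domain and OU chain for a computer in the TEST GPO PC OU using the GPO names and link properties reported in sections 5.2 to 5.4, and adds a constructed enforced domain link ('Snake baseline'), a site name, a Block Inheritance flag on the OU and per-GPO setting values, all of which are invented for illustration. 'Read' plus 'Apply Group Policy' access is modelled as a set of principals per GPO.

```python
"""Resolve which GPOs apply to an object and in what order, following the
rules of section 5.1: Local, Site, Domain, OU; later GPOs override earlier ones;
'No Override' links always win; 'Block Inheritance' drops ordinary GPOs from
containers above; disabled links, GPOs missing from SYSVOL, GPOs whose Computer
Configuration is disabled and GPOs the principal cannot read/apply are skipped.
Added example with constructed data, not part of the SekChek report."""
from dataclasses import dataclass, field


@dataclass
class Link:
    gpo: str
    no_override: bool = False     # 'No Override' (Enforced) on this link
    disabled: bool = False        # 'Link Disabled'


@dataclass
class Container:
    name: str
    kind: str                     # "Local", "Site", "Domain" or "OU"
    links: list = field(default_factory=list)   # link order: first = highest precedence
    block_inheritance: bool = False


@dataclass
class GPO:
    name: str
    exists_on_disk: bool = True
    computer_config_disabled: bool = False
    # principals holding both Read and Apply Group Policy on the GPO
    apply_to: frozenset = frozenset({"Authenticated Users"})


def effective_order(chain, gpos, principal_groups, computer=True):
    """GPO names in the order applied to the object; the last one wins a conflict.
    chain runs from the top (Local, Site, Domain, parent OUs) down to the
    container that holds the object."""
    applied = []     # (gpo name, container kind) for ordinary links
    enforced = []    # 'No Override' links; higher containers end up later
    for container in chain:
        if container.block_inheritance:
            # drop ordinary GPOs inherited from above; the local GPO is not inherited
            applied = [entry for entry in applied if entry[1] == "Local"]
        this_enforced = []
        # link 1 has the highest precedence, so it must be applied last
        for link in reversed(container.links):
            gpo = gpos[link.gpo]
            if link.disabled or not gpo.exists_on_disk:
                continue
            if computer and gpo.computer_config_disabled:
                continue
            if not (gpo.apply_to & principal_groups):
                continue          # no Read + Apply Group Policy: filtered out
            if link.no_override:
                this_enforced.append(gpo.name)
            else:
                applied.append((gpo.name, container.kind))
        enforced = this_enforced + enforced
    return [name for name, _ in applied] + enforced


def effective_settings(order, policies):
    """Last writer wins: policies maps GPO name -> {setting: value}."""
    result = {}
    for name in order:
        result.update(policies.get(name, {}))
    return result


# Constructed sample using the GPO and OU names from sections 5.2 to 5.4.
# 'Snake baseline', the site name, Block Inheritance and the settings are invented.
GPOS = {g.name: g for g in [
    GPO("Local Group Policy"),
    GPO("Default Domain Policy", exists_on_disk=False),   # report: GPO Exists on Disk = No
    GPO("Snake baseline"),
    GPO("Snake GPO test"),
    GPO("Regional and Language"),
    GPO("Default Domain Controllers Policy"),
]}
TEST_PC_CHAIN = [
    Container("PUFFADDER (local)", "Local", [Link("Local Group Policy")]),
    Container("Default-First-Site-Name", "Site"),
    Container("Snake.com", "Domain",
              [Link("Default Domain Policy"), Link("Snake baseline", no_override=True)]),
    Container("TEST GPO PC", "OU",
              [Link("Regional and Language", no_override=True), Link("Snake GPO test")],
              block_inheritance=True),
]
POLICIES = {
    "Local Group Policy": {"Unsigned driver installation behavior": "Silently succeed"},
    "Snake GPO test": {"Unsigned driver installation behavior": "Warn but allow installation"},
    "Snake baseline": {"Unsigned driver installation behavior": "Do not allow installation"},
}

if __name__ == "__main__":
    order = effective_order(TEST_PC_CHAIN, GPOS, {"Authenticated Users", "Domain Computers"})
    print(" -> ".join(order))
    print(effective_settings(order, POLICIES))
```

Running the block prints Local Group Policy -> Snake GPO test -> Regional and Language -> Snake baseline. The ordinary domain link (Default Domain Policy) is skipped because the GPO is missing from SYSVOL, the enforced domain link passes the OU's Block Inheritance and is applied last, beating the enforced 'Regional and Language' link, and the driver-signing setting that wins is the one from 'Snake baseline'. The 'GPO Exists on Disk', link and permission columns reported in the following sub-sections are exactly the inputs this resolution needs.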
Policies Reported On
The following policy definitions are listed for each GPO on your system:
- GPO Permissions. Lists the permissions that user accounts and groups have over the GPO. The GPO is not applied to
  an account (or to members of a group) that lacks 'Read' or 'Extended Rights' (Apply Group Policy) access to the GPO.
- Rights Policies. Lists the Rights defined in the GPO. An empty Account Name column indicates that the Right is
  defined but not assigned to anyone. Rights not listed under 'Rights Defined' are not defined in the GPO. Rights
  policies can only be defined in the Computer Configuration part of the GPO.
- Event Audit. Lists the Event Audit settings defined in the GPO. Events such as users logging on, accessing
  resources or attempting to use special privileges can be configured for auditing. Audited events can only be
  defined in the Computer Configuration part of the GPO.
- Event Logging. Lists control settings such as size and retention method for the Application, Security and System
  event logs. Event logging can only be defined in the Computer Configuration part of the GPO.
- System Access. Lists the security control settings for the password and lockout policy in Windows 200x domains.
  System access can only be defined in the Computer Configuration part of the GPO.
- Kerberos Policy. Lists the Kerberos settings defined in the GPO. Kerberos policy can only be defined in the
  Computer Configuration part of the GPO.
- Registry Keys. Lists the Registry keys used to configure security settings for the GPO, including access control,
  audit and ownership. Registry keys can only be defined in the Computer Configuration part of the GPO.
5.2 Summary of GPOs defined on the system
There are a total of 6 GPOs defined on your system:
- 0% (0) exist on disk but are not linked to any container
- 50% (3) do not exist on disk
- 0% (0) have the Computer Configuration disabled
- 0% (0) have the User Configuration disabled
- 50% (3) are not linked to a container

Policy GUID                               Display Name                       GPO Exists  Computer Config  User Config  Nbr
                                                                             on Disk     Disabled         Disabled     Links
{31B2F340-016D-11D2-945F-00C04FB984F9}    Default Domain Policy              No          No               No           0
{4AFDCFC6-BAED-4E1D-A3F8-6D5DC846945A}    Regional Settings workstations     No          No               No           0
{5471F07B-E3BF-47E6-A2DF-40E55805852D}    New Group Policy Object            No          No               No           0
{6AC1786C-016F-11D2-945F-00C04fB984F9}    Default Domain Controllers Policy  Yes         No               No           1
{F754BFE4-52E2-45B3-9034-36D5C65E8700}    Snake GPO test                     Yes         No               No           1
{F9BA3B20-1DDA-41D1-B91A-77D94D6EAB7F}    Regional and Language              Yes         No               No           1

For details of all GPO properties see worksheet GPOs_Summary in the MS-Excel workbook.
5.3 Summary of GPOs and their Links to OUs
Policy GUID                               Object              Object  No      Link      Block Inh    GPO Exists  Computer Config  User Config
                                                              Type    O/Ride  Disabled  at OU Level  on Disk     Disabled         Disabled
{6AC1786C-016F-11D2-945F-00C04fB984F9}    Domain Controllers  OU      No      No        No           Yes         No               No
{F754BFE4-52E2-45B3-9034-36D5C65E8700}    TEST GPO PC         OU      No      No        No           Yes         No               No
{F9BA3B20-1DDA-41D1-B91A-77D94D6EAB7F}    TEST GPO PC         OU      Yes     No        No           Yes         No               No
5.4 Summary of OUs and their Links to GPOs
Note: GPOs are listed in order of precedence.

Object              Object  Policy GUID                               No      Link      Block Inh    GPO Exists  Computer Config  User Config
                    Type                                              O/Ride  Disabled  at OU Level  on Disk     Disabled         Disabled
Domain Controllers  OU      {6AC1786C-016F-11D2-945F-00C04fB984F9}    No      No        No           Yes         No               No
TEST GPO PC         OU      {F9BA3B20-1DDA-41D1-B91A-77D94D6EAB7F}    Yes     No        No           Yes         No               No
TEST GPO PC         OU      {F754BFE4-52E2-45B3-9034-36D5C65E8700}    No      No        No           Yes         No               No
5.5 GPOs Defined and their Details
System/ Policies/ {31B2F340-016D-11D2-945F-00C04FB984F9}
GPO Display Name: Default Domain Policy
GPO Exists on Disk: No
Computer Configuration Disabled: No
User Configuration Disabled: No

GPO Links:
  ** No data found **

GPO Permissions:
  Account Name                   Type        Permission           Allow/Deny
  Authenticated Users            well-known  All Extended Rights  Allow
  Authenticated Users            well-known  Read All Properties  Allow
  CREATOR OWNER                  well-known  Read All Properties  Allow
  Domain Admins                  group       Read All Properties  Allow
  Domain Admins                  group       Read All Properties  Allow
  Domain Users                   group       All Extended Rights  Allow
  Domain Users                   group       Read All Properties  Allow
  Enterprise Admins              group       Read All Properties  Allow
  ENTERPRISE DOMAIN CONTROLLERS  well-known  Read All Properties  Allow
  SYSTEM                         well-known  Read All Properties  Allow
  User4                          user        All Extended Rights  Allow
  User4                          user        Read All Properties  Allow

Rights Policies:
  ** No data found **
Event Audit:
  ** No data found **
Event Logging:
  ** No data found **
System Access:
  ** No data found **
Kerberos Policy:
  ** No data found **
Registry Keys:
  ** No data found **

System/ Policies/ {4AFDCFC6-BAED-4E1D-A3F8-6D5DC846945A}
GPO Display Name: Regional Settings workstations
GPO Exists on Disk: No
Computer Configuration Disabled: No
User Configuration Disabled: No

GPO Links:
  ** No data found **

GPO Permissions:
  Account Name                   Type        Permission           Allow/Deny
  Authenticated Users            well-known  All Extended Rights  Allow
  Authenticated Users            well-known  Read All Properties  Allow
  CREATOR OWNER                  well-known  Read All Properties  Allow
  Domain Admins                  group       Read All Properties  Allow
  Domain Admins                  group       Read All Properties  Allow
  Domain Users                   group       All Extended Rights  Allow
  Domain Users                   group       Read All Properties  Allow
  Enterprise Admins              group       Read All Properties  Allow
  ENTERPRISE DOMAIN CONTROLLERS  well-known  Read All Properties  Allow
  SYSTEM                         well-known  Read All Properties  Allow
  User4                          user        All Extended Rights  Allow
  User4                          user        Read All Properties  Allow
  Users                          group       All Extended Rights  Allow
  Users                          group       Read All Properties  Allow

Rights Policies:
  ** No data found **
Event Audit:
  ** No data found **
Event Logging:
  ** No data found **
System Access:
  ** No data found **
Kerberos Policy:
  ** No data found **
Registry Keys:
  ** No data found **

System/ Policies/ {5471F07B-E3BF-47E6-A2DF-40E55805852D}
GPO Display Name: New Group Policy Object
GPO Exists on Disk: No
Computer Configuration Disabled: No
User Configuration Disabled: No

GPO Links:
  ** No data found **

GPO Permissions:
  Account Name                   Type        Permission           Allow/Deny
  Authenticated Users            well-known  All Extended Rights  Allow
  Authenticated Users            well-known  Read All Properties  Allow
  CREATOR OWNER                  well-known  Read All Properties  Allow
  Domain Admins                  group       Read All Properties  Allow
  Domain Admins                  group       Read All Properties  Allow
  Enterprise Admins              group       Read All Properties  Allow
  ENTERPRISE DOMAIN CONTROLLERS  well-known  Read All Properties  Allow
  SYSTEM                         well-known  Read All Properties  Allow

Rights Policies:
  ** No data found **
Event Audit:
  ** No data found **
Event Logging:
  ** No data found **
System Access:
  ** No data found **
Kerberos Policy:
  ** No data found **
Registry Keys:
  ** No data found **

System/ Policies/ {6AC1786C-016F-11D2-945F-00C04fB984F9}
GPO Display Name: Default Domain Controllers Policy
GPO Exists on Disk: Yes
Computer Configuration Disabled: No
User Configuration Disabled: No

GPO Links:
  Object              Type  No O/Ride  Link Disabled  Block Inheritance at OU Level
  Domain Controllers  OU    No         No             No

GPO Permissions:
  Account Name                   Type        Permission           Allow/Deny
  Authenticated Users            well-known  All Extended Rights  Allow
  Authenticated Users            well-known  Read All Properties  Allow
  CREATOR OWNER                  well-known  Read All Properties  Allow
  Domain Admins                  group       Read All Properties  Allow
  Domain Admins                  group       Read All Properties  Allow
  Enterprise Admins              group       Read All Properties  Allow
  ENTERPRISE DOMAIN CONTROLLERS  well-known  Read All Properties  Allow
  SYSTEM                         well-known  Read All Properties  Allow

Rights Policies:
  Right                                          Account Name (Type)
  Access this computer from the network          Administrators (group); Authenticated Users (well-known); Enterprise Domain Controllers (well-known); Everyone (well-known); Pre-Windows 2000 Compatible Access (group)
  Act as part of the operating system            (defined, not assigned)
  Add workstations to domain                     Authenticated Users (well-known)
  Adjust memory quotas for a process             *S-1-5-80-1144924461-1383973570-550994615-1093434689-3433800466 (unknown); *S-1-5-80-4003569689-492506040-2645153450-1162762568-2405087996 (unknown); Administrators (group); Local Service (well-known); Network Service (well-known)
  Allow log on locally                           Account Operators (group); Administrators (group); Backup Operators (group); Print Operators (group); Server Operators (group)
  Backup files and directories                   Administrators (group); Backup Operators (group); Server Operators (group)
  Bypass traverse checking                       *S-1-5-80-1144924461-1383973570-550994615-1093434689-3433800466 (unknown); *S-1-5-80-4003569689-492506040-2645153450-1162762568-2405087996 (unknown); Administrators (group); Authenticated Users (well-known); Everyone (well-known); Pre-Windows 2000 Compatible Access (group)
  Change the system time                         Administrators (group); Local Service (well-known); Server Operators (group)
  Create a page file                             Administrators (group)
  Create a token object                          (defined, not assigned)
  Create permanent shared objects                (defined, not assigned)
  Debug programs                                 Administrators (group)
  Deny access to this computer from the network  SUPPORT_388945a0 (user)
  Deny log on as a batch job                     (defined, not assigned)
  Deny log on as a service                       (defined, not assigned)
  Deny log on locally                            SophosSAUPUFFADDER0 (user); SUPPORT_388945a0 (user)
  Enable accounts to be trusted for delegation   Administrators (group)
  Force shutdown from a remote system            Administrators (group); Server Operators (group)
  Generate security audits                       Local Service (well-known); Network Service (well-known)
  Increase scheduling priority                   Administrators (group)
  Load and unload device drivers                 Administrators (group); Print Operators (group)
  Lock pages in memory                           (defined, not assigned)
  Log on as a batch job                          Local Service (well-known); SUPPORT_388945a0 (user)
  Log on as a service                            *S-1-5-80-1144924461-1383973570-550994615-1093434689-3433800466 (unknown); *S-1-5-80-4003569689-492506040-2645153450-1162762568-2405087996 (unknown); Network Service (well-known); SophosSAUPUFFADDER0 (user); SQLServer2005SQLBrowserUser$PUFFADDER (group); SYSTEM (well-known)
  Manage auditing and security log               Administrators (group)
  Modify firmware environment values             Administrators (group)
  Profile single process                         Administrators (group)
  Profile system performance                     Administrators (group)
  Remove computer from docking station           Administrators (group)
  Replace a process-level token                  *S-1-5-80-1144924461-1383973570-550994615-1093434689-3433800466 (unknown); *S-1-5-80-4003569689-492506040-2645153450-1162762568-2405087996 (unknown); Local Service (well-known); Network Service (well-known)
  Restore files and directories                  Administrators (group); Backup Operators (group); Server Operators (group)
  Shut down the system                           Administrators (group); Backup Operators (group); Print Operators (group); Server Operators (group)
  Synchronize directory service data             (defined, not assigned)
  Take ownership of files or other objects       Administrators (group)

Event Audit:
  Policy Name                     Policy Value
  Audit Account Logon Events      Success
  Audit Account Management        Success
  Audit Directory Service Access  Success
  Audit Logon Events              Success
  Audit Object Access             No Auditing
  Audit Policy Change             Success
  Audit Privilege Use             No Auditing
  Audit Process Tracking          No Auditing
  Audit System Events             Success

Event Logging:
  ** No data found **
System Access:
  ** No data found **
Kerberos Policy:
  ** No data found **

Registry Keys:
  Registry Key                                                                               Registry Value
  HKLM\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel                             2
  HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature     1
  HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature    1
  HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal               1
  HKLM\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity                 1

System/ Policies/ {F754BFE4-52E2-45B3-9034-36D5C65E8700}
GPO Display Name:
Snake GPO test
GPO Exists on Disk:
Yes
Computer Configuration Disabled:
No
User Configuration Disabled:
No
GPO Links:
Object | Type | No O/Ride | Link Disabled | Block Inheritance at OU Level
TEST GPO PC | OU | No | No | No
GPO Permissions:
Account Name | Type | Permission | Allow/Deny
Authenticated Users | well-known | All Extended Rights | Allow
Authenticated Users | well-known | Read All Properties | Allow
CREATOR OWNER | well-known | Read All Properties | Allow
Domain Admins | group | Read All Properties | Allow
Domain Admins | group | Read All Properties | Allow
Enterprise Admins | group | Read All Properties | Allow
ENTERPRISE DOMAIN CONTROLLERS | well-known | Read All Properties | Allow
SYSTEM | well-known | Read All Properties | Allow
Rights Policies:
** No data found **
Event Audit:
** No data found **
Event Logging:
** No data found **
System Access:
** No data found **
Kerberos Policy:
** No data found **
Registry Keys:
** No data found **
System/ Policies/ {F9BA3B20-1DDA-41D1-B91A-77D94D6EAB7F}
GPO Display Name:
Regional and Language
GPO Exists on Disk:
Yes
Computer Configuration Disabled:
No
User Configuration Disabled:
No
GPO Links:
Object | Type | No O/Ride | Link Disabled | Block Inheritance at OU Level
TEST GPO PC | OU | Yes | No | No
GPO Permissions:
Account Name | Type | Permission | Allow/Deny
Authenticated Users | well-known | All Extended Rights | Allow
Authenticated Users | well-known | Read All Properties | Allow
CREATOR OWNER | well-known | Read All Properties | Allow
Domain Admins | group | Read All Properties | Allow
Domain Admins | group | Read All Properties | Allow
Enterprise Admins | group | Read All Properties | Allow
ENTERPRISE DOMAIN CONTROLLERS | well-known | Read All Properties | Allow
SYSTEM | well-known | Read All Properties | Allow
Rights Policies:
** No data found **
Event Audit:
** No data found **
Event Logging:
** No data found **
System Access:
** No data found **
Kerberos Policy:
** No data found **
Registry Keys:
** No data found **
5.6 GPO Version Discrepancies
Section Summary
SekChek found 0 discrepancies between the versions of GPOs in AD and SYSVOL.
Section Detail
** No data found **
Implications
The versions of Group Policy Objects (GPOs) defined in Active Directory and in SYSVOL should normally be identical.
If the GPO versions differ it may indicate a replication problem. This will cause unintended differences between the
policies that are defined and those that are actually applied on the system.
Risk Rating
Low to high (dependent on the nature of the GPO).
Recommended Action
Ensure you understand the reason for any discrepancies between the versions of GPO objects.
Where appropriate, ensure you take the necessary action to address the cause of the problem.
6. Password Setting Objects (PSOs)
Section Summary
There is one PSO defined on your system:
• 0% (0) are not linked to any user or group objects.
Section Detail
PSO: Snake PSO test
Property | Value
PSO Precedence | 1
PSO Description | Test PSO 1
PSO DisplayName | Test PSO 1
Lockout Duration | (never) (D:HH:MM:SS)
Lockout Observation Window | 1:00:00:00 (D:HH:MM:SS)
Lockout Threshold | 5
Maximum Password Age | 35:00:00:00 (D:HH:MM:SS)
Minimum Password Age | (none) (D:HH:MM:SS)
Minimum Password Length | 10
Password Complexity Enabled | Y
Password History Length | 12
Reversible Password Encryption | N
When Changed (not replicated) | 25-Jan-2013 13:34:00
When Created | 25-Jan-2013 13:34:00
PSO Applies To... | CN=TestGroup3, CN=Users, DC=Snake, DC=com (Object Type= Group, Members= 0); CN=Cloud 2, OU=Amazon, DC=Snake, DC=com (Object Type= Group, Members= 1)
Notes
Password Setting Objects (PSOs) were introduced in Microsoft Windows Server 2008, and only apply to domains
where the domain functional level is set to Windows Server 2008 or higher.
PSOs can only be applied to User / inetOrgPerson objects and global security groups.
PSO Precedence: Establishes the PSO’s precedence in situations where a user is a member of multiple groups with
different password policies.
Account Policies (Lockout Duration etc.): Refer to the Domain Accounts Policy section for a definition of each policy setting.
PSO Applies To: The users and groups to which the Account Policies in the PSO are applied.
Implications
PSOs allow you to define multiple Account Policies per Active Directory domain, which was not permitted prior to
Windows 2008. The main benefit of PSOs is that they allow you to control Account Policies at a more granular level by
applying different Account Policies to selected users and groups.
Note that the Account Policies defined in a PSO will always override the settings defined in the Domain Accounts
Policy for the users and groups to which the PSO is linked.
For more information, see SekChek’s white paper MS-Windows Password Settings Objects (PSOs) at:
www.sekchek.com/White-Papers.htm.
Risk Rating
Medium to high depending on the policies in effect over groups and users.
Recommended Action
If PSOs are employed, you should ensure that the Account Policies defined in the PSOs are set to appropriate values.
7. Customer-Selected Registry Key Values
Section Summary
The following subsection lists the 2 registry keys that were selected during the extract.
Section Detail
Registry Key | Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Adobe\Acrobat Reader\9.0\Installer - ServiceControl | 601
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos - EEServer | v2
Implications
The correct settings of certain registry keys will enhance security, auditing and management on the system.
For example, having appropriate values for “remote access” will decrease the risk of intruders gaining illegal access to
the system.
For many registry keys a value of ‘0’ means that the feature is not enabled and a value of ‘1’ or greater means
enabled.
Risk Rating
Low to high (dependent on the registry setting being considered).
Recommended Action
Ensure that registry values are set to appropriate values where applicable.
8. User Accounts Defined In The Domain
Section Summary
There are 16 user accounts defined in your domain:
• 12.5% (2) of user accounts have Administrator privileges
• 6.3% (1) of user accounts have Guest privileges
• 81.3% (13) of user accounts have User privileges
• 0.0% (0) of user accounts are protected against accidental deletion
Section Detail
Common Name | Path | Privilege | Member of Group (Type/Scope)
Administrator | Users | Administrator | Administrators (SLB), Domain Admins (SG), Domain Users (SG), Enterprise Admins (SU), Group Policy Creator Owners (SG), Schema Admins (SU), Sophos Console Administrators (SL), Sophos DB Admins (SL), Sophos Full Administrators (SL), SophosAdministrator (SL)
Bradley test | TEST GPO PC | User | Domain Users (SG)
GpLink Test | Users | Administrator | Administrators (SLB), Domain Users (SG), Sophos Console Administrators (SL), Sophos DB Admins (SL), Sophos Full Administrators (SL), SophosAdministrator (SL)
Guest | Users | Guest | Domain Guests (SG), Guests (SLB)
krbtgt | Users | User | Denied RODC Password Replication Group (SL), Domain Users (SG)
SekTest User4 | Users | User | Domain Users (SG), Utilisateurs EPM Sharepoint (SG)
SekTest User5 | Users | User | Domain Users (SG), Utilisateurs EPM Sharepoint (SG)
SekTest User6 | Users | User | Domain Users (SG), Sophos Console Administrators (SL), Sophos DB Admins (SL), Sophos Full Administrators (SL), SophosAdministrator (SL), Utilisateurs EPM Sharepoint (SG)
SekTest User7 | Users | User | Domain Users (SG), Utilisateurs EPM Sharepoint (SG)
SekTest User9 | Users | User | Domain Users (SG), Utilisateurs EPM Sharepoint (SG)
SophosSAUPUFFADDER0 | Users | User | Domain Users (SG)
SophosUpdateMgr | Users | User | Domain Users (SG)
Sun user | Amazon | User | Domain Users (SG), Nature (SG)
SUPPORT_388945a0 | Users | User | Domain Users (SG), HelpServicesGroup (SL)
Virtual1 Cloud | Amazon | User | Cloud 1 (SG), Domain Users (SG)
Virtual2 Cloud | Amazon | User | Cloud 2 (SG), Domain Users (SG)
For details of all user properties see worksheet _All_User_Accounts in the MS-Excel workbook. For definitions of the
properties please see Glossary of Terms.
For details of internal system accounts see worksheet System_Accounts in the MS-Excel workbook.
Note. The above is a list of user accounts that have been defined in the domain. It does not include user accounts
from other domains or servers that are members of this domain’s groups.
For those other accounts, consult the report sections: Domain Local Groups and their Members, Domain Global
Groups and their Members and Domain Universal Groups and their Members.
Account Name: This name is unique in the domain.
Common Name: This name is unique inside the container or organizational unit but can be duplicated in a different
container for another user with a different Account Name (above). This is the name under which the user is listed in
the Active Directory MMC Console under the container it belongs to.
Path: Container or Organizational Unit the user belongs to. The higher-level containers or organizational units are
written first in the path, followed by the lower level containers or organizational units. See General Note in the System
Details section for a general explanation on paths.
Group Type / Scope:
SG – Security Global
SL – Security Local
SLB – Security Local - Builtin
SU – Security Universal
Note. The list only shows memberships of Security groups, i.e. memberships of Distribution groups are excluded from
the list.
For a more detailed description of group types refer to report section Groups Defined in the Domain.
Implications
Varying levels of control (rights) over the domain, domain containers and domain organizational units can be
delegated to users and/or groups of the domain or other domains.
If users belong to groups with permissions and rights greater than they need, they will have access to resources and
system functions not in line with their job functions.
The Administrator privilege is the most powerful privilege in the domain and can perform all actions on the
domain. Users with Administrator privilege have full control over the domain resources.
Members of groups such as Print Operators, Account Operators, Server Operators and Backup Operators also
acquire special privileges. Consult the report section titled: Domain Local Groups and their Members, for a more
detailed analysis.
Risk Rating
Medium to high (dependent on users’ job functions and the number of accounts with special privileges).
Recommended Action
Ensure that user accounts are defined in containers or organizational units where the controls over them are
appropriate.
Users’ rights and group memberships should be checked to ensure they are not granted unnecessary privileges or
rights.
Most users should be assigned to the built-in global group Domain Users and the built-in local group Users.
The number of accounts with Administrator privilege should be kept to a minimum. These accounts should only be
used for administrative functions. Users with administrative privileges should use a separate account for normal day-to-day use.
You should consider renaming the built-in Administrator account to a less obvious name to lessen the possibility of
hackers guessing the password, as they would have to guess the account name also. This account can never be
locked out due to failed logon attempts. The account cannot be disabled or deleted.
You should consider renaming the built-in Guest account to a less obvious name. Hackers trying to obtain illegal
access often target this account.
9. Groups Defined In the Domain
Section Summary
All Group Types
There are a total of 57 group accounts defined on your domain:
• 64.9% (37) of groups are Local Groups
• 29.8% (17) of groups are Global Groups
• 5.3% (3) of groups are Universal Groups
• 0.0% (0) of groups are Application Basic Groups
• 0.0% (0) of groups are Application Query Groups
• 0.0% (0) of groups are protected against accidental deletion
Security Groups Only
There are 57 security groups defined on your domain:
• 64.9% (37) of these are Local security Groups
• 29.8% (17) of these are Global security Groups
• 5.3% (3) of these are Universal security Groups
Section Detail
Common Name | Path | Type/Scope
Account Operators | Builtin | SLB
Administrators | Builtin | SLB
Allowed RODC Password Replication Group | Users | SL
Backup Operators | Builtin | SLB
Cert Publishers | Users | SL
Certificate Service DCOM Access | Builtin | SLB
Cloud 1 | Amazon | SG
Cloud 2 | Amazon | SG
Cryptographic Operators | Builtin | SLB
Denied RODC Password Replication Group | Users | SL
Distributed COM Users | Builtin | SLB
DnsAdmins | Users | SL
DnsUpdateProxy | Users | SG
Domain Admins | Users | SG
Domain Computers | Users | SG
Domain Controllers | Users | SG
Domain Guests | Users | SG
Domain Users | Users | SG
Enterprise Admins | Users | SU
Enterprise Read-only Domain Controllers | Users | SU
Event Log Readers | Builtin | SLB
Group Policy Creator Owners | Users | SG
Guests | Builtin | SLB
HelpServicesGroup | Users | SL
IIS_IUSRS | Builtin | SLB
Incoming Forest Trust Builders | Builtin | SLB
Nature | Amazon | SG
Network Configuration Operators | Builtin | SLB
Performance Log Users | Builtin | SLB
Performance Monitor Users | Builtin | SLB
Pre-Windows 2000 Compatible Access | Builtin | SLB
Print Operators | Builtin | SLB
RAS and IAS Servers | Users | SL
Read-only Domain Controllers | Users | SG
Remote Desktop Users | Builtin | SLB
Replicator | Builtin | SLB
Schema Admins | Users | SU
Server Operators | Builtin | SLB
Sophos Console Administrators | Users | SL
Sophos DB Admins | Users | SL
Sophos Full Administrators | Users | SL
SophosAdministrator | Users | SL
SophosDomainAdministrator | Users | SG
SophosDomainPowerUser | Users | SG
SophosDomainUser | Users | SG
SophosOnAccess | Users | SL
SophosPowerUser | Users | SL
SophosUser | Users | SL
SQLServer2005SQLBrowserUser$PUFFADDER | Users | SL
SQLServerMSSQLServerADHelperUser$PUFFADDER | Users | SL
TelnetClients | Users | SL
Terminal Server License Servers | Builtin | SLB
TestGroup3 | Users | SG
TestGroup4 | Users | SG
Users | Builtin | SLB
Utilisateurs EPM Sharepoint | Users | SG
Windows Authorization Access Group | Builtin | SLB
For details of all properties see worksheet Group_Accounts in the MS-Excel workbook. For definitions of the
properties please see Glossary of Terms.
NOTE: The above is a list of groups that have been defined in the domain. It does not include groups from other
domains or servers that are members of this domain’s groups.
Account Name: This name is unique in the domain.
Common Name: This name is unique inside the container or organizational unit but can be duplicated in a different
container for another group with a different Account Name (above). This is the name under which the group is listed in
the Active Directory MMC Console under the container it belongs to.
Path: Container or Organizational Unit the group belongs to. The higher-level containers or organizational units are
written first in the path, followed by the lower level containers or organizational units. See General Note in the System
Details section for a general explanation on paths.
Group Type/Scope:
AB – Application Basic
AQ – Application Query
DG – Distribution Global
DL – Distribution Local
DU – Distribution Universal
SG – Security Global
SL – Security Local
SLB – Security Local - Builtin
SU – Security Universal
There are 3 types of groups in Windows 200x* domains:
• Security groups
• Distribution groups
• Application groups
Security groups can define permissions on resources and objects. When assigning permissions for resources (file
shares, printers, and so on), administrators should assign those permissions to a security group rather than to the
individual users. The permissions are assigned once to the group, instead of several times to each individual user.
This helps simplify the maintenance and administration of a network.
Distribution groups are not security-enabled. Distribution groups can be used, for example, with e-mail applications
(such as Exchange), to send e-mail to collections of users.
Application groups are not security enabled and include basic application groups and LDAP query groups.
Application groups are specific to Authorization Manager role-based administration. An application group is a group of
users, computers, or other security principals. An application group is not a group of applications.
Membership of an Application Query group is dynamically calculated from LDAP queries.
Each security and distribution group has a scope that identifies the extent to which the group is applied in the domain
tree or forest. There are three different group scopes: universal, global, and local.
Built-in Local Security groups are defined by the Windows 200x* security system. They cannot be moved or deleted
from their original container (Builtin). Those groups cannot be members of other groups.
For membership of groups and more details on group scope, consult the report sections: Domain Local Groups and
their Members, Domain Global Groups and their Members and Domain Universal Groups and their Members.
Implications
Varying levels of control (rights) over the domain, domain containers and domain organizational units can be
delegated to groups of the domain or other domains.
Risk Rating
Medium to high (dependent on groups’ functions and what controls are granted over the groups).
Recommended Action
Ensure that groups are defined in containers or organizational units where the controls over them are appropriate.
10. Domain Local Groups and their Members
Section Summary
There are a total of 37 Local Security groups, containing the following 47 members, defined on your domain:
• 59.5% (22) of these groups are empty / have no members
• 2.1% (1) of the members are defined in other domains
Section Detail
Group Name | Member | Member Domain | Mbr Class
Account Operators | (none) | |
Administrators | Administrator | | user
Administrators | Domain Admins | | group
Administrators | Enterprise Admins | | group
Administrators | GpLinkTest | | user
Allowed RODC Password Replication Group | (none) | |
Backup Operators | (none) | |
Cert Publishers | (none) | |
Certificate Service DCOM Access | (none) | |
Cryptographic Operators | (none) | |
Denied RODC Password Replication Group | Cert Publishers | | group
Denied RODC Password Replication Group | Domain Admins | | group
Denied RODC Password Replication Group | Domain Controllers | | group
Denied RODC Password Replication Group | Enterprise Admins | | group
Denied RODC Password Replication Group | Group Policy Creator Owners | | group
Denied RODC Password Replication Group | krbtgt | | user
Denied RODC Password Replication Group | Read-only Domain Controllers | | group
Denied RODC Password Replication Group | Schema Admins | | group
Distributed COM Users | (none) | |
DnsAdmins | (none) | |
Event Log Readers | (none) | |
Guests | Domain Guests | | group
Guests | Guest | | user
HelpServicesGroup | SUPPORT_388945a0 | | user
IIS_IUSRS | IUSR | Unknown Domain (NT AUTHORITY) | unknown
Incoming Forest Trust Builders | (none) | |
Network Configuration Operators | (none) | |
Performance Log Users | (none) | |
Performance Monitor Users | (none) | |
Pre-Windows 2000 Compatible Access | Authenticated Users | | well-known
Print Operators | (none) | |
RAS and IAS Servers | (none) | |
Remote Desktop Users | Cloud 1 | | group
Remote Desktop Users | Cloud 2 | | group
Replicator | (none) | |
Server Operators | (none) | |
Sophos Console Administrators | Administrator | | user
Sophos Console Administrators | Domain Admins | | group
Sophos Console Administrators | Enterprise Admins | | group
Sophos Console Administrators | GpLinkTest | | user
Sophos Console Administrators | User6 | | user
Sophos DB Admins | Administrator | | user
Sophos DB Admins | Domain Admins | | group
Sophos DB Admins | Enterprise Admins | | group
Sophos DB Admins | GpLinkTest | | user
Sophos DB Admins | User6 | | user
Sophos Full Administrators | Administrator | | user
Sophos Full Administrators | Domain Admins | | group
Sophos Full Administrators | Enterprise Admins | | group
Sophos Full Administrators | GpLinkTest | | user
Sophos Full Administrators | User6 | | user
SophosAdministrator | Administrator | | user
SophosAdministrator | Domain Admins | | group
SophosAdministrator | Enterprise Admins | | group
SophosAdministrator | GpLinkTest | | user
SophosAdministrator | SophosDomainAdministrator | | group
SophosAdministrator | User6 | | user
SophosOnAccess | (none) | |
SophosPowerUser | SophosDomainPowerUser | | group
SophosUser | Domain Users | | group
SophosUser | SophosDomainUser | | group
SQLServer2005SQLBrowserUser$PUFFADDER | (none) | |
SQLServerMSSQLServerADHelperUser$PUFFADDER | (none) | |
TelnetClients | (none) | |
Terminal Server License Servers | (none) | |
Users | Authenticated Users | | well-known
Users | Domain Users | | group
Users | Interactive | | well-known
Windows Authorization Access Group | Enterprise Domain Controllers | | well-known
Notes
Members of Local Distribution groups are not listed here, as there is no security implication on these groups.
Group Account Name or Member Account Name: This name is unique in the domain.
Member Domain: The name of a trusted domain, if the group member is an external account. If the member belongs
to the domain analysed, this field will be empty.
Member Class: When = Unknown, it means that the account or group is a member of the local group but that the
server/domain where the account or group is registered could not be reached to obtain the account information. The
local groups showing these accounts as members should be checked to establish the origin and details of these
accounts.
When a server/domain cannot be reached for account information, the server/domain is either not available through
the network or the server/domain no longer exists in the domain.
Domain Local Groups
Groups with domain local scope can have as their members groups and accounts from Windows 200x* or Windows
NT domains and can be used to grant permissions only within a domain. Groups with a domain local scope are
referred to as Local Groups.
In native-mode Windows 200x* domains, Local Groups can have accounts, global groups, and universal groups from
any domain, as well as local groups from the same domain, as members.
In mixed-mode Windows 200x* domains, Local Groups can have accounts and global groups from any domain as
members but cannot have local groups as members.
Groups with domain local scope are typically used to define and manage access to resources within a single domain.
Built-in Local Groups are installed in the domain. These groups are security groups and represent common sets of
rights and permissions that can be used to grant certain roles, rights, and permissions to the accounts and groups that
are placed into these default groups. Default groups with domain local scope are located in the ‘Builtin’ container.
The default (built-in) Local Groups are:
• Account Operators
• Administrators
• Backup Operators
• Guests
• Pre-Windows 2000 Compatible Access
• Print Operators
• Replicator
• Server Operators
• Users
These built-in groups have domain local scope and are primarily used to assign default sets of permissions to users
who may have some administrative control in that domain. For example, the Administrators group in a domain has a
broad set of administrative authority over all accounts and resources in the domain.
The following shows the default rights held by some of these groups.
Administrators: Members of the Administrators group have full control over the computer. It is the only built-in group
that is automatically granted every built-in right and ability in the system.
Backup Operators: Members of the Backup Operators group can back up and restore files on the computer,
regardless of any permissions that protect those files. They can also log onto the computer and shut it down, but they
cannot change security settings.
Replicator: The Replicator group supports directory replication functions. The only member of the Replicator group
should be a domain user account used to log on to the Replicator service of the domain controller. Do not add the user
accounts of actual users to this group.
Implications
If users or groups belong to Local Groups with permissions and rights greater than they need, they will have access to
unnecessary resources and functions via the permissions and rights associated with the Local Groups.
The built-in Local Group, which has normal default user rights and permissions, is the Users group. Another built-in
Local Group with limited default privileges is Guests.
Built-in Local Groups cannot be deleted.
New Local Groups can be created and powerful rights (e.g. Take Ownership of Files and other Objects) can be
assigned to them.
Risk Rating
Medium to high (dependent on users’ job functions and groups’ roles).
Recommended Action
Privileges and rights acquired by users and groups via their membership of Local Groups should be checked to
ensure they are consistent with the users’ job functions and groups’ roles.
Most users or groups should be assigned to the Users Local Group.
Users or groups assigned to privileged Local Groups should be kept to a minimum and their membership fully
justified. As a rule, only individual users, and not groups, should be added to privileged Local Groups as this affords
better control.
Accounts or groups from other domains that are members of privileged Local Groups should be carefully
checked and fully justified.
If it can be avoided, users and groups from other domains should not be members of privileged Local Groups.
11. Domain Global Groups and their Members
Section Summary
There are a total of 17 Global Security groups, containing the following 30 members, defined on your domain:
• 41.2% (7) of these groups are empty / have no members
Section Detail
Group Name | Member | Member Class
Cloud 1 | Virtual1 | user
Cloud 2 | Virtual2 | user
Domain Admins | Administrator | user
Domain Computers | BEOWOLF | Computer
Domain Computers | REDWOLF | Computer
Domain Computers | BOOMSLANG | Computer
Domain Computers | PUFFADDER | Computer
Domain Guests | Guest | user
Domain Users | Administrator | user
Domain Users | bradley | user
Domain Users | GpLinkTest | user
Domain Users | krbtgt | user
Domain Users | SophosSAUPUFFADDER0 | user
Domain Users | SophosUpdateMgr | user
Domain Users | Sun | user
Domain Users | SUPPORT_388945a0 | user
Domain Users | User4 | user
Domain Users | User5 | user
Domain Users | User6 | user
Domain Users | User7 | user
Domain Users | User9 | user
Domain Users | Virtual1 | user
Domain Users | Virtual2 | user
DnsUpdateProxy | (none) |
Domain Controllers | (none) |
Group Policy Creator Owners | Administrator | user
Nature | Sun | user
Nature | User4 | user
Nature | User5 | user
Nature | User6 | user
Nature | User7 | user
Nature | User9 | user
Read-only Domain Controllers | (none) |
SophosDomainAdministrator | (none) |
SophosDomainPowerUser | (none) |
SophosDomainUser | (none) |
TestGroup3 | (none) |
TestGroup4 | (none) |
Utilisateurs EPM Sharepoint | (none) |
Notes
Group Account Name or Member Account Name: This name is unique in the domain.
Global Group
Groups with global scope can have as their members groups and accounts only from the domain in which the group is
defined and can be granted permissions in any domain in a domain tree or forest. Groups with a global scope are
referred to as Global Groups.
In native-mode Windows 200x* domains, Global Groups can have, as their members, accounts from the same domain
and global groups from the same domain.
In mixed-mode Windows 200x* domains, Global Groups can have, as their members, accounts from the same domain
but cannot have groups as members.
Default predefined groups with global scope are normally located in the Users container.
The predefined Global Groups placed in the Users container are:
• Cert Publishers
• Domain Admins
• Domain Computers
• Domain Controllers
• Domain Guests
• Domain Users
• Enterprise Admins
• Group Policy Admins
• Schema Admins
These groups with global scope can be used to collect the various types of user accounts in the domain (regular
users, administrators, and guests) into groups. These groups can then be placed in Local Groups.
By default, any user account created in a domain is automatically added to the Domain Users group and any
computer account created is automatically added to the Domain Computers group.
The Domain Users and Domain Computers groups can be used to represent all the accounts created in the domain.
For example, if all the users in this domain need to have access to a printer, permissions for the printer can be
assigned to the Domain Users group (or the Domain Users group can be placed into a local group that has
permissions for the printer).
Groups with global scope are normally used to manage directory objects that require daily maintenance, such as user
and computer accounts. Because groups with global scope are not replicated outside their own domain, accounts in a
group having global scope can be changed frequently without generating replication traffic to the global catalog.
Global groups cannot be created or maintained on Windows NT/200x* Workstations or Windows NT/200x* Servers
that are not Domain Controllers. However, for Windows NT/200x* Workstations or NT/200x* Server computers that
participate in a domain, domain global groups can be granted rights and permissions at those workstations or servers,
and can be members of local groups at those workstations or servers.
Implications
If users are assigned to global groups with permissions and rights greater than they need, they will have access to
unnecessary system resources and functions via the permissions and rights associated with the global groups.
Global groups can be members of local groups in the domain and other domains or members of other global groups in
the domain, thus acquiring their rights and granting those rights to users belonging to the global groups.
New global groups can be created and powerful rights (e.g. Take Ownership of Files and other Objects) assigned to
them.
Risk Rating
Medium to high (dependent on users’ job functions and groups’ functions).
Recommended Action
Privileges and rights assigned to global groups and their membership of other groups should be checked to ensure
that they are justified.
Most users should only be assigned to the Domain Users global group.
Users assigned to privileged global groups (such as Domain Admins) should be kept to a minimum and their
membership fully justified.
12. Domain Universal Groups and their Members
Section Summary
There are a total of 3 Universal Security groups, containing the following 2 members, defined in your domain:
• 33.3% (1) of these groups are empty / have no members
• 0.0% (0) of these members are defined in other domains
Section Detail
Group Name                                Member          Member Domain   Mbr Class
Enterprise Admins                         Administrator                   user
Enterprise Read-only Domain Controllers
Schema Admins                             Administrator                   user
Notes
Group Account Name or Member Account Name: This name is unique in the domain.
Member Domain: The name of a trusted domain, if the group member is an external account. If the member belongs
to the domain analyzed, this field will be empty.
Member Class: When = Unknown, it means that the account or group is a member of the universal group but that the
server/domain where the account or group is registered could not be reached to obtain the account information. The
universal groups showing these accounts as members should be checked to establish the origin and details of these
accounts.
When a server/domain cannot be reached for account information, the server/domain is either not available through
the network or the server/domain no longer exists in the domain.
Universal Groups
Groups with universal scope can have as members groups and accounts from any Windows 200x* domain in the
domain tree or forest and can be granted permissions in any domain in the domain tree or forest. Groups with a
universal scope are referred to as Universal Groups.
In native-mode Windows 200x* domains, Universal Groups can have, as their members, accounts from any domain,
global groups from any domain and universal groups from any domain.
In mixed-mode Windows 200x* domains, groups with universal scope cannot be created.
Groups with universal scope can be used to consolidate groups that span domains. For example, global groups from
different domains can be nested in universal groups. Using this strategy, any membership changes in the groups
having global scope do not affect the group with universal scope.
Implications
If users or groups are assigned to universal groups with permissions and rights greater than they need, they will have
access to unnecessary resources and functions via the permissions and rights associated with the universal groups.
Risk Rating
Medium to high (dependent on users’ job functions and groups’ functions).
Recommended Action
Privileges and rights assigned to universal groups and their membership of other groups should be checked to ensure
that they are justified.
13. Last Logons, 30 Days and Older
Section Summary
All Accounts
50.0% (8) of the user accounts on your domain have not logged-on in the last 30 days:
- 43.8% (7) have not logged-on in the last 60 days
- 43.8% (7) have not logged-on in the last 90 days
- 37.5% (6) have not logged-on in the last 180 days
- 37.5% (6) have not logged-on in the last 360 days
- 37.5% (6) have not logged-on in the last 2 years
- 37.5% (6) have never been used, or their last logon date is unknown
Excluding Disabled Accounts
25.0% (4) of the user accounts on your domain have not logged-on in the last 30 days:
- 18.8% (3) have not logged-on in the last 60 days
- 18.8% (3) have not logged-on in the last 90 days
- 18.8% (3) have not logged-on in the last 180 days
- 18.8% (3) have not logged-on in the last 360 days
- 18.8% (3) have not logged-on in the last 2 years
- 18.8% (3) have never been used, or their last logon date is unknown
All Administrator Accounts
0.0% (0) of the administrator accounts on your domain have not logged-on in the last 30 days:
- 0.0% (0) have not logged-on in the last 60 days
- 0.0% (0) have not logged-on in the last 90 days
- 0.0% (0) have not logged-on in the last 180 days
- 0.0% (0) have not logged-on in the last 360 days
- 0.0% (0) have not logged-on in the last 2 years
- 0.0% (0) have never been used, or their last logon date is unknown
Administrator Accounts (Excluding Disabled Accounts)
0.0% (0) of the administrator accounts on your domain have not logged-on in the last 30 days:
- 0.0% (0) have not logged-on in the last 60 days
- 0.0% (0) have not logged-on in the last 90 days
- 0.0% (0) have not logged-on in the last 180 days
- 0.0% (0) have not logged-on in the last 360 days
- 0.0% (0) have not logged-on in the last 2 years
- 0.0% (0) have never been used, or their last logon date is unknown
Domain Controllers (DCs) Scanned
SekChek scanned 2 out of 2 DCs for users' last logon times. See Domain Controllers in the Domain for more
information.
The last logon for the built-in Administrator account was 0 days ago.
Industry Average Comparison (> 30 days)
Note:
This is an exception report, so only lists accounts that have not logged on in the last 30 days. I.e. if an account logged
in 29 days ago (or more recently) it will not be listed in the report section.
Section Detail
Last Logon    Account Name          Path     State   Privilege
              Guest                 Users    D       Guest
              krbtgt                Users    D       User
              SophosSAUPUFFADDER0   Users            User
              SophosUpdateMgr       Users            User
              Sun                   Amazon           User
              SUPPORT_388945a0      Users    D       User
02-Aug-2013   User6                 Users    E       User
24-Sep-2013   User4                 Users            User
Notes
Account Name: This name is unique in the domain.
Path: Container or Organizational Unit the user belongs to. The higher-level containers or organizational units are
written first in the path, followed by the lower level containers or organizational units. See General Note in the System
Details section for a general explanation on paths.
Account State: Account is Disabled (D), Locked (L), Expired (E), or a combination of them, e.g. (DL), (DE).
Implications
Some of these user accounts may no longer be required. Inactive user accounts are a prime target for intruders. If
their passwords are compromised, they can be used with little fear of detection.
Risk Rating
Low to Medium.
Recommended Action
The list of accounts should be reviewed and redundant ones should be deleted.
Accounts that will be required later (longer term), should be disabled until required.
14. Passwords, 30 Days and Older
Section Summary
All Accounts
50.0% (8) of the user accounts on your domain have not had their passwords changed in the last 30 days:
- 43.8% (7) have not had their passwords changed in the last 60 days
- 43.8% (7) have not had their passwords changed in the last 90 days
- 43.8% (7) have not had their passwords changed in the last 180 days
- 25.0% (4) have not had their passwords changed in the last 360 days
- 12.5% (2) have not had their passwords changed in the last 2 years
Excluding Disabled Accounts
25.0% (4) of the user accounts on your domain have not had their passwords changed in the last 30 days:
- 18.8% (3) have not had their passwords changed in the last 60 days
- 18.8% (3) have not had their passwords changed in the last 90 days
- 18.8% (3) have not had their passwords changed in the last 180 days
- 12.5% (2) have not had their passwords changed in the last 360 days
- 6.3% (1) have not had their passwords changed in the last 2 years
All Administrator Accounts
50.0% (1) of the administrator accounts on your domain have not had their passwords changed in the last 30 days:
- 50.0% (1) have not had their passwords changed in the last 60 days
- 50.0% (1) have not had their passwords changed in the last 90 days
- 50.0% (1) have not had their passwords changed in the last 180 days
- 50.0% (1) have not had their passwords changed in the last 360 days
- 50.0% (1) have not had their passwords changed in the last 2 years
Administrator Accounts (Excluding Disabled Accounts)
50.0% (1) of the administrator accounts on your domain have not had their passwords changed in the last 30 days:
- 50.0% (1) have not had their passwords changed in the last 60 days
- 50.0% (1) have not had their passwords changed in the last 90 days
- 50.0% (1) have not had their passwords changed in the last 180 days
- 50.0% (1) have not had their passwords changed in the last 360 days
- 50.0% (1) have not had their passwords changed in the last 2 years
The password for the built-in Administrator account was last changed 1556 days ago.
Industry Average Comparison (> 30 days)
Note:
This is an exception report, so only lists accounts whose passwords have not changed in the last 30 days. I.e. if an
account's password was changed 29 days ago (or more recently) it will not be listed in the report section.
Section Detail
Password Age (days)   Account Name        Path    State   Privilege
1556                  Administrator       Users           Administrator
1556                  SUPPORT_388945a0    Users   D       User
436                   krbtgt              Users   D       User
436                   User5               Users           User
337                   User6               Users   E       User
292                   User9               Users   LE      User
270                   User7               Users           User
51                    User4               Users           User
Notes
Account Name: This name is unique in the domain.
Path: Container or Organizational Unit the user belongs to. The higher-level containers or organizational units are
written first in the path, followed by the lower level containers or organizational units. See General Note in the System
Details section for a general explanation on paths.
Account State:
L    Locked               An account is automatically locked by the system once the number of invalid login
                          attempts, as defined by the security policy, has been reached.
D    Disabled             A disabled account has been manually disabled by the administrator.
E    Expired              An account expires once the expiry date, which has been set by the administrator,
                          is reached.
DE   Disabled & Expired   An expired account which has also been manually disabled by the administrator.
DL   Disabled & Locked    A locked account which has also been manually disabled by the administrator.
Implications
This could indicate that these users are not required to change their passwords on a regular basis or that the accounts
are inactive and redundant. A password that is not changed on a frequent basis increases the risk of it being
compromised over time.
Risk Rating
Medium. If password controls are weak (e.g. Password Never Expires set in user accounts) the risk is high.
Recommended Action
The accounts should be reviewed and deleted if they are no longer required. Otherwise, their password change
interval should be brought in line with installation standards.
The Leading Practice is to force users to change their passwords every 30 to 60 days.
Some service accounts, such as for SMS, normally do not have their passwords changed frequently. For those
accounts, the account name and password should be such that they are very difficult to guess.
15. Passwords that Never Expire
Section Summary
All Accounts
87.5% (14) of users are never required to change their passwords due to security settings in individual user accounts.
Excluding Disabled Accounts
62.5% (10) of users are never required to change their passwords due to security settings in individual user accounts.
All Administrator Accounts
50.0% (1) of administrator accounts are never required to change their passwords due to security settings in individual
user accounts.
Administrator Accounts (Excluding Disabled Accounts)
50.0% (1) of administrator accounts are never required to change their passwords due to security settings in individual
user accounts.
Industry Average Comparison
Section Detail
Account Name          Path          State   Privilege
Administrator         Users                 Administrator
bradley               TEST GPO PC           User
Guest                 Users         D       Guest
SophosSAUPUFFADDER0   Users                 User
SophosUpdateMgr       Users                 User
Sun                   Amazon                User
SUPPORT_388945a0      Users         D       User
User4                 Users                 User
User5                 Users                 User
User6                 Users         E       User
User7                 Users                 User
User9                 Users         LE      User
Virtual1              Amazon                User
Virtual2              Amazon                User
Notes
Account Name: This name is unique in the domain.
Path: Container or Organizational Unit the user belongs to. The higher-level containers or organizational units are
written first in the path, followed by the lower level containers or organizational units. See General Note in the System
Details section for a general explanation on paths.
Account State: Account is Disabled (D), Locked (L), Expired (E), or a combination of them, e.g. (DL), (DE).
Implications
If users are not required to change their passwords on a frequent basis, their passwords are likely to become known
to other employees and potential intruders. The user profile could then be used to gain unauthorised access to
systems and data until the real user changes the password to a new one.
The password change interval is set in the Password Policies. However, the system default can be overridden via
the Password Never Expires parameter at user account level.
Risk Rating
Medium to High.
Recommended Action
Password change intervals for these user accounts should be brought in-line with the installation standard.
The Leading Practice for a password change interval is between 30 and 60 days.
You should also check the Accounts Policy to confirm that the Maximum Password Change Interval is set to an
acceptable value.
Some service accounts, such as for SMS, normally do not have their passwords changed frequently. For those
accounts, the account name and password should be such that they are very difficult to guess.
16. Accounts not Requiring a Password
Section Summary
All Accounts
6.3% (1) of users are allowed to logon with a zero length password due to security settings in individual user
accounts.
Excluding Disabled Accounts
0.0% (0) of users are allowed to logon with a zero length password due to security settings in individual user
accounts.
All Administrator Accounts
0.0% (0) of administrator accounts are allowed to logon with a zero length password due to security settings in
individual user accounts.
Administrator Accounts (Excluding Disabled Accounts)
0.0% (0) of administrator accounts are allowed to logon with a zero length password due to security settings in
individual user accounts.
Industry Average Comparison
Section Detail
Account Name   Path    State   Privilege
Guest          Users   D       Guest
Notes
Account Name: This name is unique in the domain.
Path: Container or Organizational Unit the user belongs to. The higher-level containers or organizational units are
written first in the path, followed by the lower level containers or organizational units. See the General Note in the
System Details section for a general explanation of paths.
Account State: Account is Disabled (D), Locked (L), Expired (E), or a combination of them, e.g. (DL), (DE).
Implications
The setting that allows zero-length (null) passwords to be defined at user account level is one of the values that
cannot be displayed via the standard Windows 'Active Directory Users and Computers' interface. It can only be
displayed (or set) via a special programmatic interface.
An Administrator can set passwords for the listed accounts to null regardless of domain-level security settings. The
accounts could then be used to log in to the system without a password, despite the security policy settings defined at
domain level. However, the system will not allow users to change their own passwords to null provided that domain-level
security settings prevent it. This can only be done by an Administrator via the 'Reset Password' function or via a
programmatic interface.
Because SekChek for Windows does not analyse user passwords it is not possible to determine which of the listed
accounts actually have null passwords assigned to them.
For more information, see SekChek’s white paper MS-Windows Accounts not Requiring a Password at:
www.sekchek.com/White-Papers.htm.
Risk Rating
Low to High (dependent on the privileges assigned to the user account).
In general, allowing the use of null passwords is a very high security risk, because it will allow any person in
possession of a valid account name to gain access to your system and information resources. However, there may be
some special situations where it is appropriate for null passwords to be assigned to some special accounts (e.g.
anonymous access with minimal privileges).
Recommended Action
In general, you should ensure strong passwords are assigned to all user accounts defined on your system. The
Leading Practice for a minimum password length is 7 characters.
You should also ensure that all accounts allowed null passwords are fully justified.
17. Invalid Logon Attempts Greater than 3
Section Summary
All Accounts
0.0% (0) of user accounts have invalid logon attempts greater than 3.
Excluding Disabled Accounts
0.0% (0) of user accounts have invalid logon attempts greater than 3.
All Administrator Accounts
0.0% (0) of administrator accounts have invalid logon attempts greater than 3.
Administrator Accounts (Excluding Disabled Accounts)
0.0% (0) of administrator accounts have invalid logon attempts greater than 3.
Industry Average Comparison
Section Detail
** No data found **
Notes
Account Name: This name is unique in the domain.
Path: Container or Organizational Unit the user belongs to. The higher-level containers or organizational units are
written first in the path, followed by the lower level containers or organizational units. See General Note in the System
Details section for a general explanation on paths.
Account State: Account is Disabled (D), Locked (L), Expired (E), or a combination of them, e.g. (DL), (DE).
Implications
Invalid logon attempts indicate the number of unsuccessful attempts at signing on to your system with the listed
accounts. The value is reset to ‘0’ after a successful sign-on to the system.
Consistently high values could indicate that an intruder is attempting to guess user passwords to gain access to your
system.
The Lockout Threshold parameter in the Account Lockout Policies determines the number of failed logon attempts
for user accounts before accounts are locked out.
Risk Rating
Low to Medium. (Dependent on the value assigned to the Lockout Threshold parameter in the Account Lockout
Policies)
Recommended Action
You should ensure that the Lockout Threshold in the Accounts Policy is set to a reasonable value. A value of 3 is the
Leading Practice.
Ideally, the Lockout Duration should be set to 0 (forever) in the Accounts Policy. This ensures that accounts are
locked when the lockout threshold is exceeded and can only be unlocked by Administrators.
18. Users not Allowed to Change Passwords
Section Summary
All Accounts
56.3% (9) of the users defined to your system are not allowed to change their passwords.
Excluding Disabled Accounts
37.5% (6) of the users defined to your system are not allowed to change their passwords.
All Administrator Accounts
0.0% (0) of the administrator accounts defined to your system are not allowed to change their passwords.
Administrator Accounts (Excluding Disabled Accounts)
0.0% (0) of the administrator accounts defined to your system are not allowed to change their passwords.
Industry Average Comparison
Section Detail
Account Name          Path     State   Privilege
Guest                 Users    D       Guest
SophosSAUPUFFADDER0   Users            User
SophosUpdateMgr       Users            User
Sun                   Amazon           User
SUPPORT_388945a0      Users    D       User
User7                 Users            User
User9                 Users    LE      User
Virtual1              Amazon           User
Virtual2              Amazon           User
Implications
If users are not permitted to change their passwords on a frequent basis, their passwords are likely to become known
to other employees and potential intruders. The user profile could then be used to gain unauthorised access to
systems and data until the password is changed to a new one.
The password change interval is set in the Accounts Policy. However, individual accounts can have the User
Cannot Change Password parameter set which overrides the policy standard.
A value of Yes in the Account Disabled column indicates that the account has been disabled by a security
administrator, is locked due to excessive failed login attempts, or has expired. See Disabled Accounts for details.
Risk Rating
Medium to High.
Recommended Action
The User Cannot Change Password parameter in user accounts should only be set for those accounts where a
common sign on is required (The “built in” Guest account is an example of a “common” account). The privileges and
group membership of these accounts should be carefully monitored.
Some service accounts, such as for SMS, normally do not have their passwords changed frequently. For those
accounts, the account name and password should be such that they are very difficult to guess.
19. Accounts with Expiry Date
Section Summary
All Accounts
12.5% (2) of user accounts are set to expire on a certain date.
- 12.5% (2) of accounts have expired
All Administrator Accounts
0.0% (0) of administrator accounts are set to expire on a certain date.
- 0.0% (0) of administrator accounts have expired
Section Detail
Account Name   Path    Account Expires   Privilege
User6          Users   06-Oct-2011       User
User9          Users   01-Oct-2011       User
Notes
Account Name: This name is unique in the domain.
Path: Container or Organizational Unit the user belongs to. The higher-level containers or organizational units are
written first in the path, followed by the lower level containers or organizational units. See General Note in the System
Details section for a general explanation on paths.
Implications
The Account Expires parameter allows you to ensure the account is automatically disabled on the assigned date.
When an account expires, a user who is logged on remains logged on but cannot establish new network connections.
After logging off, that user cannot log on again unless the expiration date is reset or cleared.
Risk Rating
Low to Medium.
Recommended Action
It is good practice to set an expiration date for temporary accounts or accounts assigned to contractors and part-time
workers.
For added security and to help ensure that accounts are disabled when no longer used, you could consider setting
expiration dates for all user accounts. Note however, that this will add to the administrative workload and may
inconvenience genuine users when their accounts expire and need to be reset by an administrator.
20. Disabled Accounts
Section Summary
All Accounts
18.8% (3) of user accounts have been disabled.
All Administrator Accounts
0.0% (0) of administrator accounts have been disabled.
Industry Average Comparison
Section Detail
Account Name       Path    Last Logon   Privilege
Guest              Users                Guest
krbtgt             Users                User
SUPPORT_388945a0   Users                User
Notes
Account Name: This name is unique in the domain.
Path: Container or Organizational Unit the user belongs to. The higher-level containers or organizational units are
written first in the path, followed by the lower level containers or organizational units. See General Note in the System
Details section for a general explanation on paths.
Implications
No security risks. A housekeeping issue only.
Accounts are disabled because they have reached the expiration date or have been disabled by the administrator.
Risk Rating
None.
Recommended Action
These accounts should be checked and deleted if no longer required.
21. Locked Out Accounts
Section Summary
All Accounts
6.3% (1) of user accounts are 'locked out'.
All Administrator Accounts
0.0% (0) of administrator accounts are 'locked out'.
Industry Average Comparison
Section Detail
Account Name   Path    Last Logon    Privilege
User9          Users   07-Nov-2013   User
Notes
Account Name: This name is unique in the domain.
Path: Container or Organizational Unit the user belongs to. The higher-level containers or organizational units are
written first in the path, followed by the lower level containers or organizational units. See General Note in the System
Details section for a general explanation on paths.
Implications
These accounts are locked due to an excessive number of failed logon attempts. This could be an indication that
intruders are attempting to access your system.
Lockout Threshold in the accounts policy defines the number of failed logon attempts for user accounts before
accounts are locked out.
Risk Rating
Medium to High.
Recommended Action
The reason these accounts have been “locked out” should be investigated and appropriate action taken.
You should ensure that the Lockout Threshold is set to a reasonable value. A value of 3 is the Leading Practice.
Ideally, the Lockout Duration should be set to 0 (forever) in the Accounts Policy. This ensures that accounts are
locked when the lockout threshold is exceeded and can only be unlocked by Administrators.
22. Accounts Whose Passwords Must Change at Next Logon
Section Summary
All Accounts
6.3% (1) of user accounts must change their password at next logon.
Excluding Disabled Accounts
0.0% (0) of user accounts must change their password at next logon.
All Administrator Accounts
0.0% (0) of administrator accounts must change their password at next logon.
Administrator Accounts (Excluding Disabled Accounts)
0.0% (0) of administrator accounts must change their password at next logon.
Section Detail
Account Name   Path    State   Privilege
krbtgt         Users   D       User
Notes
Account Name: This name is unique in the domain.
Path: Container or Organizational Unit the user belongs to. The higher-level containers or organizational units are
written first in the path, followed by the lower level containers or organizational units. See General Note in the System
Details section for a general explanation on paths.
Account State: Account is Disabled (D), Locked (L), Expired (E), or a combination of them, e.g. (DL), (DE).
Implications
The list details those accounts that must change their password at next logon. This can be as a result of a new
account or as a result of the account password having been reset by an administrator with the indicator User Must
Change Password At Next Logon turned on.
If the chosen passwords are default passwords known to most persons, those accounts could be used by anybody to
gain illegal access to the domain with the rights/privileges of the account.
Risk Rating
Low to Medium (depending on the password assigned by the administrator).
Recommended Action
It is good practice to set the User Must Change Password At Next Logon indicator for new user accounts or when
administrators reset passwords. This will force the user to change the initial or new password allocated at the first or
next logon.
The password chosen by the administrator should be unique and not a default password known to most persons.
23. Accounts Created in the Last 90 Days
Section Summary
All Accounts
68.8% (11) of user accounts were created in the last 360 days:
- 18.8% (3) were created in the last 30 days
- 18.8% (3) were created in the last 60 days
- 43.8% (7) were created in the last 90 days
- 43.8% (7) were created in the last 180 days
- 68.8% (11) were created in the last 360 days
- 31.3% (5) were created more than a year ago
All Administrator Accounts
50.0% (1) of administrator accounts were created in the last 360 days:
- 0.0% (0) were created in the last 30 days
- 0.0% (0) were created in the last 60 days
- 0.0% (0) were created in the last 90 days
- 0.0% (0) were created in the last 180 days
- 50.0% (1) were created in the last 360 days
- 50.0% (1) were created more than a year ago
Group Accounts
19.3% (11) of group accounts were created in the last 360 days:
- 5.3% (3) were created in the last 30 days
- 5.3% (3) were created in the last 60 days
- 5.3% (3) were created in the last 90 days
- 5.3% (3) were created in the last 180 days
- 19.3% (11) were created in the last 360 days
- 80.7% (46) were created more than a year ago
Computer Accounts
25.0% (1) of computer accounts were created in the last 360 days:
- 0.0% (0) were created in the last 30 days
- 0.0% (0) were created in the last 60 days
- 0.0% (0) were created in the last 90 days
- 0.0% (0) were created in the last 180 days
- 25.0% (1) were created in the last 360 days
- 75.0% (3) were created more than a year ago
Note: This is an exception report, so it only lists accounts created in the last 90 days. For details of accounts created
more than 90 days ago, see column 'Created' in worksheets _All_User_Accounts and Group_Accounts in the MS-Excel
workbook.
Section Detail
Create Date   Account Name   Path     Account Type   Privilege
07-Nov-2013   Cloud 1        Amazon   Group          -
07-Nov-2013   Cloud 2        Amazon   Group          -
07-Nov-2013   Nature         Amazon   Group          -
07-Nov-2013   Sun            Amazon   User           User
07-Nov-2013   Virtual1       Amazon   User           User
07-Nov-2013   Virtual2       Amazon   User           User
29-Aug-2013   User5          Users    User           User
29-Aug-2013   User6          Users    User           User
29-Aug-2013   User7          Users    User           User
29-Aug-2013   User9          Users    User           User
Notes
Account Name: This name is unique in the domain.
Path: Container or Organizational Unit the account belongs to. The higher-level containers or organizational units are
written first in the path, followed by the lower level containers or organizational units. See General Note in the System
Details section for a general explanation on paths.
Account Type: User or Group.
Implications
The authorisation of new accounts, as well as changes to existing accounts, are key management controls that
underpin the security of system and information resources.
If accounts are defined without management’s knowledge or authorisation, they could be used to gain illegal access to
your domain and system resources with little fear of detection.
Risk Rating
High (if accounts are defined without appropriate management authorisation).
Recommended Action
You should ensure management authorisation was formally provided prior to defining new accounts. Supporting
documentation should minimally include: a reason for creating the account; the security groups the account should
belong to; and the system resources required by the account owner.
Before management gives an employee access to a user account they should ensure the employee is made aware of
the organisation’s security policies and the employee’s responsibilities for system security.
Independent audits of new accounts should be conducted on a regular basis to ensure management controls are
appropriate and are being applied in a consistent and effective manner.
24. Rights and Privileges
The following seven subsections provide general recommendations regarding rights, and analyses of the Effective
rights assigned to Local, Global and Universal groups, user accounts, Well Known objects and external objects:
- Descriptions & General Recommendations for Rights
- Rights Assigned to Local Groups
- Rights Assigned to Universal Groups (Native mode only)
- Rights Assigned to Global Groups
- Rights Assigned to Users
- Rights Assigned to Well-Known Objects
- Rights Assigned to External Objects
Notes
In Windows 200x* domains, each domain controller can have different "local policy" settings. The domain controllers
usually inherit the same "local policy" settings by belonging to one Organizational Unit (e.g. Domain Controllers) to
which the same policies apply. However, by having domain controllers, for example, in different Organizational Units,
different "local policies" can be applied to domain controllers.
This has important security implications as accounts can, for example, be granted powerful rights on one or more
domain controllers while being denied the same rights on other domain controllers.
Implications
Rights and privileges allow users to perform certain actions on the system, such as the ability to Backup Files &
Directories. Rights/Privileges apply to the system as a whole and are different to permissions, which apply to specific
objects.
User rights fall into two general categories: logon rights and privileges. Logon rights control who is authorized to log
on to a computer and how they can log on. Privileges control access to system resources, and they can override the
permissions that are set on a particular object on the computer.
The special account LocalSystem has built-in capabilities that correspond to almost all privileges and logon rights.
Processes that are running as part of the operating system are associated with this account, and they require a
complete set of user rights. The system services that are supplied with Windows 200x* are configured automatically to
run as LocalSystem. Although other services can be configured to also run under this account, it is recommended that
this be done with care.
Logon rights control how security principals are allowed access to the computer, whether from the keyboard or
through a network connection, or whether as a service or as a batch job. For each logon method, there exists a pair of
logon rights, one to allow logging on to the computer and another to deny logging on to the computer. A deny logon
right can be used to exclude groups or individual accounts that have been assigned an allow logon right. Deny rights
take precedence over allow rights.
Rights and privileges are assigned to specific accounts directly via the User Rights policy, or indirectly via group
membership.
Note that members of a Local, Global or Universal group automatically inherit all rights granted to that group. This
includes Global groups or users from other domains that are members of a Local or Universal group.
To ease the task of account administration, it is recommended that Rights are primarily assigned to groups rather than
to individual user accounts. When Rights are assigned to a group, the Rights are assigned automatically to each user
who is added to the group. This is easier than assigning Rights to individual user accounts as each account is
created.
If users are given inappropriate rights it can lead to a high security risk.
Risk Rating
Medium to high depending on the rights granted to groups and users.
Recommended Action
Rights should be justified according to the person’s job function.
In general, rights should be assigned by adding user accounts to one of the built-in groups that already has the
needed rights, rather than by administering the User Rights policy.
The recommendations on the following page serve as a guideline only. Powerful rights should only be granted to
users or special accounts (e.g. SMS account) when absolutely necessary. They should also be reviewed on a regular
basis.
24.1 Descriptions & General Recommendations for Rights
Right | Description | Recommendation
Access this computer from the network | Allows a user to connect to the computer from the network. By default, this right is assigned to Administrators, Everyone, and Power Users. | Initially granted to Administrators, Everyone and Power Users. Restrict as required.
Act as part of the operating system | Allows a process to authenticate like a user and thus gain access to the same resources as a user. Only low-level authentication services should require this privilege. Note that potential access is not limited to what is associated with the user by default; the calling process might request that arbitrary additional privileges be added to the access token. Note that the calling process can also build an anonymous token that does not provide a primary identity for tracking events in the audit log. When a service requires this privilege, configure the service to use the LocalSystem account (which already includes the privilege), rather than create a separate account and assign the privilege to it. | Grant to no one.
Add workstations to domain | Allows a user to add workstations to the domain. Adding a workstation to a domain enables the workstation to recognize the domain's user and global group accounts. By default, members of a domain's Administrators and Account Operators groups have the right to add a workstation to a domain. This right cannot be taken away. They can also grant this right to other users. | Grant to Administrators and Account Operators.
Adjust memory quotas for a process | Allows a process that has Write Property access to another process to increase the processor quota that is assigned to the other process. This privilege is useful for system tuning, but it can be abused, as in a denial-of-service attack. By default, this privilege is assigned to Administrators. | Grant to no one.
Allow log on locally | Allows a user to log on locally at the computer's keyboard. For servers and domain controllers, by default, this right is assigned to Administrators, Account Operators, Backup Operators, Print Operators, and Server Operators. | For servers and domain controllers (i.e. not workstations), grant to Administrators and Operators only.
Allow log on through Terminal Services | Windows XP (or later) only. Allows a user to log on to the computer by using a Remote Desktop connection. | By default, this right is assigned to Administrators and Remote Desktop Users.
Backup files and directories | Allows the user to circumvent file and directory permissions to back up the system. The privilege is selected only when an application attempts access through the NTFS backup application programming interface (API). Otherwise, normal file and directory permissions apply. By default, this privilege is assigned to Administrators and Backup Operators. (See also "Restore files and directories" in this table.) | Grant only to Administrators and Backup Operators.
Bypass traverse checking | Allows the user to pass through folders to which the user otherwise has no access while navigating an object path in any Microsoft® Windows® file system or in the registry. This privilege does not allow the user to list the contents of a folder; it allows the user only to traverse its directories. By default, this privilege is assigned to Administrators, Backup Operators, Power Users, Users, and Everyone. | Restrict as required. It is enabled by default for all users.
Change the system time | Allows the user to set the time for the internal clock of the computer. By default, this privilege is assigned to Administrators and Power Users. | Grant to Administrators only.
Create a page file | Allows the user to create and change the size of a pagefile. This is done by specifying a paging file size for a particular drive under Performance Options on the Advanced tab of System Properties. By default, this privilege is assigned to Administrators. | Grant to Administrators only.
Create a token object | Allows a process to create an access token by calling NtCreateToken() or other token-creating APIs. When a process requires this privilege, use the LocalSystem account (which already includes the privilege), rather than create a separate user account and assign this privilege to it. | Grant to no one.
Create global objects | Windows 2000 (SP4 or later) only. Allows a user account to create global objects in a Terminal Services session. Note that users can still create session-specific objects without being assigned this user right. | By default, members of the Administrators group, the System account, and Services that are started by the Service Control Manager are assigned the "Create global objects" user right.
Create permanent shared objects | Allows a process to create a directory object in the Windows object manager. This privilege is useful to kernel-mode components that extend the Windows object namespace. Components that are running in kernel mode already have this privilege assigned to them; it is not necessary to assign them the privilege. | Grant to no one or to Administrators only.
Debug programs | Allows the user to attach a debugger to any process. This privilege provides access to sensitive and critical operating system components. By default, this privilege is assigned to Administrators. | Grant to no one unless required for development purposes.
Deny access to this computer from the network | Prohibits a user or group from connecting to the computer from the network. By default, no one is denied this right. | Grant as required.
Deny log on as a batch job | Prohibits a user or group from logging on through a batch-queue facility. By default, no one is denied the right to log on as a batch job. | Grant as required.
Deny log on as a service | Prohibits a user or group from logging on as a service. By default, no one is denied the right to log on as a service. | Grant as required.
Deny log on locally | Prohibits a user or group from logging on locally at the keyboard. By default, no one is denied this right. | Grant as required.
Deny log on through Terminal Services | Windows XP (or later) only. Prohibits a user from logging on to the computer using a Remote Desktop connection. | Grant as required.
Enable accounts to be trusted for delegation | Allows the user to change the Trusted for Delegation setting on a user or computer object in Active Directory. The user or computer that is granted this privilege must also have write access to the account control flags on the object. Delegation of authentication is a capability that is used by multi-tier client/server applications. It allows a front-end service to use the credentials of a client in authenticating to a back-end service. | Grant to Administrators only. Misuse of this privilege could make the network vulnerable to sophisticated attacks using Trojan horse programs that impersonate incoming clients and use their credentials to gain access to network resources.
Force shutdown from a remote system | Allows a user to shut down a computer from a remote location on the network. (See also "Shut down the system" in this table.) By default, this privilege is assigned to Administrators. | Grant to Administrators only.
Generate security audits | Allows a process to generate entries in the security log. The security log is used to trace unauthorized system access. (See also "Manage auditing and security log" in this table.) | Give this right to secure servers.
Impersonate a Client after authentication | Windows 2000 (SP4 or later) only. Permits programs that run on behalf of the user to impersonate a client. This security setting helps to prevent unauthorized servers from impersonating clients that connect to it through methods such as remote procedure calls (RPC) or named pipes. | By default, members of the Administrators group and the System account are assigned the right.
Increase scheduling priority | Allows a process that has Write Property access to another process to increase the execution priority of the other process. A user with this privilege can change the scheduling priority of a process in the Task Manager dialog box. By default, this privilege is assigned to Administrators. | Grant to Administrators only.
Load and unload device drivers | Allows a user to install and uninstall Plug and Play device drivers. This privilege does not apply to device drivers that are not Plug and Play; these device drivers can be installed only by Administrators. Note that device drivers run as trusted (highly privileged) programs; a user can abuse this privilege by installing hostile programs and giving them destructive access to resources. By default, this privilege is assigned to Administrators. | Grant to Administrators only.
Lock pages in memory | Allows a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Assigning this privilege can result in significant degradation of system performance. This privilege is obsolete and is therefore never selected. | Grant to no one.
Log on as a batch job | Allows a user to log on by using a batch-queue facility. By default, this right is assigned to Administrators. | Grant to no one.
Log on as a service | Allows a security principal to log on as a service. Services can be configured to run under the LocalSystem account, which has a built-in right to log on as a service. Any service that runs under a separate account must be assigned the right. By default, this right is not assigned to anyone. | Grant to no one.
Manage auditing and security log | Allows a user to specify object access auditing options for individual resources such as files, Active Directory objects, registry keys and other objects. Object access auditing is not actually performed unless you have enabled it in Audit Policy (under Security Settings, Local Policies). A user who has this privilege also can view and clear the security log from Event Viewer. By default, this privilege is assigned to Administrators. | Grant to Administrators only.
Modify firmware environment values | Allows modification of system environment variables either by a process through an API or by a user through System Properties. By default, this privilege is assigned to Administrators. | Grant to Administrators only.
Perform volume maintenance tasks | Windows XP (or later) only. Allows a non-administrative or remote user to manage volumes or disks. The operating system checks for the privilege in a user's access token when a process running in the user's security context calls SetFileValidData(). | By default, this right is assigned to members of the Administrators group.
Profile single process | Allows a user to run Microsoft® Windows NT® and Windows 2000 performance-monitoring tools to monitor the performance of nonsystem processes. By default, this privilege is assigned to Administrators and Power Users. | Grant to Administrators only.
Profile system performance | Allows a user to run Windows NT and Windows 2000 performance-monitoring tools to monitor the performance of system processes. By default, this privilege is assigned to Administrators. | Grant to Administrators or Operators.
Remove computer from docking station | Allows the user of a portable computer to undock the computer by clicking Eject PC on the Start menu. By default, this privilege is assigned to Administrators, Power Users, and Users. | Grant as required.
Replace a process-level token | Allows a parent process to replace the access token that is associated with a child process. | Grant to no one. This is a powerful right used only by the system.
Restore files and directories | Allows a user to circumvent file and directory permissions when restoring backed-up files and directories and to set any valid security principal as the owner of an object. (See also "Back up files and directories" in this table.) By default, this privilege is assigned to Administrators and Backup Operators. | Grant to Administrators and Backup Operators only. This right overrides file and directory permissions.
Shut down the system | Allows a user to shut down the local computer. At domain level this applies to all domain controllers in the domain. On a server or workstation, this applies to that machine only. | Grant to Administrators and Operators only, especially for domain controllers or servers. On workstations, this can be granted to all users.
Synchronize directory service data | Allows a process to provide directory synchronization services. This privilege is relevant only on domain controllers. By default, this privilege is assigned to the Administrator and LocalSystem accounts on domain controllers. | Grant to Administrators only.
Take ownership of files or other objects | Allows a user to take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. At domain level this applies to all domain controllers in the domain. On a server or workstation, this applies to that machine only. | Grant to Administrators only. This right overrides permissions protecting the object(s).
24.2 Rights Assigned to Local Groups
Local groups can acquire rights indirectly via membership of another group or groups (the column Group Account
Name) or by direct assignment (the column Group Account Name is empty). E.g. Local Group has Right via
membership of Local1*Local2*Local3.
- In Native Mode domains, a Local Security Group can be a member of other Local Security Groups. Rights can
propagate through nested security groups. In those cases, the Group Account Name will be written in the format
Group1*Group2*Group3…, starting from the higher-level group from which the group acquires the right.
- In Mixed Mode domains, a Local Security Group cannot be a member of another Local Security Group.
For a complete list of groups see report section Groups Defined in the Domain.
Local Group | Right | Via Groups
Account Operators
  Allow log on locally
Administrators
  Access this computer from the network
  Adjust memory quotas for a process
  Allow log on locally
  Allow log on through Terminal Services
  Backup files and directories
  Bypass traverse checking
  Change the system time
  Create a page file
  Create global objects
  Debug programs
  Enable accounts to be trusted for delegation
  Force shutdown from a remote system
  Impersonate a Client after authentication
  Increase scheduling priority
  Load and unload device drivers
  Manage auditing and security log
  Modify firmware environment values
  Perform volume maintenance tasks
  Profile single process
  Profile system performance
  Remove computer from docking station
  Restore files and directories
  Shut down the system
  Take ownership of files or other objects
Backup Operators
  Allow log on locally
  Backup files and directories
  Restore files and directories
  Shut down the system
Pre-Windows 2000 Compatible Access
  Access this computer from the network
  Bypass traverse checking
Print Operators
  Allow log on locally
  Load and unload device drivers
  Shut down the system
Server Operators
  Allow log on locally
  Backup files and directories
  Change the system time
  Force shutdown from a remote system
  Restore files and directories
  Shut down the system
SQLServer2005SQLBrowserUser$PUFFADDER
  Log on as a service
24.3 Rights Assigned to Universal Groups (Native mode only)
Universal groups can acquire rights indirectly via membership of another Universal or Local security group or groups
(the column Group Account Name) or by direct assignment (the column Group Account Name is empty). E.g.
Universal Group has Right via membership of Local1*Local2*Universal1*Universal2 or
Universal1*Universal2*Universal3.
- In Native Mode domains, a Universal Security Group can be a member of other Universal or Local Security Groups.
Rights can propagate through nested security groups. In those cases, the Group Account Name will be written in
the format Group1*Group2*Group3…, starting from the higher-level group from which the group acquires the
right.
- In Mixed Mode domains, Universal Security Groups cannot be created.
For a complete list of groups see report section Groups Defined in the Domain.
** No data found **
24.4 Rights Assigned to Global Groups
Global groups can acquire rights indirectly via membership of another group or groups (the column Group Account
Name) or by direct assignment (the column Group Account Name is empty). E.g. Global Group has Right via
membership of LocalGroup or Local1*Local2*Universal1*Global1 or Universal1*Universal2*Global1 or
Global1*Global2*Global3.
- In Native Mode domains a Global Security Group can be a member of other Global, Universal or Local Security
Groups. Rights can propagate through nested security groups. In those cases, the Group Account Name will be
written in the format Group1*Group2*Group3…, starting from the higher-level group from which the group
acquires the right.
- In Mixed Mode domains a Global Security Group can be a member of Local Security Groups only.
For a complete list of groups see report section Groups Defined in the Domain.
Global Group | Right | Via Groups
Domain Admins
  Access this computer from the network | Administrators
  Adjust memory quotas for a process | Administrators
  Allow log on locally | Administrators
  Allow log on through Terminal Services | Administrators
  Backup files and directories | Administrators
  Bypass traverse checking | Administrators
  Change the system time | Administrators
  Create a page file | Administrators
  Create global objects | Administrators
  Debug programs | Administrators
  Enable accounts to be trusted for delegation | Administrators
  Force shutdown from a remote system | Administrators
  Impersonate a Client after authentication | Administrators
  Increase scheduling priority | Administrators
  Load and unload device drivers | Administrators
  Manage auditing and security log | Administrators
  Modify firmware environment values | Administrators
  Perform volume maintenance tasks | Administrators
  Profile single process | Administrators
  Profile system performance | Administrators
  Remove computer from docking station | Administrators
  Restore files and directories | Administrators
  Shut down the system | Administrators
  Take ownership of files or other objects | Administrators
24.5 Rights Assigned to Users
The following two reports list all rights assigned to users, including rights assigned directly to users (the column Group
Account Name is empty), and rights acquired indirectly via membership of groups or nested groups (the column
Group Account Name). The first report is Grouped by Right and the second is Grouped by User Account.
In cases of rights acquired indirectly, the Group Account Name will be written in the format
Group1*Group2*Group3…, starting from the higher-level group from which the user acquires the right. E.g. User
Account has Right via membership of Group1*Group2*Group3.
Consult reports Rights Assigned to Local Groups, Rights Assigned to Universal Groups (Native mode only)
and Rights Assigned to Global Groups for a complete list of rights assigned to all Groups.
For a complete list of groups see report section Groups Defined in the Domain.
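As an added example (not part of the SekChek report or its tool), the following Python models how a user acquires rights directly or through nested groups, producing the Group1*Group2*Group3 path shown in the Via Groups column, and applies the rule stated in the Rights and Privileges notes above that a Deny logon right takes precedence over the matching Allow right (the "(Effective)" rows). The group memberships and right assignments are constructed sample data modelled on this report's own entries.

```python
"""Effective user rights through nested AD group membership.

Added example (not part of the SekChek report or tool). Reproduces the
report's "Via Groups" notation Group1*Group2*Group3 and its rule that a
Deny logon right takes precedence over the matching Allow right.
All data below is constructed sample data modelled on this report's entries.
"""
from collections import defaultdict

# principal -> rights assigned directly via the User Rights policy (constructed)
DIRECT_RIGHTS = {
    "Administrators": {
        "Access this computer from the network",
        "Allow log on locally",
        "Debug programs",
    },
    "Backup Operators": {"Allow log on locally", "Backup files and directories"},
    "SUPPORT_388945a0": {
        "Log on as a batch job",
        "Deny access to this computer from the network",
        "Deny log on locally",
    },
    "SophosSAUPUFFADDER0": {"Log on as a service", "Deny log on locally"},
}

# group -> members (user accounts or other groups) (constructed)
MEMBERS = {
    "Administrators": {"Administrator", "Domain Admins", "Enterprise Admins", "GpLinkTest"},
    "Domain Admins": {"Administrator"},
    "Enterprise Admins": {"Administrator"},
    "Backup Operators": set(),
}

# Allow logon right -> the Deny right that overrides it
LOGON_PAIRS = {
    "Access this computer from the network": "Deny access to this computer from the network",
    "Allow log on locally": "Deny log on locally",
    "Log on as a batch job": "Deny log on as a batch job",
    "Log on as a service": "Deny log on as a service",
    "Allow log on through Terminal Services": "Deny log on through Terminal Services",
}


def rights_for_user(user, direct_rights, members):
    """Return {right: [via, ...]} for one user.

    via is "" for a direct assignment, otherwise Group1*Group2*... starting
    from the group that holds the right down to the group the user is a
    member of, as in the report's Via Groups column."""
    acquired = defaultdict(list)
    for right in direct_rights.get(user, ()):
        acquired[right].append("")

    def chains(group, path, seen):
        # Yield every membership chain from `group` down to `user`;
        # `seen` guards against circular nesting.
        for member in members.get(group, ()):
            if member == user:
                yield path
            elif member in members and member not in seen:
                yield from chains(member, path + [member], seen | {member})

    for group in members:
        group_rights = direct_rights.get(group)
        if not group_rights:
            continue
        for path in chains(group, [group], {group}):
            for right in group_rights:
                acquired[right].append("*".join(path))
    return {right: sorted(vias) for right, vias in acquired.items()}


def effective_logon_rights(user, direct_rights, members, pairs=LOGON_PAIRS):
    """Allow logon rights that survive the deny-overrides-allow rule."""
    held = rights_for_user(user, direct_rights, members)
    return {allow for allow, deny in pairs.items() if allow in held and deny not in held}


def grouped_by_right(users, direct_rights, members):
    """The report's 'Grouped by Right' view: right -> [(account, via), ...]."""
    table = defaultdict(list)
    for user in users:
        for right, vias in rights_for_user(user, direct_rights, members).items():
            table[right].extend((user, via) for via in vias)
    return {right: sorted(rows) for right, rows in table.items()}


def summary(right, users, direct_rights, members):
    """Section Summary style count: (users holding the right, percentage)."""
    holders = [u for u in users if right in rights_for_user(u, direct_rights, members)]
    pct = round(100.0 * len(holders) / len(users), 1) if users else 0.0
    return len(holders), pct


if __name__ == "__main__":
    users = ["Administrator", "GpLinkTest", "SUPPORT_388945a0", "SophosSAUPUFFADDER0", "User5"]
    for right, rows in sorted(grouped_by_right(users, DIRECT_RIGHTS, MEMBERS).items()):
        count, pct = summary(right, users, DIRECT_RIGHTS, MEMBERS)
        print(f"{pct}% ({count}) of user accounts have right '{right}'")
        for account, via in rows:
            print(f"    {account:<22} {via}")
    for user in users:
        print(user, "effective logon:", sorted(effective_logon_rights(user, DIRECT_RIGHTS, MEMBERS)))
```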
Section Summary
12.5% (2) of user accounts have right 'Access this computer from the network'
6.3% (1) of user accounts have right 'Deny access to this computer from the network'
12.5% (2) of user accounts have right 'Access this computer from the network(Effective)'
0.0% (0) of user accounts have right 'Act as part of the operating system'
0.0% (0) of user accounts have right 'Add workstations to domain'
12.5% (2) of user accounts have right 'Adjust memory Quotas for a process'
12.5% (2) of user accounts have right 'Backup files and directories'
12.5% (2) of user accounts have right 'Bypass traverse checking'
12.5% (2) of user accounts have right 'Change the system time'
0.0% (0) of user accounts have right 'Create a token object'
12.5% (2) of user accounts have right 'Create global objects'
12.5% (2) of user accounts have right 'Create a page file'
0.0% (0) of user accounts have right 'Create permanent shared objects'
12.5% (2) of user accounts have right 'Debug programs'
12.5% (2) of user accounts have right 'Force shutdown from a remote system'
0.0% (0) of user accounts have right 'Generate security audits'
12.5% (2) of user accounts have right 'Impersonate a Client after authentication'
12.5% (2) of user accounts have right 'Increase scheduling priority'
12.5% (2) of user accounts have right 'Load and unload device drivers'
0.0% (0) of user accounts have right 'Lock pages in memory'
6.3% (1) of user accounts have right 'Log on as a batch job'
0.0% (0) of user accounts have right 'Deny logon as a batch job'
6.3% (1) of user accounts have right 'Logon as a batch job(Effective)'
6.3% (1) of user accounts have right 'Log on as a service'
0.0% (0) of user accounts have right 'Deny logon as a service'
6.3% (1) of user accounts have right 'Logon as a service(Effective)'
12.5% (2) of user accounts have right 'Log on locally'
12.5% (2) of user accounts have right 'Deny user from logging on locally'
12.5% (2) of user accounts have right 'Log on locally(Effective)'
12.5% (2) of user accounts have right 'Allow logon through Terminal Services'
0.0% (0) of user accounts have right 'Deny logon through Terminal Services'
12.5% (2) of user accounts have right 'Logon through Terminal Services(Effective)'
12.5% (2) of user accounts have right 'Manage auditing and security log'
12.5% (2) of user accounts have right 'Modify firmware environment values'
12.5% (2) of user accounts have right 'Perform volume maintenance tasks'
12.5% (2) of user accounts have right 'Profile single process'
12.5% (2) of user accounts have right 'Profile system performance'
0.0% (0) of user accounts have right 'Replace a process-level token'
12.5% (2) of user accounts have right 'Restore files and directories'
12.5% (2) of user accounts have right 'Shut down the system'
12.5% (2) of user accounts have right 'Take ownership of files or other objects'
12.5% (2) of user accounts have right 'Set the Trusted for Delegation setting'
12.5% (2) of user accounts have right 'Undock a laptop with the Windows 2000 interface'
0.0% (0) of user accounts have right 'Synchronize directory service data'
Grouped by Right
Note. Where the Account Name is blank this means that the Privilege is assigned to nobody.
Right | Account Name | Via Groups
Access this computer from the network
  Administrator | Administrators
  Administrator | Administrators*Domain Admins
  Administrator | Administrators*Enterprise Admins
  GpLinkTest | Administrators
Access this computer from the network (Effective)
  Administrator | Administrators
  Administrator | Administrators*Domain Admins
  Administrator | Administrators*Enterprise Admins
  GpLinkTest | Administrators
Act as part of the operating system
Adjust memory quotas for a process
  Administrator | Administrators
  Administrator | Administrators*Domain Admins
  Administrator | Administrators*Enterprise Admins
  GpLinkTest | Administrators
Allow log on locally
  Administrator | Administrators
  Administrator | Administrators*Domain Admins
  Administrator | Administrators*Enterprise Admins
  GpLinkTest | Administrators
Allow log on through Terminal Services
  Administrator | Administrators
  Administrator | Administrators*Domain Admins
  Administrator | Administrators*Enterprise Admins
  GpLinkTest | Administrators
Backup files and directories
  Administrator | Administrators
  Administrator | Administrators*Domain Admins
  Administrator | Administrators*Enterprise Admins
  GpLinkTest | Administrators
Bypass traverse checking
  Administrator | Administrators
  Administrator | Administrators*Domain Admins
  Administrator | Administrators*Enterprise Admins
  GpLinkTest | Administrators
Change the system time
  Administrator | Administrators
  Administrator | Administrators*Domain Admins
  Administrator | Administrators*Enterprise Admins
  GpLinkTest | Administrators
Create a page file
  Administrator | Administrators
  Administrator | Administrators*Domain Admins
  Administrator | Administrators*Enterprise Admins
  GpLinkTest | Administrators
Create a token object
Create global objects
  Administrator | Administrators
  Administrator | Administrators*Domain Admins
  Administrator | Administrators*Enterprise Admins
  GpLinkTest | Administrators
Create permanent shared objects
Debug programs
  Administrator | Administrators
  Administrator | Administrators*Domain Admins
  Administrator | Administrators*Enterprise Admins
  GpLinkTest | Administrators
Deny access to this computer from the network
  SUPPORT_388945a0
Deny log on as a batch job
Deny log on as a service
Deny log on locally
  SophosSAUPUFFADDER0
  SUPPORT_388945a0
Deny log on through Terminal Services
Enable accounts to be trusted for delegation
  Administrator | Administrators
  Administrator | Administrators*Domain Admins
  Administrator | Administrators*Enterprise Admins
  GpLinkTest | Administrators
Force shutdown from a remote system
  Administrator | Administrators
  Administrator | Administrators*Domain Admins
  Administrator | Administrators*Enterprise Admins
  GpLinkTest | Administrators
Generate security audits
Impersonate a Client after authentication
  Administrator | Administrators
  Administrator | Administrators*Domain Admins
  Administrator | Administrators*Enterprise Admins
  GpLinkTest | Administrators
Increase scheduling priority
  Administrator | Administrators
  Administrator | Administrators*Domain Admins
  Administrator | Administrators*Enterprise Admins
  GpLinkTest | Administrators
Load and unload device drivers
  Administrator | Administrators
  Administrator | Administrators*Domain Admins
  Administrator | Administrators*Enterprise Admins
  GpLinkTest | Administrators
Lock pages in memory
Log on as a batch job
  SUPPORT_388945a0
Log on as a batch job (Effective)
  SUPPORT_388945a0
Log on as a service
  SophosSAUPUFFADDER0
Log on as a service (Effective)
  SophosSAUPUFFADDER0
Manage auditing and security log
  Administrator | Administrators
  Administrator | Administrators*Domain Admins
  Administrator | Administrators*Enterprise Admins
  GpLinkTest | Administrators
Modify firmware environment values
  Administrator | Administrators
  Administrator | Administrators*Domain Admins
  Administrator | Administrators*Enterprise Admins
  GpLinkTest | Administrators

  Administrator | Administrators
  Administrator | Administrators*Domain Admins
  Administrator | Administrators*Enterprise Admins
  GpLinkTest | Administrators

  Administrator | Administrators
  Administrator | Administrators*Domain Admins
  Administrator | Administrators*Enterprise Admins
  GpLinkTest | Administrators

  Administrator | Administrators
  Administrator | Administrators*Domain Admins
  Administrator | Administrators*Enterprise Admins
  GpLinkTest | Administrators

  Administrator | Administrators
  Administrator | Administrators*Domain Admins
  Administrator | Administrators*Enterprise Admins
  GpLinkTest | Administrators

  Administrator | Administrators
  Administrator | Administrators*Domain Admins
  Administrator | Administrators*Enterprise Admins
  GpLinkTest | Administrators

  Administrator | Administrators
Administrator
Administrators*Domain Admins
Administrator
Administrators*Enterprise Admins
GpLinkTest
Administrators
Administrator
Administrators
Administrator
Administrators*Domain Admins
Administrator
Administrators*Enterprise Admins
GpLinkTest
Administrators
Perform volume maintenance tasks
Profile single process
Profile system performance
Remove computer from docking station
Replace a process-level token
Restore files and directories
Shut down the system
Synchronize directory service data
Take ownership of files or other objects
Produced by SekChek® for Windows V1.0.737, 10-Nov-2013 (Ref. 1201250012)
Page 105 of 154
Security Analysis: TESTBED
System:
Analysis Date:
PUFFADDER (Snake.com)
08-Nov-2013
CONFIDENTIAL
Grouped by User Account
Note. Where the Account Name is blank this means that the Privilege is assigned to nobody.

Account Name: (blank: the Privilege is assigned to nobody)
  Act as part of the operating system
  Create a token object
  Create permanent shared objects
  Deny log on as a batch job
  Deny log on as a service
  Deny log on through Terminal Services
  Generate security audits
  Lock pages in memory
  Replace a process-level token
  Synchronize directory service data

Account Name: Administrator (each Right is held Via Groups: Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins)
  Access this computer from the network
  Access this computer from the network (Effective)
  Adjust memory quotas for a process
  Allow log on locally
  Allow log on through Terminal Services
  Backup files and directories
  Bypass traverse checking
  Change the system time
  Create a page file
  Create global objects
  Debug programs
  Enable accounts to be trusted for delegation
  Force shutdown from a remote system
  Impersonate a Client after authentication
  Increase scheduling priority
  Load and unload device drivers
  Manage auditing and security log
  Modify firmware environment values
  Perform volume maintenance tasks
  Profile single process
  Profile system performance
  Remove computer from docking station
  Restore files and directories
  Shut down the system
  Take ownership of files or other objects

Account Name: GpLinkTest (each Right is held Via Groups: Administrators)
  Access this computer from the network
  Access this computer from the network (Effective)
  Adjust memory quotas for a process
  Allow log on locally
  Allow log on through Terminal Services
  Backup files and directories
  Bypass traverse checking
  Change the system time
  Create a page file
  Create global objects
  Debug programs
  Enable accounts to be trusted for delegation
  Force shutdown from a remote system
  Impersonate a Client after authentication
  Increase scheduling priority
  Load and unload device drivers
  Manage auditing and security log
  Modify firmware environment values
  Perform volume maintenance tasks
  Profile single process
  Profile system performance
  Remove computer from docking station
  Restore files and directories
  Shut down the system
  Take ownership of files or other objects

Account Name: SophosSAUPUFFADDER0 (assigned directly)
  Deny log on locally
  Log on as a service
  Log on as a service (Effective)

Account Name: SUPPORT_388945a0 (assigned directly)
  Deny access to this computer from the network
  Deny log on locally
  Log on as a batch job
  Log on as a batch job (Effective)
24.6 Rights Assigned to Well-Known Objects
Notes
Well-Known Objects are special identities defined by the Windows 200x* security system, such as Everyone, Local
System, Principal Self, Authenticated Users, Creator Owner, and so on.
The following report lists rights assigned to Well-Known Objects, including rights assigned directly (the column Group
Account Name is empty), and rights acquired indirectly via membership of groups or nested groups (the column
Group Account Name).
In cases of rights acquired indirectly, the Group Account Name will be written in the format
Group1*Group2*Group3…, starting from the higher-level group from which the user acquires the right. E.g.
"WellKnown Object has Right via membership of Group1*Group2*Group3".
Consult reports Rights Assigned to Local Groups, Rights Assigned to Universal Groups (Native mode only)
and Rights Assigned to Global Groups for a complete list of rights assigned to all Groups.
For a complete list of groups see report section Groups Defined in the Domain .
Account Name | Right | Via Groups
Authenticated Users | Access this computer from the network |
Authenticated Users | Access this computer from the network | Pre-Windows 2000 Compatible Access
Authenticated Users | Add workstations to domain |
Authenticated Users | Bypass traverse checking |
Authenticated Users | Bypass traverse checking | Pre-Windows 2000 Compatible Access
Enterprise Domain Controllers | Access this computer from the network |
Everyone | Access this computer from the network |
Everyone | Bypass traverse checking |
Service | Create global objects |
Service | Impersonate a Client after authentication |
SYSTEM | Log on as a service |
24.7 Rights Assigned to External Objects
Notes
The external objects are users, groups or computers that belong to other domains.
When “Unknown” is reflected, it means that the server/domain where the object is registered could not be reached to
obtain the information.
When a server/domain cannot be reached for information, the server/domain is either not available through the
network or the server/domain no longer exists in the domain.
The following report lists rights assigned to external objects, including rights assigned directly (the column Group
Account Name is empty), and rights acquired indirectly via membership of groups or nested groups (the column
Group Account Name).
In cases of rights acquired indirectly, the Group Account Name will be written in the format
Group1*Group2*Group3…, starting from the higher-level group from which the user acquires the right. E.g.
"External Object has Right via membership of Group1*Group2*Group3".
Consult reports Rights Assigned to Local Groups, Rights Assigned to Universal Groups (Native mode only)
and Rights Assigned to Global Groups for a complete list of rights assigned to all Groups.
For a complete list of groups see report section Groups Defined in the Domain .
** No data found **
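The Group1*Group2*Group3 notation explained in the notes for Well-Known Objects and for External Objects above can be reproduced from raw membership data, which is useful when checking a report row against the directory. The following Python is an added example, not part of the SekChek report or its tooling. Its group memberships and direct right assignments are constructed from rows visible on this page (Administrator's membership of Administrators, Domain Admins and Enterprise Admins; Authenticated Users' membership of Pre-Windows 2000 Compatible Access; the direct assignment to SUPPORT_388945a0) and are not an export of the analysed domain.

```python
from collections import deque

# Constructed sample data (not an export from the analysed domain); it mirrors
# rows visible in this report: Administrator belongs to Administrators, Domain
# Admins and Enterprise Admins, and Authenticated Users belongs to
# Pre-Windows 2000 Compatible Access.
MEMBERS = {                       # group -> direct members (users, well-known objects, nested groups)
    "Administrators": {"Administrator", "Domain Admins", "Enterprise Admins"},
    "Domain Admins": {"Administrator"},
    "Enterprise Admins": {"Administrator"},
    "Pre-Windows 2000 Compatible Access": {"Authenticated Users"},
}
DIRECT_RIGHTS = {                 # trustee -> rights assigned directly to that trustee
    "Administrators": {"Debug programs", "Take ownership of files or other objects"},
    "Pre-Windows 2000 Compatible Access": {"Access this computer from the network",
                                           "Bypass traverse checking"},
    "Authenticated Users": {"Access this computer from the network"},
    "SUPPORT_388945a0": {"Deny access to this computer from the network"},
}


def resolve_rights(account, members=MEMBERS, direct=DIRECT_RIGHTS):
    """Return a set of (right, via_groups) pairs for one account.

    via_groups is '' for a right assigned directly to the account, otherwise the
    report's 'Group1*Group2*...' chain, written from the top-level group that
    holds the right down to the group the account is a direct member of.
    """
    found = {(right, "") for right in direct.get(account, ())}
    # Breadth-first walk *upwards* through group membership. `chain` is the list
    # of groups from the current group back down to the account's direct group.
    queue = deque([(account, [])])
    seen = set()
    while queue:
        node, chain = queue.popleft()
        for group, direct_members in members.items():
            # `group in chain` stops circular memberships from looping forever.
            if node not in direct_members or group in chain:
                continue
            new_chain = [group] + chain
            if tuple(new_chain) in seen:
                continue
            seen.add(tuple(new_chain))
            for right in direct.get(group, ()):
                found.add((right, "*".join(new_chain)))
            queue.append((group, new_chain))
    return found


def grouped_by_right(accounts, members=MEMBERS, direct=DIRECT_RIGHTS):
    """Invert the per-account view into the report's 'Grouped by Right' view:
    right -> sorted list of (account, via_groups)."""
    by_right = {}
    for account in accounts:
        for right, via in resolve_rights(account, members, direct):
            by_right.setdefault(right, []).append((account, via))
    return {r: sorted(rows) for r, rows in by_right.items()}


def format_rows(account, members=MEMBERS, direct=DIRECT_RIGHTS):
    """Render one account's rights as 'Account Name | Right | Via Groups' lines."""
    rows = sorted(resolve_rights(account, members, direct))
    return [f"{account} | {right} | {via}" for right, via in rows]


if __name__ == "__main__":
    for acct in ("Administrator", "Authenticated Users", "SUPPORT_388945a0"):
        print("\n".join(format_rows(acct)))
```

Each distinct membership chain produces its own row, which is why Administrator appears three times per right in the report (via Administrators, Administrators*Domain Admins and Administrators*Enterprise Admins): the right is held once, but there are three paths to it, and removing the account from one group does not remove the right.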
25. Discretionary Access Controls (DACL) for Containers
Section Summary
This report section analyses 4,572 DACLs defined on the following classes of container objects:
• Containers: 4,366 DACLs
• Domains: 51 DACLs
• Organizational Units: 129 DACLs
• Sites: 26 DACLs
Notes
A discretionary access control list (DACL) is an ordered list of access control entries (ACEs) that define the
permissions that apply to an object and its properties. Each ACE identifies an account (user, group, well-known
object) and specifies a set of permissions allowed or denied for that account.
Key:
Permission        The permission(s) the trustee has over the object.
Type              Allow = Allow permission to trustee
                  Deny = Deny permission to trustee
Trustee           The account to which the permission is assigned for the specified object.
                  (G) = Group; (U) = User; (W) = Well-Known Object; (C) = Computer;
                  (?) = The account is from an external domain and we cannot resolve the account type
Object            The object on which the account has the permission.
                  (D) = Domain; (OU) = Organizational Unit; (C) = Container; (S) = Site
Applies To        Specifies where the permissions are applied:
                  • This object only
                  • This object and all child objects
                  • Child objects only
                  • Computer objects
                  • Group objects
                  • GroupPolicyContainer objects
                  • Organizational Unit objects
                  • Site objects
                  • Trusted Domain objects
                  • User objects
Bhvr (Behaviour)  P - The permission applies to objects within the container specified (object the permission
                  applies to) only. If omitted, the permission will propagate to all child objects of the
                  container within the tree.
                  I - The permission is inherited from the parent object. If omitted, the permission is defined
                  directly on the specified object.
                  PI - Both options
Section Detail
For details see worksheet DACLs in the MS-Excel workbook.
Implications
Some of the permissions are very powerful and they should be carefully assigned to users and groups.
Risk Rating
Medium to High. (If users are assigned powerful Permissions that are not in line with their job functions.)
Recommended Action
You should check that the listed permissions over objects are appropriate and in line with users’ job functions.
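The key above describes each ACE by Type (Allow/Deny), Trustee, Permission and the P and I behaviour flags. The following Python, added here as an illustration and not part of the SekChek report or its tooling, models how an ordered DACL is evaluated for a caller and how a container's ACEs propagate to a child object as inherited entries. The OU DACL, trustee names and permission names are constructed for the example (they are not rows from the report's DACLs worksheet), and the evaluation is a simplified model of the Windows access check: canonical ACE order, the first relevant Deny wins, Allows accumulate until every requested permission is covered.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ACE:
    """One access control entry, using the fields from the report's key."""
    trustee: str            # account the entry applies to (Trustee column)
    permissions: frozenset  # permissions covered by the entry (Permission column)
    allow: bool             # Type: True = Allow, False = Deny
    inherited: bool = False         # Bhvr 'I': inherited from the parent object
    this_object_only: bool = False  # Bhvr 'P': does not propagate to child objects


def behaviour(ace):
    """Render the report's Bhvr column: '', 'P', 'I' or 'PI'."""
    return ("P" if ace.this_object_only else "") + ("I" if ace.inherited else "")


def canonical(dacl):
    """Windows canonical ACE order: explicit Deny, explicit Allow, inherited Deny,
    inherited Allow. sorted() is stable, so ties keep their relative order."""
    return sorted(dacl, key=lambda a: (a.inherited, a.allow))


def check_access(dacl, identities, requested):
    """Simplified model of the Windows access check.

    Walk the DACL in order. An ACE is relevant only if its trustee is one of the
    caller's identities (the user plus every group it belongs to) and it mentions
    at least one still-unsatisfied requested permission. A relevant Deny stops
    the walk with access denied; a relevant Allow satisfies the permissions it
    covers. Access is granted only when every requested permission has been
    satisfied; running out of ACEs first is an implicit deny.
    """
    remaining = set(requested)
    for ace in dacl:
        if ace.trustee not in identities:
            continue
        hit = remaining & ace.permissions
        if not hit:
            continue
        if not ace.allow:
            return False
        remaining -= hit
        if not remaining:
            return True
    return not remaining


def inherited_dacl(parent_dacl):
    """Derive a child object's inherited ACEs from its container's DACL: entries
    flagged 'P' (this object only) stay on the container; the rest propagate
    and are marked 'I' on the child."""
    return [ACE(a.trustee, a.permissions, a.allow, inherited=True)
            for a in parent_dacl if not a.this_object_only]


# Constructed DACL for an OU (not taken from the report's worksheet).
OU_DACL = canonical([
    ACE("Authenticated Users", frozenset({"Read"}), allow=True),
    ACE("Domain Admins", frozenset({"Read", "Write", "Delete"}), allow=True),
    ACE("Contractors", frozenset({"Delete"}), allow=False, this_object_only=True),
])


if __name__ == "__main__":
    ids = {"bob", "Contractors", "Authenticated Users"}   # bob's token: user plus groups
    for ace in OU_DACL:
        kind = "Allow" if ace.allow else "Deny"
        print(f"{ace.trustee} | {kind} | {sorted(ace.permissions)} | {behaviour(ace)}")
    print("bob Read on OU:", check_access(OU_DACL, ids, {"Read"}))
    print("bob Delete on OU:", check_access(OU_DACL, ids, {"Delete"}))
    print("bob Delete on child:", check_access(inherited_dacl(OU_DACL), ids, {"Delete"}))
```

The example shows why the Bhvr column matters when reviewing the worksheet: the Contractors Deny is flagged P, so it protects the OU itself but is absent from every child object, where the caller's outcome depends solely on what the inherited Allow entries cover.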
26. Trusted and Trusting Domains
Section Summary
The domain being analysed has trust relationships with 2 other domains
• 50.0% (1) are trusted domains
• 50.0% (1) are trusting domains
• 0.0% (0) are both trusted and trusting domains
Section Detail
Domain Name | Trust Type | Attributes | Trusted | Trusting
SnakeNY
MIT Kerberos realm Disallow transitivity
SnakeWP
MIT Kerberos realm Disallow transitivity Yes
Yes
Implications
A trust relationship is a link between two domains where the trusting domain honours logon authentications of the
trusted domain.
Active Directory services support two forms of trust relationships: one-way, non-transitive trusts and two-way,
transitive trusts.
In a one-way trust relationship, if Domain A trusts Domain B, Domain B does not automatically trust Domain A.
In a non-transitive trust relationship, if Domain A trusts Domain B and Domain B trusts Domain C, then Domain A
does not automatically trust Domain C.
Networks running Windows NT 4.0 and earlier versions of Windows NT use one-way, non-transitive trust
relationships. You manually create one-way, non-transitive trust relationships between existing domains. As a result, a
Windows NT 4.0 (or earlier Windows NT) network with several domains requires the creation of many trust
relationships.
Active Directory services support this type of trust for connections to existing Windows NT 4.0 and earlier domains
and to allow the configuration of trust relationships with domains in other domain trees.
A two-way, transitive trust is the relationship between parent and child domains within a domain tree and between the
top-level domains in a forest of domain trees. This is the default. Trust relationships among domains in a tree are
established and maintained automatically. Transitive trust is a feature of the Kerberos authentication protocol, which
provides for distributed authentication and authorization in Windows 200x*.
In a two-way trust relationship, if Domain A trusts Domain B, then Domain B trusts Domain A. In a transitive trust
relationship, if Domain A trusts Domain B and Domain B trusts Domain C, then Domain A trusts Domain C. Therefore,
in a two-way, transitive trust relationship, if Domain A trusts Domain B and Domain B trusts Domain C, then Domain A
trusts Domain C and Domain C trusts Domain A.
If a two-way, transitive trust exists between two domains, you can assign permissions to resources in one domain to
user and group accounts in the other domain, and vice versa.
Two-way, transitive trust relationships are the default in Windows 200x*. When you create a new child domain in a
domain tree, a trust relationship is established automatically with its parent domain, which imparts a trust relationship
with every other domain in the tree. As a result, users in one domain can access resources to which they have been
granted permission in all other domains in a tree.
Note, however, that the single logon enabled by trusts does not necessarily imply that the authenticated user has
rights and permissions in all domains.
The trusting domain relies on the trusted domain to verify the user ID and password of users logging on to the
trusted domain.
Trusted domains can potentially provide paths for illegal access to the trusting domains. Weak security standards
applied in trusted domains can undermine security on the trusting domains.
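The distinction drawn above between one-way, non-transitive trusts and two-way, transitive trusts decides which domains' accounts can ultimately be granted permissions in a given domain, and therefore which domains' security standards a reviewer has to care about. The following Python is an added example, not part of the SekChek report or its tooling. Its trust table is constructed: a forest root Snake.com with two child domains a.Snake.com and b.Snake.com (two-way, transitive), plus the two realm trusts named in the Section Detail with "Disallow transitivity", whose directions are assumed here because the extracted table does not preserve them. Transitivity is modelled as a chain made only of transitive trusts, a simplification of the Active Directory behaviour described.

```python
from collections import deque

# Constructed trust table (not the analysed domain's real configuration). Each
# row is (trusting_domain, trusted_domain, transitive): the trusting domain
# honours logons authenticated by the trusted domain. Parent/child trusts inside
# a forest are two-way and transitive, so they appear as two rows; the two
# realm trusts mimic the report's "Disallow transitivity" entries, with
# assumed directions.
TRUSTS = [
    ("Snake.com", "a.Snake.com", True),
    ("a.Snake.com", "Snake.com", True),
    ("Snake.com", "b.Snake.com", True),
    ("b.Snake.com", "Snake.com", True),
    ("Snake.com", "SnakeNY", False),    # assumed: Snake.com trusts SnakeNY (one-way)
    ("SnakeWP", "Snake.com", False),    # assumed: SnakeWP trusts Snake.com (one-way)
]


def classify_trusts(domain, trusts=TRUSTS):
    """Split a domain's direct trusts into the report's three exclusive buckets:
    trusted only, trusting only, and both (two-way)."""
    trusted = {t for f, t, _ in trusts if f == domain}
    trusting = {f for f, t, _ in trusts if t == domain}
    both = trusted & trusting
    return {"trusted": trusted - both, "trusting": trusting - both, "both": both}


def summary_lines(domain, trusts=TRUSTS):
    """Percent/count lines in the style of the report's Section Summary."""
    c = classify_trusts(domain, trusts)
    total = sum(len(v) for v in c.values())

    def pct(n):
        return f"{(100.0 * n / total if total else 0.0):.1f}% ({n})"

    return [
        f"The domain being analysed has trust relationships with {total} other domains",
        f"{pct(len(c['trusted']))} are trusted domains",
        f"{pct(len(c['trusting']))} are trusting domains",
        f"{pct(len(c['both']))} are both trusted and trusting domains",
    ]


def effective_trusted(domain, trusts=TRUSTS):
    """Domains whose accounts can be granted permissions in `domain`.

    Every directly trusted domain qualifies. Beyond that, a domain is reached
    only through a chain made entirely of transitive trusts; a non-transitive
    trust never extends the chain, which is why a realm trust marked
    'Disallow transitivity' does not expose the rest of the forest.
    """
    direct = {t for f, t, _ in trusts if f == domain}
    reached = set()
    queue = deque(t for f, t, transitive in trusts if f == domain and transitive)
    while queue:
        d = queue.popleft()
        if d == domain or d in reached:
            continue
        reached.add(d)
        queue.extend(t for f, t, transitive in trusts if f == d and transitive)
    return direct | reached


if __name__ == "__main__":
    print("\n".join(summary_lines("Snake.com")))
    for d in ("Snake.com", "a.Snake.com", "SnakeWP"):
        print(f"{d} can grant permissions to accounts from: {sorted(effective_trusted(d))}")
```

With this table a.Snake.com reaches b.Snake.com through the transitive path via the root, but never reaches SnakeNY, because the root's trust of SnakeNY is non-transitive; SnakeWP, in turn, reaches only Snake.com. That is the set of domains whose account and password standards the Recommended Action for this section asks the reviewer to satisfy themselves about.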
Risk Rating
Medium to High (dependent on the quality of security standards applied in trusted domains).
Recommended Action
You should satisfy yourself that security in domains trusted by your domain is implemented and administered to
appropriate standards. You should consider running SekChek on domain controllers for all trusted domains.
27. Servers and Workstations
Notes
Role: DC = Domain Controller, S = Server, WS = Workstation
When OS & Version = Not defined and Role = blank, it means that SekChek could not obtain the information or that
the object does not refer to an actual machine.
Section Summary
There are 4 computer accounts defined in your domain:
• 50.0% (2) are Domain Controllers
• 0.0% (0) are Servers
• 50.0% (2) are Workstations
• 0.0% (0) of computer accounts are protected against accidental deletion
Breakdown of Operating Systems:
• 25.0% (1) are running Windows 7 Enterprise
• 25.0% (1) are running Windows Server 2003
• 25.0% (1) are running Windows Server 2008 R2 Enterprise
• 25.0% (1) are running Windows Vista™ Enterprise
Section Detail
Common Name | Path | OS & Version | Role
BEOWOLF | Computers | Windows Vista™ Enterprise 6.0 (6002) | WS
BOOMSLANG | Domain Controllers | Windows Server 2003 5.2 (3790) | DC
PUFFADDER | Domain Controllers | Windows Server 2008 R2 Enterprise 6.1 (7601) | DC
REDWOLF | Computers | Windows 7 Enterprise 6.1 (7601) | WS
Implications
Every server and workstation will provide various services to users within the domain.
Servers normally offer services such as SQL databases, business applications, Active Directory, Email and remote
access services.
Workstations are normally used by end users to log on to the domain and make use of domain resources and services
as required.
Resources and services can be shared, with varying access permission settings, on all servers and workstations.
Every server and workstation is a potential security risk because they provide an access path to domain resources.
Risk Rating
Medium to High (Depending on the type of servers, their configuration and security setting standards applied).
Recommended Action
You should ensure that:
• Configurations and security settings are defined to appropriate standards
• Services and resources are appropriately restricted on servers and workstations
• Accounts databases have the appropriate security settings to help prevent illegal access
• The rights assigned to accounts and groups are effectively controlled
• Effective virus detection and prevention services are installed, running and started automatically at system startup time
28. Domain Controllers in the Domain
Section Summary
There are 2 Domain Controllers (DCs) defined in your domain.
• 0 DCs are configured as Read Only Domain Controllers (RODC)
• 100.0% (2) were scanned for users' last logon times.
Section Detail
Common Name | Path | Scanned for Last Logons | RODC | FSMO/GC Role
BOOMSLANG | Domain Controllers | Yes | No | Domain Naming Master; Global Catalog; Schema Master
PUFFADDER | Domain Controllers | Yes | No | Global Catalog; Infrastructure Master; PDC Emulator; RID Master
Domain Controller
A domain controller (DC) is a computer running Windows 200x* Server that holds a copy of Active Directory.
DCs authenticate domain logons and track changes made to accounts, groups, and policy and trust relationships in a
domain. A domain can contain more than one DC.
Windows 200x* Server domain controllers provide an extension of the capabilities and features provided by Windows
NT Server 4.0 domain controllers. For example, domain controllers in Windows 200x* support multimaster replication,
synchronizing data on each domain controller and ensuring consistency of information over time. Multimaster
replication is an evolution of the primary and backup domain controller of Windows NT Server 4.0, in which only one
server, the primary domain controller, had a read and write copy of the directory.
Read Only Domain Controller (RODC)
A read-only domain controller (RODC) was introduced in the Windows Server 2008 operating system.
Except for account passwords, an RODC holds all the Active Directory objects and attributes that a writable domain
controller holds. However, changes cannot be made to the database that is stored on the RODC. Changes must be
made on a writable domain controller and then replicated back to the RODC.
Flexible Single Master Operation (FSMO) Roles
FSMO Roles are roles assigned to Domain Controllers on a domain running Active Directory, and include:
• Domain Naming Master:
The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide
domain name space of the directory. This DC is the only one that can add or remove a domain from the directory.
Unique per enterprise; as such, it is possible that this role is not held by a DC on this domain.
• Infrastructure Master:
When an object in Domain A is referenced by another object in Domain B, it represents the reference by the
GUID, the SID (for references to security principals), and the DN of the Active Directory object being referenced.
The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in
a cross-domain object reference. Unique per domain.
• PDC Emulator:
In a Windows 200x domain, the PDC emulator role holder retains the following functions:
  • Password changes performed by other DCs in the domain are replicated preferentially to the PDC
  emulator.
  • Authentication failures that occur at a given DC in a domain because of an incorrect password are
  forwarded to the PDC emulator before a bad password failure message is reported to the user.
  • Account lockout is processed on the PDC emulator.
Unique per domain.
• RID Master:
The RID (Relative ID) Master is responsible for assigning pools of RIDs to other DCs on the domain. Each DC on
a domain is allowed to create new security principal objects. The RID Master issues each DC with a pool of RIDs
to assign to these newly created objects. Naturally, as new objects are created, this pool diminishes. Once the
pool falls below a threshold, the DC issues a request to the RID Master for an additional pool of RIDs. Unique per
domain.
• Schema Master:
The DC holding the role of Schema Master is responsible for processing updates to the AD schema. Once the
Schema Master updates the AD schema, these changes are then replicated to other DCs on the domain. Unique
per enterprise; as such, it is possible that this role is not held by a DC on this domain.
Global Catalog (GC)
A DC can also hold a copy of the global catalog.
The global catalog is a distributed data repository that contains a searchable, partial representation of every object in
every domain in an Active Directory forest. The global catalog is stored on DCs that have been designated as global
catalog servers and is distributed through multimaster replication. Searches that are directed to the global catalog are
faster because they do not involve referrals to different DCs.
The global catalog provides the ability to locate objects from any domain without having to know the domain name. A
global catalog server is a DC that, in addition to its full, writable domain directory partition replica, also stores a partial,
read-only replica of all other domain directory partitions in the forest. The additional domain directory partitions are
partial because only a limited set of attributes is included for each object. By including only the attributes that are most
used for searching, every object in every domain in even the largest forest can be represented in the database of a
single global catalog server.
Risk Rating
Low to medium depending on the security standards applied to all Domain Controllers in the Domain.
Recommended Action
You should confirm that the security standards applied to all Domain Controllers conform to the expected security
standards.
29. Accounts Allowed to Dial In through RAS
Section Summary
SekChek could not determine whether there are any RAS servers on the network because the host system's
Computer Browser service was not running during the Scan.
All Accounts
12.5% (2) of users have permission to dial-in to your domain through RAS
• 0.0% (0) of these users are not called back by RAS
• 100.0% (2) of these users can set their own RAS Call-back Number
• 0.0% (0) of these users have their RAS Call-back Number set by the Administrator
Excluding Disabled Accounts
12.5% (2) of users have permission to dial-in to your domain through RAS
• 0.0% (0) of these users are not called back by RAS
• 100.0% (2) of these users can set their own RAS Call-back Number
• 0.0% (0) of these users have their RAS Call-back Number set by the Administrator
All Administrator Accounts
0.0% (0) of administrator accounts have permission to dial-in to your domain through RAS
Administrator Accounts (Excluding Disabled Accounts)
0.0% (0) of administrator accounts have permission to dial-in to your domain through RAS
Section Detail
SekChek could not determine whether there are any RAS servers on the network because the host system's
Computer Browser service was not running during the Scan.
** No data found **
The following profiles have permission to dial-in to your domain through RAS:
Account Name | Callback | Callback Nbr Set By | Phone Number | Service Type | Privilege | Account State
Virtual1 | Yes | Caller | | Callback Framed | User |
Virtual2 | Yes | Caller | | Callback Framed | User |
LEGEND:
Call Back = Yes                         : The Server will call back the user before log on is allowed.
Callback Number Set By = Administrator  : The call back number is pre set.
Callback Number Set By = Caller         : The user provides a call back number every time.
Phone Number                            : Reflects the pre set phone number for call back.
Account State                           : Account is Disabled (D), Locked (L), Expired (E), or a
                                          combination of them. Eg. (DL) (DE).
If there are accounts listed with RAS privileges and no RAS servers found, it means that the accounts have been
granted RAS privileges but that either:
• No RAS servers were visible when this analysis was done; or
• There was a RAS service installed at some stage but it has been discontinued.
0 ports listed in RAS servers indicates that the server has the RAS service configured but not active (started).
Implications
RAS (Remote Access Service) allows users to access your system remotely via modems, ISDN etc.
RAS increases the risk of unauthorised access to your system because your system is visible to a much larger
number of potential intruders via the public telephone network. The risk is greater if privileged users, such as
Administrators, are allowed access through RAS.
In general, multiple RAS servers also increase security risks simply because the number of external access points,
which all require securing, is obviously greater. The strength of general security and RAS security on those servers is
an important factor in controlling the risks.
You will obtain the most comprehensive view of RAS privileges by running SekChek on the domain controller,
selected RAS servers, and domain controllers for each trusted domain and on their RAS servers.
When servers and workstations are members of a domain, they will usually allow users to logon to the domain. For
workstations and servers that are not domain members (i.e. Standalone machines), domain logon is normally not
available to users.
Inappropriate security settings in RAS can create significant security exposures.
Risk Rating
Medium to high (dependent on settings for RAS users, RAS parameters and the strength of password controls).
Recommended Action
You should only grant dial in (RAS) access to those users who require it for their job functions. Ensure that RAS
access is not granted to all user accounts by default.
In general, you should ensure that the call back feature is enabled for all RAS users and that a pre-set phone number
is used.
Do not grant RAS access to privileged accounts (e.g. Administrators) unless absolutely necessary.
If possible, restrict the log-on hours for RAS users. This feature can be set for individual user accounts.
Ensure that the option to prevent clear-text passwords being negotiated is utilised. This is a setting within RAS.
Review the RAS settings on all RAS servers on a regular basis and ensure that appropriate security standards are
applied on all of these machines.
30. Services and Drivers on the Machine
Section Summary
There are a total of 367 Services installed.
These Services include the following types:
• 53.1% (195) are Kernel Drivers
• 7.4% (27) are File System Drivers
• 12.5% (46) are Own Process
• 26.4% (97) are Shared Process
• 0.5% (2) are Own Process (Interactive)
• 0.0% (0) are Shared Process (Interactive)
The Services start types are:
• 8.2% (30) System Boot
• 7.1% (26) System
• 18.5% (68) Automatic
• 62.7% (230) Manual
• 3.5% (13) Disabled
Their current states are:
• 52.3% (192) Stopped
• 0.0% (0) Starting
• 0.0% (0) Stopping
• 47.7% (175) Running
• 0.0% (0) Continuing
• 0.0% (0) Pausing
• 0.0% (0) Paused
Following are two reports. The first enumerates services, their state and start type. The second enumerates
services with their logon account and path name containing the executable. The services listed are on the
machine being analysed and do not reflect services installed on other machines.
Section Detail
Service Name | Display Name | State | Service Type | Start Type
1394ohci | 1394 OHCI Compliant Host Controller | Stopped | Kernel Driver | Manual
ACPI | Microsoft ACPI Driver | Running | Kernel Driver | Boot
AcpiPmi | ACPI Power Meter Driver | Stopped | Kernel Driver | Manual
adp94xx | adp94xx | Stopped | Kernel Driver | Manual
adpahci | adpahci | Stopped | Kernel Driver | Manual
adpu320 | adpu320 | Stopped | Kernel Driver | Manual
ADWS | Active Directory Web Services | Running | Own Process | Automatic
AeLookupSvc | Application Experience | Running | Shared Process | Manual
AFD | Ancillary Function Driver for Winsock | Running | Kernel Driver | System
agp440 | Intel AGP Bus Filter | Stopped | Kernel Driver | Manual
ALG | Application Layer Gateway Service | Stopped | Own Process | Manual
aliide | aliide | Stopped | Kernel Driver | Manual
amdide | amdide | Stopped | Kernel Driver | Manual
AmdK8 | AMD K8 Processor Driver | Stopped | Kernel Driver | Manual
AmdPPM | AMD Processor Driver | Stopped | Kernel Driver | Manual
amdsata | amdsata | Stopped | Kernel Driver | Manual
amdsbs | amdsbs | Stopped | Kernel Driver | Manual
amdxata | amdxata | Running | Kernel Driver | Boot
AppID | AppID Driver | Stopped | Kernel Driver | Manual
AppIDSvc | Application Identity | Stopped | Shared Process | Manual
Appinfo | Application Information | Stopped | Shared Process | Manual
AppMgmt | Application Management | Running | Shared Process | Manual
arc | arc | Stopped | Kernel Driver | Manual
arcsas | arcsas | Stopped | Kernel Driver | Manual
AsyncMac | RAS Asynchronous Media Driver | Running | Kernel Driver | Manual
atapi | IDE Channel | Running | Kernel Driver | Boot
AudioEndpointBuilder | Windows Audio Endpoint Builder | Stopped | Shared Process | Manual
AudioSrv | Windows Audio | Stopped | Shared Process | Manual
b06bdrv | Broadcom NetXtreme II VBD | Stopped | Kernel Driver | Manual
b57nd60a | Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0 | Stopped | Kernel Driver | Manual
BDESVC | BitLocker Drive Encryption Service | Stopped | Shared Process | Manual
Beep | Beep | Stopped | Kernel Driver | Manual
BFE | Base Filtering Engine | Running | Shared Process | Automatic
BITS | Background Intelligent Transfer Service | Stopped | Shared Process | Manual
blbdrive | blbdrive | Running | Kernel Driver | System
bowser | Browser Support Driver | Running | File System Driver | Manual
BrFiltLo | Brother USB Mass-Storage Lower Filter Driver | Stopped | Kernel Driver | Manual
BrFiltUp | Brother USB Mass-Storage Upper Filter Driver | Stopped | Kernel Driver | Manual
Browser | Computer Browser | Stopped | Shared Process | Disabled
Brserid | Brother MFC Serial Port Interface Driver (WDM) | Stopped | Kernel Driver | Manual
BrSerWdm | Brother WDM Serial driver | Stopped | Kernel Driver | Manual
BrUsbMdm | Brother MFC USB Fax Only Modem | Stopped | Kernel Driver | Manual
BrUsbSer | Brother MFC USB Serial WDM Driver | Stopped | Kernel Driver | Manual
cdfs | CD/DVD File System Reader | Running | File System Driver | Disabled
cdrom | CD-ROM Driver | Running | Kernel Driver | System
CertPropSvc | Certificate Propagation | Running | Shared Process | Manual
CLFS | Common Log (CLFS) | Running | Kernel Driver | Boot
clr_optimization_v2.0.50727_32 | Microsoft .NET Framework NGEN v2.0.50727_X86 | Running | Own Process | Automatic
clr_optimization_v2.0.50727_64 | Microsoft .NET Framework NGEN v2.0.50727_X64 | Running | Own Process | Automatic
CmBatt | Microsoft ACPI Control Method Battery Driver | Stopped | Kernel Driver | Manual
cmdide | cmdide | Stopped | Kernel Driver | Manual
CNG | CNG | Running | Kernel Driver | Boot
Compbatt | Compbatt | Stopped | Kernel Driver | Manual
CompositeBus | Composite Bus Enumerator Driver | Running | Kernel Driver | Manual
COMSysApp | COM+ System Application | Stopped | Own Process | Manual
crcdisk | Crcdisk Filter Driver | Stopped | Kernel Driver | Disabled
CryptSvc | Cryptographic Services | Running | Shared Process | Automatic
DcomLaunch | DCOM Server Process Launcher | Running | Shared Process | Automatic
defragsvc | Disk Defragmenter | Stopped | Own Process | Manual
Dfs | DFS Namespace | Running | Own Process | Automatic
DfsC | DFS Namespace Client Driver | Running | File System Driver | System
DfsDriver | DFS Namespace Server Filter Driver | Running | File System Driver | System
DFSR | DFS Replication | Running | Own Process | Automatic
DfsrRo | DFS Replication ReadOnly Driver | Running | File System Driver | Boot
Dhcp | DHCP Client | Running | Shared Process | Automatic
discache | System Attribute Cache | Running | Kernel Driver | System
Disk | Disk Driver | Running | Kernel Driver | Boot
DNS | DNS Server | Running | Own Process | Automatic
Dnscache | DNS Client | Running | Shared Process | Automatic
dot3svc | Wired AutoConfig | Stopped | Shared Process | Manual
DPS | Diagnostic Policy Service | Running | Shared Process | Automatic
DXGKrnl | LDDM Graphics Subsystem | Stopped | Kernel Driver | Manual
EapHost | Extensible Authentication Protocol | Stopped | Shared Process | Manual
ebdrv | Broadcom NetXtreme II 10 GigE VBD | Stopped | Kernel Driver | Manual
EFS | Encrypting File System (EFS) | Stopped | Shared Process | Manual
elxstor | elxstor | Stopped | Kernel Driver | Manual
ErrDev | Microsoft Hardware Error Device Driver | Stopped | Kernel Driver | Manual
eventlog | Windows Event Log | Running | Shared Process | Automatic
EventSystem | COM+ Event System | Running | Shared Process | Automatic
exfat | exFAT File System Driver | Stopped | File System Driver | Manual
fastfat | FAT12/16/32 File System Driver | Stopped | File System Driver | Manual
FCRegSvc | Microsoft Fibre Channel Platform Registration Service | Stopped | Shared Process | Manual
fdc | Floppy Disk Controller Driver | Running | Kernel Driver | Manual
fdPHost | Function Discovery Provider Host | Running | Shared Process | Manual
FDResPub | Function Discovery Resource Publication | Stopped | Shared Process | Manual
FileInfo | File Information FS MiniFilter | Stopped | File System Driver | Manual
Filetrace | Filetrace | Stopped | File System Driver | Manual
flpydisk | Floppy Disk Driver | Running | Kernel Driver | Manual
FltMgr | FltMgr | Running | File System Driver | Boot
FontCache | Windows Font Cache Service | Running | Shared Process | Automatic
FontCache3.0.0.0 | Windows Presentation Foundation Font Cache 3.0.0.0 | Stopped | Own Process | Manual
FsDepends | File System Dependency Minifilter | Stopped | File System Driver | Manual
fvevol | Bitlocker Drive Encryption Filter Driver | Running | Kernel Driver | Boot
gagp30kx | Microsoft Generic AGPv3.0 Filter for K8 Processor Platforms | Stopped | Kernel Driver | Manual
gpsvc | Group Policy Client | Running | Shared Process | Automatic
HDAudBus | Microsoft UAA Bus Driver for High Definition Audio | Stopped | Kernel Driver | Manual
HidBatt | HID UPS Battery Driver | Stopped | Kernel Driver | Manual
hidserv | Human Interface Device Access | Stopped | Shared Process | Manual
HidUsb | Microsoft HID Class Driver | Stopped | Kernel Driver | Manual
hkmsvc | Health Key and Certificate Management | Stopped | Shared Process | Manual
HpSAMD | HpSAMD | Stopped | Kernel Driver | Manual
HTTP | HTTP | Running | Kernel Driver | Manual
hwpolicy | Hardware Policy Driver | Running | Kernel Driver | Boot
i8042prt | i8042 Keyboard and PS/2 Mouse Port Driver | Running | Kernel Driver | Manual
iaStorV | Intel RAID Controller Windows 7 | Stopped | Kernel Driver | Manual
idsvc | Windows CardSpace | Stopped | Shared Process | Manual
iirsp | iirsp | Stopped | Kernel Driver | Manual
IKEEXT | IKE and AuthIP IPsec Keying Modules | Stopped | Shared Process | Manual
intelide | intelide | Running | Kernel Driver | Boot
intelppm | Intel Processor Driver | Running | Kernel Driver | Manual
ioatdma | Intel(R) QuickData Technology Device | Stopped | Kernel Driver | Manual
IPBusEnum | PnP-X IP Bus Enumerator | Stopped | Shared Process | Disabled
IpFilterDriver | IP Traffic Filter Driver | Stopped | Kernel Driver | Manual
iphlpsvc | IP Helper | Running | Shared Process | Automatic
IPMIDRV | IPMIDRV | Stopped | Kernel Driver | Manual
IPNAT | IP Network Address Translator | Stopped | Kernel Driver | Manual
isapnp | isapnp | Stopped | Kernel Driver | Manual
iScsiPrt | iScsiPort Driver | Stopped | Kernel Driver | Manual
IsmServ | Intersite Messaging | Running | Own Process | Automatic
kbdclass | Keyboard Class Driver | Running | Kernel Driver | Manual
kbdhid | Keyboard HID Driver | Stopped | Kernel Driver | Manual
kdc | Kerberos Key Distribution Center | Running | Shared Process | Automatic
KeyIso | CNG Key Isolation | Stopped | Shared Process | Manual
KSecDD | KSecDD | Running | Kernel Driver | Boot
KSecPkg | KSecPkg | Running | Kernel Driver | Boot
ksthunk | Kernel Streaming Thunks | Stopped | Kernel Driver | Manual
KtmRm | KtmRm for Distributed Transaction Coordinator | Stopped | Shared Process | Manual
LanmanServer | Server | Running | Shared Process | Automatic
LanmanWorkstation | Workstation | Running | Shared Process | Automatic
lltdio | Link-Layer Topology Discovery Mapper I/O Driver | Running | Kernel Driver | Automatic
lltdsvc | Link-Layer Topology Discovery Mapper | Stopped | Shared Process | Manual
lmhosts | TCP/IP NetBIOS Helper | Running | Shared Process | Automatic
LSI_FC | LSI_FC | Stopped | Kernel Driver | Manual
LSI_SAS | LSI_SAS | Stopped | Kernel Driver | Manual
LSI_SAS2 | LSI_SAS2 | Stopped | Kernel Driver | Manual
LSI_SCSI | LSI_SCSI | Stopped | Kernel Driver | Manual
luafv | UAC File Virtualization | Running | File System Driver | Automatic
megasas | megasas | Stopped | Kernel Driver | Manual
MegaSR | MegaSR | Stopped | Kernel Driver | Manual
Microsoft SharePoint Workspace Audit Service | Microsoft SharePoint Workspace Audit Service | Stopped | Own Process | Manual
MMCSS | Multimedia Class Scheduler | Stopped | Shared Process | Manual
Modem | Modem | Stopped | Kernel Driver | Manual
monitor | Microsoft Monitor Class Function Driver Service | Stopped | Kernel Driver | Manual
mouclass | Mouse Class Driver | Running | Kernel Driver | Manual
mouhid | Mouse HID Driver | Running | Kernel Driver | Manual
mountmgr | Mount Point Manager | Running | Kernel Driver | Boot
mpio | Microsoft Multi-Path Bus Driver | Stopped | Kernel Driver | Manual
mpsdrv | Windows Firewall Authorization Driver | Running | Kernel Driver | Manual
MpsSvc | Windows Firewall | Running | Shared Process | Automatic
mrxsmb | SMB MiniRedirector Wrapper and Engine | Running | File System Driver | Manual
mrxsmb10 | SMB 1.x MiniRedirector | Running | File System Driver | Manual
mrxsmb20 | SMB 2.0 MiniRedirector | Running | File System Driver | Manual
msahci | msahci | Stopped | Kernel Driver | Manual
msdsm | Microsoft Multi-Path Device Specific Module | Stopped | Kernel Driver | Manual
MSDTC | Distributed Transaction Coordinator | Running | Own Process | Automatic
Msfs | Msfs | Running | File System Driver | System
mshidkmdf | Pass-through HID to KMDF Filter Driver | Stopped | Kernel Driver | Manual
msisadrv | msisadrv | Running | Kernel Driver | Boot
MSiSCSI | Microsoft iSCSI Initiator Service | Stopped | Shared Process | Manual
msiserver | Windows Installer | Stopped | Own Process | Manual
MsRPC | MsRPC | Stopped | Kernel Driver | Manual
mssmbios | Microsoft System Management BIOS Driver | Running | Kernel Driver | System
MSSQL$SOPHOS | SQL Server (SOPHOS) | Running | Own Process | Automatic
MSSQLServerADHelper100 | SQL Active Directory Helper Service | Stopped | Own Process | Disabled
MTConfig | Microsoft Input Configuration Driver | Stopped | Kernel Driver | Manual
Mup | Mup | Running | File System Driver | Boot
napagent | Network Access Protection Agent | Stopped | Shared Process | Manual
NDIS | NDIS System Driver | Running | Kernel Driver | Boot
NdisCap | NDIS Capture LightWeight Filter | Stopped | Kernel Driver | Manual
NdisTapi | Remote Access NDIS TAPI Driver | Running | Kernel Driver | Manual
Ndisuio | NDIS Usermode I/O Protocol | Stopped | Kernel Driver | Manual
NdisWan | Remote Access NDIS WAN Driver | Running | Kernel Driver | Manual
NDProxy | NDIS Proxy | Running | Kernel Driver | Manual
NetBIOS | NetBIOS Interface | Running | File System Driver | System
NetBT | NetBT | Running | Kernel Driver | System
Netlogon | Netlogon | Running | Shared Process | Automatic
Netman | Network Connections | Running | Shared Process | Manual
netprofm | Network List Service | Running | Shared Process | Manual
NetTcpPortSharing | Net.Tcp Port Sharing Service | Stopped | Shared Process | Disabled
netvsc | netvsc | Running | Kernel Driver | Manual
nfrd960 | nfrd960 | Stopped | Kernel Driver | Manual
NlaSvc | Network Location Awareness | Running | Shared Process | Automatic
Npfs | Npfs | Running | File System Driver | System
nsi | Network Store Interface Service | Running | Shared Process | Automatic
nsiproxy | NSI proxy service driver. | Running | Kernel Driver | System
NTDS | Active Directory Domain Services | Running | Shared Process | Automatic
NtFrs | File Replication Service | Running | Own Process | Automatic
Ntfs | Ntfs | Running | File System Driver | Manual
Null | Null | Running | Kernel Driver | System
nv_agp | NVIDIA nForce AGP Bus Filter | Stopped | Kernel Driver | Manual
nvraid | nvraid | Stopped | Kernel Driver | Manual
nvstor | nvstor | Stopped | Kernel Driver | Manual
ohci1394 | 1394 OHCI Compliant Host Controller (Legacy) | Stopped | Kernel Driver | Manual
ose | Office Source Engine | Stopped | Own Process | Manual
osppsvc | Office Software Protection Platform | Stopped | Own Process | Manual
Parport | Parallel port driver | Stopped | Kernel Driver | Manual
partmgr | Partition Manager | Running | Kernel Driver | Boot
pci | PCI Bus Driver | Running | Kernel Driver | Boot
pciide | pciide | Stopped | Kernel Driver | Manual
pcmcia | pcmcia | Stopped | Kernel Driver | Manual
pcw | Performance Counters for Windows Driver | Running | Kernel Driver | Boot
PEAUTH | PEAUTH | Running | Kernel Driver | Automatic
PerfHost | Performance Counter DLL Host | Stopped | Own Process | Manual
pla | Performance Logs & Alerts | Stopped | Shared Process | Manual
PlugPlay | Plug and Play | Running | Shared Process | Automatic
PolicyAgent | IPsec Policy Agent | Stopped | Shared Process | Manual
Power | Power | Running | Shared Process | Automatic
PptpMiniport | WAN Miniport (PPTP) | Running | Kernel Driver | Manual
Processor | Processor Driver | Stopped | Kernel Driver | Manual
ProfSvc | User Profile Service | Running | Shared Process | Automatic
ProtectedStorage | Protected Storage | Stopped | Shared Process | Manual
Psched | QoS Packet Scheduler | Running | Kernel Driver | System
ql2300 | ql2300 | Stopped | Kernel Driver | Manual
ql40xx | ql40xx | Stopped | Kernel Driver | Manual
RasAcd | Remote Access Auto Connection Driver | Stopped | Kernel Driver | Manual
RasAgileVpn | WAN Miniport (IKEv2) | Running | Kernel Driver | Manual
RasAuto | Remote Access Auto Connection Manager | Stopped | Shared Process | Manual
Rasl2tp | WAN Miniport (L2TP) | Running | Kernel Driver | Manual
RasMan | Remote Access Connection Manager | Stopped | Shared Process | Manual
RasPppoe | Remote Access PPPOE Driver | Running | Kernel Driver | Manual
RasSstp | WAN Miniport (SSTP) | Running | Kernel Driver | Manual
rdbss | Redirected Buffering Sub Sysytem | Running | File System Driver | System
rdpbus | Remote Desktop Device Redirector Bus Driver | Running | Kernel Driver | Manual
RDPCDD | RDPCDD | Running | Kernel Driver | System
RDPDR | Terminal Server Device Redirector Driver | Running | Kernel Driver | Manual
RDPENCDD | RDP Encoder Mirror Driver | Running | Kernel Driver | System
RDPREFMP | Reflector Display Driver used to gain access to graphics data | Running | Kernel Driver | System
RDPWD | RDP Winstation Driver | Running | Kernel Driver | Manual
RemoteAccess | Routing and Remote Access | Stopped | Shared Process | Disabled
RemoteRegistry | Remote Registry | Running | Shared Process | Automatic
RpcEptMapper | RPC Endpoint Mapper | Running | Shared Process | Automatic
RpcLocator | Remote Procedure Call (RPC) Locator | Stopped | Own Process | Manual
RpcSs | Remote Procedure Call (RPC) | Running | Shared Process | Automatic
RSoPProv | Resultant Set of Policy Provider | Stopped | Shared Process | Manual
rspndr | Link-Layer Topology Discovery Responder | Running | Kernel Driver | Automatic
s3cap | s3cap | Running | Kernel Driver | Manual
sacdrv | sacdrv | Stopped | Kernel Driver | Boot
sacsvr | Special Administration Console Helper | Stopped | Shared Process | Manual
SamSs | Security Accounts Manager | Running | Shared Process | Automatic
SAVAdminService | Sophos Anti-Virus status reporter | Running | Own Process | Automatic
SAVOnAccess | SAVOnAccess | Running | File System Driver | System
SAVService | Sophos Anti-Virus | Running | Own Process | Automatic
sbp2port | SBP-2 Transport/Protocol Bus Driver | Stopped | Kernel Driver | Manual
SCardSvr | Smart Card | Stopped | Shared Process | Manual
scfilter | Smart card PnP Class Filter Driver | Stopped | Kernel Driver | Manual
Schedule | Task Scheduler | Running | Shared Process | Automatic
SCPolicySvc | Smart Card Removal Policy | Stopped | Shared Process | Manual
secdrv | Security Driver | Running | Kernel Driver | Automatic
seclogon | Secondary Logon | Stopped | Shared Process | Manual
SENS | System Event Notification Service | Running | Shared Process | Automatic
Serenum | Serenum Filter Driver | Running | Kernel Driver | Manual
Serial | Serial port driver | Running | Kernel Driver | System
sermouse | Serial Mouse Driver | Stopped | Kernel Driver | Manual
SessionEnv | Remote Desktop Configuration | Running | Shared Process | Manual
sffdisk | SFF Storage Class Driver | Stopped | Kernel Driver | Manual
sffp_mmc | SFF Storage Protocol Driver for MMC | Stopped | Kernel Driver | Manual
sffp_sd | SFF Storage Protocol Driver for SDBus | Stopped | Kernel Driver | Manual
sfloppy | High-Capacity Floppy Disk Drive | Stopped | Kernel Driver | Manual
SharedAccess | Internet Connection Sharing (ICS) | Stopped | Shared Process | Disabled
ShellHWDetection | Shell Hardware Detection | Running | Shared Process | Automatic
SiSRaid2 | SiSRaid2 | Stopped | Kernel Driver | Manual
SiSRaid4 | SiSRaid4 | Stopped | Kernel Driver | Manual
Smb | Message-oriented TCP/IP and TCP/IPv6 Protocol (SMB session) | Stopped | Kernel Driver | Manual
SNMPTRAP | SNMP Trap | Stopped | Own Process | Manual
Sophos Agent | Sophos Agent | Running | Own Process | Automatic
Sophos AutoUpdate Service | Sophos AutoUpdate Service | Running | Own Process | Automatic
Sophos Certification Manager | Sophos Certification Manager | Running | Own Process | Automatic
Sophos Management Service | Sophos Management Service | Running | Own Process | Automatic
Sophos Message Router | Sophos Message Router | Running | Own Process | Automatic
SophosBootDriver | SophosBootDriver | Stopped | Kernel Driver | Disabled
spldr | Security Processor Loader Driver | Running | Kernel Driver | Boot
Spooler | Print Spooler | Running | Own Process (Interactive) | Automatic
sppsvc | Software Protection | Stopped | Own Process | Automatic
sppuinotify | SPP Notification Service | Stopped | Shared Process | Manual
SQLAgent$SOPHOS | SQL Server Agent (SOPHOS) | Stopped | Own Process | Disabled
SQLBrowser | SQL Server Browser | Running | Own Process | Automatic
SQLWriter | SQL Server VSS Writer | Running | Own Process | Automatic
srv | Server SMB 1.xxx Driver | Running | File System Driver | Manual
srv2 | Server SMB 2.xxx Driver | Running | File System Driver | Manual
srvnet | srvnet | Running | File System Driver | Manual
SSDPSRV | SSDP Discovery | Stopped | Shared Process | Disabled
SstpSvc | Secure Socket Tunneling Protocol Service | Stopped | Shared Process | Manual
stexstor | stexstor | Stopped | Kernel Driver | Manual
storflt | Disk Virtual Machine Bus Acceleration Filter Driver | Running | Kernel Driver | Boot
storvsc | storvsc | Stopped | Kernel Driver | Manual
storvsp | storvsp | Stopped | Kernel Driver | Manual
SUM | Sophos Update Manager | Running | Own Process | Automatic
swenum | Software Bus Driver | Running | Kernel Driver | Manual
swi_service | Sophos Web Intelligence Service | Running | Own Process | Automatic
swprv | Microsoft Software Shadow Copy Provider | Stopped | Own Process | Manual
SynthVid | SynthVid | Running | Kernel Driver | Manual
TapiSrv | Telephony | Stopped | Own Process | Manual
TBS | TPM Base Services | Stopped | Shared Process | Manual
Tcpip | TCP/IP Protocol Driver | Running | Kernel Driver | Boot
TCPIP6 | Microsoft IPv6 Protocol Driver | Stopped | Kernel Driver | Manual
tcpipreg | TCP/IP Registry Compatibility | Running | Kernel Driver | Automatic
TDPIPE | TDPIPE | Stopped | Kernel Driver | Manual
TDTCP | TDTCP | Running | Kernel Driver | Manual
tdx | NetIO Legacy TDI Support Driver | Running | Kernel Driver | System
TermDD | Terminal Device Driver | Running | Kernel Driver | System
TermService | Remote Desktop Services | Running | Shared Process | Manual
THREADORDER | Thread Ordering Server | Stopped | Shared Process | Manual
TrkWks | Distributed Link Tracking Client | Stopped | Shared Process | Manual
TrustedInstaller | Windows Modules Installer | Running | Own Process | Manual
tssecsrv | Remote Desktop Services Security Filter Driver | Running | Kernel Driver | Manual
TsUsbFlt | TsUsbFlt | Stopped | Kernel Driver | Manual
tunnel | Microsoft Tunnel Miniport Adapter Driver | Running | Kernel Driver | Manual
uagp35 | Microsoft AGPv3.5 Filter | Stopped | Kernel Driver | Manual
udfs | udfs | Stopped | File System Driver | Disabled
UI0Detect | Interactive Services Detection | Stopped | Own Process (Interactive) | Manual
uliagpkx | Uli AGP Bus Filter | Stopped | Kernel Driver | Manual
umbus | UMBus Enumerator Driver | Running | Kernel Driver | Manual
UmPass | Microsoft UMPass Driver | Stopped | Kernel Driver | Manual
UmRdpService | Remote Desktop Services UserMode Port Redirector | Running | Shared Process | Manual
upnphost | UPnP Device Host | Stopped | Shared Process | Disabled
usbccgp | Microsoft USB Generic Parent Driver | Stopped | Kernel Driver | Manual
usbehci | Microsoft USB 2.0 Enhanced Host Controller Miniport Driver | Stopped | Kernel Driver | Manual
usbhub | Microsoft USB Standard Hub Driver | Stopped | Kernel Driver | Manual
usbohci | Microsoft USB Open Host Controller Miniport Driver | Stopped | Kernel Driver | Manual
usbprint | Microsoft USB PRINTER Class | Stopped | Kernel Driver | Manual
USBSTOR | USB Mass Storage Driver | Stopped | Kernel Driver | Manual
usbuhci | Microsoft USB Universal Host Controller Miniport Driver | Stopped | Kernel Driver | Manual
UxSms | Desktop Window Manager Session Manager | Running | Shared Process | Automatic
VaultSvc | Credential Manager | Stopped | Shared Process | Manual
vdrvroot | Microsoft Virtual Drive Enumerator Driver | Running | Kernel Driver | Boot
vds | Virtual Disk | Running | Own Process | Manual
vga | vga | Stopped | Kernel Driver | Manual
VgaSave | VgaSave | Running | Kernel Driver | System
vhdmp | vhdmp | Stopped | Kernel Driver | Manual
viaide | viaide | Stopped | Kernel Driver | Manual
Vid | Vid | Stopped | Kernel Driver | Manual
vmbus | Virtual Machine Bus | Running | Kernel Driver | Boot
VMBusHID | VMBusHID | Running | Kernel Driver | Manual
vmicheartbeat | Hyper-V Heartbeat Service | Running | Own Process | Automatic
vmickvpexchange | Hyper-V Data Exchange Service | Running | Own Process | Automatic
vmicshutdown | Hyper-V Guest Shutdown Service | Running | Own Process | Automatic
vmictimesync | Hyper-V Time Synchronization Service | Running | Own Process | Automatic
vmicvss | Hyper-V Volume Shadow Copy Requestor | Running | Own Process | Automatic
volmgr | Volume Manager Driver | Running | Kernel Driver | Boot
volmgrx | Dynamic Volume Manager | Running | Kernel Driver | Boot
volsnap | Storage volumes | Running | Kernel Driver | Boot
vsmraid | vsmraid | Stopped | Kernel Driver | Manual
VSS | Volume Shadow Copy | Stopped | Own Process | Manual
W32Time | Windows Time | Running | Shared Process | Manual
WacomPen | Wacom Serial Pen HID Driver | Stopped | Kernel Driver | Manual
WANARP | Remote Access IP ARP Driver | Stopped | Kernel Driver | Manual
Wanarpv6 | Remote Access IPv6 ARP Driver | Running | Kernel Driver | System
WcsPlugInService | Windows Color System | Stopped | Shared Process | Manual
Wd | Wd | Stopped | Kernel Driver | Manual
Wdf01000 | Kernel Mode Driver Frameworks service | Running | Kernel Driver | Boot
WdiServiceHost | Diagnostic Service Host | Stopped | Shared Process | Manual
WdiSystemHost | Diagnostic System Host | Stopped | Shared Process | Manual
Wecsvc | Windows Event Collector | Stopped | Shared Process | Manual
wercplsupport | Problem Reports and Solutions Control Panel Support | Stopped | Shared Process | Manual
WerSvc | Windows Error Reporting Service | Stopped | Shared Process | Manual
WfpLwf | WFP Lightweight Filter | Running | Kernel Driver | System
WIMMount | WIMMount | Stopped | File System Driver | Manual
WinHttpAutoProxySvc | WinHTTP Web Proxy Auto-Discovery Service | Stopped | Shared Process | Manual
Winmgmt | Windows Management Instrumentation | Running | Shared Process | Automatic
WinRM | Windows Remote Management (WS-Management) | Running | Shared Process | Automatic
WmiAcpi | Microsoft Windows Management Interface for ACPI | Stopped | Kernel Driver | Manual
wmiApSrv | WMI Performance Adapter | Stopped | Own Process | Manual
WPDBusEnum | Portable Device Enumerator Service | Stopped | Shared Process | Manual
ws2ifsl | Windows Socket 2.0 Non-IFS Service Provider Support Environment | Running | Kernel Driver | System
wuauserv | Windows Update | Running | Shared Process | Automatic
WudfPf | User Mode Driver Frameworks Platform Driver | Stopped | Kernel Driver | Manual
wudfsvc | Windows Driver Foundation - User-mode Driver Framework | Stopped | Shared Process | Manual

Section Detail
Service Name | Logon Name | Path Name
1394ohci | | \SystemRoot\system32\drivers\1394ohci.sys
ACPI | | \SystemRoot\system32\drivers\ACPI.sys
AcpiPmi | | \SystemRoot\system32\drivers\acpipmi.sys
adp94xx | | \SystemRoot\system32\DRIVERS\adp94xx.sys
adpahci | | \SystemRoot\system32\DRIVERS\adpahci.sys
adpu320 | | \SystemRoot\system32\DRIVERS\adpu320.sys
ADWS | LocalSystem | C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe
AeLookupSvc | localSystem | C:\Windows\system32\svchost.exe -k netsvcs
AFD | | \SystemRoot\system32\drivers\afd.sys
agp440 | | \SystemRoot\system32\drivers\agp440.sys
ALG | NT AUTHORITY\LocalService | C:\Windows\System32\alg.exe
aliide | | \SystemRoot\system32\drivers\aliide.sys
amdide | | \SystemRoot\system32\drivers\amdide.sys
AmdK8 | | \SystemRoot\system32\DRIVERS\amdk8.sys
AmdPPM | | \SystemRoot\system32\DRIVERS\amdppm.sys
amdsata | | \SystemRoot\system32\drivers\amdsata.sys
amdsbs | | \SystemRoot\system32\DRIVERS\amdsbs.sys
amdxata | | \SystemRoot\system32\drivers\amdxata.sys
AppID | | \SystemRoot\system32\drivers\appid.sys
AppIDSvc | NT Authority\LocalService | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
Appinfo | LocalSystem | C:\Windows\system32\svchost.exe -k netsvcs
AppMgmt | LocalSystem | C:\Windows\system32\svchost.exe -k netsvcs
arc | | \SystemRoot\system32\DRIVERS\arc.sys
arcsas | | \SystemRoot\system32\DRIVERS\arcsas.sys
AsyncMac | | system32\DRIVERS\asyncmac.sys
atapi | | \SystemRoot\system32\drivers\atapi.sys
AudioEndpointBuilder | LocalSystem | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
AudioSrv | NT AUTHORITY\LocalService | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
b06bdrv | | \SystemRoot\system32\DRIVERS\bxvbda.sys
b57nd60a | | system32\DRIVERS\b57nd60a.sys
BDESVC | localSystem | C:\Windows\System32\svchost.exe -k netsvcs
BFE | NT AUTHORITY\LocalService | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
BITS | LocalSystem | C:\Windows\System32\svchost.exe -k netsvcs
Beep | |
blbdrive | | system32\DRIVERS\blbdrive.sys
bowser | | system32\DRIVERS\bowser.sys
BrFiltLo | | \SystemRoot\system32\DRIVERS\BrFiltLo.sys
BrFiltUp | | \SystemRoot\system32\DRIVERS\BrFiltUp.sys
Browser | LocalSystem | C:\Windows\System32\svchost.exe -k netsvcs
Brserid | | \SystemRoot\System32\Drivers\Brserid.sys
BrSerWdm | | \SystemRoot\System32\Drivers\BrSerWdm.sys
BrUsbMdm | | \SystemRoot\System32\Drivers\BrUsbMdm.sys
BrUsbSer | | \SystemRoot\System32\Drivers\BrUsbSer.sys
cdfs | | system32\DRIVERS\cdfs.sys
cdrom | | \SystemRoot\system32\drivers\cdrom.sys
CertPropSvc | LocalSystem | C:\Windows\system32\svchost.exe -k netsvcs
CLFS | | \SystemRoot\System32\CLFS.sys
clr_optimization_v2.0.50727_32 | LocalSystem | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
clr_optimization_v2.0.50727_64 | LocalSystem | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
CmBatt | | \SystemRoot\system32\DRIVERS\CmBatt.sys
cmdide | | \SystemRoot\system32\drivers\cmdide.sys
CNG | | \SystemRoot\System32\Drivers\cng.sys
Compbatt | | \SystemRoot\system32\DRIVERS\compbatt.sys
CompositeBus | | \SystemRoot\system32\drivers\CompositeBus.sys
COMSysApp | LocalSystem | C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
crcdisk | | \SystemRoot\system32\DRIVERS\crcdisk.sys
CryptSvc | NT Authority\NetworkService | C:\Windows\system32\svchost.exe -k NetworkService
DcomLaunch | LocalSystem | C:\Windows\system32\svchost.exe -k DcomLaunch
defragsvc | localSystem | C:\Windows\system32\svchost.exe -k defragsvc
Dfs | LocalSystem | C:\Windows\system32\dfssvc.exe
DfsC | | System32\Drivers\dfsc.sys
DfsDriver | | system32\drivers\dfs.sys
DFSR | LocalSystem | C:\Windows\system32\DFSRs.exe
DfsrRo | | \SystemRoot\system32\drivers\dfsrro.sys
Dhcp | NT Authority\LocalService | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
discache | | System32\drivers\discache.sys
Disk | | \SystemRoot\system32\DRIVERS\disk.sys
DNS | LocalSystem | C:\Windows\system32\dns.exe
Dnscache | NT AUTHORITY\NetworkService | C:\Windows\system32\svchost.exe -k NetworkService
dot3svc | localSystem | C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
DPS | NT AUTHORITY\LocalService | C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
DXGKrnl | | \SystemRoot\System32\drivers\dxgkrnl.sys
EapHost | localSystem | C:\Windows\System32\svchost.exe -k netsvcs
ebdrv | | \SystemRoot\system32\DRIVERS\evbda.sys
EFS | LocalSystem | C:\Windows\System32\lsass.exe
elxstor | | \SystemRoot\system32\DRIVERS\elxstor.sys
ErrDev | | \SystemRoot\system32\drivers\errdev.sys
eventlog | NT AUTHORITY\LocalService | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
EventSystem | NT AUTHORITY\LocalService | C:\Windows\system32\svchost.exe -k LocalService
exfat | |
fastfat | |
FCRegSvc | NT AUTHORITY\LocalService | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
fdc | | system32\DRIVERS\fdc.sys
fdPHost | NT AUTHORITY\LocalService | C:\Windows\system32\svchost.exe -k LocalService
FDResPub | NT AUTHORITY\LocalService | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
FileInfo | | system32\drivers\fileinfo.sys
Filetrace | | system32\drivers\filetrace.sys
flpydisk | | system32\DRIVERS\flpydisk.sys
FltMgr | | \SystemRoot\system32\drivers\fltmgr.sys
FontCache | NT AUTHORITY\LocalService | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
FontCache3.0.0.0 | NT Authority\LocalService | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
FsDepends | | System32\drivers\FsDepends.sys
fvevol | | \SystemRoot\System32\DRIVERS\fvevol.sys
gagp30kx | | \SystemRoot\system32\DRIVERS\gagp30kx.sys
gpsvc | LocalSystem | C:\Windows\system32\svchost.exe -k netsvcs
HDAudBus | | \SystemRoot\system32\drivers\HDAudBus.sys
HidBatt | | \SystemRoot\system32\DRIVERS\HidBatt.sys
hidserv | LocalSystem | C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
HidUsb | | \SystemRoot\system32\drivers\hidusb.sys
hkmsvc | localSystem | C:\Windows\System32\svchost.exe -k netsvcs
HpSAMD | | \SystemRoot\system32\drivers\HpSAMD.sys
HTTP | | system32\drivers\HTTP.sys
hwpolicy | | \SystemRoot\System32\drivers\hwpolicy.sys
i8042prt | | \SystemRoot\system32\drivers\i8042prt.sys
iaStorV | | \SystemRoot\system32\drivers\iaStorV.sys
idsvc | LocalSystem | C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe
iirsp | | \SystemRoot\system32\DRIVERS\iirsp.sys
IKEEXT | LocalSystem | C:\Windows\system32\svchost.exe -k netsvcs
intelide | | \SystemRoot\system32\drivers\intelide.sys
intelppm | | system32\DRIVERS\intelppm.sys
ioatdma | | \SystemRoot\System32\Drivers\qd260x64.sys
IPBusEnum | LocalSystem | C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
IpFilterDriver | | system32\DRIVERS\ipfltdrv.sys
iphlpsvc | LocalSystem | C:\Windows\System32\svchost.exe -k NetSvcs
IPMIDRV | | \SystemRoot\system32\drivers\IPMIDrv.sys
IPNAT | | System32\drivers\ipnat.sys
isapnp | | \SystemRoot\system32\drivers\isapnp.sys
iScsiPrt | | \SystemRoot\system32\drivers\msiscsi.sys
Produced by SekChek® for Windows V1.0.737, 10-Nov-2013 (Ref. 1201250012)
Page 131 of 154
Security Analysis: TESTBED
System:
Analysis Date:
PUFFADDER (Snake.com)
08-Nov-2013
CONFIDENTIAL
Service Name | Logon Name | Path Name
IsmServ | LocalSystem | C:\Windows\System32\ismserv.exe
kbdclass | | \SystemRoot\system32\drivers\kbdclass.sys
kbdhid | | \SystemRoot\system32\drivers\kbdhid.sys
kdc | LocalSystem | C:\Windows\System32\lsass.exe
KeyIso | LocalSystem | C:\Windows\system32\lsass.exe
KSecDD | | \SystemRoot\System32\Drivers\ksecdd.sys
KSecPkg | | \SystemRoot\System32\Drivers\ksecpkg.sys
ksthunk | | \SystemRoot\system32\drivers\ksthunk.sys
KtmRm | NT AUTHORITY\NetworkService | C:\Windows\System32\svchost.exe -k NetworkServiceAndNoImpersonation
LanmanServer | LocalSystem | C:\Windows\system32\svchost.exe -k netsvcs
LanmanWorkstation | NT AUTHORITY\NetworkService | C:\Windows\System32\svchost.exe -k NetworkService
lltdio | | system32\DRIVERS\lltdio.sys
lltdsvc | NT AUTHORITY\LocalService | C:\Windows\System32\svchost.exe -k LocalService
lmhosts | NT AUTHORITY\LocalService | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
LSI_FC | | \SystemRoot\system32\DRIVERS\lsi_fc.sys
LSI_SAS | | \SystemRoot\system32\DRIVERS\lsi_sas.sys
LSI_SAS2 | | \SystemRoot\system32\DRIVERS\lsi_sas2.sys
LSI_SCSI | | \SystemRoot\system32\DRIVERS\lsi_scsi.sys
luafv | | \SystemRoot\system32\drivers\luafv.sys
megasas | | \SystemRoot\system32\DRIVERS\megasas.sys
MegaSR | | \SystemRoot\system32\DRIVERS\MegaSR.sys
Microsoft SharePoint Workspace Audit Service | NT AUTHORITY\LocalService | "C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
MMCSS | LocalSystem | C:\Windows\system32\svchost.exe -k netsvcs
Modem | | system32\drivers\modem.sys
monitor | | system32\DRIVERS\monitor.sys
mouclass | | \SystemRoot\system32\drivers\mouclass.sys
mouhid | | system32\DRIVERS\mouhid.sys
mountmgr | | \SystemRoot\System32\drivers\mountmgr.sys
mpio | | \SystemRoot\system32\drivers\mpio.sys
mpsdrv | | System32\drivers\mpsdrv.sys
MpsSvc | NT Authority\LocalService | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
mrxsmb | | system32\DRIVERS\mrxsmb.sys
mrxsmb10 | | system32\DRIVERS\mrxsmb10.sys
mrxsmb20 | | system32\DRIVERS\mrxsmb20.sys
msahci | | \SystemRoot\system32\drivers\msahci.sys
msdsm | | \SystemRoot\system32\drivers\msdsm.sys
MSDTC | NT AUTHORITY\NetworkService | C:\Windows\System32\msdtc.exe
Msfs | |
mshidkmdf | | \SystemRoot\System32\drivers\mshidkmdf.sys
msisadrv | | \SystemRoot\system32\drivers\msisadrv.sys
MSiSCSI | LocalSystem | C:\Windows\system32\svchost.exe -k netsvcs
msiserver | LocalSystem | C:\Windows\system32\msiexec.exe /V
MsRPC | |
mssmbios | | \SystemRoot\system32\drivers\mssmbios.sys
MSSQL$SOPHOS | LocalSystem | "C:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SOPHOS\MSSQL\Binn\sqlservr.exe" -sSOPHOS
MSSQLServerADHelper100 | LocalSystem | C:\Program Files (x86)\Microsoft SQL Server\100\Shared\SQLADHLP.EXE
MTConfig | | \SystemRoot\system32\DRIVERS\MTConfig.sys
Mup | | \SystemRoot\System32\Drivers\mup.sys
napagent | NT AUTHORITY\NetworkService | C:\Windows\System32\svchost.exe -k NetworkService
NDIS | | \SystemRoot\system32\drivers\ndis.sys
NdisCap | | system32\DRIVERS\ndiscap.sys
NdisTapi | | system32\DRIVERS\ndistapi.sys
Ndisuio | | system32\DRIVERS\ndisuio.sys
NdisWan | | system32\DRIVERS\ndiswan.sys
NDProxy | |
NetBIOS | | system32\DRIVERS\netbios.sys
NetBT | | System32\DRIVERS\netbt.sys
Netlogon | LocalSystem | C:\Windows\system32\lsass.exe
Netman | LocalSystem | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
netprofm | NT AUTHORITY\LocalService | C:\Windows\System32\svchost.exe -k LocalService
NetTcpPortSharing | NT AUTHORITY\LocalService | C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe
netvsc | | \SystemRoot\system32\drivers\netvsc60.sys
nfrd960 | | \SystemRoot\system32\DRIVERS\nfrd960.sys
NlaSvc | NT AUTHORITY\NetworkService | C:\Windows\System32\svchost.exe -k NetworkService
Npfs | |
nsi | NT Authority\LocalService | C:\Windows\system32\svchost.exe -k LocalService
nsiproxy | | system32\drivers\nsiproxy.sys
NTDS | LocalSystem | C:\Windows\System32\lsass.exe
NtFrs | LocalSystem | C:\Windows\system32\ntfrs.exe
Ntfs | |
Null | |
nv_agp | | \SystemRoot\system32\drivers\nv_agp.sys
nvraid | | \SystemRoot\system32\drivers\nvraid.sys
nvstor | | \SystemRoot\system32\drivers\nvstor.sys
ohci1394 | | \SystemRoot\system32\drivers\ohci1394.sys
ose | LocalSystem | C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
osppsvc | NT AUTHORITY\NetworkService | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Parport | | \SystemRoot\system32\DRIVERS\parport.sys
partmgr | | \SystemRoot\System32\drivers\partmgr.sys
pci | | \SystemRoot\system32\drivers\pci.sys
pciide | | \SystemRoot\system32\drivers\pciide.sys
pcmcia | | \SystemRoot\system32\DRIVERS\pcmcia.sys
pcw | | \SystemRoot\System32\drivers\pcw.sys
PEAUTH | | system32\drivers\peauth.sys
PerfHost | NT AUTHORITY\LocalService | C:\Windows\SysWow64\perfhost.exe
pla | NT AUTHORITY\LocalService | C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
PlugPlay | LocalSystem | C:\Windows\system32\svchost.exe -k DcomLaunch
PolicyAgent | NT Authority\NetworkService | C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
Power | LocalSystem | C:\Windows\system32\svchost.exe -k DcomLaunch
PptpMiniport | | system32\DRIVERS\raspptp.sys
Processor | | \SystemRoot\system32\DRIVERS\processr.sys
ProfSvc | LocalSystem | C:\Windows\system32\svchost.exe -k netsvcs
ProtectedStorage | LocalSystem | C:\Windows\system32\lsass.exe
Psched | | system32\DRIVERS\pacer.sys
ql2300 | | \SystemRoot\system32\DRIVERS\ql2300.sys
ql40xx | | \SystemRoot\system32\DRIVERS\ql40xx.sys
RasAcd | | System32\DRIVERS\rasacd.sys
RasAgileVpn | | system32\DRIVERS\AgileVpn.sys
RasAuto | localSystem | C:\Windows\System32\svchost.exe -k netsvcs
Rasl2tp | | system32\DRIVERS\rasl2tp.sys
RasMan | localSystem | C:\Windows\System32\svchost.exe -k netsvcs
RasPppoe | | system32\DRIVERS\raspppoe.sys
RasSstp | | system32\DRIVERS\rassstp.sys
rdbss | | system32\DRIVERS\rdbss.sys
rdpbus | | system32\DRIVERS\rdpbus.sys
RDPCDD | | System32\DRIVERS\RDPCDD.sys
RDPDR | | System32\drivers\rdpdr.sys
RDPENCDD | | system32\drivers\rdpencdd.sys
RDPREFMP | | system32\drivers\rdprefmp.sys
RDPWD | |
RemoteAccess | localSystem | C:\Windows\System32\svchost.exe -k netsvcs
RemoteRegistry | NT AUTHORITY\LocalService | C:\Windows\system32\svchost.exe -k regsvc
RpcEptMapper | NT AUTHORITY\NetworkService | C:\Windows\system32\svchost.exe -k RPCSS
RpcLocator | NT AUTHORITY\NetworkService | C:\Windows\system32\locator.exe
RpcSs | NT AUTHORITY\NetworkService | C:\Windows\system32\svchost.exe -k rpcss
RSoPProv | LocalSystem | C:\Windows\system32\RSoPProv.exe
rspndr | | system32\DRIVERS\rspndr.sys
s3cap | | \SystemRoot\system32\drivers\vms3cap.sys
sacdrv | | \SystemRoot\system32\DRIVERS\sacdrv.sys
sacsvr | LocalSystem | C:\Windows\System32\svchost.exe -k netsvcs
SamSs | LocalSystem | C:\Windows\system32\lsass.exe
SAVAdminService | LocalSystem | C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe
SAVOnAccess | | system32\DRIVERS\savonaccess.sys
SAVService | NT AUTHORITY\LocalService | C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe
sbp2port | | \SystemRoot\system32\drivers\sbp2port.sys
SCardSvr | NT AUTHORITY\LocalService | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
scfilter | | System32\DRIVERS\scfilter.sys
Schedule | LocalSystem | C:\Windows\system32\svchost.exe -k netsvcs
SCPolicySvc | LocalSystem | C:\Windows\system32\svchost.exe -k netsvcs
seclogon | LocalSystem | C:\Windows\system32\svchost.exe -k netsvcs
SENS | LocalSystem | C:\Windows\system32\svchost.exe -k netsvcs
secdrv | |
Serenum | | system32\DRIVERS\serenum.sys
Serial | | system32\DRIVERS\serial.sys
sermouse | | \SystemRoot\system32\DRIVERS\sermouse.sys
SessionEnv | localSystem | C:\Windows\System32\svchost.exe -k netsvcs
sffdisk | | \SystemRoot\system32\drivers\sffdisk.sys
sffp_mmc | | \SystemRoot\system32\drivers\sffp_mmc.sys
sffp_sd | | \SystemRoot\system32\drivers\sffp_sd.sys
sfloppy | | \SystemRoot\system32\DRIVERS\sfloppy.sys
SharedAccess | LocalSystem | C:\Windows\System32\svchost.exe -k netsvcs
ShellHWDetection | LocalSystem | C:\Windows\System32\svchost.exe -k netsvcs
SiSRaid2 | | \SystemRoot\system32\DRIVERS\SiSRaid2.sys
SiSRaid4 | | \SystemRoot\system32\DRIVERS\sisraid4.sys
Smb | | system32\DRIVERS\smb.sys
SNMPTRAP | NT AUTHORITY\LocalService | C:\Windows\System32\snmptrap.exe
Sophos Agent | LocalSystem | "C:\Program Files (x86)\Sophos\Enterprise Console\Remote Management System\ManagementAgentNT.exe" -service name Agent
Sophos AutoUpdate Service | LocalSystem | "C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe"
Sophos Certification Manager | LocalSystem | "C:\Program Files (x86)\Sophos\Enterprise Console\CertificationManagerServiceNT.exe" -background ORBSvcConf "C:\Program Files (x86)\Sophos\Enterprise Console\svc.conf"
Sophos Management Service | LocalSystem | "C:\Program Files (x86)\Sophos\Enterprise Console\MgntSvc.exe"
Sophos Message Router | LocalSystem | "C:\Program Files (x86)\Sophos\Enterprise Console\Remote Management System\RouterNT.exe" -service -name Router ORBListenEndpoints iiop://:8193/ssl_port=8194
SophosBootDriver | | system32\DRIVERS\SophosBootDriver.sys
spldr | |
Spooler | LocalSystem | C:\Windows\System32\spoolsv.exe
sppsvc | NT AUTHORITY\NetworkService | C:\Windows\system32\sppsvc.exe
sppuinotify | NT AUTHORITY\LocalService | C:\Windows\system32\svchost.exe -k LocalService
SQLAgent$SOPHOS | NT AUTHORITY\NETWORK SERVICE | "C:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SOPHOS\MSSQL\Binn\SQLAGENT.EXE" -i SOPHOS
SQLBrowser | NT AUTHORITY\LOCAL SERVICE | C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
SQLWriter | LocalSystem | C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
srv | | System32\DRIVERS\srv.sys
srv2 | | System32\DRIVERS\srv2.sys
srvnet | | System32\DRIVERS\srvnet.sys
SSDPSRV | NT AUTHORITY\LocalService | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
SstpSvc | NT Authority\LocalService | C:\Windows\system32\svchost.exe -k LocalService
stexstor | | \SystemRoot\system32\DRIVERS\stexstor.sys
storflt | | \SystemRoot\system32\drivers\vmstorfl.sys
storvsc | | \SystemRoot\system32\drivers\storvsc.sys
storvsp | | \SystemRoot\system32\drivers\storvsp.sys
SUM | LocalSystem | C:\Program Files (x86)\Sophos\Enterprise Console\SUM\SUMService.exe
swenum | | \SystemRoot\system32\drivers\swenum.sys
swi_service | NT AUTHORITY\LocalService | C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe
swprv | LocalSystem | C:\Windows\System32\svchost.exe -k swprv
SynthVid | | \SystemRoot\system32\drivers\VMBusVideoM.sys
TapiSrv | NT AUTHORITY\NetworkService | C:\Windows\System32\svchost.exe -k tapisrv
TBS | NT AUTHORITY\LocalService | C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation
Tcpip | | \SystemRoot\System32\drivers\tcpip.sys
TCPIP6 | | system32\DRIVERS\tcpip.sys
tcpipreg | | System32\drivers\tcpipreg.sys
TDPIPE | | system32\drivers\tdpipe.sys
TDTCP | | system32\drivers\tdtcp.sys
tdx | | system32\DRIVERS\tdx.sys
TermDD | | \SystemRoot\system32\drivers\termdd.sys
TermService | NT Authority\NetworkService | C:\Windows\System32\svchost.exe -k termsvcs
THREADORDER | NT AUTHORITY\LocalService | C:\Windows\system32\svchost.exe -k LocalService
TrkWks | LocalSystem | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
TrustedInstaller | localSystem | C:\Windows\servicing\TrustedInstaller.exe
tssecsrv | | System32\DRIVERS\tssecsrv.sys
TsUsbFlt | | system32\drivers\tsusbflt.sys
tunnel | | system32\DRIVERS\tunnel.sys
uagp35 | | \SystemRoot\system32\DRIVERS\uagp35.sys
udfs | | system32\DRIVERS\udfs.sys
UI0Detect | LocalSystem | C:\Windows\system32\UI0Detect.exe
uliagpkx | | \SystemRoot\system32\drivers\uliagpkx.sys
umbus | | system32\DRIVERS\umbus.sys
UmPass | | \SystemRoot\system32\DRIVERS\umpass.sys
UmRdpService | localSystem | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
upnphost | NT AUTHORITY\LocalService | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
usbccgp | | \SystemRoot\system32\drivers\usbccgp.sys
usbehci | | \SystemRoot\system32\DRIVERS\usbehci.sys
usbhub | | \SystemRoot\system32\drivers\usbhub.sys
usbohci | | \SystemRoot\system32\DRIVERS\usbohci.sys
usbprint | | \SystemRoot\system32\DRIVERS\usbprint.sys
USBSTOR | | \SystemRoot\system32\drivers\USBSTOR.SYS
usbuhci | | \SystemRoot\system32\DRIVERS\usbuhci.sys
UxSms | localSystem | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
VaultSvc | LocalSystem | C:\Windows\system32\lsass.exe
vdrvroot | | \SystemRoot\system32\drivers\vdrvroot.sys
vds | LocalSystem | C:\Windows\System32\vds.exe
vga | | system32\DRIVERS\vgapnp.sys
VgaSave | | \SystemRoot\System32\drivers\vga.sys
vhdmp | | \SystemRoot\system32\drivers\vhdmp.sys
viaide | | \SystemRoot\system32\drivers\viaide.sys
Vid | | \SystemRoot\system32\drivers\Vid.sys
vmbus | | \SystemRoot\system32\drivers\vmbus.sys
VMBusHID | | \SystemRoot\system32\drivers\VMBusHID.sys
vmicheartbeat | NT AUTHORITY\NetworkService | C:\Windows\system32\vmicsvc.exe -feature Heartbeat
vmickvpexchange | NT AUTHORITY\LocalService | C:\Windows\system32\vmicsvc.exe -feature KvpExchange
vmicshutdown | LocalSystem | C:\Windows\system32\vmicsvc.exe -feature Shutdown
vmictimesync | NT AUTHORITY\LocalService | C:\Windows\system32\vmicsvc.exe -feature TimeSync
vmicvss | LocalSystem | C:\Windows\system32\vmicsvc.exe -feature VSS
volmgr | | \SystemRoot\system32\drivers\volmgr.sys
volmgrx | | \SystemRoot\System32\drivers\volmgrx.sys
volsnap | | \SystemRoot\system32\drivers\volsnap.sys
vsmraid | | \SystemRoot\system32\DRIVERS\vsmraid.sys
VSS | LocalSystem | C:\Windows\system32\vssvc.exe
W32Time | NT AUTHORITY\LocalService | C:\Windows\system32\svchost.exe -k LocalService
WacomPen | | \SystemRoot\system32\DRIVERS\wacompen.sys
WANARP | | system32\DRIVERS\wanarp.sys
Wanarpv6 | | system32\DRIVERS\wanarp.sys
WcsPlugInService | NT AUTHORITY\LocalService | C:\Windows\system32\svchost.exe -k wcssvc
Wd | | \SystemRoot\system32\DRIVERS\wd.sys
Wdf01000 | | \SystemRoot\system32\drivers\Wdf01000.sys
WdiServiceHost | NT AUTHORITY\LocalService | C:\Windows\System32\svchost.exe -k LocalService
WdiSystemHost | LocalSystem | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
Wecsvc | NT AUTHORITY\NetworkService | C:\Windows\system32\svchost.exe -k NetworkService
wercplsupport | localSystem | C:\Windows\System32\svchost.exe -k netsvcs
WerSvc | localSystem | C:\Windows\System32\svchost.exe -k WerSvcGroup
WfpLwf | | system32\DRIVERS\wfplwf.sys
WIMMount | | system32\drivers\wimmount.sys
WinHttpAutoProxySvc | NT AUTHORITY\LocalService | C:\Windows\system32\svchost.exe -k LocalService
Winmgmt | localSystem | C:\Windows\system32\svchost.exe -k netsvcs
WinRM | NT AUTHORITY\NetworkService | C:\Windows\System32\svchost.exe -k NetworkService
WmiAcpi | | \SystemRoot\system32\drivers\wmiacpi.sys
wmiApSrv | localSystem | C:\Windows\system32\wbem\WmiApSrv.exe
WPDBusEnum | LocalSystem | C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
ws2ifsl | | \SystemRoot\system32\drivers\ws2ifsl.sys
wuauserv | LocalSystem | C:\Windows\system32\svchost.exe -k netsvcs
WudfPf | | system32\drivers\WudfPf.sys
wudfsvc | LocalSystem | C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
Services and Drivers
A service is an executable object that is installed in a registry database maintained by the Service Control Manager.
The executable file associated with a service can be started at boot time by a boot program or by the system, or the
Service Control Manager can start it on demand. The two types of service are Win32 services and driver services.
A Win32 service is a service that conforms to the interface rules of the Service Control Manager. This enables the
Service Control Manager to start the service at system start-up or on demand and enables communication between
the service and service control programs. A Win32 service can execute in its own process, or it can share a process
with other Win32 services.
A driver service is a service that follows the device driver protocols for Microsoft Windows rather than using the
Service Control Manager interface.
Implications
Having inappropriate or unnecessary services installed can create security risks and provide potential access paths or
tools to intruders.
There are a great many services that can be installed, and documenting the security implications of each one would
fill volumes. Some of them increase security risk if they are not appropriately configured, controlled and secured.
Examples are Remote Access Services (RAS), Internet-related services and network services.
Some of the more common services are:
Service | Function | Comments
NetDDE, NetDDEdsdm | Services for creating a communication channel or a trusted share for Windows applications to share data over a network. | Shares (directories, files and printers) should be managed to ensure that sensitive information is not made available unnecessarily via this channel.
EventLog, SENS | Event Log Service and System Event Notification Service. | Ensure these services are started to enable the capturing of event messages to the logs.
SNMP, SNMPTRAP | Simple Network Management Protocol, used to manage devices on a network. | Manage access to information via this protocol, as it can supply valuable information about your network and network devices.
W3SVC, IISADMIN, IAS | Internet Information Server, World Wide Web Publishing Service and Internet Authentication Service. | Ensure correct configuration of these services, as misconfiguration of these can compromise security.
RemoteAccess, Rasman, RasAcd, RasAuto, RasArp | Remote Access services. | Ensure correct configuration of these services, as misconfiguration of these can compromise security.
NdisTapi, NdisWan, NetBIOS, NwlnkSpx, Tcpip | Network protocol and transport layer services/drivers. | Ensure that these protocols/drivers are configured correctly, as incorrect configuration can leave the network open to penetration.
Attaching unsecured logon accounts to services can create significant security exposures.
Installing service executables in unsecured directories can also create significant security exposures.
Risk Rating
Medium to High (Depending on the type of services installed, their configuration and security settings).
Recommended Action
You should ensure that:
- Only required and appropriate services are installed.
- Their configuration and security settings are to appropriate standards.
- Service executables are in secure directories.
- Logon accounts attached to services have the appropriate security settings to help prevent illegal access.
- The rights assigned to user accounts and groups are effectively controlled (consult the report section titled Rights and Privileges).
- Effective virus detection and prevention services are installed, running and activated/started automatically at system start-up time.
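The checks in that list can be run against the live service table rather than read off a report. The script below is an added example written for this edit; it is not SekChek code and not part of the original report. It audits every Win32 service for the exposures described above: a logon account other than the built-in service identities, an executable outside %SystemRoot% or Program Files, an executable directory that ordinary users can write to, and an unquoted image path containing spaces. It assumes PowerShell 3.0 on Windows Server 2008 R2 or 2012 and an elevated session; kernel drivers (Win32_SystemDriver) are out of scope.

```powershell
# Added example, not SekChek code. Audits the Win32 services on the local host
# for the exposures this section describes. Assumes PowerShell 3.0 on Windows
# Server 2008 R2/2012 and an elevated session. Kernel drivers are not covered.

$builtInAccounts = @(
    'LocalSystem',
    'NT AUTHORITY\LocalService', 'NT AUTHORITY\LOCAL SERVICE',
    'NT AUTHORITY\NetworkService', 'NT AUTHORITY\NETWORK SERVICE'
)
# Directories that only administrators and TrustedInstaller can normally write to.
$protectedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

function Get-ServiceImagePath {
    param([string]$PathName)
    # Separate the executable from its arguments: a quoted path ends at the
    # closing quote, an unquoted one at the first ".exe".
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }
    return $PathName
}

function Test-DirectoryWritableByUsers {
    param([string]$FilePath)
    # True when Everyone, Users or Authenticated Users hold an Allow ACE that
    # grants write, modify or full control on the executable's directory.
    $dir = Split-Path -Path $FilePath -Parent
    if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { return $false }
    foreach ($ace in (Get-Acl -LiteralPath $dir).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -notmatch '^(Everyone|BUILTIN\\Users|NT AUTHORITY\\Authenticated Users)$') { continue }
        if ("$($ace.FileSystemRights)" -match 'Write|Modify|FullControl') { return $true }
    }
    return $false
}

$findings = foreach ($svc in Get-WmiObject -Class Win32_Service) {
    if (-not $svc.PathName) { continue }
    $image  = [Environment]::ExpandEnvironmentVariables((Get-ServiceImagePath -PathName $svc.PathName))
    $issues = @()

    if ($builtInAccounts -notcontains $svc.StartName) {
        # A domain or local account: its password, rights and group memberships
        # become part of the service's attack surface.
        $issues += "runs as '$($svc.StartName)'"
    }
    if ($svc.PathName -notmatch '^"' -and $image -match ' ') {
        # The SCM tries each prefix up to a space, so C:\Program.exe would be run first.
        $issues += 'unquoted image path containing spaces'
    }
    if (-not ($protectedRoots | Where-Object { $image.StartsWith($_, 'OrdinalIgnoreCase') })) {
        $issues += 'executable outside Windows / Program Files'
    }
    if (Test-DirectoryWritableByUsers -FilePath $image) {
        $issues += 'executable directory writable by non-administrators'
    }
    if ($issues) {
        [PSCustomObject]@{
            Service = $svc.Name
            Account = $svc.StartName
            Start   = $svc.StartMode
            Image   = $image
            Issues  = ($issues -join '; ')
        }
    }
}

$findings | Sort-Object Service | Format-Table -AutoSize -Wrap
```

Against the table above, the rows that would surface are the ones running under named accounts (none here, since SQL Server and Sophos use the built-in identities) and any service whose image sits outside the two protected roots. The ACL check reports the directory, not the file: replacing the executable requires write access to the directory or to the file itself, so a stricter version also calls Get-Acl on the file.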
31. Server Roles and Features
Section Summary
There are 26 Server roles and features installed on the system.
Section Detail
Server Roles and Features
.NET Framework 4.5 Features
--- .NET Framework 4.5
--- WCF Services
------ TCP Port Sharing
Active Directory Domain Services
DNS Server
File And Storage Services
--- File and iSCSI Services
------ File Server
--- Storage Services
Group Policy Management
Remote Server Administration Tools
--- Role Administration Tools
------ AD DS and AD LDS Tools
--------- Active Directory module for Windows PowerShell
--------- AD DS Tools
------------ Active Directory Administrative Center
------------ AD DS Snap-Ins and Command-Line Tools
------ DNS Server Tools
User Interfaces and Infrastructure
--- Graphical Management Tools and Infrastructure
--- Server Graphical Shell
Windows PowerShell
--- Windows PowerShell 3.0
--- Windows PowerShell ISE
WoW64 Support
Implications
All roles and features installed on your Server increase the attack surface of your system and present additional
opportunities for intruders to exploit any vulnerabilities that may exist. Your system is particularly vulnerable if
Windows features are incorrectly configured.
Unnecessary roles and features also consume system resources, such as disk space and CPU cycles. In addition,
they increase the frequency of Microsoft updates and associated system restarts.
Risk Rating
Medium to High (Depending on the role or feature).
Recommended Action
You should ensure that:
- All installed roles and features are appropriate and authorised
- Windows roles and features are appropriately configured
You should also consider using a minimal Server Core installation rather than a version of Windows Server that
installs the full GUI with unnecessary components, such as Windows Explorer, Internet Explorer and the Control
Panel.
For more information about Server Core see: http://en.wikipedia.org/wiki/Windows_Server_2008#Server_Core.
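"Appropriate and authorised" only has meaning against a written baseline. The following is an added example for this edit, not SekChek code: it compares the installed roles and features with an approved list and reports drift in both directions. The baseline is a hypothetical one for a domain controller serving AD DS and DNS, built from the feature names behind the list above; it deliberately leaves out the graphical shell features so that they surface for review, following the Server Core advice. It requires the ServerManager module (Windows Server 2012 or later).

```powershell
# Added example, not SekChek code. Compares installed roles/features with an
# approved baseline. The baseline is hypothetical: a DC serving AD DS and DNS,
# with the GUI features omitted on purpose so they show up as drift.
# Requires the ServerManager module (Windows Server 2012 or later).

Import-Module ServerManager

$approvedFeatures = @(
    'AD-Domain-Services', 'DNS', 'GPMC',
    'FileAndStorage-Services', 'File-Services', 'FS-FileServer', 'Storage-Services',
    'RSAT', 'RSAT-Role-Tools', 'RSAT-AD-Tools', 'RSAT-AD-PowerShell',
    'RSAT-ADDS', 'RSAT-AD-AdminCenter', 'RSAT-ADDS-Tools', 'RSAT-DNS-Server',
    'NET-Framework-45-Features', 'NET-Framework-45-Core',
    'NET-WCF-Services45', 'NET-WCF-TCP-PortSharing45',
    'PowerShellRoot', 'PowerShell', 'PowerShell-ISE', 'WoW64-Support'
)

$installed = @(Get-WindowsFeature | Where-Object { $_.Installed })

# Installed but not approved: candidates for removal.
$unapproved = @($installed | Where-Object { $approvedFeatures -notcontains $_.Name })
# Approved but absent: the build is incomplete or something was removed.
$missing = @($approvedFeatures | Where-Object {
    $name = $_
    -not ($installed | Where-Object { $_.Name -eq $name })
})

"Installed roles and features: $($installed.Count)"
"Not in baseline ($($unapproved.Count)):"
$unapproved | Select-Object Name, DisplayName, FeatureType, Path | Format-Table -AutoSize
"In baseline but not installed ($($missing.Count)):"
$missing

# Removal is a change-controlled action; preview it before running it for real.
# $unapproved | Uninstall-WindowsFeature -WhatIf
```

On the system in this report the script would list User-Interfaces-Infra, Server-Gui-Mgmt-Infra and Server-Gui-Shell as drift, which is the decision point the recommendation asks for: either remove them (and manage the DC remotely with the RSAT tools already installed) or add them to the baseline with a recorded justification.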
32. Task Scheduler
Section Summary
There are 71 scheduled tasks defined in 52 task folders:
- 33.8% (24) of tasks are hidden
- 73.2% (52) of tasks are enabled
- 26.8% (19) of tasks are disabled
- 39.4% (28) of tasks have never executed
- 12.7% (9) of tasks returned a non-zero result (may have failed)
- The registered tasks contain 69 event triggers
- 17.4% (12) of event triggers are disabled
Section Detail
For details see worksheet Scheduled_Tasks in the MS-Excel workbook.
Implications
The Task Scheduler ensures that important system maintenance and diagnostic functions are performed on a regular
and consistent basis without the need for manual intervention.
Some examples of scheduled tasks are jobs that:
- Create regular system protection points
- Download and install anti-virus updates
- Ensure digital certificates for users and machines are current and valid
- Consolidate fragmented space on disk drives
- Synchronise the system time
If certain tasks do not execute, or they fail to complete successfully, it could affect the performance, stability or
security of your system.
Risk Rating
Low to medium (Depending on the task and its status).
Recommended Action
You should ensure that important scheduled tasks:
- Are configured in accordance with your requirements
- Are not accidentally disabled
- Execute successfully
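The summary figures above come from the MS-Excel workbook, but the same numbers, and the list of tasks worth reading, can be produced on the host. The script below is an added example for this edit and not SekChek code. It recomputes the statistics in the Section Summary and then lists the tasks a reviewer should look at: disabled, never executed, failed on the last run, or hidden and running as SYSTEM with an action outside the Windows directory (the combination a persistence mechanism tends to use). It requires the ScheduledTasks module (Windows Server 2012 or later) and an elevated session.

```powershell
# Added example, not SekChek code. Recomputes the Task Scheduler summary and
# lists tasks to review. Requires the ScheduledTasks module (Windows Server
# 2012 or later) and an elevated session.

# Scheduler result codes that are not failures.
$informational = @(0, 0x41301, 0x41303)   # success, currently running, has not yet run

$tasks = @(Get-ScheduledTask)
$rows = foreach ($t in $tasks) {
    $info = $t | Get-ScheduledTaskInfo
    # COM-handler actions have no Execute member; only exec actions carry an image.
    $images = @($t.Actions | Where-Object { $_.Execute } |
        ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Execute).Trim('"') })
    [PSCustomObject]@{
        Task             = $t.TaskPath + $t.TaskName
        Folder           = $t.TaskPath
        State            = [string]$t.State
        Hidden           = [bool]$t.Settings.Hidden
        RunAs            = $t.Principal.UserId
        # A task that has never run reports a placeholder date (1899 or 1999).
        NeverRan         = ($null -eq $info.LastRunTime) -or ($info.LastRunTime.Year -lt 2000)
        LastResult       = $info.LastTaskResult
        Triggers         = @($t.Triggers).Count
        DisabledTriggers = @($t.Triggers | Where-Object { -not $_.Enabled }).Count
        OutsideWindows   = [bool]($images | Where-Object { -not $_.StartsWith($env:SystemRoot, 'OrdinalIgnoreCase') })
        Actions          = ($images -join ' ; ')
    }
}
$rows = @($rows)

function Pct([int]$Count) {
    if ($rows.Count) { '{0:N1}% ({1})' -f (100 * $Count / $rows.Count), $Count } else { '0.0% (0)' }
}
$triggerCount  = ($rows | Measure-Object -Property Triggers -Sum).Sum
$disabledTrigs = ($rows | Measure-Object -Property DisabledTriggers -Sum).Sum

"Scheduled tasks: $($rows.Count) in $(@($rows | Select-Object -ExpandProperty Folder -Unique).Count) task folders"
"Hidden:           $(Pct (@($rows | Where-Object Hidden).Count))"
"Enabled:          $(Pct (@($rows | Where-Object { $_.State -ne 'Disabled' }).Count))"
"Disabled:         $(Pct (@($rows | Where-Object { $_.State -eq 'Disabled' }).Count))"
"Never executed:   $(Pct (@($rows | Where-Object NeverRan).Count))"
"Non-zero result:  $(Pct (@($rows | Where-Object { $_.LastResult -ne 0 }).Count))"
"Triggers: $triggerCount, of which $disabledTrigs disabled"

"Tasks to review:"
$rows | Where-Object {
    $_.State -eq 'Disabled' -or $_.NeverRan -or ($informational -notcontains $_.LastResult) -or
    ($_.Hidden -and $_.RunAs -match 'SYSTEM|S-1-5-18' -and $_.OutsideWindows)
} | Sort-Object Task | Format-Table Task, State, Hidden, RunAs, LastResult, Actions -AutoSize -Wrap
```

The "non-zero result" figure in the report counts every task whose last result is not 0, which includes 0x41301 (still running) and 0x41303 (never run); the review list treats those two as informational so that only genuine failures remain. A task that has never executed but has enabled triggers is either waiting for an event that has not occurred or is a candidate for removal; both cases belong on the review list.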
33. Security Updates, Patches and Hot-Fixes
Section Summary
There are 2 Security Updates, Patches and Hot-Fixes installed on this system.
Windows Update Settings
- Windows Update status: OK
- Important updates: Download updates but let me choose whether to install them
- Install new updates: Every day at 03:00
- Recommended updates: No
- Allow all users to install: Yes
- Configuration enforced: No
- Updates were installed: 23-Sep-2013 10:09:13
- Most recent check for updates: 25-Oct-2013 03:52:33
Section Detail
Update Reference | Install Date | Installed By | Description
KB976902 | 10/14/2013 | SNAKE\administrator | Update
KB976932 | 10/14/2013 | SNAKE\administrator | Service Pack
Implications
This report section lists hot-fixes installed on the system by Microsoft’s hotfix.exe or update.exe utilities.
Note that hot-fixes and patches applied to third-party (non-Microsoft) software products are not included because they
are typically not installed by these utilities. Examples of other exclusions are entries written by Shavlik (records are in
a proprietary format) and records relating to uninstall routines, such as ServicePackUninstall.
A software patch or hot-fix is a program file that installs one or more files on your system to correct a software
problem. A Windows hot-fix program file is typically named KBnnnnnn.exe (older ones Qnnnnnn.exe), where nnnnnn is a
six-digit number assigned by Microsoft. You can obtain details of a hot-fix by searching Microsoft's Knowledge Base (KB)
on the unique hot-fix number.
Many hot-fixes address security vulnerabilities that are discovered in software components, such as Windows,
Exchange, Internet Explorer, IIS and SQL.
If you lack a policy to ensure relevant hot-fixes are promptly identified and installed, your system will be exposed to an
increased risk of being compromised, damaged or exploited.
Some examples of these security exposures are: unauthorised remote access to your system; illegal execution of
code; elevation of privileges; and denial of service attacks.
Risk Rating
Medium to High (Depending on the vulnerability).
Recommended Action
You should implement policy to ensure you are aware of newly discovered security vulnerabilities. You should also
ensure that appropriate hot-fixes are promptly evaluated and installed on your systems.
Microsoft offers several advisory services and tools that can assist you with the process. These include TechNet,
various notification services and security bulletins, and tools such as Hfnetchk (since superseded by the Microsoft
Baseline Security Analyzer and WSUS) that check computers for missing security patches and hot-fixes.
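Two installed hot-fixes on a domain controller is the number to question, not the settings around it. The script below is an added example for this edit, not SekChek code: it gathers the same data this section reports using only what ships with Windows: the hot-fix inventory from Get-HotFix (Win32_QuickFixEngineering), the Automatic Updates configuration and last successful search and install times from the Windows Update Agent COM API, and a query for software updates that are applicable but not yet installed. The 30-day staleness threshold is an assumed policy value, and the final search needs network reachability to WSUS or Microsoft Update.

```powershell
# Added example, not SekChek code. Hot-fix inventory, Automatic Updates settings
# and pending updates via the Windows Update Agent COM API. The 30-day threshold
# is an assumed policy value; the search requires WSUS/Microsoft Update access.

$maxDaysSinceInstall = 30

$hotfixes = @(Get-HotFix | Sort-Object InstalledOn)
"Installed hotfixes: $($hotfixes.Count)"
$hotfixes | Format-Table HotFixID, Description, InstalledBy, InstalledOn -AutoSize

$au = New-Object -ComObject Microsoft.Update.AutoUpdate
$levels = @{
    0 = 'Not configured'; 1 = 'Disabled'; 2 = 'Notify before download'
    3 = 'Download updates but let me choose whether to install them'
    4 = 'Install updates automatically'
}
$days = @{ 0 = 'Every day'; 1 = 'Sunday'; 2 = 'Monday'; 3 = 'Tuesday'; 4 = 'Wednesday'; 5 = 'Thursday'; 6 = 'Friday'; 7 = 'Saturday' }
$s = $au.Settings
"Important updates:          $($levels[[int]$s.NotificationLevel])"
"Install new updates:        $($days[[int]$s.ScheduledInstallationDay]) at $('{0:00}:00' -f [int]$s.ScheduledInstallationTime)"
"Recommended updates:        $($s.IncludeRecommendedUpdates)"
"Allow all users to install: $($s.NonAdministratorsElevated)"
"Configuration enforced:     $($s.ReadOnly)"        # true when Group Policy owns these settings
"Last successful check:      $($au.Results.LastSearchSuccessDate)"
"Last successful install:    $($au.Results.LastInstallationSuccessDate)"

$lastInstall = ($hotfixes | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
if (-not $lastInstall -or ((Get-Date) - $lastInstall).TotalDays -gt $maxDaysSinceInstall) {
    Write-Warning "No hot-fix installed in the last $maxDaysSinceInstall days (last: $lastInstall)."
}

# Ask the agent what is applicable but missing; IsHidden=0 skips updates an admin hid.
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
"Updates not yet installed: $($result.Updates.Count)"
foreach ($u in $result.Updates) {
    '{0,-10} {1}  [{2}]' -f $u.MsrcSeverity, $u.Title, (($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ',')
}
```

The settings block maps directly onto the Windows Update Settings list above: notification level 3 is "Download updates but let me choose whether to install them", ScheduledInstallationDay 0 with time 3 is "Every day at 03:00", and ReadOnly is the "Configuration enforced" flag. The missing-updates search is the part that Get-HotFix cannot give you, and it is what a missing-patch scanner such as MBSA performs for the whole estate.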
34. Products Installed
Section Summary
There are 39 MSI-installed software products on this system.
Section Detail
Product Name | Version | Install Date | Publisher
Acrobat.com | 1.6.65 | 2012-01-24 | Adobe Systems Incorporated
Adobe AIR | 1.5.0.7220 | 2012-01-24 | Adobe Systems Inc.
Adobe Reader 9.1 | 9.1.0 | 2012-01-24 | Adobe Systems Incorporated
Microsoft Office Access MUI (English) 2010 | 14.0.4763.1000 | 2012-01-24 | Microsoft Corporation
Microsoft Office Access Setup Metadata MUI (English) 2010 | 14.0.4763.1000 | 2012-01-24 | Microsoft Corporation
Microsoft Office Excel MUI (English) 2010 | 14.0.4763.1000 | 2012-01-24 | Microsoft Corporation
Microsoft Office Groove MUI (English) 2010 | 14.0.4763.1000 | 2012-01-24 | Microsoft Corporation
Microsoft Office InfoPath MUI (English) 2010 | 14.0.4763.1000 | 2012-01-24 | Microsoft Corporation
Microsoft Office Office 64-bit Components 2010 | 14.0.4763.1000 | 2012-01-24 | Microsoft Corporation
Microsoft Office OneNote MUI (English) 2010 | 14.0.4763.1000 | 2012-01-24 | Microsoft Corporation
Microsoft Office Outlook MUI (English) 2010 | 14.0.4763.1000 | 2012-01-24 | Microsoft Corporation
Microsoft Office PowerPoint MUI (English) 2010 | 14.0.4763.1000 | 2012-01-24 | Microsoft Corporation
Microsoft Office Professional Plus 2010 | 14.0.4763.1000 | 2012-01-24 | Microsoft Corporation
Microsoft Office Proof (English) 2010 | 14.0.4763.1000 | 2012-01-24 | Microsoft Corporation
Microsoft Office Proof (French) 2010 | 14.0.4763.1000 | 2012-01-24 | Microsoft Corporation
Microsoft Office Proof (Spanish) 2010 | 14.0.4763.1000 | 2012-01-24 | Microsoft Corporation
Microsoft Office Proofing (English) 2010 | 14.0.4763.1000 | 2012-01-24 | Microsoft Corporation
Microsoft Office Publisher MUI (English) 2010 | 14.0.4763.1000 | 2012-01-24 | Microsoft Corporation
Microsoft Office Shared 64-bit MUI (English) 2010 | 14.0.4763.1000 | 2012-01-24 | Microsoft Corporation
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010 | 14.0.4763.1000 | 2012-01-24 | Microsoft Corporation
Microsoft Office Shared MUI (English) 2010 | 14.0.4763.1000 | 2012-01-24 | Microsoft Corporation
Microsoft Office Shared Setup Metadata MUI (English) 2010 | 14.0.4763.1000 | 2012-01-24 | Microsoft Corporation
Microsoft Office Word MUI (English) 2010 | 14.0.4763.1000 | 2012-01-24 | Microsoft Corporation
Microsoft SQL Server 2008 Browser | 10.1.2531.0 | 2012-01-24 | Microsoft Corporation
Microsoft SQL Server 2008 Common Files | 10.0.1600.22 | 2012-01-24 | Microsoft Corporation
Microsoft SQL Server 2008 Common Files | 10.1.2531.0 | 2012-01-24 | Microsoft Corporation
Microsoft SQL Server 2008 Database Engine Services | 10.1.2531.0 | 2012-01-24 | Microsoft Corporation
Microsoft SQL Server 2008 Database Engine Services | 10.1.2531.0 | 2012-01-24 | Microsoft Corporation
Microsoft SQL Server 2008 Database Engine Shared | 10.1.2531.0 | 2012-01-24 | Microsoft Corporation
Microsoft SQL Server 2008 Database Engine Shared | 10.1.2531.0 | 2012-01-24 | Microsoft Corporation
Microsoft SQL Server 2008 Native Client | 10.1.2531.0 | 2012-01-24 | Microsoft Corporation
Microsoft SQL Server 2008 RsFx Driver | 10.1.2531.0 | 2012-01-24 | Microsoft Corporation
Microsoft SQL Server 2008 Setup Support Files | 10.1.2531.0 | 2012-01-24 | Microsoft Corporation
Microsoft SQL Server VSS Writer | 10.1.2531.0 | 2012-01-24 | Microsoft Corporation
Sophos Anti-Virus | 9.7.0 | 2012-01-24 | Sophos Limited
Sophos AutoUpdate | 2.5.8 | 2012-01-24 | Sophos Limited
Sophos Enterprise Console | 4.5.1 | 2012-01-24 | Sophos Plc
Sophos Update Manager | 1.1.1.141 | 2012-01-24 | Sophos plc
Sql Server Customer Experience Improvement Program | 10.1.2531.0 | 2012-01-24 | Microsoft Corporation
For details of all properties see worksheet Products in the MS-Excel workbook.
Implications
This report section lists software products that were installed by Windows Installer (MSI). Unauthorised software
installations expose you to the following risks:
- Compromised security, if the software does not originate from a reputable vendor or it has not been properly tested prior to implementation.
- Legal action and penalties due to the use of unlicensed software on your systems.
- Additional training and maintenance costs due to the need to support multiple versions of similar software.
Risk Rating
Medium / High (if unauthorised software is installed on your system).
Recommended Action
You should ensure that software policies define a list of approved software and prevent the installation of
unauthorised software products. Policies should be consistently enforced and regularly monitored for compliance.
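Monitoring for compliance means comparing the live inventory with the approved list on a schedule. The script below is an added example for this edit, not SekChek code. It builds the MSI product inventory from the Uninstall registry keys and flags products outside a baseline. It reads the registry rather than the Win32_Product WMI class because enumerating that class makes Windows Installer verify, and possibly repair, every package on the host, which is slow and writes to the event log. The approved publishers and the named exception are a hypothetical baseline drawn from the inventory above; per-user installs under HKCU are not covered.

```powershell
# Added example, not SekChek code. MSI product inventory from the Uninstall
# registry keys, compared with a hypothetical approved baseline. Avoids
# Win32_Product, whose enumeration triggers an MSI consistency check of every
# package. Per-user installs (HKCU) are not covered.

$approvedPublishers = @('Microsoft Corporation', 'Sophos Limited', 'Sophos Plc')
$approvedProducts   = @('Adobe Reader 9.1')          # named exceptions

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# WindowsInstaller=1 marks MSI packages; other entries are legacy/EXE installers.
$products = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.WindowsInstaller -eq 1 } |
    ForEach-Object {
        [PSCustomObject]@{
            Name        = $_.DisplayName
            Version     = $_.DisplayVersion
            Publisher   = $_.Publisher
            InstallDate = if ($_.InstallDate -match '^\d{8}$') {
                              [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null)
                          } else { $null }
            # The product code is the stable identifier; names and publishers are free text.
            ProductCode = $_.PSChildName
            Bitness     = if ($_.PSPath -match 'Wow6432Node') { 'x86' } else { 'x64' }
        }
    } | Sort-Object Name, Version

$unapproved = @($products | Where-Object {
    $approvedPublishers -notcontains $_.Publisher -and $approvedProducts -notcontains $_.Name
})

"MSI-installed products: $(@($products).Count); not in baseline: $($unapproved.Count)"
$unapproved | Format-Table Name, Version, Publisher, InstallDate, Bitness, ProductCode -AutoSize
```

Run against the inventory above, Acrobat.com and Adobe AIR would be reported (two different spellings of the Adobe publisher name, neither approved) while Adobe Reader 9.1 passes on the named exception. The publisher strings are whatever the installer wrote, which is why the output carries the product code: a baseline keyed on product codes cannot be satisfied by a package that merely claims a trusted publisher.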
35. Current Network Connections
Section Summary
SekChek was unable to analyse active network connections because the required dll was not present on the system.
Section Detail
** No data found. **
Process ID
The process identification number attached to the Current Network Connection.
Local Address
The address of the local end of the socket.
Local Port
The port number of the local end of the socket.
Remote Address
The address of the remote end of the socket.
Remote Port
The port number of the remote end of the socket.
State
Shows the connection state of the socket. This can be one of the following values:
CLOSE_WAIT | The remote end has shut down; waiting for the socket to close
CLOSED | The socket is not being used
CLOSING | Both sockets are shut down but we still have data to send
ESTABLISHED | The socket has an established connection
FIN_WAIT1 | The socket is closed and the connection is shutting down
FIN_WAIT2 | The connection is closed and the socket is waiting for a shutdown from the remote end
IDLE | Idle, opened but not bound
LAST_ACK | The remote end has shut down and the socket is closed; waiting for acknowledgement
LISTENING | The socket is listening for incoming connections
SYN_RECV | A connection request has been received from the network
SYN_SENT | The socket is actively attempting to establish a connection
TIME_WAIT | The socket is waiting after close to handle packets still in the network
UNKNOWN | The state of the socket is unknown
Filename
The filename of the process that is attached to the Current Network Connection.
Implications
This report section lists all active network connections for TCP protocols, including the local and remote addresses, the ports in use and the state of each connection. It does not indicate which services are configured to use these ports.
The port numbers used by some of the most common network services are:
Port number   Service
7             echo
20            ftp data
21            ftp
22            ssh
23            telnet
25            smtp
43            whois
53            DNS
69            tftp
79            finger
80            http
110           POP3
119           nntp
143           IMAP
161           snmp
194           irc
443           https
512           exec
Network services and their associated ports provide several opportunities for intruders to exploit your system. Some examples are:
• Services such as telnet (port 23) and ftp (port 21) transmit user passwords in clear text, which makes them vulnerable to capture by 'sniffer' software;
• Older versions of services often contain security weaknesses, which can be exploited to gain access to your system using the account under which the service runs;
• Services such as finger (port 79) provide intruders with useful information about your system, such as details of inactive user accounts, which can be used to gain access to your system.
Risk Rating
Medium to High (if inappropriate network services are running).
Recommended Action
You should determine what services are configured to use these ports and:
• Disable any unused or redundant services;
• Limit the number of services that run under the 'administrator' account by running them under an account with fewer privileges;
• Frequently check with your software vendor for security vulnerabilities in the services you are running and apply any relevant software patches;
• Consider replacing services that transmit passwords in clear text with more secure software (for example ssh in place of telnet, and SFTP or FTPS in place of ftp);
• Ensure that hosts running open services are located behind properly configured firewalls;
• Monitor open ports and connections for signs of unusual activity, particularly from addresses external to your organisation.
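Because SekChek could not collect this section on PUFFADDER, the data has to be gathered by hand, and the first recommended action (determine which service owns each port) needs the owning process, which the report's own column set does not carry. The block below is an added example, not SekChek code: it lists TCP endpoints with the owning process, flags listeners on the clear-text or information-leaking TCP ports named above, and picks out established sessions whose peer is outside private or loopback address space. Get-NetTCPConnection and Get-NetUDPEndpoint need Windows 8 / Server 2012 or later; on older systems 'netstat -ano' gives the PID column and the rest is done by hand. The internal-address pattern is an assumption standing in for your own address plan.

```powershell
# Added example, not part of the SekChek report or its collector.
# TCP-only watch list: snmp (161) and tftp (69) are UDP and are handled below.
$Watch = @{ 7 = 'echo'; 21 = 'ftp'; 23 = 'telnet'; 79 = 'finger';
            110 = 'POP3'; 143 = 'IMAP'; 512 = 'exec' }

$Conns = foreach ($c in Get-NetTCPConnection) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    $port = [int]$c.LocalPort            # hashtable keys above are Int32
    [pscustomobject]@{
        PID           = $c.OwningProcess
        Process       = if ($proc) { $proc.ProcessName } else { '?' }
        LocalAddress  = $c.LocalAddress
        LocalPort     = $port
        RemoteAddress = $c.RemoteAddress
        RemotePort    = $c.RemotePort
        State         = $c.State
        Concern       = if ($c.State -eq 'Listen' -and $Watch.ContainsKey($port)) {
                            "listening: $($Watch[$port])" } else { '' }
    }
}

'== All TCP endpoints with owning process =='
$Conns | Sort-Object State, LocalPort | Format-Table -AutoSize

'== Listeners on ports of concern =='
$Conns | Where-Object Concern | Format-Table PID, Process, LocalAddress, LocalPort, Concern -AutoSize

# Assumed internal ranges (RFC 1918, loopback, unspecified); replace with your own.
$Internal = '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|0\.0\.0\.0$|::1$|::$)'
'== Established sessions with external peers =='
$Conns | Where-Object { $_.State -eq 'Established' -and $_.RemoteAddress -notmatch $Internal } |
    Format-Table PID, Process, LocalPort, RemoteAddress, RemotePort -AutoSize

'== UDP listeners (covers snmp 161 and tftp 69) =='
Get-NetUDPEndpoint | Sort-Object LocalPort |
    Format-Table LocalAddress, LocalPort, OwningProcess -AutoSize
```

The Process column is what lets you act on the listing: a listener on port 23 owned by tlntsvr is a service to disable, whereas one owned by an unexpected binary is an incident. Note that a listener on 0.0.0.0 or :: is reachable on every interface, so firewall placement (the fifth recommendation) is the only thing limiting who can talk to it.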
36. Logical Drives
Section Summary
There were a total of 4 logical drives defined to your domain controller when this analysis was run.
Section Detail
Drive   Type        Volume Name     Serial Number   File System   Disk Size (MB)   Free Space (MB)   % Free   Comment
A:\     Removable
C:\     Fixed                       7CA7-6D3D       NTFS          40857            24409             59.74%
D:\     CDROM       20120124_1531   C71C-CE20       CDFS          78                                 0.00%
Z:\     Remote      New Volume      45BD-987        NTFS          2996             2977              99.35%
Disk Quotas
Note that the free space displayed for a drive may exceed the disk size if disk quotas are used (indicated by **User
Quotas** in the Comment field). This is because the Free Space column indicates the total amount of free space on
the drive, while the Disk Size column indicates the space available to the user under the disk quota rules.
Implications
The NTFS file system provides more security features than the FAT file system and should be used whenever security is a concern. With NTFS you can assign a variety of protections (access permissions and audit settings) to files and directories; FAT volumes support neither, so anything stored on them is readable by any local user.
Risk Rating
Medium to High (Depending on the sensitivity of files and directories).
Recommended Action
As a rule, you should ensure that sensitive files and directories are on NTFS partitions.
37. Network Shares
Section Summary
There were a total of 10 Network Shares defined to your domain controller when this analysis was run.
Section Detail
Share Name      Path                                                          Type                               Max Uses      Remark
ADMIN$          C:\Windows                                                    Special Share                      *unlimited*   Remote Admin
BG temp         C:\BG temp                                                    File Share                         *unlimited*
C$              C:\                                                           Special Share                      *unlimited*   Default share
IPC$                                                                          Interprocess communication (IPC)   *unlimited*   Remote IPC
NETLOGON        C:\Windows\SYSVOL\sysvol\Snake.com\SCRIPTS                    File Share                         *unlimited*   Logon server share
SophosUpdate    C:\ProgramData\Sophos\Update Manager\Update Manager           File Share                         *unlimited*
SUMInstallSet   C:\Program Files (x86)\Sophos\Enterprise Console\SUMInstaller  File Share                         *unlimited*   Sophos Update Manager Installer
SYSVOL          C:\Windows\SYSVOL\sysvol                                      File Share                         *unlimited*   Logon server share
WolfSpace_2     C:\BG temp                                                    File Share                         *unlimited*
WolfSpace1      C:\DfsRoots\WolfSpace1                                        File Share                         *unlimited*
Implications
Windows Server enables you to designate resources you want to share with others. For example:
• When a directory is shared, authorised users can make connections to the directory (and access its files) from their own workstations.
• When a printer is shared, many users can print from it over the network.
Once a resource is shared, you can restrict its availability over the network to certain users. These restrictions, called share permissions, can vary from user to user. With Windows Server, you create the appropriate level of network resource security with a combination of resource sharing and resource permissions.
Risk Rating
Medium to High (Depending on the sensitivity of the data stored in the shared directories).
Recommended Action
You should ensure that directories containing sensitive data files are not shared or are adequately secured via resource permissions.
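The share listing above records names, paths and connection limits but not who can reach each share, which is what the recommendation turns on. The block below is an added example, not SekChek code: it walks every non-administrative SMB share on the local server, prints the share-level ACL and the NTFS ACL of the folder behind it, and marks entries that give a catch-all group Change/Full (share level) or Modify, FullControl or Write rights (NTFS level). Get-SmbShare and Get-SmbShareAccess need Windows Server 2012 or later; 'net share' and icacls give the same information on older systems. The list of catch-all groups is an assumption to extend with your own.

```powershell
# Added example, not part of the SekChek report.
# Groups treated as "everyone in practice"; assumption, extend for your domain.
$Broad = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
function Test-Broad ([string]$Account) {
    ($Broad -contains $Account) -or ($Account -like '*\Domain Users')
}

$Findings = foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
    # Share permissions (the first of the two layers the report describes)
    foreach ($a in Get-SmbShareAccess -Name $share.Name) {
        [pscustomobject]@{
            Share   = $share.Name
            Path    = $share.Path
            Level   = 'Share'
            Account = $a.AccountName
            Access  = "$($a.AccessControlType): $($a.AccessRight)"
            Review  = if ($a.AccessControlType -eq 'Allow' -and $a.AccessRight -in 'Full', 'Change' -and
                          (Test-Broad $a.AccountName)) { 'BROAD' } else { '' }
        }
    }
    # Resource (NTFS) permissions on the folder behind the share
    if ($share.Path -and (Test-Path -LiteralPath $share.Path)) {
        foreach ($ace in (Get-Acl -LiteralPath $share.Path).Access) {
            [pscustomobject]@{
                Share   = $share.Name
                Path    = $share.Path
                Level   = 'NTFS'
                Account = $ace.IdentityReference.Value
                Access  = "$($ace.AccessControlType): $($ace.FileSystemRights)"
                Review  = if ($ace.AccessControlType -eq 'Allow' -and
                              $ace.FileSystemRights.ToString() -match 'FullControl|Modify|Write' -and
                              (Test-Broad $ace.IdentityReference.Value)) { 'BROAD' } else { '' }
            }
        }
    }
}

'== All share and NTFS entries =='
$Findings | Sort-Object Share, Level | Format-Table -AutoSize

'== Entries to review =='
$Findings | Where-Object Review | Format-Table Share, Level, Account, Access -AutoSize
```

Effective access over the network is the intersection of the two layers, so a BROAD share-level entry is harmless if the NTFS ACL cuts it back, and vice versa; the output shows both so the reviewer can see which layer is doing the work. Two shares in this report (BG temp and WolfSpace_2) expose the same folder, so a permission fix on the NTFS layer covers both at once while a share-level fix has to be made twice.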
38. Home Directories, Logon Scripts and Profiles
Section Summary
All Accounts
• 100.0% (16) of user accounts do not have a home directory.
• 100.0% (16) of user accounts do not have a logon script.
• 100.0% (16) of user accounts are not restricted to logging on from specific workstations.
• 100.0% (16) of user accounts do not have specific logon profiles.
Excluding Disabled Accounts
• 68.8% (11) of user accounts do not have a home directory.
• 68.8% (11) of user accounts do not have a logon script.
• 68.8% (11) of user accounts are not restricted to logging on from specific workstations.
• 68.8% (11) of user accounts do not have specific logon profiles.
All Administrator Accounts
• 100.0% (2) of administrator accounts do not have a home directory.
• 100.0% (2) of administrator accounts do not have a logon script.
• 100.0% (2) of administrator accounts are not restricted to logging on from specific workstations.
• 100.0% (2) of administrator accounts do not have specific logon profiles.
Administrator Accounts (Excluding Disabled Accounts)
• 100.0% (2) of administrator accounts do not have a home directory.
• 100.0% (2) of administrator accounts do not have a logon script.
• 100.0% (2) of administrator accounts are not restricted to logging on from specific workstations.
• 100.0% (2) of administrator accounts do not have specific logon profiles.
Industry Average Comparison (All Accounts)
Section Detail
Account Name          Home Directory   Logon Script Path   Workstation Restrictions   Logon Profile   State   Privilege
Administrator         No               No                  No                         No                      Administrator
bradley               No               No                  No                         No                      User
GpLinkTest            No               No                  No                         No                      Administrator
Guest                 No               No                  No                         No              D       Guest
krbtgt                No               No                  No                         No              D       User
SophosSAUPUFFADDER0   No               No                  No                         No                      User
SophosUpdateMgr       No               No                  No                         No                      User
Sun                   No               No                  No                         No                      User
SUPPORT_388945a0      No               No                  No                         No                      User
User4                 No               No                  No                         No                      User
User5                 No               No                  No                         No                      User
User6                 No               No                  No                         No                      User
User7                 No               No                  No                         No                      User
User9                 No               No                  No                         No                      User
Virtual1              No               No                  No                         No                      User
Virtual2              No               No                  No                         No                      User
State values D, E and LE are also recorded for three further accounts in this listing but are not attached to a particular row.
Implications
A home directory is used as the user's default directory for the "File Open" and "Save As" dialog boxes, for the command prompt, and for all applications that do not have a defined working directory.
Home directories make it easier for an administrator to back up user files and delete user accounts because they are grouped in one location.
The home directory can be a local directory on a user's computer or a shared network directory, and can be assigned to a single user or many users.
A user's logon script runs automatically every time the user logs on. It can be used to configure a user's working environment at every logon, and allows an administrator to affect a user's environment without managing all its aspects. A logon script can be assigned to one or more user accounts.
In Windows 200x* Server, Workstation Restrictions can be used to control the computers from which a user is allowed to log on. The alternative is to allow a user to log on from any computer.
Restricting the workstations a user can use to log on to your system can improve security and discourage potential hackers. This is especially true for sensitive accounts. The restriction is matched by computer name, so the list has to be kept in step with machine renames and replacements or the account will be locked out of its own workstations.
A user profile defines the Windows 200x* configuration for a specific user or group of users.
By default, and excepting Guest accounts, each Windows 200x* computer maintains a profile for each user who has logged on to the computer. A profile contains information about a user's Windows 200x* configuration. Much of this information controls options the user can set, such as colour scheme, screen savers, and mouse and keyboard layout. Other profile information controls options that can be set only by a Windows 200x* administrator, such as access to common program groups or network printers.
Risk Rating
Medium to Low.
Recommended Action
To minimise potential loss of data and ease administration, users should have defined home directories, which can be
regularly backed up.
To ease administration and afford better control over user environments, each user should have a logon script.
You should consider the additional benefits in security that workstation restrictions can provide. It is particularly suited
to those environments with high security needs or very sensitive systems and information.
You should consider the benefits of defining logon profiles for users. This can ease administration and enhance
security.
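The four percentages in the section summary can be regenerated, and the workstation restriction applied, with the Active Directory module. The block below is an added example, not SekChek code: it reports, for every enabled user, whether a home directory, logon script, workstation restriction and profile path are set, separates out accounts protected by AdminSDHolder (AdminCount = 1) because those are the "sensitive accounts" the recommendation singles out, and then shows the Set-ADUser call that pins one account to named workstations. GpLinkTest is one of the two administrator accounts in this report; the workstation names ADMIN-WS01 and ADMIN-WS02 are placeholders. The module ships with RSAT / the AD DS role.

```powershell
# Added example, not part of the SekChek report.
Import-Module ActiveDirectory

$Props = 'HomeDirectory', 'ScriptPath', 'LogonWorkstations', 'ProfilePath', 'AdminCount'
$Users = Get-ADUser -Filter 'Enabled -eq $true' -Properties $Props

$Report = foreach ($u in $Users) {
    [pscustomobject]@{
        Account       = $u.SamAccountName
        HomeDirectory = [bool]$u.HomeDirectory
        LogonScript   = [bool]$u.ScriptPath
        WkstnRestrict = [bool]$u.LogonWorkstations
        Profile       = [bool]$u.ProfilePath
        Privileged    = ([int]$u.AdminCount -eq 1)   # AdminSDHolder-protected account
    }
}

$Report | Sort-Object -Property @{Expression = 'Privileged'; Descending = $true}, Account |
    Format-Table -AutoSize

# The same percentages the section summary reports, for enabled accounts.
$Total = @($Report).Count
foreach ($col in 'HomeDirectory', 'LogonScript', 'WkstnRestrict', 'Profile') {
    $missing = @($Report | Where-Object { -not $_.$col }).Count
    '{0,-14} not set on {1,5:P1} ({2}) of enabled accounts' -f $col, ($missing / $Total), $missing
}

# Privileged accounts with no workstation restriction: the first ones to fix.
$Report | Where-Object { $_.Privileged -and -not $_.WkstnRestrict }

# Pin an administrator account to two admin workstations. LogonWorkstations is a
# comma-separated list of NetBIOS names. -WhatIf previews the change; remove it to apply.
Set-ADUser -Identity 'GpLinkTest' -LogonWorkstations 'ADMIN-WS01,ADMIN-WS02' -WhatIf
```

Run the report before and after the change and the WkstnRestrict column for GpLinkTest flips from False to True. Keep the privileged-accounts list short and the workstation list exact: a privileged account restricted to a hardened admin workstation cannot be used from a compromised user desktop even if its credentials are stolen, which is the security benefit the recommendation refers to.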
39. File Permissions and Auditing
Section Summary
This report section details the permissions and audit settings for 5 predefined and 0 user selected directories/files on
your system.
Section Detail
For details see worksheet Permissions in the MS-Excel workbook.
Implications
This report section lists the owner and access permissions (DACL) for selected files and directories. It also lists the
audit settings (SACL) for files and directories.
More specifically, the report section lists the contents of each Access Control Entry (ACE) in the file or directory's Discretionary Access Control List (DACL). A DACL contains one or more ACEs that control access to the associated resource.
An ACE in a DACL can Allow or Deny access to a resource. ACEs are evaluated in order, so a Deny ACE wins only if it is reached before the requested rights have all been granted. Windows keeps a DACL in canonical order (explicit Deny, explicit Allow, then inherited ACEs in the same pattern), which is why an explicit Deny normally overrides an Allow, but also why an explicit Allow on the object itself overrides a Deny inherited from its parent folder.
The report section also lists the contents of each Access Control Entry (ACE) in the file or directory’s System Access
Control List (SACL). A SACL contains one or more ACEs that define what actions on the object are audited (e.g.
deletion of a file and changes to a folder’s permissions). The event types are Success and Failure.
Legend:
Resource Name
The name of the resource being analysed.
Resource Type
The type of resource being analysed. At present the only resource types analysed by
SekChek are files and directories.
ACL Type
The type of ACL being analysed: a DACL or a SACL.
Owner
The owner of the resource.
Owner Domain
The resource owner’s domain.
Owner Account Type
The owner’s account type. E.g. Alias, User.
Ace Nbr
The sequential number of the ACE. Windows reads ACEs in this order, stopping at an ACE that denies one of the requested rights or once every requested right has been granted; in a SACL each Audit ACE defines what is audited and the event type.
Account
The name of the account to which this ACE applies.
Domain
The account’s domain.
Account Type
The type of the account. E.g. Alias, User, Group.
Ace Type
Allow or Deny access to the resource in the case of an ACE in a DACL; Success or
Failure events for a SACL.
Apply Onto
Specifies where permissions or auditing are applied. These values are shown as they appear in the Windows property box. E.g.:
• This folder / object only
• This folder, subfolders & files
• This folder & subfolders
• This folder & files
• Subfolders & files only
• Subfolders only
• Files only
Inherited
Indicates whether the permissions or audit settings are inherited from a higher level.
Special Permissions (ACE in a DACL):
Traverse Folder / Execute File
For folders: Traverse Folder allows or denies moving through folders to reach other files or folders, even if the user has no permissions for the traversed folders (applies to folders only). Traverse Folder takes effect only when the group or user is not granted the Bypass traverse checking user right in the Group Policy snap-in. (By default, the Everyone group is given the Bypass traverse checking user right.)
For files: Execute File allows or denies running program files (applies to files only).
Setting the Traverse Folder permission on a folder does not automatically set the Execute File permission on all files within that folder.
List Folder / Read Data
List Folder allows or denies viewing file names and subfolder names within the
folder. List Folder only affects the contents of that folder and does not affect
whether the folder you are setting the permission on will be listed. Applies to
folders only.
Read Data allows or denies viewing data in files (applies to files only).
Read Attributes
Allows or denies viewing the attributes of a file or folder, such as read-only and
hidden. Attributes are defined by NTFS.
Read Extended Attributes
Allows or denies viewing the extended attributes of a file or folder. Extended
attributes are defined by programs and may vary by program.
Create Files / Write Data
Create Files allows or denies creating files within the folder (applies to folders
only).
Write Data allows or denies making changes to the file and overwriting existing
content (applies to files only).
Create Folders / Append Data
Create Folders allows or denies creating folders within the folder (applies to
folders only).
Append Data allows or denies making changes to the end of the file but not
changing, deleting, or overwriting existing data (applies to files only).
Write Attributes
Allows or denies changing the attributes of a file or folder, such as read-only or
hidden. Attributes are defined by NTFS.
The Write Attributes permission does not imply creating or deleting files or
folders, it only includes the permission to make changes to the attributes of a
file or folder. In order to allow (or deny) create or delete operations, see Create
Files/Write Data, Create Folders/Append Data, Delete Subfolders and
Files, and Delete.
Write Extended Attributes
Allows or denies changing the extended attributes of a file or folder. Extended
attributes are defined by programs and may vary by program.
The Write Extended Attributes permission does not imply creating or deleting
files or folders, it only includes the permission to make changes to the
attributes of a file or folder. In order to allow (or deny) create or delete
operations, see Create Files/Write Data, Create Folders/Append Data,
Delete Subfolders and Files, and Delete.
Delete Subfolders And Files
Allows or denies deleting subfolders and files, even if the Delete permission
has not been granted on the subfolder or file. (applies to folders)
Delete
Allows or denies deleting the file or folder. If you don't have Delete permission
on a file or folder, you can still delete it if you have been granted Delete
Subfolders and Files on the parent folder.
Read Permissions
Allows or denies reading permissions of the file or folder, such as Full Control,
Read, and Write.
Change Permissions
Allows or denies changing permissions of the file or folder, such as Full
Control, Read, and Write.
Take Ownership
Allows or denies taking ownership of the file or folder. The owner of a file or
folder can always change permissions on it, regardless of any existing
permissions that protect the file or folder.
File Synchronise
Allows or denies different threads to wait on the handle for the file or folder and
synchronize with another thread that may signal it. This permission applies
only to multithreaded, multiprocess programs.
Windows’ special permissions are logically grouped to form generic permissions: Full Control, Modify, Read &
Execute, List Folder Contents, Read, and Write.
The following table illustrates how special permissions are grouped together into these higher-level generic permissions.
Special Permissions            Full Control   Modify   Read & Execute   List Folder Contents (folders only)   Read   Write
Traverse Folder/Execute File   x              x        x                x
List Folder/Read Data          x              x        x                x                                     x
Read Attributes                x              x        x                x                                     x
Read Extended Attributes       x              x        x                x                                     x
Create Files/Write Data        x              x                                                                      x
Create Folders/Append Data     x              x                                                                      x
Write Attributes               x              x                                                                      x
Write Extended Attributes      x              x                                                                      x
Delete Subfolders and Files    x
Delete                         x              x
Read Permissions               x              x        x                x                                     x      x
Change Permissions             x
Take Ownership                 x
Synchronize                    x              x        x                x                                     x      x
Risk Rating
High (if access permissions are inappropriate and allow unintended access to sensitive resources).
Recommended Action
You should:
• Periodically check access permissions for sensitive files and directories to ensure they remain appropriate and reflect the requirements of a person's job function.
• Ensure that all changes to access permissions are properly authorised by management.
• Consider logging audit events for sensitive files and directories. Note that large numbers of audit log entries may be generated for frequently accessed files and directories, so audit the actions that matter (deletion, permission and ownership changes) rather than every read.
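The DACL and SACL columns described in the legend above map directly onto what Get-Acl returns, which makes the periodic check and the audit configuration scriptable. The block below is an added example, not SekChek code: it dumps a folder's DACL in ACE order (the Ace Nbr column), flags broad Allow entries, and then adds a SACL entry that records successful deletes, permission changes and ownership changes for the folder, its subfolders and files. 'C:\BG temp' is one of the shared folders in this report; the catch-all group list is an assumption. Reading or writing a SACL needs the "Manage auditing and security log" right (SeSecurityPrivilege), and the audit ACE only produces events once object-access (File System subcategory) auditing is enabled in the audit policy, which is a separate setting covered earlier in this report.

```powershell
# Added example, not part of the SekChek report.
$Path  = 'C:\BG temp'                      # a shared folder from this report
$Broad = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')   # assumption

# -Audit loads the SACL alongside the DACL (needs SeSecurityPrivilege).
$acl = Get-Acl -LiteralPath $Path -Audit
"Owner: $($acl.Owner)"

# DACL in evaluation order, with the Apply Onto information the legend describes.
$n = 0
$dacl = foreach ($ace in $acl.Access) {
    $n++
    $broad = $ace.AccessControlType -eq 'Allow' -and
             ($Broad -contains $ace.IdentityReference.Value) -and
             $ace.FileSystemRights.ToString() -match 'FullControl|Modify|Write'
    [pscustomobject]@{
        AceNbr    = $n
        Account   = $ace.IdentityReference.Value
        AceType   = $ace.AccessControlType
        Rights    = $ace.FileSystemRights
        Inherited = $ace.IsInherited
        ApplyOnto = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
        Review    = if ($broad) { 'BROAD' } else { '' }
    }
}
$dacl | Format-Table -AutoSize

# Audit ACE: Success events for Everyone on the actions that change or remove data
# or its protection, applied to this folder, subfolders and files.
$rights  = [System.Security.AccessControl.FileSystemRights] 'Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$inherit = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]::Success
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $rights, $inherit, $prop, $flags)

$acl.AddAuditRule($rule)
Set-Acl -LiteralPath $Path -AclObject $acl

# Confirm the SACL now carries the entry.
(Get-Acl -LiteralPath $Path -Audit).Audit |
    Format-Table IdentityReference, AuditFlags, FileSystemRights, InheritanceFlags, IsInherited -AutoSize
```

Saving the DACL listing from each run and comparing it with the previous one turns the first recommendation into a change-detection check: any new ACE, or any entry whose Inherited value flips, is a permission change that should have an authorisation behind it. The audit rule deliberately omits read and list rights; on a folder that is shared and in daily use those generate the flood of entries the note above warns about, while delete and permission changes are rare and are the events an investigator actually needs.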