WESTERN GOVERNORS UNIVERSITY Submittal Cover Sheet
Transcription
WESTERN GOVERNORS UNIVERSITY Submittal Cover Sheet
WESTERN GOVERNORS UNIVERSITY Submittal Cover Sheet Date: 2 July 2007 Student Name: Mark J. Hufford Student ID Number: Student Degree Program: BS ITNM Student Email: Four Digit Assessment/Project Code: CAPU Mentor Name: Dr. George Teston For Revisions Only Indicate Previous Grader: Submissions received with an altered, incomplete or missing cover sheet will be returned for resubmission. Submit to: Western Governors University Attn.: Assessment Delivery Department 4001 South 700 East, Suite 700 Salt Lake City, Utah 84107-2533 [email protected] Capstone Project Cover Sheet Capstone Project Title: Network Security & Efficiency Survey Student Name: Mark J. Hufford Degree Program: BS ITNM Mentor Name: Dr. George Teston Signature Block Student’s Signature Mentor’s Signature Table of Contents Introduction ............................................. Error! Bookmark not defined. Rational and Systems Analysis ............................................................... 3 Project Goals and Objectives .................................................................. 8 Project Timeline ................................................................................. 14 Project Development ........................................................................... 16 Actual and Potential Effects .................................................................. 17 Conclusions ....................................................................................... 18 References ........................................................................................ 20 Appendix 1: Competency Matrix ........................................................... 21 Appendix 2: Client Business Model Survey ............................................. 25 Appendix 3: Workstation Survey Spreadsheet ........................................ 25 Appendix 4: Server Survey Spreadsheet................................................ 25 Appendix 5: Sample MBSA Reports ....................................................... 26 Appendix 6: Network Upgrade Proposal ................................................. 50 Appendix 7: End User’s Security Manual ................................................ 50 Appendix 8: Capstone Proposal ............................................................ 50 Page 1 Introduction Poorly managed network infrastructures can have adverse effects on a company’s profitability. Likewise, a lack of network fidelity can damage a business’s credibility and can result in a loss of customers. This is most certainly the case with IT training companies. There is a certainly level of unacceptable irony found when a computer training facility has blaring security threats in its network. Whether because of a lack of funds or expertise, many businesses have serious network and computer security issues that affect the efficiency with which business processes are executed. So how do companies that find themselves in such situations get back in the game? Is it possible to recover from a network chokehold without dropping a load of dough? If you are willing to do a little homework, there most certainly is! With good intentions, IT professionals frequently dive right into similar situations and start fixing problems. All too often, however, this is not enough. Blindly attacking a network problem is be about as effective as changing the oil in your car to fix a problem with the brakes. In order to accurately resolve network issues and maximize network efficiency, a network survey must be performed. After which, an execution plan should be devised and closely followed. Real Planit Computer Training, Inc. is an information technologytraining institute in Fayetteville, Arkansas. In the past 5 years, the company Page 2 has experienced a lot of growth. As the business grew, the network grew with it. However, without a network engineer onboard or even a hired consultant, the network grew out of control. The owner states that the computers have become progressively slower which has affected the efficiency with which courses are taught. Likewise, the testing room computers and servers are prone to frequent crashes; which has a negative effect on their reputation. As a certified Thomson Prometric™ testing center and a Certiport™ testing center, there are certain network hardware and software metrics, they must meet in order to retain partnership status. I chose to perform a network security survey for Real PlanIT Computer Training, Inc. The comprehensive survey was designed to indentify vulnerabilities in their network servers and workstations so that an upgrade proposal could be delivered. The project began with a meeting with the client to discuss their business needs. It is imperative that one understands their client before attempting to make any changes to their network. An upgrade by any other means would certainly fail. The meeting with the client was a success and set the tone for the entire project. I learned a lot about their business practices, business needs and their information technology needs. Understanding how their business operates allowed me to plan a survey around their schedule. It also empowered me with information necessary to diagnosing the state of the network. As a computer training company, Real Page 3 PlanIT has many software needs for their student workstations. Each of these applications has its own list of minimum system requirements that must be analyzed as part of the survey. It could be possible that some latency was caused by a lack of hardware horsepower as opposed to a network security breach. Hence, all of the information gathered from the preliminary interview and planning meeting was used to develop an effect network survey that would minimize business impact. Rational & Systems Analysis It is worthwhile to research similar projects and industry case studies in preparation for any project. Two applications that aid in analyzing and maintaining network security are the Microsoft Baseline Security Analyzer (MBSA) and Windows Server Update Services (WSUS). According to Microsoft, “Microsoft Baseline Security Analyzer (MBSA) is an easy-to-use tool designed for the IT professional that helps small and medium-sized businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance.” This priceless tool is available as a free download from Microsoft.com. IT professionals around the world have used it countless times. Once MBSA is installed and running, the user has the ability to scan one or multiple computers via the local network. When the scan is complete, the user is presented with an easy to follow security report. The Page 4 report highlights potential security threats with relation to missing operating system patches, missing application patches, whether or not “Automatic Updates” is enabled and whether or not the Windows Firewall is running. It will also examine the number of administrative accounts on a system and password complexity policies. See Figure A for example. Figure A With the rate at which technology changes, it becomes a challenge for any IT professionals to stay on the cutting edge. The MBSA application is necessary for analyzing the security of Windows networks. Scott Lowe (2004), a Microsoft Certified Systems Engineer, said the following regarding the Microsoft Baseline Security Analyzer: Page 5 “Supporting a huge number of Microsoft applications, MBSA can serve you in two ways. First, it will help you keep your servers protected from problems; second, with powerful reporting capabilities, it can help you actually learn why you need to do the things that are suggested so you can make an educated decision as to whether something is an acceptable risk in your environment.” In 2006, Microsoft performed a case study of a network upgrade that took place in Stratford, Ontario Canada. The scenario was not far off from that of Real Planit Computer Training, Inc’s. Running legacy operating systems and applications, City of Stratford found itself in dire need of a security analysis and network upgrade. The survey and upgrade concentrated on the following areas for improvement: Server operating systems & security Workstation operating systems & security Patch management (WSUS) Firewall configuration Disaster recovery planning Business benefits The upgrade was highly successful because the consultants did their homework. Page 6 According to a recent study performed by Keystone Strategy, Inc. (2005), the bottom line concerning the need for information technology is that it “is critical to firm growth because it enables firms to scale – an ability to manage increases the complexity of their business processes, organization and business model.” Wise investments in information technology enable profitable business growth. The most compelling piece of evidence on the validity and necessity of this project concern the vitality of Real Planit Computer Training, Inc. Preliminary interviews were conducted in which the feasibility of project objectives was discussed. The business needs of the company were also discussed during the interviews. As a result of the interviews, it was learned that the business model in terms of services offered is two-fold: Provide high-quality computer training and certification paths for professional adults Maintain partnership status with Thomson Prometric™ and Certiport™ in provide testing/certification services to clients Another discovery was that clients had complained in the recent past of the speed of the network. Complaints were raised with regard to the stability of the testing center as well. On occasion, the lagging computers and network have brought the classroom to a halt; demanding resolution before training Page 7 could continue. Meanwhile, in the testing center, the workstations and testproviding server would intermittently lock up or even crash all together. There is a certain level of unacceptable irony had when a computertraining company’s workstations and servers frequently crash. Such experiences lead to lost business and fewer return customers. Additionally, frequent computer stability issues lead one to question the credibility of the company. Ultimately, it could cost the company their partnership with Thomson Prometric™ or Certiport™. It was suspected that poor system configuration, missing security updates, malware and missing anti-virus updates are at the root of their network woes. They do not want their network operating more efficiently because it would be nice; they need an overhaul to stay competitive in business! Erik Sherman (2007) reports that “organizations with IT strategies tightly integrated with key business processes typically grow faster, with more profit, than those lacking real technical savvy.” It enables them to grow revenue and profit faster than the competition. In Real Planit’s case, the complete lack of an IT department and IT consultants helps to make Sherman’s case. Page 8 Project Goals and Objectives The most important objective of this project was to provide Real Planit Computer Training, Inc. with a network upgrade plan to improve the efficiency with which their business operates. The bottleneck holding back the growth of the business had been the poor state of the network for some time. Regardless of the amount of business growth, the computer network could no longer meet their needs. When computer training is the main service offered by a service provider, the provider’s computer MUST operate without any hitches. Dissecting this objective revealed several underlying goals and objectives. The goals for this project were as follows: Provide the client with a current network security snapshot o Document a workstation survey o Document a server survey o Run the Microsoft Baseline Security Analyzer tool and save the report for each workstation and server Provide the client with a scheduled plan for regaining network stability and improving the overall efficiency and performance of the network Provide the client with a plan for ongoing preventive maintenance and upkeep Page 9 Provide the client with an end-user manual for managing Windows Server Update Services and server based antivirus maintenance Provide the client with a return on investment estimate Before any of these deliverables could be provided, a solid understanding of what the client hoped to get out this was needed. It was necessary to acquire a firm understanding of how Real Planit Computer Training, Inc.’s business processes overlap with their network and computer systems. It would be foolish to attempt to provide a solution without having a solid understanding of the background of the problem. Pre-Survey Client Meeting The first objective was to schedule a meeting to discuss the client’s business processes and how they relate to their computer systems. As a computer training company, the client had specific software application needs for its classroom computers. These applications had a set of minimum system requirements. In the meeting, we discussed their business model and needs. We discussed how their objectives lined up with computer systems. We also discussed their hours of operation and set a schedule for performing the actual survey. At the end of the meeting, the client was presented with a survey designed to gather information necessary to calculate the return on investment at the completion of the network security Page 10 survey (see Appendix 2). The meeting went well and objective number one was complete! Once the survey is complete, I will be able to provide the client with an execution plan that lays out an upgrade plan as well as an ongoing preventive maintenance plan. Though the execution of this plan will take place outside of the Capstone project, it will be the key to a successful upgrade and improved business efficiency. Network Security Survey Prior to the performing the survey, I created two spreadsheets for capturing data (see Appendix 3 and Appendix 4). The first spreadsheet targeted workstations and the second targeted servers. I also acquired a thumb drive to store the results of the MBSA scans for each computer. When I arrived to perform the survey, the client notified me that there would be some others working on computers that night. Therefore, the first thing that went wrong in this goal was my failure to follow-up after the meeting with a phone call. Had I followed up with a phone call to remind them that I would be coming, then we could possibly have avoided the problem. Luckily, there were plenty of computers to survey. Therefore, I began to survey the workstations that were not in use. Each computer took about 2 minutes to survey and 10 minutes to run the Microsoft Baseline Security Analyzer utility. I had failed to get an estimated number of Page 11 workstations that I would be surveying in our preliminary meeting. Hence, the survey took a little longer than expected. Fortunately, the users working on the other computers were finished by the time I got to them, so it was a blessing in disguise. The survey of the workstations went according to plan, but when I began to survey the servers, I ran into a problem. The password list provided by the client did not include the correct password for logging onto the domain controller. Since the owner had left for the night, I was unable to survey the domain controller as originally planned. After contacting the owner the following day, we scheduled a return visit to survey the domain controller. Once I surveyed the domain controller, my network security survey was complete. Despite the two minor drawbacks of users in the building and not having the domain controller’s admin password, the survey went very well. If I had to do it over again, I would have followed up the meeting with a phone call to confirm the survey schedule. I would also ensure that all the username and passwords worked properly before the owner left the premises. Overall, the goal was achieved as all necessary data was captured so that an upgrade proposal could be completed. Page 12 Upgrade Proposal Preparation I slated one day to complete the upgrade proposal. This proved to be too little time to complete a fair proposal. The proposal was originally slotted to contain the following upgrade suggestions: Domain controller configuration General server configuration General workstation configuration Antivirus / Malware suggestions ROI Report End User’s Security Guide Upgrade timeline However, I made assumptions about the configuration of their network. I unknowingly assumed that their domain controller would also be their default gateway, DHCP and DNS server. However, their network was divided into four subnets. An ISA server was between the internet service provider and the internal network and acted as a NAT, RRAS, DNS and DHCP server. Though their domain controller was also a default gateway, DNS and DHCP server, it offered up these services within the internal network. I had failed to anticipate the possibility of a perimeter network. I was able to complete each of the items listed above and prepare them for presentation to the client. So this goal was achieved, though not within the originally slotted timeframe. Page 13 Proposal Presentation Once the proposal was complete, a meeting with the client was scheduled. The meeting’s agenda was as follows: 1. Discuss the results of the survey (state of the network address) 2. Discuss hardware / software upgrade suggestions 3. Discuss projected costs and ROI 4. Question & Answer 5. Discuss implementation schedule The presentation lasted roughly two hours and was largely successful. I believe the success was a result of proper planning and a thorough network survey. As a result of sufficient planning, the network survey was very smooth and comprehensive. As a result of the successful survey, the proposal was straightforward and meaningful to the client. With this goal complete and all deliverables in the hands of the client, the project goals were all complete! Each goal was completed and all deliverables were handed over to the client. They were very satisfied with the proposal. Therefore, they decided to move forward with a selected portion of the upgrade. Page 14 Project Timeline The project timeline was created as a Gantt chart using Microsoft ® Office Project 2003. Details from the original project plan are listed in Figure B. Figure B Project Plan & Timeline As can be seen in Figure B, the original project plan was estimated to take 23 hours to complete and span a total of 7 days. The project actually took about 40 person-hours to complete, although it was completed within 7 days. Page 15 Two areas took longer than expected to complete. The first was the network survey. As previously mentioned, I failed to follow-up after our preliminary meeting and the client inadvertently had scheduled students to be in the building during the survey. Luckily, there were so many workstations to survey that the students were gone by the time I got to that area. I also forgot to ask for a workstation count in our preliminary meeting. This would have allowed me to better gauge the time it would take to perform the survey. The only survey related problem that resulted in a timeline set back was the result of missing administrative passwords for the domain controller. I forgot to ask for this information and as a result, had to reschedule the rest of the survey for another night. This resulted in a oneday setback from the original timeline. The second timeline task that took longer than expected was drafting the proposal. This happened because I miscalculated the amount of time it would take to draft each area of the proposal. However, I was still able to complete the task in a single day to keep the project on schedule. All other items on the timeline went as scheduled as a result of planning on the front end and hard work on the back. The client was very patient throughout the process and I am grateful for this. I do not expect that every situation in such a project would go as smoothly without the patience and support of the client as was had by me. I Page 16 believe if I were to write the timeline again, I would plan in a larger margin for error and take a slightly less aggressive approach. Project Development Prior to the development of this project, Real PlanIT Computer Training, Inc. was up a creak without a paddle. With their computer network in security shambles, their workstations were getting slower at an exponential rate. As a result, students and testers were losing confidence in the company. The state of their network was affecting their business and profit opportunities. My project was developed around building up a business by securing its network and bringing the network to a new level of efficiency. More specifically, the project concentrated on building a current network snapshot and then basing an upgrade proposal plan off that snapshot. Though the project concentrated on best practices for network security, the business model was the ultimate recipient of services. As with any project, problems arose that needed addressing. One of these problems was a scheduling problem during the server. The client scheduled students to be in the building during the survey. At first, I thought this might be a problem. However, I decided to start my survey in a different classroom. There were so many workstations that by the time I got back to the students’ classroom, they were done. By rearranging the order in which the workstation surveys were performed, this problem was averted. Page 17 Another problem I faced during the development of this project happened when I realized I did not have the administrative passwords to the servers. Without this information, I would be unable to perform the surveys for the client’s server computers. As a result, I had to schedule a revisit to survey the remaining servers. Because a return trip was necessary to complete the survey, the timeline was pushed back a day. I anticipated the network would be configured with the domain controller as the lone default gateway. I had it in my head that the configuration suggestions would be rather simple because of this. However, since there was an ISA server in their perimeter network, I had to make changes to the configuration suggestions in my proposal. Another unanticipated requirement related to developing the ROI report for the client. It was difficult to offer a monetary estimate for operating under the current network conditions versus the proposed network conditions. Consequently, I had to change some of the questions on the customer business survey to help me calculate these figures. The client was gracious enough to comply. Actual and Potential Effects Since this project was in the form of a proposal, the majority of this section will concentrate on potential effects. Page 18 The actual effects of this project can be summed up by saying that the client now has a clear understanding of the importance of network maintenance and network security. They have seen the bad side of network security and were provided with a roadmap to the good side. They have been empowered with information to bring their operation to a new level of efficiency. The potential positive effects of this project go are many. When the client follows through with the upgrade plan, they will have a highly efficient operating network. As a result of the network operating more efficiently, their business processes will be able to run more smoothly. There will be fewer classroom interruptions as a result of computer related problems. There will be fewer testers that are frustrated with crashing test servers and workstations. As a result, customers’ confidence in Real PlanIT Computer Training will increase. The project has the potential to help grow the client’s business. Without having to worry so much about the network and whether or not the computers are going to work, they can concentrate on sales, finances, teaching and so on. Conclusions My capstone project proved to be extremely challenging and every bit as much rewarding. I believe it was highly successful in terms of the original goals and objectives. Each goal and object was met and customer expectations were exceeded. Why was it so successful? Why was it so Page 19 effective? It was in part because of methodical planning on the front end. I cannot say enough about the necessity of planning. Building the project plan gave me a roadmap to success that would not have been possible without it. This project was also successful because of communication. The client did a marvelous job expressing their needs and current business model. I did my best at communicating the advantages had by those who operate on a secure and efficient network. Together we formulated a plan to upgrade their network while meeting their business needs and minimizing business impact. Communication was a vital component in this project and helped bring about the success thereof. Finally, flexibility played a winning part in this project. Every project will have its hiccups. The ability to be flexible, think on your feet and come up with alternate solutions is a necessity for successful project management. It was my pleasure to have successfully led and completed this project as the project manager. Best of all, the client is ecstatic about the proposal and cannot wait to implement the changes. They are ready for a new level of business efficiency. Page 20 References Keystone Strategy, Inc Study (2005). Why IT Matters in Midsized Firms. Retrieved January 31, 2007 from http://www.keyinc.com/it_matters.shtml. Lowe, Scott (2004). Verify security settings on Windows XP using Microsoft Baseline Security Analyzer 1.2. Retrieved June 23, 2007 from http://articles.techrepublic.com.com/5100-1035_11-5221961.html. Microsoft (2007). City of Stratford Brings Down the Curtain on its Legacy System with Server Upgrade. Retrieved June 23, 2007 from http://www.microsoft.com/canada/casestudies/cityofstratford.mspx. Microsoft (2007). Microsoft Baseline Security Analyzer. Retrieved June 23, 2007 from http://www.microsoft.com/technet/Security/tools/mbsahome.mspx. Microsoft (2007). Windows Vista Capable and Premium Ready PCs. Retrieved January 31, 2007 from http://www.microsoft.com/windows/products/windowsvista/buyorupgr ade/capable.mspx. Sherman, Erik (2007). Investing in IT for a Competitive Edge. Retrieved January 31, 2007, from http://www.microsoft.com/business/momentum/content/article.aspx?c ontentId=1065. Page 21 Appendix 1: Competency Matrix Domain/Subdomain Competency Explanation LPO1 Identify and apply leadership behaviors including: providing direction and enlisting others in a shared vision; searching out challenging opportunities for change, growth, and improvement; fostering collaboration and building effective teams; and coaching, mentoring, counseling and facilitating professional development. My project required collaboration with the client. The project was certainly challenging and very rewarding for all parties involved. It required a lot of planning and scheduling to ensure that everything went off without a hitch. The opportunity was all about change and preparation for future growth. Ultimately, I coached the client how to maintain their network moving forward. RUA1 & RUA2 Describe in your own words the question/problem to be addressed. My project allowed me to communicate the problem with the current state of the client’s network as well as how it was affecting profitability within the company. RUA1 & RUA2 Divide a question/problem into related sub-questions or sub-problems. The root problem was that the network was insecure and it was affecting business efficiency. My project allowed me to break this down further into many sub-problems with regard to anti-virus, group policy, passwords, firewall configuration, hardware problems, server configuration, etc. Page 22 RUA1 & RUA2 Interpret the results of quantitative and qualitative analyses of information related to a question/problem. After the initial survey was complete, I will provided a report that summarized the current state of the network. The results of the survey were interpreted so that a proposal for bringing the network up to current standards was developed and presented to the client. LCO1 Speak clearly and audibly and use appropriate language and gestures. Communication was the key to success in this project. There were multiple meetings to communicate problems, scheduling information, project plans, etc. These meetings allowed me to demonstrate this competency. LCO1 Write instructions for a particular task or procedure. An end-user preventive maintenance manual was provided as part of the Capstone project. The document included instructions and general guidelines for keeping one’s computer and computer network secure. QLO1 Communicate mathematical reasoning, mathematical equations, and calculated results orally and in writing, explaining why a formula, conclusion or inference makes sense and why the mathematical reasoning is valid. A return on investment (ROI) report was included in the proposal. Calculated costs were used in conjunction with operating costs to estimate the amount of time it will take the client to recoup the upgrade investment money and start turning a profit. Page 23 I290 Plan and implement server roles and server security. Server roles were evaluated during the survey and new roles and security measures were suggested in the proposal. I290 Plan, implement, and maintain a network infrastructure. A new network infrastructure plan was presented as part of the proposal. I290 Manage and maintain an Active Directory infrastructure. Suggested Active Directory changes were presented as part of the proposal. I290 Plan and implement group policy. Group Policy settings were proposed and presented to the client to maximize business efficiency and security. I290 Maintain a network infrastructure. A preventive maintenance plan was presented to the client for ongoing maintenance of the network infrastructure. I270 Configure, manage, and troubleshoot security The client’s network had many security holes prior to the project. These issues were identified and addressed with a resolution strategy in the proposal. The execution of the proposal will solve these security problems. I270 Create the conceptual design by gathering and analyzing business and technical requirements. Based on the client’s current operating procedures, I created a new design for workstation security. I also gathered technical hardware/software needs of specific applications to ensure the network would support Page 24 them. I270 Implement, manage, monitor, and troubleshoot hardware devices and drivers. All workstation and server hardware devices and drivers were tested. Necessary upgrades, changes, etc. were suggested in the proposal. Page 25 Appendix 2: Client Business Model Survey See file “55427 Hufford Mark BS ITNM CAPU Appendix 2.doc”. Appendix 3: Workstation Survey Spreadsheet See file “55427 Hufford Mark BS ITNM CAPU Appendix 3.xls”. Appendix 4: Server Survey Spreadsheet See file “55427 Hufford Mark BS ITNM CAPU Appendix 4.xls”. Page 26 Appendix 5: Sample MBSA Reports Computer name: IP address: Security report name: Scan date: Catalog synchronization date: Security update catalog: Security assessment: WORKGROUP\FAY-TRAIN55 192.168.3.35 WORKGROUP - FAY-TRAIN55 (6-19-2007 8-45 PM) 6/19/2007 8:45 PM Microsoft Update Severe Risk Security Updates Score Issue Result Office 9 security updates are missing. 2 service packs or update Security rollups are missing. Updates Security Updates Score ID Description Maximum Severity Missing MS05-023 Security Update for Critical Word 2003 (KB887979) Missing MS06-039 Security Update for Office 2003 (KB914455) Moderate Missing MS06-054 Security Update for Publisher 2003 (KB894542) Important Missing MS06-058 Security Update for PowerPoint 2003 (KB923091) Important Page 27 Missing MS06-059 Security Update for Important Excel 2003 (KB923088) Missing MS06-062 Security Update for Office 2003 (KB923272) Important Missing MS06-060 Security Update for Important Word 2003 (KB923094) Missing MS06-061 Security Update for Office 2003 (KB924424) Critical Missing MS07-003 Security Update for Outlook 2003 (KB924085) Important Update Rollups and Service Packs Score ID Description Missing 887620 Project 2003 Service Pack 2 Missing 887616 Office 2003 Service Pack 2 Current Update Compliance Score ID Description Installed 842532 Office 2003 Service Pack 1 Installed 902848 Outlook Live 2003 Service Pack 2 Installed 887622 Visio 2003 Service Pack 2 Installed 887619 OneNote 2003 Service Pack 2 Maximum Severity Page 28 Installed 887618 Office 2003 Service Pack 2 for Proofing Tools Installed 920115 Service Pack 3 for Business Contact Manager Update and Small Business Accounting Windows 67 security updates are missing. 3 service packs or Security update rollups are missing. Updates Security Updates Score ID Description Maximum Severity Missing MS04-043 Security Update for Windows XP (KB873339) Important Missing MS04-041 Security Update for Windows XP (KB885836) Important Missing MS05-007 Security Update for Windows XP (KB888302) Important Missing MS05-009 Security Update for Windows Messenger (KB887472) Moderate Missing MS05-013 Security Update for Windows XP (KB891781) Important Missing MS04-044 Security Update for Windows XP (KB885835) Important Page 29 Missing MS05-033 Security Update for Windows XP (KB896428) Moderate Missing MS05-036 Security Update for Windows XP (KB901214) Critical Missing MS05-018 Security Update for Windows XP (KB890859) Important Missing MS05-040 Security Update for Windows XP (KB893756) Important Missing MS05-041 Security Update for Windows XP (KB899591) Moderate Missing MS05-042 Security Update for Windows XP (KB899587) Moderate Missing MS05-043 Security Update for Windows XP (KB896423) Critical Missing MS05-051 Security Update for Windows XP (KB902400) Important Missing MS05-048 Security Update for Windows XP (KB901017) Important Missing MS05-045 Security Update for Windows XP (KB905414) Moderate Missing MS05-047 Security Update for Windows XP (KB905749) Important Page 30 Missing MS05-049 Security Update for Windows XP (KB900725) Important Missing MS05-050 Security Update for Windows XP (KB904706) Critical Missing MS06-002 Security Update for Windows XP (KB908519) Critical Missing MS06-008 Security Update for Windows XP (KB911927) Important Missing MS06-006 Security Update for Windows Media Player Plug-in (KB911564) Important Missing MS06-014 Security Update for Windows XP (KB911562) Critical Missing MS06-015 Security Update for Windows XP (KB908531) Critical Missing MS06-024 Security Update for Windows Media Player 9 (KB917734) Critical Missing MS06-030 Security Update for Windows XP (KB914389) Important Missing MS06-023 Security Update for Windows XP (KB917344) Critical Missing MS06-022 Security Update for Windows XP (KB918439) Critical Page 31 Missing MS06-018 Security Update for Windows XP (KB913580) Low Missing MS06-032 Security Update for Windows XP (KB917953) Important Missing MS06-025 Security Update for Windows XP (KB911280) Important Missing MS06-036 Security Update for Windows XP (KB914388) Critical Missing MS06-050 Security Update for Windows XP (KB920670) Important Missing MS06-041 Security Update for Windows XP (KB920683) Critical Missing MS06-052 Security Update for Windows XP (KB919007) Important Missing MS06-053 Security Update for Windows XP (KB920685) Moderate Missing MS06-063 Security Update for Windows XP (KB923414) Important Missing MS06-065 Security Update for Windows XP (KB924496) Moderate Missing MS06-057 Security Update for Windows XP (KB923191) Critical Page 32 Missing MS06-061 Security Update for Windows XP (KB924191) Critical Missing MS06-064 Security Update for Windows XP (KB922819) Low Missing MS06-070 Security Update for Windows XP (KB924270) Low Missing MS06-066 Security Update for Windows XP (KB923980) Important Missing MS06-075 Security Update for Windows XP (KB926255) Important Missing MS06-078 Security Update for Windows Media Player 6.4 (KB925398) Critical Missing MS06-078 Security Update for Windows XP (KB923689) Critical Missing MS07-004 Security Update for Windows XP (KB929969) Critical Missing MS07-006 Security Update for Windows XP (KB928255) Important Missing MS07-008 Security Update for Windows XP (KB928843) Critical Missing MS07-007 Security Update for Windows XP (KB927802) Important Page 33 Missing MS07-012 Security Update for Windows XP (KB924667) Important Missing MS07-009 Security Update for Windows XP (KB927779) Critical Missing MS07-013 Security Update for Windows XP (KB918118) Important Missing MS07-011 Security Update for Windows XP (KB926436) Important Missing MS07-017 Security Update for Windows XP (KB925902) Critical Missing MS06-071 MSXML 4.0 SP2 Security Update (KB927978) Critical Missing MS07-022 Security Update for Windows XP (KB931784) Important Missing MS07-021 Security Update for Windows XP (KB930178) Critical Missing MS07-019 Security Update for Windows XP (KB931261) Critical Missing MS07-020 Security Update for Windows XP (KB932168) Critical Missing MS05-004 Security Update for Microsoft .NET Framework, Version 1.1 Service Pack 1 Important Page 34 (KB886903) Missing MS05-032 Security Update for Windows XP (KB890046) Moderate Missing MS06-068 Security Update for Windows XP (KB920213) Critical Missing MS07-033 Cumulative Security Critical Update for Internet Explorer 6 for Windows XP (KB933566) Missing MS07-034 Cumulative Security Update for Outlook Express for Windows XP (KB929123) Important Missing MS07-031 Security Update for Windows XP (KB935840) Critical Missing MS07-035 Security Update for Windows XP (KB935839) Critical Update Rollups and Service Packs Score ID Description Missing 931836 Update for Windows XP (KB931836) Missing 926874 Windows Internet Explorer 7.0 for Windows XP Missing 890830 Windows Malicious Software Removal Tool - June 2007 (KB890830) Current Update Compliance Page 35 Score ID Description Installed MS03-011 816093: Security Update Microsoft Virtual Machine (Microsoft VM) Installed 867460 Maximum Severity Critical Microsoft .NET Framework 1.1 Service Pack 1 Installed MS05-027 Security Update for Windows XP (KB896422) Critical Installed MS05-025 Cumulative Security Update for Internet Explorer for Windows XP Service Pack 2 (KB883939) Important Installed MS05-026 Security Update for Windows XP (KB896358) Critical Installed MS06-009 Security Update for Windows XP (KB901190) Important Windows Scan Results Administrative Vulnerabilities Scor Issue e Result Administrat More than 2 Administrators were found on this computer. ors User Page 36 Administrator S-1-5-21-2074873108-628170394-480669845-40114 Student Automatic The Automatic Updates feature is disabled on this Updates computer. Windows Firewall is enabled and has exceptions configured. Windows Firewall is enabled on all network connections. Windows Firewall Connection Name Firewall Exceptions All Connections On Programs, Services Local Area Connection 2 On Programs*, Services* Incomplete No incomplete software update installations were found. Updates No user accounts have simple passwords. Local Account Password Test User Weak Password Locked Out Disable d Guest - - Disable d HelpAssistant - - Disable d SUPPORT_3889 45a0 - - Disable d ASPNET - - - Administrator - - - Page 37 Student - - - All hard drives (1) are using the NTFS file system. File System Guest Account Drive Letter File System C: NTFS The Guest account is disabled on this computer. Restrict Anonymou Computer is properly restricting anonymous access. s Password This check was skipped because the computer is not Expiration joined to a domain. Autologon This check was skipped because the computer is not joined to a domain. Additional System Information Score Issue Result Windo ws Computer is running Windows 2000 or greater. Version Auditin This check was skipped because the computer is not joined g to a domain. 2 share(s) are present on your computer. Shares Share Directory Share ACL Directory ACL Page 38 ADMIN $ C:\WINDO WS Admin Share BUILTIN\Users - RX, BUILTIN\Power Users - RWXD, BUILTIN\Administrat ors - F, NT AUTHORITY\SYSTEM -F C$ C:\ Admin Share BUILTIN\Administrat ors - F, NT AUTHORITY\SYSTEM - F, BUILTIN\Users RX, Everyone - RX Some potentially unnecessary services are installed. Service s Service State Telnet Stopped Internet Information Services (IIS) Scan Results Score Issue Result IIS Status IIS is not running on this computer. SQL Server Scan Results Score Issue Result SQL Server/MSDE SQL Server and/or MSDE is not installed on this computer. Status Desktop Application Scan Results Administrative Vulnerabilities Score Issue Result Page 39 4 Microsoft Office product(s) are installed. Some issues were found. Macro Security Issue User Advice Microsoft Office Excel 2003 FAY-TRAIN55\Student Macro security is set to low, which is not secure. Microsoft Office Outlook 2003 FAY-TRAIN55\Student Macro security is set to medium, which will allow you to choose whether or not to run potentially unsafe macros. Microsoft Office Outlook 2003 FAYTRAIN55\Administrator Macro security is set to medium, which will allow you to choose whether or not to run potentially unsafe macros. Microsoft Office Word 2003 FAY-TRAIN55\Student Macro security is set to medium, which will allow you to choose whether or not to run potentially Page 40 unsafe macros. Microsoft Office Word 2003 FAYTRAIN55\Administrator Macro security is set to medium, which will allow you to choose whether or not to run potentially unsafe macros. Microsoft Office PowerPoint 2003 All Users No security issues were found. IE Zones Internet Explorer zones have secure settings for all users. Computer name: PROMETRIC\TESTSERVER IP address: 192.168.4.1 Security report name: PROMETRIC - TESTSERVER (6-19-2007 8-39 PM) Scan date: 6/19/2007 8:39 PM Scanned with MBSA version: 2.0.6706.0 Security update catalog: Microsoft Update Catalog synchronization date: Security assessment: Severe Risk Security Updates Scan Results Issue: Scanning Requirements Score: Check failed (non-critical) Result: 1 scanning requirements are missing. A complete scan could not be performed. Update Rollups and Service Packs | MSI | Missing | Windows Installer is required for scanning products installed on the computer | | Page 41 Issue: Windows Security Updates Score: Check failed (critical) Result: 56 security updates are missing. 2 service packs or update rollups are missing. Security Updates | MS06-053 | Missing | Security Update for Windows 2000 (KB920685) | Moderate | | MS05-044 | Missing | Security Update for Internet Explorer 6 Service Pack 1 for Windows 2000 (KB905495) | Moderate | | MS05-032 | Missing | Security Update for Windows 2000 (KB890046) | Important | | MS06-015 | Missing | Security Update for Windows 2000 (KB908531) | Critical | | MS06-036 | Missing | Security Update for Windows 2000 (KB914388) | Critical | | MS06-031 | Missing | Security Update for Windows 2000 (KB917736) | Moderate | | MS07-035 | Missing | Security Update for Windows 2000 (KB935839) | Critical | | MS06-025 | Missing | Security Update for Windows 2000 (KB911280) | Critical | | MS07-008 | Missing | Security Update for Windows 2000 (KB928843) | Critical | | MS06-068 | Missing | Security Update for Windows 2000 (KB920213) | Critical | | MS05-050 | Missing | Security Update for DirectX 9 for Windows 2000 (KB904706) | Critical | | MS06-044 | Missing | Security Update for Windows 2000 (KB917008) | Critical | | MS05-046 | Missing | Security Update for Windows 2000 (KB899589) | Important | | MS06-070 | Missing | Security Update for Windows 2000 (KB924270) | Critical | | MS06-018 | Missing | Security Update for Windows 2000 (KB913580) | Moderate | | MS07-011 | Missing | Security Update for Windows 2000 (KB926436) | Important | | MS06-041 | Missing | Security Update for Windows 2000 (KB920683) | Critical | | MS06-066 | Missing | Security Update for Windows 2000 (KB923980) | Important | Page 42 | MS05-049 | Missing | Security Update for Windows 2000 (KB900725) | Important | | MS06-076 | Missing | Cumulative Security Update for Outlook Express 5.5 Service Pack 2 (KB923694) | Important | | MS07-020 | Missing | Security Update for Windows 2000 (KB932168) | Critical | | MS05-018 | Missing | Security Update for Windows 2000 (KB890859) | Important | | MS05-019 | Missing | Security Update for Windows 2000 (KB893066) | Important | | MS05-027 | Missing | Security Update for Windows 2000 (KB896422) | Important | | MS05-042 | Missing | Security Update for Windows 2000 (KB899587) | Moderate | | MS06-002 | Missing | Security Update for Windows 2000 (KB908519) | Critical | | MS05-048 | Missing | Security Update for Windows 2000 (KB901017) | Important | | MS07-009 | Missing | Security Update for Microsoft Data Access Components 2.8 (KB927779) | Critical | | MS05-041 | Missing | Security Update for Windows 2000 (KB899591) | Moderate | | MS06-006 | Missing | Security Update for Windows Media Player Plug-in (KB911564) | Important | | MS07-033 | Missing | Cumulative Security Update for Internet Explorer 6 Service Pack 1 (KB933566) | Critical | | MS06-023 | Missing | Security update for (Jscript Version 5.6) for Windows 2000 (KB917344) | Critical | | MS06-061 | Missing | Security Update for Windows 2000 (KB924191) | Critical | | MS06-050 | Missing | Security Update for Windows 2000 (KB920670) | Important | | MS07-031 | Missing | Security Update for Windows 2000 (KB935840) | Moderate | | MS07-021 | Missing | Security Update for Windows 2000 (KB930178) | Critical | | MS07-004 | Missing | Security Update for Internet Explorer 6 Service Pack 1 (KB929969) | Critical | | MS05-043 | Missing | Security Update for Windows 2000 (KB896423) | Critical | | MS07-013 | Missing | Security Update for Windows 2000 (KB918118) | Important | | MS05-026 | Missing | Security Update for Windows 2000 (KB896358) | Important | Page 43 | MS06-030 | Missing (KB914389) | Important | | MS06-078 | Missing (KB923689) | Critical | | MS06-057 | Missing (KB923191) | Critical | | MS05-036 | Missing (KB901214) | Critical | | MS06-063 | Missing (KB923414) | Important | | MS06-078 | Missing Player 6.4 (KB925398) | Critical | | MS05-047 | Missing (KB905749) | Important | | MS07-022 | Missing (KB931784) | Important | | MS06-024 | Missing Player 9 (KB917734) | Critical | | MS05-045 | Missing (KB905414) | Moderate | | MS05-040 | Missing (KB893756) | Important | | MS06-032 | Missing (KB917953) | Important | | MS07-017 | Missing (KB925902) | Critical | | MS07-012 | Missing (KB924667) | Important | | MS06-061 | Missing (KB925672) | Critical | | MS06-045 | Missing (KB921398) | Moderate | | Security Update for Windows 2000 | Security Update for Windows 2000 | Security Update for Windows 2000 | Security Update for Windows 2000 | Security Update for Windows 2000 | Security Update for Windows Media | Security Update for Windows 2000 | Security Update for Windows 2000 | Security Update for Windows Media | Security Update for Windows 2000 | Security Update for Windows 2000 | Security Update for Windows 2000 | Security Update for Windows 2000 | Security Update for Windows 2000 | MSXML 4.0 SP2 Security Update | Security Update for Windows 2000 Update Rollups and Service Packs | 890830 | Missing | Windows Malicious Software Removal Tool - June 2007 (KB890830) | | | 891861 | Missing | Update Rollup 1 for Windows 2000 Service Pack 4 (KB891861) | | Current Update Compliance | MS04-020 | Installed | Security Update for Microsoft Windows 2000 (KB841872) | Important | Page 44 | MS05-011 | Installed | Security Update for Windows 2000 (KB885250) | Critical | | MS05-012 | Installed | Security Update for Windows 2000 (KB873333) | Important | | MS05-010 | Installed | Security Update for Windows 2000 (KB885834) | Critical | | MS05-050 | Installed | Security Update for DirectX 8 for Windows 2000 (KB904706) | Critical | | MS04-028 | Installed | Security Update for Internet Explorer 6 Service Pack 1 (KB833989) | Moderate | | MS03-043 | Installed | Security Update for Microsoft Windows 2000 (KB828035) | | | MS03-044 | Installed | Security Update for Microsoft Windows 2000 (KB825119) | Important | | MS05-003 | Installed | Security Update for Windows 2000 (KB871250) | Important | | 867460 | Installed | Microsoft .NET Framework 1.1 Service Pack 1 | | | MS03-041 | Installed | Security Update for Windows 2000 (KB823182) | | | MS06-005 | Installed | Security Update for Windows Media Player 7.1 for Windows 2000 (KB911565) | Important | | MS03-008 | Installed | 814078: Security Update (Microsoft Jscript version 5.5, Windows 2000) | | | MS05-001 | Installed | Security Update for Windows 2000 (KB890175) | Critical | | MS02-008 | Installed | Security Update, February 13, 2002 (MSXML 4.0) | | | MS03-008 | Installed | 814078: Security Update (Microsoft Jscript version 5.1, Windows 2000) | | | MS04-037 | Installed | Security Update for Windows 2000 (KB841356) | Important | | MS04-012 | Installed | Security Update for Windows 2000 (KB828741) | Critical | | MS03-042 | Installed | Security Update for Microsoft Windows 2000 (KB826232) | Critical | | MS03-011 | Installed | 816093: Security Update Microsoft Virtual Machine (Microsoft VM) | Critical | | MS05-004 | Installed | Security Update for Microsoft .NET Framework, Version 1.1 Service Pack 1 (KB886903) | Important | | MS04-016 | Installed | Security Update for DirectX 9.0 (KB839643) | Moderate | | MS02-050 | Installed | Q329115: Security Update (Windows 2000) | | Page 45 | MS05-013 | Installed | Security Update for Windows 2000 (KB891781) | Important | | MS04-023 | Installed | Security Update for Windows 2000 (KB840315) | Critical | | MS04-043 | Installed | Security Update for Windows 2000 (KB873339) | Important | | MS04-016 | Installed | Security Update for DirectX 8.2 (KB839643) | Moderate | | MS05-014 | Installed | Cumulative Security Update for Internet Explorer 6 Service Pack 1 (KB867282) | Critical | | MS02-009 | Installed | Security Update, February 14, 2002 (Internet Explorer 5.5) | | | MS04-031 | Installed | Security Update for Windows 2000 (KB841533) | Important | | MS03-023 | Installed | 823559: Security Update for Microsoft Windows | | | MS06-022 | Installed | Security Update for Internet Explorer 6 Service Pack 1 (KB918439) | Critical | | MS03-049 | Installed | Security Update for Microsoft Windows (KB828749) | | | MS03-008 | Installed | 814078: Security Update (Microsoft Jscript version 5.6, Windows 2000, Windows XP) | | | MS04-014 | Installed | Security Update for Windows 2000 (KB837001) | Important | | MS04-028 | Installed | Security Update for Windows Journal Viewer (KB886179) | Important | | MS05-017 | Installed | Security Update for Windows 2000 (KB892944) | Important | | MS03-034 | Installed | Security Update for Microsoft Windows (KB824105) | | | MS04-041 | Installed | Security Update for Windows 2000 (KB885836) | Important | | MS05-015 | Installed | Security Update for Windows 2000 (KB888113) | Important | | MS05-008 | Installed | Security Update for Windows 2000 (KB890047) | Important | | MS05-050 | Installed | Security Update for Windows 2000 (KB904706) | Critical | | MS04-044 | Installed | Security Update for Windows 2000 (KB885835) | Important | | MS05-002 | Installed | Security Update for Windows 2000 (KB891711) | Critical | | MS04-011 | Installed | Security Update for Windows 2000 (KB835732) | Critical | Page 46 | MS04-022 2000 (KB841873) | Critical | | MS04-016 (KB839643) | Moderate | | MS04-016 (KB839643) | Moderate | | MS04-016 (KB839643) | Moderate | | Installed | Security Update for Windows | Installed | Security Update for DirectX 7.0 | Installed | Security Update for DirectX 8.0 | Installed | Security Update for DirectX 8.1 Operating System Scan Results Administrative Vulnerabilities Issue: Local Account Password Test Score: Check failed (critical) Result: Some user accounts (4 of 7) have blank or simple passwords, or could not be analyzed. Detail: | User | Weak Password | Locked Out | Disabled | | Guest | Weak | - | - | | dts1 | Weak | - | - | | dts2 | Weak | - | - | | dtsiso | Weak | - | - | | ASPNET | - | - | - | | Administrator | - | - | - | | TsInternetUser | - | - | - | Issue: File System Score: Check failed (critical) Result: Not all hard drives are using the NTFS file system. Detail: | Drive Letter | File System | | H: | FAT32 | | C: | NTFS | | E: | NTFS | | G: | NTFS | Issue: Password Expiration Score: Check failed (non-critical) Result: Some user accounts (4 of 7) have non-expiring passwords. Detail: | User | Page 47 | Administrator | | Guest | | dts1 | | dts2 | | ASPNET | | TsInternetUser | Issue: Guest Account Score: Check failed (critical) Result: The Guest account is not disabled on this computer. Issue: Autologon Score: Check passed Result: Autologon is not configured on this computer. Issue: Restrict Anonymous Score: Check failed (critical) Result: Computer is running with RestrictAnonymous = 0. This level allows basic enumeration of user accounts, account policies, and system information. Set RestrictAnonymous = 2 to ensure maximum security. Issue: Administrators Score: Check passed Result: No more than 2 Administrators were found on this computer. Detail: | User | | Administrator | Issue: Windows Firewall Score: Best practice Result: Windows Firewall is not installed or configured properly, or is not available on this version of Windows. Issue: Automatic Updates Score: Check failed (non-critical) Result: Updates are not automatically downloaded or installed on this computer. Issue: Incomplete Updates Score: Best practice Result: No incomplete software update installations were found. Additional System Information Issue: Windows Version Page 48 Score: Best practice Result: Computer is running Windows 2000 or greater. Issue: Auditing Score: Best practice Result: Enable auditing for specific events like logon/logoff. Be sure to monitor your event log to watch for unauthorized access. Issue: Shares Score: Best practice Result: 11 share(s) are present on your computer. Detail: | Share | Directory | Share ACL | Directory ACL | | HPLaserJ | HP LaserJet 4L,LocalsplOnly | Print Queue Share | Directory ACL can not be read. | | testprinter | HP DeskJet,LocalsplOnly | Print Queue Share | Directory ACL can not be read. | | ADMIN$ | C:\WINNT | Admin Share | BUILTIN\Users RX, BUILTIN\Power Users - RWXD, BUILTIN\Administrators - F, NT AUTHORITY\SYSTEM - F, Everyone - RX | | C$ | C:\ | Admin Share | Everyone - F | | E$ | E:\ | Admin Share | Everyone - F | | G$ | G:\ | Admin Share | Everyone - F | | dts | C:\dts | Everyone - F | Everyone - F | | images | G:\images | Everyone - F | Everyone - F | | polaris share | C:\Documents and Settings\Administrator\Desktop\polaris share | Everyone - F | TESTSERVER\Administrator - F, NT AUTHORITY\SYSTEM - F, BUILTIN\Administrators - F | | print$ | C:\WINNT\system32\spool\drivers | Everyone R, Administrators - F, Power Users - F | Everyone - RX, BUILTIN\Users RX, BUILTIN\Power Users - RWXD, BUILTIN\Administrators - F, NT AUTHORITY\SYSTEM - F | | pulse share | C:\Documents and Settings\Administrator\Desktop\pulse share | Everyone - F | TESTSERVER\Administrator - F, NT AUTHORITY\SYSTEM - F, BUILTIN\Administrators - F | Issue: Services Score: Best practice Result: Some potentially unnecessary services are installed. Detail: | Service | State | Page 49 | Telnet | Stopped | Internet Information Services (IIS) Scan Results IIS is not running on this computer. SQL Server Scan Results SQL Server and/or MSDE is not installed on this computer. Desktop Application Scan Results Administrative Vulnerabilities Issue: IE Zones Score: Check failed (critical) Result: Internet Explorer zones do not have secure settings for some users. Detail: | User | Zone | Level | Recommended Level | | TESTSERVER\Administrator | Restricted sites | Custom | High | Sub-Detail: | Setting | Current | Recommended | | Script ActiveX controls marked safe for scripting | Enable | Disable | Issue: Macro Security Score: Check not performed Result: No Microsoft Office products are installed Page 50 Appendix 6: Network Upgrade Proposal See file “55427 Hufford Mark BS ITNM CAPU Appendix 6.doc”. Appendix 7: End User’s Security Manual See file “55427 Hufford Mark BS ITNM CAPU Appendix 7a.doc”. See file “55427 Hufford Mark BS ITNM CAPU Appendix 7b.doc”. See file “55427 Hufford Mark BS ITNM CAPU Appendix 7c.pdf”. Appendix 8: Capstone Proposal See file “55427 Hufford Mark BS ITNM CAPU Appendix 8.doc”.