SekChek for Windows Report · Nbr of Processors 1 Total Memory 1.000 GB ... Processor 6172 Family AMD Opteron 6172 Description AMD64 Family 16 Model 9 Stepping 1 Processor Id 1F8BFBFF000106A5

TESTBED

SekChek for Windows Security Report

System: PUFFADDER (Snake.com)

10 November 2013

SekChek IPS [email protected]

www.sekchek.com

mailto:[email protected]

http://www.sekchek.com/

Declaration

The provided observations and recommendations are in response to a benchmarking analysis that compares the client’s information

security features against industry.

The recommendations are organised to identify possible implications to the company based on the gathered information, to identify

an industry average rating of the controls and provide possible recommended actions.

The benchmarking analysis and the related observations and recommendations should supplement management’s analysis but

should not be and cannot be solely relied upon in any instance to identify and/or remediate information security deficiencies.

Further, the observations and recommendations herein do not identify the cause of a possible deficiency or the cause of any

previously unidentified deficiencies. The causes of the deficiencies must be determined and addressed by management for the

recommendations selected to be relevant.

© 1996-2013 SekChek IPS. All rights reserved.

SekChek is a registered trademark of SekChek IPS. All other trademarks are the property of their respective owners.

Contents

SekChek Options 5

System Details 6

System Configuration 7

1. Report Summary 11

1.1 Comparisons Against Industry Average and Leading Practice 12

1.2 Answers to Common Questions 19

1.3 Summary of Changes since the Previous Analysis 23

2. Domain Structure 24

3. Domain Accounts Policy 28

4. Domain Controller Policy Settings (Local Policy) 31

4.1 Audit Policy Settings 31

4.2 Event log Settings 36

4.3 Security Option Settings 38

5. Group Policy Objects 42

5.1 Description and Properties for Group Policy Objects 42

5.2 Summary of GPOs defined on the system 44

5.3 Summary of GPOs and their Links to OUs 45

5.4 Summary of OUs and their Links to GPOs 46

5.5 GPOs Defined and their Details 47

5.6 GPO Version Discrepancies 58

6. Password Setting Objects (PSOs) 59

7. Customer-Selected Registry Key Values 61

8. User Accounts Defined In The Domain 62

9. Groups Defined In the Domain 65

10. Domain Local Groups and their Members 68

11. Domain Global Groups and their Members 72

12. Domain Universal Groups and their Members 75

13. Last Logons, 30 Days and Older 76

14. Passwords, 30 Days and Older 78

15. Passwords that Never Expire 80

16. Accounts not Requiring a Password 82

17. Invalid Logon Attempts Greater than 3 84

18. Users not Allowed to Change Passwords 85

19. Accounts with Expiry Date 86

20. Disabled Accounts 87

21. Locked Out Accounts 88

22. Accounts Whose Passwords Must Change at Next Logon 89

23. Accounts Created in the Last 90 Days 90

24. Rights and Privileges 92

24.1 Descriptions & General Recommendations for Rights 94

24.2 Rights Assigned to Local Groups 98

24.3 Rights Assigned to Universal Groups (Native mode only) 100

24.4 Rights Assigned to Global Groups 101

24.5 Rights Assigned to Users 102

24.6 Rights Assigned to Well-Known Objects 109

24.7 Rights Assigned to External Objects 110

25. Discretionary Access Controls (DACL) for Containers 111

26. Trusted and Trusting Domains 112

27. Servers and Workstations 114

28. Domain Controllers in the Domain 115

29. Accounts Allowed to Dial In through RAS 117

30. Services and Drivers on the Machine 119

31. Server Roles and Features 140

32. Task Scheduler 142

33. Security Updates, Patches and Hot-Fixes 143

34. Products Installed 144

35. Current Network Connections 146

36. Logical Drives 148

37. Network Shares 149

38. Home Directories, Logon Scripts and Profiles 150

39. File Permissions and Auditing 152

Security Analysis: TESTBED


Analysis Date: 08-Nov-2013 CONFIDENTIAL

Produced by SekChek® for Windows V1.0.737, 10-Nov-2013 (Ref. 1201250012) Page 5 of 154

SekChek Options

Reference Number 1201250012

Requester Internal Audit

Telephone Number +44 (20) 123 4567

City London

Client Country UK

Charge Code Snake - Windows

Client Code SEK001

Client Industry Type Manufacturing

Host Country Belize

Security Standards Template 0 - SekChek Default

Evaluate Against Industry Type Manufacturing

Compare Against Previous Analysis Not Selected

Scan All DCs for Last Logon Times Yes (scanned 2 of 2 DCs)

Report Format Word 2007

Paper Size A4 (21 x 29.7 cms)

Spelling English UK

Large Report Format MS-Excel spreadsheet

Large Report (Max Lines in Word Tables) 1500

Summary Document Requested Yes

Scan Software Version Used Version 5.1.0

Scan Software Release Date 08-Nov-2013

Your SekChek report was produced using the above options and parameters.

You can change these settings for all files you send to us for processing via the Options menu in the SekChek Client software on your PC. You can also tailor them (i.e. temporarily override your default options) for a specific file via the Enter Client Details screen. This screen is displayed:

For SekChek for NetWare and Windows - during the Scan process on the target Host system;

For SekChek for AS/400 and UNIX - during the file encryption process in the SekChek Client software.





System Details

Domain Name Snake.com (SNAKE)

Domain Sid *S-1-5-21-601740674-2353673397-942277617

Forest Snake.com

DC Functionality Windows Server 2008 R2 Mode

Domain Functionality** Windows Server 2003 Domain Mode

Forest Functionality** Windows 2000 Forest Mode

Computer Domain Controllers/PUFFADDER

Site Name Default-First-Site-Name

Windows Version 6.1 (Windows 2008 R2)

Build / Service Pack 7601/Service Pack 1

System Locale Id 2052 (x804)

Scan Time 08-Nov-2013 15:47

Scanned By Users/ Administrator

Report Date: 10 November, 2013

** Functional Levels (available from SekChek V5.0.4 / Windows Server 2003)

DC Functionality: The functional level of the Domain Controller (DC)

Domain Functionality: The functional level of the domain

Forest Functionality: The functional level of the forest

General Note

In Active Directory domains, objects, such as user accounts belong to a container object (e.g. an Organizational Unit in a domain or the domain object itself). In this report the path of objects are usually listed. The format of the path is, for example, Orgunit x/Orgunit y. The “/” character separates the containers in the path.

Paths are listed from the highest level down. A path can contain a domain name as the first container, for example, abc.xyz.com as a domain name. When the domain name is listed in the path, it means that the containers and object in that path belong to a domain other than the one being analysed.

If a path is not listed for an object, it means that the object was defined at the domain level container and not in any container object of the domain. .





System Configuration

Operating System

OS Name Microsoft Windows Server 2008 R2 Enterprise

OS Version, Build 6.1.7601

OS Architecture 64-bit

OS Locale Id x0804

OS Serial Number 12345-6789-5183281-84887

OS Installed 2012-08-29

Last BootUp 2013-11-06

Country Code 86

Time Zone GMT +02:00

Boot Device \Device\HarddiskVolume1

System Drive C:

Windows Directory C:\Windows

System Directory C:\Windows\system32

PAE Enabled No

Visible Memory 1.000 GB

Free Memory 0.247 GB

Encryption Level 256 bits

OS Language English - United States

OS Stock Keeping Unit Name Enterprise Server Edition

Maximum Number of Processes Unknown

Number of Licensed Users Unlimited

Number of Current Users 3

Registered User Windows User

Data Execution Prevention (DEP)...

DEP Available Yes

DEP Enabled for 32-bit Appls Yes

DEP Enabled for Drivers Yes

DEP Policy Opt Out

System Recovery Options

Write an event to the system log Yes

Send an administrative alert No

Automatically restart Yes

Write debugging information Kernel memory dump

Dump file %SystemRoot%\MEMORY.DMP

Overwrite any existing file Yes

BIOS

Manufacturer American Megatrends Inc.

BIOS 080002

Version 2.3

Release Date 2010-05-05





Base Board (Motherboard)

Manufacturer Microsoft Corporation

Product Virtual Machine

Serial Number 1234-5678-6758-7771-5390-6277-74

Version 7.0

Page Files

Number of Page Files 1

Name of Page File #1 C:\pagefile.sys

Temporary Page File No

Create Date 2011-08-29

Allocated Size 1.000 GB

Current Usage 0.179 GB

Peak Usage 0.199 GB

Computer

Manufacturer Microsoft Corporation

Model Virtual Machine

System Type x64-based PC

Remote Desktop Enabled Unknown

Nbr of Processors 1

Total Memory 1.000 GB

System Registry Size Current = 100.3 MB; Max allowed = 2,048.0 MB

Screen Resolution 1680 x 1050 pixels

BootUp State Normal boot

Wake-up Type Power Switch

Boot ROM Supported Yes

Infrared (IR) Supported No

Power Management Supported No

Computer Role Primary Domain Controller

Computer Name PUFFADDER

Computer Sid *S-1-5-21-601740674-2353673397-942277617-1106

Domain Name (short) SNAKE

Domain Name (DNS) Snake.com

Processors

Number of Processors 1

Processor #1...

Manufacturer AuthenticAMD

Name AMD Opteron(tm) Processor 6172

Family AMD Opteron 6172

Description AMD64 Family 16 Model 9 Stepping 1

Processor Id 1F8BFBFF000106A5

Clock Speed 3,108 MHz

External Clock Speed 200 MHz

Address Width 64 bits

Data Width 64 bits





Level 2 Cache Size 512 KB

Level 2 Cache Speed Unknown MHz

Number of Cores 1

Nbr of Logical Processors 1

Chip Socket None

Availability Running/Full Power

Network Adapters (IP enabled)

Connection Id Local Area Connection

Connection Status Connected

Name Microsoft Hyper-V Network Adapter #2

Service Name netvsc

Manufacturer Microsoft

Adapter Type Ethernet 802.3

Speed (Mbs) 10,000 Mbs

Last Reset 2013-11-08 14:13:38

IP Enabled Yes

IP Address 200.200.100.234

IP Subnet 255.255.255.0

Default Gateway

MAC Address 00:15:5D:64:2F:1A

DHCP Enabled No

DHCP Lease Expires

DHCP Lease Obtained

DHCP Server

DNS Search Order 200.200.100.235, 127.0.0.1

Windows Firewall

Domain Profile…

Firewall State On (recommended)

Inbound Connections Block, allow exceptions (default)

Outbound Connections Allow (default)

Display Notifications No

Allow Unicast Response Yes (default)

Private Profile…






Public Profile…










Region & Language Options

Current Format English (South Africa)

Time Format 08:46:32

Short Date 08-Nov-2013

Long Date 08 November 2013

Short Date Format dd-MMM-yyyy

Long Date Format dd MMMM yyyy

Currency Symbol R

Currency (International) ZAR

System Locale English (South Africa)

Screen Saver Policy

Scan Account Users/ Administrator

Screen Saver Enabled Yes

Screen Saver Timeout 600 seconds

Screen Saver Secure Yes

User Access Control (UAC)

UAC Enabled Yes





1. Report Summary

The following two charts illustrate the diversity of regions and industries that make up the population of systems running Active Directory in our statistics database. The remaining graphs in the Report Summary section evaluate

security on your system against this broad base of real-life security averages.

SekChek is used by the Big Four audit firms, IS professionals, internal auditors, security consultants & general management in more than 130 countries.

Statistics Population by Region

As new reviews are processed, summaries of the results (excluding client identification) are automatically added to a unique statistics database containing more than 70,000 assessments.

Statistics Population by Industry Type





1.1 Comparisons Against Industry Average and Leading Practice

Summary of Domain Accounts Policy Values

This graph compares the Domain Accounts Policy values against the industry average using the following criteria: Country = <All>; Industry Type = Manufacturing; Machine Size (Nbr of Accounts) = <All>

This and the following summary reports are of most value when they are used to compare ‘snapshots’ of your security measures at different points in time. Used in this way, they provide a fairly clear picture of whether your security measures are improving or becoming weaker.

Industry Average is a dynamic, calculated average for all Active Directory domains analysed by SekChek using the above criteria. It indicates how your security measures compare with those of other organisations using Microsoft Windows systems.

Leading Practice is the standard adopted by the top 10 to 20 percent of organisations.

Asterisks (*) after Policy Values indicate their relative importance and individual contribution towards security of your system. I.e. Policy Values followed by 3 asterisks (***) are considered more important, and to have a greater impact on security than those followed by 1 asterisk (*). This is an approximation and should be used as a guide only.

For more information and details, see the report sections Domain Accounts Policy.





Comparisons Against Industry Average and Leading Practice (continued)

Summary of Domain User Accounts

This graph compares against the industry average using the following criteria: Country = <All>; Industry Type = Manufacturing; Machine Size (Nbr of Accounts) = Very Small

Above the industry average; About average; Below average

Total number of user accounts defined to your domain: 16

This summary report presents the number of user accounts, with the listed characteristics, as a percentage of the total number of accounts defined to your domain. In general, longer bars highlight potential weaknesses in your security measures and should be investigated. For more details, refer to the relevant sections in the main body of the report.

The graph is sorted in order of importance. This is an approximation and should be used as a guide only.






Summary of Effective Rights for the Domain Controller



This summary report presents the number of user accounts, with the listed rights, as a percentage of the total number of accounts defined to the domain controller. These rights are applied via the Local Policy of the domain controller being analysed. Other domain controllers may have different rights defined. For more details of rights assigned, refer to the Rights Assigned to Users sections in the main body of the report.

The graph is sorted in alphabetical sequence.






Summary of Domain User Accounts (excluding disabled accounts)



Total number of user accounts defined to your system: 16

This summary report presents the number of enabled accounts (i.e. excluding accounts with a status of disabled or accounts that are locked) with the listed characteristics, as a percentage of the total number of accounts defined to your system. In general, longer bars highlight potential weaknesses in your security measures and should be investigated. For more details, refer to the relevant sections in the main body of the report.







Summary of Effective Rights for the Domain Controller (excl. disabled accounts)



This summary report presents the number of enabled accounts (i.e. excluding accounts with a status of disabled or

accounts that are locked) with the listed rights, as a percentage of the total number of accounts defined to your system. For more details, refer to the Rights Assigned to Users sections in the main body of the report.

The graph is sorted in alphabetical sequence.






Summary of Domain Administrator Accounts



Total number of user accounts with administrative privileges defined to your domain: 2

This summary report presents the number of administrator accounts (i.e. accounts that have administrative privileges), with the listed characteristics, as a percentage of the total number of administrator accounts defined to your domain. In general, longer bars highlight potential weaknesses in your security measures and should be investigated. For more details, refer to the relevant sections in the main body of the report.







Summary of Domain Administrator Accounts (excluding disabled accounts)



Total number of user accounts with administrative privileges defined to your system: 2

This summary report presents the number of enabled administrator accounts (i.e. accounts that have administrative privileges, excluding those accounts with a status of disabled or accounts that are locked) with the listed characteristics, as a percentage of the total number of administrator accounts defined to your system. In general, longer bars highlight potential weaknesses in your security measures and should be investigated. For more details, refer to the relevant sections in the main body of the report.






1.2 Answers to Common Questions

The following charts are intended to provide quick answers to the most common questions regarding security of a system.

The diagrams highlight the relative numbers of objects with the listed attributes. The total population used to plot each chart is included in brackets () after each chart title. Each section includes a link to more detailed information contained in other sections of this report.

When were the user accounts created?

The charts show when user accounts were created on your system. Grouped by all accounts and accounts with Administrative privileges. Includes active and disabled accounts.

More information: Accounts Created in the Last 90 Days

When were the group and computer accounts created?

The chart shows when the group and computer accounts were created on your system.

More information: Accounts Created in the Last 90 Days





What is the status of user accounts?

The charts analyse user accounts by their status: active or disabled. An account may be disabled because: its status has been set to disabled; the account has expired; or the account was locked by the system due to excessive password guessing attempts. Note that an account may be both locked and expired, or disabled and expired.

5 out of 16 accounts are disabled on this system.

More information: Disabled Accounts, Locked Accounts, Accounts with Expiry Date

How active are user accounts?

The charts indicate when accounts were last used to logon to the system. Grouped by all accounts and accounts with Administrative privileges. Excludes disabled accounts.

SekChek queried 2 out of 2 domain controllers to obtain the information.

More information: Last Logons, 30 Days and Older

How frequently do users change their passwords?

The charts show when user login passwords were last changed. ‘Next Logon’ means that the password must be changed the next time the account is used to logon to the domain. Grouped by all accounts and accounts with Administrative privileges. Excludes disabled accounts.

More information: Passwords, 30 Days and Older, Password Must Change at Next Logon





Are users forced to change their passwords?

The charts show the percentage of accounts with a password that is not required to be changed. Grouped by all accounts and accounts with Administratrative privileges. Excludes disabled accounts.

More information: Passwords that Never Expire

Are users allowed to change their passwords?

The charts show the percentage of accounts that are not allowed to change their passwords. Grouped by all accounts and accounts with Administrative privileges. Excludes disabled accounts.

More information: User Accounts not Allowed to Change Password

Are users allowed to login without a password?

The charts show the percentage of accounts that may have their passwords set to zero length (blank) by an administrative account. Grouped by all accounts and accounts with Administrative privileges. Excludes disabled accounts.

More information: Accounts not Requiring a Password





What privileges are assigned to user accounts?

The chart shows the percentage of user accounts with Administrative, User and Guest privileges. These privileges are determined by group memberships. Excludes disabled accounts.

More information: User Accounts Defined In The Domain

What are the types of group accounts?

The chart analyses security groups by group type. Excludes Distribution groups.

More information: Groups Defined In the Domain

What are the service types and their start types?

These charts summarise the types of services and drivers installed on the system and their start types. The charts include running and stopped services.

More information: Services and Drivers





1.3 Summary of Changes since the Previous Analysis Need to quickly highlight changes in security controls since your previous review? SekChek’s latest time-comparison graphs are just the solution!

Note: The above graph is provided for illustrative purposes only.

A collection of easy-to-read reports in a very familiar format provides you with visual indicators of:

Whether security has improved, weakened, or remained about the same since your previous analysis

The effectiveness of your measures to strengthen controls

Whether risk is increasing or decreasing

The degree of change, both positive and negative The applications are endless. Some of the practical benefits are:

Time savings. Reduced time spent poring over volumes of unconnected information

Objectivity. The results are guaranteed to be the same regardless of who performs the review

Compliance with legislation. Easier monitoring for compliance with statutory requirements imposed by SOX, HIPAA and other legislative changes relating to corporate governance

More powerful justifications. The ability to present more convincing arguments to senior, non-technical management who do not have the time, or the inclination, to understand masses of technical detail

Interested? Contact us at [email protected] to find out how to get started!

mailto:[email protected]





2. Domain Structure This report section lists the Container objects in the domain.

It summarises the Directory structure for your domain and may help you to understand the overall structure of the domain’s Directory structure, especially where it is large or complex.

Section Detail

Object Name Object Type

Snake.com domainDNS

--- Amazon organizationalUnit

--- Builtin builtinDomain

--- Computers container

--- Domain Controllers organizationalUnit

--- ForeignSecurityPrincipals container

--- Managed Service Accounts container

--- Program Data container

------ Microsoft container

--- System container

------ AdminSDHolder container

------ ComPartitions container

------ ComPartitionSets container

------ DomainUpdates container

--------- ActiveDirectoryUpdate container

--------- Operations container

------------ 0b7fb422-3609-4587-8c2e-94b10f67d1bf container

------------ 0e660ea3-8a5e-4495-9ad7-ca1bd4638f9e container

------------ 10b3ad2a-6883-4fa7-90fc-6377cbdc1b26 container

------------ 13d15cf0-e6c8-11d6-9793-00c04f613221 container

------------ 231fb90b-c92a-40c9-9379-bacfc313a3e3 container

------------ 2416c60a-fe15-4d7a-a61e-dffd5df864d3 container

------------ 293f0798-ea5c-4455-9f5d-45f33a30703b container

------------ 3051c66f-b332-4a73-9a20-2d6a7d6e6a1c container

------------ 3c784009-1f57-4e2a-9b04-6915c9e71961 container

------------ 3e4f4182-ac5d-4378-b760-0eab2de593e2 container

------------ 446f24ea-cfd5-4c52-8346-96e170bcb912 container

------------ 4aaabc3a-c416-4b9c-a6bb-4b453ab1c1f0 container

------------ 4c93ad42-178a-4275-8600-16811d28f3aa container

------------ 4dfbb973-8a62-4310-a90c-776e00f83222 container

------------ 51cba88b-99cf-4e16-bef2-c427b38d0767 container

------------ 57428d75-bef7-43e1-938b-2e749f5a8d56 container

------------ 5c82b233-75fc-41b3-ac71-c69592e6bf15 container

------------ 5e1574f6-55df-493e-a671-aaeffca6a100 container

------------ 61b34cb0-55ee-4be9-b595-97810b92b017 container

------------ 6ada9ff7-c9df-45c1-908e-9fef2fab008a container






------------ 6bcd5678-8314-11d6-977b-00c04f613221 container


------------ 6bcd567a-8314-11d6-977b-00c04f613221 container

------------ 6bcd567b-8314-11d6-977b-00c04f613221 container

------------ 6bcd567c-8314-11d6-977b-00c04f613221 container

------------ 6bcd567d-8314-11d6-977b-00c04f613221 container

------------ 6bcd567e-8314-11d6-977b-00c04f613221 container

------------ 6bcd567f-8314-11d6-977b-00c04f613221 container











------------ 6bcd568a-8314-11d6-977b-00c04f613221 container

------------ 6bcd568b-8314-11d6-977b-00c04f613221 container

------------ 6bcd568c-8314-11d6-977b-00c04f613221 container

------------ 6bcd568d-8314-11d6-977b-00c04f613221 container

------------ 6E157EDF-4E72-4052-A82A-EC3F91021A22 container

------------ 6ff880d6-11e7-4ed1-a20f-aac45da48650 container

------------ 71482d49-8870-4cb3-a438-b6fc9ec35d70 container

------------ 7868d4c8-ac41-4e05-b401-776280e8e9f1 container

------------ 7cfb016c-4f87-4406-8166-bd9df943947f container

------------ 7ffef925-405b-440a-8d58-35e8cd6e98c3 container

------------ 82112ba0-7e4c-4a44-89d9-d46c9612bf91 container

------------ 8437C3D8-7689-4200-BF38-79E4AC33DFA0 container

------------ 860c36ed-5241-4c62-a18b-cf6ff9994173 container

------------ 8ca38317-13a4-4bd4-806f-ebed6acb5d0c container

------------ 8ddf6913-1c7b-4c59-a5af-b9ca3b3d2c4c container

------------ 9738c400-7795-4d6e-b19d-c16cd6486166 container

------------ 98de1d3e-6611-443b-8b4e-f4337f1ded0b container

------------ 9cac1f66-2167-47ad-a472-2a13251310e4 container

------------ a1789bfb-e0a2-4739-8cc0-e77d892d080a container

------------ a3dac986-80e7-4e59-a059-54cb1ab43cb9 container

------------ a86fe12a-0f62-4e2a-b271-d27f601f8182 container

------------ ab402345-d3c3-455d-9ff7-40268a1099b6 container

------------ aed72870-bf16-4788-8ac7-22299c8207f1 container

------------ b96ed344-545a-4172-aa0c-68118202f125 container

------------ bab5f54d-06c8-48de-9b87-d78b796564e4 container






------------ c4f17608-e611-11d6-9793-00c04f613221 container

------------ c88227bc-fcca-4b58-8d8a-cd3d64528a02 container

------------ d262aae8-41f7-48ed-9f35-56bbb677573d container

------------ d85c0bfd-094f-4cad-a2b5-82ac9268475d container

------------ dda1d01d-4bd7-4c49-a184-46f9241b560e container

------------ de10d491-909f-4fb0-9abb-4b7865c0fe80 container

------------ f3dd09dd-25e8-4f9c-85df-12d6d2f2f2f5 container

------------ f58300d1-b71a-4db6-88a1-a8b9538beaca container

------------ f607fd87-80cf-45e2-890b-6cf97ec0e284 container

------------ f7ed4553-d82b-49ef-a839-2f38a36bb069 container

--------- Windows2003Update container

------ IP Security container

------ Meetings container

------ MicrosoftDNS container

------ Policies container

--------- {31B2F340-016D-11D2-945F-00C04FB984F9} groupPolicyContainer

------------ Machine container

------------ User container

--------- {4AFDCFC6-BAED-4E1D-A3F8-6D5DC846945A} groupPolicyContainer



--------- {5471F07B-E3BF-47E6-A2DF-40E55805852D} groupPolicyContainer



--------- {6AC1786C-016F-11D2-945F-00C04fB984F9} groupPolicyContainer



--------- {F754BFE4-52E2-45B3-9034-36D5C65E8700} groupPolicyContainer



--------- {F9BA3B20-1DDA-41D1-B91A-77D94D6EAB7F} groupPolicyContainer



------ RAS and IAS Servers Access Check container

------ WinsockServices container

------ WMIPolicy container

--------- PolicyTemplate container

--------- PolicyType container

--------- SOM container

--------- WMIGPO container

--- TEST GPO PC organizationalUnit

--- Users container





Domain

In Active Directory a domain is a collection of computers defined by the administrator of a Windows 200x* Server network that shares a common directory database.

A domain provides access to the centralized user accounts and group accounts maintained by the domain administrator. Each domain defines both an administrative boundary and a security boundary for a collection of objects that are relevant to a specific group of users on a network.

A domain is an administrative boundary because administrative privileges do not extend to other domains. It is a security boundary because each domain has a security policy that extends to all accounts within the domain.

Domains can be organised into parent-child relationships to form a hierarchy, which is called a domain tree. The domains that are part of a domain tree implicitly trust each other. Multiple domain trees can be connected together into a forest. All trees in a given forest trust each other via transitive hierarchical trust relationships.

Organizational Unit

An Organizational Unit (OU) is a general-purpose container that can hold objects and other OUs to create a hierarchy within a domain. OUs can form logical administrative units for users, groups, and resource objects, such as printers, computers, applications, and file shares. In large domains, various administrative tasks (such as access rights specification) can be delegated to an administrator for a specific OU, thereby freeing domain administrators from having to support such changes by proxy.

Container

A Container is used for grouping different objects together.

Group Policy Container

A Group Policy Container contains Group Policy objects.

Active Directory Objects

Active Directory objects are either container objects (e.g. OUs and Containers) or leaf objects. A container object stores other objects, and, as such, occupies a specific level in a tree or sub tree hierarchy. A leaf object does not contain other objects.





3. Domain Accounts Policy This report lists the effective Domain Account Policies defined for your system and compares them with Leading Practice.

Policy Policy Value Leading Practice

Minimum Password Length 7 8 or greater

Effective Minimum Password Length 7 8 or greater

Maximum Password Age in Days 20 30 to 60

Minimum Password Age in Days 1 0

Password History Size 24 22 or greater

Password Complexity Enabled Enabled

Reversible Password Encryption Disabled Disabled

Lockout Threshold 3 3

Lockout Duration 0 0

Reset Lockout Counter in Minutes 30 1440

Force Logoff When Logon Time Expires Disabled Enabled

Rename Administrator Account Not Defined New Name

Rename Guest Account Not Defined New Name

Allow Lockout of Local Administrator Account Disabled Enabled

Disable Password Changes for Machine Accounts Disabled Disabled

Number of Password Setting Objects (PSOs) defined on the system: 1

Leading Practice is the standard adopted by the top 10 to 20 percent of organisations.

Functions of Accounts Policy Values and Potential Exposures

Domain Accounts Policy values set the defaults for all accounts in a domain.

Note that certain account policies can be overridden by policies defined in Password Setting Objects (from Windows 2008) and settings defined at account level.

Appropriate policy values do not necessarily mean that security at account level is similarly appropriate. You should consult other sections of this report to confirm that security settings for individual accounts do not override your intended policy settings.

Minimum Password Length

Defines the minimum number of characters a password must contain. If it is zero then blank passwords are allowed. Allowing blank passwords is a very high security risk, as it could allow any person in possession of a valid User ID (Account Name) to gain access to your system if the account has a null password.

This policy can be overridden by the Password Complexity policy. See Effective Minimum Password Length for details.

The Leading Practice value is 8 or greater.

Effective Minimum Password Length

The effective minimum number of characters a password must contain when changing a user password. The value is calculated from the settings of the Minimum Password Length and Password Complexity parameters.

If the Password Complexity policy is enabled, the system will only accept user passwords with a minimum of 3 characters that comply with Password Complexity requirements.





For example:

If the Minimum Password Length is 0 and the Password Complexity policy is enabled then the Effective Minimum Password Length will be 3.

If the Minimum Password Length is 0 and the Password Complexity policy is disabled then the Effective Minimum Password Length will be 0.

If the Minimum Password Length policy is set to a value of 3 or greater then the Effective Minimum Password Length will be the same as the Minimum Password Length policy regardless of the setting of the Password Complexity policy.

Maximum Password Age in Days

The period of time a password can be used before the system forces the user to change it. The value can be between 1 and 999 days.

A value of 0 means that passwords never expire. Passwords that never expire are a security risk as they can be compromised over time.

Note that it is possible to override this value in individual user accounts via the Password Never Expires option. Consult the Passwords that Never Expire report section.

The Leading Practice value is 30 days.

Minimum Password Age in Days

The minimum number of days that must elapse between password changes. The value can be between 0 and 999 days. A value of ‘0’ allows a user to change her password immediately if she suspects it is known by someone else.

However, this setting can increase the risk of passwords remaining the same despite system-enforced changes. This is because a user could change her password several times in quick succession until it is set back to the original value. Setting the Password History Size to a sufficiently large value can reduce this risk.

The Leading Practice value is 0 (no restrictions).

Password History Size

Determines whether old passwords can be reused. It is the number of new passwords that must be used by a user account before an old password can be reused. For this to be fully effective, immediate changes should not be allowed under Minimum Password Age.

The Leading Practice value is 22 or greater.

Password Complexity

In order to meet the password complexity requirement, passwords must contain characters from (for example) at least three (3) of the following four (4) classes:

English Upper Case Letters (A, B, C, ... Z)

English Lower Case Letters (a, b, c, ... z)

Westernised Arabic Numerals (0, 1, 2, ... 9)

Non-alphanumeric ("Special characters") (E.g., punctuation symbols)

This policy has an effect on the Effective Minimum Password Length.

Reversible Password Encryption

Determines whether Windows 200x* will store passwords using reversible encryption.

This policy setting provides support for applications, which use protocols that require knowledge of the user password for authentication purposes. Storing passwords using reversible encryption is essentially the same as storing clear-text versions of the passwords. For this reason, this policy should not be enabled unless application requirements outweigh the need to protect password information.

By default, this setting is disabled in the Default Domain Group Policy for domains and in the local security policy of workstations and servers.

Lockout Threshold, Lockout Duration and Reset Lockout Counter in Minutes

Lockout Threshold indicates the number of failed logon attempts for user accounts before accounts are locked out. The value can be 1 to 999 failed attempts. A value of 0 will allow an unlimited number of failed logon attempts.





Lockout Duration indicates the amount of time an account will remain locked out when the Lockout Threshold is exceeded. The value can be 1 to 99999 minutes; a value of 0 (forever) indicates that the account cannot log on until an administrator unlocks it. N/A is set when Lockout Threshold is set to 0.

Reset Lockout Counter in Minutes. Specifies the period within which invalid logon attempts are monitored. I.e. if the number of failed logon attempts defined in Lockout Threshold is reached within the number of minutes defined for Reset Lockout Counter in Minutes the account is locked out for the period specified under Lockout Duration. The value for Reset Lockout Counter in Minutes can be 1 to 99999 minutes.

Allowing an excessive or unlimited number of invalid logon attempts can compromise security and allow intruders to log on to your system.

Setting the Lockout Duration to 0 (forever) will help ensure that administrators are alerted of potential intruder attacks as only they can unlock accounts.

Setting Lockout Duration to a small amount (e.g. 5 minutes) will undermine the effectiveness of the Lockout Threshold and administrators might not be alerted to potential intruder attacks.

If the value for Reset Lockout Counter in Minutes is too small (e.g. 1 minute) it will increase the risk of intruders gaining access to your system via repeated password guessing attempts. If the value is too high it may inconvenience genuine users by locking out their accounts when they enter incorrect passwords accidentally.

The Leading Practice values are:

Lockout Threshold = 3

Lockout Duration = 0 (Forever)

Reset Lockout Counter in Minutes = 1440 minutes

Force Logoff When Logon Time Expires

When enabled users will be forcibly disconnected from servers on the domain immediately after their valid logon hours are exceeded. Valid logon hours are defined at user account level.

This option enhances security by ensuring that users are disconnected if they exceed their valid logon hours or do not log off when leaving work. However, it could be disruptive to users who have to work after hours and could compromise data integrity etc.

This option should be used at the discretion of Management.

Rename Administrator, Rename Guest

It is good practice to ensure the Administrator and Guest built-in accounts are renamed via policy. This will minimise the risks of intruders using these well-known accounts when attempting to log on to the domain.

Keep in mind that these accounts can also be renamed manually (for example, via the Active Directory Users and Computers interface). However, when compared to the irrevocable policy change method, the disadvantage of the manual approach is that administrative users can simply rename these accounts at a later stage (possibly back to Administrator and Guest).

Allow Lockout of Local Administrator Account

Allows the built-in administrator account to be locked out from network logons. This policy setting can be modified using the “passprop” command-line utility, which is included in the Windows 2000 Resource Kit.

Disable Password Changes for Machine Accounts

Removes the requirement that the machine account password be automatically changed every week. This value is ignored in Windows XP and later.





4. Domain Controller Policy Settings (Local Policy) The following 3 subsections relate to the Local Policy on the domain controller being analysed.

In Active Directory, each domain controller can have different local policy settings. domain controllers generally inherit the same local policy settings because they typically belong to the same OU (e.g. Domain Controllers) to which the same policies apply. However, if domain controllers belong to different OUs, then different policy settings can be applied to them.

This has important security implications as an account can, for example, be granted powerful rights on one or more domain controller while being denied the same rights on other domain controllers. The policy for domain controllers can then be inconsistent and increase security risks.

This report provides policy settings for the domain controller where the SekChek Scan process was run.

4.1 Audit Policy Settings

Account Logon Audited Events

Credential Validation Success & Failure

Kerberos Authentication Service Failure

Kerberos Service Ticket Operations Failure

Other Account Logon Events Failure

Account Management Audited Events

Application Group Management Success

Computer Account Management Success

Distribution Group Management Success

Other Account Management Events Success

Security Group Management Success

User Account Management Success

Detailed Tracking Audited Events

DPAPI Activity Success

Process Creation Success & Failure

Process Termination Success

RPC Events Success

DS Access Audited Events

Detailed Directory Service Replication No Auditing

Directory Service Access No Auditing

Directory Service Changes Success

Directory Service Replication No Auditing

Logon / Logoff Audited Events

Account Lockout Success

Audit User / Device Claims ** Failure

IPsec Extended Mode Failure

IPsec Main Mode Success

IPsec Quick Mode Failure

Logoff Success

Logon Success & Failure





Network Policy Server Failure

Other Logon/Logoff Events Failure

Special Logon Failure

Object Access Audited Events

Application Generated Success & Failure

Central Access Policy Staging ** Failure

Certification Services No Auditing

Detailed File Share Failure

File Share Success & Failure

File System No Auditing

Filtering Platform Connection Success & Failure

Filtering Platform Packet Drop Success & Failure

Handle Manipulation Success & Failure

Kernel Object No Auditing

Other Object Access Events Failure

Registry Failure

Removable Storage ** Failure

SAM No Auditing

Policy Change Audited Events

Audit Policy Change Success & Failure

Authentication Policy Change Success & Failure

Authorization Policy Change Success

Filtering Platform Policy Change Success

MPSSVC Rule-Level Policy Change Success

Other Policy Change Events Success

Privilege Use Audited Events

Non Sensitive Privilege Use Failure

Other Privilege Use Events Failure

Sensitive Privilege Use Failure

System Audited Events

IPsec Driver Success

Other System Events Success

Security State Change Success & Failure

Security System Extension Success

System Integrity Success & Failure





Explanation of Audit Policy Settings

Account Logon Audit logon attempts by privileged accounts that log on to the domain controller. These audit events are generated when the Kerberos Key Distribution Center (KDC) logs on to the domain controller.

Credential Validation Audits events generated by validation tests on user account logon credentials.

Kerberos Authentication Service Audits events generated by Kerberos authentication ticket-granting ticket (TGT) requests.

Kerberos Service Ticket Operations Audits events generated by Kerberos service ticket requests.

Other Account Logon Events Audits events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets.

Account Management Audit attempts to create, delete, or change user or group accounts. Also, audit password changes.

Application Group Management Audits events generated by changes to application groups.

Computer Account Management Audits events generated by changes to computer accounts, such as when a computer account is created, changed, or deleted.

Distribution Group Management Audits events generated by changes to distribution groups.

Other Account Management Events Audits events generated by other user account changes that are not covered in this category.

Security Group Management Audits events generated by changes to security groups.

User Account Management Audits changes to user accounts.

Detailed Tracking Audit-specific events, such as program activation, some forms of handle duplication, indirect access to an object, and process exit.

DPAPI Activity Audits events generated when encryption or decryption requests are made to the Data Protection application interface (DPAPI). DPAPI is used to protect secret information such as stored password and key information.

Process Creation Audits events generated when a process is created or starts. The name of the application or user that created the process is also audited.

Process Termination Audits events generated when a process ends.

RPC Events Audits inbound remote procedure call (RPC) connections.

DS Access Audit attempts to access the directory service.

Detailed Directory Service Replication Audits events generated by detailed AD DS replication between domain controllers.

Directory Service Access Audits events generated when an AD DS object is accessed.

Only AD DS objects with a matching SACL are logged.

Directory Service Changes Audits events generated by changes to AD DS objects. Events are logged when an object is created, deleted, modified, moved, or undeleted.

Directory Service Replication Audits replication between two AD DS domain controllers.

Logon / Logoff Audit attempts to log on to or log off of the system. Also, audit attempts to make a network connection.

Account Lockout Audits events generated by a failed attempt to log on to an account that is locked out.

Audit User / Device Claims ** From Server 2012.

Audits user and device claims information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created.

User claims are added to a logon token when claims are included with a user's account attributes in Active Directory.

IPsec Extended Mode Audits events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations.

IPsec Main Mode Audits events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations.

IPsec Quick Mode Audits events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations.

http://msdn.microsoft.com/en-gb/library/windows/desktop/ms721590(v=vs.85).aspx#_security_key_distribution_center_gly

http://msdn.microsoft.com/en-gb/library/43f5bde9-36cf-4d5a-af80-8c687cce8b60#ticket_granting_ticket

http://msdn.microsoft.com/en-gb/library/0e57a2df-f576-4f59-8c6e-9515567f9900#ad_ds





Logoff Audits events generated by closing a logon session. These events occur on the computer that was accessed. For an interactive logon, the security audit event is generated on the computer that the user account logged on to.

Logon Audits events generated by user account logon attempts on a computer.

Network Policy Server Audits events generated by RADIUS (IAS) and Network Access Protection (NAP) user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock.

Other Logon/Logoff Events Audits other events related to logon and logoff that are not included in the Logon/Logoff category.

Special Logon Audits events generated by special logons.

Object Access Audit attempts to access securable objects.

Application Generated Audits applications that generate events by using the Windows Auditing application programming interfaces (APIs). Applications designed to use the Windows Auditing API use this subcategory to log auditing events related to their function.

Central Access Policy Staging ** From Server 2012.

Audits access requests where the permission granted or denied by a proposed policy differs from that granted or denied by the current central access policy on an object.

Certification Services Audits Active Directory Certificate Services (AD CS) operations.

Detailed File Share Audits every attempt to access objects in a shared folder.

File Share Audits attempts to access a shared folder.

File System Audits user attempts to access file system objects. A security audit event is generated only for objects that have SACLs and only if the type of access requested, such as Write, Read, or Modify, and the account making the request match the settings in the SACL.

Filtering Platform Connection Audits connections that are allowed or blocked by WFP.

Filtering Platform Packet Drop Audits packets that are dropped by Windows Filtering Platform (WFP).

Handle Manipulation Audits events generated when a handle to an object is opened or closed. Only objects with a matching SACL generate security audit events. Open and close handle events will be audited when both the Handle Manipulation subcategory is enabled along with the corresponding resource manager identified by other Object Access audit subcategory, like File System or Registry. Enabling Handle Manipulation causes implementation-specific security event data to be logged identifying the permissions that were used to grant or deny the access requested by the user; this is also known as "Reason for access".

Kernel Object Audits attempts to access the system kernel, which include mutexes and semaphores. Only kernel objects with a matching SACL generate security audit events.

Note: The Audit: Audit the access of global system objects policy setting controls the default SACL of kernel objects.

Other Object Access Events Audits events generated by the management of Task Scheduler jobs or COM+ objects.

Registry Audits attempts to access registry objects. A security audit event is generated only for objects that have SACLs and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL.

Removable Storage ** From Server 2012.

Audits user attempts to access file system objects on any Removable Storage device.

A security audit event is generated for every read or write access to a file object on any Removable Storage device attached to the user’s machine.

SAM Audits events generated by attempts to access Security Accounts Manager (SAM) objects.

Policy Change Audit attempts to change Policy object rules.

Audit Policy Change Audits changes in security audit policy settings.

Authentication Policy Change Audits events generated by changes to the authorization policy.

Authorization Policy Change Audits events generated by changes to the authentication policy.

http://msdn.microsoft.com/en-gb/library/windows/desktop/ms722460(v=vs.85).aspx





Filtering Platform Policy Change Audits events generated by changes to Windows Filtering Platform (WFP).

MPSSVC Rule-Level Policy Change Audits events generated by changes in policy rules used by Windows Firewall.

Other Policy Change Events Audits events generated by other security policy changes that are not audited in the Policy Change category.

Privilege Use Audit attempts to use privileges.

Non Sensitive Privilege Use Audits events generated by the use of nonsensitive privileges (user rights), such as logging on locally or with a Remote Desktop connection, changing the system time, or removing a computer from a docking station.

Other Privilege Use Events Audits other privilege use events.

Sensitive Privilege Use Audits events generated by the use of sensitive privileges (user rights), such as acting as part of the operating system, backing up files and directories, impersonating a client computer, or generating security audits.

System Audit attempts to shut down or restart the computer. Also, audit events that affect system security or the security log.

IPsec Driver Audits events that are generated by the IPsec filter driver.

Other System Events Audits any of the following events:

Startup and shutdown of the Windows Firewall

Security policy processing by the Windows Firewall

Cryptography key file and migration operations

Security State Change Audits events generated by changes in the security state of the computer.

Security System Extension Audits events related to security system extensions or services.

System Integrity Audits events that violate the integrity of the security subsystem.

http://msdn.microsoft.com/en-gb/library/windows/desktop/ms721603(v=vs.85).aspx#_security_privilege_gly





4.2 Event log Settings

Policy Policy Value

Maximum Application Log Size 20480

Maximum Security Log Size 131072

Maximum System Log Size 20480

Restrict Guest Access to Application Log Enabled

Restrict Guest Access to Security Log Enabled

Restrict Guest Access to System Log Enabled

Retain Application Log N/A

Retain Security Log N/A

Retain System Log N/A

Retention Method for Application Log As Needed

Retention Method for Security Log As Needed

Retention Method for System Log As Needed

Shutdown Computer when Security Log is Full Disabled

Event Logs Features

Event logs contain all events logged by the system auditing controls (audit policy). In this way a wide variety of events can be monitored to track different activities. Information can also be gathered about hardware, software, and system problems.

Careful monitoring of event logs can help in predicting and identifying the sources of system problems. For example, if log warnings show that a disk driver can only read or write to a sector after several retries, the sector is likely to go bad eventually.

Event logs can also confirm problems with software. If a program crashes, a program event log can provide a record of activity leading up to the event.

Windows records events in the following Event logs:

Application log

The application log contains events logged for programs/applications.

Security log

The security log contains valid and invalid logon attempts as well as events related to resource use, such as creating, opening, or deleting files or other objects. For example, if you have enabled logon and logoff auditing, attempts to log on to the system are recorded in the security log.

System log

The system log contains events logged by Windows’ system components. For example, the failure of a driver or other system component to load during start up is recorded in the system log. The event types logged by system components are predetermined by Windows.

Log Size and Retention Method for Logs

The Log Size is in Kilobytes. When the Log Size Limit is reached the Retention Method for Logs defines the action that will be taken:

If Overwrite events as needed (As needed) is selected, the log will not be archived. This option is a good choice for

low-maintenance systems.

The Overwrite events older than and Retain Log (in days) options specify the appropriate number of days the log

will be archived at scheduled intervals. This strategy minimises the chance of losing important log entries and at the same time keeps log sizes reasonable.

If the Do not overwrite events (Manually) option is specified all the events will remain in the log. This option requires

that the log be cleared manually. When the maximum log size is reached, new events will be discarded.

If Overwrite events as needed (As needed) or Do not overwrite events (Manually) options are selected, the Retain Log (in days) option is not available (N/A).





Restrict Guest Access to Application, Security, System Logs

It is a good practice to enable this feature as it minimises the risks of unauthorised persons getting read access to logs.

The Shut down when Security Log is Full option ensures that no auditable activities, including security violations,

occur while the system is unable to log them. This option should be used at the discretion of Management, as the system will automatically shutdown when the security log is full.





4.3 Security Option Settings

Policy Description Policy Value

Allow server operators to schedule tasks

Determines if Server Operators are allowed to submit jobs by means of the AT schedule facility. By default, you must be an administrator in order to submit jobs by means of the AT scheduler. Enabling this security policy setting allows members of the Server Operators group to submit AT schedule jobs on Domain Controllers without having to make them Administrators. This policy is not defined by default.

Disabled

Allow system to be shut down without having to log on

Determines whether a computer can be shut down without having to log on to Windows. When this policy is enabled, the Shut Down command is available on the Windows logon screen. When this policy is disabled, the option to shut down the computer does not appear on the Windows logon screen. In this case, users must be able to log on to the computer successfully and have the Shut down the system user right in order to perform a system shutdown. By default, this option is enabled on workstations and disabled on servers in Local Computer Policy.

Disabled

Amount of idle time required before disconnecting session (minutes)

Determines the amount of continuous idle time that must pass in a Server Message Block (SMB) session before the session is disconnected due to inactivity. Administrators can use this policy to control when a computer disconnects an inactive SMB session. If client activity resumes, the session is automatically reestablished. This policy is defined for servers by default in Local Computer Policy with a default value of 15 minutes. This policy is not defined on workstations. For this policy setting, a value of 0 means to disconnect an idle session as quickly as reasonably possible.

15

Audit the access of global system objects

Determines whether access of global system objects will be audited.These objects are not generally visible to or known by a typical user. Enabling this option can introduce so many audit entries into the security log that locating real security problems becomes considerably more difficult. In some situations, this option can be useful. For example, where custom applications are being developed, the “users” are not just the people that interactively log on, but also the programmers who are developing applications. These programmers might be able to directly access these objects.

Disabled

Audit use of backup and restore privilege

When files are being backed up or restored, the system checks to ensure that the user performing the backup has the Backup or Restore right each time a file is copied to or being restored from backup media. By default, the system does not record these events, because this could flood the security log. This option should be enabled only in special cases of auditing of high-level security installations.

Disabled

Clear virtual memory page file when system shuts down

A paging file is a system file, so it cannot be encrypted. The file system security for paging files prevents any user from gaining access to and reading these files, and these security settings cannot be changed. However, someone other than the authorized user might start the computer under a different operating system to read a Windows 2000 paging file. To prevent others from reading the contents of paging files that might contain plaintext of encrypted files, enabling this option will clear the paging files every time the computer shuts down.

Disabled

Digitally sign client communication (always)

Enabling this option ensures that the Client communicates with only those Servers that are enabled for SMB (Server Message Block) message signing.

Disabled

Digitally sign client communication (when possible)

This option enables the Server Message Block (SMB) authentication protocol on the client. SMB places a digital security signature into each message block. If SMB signing is enabled on a server, then clients that are also enabled for SMB signing will use the new protocol during all subsequent sessions and clients that are not enabled for SMB signing will use the older SMB protocol.

Enabled

Digitally sign server communication (always)

Enabling this option ensures that the Server communicates with only those clients that are enabled for SMB (Server Message Block) message signing.

Enabled






Digitally sign server communication (when possible)

This option enables the Server Message Block (SMB) authentication protocol on the server. SMB places a digital security signature into each message block. If SMB signing is enabled on the client, then the server that is also enabled for SMB signing will use the new protocol during all subsequent sessions and the server that is not enabled for SMB signing will use the older SMB protocol.

Enabled

Disable CTRL+ALT+DEL requirement for logon

By default, users are required to press CTRL+ALT+DEL before logging on. This is because programs can be designed to appear as a logon screen and collect account passwords. By pressing CTRL+ALT+DEL these programs can be foiled. Disabling CTRL+ALT+DEL is a potential security risk.

Disabled

Do not display last user name in logon screen

By default, Windows 2000 places the username of the last user to log on the computer in the Username text box of the Logon dialog box. This makes it more convenient for the most frequent user to log on. To help keep usernames secret, you can enable this option. This is especially useful if a computer that is generally accessible is being used, for example, for the (renamed) built-in Administrator account.

Disabled

Message text for users attempting to logon

Windows 2000 can display a message box with the caption and text of your choice before a user logs on. Many organizations use this message box to display a warning message that notifies potential users that they can be held legally liable if they attempt to use the computer without having been properly authorized to do so. The absence of such a notice could be construed as an invitation, without restriction, to enter and browse the system.

Message title for users attempting to logon

This is the title for the message box above.

Prevent system maintenance of computer account password

Determines whether the computer account password should be prevented from being reset every week. As a part of Windows 2000 security, computer account passwords are changed automatically every seven days. If this policy is enabled, the machine is prevented from requesting a weekly password change. If this policy is disabled, a new password for the computer account will be generated every week. This policy is defined by default in Local Computer Policy where it is disabled by default.

Disabled

Prevent users from installing printer drivers

Determines whether members of the Users group are prevented from installing print drivers. If this policy is enabled, it prevents users from installing printer drivers on the local machine. This prevents users from "Adding Printers" when the device driver does not exist on the local machine. If this policy is disabled, then a member of the Users group can install printer drivers on the computer. By default, this setting is enabled on servers and disabled on workstations.

Enabled

Prompt user to change password before expiration (days)

Determines how far in advance Windows 2000 should warn users that their password is about to expire. By giving the user advanced warning, the user has time to construct a sufficiently strong password. By default, this value is set to 14 days.

0

Recovery Console: Allow automatic administrative logon

By default, the Recovery Console requires you to provide the password for the Administrator account before accessing the system. If this option is set, the Recovery Console does not require you to provide a password and will automatically log on to the system. Activating this policy eliminates a security barrier used to protect your computer against intruders. You should only enable this policy on systems that have controlled access to the console, such as those in rooms that can be locked.

Disabled

Recovery Console: Allow floppy copy and access to all drives and all folders

This policy allows a floppy/stiffy drive copy and access to all drives and all folders during a Recovery Console session (a text-mode command interpreter that allows the system administrator to gain access to the hard disk of a computer running Windows 2000, regardless of the file format used, for basic troubleshooting and system maintenance).

Disabled

Restrict CD-ROM access to locally logged-on users only

By default, Windows 2000 allows any program to access files on CDs. In a highly secure, multi-user environment, it can be useful to allow only the person locally logged on to access those devices.

Disabled






Restrict floppy access to locally logged-on users only

By default, Windows 2000 allows any program to access files on floppy/stiffy disks. In a highly secure, multi-user environment, it can be useful to allow only the person locally logged on to access those devices.

Disabled

Secure channel: Digitally encrypt or sign secure channel data (always)

Determines whether the computer will always digitally encrypt or sign secure channel data. When a Windows 2000 system joins a domain, a computer account is created. Thereafter, when the system boots, it uses the password for that account to create a secure channel with the domain controller for its domain. Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but the channel is not integrity checked and not all information is encrypted. If this policy is enabled, all outgoing secure channel traffic must be either signed or encrypted. If this policy is disabled, signing and encryption are negotiated with the domain controller. By default, this policy is disabled. This option should only be enabled if all of the domain controllers in all the trusted domains support signing and sealing.

Enabled

Secure channel: Digitally encrypt secure channel data (when possible)

Determines whether the computer will always digitally encrypt or sign secure channel data. When a Windows 2000 system joins a domain, a computer account is created. Thereafter, when the system boots, it uses the password for that account to create a secure channel with the domain controller for its domain. Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but the channel is not integrity checked and not all information is encrypted. If this policy is enabled, all outgoing secure channel traffic should be encrypted. If this policy is disabled, outgoing secure channel traffic will not be encrypted. By default, this option is enabled.

Enabled

Secure channel: Digitally sign secure channel data (when possible)

Determines whether the computer will always digitally encrypt or sign secure channel data. When a Windows 2000 system joins a domain, a computer account is created. Thereafter, when the system boots, it uses the password for that account to create a secure channel with the domain controller for its domain. Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but the channel is not integrity checked and not all information is encrypted. If this policy is enabled, all outgoing secure channel traffic should be signed. If this policy is disabled, no outgoing secure channel traffic will be signed. By default, this option is enabled.

Enabled

Secure channel: Require strong (Windows 2000 or later) session key

If this policy is enabled, all outgoing secure channel traffic will require a strong (Windows 2000 or later) encryption key. If this policy is disabled, the key strength is negotiated with the Domain Controller (DC). This option should only be enabled if all of the DCs in all trusted domains support strong keys. By default, this value is disabled.

Enabled

Send unencrypted password to connect to third-party SMB servers

If this policy is enabled, the Server Message Block (SMB) redirector is allowed to send clear-text passwords to non-Microsoft SMB servers which do not support password encryption during authentication. By default, this option is disabled. This setting can weaken the overall security of an environment and should only be used after careful consideration of the consequences of plain text passwords in your specific environment.

Disabled

Shut down system immediately if unable to log security audits

Determines whether the system should shut down if it is unable to log security events. If this policy is enabled, it causes the system to halt if a security audit cannot be logged for any reason. Typically, an event will fail to be logged when the security audit log is full and the retention method specified for the security log is either Do Not Overwrite Events or Overwrite Events by Days. If the security log is full and an existing entry cannot be overwritten and this security option is enabled, the following blue screen error will occur: STOP: C0000244 {Audit Failed} An attempt to generate a security audit failed. To recover, an administrator must log on, archive the log (if desired), clear the log, and reset this option as desired. By default, this policy is disabled.

Disabled






Strengthen default permissions of global system objects

Determines the strength of the default discretionary access control list (DACL) for objects. Windows 2000 maintains a global list of shared system resources such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects with what permissions. If this policy is enabled, the default DACL is stronger, allowing non-admin users to read shared objects, but not modify shared objects that they did not create. By default, this option is enabled.

Enabled

Unsigned driver installation behavior

Determines what should happen when an attempt is made to install a device driver (by means of the Windows 2000 device installer) that has not been certified by the Windows Hardware Quality Lab (WHQL). The options are: Silently succeed, Warn but allow installation, Do not allow installation. The default setting is to Warn but allow installation.

Silently succeed

Unsigned non-driver installation behavior

Determines what should happen when an attempt is made to install a device driver (by means of the Windows 2000 device installer) that has not been certified by the Windows Hardware Quality Lab (WHQL). The options are: Silently succeed, Warn but allow installation, Do not allow installation. The default setting is to Warn but allow installation.

Warn, but allow installation

Implications

The correct Security Option settings will enhance security, auditing and management.

Enabling some of these policies can strengthen security but undermine the performance, operational ease of use, or connectivity with clients using third party or earlier versions of authentication protocols. On the other hand, enabling others, will decrease security, but enhance performance, functionality, and connectivity.

Risk Rating

Low to high. (Dependant on the security setting being considered).

Recommended Action

Ensure that Security Option settings are set to appropriate values as required.





5. Group Policy Objects The following five sub-sections list important properties of all the Group Policy Objects (GPOs) defined on your system. This includes their status, their links to Organizational Units (OUs), account permissions over the GPOs and the various policies defined by them.

Description and Properties for Group Policy Objects

Summary of GPOs defined on the system

Summary of GPOs and their Links to OUs

Summary of OUs and their Links to GPOs

Detailed listing of GPOs defined on the system

GPO Version Discrepancies

5.1 Description and Properties for Group Policy Objects GPOs are applied in a hierarchical fashion starting with GPOs linked to Containers at the top of the tree and ending with GPO-links at the bottom of the tree. The sequence in which GPOs are applied is:

The Local GPO on the machine used to login to the system

GPOs linked to Sites

Domain-linked GPOs

GPOs linked to Organizational Units In general, policies applied later override those defined earlier. However, this can be altered by the ‘No Override’ and ‘Block Inheritance’ options, by disabling a GPO-link or a Policy Configuration segment, or by removing ‘Read’ or ‘Apply Policy’ access from accounts. Explanation of Common Terms

What follows is an explanation of the common terms used in this sub-section:

GPO Display Name. The user-friendly name for the GPO.

GPO Exists on Disk. Indicates whether the GPO physically exists in the SYSVOL directory. If it does not exist it

has probably been deleted directly, rather than through the appropriate Group Policy maintenance functions.

Computer Configuration Disabled. Indicates the status of the Computer Configuration part of the GPO. If

disabled, the various policies (e.g. Rights definitions) defined in the Computer segment of the GPO are ignored when the system applies policy on the system.

User Configuration Disabled. Indicates the status of the User Configuration part of the GPO. If disabled, the

various policies defined in the User segment of the GPO are ignored when the system applies policy on the system. This does not affect the policies in the Computer segment of the GPO.

Container. The name of the Container (OU) objects to which the GPO is linked.

Type. The type of the Container object. This can be a Domain, ‘OU’ (Organizational Unit) or Site.

No Override. Indicates whether the policies defined in the GPO can be overridden by conflicting policies linked to

other Container at lower levels in the Active Directory tree. If ‘Yes’, policies defined in this GPO cannot be overridden by GPOs linked at lower levels.

Link Disabled. Indicates the status of the GPO-link to the specified Container. If ‘Yes’, the GPO is not applied to

that Container. This does not affect links that the GPO may have to other Container objects.

Block Inheritance. Indicates whether policies from higher-level Container are inherited by this Container. If ‘Yes’,

policies flowing down from higher-level Container objects are not inherited. If ‘No Override’ and ‘Block Inheritance’ options conflict with each other (i.e. they are both set) the ‘No Override’ option will always take precedence.





Policies Reported On

The following policy definitions are listed for each GPO on your system:

GPO Permissions. Lists the permissions that user accounts and groups have over the GPO. The GPO will not

be applied to the account (or members of the group) if it does not have ‘Read’ or ‘Extended Rights’ (Apply Group Policy) access to the GPO.

Rights Policies. Lists the various Rights defined in the GPO. An empty space in the Account Name column

indicates that the Right is defined, but is not assigned to anyone. Rights not listed under ‘Rights Defined’ are not defined in the GPO. Rights policies can only be defined in the Computer Configuration part of the GPO.

Event Audit. Lists the various Event Audit settings defined in the GPO. Several events such as when users are

logged on, when they access resources, or when they attempt to use special privileges can be configured for the GPO audit. Audited events can only be defined in the Computer Configuration part of the GPO.

Event Logging. This lists the control settings such as size and retention method for the Application, Security and

System event logs. Event logging can only be defined in the Computer Configuration part of the GPO.

System Access. Lists the security control settings for the password and lockout policy in Windows 200x*

domains. System access can only be defined in the Computer Configuration part of the GPO.

Kerberos Policy. Lists the Kerberos settings defined in the GPO. Kerberos policy can only be defined in the

Computer Configuration part of the GPO.

Registry Keys. Lists the various Registry keys used to configure security settings for the GPO, including access control, audit, and ownership. Registry keys can only be defined in the Computer Configuration part of

the GPO.





5.2 Summary of GPOs defined on the system There are a total of 6 GPOs defined on your system:

0% (0) exist on disk, but are not linked to any container

50% (3) do not exist on disk

0% (0) have the Computer Configuration Disabled

0% (0) have the User Configuration Disabled

50% (3) are not linked to a container

Policy GUID Display Name GPO Exists on Disk

Computer Config Disabled

User Config Disabled

Nbr Links

{31B2F340-016D-11D2-945F-00C04FB984F9}

Default Domain Policy No No No 0

{4AFDCFC6-BAED-4E1D-A3F8-6D5DC846945A}

Regional Settings workstations No No No 0

{5471F07B-E3BF-47E6-A2DF-40E55805852D}

New Group Policy Object No No No 0

{6AC1786C-016F-11D2-945F-00C04fB984F9}

Default Domain Controllers Policy Yes No No 1

{F754BFE4-52E2-45B3-9034-36D5C65E8700}

Snake GPO test Yes No No 1

{F9BA3B20-1DDA-41D1-B91A-77D94D6EAB7F}

Regional and Language Yes No No 1

For details of all GPO properties see worksheet GPOs_Summary in the MS-Excel workbook.

sample-report-appendix-active-directory.xlsx#GPOs_Summary





5.3 Summary of GPOs and their Links to OUs

Policy GUID Object Object Type

No O/Ride

Link Disabled

Block Inh at OU Level

GPO Exists on Disk



{6AC1786C-016F-11D2-945F-00C04fB984F9}

Domain Controllers OU No No No Yes No No

{F754BFE4-52E2-45B3-9034-36D5C65E8700}

TEST GPO PC OU No No No Yes No No

{F9BA3B20-1DDA-41D1-B91A-77D94D6EAB7F}

TEST GPO PC OU Yes No No Yes No No





5.4 Summary of OUs and their Links to GPOs Note: GPOs are listed in order of precedence.

Object Object Type

Policy GUID No O/Ride

Link Disabled

Block Inh at OU Level

GPO Exists on Disk



Domain Controllers OU {6AC1786C-016F-11D2-945F-00C04fB984F9}

No No No Yes No No

TEST GPO PC OU {F9BA3B20-1DDA-41D1-B91A-77D94D6EAB7F}

Yes No No Yes No No

OU {F754BFE4-52E2-45B3-9034-36D5C65E8700}

No No No Yes No No





5.5 GPOs Defined and their Details

System/ Policies/ {31B2F340-016D-11D2-945F-00C04FB984F9}

GPO Display Name: Default Domain Policy

GPO Exists on Disk: No

Computer Configuration Disabled: No

User Configuration Disabled: No

GPO Links:

** No data found **

GPO Permissions:

Account Name Type Permission Allow/Deny

Authenticated Users well-known All Extended Rights Allow

Authenticated Users well-known Read All Properties Allow

CREATOR OWNER well-known Read All Properties Allow

Domain Admins group Read All Properties Allow


Domain Users group All Extended Rights Allow

Domain Users group Read All Properties Allow

Enterprise Admins group Read All Properties Allow

ENTERPRISE DOMAIN CONTROLLERS well-known Read All Properties Allow

SYSTEM well-known Read All Properties Allow

User4 user All Extended Rights Allow

User4 user Read All Properties Allow

Rights Policies:

** No data found **

Event Audit:

** No data found **

Event Logging:

** No data found **

System Access:

** No data found **

Kerberos Policy:

** No data found **





Registry Keys:

** No data found **





System/ Policies/ {4AFDCFC6-BAED-4E1D-A3F8-6D5DC846945A}

GPO Display Name: Regional Settings workstations




GPO Links:

** No data found **

GPO Permissions:







Domain Users group All Extended Rights Allow

Domain Users group Read All Properties Allow




User4 user All Extended Rights Allow

User4 user Read All Properties Allow

Users group All Extended Rights Allow

Users group Read All Properties Allow

Rights Policies:

** No data found **

Event Audit:

** No data found **

Event Logging:

** No data found **

System Access:

** No data found **

Kerberos Policy:

** No data found **





Registry Keys:

** No data found **





System/ Policies/ {5471F07B-E3BF-47E6-A2DF-40E55805852D}

GPO Display Name: New Group Policy Object




GPO Links:

** No data found **

GPO Permissions:










Rights Policies:

** No data found **

Event Audit:

** No data found **

Event Logging:

** No data found **

System Access:

** No data found **

Kerberos Policy:

** No data found **

Registry Keys:

** No data found **





System/ Policies/ {6AC1786C-016F-11D2-945F-00C04fB984F9}

GPO Display Name: Default Domain Controllers Policy

GPO Exists on Disk: Yes



GPO Links:

Object Type No O/Ride

Link Disabled

Block Inheritance at OU Level

Domain Controllers OU No No No

GPO Permissions:










Rights Policies:

Right Account Name Type

Access this computer from the network Administrators group

Authenticated Users well-known

Enterprise Domain Controllers well-known

Everyone well-known

Pre-Windows 2000 Compatible Access group

Act as part of the operating system

Add workstations to domain Authenticated Users well-known

Adjust memory quotas for a process *S-1-5-80-1144924461-1383973570-550994615-1093434689-3433800466

unknown

*S-1-5-80-4003569689-492506040-2645153450-1162762568-2405087996

unknown

Administrators group

Local Service well-known

Network Service well-known

Allow log on locally Account Operators group


Backup Operators group

Print Operators group






Server Operators group

Backup files and directories Administrators group



Bypass traverse checking *S-1-5-80-1144924461-1383973570-550994615-1093434689-3433800466

unknown

*S-1-5-80-4003569689-492506040-2645153450-1162762568-2405087996

unknown


Authenticated Users well-known

Everyone well-known

Pre-Windows 2000 Compatible Access group

Change the system time Administrators group



Create a page file Administrators group

Create a token object

Create permanent shared objects

Debug programs Administrators group

Deny access to this computer from the network SUPPORT_388945a0 user

Deny log on as a batch job

Deny log on as a service

Deny log on locally SophosSAUPUFFADDER0 user

SUPPORT_388945a0 user

Enable accounts to be trusted for delegation Administrators group

Force shutdown from a remote system Administrators group


Generate security audits Local Service well-known


Increase scheduling priority Administrators group

Load and unload device drivers Administrators group


Lock pages in memory

Log on as a batch job Local Service well-known


Log on as a service *S-1-5-80-1144924461-1383973570-550994615-1093434689-3433800466

unknown

*S-1-5-80-4003569689-492506040-2645153450-1162762568-2405087996

unknown


SophosSAUPUFFADDER0 user

SQLServer2005SQLBrowserUser$PUFFADDER group

SYSTEM well-known

Manage auditing and security log Administrators group

Modify firmware environment values Administrators group






Profile single process Administrators group

Profile system performance Administrators group

Remove computer from docking station Administrators group

Replace a process-level token *S-1-5-80-1144924461-1383973570-550994615-1093434689-3433800466

unknown

*S-1-5-80-4003569689-492506040-2645153450-1162762568-2405087996

unknown



Restore files and directories Administrators group



Shut down the system Administrators group




Synchronize directory service data

Take ownership of files or other objects Administrators group

Event Audit:

Policy Name Policy Value

Audit Account Logon Events Success

Audit Account Management Success

Audit Directory Service Access Success

Audit Logon Events Success

Audit Object Access No Auditing

Audit Policy Change Success

Audit Privilege Use No Auditing

Audit Process Tracking No Auditing

Audit System Events Success

Event Logging:

** No data found **

System Access:

** No data found **

Kerberos Policy:

** No data found **

Registry Keys:

Registry Key Registry Value

HKLM\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel 2





Registry Key Registry Value

HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature 1

HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature 1

HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal 1

HKLM\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity 1





System/ Policies/ {F754BFE4-52E2-45B3-9034-36D5C65E8700}

GPO Display Name: Snake GPO test




GPO Links:


Link Disabled


TEST GPO PC OU No No No

GPO Permissions:










Rights Policies:

** No data found **

Event Audit:

** No data found **

Event Logging:

** No data found **

System Access:

** No data found **

Kerberos Policy:

** No data found **

Registry Keys:

** No data found **





System/ Policies/ {F9BA3B20-1DDA-41D1-B91A-77D94D6EAB7F}

GPO Display Name: Regional and Language




GPO Links:


Link Disabled


TEST GPO PC OU Yes No No

GPO Permissions:










Rights Policies:

** No data found **

Event Audit:

** No data found **

Event Logging:

** No data found **

System Access:

** No data found **

Kerberos Policy:

** No data found **

Registry Keys:

** No data found **





5.6 GPO Version Discrepancies

Section Summary

SekChek found 0 discrepancies between the versions of GPOs in AD and SYSVOL.

Section Detail

** No data found **

Implications

The versions of Group Policy Objects (GPOs) defined in Active Directory and in SYSVOL should normally be identical.

If the GPO versions differ it may indicate a replication problem. This will cause unintended differences between the policies that are defined and those that are actually applied on the system.

Risk Rating

Low to high (dependent on the nature of the GPO).

Recommended Action

Ensure you understand the reason for any discrepancies between the versions of GPO objects.

Where appropriate, ensure you take the necessary action to address the cause of the problem.





6. Password Setting Objects (PSOs)

Section Summary

There is one PSO defined on your system:

0% (0) are not linked to any user or group objects.

Section Detail

PSO: Snake PSO test

Property Value

PSO Precedence 1

PSO Description Test PSO 1

PSO DisplayName Test PSO 1

Lockout Duration (never) (D:HH:MM:SS)

Lockout Observation Window 1:00:00:00 (D:HH:MM:SS)

Lockout Threshold 5

Maximum Password Age 35:00:00:00 (D:HH:MM:SS)

Minimum Password Age (none) (D:HH:MM:SS)

Minimum Password Length 10

Password Complexity Enabled Y

Password History Length 12

Reversible Password Encryption N

When Changed (not replicated) 25-Jan-2013 13:34:00

When Created 25-Jan-2013 13:34:00

PSO Applies To... CN=TestGroup3, CN=Users, DC=Snake, DC=com (Object Type= Group, Members= 0)

CN=Cloud 2, OU=Amazon, DC=Snake, DC=com (Object Type= Group, Members= 1)

Notes

Password Setting Objects (PSOs) were introduced in Microsoft Windows Server 2008, and only apply to domains where the domain functional level is set to Windows Server 2008 or higher.

PSOs can only be applied to User / inetOrgPerson objects and global security groups.

PSO Precedence: Establishes the PSO’s precedence in situations where a user is a member of multiple groups with different password policies.

Account Policies (Lockout Duration etc): Refer Domain Accounts Policy for a definition of each policy setting.

PSO Applies To: The users and groups to which the Account Policies in the PSO are applied.

Implications

PSOs allow you to define multiple Account Policies per Active Directory domain, which was not permitted prior to Windows 2008. The main benefit of PSOs is that they allow you to control Account Policies at a more granular level by applying different Account Policies to selected users and groups.

Note that the Account Policies defined in a PSO will always override the settings defined in the Domain Accounts Policy for the users and groups to which the PSO is linked.

For more information, see SekChek’s white paper MS-Windows Password Settings Objects (PSOs) at: www.sekchek.com/White-Papers.htm.

http://www.sekchek.com/White-Papers.htm





Risk Rating

Medium to high depending on the policies in effect over groups and users.

Recommended Action

If PSOs are employed, you should ensure that the Account Policies defined in the PSOs are set to appropriate values.





7. Customer-Selected Registry Key Values

Section Summary

The following subsection lists the 2 registry keys that were selected during the extract.

Section Detail

Registry Key Key Value

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Adobe\Acrobat Reader\9.0\Installer - ServiceControl 601

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos - EEServer v2

Implications

The correct settings of certain registry keys will enhance security, auditing and management on the system.

For example, having appropriate values for “remote access” will decrease the risk of intruders gaining illegal access to the system.

For many registry keys a value of ‘0’ means that the feature is not enabled and a value of ‘1’ or greater means enabled.

Risk Rating

Low to high. (Dependant on the registry setting being considered).

Recommended Action

Ensure that registry values are set to appropriate values where applicable.





8. User Accounts Defined In The Domain

Section Summary

There are 16 user accounts defined in your domain:

12.5% (2) of user accounts have Administrator privileges

6.3% (1) of user accounts have Guest privileges

81.3% (13) of user accounts have User privileges

0.0% (0) of user accounts are protected against accidental deletion

Section Detail

Common Name Path Privilege Member of Group

Type/ Scope

Administrator Users Administrator Administrators SLB

Domain Admins SG

Domain Users SG

Enterprise Admins SU

Group Policy Creator Owners SG

Schema Admins SU

Sophos Console Administrators

SL

Sophos DB Admins SL

Sophos Full Administrators SL

SophosAdministrator SL

Bradley test TEST GPO PC User Domain Users SG

GpLink Test Users Administrator Administrators SLB

Domain Users SG


SL

Sophos DB Admins SL



Guest Users Guest Domain Guests SG

Guests SLB

krbtgt Users User Denied RODC Password Replication Group

SL

Domain Users SG

SekTest User4 Users User Domain Users SG

Utilisateurs EPM Sharepoint SG





SL

Sophos DB Admins SL









Common Name Path Privilege Member of Group

Type/ Scope




SophosSAUPUFFADDER0 Users User Domain Users SG

SophosUpdateMgr Users User Domain Users SG

Sun user Amazon User Domain Users SG

Nature SG

SUPPORT_388945a0 Users User Domain Users SG

HelpServicesGroup SL

Virtual1 Cloud Amazon User Cloud 1 SG

Domain Users SG

Virtual2 Cloud Amazon User Cloud 2 SG

Domain Users SG

For details of all user properties see worksheet _All_User_Accounts in the MS-Excel workbook. For definitions of the properties please see Glossary of Terms. For details of internal system accounts see worksheet System_Accounts in the MS-Excel workbook.

Note. The above is a list of user accounts, which have been defined in the domain. It does not include user accounts

from other domains or servers that are members of this domain’s groups. For those other accounts, consult the report sections: Domain Local Groups and their Members, Domain Global Groups and their Members and Domain Universal Groups and their Members. Account Name: This name is unique in the domain.

Common Name: This name is unique inside the container or organizational unit but can be duplicated in a different

container for another user with a different Account Name (above). This is the name under which the user is listed in the Active Directory MMC Console under the container it belongs to.

Path: Container or Organizational Unit the user belongs to. The higher-level containers or organizational units are written first in the path, followed by the lower level containers or organizational units. See General Note in the System

Details section for a general explanation on paths.

Group Type / Scope:

SG – Security Global SL – Security Local SLB – Security Local - Builtin SU – Security Universal

Note. The list only shows memberships of Security groups. I.e. memberships of Distribution groups are excluded from the list.

For a more detailed description of group types refer to report section Groups Defined in the Domain .

Implications

Varying levels of control (rights) over the domain, domain containers and domain organizational units can be delegated to users and/or groups of the domain or other domains.

If users belong to groups with permissions and rights greater than they need, they will have access to resources and system functions not in line with their job functions.

The Administrator privilege is the most powerful privilege in the domain and can perform all actions on the domain. Users with Administrator privilege have full control over the domain resources.

Members of groups such as Print Operators, Account Operators, Server Operators and Backup Operators also acquire special privileges. Consult the report section titled: Domain Local Groups and their Members, for a more detailed analysis.

sample-report-appendix-active-directory.xlsx#_All_User_Accounts

http://www.sekchek.com/sekchek-ad-glossary-all-user-accounts.htm

sample-report-appendix-active-directory.xlsx#System_Accounts





Risk Rating

Medium to high (dependent on users’ job functions and the number of accounts with special privileges).

Recommended Action

Ensure that user accounts are defined in containers or organizational units where the controls over them are appropriate.

Users’ rights and group memberships should be checked to ensure they are not granted unnecessary privileges or rights.

Most users should be assigned to the built-in global group Domain Users and the built-in local group Users.

The number of accounts with Administrator privilege should be kept to a minimum. These accounts should only be used for administrative functions. Users with administrative privileges should use a separate account for normal day-to-day use.

You should consider renaming the built-in Administrator account to a less obvious name to lessen the possibility of hackers guessing the password, as they would have to guess the account name also. This account can never be locked out due to failed logon attempts. The account cannot be disabled or deleted.

You should consider renaming the built-in Guest account to a less obvious name. Hackers trying to obtain illegal access often target this account.





9. Groups Defined In the Domain

Section Summary

All Group Types

There are a total of 57 group accounts defined on your domain:

64.9% (37) of groups are Local Groups

29.8% (17) of groups are Global Groups

5.3% (3) of groups are Universal Groups

0.0% (0) of groups are Application Basic Groups

0.0% (0) of groups are Application Query Groups

0.0% (0) of groups are protected against accidental deletion Security Groups Only

There are 57 security groups defined on your domain:

64.9% (37) of these are Local security Groups

29.8% (17) of these are Global security Groups

5.3% (3) of these are Universal security Groups

Section Detail

Common Name Path Type/ Scope

Account Operators Builtin SLB

Administrators Builtin SLB

Allowed RODC Password Replication Group Users SL

Backup Operators Builtin SLB

Cert Publishers Users SL

Certificate Service DCOM Access Builtin SLB

Cloud 1 Amazon SG

Cloud 2 Amazon SG

Cryptographic Operators Builtin SLB

Denied RODC Password Replication Group Users SL

Distributed COM Users Builtin SLB

DnsAdmins Users SL

DnsUpdateProxy Users SG

Domain Admins Users SG

Domain Computers Users SG

Domain Controllers Users SG

Domain Guests Users SG

Domain Users Users SG

Enterprise Admins Users SU

Enterprise Read-only Domain Controllers Users SU

Event Log Readers Builtin SLB

Group Policy Creator Owners Users SG

Guests Builtin SLB

HelpServicesGroup Users SL

IIS_IUSRS Builtin SLB

Incoming Forest Trust Builders Builtin SLB

Nature Amazon SG

Network Configuration Operators Builtin SLB





Common Name Path Type/ Scope

Performance Log Users Builtin SLB

Performance Monitor Users Builtin SLB

Pre-Windows 2000 Compatible Access Builtin SLB

Print Operators Builtin SLB

RAS and IAS Servers Users SL

Read-only Domain Controllers Users SG

Remote Desktop Users Builtin SLB

Replicator Builtin SLB

Schema Admins Users SU

Server Operators Builtin SLB

Sophos Console Administrators Users SL

Sophos DB Admins Users SL

Sophos Full Administrators Users SL

SophosAdministrator Users SL

SophosDomainAdministrator Users SG

SophosDomainPowerUser Users SG

SophosDomainUser Users SG

SophosOnAccess Users SL

SophosPowerUser Users SL

SophosUser Users SL

SQLServer2005SQLBrowserUser$PUFFADDER

Users SL

SQLServerMSSQLServerADHelperUser$PUFFADDER

Users SL

TelnetClients Users SL

Terminal Server License Servers Builtin SLB

TestGroup3 Users SG

TestGroup4 Users SG

Users Builtin SLB

Utilisateurs EPM Sharepoint Users SG

Windows Authorization Access Group Builtin SLB

For details of all properties see worksheet Group_Accounts in the MS-Excel workbook. For definitions of the properties please see Glossary of Terms.

NOTE: The above is a list of groups, which have been defined in the domain. It does not include groups, from other

domains or servers that are members of this domain’s groups. Account Name: This name is unique in the domain.

Common Name: This name is unique inside the container or organizational unit but can be duplicated in a different

container for another group with a different Account Name (above). This is the name under which the group is listed in the Active Directory MMC Console under the container it belongs to.

Path: Container or Organizational Unit the group belongs to. The higher-level containers or organizational units are written first in the path, followed by the lower level containers or organizational units. See General Note in the System


sample-report-appendix-active-directory.xlsx#Group_Accounts

http://www.sekchek.com/sekchek-ad-glossary-group-accounts.htm





Group Type/Scope:

AB Application Basic AQ Application Query DG Distribution Global DL Distribution Local DU Distribution Universal SG Security Global SL Security Local SLB Security Local - Builtin SU Security Universal

There are 3 types of groups in Windows 200x* domains:

Security groups

Distribution groups

Application groups Security groups can define permissions on resources and objects. When assigning permissions for resources (file shares, printers, and so on), administrators should assign those permissions to a security group rather than to the individual users. The permissions are assigned once to the group, instead of several times to each individual user. This helps simplify the maintenance and administration of a network.

Distribution groups are not security-enabled. Distribution groups can be used, for example, with e-mail applications (such as Exchange), to send e-mail to collections of users.

Application groups are not security enabled and include basic application groups and LDAP query groups. Application groups are specific to Authorization Manager role-based administration. An application group is a group of users, computers, or other security principals. An application group is not a group of applications.

Membership of an Application Query group is dynamically calculated from LDAP queries.

Each security and distribution group has a scope that identifies the extent to which the group is applied in the domain tree or forest. There are three different group scopes: universal, global, and local.

Built-in Local Security groups are defined by the Windows 200x* security system. They cannot be moved or deleted from their original container (Builtin). Those groups cannot be members of other groups.

For membership of groups and more details on group scope, consult the report sections: Domain Local Groups and their Members, Domain Global Groups and their Members and Domain Universal Groups and their Members.

Implications

Varying levels of control (rights) over the domain; domain containers and domain organizational units can be delegated to groups of the domain or other domains.

Risk Rating

Medium to high (dependent on groups’ functions and what controls are granted over the groups).

Recommended Action

Ensure that groups are defined in containers or organizational units where the controls over them are appropriate.





10. Domain Local Groups and their Members

Section Summary

There are a total of 37 Local Security groups, containing the following 47 members, defined on your domain:

59.5% (22) of these groups are empty / have no members

2.1% (1) of the members are defined in other domains

Section Detail

Group Name Member Member Domain

Mbr Class

Account Operators

Administrators Administrator user

Domain Admins group

Enterprise Admins group

GpLinkTest user

Allowed RODC Password Replication Group

Backup Operators

Cert Publishers

Certificate Service DCOM Access

Cryptographic Operators

Denied RODC Password Replication Group

Cert Publishers group

Domain Admins group

Domain Controllers group


Group Policy Creator Owners group

krbtgt user

Read-only Domain Controllers group

Schema Admins group

Distributed COM Users

DnsAdmins

Event Log Readers

Guests Domain Guests group

Guest user

HelpServicesGroup SUPPORT_388945a0 user

IIS_IUSRS IUSR Unknown Domain (NT AUTHORITY)

unknown

Incoming Forest Trust Builders

Network Configuration Operators

Performance Log Users

Performance Monitor Users

Pre-Windows 2000 Compatible Access Authenticated Users well-known

Print Operators

RAS and IAS Servers






Mbr Class

Remote Desktop Users Cloud 1 group

Cloud 2 group

Replicator

Server Operators

Sophos Console Administrators Administrator user

Domain Admins group


GpLinkTest user

User6 user

Sophos DB Admins Administrator user

Domain Admins group


GpLinkTest user

User6 user

Sophos Full Administrators Administrator user

Domain Admins group


GpLinkTest user

User6 user

SophosAdministrator Administrator user

Domain Admins group


GpLinkTest user

SophosDomainAdministrator group

User6 user

SophosOnAccess

SophosPowerUser SophosDomainPowerUser group

SophosUser Domain Users group

SophosDomainUser group


SQLServerMSSQLServerADHelperUser$PUFFADDER

TelnetClients

Terminal Server License Servers

Users Authenticated Users well-known

Domain Users group

Interactive well-known

Windows Authorization Access Group Enterprise Domain Controllers well-known





Notes

Members of Local Distribution groups are not listed here, as there is no security implication on these groups.

Group Account Name or Member Account Name: This name is unique in the domain.

Member Domain: The name of a trusted domain, if the group member is an external account. If the member belongs to the domain analysed, this field will be empty.

Member Class: When = Unknown, it means that the account or group is a member of the local group but that the

server/domain where the account or group is registered could not be reached to obtain the account information. The local groups showing these accounts as members should be checked to establish the origin and details of these accounts.

When a server/domain cannot be reached for account information, the server/domain is either not available through the network or the server/domain no longer exists in the domain.

Domain Local Groups

Groups with domain local scope can have as their members groups and accounts from Windows 200x* or Windows NT domains and can be used to grant permissions only within a domain. Groups with a domain local scope are referred to as Local Groups.

In native-mode Windows 200x* domains, Local Groups can have accounts, global groups, and universal groups from any domain, as well as local groups from the same domain, as members.

In mixed-mode Windows 200x* domains, Local Groups can have accounts and global groups from any domain as members but cannot have local groups as members.

Groups with domain local scope are typically used to define and manage access to resources within a single domain.

Built-in Local Groups are installed in the domain. These groups are security groups and represent common sets of rights and permissions that can be used to grant certain roles, rights, and permissions to the accounts and groups that are placed into these default groups. Default groups with domain local scope are located in the ‘Builtin’ container.

The default (built-in) Local Groups are:

Account Operators

Administrators

Backup Operators

Guests

Pre-Windows 2000 Compatible Access

Print Operators

Replicator

Server Operators

Users

These built-in groups have domain local scope and are primarily used to assign default sets of permissions to users who may have some administrative control in that domain. For example, the Administrators group in a domain has a broad set of administrative authority over all accounts and resources in the domain.

The following shows the default rights held by some of these groups.

Administrators: Members of the Administrators group have full control over the computer. It is the only built-in group

that is automatically granted every built-in right and ability in the system.

Backup Operators: Members of the Backup Operators group can back up and restore files on the computer, regardless of any permissions that protect those files. They can also log onto the computer and shut it down, but they cannot change security settings.

Replicator: The Replicator group supports directory replication functions. The only member of the Replicator group

should be a domain user account used to log on the Replicator services of the domain controller. Do not add the user accounts of actual users to this group.

Implications

If users or groups belong to Local Groups with permissions and rights greater than they need, they will have access to unnecessary resources and functions via the permissions and rights associated with the Local Groups.

The built-in Local Group, which has normal default user rights and permissions, is the Users group. Another built-in Local Group with limited default privileges is Guests.

Built-in Local Groups cannot be deleted.





New Local Groups can be created and powerful rights (e.g. Take Ownership of Files and other Objects) can be assigned to them.

Risk Rating

Medium to high (dependent on users’ job functions and groups’ roles).

Recommended Action

Privileges and rights acquired by users and groups via their membership of Local Groups should be checked to ensure they are consistent with the users’ job functions and groups’ roles.

Most users or groups should be assigned to the Users Local Group.

Users or groups assigned to privileged Local Groups should be kept to a minimum and their membership fully justified. As a rule, only individual users and not groups, should be added to privileged Local Groups as this affords better control.

Those accounts or groups from other domains, which are members of privileged Local Groups, should be carefully checked and fully justified.

If it can be avoided, users and groups from other domains should not be members of privileged Local Groups.





11. Domain Global Groups and their Members

Section Summary

There are a total of 17 Global Security groups, containing the following 30 members, defined on your domain:


Section Detail

Group Name Member Member Class

Cloud 1 Virtual1 user

Cloud 2 Virtual2 user

DnsUpdateProxy

Domain Admins Administrator user

Domain Computers BEOWOLF Computer

REDWOLF Computer

Domain Controllers BOOMSLANG Computer

PUFFADDER Computer

Domain Guests Guest user

Domain Users Administrator user

bradley user

GpLinkTest user

krbtgt user

SophosSAUPUFFADDER0 user

SophosUpdateMgr user

Sun user


User4 user

User5 user

User6 user

User7 user

User9 user

Virtual1 user

Virtual2 user

Group Policy Creator Owners Administrator user

Nature Sun user

Read-only Domain Controllers

SophosDomainAdministrator

SophosDomainPowerUser

SophosDomainUser

TestGroup3

TestGroup4

Utilisateurs EPM Sharepoint User4 user

User5 user

User6 user

User7 user

User9 user





Notes


Global Group

Groups with global scope can have as their members groups and accounts only from the domain in which the group is defined and can be granted permissions in any domain in a domain tree or forest. Groups with a global scope are referred to as Global Groups.

In native-mode Windows 200x* domains, Global Groups can have, as their members, accounts from the same domain and global groups from the same domain.

In mixed-mode Windows 200x* domains, Global Groups can have, as their members, accounts from the same domain but cannot have groups as members.

Default predefined groups with global scope are normally located in the Users container.

The predefined Global Groups placed in the Users container are:

Cert Publishers

Domain Admins

Domain Computers

Domain Controllers

Domain Guests

Domain Users

Enterprise Admins

Group Policy Admins

Schema Admins

These groups with global scope can be used to collect the various types of user accounts in the domain (regular users, administrators, and guests) into groups. These groups can then be placed in Local Groups.

By default, any user account created in a domain is automatically added to the Domain Users group and any computer account created is automatically added to the Domain Computers group.

The Domain Users and Domain Computers groups can be used to represent all the accounts created in the domain.

For example, if all the users in this domain need to have access to a printer, permissions for the printer can be assigned to the Domain Users group (or the Domain Users group can be placed into a local group that has permissions for the printer).

Groups with global scope are normally used to manage directory objects that require daily maintenance, such as user and computer accounts. Because groups with global scope are not replicated outside their own domain, accounts in a group having global scope can be changed frequently without generating replication traffic to the global catalog.

Global groups cannot be created or maintained on Windows NT/200x* Workstations or Windows NT/200x* Servers, which are not Domain Controllers. However, for Windows NT/200x* Workstations or NT/200x* Server computers that participate in a domain, domain global groups can be granted rights and permissions at those workstations or servers, and can be members of local groups at those workstations or servers.

Implications

If users are assigned to global groups with permissions and rights greater than they need, they will have access to unnecessary system resources and functions via the permissions and rights associated with the global groups.

Global groups can be members of local groups in the domain and other domains or members of other global groups in the domain, thus acquiring their rights and granting those rights to users belonging to the global groups.

New global groups can be created and powerful rights (e.g. Take Ownership of Files and other Objects) assigned to them.

Risk Rating

Medium to high (dependent on users’ job functions and groups’ functions).





Recommended Action

Privileges and rights assigned to global groups and their membership of other groups should be checked to ensure that they are justified.

Most users should only be assigned to the Domain Users global group.

Users assigned to privileged global groups (such as Domain Admins) should be kept to a minimum and their membership fully justified.





12. Domain Universal Groups and their Members

Section Summary

There are a total of 3 Universal Security groups, containing the following 2 members, defined in your domain:


0.0% (0) of these members are defined in other domains

Section Detail


Mbr Class

Enterprise Admins Administrator user

Enterprise Read-only Domain Controllers

Schema Admins Administrator user

Notes


Member Domain: The name of a trusted domain, if the group member is an external account. If the member belongs to the domain analyzed, this field will be empty.

Member Class: When = Unknown, it means that the account or group is a member of the universal group but that the server/domain where the account or group is registered could not be reached to obtain the account information. The universal groups showing these accounts as members should be checked to establish the origin and details of these accounts.

When a server/domain cannot be reached for account information, the server/domain is either not available through the network or the server/domain no longer exists in the domain.

Universal Groups

Groups with universal scope can have as members groups and accounts from any Windows 200x* domain in the domain tree or forest and can be granted permissions in any domain in the domain tree or forest. Groups with a universal scope are referred to as Universal Groups.

In native-mode Windows 200x* domains, Universal Groups can have, as their members, accounts from any domain, global groups from any domain and universal groups from any domain.

In mixed-mode Windows 200x* domains, groups with universal scope cannot be created.

Groups with universal scope can be used to consolidate groups that span domains. For example, global groups from different domains can be nested in universal groups. Using this strategy, any membership changes in the groups having global scope do not affect the group with universal scope.

Implications

If users or groups are assigned to universal groups with permissions and rights greater than they need, they will have access to unnecessary resources and functions via the permissions and rights associated with the universal groups.

Risk Rating

Medium to high (dependent on users’ job functions and groups’ functions).

Recommended Action

Privileges and rights assigned to universal groups and their membership of other groups should be checked to ensure that they are justified.





13. Last Logons, 30 Days and Older

Section Summary

All Accounts

50.0% (8) of the user accounts on your domain have not logged-on in the last 30 days:

43.8% (7) have not logged-on in the last 60 days




37.5% (6) have not logged-on in the last 2 years

37.5% (6) have never been used, or their last logon date is unknown Excluding Disabled Accounts

25.0% (4) of the user accounts on your domain have not logged-on in the last 30 days:






18.8% (3) have never been used, or their last logon date is unknown All Administrator Accounts

0.0% (0) of the administrator accounts on your domain have not logged-on in the last 30 days:






0.0% (0) have never been used, or their last logon date is unknown Administrator Accounts (Excluding Disabled Accounts)

0.0% (0) of the administrator accounts on your domain have not logged-on in the last 30 days:






0.0% (0) have never been used, or their last logon date is unknown Domain Controllers (DCs) Scanned

SekChek scanned 2 out of 2 DCs for users' last logon times. See Domain Controllers in the Domain for more information. The last logon for the builtin Administrator account was 0 days ago. Industry Average Comparison (> 30 days)

Note: This is an exception report, so only lists accounts that have not logged on in the last 30 days. I.e. if an account logged in 29 days ago (or more recently) it will not be listed in the report section.

Section Detail

Last Logon Account Name Path State Privilege

Guest Users D Guest

krbtgt Users D User





Last Logon Account Name Path State Privilege

SophosSAUPUFFADDER0 Users User

SophosUpdateMgr Users User

Sun Amazon User

SUPPORT_388945a0 Users D User

02-Aug-2013 User6 Users E User

24-Sep-2013 User4 Users User

Notes

Account Name: This name is unique in the domain.

Path: Container or Organizational Unit the user belongs to. The higher-level containers or organizational units are

written first in the path, followed by the lower level containers or organizational units. See General Note in the System Details section for a general explanation on paths.

Account State: Account is Disabled (D), Locked (L), Expired (E), or a combination of them. Eg. (DL) (DE).

Implications

Some of these user accounts may no longer be required. Inactive user accounts are a prime target for intruders. If their passwords are compromised, they can be used with little fear of detection.

Risk Rating

Low to Medium.

Recommended Action

The list of accounts should be reviewed and redundant ones should be deleted.

Accounts that will be required later (longer term), should be disabled until required.





14. Passwords, 30 Days and Older

Section Summary

All Accounts

50.0% (8) of the user accounts on your domain have not had their passwords changed in the last 30 days:

43.8% (7) have not had their passwords changed in the last 60 days




12.5% (2) have not had their passwords changed in the last 2 years Excluding Disabled Accounts

25.0% (4) of the user accounts on your domain have not had their passwords changed in the last 30 days:





6.3% (1) have not had their passwords changed in the last 2 years All Administrator Accounts

50.0% (1) of the administrator accounts on your domain have not had their passwords changed in the last 30 days:





50.0% (1) have not had their passwords changed in the last 2 years Administrator Accounts (Excluding Disabled Accounts)

50.0% (1) of the administrator accounts on your domain have not had their passwords changed in the last 30 days:





50.0% (1) have not had their passwords changed in the last 2 years The password for the builtin Administrator account was last changed 1556 days ago. Industry Average Comparison (> 30 days)

Note: This is an exception report, so only lists accounts whose passwords have not changed in the last 30 days. I.e. if an account's password was changed 29 days ago (or more recently) it will not be listed in the report section.

Section Detail

Password Age (days)

Account Name Path State Privilege

1556 Administrator Users Administrator

1556 SUPPORT_388945a0 Users D User

436 krbtgt Users D User

436 User5 Users User

337 User6 Users E User

292 User9 Users LE User





Password Age (days)


270 User7 Users User

51 User4 Users User

Notes


Path: Container or Organizational Unit the user belongs to. The higher-level containers or organizational units are written first in the path, followed by the lower level containers or organizational units. See General Note in the System Details section for a general explanation on paths.

Account State:

L Locked An account is automatically locked by the system once the number of invalid login attempts, as defined by the security policy, has been reached.

D Disabled A disabled account has been manually disabled by the administrator.

E Expired An account expires once the expiry date, which has been set by the administrator is reached.

DE Disabled & Expired An expired account which has also been manually disabled by the administrator.

DL Disabled & Locked A locked account which has also been manually disabled by the administrator.

Implications

This could indicate that these users are not required to change their passwords on a regular basis or that the accounts are inactive and redundant. A password that is not changed on a frequent basis increases the risk of it being compromised over time.

Risk Rating

Medium. If password controls are weak (e.g. Password Never Expires set in user accounts) the risk is high.

Recommended Action

The accounts should be reviewed and deleted if they are no longer required. Otherwise, their password change interval should be brought in line with installation standards.

The Leading Practice is to force users to change their passwords every 30 to 60 days.

Some service accounts, such as for SMS, normally do not have their passwords changed frequently. For those accounts, the account name and password should be such that they are very difficult to guess.





15. Passwords that Never Expire

Section Summary

All Accounts

87.5% (14) of users are never required to change their passwords due to security settings in individual user accounts. Excluding Disabled Accounts

62.5% (10) of users are never required to change their passwords due to security settings in individual user accounts. All Administrator Accounts

50.0% (1) of administrator accounts are never required to change their passwords due to security settings in individual user accounts. Administrator Accounts (Excluding Disabled Accounts)

50.0% (1) of administrator accounts are never required to change their passwords due to security settings in individual user accounts. Industry Average Comparison

Section Detail


Administrator Users Administrator

bradley TEST GPO PC User

Guest Users D Guest



Sun Amazon User


User4 Users User

User5 Users User

User6 Users E User

User7 Users User

User9 Users LE User

Virtual1 Amazon User


Notes








Implications

If users are not required to change their passwords on a frequent basis, their passwords are likely to become known to other employees and potential intruders. The user profile could then be used to gain unauthorised access to systems and data until the real user changes the password to a new one.

The password change interval is set in the Password Policies. However, the system default can be overridden via the Password Never Expires parameter at user account level.

Risk Rating

Medium to High.

Recommended Action

Password change intervals for these user accounts should be brought in-line with the installation standard.

The Leading Practice for a password change interval is between 30 and 60 days.

You should also check the Accounts Policy to confirm that the Maximum Password Change Interval is set to an acceptable value.






16. Accounts not Requiring a Password

Section Summary

All Accounts

6.3% (1) of users are allowed to logon with a zero length password due to security settings in individual user accounts. Excluding Disabled Accounts

0.0% (0) of users are allowed to logon with a zero length password due to security settings in individual user accounts. All Administrator Accounts

0.0% (0) of administrator accounts are allowed to logon with a zero length password due to security settings in individual user accounts. Administrator Accounts (Excluding Disabled Accounts)

0.0% (0) of administrator accounts are allowed to logon with a zero length password due to security settings in individual user accounts. Industry Average Comparison

Section Detail


Guest Users D Guest

Notes


Path: Container or Organizational Unit the user belongs to. The higher-level containers or organizational units are written first in the path, followed by the lower level containers or organizational units. See the General Note in the

System Details section for a general explanation of paths.


Implications

The setting that allows zero-length (null) passwords to be defined at user account level is one of the values that cannot be displayed via the standard Windows 'Active Directory Users and Computers' interface. It can only be displayed (or set) via a special programmatic interface.

An Administrator can set passwords for the listed accounts to null regardless of domain-level security settings. The accounts could then be used to login to the system without a password, despite the security policy settings defined at domain-level. However, the system will not allow users to change their own passwords to null provided that domain-level security settings prevent it. This can only be done by an Administrator via the 'Reset Password' function or via a programmatic interface.

Because SekChek for Windows does not analyse user passwords it is not possible to determine which of the listed accounts actually have null passwords assigned to them.

For more information, see SekChek’s white paper MS-Windows Accounts not Requiring a Password at: www.sekchek.com/White-Papers.htm.

Risk Rating

Low to High. (Dependant on the privileges assigned to the user account)

In general, allowing the use of null passwords is a very high security risk, because it will allow any person in possession of a valid account name to gain access to your system and information resources. However, there may be

http://www.sekchek.com/White-Papers.htm





some special situations where it is appropriate for null passwords to be assigned to some special accounts (e.g. anonymous access with minimal privileges).

Recommended Action

In general, you should ensure strong passwords are assigned to all user accounts defined on your system. The Leading Practice for a minimum password length is 7 characters.

You should also ensure that all accounts allowed null passwords are fully justified.





17. Invalid Logon Attempts Greater than 3

Section Summary

All Accounts

0.0% (0) of user accounts have invalid logon attempts greater than 3. Excluding Disabled Accounts

0.0% (0) of user accounts have invalid logon attempts greater than 3. All Administrator Accounts

0.0% (0) of administrator accounts have invalid logon attempts greater than 3. Administrator Accounts (Excluding Disabled Accounts)

0.0% (0) of administrator accounts have invalid logon attempts greater than 3. Industry Average Comparison

Section Detail

** No data found **

Notes





Implications

Invalid logon attempts indicate the number of unsuccessful attempts at signing on to your system with the listed accounts. The value is reset to ‘0’ after a successful sign-on to the system.

Consistently high values could indicate that an intruder is attempting to guess user passwords to gain access to your system.

The Lockout Threshold parameter in the Account Lockout Policies determines the number of failed logon attempts for user accounts before accounts are locked out.

Risk Rating

Low to Medium. (Dependent on the value assigned to the Lockout Threshold parameter in the Account Lockout Policies)

Recommended Action

You should ensure that the Lockout Threshold in the Accounts Policy is set to a reasonable value. A value of 3 is the Leading Practice.

Ideally, the Lockout Duration should be set to 0 (forever) in the Accounts Policy. This ensures that accounts are locked when the lockout threshold is exceeded and can only be unlocked by Administrators.





18. Users not Allowed to Change Passwords

Section Summary

All Accounts

56.3% (9) of the users defined to your system are not allowed to change their passwords. Excluding Disabled Accounts

37.5% (6) of the users defined to your system are not allowed to change their passwords. All Administrator Accounts

0.0% (0) of the administrator accounts defined to your system are not allowed to change their passwords. Administrator Accounts (Excluding Disabled Accounts)

0.0% (0) of the administrator accounts defined to your system are not allowed to change their passwords. Industry Average Comparison

Section Detail


Guest Users D Guest



Sun Amazon User


User7 Users User

User9 Users LE User



Implications

If users are not permitted to change their passwords on a frequent basis, their passwords are likely to become known to other employees and potential intruders. The user profile could then be used to gain unauthorised access to systems and data until the password is changed to a new one.

The password change interval is set in the Accounts Policy. However, individual accounts can have the User Cannot Change Password parameter set which overrides the policy standard.

A value of Yes in the Account Disabled column indicates that the account has been disabled by a security administrator, is locked due to excessive failed login attempts, or has expired. See Disabled Accounts for details.

Risk Rating

Medium to High.

Recommended Action

The User Cannot Change Password parameter in user accounts should only be set for those accounts where a common sign on is required (The “built in” Guest account is an example of a “common” account). The privileges and group membership of these accounts should be carefully monitored.






19. Accounts with Expiry Date

Section Summary

All Accounts

12.5% (2) of user accounts are set to expire on a certain date.

12.5% (2) of accounts have expired All Administrator Accounts

0.0% (0) of administrator accounts are set to expire on a certain date.

0.0% (0) of administrator accounts have expired

Section Detail:

Account Name Path Account Expires

Privilege

User6 Users 06-Oct-2011 User

User9 Users 01-Oct-2011 User

Notes




Implications

The Account Expires parameter allows you to ensure the account is automatically disabled on the assigned date. When an account expires, a user who is logged on remains logged on but cannot establish new network connections. After logging off, that user cannot log on again unless the expiration date is reset or cleared.

Risk Rating

Low to Medium.

Recommended Action

It is good practice to set an expiration date for temporary accounts or accounts assigned to contractors and part-time workers.

For added security and to help ensure that accounts are disabled when no longer used, you could consider setting expiration dates for all user accounts. Note however, that this will add to the administrative workload and may inconvenience genuine users when their accounts expire and need to be reset by an administrator.





20. Disabled Accounts

Section Summary

All Accounts

18.8% (3) of user accounts have been disabled. All Administrator Accounts

0.0% (0) of administrator accounts have been disabled. Industry Average Comparison

Section Detail

Account Name Path Last Logon Privilege

Guest Users Guest

krbtgt Users User

SUPPORT_388945a0 Users User

Notes



Implications

No security risks. A housekeeping issue only.

Accounts are disabled because they have reached the expiration date or have been disabled by the administrator.

Risk Rating

None.

Recommended Action

These accounts should be checked and deleted if no longer required.





21. Locked Out Accounts

Section Summary

All Accounts

6.3% (1) of user accounts are 'locked out'. All Administrator Accounts

0.0% (0) of administrator accounts are 'locked out'. Industry Average Comparison

Section Detail

Account Name Path Last Logon Privilege

User9 Users 07-Nov-2013 User

Notes


Path: Container or Organizational Unit the user belongs to. The higher-level containers or organizational units are written first in the path, followed by the lower level containers or organizational units. See General Note in the System


Implications

These accounts are locked due to an excessive number of failed logon attempts. This could be an indication that intruders are attempting to access your system.

Lockout Threshold in the accounts policy defines the number of failed logon attempts for user accounts before accounts are locked out.

Risk Rating

Medium to High.

Recommended Action

The reason these accounts have been “locked out” should be investigated and appropriate action taken.

You should ensure that the Lockout Threshold is set to a reasonable value. A value of 3 is the Leading Practice.

Ideally, the Lockout Duration should be set to 0 (forever) in the Accounts Policy. This ensures that accounts are locked when the lockout threshold is exceeded and can only be unlocked by Administrators.





22. Accounts Whose Passwords Must Change at Next Logon

Section Summary

All Accounts

6.3% (1) of user accounts must change their password at next logon. Excluding Disabled Accounts

0.0% (0) of user accounts must change their password at next logon. All Administrator Accounts

0.0% (0) of administrator accounts must change their password at next logon. Administrator Accounts (Excluding Disabled Accounts)

0.0% (0) of administrator accounts must change their password at next logon.

Section Detail


krbtgt Users D User

Notes




Implications

The list details those accounts that must change their password at next logon. This can be as a result of a new account or as a result of the account password having been reset by an administrator with the indicator User Must Change Password At Next Logon turned on.

If the chosen passwords are default passwords known to most persons, those accounts could be used by anybody to gain illegal access to the domain with the rights/privileges of the account.

Risk Rating

Low to Medium (depending on the password assigned by the administrator).

Recommended Action

It is good practice to set the User Must Change Password At Next Logon indicator for new user accounts or when administrators reset passwords. This will force the user to change the initial or new password allocated at the first or next logon.

The password chosen by the administrator should be unique and not a default password known to most persons.





23. Accounts Created in the Last 90 Days

Section Summary

All Accounts

68.8% (11) of user accounts were created in the last 360 days:

18.8% (3) were created in the last 30 days





31.3% (5) were created more than a year ago All Administrator Accounts

50.0% (1) of administrator accounts were created in the last 360 days:






50.0% (1) were created more than a year ago Group Accounts

19.3% (11) of group accounts were created in the last 360 days:






80.7% (46) were created more than a year ago Computer Accounts

25.0% (1) of computer accounts were created in the last 360 days:






75.0% (3) were created more than a year ago Note: This is an exception report, so it only lists accounts created in the last 90 days. For details of accounts created more than 90 days ago, see column 'Created' in worksheets _All_User_Accounts and Group_Accounts in the MS-Excel workbook.

Section Detail

Create Date Account Name Path Account Type

Privilege

07-Nov-2013 Cloud 1 Amazon Group -

07-Nov-2013 Cloud 2 Amazon Group -

07-Nov-2013 Nature Amazon Group -

07-Nov-2013 Sun Amazon User User

07-Nov-2013 Virtual1 Amazon User User

07-Nov-2013 Virtual2 Amazon User User

29-Aug-2013 User5 Users User User



SekChek_Win2000_Report%20TESTBED-PUFFADDER%2025012012.xlsx#_All_User_Accounts

SekChek_Win2000_Report%20TESTBED-PUFFADDER%2025012012.xlsx#Group_Accounts





Create Date Account Name Path Account Type

Privilege


Notes


Path: Container or Organizational Unit the account belongs to. The higher-level containers or organizational units are written first in the path, followed by the lower level containers or organizational units. See General Note in the System Details section for a general explanation on paths.

Account Type: User or Group.

Implications

The authorisation of new accounts, as well as changes to existing accounts, are key management controls that underpin the security of system and information resources.

If accounts are defined without management’s knowledge or authorisation, they could be used to gain illegal access to your domain and system resources with little fear of detection.

Risk Rating

High (if accounts are defined without appropriate management authorisation).

Recommended Action

You should ensure management authorisation was formally provided prior to defining new accounts. Supporting documentation should minimally include: a reason for creating the account; the security groups the account should belong to; and the system resources required by the account owner.

Before management gives an employee access to a user account they should ensure the employee is made aware of the organisation’s security policies and the employee’s responsibilities for system security.

Independent audits of new accounts should be conducted on a regular basis to ensure management controls are appropriate and are being applied in a consistent and effective manner.





24. Rights and Privileges The following seven subsections provide general recommendations regarding rights, and analyses of the Effective

rights assigned to Local, Global and Universal groups, user accounts, Well Known objects and external objects:

Descriptions & General Recommendations for Rights

Rights Assigned to Local Groups

Rights Assigned to Universal Groups (Native mode only)

Rights Assigned to Global Groups

Rights Assigned to Users

Rights Assigned to Well-Known Objects

Rights Assigned to External Objects

Notes

In Windows 200x* domains, each domain controller can have different "local policy" settings. The domain controllers usually inherit the same "local policy" settings by belonging to one Organizational Unit (e.g. Domain Controllers) to which the same policies apply. However, by having domain controllers, for example, in different Organizational Units, different "local policies" can be applied to domain controllers.

This has important security implications as accounts can, for example, be granted powerful rights on one or more domain controller while being denied the same rights on other domain controllers.

Implications

Rights and privileges allow users to perform certain actions on the system, such as the ability to Backup Files & Directories. Rights/Privileges apply to the system as a whole and are different to permissions, which apply to specific objects.

User rights fall into two general categories: logon rights and privileges. Logon rights control who is authorized to log on to a computer and how they can log on. Privileges control access to system resources, and they can override the permissions that are set on a particular object on the computer.

The special account LocalSystem has built-in capabilities that correspond to almost all privileges and logon rights. Processes that are running as part of the operating system are associated with this account, and they require a complete set of user rights. The system services that are supplied with Windows 200x* are configured automatically to run as LocalSystem. Although other services can be configured to also run under this account, it is recommended that this be done with care.

Logon rights control how security principals are allowed access to the computer, whether from the keyboard or through a network connection, or whether as a service or as a batch job. For each logon method, there exists a pair of logon rights, one to allow logging on to the computer and another to deny logging on to the computer. A deny logon right can be used to exclude groups or individual accounts that have been assigned an allow logon right. Deny rights take precedence over allow rights.

Rights and privileges are assigned to specific accounts directly via the User Rights policy, or indirectly via group membership.

Note that members of a Local, Global or Universal group automatically inherit all rights granted to that group. This includes Global groups or users from other domains that are members of a Local or Universal group.

To ease the task of account administration, it is recommended that Rights are primarily assigned to groups rather than to individual user accounts. When Rights are assigned to a group, the Rights are assigned automatically to each user who is added to the group. This is easier than assigning Rights to individual user accounts as each account is created.

If users are given inappropriate rights it can lead to a high security risk.

Risk Rating

Medium to high depending on the rights granted to groups and users.





Recommended Action

Rights should be justified according to the person’s job function.

In general, rights should be assigned by adding user accounts to one of the built-in groups that already has the needed rights, rather than by administering the User Rights policy.

The recommendations on the following page serve as a guideline only. Powerful rights should only be granted to users or special accounts (e.g. SMS account) when absolutely necessary. They should also be reviewed on a regular basis.





24.1 Descriptions & General Recommendations for Rights

Right Description Recommendation

Access this computer from the network

Allows a user to connect to the computer from the network. By default, this right is assigned to Administrators, Everyone, and Power Users.

Initially granted to Administrators, Everyone and Power Users. Restrict as required.


Allows a process to authenticate like a user and thus gain access to the same resources as a user. Only low-level authentication services should require this privilege. Note that potential access is not limited to what is associated with the user by default; the calling process might request that arbitrary additional privileges be added to the access token. Note that the calling process can also build an anonymous token that does not provide a primary identity for tracking events in the audit log. When a service requires this privilege, configure the service to use the LocalSystem account (which already includes the privilege), rather than create a separate account and assign the privilege to it.

Grant to no one.

Add workstations to domain Allows a user to add workstations to the domain. Adding a workstation to a domain enables the workstation to recognize the domain's user and global groups accounts. By default, members of a domain's Administrators and Account Operators groups have the right to add a workstation to a domain. This right cannot be taken away. They can also grant this right to other users.

Grant to Administrators and Account Operators.

Adjust memory quotas for a process

Allows a process that has Write Property access to another process to increase the processor quota that is assigned to the other process. This privilege is useful for system tuning, but it can be abused, as in a denial-of-service attack. By default, this privilege is assigned to Administrators.

Grant to no one.

Allow log on locally Allows a user to log on locally at the computer’s keyboard. For servers and domain controllers, by default, this right is assigned to Administrators, Account Operators, Backup Operators, Print Operators, and Server Operators.

For servers and domain controllers (I.e. not work stations), grant to Administrators and Operators only.

Allow log on through Terminal Services

Windows XP (or later) only. Allows a user to log on to the computer by using a Remote Desktop connection.

By default, this right is assigned to Administrators and Remote Desktop Users.

Backup files and directories Allows the user to circumvent file and directory permissions to back up the system. The privilege is selected only when an application attempts access through the NTFS backup application programming interface (API). Otherwise, normal file and directory permissions apply. By default, this privilege is assigned to Administrators and Backup Operators. (See also “Restore files and directories” in this table.)

Grant only to Administrator and Backup Operator.

Bypass traverse checking Allows the user to pass through folders to which the user otherwise has no access while navigating an object path in any Microsoft® Windows® file system or in the registry. This privilege does not allow the user to list the contents of a folder; it allows the user only to traverse its directories. By default, this privilege is assigned to Administrators, Backup Operators, Power Users, Users, and Everyone.

Restrict as required. It is enabled by default for all users.

Change the system time Allows the user to set the time for the internal clock of the computer. By default, this privilege is assigned to Administrators and Power Users.

Grant to Administrators only.

Create a page file Allows the user to create and change the size of a pagefile. This is done by specifying a paging file size for a particular drive under Performance Options on the Advanced tab of System Properties. By default, this privilege is assigned to Administrators.







Create a token object Allows a process to create an access token by calling NtCreateToken() or other token-creating APIs. When a process requires this privilege, use the LocalSystem account (which already includes the privilege), rather than create a separate user account and assign this privilege to it.

Grant to no one.

Create global objects Windows 2000 (SP4 or later) only. Allows a user account to create global objects in a Terminal Services session. Note that users can still create session-specific objects without being assigned this user right.

By default, members of the Administrators group, the System account, and Services that are started by the Service Control Manager are assigned the "Create global objects" user right.


Allows a process to create a directory object in the Windows object manager. This privilege is useful to kernel-mode components that extend the Windows object namespace. Components that are running in kernel mode already have this privilege assigned to them; it is not necessary to assign them the privilege.

Grant to no one or to Administrators only.

Debug programs Allows the user to attach a debugger to any process. This privilege provides access to sensitive and critical operating system components. By default, this privilege is assigned to Administrators.

Grant to no one unless required for development purposes.

Deny access to this computer from the network

Prohibits a user or group from connecting to the computer from the network. By default, no one is denied this right.

Grant as required.

Deny log on as a batch job Prohibits a user or group from logging on through a batch-queue facility. By default, no one is denied the right to log on as a batch job.

Grant as required.

Deny log on as a service Prohibits a user or group from logging on as a service. By default, no one is denied the right to log on as a service.

Grant as required.

Deny log on locally Prohibits a user or group from logging on locally at the keyboard. By default, no one is denied this right.

Grant as required.

Deny log on through Terminal Services

Windows XP (or later) only. Prohibits a user from logging on to the computer using a Remote Desktop connection.

Grant as required.

Enable accounts to be trusted for delegation

Allows the user to change the Trusted for Delegation setting on a user or computer object in Active Directory. The user or computer that is granted this privilege must also have write access to the account control flags on the object. Delegation of authentication is a capability that is used by multi-tier client/server applications. It allows a front-end service to use the credentials of a client in authenticating to a back-end service.

Grant to Administrators only. Misuse of this privilege could make the network vulnerable to sophisticated attacks using Trojan horse programs that impersonate incoming clients and use their credentials to gain access to network resources.

Force shutdown from a remote system

Allows a user to shut down a computer from a remote location on the network. (See also “Shut down the system” in this table.) By default, this privilege is assigned to Administrators.


Generate security audits Allows a process to generate entries in the security log. The security log is used to trace unauthorized system access. (See also “Manage auditing and security log” in this table.)

Give this right to secure servers.

Impersonate a Client after authentication

Windows 2000 (SP4 or later) only. Permits programs that run on behalf of the user to impersonate a client. This security setting helps to prevent unauthorized servers from impersonating clients that connect to it through methods such as remote procedure calls (RPC) or named pipes.

By default, members of the Administrators group and the System account are assigned the right.






Increase scheduling priority Allows a process that has Write Property access to another process to increase the execution priority of the other process. A user with this privilege can change the scheduling priority of a process in the Task Manager dialog box. By default, this privilege is assigned to Administrators.


Load and unload device drivers Allows a user to install and uninstall Plug and Play device drivers. This privilege does not apply to device drivers that are not Plug and Play; these device drivers can be installed only by Administrators. Note that device drivers run as trusted (highly privileged) programs; a user can abuse this privilege by installing hostile programs and giving them destructive access to resources. By default, this privilege is assigned to Administrators.


Lock pages in memory Allows a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Assigning this privilege can result in significant degradation of system performance. This privilege is obsolete and is therefore never selected.

Grant to no one.

Log on as a batch job Allows a user to log on by using a batch-queue facility. By default, this right is assigned to Administrators.

Grant to no one.

Log on as a service Allows a security principal to log on as a service. Services can be configured to run under the LocalSystem account, which has a built-in right to log on as a service. Any service that runs under a separate account must be assigned the right. By default, this right is not assigned to anyone.

Grant to no one.

Manage auditing and security log

Allows a user to specify object access auditing options for individual resources such as files, Active Directory objects, registry keys and other objects. Object access auditing is not actually performed unless you have enabled it in Audit Policy (under Security Settings, Local Policies). A user who has this privilege also can view and clear the security log from Event Viewer. By default, this privilege is assigned to Administrators.


Modify firmware environment values

Allows modification of system environment variables either by a process through an API or by a user through System Properties. By default, this privilege is assigned to Administrators.


Perform volume maintenance tasks

Windows XP (or later) only. Allows a non-administrative or remote user to manage volumes or disks. The operating system checks for the privilege in a user's access token when a process running in the user's security context calls SetFileValidData().

By default, this right is assigned to members of the Administrators group.

Profile single process Allows a user to run Microsoft® Windows NT® and Windows 2000 performance-monitoring tools to monitor the performance of nonsystem processes. By default, this privilege is assigned to Administrators and Power Users.


Profile system performance Allows a user to run Windows NT and Windows 2000 performance-monitoring tools to monitor the performance of system processes. By default, this privilege is assigned to Administrators.

Grant to Administrators or Operators.

Remove computer from docking station

Allows the user of a portable computer to undock the computer by clicking Eject PC on the Start menu. By default, this privilege is assigned to Administrators, Power Users, and Users.

Grant as required.

Replace a process-level token Allows a parent process to replace the access token that is associated with a child process.

Grant to no one. This is a powerful right used only by the system.






Restore files and directories Allows a user to circumvent file and directory permissions when restoring backed-up files and directories and to set any valid security principal as the owner of an object. (See also “Back up files and directories” in this table.) By default, this privilege is assigned to Administrators and Backup Operators.

Grant to Administrators and Backup Operators only. This right overrides file and directory permissions.

Shut down the system Allows a user to shut down the local computer. At domain level this applies to all domain controllers in the domain. On a server or workstation, this applies to that machine only.

Grant to Administrators and Operators only. Especially for domain controllers or servers. On workstations, this can be granted to all users.


Allows a process to provide directory synchronization services. This privilege is relevant only on domain controllers. By default, this privilege is assigned to the Administrator and LocalSystem accounts on domain controllers.


Take ownership of files or other objects

Allows a user to take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. At domain level this applies to all domain controllers in the domain. On a server or workstation, this applies to that machine only.

Grant to Administrators only. This right overrides permissions protecting the object(s).





24.2 Rights Assigned to Local Groups Local groups can acquire rights indirectly via membership of another group or groups (the column Group Account Name) or by direct assignment (the column Group Account Name is empty). E.g.

Local Group

has Right via

membership of

Local1*Local2*Local3

In Native Mode domains, a Local Security Group can be a member of other Local Security Groups. Rights can propagate through nested security groups. In those cases, the Group Account Name will be written in the format of:

Group1*Group2*Group3…, starting from the higher-level group from which the group acquires the right.

In Mixed Mode domains, a Local Security Group cannot be a member of another Local Security Group.

For a complete list of groups see report section Groups Defined in the Domain .

Local Group Right Via Groups

Account Operators Allow log on locally

Administrators Access this computer from the network

Adjust memory quotas for a process

Allow log on locally

Allow log on through Terminal Services

Backup files and directories

Bypass traverse checking

Change the system time

Create a page file

Create global objects

Debug programs

Enable accounts to be trusted for delegation



Increase scheduling priority

Load and unload device drivers

Manage auditing and security log

Modify firmware environment values

Perform volume maintenance tasks

Profile single process

Profile system performance

Remove computer from docking station

Restore files and directories

Shut down the system

Take ownership of files or other objects

Backup Operators Allow log on locally




Pre-Windows 2000 Compatible Access Access this computer from the network





Local Group Right Via Groups


Print Operators Allow log on locally

Load and unload device drivers


Server Operators Allow log on locally


Change the system time





Log on as a service





24.3 Rights Assigned to Universal Groups (Native mode only) Universal groups can acquire rights indirectly via membership of another Universal or Local security group or groups (the column Group Account Name) or by direct assignment (the column Group Account Name is empty). E.g.

Universal Group

has Right

via membership

of

Local1*Local2*Universal1*Universal2 or

Universal1*Universal2*Universal3

In Native Mode domains, a Universal Security Group can be a member of other Universal or Local Security Groups. Rights can propagate through nested security groups. In those cases, the Group Account Name will be written in the format of: Group1*Group2*Group3…, starting from the higher-level group from which the group acquires the right.

In Mixed Mode domains, Universal Security Groups cannot be created.

For a complete list of groups see report section Groups Defined in the Domain . ** No data found **





24.4 Rights Assigned to Global Groups Global groups can acquire rights indirectly via membership of another group or groups (the column Group Account Name) or by direct assignment (the column Group Account Name is empty). E.g.

Global Group

has Right

via membership

of

LocalGroup or

Local1*Local2*Universal1*Global1 or

Universal1*Universal2*Global1 or

Global1*Global2*Global3

In Native Mode domains a Global Security Group can be a member of other Global, Universal or Local Security Groups. Rights can propagate through nested security groups. In those cases, the Group Account Name will be written in the format of: Group1*Group2*Group3…, starting from the higher-level group from which the group acquires the right.

In Mixed Mode domains a Global Security Group can be a member of Local Security Groups only.


Global Group Right Via Groups

Domain Admins Access this computer from the network Administrators

Adjust memory quotas for a process Administrators

Allow log on locally Administrators

Allow log on through Terminal Services Administrators

Backup files and directories Administrators

Bypass traverse checking Administrators

Change the system time Administrators

Create a page file Administrators

Create global objects Administrators

Debug programs Administrators

Enable accounts to be trusted for delegation Administrators

Force shutdown from a remote system Administrators

Impersonate a Client after authentication Administrators

Increase scheduling priority Administrators

Load and unload device drivers Administrators

Manage auditing and security log Administrators

Modify firmware environment values Administrators

Perform volume maintenance tasks Administrators

Profile single process Administrators

Profile system performance Administrators

Remove computer from docking station Administrators

Restore files and directories Administrators

Shut down the system Administrators

Take ownership of files or other objects Administrators





24.5 Rights Assigned to Users The following two reports list all rights assigned to users, including rights assigned directly to users (the column Group Account Name is empty), and rights acquired indirectly via membership of groups or nested groups (the column Group Account Name). The first report is Grouped by Right and the second is Grouped by User Account.

In cases of rights acquired indirectly, the Group Account Name will be written in the format of: Group1*Group2*Group3…, starting from the higher-level group from which the user acquires the right. E.g.

User Account

has Right

via membership

of Group1*Group2*Group3

Consult reports Rights Assigned to Local Groups, Rights Assigned to Universal Groups (Native mode only) and Rights Assigned to Global Groups for a complete list of rights assigned to all Groups.


Section Summary

12.5% (2) of user accounts have right 'Access this computer from the network' 6.3% (1) of user accounts have right 'Deny access to this computer from the network' 12.5% (2) of user accounts have right 'Access this computer from the network(Effective)' 0.0% (0) of user accounts have right 'Act as part of the operating system' 0.0% (0) of user accounts have right 'Add workstations to domain' 12.5% (2) of user accounts have right 'Adjust memory Quotas for a process' 12.5% (2) of user accounts have right 'Backup files and directories' 12.5% (2) of user accounts have right 'Bypass traverse checking' 12.5% (2) of user accounts have right 'Change the system time' 0.0% (0) of user accounts have right 'Create a token object' 12.5% (2) of user accounts have right 'Create global objects' 12.5% (2) of user accounts have right 'Create a page file' 0.0% (0) of user accounts have right 'Create permanent shared objects' 12.5% (2) of user accounts have right 'Debug programs' 12.5% (2) of user accounts have right 'Force shutdown from a remote system' 0.0% (0) of user accounts have right 'Generate security audits' 12.5% (2) of user accounts have right 'Impersonate a Client after authentication' 12.5% (2) of user accounts have right 'Increase scheduling priority' 12.5% (2) of user accounts have right 'Load and unload device drivers' 0.0% (0) of user accounts have right 'Lock pages in memory' 6.3% (1) of user accounts have right 'Log on as a batch job' 0.0% (0) of user accounts have right 'Deny logon as a batch job' 6.3% (1) of user accounts have right 'Logon as a batch job(Effective)' 6.3% (1) of user accounts have right 'Log on as a service' 0.0% (0) of user accounts have right 'Deny logon as a service' 6.3% (1) of user accounts have right 'Logon as a service(Effective)' 12.5% (2) of user accounts have right 'Log on locally' 12.5% (2) of user accounts have right 'Deny user from logging on locally' 12.5% (2) of user accounts have right 'Log on locally(Effective)' 12.5% (2) of user accounts have right 'Allow logon through Terminal Services' 0.0% (0) of user accounts have right 'Deny logon through Terminal Services' 12.5% (2) of user accounts have right 'Logon through Terminal Services(Effective)' 12.5% (2) of user accounts have right 'Manage auditing and security log' 12.5% (2) of user accounts have right 'Modify firmware environment values' 12.5% (2) of user accounts have right 'Perform volume maintenance tasks' 12.5% (2) of user accounts have right 'Profile single process' 12.5% (2) of user accounts have right 'Profile system performance' 0.0% (0) of user accounts have right 'Replace a process-level token' 12.5% (2) of user accounts have right 'Restore files and directories' 12.5% (2) of user accounts have right 'Shut down the system' 12.5% (2) of user accounts have right 'Take ownership of files or other objects' 12.5% (2) of user accounts have right 'Set the Trusted for Delegation setting' 12.5% (2) of user accounts have right 'Undock a laptop with the Windows 2000 interface' 0.0% (0) of user accounts have right 'Synchronize directory service data'





Grouped by Right

Note. Where the Account Name is blank this means that the Privilege is assigned to nobody.

Right Account Name Via Groups

Access this computer from the network Administrator Administrators

Administrator Administrators*Domain Admins

Administrator Administrators*Enterprise Admins

GpLinkTest Administrators

Access this computer from the network (Effective) Administrator Administrators





Adjust memory quotas for a process Administrator Administrators




Allow log on locally Administrator Administrators




Allow log on through Terminal Services Administrator Administrators




Backup files and directories Administrator Administrators




Bypass traverse checking Administrator Administrators




Change the system time Administrator Administrators




Create a page file Administrator Administrators





Create global objects Administrator Administrators










Debug programs Administrator Administrators




Deny access to this computer from the network SUPPORT_388945a0



Deny log on locally SophosSAUPUFFADDER0

SUPPORT_388945a0


Enable accounts to be trusted for delegation Administrator Administrators




Force shutdown from a remote system Administrator Administrators




Generate security audits

Impersonate a Client after authentication Administrator Administrators




Increase scheduling priority Administrator Administrators




Load and unload device drivers Administrator Administrators





Log on as a batch job SUPPORT_388945a0

Log on as a batch job (Effective) SUPPORT_388945a0

Log on as a service SophosSAUPUFFADDER0

Log on as a service (Effective) SophosSAUPUFFADDER0

Manage auditing and security log Administrator Administrators









Modify firmware environment values Administrator Administrators




Perform volume maintenance tasks Administrator Administrators




Profile single process Administrator Administrators




Profile system performance Administrator Administrators




Remove computer from docking station Administrator Administrators




Replace a process-level token

Restore files and directories Administrator Administrators




Shut down the system Administrator Administrators





Take ownership of files or other objects Administrator Administrators








Grouped by User Account

Note. Where the Account Name is blank this means that the Privilege is assigned to nobody.

Account Name Right Via Groups







Generate security audits


Replace a process-level token


Administrator Access this computer from the network Administrators

Administrators*Domain Admins

Administrators*Enterprise Admins

Access this computer from the network (Effective) Administrators


















































































GpLinkTest Access this computer from the network Administrators

Access this computer from the network (Effective) Administrators
























SophosSAUPUFFADDER0 Deny log on locally

Log on as a service

Log on as a service (Effective)

SUPPORT_388945a0 Deny access to this computer from the network

Deny log on locally

Log on as a batch job

Log on as a batch job (Effective)





24.6 Rights Assigned to Well-Known Objects

Notes

Well-Known Objects are special identities defined by the Windows 200x* security system, such as Everyone, Local System, Principal Self, Authenticated Users, Creator Owner, and so on.

The following report lists rights assigned to Well-Known Objects, including rights assigned directly (the column Group Account Name is empty), and rights acquired indirectly via membership of groups or nested groups (the column Group Account Name).


Well-Known Object

has Right

via

membership

of

Group1*Group2*Group3




Authenticated Users Access this computer from the network

Access this computer from the network Pre-Windows 2000 Compatible Access

Add workstations to domain


Bypass traverse checking Pre-Windows 2000 Compatible Access

Enterprise Domain Controllers Access this computer from the network

Everyone Access this computer from the network


Service Create global objects


SYSTEM Log on as a service





24.7 Rights Assigned to External Objects

Notes

The external objects are users, groups or computers that belong to other domains.

When “Unknown” is reflected, it means that the server/domain where the object is registered could not be reached to obtain the information.

When a server/domain cannot be reached for information, the server/domain is either not available through the network or the server/domain no longer exists in the domain.

The following report lists rights assigned to external objects, including rights assigned directly (the column Group Account Name is empty), and rights acquired indirectly via membership of groups or nested groups (the column Group Account Name).


External Object

has Right

via

membership

of

Group1*Group2*Group3



** No data found **





25. Discretionary Access Controls (DACL) for Containers

Section Summary

This report section analyses 4,572 DACLs defined on the following classes of container objects:

Containers: 4,366 DACLs

Domains: 51 DACLs

Organizational Units: 129 DACLs

Sites: 26 DACLs

Notes

A discretionary access control list (DACL) is an ordered list of access control entries (ACEs) that define the permissions that apply to an object and its properties. Each ACE identifies an account (user, group, well-known object) and specifies a set of permissions allowed or denied for that account.

Key:

Permission The permission(s) the trustee has over the object.

Type Allow = Allow permission to trustee Deny = Deny Permission to trustee

Trustee The account to which the permission is assigned for the specified object. (G) = Group; (U) = User; (W) = Well-Known Object; (C) = Computer; (?) = The account is from an external domain and we cannot resolve the account type

Object The object on which the account has the permission. (D) = Domain; (OU) = Organizational Unit; (C) = Container; (S) = Site

Permission Applies To

Specifies where the permissions are applied:

This object only

This object and all child objects

Child objects only

Computer objects

Group objects

GroupPolicyContainer objects

Organizational Unit objects

Site objects

Trusted Domain objects

User objects Bhvr (Behaviour)

P -The permission applies to objects within the container specified (object the permission

applies to) only. If omitted, the permission will propagate to all child objects of the container within the tree. I - The permission is inherited from the parent object.

If omitted, the permission is defined directly on the specified object. PI – Both Options

Section Detail

For details see worksheet DACLs in the MS-Excel workbook.

Implications

Some of the permissions are very powerful and they should be carefully assigned to users and groups.

Risk Rating

Medium to High. (If users are assigned powerful Permissions that are not in line with their job functions.)

Recommended Action

You should check that the listed permissions over objects are appropriate and in line with users’ job functions.

sample-report-appendix-active-directory.xlsx#DACLs





26. Trusted and Trusting Domains

Section Summary

The domain being analysed has trust relationships with 2 other domains

50.0% (1) are trusted domains

50.0% (1) are trusting domains

0.0% (0) are both trusted and trusting domains

Section Detail

Domain Name Trust Type Attributes Trusted Trusting

SnakeNY MIT Kerberos realm Disallow transitivity Yes

SnakeWP MIT Kerberos realm Disallow transitivity Yes

Implications

A trust relationship is a link between two domains where the trusting domain honours logon authentications of the trusted domain.

Active Directory services support two forms of trust relationships: one-way, non-transitive trusts and two-way, transitive trusts.

In a one-way trust relationship, if Domain A trusts Domain B, Domain B does not automatically trust Domain A.

In a non-transitive trust relationship, if Domain A trusts Domain B and Domain B trusts Domain C, then Domain A does not automatically trust Domain C.

Networks running Windows NT 4.0 and earlier versions of Windows NT use one-way, non-transitive trust relationships. You manually create one-way, non-transitive trust relationships between existing domains. As a result, a Windows NT 4.0 (or earlier Windows NT) network with several domains requires the creation of many trust relationships.

Active Directory services support this type of trust for connections to existing Windows NT 4.0 and earlier domains and to allow the configuration of trust relationships with domains in other domain trees.

A two-way, transitive trust is the relationship between parent and child domains within a domain tree and between the top-level domains in a forest of domain trees. This is the default. Trust relationships among domains in a tree are established and maintained automatically. Transitive trust is a feature of the Kerberos authentication protocol, which provides for distributed authentication and authorization in Windows 200x*.

In a two-way trust relationship, if Domain A trusts Domain B, then Domain B trusts Domain A. In a transitive trust relationship, if Domain A trusts Domain B and Domain B trusts Domain C, then Domain A trusts Domain C. Therefore in a two-way, transitive trust relationship, if DomainA trusts DomainB and DomainB trusts DomainC, then DomainA trusts DomainC and DomainC trusts DomainA.

If a two-way, transitive trust exists between two domains, you can assign permissions to resources in one domain to user and group accounts in the other domain, and vice versa.

Two-way, transitive trust relationships are the default in Windows 200x*. When you create a new child domain in a domain tree, a trust relationship is established automatically with its parent domain, which imparts a trust relationship with every other domain in the tree. As a result, users in one domain can access resources to which they have been granted permission in all other domains in a tree.

Note, however, that the single logon enabled by trusts does not necessarily imply that the authenticated user has rights and permissions in all domains.

The trusting domain will rely on the trusted domain to verify the userid and password of users logging on the trusted domain.

Trusted domains can potentially provide paths for illegal access to the trusting domains. Weak security standards applied in trusted domains can undermine security on the trusting domains.

Risk Rating

Medium to High (dependant on the quality of security standards applied in trusted domains).





Recommended Action

You should satisfy yourself that security in domains trusted by your domain is implemented and administered to appropriate standards. You should consider running SekChek on domain controllers for all trusted domains.





27. Servers and Workstations

Notes

Role: DC = Domain Controller, S = Server, WS = Workstation

When OS & Version = Not defined and Role = blank, it means that SekChek could not obtain the information or that

the object does not refer to an actual machine.

Section Summary

There are 4 computer accounts defined in your domain:

50.0% (2) are Domain Controllers

0.0% (0) are Servers

50.0% (2) are Workstations

0.0% (0) of computer accounts are protected against accidental deletion Breakdown of Operating Systems:

25.0% (1) are running Windows 7 Enterprise

25.0% (1) are running Windows Server 2003

25.0% (1) are running Windows Server 2008 R2 Enterprise

25.0% (1) are running Windows Vista? Enterprise

Section Detail

Common Name Path OS & Version Role

BEOWOLF Computers Windows Vista? Enterprise 6.0 (6002) WS

BOOMSLANG Domain Controllers Windows Server 2003 5.2 (3790) DC

PUFFADDER Domain Controllers Windows Server 2008 R2 Enterprise 6.1 (7601) DC

REDWOLF Computers Windows 7 Enterprise 6.1 (7601) WS

Implications

Every server and workstation will provide various services to users within the domain.

Servers normally offer services such as SQL databases, business applications, Active Directory, Email and remote access services.

Workstations are normally used by end users to logon to thedomain and make use of domain resources and services as required.

Resources and services can be shared, with varying access permission settings, on all servers and workstations.

Every server and workstation is a potential security risk because they provide an access path to domain resources.

Risk Rating

Medium to High (Depending on the type of servers, their configuration and security setting standards applied).

Recommended Action

You should ensure that:

Configurations and security settings are defined to appropriate standards

Services and resources are appropriately restricted on servers and workstations

Accounts databases have the appropriate security settings to help prevent illegal access

The rights assigned to accounts and groups are effectively controlled

Effective virus detection and prevention services are installed, running and started automatically at system start-up time





28. Domain Controllers in the Domain

Section Summary

There are 2 Domain Controllers (DCs) defined in your domain.

0 DCs are configured as Read Only Domain Controllers (RODC)

100.0% (2) were scanned for users' last logon times.

Section Detail

Common Name Path Scanned for Last Logons

RODC FSMO/GC Role

BOOMSLANG Domain Controllers Yes No Domain Naming Master

Global Catalog

Schema Master

PUFFADDER Domain Controllers Yes No Global Catalog

Infrastructure Master

PDC Emulator

RID Master

Domain Controller

A domain controller (DC) is a computer running Windows 200x* Server that holds a copy of Active Directory.

DCs authenticate domain logons and track changes made to accounts, groups, and policy and trust relationships in a domain. A domain can contain more than one DC.

Windows 200x* Server domain controllers provide an extension of the capabilities and features provided by Windows NT Server 4.0 domain controllers. For example, domain controllers in Windows 200x* support multimaster replication, synchronizing data on each domain controller and ensuring consistency of information over time. Multimaster replication is an evolution of the primary and backup domain controller of Windows NT Server 4.0, in which only one server, the primary domain controller, had a read and write copy of the directory.

Read Only Domain Controller (RODC)

A read-only domain controller (RODC) was introduced in the Windows Server 2008 operating system.

Except for account passwords, an RODC holds all the Active Directory objects and attributes that a writable domain controller holds. However, changes cannot be made to the database that is stored on the RODC. Changes must be made on a writable domain controller and then replicated back to the RODC.

Flexible Single Master Operation (FSMO) Roles

FSMO Roles are roles assigned to Domain Controllers on a domain running Active Directory, and include:

Domain Naming Master:

The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide domain name space of the directory. This DC is the only one that can add or remove a domain from the directory. Unique per enterprise; as such, it is possible that this role is not held by a DC on this domain.

Infrastructure Master:

When an object in Domain A is referenced by another object in Domain B, it represents the reference by the GUID, the SID (for references to security principals), and the DN of the Active Directory object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference. Unique per domain.

PDC Emulator:

In a Windows 200x domain, the PDC emulator role holder retains the following functions:

Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.

Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.

Account lockout is processed on the PDC emulator. Unique per domain.





RID Master:

The RID (Relative ID) Master is responsible for assigning pools of RIDs to other DCs on the domain. Each DC on a domain is allowed to create new security principal objects. The RID Master issues each DC with a pool of RIDs to assign to these newly created objects. Naturally, as new objects are created, this pool diminishes. Once the pool falls below a threshold, the DC issues a request to the RID Master for an additional pool of RIDs. Unique per domain.

Schema Master:

The DC holding the role of Schema Master is responsible for processing updates to the AD schema. Once the Schema Master updates the AD schema, these changes are then replicated to other DCs on the domain. Unique per enterprise; as such, it is possible that this role is not held by a DC on this domain.

Global Catalog (GC)

A DC can also hold a copy of the global catalog.

The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in an Active Directory forest. The global catalog is stored on DCs that have been designated as global catalog servers and is distributed through multimaster replication. Searches that are directed to the global catalog are faster because they do not involve referrals to different DCs.

The global catalog provides the ability to locate objects from any domain without having to know the domain name. A global catalog server is a DC that, in addition to its full, writable domain directory partition replica, also stores a partial, read-only replica of all other domain directory partitions in the forest. The additional domain directory partitions are partial because only a limited set of attributes is included for each object. By including only the attributes that are most used for searching, every object in every domain in even the largest forest can be represented in the database of a single global catalog server.

Risk Rating

Low to medium depending on the security standards applied to all Domain Controllers in the Domain.

Recommended Action

You should confirm that the security standards applied to all Domain Controllers conform to the expected security standards.





29. Accounts Allowed to Dial In through RAS

Section Summary

SekChek could not determine whether there are any RAS servers on the network because the host system's Computer Browser service was not running during the Scan. All Acounts

12.5% (2) of users have permission to dial-in to your domain through RAS

0.0% (0) of these users are not called back by RAS

100.0% (2) of these users can set their own RAS Call-back Number

0.0% (0) of these users have their RAS Call-back Number set by the Administrator Excluding Disabled Accounts

12.5% (2) of users have permission to dial-in to your domain through RAS

0.0% (0) of these users are not called back by RAS

100.0% (2) of these users can set their own RAS Call-back Number

0.0% (0) of these users have their RAS Call-back Number set by the Administrator All Administrator Acounts

0.0% (0) of administrator accounts have permission to dial-in to your domain through RAS Administrator Accounts (Excluding Disabled Accounts)

0.0% (0) of administrator accounts have permission to dial-in to your domain through RAS

Section Detail

SekChek could not determine whether there are any RAS servers on the network because the host system's Computer Browser service was not running during the Scan. ** No data found ** The following profiles have permission to dial-in to your domain through RAS:

Account Name Callback Callback Nbr Set By

Phone Number

Service Type

Privilege Account State

Virtual1 Yes Caller Callback Framed User

Virtual2 Yes Caller Callback Framed User

LEGEND:

Call Back = Yes : The Server will call back the user before log on is allowed. Callback Number Set By = Administrator : The call back number is pre set. Callback Number Set By = Caller : The user provides a call back number every time. Phone Number Reflects the pre set phone number for call back. Account State : Account is Disabled (D), Locked (L), Expired (E), or a

combination of them. Eg. (DL) (DE). If there are accounts listed with RAS privileges and no RAS servers found, it means that the accounts have been granted RAS privileges but that either:

No RAS servers were visible when this analysis was done; or

There was a RAS service installed at some stage but it has been discontinued. 0 ports listed in RAS servers indicates that the server has the RAS service configured but not active (started).





Implications

RAS (Remote Access Service) allows users to access your system remotely via modems, ISDN etc.

RAS increases the risk of unauthorised access to your system because your system is visible to a much larger number of potential intruders via the public telephone network. The risk is greater if privileged users, such as Administrators, are allowed access through RAS.

In general, multiple RAS servers also increase security risks simply because the number of external access points, which all require securing, is obviously greater. The strength of general security and RAS security on those servers is an important factor in controlling the risks.

You will obtain the most comprehensive view of RAS privileges by running SekChek on the domain controller, selected RAS servers, and domain controllers for each trusted domain and on their RAS servers.

When servers and workstations are members of a domain, they will usually allow users to logon to the domain. For workstations and servers that are not domain members (i.e. Standalone machines), domain logon is normally not available to users.

Inappropriate security settings in RAS can create significant security exposures.

Risk Rating

Medium to high (dependent on settings for RAS users, RAS parameters and the strength of password controls.).

Recommended Action

You should only grant dial in (RAS) access to those users who require it for their job functions. Ensure that RAS access is not granted to all user accounts by default.

In general, you should ensure that the call back feature is enabled for all RAS users and that a pre-set phone number is used.

Do not grant RAS access to privileged accounts (e.g. Administrators) unless absolutely necessary.

If possible, restrict the log-on hours for RAS users. This feature can be set for individual user accounts.

Ensure that the option to prevent clear-text passwords being negotiated is utilised. This is a setting within RAS.

Review the RAS settings on all RAS servers on a regular basis and ensure that appropriate security standards are applied on all of these machines.





30. Services and Drivers on the Machine

Section Summary

There are a total of 367 Services installed. These Services include the following types:

53.1% (195) are Kernel Drivers

7.4% (27) are File System Drivers

12.5% (46) are Own Process

26.4% (97) are Shared Process

0.5% (2) are Own Process (Interactive)

0.0% (0) are Shared Process (Interactive) The Services start types are:

8.2% (30) System Boot

7.1% (26) System

18.5% (68) Automatic

62.7% (230) Manual

3.5% (13) Disabled Their current states are:

52.3% (192) Stopped

0.0% (0) Starting

0.0% (0) Stopping

47.7% (175) Running

0.0% (0) Continuing

0.0% (0) Pausing

0.0% (0) Paused Following are two reports. The first enumerates services, their state and start type. The second enumerates services with their logon account and path name containing the executable. The services listed are on the machine being analysed and do not reflect services installed on other machines.

Section Detail

Service Name Display Name State Service Type Start Type

1394ohci 1394 OHCI Compliant Host Controller Stopped Kernel Driver Manual

ACPI Microsoft ACPI Driver Running Kernel Driver Boot

AcpiPmi ACPI Power Meter Driver Stopped Kernel Driver Manual

adp94xx adp94xx Stopped Kernel Driver Manual

adpahci adpahci Stopped Kernel Driver Manual

adpu320 adpu320 Stopped Kernel Driver Manual

ADWS Active Directory Web Services Running Own Process Automatic

AeLookupSvc Application Experience Running Shared Process Manual

AFD Ancillary Function Driver for Winsock Running Kernel Driver System

agp440 Intel AGP Bus Filter Stopped Kernel Driver Manual

ALG Application Layer Gateway Service Stopped Own Process Manual

aliide aliide Stopped Kernel Driver Manual

amdide amdide Stopped Kernel Driver Manual

AmdK8 AMD K8 Processor Driver Stopped Kernel Driver Manual

AmdPPM AMD Processor Driver Stopped Kernel Driver Manual






amdsata amdsata Stopped Kernel Driver Manual

amdsbs amdsbs Stopped Kernel Driver Manual

amdxata amdxata Running Kernel Driver Boot

AppID AppID Driver Stopped Kernel Driver Manual

AppIDSvc Application Identity Stopped Shared Process Manual

Appinfo Application Information Stopped Shared Process Manual

AppMgmt Application Management Running Shared Process Manual

arc arc Stopped Kernel Driver Manual

arcsas arcsas Stopped Kernel Driver Manual

AsyncMac RAS Asynchronous Media Driver Running Kernel Driver Manual

atapi IDE Channel Running Kernel Driver Boot

AudioEndpointBuilder Windows Audio Endpoint Builder Stopped Shared Process Manual

AudioSrv Windows Audio Stopped Shared Process Manual

b06bdrv Broadcom NetXtreme II VBD Stopped Kernel Driver Manual

b57nd60a Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0 Stopped Kernel Driver Manual

BDESVC BitLocker Drive Encryption Service Stopped Shared Process Manual

Beep Beep Stopped Kernel Driver Manual

BFE Base Filtering Engine Running Shared Process Automatic

BITS Background Intelligent Transfer Service Stopped Shared Process Manual

blbdrive blbdrive Running Kernel Driver System

bowser Browser Support Driver Running File System Driver Manual

BrFiltLo Brother USB Mass-Storage Lower Filter Driver Stopped Kernel Driver Manual

BrFiltUp Brother USB Mass-Storage Upper Filter Driver Stopped Kernel Driver Manual

Browser Computer Browser Stopped Shared Process Disabled

Brserid Brother MFC Serial Port Interface Driver (WDM) Stopped Kernel Driver Manual

BrSerWdm Brother WDM Serial driver Stopped Kernel Driver Manual

BrUsbMdm Brother MFC USB Fax Only Modem Stopped Kernel Driver Manual

BrUsbSer Brother MFC USB Serial WDM Driver Stopped Kernel Driver Manual

cdfs CD/DVD File System Reader Running File System Driver Disabled

cdrom CD-ROM Driver Running Kernel Driver System

CertPropSvc Certificate Propagation Running Shared Process Manual

CLFS Common Log (CLFS) Running Kernel Driver Boot

clr_optimization_v2.0.50727_32 Microsoft .NET Framework NGEN v2.0.50727_X86 Running Own Process Automatic

clr_optimization_v2.0.50727_64 Microsoft .NET Framework NGEN v2.0.50727_X64 Running Own Process Automatic

CmBatt Microsoft ACPI Control Method Battery Driver Stopped Kernel Driver Manual

cmdide cmdide Stopped Kernel Driver Manual

CNG CNG Running Kernel Driver Boot

Compbatt Compbatt Stopped Kernel Driver Manual

CompositeBus Composite Bus Enumerator Driver Running Kernel Driver Manual

COMSysApp COM+ System Application Stopped Own Process Manual

crcdisk Crcdisk Filter Driver Stopped Kernel Driver Disabled

CryptSvc Cryptographic Services Running Shared Process Automatic

DcomLaunch DCOM Server Process Launcher Running Shared Process Automatic






defragsvc Disk Defragmenter Stopped Own Process Manual

Dfs DFS Namespace Running Own Process Automatic

DfsC DFS Namespace Client Driver Running File System Driver System

DfsDriver DFS Namespace Server Filter Driver Running File System Driver System

DFSR DFS Replication Running Own Process Automatic

DfsrRo DFS Replication ReadOnly Driver Running File System Driver Boot

Dhcp DHCP Client Running Shared Process Automatic

discache System Attribute Cache Running Kernel Driver System

Disk Disk Driver Running Kernel Driver Boot

DNS DNS Server Running Own Process Automatic

Dnscache DNS Client Running Shared Process Automatic

dot3svc Wired AutoConfig Stopped Shared Process Manual

DPS Diagnostic Policy Service Running Shared Process Automatic

DXGKrnl LDDM Graphics Subsystem Stopped Kernel Driver Manual

EapHost Extensible Authentication Protocol Stopped Shared Process Manual

ebdrv Broadcom NetXtreme II 10 GigE VBD Stopped Kernel Driver Manual

EFS Encrypting File System (EFS) Stopped Shared Process Manual

elxstor elxstor Stopped Kernel Driver Manual

ErrDev Microsoft Hardware Error Device Driver Stopped Kernel Driver Manual

eventlog Windows Event Log Running Shared Process Automatic

EventSystem COM+ Event System Running Shared Process Automatic

exfat exFAT File System Driver Stopped File System Driver Manual

fastfat FAT12/16/32 File System Driver Stopped File System Driver Manual

FCRegSvc Microsoft Fibre Channel Platform Registration Service Stopped Shared Process Manual

fdc Floppy Disk Controller Driver Running Kernel Driver Manual

fdPHost Function Discovery Provider Host Running Shared Process Manual

FDResPub Function Discovery Resource Publication Stopped Shared Process Manual

FileInfo File Information FS MiniFilter Stopped File System Driver Manual

Filetrace Filetrace Stopped File System Driver Manual

flpydisk Floppy Disk Driver Running Kernel Driver Manual

FltMgr FltMgr Running File System Driver Boot

FontCache Windows Font Cache Service Running Shared Process Automatic

FontCache3.0.0.0 Windows Presentation Foundation Font Cache 3.0.0.0 Stopped Own Process Manual

FsDepends File System Dependency Minifilter Stopped File System Driver Manual

fvevol Bitlocker Drive Encryption Filter Driver Running Kernel Driver Boot

gagp30kx Microsoft Generic AGPv3.0 Filter for K8 Processor Platforms

Stopped Kernel Driver Manual

gpsvc Group Policy Client Running Shared Process Automatic

HDAudBus Microsoft UAA Bus Driver for High Definition Audio Stopped Kernel Driver Manual

HidBatt HID UPS Battery Driver Stopped Kernel Driver Manual

hidserv Human Interface Device Access Stopped Shared Process Manual

HidUsb Microsoft HID Class Driver Stopped Kernel Driver Manual

hkmsvc Health Key and Certificate Management Stopped Shared Process Manual






HpSAMD HpSAMD Stopped Kernel Driver Manual

HTTP HTTP Running Kernel Driver Manual

hwpolicy Hardware Policy Driver Running Kernel Driver Boot

i8042prt i8042 Keyboard and PS/2 Mouse Port Driver Running Kernel Driver Manual

iaStorV Intel RAID Controller Windows 7 Stopped Kernel Driver Manual

idsvc Windows CardSpace Stopped Shared Process Manual

iirsp iirsp Stopped Kernel Driver Manual

IKEEXT IKE and AuthIP IPsec Keying Modules Stopped Shared Process Manual

intelide intelide Running Kernel Driver Boot

intelppm Intel Processor Driver Running Kernel Driver Manual

ioatdma Intel(R) QuickData Technology Device Stopped Kernel Driver Manual

IPBusEnum PnP-X IP Bus Enumerator Stopped Shared Process Disabled

IpFilterDriver IP Traffic Filter Driver Stopped Kernel Driver Manual

iphlpsvc IP Helper Running Shared Process Automatic

IPMIDRV IPMIDRV Stopped Kernel Driver Manual

IPNAT IP Network Address Translator Stopped Kernel Driver Manual

isapnp isapnp Stopped Kernel Driver Manual

iScsiPrt iScsiPort Driver Stopped Kernel Driver Manual

IsmServ Intersite Messaging Running Own Process Automatic

kbdclass Keyboard Class Driver Running Kernel Driver Manual

kbdhid Keyboard HID Driver Stopped Kernel Driver Manual

kdc Kerberos Key Distribution Center Running Shared Process Automatic

KeyIso CNG Key Isolation Stopped Shared Process Manual

KSecDD KSecDD Running Kernel Driver Boot

KSecPkg KSecPkg Running Kernel Driver Boot

ksthunk Kernel Streaming Thunks Stopped Kernel Driver Manual

KtmRm KtmRm for Distributed Transaction Coordinator Stopped Shared Process Manual

LanmanServer Server Running Shared Process Automatic

LanmanWorkstation Workstation Running Shared Process Automatic

lltdio Link-Layer Topology Discovery Mapper I/O Driver Running Kernel Driver Automatic

lltdsvc Link-Layer Topology Discovery Mapper Stopped Shared Process Manual

lmhosts TCP/IP NetBIOS Helper Running Shared Process Automatic

LSI_FC LSI_FC Stopped Kernel Driver Manual

LSI_SAS LSI_SAS Stopped Kernel Driver Manual

LSI_SAS2 LSI_SAS2 Stopped Kernel Driver Manual

LSI_SCSI LSI_SCSI Stopped Kernel Driver Manual

luafv UAC File Virtualization Running File System Driver Automatic

megasas megasas Stopped Kernel Driver Manual

MegaSR MegaSR Stopped Kernel Driver Manual

Microsoft SharePoint Workspace Audit Service

Microsoft SharePoint Workspace Audit Service Stopped Own Process Manual

MMCSS Multimedia Class Scheduler Stopped Shared Process Manual

Modem Modem Stopped Kernel Driver Manual






monitor Microsoft Monitor Class Function Driver Service Stopped Kernel Driver Manual

mouclass Mouse Class Driver Running Kernel Driver Manual

mouhid Mouse HID Driver Running Kernel Driver Manual

mountmgr Mount Point Manager Running Kernel Driver Boot

mpio Microsoft Multi-Path Bus Driver Stopped Kernel Driver Manual

mpsdrv Windows Firewall Authorization Driver Running Kernel Driver Manual

MpsSvc Windows Firewall Running Shared Process Automatic

mrxsmb SMB MiniRedirector Wrapper and Engine Running File System Driver Manual

mrxsmb10 SMB 1.x MiniRedirector Running File System Driver Manual

mrxsmb20 SMB 2.0 MiniRedirector Running File System Driver Manual

msahci msahci Stopped Kernel Driver Manual

msdsm Microsoft Multi-Path Device Specific Module Stopped Kernel Driver Manual

MSDTC Distributed Transaction Coordinator Running Own Process Automatic

Msfs Msfs Running File System Driver System

mshidkmdf Pass-through HID to KMDF Filter Driver Stopped Kernel Driver Manual

msisadrv msisadrv Running Kernel Driver Boot

MSiSCSI Microsoft iSCSI Initiator Service Stopped Shared Process Manual

msiserver Windows Installer Stopped Own Process Manual

MsRPC MsRPC Stopped Kernel Driver Manual

mssmbios Microsoft System Management BIOS Driver Running Kernel Driver System

MSSQL$SOPHOS SQL Server (SOPHOS) Running Own Process Automatic

MSSQLServerADHelper100 SQL Active Directory Helper Service Stopped Own Process Disabled

MTConfig Microsoft Input Configuration Driver Stopped Kernel Driver Manual

Mup Mup Running File System Driver Boot

napagent Network Access Protection Agent Stopped Shared Process Manual

NDIS NDIS System Driver Running Kernel Driver Boot

NdisCap NDIS Capture LightWeight Filter Stopped Kernel Driver Manual

NdisTapi Remote Access NDIS TAPI Driver Running Kernel Driver Manual

Ndisuio NDIS Usermode I/O Protocol Stopped Kernel Driver Manual

NdisWan Remote Access NDIS WAN Driver Running Kernel Driver Manual

NDProxy NDIS Proxy Running Kernel Driver Manual

NetBIOS NetBIOS Interface Running File System Driver System

NetBT NetBT Running Kernel Driver System

Netlogon Netlogon Running Shared Process Automatic

Netman Network Connections Running Shared Process Manual

netprofm Network List Service Running Shared Process Manual

NetTcpPortSharing Net.Tcp Port Sharing Service Stopped Shared Process Disabled

netvsc netvsc Running Kernel Driver Manual

nfrd960 nfrd960 Stopped Kernel Driver Manual

NlaSvc Network Location Awareness Running Shared Process Automatic

Npfs Npfs Running File System Driver System

nsi Network Store Interface Service Running Shared Process Automatic

nsiproxy NSI proxy service driver. Running Kernel Driver System






NTDS Active Directory Domain Services Running Shared Process Automatic

NtFrs File Replication Service Running Own Process Automatic

Ntfs Ntfs Running File System Driver Manual

Null Null Running Kernel Driver System

nv_agp NVIDIA nForce AGP Bus Filter Stopped Kernel Driver Manual

nvraid nvraid Stopped Kernel Driver Manual

nvstor nvstor Stopped Kernel Driver Manual

ohci1394 1394 OHCI Compliant Host Controller (Legacy) Stopped Kernel Driver Manual

ose Office Source Engine Stopped Own Process Manual

osppsvc Office Software Protection Platform Stopped Own Process Manual

Parport Parallel port driver Stopped Kernel Driver Manual

partmgr Partition Manager Running Kernel Driver Boot

pci PCI Bus Driver Running Kernel Driver Boot

pciide pciide Stopped Kernel Driver Manual

pcmcia pcmcia Stopped Kernel Driver Manual

pcw Performance Counters for Windows Driver Running Kernel Driver Boot

PEAUTH PEAUTH Running Kernel Driver Automatic

PerfHost Performance Counter DLL Host Stopped Own Process Manual

pla Performance Logs & Alerts Stopped Shared Process Manual

PlugPlay Plug and Play Running Shared Process Automatic

PolicyAgent IPsec Policy Agent Stopped Shared Process Manual

Power Power Running Shared Process Automatic

PptpMiniport WAN Miniport (PPTP) Running Kernel Driver Manual

Processor Processor Driver Stopped Kernel Driver Manual

ProfSvc User Profile Service Running Shared Process Automatic

ProtectedStorage Protected Storage Stopped Shared Process Manual

Psched QoS Packet Scheduler Running Kernel Driver System

ql2300 ql2300 Stopped Kernel Driver Manual

ql40xx ql40xx Stopped Kernel Driver Manual

RasAcd Remote Access Auto Connection Driver Stopped Kernel Driver Manual

RasAgileVpn WAN Miniport (IKEv2) Running Kernel Driver Manual

RasAuto Remote Access Auto Connection Manager Stopped Shared Process Manual

Rasl2tp WAN Miniport (L2TP) Running Kernel Driver Manual

RasMan Remote Access Connection Manager Stopped Shared Process Manual

RasPppoe Remote Access PPPOE Driver Running Kernel Driver Manual

RasSstp WAN Miniport (SSTP) Running Kernel Driver Manual

rdbss Redirected Buffering Sub Sysytem Running File System Driver System

rdpbus Remote Desktop Device Redirector Bus Driver Running Kernel Driver Manual

RDPCDD RDPCDD Running Kernel Driver System

RDPDR Terminal Server Device Redirector Driver Running Kernel Driver Manual

RDPENCDD RDP Encoder Mirror Driver Running Kernel Driver System

RDPREFMP Reflector Display Driver used to gain access to graphics data

Running Kernel Driver System






RDPWD RDP Winstation Driver Running Kernel Driver Manual

RemoteAccess Routing and Remote Access Stopped Shared Process Disabled

RemoteRegistry Remote Registry Running Shared Process Automatic

RpcEptMapper RPC Endpoint Mapper Running Shared Process Automatic

RpcLocator Remote Procedure Call (RPC) Locator Stopped Own Process Manual

RpcSs Remote Procedure Call (RPC) Running Shared Process Automatic

RSoPProv Resultant Set of Policy Provider Stopped Shared Process Manual

rspndr Link-Layer Topology Discovery Responder Running Kernel Driver Automatic

s3cap s3cap Running Kernel Driver Manual

sacdrv sacdrv Stopped Kernel Driver Boot

sacsvr Special Administration Console Helper Stopped Shared Process Manual

SamSs Security Accounts Manager Running Shared Process Automatic

SAVAdminService Sophos Anti-Virus status reporter Running Own Process Automatic

SAVOnAccess SAVOnAccess Running File System Driver System

SAVService Sophos Anti-Virus Running Own Process Automatic

sbp2port SBP-2 Transport/Protocol Bus Driver Stopped Kernel Driver Manual

SCardSvr Smart Card Stopped Shared Process Manual

scfilter Smart card PnP Class Filter Driver Stopped Kernel Driver Manual

Schedule Task Scheduler Running Shared Process Automatic

SCPolicySvc Smart Card Removal Policy Stopped Shared Process Manual

secdrv Security Driver Running Kernel Driver Automatic

seclogon Secondary Logon Stopped Shared Process Manual

SENS System Event Notification Service Running Shared Process Automatic

Serenum Serenum Filter Driver Running Kernel Driver Manual

Serial Serial port driver Running Kernel Driver System

sermouse Serial Mouse Driver Stopped Kernel Driver Manual

SessionEnv Remote Desktop Configuration Running Shared Process Manual

sffdisk SFF Storage Class Driver Stopped Kernel Driver Manual

sffp_mmc SFF Storage Protocol Driver for MMC Stopped Kernel Driver Manual

sffp_sd SFF Storage Protocol Driver for SDBus Stopped Kernel Driver Manual

sfloppy High-Capacity Floppy Disk Drive Stopped Kernel Driver Manual

SharedAccess Internet Connection Sharing (ICS) Stopped Shared Process Disabled

ShellHWDetection Shell Hardware Detection Running Shared Process Automatic

SiSRaid2 SiSRaid2 Stopped Kernel Driver Manual

SiSRaid4 SiSRaid4 Stopped Kernel Driver Manual

Smb Message-oriented TCP/IP and TCP/IPv6 Protocol (SMB session)


SNMPTRAP SNMP Trap Stopped Own Process Manual

Sophos Agent Sophos Agent Running Own Process Automatic

Sophos AutoUpdate Service Sophos AutoUpdate Service Running Own Process Automatic

Sophos Certification Manager Sophos Certification Manager Running Own Process Automatic

Sophos Management Service Sophos Management Service Running Own Process Automatic

Sophos Message Router Sophos Message Router Running Own Process Automatic






SophosBootDriver SophosBootDriver Stopped Kernel Driver Disabled

spldr Security Processor Loader Driver Running Kernel Driver Boot

Spooler Print Spooler Running Own Process(I) Automatic

sppsvc Software Protection Stopped Own Process Automatic

sppuinotify SPP Notification Service Stopped Shared Process Manual

SQLAgent$SOPHOS SQL Server Agent (SOPHOS) Stopped Own Process Disabled

SQLBrowser SQL Server Browser Running Own Process Automatic

SQLWriter SQL Server VSS Writer Running Own Process Automatic

srv Server SMB 1.xxx Driver Running File System Driver Manual

srv2 Server SMB 2.xxx Driver Running File System Driver Manual

srvnet srvnet Running File System Driver Manual

SSDPSRV SSDP Discovery Stopped Shared Process Disabled

SstpSvc Secure Socket Tunneling Protocol Service Stopped Shared Process Manual

stexstor stexstor Stopped Kernel Driver Manual

storflt Disk Virtual Machine Bus Acceleration Filter Driver Running Kernel Driver Boot

storvsc storvsc Stopped Kernel Driver Manual

storvsp storvsp Stopped Kernel Driver Manual

SUM Sophos Update Manager Running Own Process Automatic

swenum Software Bus Driver Running Kernel Driver Manual

swi_service Sophos Web Intelligence Service Running Own Process Automatic

swprv Microsoft Software Shadow Copy Provider Stopped Own Process Manual

SynthVid SynthVid Running Kernel Driver Manual

TapiSrv Telephony Stopped Own Process Manual

TBS TPM Base Services Stopped Shared Process Manual

Tcpip TCP/IP Protocol Driver Running Kernel Driver Boot

TCPIP6 Microsoft IPv6 Protocol Driver Stopped Kernel Driver Manual

tcpipreg TCP/IP Registry Compatibility Running Kernel Driver Automatic

TDPIPE TDPIPE Stopped Kernel Driver Manual

TDTCP TDTCP Running Kernel Driver Manual

tdx NetIO Legacy TDI Support Driver Running Kernel Driver System

TermDD Terminal Device Driver Running Kernel Driver System

TermService Remote Desktop Services Running Shared Process Manual

THREADORDER Thread Ordering Server Stopped Shared Process Manual

TrkWks Distributed Link Tracking Client Stopped Shared Process Manual

TrustedInstaller Windows Modules Installer Running Own Process Manual

tssecsrv Remote Desktop Services Security Filter Driver Running Kernel Driver Manual

TsUsbFlt TsUsbFlt Stopped Kernel Driver Manual

tunnel Microsoft Tunnel Miniport Adapter Driver Running Kernel Driver Manual

uagp35 Microsoft AGPv3.5 Filter Stopped Kernel Driver Manual

udfs udfs Stopped File System Driver Disabled

UI0Detect Interactive Services Detection Stopped Own Process(I) Manual

uliagpkx Uli AGP Bus Filter Stopped Kernel Driver Manual

umbus UMBus Enumerator Driver Running Kernel Driver Manual






UmPass Microsoft UMPass Driver Stopped Kernel Driver Manual

UmRdpService Remote Desktop Services UserMode Port Redirector Running Shared Process Manual

upnphost UPnP Device Host Stopped Shared Process Disabled

usbccgp Microsoft USB Generic Parent Driver Stopped Kernel Driver Manual

usbehci Microsoft USB 2.0 Enhanced Host Controller Miniport Driver


usbhub Microsoft USB Standard Hub Driver Stopped Kernel Driver Manual

usbohci Microsoft USB Open Host Controller Miniport Driver Stopped Kernel Driver Manual

usbprint Microsoft USB PRINTER Class Stopped Kernel Driver Manual

USBSTOR USB Mass Storage Driver Stopped Kernel Driver Manual

usbuhci Microsoft USB Universal Host Controller Miniport Driver


UxSms Desktop Window Manager Session Manager Running Shared Process Automatic

VaultSvc Credential Manager Stopped Shared Process Manual

vdrvroot Microsoft Virtual Drive Enumerator Driver Running Kernel Driver Boot

vds Virtual Disk Running Own Process Manual

vga vga Stopped Kernel Driver Manual

VgaSave VgaSave Running Kernel Driver System

vhdmp vhdmp Stopped Kernel Driver Manual

viaide viaide Stopped Kernel Driver Manual

Vid Vid Stopped Kernel Driver Manual

vmbus Virtual Machine Bus Running Kernel Driver Boot

VMBusHID VMBusHID Running Kernel Driver Manual

vmicheartbeat Hyper-V Heartbeat Service Running Own Process Automatic

vmickvpexchange Hyper-V Data Exchange Service Running Own Process Automatic

vmicshutdown Hyper-V Guest Shutdown Service Running Own Process Automatic

vmictimesync Hyper-V Time Synchronization Service Running Own Process Automatic

vmicvss Hyper-V Volume Shadow Copy Requestor Running Own Process Automatic

volmgr Volume Manager Driver Running Kernel Driver Boot

volmgrx Dynamic Volume Manager Running Kernel Driver Boot

volsnap Storage volumes Running Kernel Driver Boot

vsmraid vsmraid Stopped Kernel Driver Manual

VSS Volume Shadow Copy Stopped Own Process Manual

W32Time Windows Time Running Shared Process Manual

WacomPen Wacom Serial Pen HID Driver Stopped Kernel Driver Manual

WANARP Remote Access IP ARP Driver Stopped Kernel Driver Manual

Wanarpv6 Remote Access IPv6 ARP Driver Running Kernel Driver System

WcsPlugInService Windows Color System Stopped Shared Process Manual

Wd Wd Stopped Kernel Driver Manual

Wdf01000 Kernel Mode Driver Frameworks service Running Kernel Driver Boot

WdiServiceHost Diagnostic Service Host Stopped Shared Process Manual

WdiSystemHost Diagnostic System Host Stopped Shared Process Manual

Wecsvc Windows Event Collector Stopped Shared Process Manual

wercplsupport Problem Reports and Solutions Control Panel Support Stopped Shared Process Manual






WerSvc Windows Error Reporting Service Stopped Shared Process Manual

WfpLwf WFP Lightweight Filter Running Kernel Driver System

WIMMount WIMMount Stopped File System Driver Manual

WinHttpAutoProxySvc WinHTTP Web Proxy Auto-Discovery Service Stopped Shared Process Manual

Winmgmt Windows Management Instrumentation Running Shared Process Automatic

WinRM Windows Remote Management (WS-Management) Running Shared Process Automatic

WmiAcpi Microsoft Windows Management Interface for ACPI Stopped Kernel Driver Manual

wmiApSrv WMI Performance Adapter Stopped Own Process Manual

WPDBusEnum Portable Device Enumerator Service Stopped Shared Process Manual

ws2ifsl Windows Socket 2.0 Non-IFS Service Provider Support Environment

Running Kernel Driver System

wuauserv Windows Update Running Shared Process Automatic

WudfPf User Mode Driver Frameworks Platform Driver Stopped Kernel Driver Manual

wudfsvc Windows Driver Foundation - User-mode Driver Framework

Stopped Shared Process Manual





Section Detail

Service Name Logon Name Path Name

1394ohci \SystemRoot\system32\drivers\1394ohci.sys

ACPI \SystemRoot\system32\drivers\ACPI.sys

AcpiPmi \SystemRoot\system32\drivers\acpipmi.sys

adp94xx \SystemRoot\system32\DRIVERS\adp94xx.sys

adpahci \SystemRoot\system32\DRIVERS\adpahci.sys

adpu320 \SystemRoot\system32\DRIVERS\adpu320.sys

ADWS LocalSystem C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe

AeLookupSvc localSystem C:\Windows\system32\svchost.exe -k netsvcs

AFD \SystemRoot\system32\drivers\afd.sys

agp440 \SystemRoot\system32\drivers\agp440.sys

ALG NT AUTHORITY\ LocalService C:\Windows\System32\alg.exe

aliide \SystemRoot\system32\drivers\aliide.sys

amdide \SystemRoot\system32\drivers\amdide.sys

AmdK8 \SystemRoot\system32\DRIVERS\amdk8.sys

AmdPPM \SystemRoot\system32\DRIVERS\amdppm.sys

amdsata \SystemRoot\system32\drivers\amdsata.sys

amdsbs \SystemRoot\system32\DRIVERS\amdsbs.sys

amdxata \SystemRoot\system32\drivers\amdxata.sys

AppID \SystemRoot\system32\drivers\appid.sys

AppIDSvc NT Authority\ LocalService C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

Appinfo LocalSystem C:\Windows\system32\svchost.exe -k netsvcs

AppMgmt LocalSystem C:\Windows\system32\svchost.exe -k netsvcs

arc \SystemRoot\system32\DRIVERS\arc.sys

arcsas \SystemRoot\system32\DRIVERS\arcsas.sys

AsyncMac system32\DRIVERS\asyncmac.sys

atapi \SystemRoot\system32\drivers\atapi.sys

AudioEndpointBuilder LocalSystem C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

AudioSrv NT AUTHORITY\ LocalService C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

b06bdrv \SystemRoot\system32\DRIVERS\bxvbda.sys

b57nd60a system32\DRIVERS\b57nd60a.sys

BDESVC localSystem C:\Windows\System32\svchost.exe -k netsvcs

Beep

BFE NT AUTHORITY\ LocalService C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

BITS LocalSystem C:\Windows\System32\svchost.exe -k netsvcs

blbdrive system32\DRIVERS\blbdrive.sys

bowser system32\DRIVERS\bowser.sys

BrFiltLo \SystemRoot\system32\DRIVERS\BrFiltLo.sys

BrFiltUp \SystemRoot\system32\DRIVERS\BrFiltUp.sys

Browser LocalSystem C:\Windows\System32\svchost.exe -k netsvcs

Brserid \SystemRoot\System32\Drivers\Brserid.sys






BrSerWdm \SystemRoot\System32\Drivers\BrSerWdm.sys

BrUsbMdm \SystemRoot\System32\Drivers\BrUsbMdm.sys

BrUsbSer \SystemRoot\System32\Drivers\BrUsbSer.sys

cdfs system32\DRIVERS\cdfs.sys

cdrom \SystemRoot\system32\drivers\cdrom.sys

CertPropSvc LocalSystem C:\Windows\system32\svchost.exe -k netsvcs

CLFS \SystemRoot\System32\CLFS.sys

clr_optimization_v2.0.50727_32 LocalSystem C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

clr_optimization_v2.0.50727_64 LocalSystem C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

CmBatt \SystemRoot\system32\DRIVERS\CmBatt.sys

cmdide \SystemRoot\system32\drivers\cmdide.sys

CNG \SystemRoot\System32\Drivers\cng.sys

Compbatt \SystemRoot\system32\DRIVERS\compbatt.sys

CompositeBus \SystemRoot\system32\drivers\CompositeBus.sys

COMSysApp LocalSystem C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}

crcdisk \SystemRoot\system32\DRIVERS\crcdisk.sys

CryptSvc NT Authority\ NetworkService C:\Windows\system32\svchost.exe -k NetworkService

DcomLaunch LocalSystem C:\Windows\system32\svchost.exe -k DcomLaunch

defragsvc localSystem C:\Windows\system32\svchost.exe -k defragsvc

Dfs LocalSystem C:\Windows\system32\dfssvc.exe

DfsC System32\Drivers\dfsc.sys

DfsDriver system32\drivers\dfs.sys

DFSR LocalSystem C:\Windows\system32\DFSRs.exe

DfsrRo \SystemRoot\system32\drivers\dfsrro.sys

Dhcp NT Authority\ LocalService C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted

discache System32\drivers\discache.sys

Disk \SystemRoot\system32\DRIVERS\disk.sys

DNS LocalSystem C:\Windows\system32\dns.exe

Dnscache NT AUTHORITY\ NetworkService

C:\Windows\system32\svchost.exe -k NetworkService

dot3svc localSystem C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted

DPS NT AUTHORITY\ LocalService C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork

DXGKrnl \SystemRoot\System32\drivers\dxgkrnl.sys

EapHost localSystem C:\Windows\System32\svchost.exe -k netsvcs

ebdrv \SystemRoot\system32\DRIVERS\evbda.sys

EFS LocalSystem C:\Windows\System32\lsass.exe

elxstor \SystemRoot\system32\DRIVERS\elxstor.sys

ErrDev \SystemRoot\system32\drivers\errdev.sys

eventlog NT AUTHORITY\ LocalService C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

EventSystem NT AUTHORITY\ LocalService C:\Windows\system32\svchost.exe -k LocalService






exfat

fastfat

FCRegSvc NT AUTHORITY\ LocalService C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted

fdc system32\DRIVERS\fdc.sys

fdPHost NT AUTHORITY\ LocalService C:\Windows\system32\svchost.exe -k LocalService

FDResPub NT AUTHORITY\ LocalService C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

FileInfo system32\drivers\fileinfo.sys

Filetrace system32\drivers\filetrace.sys

flpydisk system32\DRIVERS\flpydisk.sys

FltMgr \SystemRoot\system32\drivers\fltmgr.sys

FontCache NT AUTHORITY\ LocalService C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

FontCache3.0.0.0 NT Authority\ LocalService C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe

FsDepends System32\drivers\FsDepends.sys

fvevol \SystemRoot\System32\DRIVERS\fvevol.sys

gagp30kx \SystemRoot\system32\DRIVERS\gagp30kx.sys

gpsvc LocalSystem C:\Windows\system32\svchost.exe -k netsvcs

HDAudBus \SystemRoot\system32\drivers\HDAudBus.sys

HidBatt \SystemRoot\system32\DRIVERS\HidBatt.sys

hidserv LocalSystem C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted

HidUsb \SystemRoot\system32\drivers\hidusb.sys

hkmsvc localSystem C:\Windows\System32\svchost.exe -k netsvcs

HpSAMD \SystemRoot\system32\drivers\HpSAMD.sys

HTTP system32\drivers\HTTP.sys

hwpolicy \SystemRoot\System32\drivers\hwpolicy.sys

i8042prt \SystemRoot\system32\drivers\i8042prt.sys

iaStorV \SystemRoot\system32\drivers\iaStorV.sys

idsvc LocalSystem C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe

iirsp \SystemRoot\system32\DRIVERS\iirsp.sys

IKEEXT LocalSystem C:\Windows\system32\svchost.exe -k netsvcs

intelide \SystemRoot\system32\drivers\intelide.sys

intelppm system32\DRIVERS\intelppm.sys

ioatdma \SystemRoot\System32\Drivers\qd260x64.sys

IPBusEnum LocalSystem C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted

IpFilterDriver system32\DRIVERS\ipfltdrv.sys

iphlpsvc LocalSystem C:\Windows\System32\svchost.exe -k NetSvcs

IPMIDRV \SystemRoot\system32\drivers\IPMIDrv.sys

IPNAT System32\drivers\ipnat.sys

isapnp \SystemRoot\system32\drivers\isapnp.sys

iScsiPrt \SystemRoot\system32\drivers\msiscsi.sys






IsmServ LocalSystem C:\Windows\System32\ismserv.exe

kbdclass \SystemRoot\system32\drivers\kbdclass.sys

kbdhid \SystemRoot\system32\drivers\kbdhid.sys

kdc LocalSystem C:\Windows\System32\lsass.exe

KeyIso LocalSystem C:\Windows\system32\lsass.exe

KSecDD \SystemRoot\System32\Drivers\ksecdd.sys

KSecPkg \SystemRoot\System32\Drivers\ksecpkg.sys

ksthunk \SystemRoot\system32\drivers\ksthunk.sys

KtmRm NT AUTHORITY\ NetworkService

C:\Windows\System32\svchost.exe -k NetworkServiceAndNoImpersonation

LanmanServer LocalSystem C:\Windows\system32\svchost.exe -k netsvcs

LanmanWorkstation NT AUTHORITY\ NetworkService

C:\Windows\System32\svchost.exe -k NetworkService

lltdio system32\DRIVERS\lltdio.sys

lltdsvc NT AUTHORITY\ LocalService C:\Windows\System32\svchost.exe -k LocalService

lmhosts NT AUTHORITY\ LocalService C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted

LSI_FC \SystemRoot\system32\DRIVERS\lsi_fc.sys

LSI_SAS \SystemRoot\system32\DRIVERS\lsi_sas.sys

LSI_SAS2 \SystemRoot\system32\DRIVERS\lsi_sas2.sys

LSI_SCSI \SystemRoot\system32\DRIVERS\lsi_scsi.sys

luafv \SystemRoot\system32\drivers\luafv.sys

megasas \SystemRoot\system32\DRIVERS\megasas.sys

MegaSR \SystemRoot\system32\DRIVERS\MegaSR.sys

Microsoft SharePoint Workspace Audit Service

NT AUTHORITY\ LocalService C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE'' /auditservice

MMCSS LocalSystem C:\Windows\system32\svchost.exe -k netsvcs

Modem system32\drivers\modem.sys

monitor system32\DRIVERS\monitor.sys

mouclass \SystemRoot\system32\drivers\mouclass.sys

mouhid system32\DRIVERS\mouhid.sys

mountmgr \SystemRoot\System32\drivers\mountmgr.sys

mpio \SystemRoot\system32\drivers\mpio.sys

mpsdrv System32\drivers\mpsdrv.sys

MpsSvc NT Authority\ LocalService C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

mrxsmb system32\DRIVERS\mrxsmb.sys

mrxsmb10 system32\DRIVERS\mrxsmb10.sys

mrxsmb20 system32\DRIVERS\mrxsmb20.sys

msahci \SystemRoot\system32\drivers\msahci.sys

msdsm \SystemRoot\system32\drivers\msdsm.sys

MSDTC NT AUTHORITY\ NetworkService

C:\Windows\System32\msdtc.exe

Msfs

mshidkmdf \SystemRoot\System32\drivers\mshidkmdf.sys

msisadrv \SystemRoot\system32\drivers\msisadrv.sys






MSiSCSI LocalSystem C:\Windows\system32\svchost.exe -k netsvcs

msiserver LocalSystem C:\Windows\system32\msiexec.exe /V

MsRPC

mssmbios \SystemRoot\system32\drivers\mssmbios.sys

MSSQL$SOPHOS LocalSystem C:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SOPHOS\MSSQL\Binn\sqlservr.exe'' -sSOPHOS

MSSQLServerADHelper100 LocalSystem C:\Program Files (x86)\Microsoft SQL Server\100\Shared\SQLADHLP.EXE

MTConfig \SystemRoot\system32\DRIVERS\MTConfig.sys

Mup \SystemRoot\System32\Drivers\mup.sys

napagent NT AUTHORITY\ NetworkService


NDIS \SystemRoot\system32\drivers\ndis.sys

NdisCap system32\DRIVERS\ndiscap.sys

NdisTapi system32\DRIVERS\ndistapi.sys

Ndisuio system32\DRIVERS\ndisuio.sys

NdisWan system32\DRIVERS\ndiswan.sys

NDProxy

NetBIOS system32\DRIVERS\netbios.sys

NetBT System32\DRIVERS\netbt.sys

Netlogon LocalSystem C:\Windows\system32\lsass.exe

Netman LocalSystem C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

netprofm NT AUTHORITY\ LocalService C:\Windows\System32\svchost.exe -k LocalService

NetTcpPortSharing NT AUTHORITY\ LocalService C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe

netvsc \SystemRoot\system32\drivers\netvsc60.sys

nfrd960 \SystemRoot\system32\DRIVERS\nfrd960.sys

NlaSvc NT AUTHORITY\ NetworkService


Npfs

nsi NT Authority\ LocalService C:\Windows\system32\svchost.exe -k LocalService

nsiproxy system32\drivers\nsiproxy.sys

NTDS LocalSystem C:\Windows\System32\lsass.exe

NtFrs LocalSystem C:\Windows\system32\ntfrs.exe

Ntfs

Null

nv_agp \SystemRoot\system32\drivers\nv_agp.sys

nvraid \SystemRoot\system32\drivers\nvraid.sys

nvstor \SystemRoot\system32\drivers\nvstor.sys

ohci1394 \SystemRoot\system32\drivers\ohci1394.sys

ose LocalSystem C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE

osppsvc NT AUTHORITY\ NetworkService

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Parport \SystemRoot\system32\DRIVERS\parport.sys






partmgr \SystemRoot\System32\drivers\partmgr.sys

pci \SystemRoot\system32\drivers\pci.sys

pciide \SystemRoot\system32\drivers\pciide.sys

pcmcia \SystemRoot\system32\DRIVERS\pcmcia.sys

pcw \SystemRoot\System32\drivers\pcw.sys

PEAUTH system32\drivers\peauth.sys

PerfHost NT AUTHORITY\ LocalService C:\Windows\SysWow64\perfhost.exe

pla NT AUTHORITY\ LocalService C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork

PlugPlay LocalSystem C:\Windows\system32\svchost.exe -k DcomLaunch

PolicyAgent NT Authority\ NetworkService C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

Power LocalSystem C:\Windows\system32\svchost.exe -k DcomLaunch

PptpMiniport system32\DRIVERS\raspptp.sys

Processor \SystemRoot\system32\DRIVERS\processr.sys

ProfSvc LocalSystem C:\Windows\system32\svchost.exe -k netsvcs

ProtectedStorage LocalSystem C:\Windows\system32\lsass.exe

Psched system32\DRIVERS\pacer.sys

ql2300 \SystemRoot\system32\DRIVERS\ql2300.sys

ql40xx \SystemRoot\system32\DRIVERS\ql40xx.sys

RasAcd System32\DRIVERS\rasacd.sys

RasAgileVpn system32\DRIVERS\AgileVpn.sys

RasAuto localSystem C:\Windows\System32\svchost.exe -k netsvcs

Rasl2tp system32\DRIVERS\rasl2tp.sys

RasMan localSystem C:\Windows\System32\svchost.exe -k netsvcs

RasPppoe system32\DRIVERS\raspppoe.sys

RasSstp system32\DRIVERS\rassstp.sys

rdbss system32\DRIVERS\rdbss.sys

rdpbus system32\DRIVERS\rdpbus.sys

RDPCDD System32\DRIVERS\RDPCDD.sys

RDPDR System32\drivers\rdpdr.sys

RDPENCDD system32\drivers\rdpencdd.sys

RDPREFMP system32\drivers\rdprefmp.sys

RDPWD

RemoteAccess localSystem C:\Windows\System32\svchost.exe -k netsvcs

RemoteRegistry NT AUTHORITY\ LocalService C:\Windows\system32\svchost.exe -k regsvc

RpcEptMapper NT AUTHORITY\ NetworkService

C:\Windows\system32\svchost.exe -k RPCSS

RpcLocator NT AUTHORITY\ NetworkService

C:\Windows\system32\locator.exe

RpcSs NT AUTHORITY\ NetworkService

C:\Windows\system32\svchost.exe -k rpcss

RSoPProv LocalSystem C:\Windows\system32\RSoPProv.exe

rspndr system32\DRIVERS\rspndr.sys

s3cap \SystemRoot\system32\drivers\vms3cap.sys

sacdrv \SystemRoot\system32\DRIVERS\sacdrv.sys






sacsvr LocalSystem C:\Windows\System32\svchost.exe -k netsvcs

SamSs LocalSystem C:\Windows\system32\lsass.exe

SAVAdminService LocalSystem C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe

SAVOnAccess system32\DRIVERS\savonaccess.sys

SAVService NT AUTHORITY\ LocalService C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe

sbp2port \SystemRoot\system32\drivers\sbp2port.sys

SCardSvr NT AUTHORITY\ LocalService C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

scfilter System32\DRIVERS\scfilter.sys

Schedule LocalSystem C:\Windows\system32\svchost.exe -k netsvcs

SCPolicySvc LocalSystem C:\Windows\system32\svchost.exe -k netsvcs

secdrv

seclogon LocalSystem C:\Windows\system32\svchost.exe -k netsvcs

SENS LocalSystem C:\Windows\system32\svchost.exe -k netsvcs

Serenum system32\DRIVERS\serenum.sys

Serial system32\DRIVERS\serial.sys

sermouse \SystemRoot\system32\DRIVERS\sermouse.sys

SessionEnv localSystem C:\Windows\System32\svchost.exe -k netsvcs

sffdisk \SystemRoot\system32\drivers\sffdisk.sys

sffp_mmc \SystemRoot\system32\drivers\sffp_mmc.sys

sffp_sd \SystemRoot\system32\drivers\sffp_sd.sys

sfloppy \SystemRoot\system32\DRIVERS\sfloppy.sys

SharedAccess LocalSystem C:\Windows\System32\svchost.exe -k netsvcs

ShellHWDetection LocalSystem C:\Windows\System32\svchost.exe -k netsvcs

SiSRaid2 \SystemRoot\system32\DRIVERS\SiSRaid2.sys

SiSRaid4 \SystemRoot\system32\DRIVERS\sisraid4.sys

Smb system32\DRIVERS\smb.sys

SNMPTRAP NT AUTHORITY\ LocalService C:\Windows\System32\snmptrap.exe

Sophos Agent LocalSystem C:\Program Files (x86)\Sophos\Enterprise Console\Remote Management System\ManagementAgentNT.exe'' -service -name Agent

Sophos AutoUpdate Service LocalSystem C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe''

Sophos Certification Manager LocalSystem C:\Program Files (x86)\Sophos\Enterprise Console\CertificationManagerServiceNT.exe'' -background -ORBSvcConf ''C:\Program Files (x86)\Sophos\Enterprise Console\svc.conf

Sophos Management Service LocalSystem C:\Program Files (x86)\Sophos\Enterprise Console\MgntSvc.exe''

Sophos Message Router LocalSystem C:\Program Files (x86)\Sophos\Enterprise Console\Remote Management System\RouterNT.exe'' -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194

SophosBootDriver system32\DRIVERS\SophosBootDriver.sys

spldr

Spooler LocalSystem C:\Windows\System32\spoolsv.exe

sppsvc NT AUTHORITY\ NetworkService

C:\Windows\system32\sppsvc.exe






sppuinotify NT AUTHORITY\ LocalService C:\Windows\system32\svchost.exe -k LocalService

SQLAgent$SOPHOS NT AUTHORITY\ NETWORK SERVICE

C:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SOPHOS\MSSQL\Binn\SQLAGENT.EXE'' -i SOPHOS

SQLBrowser NT AUTHORITY\ LOCAL SERVICE

C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe

SQLWriter LocalSystem C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

srv System32\DRIVERS\srv.sys

srv2 System32\DRIVERS\srv2.sys

srvnet System32\DRIVERS\srvnet.sys

SSDPSRV NT AUTHORITY\ LocalService C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

SstpSvc NT Authority\ LocalService C:\Windows\system32\svchost.exe -k LocalService

stexstor \SystemRoot\system32\DRIVERS\stexstor.sys

storflt \SystemRoot\system32\drivers\vmstorfl.sys

storvsc \SystemRoot\system32\drivers\storvsc.sys

storvsp \SystemRoot\system32\drivers\storvsp.sys

SUM LocalSystem C:\Program Files (x86)\Sophos\Enterprise Console\SUM\SUMService.exe

swenum \SystemRoot\system32\drivers\swenum.sys

swi_service NT AUTHORITY\ LocalService C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe

swprv LocalSystem C:\Windows\System32\svchost.exe -k swprv

SynthVid \SystemRoot\system32\drivers\VMBusVideoM.sys

TapiSrv NT AUTHORITY\ NetworkService

C:\Windows\System32\svchost.exe -k tapisrv

TBS NT AUTHORITY\ LocalService C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation

Tcpip \SystemRoot\System32\drivers\tcpip.sys

TCPIP6 system32\DRIVERS\tcpip.sys

tcpipreg System32\drivers\tcpipreg.sys

TDPIPE system32\drivers\tdpipe.sys

TDTCP system32\drivers\tdtcp.sys

tdx system32\DRIVERS\tdx.sys

TermDD \SystemRoot\system32\drivers\termdd.sys

TermService NT Authority\ NetworkService C:\Windows\System32\svchost.exe -k termsvcs

THREADORDER NT AUTHORITY\ LocalService C:\Windows\system32\svchost.exe -k LocalService

TrkWks LocalSystem C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

TrustedInstaller localSystem C:\Windows\servicing\TrustedInstaller.exe

tssecsrv System32\DRIVERS\tssecsrv.sys

TsUsbFlt system32\drivers\tsusbflt.sys

tunnel system32\DRIVERS\tunnel.sys

uagp35 \SystemRoot\system32\DRIVERS\uagp35.sys

udfs system32\DRIVERS\udfs.sys

UI0Detect LocalSystem C:\Windows\system32\UI0Detect.exe

uliagpkx \SystemRoot\system32\drivers\uliagpkx.sys






umbus system32\DRIVERS\umbus.sys

UmPass \SystemRoot\system32\DRIVERS\umpass.sys

UmRdpService localSystem C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

upnphost NT AUTHORITY\ LocalService C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

usbccgp \SystemRoot\system32\drivers\usbccgp.sys

usbehci \SystemRoot\system32\DRIVERS\usbehci.sys

usbhub \SystemRoot\system32\drivers\usbhub.sys

usbohci \SystemRoot\system32\DRIVERS\usbohci.sys

usbprint \SystemRoot\system32\DRIVERS\usbprint.sys

USBSTOR \SystemRoot\system32\drivers\USBSTOR.SYS

usbuhci \SystemRoot\system32\DRIVERS\usbuhci.sys

UxSms localSystem C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

VaultSvc LocalSystem C:\Windows\system32\lsass.exe

vdrvroot \SystemRoot\system32\drivers\vdrvroot.sys

vds LocalSystem C:\Windows\System32\vds.exe

vga system32\DRIVERS\vgapnp.sys

VgaSave \SystemRoot\System32\drivers\vga.sys

vhdmp \SystemRoot\system32\drivers\vhdmp.sys

viaide \SystemRoot\system32\drivers\viaide.sys

Vid \SystemRoot\system32\drivers\Vid.sys

vmbus \SystemRoot\system32\drivers\vmbus.sys

VMBusHID \SystemRoot\system32\drivers\VMBusHID.sys

vmicheartbeat NT AUTHORITY\ NetworkService

C:\Windows\system32\vmicsvc.exe -feature Heartbeat

vmickvpexchange NT AUTHORITY\ LocalService C:\Windows\system32\vmicsvc.exe -feature KvpExchange

vmicshutdown LocalSystem C:\Windows\system32\vmicsvc.exe -feature Shutdown

vmictimesync NT AUTHORITY\ LocalService C:\Windows\system32\vmicsvc.exe -feature TimeSync

vmicvss LocalSystem C:\Windows\system32\vmicsvc.exe -feature VSS

volmgr \SystemRoot\system32\drivers\volmgr.sys

volmgrx \SystemRoot\System32\drivers\volmgrx.sys

volsnap \SystemRoot\system32\drivers\volsnap.sys

vsmraid \SystemRoot\system32\DRIVERS\vsmraid.sys

VSS LocalSystem C:\Windows\system32\vssvc.exe

W32Time NT AUTHORITY\ LocalService C:\Windows\system32\svchost.exe -k LocalService

WacomPen \SystemRoot\system32\DRIVERS\wacompen.sys

WANARP system32\DRIVERS\wanarp.sys

Wanarpv6 system32\DRIVERS\wanarp.sys

WcsPlugInService NT AUTHORITY\ LocalService C:\Windows\system32\svchost.exe -k wcssvc

Wd \SystemRoot\system32\DRIVERS\wd.sys

Wdf01000 \SystemRoot\system32\drivers\Wdf01000.sys

WdiServiceHost NT AUTHORITY\ LocalService C:\Windows\System32\svchost.exe -k LocalService






WdiSystemHost LocalSystem C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

Wecsvc NT AUTHORITY\ NetworkService

C:\Windows\system32\svchost.exe -k NetworkService

wercplsupport localSystem C:\Windows\System32\svchost.exe -k netsvcs

WerSvc localSystem C:\Windows\System32\svchost.exe -k WerSvcGroup

WfpLwf system32\DRIVERS\wfplwf.sys

WIMMount system32\drivers\wimmount.sys

WinHttpAutoProxySvc NT AUTHORITY\ LocalService C:\Windows\system32\svchost.exe -k LocalService

Winmgmt localSystem C:\Windows\system32\svchost.exe -k netsvcs

WinRM NT AUTHORITY\ NetworkService


WmiAcpi \SystemRoot\system32\drivers\wmiacpi.sys

wmiApSrv localSystem C:\Windows\system32\wbem\WmiApSrv.exe

WPDBusEnum LocalSystem C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted

ws2ifsl \SystemRoot\system32\drivers\ws2ifsl.sys

wuauserv LocalSystem C:\Windows\system32\svchost.exe -k netsvcs

WudfPf system32\drivers\WudfPf.sys

wudfsvc LocalSystem C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted

Services and Drivers

A service is an executable object that is installed in a registry database maintained by the Service Control Manager. The executable file associated with a service can be started at boot time by a boot program or by the system, or the Service Control Manager can start it on demand. The two types of service are Win32 services and driver services.

A Win32 service is a service that conforms to the interface rules of the Service Control Manger. This enables the Service Control Manager to start the service at system start-up or on demand and enables communication between the service and service control programs. A Win32 service can execute in its own process, or it can share a process with other Win32 services.

A driver service is a service that follows the device driver protocols for Microsoft Windows rather than using the Service Control Manager interface.

Implications

Having inappropriate or unnecessary services installed can create security risks and provide potential access paths or tools to intruders.

There are a great number of services that can be installed and it would require volumes to document the security implications attached to each one. Some of them will increase security risks if not appropriately configured, controlled and secured. Examples are; Remote Access Services (RAS), Internet related services and network services.

Some of the more common services are:

Service Function Comments

NetDDE, NetDDEdsdm Services for creating a communication channel or a trusted share for Windows applications to share data over a network.

Shares (directories, files and printers) should be managed to ensure that sensitive information is not made available unnecessarily via this channel.

EventLog, SENS Event Log Service and System Event Notification Service.

Ensure these services are started to enable the capturing of event messages to the logs.





Service Function Comments

SNMP, SNMPTRAP Simple Network Management Protocol to manage devices on a network.

Manage access to information via this protocol, as it can supply valuable information about your network and network devices.

W3SVC, IISADMIN, IAS Internet Information Server, World Wide Web Publishing Service and Internet Authentication Service.

Ensure correct configuration of these services as misconfiguration of these can compromise security.

RemoteAccess, Rasman, RasAcd, RasAuto, RasArp

Remote Access services. Ensure correct configuration of these services as misconfiguration of these can compromise security.

NdisTapi, NdisWan, NetBIOS, NwlnkSpx, Tcpip

Network Protocol and Transport layer services/drivers.

Ensure that these protocols/drivers are configured correctly as incorrect configuration can leave the network open to penetration.

Attaching unsecured logon accounts to services can create significant security exposures.

Installing service executables in unsecured directories can also create significant security exposures.

Risk Rating

Medium to High (Depending on the type of services installed, their configuration and security settings).

Recommended Action


Only required and appropriate services are installed.

Their configuration and security settings are to appropriate standards.

Service executables are in secure directories.

Logon accounts attached to services have the appropriate security settings to help prevent illegal access.

The rights assigned to user accounts and groups are effectively controlled (consult report section titled Rights and Privileges).

Effective virus detection and prevention services are installed, running and activated/started automatically at system start-up time.





31. Server Roles and Features

Section Summary

There are 26 Server roles and features installed on the system.

Section Detail

Server Roles and Features

.NET Framework 4.5 Features

--- .NET Framework 4.5

--- WCF Services

------ TCP Port Sharing

Active Directory Domain Services

DNS Server

File And Storage Services

--- File and iSCSI Services

------ File Server

--- Storage Services

Group Policy Management

Remote Server Administration Tools

--- Role Administration Tools

------ AD DS and AD LDS Tools

--------- Active Directory module for Windows PowerShell

--------- AD DS Tools

------------ Active Directory Administrative Center

------------ AD DS Snap-Ins and Command-Line Tools

------ DNS Server Tools

User Interfaces and Infrastructure

--- Graphical Management Tools and Infrastructure

--- Server Graphical Shell

Windows PowerShell

--- Windows PowerShell 3.0

--- Windows PowerShell ISE

WoW64 Support

Implications

All roles and features installed on your Server increase the attack surface of your system and present additional opportunities for intruders to exploit any vulnerabilities that may exist. Your system is particularly vulnerable if Windows features are incorrectly configured.

Unnecessary roles and features also consume system resources, such as disk space and CPU cycles. In addition, they increase the frequency of Microsoft updates and associated system restarts.

Risk Rating

Medium to High (Depending on the role or feature).





Recommended Action


All installed roles and features are appropriate and authorised

Windows roles and features are appropriately configured

You should also consider using a mimimal Server Core installation, rather than versions of Windows Server that installs the full GUI with unnecessary components, such as Windows Explorer, Internet Explorer and the Control Panel.

For more information about Server Core see: http://en.wikipedia.org/wiki/Windows_Server_2008#Server_Core.

http://en.wikipedia.org/wiki/Windows_Server_2008#Server_Core





32. Task Scheduler

Section Summary

There are 71 scheduled tasks defined in 52 task folders:

33.8% (24) of tasks are hidden

73.2% (52) of tasks are enabled

26.8% (19) of tasks are disabled

39.4% (28) of tasks have never executed

12.7% (9) of tasks returned a non-zero result (may have failed)

The registered tasks contain 69 event triggers

17.4% (12) of event triggers are disabled

Section Detail

For details see worksheet Scheduled_Tasks in the MS-Excel workbook.

Implications

The Task Scheduler ensures that important system maintenance and diagnostic functions are performed on a regular and consistent basis without the need for manual intervention.

Some examples of scheduled tasks are jobs that:

Create regular system protection points

Download and install anti-virus updates

Ensure digital certificates for users and machines are current and valid

Consolidate fragmented space on disk drives

Synchronise the system time

If certain tasks do not execute, or they fail to complete successfully, it could impact on the performance, stability or security of your system.

Risk Rating

Low to medium (Depending on the task and its status).

Recommended Action

You should ensure that important scheduled tasks:

Are configured in accordance with your requirements

Are not accidentally disabled

Execute successfully

sample-report-appendix-active-directory.xlsx#Scheduled_Tasks





33. Security Updates, Patches and Hot-Fixes

Section Summary

There are 2 Security Updates, Patches and Hot-Fixes installed on this system. Windows Update Settings

Windows Update status: OK

Important updates: Download updates but let me choose whether to install them

Install new updates: Every day at 03:00

Recommended updates: No

Allow all users to install: Yes

Configuration enforced: No

Updates were installed: 23-Sep-2013 10:09:13

Most recent check for updates: 25-Oct-2013 03:52:33

Section Detail

Update Reference

Install Date Installed By Service Pack Description

KB976902 10/14/2013 SNAKE\administrator Update

KB976932 10/14/2013 SNAKE\administrator Service Pack

Implications

This report section lists hot-fixes installed on the system by Microsoft’s hotfix.exe or update.exe utilities.

Note that hot-fixes and patches applied to third-party (non-Microsoft) software products are not included because they are typically not installed by these utilities. Examples of other exclusions are entries written by Shavlik (records are in a proprietary format) and records relating to uninstall routines, such as ServicePackUninstall.

A software patch or hot-fix is a program file that installs one or more files on your system to correct a software problem. A Windows hot-fix program file is typically named KB (or Q) nnnnnn.exe, where nnnnnn is a six-digit number assigned by Microsoft. You can obtain details of a hot-fix by searching Microsoft’s Knowledge Base (KB) on the unique hot-fix number.

Many hot-fixes address security vulnerabilities that are discovered in software components, such as Windows, Exchange, Internet Explorer, IIS and SQL.

If you lack a policy to ensure relevant hot-fixes are promptly identified and installed, your system will be exposed to an increased risk of being compromised, damaged or exploited.

Some examples of these security exposures are: unauthorised remote access to your system; illegal execution of code; elevation of privileges; and denial of service attacks.

Risk Rating

Medium to High (Depending on the vulnerability).

Recommended Action

You should implement policy to ensure you are aware of newly discovered security vulnerabilities. You should also ensure that appropriate hot-fixes are promptly evaluated and installed on your systems.

Microsoft offers several advisory services and tools that can assist you with the process. These include Technet, various notification services and security bulletins, and tools such as Hfnetchk, which checks computers for the absence of security patches / hot-fixes.





34. Products Installed

Section Summary

There are 39 MSI-installed software products on this system.

Section Detail

Product Name Version Install Date

Publisher

Acrobat.com 1.6.65 2012-01-24 Adobe Systems Incorporated

Adobe AIR 1.5.0.7220 2012-01-24 Adobe Systems Inc.

Adobe Reader 9.1 9.1.0 2012-01-24 Adobe Systems Incorporated

Microsoft Office Access MUI (English) 2010 14.0.4763.1000 2012-01-24 Microsoft Corporation

Microsoft Office Access Setup Metadata MUI (English) 2010

14.0.4763.1000 2012-01-24 Microsoft Corporation

Microsoft Office Excel MUI (English) 2010 14.0.4763.1000 2012-01-24 Microsoft Corporation

Microsoft Office Groove MUI (English) 2010 14.0.4763.1000 2012-01-24 Microsoft Corporation

Microsoft Office InfoPath MUI (English) 2010 14.0.4763.1000 2012-01-24 Microsoft Corporation

Microsoft Office Office 64-bit Components 2010 14.0.4763.1000 2012-01-24 Microsoft Corporation

Microsoft Office OneNote MUI (English) 2010 14.0.4763.1000 2012-01-24 Microsoft Corporation

Microsoft Office Outlook MUI (English) 2010 14.0.4763.1000 2012-01-24 Microsoft Corporation

Microsoft Office PowerPoint MUI (English) 2010 14.0.4763.1000 2012-01-24 Microsoft Corporation

Microsoft Office Professional Plus 2010 14.0.4763.1000 2012-01-24 Microsoft Corporation

Microsoft Office Proof (English) 2010 14.0.4763.1000 2012-01-24 Microsoft Corporation

Microsoft Office Proof (French) 2010 14.0.4763.1000 2012-01-24 Microsoft Corporation

Microsoft Office Proof (Spanish) 2010 14.0.4763.1000 2012-01-24 Microsoft Corporation

Microsoft Office Proofing (English) 2010 14.0.4763.1000 2012-01-24 Microsoft Corporation

Microsoft Office Publisher MUI (English) 2010 14.0.4763.1000 2012-01-24 Microsoft Corporation

Microsoft Office Shared 64-bit MUI (English) 2010 14.0.4763.1000 2012-01-24 Microsoft Corporation

Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010


Microsoft Office Shared MUI (English) 2010 14.0.4763.1000 2012-01-24 Microsoft Corporation

Microsoft Office Shared Setup Metadata MUI (English) 2010


Microsoft Office Word MUI (English) 2010 14.0.4763.1000 2012-01-24 Microsoft Corporation

Microsoft SQL Server 2008 Browser 10.1.2531.0 2012-01-24 Microsoft Corporation

Microsoft SQL Server 2008 Common Files 10.0.1600.22 2012-01-24 Microsoft Corporation

Microsoft SQL Server 2008 Common Files 10.1.2531.0 2012-01-24 Microsoft Corporation

Microsoft SQL Server 2008 Database Engine Services


Microsoft SQL Server 2008 Database Engine Services


Microsoft SQL Server 2008 Database Engine Shared


Microsoft SQL Server 2008 Database Engine Shared


Microsoft SQL Server 2008 Native Client 10.1.2531.0 2012-01-24 Microsoft Corporation

Microsoft SQL Server 2008 RsFx Driver 10.1.2531.0 2012-01-24 Microsoft Corporation

Microsoft SQL Server 2008 Setup Support Files 10.1.2531.0 2012-01-24 Microsoft Corporation





Product Name Version Install Date

Publisher

Microsoft SQL Server VSS Writer 10.1.2531.0 2012-01-24 Microsoft Corporation

Sophos Anti-Virus 9.7.0 2012-01-24 Sophos Limited

Sophos AutoUpdate 2.5.8 2012-01-24 Sophos Limited

Sophos Enterprise Console 4.5.1 2012-01-24 Sophos Plc

Sophos Update Manager 1.1.1.141 2012-01-24 Sophos plc

Sql Server Customer Experience Improvement Program


For details of all properties see worksheet Products in the MS-Excel workbook.

Implications

This report section lists software products that were installed by Windows Installer (MSI). Unauthorised software installations could cause the following risks:

Compromised security, if the software does not originate from a reputable vendor or it has not been properly tested prior to implementation.

Legal action and penalties due to the use of unlicensed software on your systems.

Additional training and maintenance costs due to the need to support multiple versions of similar software.

Risk Rating

Medium / High (if unauthorised software is installed on your system).

Recommended Action

You should ensure that software policies define a list of approved software and prevent the installation of unauthorised software products. Policies should be consistently enforced and regularly monitored for compliance.

sample-report-appendix-active-directory.xlsx#Products





35. Current Network Connections

Section Summary

SekChek was unable to analyse active network connections because the required dll was not present on the system.

Section Detail

** No data found. ** Process ID The process identification number attached to the Current Network Connection. Local Address The address of the local end of the socket. Local Port

The port number of the local end of the socket. Remote Address The address of the remote end of the socket. Remote Port The port number of the remote end of the socket. State

Shows the connection state of the socket. This can be one of the following values:

CLOSE_WAIT The remote end has shut down, waiting for the socket to close CLOSED The socket is not being used CLOSING Both sockets are shut down but we still don’t have all our data sent ESTABLISHED The socket has an established connection FIN_WAIT1 The socket is closed and the connection is shutting down FIN_WAIT2 The connection is closed and the socket is waiting for a shutdown from the remote end IDLE Idle, opened but not bound LAST_ACK The remote end has shut down and the socket is closed. Waiting for acknowledgement LISTENING The socket is listening for incoming connections SYN_RECV A connection request has been received from the network SYN_SENT The socket is actively attempting to establish a connection TIME_WAIT The socket is waiting after close to handle packets still in the network UNKNOWN The state of the socket is unknown

Filename

The filename of the process that is attached to the Current Network Connection.

Implications

This report section lists all active network connections for TCP protocols, including the local and remote addresses, the ports in use and the state of each connection. It does not indicate which services are configured to use these ports.

The port numbers used by some of the most common network services are:

Port number Service

7 echo 20 ftp data 21 ftp 22 ssh 23 telnet 25 smtp 43 whois 53 DNS 69 tftp 79 finger 80 http 110 POP3





119 nntp 143 IMAP 161 snmp 443 https 512 exec 194 Irc

Network services and their associated ports provide several opportunities for intruders to exploit your system. Some examples are:

Services such as telnet (port 23) and ftp (port 21) transmit user passwords in clear text format, which makes them vulnerable to access via ‘sniffer’ software;

Older versions of services often contain security weaknesses, which can be exploited to gain access to your system using the account under which the service is run;

Services such as finger (port 79), provide intruders with useful information about your system, such as details of inactive user accounts, which can be used to gain access to your system.

Risk Rating

Medium to High. (If inappropriate network services are running)

Recommended Action

You should determine what services are configured to use these ports and:

Disable any unused or redundant services;

Limit the number of services that run under the ‘administrator’ account by running them under an account with less privileges;

Frequently check with your software vendor for security vulnerabilities in the services you are running and apply any relevant software patches;

Consider replacing services that transmit passwords in clear text format with more secure software;

Ensure that hosts running open services are located behind properly configured firewall machines;

Monitor open ports and connections for signs of unusual activity, particularly from addresses external to your organisation.





36. Logical Drives

Section Summary

There were a total of 4 logical drives defined to your domain controller when this analysis was run.

Section Detail

Drive Type Volume Name

Serial Number File System

Disk Size (MB)

Free Space (MB)

% Free Comment

A:\ Removable

C:\ Fixed 7CA7-6D3D NTFS 40857 24409 59.74%

D:\ CDROM 20120124_1531 C71C-CE20 CDFS 78 0.00%

Z:\ Remote New Volume 45BD-987 NTFS 2996 2977 99.35%

Disk Quotas Note that the free space displayed for a drive may exceed the disk size if disk quotas are used (indicated by **User Quotas** in the Comment field). This is because the Free Space column indicates the total amount of free space on the drive, while the Disk Size column indicates the space available to the user under the disk quota rules.

Implications

The NTFS file system provides more security features than the FAT system. It should be used whenever security is a concern. With NTFS, you can assign a variety of protections to files and directories.

Risk Rating

Medium to High (Depending on the sensitivity of files and directories).

Recommended Action

As a rule, you should ensure that sensitive files and directories are on NTFS partitions.





37. Network Shares

Section Summary

There were a total of 10 Network Shares defined to your domain controller when this analysis was run.

Section Detail

Share Name Path Type Max Uses Remark

ADMIN$ C:\Windows Special Share *unlimited* Remote Admin

BG temp C:\BG temp File Share *unlimited*

C$ C:\ Special Share *unlimited* Default share

IPC$ Interprocess communication (IPC)

*unlimited* Remote IPC

NETLOGON C:\Windows\SYSVOL\sysvol\Snake.com\SCRIPTS

File Share *unlimited* Logon server share

SophosUpdate C:\ProgramData\Sophos\Update Manager\Update Manager

File Share *unlimited*

SUMInstallSet C:\Program Files (x86)\Sophos\Enterprise Console\SUMInstaller

File Share *unlimited* Sophos Update Manager Installer

SYSVOL C:\Windows\SYSVOL\sysvol File Share *unlimited* Logon server share

WolfSpace_2 C:\BG temp File Share *unlimited*

WolfSpace1 C:\DfsRoots\WolfSpace1 File Share *unlimited*

Implications

Windows Server enables you to designate resources you want to share with others. For example:

When a directory is shared, authorised users can make connections to the directory (and access its files) from their own workstations.

When a printer is shared, many users can print from it over the network.

Once a resource is shared, you can restrict its availability over the network to certain users. These restrictions, called share permissions, can vary from user to user. With Windows Server, you create the appropriate level of network resources security with a combination of resource sharing and resource permissions.

Risk Rating

Medium to High (Depending on the sensitivity of the data stored in the shared directories).

Recommended Action

You should ensure that directories containing sensitive data files are not shared or are adequately secured via resource permissions.





38. Home Directories, Logon Scripts and Profiles

Section Summary

All Accounts

100.0% (16) of user accounts do not have a home directory.

100.0% (16) of user accounts do not have a logon script.

100.0% (16) of user accounts are not restricted to logging on from specific workstations.

100.0% (16) of user accounts do not have specific logon profiles. Excluding Disabled Accounts

68.8% (11) of user accounts do not have a home directory.

68.8% (11) of user accounts do not have a logon script.

68.8% (11) of user accounts are not restricted to logging on from specific workstations.

68.8% (11) of user accounts do not have specific logon profiles. All Administrator Accounts

100.0% (2) of administrator accounts do not have a home directory.

100.0% (2) of administrator accounts do not have a logon script.

100.0% (2) of administrator accounts are not restricted to logging on from specific workstations.

100.0% (2) of administrator accounts do not have specific logon profiles. Administrator Accounts (Excluding Disabled Accounts)

100.0% (2) of administrator accounts do not have a home directory.

100.0% (2) of administrator accounts do not have a logon script.

100.0% (2) of administrator accounts are not restricted to logging on from specific workstations.

100.0% (2) of administrator accounts do not have specific logon profiles. Industry Average Comparison (All Accounts)

Section Detail

Account Name Home Directory

Logon Script Path

Workstation Restrictions

Logon Profile

State Privilege

Administrator No No No No Administrator

bradley No No No No User

GpLinkTest No No No No Administrator

Guest No No No No D Guest

krbtgt No No No No D User

SophosSAUPUFFADDER0 No No No No User

SophosUpdateMgr No No No No User

Sun No No No No User

SUPPORT_388945a0 No No No No D User

User4 No No No No User


User6 No No No No E User


User9 No No No No LE User

Virtual1 No No No No User

Virtual2 No No No No User





Implications

A home directory is used as the user’s default directory for the “File Open” and “Save As” dialog boxes, for the command prompt, and for all applications that do not have a defined working directory.

Home directories make it easier for an administrator to back up user files and delete user accounts because they are grouped in one location.

The home directory can be a local directory on a user’s computer or a shared network directory, and can be assigned to a single user or many users.

A user’s logon script runs automatically every time the user logs on. It can be used to configure a user’s working environment at every logon, and allows an administrator to affect a user’s environment without managing all its aspects. A logon script can be assigned to one or more user accounts.

In Windows 200x* Server, Workstation Restrictions can be used to control the computers from which a user is allowed to log on. The alternative is to allow a user to logon from any computer.

Restricting the workstations a user can use to log on to your system can improve security and discourage potential hackers. This is especially true for sensitive accounts.

A user profile defines the Windows 200x* configuration for a specific user or group of users.

By default, and excepting Guest accounts, each Windows 200x* computer maintains a profile for each user who has logged on to the computer. A profile contains information about a user's Windows 200x* configuration. Much of this information controls options the user can set, such as colour scheme, screen savers, and mouse and keyboard layout.

Other information control options that can be set only by a Windows 200x* administrator include access to common program groups or network printers.

Risk Rating

Medium to Low.

Recommended Action

To minimise potential loss of data and ease administration, users should have defined home directories, which can be regularly backed up.

To ease administration and afford better control over user environments, each user should have a logon script.

You should consider the additional benefits in security that workstation restrictions can provide. It is particularly suited to those environments with high security needs or very sensitive systems and information.

You should consider the benefits of defining logon profiles for users. This can ease administration and enhance security.





39. File Permissions and Auditing

Section Summary

This report section details the permissions and audit settings for 5 predefined and 0 user selected directories/files on your system.

Section Detail

For details see worksheet Permissions in the MS-Excel workbook.

Implications

This report section lists the owner and access permissions (DACL) for selected files and directories. It also lists the audit settings (SACL) for files and directories.

More specifically, the report section lists the contents of each Access Control Entry (ACE) in the file or directory’s Discretionary Access Control List (DACL). A DACL contains one or more ACEs that control access to the associated resource.

An ACE in a DACL can Allow or Deny access to a resource. A Deny ACE always overrides an Allow ACE.

The report section also lists the contents of each Access Control Entry (ACE) in the file or directory’s System Access Control List (SACL). A SACL contains one or more ACEs that define what actions on the object are audited (e.g. deletion of a file and changes to a folder’s permissions). The event types are Success and Failure.

Legend:

Resource Name The name of the resource being analysed.

Resource Type The type of resource being analysed. At present the only resource types analysed by SekChek are files and directories.

ACL Type The type of ACL being analysed: a DACL or a SACL.

Owner The owner of the resource.

Owner Domain The resource owner’s domain.

Owner Account Type The owner’s account type. E.g. Alias, User.

Ace Nbr The sequential number of the ACE. Window’s reads ACEs in this order until it finds a Deny or Allow ACE that denies or permits access to the resource or an Audit ACE that

defines what is audited and the event type.

Account The name of the account to which this ACE applies.

Domain The account’s domain.

Account Type The type of the account. E.g. Alias, User, Group.

Ace Type Allow or Deny access to the resource in the case of an ACE in a DACL; Success or Failure events for a SACL.

Apply Onto Specifies where permissions or auditing are applied. These values are shown as they appear in the Windows’ property box. E.g.:

This folder / object only

This folder, subfolders & files

This folder & subfolders

This folder & files

Subfolders & files only

Subfolders only

Files only

Inherited Indicates whether the permissions or audit settings are inherited from a higher level.

Special Permissions (ACE in a DACL):

Traverse Folder / Execute File For folders: Traverse Folder allows or denies moving through folders to reach

other files or folders, even if the user has no permissions for the traversed folders (applies to folders only). Traverse folder takes effect only when the group or user is not granted the Bypass traverse checking user right in the

sample-report-appendix-active-directory.xlsx#Permissions





Group Policy snap-in. (By default, the Everyone group is given the Bypass traverse checking user right.).

For files: Execute File allows or denies running program files (applies to files

only).

Setting the Traverse Folder permission on a folder does not automatically set the Execute File permission on all files within that folder.

List Folder / Read Data List Folder allows or denies viewing file names and subfolder names within the folder. List Folder only affects the contents of that folder and does not affect whether the folder you are setting the permission on will be listed. Applies to folders only.

Read Data allows or denies viewing data in files (applies to files only).

Read Attributes Allows or denies viewing the attributes of a file or folder, such as read-only and hidden. Attributes are defined by NTFS.

Read Extended Attributes Allows or denies viewing the extended attributes of a file or folder. Extended attributes are defined by programs and may vary by program.

Create Files / Write Data Create Files allows or denies creating files within the folder (applies to folders only).

Write Data allows or denies making changes to the file and overwriting existing content (applies to files only).

Create Folders / Append Data Create Folders allows or denies creating folders within the folder (applies to folders only).

Append Data allows or denies making changes to the end of the file but not changing, deleting, or overwriting existing data (applies to files only).

Write Attributes Allows or denies changing the attributes of a file or folder, such as read-only or hidden. Attributes are defined by NTFS.

The Write Attributes permission does not imply creating or deleting files or folders, it only includes the permission to make changes to the attributes of a file or folder. In order to allow (or deny) create or delete operations, see Create Files/Write Data, Create Folders/Append Data, Delete Subfolders and Files, and Delete.

Write Extended Attributes Allows or denies changing the extended attributes of a file or folder. Extended attributes are defined by programs and may vary by program.

The Write Extended Attributes permission does not imply creating or deleting files or folders, it only includes the permission to make changes to the attributes of a file or folder. In order to allow (or deny) create or delete operations, see Create Files/Write Data, Create Folders/Append Data, Delete Subfolders and Files, and Delete.

Delete Subfolders And Files Allows or denies deleting subfolders and files, even if the Delete permission has not been granted on the subfolder or file. (applies to folders)

Delete Allows or denies deleting the file or folder. If you don't have Delete permission on a file or folder, you can still delete it if you have been granted Delete Subfolders and Files on the parent folder.

Read Permissions Allows or denies reading permissions of the file or folder, such as Full Control, Read, and Write.

Change Permissions Allows or denies changing permissions of the file or folder, such as Full Control, Read, and Write.

Take Ownership Allows or denies taking ownership of the file or folder. The owner of a file or folder can always change permissions on it, regardless of any existing permissions that protect the file or folder.

File Synchronise Allows or denies different threads to wait on the handle for the file or folder and synchronize with another thread that may signal it. This permission applies only to multithreaded, multiprocess programs.

Windows’ special permissions are logically grouped to form generic permissions: Full Control, Modify, Read & Execute, List Folder Contents, Read, and Write.





The following table illustrates how special permissions are grouped together into these higher-level generic permissions.

Special Permissions Full Control

Modify Read & Execute

List Folder Contents (folders only)

Read Write

Traverse Folder/Execute File x x x x

List Folder/Read Data x x x x x

Read Attributes x x x x x

Read Extended Attributes x x x x x

Create Files/Write Data x x x

Create Folders/Append Data x x x

Write Attributes x x x

Write Extended Attributes x x x

Delete Subfolders and Files x

Delete x x

Read Permissions x x x x x x

Change Permissions x

Take Ownership x

Synchronize x x x x x x

Risk Rating

High (if access permissions are inappropriate and allow unintended access to sensitive resources).

Recommended Action

You should:

Periodically check access permissions for sensitive files and directories to ensure they remain appropriate and reflect the requirements of a person’s job function.

Ensure that all changes to access permissions are properly authorised by management.

Consider logging audit events for sensitive files and directories. Note that large numbers of audit log entries may be generated for frequently accessed files and directories

Documents

SekChek for Windows Report · Nbr of Processors 1 Total Memory 1.000 GB ... Processor 6172 Family AMD Opteron 6172 Description AMD64 Family 16 Model 9 Stepping 1 Processor Id 1F8BFBFF000106A5