TESTBED
SekChek for Windows Security Report
System: PUFFADDER (Snake.com)
10 November 2013
SekChek [email protected]
www.sekchek.com
Declaration
The provided observations and recommendations are in response to a benchmarking analysis that compares the client’s information security features against industry.
The recommendations are organised to identify possible implications to the company based on the gathered information, to identify an industry average rating of the controls and provide possible recommended actions.
The benchmarking analysis and the related observations and recommendations should supplement management’s analysis but should not be and cannot be solely relied upon in any instance to identify and/or remediate information security deficiencies.
Further, the observations and recommendations herein do not identify the cause of a possible deficiency or the cause of any previously unidentified deficiencies. The causes of the deficiencies must be determined and addressed by management for the recommendations selected to be relevant.
© 1996-2013 SekChek IPS. All rights reserved.
SekChek is a registered trademark of SekChek IPS. All other trademarks are the property of their respective owners.
Contents
SekChek Options 5
System Details 6
System Configuration 7
1. Report Summary 11
1.1 Comparisons Against Industry Average and Leading Practice 12
1.2 Answers to Common Questions 19
1.3 Summary of Changes since the Previous Analysis 23
2. Domain Structure 24
3. Domain Accounts Policy 28
4. Domain Controller Policy Settings (Local Policy) 31
4.1 Audit Policy Settings 31
4.2 Event log Settings 36
4.3 Security Option Settings 38
5. Group Policy Objects 42
5.1 Description and Properties for Group Policy Objects 42
5.2 Summary of GPOs defined on the system 44
5.3 Summary of GPOs and their Links to OUs 45
5.4 Summary of OUs and their Links to GPOs 46
5.5 GPOs Defined and their Details 47
5.6 GPO Version Discrepancies 58
6. Password Setting Objects (PSOs) 59
7. Customer-Selected Registry Key Values 61
8. User Accounts Defined In The Domain 62
9. Groups Defined In the Domain 65
10. Domain Local Groups and their Members 68
11. Domain Global Groups and their Members 72
12. Domain Universal Groups and their Members 75
13. Last Logons, 30 Days and Older 76
14. Passwords, 30 Days and Older 78
15. Passwords that Never Expire 80
16. Accounts not Requiring a Password 82
17. Invalid Logon Attempts Greater than 3 84
18. Users not Allowed to Change Passwords 85
19. Accounts with Expiry Date 86
20. Disabled Accounts 87
21. Locked Out Accounts 88
22. Accounts Whose Passwords Must Change at Next Logon 89
23. Accounts Created in the Last 90 Days 90
24. Rights and Privileges 92
24.1 Descriptions & General Recommendations for Rights 94
24.2 Rights Assigned to Local Groups 98
24.3 Rights Assigned to Universal Groups (Native mode only) 100
24.4 Rights Assigned to Global Groups 101
24.5 Rights Assigned to Users 102
24.6 Rights Assigned to Well-Known Objects 109
24.7 Rights Assigned to External Objects 110
25. Discretionary Access Controls (DACL) for Containers 111
26. Trusted and Trusting Domains 112
27. Servers and Workstations 114
28. Domain Controllers in the Domain 115
29. Accounts Allowed to Dial In through RAS 117
30. Services and Drivers on the Machine 119
31. Server Roles and Features 140
32. Task Scheduler 142
33. Security Updates, Patches and Hot-Fixes 143
34. Products Installed 144
35. Current Network Connections 146
36. Logical Drives 148
37. Network Shares 149
38. Home Directories, Logon Scripts and Profiles 150
39. File Permissions and Auditing 152
Security Analysis: TESTBED
System: PUFFADDER (Snake.com)
Analysis Date: 08-Nov-2013
CONFIDENTIAL
SekChek Options
Reference Number 1201250012
Requester Internal Audit
Telephone Number +44 (20) 123 4567
City London
Client Country UK
Charge Code Snake - Windows
Client Code SEK001
Client Industry Type Manufacturing
Host Country Belize
Security Standards Template 0 - SekChek Default
Evaluate Against Industry Type Manufacturing
Compare Against Previous Analysis Not Selected
Scan All DCs for Last Logon Times Yes (scanned 2 of 2 DCs)
Report Format Word 2007
Paper Size A4 (21 x 29.7 cms)
Spelling English UK
Large Report Format MS-Excel spreadsheet
Large Report (Max Lines in Word Tables) 1500
Summary Document Requested Yes
Scan Software Version Used Version 5.1.0
Scan Software Release Date 08-Nov-2013
Your SekChek report was produced using the above options and parameters.
You can change these settings for all files you send to us for processing via the Options menu in the SekChek Client software on your PC. You can also tailor them (i.e. temporarily override your default options) for a specific file via the Enter Client Details screen. This screen is displayed:
For SekChek for NetWare and Windows - during the Scan process on the target Host system;
For SekChek for AS/400 and UNIX - during the file encryption process in the SekChek Client software.
Produced by SekChek® for Windows V1.0.737, 10-Nov-2013 (Ref. 1201250012) Page 5 of 155
System Details
Domain Name Snake.com (SNAKE)
Domain Sid *S-1-5-21-601740674-2353673397-942277617
Forest Snake.com
DC Functionality Windows Server 2008 R2 Mode
Domain Functionality** Windows Server 2003 Domain Mode
Forest Functionality** Windows 2000 Forest Mode
Computer Domain Controllers/PUFFADDER
Site Name Default-First-Site-Name
Windows Version 6.1 (Windows 2008 R2)
Build / Service Pack 7601/Service Pack 1
System Locale Id 2052 (x804)
Scan Time 08-Nov-2013 15:47
Scanned By Users/ Administrator
Report Date: 10 November, 2013
** Functional Levels (available from SekChek V5.0.4 / Windows Server 2003)
DC Functionality: The functional level of the Domain Controller (DC)
Domain Functionality: The functional level of the domain
Forest Functionality: The functional level of the forest
General Note
In Active Directory domains, objects such as user accounts belong to a container object (e.g. an Organizational Unit in a domain, or the domain object itself). In this report the path of each object is usually listed. The format of the path is, for example, Orgunit x/Orgunit y. The “/” character separates the containers in the path.
Paths are listed from the highest level down. A path can contain a domain name as the first container, for example abc.xyz.com. When a domain name is listed in the path, it means that the containers and the object in that path belong to a domain other than the one being analysed.
If no path is listed for an object, the object was defined at the domain-level container and not in any container object within the domain.
System Configuration
Operating System
OS Name Microsoft Windows Server 2008 R2 Enterprise
OS Version, Build 6.1.7601
OS Architecture 64-bit
OS Locale Id x0804
OS Serial Number 12345-6789-5183281-84887
OS Installed 2012-08-29
Last BootUp 2013-11-06
Country Code 86
Time Zone GMT +02:00
Boot Device \Device\HarddiskVolume1
System Drive C:
Windows Directory C:\Windows
System Directory C:\Windows\system32
PAE Enabled No
Visible Memory 1.000 GB
Free Memory 0.247 GB
Encryption Level 256 bits
OS Language English - United States
OS Stock Keeping Unit Name Enterprise Server Edition
Maximum Number of Processes Unknown
Number of Licensed Users Unlimited
Number of Current Users 3
Registered User Windows User
Data Execution Prevention (DEP)...
DEP Available Yes
DEP Enabled for 32-bit Appls Yes
DEP Enabled for Drivers Yes
DEP Policy Opt Out
System Recovery Options
Write an event to the system log Yes
Send an administrative alert No
Automatically restart Yes
Write debugging information Kernel memory dump
Dump file %SystemRoot%\MEMORY.DMP
Overwrite any existing file Yes
BIOS
Manufacturer American Megatrends Inc.
BIOS 080002 Version 2.3
Release Date 2010-05-05
Base Board (Motherboard)
Manufacturer Microsoft Corporation
Product Virtual Machine
Serial Number 1234-5678-6758-7771-5390-6277-74
Version 7.0
Page Files
Number of Page Files 1
Name of Page File #1 C:\pagefile.sys
Temporary Page File No
Create Date 2011-08-29
Allocated Size 1.000 GB
Current Usage 0.179 GB
Peak Usage 0.199 GB
Computer
Manufacturer Microsoft Corporation
Model Virtual Machine
System Type x64-based PC
Remote Desktop Enabled Unknown
Nbr of Processors 1
Total Memory 1.000 GB
System Registry Size Current = 100.3 MB; Max allowed = 2,048.0 MB
Screen Resolution 1680 x 1050 pixels
BootUp State Normal boot
Wake-up Type Power Switch
Boot ROM Supported Yes
Infrared (IR) Supported No
Power Management Supported No
Computer Role Primary Domain Controller
Computer Name PUFFADDER
Computer Sid *S-1-5-21-601740674-2353673397-942277617-1106
Domain Name (short) SNAKE
Domain Name (DNS) Snake.com
Processors
Number of Processors 1
Processor #1...
Manufacturer AuthenticAMD
Name AMD Opteron(tm) Processor 6172
Family AMD Opteron 6172
Description AMD64 Family 16 Model 9 Stepping 1
Processor Id 1F8BFBFF000106A5
Clock Speed 3,108 MHz
External Clock Speed 200 MHz
Address Width 64 bits
Data Width 64 bits
Level 2 Cache Size 512 KB
Level 2 Cache Speed Unknown MHz
Number of Cores 1
Nbr of Logical Processors 1
Chip Socket None
Availability Running/Full Power
Network Adapters (IP enabled)
Connection Id Local Area Connection
Connection Status Connected
Name Microsoft Hyper-V Network Adapter #2
Service Name netvsc
Manufacturer Microsoft
Adapter Type Ethernet 802.3
Speed (Mbs) 10,000 Mbs
Last Reset 2013-11-08 14:13:38
IP Enabled Yes
IP Address 200.200.100.234
IP Subnet 255.255.255.0
Default Gateway
MAC Address 00:15:5D:64:2F:1A
DHCP Enabled No
DHCP Lease Expires
DHCP Lease Obtained
DHCP Server
DNS Search Order 200.200.100.235, 127.0.0.1
Windows Firewall
Domain Profile…
Firewall State On (recommended)
Inbound Connections Block, allow exceptions (default)
Outbound Connections Allow (default)
Display Notifications No
Allow Unicast Response Yes (default)
Private Profile…
Firewall State On (recommended)
Inbound Connections Block, allow exceptions (default)
Outbound Connections Allow (default)
Display Notifications No
Allow Unicast Response Yes (default)
Public Profile…
Firewall State On (recommended)
Inbound Connections Block, allow exceptions (default)
Outbound Connections Allow (default)
Display Notifications No
Allow Unicast Response Yes (default)
Region & Language Options
Current Format English (South Africa)
Time Format 08:46:32
Short Date 08-Nov-2013
Long Date 08 November 2013
Short Date Format dd-MMM-yyyy
Long Date Format dd MMMM yyyy
Currency Symbol R
Currency (International) ZAR
System Locale English (South Africa)
Screen Saver Policy
Scan Account Users/ Administrator
Screen Saver Enabled Yes
Screen Saver Timeout 600 seconds
Screen Saver Secure Yes
User Access Control (UAC)
UAC Enabled Yes
1. Report Summary
The following two charts illustrate the diversity of regions and industries that make up the population of systems running Active Directory in our statistics database. The remaining graphs in the Report Summary section evaluate security on your system against this broad base of real-life security averages.
SekChek is used by the Big Four audit firms, IS professionals, internal auditors, security consultants & general management in more than 130 countries.
Statistics Population by Region
As new reviews are processed, summaries of the results (excluding client identification) are automatically added to a unique statistics database containing more than 70,000 assessments.
Statistics Population by Industry Type
1.1 Comparisons Against Industry Average and Leading Practice
Summary of Domain Accounts Policy Values
This graph compares the Domain Accounts Policy values against the industry average using the following criteria: Country = <All>; Industry Type = Manufacturing; Machine Size (Nbr of Accounts) = <All>
This and the following summary reports are of most value when they are used to compare ‘snapshots’ of your security measures at different points in time. Used in this way, they provide a fairly clear picture of whether your security measures are improving or becoming weaker.
Industry Average is a dynamic, calculated average for all Active Directory domains analysed by SekChek using the above criteria. It indicates how your security measures compare with those of other organisations using Microsoft Windows systems.
Leading Practice is the standard adopted by the top 10 to 20 percent of organisations.
Asterisks (*) after Policy Values indicate their relative importance and individual contribution towards security of your system. I.e. Policy Values followed by 3 asterisks (***) are considered more important, and to have a greater impact on security than those followed by 1 asterisk (*). This is an approximation and should be used as a guide only.
For more information and details, see the report section Domain Accounts Policy.
Comparisons Against Industry Average and Leading Practice (continued)
Summary of Domain User Accounts
This graph compares against the industry average using the following criteria: Country = <All>; Industry Type = Manufacturing; Machine Size (Nbr of Accounts) = Very Small
Above the industry average; About average; Below average
Total number of user accounts defined to your domain: 16
This summary report presents the number of user accounts, with the listed characteristics, as a percentage of the total number of accounts defined to your domain. In general, longer bars highlight potential weaknesses in your security measures and should be investigated. For more details, refer to the relevant sections in the main body of the report.
The graph is sorted in order of importance. This is an approximation and should be used as a guide only.
Comparisons Against Industry Average and Leading Practice (continued)
Summary of Effective Rights for the Domain Controller
This graph compares against the industry average using the following criteria: Country = <All>; Industry Type = Manufacturing; Machine Size (Nbr of Accounts) = Very Small
Above the industry average; About average; Below average
This summary report presents the number of user accounts, with the listed rights, as a percentage of the total number of accounts defined to the domain controller. These rights are applied via the Local Policy of the domain controller being analysed. Other domain controllers may have different rights defined. For more details of rights assigned, refer to the Rights Assigned to Users sections in the main body of the report.
The graph is sorted in alphabetical sequence.
Comparisons Against Industry Average and Leading Practice (continued)
Summary of Domain User Accounts (excluding disabled accounts)
This graph compares against the industry average using the following criteria: Country = <All>; Industry Type = Manufacturing; Machine Size (Nbr of Accounts) = Very Small
Above the industry average; About average; Below average
Total number of user accounts defined to your system: 16
This summary report presents the number of enabled accounts (i.e. excluding accounts with a status of disabled or accounts that are locked) with the listed characteristics, as a percentage of the total number of accounts defined to your system. In general, longer bars highlight potential weaknesses in your security measures and should be investigated. For more details, refer to the relevant sections in the main body of the report.
The graph is sorted in order of importance. This is an approximation and should be used as a guide only.
Comparisons Against Industry Average and Leading Practice (continued)
Summary of Effective Rights for the Domain Controller (excl. disabled accounts)
This graph compares against the industry average using the following criteria: Country = <All>; Industry Type = Manufacturing; Machine Size (Nbr of Accounts) = Very Small
Above the industry average; About average; Below average
This summary report presents the number of enabled accounts (i.e. excluding accounts with a status of disabled or accounts that are locked) with the listed rights, as a percentage of the total number of accounts defined to your system. For more details, refer to the Rights Assigned to Users sections in the main body of the report.
The graph is sorted in alphabetical sequence.
Comparisons Against Industry Average and Leading Practice (continued)
Summary of Domain Administrator Accounts
This graph compares against the industry average using the following criteria: Country = <All>; Industry Type = Manufacturing; Machine Size (Nbr of Accounts) = Very Small
Above the industry average; About average; Below average
Total number of user accounts with administrative privileges defined to your domain: 2
This summary report presents the number of administrator accounts (i.e. accounts that have administrative privileges), with the listed characteristics, as a percentage of the total number of administrator accounts defined to your domain. In general, longer bars highlight potential weaknesses in your security measures and should be investigated. For more details, refer to the relevant sections in the main body of the report.
The graph is sorted in order of importance. This is an approximation and should be used as a guide only.
Comparisons Against Industry Average and Leading Practice (continued)
Summary of Domain Administrator Accounts (excluding disabled accounts)
This graph compares against the industry average using the following criteria: Country = <All>; Industry Type = Manufacturing; Machine Size (Nbr of Accounts) = Very Small
Above the industry average; About average; Below average
Total number of user accounts with administrative privileges defined to your system: 2
This summary report presents the number of enabled administrator accounts (i.e. accounts that have administrative privileges, excluding those accounts with a status of disabled or accounts that are locked) with the listed characteristics, as a percentage of the total number of administrator accounts defined to your system. In general, longer bars highlight potential weaknesses in your security measures and should be investigated. For more details, refer to the relevant sections in the main body of the report.
The graph is sorted in order of importance. This is an approximation and should be used as a guide only.
1.2 Answers to Common Questions
The following charts are intended to provide quick answers to the most common questions regarding security of a system.
The diagrams highlight the relative numbers of objects with the listed attributes. The total population used to plot each chart is included in brackets () after each chart title. Each section includes a link to more detailed information contained in other sections of this report.
When were the user accounts created?
The charts show when user accounts were created on your system. Grouped by all accounts and accounts with Administrative privileges. Includes active and disabled accounts.
More information: Accounts Created in the Last 90 Days
When were the group and computer accounts created?
The chart shows when the group and computer accounts were created on your system.
More information: Accounts Created in the Last 90 Days
What is the status of user accounts?
The charts analyse user accounts by their status: active or disabled. An account may be disabled because: its status has been set to disabled; the account has expired; or the account was locked by the system due to excessive password guessing attempts. Note that an account may be both locked and expired, or disabled and expired.
5 out of 16 accounts are disabled on this system.
More information: Disabled Accounts, Locked Accounts, Accounts with Expiry Date
How active are user accounts?
The charts indicate when accounts were last used to logon to the system. Grouped by all accounts and accounts with Administrative privileges. Excludes disabled accounts.
SekChek queried 2 out of 2 domain controllers to obtain the information.
More information: Last Logons, 30 Days and Older
How frequently do users change their passwords?
The charts show when user login passwords were last changed. ‘Next Logon’ means that the password must be changed the next time the account is used to logon to the domain. Grouped by all accounts and accounts with Administrative privileges. Excludes disabled accounts.
More information: Passwords, 30 Days and Older, Password Must Change at Next Logon
Are users forced to change their passwords?
The charts show the percentage of accounts with a password that is not required to be changed. Grouped by all accounts and accounts with Administrative privileges. Excludes disabled accounts.
More information: Passwords that Never Expire
Are users allowed to change their passwords?
The charts show the percentage of accounts that are not allowed to change their passwords. Grouped by all accounts and accounts with Administrative privileges. Excludes disabled accounts.
More information: User Accounts not Allowed to Change Password
Are users allowed to login without a password?
The charts show the percentage of accounts that may have their passwords set to zero length (blank) by an administrative account. Grouped by all accounts and accounts with Administrative privileges. Excludes disabled accounts.
More information: Accounts not Requiring a Password
What privileges are assigned to user accounts?
The chart shows the percentage of user accounts with Administrative, User and Guest privileges. These privileges are determined by group memberships. Excludes disabled accounts.
More information: User Accounts Defined In The Domain
What are the types of group accounts?
The chart analyses security groups by group type. Excludes Distribution groups.
More information: Groups Defined In the Domain
What are the service types and their start types?
These charts summarise the types of services and drivers installed on the system and their start types. The charts include running and stopped services.
More information: Services and Drivers
1.3 Summary of Changes since the Previous Analysis
Need to quickly highlight changes in security controls since your previous review?
SekChek’s latest time-comparison graphs are just the solution!
Note: The above graph is provided for illustrative purposes only.
A collection of easy-to-read reports in a very familiar format provides you with visual indicators of:
Whether security has improved, weakened, or remained about the same since your previous analysis
The effectiveness of your measures to strengthen controls
Whether risk is increasing or decreasing
The degree of change, both positive and negative
The applications are endless. Some of the practical benefits are:
Time savings. Reduced time spent poring over volumes of unconnected information
Objectivity. The results are guaranteed to be the same regardless of who performs the review
Compliance with legislation. Easier monitoring for compliance with statutory requirements imposed by SOX, HIPAA and other legislative changes relating to corporate governance
More powerful justifications. The ability to present more convincing arguments to senior, non-technical management who do not have the time, or the inclination, to understand masses of technical detail
Interested?
Contact us at [email protected] to find out how to get started!
2. Domain Structure
This report section lists the Container objects in the domain.
It summarises the Directory structure of your domain and may help you understand its overall layout, especially where the domain is large or complex.
Section Detail
Object Name Object Type
Snake.com domainDNS
--- Amazon organizationalUnit
--- Builtin builtinDomain
--- Computers container
--- Domain Controllers organizationalUnit
--- ForeignSecurityPrincipals container
--- Managed Service Accounts container
--- Program Data container
------ Microsoft container
--- System container
------ AdminSDHolder container
------ ComPartitions container
------ ComPartitionSets container
------ DomainUpdates container
--------- ActiveDirectoryUpdate container
--------- Operations container
------------ 0b7fb422-3609-4587-8c2e-94b10f67d1bf container
------------ 0e660ea3-8a5e-4495-9ad7-ca1bd4638f9e container
------------ 10b3ad2a-6883-4fa7-90fc-6377cbdc1b26 container
------------ 13d15cf0-e6c8-11d6-9793-00c04f613221 container
------------ 231fb90b-c92a-40c9-9379-bacfc313a3e3 container
------------ 2416c60a-fe15-4d7a-a61e-dffd5df864d3 container
------------ 293f0798-ea5c-4455-9f5d-45f33a30703b container
------------ 3051c66f-b332-4a73-9a20-2d6a7d6e6a1c container
------------ 3c784009-1f57-4e2a-9b04-6915c9e71961 container
------------ 3e4f4182-ac5d-4378-b760-0eab2de593e2 container
------------ 446f24ea-cfd5-4c52-8346-96e170bcb912 container
------------ 4aaabc3a-c416-4b9c-a6bb-4b453ab1c1f0 container
------------ 4c93ad42-178a-4275-8600-16811d28f3aa container
------------ 4dfbb973-8a62-4310-a90c-776e00f83222 container
------------ 51cba88b-99cf-4e16-bef2-c427b38d0767 container
------------ 57428d75-bef7-43e1-938b-2e749f5a8d56 container
------------ 5c82b233-75fc-41b3-ac71-c69592e6bf15 container
------------ 5e1574f6-55df-493e-a671-aaeffca6a100 container
------------ 61b34cb0-55ee-4be9-b595-97810b92b017 container
------------ 6ada9ff7-c9df-45c1-908e-9fef2fab008a container
------------ 6bcd5678-8314-11d6-977b-00c04f613221 container
------------ 6bcd5679-8314-11d6-977b-00c04f613221 container
------------ 6bcd567a-8314-11d6-977b-00c04f613221 container
------------ 6bcd567b-8314-11d6-977b-00c04f613221 container
------------ 6bcd567c-8314-11d6-977b-00c04f613221 container
------------ 6bcd567d-8314-11d6-977b-00c04f613221 container
------------ 6bcd567e-8314-11d6-977b-00c04f613221 container
------------ 6bcd567f-8314-11d6-977b-00c04f613221 container
------------ 6bcd5680-8314-11d6-977b-00c04f613221 container
------------ 6bcd5681-8314-11d6-977b-00c04f613221 container
------------ 6bcd5682-8314-11d6-977b-00c04f613221 container
------------ 6bcd5683-8314-11d6-977b-00c04f613221 container
------------ 6bcd5684-8314-11d6-977b-00c04f613221 container
------------ 6bcd5685-8314-11d6-977b-00c04f613221 container
------------ 6bcd5686-8314-11d6-977b-00c04f613221 container
------------ 6bcd5687-8314-11d6-977b-00c04f613221 container
------------ 6bcd5688-8314-11d6-977b-00c04f613221 container
------------ 6bcd5689-8314-11d6-977b-00c04f613221 container
------------ 6bcd568a-8314-11d6-977b-00c04f613221 container
------------ 6bcd568b-8314-11d6-977b-00c04f613221 container
------------ 6bcd568c-8314-11d6-977b-00c04f613221 container
------------ 6bcd568d-8314-11d6-977b-00c04f613221 container
------------ 6E157EDF-4E72-4052-A82A-EC3F91021A22 container
------------ 6ff880d6-11e7-4ed1-a20f-aac45da48650 container
------------ 71482d49-8870-4cb3-a438-b6fc9ec35d70 container
------------ 7868d4c8-ac41-4e05-b401-776280e8e9f1 container
------------ 7cfb016c-4f87-4406-8166-bd9df943947f container
------------ 7ffef925-405b-440a-8d58-35e8cd6e98c3 container
------------ 82112ba0-7e4c-4a44-89d9-d46c9612bf91 container
------------ 8437C3D8-7689-4200-BF38-79E4AC33DFA0 container
------------ 860c36ed-5241-4c62-a18b-cf6ff9994173 container
------------ 8ca38317-13a4-4bd4-806f-ebed6acb5d0c container
------------ 8ddf6913-1c7b-4c59-a5af-b9ca3b3d2c4c container
------------ 9738c400-7795-4d6e-b19d-c16cd6486166 container
------------ 98de1d3e-6611-443b-8b4e-f4337f1ded0b container
------------ 9cac1f66-2167-47ad-a472-2a13251310e4 container
------------ a1789bfb-e0a2-4739-8cc0-e77d892d080a container
------------ a3dac986-80e7-4e59-a059-54cb1ab43cb9 container
------------ a86fe12a-0f62-4e2a-b271-d27f601f8182 container
------------ ab402345-d3c3-455d-9ff7-40268a1099b6 container
------------ aed72870-bf16-4788-8ac7-22299c8207f1 container
------------ b96ed344-545a-4172-aa0c-68118202f125 container
------------ bab5f54d-06c8-48de-9b87-d78b796564e4 container
------------ c4f17608-e611-11d6-9793-00c04f613221 container
------------ c88227bc-fcca-4b58-8d8a-cd3d64528a02 container
------------ d262aae8-41f7-48ed-9f35-56bbb677573d container
------------ d85c0bfd-094f-4cad-a2b5-82ac9268475d container
------------ dda1d01d-4bd7-4c49-a184-46f9241b560e container
------------ de10d491-909f-4fb0-9abb-4b7865c0fe80 container
------------ f3dd09dd-25e8-4f9c-85df-12d6d2f2f2f5 container
------------ f58300d1-b71a-4db6-88a1-a8b9538beaca container
------------ f607fd87-80cf-45e2-890b-6cf97ec0e284 container
------------ f7ed4553-d82b-49ef-a839-2f38a36bb069 container
--------- Windows2003Update container
------ IP Security container
------ Meetings container
------ MicrosoftDNS container
------ Policies container
--------- {31B2F340-016D-11D2-945F-00C04FB984F9} groupPolicyContainer
------------ Machine container
------------ User container
--------- {4AFDCFC6-BAED-4E1D-A3F8-6D5DC846945A} groupPolicyContainer
------------ Machine container
------------ User container
--------- {5471F07B-E3BF-47E6-A2DF-40E55805852D} groupPolicyContainer
------------ Machine container
------------ User container
--------- {6AC1786C-016F-11D2-945F-00C04fB984F9} groupPolicyContainer
------------ Machine container
------------ User container
--------- {F754BFE4-52E2-45B3-9034-36D5C65E8700} groupPolicyContainer
------------ Machine container
------------ User container
--------- {F9BA3B20-1DDA-41D1-B91A-77D94D6EAB7F} groupPolicyContainer
------------ Machine container
------------ User container
------ RAS and IAS Servers Access Check container
------ WinsockServices container
------ WMIPolicy container
--------- PolicyTemplate container
--------- PolicyType container
--------- SOM container
--------- WMIGPO container
--- TEST GPO PC organizationalUnit
--- Users container
Domain
In Active Directory a domain is a collection of computers defined by the administrator of a Windows 200x* Server network that shares a common directory database.
A domain provides access to the centralized user accounts and group accounts maintained by the domain administrator. Each domain defines both an administrative boundary and a security boundary for a collection of objects that are relevant to a specific group of users on a network.
A domain is an administrative boundary because administrative privileges do not extend to other domains. It is a security boundary because each domain has a security policy that extends to all accounts within the domain.
Domains can be organised into parent-child relationships to form a hierarchy, which is called a domain tree. The domains that are part of a domain tree implicitly trust each other. Multiple domain trees can be connected together into a forest. All trees in a given forest trust each other via transitive hierarchical trust relationships.
Organizational Unit
An Organizational Unit (OU) is a general-purpose container that can hold objects and other OUs to create a hierarchy within a domain. OUs can form logical administrative units for users, groups, and resource objects, such as printers, computers, applications, and file shares. In large domains, various administrative tasks (such as access rights specification) can be delegated to an administrator for a specific OU, thereby freeing domain administrators from having to support such changes by proxy.
Container
A Container is used for grouping different objects together.
Group Policy Container
A Group Policy Container contains Group Policy objects.
Active Directory Objects
Active Directory objects are either container objects (e.g. OUs and Containers) or leaf objects. A container object stores other objects and, as such, occupies a specific level in a tree or subtree hierarchy. A leaf object does not contain other objects.
3. Domain Accounts Policy
This report lists the effective Domain Account Policies defined for your system and compares them with Leading Practice.
Policy Policy Value Leading Practice
Minimum Password Length 7 8 or greater
Effective Minimum Password Length 7 8 or greater
Maximum Password Age in Days 20 30 to 60
Minimum Password Age in Days 1 0
Password History Size 24 22 or greater
Password Complexity Enabled Enabled
Reversible Password Encryption Disabled Disabled
Lockout Threshold 3 3
Lockout Duration 0 0
Reset Lockout Counter in Minutes 30 1440
Force Logoff When Logon Time Expires Disabled Enabled
Rename Administrator Account Not Defined New Name
Rename Guest Account Not Defined New Name
Allow Lockout of Local Administrator Account Disabled Enabled
Disable Password Changes for Machine Accounts Disabled Disabled
Number of Password Setting Objects (PSOs) defined on the system: 1
Leading Practice is the standard adopted by the top 10 to 20 percent of organisations.
Functions of Accounts Policy Values and Potential Exposures
Domain Accounts Policy values set the defaults for all accounts in a domain.
Note that certain account policies can be overridden by policies defined in Password Setting Objects (from Windows 2008) and settings defined at account level.
Appropriate policy values do not necessarily mean that security at account level is similarly appropriate. You should consult other sections of this report to confirm that security settings for individual accounts do not override your intended policy settings.
Minimum Password Length
Defines the minimum number of characters a password must contain. If it is zero then blank passwords are allowed. Allowing blank passwords is a very high security risk, as it could allow any person in possession of a valid User ID (Account Name) to gain access to your system if the account has a null password.
This policy can be overridden by the Password Complexity policy. See Effective Minimum Password Length for details.
The Leading Practice value is 8 or greater.
Effective Minimum Password Length
The effective minimum number of characters a password must contain when changing a user password. The value is calculated from the settings of the Minimum Password Length and Password Complexity parameters.
If the Password Complexity policy is enabled, the system will only accept user passwords with a minimum of 3 characters that comply with Password Complexity requirements.
For example:
If the Minimum Password Length is 0 and the Password Complexity policy is enabled then the Effective Minimum Password Length will be 3.
If the Minimum Password Length is 0 and the Password Complexity policy is disabled then the Effective Minimum Password Length will be 0.
If the Minimum Password Length policy is set to a value of 3 or greater then the Effective Minimum Password Length will be the same as the Minimum Password Length policy regardless of the setting of the Password Complexity policy.
Maximum Password Age in Days
The period of time a password can be used before the system forces the user to change it. The value can be between 1 and 999 days.
A value of 0 means that passwords never expire. Passwords that never expire are a security risk as they can be compromised over time.
Note that it is possible to override this value in individual user accounts via the Password Never Expires option. Consult the Passwords that Never Expire report section.
The Leading Practice value is 30 days.
Minimum Password Age in Days
The minimum number of days that must elapse between password changes. The value can be between 0 and 999 days. A value of ‘0’ allows a user to change her password immediately if she suspects it is known by someone else.
However, this setting can increase the risk of passwords remaining the same despite system-enforced changes. This is because a user could change her password several times in quick succession until it is set back to the original value. Setting the Password History Size to a sufficiently large value can reduce this risk.
The Leading Practice value is 0 (no restrictions).
Password History Size
Determines whether old passwords can be reused. It is the number of new passwords that must be used by a user account before an old password can be reused. For this to be fully effective, immediate changes should not be allowed under Minimum Password Age.
The Leading Practice value is 22 or greater.
Password Complexity
In order to meet the password complexity requirement, passwords must contain characters from (for example) at least three (3) of the following four (4) classes:
English Upper Case Letters (A, B, C, ... Z)
English Lower Case Letters (a, b, c, ... z)
Westernised Arabic Numerals (0, 1, 2, ... 9)
Non-alphanumeric ("Special characters") (e.g., punctuation symbols)
This policy has an effect on the Effective Minimum Password Length.
Reversible Password Encryption
Determines whether Windows 200x* will store passwords using reversible encryption.
This policy setting provides support for applications, which use protocols that require knowledge of the user password for authentication purposes. Storing passwords using reversible encryption is essentially the same as storing clear-text versions of the passwords. For this reason, this policy should not be enabled unless application requirements outweigh the need to protect password information.
By default, this setting is disabled in the Default Domain Group Policy for domains and in the local security policy of workstations and servers.
Lockout Threshold, Lockout Duration and Reset Lockout Counter in Minutes
Lockout Threshold indicates the number of failed logon attempts for user accounts before accounts are locked out. The value can be 1 to 999 failed attempts. A value of 0 will allow an unlimited number of failed logon attempts.
Lockout Duration indicates the amount of time an account will remain locked out when the Lockout Threshold is exceeded. The value can be 1 to 99999 minutes; a value of 0 (forever) indicates that the account cannot log on until an administrator unlocks it. N/A is set when Lockout Threshold is set to 0.
Reset Lockout Counter in Minutes specifies the period within which invalid logon attempts are monitored, i.e. if the number of failed logon attempts defined in Lockout Threshold is reached within the number of minutes defined for Reset Lockout Counter in Minutes, the account is locked out for the period specified under Lockout Duration. The value for Reset Lockout Counter in Minutes can be 1 to 99999 minutes.
Allowing an excessive or unlimited number of invalid logon attempts can compromise security and allow intruders to log on to your system.
Setting the Lockout Duration to 0 (forever) will help ensure that administrators are alerted of potential intruder attacks as only they can unlock accounts.
Setting Lockout Duration to a small amount (e.g. 5 minutes) will undermine the effectiveness of the Lockout Threshold and administrators might not be alerted to potential intruder attacks.
If the value for Reset Lockout Counter in Minutes is too small (e.g. 1 minute) it will increase the risk of intruders gaining access to your system via repeated password guessing attempts. If the value is too high it may inconvenience genuine users by locking out their accounts when they enter incorrect passwords accidentally.
The Leading Practice values are:
Lockout Threshold = 3
Lockout Duration = 0 (Forever)
Reset Lockout Counter in Minutes = 1440 minutes
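As an added worked example (not code from the SekChek report or product), the following Python applies the Effective Minimum Password Length rule described above and checks the account policy values from this section's table against the Leading Practice values the text quotes. The policy dictionary is re-entered by hand from the table for PUFFADDER, and the wording of each finding note is my own; the Leading Practice thresholds are exactly those stated in the section.

```python
"""Added example: derive the Effective Minimum Password Length and compare
domain account policy values with the Leading Practice values quoted in
this report section.  Not SekChek code; policy values re-entered by hand."""

from typing import Dict, List, Tuple

# Leading Practice values exactly as quoted in this section.
LEADING_PRACTICE: Dict[str, str] = {
    "Effective Minimum Password Length": "8 or greater",
    "Maximum Password Age in Days": "30 to 60",
    "Minimum Password Age in Days": "0",
    "Password History Size": "22 or greater",
    "Reversible Password Encryption": "Disabled",
    "Lockout Threshold": "3",
    "Lockout Duration": "0 (forever)",
    "Reset Lockout Counter in Minutes": "1440",
}

# Policy values shown in the table above for PUFFADDER (re-entered by hand).
REPORT_POLICY = {
    "Minimum Password Length": 7,
    "Password Complexity": True,
    "Maximum Password Age in Days": 20,
    "Minimum Password Age in Days": 1,
    "Password History Size": 24,
    "Reversible Password Encryption": False,
    "Lockout Threshold": 3,
    "Lockout Duration": 0,
    "Reset Lockout Counter in Minutes": 30,
}

# (setting name, observed value, leading practice, note)
Finding = Tuple[str, object, str, str]


def effective_min_password_length(min_length: int, complexity_enabled: bool) -> int:
    """Rule from the text: with Password Complexity enabled the system accepts
    no password shorter than 3 characters, so the floor becomes 3; with it
    disabled the configured Minimum Password Length applies unchanged."""
    if min_length < 0:
        raise ValueError("Minimum Password Length cannot be negative")
    return max(min_length, 3) if complexity_enabled else min_length


def assess_account_policy(policy) -> List[Finding]:
    """Return the settings that fall short of (or differ from) Leading Practice."""
    findings: List[Finding] = []

    def flag(name: str, value, note: str) -> None:
        findings.append((name, value, LEADING_PRACTICE[name], note))

    eff = effective_min_password_length(policy["Minimum Password Length"],
                                        policy["Password Complexity"])
    if eff == 0:
        flag("Effective Minimum Password Length", eff, "blank passwords are allowed")
    elif eff < 8:
        flag("Effective Minimum Password Length", eff, "below leading practice")

    max_age = policy["Maximum Password Age in Days"]
    if max_age == 0:
        flag("Maximum Password Age in Days", max_age, "passwords never expire")
    elif not 30 <= max_age <= 60:
        flag("Maximum Password Age in Days", max_age, "outside the leading-practice range")

    min_age = policy["Minimum Password Age in Days"]
    if min_age != 0:
        flag("Minimum Password Age in Days", min_age,
             "users cannot immediately change a password they suspect is known")

    history = policy["Password History Size"]
    if history < 22:
        flag("Password History Size", history, "old passwords can be reused too soon")

    if policy["Reversible Password Encryption"]:
        flag("Reversible Password Encryption", "Enabled",
             "equivalent to storing clear-text passwords")

    threshold = policy["Lockout Threshold"]
    if threshold == 0:
        # Duration and reset counter are N/A when the threshold is 0.
        flag("Lockout Threshold", threshold, "unlimited failed logon attempts")
    else:
        if threshold > 3:
            flag("Lockout Threshold", threshold, "above leading practice")
        if policy["Lockout Duration"] != 0:
            flag("Lockout Duration", policy["Lockout Duration"],
                 "accounts unlock automatically; administrators may not be alerted")
        if policy["Reset Lockout Counter in Minutes"] < 1440:
            flag("Reset Lockout Counter in Minutes",
                 policy["Reset Lockout Counter in Minutes"],
                 "observation window shorter than leading practice")
    return findings


def report(policy) -> str:
    """Render the findings one per line, in the order the table lists them."""
    lines = [f"{name}: {value} (leading practice {practice}) - {note}"
             for name, value, practice, note in assess_account_policy(policy)]
    return "\n".join(lines) if lines else "All assessed settings meet leading practice."


if __name__ == "__main__":
    print(report(REPORT_POLICY))
```

Run against the table above, the check reports four settings (effective length 7, maximum age 20, minimum age 1, reset counter 30); the lockout duration and reset counter are skipped entirely when the threshold is 0, mirroring the N/A noted in the text.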
Force Logoff When Logon Time Expires
When enabled users will be forcibly disconnected from servers on the domain immediately after their valid logon hours are exceeded. Valid logon hours are defined at user account level.
This option enhances security by ensuring that users are disconnected if they exceed their valid logon hours or do not log off when leaving work. However, it could be disruptive to users who have to work after hours and could compromise data integrity etc.
This option should be used at the discretion of Management.
Rename Administrator, Rename Guest
It is good practice to ensure the Administrator and Guest built-in accounts are renamed via policy. This will minimise the risks of intruders using these well-known accounts when attempting to log on to the domain.
Keep in mind that these accounts can also be renamed manually (for example, via the Active Directory Users and Computers interface). However, when compared to the irrevocable policy change method, the disadvantage of the manual approach is that administrative users can simply rename these accounts at a later stage (possibly back to Administrator and Guest).
Allow Lockout of Local Administrator Account
Allows the built-in administrator account to be locked out from network logons. This policy setting can be modified using the “passprop” command-line utility, which is included in the Windows 2000 Resource Kit.
Disable Password Changes for Machine Accounts
Removes the requirement that the machine account password be automatically changed every week. This value is ignored in Windows XP and later.
4. Domain Controller Policy Settings (Local Policy)
The following 3 subsections relate to the Local Policy on the domain controller being analysed.
In Active Directory, each domain controller can have different local policy settings. Domain controllers generally inherit the same local policy settings because they typically belong to the same OU (e.g. Domain Controllers), to which the same policies apply. However, if domain controllers belong to different OUs, different policy settings can be applied to them.
This has important security implications: an account can, for example, be granted powerful rights on one or more domain controllers while being denied the same rights on others. The policy for domain controllers is then inconsistent, which increases security risk.
This report provides policy settings for the domain controller where the SekChek Scan process was run.
4.1 Audit Policy Settings
Account Logon Audited Events
Credential Validation Success & Failure
Kerberos Authentication Service Failure
Kerberos Service Ticket Operations Failure
Other Account Logon Events Failure
Account Management Audited Events
Application Group Management Success
Computer Account Management Success
Distribution Group Management Success
Other Account Management Events Success
Security Group Management Success
User Account Management Success
Detailed Tracking Audited Events
DPAPI Activity Success
Process Creation Success & Failure
Process Termination Success
RPC Events Success
DS Access Audited Events
Detailed Directory Service Replication No Auditing
Directory Service Access No Auditing
Directory Service Changes Success
Directory Service Replication No Auditing
Logon / Logoff Audited Events
Account Lockout Success
Audit User / Device Claims ** Failure
IPsec Extended Mode Failure
IPsec Main Mode Success
IPsec Quick Mode Failure
Logoff Success
Logon Success & Failure
Network Policy Server Failure
Other Logon/Logoff Events Failure
Special Logon Failure
Object Access Audited Events
Application Generated Success & Failure
Central Access Policy Staging ** Failure
Certification Services No Auditing
Detailed File Share Failure
File Share Success & Failure
File System No Auditing
Filtering Platform Connection Success & Failure
Filtering Platform Packet Drop Success & Failure
Handle Manipulation Success & Failure
Kernel Object No Auditing
Other Object Access Events Failure
Registry Failure
Removable Storage ** Failure
SAM No Auditing
Policy Change Audited Events
Audit Policy Change Success & Failure
Authentication Policy Change Success & Failure
Authorization Policy Change Success
Filtering Platform Policy Change Success
MPSSVC Rule-Level Policy Change Success
Other Policy Change Events Success
Privilege Use Audited Events
Non Sensitive Privilege Use Failure
Other Privilege Use Events Failure
Sensitive Privilege Use Failure
System Audited Events
IPsec Driver Success
Other System Events Success
Security State Change Success & Failure
Security System Extension Success
System Integrity Success & Failure
Explanation of Audit Policy Settings
Account Logon Audit logon attempts by privileged accounts that log on to the domain controller. These audit events are generated when the Kerberos Key Distribution Center (KDC) logs on to the domain controller.
Credential Validation Audits events generated by validation tests on user account logon credentials.
Kerberos Authentication Service Audits events generated by Kerberos authentication ticket-granting ticket (TGT) requests.
Kerberos Service Ticket Operations Audits events generated by Kerberos service ticket requests.
Other Account Logon Events Audits events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets.
Account Management Audit attempts to create, delete, or change user or group accounts. Also, audit password changes.
Application Group Management Audits events generated by changes to application groups.
Computer Account Management Audits events generated by changes to computer accounts, such as when a computer account is created, changed, or deleted.
Distribution Group Management Audits events generated by changes to distribution groups.
Other Account Management Events Audits events generated by other user account changes that are not covered in this category.
Security Group Management Audits events generated by changes to security groups.
User Account Management Audits changes to user accounts.
Detailed Tracking Audits specific events, such as program activation, some forms of handle duplication, indirect access to an object, and process exit.
DPAPI Activity Audits events generated when encryption or decryption requests are made to the Data Protection application interface (DPAPI). DPAPI is used to protect secret information such as stored password and key information.
Process Creation Audits events generated when a process is created or starts. The name of the application or user that created the process is also audited.
Process Termination Audits events generated when a process ends.
RPC Events Audits inbound remote procedure call (RPC) connections.
DS Access Audit attempts to access the directory service.
Detailed Directory Service Replication Audits events generated by detailed AD DS replication between domain controllers.
Directory Service Access Audits events generated when an AD DS object is accessed. Only AD DS objects with a matching SACL are logged.
Directory Service Changes Audits events generated by changes to AD DS objects. Events are logged when an object is created, deleted, modified, moved, or undeleted.
Directory Service Replication Audits replication between two AD DS domain controllers.
Logon / Logoff Audit attempts to log on to or log off of the system. Also, audit attempts to make a network connection.
Account Lockout Audits events generated by a failed attempt to log on to an account that is locked out.
Audit User / Device Claims ** From Server 2012. Audits user and device claims information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. User claims are added to a logon token when claims are included with a user's account attributes in Active Directory.
IPsec Extended Mode Audits events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations.
IPsec Main Mode Audits events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations.
IPsec Quick Mode Audits events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations.
Logoff Audits events generated by closing a logon session. These events occur on the computer that was accessed. For an interactive logon, the security audit event is generated on the computer that the user account logged on to.
Logon Audits events generated by user account logon attempts on a computer.
Network Policy Server Audits events generated by RADIUS (IAS) and Network Access Protection (NAP) user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock.
Other Logon/Logoff Events Audits other events related to logon and logoff that are not included in the Logon/Logoff category.
Special Logon Audits events generated by special logons.
Object Access Audit attempts to access securable objects.
Application Generated Audits applications that generate events by using the Windows Auditing application programming interfaces (APIs). Applications designed to use the Windows Auditing API use this subcategory to log auditing events related to their function.
Central Access Policy Staging ** From Server 2012. Audits access requests where the permission granted or denied by a proposed policy differs from that granted or denied by the current central access policy on an object.
Certification Services Audits Active Directory Certificate Services (AD CS) operations.
Detailed File Share Audits every attempt to access objects in a shared folder.
File Share Audits attempts to access a shared folder.
File System Audits user attempts to access file system objects. A security audit event is generated only for objects that have SACLs and only if the type of access requested, such as Write, Read, or Modify, and the account making the request match the settings in the SACL.
Filtering Platform Connection Audits connections that are allowed or blocked by WFP.
Filtering Platform Packet Drop Audits packets that are dropped by Windows Filtering Platform (WFP).
Handle Manipulation Audits events generated when a handle to an object is opened or closed. Only objects with a matching SACL generate security audit events. Open and close handle events will be audited when both the Handle Manipulation subcategory is enabled along with the corresponding resource manager identified by other Object Access audit subcategory, like File System or Registry. Enabling Handle Manipulation causes implementation-specific security event data to be logged identifying the permissions that were used to grant or deny the access requested by the user; this is also known as "Reason for access".
Kernel Object Audits attempts to access the system kernel, which include mutexes and semaphores. Only kernel objects with a matching SACL generate security audit events. Note: The Audit: Audit the access of global system objects policy setting controls the default SACL of kernel objects.
Other Object Access Events Audits events generated by the management of Task Scheduler jobs or COM+ objects.
Registry Audits attempts to access registry objects. A security audit event is generated only for objects that have SACLs and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL.
Removable Storage ** From Server 2012. Audits user attempts to access file system objects on any Removable Storage device. A security audit event is generated for every read or write access to a file object on any Removable Storage device attached to the user’s machine.
SAM Audits events generated by attempts to access Security Accounts Manager (SAM) objects.
Policy Change Audit attempts to change Policy object rules.
Audit Policy Change Audits changes in security audit policy settings.
Authentication Policy Change Audits events generated by changes to the authentication policy.
Authorization Policy Change Audits events generated by changes to the authorization policy.
Filtering Platform Policy Change Audits events generated by changes to Windows Filtering Platform (WFP).
MPSSVC Rule-Level Policy Change Audits events generated by changes in policy rules used by Windows Firewall.
Other Policy Change Events Audits events generated by other security policy changes that are not audited in the Policy Change category.
Privilege Use Audit attempts to use privileges.
Non Sensitive Privilege Use Audits events generated by the use of nonsensitive privileges (user rights), such as logging on locally or with a Remote Desktop connection, changing the system time, or removing a computer from a docking station.
Other Privilege Use Events Audits other privilege use events.
Sensitive Privilege Use Audits events generated by the use of sensitive privileges (user rights), such as acting as part of the operating system, backing up files and directories, impersonating a client computer, or generating security audits.
System Audit attempts to shut down or restart the computer. Also, audit events that affect system security or the security log.
IPsec Driver Audits events that are generated by the IPsec filter driver.
Other System Events Audits any of the following events:
Startup and shutdown of the Windows Firewall
Security policy processing by the Windows Firewall
Cryptography key file and migration operations
Security State Change Audits events generated by changes in the security state of the computer.
Security System Extension Audits events related to security system extensions or services.
System Integrity Audits events that violate the integrity of the security subsystem.
4.2 Event log Settings
Policy Policy Value
Maximum Application Log Size 20480
Maximum Security Log Size 131072
Maximum System Log Size 20480
Restrict Guest Access to Application Log Enabled
Restrict Guest Access to Security Log Enabled
Restrict Guest Access to System Log Enabled
Retain Application Log N/A
Retain Security Log N/A
Retain System Log N/A
Retention Method for Application Log As Needed
Retention Method for Security Log As Needed
Retention Method for System Log As Needed
Shutdown Computer when Security Log is Full Disabled
Event Logs Features
Event logs contain all events logged by the system auditing controls (audit policy). In this way a wide variety of events can be monitored to track different activities. Information can also be gathered about hardware, software, and system problems.
Careful monitoring of event logs can help in predicting and identifying the sources of system problems. For example, if log warnings show that a disk driver can only read or write to a sector after several retries, the sector is likely to go bad eventually.
Event logs can also confirm problems with software. If a program crashes, a program event log can provide a record of activity leading up to the event.
Windows records events in the following Event logs:
Application log
The application log contains events logged for programs/applications.
Security log
The security log contains valid and invalid logon attempts as well as events related to resource use, such as creating, opening, or deleting files or other objects. For example, if you have enabled logon and logoff auditing, attempts to log on to the system are recorded in the security log.
System log
The system log contains events logged by Windows’ system components. For example, the failure of a driver or other system component to load during start up is recorded in the system log. The event types logged by system components are predetermined by Windows.
Log Size and Retention Method for Logs
The Log Size is in Kilobytes. When the Log Size Limit is reached, the Retention Method for Logs defines the action that will be taken:
If Overwrite events as needed (As needed) is selected, the log will not be archived. This option is a good choice for low-maintenance systems.
The Overwrite events older than and Retain Log (in days) options specify the appropriate number of days the log will be archived at scheduled intervals. This strategy minimises the chance of losing important log entries and at the same time keeps log sizes reasonable.
If the Do not overwrite events (Manually) option is specified, all the events will remain in the log. This option requires that the log be cleared manually. When the maximum log size is reached, new events will be discarded.
If the Overwrite events as needed (As needed) or Do not overwrite events (Manually) options are selected, the Retain Log (in days) option is not available (N/A).
Restrict Guest Access to Application, Security, System Logs
It is good practice to enable this feature as it minimises the risks of unauthorised persons getting read access to logs.
The Shut down when Security Log is Full option ensures that no auditable activities, including security violations, occur while the system is unable to log them. This option should be used at the discretion of Management, as the system will automatically shutdown when the security log is full.
4.3 Security Option Settings
Policy Description Policy Value
Allow server operators to schedule tasks
Determines if Server Operators are allowed to submit jobs by means of the AT schedule facility. By default, you must be an administrator in order to submit jobs by means of the AT scheduler. Enabling this security policy setting allows members of the Server Operators group to submit AT schedule jobs on Domain Controllers without having to make them Administrators. This policy is not defined by default.
Disabled
Allow system to be shut down without having to log on
Determines whether a computer can be shut down without having to log on to Windows. When this policy is enabled, the Shut Down command is available on the Windows logon screen. When this policy is disabled, the option to shut down the computer does not appear on the Windows logon screen. In this case, users must be able to log on to the computer successfully and have the Shut down the system user right in order to perform a system shutdown. By default, this option is enabled on workstations and disabled on servers in Local Computer Policy.
Disabled
Amount of idle time required before disconnecting session (minutes)
Determines the amount of continuous idle time that must pass in a Server Message Block (SMB) session before the session is disconnected due to inactivity. Administrators can use this policy to control when a computer disconnects an inactive SMB session. If client activity resumes, the session is automatically reestablished. This policy is defined for servers by default in Local Computer Policy with a default value of 15 minutes. This policy is not defined on workstations. For this policy setting, a value of 0 means to disconnect an idle session as quickly as reasonably possible.
15
Audit the access of global system objects
Determines whether access of global system objects will be audited. These objects are not generally visible to or known by a typical user. Enabling this option can introduce so many audit entries into the security log that locating real security problems becomes considerably more difficult. In some situations, this option can be useful. For example, where custom applications are being developed, the “users” are not just the people that interactively log on, but also the programmers who are developing applications. These programmers might be able to directly access these objects.
Disabled
Audit use of backup and restore privilege
When files are being backed up or restored, the system checks to ensure that the user performing the backup has the Backup or Restore right each time a file is copied to or being restored from backup media. By default, the system does not record these events, because this could flood the security log. This option should be enabled only in special cases of auditing of high-level security installations.
Disabled
Clear virtual memory page file when system shuts down
A paging file is a system file, so it cannot be encrypted. The file system security for paging files prevents any user from gaining access to and reading these files, and these security settings cannot be changed. However, someone other than the authorized user might start the computer under a different operating system to read a Windows 2000 paging file. To prevent others from reading the contents of paging files that might contain plaintext of encrypted files, enabling this option will clear the paging files every time the computer shuts down.
Disabled
Digitally sign client communication (always)
Enabling this option ensures that the Client communicates with only those Servers that are enabled for SMB (Server Message Block) message signing.
Disabled
Digitally sign client communication (when possible)
This option enables the Server Message Block (SMB) authentication protocol on the client. SMB places a digital security signature into each message block. If SMB signing is enabled on a server, then clients that are also enabled for SMB signing will use the new protocol during all subsequent sessions and clients that are not enabled for SMB signing will use the older SMB protocol.
Enabled
Digitally sign server communication (always)
Enabling this option ensures that the Server communicates with only those clients that are enabled for SMB (Server Message Block) message signing.
Enabled
Digitally sign server communication (when possible)
This option enables the Server Message Block (SMB) authentication protocol on the server. SMB places a digital security signature into each message block. If SMB signing is enabled on the client, then the server that is also enabled for SMB signing will use the new protocol during all subsequent sessions and the server that is not enabled for SMB signing will use the older SMB protocol.
Enabled
Disable CTRL+ALT+DEL requirement for logon
By default, users are required to press CTRL+ALT+DEL before logging on. This is because programs can be designed to appear as a logon screen and collect account passwords. By pressing CTRL+ALT+DEL these programs can be foiled. Disabling CTRL+ALT+DEL is a potential security risk.
Disabled
Do not display last user name in logon screen
By default, Windows 2000 places the username of the last user to log on the computer in the Username text box of the Logon dialog box. This makes it more convenient for the most frequent user to log on. To help keep usernames secret, you can enable this option. This is especially useful if a computer that is generally accessible is being used, for example, for the (renamed) built-in Administrator account.
Disabled
Message text for users attempting to logon
Windows 2000 can display a message box with the caption and text of your choice before a user logs on. Many organizations use this message box to display a warning message that notifies potential users that they can be held legally liable if they attempt to use the computer without having been properly authorized to do so. The absence of such a notice could be construed as an invitation, without restriction, to enter and browse the system.
Message title for users attempting to logon
This is the title for the message box above.
Prevent system maintenance of computer account password
Determines whether the computer account password should be prevented from being reset every week. As a part of Windows 2000 security, computer account passwords are changed automatically every seven days. If this policy is enabled, the machine is prevented from requesting a weekly password change. If this policy is disabled, a new password for the computer account will be generated every week. This policy is defined by default in Local Computer Policy where it is disabled by default.
Disabled
Prevent users from installing printer drivers
Determines whether members of the Users group are prevented from installing print drivers. If this policy is enabled, it prevents users from installing printer drivers on the local machine. This prevents users from "Adding Printers" when the device driver does not exist on the local machine. If this policy is disabled, then a member of the Users group can install printer drivers on the computer. By default, this setting is enabled on servers and disabled on workstations.
Enabled
Prompt user to change password before expiration (days)
Determines how far in advance Windows 2000 should warn users that their password is about to expire. By giving the user advanced warning, the user has time to construct a sufficiently strong password. By default, this value is set to 14 days.
0
Recovery Console: Allow automatic administrative logon
By default, the Recovery Console requires you to provide the password for the Administrator account before accessing the system. If this option is set, the Recovery Console does not require you to provide a password and will automatically log on to the system. Activating this policy eliminates a security barrier used to protect your computer against intruders. You should only enable this policy on systems that have controlled access to the console, such as those in rooms that can be locked.
Disabled
Recovery Console: Allow floppy copy and access to all drives and all folders
This policy allows a floppy/stiffy drive copy and access to all drives and all folders during a Recovery Console session (a text-mode command interpreter that allows the system administrator to gain access to the hard disk of a computer running Windows 2000, regardless of the file format used, for basic troubleshooting and system maintenance).
Disabled
Restrict CD-ROM access to locally logged-on users only
By default, Windows 2000 allows any program to access files on CDs. In a highly secure, multi-user environment, it can be useful to allow only the person locally logged on to access those devices.
Disabled
Restrict floppy access to locally logged-on users only
By default, Windows 2000 allows any program to access files on floppy/stiffy disks. In a highly secure, multi-user environment, it can be useful to allow only the person locally logged on to access those devices.
Disabled
Secure channel: Digitally encrypt or sign secure channel data (always)
Determines whether the computer will always digitally encrypt or sign secure channel data. When a Windows 2000 system joins a domain, a computer account is created. Thereafter, when the system boots, it uses the password for that account to create a secure channel with the domain controller for its domain. Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but the channel is not integrity checked and not all information is encrypted. If this policy is enabled, all outgoing secure channel traffic must be either signed or encrypted. If this policy is disabled, signing and encryption are negotiated with the domain controller. By default, this policy is disabled. This option should only be enabled if all of the domain controllers in all the trusted domains support signing and sealing.
Enabled
Secure channel: Digitally encrypt secure channel data (when possible)
Determines whether the computer will always digitally encrypt or sign secure channel data. When a Windows 2000 system joins a domain, a computer account is created. Thereafter, when the system boots, it uses the password for that account to create a secure channel with the domain controller for its domain. Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but the channel is not integrity checked and not all information is encrypted. If this policy is enabled, all outgoing secure channel traffic should be encrypted. If this policy is disabled, outgoing secure channel traffic will not be encrypted. By default, this option is enabled.
Enabled
Secure channel: Digitally sign secure channel data (when possible)
Determines whether the computer will always digitally encrypt or sign secure channel data. When a Windows 2000 system joins a domain, a computer account is created. Thereafter, when the system boots, it uses the password for that account to create a secure channel with the domain controller for its domain. Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but the channel is not integrity checked and not all information is encrypted. If this policy is enabled, all outgoing secure channel traffic should be signed. If this policy is disabled, no outgoing secure channel traffic will be signed. By default, this option is enabled.
Enabled
Secure channel: Require strong (Windows 2000 or later) session key
If this policy is enabled, all outgoing secure channel traffic will require a strong (Windows 2000 or later) encryption key. If this policy is disabled, the key strength is negotiated with the Domain Controller (DC). This option should only be enabled if all of the DCs in all trusted domains support strong keys. By default, this value is disabled.
Enabled
Send unencrypted password to connect to third-party SMB servers
If this policy is enabled, the Server Message Block (SMB) redirector is allowed to send clear-text passwords to non-Microsoft SMB servers which do not support password encryption during authentication. By default, this option is disabled. This setting can weaken the overall security of an environment and should only be used after careful consideration of the consequences of plain text passwords in your specific environment.
Disabled
Shut down system immediately if unable to log security audits
Determines whether the system should shut down if it is unable to log security events. If this policy is enabled, it causes the system to halt if a security audit cannot be logged for any reason. Typically, an event will fail to be logged when the security audit log is full and the retention method specified for the security log is either Do Not Overwrite Events or Overwrite Events by Days. If the security log is full and an existing entry cannot be overwritten and this security option is enabled, the following blue screen error will occur: STOP: C0000244 {Audit Failed} An attempt to generate a security audit failed. To recover, an administrator must log on, archive the log (if desired), clear the log, and reset this option as desired. By default, this policy is disabled.
Disabled
Strengthen default permissions of global system objects
Determines the strength of the default discretionary access control list (DACL) for objects. Windows 2000 maintains a global list of shared system resources such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects with what permissions. If this policy is enabled, the default DACL is stronger, allowing non-admin users to read shared objects, but not modify shared objects that they did not create. By default, this option is enabled.
Enabled
Unsigned driver installation behavior
Determines what should happen when an attempt is made to install a device driver (by means of the Windows 2000 device installer) that has not been certified by the Windows Hardware Quality Lab (WHQL). The options are: Silently succeed, Warn but allow installation, Do not allow installation. The default setting is to Warn but allow installation.
Silently succeed
Unsigned non-driver installation behavior
Determines what should happen when an attempt is made to install a device driver (by means of the Windows 2000 device installer) that has not been certified by the Windows Hardware Quality Lab (WHQL). The options are: Silently succeed, Warn but allow installation, Do not allow installation. The default setting is to Warn but allow installation.
Warn, but allow installation
Implications
The correct Security Option settings will enhance security, auditing and management.
Enabling some of these policies can strengthen security but undermine performance, operational ease of use, or connectivity with clients that use third-party or earlier versions of authentication protocols. On the other hand, enabling others will decrease security but enhance performance, functionality, and connectivity.
Risk Rating
Low to high (dependent on the security setting being considered).
Recommended Action
Ensure that Security Option settings are set to appropriate values as required.
5. Group Policy Objects
The following five sub-sections list important properties of all the Group Policy Objects (GPOs) defined on your system. This includes their status, their links to Organizational Units (OUs), account permissions over the GPOs and the various policies defined by them.
Description and Properties for Group Policy Objects
Summary of GPOs defined on the system
Summary of GPOs and their Links to OUs
Summary of OUs and their Links to GPOs
Detailed listing of GPOs defined on the system
GPO Version Discrepancies
5.1 Description and Properties for Group Policy Objects
GPOs are applied in a hierarchical fashion starting with GPOs linked to Containers at the top of the tree and ending with GPO-links at the bottom of the tree. The sequence in which GPOs are applied is:
1. The Local GPO on the machine used to log in to the system
2. GPOs linked to Sites
3. Domain-linked GPOs
4. GPOs linked to Organizational Units
In general, policies applied later override those defined earlier. However, this can be altered by the ‘No Override’ and ‘Block Inheritance’ options, by disabling a GPO-link or a Policy Configuration segment, or by removing ‘Read’ or ‘Apply Policy’ access from accounts.
Explanation of Common Terms
What follows is an explanation of the common terms used in this sub-section:
GPO Display Name. The user-friendly name for the GPO.
GPO Exists on Disk. Indicates whether the GPO physically exists in the SYSVOL directory. If it does not exist it has probably been deleted directly, rather than through the appropriate Group Policy maintenance functions.
Computer Configuration Disabled. Indicates the status of the Computer Configuration part of the GPO. If disabled, the various policies (e.g. Rights definitions) defined in the Computer segment of the GPO are ignored when the system applies policy on the system.
User Configuration Disabled. Indicates the status of the User Configuration part of the GPO. If disabled, the various policies defined in the User segment of the GPO are ignored when the system applies policy on the system. This does not affect the policies in the Computer segment of the GPO.
Container. The name of the Container (OU) objects to which the GPO is linked.
Type. The type of the Container object. This can be a Domain, ‘OU’ (Organizational Unit) or Site.
No Override. Indicates whether the policies defined in the GPO can be overridden by conflicting policies linked to other Containers at lower levels in the Active Directory tree. If ‘Yes’, policies defined in this GPO cannot be overridden by GPOs linked at lower levels.
Link Disabled. Indicates the status of the GPO-link to the specified Container. If ‘Yes’, the GPO is not applied to that Container. This does not affect links that the GPO may have to other Container objects.
Block Inheritance. Indicates whether policies from higher-level Containers are inherited by this Container. If ‘Yes’, policies flowing down from higher-level Container objects are not inherited. If the ‘No Override’ and ‘Block Inheritance’ options conflict with each other (i.e. they are both set), the ‘No Override’ option will always take precedence.
Policies Reported On
The following policy definitions are listed for each GPO on your system:
GPO Permissions. Lists the permissions that user accounts and groups have over the GPO. The GPO will not be applied to the account (or members of the group) if it does not have ‘Read’ or ‘Extended Rights’ (Apply Group Policy) access to the GPO.
Rights Policies. Lists the various Rights defined in the GPO. An empty space in the Account Name column indicates that the Right is defined, but is not assigned to anyone. Rights not listed under ‘Rights Defined’ are not defined in the GPO. Rights policies can only be defined in the Computer Configuration part of the GPO.
Event Audit. Lists the various Event Audit settings defined in the GPO. Several events such as when users are logged on, when they access resources, or when they attempt to use special privileges can be configured for the GPO audit. Audited events can only be defined in the Computer Configuration part of the GPO.
Event Logging. This lists the control settings such as size and retention method for the Application, Security and System event logs. Event logging can only be defined in the Computer Configuration part of the GPO.
System Access. Lists the security control settings for the password and lockout policy in Windows 200x* domains. System access can only be defined in the Computer Configuration part of the GPO.
Kerberos Policy. Lists the Kerberos settings defined in the GPO. Kerberos policy can only be defined in the Computer Configuration part of the GPO.
Registry Keys. Lists the various Registry keys used to configure security settings for the GPO, including access control, audit, and ownership. Registry keys can only be defined in the Computer Configuration part of the GPO.
5.2 Summary of GPOs defined on the system
There are a total of 6 GPOs defined on your system:
0% (0) exist on disk, but are not linked to any container
50% (3) do not exist on disk
0% (0) have the Computer Configuration Disabled
0% (0) have the User Configuration Disabled
50% (3) are not linked to a container
Policy GUID  Display Name  GPO Exists on Disk  Computer Config Disabled  User Config Disabled  Nbr Links
{31B2F340-016D-11D2-945F-00C04FB984F9}  Default Domain Policy  No  No  No  0
{4AFDCFC6-BAED-4E1D-A3F8-6D5DC846945A}  Regional Settings workstations  No  No  No  0
{5471F07B-E3BF-47E6-A2DF-40E55805852D}  New Group Policy Object  No  No  No  0
{6AC1786C-016F-11D2-945F-00C04fB984F9}  Default Domain Controllers Policy  Yes  No  No  1
{F754BFE4-52E2-45B3-9034-36D5C65E8700}  Snake GPO test  Yes  No  No  1
{F9BA3B20-1DDA-41D1-B91A-77D94D6EAB7F}  Regional and Language  Yes  No  No  1
For details of all GPO properties see worksheet GPOs_Summary in the MS-Excel workbook.
5.3 Summary of GPOs and their Links to OUs
Policy GUID  Object  Object Type  No Override  Link Disabled  Block Inheritance at OU Level  GPO Exists on Disk  Computer Config Disabled  User Config Disabled
{6AC1786C-016F-11D2-945F-00C04fB984F9}  Domain Controllers  OU  No  No  No  Yes  No  No
{F754BFE4-52E2-45B3-9034-36D5C65E8700}  TEST GPO PC  OU  No  No  No  Yes  No  No
{F9BA3B20-1DDA-41D1-B91A-77D94D6EAB7F}  TEST GPO PC  OU  Yes  No  No  Yes  No  No
5.4 Summary of OUs and their Links to GPOs
Note: GPOs are listed in order of precedence.
Object  Object Type  Policy GUID  No Override  Link Disabled  Block Inheritance at OU Level  GPO Exists on Disk  Computer Config Disabled  User Config Disabled
Domain Controllers  OU  {6AC1786C-016F-11D2-945F-00C04fB984F9}  No  No  No  Yes  No  No
TEST GPO PC  OU  {F9BA3B20-1DDA-41D1-B91A-77D94D6EAB7F}  Yes  No  No  Yes  No  No
  OU  {F754BFE4-52E2-45B3-9034-36D5C65E8700}  No  No  No  Yes  No  No
5.5 GPOs Defined and their Details
System/ Policies/ {31B2F340-016D-11D2-945F-00C04FB984F9}
GPO Display Name: Default Domain Policy
GPO Exists on Disk: No
Computer Configuration Disabled: No
User Configuration Disabled: No
GPO Links:
** No data found **
GPO Permissions:
Account Name Type Permission Allow/Deny
Authenticated Users well-known All Extended Rights Allow
Authenticated Users well-known Read All Properties Allow
CREATOR OWNER well-known Read All Properties Allow
Domain Admins group Read All Properties Allow
Domain Admins group Read All Properties Allow
Domain Users group All Extended Rights Allow
Domain Users group Read All Properties Allow
Enterprise Admins group Read All Properties Allow
ENTERPRISE DOMAIN CONTROLLERS well-known Read All Properties Allow
SYSTEM well-known Read All Properties Allow
User4 user All Extended Rights Allow
User4 user Read All Properties Allow
Rights Policies: ** No data found **
Event Audit: ** No data found **
Event Logging: ** No data found **
System Access: ** No data found **
Kerberos Policy: ** No data found **
Registry Keys: ** No data found **
System/ Policies/ {4AFDCFC6-BAED-4E1D-A3F8-6D5DC846945A}
GPO Display Name: Regional Settings workstations
GPO Exists on Disk: No
Computer Configuration Disabled: No
User Configuration Disabled: No
GPO Links:
** No data found **
GPO Permissions:
Account Name Type Permission Allow/Deny
Authenticated Users well-known All Extended Rights Allow
Authenticated Users well-known Read All Properties Allow
CREATOR OWNER well-known Read All Properties Allow
Domain Admins group Read All Properties Allow
Domain Admins group Read All Properties Allow
Domain Users group All Extended Rights Allow
Domain Users group Read All Properties Allow
Enterprise Admins group Read All Properties Allow
ENTERPRISE DOMAIN CONTROLLERS well-known Read All Properties Allow
SYSTEM well-known Read All Properties Allow
User4 user All Extended Rights Allow
User4 user Read All Properties Allow
Users group All Extended Rights Allow
Users group Read All Properties Allow
Rights Policies: ** No data found **
Event Audit: ** No data found **
Event Logging: ** No data found **
System Access: ** No data found **
Kerberos Policy: ** No data found **
Registry Keys: ** No data found **
System/ Policies/ {5471F07B-E3BF-47E6-A2DF-40E55805852D}
GPO Display Name: New Group Policy Object
GPO Exists on Disk: No
Computer Configuration Disabled: No
User Configuration Disabled: No
GPO Links:
** No data found **
GPO Permissions:
Account Name Type Permission Allow/Deny
Authenticated Users well-known All Extended Rights Allow
Authenticated Users well-known Read All Properties Allow
CREATOR OWNER well-known Read All Properties Allow
Domain Admins group Read All Properties Allow
Domain Admins group Read All Properties Allow
Enterprise Admins group Read All Properties Allow
ENTERPRISE DOMAIN CONTROLLERS well-known Read All Properties Allow
SYSTEM well-known Read All Properties Allow
Rights Policies: ** No data found **
Event Audit: ** No data found **
Event Logging: ** No data found **
System Access: ** No data found **
Kerberos Policy: ** No data found **
Registry Keys: ** No data found **
System/ Policies/ {6AC1786C-016F-11D2-945F-00C04fB984F9}
GPO Display Name: Default Domain Controllers Policy
GPO Exists on Disk: Yes
Computer Configuration Disabled: No
User Configuration Disabled: No
GPO Links:
Object  Type  No Override  Link Disabled  Block Inheritance at OU Level
Domain Controllers OU No No No
GPO Permissions:
Account Name Type Permission Allow/Deny
Authenticated Users well-known All Extended Rights Allow
Authenticated Users well-known Read All Properties Allow
CREATOR OWNER well-known Read All Properties Allow
Domain Admins group Read All Properties Allow
Domain Admins group Read All Properties Allow
Enterprise Admins group Read All Properties Allow
ENTERPRISE DOMAIN CONTROLLERS well-known Read All Properties Allow
SYSTEM well-known Read All Properties Allow
Rights Policies:
Right Account Name Type
Access this computer from the network Administrators group
Authenticated Users well-known
Enterprise Domain Controllers well-known
Everyone well-known
Pre-Windows 2000 Compatible Access group
Act as part of the operating system
Add workstations to domain Authenticated Users well-known
Adjust memory quotas for a process *S-1-5-80-1144924461-1383973570-550994615-1093434689-3433800466 unknown
*S-1-5-80-4003569689-492506040-2645153450-1162762568-2405087996 unknown
Administrators group
Local Service well-known
Network Service well-known
Allow log on locally Account Operators group
Administrators group
Backup Operators group
Print Operators group
Server Operators group
Backup files and directories Administrators group
Backup Operators group
Server Operators group
Bypass traverse checking *S-1-5-80-1144924461-1383973570-550994615-1093434689-3433800466 unknown
*S-1-5-80-4003569689-492506040-2645153450-1162762568-2405087996 unknown
Administrators group
Authenticated Users well-known
Everyone well-known
Pre-Windows 2000 Compatible Access group
Change the system time Administrators group
Local Service well-known
Server Operators group
Create a page file Administrators group
Create a token object
Create permanent shared objects
Debug programs Administrators group
Deny access to this computer from the network SUPPORT_388945a0 user
Deny log on as a batch job
Deny log on as a service
Deny log on locally SophosSAUPUFFADDER0 user
SUPPORT_388945a0 user
Enable accounts to be trusted for delegation Administrators group
Force shutdown from a remote system Administrators group
Server Operators group
Generate security audits Local Service well-known
Network Service well-known
Increase scheduling priority Administrators group
Load and unload device drivers Administrators group
Print Operators group
Lock pages in memory
Log on as a batch job Local Service well-known
SUPPORT_388945a0 user
Log on as a service *S-1-5-80-1144924461-1383973570-550994615-1093434689-3433800466 unknown
*S-1-5-80-4003569689-492506040-2645153450-1162762568-2405087996 unknown
Network Service well-known
SophosSAUPUFFADDER0 user
SQLServer2005SQLBrowserUser$PUFFADDER group
SYSTEM well-known
Manage auditing and security log Administrators group
Modify firmware environment values Administrators group
Profile single process Administrators group
Profile system performance Administrators group
Remove computer from docking station Administrators group
Replace a process-level token *S-1-5-80-1144924461-1383973570-550994615-1093434689-3433800466 unknown
*S-1-5-80-4003569689-492506040-2645153450-1162762568-2405087996 unknown
Local Service well-known
Network Service well-known
Restore files and directories Administrators group
Backup Operators group
Server Operators group
Shut down the system Administrators group
Backup Operators group
Print Operators group
Server Operators group
Synchronize directory service data
Take ownership of files or other objects Administrators group
Event Audit:
Policy Name Policy Value
Audit Account Logon Events Success
Audit Account Management Success
Audit Directory Service Access Success
Audit Logon Events Success
Audit Object Access No Auditing
Audit Policy Change Success
Audit Privilege Use No Auditing
Audit Process Tracking No Auditing
Audit System Events Success
Event Logging:
** No data found **
System Access:
** No data found **
Kerberos Policy:
** No data found **
Registry Keys:
Registry Key Registry Value
HKLM\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel 2
HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature 1
HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature 1
HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal 1
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity 1
System/ Policies/ {F754BFE4-52E2-45B3-9034-36D5C65E8700}
GPO Display Name: Snake GPO test
GPO Exists on Disk: Yes
Computer Configuration Disabled: No
User Configuration Disabled: No
GPO Links:
Object  Type  No Override  Link Disabled  Block Inheritance at OU Level
TEST GPO PC OU No No No
GPO Permissions:
Account Name Type Permission Allow/Deny
Authenticated Users well-known All Extended Rights Allow
Authenticated Users well-known Read All Properties Allow
CREATOR OWNER well-known Read All Properties Allow
Domain Admins group Read All Properties Allow
Domain Admins group Read All Properties Allow
Enterprise Admins group Read All Properties Allow
ENTERPRISE DOMAIN CONTROLLERS well-known Read All Properties Allow
SYSTEM well-known Read All Properties Allow
Rights Policies:
** No data found **
Event Audit:
** No data found **
Event Logging:
** No data found **
System Access:
** No data found **
Kerberos Policy:
** No data found **
Registry Keys:
** No data found **
System/ Policies/ {F9BA3B20-1DDA-41D1-B91A-77D94D6EAB7F}
GPO Display Name: Regional and Language
GPO Exists on Disk: Yes
Computer Configuration Disabled: No
User Configuration Disabled: No
GPO Links:
Object Type No O/Ride Link Disabled Block Inheritance at OU Level
TEST GPO PC OU Yes No No
GPO Permissions:
Account Name Type Permission Allow/Deny
Authenticated Users well-known All Extended Rights Allow
Authenticated Users well-known Read All Properties Allow
CREATOR OWNER well-known Read All Properties Allow
Domain Admins group Read All Properties Allow
Domain Admins group Read All Properties Allow
Enterprise Admins group Read All Properties Allow
ENTERPRISE DOMAIN CONTROLLERS well-known Read All Properties Allow
SYSTEM well-known Read All Properties Allow
Rights Policies:
** No data found **
Event Audit:
** No data found **
Event Logging:
** No data found **
System Access:
** No data found **
Kerberos Policy:
** No data found **
Registry Keys:
** No data found **
5.6 GPO Version Discrepancies
Section Summary
SekChek found 0 discrepancies between the versions of GPOs in AD and SYSVOL.
Section Detail
** No data found **
Implications
The versions of Group Policy Objects (GPOs) defined in Active Directory and in SYSVOL should normally be identical.
If the GPO versions differ it may indicate a replication problem. This will cause unintended differences between the policies that are defined and those that are actually applied on the system.
Risk Rating
Low to high (dependent on the nature of the GPO).
Recommended Action
Ensure you understand the reason for any discrepancies between the versions of GPO objects.
Where appropriate, ensure you take the necessary action to address the cause of the problem.
6. Password Setting Objects (PSOs)
Section Summary
There is one PSO defined on your system: 0% (0) are not linked to any user or group objects.
Section Detail
PSO: Snake PSO test
Property Value
PSO Precedence 1
PSO Description Test PSO 1
PSO DisplayName Test PSO 1
Lockout Duration (never) (D:HH:MM:SS)
Lockout Observation Window 1:00:00:00 (D:HH:MM:SS)
Lockout Threshold 5
Maximum Password Age 35:00:00:00 (D:HH:MM:SS)
Minimum Password Age (none) (D:HH:MM:SS)
Minimum Password Length 10
Password Complexity Enabled Y
Password History Length 12
Reversible Password Encryption N
When Changed (not replicated) 25-Jan-2013 13:34:00
When Created 25-Jan-2013 13:34:00
PSO Applies To... CN=TestGroup3, CN=Users, DC=Snake, DC=com (Object Type= Group, Members= 0)
CN=Cloud 2, OU=Amazon, DC=Snake, DC=com (Object Type= Group, Members= 1)
Notes
Password Setting Objects (PSOs) were introduced in Microsoft Windows Server 2008, and only apply to domains where the domain functional level is set to Windows Server 2008 or higher.
PSOs can only be applied to User / inetOrgPerson objects and global security groups.
PSO Precedence: Establishes the PSO’s precedence in situations where a user is a member of multiple groups with different password policies.
Account Policies (Lockout Duration etc.): Refer to Domain Accounts Policy for a definition of each policy setting.
PSO Applies To: The users and groups to which the Account Policies in the PSO are applied.
Implications
PSOs allow you to define multiple Account Policies per Active Directory domain, which was not permitted prior to Windows 2008. The main benefit of PSOs is that they allow you to control Account Policies at a more granular level by applying different Account Policies to selected users and groups.
Note that the Account Policies defined in a PSO will always override the settings defined in the Domain Accounts Policy for the users and groups to which the PSO is linked.
For more information, see SekChek’s white paper MS-Windows Password Settings Objects (PSOs) at: www.sekchek.com/White-Papers.htm.
Risk Rating
Medium to high depending on the policies in effect over groups and users.
Recommended Action
If PSOs are employed, you should ensure that the Account Policies defined in the PSOs are set to appropriate values.
7. Customer-Selected Registry Key Values
Section Summary
The following subsection lists the 2 registry keys that were selected during the extract.
Section Detail
Registry Key Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Adobe\Acrobat Reader\9.0\Installer - ServiceControl 601
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos - EEServer v2
Implications
The correct settings of certain registry keys will enhance security, auditing and management on the system.
For example, having appropriate values for “remote access” will decrease the risk of intruders gaining illegal access to the system.
For many registry keys a value of ‘0’ means that the feature is not enabled and a value of ‘1’ or greater means enabled.
Risk Rating
Low to high (dependent on the registry setting being considered).
Recommended Action
Ensure that registry values are set to appropriate values where applicable.
8. User Accounts Defined In The Domain
Section Summary
There are 16 user accounts defined in your domain:
12.5% (2) of user accounts have Administrator privileges
6.3% (1) of user accounts have Guest privileges
81.3% (13) of user accounts have User privileges
0.0% (0) of user accounts are protected against accidental deletion
Section Detail
Common Name Path Privilege Member of Group Type/Scope
Administrator Users Administrator Administrators SLB
Domain Admins SG
Domain Users SG
Enterprise Admins SU
Group Policy Creator Owners SG
Schema Admins SU
Sophos Console Administrators SL
Sophos DB Admins SL
Sophos Full Administrators SL
SophosAdministrator SL
Bradley test TEST GPO PC User Domain Users SG
GpLink Test Users Administrator Administrators SLB
Domain Users SG
Sophos Console Administrators SL
Sophos DB Admins SL
Sophos Full Administrators SL
SophosAdministrator SL
Guest Users Guest Domain Guests SG
Guests SLB
krbtgt Users User Denied RODC Password Replication Group SL
Domain Users SG
SekTest User4 Users User Domain Users SG
Utilisateurs EPM Sharepoint SG
SekTest User5 Users User Domain Users SG
Utilisateurs EPM Sharepoint SG
SekTest User6 Users User Domain Users SG
Sophos Console Administrators SL
Sophos DB Admins SL
Sophos Full Administrators SL
SophosAdministrator SL
Utilisateurs EPM Sharepoint SG
SekTest User7 Users User Domain Users SG
Utilisateurs EPM Sharepoint SG
SekTest User9 Users User Domain Users SG
Utilisateurs EPM Sharepoint SG
SophosSAUPUFFADDER0 Users User Domain Users SG
SophosUpdateMgr Users User Domain Users SG
Sun user Amazon User Domain Users SG
Nature SG
SUPPORT_388945a0 Users User Domain Users SG
HelpServicesGroup SL
Virtual1 Cloud Amazon User Cloud 1 SG
Domain Users SG
Virtual2 Cloud Amazon User Cloud 2 SG
Domain Users SG
For details of all user properties see worksheet _All_User_Accounts in the MS-Excel workbook. For definitions of the properties please see Glossary of Terms.
For details of internal system accounts see worksheet System_Accounts in the MS-Excel workbook.
Note: The above is a list of the user accounts that have been defined in the domain. It does not include user accounts from other domains or servers that are members of this domain’s groups.
For those other accounts, consult the report sections: Domain Local Groups and their Members, Domain Global Groups and their Members and Domain Universal Groups and their Members.
Account Name: This name is unique in the domain.
Common Name: This name is unique inside the container or organizational unit but can be duplicated in a different container for another user with a different Account Name (above). This is the name under which the user is listed in the Active Directory MMC Console under the container it belongs to.
Path: Container or Organizational Unit the user belongs to. The higher-level containers or organizational units are written first in the path, followed by the lower level containers or organizational units. See General Note in the System Details section for a general explanation on paths.
Group Type / Scope:
SG – Security Global
SL – Security Local
SLB – Security Local - Builtin
SU – Security Universal
Note. The list only shows memberships of Security groups. I.e. memberships of Distribution groups are excluded from the list.
For a more detailed description of group types refer to report section Groups Defined in the Domain .
Implications
Varying levels of control (rights) over the domain, domain containers and domain organizational units can be delegated to users and/or groups of the domain or other domains.
If users belong to groups with permissions and rights greater than they need, they will have access to resources and system functions not in line with their job functions.
The Administrator privilege is the most powerful privilege in the domain and can perform all actions on the domain. Users with Administrator privilege have full control over the domain resources.
Members of groups such as Print Operators, Account Operators, Server Operators and Backup Operators also acquire special privileges. Consult the report section titled: Domain Local Groups and their Members, for a more detailed analysis.
Risk Rating
Medium to high (dependent on users’ job functions and the number of accounts with special privileges).
Recommended Action
Ensure that user accounts are defined in containers or organizational units where the controls over them are appropriate.
Users’ rights and group memberships should be checked to ensure they are not granted unnecessary privileges or rights.
Most users should be assigned to the built-in global group Domain Users and the built-in local group Users.
The number of accounts with Administrator privilege should be kept to a minimum. These accounts should only be used for administrative functions. Users with administrative privileges should use a separate account for normal day-to-day use.
You should consider renaming the built-in Administrator account to a less obvious name to lessen the possibility of hackers guessing the password, as they would have to guess the account name also. This account can never be locked out due to failed logon attempts. The account cannot be disabled or deleted.
You should consider renaming the built-in Guest account to a less obvious name. Hackers trying to obtain illegal access often target this account.
9. Groups Defined In the Domain
Section Summary
All Group Types
There are a total of 57 group accounts defined on your domain:
64.9% (37) of groups are Local Groups
29.8% (17) of groups are Global Groups
5.3% (3) of groups are Universal Groups
0.0% (0) of groups are Application Basic Groups
0.0% (0) of groups are Application Query Groups
0.0% (0) of groups are protected against accidental deletion
Security Groups Only
There are 57 security groups defined on your domain:
64.9% (37) of these are Local security Groups
29.8% (17) of these are Global security Groups
5.3% (3) of these are Universal security Groups
Section Detail
Common Name Path Type/ Scope
Account Operators Builtin SLB
Administrators Builtin SLB
Allowed RODC Password Replication Group Users SL
Backup Operators Builtin SLB
Cert Publishers Users SL
Certificate Service DCOM Access Builtin SLB
Cloud 1 Amazon SG
Cloud 2 Amazon SG
Cryptographic Operators Builtin SLB
Denied RODC Password Replication Group Users SL
Distributed COM Users Builtin SLB
DnsAdmins Users SL
DnsUpdateProxy Users SG
Domain Admins Users SG
Domain Computers Users SG
Domain Controllers Users SG
Domain Guests Users SG
Domain Users Users SG
Enterprise Admins Users SU
Enterprise Read-only Domain Controllers Users SU
Event Log Readers Builtin SLB
Group Policy Creator Owners Users SG
Guests Builtin SLB
HelpServicesGroup Users SL
IIS_IUSRS Builtin SLB
Incoming Forest Trust Builders Builtin SLB
Nature Amazon SG
Network Configuration Operators Builtin SLB
Performance Log Users Builtin SLB
Performance Monitor Users Builtin SLB
Pre-Windows 2000 Compatible Access Builtin SLB
Print Operators Builtin SLB
RAS and IAS Servers Users SL
Read-only Domain Controllers Users SG
Remote Desktop Users Builtin SLB
Replicator Builtin SLB
Schema Admins Users SU
Server Operators Builtin SLB
Sophos Console Administrators Users SL
Sophos DB Admins Users SL
Sophos Full Administrators Users SL
SophosAdministrator Users SL
SophosDomainAdministrator Users SG
SophosDomainPowerUser Users SG
SophosDomainUser Users SG
SophosOnAccess Users SL
SophosPowerUser Users SL
SophosUser Users SL
SQLServer2005SQLBrowserUser$PUFFADDER Users SL
SQLServerMSSQLServerADHelperUser$PUFFADDER Users SL
TelnetClients Users SL
Terminal Server License Servers Builtin SLB
TestGroup3 Users SG
TestGroup4 Users SG
Users Builtin SLB
Utilisateurs EPM Sharepoint Users SG
Windows Authorization Access Group Builtin SLB
For details of all properties see worksheet Group_Accounts in the MS-Excel workbook. For definitions of the properties please see Glossary of Terms.
NOTE: The above is a list of the groups that have been defined in the domain. It does not include groups from other domains or servers that are members of this domain’s groups.
Account Name: This name is unique in the domain.
Common Name: This name is unique inside the container or organizational unit but can be duplicated in a different container for another group with a different Account Name (above). This is the name under which the group is listed in the Active Directory MMC Console under the container it belongs to.
Path: Container or Organizational Unit the group belongs to. The higher-level containers or organizational units are written first in the path, followed by the lower level containers or organizational units. See General Note in the System Details section for a general explanation on paths.
Group Type/Scope:
AB Application Basic
AQ Application Query
DG Distribution Global
DL Distribution Local
DU Distribution Universal
SG Security Global
SL Security Local
SLB Security Local - Builtin
SU Security Universal
There are 3 types of groups in Windows 200x* domains:
Security groups
Distribution groups
Application groups
Security groups can define permissions on resources and objects. When assigning permissions for resources (file shares, printers, and so on), administrators should assign those permissions to a security group rather than to the individual users. The permissions are assigned once to the group, instead of several times to each individual user. This helps simplify the maintenance and administration of a network.
Distribution groups are not security-enabled. Distribution groups can be used, for example, with e-mail applications (such as Exchange), to send e-mail to collections of users.
Application groups are not security enabled and include basic application groups and LDAP query groups. Application groups are specific to Authorization Manager role-based administration. An application group is a group of users, computers, or other security principals. An application group is not a group of applications.
Membership of an Application Query group is dynamically calculated from LDAP queries.
Each security and distribution group has a scope that identifies the extent to which the group is applied in the domain tree or forest. There are three different group scopes: universal, global, and local.
Built-in Local Security groups are defined by the Windows 200x* security system. They cannot be moved or deleted from their original container (Builtin). Those groups cannot be members of other groups.
For membership of groups and more details on group scope, consult the report sections: Domain Local Groups and their Members, Domain Global Groups and their Members and Domain Universal Groups and their Members.
Implications
Varying levels of control (rights) over the domain, domain containers and domain organizational units can be delegated to groups of the domain or other domains.
Risk Rating
Medium to high (dependent on groups’ functions and what controls are granted over the groups).
Recommended Action
Ensure that groups are defined in containers or organizational units where the controls over them are appropriate.
10. Domain Local Groups and their Members
Section Summary
There are a total of 37 Local Security groups, containing the following 47 members, defined on your domain:
59.5% (22) of these groups are empty / have no members
2.1% (1) of the members are defined in other domains
Section Detail
Group Name Member Member Domain Member Class
Account Operators
Administrators Administrator user
Domain Admins group
Enterprise Admins group
GpLinkTest user
Allowed RODC Password Replication Group
Backup Operators
Cert Publishers
Certificate Service DCOM Access
Cryptographic Operators
Denied RODC Password Replication Group
Cert Publishers group
Domain Admins group
Domain Controllers group
Enterprise Admins group
Group Policy Creator Owners group
krbtgt user
Read-only Domain Controllers group
Schema Admins group
Distributed COM Users
DnsAdmins
Event Log Readers
Guests Domain Guests group
Guest user
HelpServicesGroup SUPPORT_388945a0 user
IIS_IUSRS IUSR Unknown Domain (NT AUTHORITY) unknown
Incoming Forest Trust Builders
Network Configuration Operators
Performance Log Users
Performance Monitor Users
Pre-Windows 2000 Compatible Access Authenticated Users well-known
Print Operators
RAS and IAS Servers
Remote Desktop Users Cloud 1 group
Cloud 2 group
Replicator
Server Operators
Sophos Console Administrators Administrator user
Domain Admins group
Enterprise Admins group
GpLinkTest user
User6 user
Sophos DB Admins Administrator user
Domain Admins group
Enterprise Admins group
GpLinkTest user
User6 user
Sophos Full Administrators Administrator user
Domain Admins group
Enterprise Admins group
GpLinkTest user
User6 user
SophosAdministrator Administrator user
Domain Admins group
Enterprise Admins group
GpLinkTest user
SophosDomainAdministrator group
User6 user
SophosOnAccess
SophosPowerUser SophosDomainPowerUser group
SophosUser Domain Users group
SophosDomainUser group
SQLServer2005SQLBrowserUser$PUFFADDER
SQLServerMSSQLServerADHelperUser$PUFFADDER
TelnetClients
Terminal Server License Servers
Users Authenticated Users well-known
Domain Users group
Interactive well-known
Windows Authorization Access Group Enterprise Domain Controllers well-known
Notes
Members of Local Distribution groups are not listed here, as there is no security implication on these groups.
Group Account Name or Member Account Name: This name is unique in the domain.
Member Domain: The name of a trusted domain, if the group member is an external account. If the member belongs to the domain analysed, this field will be empty.
Member Class: When = Unknown, it means that the account or group is a member of the local group but that the server/domain where the account or group is registered could not be reached to obtain the account information. The local groups showing these accounts as members should be checked to establish the origin and details of these accounts.
When a server/domain cannot be reached for account information, the server/domain is either not available through the network or the server/domain no longer exists in the domain.
Domain Local Groups
Groups with domain local scope can have as their members groups and accounts from Windows 200x* or Windows NT domains and can be used to grant permissions only within a domain. Groups with a domain local scope are referred to as Local Groups.
In native-mode Windows 200x* domains, Local Groups can have accounts, global groups, and universal groups from any domain, as well as local groups from the same domain, as members.
In mixed-mode Windows 200x* domains, Local Groups can have accounts and global groups from any domain as members but cannot have local groups as members.
Groups with domain local scope are typically used to define and manage access to resources within a single domain.
Built-in Local Groups are installed in the domain. These groups are security groups and represent common sets of rights and permissions that can be used to grant certain roles, rights, and permissions to the accounts and groups that are placed into these default groups. Default groups with domain local scope are located in the ‘Builtin’ container.
The default (built-in) Local Groups are:
Account Operators
Administrators
Backup Operators
Guests
Pre-Windows 2000 Compatible Access
Print Operators
Replicator
Server Operators
Users
These built-in groups have domain local scope and are primarily used to assign default sets of permissions to users who may have some administrative control in that domain. For example, the Administrators group in a domain has a broad set of administrative authority over all accounts and resources in the domain.
The following shows the default rights held by some of these groups.
Administrators: Members of the Administrators group have full control over the computer. It is the only built-in group that is automatically granted every built-in right and ability in the system.
Backup Operators: Members of the Backup Operators group can back up and restore files on the computer, regardless of any permissions that protect those files. They can also log onto the computer and shut it down, but they cannot change security settings.
Replicator: The Replicator group supports directory replication functions. The only member of the Replicator group should be a domain user account used to log on the Replicator services of the domain controller. Do not add the user accounts of actual users to this group.
Implications
If users or groups belong to Local Groups with permissions and rights greater than they need, they will have access to unnecessary resources and functions via the permissions and rights associated with the Local Groups.
The built-in Local Group, which has normal default user rights and permissions, is the Users group. Another built-in Local Group with limited default privileges is Guests.
Built-in Local Groups cannot be deleted.
New Local Groups can be created and powerful rights (e.g. Take Ownership of Files and other Objects) can be assigned to them.
Risk Rating
Medium to high (dependent on users’ job functions and groups’ roles).
Recommended Action
Privileges and rights acquired by users and groups via their membership of Local Groups should be checked to ensure they are consistent with the users’ job functions and groups’ roles.
Most users or groups should be assigned to the Users Local Group.
Users or groups assigned to privileged Local Groups should be kept to a minimum and their membership fully justified. As a rule, only individual users and not groups, should be added to privileged Local Groups as this affords better control.
Those accounts or groups from other domains, which are members of privileged Local Groups, should be carefully checked and fully justified.
If it can be avoided, users and groups from other domains should not be members of privileged Local Groups.
11. Domain Global Groups and their Members
Section Summary
There are a total of 17 Global Security groups, containing the following 30 members, defined on your domain:
41.2% (7) of these groups are empty / have no members
Section Detail
Group Name Member Member Class
Cloud 1 Virtual1 user
Cloud 2 Virtual2 user
DnsUpdateProxy
Domain Admins Administrator user
Domain Computers BEOWOLF Computer
REDWOLF Computer
Domain Controllers BOOMSLANG Computer
PUFFADDER Computer
Domain Guests Guest user
Domain Users Administrator user
bradley user
GpLinkTest user
krbtgt user
SophosSAUPUFFADDER0 user
SophosUpdateMgr user
Sun user
SUPPORT_388945a0 user
User4 user
User5 user
User6 user
User7 user
User9 user
Virtual1 user
Virtual2 user
Group Policy Creator Owners Administrator user
Nature Sun user
Read-only Domain Controllers
SophosDomainAdministrator
SophosDomainPowerUser
SophosDomainUser
TestGroup3
TestGroup4
Utilisateurs EPM Sharepoint User4 user
User5 user
User6 user
User7 user
User9 user
Notes
Group Account Name or Member Account Name: This name is unique in the domain.
Global Group
Groups with global scope can have as their members groups and accounts only from the domain in which the group is defined and can be granted permissions in any domain in a domain tree or forest. Groups with a global scope are referred to as Global Groups.
In native-mode Windows 200x* domains, Global Groups can have, as their members, accounts from the same domain and global groups from the same domain.
In mixed-mode Windows 200x* domains, Global Groups can have, as their members, accounts from the same domain but cannot have groups as members.
Default predefined groups with global scope are normally located in the Users container.
The predefined Global Groups placed in the Users container are:
Cert Publishers
Domain Admins
Domain Computers
Domain Controllers
Domain Guests
Domain Users
Enterprise Admins
Group Policy Admins
Schema Admins
These groups with global scope can be used to collect the various types of user accounts in the domain (regular users, administrators, and guests) into groups. These groups can then be placed in Local Groups.
By default, any user account created in a domain is automatically added to the Domain Users group and any computer account created is automatically added to the Domain Computers group.
The Domain Users and Domain Computers groups can be used to represent all the accounts created in the domain.
For example, if all the users in this domain need to have access to a printer, permissions for the printer can be assigned to the Domain Users group (or the Domain Users group can be placed into a local group that has permissions for the printer).
Groups with global scope are normally used to manage directory objects that require daily maintenance, such as user and computer accounts. Because groups with global scope are not replicated outside their own domain, accounts in a group having global scope can be changed frequently without generating replication traffic to the global catalog.
Global groups cannot be created or maintained on Windows NT/200x* Workstations or Windows NT/200x* Servers, which are not Domain Controllers. However, for Windows NT/200x* Workstations or NT/200x* Server computers that participate in a domain, domain global groups can be granted rights and permissions at those workstations or servers, and can be members of local groups at those workstations or servers.
Implications
If users are assigned to global groups with permissions and rights greater than they need, they will have access to unnecessary system resources and functions via the permissions and rights associated with the global groups.
Global groups can be members of local groups in the domain and other domains or members of other global groups in the domain, thus acquiring their rights and granting those rights to users belonging to the global groups.
New global groups can be created and powerful rights (e.g. Take Ownership of Files and other Objects) assigned to them.
Risk Rating
Medium to high (dependent on users’ job functions and groups’ functions).
Recommended Action
Privileges and rights assigned to global groups and their membership of other groups should be checked to ensure that they are justified.
Most users should only be assigned to the Domain Users global group.
Users assigned to privileged global groups (such as Domain Admins) should be kept to a minimum and their membership fully justified.
12. Domain Universal Groups and their Members
Section Summary
There are a total of 3 Universal Security groups, containing the following 2 members, defined in your domain:
33.3% (1) of these groups are empty / have no members
0.0% (0) of these members are defined in other domains
Section Detail
Group Name Member Member Domain Member Class
Enterprise Admins Administrator user
Enterprise Read-only Domain Controllers
Schema Admins Administrator user
Notes
Group Account Name or Member Account Name: This name is unique in the domain.
Member Domain: The name of a trusted domain, if the group member is an external account. If the member belongs to the domain analyzed, this field will be empty.
Member Class: When = Unknown, it means that the account or group is a member of the universal group but that the server/domain where the account or group is registered could not be reached to obtain the account information. The universal groups showing these accounts as members should be checked to establish the origin and details of these accounts.
When a server/domain cannot be reached for account information, the server/domain is either not available through the network or the server/domain no longer exists in the domain.
Universal Groups
Groups with universal scope can have as members groups and accounts from any Windows 200x* domain in the domain tree or forest and can be granted permissions in any domain in the domain tree or forest. Groups with a universal scope are referred to as Universal Groups.
In native-mode Windows 200x* domains, Universal Groups can have, as their members, accounts from any domain, global groups from any domain and universal groups from any domain.
In mixed-mode Windows 200x* domains, groups with universal scope cannot be created.
Groups with universal scope can be used to consolidate groups that span domains. For example, global groups from different domains can be nested in universal groups. Using this strategy, any membership changes in the groups having global scope do not affect the group with universal scope.
Implications
If users or groups are assigned to universal groups with permissions and rights greater than they need, they will have access to unnecessary resources and functions via the permissions and rights associated with the universal groups.
Risk Rating
Medium to high (dependent on users’ job functions and groups’ functions).
Recommended Action
Privileges and rights assigned to universal groups and their membership of other groups should be checked to ensure that they are justified.
13. Last Logons, 30 Days and Older

Section Summary
All Accounts
50.0% (8) of the user accounts on your domain have not logged-on in the last 30 days:
  43.8% (7) have not logged-on in the last 60 days
  43.8% (7) have not logged-on in the last 90 days
  37.5% (6) have not logged-on in the last 180 days
  37.5% (6) have not logged-on in the last 360 days
  37.5% (6) have not logged-on in the last 2 years
  37.5% (6) have never been used, or their last logon date is unknown
Excluding Disabled Accounts
25.0% (4) of the user accounts on your domain have not logged-on in the last 30 days:
  18.8% (3) have not logged-on in the last 60 days
  18.8% (3) have not logged-on in the last 90 days
  18.8% (3) have not logged-on in the last 180 days
  18.8% (3) have not logged-on in the last 360 days
  18.8% (3) have not logged-on in the last 2 years
  18.8% (3) have never been used, or their last logon date is unknown
All Administrator Accounts
0.0% (0) of the administrator accounts on your domain have not logged-on in the last 30 days:
  0.0% (0) have not logged-on in the last 60 days
  0.0% (0) have not logged-on in the last 90 days
  0.0% (0) have not logged-on in the last 180 days
  0.0% (0) have not logged-on in the last 360 days
  0.0% (0) have not logged-on in the last 2 years
  0.0% (0) have never been used, or their last logon date is unknown
Administrator Accounts (Excluding Disabled Accounts)
0.0% (0) of the administrator accounts on your domain have not logged-on in the last 30 days:
  0.0% (0) have not logged-on in the last 60 days
  0.0% (0) have not logged-on in the last 90 days
  0.0% (0) have not logged-on in the last 180 days
  0.0% (0) have not logged-on in the last 360 days
  0.0% (0) have not logged-on in the last 2 years
  0.0% (0) have never been used, or their last logon date is unknown
Domain Controllers (DCs) Scanned
SekChek scanned 2 out of 2 DCs for users' last logon times. See Domain Controllers in the Domain for more information.
The last logon for the builtin Administrator account was 0 days ago.
Industry Average Comparison (> 30 days)
Note: This is an exception report, so it only lists accounts that have not logged on in the last 30 days, i.e. an account that logged on 29 days ago (or more recently) will not be listed in this section.
Section Detail
Last Logon   Account Name          Path    State  Privilege
             Guest                 Users   D      Guest
             krbtgt                Users   D      User
             SophosSAUPUFFADDER0   Users          User
             SophosUpdateMgr       Users          User
             Sun                   Amazon         User
             SUPPORT_388945a0      Users   D      User
02-Aug-2013  User6                 Users   E      User
24-Sep-2013  User4                 Users          User
Notes
Account Name: This name is unique in the domain.
Path: Container or Organizational Unit the user belongs to. The higher-level containers or organizational units are written first in the path, followed by the lower level containers or organizational units. See the General Note in the System Details section for a general explanation of paths.
Account State: Account is Disabled (D), Locked (L), Expired (E), or a combination of them, e.g. (DL) or (DE).
Implications
Some of these user accounts may no longer be required. Inactive user accounts are a prime target for intruders. If their passwords are compromised, they can be used with little fear of detection.
Risk Rating
Low to Medium.
Recommended Action
The list of accounts should be reviewed and redundant ones should be deleted.
Accounts that will be required later (longer term), should be disabled until required.
14. Passwords, 30 Days and Older

Section Summary
All Accounts
50.0% (8) of the user accounts on your domain have not had their passwords changed in the last 30 days:
  43.8% (7) have not had their passwords changed in the last 60 days
  43.8% (7) have not had their passwords changed in the last 90 days
  43.8% (7) have not had their passwords changed in the last 180 days
  25.0% (4) have not had their passwords changed in the last 360 days
  12.5% (2) have not had their passwords changed in the last 2 years
Excluding Disabled Accounts
25.0% (4) of the user accounts on your domain have not had their passwords changed in the last 30 days:
  18.8% (3) have not had their passwords changed in the last 60 days
  18.8% (3) have not had their passwords changed in the last 90 days
  18.8% (3) have not had their passwords changed in the last 180 days
  12.5% (2) have not had their passwords changed in the last 360 days
  6.3% (1) have not had their passwords changed in the last 2 years
All Administrator Accounts
50.0% (1) of the administrator accounts on your domain have not had their passwords changed in the last 30 days:
  50.0% (1) have not had their passwords changed in the last 60 days
  50.0% (1) have not had their passwords changed in the last 90 days
  50.0% (1) have not had their passwords changed in the last 180 days
  50.0% (1) have not had their passwords changed in the last 360 days
  50.0% (1) have not had their passwords changed in the last 2 years
Administrator Accounts (Excluding Disabled Accounts)
50.0% (1) of the administrator accounts on your domain have not had their passwords changed in the last 30 days:
  50.0% (1) have not had their passwords changed in the last 60 days
  50.0% (1) have not had their passwords changed in the last 90 days
  50.0% (1) have not had their passwords changed in the last 180 days
  50.0% (1) have not had their passwords changed in the last 360 days
  50.0% (1) have not had their passwords changed in the last 2 years
The password for the builtin Administrator account was last changed 1556 days ago.
Industry Average Comparison (> 30 days)
Note: This is an exception report, so it only lists accounts whose passwords have not changed in the last 30 days, i.e. an account whose password was changed 29 days ago (or more recently) will not be listed in this section.
Section Detail
Password Age (days)  Account Name        Path   State  Privilege
1556                 Administrator       Users         Administrator
1556                 SUPPORT_388945a0    Users  D      User
436                  krbtgt              Users  D      User
436                  User5               Users         User
337                  User6               Users  E      User
292                  User9               Users  LE     User
270                  User7               Users         User
51                   User4               Users         User
Notes
Account Name: This name is unique in the domain.
Path: Container or Organizational Unit the user belongs to. The higher-level containers or organizational units are written first in the path, followed by the lower level containers or organizational units. See the General Note in the System Details section for a general explanation of paths.
Account State:
  L   Locked: An account is automatically locked by the system once the number of invalid login attempts, as defined by the security policy, has been reached.
  D   Disabled: A disabled account has been manually disabled by the administrator.
  E   Expired: An account expires once the expiry date, which has been set by the administrator, is reached.
  DE  Disabled & Expired: An expired account which has also been manually disabled by the administrator.
  DL  Disabled & Locked: A locked account which has also been manually disabled by the administrator.
Implications
This could indicate that these users are not required to change their passwords on a regular basis or that the accounts are inactive and redundant. A password that is not changed on a frequent basis increases the risk of it being compromised over time.
Risk Rating
Medium. If password controls are weak (e.g. Password Never Expires set in user accounts) the risk is high.
Recommended Action
The accounts should be reviewed and deleted if they are no longer required. Otherwise, their password change interval should be brought in line with installation standards.
The Leading Practice is to force users to change their passwords every 30 to 60 days.
Some service accounts, such as for SMS, normally do not have their passwords changed frequently. For those accounts, the account name and password should be such that they are very difficult to guess.
15. Passwords that Never Expire

Section Summary
All Accounts
87.5% (14) of users are never required to change their passwords due to security settings in individual user accounts.
Excluding Disabled Accounts
62.5% (10) of users are never required to change their passwords due to security settings in individual user accounts.
All Administrator Accounts
50.0% (1) of administrator accounts are never required to change their passwords due to security settings in individual user accounts.
Administrator Accounts (Excluding Disabled Accounts)
50.0% (1) of administrator accounts are never required to change their passwords due to security settings in individual user accounts.
Industry Average Comparison
Section Detail
Account Name          Path          State  Privilege
Administrator         Users                Administrator
bradley               TEST GPO PC          User
Guest                 Users         D      Guest
SophosSAUPUFFADDER0   Users                User
SophosUpdateMgr       Users                User
Sun                   Amazon               User
SUPPORT_388945a0      Users         D      User
User4                 Users                User
User5                 Users                User
User6                 Users         E      User
User7                 Users                User
User9                 Users         LE     User
Virtual1              Amazon               User
Virtual2              Amazon               User
Notes
Account Name: This name is unique in the domain.
Path: Container or Organizational Unit the user belongs to. The higher-level containers or organizational units are written first in the path, followed by the lower level containers or organizational units. See the General Note in the System Details section for a general explanation of paths.
Account State: Account is Disabled (D), Locked (L), Expired (E), or a combination of them, e.g. (DL) or (DE).
Implications
If users are not required to change their passwords on a frequent basis, their passwords are likely to become known to other employees and potential intruders. The user profile could then be used to gain unauthorised access to systems and data until the real user changes the password to a new one.
The password change interval is set in the Password Policies. However, the system default can be overridden via the Password Never Expires parameter at user account level.
Risk Rating
Medium to High.
Recommended Action
Password change intervals for these user accounts should be brought in-line with the installation standard.
The Leading Practice for a password change interval is between 30 and 60 days.
You should also check the Accounts Policy to confirm that the Maximum Password Change Interval is set to an acceptable value.
Some service accounts, such as for SMS, normally do not have their passwords changed frequently. For those accounts, the account name and password should be such that they are very difficult to guess.
16. Accounts not Requiring a Password

Section Summary
All Accounts
6.3% (1) of users are allowed to logon with a zero length password due to security settings in individual user accounts.
Excluding Disabled Accounts
0.0% (0) of users are allowed to logon with a zero length password due to security settings in individual user accounts.
All Administrator Accounts
0.0% (0) of administrator accounts are allowed to logon with a zero length password due to security settings in individual user accounts.
Administrator Accounts (Excluding Disabled Accounts)
0.0% (0) of administrator accounts are allowed to logon with a zero length password due to security settings in individual user accounts.
Industry Average Comparison
Section Detail
Account Name  Path   State  Privilege
Guest         Users  D      Guest
Notes
Account Name: This name is unique in the domain.
Path: Container or Organizational Unit the user belongs to. The higher-level containers or organizational units are written first in the path, followed by the lower level containers or organizational units. See the General Note in the System Details section for a general explanation of paths.
Account State: Account is Disabled (D), Locked (L), Expired (E), or a combination of them, e.g. (DL) or (DE).
Implications
The setting that allows zero-length (null) passwords to be defined at user account level is one of the values that cannot be displayed via the standard Windows 'Active Directory Users and Computers' interface. It can only be displayed (or set) via a special programmatic interface.
An Administrator can set passwords for the listed accounts to null regardless of domain-level security settings. The accounts could then be used to login to the system without a password, despite the security policy settings defined at domain-level. However, the system will not allow users to change their own passwords to null provided that domain-level security settings prevent it. This can only be done by an Administrator via the 'Reset Password' function or via a programmatic interface.
Because SekChek for Windows does not analyse user passwords it is not possible to determine which of the listed accounts actually have null passwords assigned to them.
For more information, see SekChek’s white paper MS-Windows Accounts not Requiring a Password at: www.sekchek.com/White-Papers.htm.
Risk Rating
Low to High (dependent on the privileges assigned to the user account).
In general, allowing the use of null passwords is a very high security risk, because it will allow any person in possession of a valid account name to gain access to your system and information resources. However, there may be some special situations where it is appropriate for null passwords to be assigned to some special accounts (e.g. anonymous access with minimal privileges).
Recommended Action
In general, you should ensure strong passwords are assigned to all user accounts defined on your system. The Leading Practice for a minimum password length is 7 characters.
You should also ensure that all accounts allowed null passwords are fully justified.
17. Invalid Logon Attempts Greater than 3

Section Summary
All Accounts
0.0% (0) of user accounts have invalid logon attempts greater than 3.
Excluding Disabled Accounts
0.0% (0) of user accounts have invalid logon attempts greater than 3.
All Administrator Accounts
0.0% (0) of administrator accounts have invalid logon attempts greater than 3.
Administrator Accounts (Excluding Disabled Accounts)
0.0% (0) of administrator accounts have invalid logon attempts greater than 3.
Industry Average Comparison
Section Detail
** No data found **
Notes
Account Name: This name is unique in the domain.
Path: Container or Organizational Unit the user belongs to. The higher-level containers or organizational units are written first in the path, followed by the lower level containers or organizational units. See the General Note in the System Details section for a general explanation of paths.
Account State: Account is Disabled (D), Locked (L), Expired (E), or a combination of them, e.g. (DL) or (DE).
Implications
Invalid logon attempts indicate the number of unsuccessful attempts at signing on to your system with the listed accounts. The value is reset to ‘0’ after a successful sign-on to the system.
Consistently high values could indicate that an intruder is attempting to guess user passwords to gain access to your system.
The Lockout Threshold parameter in the Account Lockout Policies determines the number of failed logon attempts for user accounts before accounts are locked out.
Risk Rating
Low to Medium. (Dependent on the value assigned to the Lockout Threshold parameter in the Account Lockout Policies)
Recommended Action
You should ensure that the Lockout Threshold in the Accounts Policy is set to a reasonable value. A value of 3 is the Leading Practice.
Ideally, the Lockout Duration should be set to 0 (forever) in the Accounts Policy. This ensures that accounts are locked when the lockout threshold is exceeded and can only be unlocked by Administrators.
18. Users not Allowed to Change Passwords

Section Summary
All Accounts
56.3% (9) of the users defined to your system are not allowed to change their passwords.
Excluding Disabled Accounts
37.5% (6) of the users defined to your system are not allowed to change their passwords.
All Administrator Accounts
0.0% (0) of the administrator accounts defined to your system are not allowed to change their passwords.
Administrator Accounts (Excluding Disabled Accounts)
0.0% (0) of the administrator accounts defined to your system are not allowed to change their passwords.
Industry Average Comparison
Section Detail
Account Name          Path    State  Privilege
Guest                 Users   D      Guest
SophosSAUPUFFADDER0   Users          User
SophosUpdateMgr       Users          User
Sun                   Amazon         User
SUPPORT_388945a0      Users   D      User
User7                 Users          User
User9                 Users   LE     User
Virtual1              Amazon         User
Virtual2              Amazon         User
Implications
If users are not permitted to change their passwords on a frequent basis, their passwords are likely to become known to other employees and potential intruders. The user profile could then be used to gain unauthorised access to systems and data until the password is changed to a new one.
The password change interval is set in the Accounts Policy. However, individual accounts can have the User Cannot Change Password parameter set which overrides the policy standard.
A value of Yes in the Account Disabled column indicates that the account has been disabled by a security administrator, is locked due to excessive failed login attempts, or has expired. See Disabled Accounts for details.
Risk Rating
Medium to High.
Recommended Action
The User Cannot Change Password parameter in user accounts should only be set for those accounts where a common sign on is required (The “built in” Guest account is an example of a “common” account). The privileges and group membership of these accounts should be carefully monitored.
Some service accounts, such as for SMS, normally do not have their passwords changed frequently. For those accounts, the account name and password should be such that they are very difficult to guess.
19. Accounts with Expiry Date

Section Summary
All Accounts
12.5% (2) of user accounts are set to expire on a certain date.
  12.5% (2) of accounts have expired
All Administrator Accounts
0.0% (0) of administrator accounts are set to expire on a certain date.
  0.0% (0) of administrator accounts have expired
Section Detail
Account Name  Path   Account Expires  Privilege
User6         Users  06-Oct-2011      User
User9         Users  01-Oct-2011      User
Notes
Account Name: This name is unique in the domain.
Path: Container or Organizational Unit the user belongs to. The higher-level containers or organizational units are written first in the path, followed by the lower level containers or organizational units. See General Note in the System Details section for a general explanation on paths.
Implications
The Account Expires parameter allows you to ensure the account is automatically disabled on the assigned date. When an account expires, a user who is logged on remains logged on but cannot establish new network connections. After logging off, that user cannot log on again unless the expiration date is reset or cleared.
Risk Rating
Low to Medium.
Recommended Action
It is good practice to set an expiration date for temporary accounts or accounts assigned to contractors and part-time workers.
For added security and to help ensure that accounts are disabled when no longer used, you could consider setting expiration dates for all user accounts. Note however, that this will add to the administrative workload and may inconvenience genuine users when their accounts expire and need to be reset by an administrator.
20. Disabled Accounts

Section Summary
All Accounts
18.8% (3) of user accounts have been disabled.
All Administrator Accounts
0.0% (0) of administrator accounts have been disabled.
Industry Average Comparison
Section Detail
Account Name       Path   Last Logon  Privilege
Guest              Users              Guest
krbtgt             Users              User
SUPPORT_388945a0   Users              User
Notes
Account Name: This name is unique in the domain.
Path: Container or Organizational Unit the user belongs to. The higher-level containers or organizational units are written first in the path, followed by the lower level containers or organizational units. See General Note in the System Details section for a general explanation on paths.
Implications
No security risks. A housekeeping issue only.
Accounts are disabled because they have reached the expiration date or have been disabled by the administrator.
Risk Rating
None.
Recommended Action
These accounts should be checked and deleted if no longer required.
21. Locked Out Accounts

Section Summary
All Accounts
6.3% (1) of user accounts are 'locked out'.
All Administrator Accounts
0.0% (0) of administrator accounts are 'locked out'.
Industry Average Comparison
Section Detail
Account Name  Path   Last Logon   Privilege
User9         Users  07-Nov-2013  User
Notes
Account Name: This name is unique in the domain.
Path: Container or Organizational Unit the user belongs to. The higher-level containers or organizational units are written first in the path, followed by the lower level containers or organizational units. See General Note in the System Details section for a general explanation on paths.
Implications
These accounts are locked due to an excessive number of failed logon attempts. This could be an indication that intruders are attempting to access your system.
Lockout Threshold in the accounts policy defines the number of failed logon attempts for user accounts before accounts are locked out.
Risk Rating
Medium to High.
Recommended Action
The reason these accounts have been “locked out” should be investigated and appropriate action taken.
You should ensure that the Lockout Threshold is set to a reasonable value. A value of 3 is the Leading Practice.
Ideally, the Lockout Duration should be set to 0 (forever) in the Accounts Policy. This ensures that accounts are locked when the lockout threshold is exceeded and can only be unlocked by Administrators.
22. Accounts Whose Passwords Must Change at Next Logon

Section Summary
All Accounts
6.3% (1) of user accounts must change their password at next logon.
Excluding Disabled Accounts
0.0% (0) of user accounts must change their password at next logon.
All Administrator Accounts
0.0% (0) of administrator accounts must change their password at next logon.
Administrator Accounts (Excluding Disabled Accounts)
0.0% (0) of administrator accounts must change their password at next logon.
Section Detail
Account Name  Path   State  Privilege
krbtgt        Users  D      User
Notes
Account Name: This name is unique in the domain.
Path: Container or Organizational Unit the user belongs to. The higher-level containers or organizational units are written first in the path, followed by the lower level containers or organizational units. See the General Note in the System Details section for a general explanation of paths.
Account State: Account is Disabled (D), Locked (L), Expired (E), or a combination of them, e.g. (DL) or (DE).
Implications
The list details those accounts that must change their password at next logon. This can be as a result of a new account or as a result of the account password having been reset by an administrator with the indicator User Must Change Password At Next Logon turned on.
If the chosen passwords are default passwords known to most persons, those accounts could be used by anybody to gain illegal access to the domain with the rights/privileges of the account.
Risk Rating
Low to Medium (depending on the password assigned by the administrator).
Recommended Action
It is good practice to set the User Must Change Password At Next Logon indicator for new user accounts or when administrators reset passwords. This will force the user to change the initial or new password allocated at the first or next logon.
The password chosen by the administrator should be unique and not a default password known to most persons.
23. Accounts Created in the Last 90 Days

Section Summary
All Accounts
68.8% (11) of user accounts were created in the last 360 days:
  18.8% (3) were created in the last 30 days
  18.8% (3) were created in the last 60 days
  43.8% (7) were created in the last 90 days
  43.8% (7) were created in the last 180 days
  68.8% (11) were created in the last 360 days
  31.3% (5) were created more than a year ago
All Administrator Accounts
50.0% (1) of administrator accounts were created in the last 360 days:
  0.0% (0) were created in the last 30 days
  0.0% (0) were created in the last 60 days
  0.0% (0) were created in the last 90 days
  0.0% (0) were created in the last 180 days
  50.0% (1) were created in the last 360 days
  50.0% (1) were created more than a year ago
Group Accounts
19.3% (11) of group accounts were created in the last 360 days:
  5.3% (3) were created in the last 30 days
  5.3% (3) were created in the last 60 days
  5.3% (3) were created in the last 90 days
  5.3% (3) were created in the last 180 days
  19.3% (11) were created in the last 360 days
  80.7% (46) were created more than a year ago
Computer Accounts
25.0% (1) of computer accounts were created in the last 360 days:
  0.0% (0) were created in the last 30 days
  0.0% (0) were created in the last 60 days
  0.0% (0) were created in the last 90 days
  0.0% (0) were created in the last 180 days
  25.0% (1) were created in the last 360 days
  75.0% (3) were created more than a year ago
Note: This is an exception report, so it only lists accounts created in the last 90 days. For details of accounts created more than 90 days ago, see column 'Created' in worksheets _All_User_Accounts and Group_Accounts in the MS-Excel workbook.
Section Detail
Create Date  Account Name  Path    Account Type  Privilege
07-Nov-2013  Cloud 1       Amazon  Group         -
07-Nov-2013  Cloud 2       Amazon  Group         -
07-Nov-2013  Nature        Amazon  Group         -
07-Nov-2013  Sun           Amazon  User          User
07-Nov-2013  Virtual1      Amazon  User          User
07-Nov-2013  Virtual2      Amazon  User          User
29-Aug-2013  User5         Users   User          User
29-Aug-2013  User6         Users   User          User
29-Aug-2013  User7         Users   User          User
29-Aug-2013  User9         Users   User          User
Notes
Account Name: This name is unique in the domain.
Path: Container or Organizational Unit the account belongs to. The higher-level containers or organizational units are written first in the path, followed by the lower level containers or organizational units. See the General Note in the System Details section for a general explanation of paths.
Account Type: User or Group.
Implications
The authorisation of new accounts, as well as changes to existing accounts, are key management controls that underpin the security of system and information resources.
If accounts are defined without management’s knowledge or authorisation, they could be used to gain illegal access to your domain and system resources with little fear of detection.
Risk Rating
High (if accounts are defined without appropriate management authorisation).
Recommended Action
You should ensure management authorisation was formally provided prior to defining new accounts. Supporting documentation should minimally include: a reason for creating the account; the security groups the account should belong to; and the system resources required by the account owner.
Before management gives an employee access to a user account they should ensure the employee is made aware of the organisation’s security policies and the employee’s responsibilities for system security.
Independent audits of new accounts should be conducted on a regular basis to ensure management controls are appropriate and are being applied in a consistent and effective manner.
24. Rights and Privileges
The following seven subsections provide general recommendations regarding rights, and analyses of the Effective rights assigned to Local, Global and Universal groups, user accounts, Well Known objects and external objects:
  Descriptions & General Recommendations for Rights
  Rights Assigned to Local Groups
  Rights Assigned to Universal Groups (Native mode only)
  Rights Assigned to Global Groups
  Rights Assigned to Users
  Rights Assigned to Well-Known Objects
  Rights Assigned to External Objects
Notes
In Windows 200x* domains, each domain controller can have different "local policy" settings. The domain controllers usually inherit the same "local policy" settings by belonging to one Organizational Unit (e.g. Domain Controllers) to which the same policies apply. However, by having domain controllers, for example, in different Organizational Units, different "local policies" can be applied to domain controllers.
This has important security implications: an account can, for example, be granted powerful rights on one or more domain controllers while being denied the same rights on other domain controllers.
Implications
Rights and privileges allow users to perform certain actions on the system, such as the ability to Backup Files & Directories. Rights/Privileges apply to the system as a whole and are different to permissions, which apply to specific objects.
User rights fall into two general categories: logon rights and privileges. Logon rights control who is authorized to log on to a computer and how they can log on. Privileges control access to system resources, and they can override the permissions that are set on a particular object on the computer.
The special account LocalSystem has built-in capabilities that correspond to almost all privileges and logon rights. Processes that are running as part of the operating system are associated with this account, and they require a complete set of user rights. The system services that are supplied with Windows 200x* are configured automatically to run as LocalSystem. Although other services can be configured to also run under this account, it is recommended that this be done with care.
Logon rights control how security principals are allowed access to the computer, whether from the keyboard or through a network connection, or whether as a service or as a batch job. For each logon method, there exists a pair of logon rights, one to allow logging on to the computer and another to deny logging on to the computer. A deny logon right can be used to exclude groups or individual accounts that have been assigned an allow logon right. Deny rights take precedence over allow rights.
Rights and privileges are assigned to specific accounts directly via the User Rights policy, or indirectly via group membership.
Note that members of a Local, Global or Universal group automatically inherit all rights granted to that group. This includes Global groups or users from other domains that are members of a Local or Universal group.
To ease the task of account administration, it is recommended that Rights are primarily assigned to groups rather than to individual user accounts. When Rights are assigned to a group, the Rights are assigned automatically to each user who is added to the group. This is easier than assigning Rights to individual user accounts as each account is created.
If users are given inappropriate rights it can lead to a high security risk.
Risk Rating
Medium to high depending on the rights granted to groups and users.
Recommended Action
Rights should be justified according to the person’s job function.
In general, rights should be assigned by adding user accounts to one of the built-in groups that already has the needed rights, rather than by administering the User Rights policy.
The recommendations on the following page serve as a guideline only. Powerful rights should only be granted to users or special accounts (e.g. SMS account) when absolutely necessary. They should also be reviewed on a regular basis.
24.1 Descriptions & General Recommendations for Rights
Right: Access this computer from the network
Description: Allows a user to connect to the computer from the network. By default, this right is assigned to Administrators, Everyone, and Power Users.
Recommendation: Initially granted to Administrators, Everyone and Power Users. Restrict as required.

Right: Act as part of the operating system
Description: Allows a process to authenticate like a user and thus gain access to the same resources as a user. Only low-level authentication services should require this privilege. Note that potential access is not limited to what is associated with the user by default; the calling process might request that arbitrary additional privileges be added to the access token. Note that the calling process can also build an anonymous token that does not provide a primary identity for tracking events in the audit log. When a service requires this privilege, configure the service to use the LocalSystem account (which already includes the privilege), rather than create a separate account and assign the privilege to it.
Recommendation: Grant to no one.

Right: Add workstations to domain
Description: Allows a user to add workstations to the domain. Adding a workstation to a domain enables the workstation to recognize the domain's user and global group accounts. By default, members of a domain's Administrators and Account Operators groups have the right to add a workstation to a domain. This right cannot be taken away. They can also grant this right to other users.
Recommendation: Grant to Administrators and Account Operators.

Right: Adjust memory quotas for a process
Description: Allows a process that has Write Property access to another process to increase the processor quota that is assigned to the other process. This privilege is useful for system tuning, but it can be abused, as in a denial-of-service attack. By default, this privilege is assigned to Administrators.
Recommendation: Grant to no one.

Right: Allow log on locally
Description: Allows a user to log on locally at the computer's keyboard. For servers and domain controllers, by default, this right is assigned to Administrators, Account Operators, Backup Operators, Print Operators, and Server Operators.
Recommendation: For servers and domain controllers (i.e. not workstations), grant to Administrators and Operators only.

Right: Allow log on through Terminal Services
Description: Windows XP (or later) only. Allows a user to log on to the computer by using a Remote Desktop connection.
Recommendation: By default, this right is assigned to Administrators and Remote Desktop Users.

Right: Backup files and directories
Description: Allows the user to circumvent file and directory permissions to back up the system. The privilege is selected only when an application attempts access through the NTFS backup application programming interface (API). Otherwise, normal file and directory permissions apply. By default, this privilege is assigned to Administrators and Backup Operators. (See also "Restore files and directories" in this table.)
Recommendation: Grant only to Administrators and Backup Operators.

Right: Bypass traverse checking
Description: Allows the user to pass through folders to which the user otherwise has no access while navigating an object path in any Microsoft® Windows® file system or in the registry. This privilege does not allow the user to list the contents of a folder; it allows the user only to traverse its directories. By default, this privilege is assigned to Administrators, Backup Operators, Power Users, Users, and Everyone.
Recommendation: Restrict as required. It is enabled by default for all users.

Right: Change the system time
Description: Allows the user to set the time for the internal clock of the computer. By default, this privilege is assigned to Administrators and Power Users.
Recommendation: Grant to Administrators only.

Right: Create a page file
Description: Allows the user to create and change the size of a pagefile. This is done by specifying a paging file size for a particular drive under Performance Options on the Advanced tab of System Properties. By default, this privilege is assigned to Administrators.
Recommendation: Grant to Administrators only.

Right: Create a token object
Description: Allows a process to create an access token by calling NtCreateToken() or other token-creating APIs. When a process requires this privilege, use the LocalSystem account (which already includes the privilege), rather than create a separate user account and assign this privilege to it.
Recommendation: Grant to no one.

Right: Create global objects
Description: Windows 2000 (SP4 or later) only. Allows a user account to create global objects in a Terminal Services session. Note that users can still create session-specific objects without being assigned this user right.
Recommendation: By default, members of the Administrators group, the System account, and Services that are started by the Service Control Manager are assigned the "Create global objects" user right.

Right: Create permanent shared objects
Description: Allows a process to create a directory object in the Windows object manager. This privilege is useful to kernel-mode components that extend the Windows object namespace. Components that are running in kernel mode already have this privilege assigned to them; it is not necessary to assign them the privilege.
Recommendation: Grant to no one or to Administrators only.

Right: Debug programs
Description: Allows the user to attach a debugger to any process. This privilege provides access to sensitive and critical operating system components. By default, this privilege is assigned to Administrators.
Recommendation: Grant to no one unless required for development purposes.

Right: Deny access to this computer from the network
Description: Prohibits a user or group from connecting to the computer from the network. By default, no one is denied this right.
Recommendation: Grant as required.

Right: Deny log on as a batch job
Description: Prohibits a user or group from logging on through a batch-queue facility. By default, no one is denied the right to log on as a batch job.
Recommendation: Grant as required.

Right: Deny log on as a service
Description: Prohibits a user or group from logging on as a service. By default, no one is denied the right to log on as a service.
Recommendation: Grant as required.

Right: Deny log on locally
Description: Prohibits a user or group from logging on locally at the keyboard. By default, no one is denied this right.
Recommendation: Grant as required.

Right: Deny log on through Terminal Services
Description: Windows XP (or later) only. Prohibits a user from logging on to the computer using a Remote Desktop connection.
Recommendation: Grant as required.

Right: Enable accounts to be trusted for delegation
Description: Allows the user to change the Trusted for Delegation setting on a user or computer object in Active Directory. The user or computer that is granted this privilege must also have write access to the account control flags on the object. Delegation of authentication is a capability that is used by multi-tier client/server applications. It allows a front-end service to use the credentials of a client in authenticating to a back-end service.
Recommendation: Grant to Administrators only. Misuse of this privilege could make the network vulnerable to sophisticated attacks using Trojan horse programs that impersonate incoming clients and use their credentials to gain access to network resources.

Right: Force shutdown from a remote system
Description: Allows a user to shut down a computer from a remote location on the network. (See also "Shut down the system" in this table.) By default, this privilege is assigned to Administrators.
Recommendation: Grant to Administrators only.

Right: Generate security audits
Description: Allows a process to generate entries in the security log. The security log is used to trace unauthorized system access. (See also "Manage auditing and security log" in this table.)
Recommendation: Give this right to secure servers.

Right: Impersonate a Client after authentication
Description: Windows 2000 (SP4 or later) only. Permits programs that run on behalf of the user to impersonate a client. This security setting helps to prevent unauthorized servers from impersonating clients that connect to them through methods such as remote procedure calls (RPC) or named pipes.
Recommendation: By default, members of the Administrators group and the System account are assigned the right.

Right: Increase scheduling priority
Description: Allows a process that has Write Property access to another process to increase the execution priority of the other process. A user with this privilege can change the scheduling priority of a process in the Task Manager dialog box. By default, this privilege is assigned to Administrators.
Recommendation: Grant to Administrators only.

Right: Load and unload device drivers
Description: Allows a user to install and uninstall Plug and Play device drivers. This privilege does not apply to device drivers that are not Plug and Play; these device drivers can be installed only by Administrators. Note that device drivers run as trusted (highly privileged) programs; a user can abuse this privilege by installing hostile programs and giving them destructive access to resources. By default, this privilege is assigned to Administrators.
Recommendation: Grant to Administrators only.

Right: Lock pages in memory
Description: Allows a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Assigning this privilege can result in significant degradation of system performance. This privilege is obsolete and is therefore never selected.
Recommendation: Grant to no one.

Right: Log on as a batch job
Description: Allows a user to log on by using a batch-queue facility. By default, this right is assigned to Administrators.
Recommendation: Grant to no one.

Right: Log on as a service
Description: Allows a security principal to log on as a service. Services can be configured to run under the LocalSystem account, which has a built-in right to log on as a service. Any service that runs under a separate account must be assigned the right. By default, this right is not assigned to anyone.
Recommendation: Grant to no one.

Right: Manage auditing and security log
Description: Allows a user to specify object access auditing options for individual resources such as files, Active Directory objects, registry keys and other objects. Object access auditing is not actually performed unless you have enabled it in Audit Policy (under Security Settings, Local Policies). A user who has this privilege can also view and clear the security log from Event Viewer. By default, this privilege is assigned to Administrators.
Recommendation: Grant to Administrators only.

Right: Modify firmware environment values
Description: Allows modification of system environment variables either by a process through an API or by a user through System Properties. By default, this privilege is assigned to Administrators.
Recommendation: Grant to Administrators only.

Right: Perform volume maintenance tasks
Description: Windows XP (or later) only. Allows a non-administrative or remote user to manage volumes or disks. The operating system checks for the privilege in a user's access token when a process running in the user's security context calls SetFileValidData().
Recommendation: By default, this right is assigned to members of the Administrators group.

Right: Profile single process
Description: Allows a user to run Microsoft® Windows NT® and Windows 2000 performance-monitoring tools to monitor the performance of nonsystem processes. By default, this privilege is assigned to Administrators and Power Users.
Recommendation: Grant to Administrators only.

Right: Profile system performance
Description: Allows a user to run Windows NT and Windows 2000 performance-monitoring tools to monitor the performance of system processes. By default, this privilege is assigned to Administrators.
Recommendation: Grant to Administrators or Operators.

Right: Remove computer from docking station
Description: Allows the user of a portable computer to undock the computer by clicking Eject PC on the Start menu. By default, this privilege is assigned to Administrators, Power Users, and Users.
Recommendation: Grant as required.

Right: Replace a process-level token
Description: Allows a parent process to replace the access token that is associated with a child process.
Recommendation: Grant to no one. This is a powerful right used only by the system.

Right: Restore files and directories
Description: Allows a user to circumvent file and directory permissions when restoring backed-up files and directories and to set any valid security principal as the owner of an object. (See also "Backup files and directories" in this table.) By default, this privilege is assigned to Administrators and Backup Operators.
Recommendation: Grant to Administrators and Backup Operators only. This right overrides file and directory permissions.

Right: Shut down the system
Description: Allows a user to shut down the local computer. At domain level this applies to all domain controllers in the domain. On a server or workstation, this applies to that machine only.
Recommendation: Grant to Administrators and Operators only, especially for domain controllers or servers. On workstations, this can be granted to all users.

Right: Synchronize directory service data
Description: Allows a process to provide directory synchronization services. This privilege is relevant only on domain controllers. By default, this privilege is assigned to the Administrator and LocalSystem accounts on domain controllers.
Recommendation: Grant to Administrators only.

Right: Take ownership of files or other objects
Description: Allows a user to take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. At domain level this applies to all domain controllers in the domain. On a server or workstation, this applies to that machine only.
Recommendation: Grant to Administrators only. This right overrides permissions protecting the object(s).
24.2 Rights Assigned to Local Groups
Local groups can acquire rights indirectly via membership of another group or groups (the column Group Account Name, shown as Via Groups in the table below) or by direct assignment (the column Group Account Name is empty). E.g.:
Local Group has Right via membership of Local1*Local2*Local3
In Native Mode domains, a Local Security Group can be a member of other Local Security Groups. Rights can propagate through nested security groups. In those cases, the Group Account Name will be written in the format of: Group1*Group2*Group3…, starting from the higher-level group from which the group acquires the right.
In Mixed Mode domains, a Local Security Group cannot be a member of another Local Security Group.
For a complete list of groups see report section Groups Defined in the Domain.
Local Group / Right / Via Groups (the Via Groups column is empty for every row below, i.e. all of these rights are assigned directly):

Local Group: Account Operators
  Allow log on locally

Local Group: Administrators
  Access this computer from the network
  Adjust memory quotas for a process
  Allow log on locally
  Allow log on through Terminal Services
  Backup files and directories
  Bypass traverse checking
  Change the system time
  Create a page file
  Create global objects
  Debug programs
  Enable accounts to be trusted for delegation
  Force shutdown from a remote system
  Impersonate a Client after authentication
  Increase scheduling priority
  Load and unload device drivers
  Manage auditing and security log
  Modify firmware environment values
  Perform volume maintenance tasks
  Profile single process
  Profile system performance
  Remove computer from docking station
  Restore files and directories
  Shut down the system
  Take ownership of files or other objects

Local Group: Backup Operators
  Allow log on locally
  Backup files and directories
  Restore files and directories
  Shut down the system

Local Group: Pre-Windows 2000 Compatible Access
  Access this computer from the network
  Bypass traverse checking

Local Group: Print Operators
  Allow log on locally
  Load and unload device drivers
  Shut down the system

Local Group: Server Operators
  Allow log on locally
  Backup files and directories
  Change the system time
  Force shutdown from a remote system
  Restore files and directories
  Shut down the system

Local Group: SQLServer2005SQLBrowserUser$PUFFADDER
  Log on as a service
24.3 Rights Assigned to Universal Groups (Native mode only)
Universal groups can acquire rights indirectly via membership of another Universal or Local security group or groups (the column Group Account Name, shown as Via Groups in the table below) or by direct assignment (the column Group Account Name is empty). E.g.:
Universal Group has Right via membership of Local1*Local2*Universal1*Universal2 or Universal1*Universal2*Universal3
In Native Mode domains, a Universal Security Group can be a member of other Universal or Local Security Groups. Rights can propagate through nested security groups. In those cases, the Group Account Name will be written in the format of: Group1*Group2*Group3…, starting from the higher-level group from which the group acquires the right.
In Mixed Mode domains, Universal Security Groups cannot be created.
For a complete list of groups see report section Groups Defined in the Domain.
** No data found **
24.4 Rights Assigned to Global Groups
Global groups can acquire rights indirectly via membership of another group or groups (the column Group Account Name, shown as Via Groups in the table below) or by direct assignment (the column Group Account Name is empty). E.g.:
Global Group has Right via membership of LocalGroup, or Local1*Local2*Universal1*Global1, or Universal1*Universal2*Global1, or Global1*Global2*Global3
In Native Mode domains a Global Security Group can be a member of other Global, Universal or Local Security Groups. Rights can propagate through nested security groups. In those cases, the Group Account Name will be written in the format of: Group1*Group2*Group3…, starting from the higher-level group from which the group acquires the right.
In Mixed Mode domains a Global Security Group can be a member of Local Security Groups only.
For a complete list of groups see report section Groups Defined in the Domain.
Global Group / Right / Via Groups:

Global Group: Domain Admins (every right below is acquired via membership of Administrators)
  Access this computer from the network
  Adjust memory quotas for a process
  Allow log on locally
  Allow log on through Terminal Services
  Backup files and directories
  Bypass traverse checking
  Change the system time
  Create a page file
  Create global objects
  Debug programs
  Enable accounts to be trusted for delegation
  Force shutdown from a remote system
  Impersonate a Client after authentication
  Increase scheduling priority
  Load and unload device drivers
  Manage auditing and security log
  Modify firmware environment values
  Perform volume maintenance tasks
  Profile single process
  Profile system performance
  Remove computer from docking station
  Restore files and directories
  Shut down the system
  Take ownership of files or other objects
24.5 Rights Assigned to Users
The following two reports list all rights assigned to users, including rights assigned directly to users (the column Group Account Name is empty), and rights acquired indirectly via membership of groups or nested groups (the column Group Account Name). The first report is Grouped by Right and the second is Grouped by User Account.
In cases of rights acquired indirectly, the Group Account Name will be written in the format of: Group1*Group2*Group3…, starting from the higher-level group from which the user acquires the right. E.g.:
User Account has Right via membership of Group1*Group2*Group3
Consult reports Rights Assigned to Local Groups, Rights Assigned to Universal Groups (Native mode only) and Rights Assigned to Global Groups for a complete list of rights assigned to all Groups.
For a complete list of groups see report section Groups Defined in the Domain.
Section Summary
12.5% (2) of user accounts have right 'Access this computer from the network'
6.3% (1) of user accounts have right 'Deny access to this computer from the network'
12.5% (2) of user accounts have right 'Access this computer from the network (Effective)'
0.0% (0) of user accounts have right 'Act as part of the operating system'
0.0% (0) of user accounts have right 'Add workstations to domain'
12.5% (2) of user accounts have right 'Adjust memory quotas for a process'
12.5% (2) of user accounts have right 'Backup files and directories'
12.5% (2) of user accounts have right 'Bypass traverse checking'
12.5% (2) of user accounts have right 'Change the system time'
0.0% (0) of user accounts have right 'Create a token object'
12.5% (2) of user accounts have right 'Create global objects'
12.5% (2) of user accounts have right 'Create a page file'
0.0% (0) of user accounts have right 'Create permanent shared objects'
12.5% (2) of user accounts have right 'Debug programs'
12.5% (2) of user accounts have right 'Force shutdown from a remote system'
0.0% (0) of user accounts have right 'Generate security audits'
12.5% (2) of user accounts have right 'Impersonate a Client after authentication'
12.5% (2) of user accounts have right 'Increase scheduling priority'
12.5% (2) of user accounts have right 'Load and unload device drivers'
0.0% (0) of user accounts have right 'Lock pages in memory'
6.3% (1) of user accounts have right 'Log on as a batch job'
0.0% (0) of user accounts have right 'Deny log on as a batch job'
6.3% (1) of user accounts have right 'Log on as a batch job (Effective)'
6.3% (1) of user accounts have right 'Log on as a service'
0.0% (0) of user accounts have right 'Deny log on as a service'
6.3% (1) of user accounts have right 'Log on as a service (Effective)'
12.5% (2) of user accounts have right 'Log on locally'
12.5% (2) of user accounts have right 'Deny user from logging on locally'
12.5% (2) of user accounts have right 'Log on locally (Effective)'
12.5% (2) of user accounts have right 'Allow log on through Terminal Services'
0.0% (0) of user accounts have right 'Deny log on through Terminal Services'
12.5% (2) of user accounts have right 'Log on through Terminal Services (Effective)'
12.5% (2) of user accounts have right 'Manage auditing and security log'
12.5% (2) of user accounts have right 'Modify firmware environment values'
12.5% (2) of user accounts have right 'Perform volume maintenance tasks'
12.5% (2) of user accounts have right 'Profile single process'
12.5% (2) of user accounts have right 'Profile system performance'
0.0% (0) of user accounts have right 'Replace a process-level token'
12.5% (2) of user accounts have right 'Restore files and directories'
12.5% (2) of user accounts have right 'Shut down the system'
12.5% (2) of user accounts have right 'Take ownership of files or other objects'
12.5% (2) of user accounts have right 'Set the Trusted for Delegation setting'
12.5% (2) of user accounts have right 'Undock a laptop with the Windows 2000 interface'
0.0% (0) of user accounts have right 'Synchronize directory service data'
Grouped by Right
Note. Where the Account Name is blank this means that the Privilege is assigned to nobody.
Right / Account Name / Via Groups (an account listed as "direct" has the right assigned to it directly, i.e. the Via Groups column is empty):

Right: Access this computer from the network
  Administrator (via Administrators)
  Administrator (via Administrators*Domain Admins)
  Administrator (via Administrators*Enterprise Admins)
  GpLinkTest (via Administrators)

Right: Access this computer from the network (Effective)
  Administrator (via Administrators)
  Administrator (via Administrators*Domain Admins)
  Administrator (via Administrators*Enterprise Admins)
  GpLinkTest (via Administrators)

Right: Act as part of the operating system
  (assigned to nobody)

Right: Adjust memory quotas for a process
  Administrator (via Administrators)
  Administrator (via Administrators*Domain Admins)
  Administrator (via Administrators*Enterprise Admins)
  GpLinkTest (via Administrators)

Right: Allow log on locally
  Administrator (via Administrators)
  Administrator (via Administrators*Domain Admins)
  Administrator (via Administrators*Enterprise Admins)
  GpLinkTest (via Administrators)

Right: Allow log on through Terminal Services
  Administrator (via Administrators)
  Administrator (via Administrators*Domain Admins)
  Administrator (via Administrators*Enterprise Admins)
  GpLinkTest (via Administrators)

Right: Backup files and directories
  Administrator (via Administrators)
  Administrator (via Administrators*Domain Admins)
  Administrator (via Administrators*Enterprise Admins)
  GpLinkTest (via Administrators)

Right: Bypass traverse checking
  Administrator (via Administrators)
  Administrator (via Administrators*Domain Admins)
  Administrator (via Administrators*Enterprise Admins)
  GpLinkTest (via Administrators)

Right: Change the system time
  Administrator (via Administrators)
  Administrator (via Administrators*Domain Admins)
  Administrator (via Administrators*Enterprise Admins)
  GpLinkTest (via Administrators)

Right: Create a page file
  Administrator (via Administrators)
  Administrator (via Administrators*Domain Admins)
  Administrator (via Administrators*Enterprise Admins)
  GpLinkTest (via Administrators)

Right: Create a token object
  (assigned to nobody)

Right: Create global objects
  Administrator (via Administrators)
  Administrator (via Administrators*Domain Admins)
  Administrator (via Administrators*Enterprise Admins)
  GpLinkTest (via Administrators)

Right: Create permanent shared objects
  (assigned to nobody)

Right: Debug programs
  Administrator (via Administrators)
  Administrator (via Administrators*Domain Admins)
  Administrator (via Administrators*Enterprise Admins)
  GpLinkTest (via Administrators)

Right: Deny access to this computer from the network
  SUPPORT_388945a0 (direct)

Right: Deny log on as a batch job
  (assigned to nobody)

Right: Deny log on as a service
  (assigned to nobody)

Right: Deny log on locally
  SophosSAUPUFFADDER0 (direct)
  SUPPORT_388945a0 (direct)

Right: Deny log on through Terminal Services
  (assigned to nobody)

Right: Enable accounts to be trusted for delegation
  Administrator (via Administrators)
  Administrator (via Administrators*Domain Admins)
  Administrator (via Administrators*Enterprise Admins)
  GpLinkTest (via Administrators)

Right: Force shutdown from a remote system
  Administrator (via Administrators)
  Administrator (via Administrators*Domain Admins)
  Administrator (via Administrators*Enterprise Admins)
  GpLinkTest (via Administrators)

Right: Generate security audits
  (assigned to nobody)

Right: Impersonate a Client after authentication
  Administrator (via Administrators)
  Administrator (via Administrators*Domain Admins)
  Administrator (via Administrators*Enterprise Admins)
  GpLinkTest (via Administrators)

Right: Increase scheduling priority
  Administrator (via Administrators)
  Administrator (via Administrators*Domain Admins)
  Administrator (via Administrators*Enterprise Admins)
  GpLinkTest (via Administrators)

Right: Load and unload device drivers
  Administrator (via Administrators)
  Administrator (via Administrators*Domain Admins)
  Administrator (via Administrators*Enterprise Admins)
  GpLinkTest (via Administrators)

Right: Lock pages in memory
  (assigned to nobody)

Right: Log on as a batch job
  SUPPORT_388945a0 (direct)

Right: Log on as a batch job (Effective)
  SUPPORT_388945a0 (direct)

Right: Log on as a service
  SophosSAUPUFFADDER0 (direct)

Right: Log on as a service (Effective)
  SophosSAUPUFFADDER0 (direct)

Right: Manage auditing and security log
  Administrator (via Administrators)
  Administrator (via Administrators*Domain Admins)
  Administrator (via Administrators*Enterprise Admins)
  GpLinkTest (via Administrators)

Right: Modify firmware environment values
  Administrator (via Administrators)
  Administrator (via Administrators*Domain Admins)
  Administrator (via Administrators*Enterprise Admins)
  GpLinkTest (via Administrators)

Right: Perform volume maintenance tasks
  Administrator (via Administrators)
  Administrator (via Administrators*Domain Admins)
  Administrator (via Administrators*Enterprise Admins)
  GpLinkTest (via Administrators)

Right: Profile single process
  Administrator (via Administrators)
  Administrator (via Administrators*Domain Admins)
  Administrator (via Administrators*Enterprise Admins)
  GpLinkTest (via Administrators)

Right: Profile system performance
  Administrator (via Administrators)
  Administrator (via Administrators*Domain Admins)
  Administrator (via Administrators*Enterprise Admins)
  GpLinkTest (via Administrators)

Right: Remove computer from docking station
  Administrator (via Administrators)
  Administrator (via Administrators*Domain Admins)
  Administrator (via Administrators*Enterprise Admins)
  GpLinkTest (via Administrators)

Right: Replace a process-level token
  (assigned to nobody)

Right: Restore files and directories
  Administrator (via Administrators)
  Administrator (via Administrators*Domain Admins)
  Administrator (via Administrators*Enterprise Admins)
  GpLinkTest (via Administrators)

Right: Shut down the system
  Administrator (via Administrators)
  Administrator (via Administrators*Domain Admins)
  Administrator (via Administrators*Enterprise Admins)
  GpLinkTest (via Administrators)

Right: Synchronize directory service data
  (assigned to nobody)

Right: Take ownership of files or other objects
  Administrator (via Administrators)
  Administrator (via Administrators*Domain Admins)
  Administrator (via Administrators*Enterprise Admins)
  GpLinkTest (via Administrators)
Grouped by User Account
Note. Where the Account Name is blank this means that the Privilege is assigned to nobody.
Account Name | Right | Via Groups
 | Act as part of the operating system |
 | Create a token object |
 | Create permanent shared objects |
 | Deny log on as a batch job |
 | Deny log on as a service |
 | Deny log on through Terminal Services |
 | Generate security audits |
 | Lock pages in memory |
 | Replace a process-level token |
 | Synchronize directory service data |
Administrator | Access this computer from the network | Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
 | Access this computer from the network (Effective) | Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
 | Adjust memory quotas for a process | Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
 | Allow log on locally | Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
 | Allow log on through Terminal Services | Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
 | Backup files and directories | Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
 | Bypass traverse checking | Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
 | Change the system time | Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
 | Create a page file | Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
 | Create global objects | Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
 | Debug programs | Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
 | Enable accounts to be trusted for delegation | Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
 | Force shutdown from a remote system | Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
 | Impersonate a Client after authentication | Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
 | Increase scheduling priority | Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
 | Load and unload device drivers | Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
 | Manage auditing and security log | Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
 | Modify firmware environment values | Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
 | Perform volume maintenance tasks | Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
 | Profile single process | Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
 | Profile system performance | Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
 | Remove computer from docking station | Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
 | Restore files and directories | Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
 | Shut down the system | Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
 | Take ownership of files or other objects | Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
GpLinkTest | Access this computer from the network | Administrators
 | Access this computer from the network (Effective) | Administrators
 | Adjust memory quotas for a process | Administrators
 | Allow log on locally | Administrators
 | Allow log on through Terminal Services | Administrators
 | Backup files and directories | Administrators
 | Bypass traverse checking | Administrators
 | Change the system time | Administrators
 | Create a page file | Administrators
 | Create global objects | Administrators
 | Debug programs | Administrators
 | Enable accounts to be trusted for delegation | Administrators
 | Force shutdown from a remote system | Administrators
 | Impersonate a Client after authentication | Administrators
 | Increase scheduling priority | Administrators
 | Load and unload device drivers | Administrators
 | Manage auditing and security log | Administrators
 | Modify firmware environment values | Administrators
 | Perform volume maintenance tasks | Administrators
 | Profile single process | Administrators
 | Profile system performance | Administrators
 | Remove computer from docking station | Administrators
 | Restore files and directories | Administrators
 | Shut down the system | Administrators
 | Take ownership of files or other objects | Administrators
SophosSAUPUFFADDER0 | Deny log on locally |
 | Log on as a service |
 | Log on as a service (Effective) |
SUPPORT_388945a0 | Deny access to this computer from the network |
 | Deny log on locally |
 | Log on as a batch job |
 | Log on as a batch job (Effective) |
24.6 Rights Assigned to Well-Known Objects
Notes
Well-Known Objects are special identities defined by the Windows 200x* security system, such as Everyone, Local System, Principal Self, Authenticated Users, Creator Owner, and so on.
The following report lists rights assigned to Well-Known Objects, including rights assigned directly (the Via Groups column is empty) and rights acquired indirectly via membership of groups or nested groups (the Via Groups column names the group).
In cases of rights acquired indirectly, the Via Groups column is written in the format Group1*Group2*Group3…, starting from the higher-level group from which the object acquires the right, e.g. "Well-Known Object has Right via membership of Group1*Group2*Group3".
Note that in the table below Authenticated Users holds Access this computer from the network and Bypass traverse checking both directly and via Pre-Windows 2000 Compatible Access. Confirm that this group still contains only Authenticated Users: adding Everyone or Anonymous Logon to it extends these rights, and read access to the directory, to unauthenticated callers.
Consult the reports Rights Assigned to Local Groups, Rights Assigned to Universal Groups (Native mode only) and Rights Assigned to Global Groups for a complete list of rights assigned to all Groups.
For a complete list of groups see report section Groups Defined in the Domain.
Account Name | Right | Via Groups
Authenticated Users | Access this computer from the network |
 | Access this computer from the network | Pre-Windows 2000 Compatible Access
 | Add workstations to domain |
 | Bypass traverse checking |
 | Bypass traverse checking | Pre-Windows 2000 Compatible Access
Enterprise Domain Controllers | Access this computer from the network |
Everyone | Access this computer from the network |
 | Bypass traverse checking |
Service | Create global objects |
 | Impersonate a Client after authentication |
SYSTEM | Log on as a service |
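The rights tables in 24.5 and 24.6 are produced by SekChek's own collector. The following is an added example, not part of the report or of SekChek, that reproduces the same view from the machine itself: it exports the effective user rights assignments with secedit.exe (on a domain controller these are what the Default Domain Controllers Policy and any other linked GPOs have applied), resolves the SIDs to names, and flags powerful rights held by any trustee outside an allow-list. The $expected allow-list and the $friendly name table are our assumptions; adjust them to your own standard. A finding like GpLinkTest holding Debug programs via Administrators, as in the tables above, shows up in the Review column.

```powershell
# Added example; not part of the SekChek report or its tooling.
# Run from an elevated PowerShell on the DC being reviewed.

$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
if (-not (Test-Path $inf)) { throw 'secedit export failed (run elevated)' }

# secedit privilege constants -> the names the report prints (our mapping).
$friendly = [ordered]@{
    SeTcbPrivilege                = 'Act as part of the operating system'
    SeCreateTokenPrivilege        = 'Create a token object'
    SeDebugPrivilege              = 'Debug programs'
    SeEnableDelegationPrivilege   = 'Enable accounts to be trusted for delegation'
    SeBackupPrivilege             = 'Backup files and directories'
    SeRestorePrivilege            = 'Restore files and directories'
    SeTakeOwnershipPrivilege      = 'Take ownership of files or other objects'
    SeLoadDriverPrivilege         = 'Load and unload device drivers'
    SeImpersonatePrivilege        = 'Impersonate a Client after authentication'
    SeAssignPrimaryTokenPrivilege = 'Replace a process-level token'
    SeSecurityPrivilege           = 'Manage auditing and security log'
    SeSyncAgentPrivilege          = 'Synchronize directory service data'
    SeManageVolumePrivilege       = 'Perform volume maintenance tasks'
    SeRemoteInteractiveLogonRight = 'Allow log on through Terminal Services'
}

# Trustees that may hold these rights on a DC without a question being asked (assumption).
$expected = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SERVICE',
              'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE')

function Resolve-Trustee([string]$token) {
    # secedit writes SIDs as *S-1-5-...; names it could resolve itself appear bare.
    if (-not $token.StartsWith('*')) { return $token }
    $sid = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $token.Substring(1)
    try   { return $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { return $sid.Value }   # orphaned SID: keep it visible, it is itself a finding
}

# Parse the [Privilege Rights] section: "SeDebugPrivilege = *S-1-5-32-544,*S-1-5-..."
$rights = @{}
$inSection = $false
foreach ($line in Get-Content -Path $inf) {
    if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if (-not $inSection -or $line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
    $priv = $Matches[1]
    $rights[$priv] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim() } |
                       Where-Object { $_ } | ForEach-Object { Resolve-Trustee $_ })
}
Remove-Item $inf -ErrorAction SilentlyContinue

# A right missing from the export, or listed with no trustee, is assigned to nobody,
# which is what the report shows for e.g. "Act as part of the operating system".
$report = foreach ($priv in $friendly.Keys) {
    $held = if ($rights.ContainsKey($priv)) { $rights[$priv] } else { @() }
    [pscustomobject]@{
        Right     = $friendly[$priv]
        Privilege = $priv
        Trustees  = ($held -join '; ')
        Review    = (@($held | Where-Object { $_ -notin $expected }) -join '; ')
    }
}
$report | Format-Table -AutoSize -Wrap
```

secedit reports group trustees, not the users who inherit the right through them, so to get the report's "Via Groups" view expand the Review column's groups with Get-ADGroupMember -Recursive; a user that appears only because of a nested group is exactly the case the Group1*Group2 notation above is meant to surface.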
24.7 Rights Assigned to External Objects
Notes
External objects are users, groups or computers that belong to other domains.
When "Unknown" is shown, the server or domain where the object is registered could not be reached to obtain the information.
When a server or domain cannot be reached, it is either not available through the network or it no longer exists.
The following report lists rights assigned to external objects, including rights assigned directly (the Via Groups column is empty) and rights acquired indirectly via membership of groups or nested groups (the Via Groups column names the group).
In cases of rights acquired indirectly, the Via Groups column is written in the format Group1*Group2*Group3…, starting from the higher-level group from which the object acquires the right, e.g. "External Object has Right via membership of Group1*Group2*Group3".
Consult the reports Rights Assigned to Local Groups, Rights Assigned to Universal Groups (Native mode only) and Rights Assigned to Global Groups for a complete list of rights assigned to all Groups.
For a complete list of groups see report section Groups Defined in the Domain.
** No data found **
25. Discretionary Access Controls (DACL) for Containers
Section Summary
This report section analyses 4,572 DACLs defined on the following classes of container objects:
- Containers: 4,366 DACLs
- Domains: 51 DACLs
- Organizational Units: 129 DACLs
- Sites: 26 DACLs
Notes
A discretionary access control list (DACL) is an ordered list of access control entries (ACEs) that define the permissions that apply to an object and its properties. Each ACE identifies an account (user, group, well-known object) and specifies a set of permissions allowed or denied for that account.
Key:
Permission: The permission(s) the trustee has over the object.
Type: Allow = the permission is allowed to the trustee; Deny = the permission is denied to the trustee.
Trustee: The account to which the permission is assigned for the specified object. (G) = Group; (U) = User; (W) = Well-Known Object; (C) = Computer; (?) = the account is from an external domain and its type cannot be resolved.
Object: The object on which the account has the permission. (D) = Domain; (OU) = Organizational Unit; (C) = Container; (S) = Site.
Permission Applies To: Specifies where the permissions are applied: This object only; This object and all child objects; Child objects only; Computer objects; Group objects; GroupPolicyContainer objects; Organizational Unit objects; Site objects; Trusted Domain objects; User objects.
Bhvr (Behaviour): P = the permission applies to the specified container only and does not propagate to its child objects (if omitted, the permission propagates to all child objects of the container within the tree). I = the permission is inherited from the parent object (if omitted, the permission is defined directly on the specified object). PI = both.
Section Detail
For details see worksheet DACLs in the MS-Excel workbook.
Implications
Some of these permissions are very powerful: a trustee with Full Control, Modify Permissions or Modify Owner over an OU, or with write access to all properties of the objects beneath it, can take control of every account and group in that part of the tree. They should be assigned to users and groups with care.
Risk Rating
Medium to High. (If users are assigned powerful Permissions that are not in line with their job functions.)
Recommended Action
You should check that the listed permissions over objects are appropriate and in line with users' job functions. Pay particular attention to permissions defined directly on an object (no I flag), since these are the ones that were added by hand rather than inherited from the domain defaults.
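The report defers the 4,572 DACLs to the Excel workbook. As an added example, not part of the report or of SekChek, the script below walks the same object classes (domain, OUs, containers and sites), reads each DACL from the AD: drive and lists the Allow ACEs that hand a trustee control of the object: Full Control, Modify Permissions (WriteDacl), Modify Owner, write access to all properties, or the two directory-replication extended rights. It requires the ActiveDirectory module (RSAT). The $trusted allow-list is our assumption; adjust it to your own standard.

```powershell
# Added example; not part of the SekChek report or its tooling.
Import-Module ActiveDirectory
$domain  = Get-ADDomain
$nb      = $domain.NetBIOSName
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', "$nb\Domain Admins",
             "$nb\Enterprise Admins", 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS')

# Extended-right GUIDs: DS-Replication-Get-Changes and DS-Replication-Get-Changes-All.
$replicationRights = @('1131f6aa-9c07-11d1-f79f-00c04fc2dcd2', '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2')
$R = [System.DirectoryServices.ActiveDirectoryRights]

function Test-ControlAce([System.DirectoryServices.ActiveDirectoryAccessRule]$ace) {
    if ($ace.AccessControlType -ne 'Allow') { return $false }
    $bits     = [int]$ace.ActiveDirectoryRights
    $allProps = ($ace.ObjectType -eq [guid]::Empty)   # empty GUID = every property / every right
    # GenericAll is a mask of many bits, so test for the whole mask, not any bit.
    if (($bits -band [int]$R::GenericAll) -eq [int]$R::GenericAll) { return $true }
    if ($bits -band ([int]$R::WriteDacl -bor [int]$R::WriteOwner)) { return $true }
    if (($bits -band [int]$R::WriteProperty) -and $allProps) { return $true }
    if (($bits -band [int]$R::ExtendedRight) -and
        ($allProps -or $replicationRights -contains $ace.ObjectType.ToString())) { return $true }
    return $false
}

# Same object classes as the report. Sites live in the configuration partition.
$classFilter = '(|(objectClass=domainDNS)(objectClass=organizationalUnit)(objectClass=container))'
$objects  = @(Get-ADObject -LDAPFilter $classFilter -SearchBase $domain.DistinguishedName -SearchScope Subtree)
$objects += @(Get-ADObject -LDAPFilter '(objectClass=site)' -SearchBase "CN=Sites,$((Get-ADRootDSE).ConfigurationNamingContext)")

$findings = foreach ($obj in $objects) {
    $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if (-not (Test-ControlAce $ace)) { continue }
        $who = $ace.IdentityReference.Value
        if ($trusted -contains $who) { continue }
        [pscustomobject]@{
            Object     = $obj.DistinguishedName
            Class      = $obj.ObjectClass
            Trustee    = $who
            Rights     = $ace.ActiveDirectoryRights
            ObjectType = $ace.ObjectType
            AppliesTo  = $ace.InheritanceType   # None = "This object only" in the report's key
            Inherited  = $ace.IsInherited       # the report's "I" behaviour flag
        }
    }
}
$findings | Sort-Object Trustee, Object | Format-Table -AutoSize -Wrap
'{0} control-level ACEs to review across {1} objects' -f @($findings).Count, $objects.Count
```

Reading a few thousand DACLs one Get-Acl at a time takes minutes; for a first pass change the container query to -SearchScope OneLevel, since a non-inherited control ACE at the top of the tree is what propagates to everything below it.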
26. Trusted and Trusting Domains
Section Summary
The domain being analysed has trust relationships with 2 other domains:
- 50.0% (1) are trusted domains
- 50.0% (1) are trusting domains
- 0.0% (0) are both trusted and trusting domains
Section Detail
Domain Name Trust Type Attributes Trusted Trusting
SnakeNY MIT Kerberos realm Disallow transitivity Yes
SnakeWP MIT Kerberos realm Disallow transitivity Yes
Implications
A trust relationship is a link between two domains where the trusting domain honours logon authentications of the trusted domain.
Active Directory supports two basic forms of trust relationship: one-way, non-transitive trusts and two-way, transitive trusts. It also supports realm trusts to non-Windows Kerberos realms, which is the type listed above: each of the two MIT Kerberos realm trusts is one-way and, as the Disallow transitivity attribute shows, non-transitive.
In a one-way trust relationship, if Domain A trusts Domain B, Domain B does not automatically trust Domain A.
In a non-transitive trust relationship, if Domain A trusts Domain B and Domain B trusts Domain C, then Domain A does not automatically trust Domain C.
Networks running Windows NT 4.0 and earlier versions of Windows NT use one-way, non-transitive trust relationships. You manually create one-way, non-transitive trust relationships between existing domains. As a result, a Windows NT 4.0 (or earlier Windows NT) network with several domains requires the creation of many trust relationships.
Active Directory services support this type of trust for connections to existing Windows NT 4.0 and earlier domains and to allow the configuration of trust relationships with domains in other domain trees.
A two-way, transitive trust is the relationship between parent and child domains within a domain tree and between the top-level domains in a forest of domain trees. This is the default. Trust relationships among domains in a tree are established and maintained automatically. Transitive trust is a feature of the Kerberos authentication protocol, which provides for distributed authentication and authorization in Windows 200x*.
In a two-way trust relationship, if Domain A trusts Domain B, then Domain B trusts Domain A. In a transitive trust relationship, if Domain A trusts Domain B and Domain B trusts Domain C, then Domain A trusts Domain C. Therefore in a two-way, transitive trust relationship, if Domain A trusts Domain B and Domain B trusts Domain C, then Domain A trusts Domain C and Domain C trusts Domain A.
If a two-way, transitive trust exists between two domains, you can assign permissions to resources in one domain to user and group accounts in the other domain, and vice versa.
Two-way, transitive trust relationships are the default in Windows 200x*. When you create a new child domain in a domain tree, a trust relationship is established automatically with its parent domain, which imparts a trust relationship with every other domain in the tree. As a result, users in one domain can access resources to which they have been granted permission in all other domains in a tree.
Note, however, that the single logon enabled by trusts does not imply that the authenticated user has rights and permissions in all domains: a trust only lets the trusting domain accept the other domain's authentication; what those users may then do is still decided by the rights and permissions granted in the trusting domain.
The trusting domain relies on the trusted domain to verify the user ID and password of users who log on to the trusted domain.
Trusted domains can therefore provide paths for illegal access to the trusting domains. Weak security standards applied in a trusted domain (weak passwords, poorly controlled privileged accounts) undermine security in every domain that trusts it.
Risk Rating
Medium to High (dependent on the quality of security standards applied in trusted domains).
Recommended Action
You should satisfy yourself that security in domains trusted by your domain is implemented and administered to appropriate standards. You should consider running SekChek on domain controllers for all trusted domains.
For the two realm trusts above, confirm that they are still required and that they remain non-transitive. For any external or forest trust, also confirm that SID filtering (quarantine) is enabled and consider selective authentication, so that a compromise of the trusted domain cannot be turned into elevated access in this one.
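The trust table above comes from SekChek's collector. As an added example, not part of the report or of SekChek, the script below lists this domain's trust objects in the same terms (Trusted = this domain trusts the other; Trusting = the other trusts this one) and flags the settings a reviewer checks on each trust. It requires the ActiveDirectory module (RSAT). Labelling TrustType "MIT" as "MIT Kerberos realm" to match the report's wording is our assumption.

```powershell
# Added example; not part of the SekChek report or its tooling.
Import-Module ActiveDirectory

$report = foreach ($t in Get-ADTrust -Filter *) {
    # Direction is from this domain's point of view:
    #   Outbound      = this domain trusts the other (the other is a trusted domain)
    #   Inbound       = the other domain trusts this one (it is a trusting domain)
    #   Bidirectional = both
    $dir      = [string]$t.Direction
    $trusted  = @('Outbound', 'Bidirectional') -contains $dir
    $trusting = @('Inbound',  'Bidirectional') -contains $dir
    $isRealm  = ([string]$t.TrustType -eq 'MIT')
    $issues   = @()

    if ($trusted -and -not $isRealm -and -not $t.IntraForest) {
        # SID filtering stops a compromised trusted domain from injecting this
        # domain's SIDs (e.g. Domain Admins) into its users' tokens via SIDHistory.
        if (-not ($t.SIDFilteringQuarantined -or $t.SIDFilteringForestAware)) { $issues += 'SID filtering off' }
        if (-not $t.SelectiveAuthentication) { $issues += 'domain-wide authentication (no selective authentication)' }
        if ($t.ForestTransitive) { $issues += 'transitive to every domain in the remote forest' }
    }
    # The cmdlet's property really is spelt "DisallowTransivity".
    if ($isRealm -and -not $t.DisallowTransivity) { $issues += 'realm trust is transitive' }
    if ($t.UsesRC4Encryption -and -not $t.UsesAESKeys) { $issues += 'trust keys are RC4 only' }

    $attributes = @()
    if ($t.DisallowTransivity)      { $attributes += 'Disallow transitivity' }
    if ($t.ForestTransitive)        { $attributes += 'Forest transitive' }
    if ($t.SelectiveAuthentication) { $attributes += 'Selective authentication' }
    if ($t.IntraForest)             { $attributes += 'Intra-forest' }

    [pscustomobject]@{
        DomainName = $t.Name
        TrustType  = if ($isRealm) { 'MIT Kerberos realm' } else { [string]$t.TrustType }
        Attributes = ($attributes -join '; ')
        Trusted    = if ($trusted)  { 'Yes' } else { '' }
        Trusting   = if ($trusting) { 'Yes' } else { '' }
        Issues     = ($issues -join '; ')
    }
}
$report | Format-Table -AutoSize -Wrap

# The section summary, recomputed.
$both   = @($report | Where-Object { $_.Trusted -and $_.Trusting }).Count
$counts = @(@($report).Count,
            (@($report | Where-Object { $_.Trusted  }).Count - $both),
            (@($report | Where-Object { $_.Trusting }).Count - $both),
            $both)
'{0} trusts: {1} trusted only, {2} trusting only, {3} both trusted and trusting' -f $counts
```

Get-ADTrust only reads the trust objects stored in this domain, so an inbound trust created from the other side is seen here only as Inbound; run the same script in each trusted domain, as the Recommended Action above suggests, to see both ends.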
27. Servers and Workstations
Notes
Role: DC = Domain Controller, S = Server, WS = Workstation
When OS & Version = Not defined and Role = blank, it means that SekChek could not obtain the information or that the object does not refer to an actual machine.
Section Summary
There are 4 computer accounts defined in your domain:
- 50.0% (2) are Domain Controllers
- 0.0% (0) are Servers
- 50.0% (2) are Workstations
- 0.0% (0) of computer accounts are protected against accidental deletion
Breakdown of Operating Systems:
- 25.0% (1) are running Windows 7 Enterprise
- 25.0% (1) are running Windows Server 2003
- 25.0% (1) are running Windows Server 2008 R2 Enterprise
- 25.0% (1) are running Windows Vista Enterprise
Section Detail
Common Name | Path | OS & Version | Role
BEOWOLF | Computers | Windows Vista Enterprise 6.0 (6002) | WS
BOOMSLANG | Domain Controllers | Windows Server 2003 5.2 (3790) | DC
PUFFADDER | Domain Controllers | Windows Server 2008 R2 Enterprise 6.1 (7601) | DC
REDWOLF | Computers | Windows 7 Enterprise 6.1 (7601) | WS
Implications
Every server and workstation provides various services to users within the domain.
Servers normally offer services such as SQL databases, business applications, Active Directory, e-mail and remote access services.
Workstations are normally used by end users to log on to the domain and make use of domain resources and services as required.
Resources and services can be shared, with varying access permission settings, on all servers and workstations.
Every server and workstation is a potential security risk because it provides an access path to domain resources.
Risk Rating
Medium to High (depending on the type of servers, their configuration and the security setting standards applied).
Recommended Action
You should ensure that:
- Configurations and security settings are defined to appropriate standards
- Services and resources are appropriately restricted on servers and workstations
- Account databases have the appropriate security settings to help prevent illegal access
- The rights assigned to accounts and groups are effectively controlled
- Effective virus detection and prevention services are installed, running and started automatically at system start-up time
- Computer accounts, and the domain controller accounts in particular, are protected against accidental deletion (none of the 4 accounts above is)
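The table and summary above are produced by SekChek. As an added example, not part of the report or of SekChek, the script below rebuilds them from Active Directory, adds a staleness column, and shows the remediation for the 0% protected-against-accidental-deletion figure. It requires the ActiveDirectory module (RSAT). The 90-day staleness threshold and the Server/Workstation split on the OS name are our assumptions.

```powershell
# Added example; not part of the SekChek report or its tooling.
Import-Module ActiveDirectory

$props = 'OperatingSystem', 'OperatingSystemVersion', 'ProtectedFromAccidentalDeletion',
         'PrimaryGroupID', 'LastLogonTimestamp', 'Enabled'
$computers = Get-ADComputer -Filter * -Properties $props

$rows = foreach ($c in $computers) {
    # Role from the primary group: 516 = Domain Controllers, 521 = Read-only Domain
    # Controllers; anything else is a member server or workstation, split on the OS name.
    $role = switch ($c.PrimaryGroupID) {
        516     { 'DC' }
        521     { 'DC (RODC)' }
        default { if ($c.OperatingSystem -like '*Server*') { 'S' } else { 'WS' } }
    }
    $lastLogon = if ($c.LastLogonTimestamp) { [DateTime]::FromFileTime($c.LastLogonTimestamp) } else { $null }
    [pscustomobject]@{
        CommonName = $c.Name
        Path       = ($c.DistinguishedName -split ',', 2)[1]
        OS         = "$($c.OperatingSystem) $($c.OperatingSystemVersion)".Trim()
        Role       = $role
        Protected  = $c.ProtectedFromAccidentalDeletion
        Enabled    = $c.Enabled
        LastLogon  = $lastLogon
        Stale      = ($lastLogon -ne $null -and $lastLogon -lt (Get-Date).AddDays(-90))
    }
}
$rows | Sort-Object CommonName | Format-Table CommonName, Path, OS, Role, Protected, Stale -AutoSize

# The section summary in the report's terms.
$n = @($rows).Count
function Pct($count) { '{0:N1}% ({1})' -f (100 * $count / [Math]::Max($n, 1)), $count }
'{0} computer accounts: {1} Domain Controllers, {2} Servers, {3} Workstations, {4} protected against accidental deletion' -f $n,
    (Pct @($rows | Where-Object Role -like 'DC*').Count),
    (Pct @($rows | Where-Object Role -eq 'S').Count),
    (Pct @($rows | Where-Object Role -eq 'WS').Count),
    (Pct @($rows | Where-Object Protected).Count)
$rows | Group-Object OS | Sort-Object Name | ForEach-Object { '  {0} are running {1}' -f (Pct $_.Count), $_.Name }

# Remediation for the 0% figure. Drop -WhatIf once the list has been reviewed;
# the flag only blocks deletion and moves, it does not affect how the machine works.
$computers | Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
    Set-ADObject -ProtectedFromAccidentalDeletion $true -WhatIf
```

LastLogonTimestamp is replicated with up to 14 days of slack, so a Stale flag means "no logon for at least 90 days", not an exact date; a stale but enabled computer account is a candidate for disabling rather than deletion.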
28. Domain Controllers in the Domain
Section Summary
There are 2 Domain Controllers (DCs) defined in your domain:
- 0 DCs are configured as Read Only Domain Controllers (RODC)
- 100.0% (2) were scanned for users' last logon times
Section Detail
Common Name | Path | Scanned for Last Logons | RODC | FSMO/GC Role
BOOMSLANG | Domain Controllers | Yes | No | Domain Naming Master; Global Catalog; Schema Master
PUFFADDER | Domain Controllers | Yes | No | Global Catalog; Infrastructure Master; PDC Emulator; RID Master
Domain Controller
A domain controller (DC) is a computer running Windows 200x* Server that holds a copy of Active Directory.
DCs authenticate domain logons and track changes made to accounts, groups, and policy and trust relationships in a domain. A domain can contain more than one DC.
Windows 200x* Server domain controllers extend the capabilities and features provided by Windows NT Server 4.0 domain controllers. For example, domain controllers in Windows 200x* support multimaster replication, synchronizing data on each domain controller and ensuring consistency of information over time. Multimaster replication is an evolution of the primary and backup domain controller model of Windows NT Server 4.0, in which only one server, the primary domain controller, held a read-and-write copy of the directory.
Read Only Domain Controller (RODC)
A read-only domain controller (RODC) was introduced in the Windows Server 2008 operating system.
Except for account passwords, an RODC holds all the Active Directory objects and attributes that a writable domain controller holds; the only passwords it caches are those of the accounts its Password Replication Policy explicitly allows. Changes cannot be made to the database stored on the RODC; they must be made on a writable domain controller and then replicated to the RODC.
Flexible Single Master Operation (FSMO) Roles
FSMO roles are roles assigned to individual Domain Controllers in a forest or domain running Active Directory, and include:
Domain Naming Master: The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide domain name space of the directory. This DC is the only one that can add or remove a domain from the directory. Unique per forest; as such, it is possible that this role is not held by a DC in this domain.
Infrastructure Master: When an object in Domain A is referenced by another object in Domain B, the reference is represented by the GUID, the SID (for references to security principals) and the DN of the Active Directory object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference. Unique per domain. In a multi-domain forest this role should not be held by a Global Catalog server unless every DC in the domain is also a GC, because a GC never sees references as out of date and so never updates them; in a single-domain forest the placement does not matter. (Above, PUFFADDER holds both.)
PDC Emulator: In a Windows 200x domain, the PDC emulator role holder retains the following functions:
- Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.
- Authentication failures that occur at a given DC because of an incorrect password are forwarded to the PDC emulator before a bad-password failure is reported to the user.
- Account lockout is processed on the PDC emulator.
Unique per domain.
RID Master: The RID (Relative ID) Master is responsible for assigning pools of RIDs to other DCs in the domain. Each DC in a domain is allowed to create new security principal objects. The RID Master issues each DC with a pool of RIDs to assign to these newly created objects. Naturally, as new objects are created, this pool diminishes. Once the pool falls below a threshold, the DC issues a request to the RID Master for an additional pool of RIDs. Unique per domain.
Schema Master: The DC holding the role of Schema Master is responsible for processing updates to the AD schema. Once the Schema Master updates the schema, the changes are replicated to every other DC in the forest. Unique per forest; as such, it is possible that this role is not held by a DC in this domain.
Global Catalog (GC)
A DC can also hold a copy of the global catalog.
The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in an Active Directory forest. The global catalog is stored on DCs that have been designated as global catalog servers and is distributed through multimaster replication. Searches that are directed to the global catalog are faster because they do not involve referrals to different DCs.
The global catalog provides the ability to locate objects from any domain without having to know the domain name. A global catalog server is a DC that, in addition to its full, writable domain directory partition replica, also stores a partial, read-only replica of all other domain directory partitions in the forest. The additional domain directory partitions are partial because only a limited set of attributes is included for each object. By including only the attributes that are most used for searching, every object in every domain in even the largest forest can be represented in the database of a single global catalog server.
Risk Rating
Low to medium depending on the security standards applied to all Domain Controllers in the Domain.
Recommended Action
You should confirm that the security standards applied to all Domain Controllers conform to the expected security standards.
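The DC table above is SekChek's. As an added example, not part of the report or of SekChek, the script below lists the DCs with their GC, RODC and FSMO roles from Active Directory, cross-checks the role holders recorded on the forest and domain objects against the DCs that actually exist, and applies the Infrastructure Master placement check described above. It requires the ActiveDirectory module (RSAT); the reachability test uses ICMP and is our assumption (substitute a port check if ping is filtered).

```powershell
# Added example; not part of the SekChek report or its tooling.
Import-Module ActiveDirectory
$forest = Get-ADForest
$domain = Get-ADDomain
$dcs    = @(Get-ADDomainController -Filter *)

$rows = foreach ($dc in $dcs) {
    [pscustomobject]@{
        CommonName = $dc.Name
        HostName   = $dc.HostName
        OS         = $dc.OperatingSystem
        Site       = $dc.Site
        RODC       = $dc.IsReadOnly
        GC         = $dc.IsGlobalCatalog
        Roles      = ($dc.OperationMasterRoles -join '; ')
        Reachable  = (Test-Connection -ComputerName $dc.HostName -Count 1 -Quiet)
    }
}
$rows | Format-Table -AutoSize -Wrap
'{0} DCs, {1} RODCs, {2} Global Catalogs' -f $dcs.Count,
    @($dcs | Where-Object IsReadOnly).Count, @($dcs | Where-Object IsGlobalCatalog).Count

# 1. The role holders recorded on the forest and domain objects must be live DCs.
#    The two forest-wide roles may legitimately sit in another domain of the forest.
$holders = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($role in $holders.Keys) {
    $holder = $holders[$role]
    $known  = $dcs | Where-Object { $_.HostName -eq $holder }
    if (-not $known) {
        Write-Warning "$role is recorded on $holder, which is not a DC of this domain (forest-wide role elsewhere, or a stale holder)"
    } elseif (-not (Test-Connection -ComputerName $holder -Count 1 -Quiet)) {
        Write-Warning "$role holder $holder is unreachable; operations that need it (RID pools, password chaining, schema changes) will fail"
    }
}

# 2. Infrastructure Master on a GC is harmless in a single-domain forest, but in a
#    multi-domain forest it stops cross-domain reference updates unless every DC is a GC.
$im = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
if ($forest.Domains.Count -gt 1 -and $im.IsGlobalCatalog -and @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -gt 0) {
    Write-Warning "Infrastructure Master $($im.HostName) is a GC while other DCs are not: move the role or make every DC a GC"
}
```

The role list comes from each DC's own view (OperationMasterRoles) while $holders comes from the fSMORoleOwner attributes on the partition objects; if the two disagree, replication between the DCs is the first thing to check (repadmin /showrepl).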
29. Accounts Allowed to Dial In through RAS
Section Summary
SekChek could not determine whether there are any RAS servers on the network because the host system's Computer Browser service was not running during the scan (section 30 lists the Computer Browser service on PUFFADDER as Stopped and Disabled).
All Accounts
- 12.5% (2) of users have permission to dial in to your domain through RAS
- 0.0% (0) of these users are not called back by RAS
- 100.0% (2) of these users can set their own RAS call-back number
- 0.0% (0) of these users have their RAS call-back number set by the Administrator
Excluding Disabled Accounts
- 12.5% (2) of users have permission to dial in to your domain through RAS
- 0.0% (0) of these users are not called back by RAS
- 100.0% (2) of these users can set their own RAS call-back number
- 0.0% (0) of these users have their RAS call-back number set by the Administrator
All Administrator Accounts
- 0.0% (0) of administrator accounts have permission to dial in to your domain through RAS
Administrator Accounts (Excluding Disabled Accounts)
- 0.0% (0) of administrator accounts have permission to dial in to your domain through RAS
Section Detail
RAS servers found on the network: ** No data found ** (SekChek could not determine whether there are any RAS servers because the host system's Computer Browser service was not running during the scan.)
The following profiles have permission to dial in to your domain through RAS:
Account Name | Callback | Callback Nbr Set By | Phone Number | Service Type | Privilege | Account State
Virtual1 | Yes | Caller | | Callback Framed | User |
Virtual2 | Yes | Caller | | Callback Framed | User |
LEGEND:
Call Back = Yes: the server will call back the user before log on is allowed.
Callback Number Set By = Administrator: the call-back number is pre-set.
Callback Number Set By = Caller: the user provides a call-back number every time.
Phone Number: the pre-set phone number for call back.
Account State: the account is Disabled (D), Locked (L), Expired (E), or a combination of them, e.g. (DL) (DE).
If there are accounts listed with RAS privileges and no RAS servers found, it means that the accounts have been granted RAS privileges but that either:
- No RAS servers were visible when this analysis was done; or
- There was a RAS service installed at some stage but it has been discontinued.
0 ports listed for a RAS server indicates that the server has the RAS service configured but not active (started).
Implications
RAS (Remote Access Service) allows users to access your system remotely via modems, ISDN etc.
RAS increases the risk of unauthorised access to your system because your system is visible to a much larger number of potential intruders via the public telephone network. The risk is greater if privileged users, such as Administrators, are allowed access through RAS.
In general, multiple RAS servers also increase security risks simply because the number of external access points, which all require securing, is greater. The strength of general security and RAS security on those servers is an important factor in controlling the risks.
You will obtain the most comprehensive view of RAS privileges by running SekChek on the domain controller, on selected RAS servers, and on the domain controllers and RAS servers of each trusted domain.
When servers and workstations are members of a domain, they will usually allow users to log on to the domain. For workstations and servers that are not domain members (i.e. standalone machines), domain logon is normally not available to users.
Inappropriate security settings in RAS can create significant security exposures.
Risk Rating
Medium to High (dependent on the settings for RAS users, the RAS parameters and the strength of password controls).
Recommended Action
You should only grant dial-in (RAS) access to those users who require it for their job functions. Ensure that RAS access is not granted to all user accounts by default.
In general, you should ensure that the call-back feature is enabled for all RAS users and that a pre-set phone number is used. The two accounts above are called back, but to a number the caller supplies, which gives no assurance about where the call goes.
Do not grant RAS access to privileged accounts (e.g. Administrators) unless absolutely necessary.
If possible, restrict the log-on hours for RAS users. This feature can be set for individual user accounts.
Ensure that the RAS server is configured to require encrypted authentication and refuses to negotiate clear-text (PAP) passwords. This is a setting within RAS.
Review the RAS settings on all RAS servers on a regular basis and ensure that appropriate security standards are applied on all of these machines.
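The dial-in table above is derived from attributes on the user objects. As an added example, not part of the report or of SekChek, the script below reads those attributes and lists the accounts in the report's columns, flags privileged accounts, and recomputes the section summary. It requires the ActiveDirectory module (RSAT). Mapping msRADIUSServiceType 4 to "Callback = Yes" and the presence of msRADIUSCallbackNumber to "Set By = Administrator" is our assumption, taken from the attribute semantics rather than from the report.

```powershell
# Added example; not part of the SekChek report or its tooling.
Import-Module ActiveDirectory
$props = 'msNPAllowDialin', 'msRADIUSCallbackNumber', 'msRADIUSServiceType',
         'Enabled', 'LockedOut', 'AccountExpirationDate', 'AdminCount'

# Privileged = member (recursively) of Domain Admins, Enterprise Admins or Administrators.
# Enterprise Admins only exists in the forest root, hence the try/catch.
$privilegedSids = @(foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Administrators') {
    try { (Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop).SID.Value } catch { }
}) | Select-Object -Unique

$users = Get-ADUser -LDAPFilter '(msNPAllowDialin=TRUE)' -Properties $props

$rows = foreach ($u in $users) {
    # msRADIUSServiceType 4 = "Callback Framed": callback is on. If the administrator
    # pre-set a number it is stored in msRADIUSCallbackNumber; otherwise the caller
    # supplies one at connect time (the "Caller" case in the table above).
    $callback = ($u.msRADIUSServiceType -eq 4)
    $setBy = if (-not $callback) { '' } elseif ($u.msRADIUSCallbackNumber) { 'Administrator' } else { 'Caller' }
    $state = ''
    if (-not $u.Enabled) { $state += 'D' }
    if ($u.LockedOut)    { $state += 'L' }
    if ($u.AccountExpirationDate -and $u.AccountExpirationDate -lt (Get-Date)) { $state += 'E' }
    [pscustomobject]@{
        AccountName  = $u.SamAccountName
        Callback     = if ($callback) { 'Yes' } else { 'No' }
        SetBy        = $setBy
        PhoneNumber  = $u.msRADIUSCallbackNumber
        AccountState = $state
        Privileged   = ($privilegedSids -contains $u.SID.Value) -or ($u.AdminCount -eq 1)
    }
}
$rows | Format-Table -AutoSize

# The report's summary lines, recomputed.
$allUsers = @(Get-ADUser -Filter *).Count
'{0:N1}% ({1}) of users have permission to dial in through RAS' -f (100 * @($rows).Count / [Math]::Max($allUsers, 1)), @($rows).Count
$counts = @(@($rows | Where-Object Callback -eq 'No').Count,
            @($rows | Where-Object SetBy -eq 'Caller').Count,
            @($rows | Where-Object SetBy -eq 'Administrator').Count,
            @($rows | Where-Object Privileged).Count)
'{0} not called back; {1} set their own number; {2} have an administrator-set number; {3} are privileged accounts' -f $counts
```

Accounts whose dial-in setting is "Control access through NPS Network Policy" have msNPAllowDialin unset rather than FALSE, so they do not appear here; whether they can dial in is then decided on the NPS/RAS server, which is why the Recommended Action above asks for the server settings to be reviewed as well.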
30. Services and Drivers on the Machine
Section Summary
There are a total of 367 Services installed.
These Services include the following types:
- 53.1% (195) are Kernel Drivers
- 7.4% (27) are File System Drivers
- 12.5% (46) are Own Process
- 26.4% (97) are Shared Process
- 0.5% (2) are Own Process (Interactive)
- 0.0% (0) are Shared Process (Interactive)
The Services start types are:
- 8.2% (30) System Boot
- 7.1% (26) System
- 18.5% (68) Automatic
- 62.7% (230) Manual
- 3.5% (13) Disabled
Their current states are:
- 52.3% (192) Stopped
- 0.0% (0) Starting
- 0.0% (0) Stopping
- 47.7% (175) Running
- 0.0% (0) Continuing
- 0.0% (0) Pausing
- 0.0% (0) Paused
Following are two reports. The first enumerates services with their state and start type. The second enumerates services with their logon account and the path of the executable. The services listed are those on the machine being analysed and do not reflect services installed on other machines.
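As an added example, not part of the report or of SekChek, the script below reproduces the section summary (service types, start types and states across services and drivers) from WMI on the local machine, then applies two checks a reviewer runs against the second report's columns (logon account and image path): automatic services running as LocalSystem from an unquoted path that contains spaces, and service binaries outside the Windows and Program Files trees. The "expected locations" list is our assumption.

```powershell
# Added example; not part of the SekChek report or its tooling.
$services = @(Get-CimInstance -ClassName Win32_Service)
$drivers  = @(Get-CimInstance -ClassName Win32_SystemDriver)
$all      = $services + $drivers
$total    = $all.Count

function Show-Breakdown([string]$label, [string]$property) {
    "${label}:"
    $all | Group-Object -Property $property | Sort-Object Count -Descending | ForEach-Object {
        '  {0,5:N1}% ({1,3}) {2}' -f (100 * $_.Count / $total), $_.Count, $_.Name
    }
}
"There are a total of $total services and drivers installed."
Show-Breakdown 'Service types'  'ServiceType'   # Kernel Driver, File System Driver, Own Process, Share Process
Show-Breakdown 'Start types'    'StartMode'     # Boot, System, Auto, Manual, Disabled
Show-Breakdown 'Current states' 'State'

function Get-ImagePath([string]$pathName) {
    # Strip quotes and arguments and return the executable as the Service Control
    # Manager would resolve it. For an unquoted path with spaces the SCM tries
    # C:\Program.exe, then C:\Program Files\Vendor.exe, ... before the real binary.
    if (-not $pathName) { return $null }
    if ($pathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($pathName -match '^(.+?\.(exe|sys))(\s|$)') { return $Matches[1] }
    return ($pathName -split '\s+')[0]
}

$expected = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")
$findings = foreach ($s in $services) {
    $img = Get-ImagePath $s.PathName
    if (-not $img) { continue }
    $reasons = @()
    if ($s.PathName -notmatch '^"' -and $img -match '\s') {
        $reasons += 'unquoted image path containing spaces'
    }
    if (-not ($expected | Where-Object { $img.StartsWith($_, 'OrdinalIgnoreCase') })) {
        $reasons += 'binary outside the Windows/Program Files trees'
    }
    if ($reasons -and $s.StartMode -eq 'Auto' -and $s.StartName -eq 'LocalSystem') {
        $reasons += 'starts automatically as LocalSystem'
    }
    if ($reasons) {
        [pscustomobject]@{ Name = $s.Name; State = $s.State; StartMode = $s.StartMode
                           Account = $s.StartName; Path = $s.PathName; Why = ($reasons -join '; ') }
    }
}
$findings | Format-Table -AutoSize -Wrap
```

Win32_Service reports the type as "Share Process" where the report prints "Shared Process", and the start mode as "Auto" where the report prints "Automatic"; the counts are the same. Findings under "binary outside the Windows/Program Files trees" are not faults by themselves (the report's Sophos service is a legitimate third-party example), but each one is a binary whose own directory ACL should be checked, since whoever can write there runs as that service's account.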
Section Detail
Service Name | Display Name | State | Service Type | Start Type
1394ohci | 1394 OHCI Compliant Host Controller | Stopped | Kernel Driver | Manual
ACPI | Microsoft ACPI Driver | Running | Kernel Driver | Boot
AcpiPmi | ACPI Power Meter Driver | Stopped | Kernel Driver | Manual
adp94xx | adp94xx | Stopped | Kernel Driver | Manual
adpahci | adpahci | Stopped | Kernel Driver | Manual
adpu320 | adpu320 | Stopped | Kernel Driver | Manual
ADWS | Active Directory Web Services | Running | Own Process | Automatic
AeLookupSvc | Application Experience | Running | Shared Process | Manual
AFD | Ancillary Function Driver for Winsock | Running | Kernel Driver | System
agp440 | Intel AGP Bus Filter | Stopped | Kernel Driver | Manual
ALG | Application Layer Gateway Service | Stopped | Own Process | Manual
aliide | aliide | Stopped | Kernel Driver | Manual
amdide | amdide | Stopped | Kernel Driver | Manual
AmdK8 | AMD K8 Processor Driver | Stopped | Kernel Driver | Manual
AmdPPM | AMD Processor Driver | Stopped | Kernel Driver | Manual
amdsata | amdsata | Stopped | Kernel Driver | Manual
amdsbs | amdsbs | Stopped | Kernel Driver | Manual
amdxata | amdxata | Running | Kernel Driver | Boot
AppID | AppID Driver | Stopped | Kernel Driver | Manual
AppIDSvc | Application Identity | Stopped | Shared Process | Manual
Appinfo | Application Information | Stopped | Shared Process | Manual
AppMgmt | Application Management | Running | Shared Process | Manual
arc | arc | Stopped | Kernel Driver | Manual
arcsas | arcsas | Stopped | Kernel Driver | Manual
AsyncMac | RAS Asynchronous Media Driver | Running | Kernel Driver | Manual
atapi | IDE Channel | Running | Kernel Driver | Boot
AudioEndpointBuilder | Windows Audio Endpoint Builder | Stopped | Shared Process | Manual
AudioSrv | Windows Audio | Stopped | Shared Process | Manual
b06bdrv | Broadcom NetXtreme II VBD | Stopped | Kernel Driver | Manual
b57nd60a | Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0 | Stopped | Kernel Driver | Manual
BDESVC | BitLocker Drive Encryption Service | Stopped | Shared Process | Manual
Beep | Beep | Stopped | Kernel Driver | Manual
BFE | Base Filtering Engine | Running | Shared Process | Automatic
BITS | Background Intelligent Transfer Service | Stopped | Shared Process | Manual
blbdrive | blbdrive | Running | Kernel Driver | System
bowser | Browser Support Driver | Running | File System Driver | Manual
BrFiltLo | Brother USB Mass-Storage Lower Filter Driver | Stopped | Kernel Driver | Manual
BrFiltUp | Brother USB Mass-Storage Upper Filter Driver | Stopped | Kernel Driver | Manual
Browser | Computer Browser | Stopped | Shared Process | Disabled
Brserid | Brother MFC Serial Port Interface Driver (WDM) | Stopped | Kernel Driver | Manual
BrSerWdm | Brother WDM Serial driver | Stopped | Kernel Driver | Manual
BrUsbMdm | Brother MFC USB Fax Only Modem | Stopped | Kernel Driver | Manual
BrUsbSer | Brother MFC USB Serial WDM Driver | Stopped | Kernel Driver | Manual
cdfs | CD/DVD File System Reader | Running | File System Driver | Disabled
cdrom | CD-ROM Driver | Running | Kernel Driver | System
CertPropSvc | Certificate Propagation | Running | Shared Process | Manual
CLFS | Common Log (CLFS) | Running | Kernel Driver | Boot
clr_optimization_v2.0.50727_32 | Microsoft .NET Framework NGEN v2.0.50727_X86 | Running | Own Process | Automatic
clr_optimization_v2.0.50727_64 | Microsoft .NET Framework NGEN v2.0.50727_X64 | Running | Own Process | Automatic
CmBatt | Microsoft ACPI Control Method Battery Driver | Stopped | Kernel Driver | Manual
cmdide | cmdide | Stopped | Kernel Driver | Manual
CNG | CNG | Running | Kernel Driver | Boot
Compbatt | Compbatt | Stopped | Kernel Driver | Manual
CompositeBus | Composite Bus Enumerator Driver | Running | Kernel Driver | Manual
COMSysApp | COM+ System Application | Stopped | Own Process | Manual
crcdisk | Crcdisk Filter Driver | Stopped | Kernel Driver | Disabled
CryptSvc | Cryptographic Services | Running | Shared Process | Automatic
DcomLaunch DCOM Server Process Launcher Running Shared Process Automatic
defragsvc Disk Defragmenter Stopped Own Process Manual
Dfs DFS Namespace Running Own Process Automatic
DfsC DFS Namespace Client Driver Running File System Driver System
DfsDriver DFS Namespace Server Filter Driver Running File System Driver System
DFSR DFS Replication Running Own Process Automatic
DfsrRo DFS Replication ReadOnly Driver Running File System Driver Boot
Dhcp DHCP Client Running Shared Process Automatic
discache System Attribute Cache Running Kernel Driver System
Disk Disk Driver Running Kernel Driver Boot
DNS DNS Server Running Own Process Automatic
Dnscache DNS Client Running Shared Process Automatic
dot3svc Wired AutoConfig Stopped Shared Process Manual
DPS Diagnostic Policy Service Running Shared Process Automatic
DXGKrnl LDDM Graphics Subsystem Stopped Kernel Driver Manual
EapHost Extensible Authentication Protocol Stopped Shared Process Manual
ebdrv Broadcom NetXtreme II 10 GigE VBD Stopped Kernel Driver Manual
EFS Encrypting File System (EFS) Stopped Shared Process Manual
elxstor elxstor Stopped Kernel Driver Manual
ErrDev Microsoft Hardware Error Device Driver Stopped Kernel Driver Manual
eventlog Windows Event Log Running Shared Process Automatic
EventSystem COM+ Event System Running Shared Process Automatic
exfat exFAT File System Driver Stopped File System Driver Manual
fastfat FAT12/16/32 File System Driver Stopped File System Driver Manual
FCRegSvc Microsoft Fibre Channel Platform Registration Service Stopped Shared Process Manual
fdc Floppy Disk Controller Driver Running Kernel Driver Manual
fdPHost Function Discovery Provider Host Running Shared Process Manual
FDResPub Function Discovery Resource Publication Stopped Shared Process Manual
FileInfo File Information FS MiniFilter Stopped File System Driver Manual
Filetrace Filetrace Stopped File System Driver Manual
flpydisk Floppy Disk Driver Running Kernel Driver Manual
FltMgr FltMgr Running File System Driver Boot
FontCache Windows Font Cache Service Running Shared Process Automatic
FontCache3.0.0.0 Windows Presentation Foundation Font Cache 3.0.0.0 Stopped Own Process Manual
FsDepends File System Dependency Minifilter Stopped File System Driver Manual
fvevol Bitlocker Drive Encryption Filter Driver Running Kernel Driver Boot
gagp30kx Microsoft Generic AGPv3.0 Filter for K8 Processor Platforms Stopped Kernel Driver Manual
gpsvc Group Policy Client Running Shared Process Automatic
HDAudBus Microsoft UAA Bus Driver for High Definition Audio Stopped Kernel Driver Manual
HidBatt HID UPS Battery Driver Stopped Kernel Driver Manual
hidserv Human Interface Device Access Stopped Shared Process Manual
HidUsb Microsoft HID Class Driver Stopped Kernel Driver Manual
hkmsvc Health Key and Certificate Management Stopped Shared Process Manual
HpSAMD HpSAMD Stopped Kernel Driver Manual
HTTP HTTP Running Kernel Driver Manual
hwpolicy Hardware Policy Driver Running Kernel Driver Boot
i8042prt i8042 Keyboard and PS/2 Mouse Port Driver Running Kernel Driver Manual
iaStorV Intel RAID Controller Windows 7 Stopped Kernel Driver Manual
idsvc Windows CardSpace Stopped Shared Process Manual
iirsp iirsp Stopped Kernel Driver Manual
IKEEXT IKE and AuthIP IPsec Keying Modules Stopped Shared Process Manual
intelide intelide Running Kernel Driver Boot
intelppm Intel Processor Driver Running Kernel Driver Manual
ioatdma Intel(R) QuickData Technology Device Stopped Kernel Driver Manual
IPBusEnum PnP-X IP Bus Enumerator Stopped Shared Process Disabled
IpFilterDriver IP Traffic Filter Driver Stopped Kernel Driver Manual
iphlpsvc IP Helper Running Shared Process Automatic
IPMIDRV IPMIDRV Stopped Kernel Driver Manual
IPNAT IP Network Address Translator Stopped Kernel Driver Manual
isapnp isapnp Stopped Kernel Driver Manual
iScsiPrt iScsiPort Driver Stopped Kernel Driver Manual
IsmServ Intersite Messaging Running Own Process Automatic
kbdclass Keyboard Class Driver Running Kernel Driver Manual
kbdhid Keyboard HID Driver Stopped Kernel Driver Manual
kdc Kerberos Key Distribution Center Running Shared Process Automatic
KeyIso CNG Key Isolation Stopped Shared Process Manual
KSecDD KSecDD Running Kernel Driver Boot
KSecPkg KSecPkg Running Kernel Driver Boot
ksthunk Kernel Streaming Thunks Stopped Kernel Driver Manual
KtmRm KtmRm for Distributed Transaction Coordinator Stopped Shared Process Manual
LanmanServer Server Running Shared Process Automatic
LanmanWorkstation Workstation Running Shared Process Automatic
lltdio Link-Layer Topology Discovery Mapper I/O Driver Running Kernel Driver Automatic
lltdsvc Link-Layer Topology Discovery Mapper Stopped Shared Process Manual
lmhosts TCP/IP NetBIOS Helper Running Shared Process Automatic
LSI_FC LSI_FC Stopped Kernel Driver Manual
LSI_SAS LSI_SAS Stopped Kernel Driver Manual
LSI_SAS2 LSI_SAS2 Stopped Kernel Driver Manual
LSI_SCSI LSI_SCSI Stopped Kernel Driver Manual
luafv UAC File Virtualization Running File System Driver Automatic
megasas megasas Stopped Kernel Driver Manual
MegaSR MegaSR Stopped Kernel Driver Manual
Microsoft SharePoint Workspace Audit Service Microsoft SharePoint Workspace Audit Service Stopped Own Process Manual
MMCSS Multimedia Class Scheduler Stopped Shared Process Manual
Modem Modem Stopped Kernel Driver Manual
monitor Microsoft Monitor Class Function Driver Service Stopped Kernel Driver Manual
mouclass Mouse Class Driver Running Kernel Driver Manual
mouhid Mouse HID Driver Running Kernel Driver Manual
mountmgr Mount Point Manager Running Kernel Driver Boot
mpio Microsoft Multi-Path Bus Driver Stopped Kernel Driver Manual
mpsdrv Windows Firewall Authorization Driver Running Kernel Driver Manual
MpsSvc Windows Firewall Running Shared Process Automatic
mrxsmb SMB MiniRedirector Wrapper and Engine Running File System Driver Manual
mrxsmb10 SMB 1.x MiniRedirector Running File System Driver Manual
mrxsmb20 SMB 2.0 MiniRedirector Running File System Driver Manual
msahci msahci Stopped Kernel Driver Manual
msdsm Microsoft Multi-Path Device Specific Module Stopped Kernel Driver Manual
MSDTC Distributed Transaction Coordinator Running Own Process Automatic
Msfs Msfs Running File System Driver System
mshidkmdf Pass-through HID to KMDF Filter Driver Stopped Kernel Driver Manual
msisadrv msisadrv Running Kernel Driver Boot
MSiSCSI Microsoft iSCSI Initiator Service Stopped Shared Process Manual
msiserver Windows Installer Stopped Own Process Manual
MsRPC MsRPC Stopped Kernel Driver Manual
mssmbios Microsoft System Management BIOS Driver Running Kernel Driver System
MSSQL$SOPHOS SQL Server (SOPHOS) Running Own Process Automatic
MSSQLServerADHelper100 SQL Active Directory Helper Service Stopped Own Process Disabled
MTConfig Microsoft Input Configuration Driver Stopped Kernel Driver Manual
Mup Mup Running File System Driver Boot
napagent Network Access Protection Agent Stopped Shared Process Manual
NDIS NDIS System Driver Running Kernel Driver Boot
NdisCap NDIS Capture LightWeight Filter Stopped Kernel Driver Manual
NdisTapi Remote Access NDIS TAPI Driver Running Kernel Driver Manual
Ndisuio NDIS Usermode I/O Protocol Stopped Kernel Driver Manual
NdisWan Remote Access NDIS WAN Driver Running Kernel Driver Manual
NDProxy NDIS Proxy Running Kernel Driver Manual
NetBIOS NetBIOS Interface Running File System Driver System
NetBT NetBT Running Kernel Driver System
Netlogon Netlogon Running Shared Process Automatic
Netman Network Connections Running Shared Process Manual
netprofm Network List Service Running Shared Process Manual
NetTcpPortSharing Net.Tcp Port Sharing Service Stopped Shared Process Disabled
netvsc netvsc Running Kernel Driver Manual
nfrd960 nfrd960 Stopped Kernel Driver Manual
NlaSvc Network Location Awareness Running Shared Process Automatic
Npfs Npfs Running File System Driver System
nsi Network Store Interface Service Running Shared Process Automatic
nsiproxy NSI proxy service driver. Running Kernel Driver System
NTDS Active Directory Domain Services Running Shared Process Automatic
NtFrs File Replication Service Running Own Process Automatic
Ntfs Ntfs Running File System Driver Manual
Null Null Running Kernel Driver System
nv_agp NVIDIA nForce AGP Bus Filter Stopped Kernel Driver Manual
nvraid nvraid Stopped Kernel Driver Manual
nvstor nvstor Stopped Kernel Driver Manual
ohci1394 1394 OHCI Compliant Host Controller (Legacy) Stopped Kernel Driver Manual
ose Office Source Engine Stopped Own Process Manual
osppsvc Office Software Protection Platform Stopped Own Process Manual
Parport Parallel port driver Stopped Kernel Driver Manual
partmgr Partition Manager Running Kernel Driver Boot
pci PCI Bus Driver Running Kernel Driver Boot
pciide pciide Stopped Kernel Driver Manual
pcmcia pcmcia Stopped Kernel Driver Manual
pcw Performance Counters for Windows Driver Running Kernel Driver Boot
PEAUTH PEAUTH Running Kernel Driver Automatic
PerfHost Performance Counter DLL Host Stopped Own Process Manual
pla Performance Logs & Alerts Stopped Shared Process Manual
PlugPlay Plug and Play Running Shared Process Automatic
PolicyAgent IPsec Policy Agent Stopped Shared Process Manual
Power Power Running Shared Process Automatic
PptpMiniport WAN Miniport (PPTP) Running Kernel Driver Manual
Processor Processor Driver Stopped Kernel Driver Manual
ProfSvc User Profile Service Running Shared Process Automatic
ProtectedStorage Protected Storage Stopped Shared Process Manual
Psched QoS Packet Scheduler Running Kernel Driver System
ql2300 ql2300 Stopped Kernel Driver Manual
ql40xx ql40xx Stopped Kernel Driver Manual
RasAcd Remote Access Auto Connection Driver Stopped Kernel Driver Manual
RasAgileVpn WAN Miniport (IKEv2) Running Kernel Driver Manual
RasAuto Remote Access Auto Connection Manager Stopped Shared Process Manual
Rasl2tp WAN Miniport (L2TP) Running Kernel Driver Manual
RasMan Remote Access Connection Manager Stopped Shared Process Manual
RasPppoe Remote Access PPPOE Driver Running Kernel Driver Manual
RasSstp WAN Miniport (SSTP) Running Kernel Driver Manual
rdbss Redirected Buffering Sub Sysytem Running File System Driver System
rdpbus Remote Desktop Device Redirector Bus Driver Running Kernel Driver Manual
RDPCDD RDPCDD Running Kernel Driver System
RDPDR Terminal Server Device Redirector Driver Running Kernel Driver Manual
RDPENCDD RDP Encoder Mirror Driver Running Kernel Driver System
RDPREFMP Reflector Display Driver used to gain access to graphics data Running Kernel Driver System
RDPWD RDP Winstation Driver Running Kernel Driver Manual
RemoteAccess Routing and Remote Access Stopped Shared Process Disabled
RemoteRegistry Remote Registry Running Shared Process Automatic
RpcEptMapper RPC Endpoint Mapper Running Shared Process Automatic
RpcLocator Remote Procedure Call (RPC) Locator Stopped Own Process Manual
RpcSs Remote Procedure Call (RPC) Running Shared Process Automatic
RSoPProv Resultant Set of Policy Provider Stopped Shared Process Manual
rspndr Link-Layer Topology Discovery Responder Running Kernel Driver Automatic
s3cap s3cap Running Kernel Driver Manual
sacdrv sacdrv Stopped Kernel Driver Boot
sacsvr Special Administration Console Helper Stopped Shared Process Manual
SamSs Security Accounts Manager Running Shared Process Automatic
SAVAdminService Sophos Anti-Virus status reporter Running Own Process Automatic
SAVOnAccess SAVOnAccess Running File System Driver System
SAVService Sophos Anti-Virus Running Own Process Automatic
sbp2port SBP-2 Transport/Protocol Bus Driver Stopped Kernel Driver Manual
SCardSvr Smart Card Stopped Shared Process Manual
scfilter Smart card PnP Class Filter Driver Stopped Kernel Driver Manual
Schedule Task Scheduler Running Shared Process Automatic
SCPolicySvc Smart Card Removal Policy Stopped Shared Process Manual
secdrv Security Driver Running Kernel Driver Automatic
seclogon Secondary Logon Stopped Shared Process Manual
SENS System Event Notification Service Running Shared Process Automatic
Serenum Serenum Filter Driver Running Kernel Driver Manual
Serial Serial port driver Running Kernel Driver System
sermouse Serial Mouse Driver Stopped Kernel Driver Manual
SessionEnv Remote Desktop Configuration Running Shared Process Manual
sffdisk SFF Storage Class Driver Stopped Kernel Driver Manual
sffp_mmc SFF Storage Protocol Driver for MMC Stopped Kernel Driver Manual
sffp_sd SFF Storage Protocol Driver for SDBus Stopped Kernel Driver Manual
sfloppy High-Capacity Floppy Disk Drive Stopped Kernel Driver Manual
SharedAccess Internet Connection Sharing (ICS) Stopped Shared Process Disabled
ShellHWDetection Shell Hardware Detection Running Shared Process Automatic
SiSRaid2 SiSRaid2 Stopped Kernel Driver Manual
SiSRaid4 SiSRaid4 Stopped Kernel Driver Manual
Smb Message-oriented TCP/IP and TCP/IPv6 Protocol (SMB session) Stopped Kernel Driver Manual
SNMPTRAP SNMP Trap Stopped Own Process Manual
Sophos Agent Sophos Agent Running Own Process Automatic
Sophos AutoUpdate Service Sophos AutoUpdate Service Running Own Process Automatic
Sophos Certification Manager Sophos Certification Manager Running Own Process Automatic
Sophos Management Service Sophos Management Service Running Own Process Automatic
Sophos Message Router Sophos Message Router Running Own Process Automatic
SophosBootDriver SophosBootDriver Stopped Kernel Driver Disabled
spldr Security Processor Loader Driver Running Kernel Driver Boot
Spooler Print Spooler Running Own Process(I) Automatic
sppsvc Software Protection Stopped Own Process Automatic
sppuinotify SPP Notification Service Stopped Shared Process Manual
SQLAgent$SOPHOS SQL Server Agent (SOPHOS) Stopped Own Process Disabled
SQLBrowser SQL Server Browser Running Own Process Automatic
SQLWriter SQL Server VSS Writer Running Own Process Automatic
srv Server SMB 1.xxx Driver Running File System Driver Manual
srv2 Server SMB 2.xxx Driver Running File System Driver Manual
srvnet srvnet Running File System Driver Manual
SSDPSRV SSDP Discovery Stopped Shared Process Disabled
SstpSvc Secure Socket Tunneling Protocol Service Stopped Shared Process Manual
stexstor stexstor Stopped Kernel Driver Manual
storflt Disk Virtual Machine Bus Acceleration Filter Driver Running Kernel Driver Boot
storvsc storvsc Stopped Kernel Driver Manual
storvsp storvsp Stopped Kernel Driver Manual
SUM Sophos Update Manager Running Own Process Automatic
swenum Software Bus Driver Running Kernel Driver Manual
swi_service Sophos Web Intelligence Service Running Own Process Automatic
swprv Microsoft Software Shadow Copy Provider Stopped Own Process Manual
SynthVid SynthVid Running Kernel Driver Manual
TapiSrv Telephony Stopped Own Process Manual
TBS TPM Base Services Stopped Shared Process Manual
Tcpip TCP/IP Protocol Driver Running Kernel Driver Boot
TCPIP6 Microsoft IPv6 Protocol Driver Stopped Kernel Driver Manual
tcpipreg TCP/IP Registry Compatibility Running Kernel Driver Automatic
TDPIPE TDPIPE Stopped Kernel Driver Manual
TDTCP TDTCP Running Kernel Driver Manual
tdx NetIO Legacy TDI Support Driver Running Kernel Driver System
TermDD Terminal Device Driver Running Kernel Driver System
TermService Remote Desktop Services Running Shared Process Manual
THREADORDER Thread Ordering Server Stopped Shared Process Manual
TrkWks Distributed Link Tracking Client Stopped Shared Process Manual
TrustedInstaller Windows Modules Installer Running Own Process Manual
tssecsrv Remote Desktop Services Security Filter Driver Running Kernel Driver Manual
TsUsbFlt TsUsbFlt Stopped Kernel Driver Manual
tunnel Microsoft Tunnel Miniport Adapter Driver Running Kernel Driver Manual
uagp35 Microsoft AGPv3.5 Filter Stopped Kernel Driver Manual
udfs udfs Stopped File System Driver Disabled
UI0Detect Interactive Services Detection Stopped Own Process(I) Manual
uliagpkx Uli AGP Bus Filter Stopped Kernel Driver Manual
umbus UMBus Enumerator Driver Running Kernel Driver Manual
UmPass Microsoft UMPass Driver Stopped Kernel Driver Manual
UmRdpService Remote Desktop Services UserMode Port Redirector Running Shared Process Manual
upnphost UPnP Device Host Stopped Shared Process Disabled
usbccgp Microsoft USB Generic Parent Driver Stopped Kernel Driver Manual
usbehci Microsoft USB 2.0 Enhanced Host Controller Miniport Driver Stopped Kernel Driver Manual
usbhub Microsoft USB Standard Hub Driver Stopped Kernel Driver Manual
usbohci Microsoft USB Open Host Controller Miniport Driver Stopped Kernel Driver Manual
usbprint Microsoft USB PRINTER Class Stopped Kernel Driver Manual
USBSTOR USB Mass Storage Driver Stopped Kernel Driver Manual
usbuhci Microsoft USB Universal Host Controller Miniport Driver Stopped Kernel Driver Manual
UxSms Desktop Window Manager Session Manager Running Shared Process Automatic
VaultSvc Credential Manager Stopped Shared Process Manual
vdrvroot Microsoft Virtual Drive Enumerator Driver Running Kernel Driver Boot
vds Virtual Disk Running Own Process Manual
vga vga Stopped Kernel Driver Manual
VgaSave VgaSave Running Kernel Driver System
vhdmp vhdmp Stopped Kernel Driver Manual
viaide viaide Stopped Kernel Driver Manual
Vid Vid Stopped Kernel Driver Manual
vmbus Virtual Machine Bus Running Kernel Driver Boot
VMBusHID VMBusHID Running Kernel Driver Manual
vmicheartbeat Hyper-V Heartbeat Service Running Own Process Automatic
vmickvpexchange Hyper-V Data Exchange Service Running Own Process Automatic
vmicshutdown Hyper-V Guest Shutdown Service Running Own Process Automatic
vmictimesync Hyper-V Time Synchronization Service Running Own Process Automatic
vmicvss Hyper-V Volume Shadow Copy Requestor Running Own Process Automatic
volmgr Volume Manager Driver Running Kernel Driver Boot
volmgrx Dynamic Volume Manager Running Kernel Driver Boot
volsnap Storage volumes Running Kernel Driver Boot
vsmraid vsmraid Stopped Kernel Driver Manual
VSS Volume Shadow Copy Stopped Own Process Manual
W32Time Windows Time Running Shared Process Manual
WacomPen Wacom Serial Pen HID Driver Stopped Kernel Driver Manual
WANARP Remote Access IP ARP Driver Stopped Kernel Driver Manual
Wanarpv6 Remote Access IPv6 ARP Driver Running Kernel Driver System
WcsPlugInService Windows Color System Stopped Shared Process Manual
Wd Wd Stopped Kernel Driver Manual
Wdf01000 Kernel Mode Driver Frameworks service Running Kernel Driver Boot
WdiServiceHost Diagnostic Service Host Stopped Shared Process Manual
WdiSystemHost Diagnostic System Host Stopped Shared Process Manual
Wecsvc Windows Event Collector Stopped Shared Process Manual
wercplsupport Problem Reports and Solutions Control Panel Support Stopped Shared Process Manual
WerSvc Windows Error Reporting Service Stopped Shared Process Manual
WfpLwf WFP Lightweight Filter Running Kernel Driver System
WIMMount WIMMount Stopped File System Driver Manual
WinHttpAutoProxySvc WinHTTP Web Proxy Auto-Discovery Service Stopped Shared Process Manual
Winmgmt Windows Management Instrumentation Running Shared Process Automatic
WinRM Windows Remote Management (WS-Management) Running Shared Process Automatic
WmiAcpi Microsoft Windows Management Interface for ACPI Stopped Kernel Driver Manual
wmiApSrv WMI Performance Adapter Stopped Own Process Manual
WPDBusEnum Portable Device Enumerator Service Stopped Shared Process Manual
ws2ifsl Windows Socket 2.0 Non-IFS Service Provider Support Environment Running Kernel Driver System
wuauserv Windows Update Running Shared Process Automatic
WudfPf User Mode Driver Frameworks Platform Driver Stopped Kernel Driver Manual
wudfsvc Windows Driver Foundation - User-mode Driver Framework Stopped Shared Process Manual
Section Detail
Service Name Logon Name Path Name
1394ohci \SystemRoot\system32\drivers\1394ohci.sys
ACPI \SystemRoot\system32\drivers\ACPI.sys
AcpiPmi \SystemRoot\system32\drivers\acpipmi.sys
adp94xx \SystemRoot\system32\DRIVERS\adp94xx.sys
adpahci \SystemRoot\system32\DRIVERS\adpahci.sys
adpu320 \SystemRoot\system32\DRIVERS\adpu320.sys
ADWS LocalSystem C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe
AeLookupSvc localSystem C:\Windows\system32\svchost.exe -k netsvcs
AFD \SystemRoot\system32\drivers\afd.sys
agp440 \SystemRoot\system32\drivers\agp440.sys
ALG NT AUTHORITY\LocalService C:\Windows\System32\alg.exe
aliide \SystemRoot\system32\drivers\aliide.sys
amdide \SystemRoot\system32\drivers\amdide.sys
AmdK8 \SystemRoot\system32\DRIVERS\amdk8.sys
AmdPPM \SystemRoot\system32\DRIVERS\amdppm.sys
amdsata \SystemRoot\system32\drivers\amdsata.sys
amdsbs \SystemRoot\system32\DRIVERS\amdsbs.sys
amdxata \SystemRoot\system32\drivers\amdxata.sys
AppID \SystemRoot\system32\drivers\appid.sys
AppIDSvc NT Authority\LocalService C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
Appinfo LocalSystem C:\Windows\system32\svchost.exe -k netsvcs
AppMgmt LocalSystem C:\Windows\system32\svchost.exe -k netsvcs
arc \SystemRoot\system32\DRIVERS\arc.sys
arcsas \SystemRoot\system32\DRIVERS\arcsas.sys
AsyncMac system32\DRIVERS\asyncmac.sys
atapi \SystemRoot\system32\drivers\atapi.sys
AudioEndpointBuilder LocalSystem C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
AudioSrv NT AUTHORITY\LocalService C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
b06bdrv \SystemRoot\system32\DRIVERS\bxvbda.sys
b57nd60a system32\DRIVERS\b57nd60a.sys
BDESVC localSystem C:\Windows\System32\svchost.exe -k netsvcs
Beep
BFE NT AUTHORITY\LocalService C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
BITS LocalSystem C:\Windows\System32\svchost.exe -k netsvcs
blbdrive system32\DRIVERS\blbdrive.sys
bowser system32\DRIVERS\bowser.sys
BrFiltLo \SystemRoot\system32\DRIVERS\BrFiltLo.sys
BrFiltUp \SystemRoot\system32\DRIVERS\BrFiltUp.sys
Browser LocalSystem C:\Windows\System32\svchost.exe -k netsvcs
Brserid \SystemRoot\System32\Drivers\Brserid.sys
BrSerWdm \SystemRoot\System32\Drivers\BrSerWdm.sys
BrUsbMdm \SystemRoot\System32\Drivers\BrUsbMdm.sys
BrUsbSer \SystemRoot\System32\Drivers\BrUsbSer.sys
cdfs system32\DRIVERS\cdfs.sys
cdrom \SystemRoot\system32\drivers\cdrom.sys
CertPropSvc LocalSystem C:\Windows\system32\svchost.exe -k netsvcs
CLFS \SystemRoot\System32\CLFS.sys
clr_optimization_v2.0.50727_32 LocalSystem C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
clr_optimization_v2.0.50727_64 LocalSystem C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
CmBatt \SystemRoot\system32\DRIVERS\CmBatt.sys
cmdide \SystemRoot\system32\drivers\cmdide.sys
CNG \SystemRoot\System32\Drivers\cng.sys
Compbatt \SystemRoot\system32\DRIVERS\compbatt.sys
CompositeBus \SystemRoot\system32\drivers\CompositeBus.sys
COMSysApp LocalSystem C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
crcdisk \SystemRoot\system32\DRIVERS\crcdisk.sys
CryptSvc NT Authority\NetworkService C:\Windows\system32\svchost.exe -k NetworkService
DcomLaunch LocalSystem C:\Windows\system32\svchost.exe -k DcomLaunch
defragsvc localSystem C:\Windows\system32\svchost.exe -k defragsvc
Dfs LocalSystem C:\Windows\system32\dfssvc.exe
DfsC System32\Drivers\dfsc.sys
DfsDriver system32\drivers\dfs.sys
DFSR LocalSystem C:\Windows\system32\DFSRs.exe
DfsrRo \SystemRoot\system32\drivers\dfsrro.sys
Dhcp NT Authority\LocalService C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
discache System32\drivers\discache.sys
Disk \SystemRoot\system32\DRIVERS\disk.sys
DNS LocalSystem C:\Windows\system32\dns.exe
Dnscache NT AUTHORITY\NetworkService C:\Windows\system32\svchost.exe -k NetworkService
dot3svc localSystem C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
DPS NT AUTHORITY\LocalService C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
DXGKrnl \SystemRoot\System32\drivers\dxgkrnl.sys
EapHost localSystem C:\Windows\System32\svchost.exe -k netsvcs
ebdrv \SystemRoot\system32\DRIVERS\evbda.sys
EFS LocalSystem C:\Windows\System32\lsass.exe
elxstor \SystemRoot\system32\DRIVERS\elxstor.sys
ErrDev \SystemRoot\system32\drivers\errdev.sys
eventlog NT AUTHORITY\LocalService C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
EventSystem NT AUTHORITY\LocalService C:\Windows\system32\svchost.exe -k LocalService
exfat
fastfat
FCRegSvc NT AUTHORITY\LocalService C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
fdc system32\DRIVERS\fdc.sys
fdPHost NT AUTHORITY\LocalService C:\Windows\system32\svchost.exe -k LocalService
FDResPub NT AUTHORITY\LocalService C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
FileInfo system32\drivers\fileinfo.sys
Filetrace system32\drivers\filetrace.sys
flpydisk system32\DRIVERS\flpydisk.sys
FltMgr \SystemRoot\system32\drivers\fltmgr.sys
FontCache NT AUTHORITY\LocalService C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
FontCache3.0.0.0 NT Authority\LocalService C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
FsDepends System32\drivers\FsDepends.sys
fvevol \SystemRoot\System32\DRIVERS\fvevol.sys
gagp30kx \SystemRoot\system32\DRIVERS\gagp30kx.sys
gpsvc LocalSystem C:\Windows\system32\svchost.exe -k netsvcs
HDAudBus \SystemRoot\system32\drivers\HDAudBus.sys
HidBatt \SystemRoot\system32\DRIVERS\HidBatt.sys
hidserv LocalSystem C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
HidUsb \SystemRoot\system32\drivers\hidusb.sys
hkmsvc localSystem C:\Windows\System32\svchost.exe -k netsvcs
HpSAMD \SystemRoot\system32\drivers\HpSAMD.sys
HTTP system32\drivers\HTTP.sys
hwpolicy \SystemRoot\System32\drivers\hwpolicy.sys
i8042prt \SystemRoot\system32\drivers\i8042prt.sys
iaStorV \SystemRoot\system32\drivers\iaStorV.sys
idsvc LocalSystem C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe
iirsp \SystemRoot\system32\DRIVERS\iirsp.sys
IKEEXT LocalSystem C:\Windows\system32\svchost.exe -k netsvcs
intelide \SystemRoot\system32\drivers\intelide.sys
intelppm system32\DRIVERS\intelppm.sys
ioatdma \SystemRoot\System32\Drivers\qd260x64.sys
IPBusEnum LocalSystem C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
IpFilterDriver system32\DRIVERS\ipfltdrv.sys
iphlpsvc LocalSystem C:\Windows\System32\svchost.exe -k NetSvcs
IPMIDRV \SystemRoot\system32\drivers\IPMIDrv.sys
IPNAT System32\drivers\ipnat.sys
isapnp \SystemRoot\system32\drivers\isapnp.sys
iScsiPrt \SystemRoot\system32\drivers\msiscsi.sys
IsmServ LocalSystem C:\Windows\System32\ismserv.exe
kbdclass \SystemRoot\system32\drivers\kbdclass.sys
kbdhid \SystemRoot\system32\drivers\kbdhid.sys
kdc LocalSystem C:\Windows\System32\lsass.exe
KeyIso LocalSystem C:\Windows\system32\lsass.exe
KSecDD \SystemRoot\System32\Drivers\ksecdd.sys
KSecPkg \SystemRoot\System32\Drivers\ksecpkg.sys
ksthunk \SystemRoot\system32\drivers\ksthunk.sys
KtmRm NT AUTHORITY\NetworkService C:\Windows\System32\svchost.exe -k NetworkServiceAndNoImpersonation
LanmanServer LocalSystem C:\Windows\system32\svchost.exe -k netsvcs
LanmanWorkstation NT AUTHORITY\NetworkService C:\Windows\System32\svchost.exe -k NetworkService
lltdio system32\DRIVERS\lltdio.sys
lltdsvc NT AUTHORITY\LocalService C:\Windows\System32\svchost.exe -k LocalService
lmhosts NT AUTHORITY\LocalService C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
LSI_FC \SystemRoot\system32\DRIVERS\lsi_fc.sys
LSI_SAS \SystemRoot\system32\DRIVERS\lsi_sas.sys
LSI_SAS2 \SystemRoot\system32\DRIVERS\lsi_sas2.sys
LSI_SCSI \SystemRoot\system32\DRIVERS\lsi_scsi.sys
luafv \SystemRoot\system32\drivers\luafv.sys
megasas \SystemRoot\system32\DRIVERS\megasas.sys
MegaSR \SystemRoot\system32\DRIVERS\MegaSR.sys
Microsoft SharePoint Workspace Audit Service NT AUTHORITY\ LocalService "C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
MMCSS LocalSystem C:\Windows\system32\svchost.exe -k netsvcs
Modem system32\drivers\modem.sys
monitor system32\DRIVERS\monitor.sys
mouclass \SystemRoot\system32\drivers\mouclass.sys
mouhid system32\DRIVERS\mouhid.sys
mountmgr \SystemRoot\System32\drivers\mountmgr.sys
mpio \SystemRoot\system32\drivers\mpio.sys
mpsdrv System32\drivers\mpsdrv.sys
MpsSvc NT Authority\ LocalService C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
mrxsmb system32\DRIVERS\mrxsmb.sys
mrxsmb10 system32\DRIVERS\mrxsmb10.sys
mrxsmb20 system32\DRIVERS\mrxsmb20.sys
msahci \SystemRoot\system32\drivers\msahci.sys
msdsm \SystemRoot\system32\drivers\msdsm.sys
MSDTC NT AUTHORITY\ NetworkService C:\Windows\System32\msdtc.exe
Msfs
mshidkmdf \SystemRoot\System32\drivers\mshidkmdf.sys
msisadrv \SystemRoot\system32\drivers\msisadrv.sys
MSiSCSI LocalSystem C:\Windows\system32\svchost.exe -k netsvcs
msiserver LocalSystem C:\Windows\system32\msiexec.exe /V
MsRPC
mssmbios \SystemRoot\system32\drivers\mssmbios.sys
MSSQL$SOPHOS LocalSystem "C:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SOPHOS\MSSQL\Binn\sqlservr.exe" -sSOPHOS
MSSQLServerADHelper100 LocalSystem C:\Program Files (x86)\Microsoft SQL Server\100\Shared\SQLADHLP.EXE
MTConfig \SystemRoot\system32\DRIVERS\MTConfig.sys
Mup \SystemRoot\System32\Drivers\mup.sys
napagent NT AUTHORITY\ NetworkService C:\Windows\System32\svchost.exe -k NetworkService
NDIS \SystemRoot\system32\drivers\ndis.sys
NdisCap system32\DRIVERS\ndiscap.sys
NdisTapi system32\DRIVERS\ndistapi.sys
Ndisuio system32\DRIVERS\ndisuio.sys
NdisWan system32\DRIVERS\ndiswan.sys
NDProxy
NetBIOS system32\DRIVERS\netbios.sys
NetBT System32\DRIVERS\netbt.sys
Netlogon LocalSystem C:\Windows\system32\lsass.exe
Netman LocalSystem C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
netprofm NT AUTHORITY\ LocalService C:\Windows\System32\svchost.exe -k LocalService
NetTcpPortSharing NT AUTHORITY\ LocalService C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe
netvsc \SystemRoot\system32\drivers\netvsc60.sys
nfrd960 \SystemRoot\system32\DRIVERS\nfrd960.sys
NlaSvc NT AUTHORITY\ NetworkService C:\Windows\System32\svchost.exe -k NetworkService
Npfs
nsi NT Authority\ LocalService C:\Windows\system32\svchost.exe -k LocalService
nsiproxy system32\drivers\nsiproxy.sys
NTDS LocalSystem C:\Windows\System32\lsass.exe
NtFrs LocalSystem C:\Windows\system32\ntfrs.exe
Ntfs
Null
nv_agp \SystemRoot\system32\drivers\nv_agp.sys
nvraid \SystemRoot\system32\drivers\nvraid.sys
nvstor \SystemRoot\system32\drivers\nvstor.sys
ohci1394 \SystemRoot\system32\drivers\ohci1394.sys
ose LocalSystem C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
osppsvc NT AUTHORITY\ NetworkService C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Parport \SystemRoot\system32\DRIVERS\parport.sys
partmgr \SystemRoot\System32\drivers\partmgr.sys
pci \SystemRoot\system32\drivers\pci.sys
pciide \SystemRoot\system32\drivers\pciide.sys
pcmcia \SystemRoot\system32\DRIVERS\pcmcia.sys
pcw \SystemRoot\System32\drivers\pcw.sys
PEAUTH system32\drivers\peauth.sys
PerfHost NT AUTHORITY\ LocalService C:\Windows\SysWow64\perfhost.exe
pla NT AUTHORITY\ LocalService C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
PlugPlay LocalSystem C:\Windows\system32\svchost.exe -k DcomLaunch
PolicyAgent NT Authority\ NetworkService C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
Power LocalSystem C:\Windows\system32\svchost.exe -k DcomLaunch
PptpMiniport system32\DRIVERS\raspptp.sys
Processor \SystemRoot\system32\DRIVERS\processr.sys
ProfSvc LocalSystem C:\Windows\system32\svchost.exe -k netsvcs
ProtectedStorage LocalSystem C:\Windows\system32\lsass.exe
Psched system32\DRIVERS\pacer.sys
ql2300 \SystemRoot\system32\DRIVERS\ql2300.sys
ql40xx \SystemRoot\system32\DRIVERS\ql40xx.sys
RasAcd System32\DRIVERS\rasacd.sys
RasAgileVpn system32\DRIVERS\AgileVpn.sys
RasAuto localSystem C:\Windows\System32\svchost.exe -k netsvcs
Rasl2tp system32\DRIVERS\rasl2tp.sys
RasMan localSystem C:\Windows\System32\svchost.exe -k netsvcs
RasPppoe system32\DRIVERS\raspppoe.sys
RasSstp system32\DRIVERS\rassstp.sys
rdbss system32\DRIVERS\rdbss.sys
rdpbus system32\DRIVERS\rdpbus.sys
RDPCDD System32\DRIVERS\RDPCDD.sys
RDPDR System32\drivers\rdpdr.sys
RDPENCDD system32\drivers\rdpencdd.sys
RDPREFMP system32\drivers\rdprefmp.sys
RDPWD
RemoteAccess localSystem C:\Windows\System32\svchost.exe -k netsvcs
RemoteRegistry NT AUTHORITY\ LocalService C:\Windows\system32\svchost.exe -k regsvc
RpcEptMapper NT AUTHORITY\ NetworkService C:\Windows\system32\svchost.exe -k RPCSS
RpcLocator NT AUTHORITY\ NetworkService C:\Windows\system32\locator.exe
RpcSs NT AUTHORITY\ NetworkService C:\Windows\system32\svchost.exe -k rpcss
RSoPProv LocalSystem C:\Windows\system32\RSoPProv.exe
rspndr system32\DRIVERS\rspndr.sys
s3cap \SystemRoot\system32\drivers\vms3cap.sys
sacdrv \SystemRoot\system32\DRIVERS\sacdrv.sys
sacsvr LocalSystem C:\Windows\System32\svchost.exe -k netsvcs
SamSs LocalSystem C:\Windows\system32\lsass.exe
SAVAdminService LocalSystem C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe
SAVOnAccess system32\DRIVERS\savonaccess.sys
SAVService NT AUTHORITY\ LocalService C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe
sbp2port \SystemRoot\system32\drivers\sbp2port.sys
SCardSvr NT AUTHORITY\ LocalService C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
scfilter System32\DRIVERS\scfilter.sys
Schedule LocalSystem C:\Windows\system32\svchost.exe -k netsvcs
SCPolicySvc LocalSystem C:\Windows\system32\svchost.exe -k netsvcs
secdrv
seclogon LocalSystem C:\Windows\system32\svchost.exe -k netsvcs
SENS LocalSystem C:\Windows\system32\svchost.exe -k netsvcs
Serenum system32\DRIVERS\serenum.sys
Serial system32\DRIVERS\serial.sys
sermouse \SystemRoot\system32\DRIVERS\sermouse.sys
SessionEnv localSystem C:\Windows\System32\svchost.exe -k netsvcs
sffdisk \SystemRoot\system32\drivers\sffdisk.sys
sffp_mmc \SystemRoot\system32\drivers\sffp_mmc.sys
sffp_sd \SystemRoot\system32\drivers\sffp_sd.sys
sfloppy \SystemRoot\system32\DRIVERS\sfloppy.sys
SharedAccess LocalSystem C:\Windows\System32\svchost.exe -k netsvcs
ShellHWDetection LocalSystem C:\Windows\System32\svchost.exe -k netsvcs
SiSRaid2 \SystemRoot\system32\DRIVERS\SiSRaid2.sys
SiSRaid4 \SystemRoot\system32\DRIVERS\sisraid4.sys
Smb system32\DRIVERS\smb.sys
SNMPTRAP NT AUTHORITY\ LocalService C:\Windows\System32\snmptrap.exe
Sophos Agent LocalSystem "C:\Program Files (x86)\Sophos\Enterprise Console\Remote Management System\ManagementAgentNT.exe" -service -name Agent
Sophos AutoUpdate Service LocalSystem "C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe"
Sophos Certification Manager LocalSystem "C:\Program Files (x86)\Sophos\Enterprise Console\CertificationManagerServiceNT.exe" -background -ORBSvcConf "C:\Program Files (x86)\Sophos\Enterprise Console\svc.conf"
Sophos Management Service LocalSystem "C:\Program Files (x86)\Sophos\Enterprise Console\MgntSvc.exe"
Sophos Message Router LocalSystem "C:\Program Files (x86)\Sophos\Enterprise Console\Remote Management System\RouterNT.exe" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194
SophosBootDriver system32\DRIVERS\SophosBootDriver.sys
spldr
Spooler LocalSystem C:\Windows\System32\spoolsv.exe
sppsvc NT AUTHORITY\ NetworkService C:\Windows\system32\sppsvc.exe
sppuinotify NT AUTHORITY\ LocalService C:\Windows\system32\svchost.exe -k LocalService
SQLAgent$SOPHOS NT AUTHORITY\ NETWORK SERVICE "C:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SOPHOS\MSSQL\Binn\SQLAGENT.EXE" -i SOPHOS
SQLBrowser NT AUTHORITY\ LOCAL SERVICE C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
SQLWriter LocalSystem C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
srv System32\DRIVERS\srv.sys
srv2 System32\DRIVERS\srv2.sys
srvnet System32\DRIVERS\srvnet.sys
SSDPSRV NT AUTHORITY\ LocalService C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
SstpSvc NT Authority\ LocalService C:\Windows\system32\svchost.exe -k LocalService
stexstor \SystemRoot\system32\DRIVERS\stexstor.sys
storflt \SystemRoot\system32\drivers\vmstorfl.sys
storvsc \SystemRoot\system32\drivers\storvsc.sys
storvsp \SystemRoot\system32\drivers\storvsp.sys
SUM LocalSystem C:\Program Files (x86)\Sophos\Enterprise Console\SUM\SUMService.exe
swenum \SystemRoot\system32\drivers\swenum.sys
swi_service NT AUTHORITY\ LocalService C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe
swprv LocalSystem C:\Windows\System32\svchost.exe -k swprv
SynthVid \SystemRoot\system32\drivers\VMBusVideoM.sys
TapiSrv NT AUTHORITY\ NetworkService C:\Windows\System32\svchost.exe -k tapisrv
TBS NT AUTHORITY\ LocalService C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation
Tcpip \SystemRoot\System32\drivers\tcpip.sys
TCPIP6 system32\DRIVERS\tcpip.sys
tcpipreg System32\drivers\tcpipreg.sys
TDPIPE system32\drivers\tdpipe.sys
TDTCP system32\drivers\tdtcp.sys
tdx system32\DRIVERS\tdx.sys
TermDD \SystemRoot\system32\drivers\termdd.sys
TermService NT Authority\ NetworkService C:\Windows\System32\svchost.exe -k termsvcs
THREADORDER NT AUTHORITY\ LocalService C:\Windows\system32\svchost.exe -k LocalService
TrkWks LocalSystem C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
TrustedInstaller localSystem C:\Windows\servicing\TrustedInstaller.exe
tssecsrv System32\DRIVERS\tssecsrv.sys
TsUsbFlt system32\drivers\tsusbflt.sys
tunnel system32\DRIVERS\tunnel.sys
uagp35 \SystemRoot\system32\DRIVERS\uagp35.sys
udfs system32\DRIVERS\udfs.sys
UI0Detect LocalSystem C:\Windows\system32\UI0Detect.exe
uliagpkx \SystemRoot\system32\drivers\uliagpkx.sys
umbus system32\DRIVERS\umbus.sys
UmPass \SystemRoot\system32\DRIVERS\umpass.sys
UmRdpService localSystem C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
upnphost NT AUTHORITY\ LocalService C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
usbccgp \SystemRoot\system32\drivers\usbccgp.sys
usbehci \SystemRoot\system32\DRIVERS\usbehci.sys
usbhub \SystemRoot\system32\drivers\usbhub.sys
usbohci \SystemRoot\system32\DRIVERS\usbohci.sys
usbprint \SystemRoot\system32\DRIVERS\usbprint.sys
USBSTOR \SystemRoot\system32\drivers\USBSTOR.SYS
usbuhci \SystemRoot\system32\DRIVERS\usbuhci.sys
UxSms localSystem C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
VaultSvc LocalSystem C:\Windows\system32\lsass.exe
vdrvroot \SystemRoot\system32\drivers\vdrvroot.sys
vds LocalSystem C:\Windows\System32\vds.exe
vga system32\DRIVERS\vgapnp.sys
VgaSave \SystemRoot\System32\drivers\vga.sys
vhdmp \SystemRoot\system32\drivers\vhdmp.sys
viaide \SystemRoot\system32\drivers\viaide.sys
Vid \SystemRoot\system32\drivers\Vid.sys
vmbus \SystemRoot\system32\drivers\vmbus.sys
VMBusHID \SystemRoot\system32\drivers\VMBusHID.sys
vmicheartbeat NT AUTHORITY\ NetworkService C:\Windows\system32\vmicsvc.exe -feature Heartbeat
vmickvpexchange NT AUTHORITY\ LocalService C:\Windows\system32\vmicsvc.exe -feature KvpExchange
vmicshutdown LocalSystem C:\Windows\system32\vmicsvc.exe -feature Shutdown
vmictimesync NT AUTHORITY\ LocalService C:\Windows\system32\vmicsvc.exe -feature TimeSync
vmicvss LocalSystem C:\Windows\system32\vmicsvc.exe -feature VSS
volmgr \SystemRoot\system32\drivers\volmgr.sys
volmgrx \SystemRoot\System32\drivers\volmgrx.sys
volsnap \SystemRoot\system32\drivers\volsnap.sys
vsmraid \SystemRoot\system32\DRIVERS\vsmraid.sys
VSS LocalSystem C:\Windows\system32\vssvc.exe
W32Time NT AUTHORITY\ LocalService C:\Windows\system32\svchost.exe -k LocalService
WacomPen \SystemRoot\system32\DRIVERS\wacompen.sys
WANARP system32\DRIVERS\wanarp.sys
Wanarpv6 system32\DRIVERS\wanarp.sys
WcsPlugInService NT AUTHORITY\ LocalService C:\Windows\system32\svchost.exe -k wcssvc
Wd \SystemRoot\system32\DRIVERS\wd.sys
Wdf01000 \SystemRoot\system32\drivers\Wdf01000.sys
WdiServiceHost NT AUTHORITY\ LocalService C:\Windows\System32\svchost.exe -k LocalService
WdiSystemHost LocalSystem C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
Wecsvc NT AUTHORITY\ NetworkService C:\Windows\system32\svchost.exe -k NetworkService
wercplsupport localSystem C:\Windows\System32\svchost.exe -k netsvcs
WerSvc localSystem C:\Windows\System32\svchost.exe -k WerSvcGroup
WfpLwf system32\DRIVERS\wfplwf.sys
WIMMount system32\drivers\wimmount.sys
WinHttpAutoProxySvc NT AUTHORITY\ LocalService C:\Windows\system32\svchost.exe -k LocalService
Winmgmt localSystem C:\Windows\system32\svchost.exe -k netsvcs
WinRM NT AUTHORITY\ NetworkService C:\Windows\System32\svchost.exe -k NetworkService
WmiAcpi \SystemRoot\system32\drivers\wmiacpi.sys
wmiApSrv localSystem C:\Windows\system32\wbem\WmiApSrv.exe
WPDBusEnum LocalSystem C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
ws2ifsl \SystemRoot\system32\drivers\ws2ifsl.sys
wuauserv LocalSystem C:\Windows\system32\svchost.exe -k netsvcs
WudfPf system32\drivers\WudfPf.sys
wudfsvc LocalSystem C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
Services and Drivers
A service is an executable object that is installed in a registry database maintained by the Service Control Manager. The executable file associated with a service can be started at boot time by a boot program or by the system, or the Service Control Manager can start it on demand. The two types of service are Win32 services and driver services.
A Win32 service is a service that conforms to the interface rules of the Service Control Manager. This enables the Service Control Manager to start the service at system start-up or on demand and enables communication between the service and service control programs. A Win32 service can execute in its own process, or it can share a process with other Win32 services.
A driver service is a service that follows the device driver protocols for Microsoft Windows rather than using the Service Control Manager interface.
Implications
Having inappropriate or unnecessary services installed can create security risks and provide potential access paths or tools to intruders.
There are a great number of services that can be installed, and it would require volumes to document the security implications attached to each one. Some of them will increase security risks if not appropriately configured, controlled and secured. Examples are Remote Access Services (RAS), Internet-related services and network services.
Some of the more common services are:
Service Function Comments
NetDDE, NetDDEdsdm Services for creating a communication channel or a trusted share for Windows applications to share data over a network.
Shares (directories, files and printers) should be managed to ensure that sensitive information is not made available unnecessarily via this channel.
EventLog, SENS Event Log Service and System Event Notification Service.
Ensure these services are started to enable the capturing of event messages to the logs.
SNMP, SNMPTRAP Simple Network Management Protocol to manage devices on a network.
Manage access to information via this protocol, as it can supply valuable information about your network and network devices.
W3SVC, IISADMIN, IAS Internet Information Server, World Wide Web Publishing Service and Internet Authentication Service.
Ensure correct configuration of these services as misconfiguration of these can compromise security.
RemoteAccess, Rasman, RasAcd, RasAuto, RasArp
Remote Access services. Ensure correct configuration of these services as misconfiguration of these can compromise security.
NdisTapi, NdisWan, NetBIOS, NwlnkSpx, Tcpip
Network Protocol and Transport layer services/drivers.
Ensure that these protocols/drivers are configured correctly as incorrect configuration can leave the network open to penetration.
Attaching unsecured logon accounts to services can create significant security exposures.
Installing service executables in unsecured directories can also create significant security exposures.
Risk Rating
Medium to High (Depending on the type of services installed, their configuration and security settings).
Recommended Action
You should ensure that:
Only required and appropriate services are installed.
Their configuration and security settings are to appropriate standards.
Service executables are in secure directories.
Logon accounts attached to services have the appropriate security settings to help prevent illegal access.
The rights assigned to user accounts and groups are effectively controlled (consult report section titled Rights and Privileges).
Effective virus detection and prevention services are installed, running and activated/started automatically at system start-up time.
31. Server Roles and Features
Section Summary
There are 26 Server roles and features installed on the system.
Section Detail
Server Roles and Features
.NET Framework 4.5 Features
--- .NET Framework 4.5
--- WCF Services
------ TCP Port Sharing
Active Directory Domain Services
DNS Server
File And Storage Services
--- File and iSCSI Services
------ File Server
--- Storage Services
Group Policy Management
Remote Server Administration Tools
--- Role Administration Tools
------ AD DS and AD LDS Tools
--------- Active Directory module for Windows PowerShell
--------- AD DS Tools
------------ Active Directory Administrative Center
------------ AD DS Snap-Ins and Command-Line Tools
------ DNS Server Tools
User Interfaces and Infrastructure
--- Graphical Management Tools and Infrastructure
--- Server Graphical Shell
Windows PowerShell
--- Windows PowerShell 3.0
--- Windows PowerShell ISE
WoW64 Support
Implications
All roles and features installed on your Server increase the attack surface of your system and present additional opportunities for intruders to exploit any vulnerabilities that may exist. Your system is particularly vulnerable if Windows features are incorrectly configured.
Unnecessary roles and features also consume system resources, such as disk space and CPU cycles. In addition, they increase the frequency of Microsoft updates and associated system restarts.
Risk Rating
Medium to High (Depending on the role or feature).
Recommended Action
You should ensure that:
All installed roles and features are appropriate and authorised
Windows roles and features are appropriately configured
You should also consider using a minimal Server Core installation, rather than versions of Windows Server that install the full GUI with unnecessary components, such as Windows Explorer, Internet Explorer and the Control Panel.
For more information about Server Core see: http://en.wikipedia.org/wiki/Windows_Server_2008#Server_Core.
32. Task Scheduler
Section Summary
There are 71 scheduled tasks defined in 52 task folders:
33.8% (24) of tasks are hidden
73.2% (52) of tasks are enabled
26.8% (19) of tasks are disabled
39.4% (28) of tasks have never executed
12.7% (9) of tasks returned a non-zero result (may have failed)
The registered tasks contain 69 event triggers
17.4% (12) of event triggers are disabled
Section Detail
For details see worksheet Scheduled_Tasks in the MS-Excel workbook.
Implications
The Task Scheduler ensures that important system maintenance and diagnostic functions are performed on a regular and consistent basis without the need for manual intervention.
Some examples of scheduled tasks are jobs that:
Create regular system protection points
Download and install anti-virus updates
Ensure digital certificates for users and machines are current and valid
Consolidate fragmented space on disk drives
Synchronise the system time
If certain tasks do not execute, or they fail to complete successfully, it could impact on the performance, stability or security of your system.
Risk Rating
Low to medium (Depending on the task and its status).
Recommended Action
You should ensure that important scheduled tasks:
Are configured in accordance with your requirements
Are not accidentally disabled
Execute successfully
33. Security Updates, Patches and Hot-Fixes
Section Summary
There are 2 Security Updates, Patches and Hot-Fixes installed on this system.
Windows Update Settings
Windows Update status: OK
Important updates: Download updates but let me choose whether to install them
Install new updates: Every day at 03:00
Recommended updates: No
Allow all users to install: Yes
Configuration enforced: No
Updates were installed: 23-Sep-2013 10:09:13
Most recent check for updates: 25-Oct-2013 03:52:33
Section Detail
Update Reference Install Date Installed By Service Pack Description
KB976902 10/14/2013 SNAKE\administrator Update
KB976932 10/14/2013 SNAKE\administrator Service Pack
Implications
This report section lists hot-fixes installed on the system by Microsoft’s hotfix.exe or update.exe utilities.
Note that hot-fixes and patches applied to third-party (non-Microsoft) software products are not included because they are typically not installed by these utilities. Examples of other exclusions are entries written by Shavlik (records are in a proprietary format) and records relating to uninstall routines, such as ServicePackUninstall.
A software patch or hot-fix is a program file that installs one or more files on your system to correct a software problem. A Windows hot-fix program file is typically named KBnnnnnn.exe (or Qnnnnnn.exe), where nnnnnn is a six-digit number assigned by Microsoft. You can obtain details of a hot-fix by searching Microsoft’s Knowledge Base (KB) on the unique hot-fix number.
Many hot-fixes address security vulnerabilities that are discovered in software components, such as Windows, Exchange, Internet Explorer, IIS and SQL.
If you lack a policy to ensure relevant hot-fixes are promptly identified and installed, your system will be exposed to an increased risk of being compromised, damaged or exploited.
Some examples of these security exposures are: unauthorised remote access to your system; illegal execution of code; elevation of privileges; and denial of service attacks.
Risk Rating
Medium to High (Depending on the vulnerability).
Recommended Action
You should implement policy to ensure you are aware of newly discovered security vulnerabilities. You should also ensure that appropriate hot-fixes are promptly evaluated and installed on your systems.
Microsoft offers several advisory services and tools that can assist you with the process. These include Technet, various notification services and security bulletins, and tools such as Hfnetchk, which checks computers for the absence of security patches / hot-fixes.
34. Products Installed
Section Summary
There are 39 MSI-installed software products on this system.
Section Detail
Product Name Version Install Date
Publisher
Acrobat.com 1.6.65 2012-01-24 Adobe Systems Incorporated
Adobe AIR 1.5.0.7220 2012-01-24 Adobe Systems Inc.
Adobe Reader 9.1 9.1.0 2012-01-24 Adobe Systems Incorporated
Microsoft Office Access MUI (English) 2010 14.0.4763.1000 2012-01-24 Microsoft Corporation
Microsoft Office Access Setup Metadata MUI (English) 2010 14.0.4763.1000 2012-01-24 Microsoft Corporation
Microsoft Office Excel MUI (English) 2010 14.0.4763.1000 2012-01-24 Microsoft Corporation
Microsoft Office Groove MUI (English) 2010 14.0.4763.1000 2012-01-24 Microsoft Corporation
Microsoft Office InfoPath MUI (English) 2010 14.0.4763.1000 2012-01-24 Microsoft Corporation
Microsoft Office Office 64-bit Components 2010 14.0.4763.1000 2012-01-24 Microsoft Corporation
Microsoft Office OneNote MUI (English) 2010 14.0.4763.1000 2012-01-24 Microsoft Corporation
Microsoft Office Outlook MUI (English) 2010 14.0.4763.1000 2012-01-24 Microsoft Corporation
Microsoft Office PowerPoint MUI (English) 2010 14.0.4763.1000 2012-01-24 Microsoft Corporation
Microsoft Office Professional Plus 2010 14.0.4763.1000 2012-01-24 Microsoft Corporation
Microsoft Office Proof (English) 2010 14.0.4763.1000 2012-01-24 Microsoft Corporation
Microsoft Office Proof (French) 2010 14.0.4763.1000 2012-01-24 Microsoft Corporation
Microsoft Office Proof (Spanish) 2010 14.0.4763.1000 2012-01-24 Microsoft Corporation
Microsoft Office Proofing (English) 2010 14.0.4763.1000 2012-01-24 Microsoft Corporation
Microsoft Office Publisher MUI (English) 2010 14.0.4763.1000 2012-01-24 Microsoft Corporation
Microsoft Office Shared 64-bit MUI (English) 2010 14.0.4763.1000 2012-01-24 Microsoft Corporation
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010 14.0.4763.1000 2012-01-24 Microsoft Corporation
Microsoft Office Shared MUI (English) 2010 14.0.4763.1000 2012-01-24 Microsoft Corporation
Microsoft Office Shared Setup Metadata MUI (English) 2010 14.0.4763.1000 2012-01-24 Microsoft Corporation
Microsoft Office Word MUI (English) 2010 14.0.4763.1000 2012-01-24 Microsoft Corporation
Microsoft SQL Server 2008 Browser 10.1.2531.0 2012-01-24 Microsoft Corporation
Microsoft SQL Server 2008 Common Files 10.0.1600.22 2012-01-24 Microsoft Corporation
Microsoft SQL Server 2008 Common Files 10.1.2531.0 2012-01-24 Microsoft Corporation
Microsoft SQL Server 2008 Database Engine Services 10.1.2531.0 2012-01-24 Microsoft Corporation
Microsoft SQL Server 2008 Database Engine Services 10.1.2531.0 2012-01-24 Microsoft Corporation
Microsoft SQL Server 2008 Database Engine Shared 10.1.2531.0 2012-01-24 Microsoft Corporation
Microsoft SQL Server 2008 Database Engine Shared 10.1.2531.0 2012-01-24 Microsoft Corporation
Microsoft SQL Server 2008 Native Client 10.1.2531.0 2012-01-24 Microsoft Corporation
Microsoft SQL Server 2008 RsFx Driver 10.1.2531.0 2012-01-24 Microsoft Corporation
Microsoft SQL Server 2008 Setup Support Files 10.1.2531.0 2012-01-24 Microsoft Corporation
Microsoft SQL Server VSS Writer 10.1.2531.0 2012-01-24 Microsoft Corporation
Sophos Anti-Virus 9.7.0 2012-01-24 Sophos Limited
Sophos AutoUpdate 2.5.8 2012-01-24 Sophos Limited
Sophos Enterprise Console 4.5.1 2012-01-24 Sophos Plc
Sophos Update Manager 1.1.1.141 2012-01-24 Sophos plc
Sql Server Customer Experience Improvement Program 10.1.2531.0 2012-01-24 Microsoft Corporation
For details of all properties see worksheet Products in the MS-Excel workbook.
Implications
This report section lists software products that were installed by Windows Installer (MSI). Unauthorised software installations could cause the following risks:
Compromised security, if the software does not originate from a reputable vendor or it has not been properly tested prior to implementation.
Legal action and penalties due to the use of unlicensed software on your systems.
Additional training and maintenance costs due to the need to support multiple versions of similar software.
Risk Rating
Medium / High (if unauthorised software is installed on your system).
Recommended Action
You should ensure that software policies define a list of approved software and prevent the installation of unauthorised software products. Policies should be consistently enforced and regularly monitored for compliance.
35. Current Network Connections
Section Summary
SekChek was unable to analyse active network connections because the required dll was not present on the system.
Section Detail
** No data found. **
Process ID: The process identification number attached to the Current Network Connection.
Local Address: The address of the local end of the socket.
Local Port: The port number of the local end of the socket.
Remote Address: The address of the remote end of the socket.
Remote Port: The port number of the remote end of the socket.
State: Shows the connection state of the socket. This can be one of the following values:
CLOSE_WAIT: The remote end has shut down, waiting for the socket to close
CLOSED: The socket is not being used
CLOSING: Both sockets are shut down but we still don’t have all our data sent
ESTABLISHED: The socket has an established connection
FIN_WAIT1: The socket is closed and the connection is shutting down
FIN_WAIT2: The connection is closed and the socket is waiting for a shutdown from the remote end
IDLE: Idle, opened but not bound
LAST_ACK: The remote end has shut down and the socket is closed. Waiting for acknowledgement
LISTENING: The socket is listening for incoming connections
SYN_RECV: A connection request has been received from the network
SYN_SENT: The socket is actively attempting to establish a connection
TIME_WAIT: The socket is waiting after close to handle packets still in the network
UNKNOWN: The state of the socket is unknown
Filename: The filename of the process that is attached to the Current Network Connection.
Implications
This report section lists all active network connections for TCP protocols, including the local and remote addresses, the ports in use and the state of each connection. It does not indicate which services are configured to use these ports.
The port numbers used by some of the most common network services are:
Port number Service
7 echo
20 ftp data
21 ftp
22 ssh
23 telnet
25 smtp
43 whois
53 DNS
69 tftp
79 finger
80 http
110 POP3
119 nntp
143 IMAP
161 snmp
443 https
512 exec
194 irc
Network services and their associated ports provide several opportunities for intruders to exploit your system. Some examples are:
Services such as telnet (port 23) and ftp (port 21) transmit user passwords in clear text format, which makes them vulnerable to access via ‘sniffer’ software;
Older versions of services often contain security weaknesses, which can be exploited to gain access to your system using the account under which the service is run;
Services such as finger (port 79) provide intruders with useful information about your system, such as details of inactive user accounts, which can be used to gain access to your system.
Risk Rating
Medium to High. (If inappropriate network services are running)
Recommended Action
You should determine what services are configured to use these ports and:
Disable any unused or redundant services;
Limit the number of services that run under the ‘administrator’ account by running them under an account with less privileges;
Frequently check with your software vendor for security vulnerabilities in the services you are running and apply any relevant software patches;
Consider replacing services that transmit passwords in clear text format with more secure software;
Ensure that hosts running open services are located behind properly configured firewall machines;
Monitor open ports and connections for signs of unusual activity, particularly from addresses external to your organisation.
36. Logical Drives
Section Summary
There were a total of 4 logical drives defined to your domain controller when this analysis was run.
Section Detail
Drive | Type | Volume Name | Serial Number | File System | Disk Size (MB) | Free Space (MB) | % Free | Comment
A:\ | Removable | | | | | | |
C:\ | Fixed | | 7CA7-6D3D | NTFS | 40857 | 24409 | 59.74% |
D:\ | CDROM | 20120124_1531 | C71C-CE20 | CDFS | 78 | | 0.00% |
Z:\ | Remote | New Volume | 45BD-987 | NTFS | 2996 | 2977 | 99.35% |
Disk Quotas: Note that the free space displayed for a drive may exceed the disk size if disk quotas are used (indicated by **User Quotas** in the Comment field). This is because the Free Space column indicates the total amount of free space on the drive, while the Disk Size column indicates the space available to the user under the disk quota rules.
Implications
The NTFS file system provides more security features than the FAT system. It should be used whenever security is a concern. With NTFS, you can assign a variety of protections to files and directories.
Risk Rating
Medium to High (Depending on the sensitivity of files and directories).
Recommended Action
As a rule, you should ensure that sensitive files and directories are on NTFS partitions.
37. Network Shares
Section Summary
There were a total of 10 Network Shares defined to your domain controller when this analysis was run.
Section Detail
Share Name | Path | Type | Max Uses | Remark
ADMIN$ | C:\Windows | Special Share | *unlimited* | Remote Admin
BG temp | C:\BG temp | File Share | *unlimited* |
C$ | C:\ | Special Share | *unlimited* | Default share
IPC$ | | Interprocess communication (IPC) | *unlimited* | Remote IPC
NETLOGON | C:\Windows\SYSVOL\sysvol\Snake.com\SCRIPTS | File Share | *unlimited* | Logon server share
SophosUpdate | C:\ProgramData\Sophos\Update Manager\Update Manager | File Share | *unlimited* |
SUMInstallSet | C:\Program Files (x86)\Sophos\Enterprise Console\SUMInstaller | File Share | *unlimited* | Sophos Update Manager Installer
SYSVOL | C:\Windows\SYSVOL\sysvol | File Share | *unlimited* | Logon server share
WolfSpace_2 | C:\BG temp | File Share | *unlimited* |
WolfSpace1 | C:\DfsRoots\WolfSpace1 | File Share | *unlimited* |
Implications
Windows Server enables you to designate resources you want to share with others. For example:
When a directory is shared, authorised users can make connections to the directory (and access its files) from their own workstations.
When a printer is shared, many users can print from it over the network.
Once a resource is shared, you can restrict its availability over the network to certain users. These restrictions, called share permissions, can vary from user to user. With Windows Server, you create the appropriate level of network resources security with a combination of resource sharing and resource permissions.
Risk Rating
Medium to High (Depending on the sensitivity of the data stored in the shared directories).
Recommended Action
You should ensure that directories containing sensitive data files are not shared or are adequately secured via resource permissions.
38. Home Directories, Logon Scripts and Profiles
Section Summary
All Accounts:
100.0% (16) of user accounts do not have a home directory.
100.0% (16) of user accounts do not have a logon script.
100.0% (16) of user accounts are not restricted to logging on from specific workstations.
100.0% (16) of user accounts do not have specific logon profiles.
Excluding Disabled Accounts:
68.8% (11) of user accounts do not have a home directory.
68.8% (11) of user accounts do not have a logon script.
68.8% (11) of user accounts are not restricted to logging on from specific workstations.
68.8% (11) of user accounts do not have specific logon profiles.
All Administrator Accounts:
100.0% (2) of administrator accounts do not have a home directory.
100.0% (2) of administrator accounts do not have a logon script.
100.0% (2) of administrator accounts are not restricted to logging on from specific workstations.
100.0% (2) of administrator accounts do not have specific logon profiles.
Administrator Accounts (Excluding Disabled Accounts):
100.0% (2) of administrator accounts do not have a home directory.
100.0% (2) of administrator accounts do not have a logon script.
100.0% (2) of administrator accounts are not restricted to logging on from specific workstations.
100.0% (2) of administrator accounts do not have specific logon profiles.
Industry Average Comparison (All Accounts)
Section Detail
Account Name | Home Directory | Logon Script Path | Workstation Restrictions | Logon Profile | State | Privilege
Administrator | No | No | No | No | | Administrator
bradley | No | No | No | No | | User
GpLinkTest | No | No | No | No | | Administrator
Guest | No | No | No | No | D | Guest
krbtgt | No | No | No | No | D | User
SophosSAUPUFFADDER0 | No | No | No | No | | User
SophosUpdateMgr | No | No | No | No | | User
Sun | No | No | No | No | | User
SUPPORT_388945a0 | No | No | No | No | D | User
User4 | No | No | No | No | | User
User5 | No | No | No | No | | User
User6 | No | No | No | No | E | User
User7 | No | No | No | No | | User
User9 | No | No | No | No | LE | User
Virtual1 | No | No | No | No | | User
Virtual2 | No | No | No | No | | User
Implications
A home directory is used as the user’s default directory for the “File Open” and “Save As” dialog boxes, for the command prompt, and for all applications that do not have a defined working directory.
Home directories make it easier for an administrator to back up user files and delete user accounts because they are grouped in one location.
The home directory can be a local directory on a user’s computer or a shared network directory, and can be assigned to a single user or many users.
A user’s logon script runs automatically every time the user logs on. It can be used to configure a user’s working environment at every logon, and allows an administrator to affect a user’s environment without managing all its aspects. A logon script can be assigned to one or more user accounts.
In Windows 200x* Server, Workstation Restrictions can be used to control the computers from which a user is allowed to log on. The alternative is to allow a user to logon from any computer.
Restricting the workstations a user can use to log on to your system can improve security and discourage potential hackers. This is especially true for sensitive accounts.
A user profile defines the Windows 200x* configuration for a specific user or group of users.
By default, and excepting Guest accounts, each Windows 200x* computer maintains a profile for each user who has logged on to the computer. A profile contains information about a user's Windows 200x* configuration. Much of this information controls options the user can set, such as colour scheme, screen savers, and mouse and keyboard layout.
Other information in the profile controls options that can be set only by a Windows 200x* administrator, such as access to common program groups or network printers.
Risk Rating
Medium to Low.
Recommended Action
To minimise potential loss of data and ease administration, users should have defined home directories, which can be regularly backed up.
To ease administration and afford better control over user environments, each user should have a logon script.
You should consider the additional benefits in security that workstation restrictions can provide. It is particularly suited to those environments with high security needs or very sensitive systems and information.
You should consider the benefits of defining logon profiles for users. This can ease administration and enhance security.
39. File Permissions and Auditing
Section Summary
This report section details the permissions and audit settings for 5 predefined and 0 user selected directories/files on your system.
Section Detail
For details see worksheet Permissions in the MS-Excel workbook.
Implications
This report section lists the owner and access permissions (DACL) for selected files and directories. It also lists the audit settings (SACL) for files and directories.
More specifically, the report section lists the contents of each Access Control Entry (ACE) in the file or directory’s Discretionary Access Control List (DACL). A DACL contains one or more ACEs that control access to the associated resource.
An ACE in a DACL can Allow or Deny access to a resource. A Deny ACE always overrides an Allow ACE.
The report section also lists the contents of each Access Control Entry (ACE) in the file or directory’s System Access Control List (SACL). A SACL contains one or more ACEs that define what actions on the object are audited (e.g. deletion of a file and changes to a folder’s permissions). The event types are Success and Failure.
Legend:
Resource Name The name of the resource being analysed.
Resource Type The type of resource being analysed. At present the only resource types analysed by SekChek are files and directories.
ACL Type The type of ACL being analysed: a DACL or a SACL.
Owner The owner of the resource.
Owner Domain The resource owner’s domain.
Owner Account Type The owner’s account type. E.g. Alias, User.
Ace Nbr The sequential number of the ACE. Windows reads ACEs in this order until it finds a Deny or Allow ACE that denies or permits access to the resource, or an Audit ACE that defines what is audited and the event type.
Account The name of the account to which this ACE applies.
Domain The account’s domain.
Account Type The type of the account. E.g. Alias, User, Group.
Ace Type Allow or Deny access to the resource in the case of an ACE in a DACL; Success or Failure events for a SACL.
Apply Onto Specifies where permissions or auditing are applied. These values are shown as they appear in the Windows’ property box. E.g.:
This folder / object only
This folder, subfolders & files
This folder & subfolders
This folder & files
Subfolders & files only
Subfolders only
Files only
Inherited Indicates whether the permissions or audit settings are inherited from a higher level.
Special Permissions (ACE in a DACL):
Traverse Folder / Execute File For folders: Traverse Folder allows or denies moving through folders to reach other files or folders, even if the user has no permissions for the traversed folders (applies to folders only). Traverse folder takes effect only when the group or user is not granted the Bypass traverse checking user right in the Group Policy snap-in. (By default, the Everyone group is given the Bypass traverse checking user right.)
For files: Execute File allows or denies running program files (applies to files only).
Setting the Traverse Folder permission on a folder does not automatically set the Execute File permission on all files within that folder.
List Folder / Read Data List Folder allows or denies viewing file names and subfolder names within the folder. List Folder only affects the contents of that folder and does not affect whether the folder you are setting the permission on will be listed. Applies to folders only.
Read Data allows or denies viewing data in files (applies to files only).
Read Attributes Allows or denies viewing the attributes of a file or folder, such as read-only and hidden. Attributes are defined by NTFS.
Read Extended Attributes Allows or denies viewing the extended attributes of a file or folder. Extended attributes are defined by programs and may vary by program.
Create Files / Write Data Create Files allows or denies creating files within the folder (applies to folders only).
Write Data allows or denies making changes to the file and overwriting existing content (applies to files only).
Create Folders / Append Data Create Folders allows or denies creating folders within the folder (applies to folders only).
Append Data allows or denies making changes to the end of the file but not changing, deleting, or overwriting existing data (applies to files only).
Write Attributes Allows or denies changing the attributes of a file or folder, such as read-only or hidden. Attributes are defined by NTFS.
The Write Attributes permission does not imply creating or deleting files or folders, it only includes the permission to make changes to the attributes of a file or folder. In order to allow (or deny) create or delete operations, see Create Files/Write Data, Create Folders/Append Data, Delete Subfolders and Files, and Delete.
Write Extended Attributes Allows or denies changing the extended attributes of a file or folder. Extended attributes are defined by programs and may vary by program.
The Write Extended Attributes permission does not imply creating or deleting files or folders, it only includes the permission to make changes to the attributes of a file or folder. In order to allow (or deny) create or delete operations, see Create Files/Write Data, Create Folders/Append Data, Delete Subfolders and Files, and Delete.
Delete Subfolders And Files Allows or denies deleting subfolders and files, even if the Delete permission has not been granted on the subfolder or file. (applies to folders)
Delete Allows or denies deleting the file or folder. If you don't have Delete permission on a file or folder, you can still delete it if you have been granted Delete Subfolders and Files on the parent folder.
Read Permissions Allows or denies reading permissions of the file or folder, such as Full Control, Read, and Write.
Change Permissions Allows or denies changing permissions of the file or folder, such as Full Control, Read, and Write.
Take Ownership Allows or denies taking ownership of the file or folder. The owner of a file or folder can always change permissions on it, regardless of any existing permissions that protect the file or folder.
File Synchronise Allows or denies different threads to wait on the handle for the file or folder and synchronize with another thread that may signal it. This permission applies only to multithreaded, multiprocess programs.
Windows’ special permissions are logically grouped to form generic permissions: Full Control, Modify, Read & Execute, List Folder Contents, Read, and Write.
The following table illustrates how special permissions are grouped together into these higher-level generic permissions.
Special Permission | Full Control | Modify | Read & Execute | List Folder Contents (folders only) | Read | Write
Traverse Folder/Execute File | x | x | x | x | |
List Folder/Read Data | x | x | x | x | x |
Read Attributes | x | x | x | x | x |
Read Extended Attributes | x | x | x | x | x |
Create Files/Write Data | x | x | | | | x
Create Folders/Append Data | x | x | | | | x
Write Attributes | x | x | | | | x
Write Extended Attributes | x | x | | | | x
Delete Subfolders and Files | x | | | | |
Delete | x | x | | | |
Read Permissions | x | x | x | x | x | x
Change Permissions | x | | | | |
Take Ownership | x | | | | |
Synchronize | x | x | x | x | x | x
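The following is an added illustration, not SekChek's code, of two points made above: how Windows walks a DACL in ACE order with a Deny overriding an Allow, and how the generic permissions in the table expand to the special permissions they group. The DACL, group names and token are constructed for the example; inherited-ACE ordering is deliberately left out of the simplified model.

```python
# Added illustration (not SekChek's code): a simplified model of a Windows
# DACL access check and of the generic-to-special permission grouping.
from dataclasses import dataclass

SPECIAL = ["Traverse Folder/Execute File", "List Folder/Read Data",
           "Read Attributes", "Read Extended Attributes",
           "Create Files/Write Data", "Create Folders/Append Data",
           "Write Attributes", "Write Extended Attributes",
           "Delete Subfolders and Files", "Delete", "Read Permissions",
           "Change Permissions", "Take Ownership", "Synchronize"]
READ_SET = {SPECIAL[1], SPECIAL[2], SPECIAL[3], SPECIAL[10], SPECIAL[13]}
WRITE_SET = {SPECIAL[4], SPECIAL[5], SPECIAL[6], SPECIAL[7], SPECIAL[10], SPECIAL[13]}
# Generic permissions expanded to the special permissions they group (per the table).
GENERIC = {
    "Full Control": set(SPECIAL),
    "Modify": READ_SET | WRITE_SET | {SPECIAL[0], SPECIAL[9]},
    "Read & Execute": READ_SET | {SPECIAL[0]},
    "List Folder Contents": READ_SET | {SPECIAL[0]},  # folders only
    "Read": READ_SET,
    "Write": WRITE_SET,
}

@dataclass
class Ace:
    ace_type: str   # "Allow" or "Deny"
    account: str    # user or group the ACE applies to
    rights: set     # special permissions carried by the ACE

def ace(ace_type, account, generic):
    return Ace(ace_type, account, set(GENERIC[generic]))

def canonical(dacl):
    # Windows tools store explicit Deny ACEs ahead of Allow ACEs, which is why a
    # Deny is reached before an Allow can satisfy the request (simplified model).
    return sorted(dacl, key=lambda a: a.ace_type != "Deny")

def access_check(dacl, groups, requested):
    # Read ACEs in order: a matching Deny on any outstanding right denies outright;
    # matching Allows accumulate until no requested right is outstanding.
    remaining = set(requested)
    for a in dacl:
        if a.account not in groups:
            continue                       # ACE does not apply to this token
        if a.ace_type == "Deny" and a.rights & remaining:
            return False
        if a.ace_type == "Allow":
            remaining -= a.rights
            if not remaining:
                return True
    return not remaining                   # empty DACL grants nothing

# Constructed sample DACL for a shared folder (group names are made up).
SAMPLE_DACL = canonical([ace("Allow", "Everyone", "Read & Execute"),
                         ace("Allow", "Staff", "Modify"),
                         ace("Deny", "Contractors", "Write")])

def demo():
    contractor = {"Everyone", "Staff", "Contractors"}   # in Staff, but also denied as a Contractor
    return {"contractor_write": access_check(SAMPLE_DACL, contractor, {"Create Files/Write Data"}),
            "contractor_delete": access_check(SAMPLE_DACL, contractor, {"Delete"}),
            "everyone_read": access_check(SAMPLE_DACL, {"Everyone"}, {"List Folder/Read Data"}),
            "everyone_write": access_check(SAMPLE_DACL, {"Everyone"}, {"Write Attributes"})}
```

Note that the Deny on Write blocks the contractor's write even though Staff membership would allow it, while Delete (not part of Write) is still granted through Modify.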
Risk Rating
High (if access permissions are inappropriate and allow unintended access to sensitive resources).
Recommended Action
You should:
Periodically check access permissions for sensitive files and directories to ensure they remain appropriate and reflect the requirements of a person’s job function.
Ensure that all changes to access permissions are properly authorised by management.
Consider logging audit events for sensitive files and directories. Note that large numbers of audit log entries may be generated for frequently accessed files and directories.