
Security Assessment

Security Policy Assessment

Prepared for: XYZ Company
Prepared by: Novosad Hayes Associates
http://www.novosadhayes.com

01/01/2015

CONFIDENTIALITY NOTE: The information contained in this report document is for the exclusive use of the client specified above and may contain confidential, privileged and non-disclosable information. If the recipient of this report is not the client or addressee, such recipient is strictly prohibited from reading, photocopying, distributing or otherwise using this report or its contents in any way.

Scan Date: 01/01/2015

Table of Contents

1 - Summary
2 - Domain Policies: XYZ.HOU
  2.1 - Default Domain Policy: XYZ.HOU
    2.1.1 - Account Policies/Password Policy
    2.1.2 - Account Policies/Account Lockout Policy
    2.1.3 - Account Policies/Kerberos Policy
    2.1.4 - Local Policies/User Rights Assignment
    2.1.5 - Local Policies/Security Options
    2.1.6 - Public Key Policies/Encrypting File System
  2.2 - Default Domain Controllers Policy: XYZ.HOU
    2.2.1 - Local Policies/Audit Policy
    2.2.2 - Local Policies/User Rights Assignment
    2.2.3 - Local Policies/Security Options
3 - Local Security
  3.1 - Account Policies
    3.1.1 - Password Policy
    3.1.2 - Account Lockout Policy
  3.2 - Local Policies
    3.2.1 - Audit Policy
    3.2.2 - User Rights Assignment
    3.2.3 - Security Options

PROPRIETARY & CONFIDENTIAL PAGE 2 of 18

1 - Summary

Sampled Systems

IP Addresses | Computer Name | Operating System
111.111.1.11 | XYZDC00 | Windows 2012 Standard
111.111.1.11 | XYZDC00 | Standard
111.111.1.11 | XYZDC01 | Windows Server 2012 Standard
111.111.1.11 | XYZACC-PC | Professional

2 - Domain Policies: CTC.HOU


2.1 - Default Domain Policy: XYZ.HOU

2.1.1 - Account Policies/Password Policy

Policy | Setting
Enforce password history | 24 passwords remembered
Maximum password age | 0 days
Minimum password age | 1 days
Minimum password length | 7 characters
Password must meet complexity requirements | Enabled
Store passwords using reversible encryption | Disabled

2.1.2 - Account Policies/Account Lockout Policy

Policy | Setting
Account lockout threshold | Disabled

2.1.3 - Account Policies/Kerberos Policy

Policy | Setting
Enforce user logon restrictions | Enabled
Maximum lifetime for service ticket | 600 minutes
Maximum lifetime for user ticket | 10 hours
Maximum lifetime for user ticket renewal | 7 days
Maximum tolerance for computer clock synchronization | 5 minutes

2.1.4 - Local Policies/User Rights Assignment


Policy | Setting
Manage auditing and security log | XYZ\Exchange Enterprise Servers, BUILTIN\Administrators

2.1.5 - Local Policies/Security Options

Network Security

Policy | Setting
Network security: Force logoff when logon hours expire | Disabled

2.1.6 - Public Key Policies/Encrypting File System

Certificates

Issued To | Issued By | Expiration Date | Intended Purposes
Administrator | Administrator | 6/5/2011 2:40:58 PM | File Recovery


2.2 - Default Domain Controllers Policy: XYZ.HOU

2.2.1 - Local Policies/Audit Policy

Policy | Setting
Audit account logon events | Success
Audit account management | No auditing
Audit directory service access | No auditing
Audit logon events | Success
Audit object access | No auditing
Audit policy change | No auditing
Audit privilege use | No auditing
Audit process tracking | No auditing
Audit system events | No auditing

2.2.2 - Local Policies/User Rights Assignment

Policy | Setting
Access this computer from the network | BUILTIN\Pre-Windows 2000 Compatible Access, NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS, Everyone, NT AUTHORITY\Authenticated Users, BUILTIN\Administrators
Act as part of the operating system | (no principals)
Add workstations to domain | NT AUTHORITY\Authenticated Users
Adjust memory quotas for a process | IIS APPPOOL\DefaultAppPool, NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Allow log on locally | BUILTIN\Print Operators, BUILTIN\Server Operators, BUILTIN\Backup Operators, BUILTIN\Administrators, BUILTIN\Account Operators
Back up files and directories | BUILTIN\Server Operators, BUILTIN\Backup Operators, BUILTIN\Administrators
Bypass traverse checking | BUILTIN\Pre-Windows 2000 Compatible Access, Everyone, NT AUTHORITY\Authenticated Users, BUILTIN\Administrators
Change the system time | BUILTIN\Server Operators, BUILTIN\Administrators
Create a pagefile | BUILTIN\Administrators
Create a token object | (no principals)
Create global objects | BUILTIN\Administrators, NT AUTHORITY\SERVICE
Create permanent shared objects | (no principals)
Debug programs | BUILTIN\Administrators
Deny access to this computer from the network | (no principals)
Deny log on as a batch job | (no principals)
Deny log on as a service | (no principals)
Deny log on locally | (no principals)
Enable computer and user accounts to be trusted for delegation | BUILTIN\Administrators
Force shutdown from a remote system | BUILTIN\Server Operators, BUILTIN\Administrators
Generate security audits | IIS APPPOOL\DefaultAppPool, NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE
Impersonate a client after authentication | BUILTIN\Administrators, NT AUTHORITY\SERVICE
Increase scheduling priority | BUILTIN\Administrators
Load and unload device drivers | BUILTIN\Administrators
Lock pages in memory | (no principals)
Log on as a batch job | CTC\Administrator
Log on as a service | IIS APPPOOL\DefaultAppPool, NT AUTHORITY\NETWORK SERVICE
Manage auditing and security log | BUILTIN\Administrators, CTC\Exchange Enterprise Servers
Modify firmware environment values | BUILTIN\Administrators
Profile single process | BUILTIN\Administrators
Profile system performance | BUILTIN\Administrators
Remove computer from docking station | BUILTIN\Administrators
Replace a process level token | IIS APPPOOL\DefaultAppPool, NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE
Restore files and directories | BUILTIN\Server Operators, BUILTIN\Backup Operators, BUILTIN\Administrators
Shut down the system | BUILTIN\Print Operators, BUILTIN\Server Operators, BUILTIN\Backup Operators, BUILTIN\Administrators, BUILTIN\Account Operators
Synchronize directory service data | (no principals)
Take ownership of files or other objects | BUILTIN\Administrators

2.2.3 - Local Policies/Security Options


Domain Controller

Policy | Setting
Domain controller: LDAP server signing requirements | None

Domain Member

Policy | Setting
Domain member: Digitally encrypt or sign secure channel data (always) | Enabled

Microsoft Network Server

Policy | Setting
Microsoft network server: Digitally sign communications (always) | Enabled
Microsoft network server: Digitally sign communications (if client agrees) | Enabled

Network Security

Policy | Setting
Network security: LAN Manager authentication level | Send NTLM response only


3 - Local Security Settings

3.1 - Account Policies

3.1.1 - Password Policy

Policy | Setting | Computers
Enforce password history | 24 passwords remembered | All Sampled
Maximum password age | 0 | All Sampled
Minimum password age | 1 days | All Sampled
Minimum password length | 7 characters | All Sampled
Password must meet complexity requirements | Enabled | All Sampled
Store passwords using reversible encryption | Disabled | All Sampled

3.1.2 - Account Lockout Policy

Policy | Setting | Computers
Account lockout duration | Not Applicable | All Sampled
Account lockout threshold | Disabled | All Sampled
Reset account lockout counter after | Not Applicable | All Sampled


3.2 - Local Policies

3.2.1 - Audit Policy

Policy | Setting | Computers
Audit account logon events | Success | XYZDC00, XYZDC00, XYZDC01
    | No auditing | XYZACC-PC
Audit account management | No auditing | All Sampled
Audit directory service access | No auditing | All Sampled
Audit logon events | Success | XYZDC00, CTCDC00, CTCDC01
    | No auditing | XYZACC-PC
Audit object access | No auditing | All Sampled
Audit policy change | No auditing | All Sampled
Audit privilege use | No auditing | All Sampled
Audit process tracking | No auditing | All Sampled
Audit system events | No auditing | All Sampled

3.2.2 - User Rights Assignment

Policy | Setting | Computers
Access this computer from the network | Everyone,Authenticated Users,Administrators,Pre-Windows 2000 Compatible Access,ENTERPRISE DOMAIN CONTROLLERS | XYZDC00, XYZDC00, XYZDC01
    | Everyone,Administrators,Users,Backup Operators | XYZACC-PC
Add workstations to domain | Authenticated Users | XYZDC00, XYZDC00, XYZDC01
Adjust memory quotas for a process | LOCAL SERVICE,NETWORK SERVICE,Administrators,* | XYZDC00, XYZDC00
    | LOCAL SERVICE,NETWORK SERVICE,Administrators,IIS APPPOOL\DefaultAppPool | XYZDC01
    | LOCAL SERVICE,NETWORK SERVICE,Administrators | XYZACC-PC
Allow log on locally | Administrators,Account Operators,Server Operators,Print Operators,Backup Operators | XYZDC00, XYZDC00, XYZDC01
    | Guest,Administrators,Users,Backup Operators | XYZACC-PC
Allow log on through | Administrators | XYZDC00, XYZDC00, XYZDC01
    | Administrators,Remote Desktop Users | XYZACC-PC
Back up files and directories | Administrators,Server Operators,Backup Operators | XYZDC00, XYZDC00, XYZDC01
    | Administrators,Backup Operators | XYZACC-PC
Bypass traverse checking | Everyone,Authenticated Users,LOCAL SERVICE,NETWORK SERVICE,Administrators,Pre-Windows 2000 Compatible Access | XYZDC00, XYZDC00, XYZDC01
    | Everyone,LOCAL SERVICE,NETWORK SERVICE,Administrators,Users,Backup Operators | XYZACC-PC
Change the system time | LOCAL SERVICE,Administrators,Server Operators | XYZDC00, XYZDC00, XYZDC01
    | LOCAL SERVICE,Administrators | XYZACC-PC
Change the time zone | LOCAL SERVICE,Administrators,Server Operators | XYZDC00, XYZDC00, XYZDC01
    | LOCAL SERVICE,Administrators,Users | XYZACC-PC
Create a pagefile | Administrators | All Sampled
Create global objects | LOCAL SERVICE,NETWORK SERVICE,Administrators,SERVICE | All Sampled
Create symbolic links | Administrators | All Sampled
Debug programs | Administrators | All Sampled
Enable computer and user accounts to be trusted for delegation | Administrators | XYZDC00, XYZDC00, XYZDC01
Force shutdown from a remote system | Administrators,Server Operators | XYZDC00, XYZDC00, XYZDC01
    | Administrators | XYZACC-PC
Generate security audits | LOCAL SERVICE,NETWORK SERVICE,* | XYZDC00, XYZDC00
    | LOCAL SERVICE,NETWORK SERVICE,IIS APPPOOL\DefaultAppPool | XYZDC01
    | LOCAL SERVICE,NETWORK SERVICE | XYZACC-PC
Impersonate a client after authentication | LOCAL SERVICE,NETWORK SERVICE,Administrators,SERVICE | All Sampled
Increase a process working set | Users,Window Manager\Window Manager Group | XYZDC00, XYZDC00, XYZDC01
    | Users | XYZACC-PC
Increase scheduling priority | Administrators | All Sampled
Load and unload device drivers | Administrators | All Sampled
Log on as a batch job | Administrator | XYZDC00, XYZDC00, XYZDC01
    | Administrators,Backup Operators,Performance Log Users | XYZACC-PC
Log on as a service | NETWORK SERVICE | XYZDC00, XYZDC00
    | NETWORK SERVICE,IIS APPPOOL\DefaultAppPool | XYZDC01
    | NT SERVICE\ALL SERVICES | XYZACC-PC
Manage auditing and security log | Exchange Enterprise Servers,Administrators | CTCDC00, CTCDC00, CTCDC01
    | CTC\Exchange Enterprise Servers,Administrators | CTCACC-PC
Modify firmware environment values | Administrators | All Sampled
Perform volume maintenance tasks | Administrators | All Sampled
Profile single process | Administrators | All Sampled
Profile system performance | Administrators | XYZDC00, XYZDC00, XYZDC01
    | Administrators,NT SERVICE\WdiServiceHost | XYZACC-PC
Remove computer from docking station | Administrators | XYZDC00, XYZDC00, XYZDC01
    | Administrators,Users | XYZACC-PC
Replace a process level token | LOCAL SERVICE,NETWORK SERVICE | XYZDC00, XYZDC00
    | LOCAL SERVICE,NETWORK SERVICE,IIS APPPOOL\DefaultAppPool | XYZDC01
    | LOCAL SERVICE,NETWORK SERVICE | XYZACC-PC
Restore files and directories | Administrators,Server Operators,Backup Operators | XYZDC00, XYZDC00, XYZDC01
    | Administrators,Backup Operators | XYZACC-PC
Shut down the system | Administrators,Account Operators,Server Operators,Print Operators,Backup Operators | XYZDC00, XYZDC00, XYZDC01
    | Administrators,Users,Backup Operators | XYZACC-PC
Take ownership of files or other objects | Administrators | All Sampled
Deny access to this computer from the network | Guest | XYZACC-PC
Deny log on locally | Guest | XYZACC-PC

3.2.3 - Security Options

Policy | Setting | Computers
Accounts: Administrator account status | Enabled | XYZDC00, XYZDC00, XYZDC01
    | Disabled | XYZACC-PC
Accounts: Block Microsoft accounts | Not Defined | XYZDC00, XYZDC00, XYZDC01
Accounts: Guest account status | Disabled | All Sampled
Accounts: Limit local account use of blank passwords to console logon only | Enabled | All Sampled
Accounts: Rename administrator account | Administrator | All Sampled
Accounts: Rename guest account | Guest | All Sampled
Audit: Audit the access of global system objects | Disabled | All Sampled
Audit: Audit the use of privilege | Disabled | All Sampled
Audit: Force audit policy subcategory settings ( or later) to override audit policy category settings | Not Defined | All Sampled
Audit: Shut down system immediately if unable to log security audits | Disabled | All Sampled
DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax | Not Defined | All Sampled
DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax | Not Defined | All Sampled
Devices: Allow undock without having to log on | Enabled | All Sampled
Devices: Allowed to and eject removable media | Not Defined | All Sampled
Devices: Prevent users from installing printer drivers | Enabled | XYZDC00, XYZDC00, XYZDC01
    | Disabled | XYZACC-PC
Devices: Restrict -ROM access to locally logged-on user only | Not Defined | All Sampled
Devices: Restrict floppy access to locally logged-on user only | Not Defined | All Sampled
Domain controller: Allow server operators to schedule tasks | Not Defined | All Sampled
Domain controller: LDAP server signing requirements | None | XYZDC00, XYZDC00, XYZDC01
    | Not Defined | XYZACC-PC
Domain controller: Refuse machine account password changes | Not Defined | All Sampled
Domain member: Digitally encrypt or sign secure channel data (always) | Enabled | All Sampled
Domain member: Digitally encrypt secure channel data (when possible) | Enabled | All Sampled
Domain member: Digitally sign secure channel data (when possible) | Enabled | All Sampled
Domain member: Disable machine account password changes | Disabled | All Sampled


Domain member: Maximum machine account password age | 30 days | All Sampled
Domain member: Require strong (Windows 2000 or later) session key | Enabled | All Sampled
Interactive logon: Display user information when the session is locked | Not Defined | All Sampled
Interactive logon: Do not display last user name | Disabled | All Sampled
Interactive logon: Do not require CTRL+ALT+ | Disabled | XYZDC00, XYZDC00, XYZDC01
    | Not Defined | XYZACC-PC
Interactive logon: Machine account lockout threshold | Not Defined | XYZDC00, XYZDC00, XYZDC01
Interactive logon: Machine inactivity limit | Not Defined | XYZDC00, XYZDC00, XYZDC01
Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 10 logons | All Sampled
Interactive logon: Prompt user to change password before expiration | 5 days | All Sampled
Interactive logon: Require Domain Controller authentication to unlock workstation | Disabled | All Sampled
Interactive logon: Require | Disabled | All Sampled
Interactive logon: Smart card removal behavior | No Action | All Sampled
Microsoft network client: Digitally sign communications (always) | Disabled | All Sampled
Microsoft network client: Digitally sign communications (if server agrees) | Enabled | All Sampled
Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled | All Sampled
Microsoft network server: Amount of idle time required before suspending session | 15 minutes | All Sampled
Microsoft network server: Attempt S4U2Self to obtain claim information | Not Defined | XYZDC00, XYZDC00, XYZDC01
Microsoft network server: Digitally sign communications (always) | Enabled | XYZDC00, XYZDC00, XYZDC01
    | Disabled | XYZACC-PC
Microsoft network server: Digitally sign communications (if client agrees) | Enabled | XYZDC00, XYZDC00, XYZDC01
    | Disabled | XYZACC-PC
Microsoft network server: Disconnect clients when logon hours expire | Enabled | All Sampled
Microsoft network server: Server SPN target name validation level | Not Defined | All Sampled
Network access: Allow anonymous SID/Name translation | Disabled | All Sampled
Network access: Do not allow anonymous enumeration of SAM accounts | Enabled | All Sampled
Network access: Do not allow anonymous enumeration of SAM accounts and shares | Disabled | All Sampled
Network access: Do not allow storage of passwords and credentials for network authentication | Disabled | All Sampled
Network access: Let Everyone permissions apply to anonymous users | Disabled | All Sampled
Network access: Named Pipes that can be accessed anonymously | ,netlogon,samr,lsarpc | XYZDC00, XYZDC00, XYZDC01
Network access: Remotely accessible registry paths | System\CurrentControlSet\Control\ProductOptions,System\CurrentControlSet\Control\Server Applications,Software\Microsoft\Windows NT\CurrentVersion | All Sampled
Network access: Remotely accessible registry paths and sub-paths | System\CurrentControlSet\Control\Print\Printers,System\CurrentControlSet\Services\Eventlog,Software\Microsoft\OLAP Server,Software\Microsoft\Windows NT\CurrentVersion\Print,Software\Microsoft\Windows NT\CurrentVersion\Windows,System\CurrentControlSet\Control\ContentIndex,System\CurrentControlSet\Control\Terminal Server,System\CurrentControlSet\Control\Terminal Server\UserConfig,System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration,Software\Microsoft\Windows NT\CurrentVersion\Perflib,System\CurrentControlSet\Services\SysmonLog | All Sampled
Network access: Restrict anonymous access to Named Pipes and Shares | Enabled | All Sampled


Network access: Shares that can be accessed anonymously | Not Defined | All Sampled
Network access: Sharing and security model for local accounts | Classic - local users authenticate as themselves | All Sampled
Network security: Allow Local System to use computer identity for NTLM | Not Defined | All Sampled
Network security: Allow LocalSystem NULL session fallback | Not Defined | All Sampled
Network security: Configure encryption types allowed for Kerberos | Not Defined | All Sampled
Network security: Do not store LAN Manager hash value on next password change | Enabled | All Sampled
Network security: Force logoff when logon hours expire | Disabled | All Sampled
Network security: LAN Manager authentication level | Send NTLM response only | XYZDC00, XYZDC00, XYZDC01
    | Not Defined | XYZACC-PC
Network security: LDAP client signing requirements | Negotiate signing | All Sampled
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | Require 128-bit encryption | All Sampled
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | Require 128-bit encryption | All Sampled
Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication | Not Defined | All Sampled
Network security: Restrict NTLM: Add server exceptions in this domain | Not Defined | All Sampled
Network security: Restrict NTLM: Audit Incoming NTLM Traffic | Not Defined | All Sampled
Network security: Restrict NTLM: Audit NTLM authentication in this domain | Not Defined | All Sampled
Network security: Restrict NTLM: Incoming NTLM traffic | Not Defined | All Sampled
Network security: Restrict NTLM: NTLM authentication in this domain | Not Defined | All Sampled


Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers | Not Defined | All Sampled
Recovery console: Allow automatic administrative logon | Disabled | All Sampled
Recovery console: Allow floppy and access to all drives and all folders | Disabled | All Sampled
Shutdown: Allow system to be shut down without having to log on | Disabled | XYZDC00, XYZDC00, XYZDC01
    | Enabled | XYZACC-PC
Shutdown: Clear virtual memory pagefile | Disabled | All Sampled
System cryptography: Force strong key protection for user keys stored on the computer | Not Defined | All Sampled
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing | Disabled | All Sampled
System objects: Require case insensitivity for non-Windows subsystems | Enabled | All Sampled
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) | Enabled | All Sampled
System settings: Optional subsystems | Posix | All Sampled
System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies | Disabled | All Sampled
User Account Control: Admin Approval Mode for the Built-in Administrator account | Disabled | All Sampled
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop | Disabled | All Sampled
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for consent for non-Windows binaries | All Sampled
User Account Control: Behavior of the elevation prompt for standard users | Prompt for credentials | All Sampled
User Account Control: Detect application installations and prompt for elevation | Enabled | All Sampled
User Account Control: Only elevate executables that are signed and validated | Disabled | All Sampled
User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled | All Sampled
User Account Control: Run all administrators in Admin Approval Mode | Enabled | All Sampled
User Account Control: Switch to the secure desktop when prompting for elevation | Enabled | All Sampled
User Account Control: Virtualize file and registry write failures to per-user locations | Enabled | All Sampled
Network Security: Allow PKU2U authentication requests to this computer to use online identities | Not Defined | XYZACC-PC
