Note. Where the Account Name is blank this means that the Privilege is assigned to nobody.
Account Name: (blank; these privileges are assigned to nobody)
    Act as part of the operating system
    Create a token object
    Create permanent shared objects
    Deny log on as a batch job
    Deny log on as a service
    Deny log on through Terminal Services
    Generate security audits
    Lock pages in memory
    Replace a process-level token
    Synchronize directory service data

Account Name: Administrator
    Right                                                Via Groups
    Access this computer from the network                Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
    Access this computer from the network (Effective)    Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
    Adjust memory quotas for a process                   Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
    Allow log on locally                                 Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
    Allow log on through Terminal Services               Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
    Backup files and directories                         Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
    Bypass traverse checking                             Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
    Change the system time                               Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
    Create a page file                                   Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
    Create global objects                                Administrators; Administrators*Domain Admins
    Debug programs                                       Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
    Enable accounts to be trusted for delegation         Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
    Force shutdown from a remote system                  Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
    Impersonate a Client after authentication            Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
    Increase scheduling priority                         Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
    Load and unload device drivers                       Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
    Manage auditing and security log                     Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
    Modify firmware environment values                   Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
    Perform volume maintenance tasks                     Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
    Profile single process                               Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
    Profile system performance                           Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
    Remove computer from docking station                 Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
    Restore files and directories                        Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
    Shut down the system                                 Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
    Take ownership of files or other objects             Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins

Account Name: GpLinkTest
    Right                                                Via Groups
    Access this computer from the network                Administrators
    Access this computer from the network (Effective)    Administrators
    Adjust memory quotas for a process                   Administrators
    Allow log on locally                                 Administrators
    Allow log on through Terminal Services               Administrators
    Backup files and directories                         Administrators
    Bypass traverse checking                             Administrators
    Change the system time                               Administrators
    Create a page file                                   Administrators
    Create global objects                                Administrators
    Debug programs                                       Administrators
    Enable accounts to be trusted for delegation         Administrators
    Force shutdown from a remote system                  Administrators
    Impersonate a Client after authentication            Administrators
    Increase scheduling priority                         Administrators
    Load and unload device drivers                       Administrators
    Manage auditing and security log                     Administrators
    Modify firmware environment values                   Administrators
    Perform volume maintenance tasks                     Administrators
    Profile single process                               Administrators
    Profile system performance                           Administrators
    Remove computer from docking station                 Administrators
    Restore files and directories                        Administrators
    Shut down the system                                 Administrators
    Take ownership of files or other objects             Administrators

Account Name: SophosSAUPUFFADDER0
    Right                                                Via Groups
    Deny log on locally
    Log on as a service
    Log on as a service (Effective)

Account Name: SUPPORT_388945a0
    Right                                                Via Groups
    Deny access to this computer from the network
    Deny log on locally
    Log on as a batch job
    Log on as a batch job (Effective)
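The table above is SekChek's output. As an added example, not part of the report and not SekChek's code, the script below reproduces the raw data behind it on a single machine: it exports the local User Rights Assignment with secedit, resolves the SIDs to account names, lists the rights that are assigned to nobody (the blank Account Name above), and flags the privileges that amount to SYSTEM-level control when held by anything other than the built-in Administrators group. The constant-to-name map is the standard Windows mapping (a subset is shown); which privileges count as "high impact" is this example's choice, not SekChek's rating. It shows direct assignments only and does not expand group membership, so it corresponds to the Via Groups column rather than to effective rights per user. Run it elevated, in PowerShell 3.0 or later, on the machine being reviewed.

```powershell
# Added example (not SekChek's code). Requires an elevated prompt: secedit /export
# reads the local security policy database.

# Standard secedit privilege constants to the display names used in the report (subset).
$friendly = @{
    'SeTcbPrivilege'                = 'Act as part of the operating system'
    'SeCreateTokenPrivilege'        = 'Create a token object'
    'SeAssignPrimaryTokenPrivilege' = 'Replace a process-level token'
    'SeDebugPrivilege'              = 'Debug programs'
    'SeBackupPrivilege'             = 'Backup files and directories'
    'SeRestorePrivilege'            = 'Restore files and directories'
    'SeTakeOwnershipPrivilege'      = 'Take ownership of files or other objects'
    'SeLoadDriverPrivilege'         = 'Load and unload device drivers'
    'SeImpersonatePrivilege'        = 'Impersonate a Client after authentication'
    'SeEnableDelegationPrivilege'   = 'Enable accounts to be trusted for delegation'
    'SeManageVolumePrivilege'       = 'Perform volume maintenance tasks'
    'SeSecurityPrivilege'           = 'Manage auditing and security log'
    'SeSyncAgentPrivilege'          = 'Synchronize directory service data'
    'SeCreatePermanentPrivilege'    = 'Create permanent shared objects'
    'SeLockMemoryPrivilege'         = 'Lock pages in memory'
    'SeAuditPrivilege'              = 'Generate security audits'
    'SeNetworkLogonRight'           = 'Access this computer from the network'
    'SeInteractiveLogonRight'       = 'Allow log on locally'
    'SeRemoteInteractiveLogonRight' = 'Allow log on through Terminal Services'
    'SeServiceLogonRight'           = 'Log on as a service'
    'SeBatchLogonRight'             = 'Log on as a batch job'
}
# This example's choice of privileges that yield SYSTEM, arbitrary file access or
# token theft without membership of the Administrators group.
$highImpact = 'SeTcbPrivilege', 'SeCreateTokenPrivilege', 'SeAssignPrimaryTokenPrivilege',
              'SeDebugPrivilege', 'SeBackupPrivilege', 'SeRestorePrivilege',
              'SeTakeOwnershipPrivilege', 'SeLoadDriverPrivilege', 'SeImpersonatePrivilege',
              'SeEnableDelegationPrivilege', 'SeManageVolumePrivilege', 'SeSyncAgentPrivilege'

function Resolve-Sid([string]$token) {
    # secedit writes SIDs as *S-1-5-32-544; names it resolved itself appear as plain text.
    if ($token -notmatch '^\*(S-\d-[\d-]+)$') { return $token }
    $sid = New-Object System.Security.Principal.SecurityIdentifier($Matches[1])
    try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid.Value }   # orphaned or foreign SID: report it raw rather than drop it
}

function Get-UserRightsAssignment {
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null   # exports only [Privilege Rights]
    $inSection = $false
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
        $priv    = $Matches[1]
        $holders = @($Matches[2] -split ',' | Where-Object { $_.Trim() } | ForEach-Object { Resolve-Sid $_.Trim() })
        $name    = $priv
        if ($friendly.ContainsKey($priv)) { $name = $friendly[$priv] }
        [pscustomobject]@{
            Privilege  = $priv
            Right      = $name
            HighImpact = ($highImpact -contains $priv)
            AssignedTo = $holders
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
}

$rights   = @(Get-UserRightsAssignment)
$assigned = @($rights | ForEach-Object { $_.Privilege })
# A right assigned to nobody is simply absent from the export (blank Account Name in the report).
foreach ($priv in $friendly.Keys) {
    if ($assigned -notcontains $priv) { "{0,-50} assigned to nobody" -f $friendly[$priv] }
}
# High-impact privileges held by anything other than the built-in Administrators group.
foreach ($r in ($rights | Where-Object { $_.HighImpact })) {
    $extra = @($r.AssignedTo | Where-Object { $_ -ne 'BUILTIN\Administrators' })
    if ($extra.Count -gt 0) { "{0,-50} REVIEW: {1}" -f $r.Right, ($extra -join ', ') }
}
```

On a domain controller the export reflects the Default Domain Controllers Policy, so the holders will normally be groups; a named user such as the SophosSAUPUFFADDER0 service account above is exactly the kind of entry the REVIEW lines are meant to surface.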
24.6 Rights Assigned to Well-Known Objects
Notes
Well-Known Objects are special identities defined by the Windows 200x* security system, such as Everyone, Local System, Principal Self, Authenticated Users, Creator Owner, and so on.
The following report lists rights assigned to Well-Known Objects, including rights assigned directly (the Via Groups column is empty) and rights acquired indirectly via membership of groups or nested groups (the Via Groups column names the group chain).
In cases of rights acquired indirectly, the Via Groups column is written in the format Group1*Group2*Group3…, starting from the higher-level group from which the object acquires the right. E.g.
Well-Known Object has Right via membership of Group1*Group2*Group3
Consult reports Rights Assigned to Local Groups, Rights Assigned to Universal Groups (Native mode only) and Rights Assigned to Global Groups for a complete list of rights assigned to all Groups.
For a complete list of groups see report section Groups Defined in the Domain .
Account Name                   Right                                        Via Groups
Authenticated Users            Access this computer from the network
                               Access this computer from the network        Pre-Windows 2000 Compatible Access
                               Add workstations to domain
                               Bypass traverse checking
                               Bypass traverse checking                     Pre-Windows 2000 Compatible Access
Enterprise Domain Controllers  Access this computer from the network
Everyone                       Access this computer from the network
                               Bypass traverse checking
Service                        Create global objects
                               Impersonate a Client after authentication
SYSTEM                         Log on as a service
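Two of the entries above deserve a follow-up check that the report does not perform. Authenticated Users acquires rights through Pre-Windows 2000 Compatible Access, so the membership of that group decides how far those rights reach: if ANONYMOUS LOGON is a member (or Everyone, on systems where "Let Everyone permissions apply to anonymous users" is enabled), unauthenticated clients can enumerate users and groups. Authenticated Users also holds "Add workstations to domain", which is bounded by the domain's ms-DS-MachineAccountQuota attribute. The script below is an added example, not part of the SekChek report; it assumes the ActiveDirectory module (PowerShell 3.0 or later) and a reachable domain controller, and the well-known SID table is the standard Windows one.

```powershell
# Added example (not SekChek's code).
Import-Module ActiveDirectory

# Well-known SIDs appear in built-in groups as foreignSecurityPrincipal objects.
$wellKnown = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-7' = 'ANONYMOUS LOGON'; 'S-1-5-11' = 'Authenticated Users' }
# ANONYMOUS LOGON grants anonymous reach directly; Everyone does so only where the
# "Let Everyone permissions apply to anonymous users" policy is enabled.
$anonymous = 'S-1-1-0', 'S-1-5-7'

function Get-PreWin2kCompatMembers {
    # Read the member attribute directly: Get-ADGroupMember may fail to resolve
    # foreign security principals, and the raw DNs already carry the SID.
    $group = Get-ADGroup -Identity 'Pre-Windows 2000 Compatible Access' -Properties member
    foreach ($dn in @($group.member)) {
        $sid = $null
        if ($dn -match '^CN=(S-1-[\d-]+),CN=ForeignSecurityPrincipals,') { $sid = $Matches[1] }
        if ($sid -and $wellKnown.ContainsKey($sid)) { $name = $wellKnown[$sid] }
        elseif ($sid)                               { $name = $sid }
        else                                        { $name = (Get-ADObject -Identity $dn).Name }
        [pscustomobject]@{
            Member          = $name
            Sid             = $sid
            AnonymousAccess = [bool]($sid -and ($anonymous -contains $sid))
        }
    }
}

function Get-MachineAccountQuota {
    $domainDN = (Get-ADDomain).DistinguishedName
    (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}

Get-PreWin2kCompatMembers | Format-Table Member, Sid, AnonymousAccess -AutoSize
$quota = Get-MachineAccountQuota
"ms-DS-MachineAccountQuota = $quota  (Windows default is 10; 0 confines machine joins to delegated admins)"

# Remediation, left commented out so the inventory run stays read-only:
# Remove-ADGroupMember -Identity 'Pre-Windows 2000 Compatible Access' -Members 'S-1-5-7' -Confirm:$false
# Set-ADObject -Identity (Get-ADDomain).DistinguishedName -Replace @{'ms-DS-MachineAccountQuota' = 0}
```

With only Authenticated Users in the group, as this domain's table suggests, the AnonymousAccess column is false for every row; the quota line is the one to act on if ordinary users have no business joining machines, since every machine account they create is a credential they control.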
24.7 Rights Assigned to External Objects
Notes
The external objects are users, groups or computers that belong to other domains.
When “Unknown” is reflected, it means that the server/domain where the object is registered could not be reached to obtain the information.
When a server/domain cannot be reached for information, the server/domain is either not available through the network or no longer exists.
The following report lists rights assigned to external objects, including rights assigned directly (the Via Groups column is empty) and rights acquired indirectly via membership of groups or nested groups (the Via Groups column names the group chain).
In cases of rights acquired indirectly, the Via Groups column is written in the format Group1*Group2*Group3…, starting from the higher-level group from which the object acquires the right. E.g.
External Object has Right via membership of Group1*Group2*Group3
Consult reports Rights Assigned to Local Groups, Rights Assigned to Universal Groups (Native mode only) and Rights Assigned to Global Groups for a complete list of rights assigned to all Groups.
For a complete list of groups see report section Groups Defined in the Domain .
** No data found **
25. Discretionary Access Controls (DACL) for Containers
Section Summary
This report section analyses 4,572 DACLs defined on the following classes of container objects:
Containers: 4,366 DACLs
Domains: 51 DACLs
Organizational Units: 129 DACLs
Sites: 26 DACLs
Notes
A discretionary access control list (DACL) is an ordered list of access control entries (ACEs) that define the permissions that apply to an object and its properties. Each ACE identifies an account (user, group, well-known object) and specifies a set of permissions allowed or denied for that account.
Key:
Permission   The permission(s) the trustee has over the object.
Type         Allow = permission allowed to the trustee; Deny = permission denied to the trustee.
Trustee      The account to which the permission is assigned for the specified object.
             (G) = Group; (U) = User; (W) = Well-Known Object; (C) = Computer;
             (?) = The account is from an external domain and its account type cannot be resolved.
Object       The object on which the account has the permission.
             (D) = Domain; (OU) = Organizational Unit; (C) = Container; (S) = Site
Permission Applies To   Specifies where the permissions are applied:
             This object only
             This object and all child objects
             Child objects only
             P  - The permission applies to objects within the specified container only.
                  If omitted, the permission propagates to all child objects of the container within the tree.
             I  - The permission is inherited from the parent object.
                  If omitted, the permission is defined directly on the specified object.
             PI - Both options.
Section Detail
For details see worksheet DACLs in the MS-Excel workbook.
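The worksheet is the complete listing; the review question is which of the 4,572 ACEs grant control over a container rather than ordinary read or property access. The script below is an added example, not part of the SekChek report or its workbook: it walks every domain, OU and container object, keeps only the Allow ACEs that confer control (GenericAll, WriteDacl, WriteOwner, GenericWrite, or the two replication extended rights on the domain head that together permit DCSync), renders the "Applies To" and I markers from the key above, and hides trustees expected to hold such rights by default. The right names and the two replication GUIDs are standard Windows values; the choice of which rights and trustees count as a finding is this example's, not SekChek's. Assumes the ActiveDirectory module (PowerShell 3.0 or later).

```powershell
# Added example (not SekChek's code).
Import-Module ActiveDirectory

$domainDN  = (Get-ADDomain).DistinguishedName
$replGuids = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',  # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes-All
)
# Rights that let the holder take the object over outright.
$control  = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, WriteDacl, WriteOwner, GenericWrite'
$extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
# Trustees that hold control rights on containers by default (this example's list).
$expected = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS'

function Get-AppliesTo($ace) {
    # Map the .NET inheritance type onto the wording of the report key.
    switch ("$($ace.InheritanceType)") {
        'None'            { 'This object only' }
        'All'             { 'This object and all child objects' }
        'Descendents'     { 'Child objects only' }
        'Children'        { 'Child objects only (P)' }            # one level; no further propagation
        'SelfAndChildren' { 'This object and child objects (P)' }
    }
}

function Get-ContainerControlAces {
    $filter = '(|(objectClass=domainDNS)(objectClass=organizationalUnit)(objectClass=container))'
    $objs = Get-ADObject -SearchBase $domainDN -LDAPFilter $filter -Properties nTSecurityDescriptor
    foreach ($o in $objs) {
        foreach ($ace in $o.nTSecurityDescriptor.Access) {
            if ("$($ace.AccessControlType)" -ne 'Allow') { continue }
            $who   = $ace.IdentityReference.Value
            $guid  = $ace.ObjectType.ToString()
            $isCtl = ([int]($ace.ActiveDirectoryRights -band $control) -ne 0) -and ($guid -eq [guid]::Empty.ToString())
            $isRep = ([int]($ace.ActiveDirectoryRights -band $extended) -ne 0) -and ($replGuids -contains $guid)
            if (-not ($isCtl -or $isRep)) { continue }
            $rights = "$($ace.ActiveDirectoryRights)"
            if ($isRep) { $rights = 'Replicating Directory Changes' }
            $flags = ''
            if ($ace.IsInherited) { $flags = 'I' }
            $unexpected = ($expected -notcontains $who) -and
                          ($who -notlike '*\Domain Admins') -and ($who -notlike '*\Enterprise Admins')
            [pscustomobject]@{
                Object     = $o.DistinguishedName
                Trustee    = $who
                Rights     = $rights
                AppliesTo  = Get-AppliesTo $ace
                Flags      = $flags
                Unexpected = $unexpected
            }
        }
    }
}

Get-ContainerControlAces | Where-Object { $_.Unexpected } |
    Sort-Object Object | Format-Table Object, Trustee, Rights, AppliesTo, Flags -AutoSize
```

Inherited entries (Flags = I) usually trace back to one ACE high in the tree, so resolve the non-inherited finding on the parent first and re-run; a WriteDacl or GenericAll held by a helpdesk or service group on an OU containing privileged accounts is the typical item that the Medium to High rating below refers to.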
Implications
Some of the permissions are very powerful and they should be carefully assigned to users and groups.
Risk Rating
Medium to High. (If users are assigned powerful Permissions that are not in line with their job functions.)
Recommended Action
You should check that the listed permissions over objects are appropriate and in line with users’ job functions.
26. Trusted and Trusting Domains
Section Summary
The domain being analysed has trust relationships with 2 other domains
50.0% (1) are trusted domains
50.0% (1) are trusting domains
0.0% (0) are both trusted and trusting domains
Section Detail
Domain Name   Trust Type           Attributes              Trusted / Trusting
SnakeNY       MIT Kerberos realm   Disallow transitivity   Yes
SnakeWP       MIT Kerberos realm   Disallow transitivity   Yes
(The extracted row does not preserve which of the two columns each "Yes" falls under; per the Section Summary, one of the domains is trusted and the other is trusting.)
Implications
A trust relationship is a link between two domains where the trusting domain honours logon authentications of the trusted domain.
Active Directory services support two forms of trust relationships: one-way, non-transitive trusts and two-way, transitive trusts.
In a one-way trust relationship, if Domain A trusts Domain B, Domain B does not automatically trust Domain A.
In a non-transitive trust relationship, if Domain A trusts Domain B and Domain B trusts Domain C, then Domain A does not automatically trust Domain C.
Networks running Windows NT 4.0 and earlier versions of Windows NT use one-way, non-transitive trust relationships. You manually create one-way, non-transitive trust relationships between existing domains. As a result, a Windows NT 4.0 (or earlier Windows NT) network with several domains requires the creation of many trust relationships.
Active Directory services support this type of trust for connections to existing Windows NT 4.0 and earlier domains and to allow the configuration of trust relationships with domains in other domain trees.
A two-way, transitive trust is the relationship between parent and child domains within a domain tree and between the top-level domains in a forest of domain trees. This is the default. Trust relationships among domains in a tree are established and maintained automatically. Transitive trust is a feature of the Kerberos authentication protocol, which provides for distributed authentication and authorization in Windows 200x*.
In a two-way trust relationship, if Domain A trusts Domain B, then Domain B trusts Domain A. In a transitive trust relationship, if Domain A trusts Domain B and Domain B trusts Domain C, then Domain A trusts Domain C. Therefore in a two-way, transitive trust relationship, if DomainA trusts DomainB and DomainB trusts DomainC, then DomainA trusts DomainC and DomainC trusts DomainA.
If a two-way, transitive trust exists between two domains, you can assign permissions to resources in one domain to user and group accounts in the other domain, and vice versa.
Two-way, transitive trust relationships are the default in Windows 200x*. When you create a new child domain in a domain tree, a trust relationship is established automatically with its parent domain, which imparts a trust relationship with every other domain in the tree. As a result, users in one domain can access resources to which they have been granted permission in all other domains in a tree.
Note, however, that the single logon enabled by trusts does not necessarily imply that the authenticated user has rights and permissions in all domains.
The trusting domain relies on the trusted domain to verify the user ID and password of users whose accounts are held in the trusted domain.
Trusted domains can therefore provide paths for unauthorised access to the trusting domains: weak security standards applied in a trusted domain undermine security on every domain that trusts it.
Risk Rating
Medium to High (dependent on the quality of security standards applied in trusted domains).
Recommended Action
You should satisfy yourself that security in domains trusted by your domain is implemented and administered to appropriate standards. You should consider running SekChek on domain controllers for all trusted domains.
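Before auditing the trusted domains themselves, confirm what the trust objects actually permit. The script below is an added example, not part of the SekChek report: it inventories the domain's trusts with Get-ADTrust, decodes the attribute bits that matter for the implications above (transitivity, SID filtering, selective authentication), and maps direction onto the report's Trusted/Trusting columns. The TrustAttributes bit values are the documented TRUST_ATTRIBUTE_* flags; the Review heuristics are this example's, not SekChek's. Assumes the ActiveDirectory module (PowerShell 3.0 or later).

```powershell
# Added example (not SekChek's code).
Import-Module ActiveDirectory

# TRUST_ATTRIBUTE_* bits of the trustAttributes attribute.
$TA = @{
    NonTransitive    = 0x1    # "Disallow transitivity" in the report
    Quarantined      = 0x4    # SID filtering (quarantine) on an external trust
    ForestTransitive = 0x8
    CrossOrg         = 0x10   # selective authentication
    WithinForest     = 0x20
}

function Get-TrustInventory {
    foreach ($t in Get-ADTrust -Filter *) {
        $a = [int]$t.TrustAttributes
        $nonTransitive = (($a -band $TA.NonTransitive) -ne 0)
        # Report convention: Trusted = this domain honours the target's logons (outbound);
        # Trusting = the target honours ours (inbound).
        $trusted  = ('Outbound', 'BiDirectional' -contains "$($t.Direction)")
        $trusting = ('Inbound',  'BiDirectional' -contains "$($t.Direction)")
        $notes = @()
        if ($trusted -and -not $t.IntraForest) {
            if ($t.ForestTransitive -and -not $t.SIDFilteringForestAware) {
                $notes += 'forest trust without SID filtering'
            }
            if (-not $t.ForestTransitive -and -not $t.SIDFilteringQuarantined) {
                $notes += 'external trust without SID filtering (SID history abuse possible)'
            }
            if (-not $t.SelectiveAuthentication) { $notes += 'no selective authentication' }
            if (-not $nonTransitive)             { $notes += 'transitive: also trusts whatever the target trusts' }
        }
        [pscustomobject]@{
            Domain     = $t.Name
            TrustType  = "$($t.TrustType)"
            Transitive = -not $nonTransitive
            Trusted    = $trusted
            Trusting   = $trusting
            Review     = ($notes -join '; ')
        }
    }
}

Get-TrustInventory | Sort-Object Domain | Format-Table -AutoSize
```

For this domain the two MIT realm trusts are already non-transitive, so the Review column is mostly about SID filtering and selective authentication; an inbound-only trust (Trusting = True, Trusted = False) exposes nothing in this domain to the other side's weaknesses, which is why the remediation effort belongs on the outbound ones.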
27. Servers and Workstations
Notes
Role: DC = Domain Controller, S = Server, WS = Workstation
When OS & Version = Not defined and Role = blank, it means that SekChek could not obtain the information or that the object does not refer to an actual machine.
Section Summary
There are 4 computer accounts defined in your domain:
50.0% (2) are Domain Controllers
0.0% (0) are Servers
50.0% (2) are Workstations
0.0% (0) of computer accounts are protected against accidental deletion
Breakdown of Operating Systems:
25.0% (1) are running Windows 7 Enterprise
25.0% (1) are running Windows Server 2003
25.0% (1) are running Windows Server 2008 R2 Enterprise
25.0% (1) are running Windows Vista™ Enterprise
Section Detail
Common Name Path OS & Version Role
BEOWOLF        Computers            Windows Vista™ Enterprise 6.0 (6002)            WS
BOOMSLANG      Domain Controllers   Windows Server 2003 5.2 (3790)                  DC
PUFFADDER      Domain Controllers   Windows Server 2008 R2 Enterprise 6.1 (7601)    DC
REDWOLF        Computers            Windows 7 Enterprise 6.1 (7601)                 WS
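The summary and table above can be regenerated, and the 0.0% protection figure fixed, with the script below. It is an added example, not part of the SekChek report or its tooling: it derives Role as the Notes describe (primaryGroupID 516 or 521 marks a domain controller, including a read-only one; an operating system string containing "Server" marks a server; any other defined OS marks a workstation; no OS leaves Role blank and reports "Not defined"), prints the percentage breakdowns in the report's format, and shows the one-line remediation for accounts that are not protected from accidental deletion. Assumes the ActiveDirectory module (PowerShell 3.0 or later).

```powershell
# Added example (not SekChek's code).
Import-Module ActiveDirectory

function Get-ComputerInventory {
    $props = 'OperatingSystem', 'OperatingSystemVersion', 'PrimaryGroupID', 'ProtectedFromAccidentalDeletion'
    foreach ($c in Get-ADComputer -Filter * -Properties $props) {
        if (516, 521 -contains $c.PrimaryGroupID)      { $role = 'DC' }   # Domain Controllers / RODCs group
        elseif ($c.OperatingSystem -match 'Server')    { $role = 'S' }
        elseif ($c.OperatingSystem)                    { $role = 'WS' }
        else                                           { $role = '' }
        $osName = 'Not defined'
        if ($c.OperatingSystem) { $osName = $c.OperatingSystem }
        [pscustomobject]@{
            CommonName = $c.Name
            Path       = ($c.DistinguishedName -split ',', 2)[1]   # parent container DN
            OSName     = $osName
            OSVersion  = "$($c.OperatingSystemVersion)"
            Role       = $role
            Protected  = [bool]$c.ProtectedFromAccidentalDeletion
            DN         = $c.DistinguishedName
        }
    }
}

function Format-Percent($count, $total) {
    if ($total -eq 0) { return '0.0% (0)' }
    '{0:N1}% ({1})' -f (100.0 * $count / $total), $count
}

$inv = @(Get-ComputerInventory)
$n   = $inv.Count
"There are $n computer accounts defined in your domain:"
$labels = @{ 'DC' = 'Domain Controllers'; 'S' = 'Servers'; 'WS' = 'Workstations' }
foreach ($r in 'DC', 'S', 'WS') {
    $c = @($inv | Where-Object { $_.Role -eq $r }).Count
    "  {0} are {1}" -f (Format-Percent $c $n), $labels[$r]
}
$p = @($inv | Where-Object { $_.Protected }).Count
"  {0} of computer accounts are protected against accidental deletion" -f (Format-Percent $p $n)
"Breakdown of Operating Systems:"
foreach ($g in ($inv | Group-Object OSName | Sort-Object Name)) {
    "  {0} are running {1}" -f (Format-Percent $g.Count $n), $g.Name
}
$inv | Sort-Object CommonName | Format-Table CommonName, Path, OSName, OSVersion, Role -AutoSize

# Remediation for the unprotected accounts; uncomment to apply (domain controllers first).
# $inv | Where-Object { -not $_.Protected } |
#     ForEach-Object { Set-ADObject -Identity $_.DN -ProtectedFromAccidentalDeletion $true }
```

Protection from accidental deletion is a deny-Delete ACE on the object, not a security boundary, but a deleted domain controller account is a service outage and a deleted workstation account silently breaks that machine's trust with the domain; the cost of setting the flag is nil.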
Implications
Every server and workstation will provide various services to users within the domain.
Servers normally offer services such as SQL databases, business applications, Active Directory, Email and remote access services.
Workstations are normally used by end users to log on to the domain and make use of domain resources and services as required.
Resources and services can be shared, with varying access permission settings, on all servers and workstations.
Every server and workstation is a potential security risk because they provide an access path to domain resources.
Risk Rating
Medium to High (Depending on the type of servers, their configuration and security setting standards applied).