• No results found

Note. Where the Account Name is blank, the privilege is assigned to nobody.

Account Name | Right | Via Groups
 | Act as part of the operating system |
 | Create a token object |
 | Create permanent shared objects |
 | Deny log on as a batch job |
 | Deny log on as a service |
 | Deny log on through Terminal Services |
 | Generate security audits |
 | Lock pages in memory |
 | Replace a process-level token |
 | Synchronize directory service data |
Administrator | Access this computer from the network | Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
Administrator | Access this computer from the network (Effective) | Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
Administrator | Adjust memory quotas for a process | Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
Administrator | Allow log on locally | Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
Administrator | Allow log on through Terminal Services | Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
Administrator | Backup files and directories | Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
Administrator | Bypass traverse checking | Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
Administrator | Change the system time | Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
Administrator | Create a page file | Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
Administrator | Create global objects | Administrators; Administrators*Domain Admins
Administrator | Debug programs | Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
Administrator | Enable accounts to be trusted for delegation | Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
Administrator | Force shutdown from a remote system | Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
Administrator | Impersonate a Client after authentication | Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
Administrator | Increase scheduling priority | Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
Administrator | Load and unload device drivers | Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
Administrator | Manage auditing and security log | Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
Administrator | Modify firmware environment values | Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
Administrator | Perform volume maintenance tasks | Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
Administrator | Profile single process | Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
Administrator | Profile system performance | Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
Administrator | Remove computer from docking station | Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
Administrator | Restore files and directories | Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
Administrator | Shut down the system | Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
Administrator | Take ownership of files or other objects | Administrators; Administrators*Domain Admins; Administrators*Enterprise Admins
GpLinkTest | Access this computer from the network | Administrators
GpLinkTest | Access this computer from the network (Effective) | Administrators
GpLinkTest | Adjust memory quotas for a process | Administrators
GpLinkTest | Allow log on locally | Administrators
GpLinkTest | Allow log on through Terminal Services | Administrators
GpLinkTest | Backup files and directories | Administrators
GpLinkTest | Bypass traverse checking | Administrators
GpLinkTest | Change the system time | Administrators
GpLinkTest | Create a page file | Administrators
GpLinkTest | Create global objects | Administrators
GpLinkTest | Debug programs | Administrators
GpLinkTest | Enable accounts to be trusted for delegation | Administrators
GpLinkTest | Force shutdown from a remote system | Administrators
GpLinkTest | Impersonate a Client after authentication | Administrators
GpLinkTest | Increase scheduling priority | Administrators
GpLinkTest | Load and unload device drivers | Administrators
GpLinkTest | Manage auditing and security log | Administrators
GpLinkTest | Modify firmware environment values | Administrators
GpLinkTest | Perform volume maintenance tasks | Administrators
GpLinkTest | Profile single process | Administrators
GpLinkTest | Profile system performance | Administrators
GpLinkTest | Remove computer from docking station | Administrators
GpLinkTest | Restore files and directories | Administrators
GpLinkTest | Shut down the system | Administrators
GpLinkTest | Take ownership of files or other objects | Administrators
SophosSAUPUFFADDER0 | Deny log on locally |
SophosSAUPUFFADDER0 | Log on as a service |
SophosSAUPUFFADDER0 | Log on as a service (Effective) |
SUPPORT_388945a0 | Deny access to this computer from the network |
SUPPORT_388945a0 | Deny log on locally |
SUPPORT_388945a0 | Log on as a batch job |
SUPPORT_388945a0 | Log on as a batch job (Effective) |

24.6 Rights Assigned to Well-Known Objects

Notes

Well-Known Objects are special identities defined by the Windows 200x* security system, such as Everyone, Local System, Principal Self, Authenticated Users, Creator Owner, and so on.

The following report lists rights assigned to Well-Known Objects, including rights assigned directly (the column Group Account Name is empty), and rights acquired indirectly via membership of groups or nested groups (the column Group Account Name).

In cases of rights acquired indirectly, the Group Account Name will be written in the format Group1*Group2*Group3…, starting from the higher-level group from which the user acquires the right. E.g. Well-Known Object has Right via membership of Group1*Group2*Group3.

Consult reports Rights Assigned to Local Groups, Rights Assigned to Universal Groups (Native mode only) and Rights Assigned to Global Groups for a complete list of rights assigned to all Groups.

For a complete list of groups see report section Groups Defined in the Domain.

Account Name | Right | Via Groups
Authenticated Users | Access this computer from the network |
Authenticated Users | Access this computer from the network | Pre-Windows 2000 Compatible Access
Authenticated Users | Add workstations to domain |
Authenticated Users | Bypass traverse checking |
Authenticated Users | Bypass traverse checking | Pre-Windows 2000 Compatible Access
Enterprise Domain Controllers | Access this computer from the network |
Everyone | Access this computer from the network |
Everyone | Bypass traverse checking |
Service | Create global objects |
Service | Impersonate a Client after authentication |
SYSTEM | Log on as a service |

24.7 Rights Assigned to External Objects

Notes

The external objects are users, groups or computers that belong to other domains.

When “Unknown” is reflected, it means that the server/domain where the object is registered could not be reached to obtain the information.

When a server/domain cannot be reached for information, the server/domain is either not available through the network or the server/domain no longer exists in the domain.

The following report lists rights assigned to external objects, including rights assigned directly (the column Group Account Name is empty), and rights acquired indirectly via membership of groups or nested groups (the column Group Account Name).

In cases of rights acquired indirectly, the Group Account Name will be written in the format Group1*Group2*Group3…, starting from the higher-level group from which the user acquires the right. E.g. External Object has Right via membership of Group1*Group2*Group3.

Consult reports Rights Assigned to Local Groups, Rights Assigned to Universal Groups (Native mode only) and Rights Assigned to Global Groups for a complete list of rights assigned to all Groups.

For a complete list of groups see report section Groups Defined in the Domain.

** No data found **
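The Via Groups notation described in sections 24.6 and 24.7 (Group1*Group2*Group3, higher-level group first) is the result of resolving nested group membership. The following added example, which is not SekChek's code, resolves it over constructed sample data, including the blank-Account-Name case (a right held by nobody); the assignments and memberships are assumptions chosen to reproduce rows like those in the tables above.

```python
from collections import defaultdict

# Constructed sample data (not taken from the report): user rights assigned
# directly to accounts or groups, and group membership including nesting.
RIGHT_ASSIGNMENTS = {
    "Access this computer from the network": {
        "Administrators", "Authenticated Users", "Pre-Windows 2000 Compatible Access"},
    "Debug programs": {"Administrators"},
    "Act as part of the operating system": set(),   # assigned to nobody
}
MEMBERS = {  # group -> direct members (accounts or nested groups)
    "Administrators": {"Administrator", "Domain Admins", "Enterprise Admins"},
    "Domain Admins": {"Administrator"},
    "Enterprise Admins": {"Administrator"},
    "Pre-Windows 2000 Compatible Access": {"Authenticated Users"},
}

def membership_paths(principal, group, members, path=()):
    """Yield each nesting path by which principal belongs to group, as a tuple
    starting from the higher-level group (Group1, Group2, ...)."""
    if group in path:                     # circular nesting: stop
        return
    path = path + (group,)
    for member in members.get(group, ()):
        if member == principal:
            yield path
        elif member in members:           # nested group: descend
            yield from membership_paths(principal, member, members, path)

def effective_rights(principal, rights, members):
    """Return {right: [via, ...]} for principal, where via is '' for a direct
    assignment or 'Group1*Group2*...' in the report's Via Groups notation."""
    result = defaultdict(list)
    for right, holders in rights.items():
        if principal in holders:
            result[right].append("")
        for holder in holders:
            if holder in members:
                for path in membership_paths(principal, holder, members):
                    result[right].append("*".join(path))
    return {right: sorted(vias) for right, vias in result.items()}

def unassigned_rights(rights):
    """Rights held by nobody: the rows with a blank Account Name."""
    return sorted(right for right, holders in rights.items() if not holders)
```

Auditing the output is the same check the report asks for: every via path for a powerful right should end at a group whose membership is justified by job function.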

25. Discretionary Access Controls (DACL) for Containers

Section Summary

This report section analyses 4,572 DACLs defined on the following classes of container objects:

• Containers: 4,366 DACLs

• Domains: 51 DACLs

• Organizational Units: 129 DACLs

• Sites: 26 DACLs

Notes

A discretionary access control list (DACL) is an ordered list of access control entries (ACEs) that define the permissions that apply to an object and its properties. Each ACE identifies an account (user, group, well-known object) and specifies a set of permissions allowed or denied for that account.

Key:

Permission - The permission(s) the trustee has over the object.

Type - Allow = Allow permission to trustee; Deny = Deny permission to trustee.

Trustee - The account to which the permission is assigned for the specified object. (G) = Group; (U) = User; (W) = Well-Known Object; (C) = Computer; (?) = The account is from an external domain and we cannot resolve the account type.

Object - The object on which the account has the permission. (D) = Domain; (OU) = Organizational Unit; (C) = Container; (S) = Site.

Permission Applies To - Specifies where the permissions are applied:

• This object only

• This object and all child objects

• Child objects only

P - The permission applies to objects within the container specified (the object the permission applies to) only. If omitted, the permission will propagate to all child objects of the container within the tree.

I - The permission is inherited from the parent object. If omitted, the permission is defined directly on the specified object.

PI - Both options.
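To make the key concrete, here is an added example (not part of the report or of SekChek) that computes which ACEs are effective on each object of a small constructed container tree and labels them with the report's '' / I / P / PI flags; the tree, trustees and permissions are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    trustee: str        # e.g. "Domain Admins (G)"
    permission: str
    ace_type: str       # "Allow" or "Deny"
    applies_to: str     # "This object only" | "This object and all child objects" | "Child objects only"
    no_propagate: bool = False   # the report's P flag: stays within the specified container

# Constructed container tree (not from the report): parent -> children
TREE = {
    "DC=corp": ["OU=Servers", "OU=Users"],
    "OU=Servers": ["CN=PUFFADDER"],
}
# ACEs defined directly on each object (constructed)
DEFINED = {
    "DC=corp": [
        Ace("Domain Admins (G)", "Full Control", "Allow", "This object and all child objects"),
        Ace("Helpdesk (G)", "Reset Password", "Allow", "Child objects only", no_propagate=True),
    ],
    "OU=Servers": [Ace("Everyone (W)", "Delete", "Deny", "This object only")],
}

def _ancestors(target, tree):
    """Ancestors of target, nearest first."""
    parents = {child: parent for parent, children in tree.items() for child in children}
    chain = []
    while target in parents:
        target = parents[target]
        chain.append(target)
    return chain

def effective_acl(target, tree, defined):
    """Return [(ace, flags)] effective on target using the report's key:
    '' = defined on the object, 'I' = inherited from a parent,
    'P' = does not propagate below the container it was defined on, 'PI' = both."""
    result = []
    for ace in defined.get(target, []):
        if ace.applies_to != "Child objects only":          # applies to the object itself
            result.append((ace, "P" if ace.no_propagate else ""))
    for distance, ancestor in enumerate(_ancestors(target, tree), start=1):
        for ace in defined.get(ancestor, []):
            if ace.applies_to == "This object only":         # never inherited
                continue
            if ace.no_propagate and distance > 1:            # P: direct children only
                continue
            result.append((ace, "PI" if ace.no_propagate else "I"))
    return result
```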

Section Detail

For details see worksheet DACLs in the MS-Excel workbook.

Implications

Some of the permissions are very powerful and they should be carefully assigned to users and groups.

Risk Rating

Medium to High. (If users are assigned powerful Permissions that are not in line with their job functions.)

Recommended Action

You should check that the listed permissions over objects are appropriate and in line with users’ job functions.

26. Trusted and Trusting Domains

Section Summary

The domain being analysed has trust relationships with 2 other domains.

• 50.0% (1) are trusted domains

• 50.0% (1) are trusting domains

• 0.0% (0) are both trusted and trusting domains

Section Detail

Domain Name | Trust Type | Attributes | Trusted / Trusting
SnakeNY | MIT Kerberos realm | Disallow transitivity | Yes
SnakeWP | MIT Kerberos realm | Disallow transitivity | Yes

Implications

A trust relationship is a link between two domains where the trusting domain honours logon authentications of the trusted domain.

Active Directory services support two forms of trust relationships: one-way, non-transitive trusts and two-way, transitive trusts.

In a one-way trust relationship, if Domain A trusts Domain B, Domain B does not automatically trust Domain A.

In a non-transitive trust relationship, if Domain A trusts Domain B and Domain B trusts Domain C, then Domain A does not automatically trust Domain C.

Networks running Windows NT 4.0 and earlier versions of Windows NT use one-way, non-transitive trust relationships. You manually create one-way, non-transitive trust relationships between existing domains. As a result, a Windows NT 4.0 (or earlier Windows NT) network with several domains requires the creation of many trust relationships.

Active Directory services support this type of trust for connections to existing Windows NT 4.0 and earlier domains and to allow the configuration of trust relationships with domains in other domain trees.

A two-way, transitive trust is the relationship between parent and child domains within a domain tree and between the top-level domains in a forest of domain trees. This is the default. Trust relationships among domains in a tree are established and maintained automatically. Transitive trust is a feature of the Kerberos authentication protocol, which provides for distributed authentication and authorization in Windows 200x*.

In a two-way trust relationship, if Domain A trusts Domain B, then Domain B trusts Domain A. In a transitive trust relationship, if Domain A trusts Domain B and Domain B trusts Domain C, then Domain A trusts Domain C. Therefore in a two-way, transitive trust relationship, if Domain A trusts Domain B and Domain B trusts Domain C, then Domain A trusts Domain C and Domain C trusts Domain A.

If a two-way, transitive trust exists between two domains, you can assign permissions to resources in one domain to user and group accounts in the other domain, and vice versa.

Two-way, transitive trust relationships are the default in Windows 200x*. When you create a new child domain in a domain tree, a trust relationship is established automatically with its parent domain, which imparts a trust relationship with every other domain in the tree. As a result, users in one domain can access resources to which they have been granted permission in all other domains in a tree.

Note, however, that the single logon enabled by trusts does not necessarily imply that the authenticated user has rights and permissions in all domains.

The trusting domain relies on the trusted domain to verify the user ID and password of users logging on to the trusted domain.

Trusted domains can potentially provide paths for illegal access to the trusting domains. Weak security standards applied in trusted domains can undermine security on the trusting domains.
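The direction and transitivity rules above decide which domains can reach the analysed domain's resources. The following added example (not SekChek's code) works them out over a constructed trust list in which "corp.example" stands for the analysed domain and the two non-transitive SnakeNY/SnakeWP entries mirror the Section Detail table; the extra child and partner domains are assumptions added to show a transitive chain.

```python
from collections import defaultdict

# Constructed trust list (not taken from the report). Each entry is
# (trusting domain, trusted domain, transitive): the trusting domain honours
# logons authenticated by the trusted domain.
SAMPLE_TRUSTS = [
    ("corp.example", "SnakeNY", False),            # corp trusts SnakeNY
    ("SnakeWP", "corp.example", False),            # SnakeWP trusts corp
    ("corp.example", "child.corp.example", True),  # parent/child: two-way,
    ("child.corp.example", "corp.example", True),  # transitive
    ("child.corp.example", "partner.example", True),
]

def _reach(start, edges):
    """Every direct partner of start, plus partners of partners as long as
    each hop on the chain is transitive (a non-transitive hop ends it)."""
    direct = {dst for src, dst, _ in edges if src == start}
    transitive = defaultdict(set)
    for src, dst, is_transitive in edges:
        if is_transitive:
            transitive[src].add(dst)
    seen, frontier = set(), list(transitive[start])
    while frontier:
        d = frontier.pop()
        if d in seen or d == start:
            continue
        seen.add(d)
        frontier.extend(transitive[d])
    return direct | seen

def trusted_by(domain, trusts):
    """Domains whose users can authenticate to resources in `domain`."""
    return _reach(domain, trusts)

def trusting_of(domain, trusts):
    """Domains whose resources users of `domain` can authenticate to."""
    return _reach(domain, [(dst, src, t) for src, dst, t in trusts])

def classify_partners(domain, trusts):
    """Label each direct partner trusted / trusting / both, as in the summary."""
    labels = {}
    for src, dst, _ in trusts:
        if src == domain:
            labels[dst] = "both" if labels.get(dst) == "trusting" else "trusted"
        elif dst == domain:
            labels[src] = "both" if labels.get(src) == "trusted" else "trusting"
    return labels
```

Every domain returned by trusted_by is one whose security standards the analysed domain depends on, which is the set the Recommended Action asks you to review.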

Risk Rating

Medium to High (dependent on the quality of security standards applied in trusted domains).

Recommended Action

You should satisfy yourself that security in domains trusted by your domain is implemented and administered to appropriate standards. You should consider running SekChek on domain controllers for all trusted domains.

27. Servers and Workstations

Notes

Role: DC = Domain Controller, S = Server, WS = Workstation

When OS & Version = Not defined and Role = blank, it means that SekChek could not obtain the information or that the object does not refer to an actual machine.

Section Summary

There are 4 computer accounts defined in your domain:

• 50.0% (2) are Domain Controllers

• 0.0% (0) are Servers

• 50.0% (2) are Workstations

• 0.0% (0) of computer accounts are protected against accidental deletion

Breakdown of Operating Systems:

• 25.0% (1) are running Windows 7 Enterprise

• 25.0% (1) are running Windows Server 2003

• 25.0% (1) are running Windows Server 2008 R2 Enterprise

• 25.0% (1) are running Windows Vista Enterprise

Section Detail

Common Name | Path | OS & Version | Role
BEOWOLF | Computers | Windows Vista Enterprise 6.0 (6002) | WS
BOOMSLANG | Domain Controllers | Windows Server 2003 5.2 (3790) | DC
PUFFADDER | Domain Controllers | Windows Server 2008 R2 Enterprise 6.1 (7601) | DC
REDWOLF | Computers | Windows 7 Enterprise 6.1 (7601) | WS

Implications

Every server and workstation will provide various services to users within the domain.

Servers normally offer services such as SQL databases, business applications, Active Directory, Email and remote access services.

Workstations are normally used by end users to log on to the domain and make use of domain resources and services as required.

Resources and services can be shared, with varying access permission settings, on all servers and workstations.

Every server and workstation is a potential security risk because they provide an access path to domain resources.

Risk Rating

Medium to High (Depending on the type of servers, their configuration and security setting standards applied).

Recommended Action

Related documents