Host Configuration Assessment - Windows



OS Information Gathering

systeminfo
wmic computersystem get domainrole

0 - Standalone workstation
1 - Member workstation
2 - Standalone server
3 - Member server
4 - Domain controller

secedit /export /cfg cfg.ini > nul
net user administrator > netuseradmin.txt
auditpol.exe /get /category:* > auditpol.txt
netsh advfirewall show allprofiles > firewall.txt
net accounts > netaccount.txt
gpresult /f /h evid/gporesult.html > nul
accesschk /accepteula -q -a * > accesschk.txt

*Simplify the process with Scgary!










User Right Assignment


type cfg.ini | grep "^SeAuditPrivilege\|^SeCreatePagefilePrivilege\|^SeRemoteShutdownPrivilege\|^SeRemoteInteractiveLogonRight\|^SeEnableDelegationPrivilege\|^SeLockMemoryPrivilege\|^SeDenyNetworkLogonRight\|^SeChangeNotifyPrivilege\|^SeDebugPrivilege\|^SeDenyBatchLogonRight\|^SeCreateGlobalPrivilege\|^SeShutdownPrivilege\|^SeIncreaseQuotaPrivilege\|^SeTrustedCredManAccessPrivilege\|^SeDenyInteractiveLogonRight\|^SeIncreaseBasePriorityPrivilege\|^SeIncreaseWorkingSetPrivilege\|^SeNetworkLogonRight\|^SeTcbPrivilege\|^SeImpersonatePrivilege\|^SeSecurityPrivilege\|^SeInteractiveLogonRight\|^SeUndockPrivilege\|^SeTakeOwnershipPrivilege"







CIS Recommended:









Administrators (*S-1-5-32-544)


type cfg.ini | grep "^SeCreatePagefilePrivilege\|^SeRemoteShutdownPrivilege\|^SeRemoteInteractiveLogonRight\|^SeDebugPrivilege\|^SeShutdownPrivilege\|^SeIncreaseBasePriorityPrivilege\|^SeSecurityPrivilege\|^SeInteractiveLogonRight\|^SeUndockPrivilege\|^SeTakeOwnershipPrivilege"


    

  • Create a pagefile (SeCreatePagefilePrivilege)
    • 

  • Force shutdown from a remote system (SeRemoteShutdownPrivilege)
    • 

  • Allow log on through Remote Desktop Services (SeRemoteInteractiveLogonRight)
    • 

  • Debug programs (SeDebugPrivilege)
    • 

  • Shut down the system (SeShutdownPrivilege)
    • 

  • Increase scheduling priority (SeIncreaseBasePriorityPrivilege)
    • 

  • Manage auditing and security log (SeSecurityPrivilege)
    • 

  • Allow log on locally (SeInteractiveLogonRight)
    • 

  • Remove computer from docking station (SeUndockPrivilege)
    • 

  • Take ownership of files or other objects (SeTakeOwnershipPrivilege)
    • 






No One


type cfg.ini | grep "^SeEnableDelegationPrivilege\|^SeLockMemoryPrivilege\|^SeTrustedCredManAccessPrivilege\|^SeTcbPrivilege"


    

  • Enable computer and user accounts to be trusted for delegation (SeEnableDelegationPrivilege)
    • 

  • Lock pages in memory (SeLockMemoryPrivilege)
    • 

  • Access Credential Manager as a trusted caller (SeTrustedCredManAccessPrivilege)
    • 

  • Act as part of the operating system (SeTcbPrivilege)
    • 






Guest (*S-1-5-32-546)


type cfg.ini | grep "^SeDenyNetworkLogonRight\|^SeDenyBatchLogonRight\|^SeDenyInteractiveLogonRight"


    

  • Deny access to this computer from the network (SeDenyNetworkLogonRight)
    • 

  • Deny log on as a batch job (SeDenyBatchLogonRight)
    • 

  • Deny log on locally (SeDenyInteractiveLogonRight)
    • 








Administrators, Authenticated Users, Backup Operators, Local Service, Network Service

(*S-1-5-32-544, [Authenticated User], *S-1-5-32-551, *S-1-5-19, *S-1-5-20)


type cfg.ini | grep "^SeChangeNotifyPrivilege"


    

  • Bypass traverse checking (SeChangeNotifyPrivilege)
    • 








Administrators, SERVICE, LOCAL SERVICE, NETWORK SERVICE

(*S-1-5-32-544, *S-1-5-6,  *S-1-5-19, *S-1-5-20)


type cfg.ini | grep "^SeCreateGlobalPrivilege\|^SeImpersonatePrivilege"


    

  • Create global objects (SeCreateGlobalPrivilege)
    • 

  • Impersonate a client after authentication (SeImpersonatePrivilege)
    • 








Administrators, Local Service, Network Service (*S-1-5-32-544, *S-1-5-19, *S-1-5-20)


type cfg.ini | grep "^SeIncreaseQuotaPrivilege"


    

  • Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)
    • 








Administrators, Local Service (*S-1-5-32-544, *S-1-5-19)


type cfg.ini | grep "^SeIncreaseWorkingSetPrivilege"


    

  • Increase a process working set (SeIncreaseWorkingSetPrivilege)
    • 








Local Service, Network Service (*S-1-5-19, *S-1-5-20)


type cfg.ini | grep "^SeAuditPrivilege"


    

  • Generate security audits (SeAuditPrivilege)
    • 








Administrators, Authenticated Users (*S-1-5-32-544, [Authenticated User])


type cfg.ini | grep "^SeNetworkLogonRight"


    

  • Access this computer from the network (SeNetworkLogonRight)
    • 














Well-known security identifiers: https://support.microsoft.com/en-us/kb/243330







Account Lockout Policy


type cfg.ini | grep "^LockoutBadCount"
type netaccount.txt | grep "^Lockout duration (minutes)\|^Lockout observation window (minutes)"




CIS Recommended:


LockoutBadCount = 6 (or fewer)
Lockout duration (minutes): 15 (or greater)
Lockout observation window (minutes): 15 (or greater)








Password Policy


type cfg.ini | grep "ClearTextPassword\|MinimumPasswordLength\|^MaximumPasswordAge\|PasswordHistorySize\|MinimumPasswordAge\|PasswordComplexity"



CIS Recommended:


MinimumPasswordAge = 1 (or greater)
MaximumPasswordAge = 60 (or less)
MinimumPasswordLength = 14 (or greater)
PasswordComplexity = 1 (Enabled)
PasswordHistorySize = 24 (or greater) 
ClearTextPassword = 0 (Disabled)






Security Options 

Accounts Policy and Network Access Policy 






type cfg.ini | grep "^EnableGuestAccount\|^LSAAnonymousNameLookup"



CIS Recommended:



EnableGuestAccount = 0 #Disable Guest account
LSAAnonymousNameLookup = 0 #Do not allow anonymous SID/Name translation












Obtain the following registry key value for assessment: 


reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole"
reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Polices\Explorer\"
reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" 
reg query "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer"
reg query "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa"
reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy"
reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0"
reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers"
reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths"
reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths"
reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager"
reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel"
reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management"
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\"
reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters"
reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters"
reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP"
reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters"
reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters"
reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters:DisableIPSourceRouting"




CIS Recommended:

Note: report.txt referring to the report generated by Scgary


    

  • 1. Audit Policy
    
    
    type report.txt | grep "SCENoApplyLegacyAuditPolicy\|crashonauditfail"
    

    "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa"
    SCENoApplyLegacyAuditPolicy REG_DWORD       0x1     #Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
    crashonauditfail            REG_DWORD       0x0     #Do not Shut down system immediately if unable to log security audits

    

    • 

  • 2. Device Policy
    
    
    type report.txt | grep "AllocateDASD\|AddPrinterDrivers"
    

    "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
    AllocateDASD                REG_SZ          2       #Allow Administrators and Interactive Users to format and eject removable media

"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers"
    AddPrinterDrivers           REG_DWORD       0x1     #Prevent users from installing printer drivers

    

    • 

  • 3. Domain Member Policy
    
    
    type report.txt | grep "DisablePasswordChange\|SealSecureChannel\|SignSecureChannel\|RequireSignOrSeal\|MaximumPasswordAge\|RequireStrongKey"
    

    "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters"
    DisablePasswordChange      REG_DWORD       0x0      #Disable machine account password changes
    SealSecureChannel          REG_DWORD       0x1      #Digitally encrypt secure channel data (when possible)
    SignSecureChannel          REG_DWORD       0x1      #Digitally sign secure channel data (when possible)
    RequireSignOrSeal          REG_DWORD       0x1      #Digitally encrypt or sign secure channel data (always)
    MaximumPasswordAge         REG_DWORD       0x1e     #Maximum machine account password age [30 days]
    RequireStrongKey           REG_DWORD       0x1      #Require strong (Windows 2000 or later) session key

    

    • 

  • 4. Interactive logon Policy
    
    
    type report.txt | grep "scremoveoption\|PasswordExpiryWarning\|DisableCAD\|CachedLogonsCount\|ForceUnlockLogon\|dontdisplaylastusername"
    

    "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
    scremoveoption              REG_SZ          1       #The Smart Card removal option configured to Lock Workstation (1-Lock Workstation; 2-Force Logoff)
    PasswordExpiryWarning       REG_DWORD       0xe     #Prompt user to change password before expiration [14 days]
    DisableCAD                  REG_DWORD       0x1     #Required to press CTRL+ALT+DEL before logging on to Window
    CachedLogonsCount           REG_SZ          0       #0 Number of previous logons to cache (in case domain controller is not available)
    ForceUnlockLogon            REG_DWORD       0x1     #Require Domain Controller authentication to unlock workstation

"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    dontdisplaylastusername     REG_DWORD       0x1     #Do not display last user name

    

    • 

  • 5. Microsoft network client Policy
    
    
    type report.txt | grep "EnablePlainTextPassword\|RequireSecuritySignature\|EnableSecuritySignature"
    

    "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters"
    EnablePlainTextPassword     REG_DWORD       0x0     #Do not send unencrypted password to third-party SMB servers
    RequireSecuritySignature    REG_DWORD       0x1     #Digitally sign communications (always)
    EnableSecuritySignature     REG_DWORD       0x1     #Digitally sign communications (if server agrees)

    

    • 

  • 6. MSS
    
    
    "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
    AutoAdminLogon              REG_SZ          0       #Automatic logons must be disabled

    

    • 

  • 7. Microsoft Network Server Policy
    
    
    type report.txt | grep "enablesecuritysignature\|requiresecuritysignature\|enableforcedlogoff\|autodisconnect"
    

    "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters"
    enablesecuritysignature     REG_DWORD       0x1     #Digitally sign communications (if client agrees)
    requiresecuritysignature    REG_DWORD       0x1     #Digitally sign communications (always)
    enableforcedlogoff          REG_DWORD       0x1     #Disconnect clients when logon hours expire
    autodisconnect              REG_DWORD       0xf     #Amount of idle time required before suspending session [15 minutes]

    

    • 

  • 8. Network Access Policy
    
    
    type report.txt | grep "forceguest\|restrictanonymous\|restrictanonymoussam\|everyoneincludesanonymous\|restrictnullsessaccess\|NullSessionShares\|Machine"
    

    "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa"
    forceguest                  REG_DWORD      0x0     #Sharing and security model for local accounts [Classic - local users authenticate as themselves]
    restrictanonymous           REG_DWORD      0x1     #Do not allow anonymous enumeration of SAM accounts and shares
    restrictanonymoussam        REG_DWORD      0x1     #Do not allow anonymous enumeration of SAM accounts
    everyoneincludesanonymous   REG_DWORD      0x0     #Do not let Everyone permissions apply to anonymous users
    
"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters"
    restrictnullsessaccess      REG_DWORD      0x1     #Restrict anonymous access to Named Pipes and Shares
    NullSessionShares           REG_MULTI_SZ           #Shares that can be accessed anonymously [None]

"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths"
    Machine                     REG_MULTI_SZ   System\CurrentControlSet\Control\Print\Printers\0System\CurrentControlSet\Services\Eventlog\0Software\Microsoft\OLAP Server\0Software\Microsoft\Windows NT\CurrentVersion\Print\0Software\Microsoft\Windows NT\CurrentVersion\Windows\0System\CurrentControlSet\Control\ContentIndex\0System\CurrentControlSet\Control\Terminal Server\0System\CurrentControlSet\Control\Terminal Server\UserConfig\0System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration\0Software\Microsoft\Windows NT\CurrentVersion\Perflib\0System\CurrentControlSet\Services\SysmonLog #Remotely accessible registry paths and sub-paths

"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths"
    Machine                     REG_MULTI_SZ   System\CurrentControlSet\Control\ProductOptions\0System\CurrentControlSet\Control\Server Applications\0Software\Microsoft\Windows NT\CurrentVersion #Remotely accessible registry paths

    

    • 

  • 9. Network Security Policy
    
    
    type report.txt | grep "LmCompatibilityLevel\|NoLmHash\|NtlmMinServerSec\|NtlmMinClientSec\|ldapclientintegrity"
    

    "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa"
    LmCompatibilityLevel       REG_DWORD       0x5     #LAN Manager authentication level [Send NTLMv2 response only. Refuse LM & NTLM]
    NoLmHash                   REG_DWORD       0x1     #Do not store LAN Manager hash value on next password change

"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0"
    NtlmMinServerSec           REG_DWORD      0x20080000     #Minimum session security for NTLM SSP based (including secure RPC) servers [Require NTLMv2 session security,Require 128-bit encryption]
    NtlmMinClientSec           REG_DWORD     0x20080000      #Minimum session security for NTLM SSP based (including secure RPC) clients [Require NTLMv2 session security,Require 128-bit encryption]  

"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP"
    ldapclientintegrity        REG_DWORD     0x1     #LDAP client signing requirements [Negotiate signing]

    

    • 

  • 10. Recovery Console Policy 
    
    
    type report.txt | grep "setcommand\|securitylevel"
    

    "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole"
    setcommand                 REG_DWORD     0x0     #Do not allow floppy copy and access to all drives and all folders
    securitylevel              REG_DWORD     0x0     #Do not allow automatic administrative logon

    

    • 

  • 11. Shutdown Policy 
    
    
    type report.txt | grep "ClearPageFileAtShutdown\|shutdownwithoutlogon"
    

    "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management"
    ClearPageFileAtShutdown    REG_DWORD    0x0     #Do not clear virtual memory pagefile
    shutdownwithoutlogon       REG_DWORD    0x0     #Do not allow system to be shut down without having to log on

    

    • 

  • 12. System cryptography Policy 
    
    
    type report.txt | grep "    Enabled"
    

    "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy"
    Enabled                    REG_DWORD    0x1     #Use FIPS compliant algorithms for encryption, hashing, and signing

    

    • 

  • 13. System Objects Policy 
    
    
    type report.txt | grep "obcaseinsensitive\|ProtectionMode"
    

    "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel"
    obcaseinsensitive          REG_DWORD    0x1    #Require case insensitivity for non-Windows subsystems
     
"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager"   
    ProtectionMode             REG_DWORD    0x1    #Strengthen default permissions of internal system objects (e.g. Symbolic Links)

    

    • 

  • 14. System Setting Policy 
    
    
    type report.txt | grep "authenticodeenabled"
    

    "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
    authenticodeenabled        REG_DWORD    0x1    #Use Certificate Rules on Windows Executables for Software Restriction Policies

    

    • 

  • 15. User Account Control Policy 
    
    
    type report.txt | grep "ConsentPromptBehaviorAdmin\|ConsentPromptBehaviorUser\|EnableLUA\|FilterAdministratorToken\|EnableUIADesktopToggle\|PromptOnSecureDesktop\|ValidateAdminCodeSignatures\|EnableVirtualization\|EnableInstallerDetection\|EnableSecureUIAPaths"
    

    "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    ConsentPromptBehaviorAdmin    REG_DWORD    0x5    #When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege
    ConsentPromptBehaviorUser     REG_DWORD    0x3    #When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege
    EnableLUA                     REG_DWORD    0x1    #Run all administrators in Admin Approval Mode
    FilterAdministratorToken      REG_DWORD    0x1    #Admin Approval Mode for the Built-in Administrator account
    EnableUIADesktopToggle        REG_DWORD    0x0    #Do not allow UIAccess applications to prompt for elevation without using the secure desktop
    PromptOnSecureDesktop         REG_DWORD    0x1    #Switch to the secure desktop when prompting for elevation
    ValidateAdminCodeSignatures   REG_DWORD    0x0    #Does not enforce PKI certification path validation before a given executable file is permitted to run
    EnableVirtualization          REG_DWORD    0x1    #Virtualize file and registry write failures to per-user locations
    EnableInstallerDetection      REG_DWORD    0x1    #Detect application installations and prompt for elevation
    EnableSecureUIAPaths          REG_DWORD    0x1    #Only elevate UIAccess applications that are installed in secure locations

    

    • 




Reference: Windows Registry Cheat Sheet by Axcel Security 






Audit Policies 

CIS Recommended:




Success and Failure


type auditpol.txt | grep "Security Group Management\|Other Account Management Events\|User Account Management\|Sensitive Privilege Use\|IPsec Driver\|Security State Change\|Security System Extension\|System Integrity\|  Logon\|Credential Validation"



Success


type auditpol.txt | grep "Computer Account Management\|Authentication Policy Change\|^  Logoff\|Special Logon\|Process Creation"



No Auditing


type auditpol.txt | grep "File System\|Handle Manipulation \|Filtering Platform Packet Drop\|Certification Services\|SAM\|Detailed File Share\|Registry\|Kernel Object\|Filtering Platform Connection\|File Share\|Application Generated\|Other Object Access Events\|Distribution Group Management\|Application Group Management\|Directory Service Access\|Directory Service Replication\|Directory Service Changes\|Detailed Directory Service Replication\|Non Sensitive Privilege Use\|Other Privilege Use Events\|Filtering Platform Policy Change\|Other Policy Change Events\|Authorization Policy Change \|MPSSVC Rule-Level Policy Change\|Other System Events\|IPsec Extended Mode\|Network Policy Server\|IPsec Main Mode\|Other Logon/Logoff Events\|Account Lockout\|IPsec Quick Mode\|Kerberos Service Ticket Operations\|Other Account Logon Events \|Kerberos Authentication Service\|Process Termination\|RPC Events\|DPAPI Activity"











Event Log Service


reg query "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Eventlog\Security"
reg query "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Eventlog\Application"
reg query "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Eventlog\System"




CIS Recommended:


Security Event Log



maxSize = Enabled:196608
retention = Disabled




Application Event Log



maxSize = Enabled:32768
retention = Disabled




System Event Log



maxSize = Enabled:32768
retention = Disabled








Firewall with Advanced Security


type firewall.txt | grep "InboundUserNotification\|LocalConSecRules\|LocalFirewallRules\|UnicastResponseToMulticast\|Firewall Policy\|State" | sort



CIS Recommended:



    

  • Display a notification 
    • 

  • Apply local connection security rules 
    • 

  • Do not allow unicast response 
    • 

  • Turn On Firewall state 
    • 

  • Apply local firewall rules 
    • 

  • Block Inbound connections 
    • 

  • Allow Outbound connections
    • 





InboundUserNotification         Enable 
LocalConSecRules                N/A (GPO-store only) #Check Manually
LocalFirewallRules              N/A (GPO-store only) #Check Manually
UnicastResponseToMulticast      Disable
Firewall Policy                 BlockInbound,AllowOutbound
State                           ON








Reference:

http://www.cygwin.com/

https://support.cloudpassage.com/hc/en-us/articles/228557507-Rule-Check-Local-Security-Policy-Setting-Windows-

https://technet.microsoft.com/en-us/library/dn221963%28v=ws.10%29.aspx






























Popular posts from this blog









Remote Desktop Protocol (RDP) Security






Image







  Common Remote Desktop Protocol (RDP) Vulnerabilities   Terminal Services Encryption Level is Medium or Low  Microsoft Windows Remote Desktop Protocol Server Man-in-the-Middle Weakness  Terminal Services Doesn't Use Network Level Authentication (NLA) Only    Terminal Services Encryption Level is Medium or Low   Vulnerability Assessment:           Host Assessment:           Remediation:     Local Computer Policy/Computer Configuration/Administrative Templates/Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security/Set client connection encryption level     Set client connection encryption level to High     Note:    High: The High setting encrypts data sent from the client to the server and from the server to the client by using strong 128-bit encryption. Use this encryption level in environments that contain only 128-bit clients (for example, clients that run Remote Desktop Connection). Clients that do not support this encryption level cannot connect to RD S...








Read more










Penetration Testing - Network






Image







    Manual Vulnerability Assessment   TCP/21: FTP   Anonymous FTP Enabled   anonymous guest     TCP/22: SSH  nmap -p 22 --script ssh2-enum-algos <ip_address>     SSH Weak Algorithms Supported    SSH Server CBC Mode Ciphers Enabled  ssh -oCiphers=<ciphers> <ip_address>   SSH Weak MAC Algorithms Enabled   ssh -oMACs=<algorithm> <ip_address>   SSH Protocol v1 Supported  ssh -1 <ip_address> -v     Hardening on SSH  Ciphers aes256-ctr,aes192-ctr,aes128-ctr MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com     TCP/23: Telnet   Unencrypted Telnet Server  telnet <ip_address> 23   TCP/25: SMTP   SMTP Service Cleartext Login Permitted  telnet <ip_address> 25 EHLO <ip_address> AUTH LOGIN    Mailserver answer to VRFY and EXPN requests  *   nc <ip_address> 25 EXPN root VRFY root     TCP/53: DNS   DNS Server Cache Snooping Remote Information Disclosure ...








Read more










Damn Vulnerable Web Services (DVWS) - Walkthrough






Image







       Installation  Damn Vulnerable Web Services  (DVWS) is an insecure web application with multiple vulnerable web service components that can be used to learn real world web service vulnerabilities.   https://github.com/snoopysecurity/dvws     WSDL Enumeration   Spider DVWS using Burp Suite and look for service.php          Requests processed by SOAP service include  check_user_information ,  owasp_apitop10 ,  population  and  return_price     XPATH Injection   User Login:  1' or '1'='1    User Password:  1' or '1'='1              Command Injection   Original Request    parameter value of name  is " find "   by default             Edited Request    change the parameter value of  name  from "find" to " dir "              Cross Site Tracing (XST)   Hint of " The NuSOAP Library service is vulnerable to a Cross-site scripting flaw " is given by DVWS. Exploit is published at exploit DB ( https://www.exploit-db.com/e...








Read more










Server Message Block (SMB) Security






Image







     Common SMB related vulnerabilities   Microsoft Windows SMBv1 Multiple Vulnerabilities  SMB Signing Disabled  Microsoft Windows SMB NULL Session Authentication  Microsoft Windows SMB Shares Unprivileged Access          Network Discovery:   TCP port 5357 - Web Services on Devices API (WSDAPI)     File and Printer Sharing:   TCP port 135 - Remote Procedure Call (RPC)  TCP port 139 - NETBIOS Session Service  TCP port 445 - Server Message Block (SMB)          By disable NetBIOS over TCP/IP (TCP Port 139), NETBIOS name discovery will be prevented       Microsoft Windows SMBv1 Multiple Vulnerabilities   Vulnerability Assessment:       NSE script smb-protocols  can be used to check if the server supported NT LM 0.12 (SMBv1) .       Host Assessment:  Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters | ForEach-Object {Get-ItemProperty $_.pspath}           Remediation:  Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters...








Read more










Offensive Security Testing Guide






Image







         This cheat sheet compiles the commands we learned to exploit vulnerable machines. However, these commands alone may not be sufficient to obtain your Offensive Security Certified Professional (OSCP) certification. So... Try Harder!      Information Gathering    Operating System   Windows  Interesting Path  "Documents and Settings"/Administrator/Desktop  file:///C:/xampp/readme_en.txt file:///C:/xampp/passwords.txt file:///C:/xampp/webdav/webdav.txt file:///C:/xampp/apache/conf/extra/httpd-dav.conf file:///C:/xampp/apache/conf/extra/httpd-xampp.conf file:///C:/xampp/apache/logs/access.log file:///C:/xampp/apache/logs/error.log file:///C:/xampp/security/webdav.htpasswd file:///C:/xampp/htdocs/dashboard/phpinfo.php file:///C:/xampp/phpmyadmin/config.inc.php file:///C:/xampp/php/logs/php_error_log file:///C:/xampp/mysql/bin/my.ini  C:\Users\<User>\AppData\Local\Temp  #Email Address C:\Users\<User>\AppData\Local\Microsoft\Outlook   Active Connection   netstat -...








Read more










Web Server Hardening - Apache Tomcat






Image







      Reference: https://tomcat.apache.org/tomcat-8.0-doc/security-howto.html     1. Remove Extraneous Resources   Removing sample resources  C:\xampp\Tomcat\webapps\docs  C:\xampp\Tomcat\webapps\examples   Removing Manager Application if not using  C:\xampp2\Tomcat\webapps\host-manager  C:\xampp2\Tomcat\webapps\manager  C:\xampp2\Tomcat\conf\Catalina\localhost\manager.xml   Disable unused Connector  C:\xampp2\tomcat\conf\server.xml   cat server.xml | grep "Connector"        2. Limit Server Platform Information Leaks   Alter the Advertised server information  Audit:  cd $CATALINA_HOME/lib jar xf catalina.jar org/apache/catalina/util/ServerInfo.properties grep server.info org/apache/catalina/util/ServerInfo.properties      Remediation:  server.info=<SomeWebServer> server.number=<someversion> server.built=     Disable X-Powered-By HTTP Header and Rename the Server Value for all Connectors  Turn off TRACE   Affected file: $CATALINA_HOME/conf/server.xml   Remediation:...








Read more










Content Page







 The Cheat Sheets offer a variety of information security cheat sheets on various security assessments and provides code to simplify testing and verification processes.     Penetration Testing    Network  CMS - WordPress  Mobile - Android  Mobile - iOS  Web Service (API) Security   Damn Vulnerable Web Services - Walkthrough     OWASP Series    2017  A1 Injection  2017  A3 Sensitive Data Exposure  2017  A4 XML External Entities (XXE)  2017 A6 Security Misconfiguration  2017 A7 Cross-Site Scripting (XSS)  2017 A8 Insecure Deserialization     Configuration Assessment   Windows  Linux  Network Device    Web Server Hardening   Apache  PHP  MySQL  SSL Security    Database Assessment   Oracle  PostgreSQL  Database Assessment Tool    Host Device Hardening   Server Message Block (SMB) Security  Remote Desktop Protocol (RDP) Security    Social Engineering    Social Engineering Testing - Phishing  Email Security     Malware   Exploitation using Shell  Post Exploitation     Physical ...








Read more










Mobile Penetration Testing - Android






Image







   Testing Environment   Android Emulator   Geny Motion: https://www.genymotion.com/fun-zone/     Android Debug Bridge (ADB)   C:\Users\<User>\AppData\Local\Android\Sdk\platform-tools   adb -s <specific device> shell #Specific Device adb -d shell #Device adb -e shell #Emulator   Basic ADB command  adb install <apk file> adb pull <location>  adb push <file> <location>    Basic Linux command   cat /proc/version #Kernel version cat /proc/cpuinfo #Processor Information ps #Processes  cat /system/etc/permissions/platform.xml #Permission and GID    Information Gathering   Retrieve APK file from Device (Recommended)  adb shell pm list packages pm path <package> adb pull <apk path>    Retrieve APK file from Internet   https://apkpure.com        To check the certificate information  keytool -printcert -file CERT.RSA #C:\Program Files\Java\jre1.8.0_131\bin\keytool.exe    Android Manifest Analysis   1. Activity, Service, Content Provider, Broadcast ...








Read more










Penetration Testing with OWASP Top 10 - 2017 A7 Cross-Site Scripting (XSS)






Image







    XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.    DOM-Based XSS  Proof of Concept   <html> <head> <title>DOM-based Cross-site Scripting</title> </head> <body> Hi, <script> var pos = document.URL.indexOf("name=")+5; //finds the position of value var userInput = document.URL.substring(pos,document.URL.length); //copy the value into userInput variable document.write(unescape(userInput));  //writes content to the webpage </script> </body> </html>       XSS Validation Bypass  <Script>alert(1)</script> <script<script>>alert(1)</script> <svg onload=...








Read more