Findings (MAC III - Administrative Sensitive)

The Windows Remote Management (WinRM) service must not use Basic authentication. Basic authentication uses plain text passwords that could be used to compromise a system.

Anonymous access to Named Pipes and Shares must be restricted. Allowing anonymous access to named pipes or shares provides the potential for unauthorized system access. This setting restricts access to those defined in "Network access: Named Pipes that can …

The Windows Remote Management (WinRM) client must not use Basic authentication. As with the service setting, Basic authentication sends plain text passwords that could be used to compromise a system.

Unauthorized accounts must not have the Debug programs user right. Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Debug programs" user right can attach a debugger to any process or …

FTP servers must be configured to prevent access to the system drive. The FTP service allows remote users to access shared files and directories, which could provide access to system resources and compromise the system, especially if the user can gain access to the …

Anonymous enumeration of SAM accounts must not be allowed. Anonymous enumeration of SAM accounts allows anonymous logon users (null session connections) to list all account names, thus providing a list of potential points to attack the system.

Anonymous enumeration of shares must be restricted. Allowing anonymous logon users (null session connections) to list all account names and enumerate all shared resources can provide a map of potential points to attack the system.

Only administrators responsible for the member server must have Administrator rights on the system. An account that does not have Administrator duties must not have Administrator rights. Such rights would allow the account to bypass or modify required security restrictions on that machine and …

Permissions on the Winlogon registry key must only allow privileged accounts to change registry values. Standard user accounts must only have Read permissions to the Winlogon registry key. If standard users have these permissions, there is a potential for programs to run with …

Anonymous access to the registry must be restricted. The registry is integral to the function, security, and stability of the Windows system. Some processes may require anonymous access to the registry. This must be limited to properly protect the system.

The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM. The Kerberos v5 authentication protocol is the default for authentication of users who are logging on to domain accounts; LM and NTLMv1 responses are only a fallback, and they are far easier to crack offline or relay than NTLMv2, so the system must neither send nor accept them.
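The following audit script is an added example, not part of the STIG text, that checks the registry-backed settings behind the findings above (WinRM Basic authentication, anonymous access to named pipes and shares, anonymous SAM and share enumeration, the LanMan authentication level, the Winlogon and Winreg key ACLs, and the Debug programs user right) and reports PASS or FAIL for each. The registry paths and expected values are the well-known locations Windows uses for these policies; the choice of principals to flag in the ACL checks (BUILTIN\Users, Everyone, ANONYMOUS LOGON) and the helper names are assumptions made for this example. The FTP and Administrator-rights findings need a role-specific review and are not scripted here.

```powershell
# Added example (not STIG-provided code): audit the settings behind the findings above.
# Run from an elevated PowerShell prompt on the member server being checked.
# Paths/values are the well-known policy locations; flagged principals are an assumption.

$results = New-Object System.Collections.Generic.List[object]

function Add-Result {
    param([string]$Finding, [string]$Setting, [string]$Expected, [string]$Actual)
    $results.Add([pscustomobject]@{
        Finding  = $Finding
        Setting  = $Setting
        Expected = $Expected
        Actual   = $Actual
        Status   = if ($Actual -eq $Expected) { 'PASS' } else { 'FAIL' }
    })
}

function Test-RegValue {
    param([string]$Finding, [string]$Path, [string]$Name, [string]$Expected)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    # A missing value is reported as FAIL: the OS default is usually the weaker setting.
    $actual = if ($null -ne $item) { "$($item.$Name)" } else { '<not set>' }
    Add-Result $Finding "$Path\$Name" $Expected $actual
}

function Test-KeyAcl {
    param([string]$Finding, [string]$Path, [string[]]$Principals, [bool]$ReadAllowed)
    $acl = Get-Acl -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $acl) { Add-Result $Finding $Path 'no offending ACE' 'key missing or unreadable'; return }
    # Rights that let a principal change the key rather than merely read it.
    $writeMask = [System.Security.AccessControl.RegistryRights]'SetValue,CreateSubKey,Delete,ChangePermissions,TakeOwnership,WriteKey'
    $offending = foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $who = $rule.IdentityReference.Value
        if ($Principals -notcontains $who) { continue }
        # With $ReadAllowed the principal may hold read rights; otherwise any Allow ACE is a finding.
        if (-not $ReadAllowed -or (([int]$rule.RegistryRights -band [int]$writeMask) -ne 0)) {
            "$who=$($rule.RegistryRights)"
        }
    }
    $actual = if ($offending) { $offending -join '; ' } else { 'no offending ACE' }
    Add-Result $Finding $Path 'no offending ACE' $actual
}

function Test-DebugPrivilege {
    # secedit exports the effective local policy; SeDebugPrivilege is "Debug programs".
    $cfg = Join-Path $env:TEMP 'userrights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content -Path $cfg | Where-Object { $_ -match '^SeDebugPrivilege\s*=' } | Select-Object -First 1
    Remove-Item -Path $cfg -Force -ErrorAction SilentlyContinue
    $holders = if ($line) { ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim() } } else { @() }
    # Only the local Administrators group (well-known SID S-1-5-32-544) should hold the right.
    $extra = @($holders | Where-Object { $_ -and $_ -ne '*S-1-5-32-544' })
    $actual = if ($extra.Count) { $extra -join ',' } else { 'no unauthorized holders' }
    Add-Result 'Debug programs user right' 'SeDebugPrivilege' 'no unauthorized holders' $actual
}

$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$winrm = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM'

Test-RegValue 'WinRM service: no Basic auth'        "$winrm\Service" 'AllowBasic'             '0'
Test-RegValue 'WinRM client: no Basic auth'         "$winrm\Client"  'AllowBasic'             '0'
Test-RegValue 'Anonymous access to pipes/shares'    $srv             'RestrictNullSessAccess' '1'
Test-RegValue 'Anonymous enumeration of SAM accts'  $lsa             'RestrictAnonymousSAM'   '1'
Test-RegValue 'Anonymous enumeration of shares'     $lsa             'RestrictAnonymous'      '1'
Test-RegValue 'LanMan auth level (NTLMv2 only)'     $lsa             'LmCompatibilityLevel'   '5'
Test-KeyAcl 'Winlogon key: Users read-only' 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' @('BUILTIN\Users') $true
Test-KeyAcl 'Anonymous access to registry' 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg' @('Everyone', 'NT AUTHORITY\ANONYMOUS LOGON', 'BUILTIN\Users') $false
Test-DebugPrivilege

$results | Format-Table -AutoSize
if ($results.Status -contains 'FAIL') { exit 1 }
```

LmCompatibilityLevel 5 is the value behind "Send NTLMv2 response only. Refuse LM & NTLM"; RestrictAnonymous and RestrictAnonymousSAM set to 1 are the registry backing of the two anonymous-enumeration policies; RestrictNullSessAccess 1 enforces the named-pipes and shares restriction; AllowBasic 0 under the WinRM Client and Service policy keys disables Basic authentication on each side. The script treats an absent value as a failure on purpose, because most of these settings default to the permissive behaviour when unset, and it exits non-zero on any FAIL so it can be used as a gate in a build pipeline.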
December 2022