Windows Server Security Audit

Windows Server Security Audit Software Update

The new version of XIA Configuration Server version 4.2 it is now possible to obtain a more detailed security audit of your Windows servers and workstations.

The new version includes

  • Improved documentation of local user accounts
  • Local account lockout policies
  • Local password policies
  • Local Security Options
  • Continued support for user rights assignment




Full list of Windows Local Security Options Documented

  • Accounts: Limit local account use of blank passwords to console logon only
  • Accounts: Rename administrator account
  • Accounts: Rename guest account
  • Audit: Audit the access of global system objects
  • Audit: Audit the use of Backup and Restore privilege
  • Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
  • Audit: Shut down system immediately if unable to log security audits
  • DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax
  • DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax
  • Devices: Allow undock without having to log on
  • Devices: Allowed to format and eject removable media
  • Devices: Prevent users from installing printer drivers
  • Devices: Restrict CD-ROM access to locally logged-on user only
  • Devices: Restrict floppy access to locally logged-on user only
  • Domain controller: Allow server operators to schedule tasks
  • Domain controller: LDAP server signing requirements
  • Domain controller: Refuse machine account password changes
  • Domain member: Digitally encrypt or sign secure channel data (always)
  • Domain member: Digitally encrypt secure channel data (when possible)
  • Domain member: Digitally sign secure channel data (when possible)
  • Domain member: Disable machine account password changes
  • Domain member: Maximum machine account password age
  • Domain member: Require strong (Windows 2000 or later) session key
  • Interactive logon: Display user information when the session is locked
  • Interactive logon: Do not display last user name
  • Interactive logon: Do not require CTRL+ALT+DEL
  • Interactive logon: Message text for users attempting to log on
  • Interactive logon: Message title for users attempting to log on
  • Interactive logon: Number of previous logons to cache (in case domain controller is not available)
  • Interactive logon: Prompt user to change password before expiration
  • Interactive logon: Require Domain Controller authentication to unlock workstation
  • Interactive logon: Require smart card
  • Interactive logon: Smart card removal behavior
  • Microsoft network client: Digitally sign communications (always)
  • Microsoft network client: Digitally sign communications (if server agrees)
  • Microsoft network client: Send unencrypted password to third-party SMB servers
  • Microsoft network server: Amount of idle time required before suspending session
  • Microsoft network server: Digitally sign communications (always)
  • Microsoft network server: Digitally sign communications (if client agrees)
  • Microsoft network server: Disconnect clients when logon hours expire
  • Microsoft network server: Server SPN target name validation level
  • Network access: Allow anonymous SID/Name translation
  • Network access: Do not allow anonymous enumeration of SAM accounts
  • Network access: Do not allow anonymous enumeration of SAM accounts and shares
  • Network access: Do not allow storage of passwords and credentials for network authentication
  • Network access: Let Everyone permissions apply to anonymous users
  • Network access: Named Pipes that can be accessed anonymously
  • Network access: Remotely accessible registry paths
  • Network access: Remotely accessible registry paths and sub-paths
  • Network access: Restrict anonymous access to Named Pipes and Shares
  • Network access: Shares that can be accessed anonymously
  • Network access: Sharing and security model for local accounts
  • Network security: Allow Local System to use computer identity for NTLM
  • Network security: Allow LocalSystem NULL session fallback
  • Network security: Configure encryption types allowed for Kerberos
  • Network security: Do not store LAN Manager hash value on next password change
  • Network security: Force logoff when logon hours expire
  • Network security: LAN Manager authentication level
  • Network security: LDAP client signing requirements
  • Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
  • Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
  • Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication
  • Network security: Restrict NTLM: Add server exceptions in this domain
  • Network security: Restrict NTLM: Audit Incoming NTLM Traffic
  • Network security: Restrict NTLM: Audit NTLM authentication in this domain
  • Network security: Restrict NTLM: Incoming NTLM traffic
  • Network security: Restrict NTLM: NTLM authentication in this domain
  • Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
  • Recovery console: Allow automatic administrative logon
  • Recovery console: Allow floppy copy and access to all drives and all folders
  • Shutdown: Allow system to be shut down without having to log on
  • Shutdown: Clear virtual memory pagefile
  • System cryptography: Force strong key protection for user keys stored on the computer
  • System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
  • System objects: Require case insensitivity for non-Windows subsystems
  • System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)
  • System settings: Optional subsystems
  • System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies
  • User Account Control: Admin Approval Mode for the Built-in Administrator account
  • User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop
  • User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
  • User Account Control: Behavior of the elevation prompt for standard users
  • User Account Control: Detect application installations and prompt for elevation
  • User Account Control: Only elevate executables that are signed and validated
  • User Account Control: Only elevate UIAccess applications that are installed in secure locations
  • User Account Control: Run all administrators in Admin Approval Mode
  • User Account Control: Switch to the secure desktop when prompting for elevation
  • User Account Control: Virtualize file and registry write failures to per-user locations


Windows Server Security Audit

Comments

Post a Comment

Popular posts from this blog

Windows Server 2016, 2019, 2022, Windows 10 and Windows 11: Date and time "Some settings are managed by your organization".

Image
When you're using the new "Modern" date and time settings in Windows Server 2016, 2019, 2022, Windows 10 and Windows 11 you may find that you can't set the correct date and time and the value "Some settings are managed by your organization". - While you're here - Why not check out our Windows Server Documentation and Audit Tool? The simplest way around this is to go back to the proper control panel using Start, Run, "Control.exe" and searching for "Set the date".  Within here you can set the date and time manually as required If you try and click the Change time zone button you may again get access denied... To resolve this open an elevated command prompt by right clicking the command prompt and selecting Run as Administrator  From there run the command rundll32.exe shell32.dll,Control_RunDLL timedate.cpl This will open the Data and Time control panel app elevated as an Administrator.
Read more

TFTPD32 or TFTPD64 reports Bind error 10013 An attempt was made to access a socket in a way forbidden by its access permissions.

Image
When you start the trivial FTP (TFTP) server application TFTPD32 or TDTPD64 you may see the following error Bind error 10013 An attempt was made to access a socket in a way forbidden by its access permissions. This can be because another application is using this port. The easiest way to check if (and which) application is using the port is as administrator run an elevated command prompt and enter netstat -anb > ports.txt Then open ports.txt in Notepad and search for :69, you'll quickly be able to see the process using the required port - While you're here - Why not check out our Windows Server Documentation and Audit Tool?
Read more

Enable function lock for F1-F12 on HP ZBook mobile workstations

Image
When you press the function keys on a HP ZBook mobile workstation you may find that they don't operate as expected. This is because of function lock, if you hold the fn key the function keys work as expected. You can lock the function keys on as described in this document. https://support.hp.com/gb-en/document/c02035108 However there are two things to note Firstly following a BIOS upgrade (which occurs automatically if you have the preinstalled HP software still installed) you may lose your locked function keys and have to reapply.   Secondly the HP documentation states you press the fn lock and fn keys at the same time as per the image below from the page.  While you're here - Why not check out our Windows Server Documentation and Audit Tool? This is not the case, you need to press and hold the fn key, and then tap the fn lock key to toggle function lock, not an obvious thing when you start work first thing in the morning and are hammering the function keys try
Read more