Workstation Differential Report
Report Date: 10/16/98 16:35:41

First Scan:
Scan Date: 10/14/98 11:46:53
Completion Status:

Second Scan:
Scan Date: 10/14/98 11:21:06
Completion Status:
Report Description:
This report compares the security vulnerabilities detected on the workstation in two different scans. Vulnerabilities are classified as High, Medium, or Low severity. High risk vulnerabilities are those which provide unauthorized access to the workstation. Medium risk vulnerabilities are those which provide access to sensitive data on the workstation and which may lead to the exploitation of higher risk vulnerabilities. Low risk vulnerabilities are those which provide access to potentially sensitive information.
You can use the links below to go directly to the specified section of the report.
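The comparison the report describes, as an added example (not code from the report or from the scanner vendor): two result sets are split into the sections that follow, findings in the first scan only, in the second scan only, and in both, each ordered from High to Low. The sample scan contents are constructed for illustration; only the check names and instance details are taken from this report. The point worth noticing is the identity key: a finding is the check name plus its instance detail, otherwise every "DCOM RunAs Value Altered" entry would collapse into one and the report could not say which AppID appeared or disappeared.

```python
"""Differential of two scan result sets, in the three sections this report uses."""
from typing import Dict, Iterable, List, NamedTuple, Tuple

SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2}   # sections list High to Low


class Finding(NamedTuple):
    vulnerability: str     # check name, e.g. "DCOM RunAs Value Altered"
    severity: str          # "High", "Medium" or "Low"
    additional_info: str   # instance detail: the AppID, registry path or file


def finding_key(f: Finding) -> Tuple[str, str]:
    # Identity is check name plus instance detail. Keying on the name alone
    # would fold every "DCOM RunAs Value Altered" finding into one and hide
    # which AppIDs appeared or disappeared between the scans.
    return (f.vulnerability, f.additional_info)


def ordered(findings: Iterable[Finding]) -> List[Finding]:
    """Sort High to Low, then by check name and instance for a stable listing."""
    return sorted(findings,
                  key=lambda f: (SEVERITY_RANK[f.severity], f.vulnerability, f.additional_info))


def differential(first: Iterable[Finding], second: Iterable[Finding]) -> Dict[str, List[Finding]]:
    """Split findings into first-only, second-only and both, each ordered."""
    a = {finding_key(f): f for f in first}
    b = {finding_key(f): f for f in second}
    return {
        "first_only": ordered(a[k] for k in a.keys() - b.keys()),
        "second_only": ordered(b[k] for k in b.keys() - a.keys()),
        "both": ordered(a[k] for k in a.keys() & b.keys()),
    }


def severity_counts(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per severity level, always reporting all three levels."""
    counts = {level: 0 for level in SEVERITY_RANK}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample data for two scans: check names and instance details are
# taken from the report, the membership of each scan is made up for illustration.
FIRST_SCAN = [
    Finding("Windows Key with Incorrect Permissions", "High",
            r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    Finding("DCOM RunAs Value Altered", "Medium", "{94751E23-27E6-11D2-96FD-00104B6A7B04}"),
    Finding("DCOM RunAs Value Altered", "Medium", "{3BFFE820-0900-11d0-BE0A-00A0C90A6BEE}"),
    Finding("Bad File Version Vulnerability", "Medium", r"C:\WINNT\system32\rpcrt4.dll"),
]
SECOND_SCAN = [
    Finding("Windows Key with Incorrect Permissions", "High",
            r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    Finding("DCOM RunAs Value Altered", "Medium", "{94751E23-27E6-11D2-96FD-00104B6A7B04}"),
    Finding("Bad File Version Vulnerability", "Medium", r"C:\WINNT\system32\rpcrt4.dll"),
    Finding("The Java Script patch is not applied", "High", r"C:\WINNT\System32\jscript.dll"),
]

if __name__ == "__main__":
    for section, findings in differential(FIRST_SCAN, SECOND_SCAN).items():
        print("%s: %s" % (section, severity_counts(findings)))
        for f in findings:
            print("  [%s] %s | %s" % (f.severity, f.vulnerability, f.additional_info))
```

With the sample data the first-only section holds the one AppID that dropped out, the second-only section holds the new JScript finding, and the remaining three land in the "both" section with the High entry first.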
Vulnerabilities in First Scan Only (from High to Low severity) | Vulnerabilities in Second Scan Only (from High to Low severity)
Vulnerability: The Java Script patch is not applied
Severity: High
Description: The JScript scripting patch is not applied, so any web page the workstation visits can trigger the flaw. Microsoft Internet Explorer 4.0, 4.01 and 4.01 SP1 use the JScript Scripting Engine version 3.1 to process scripts on a web page. When Internet Explorer encounters a web page whose JScript code invokes the Window.External function with a very long string, Internet Explorer or Windows 98 could terminate.
Fix: Apply the scripting patch, or disable Active Scripting in the "Restricted sites" and "Internet" zones.
Apply the scripting patch as follows:
1. Open Netscape Navigator or Internet Explorer.
2. Enter this URL: http://www.microsoft.com/msdownload/vbscript/scripting.asp
3. Download the scr31en.exe patch (700K).
4. Once the download is complete, execute the scr31en.exe file.
Disable Active Scripting as follows:
1. Open Internet Explorer 4.x.
2. From the View menu, choose Internet Options.
3. Click the Security tab.
4. Under Internet Zone, click Custom (for expert users).
5. Click Settings.
6. Under Scripting, navigate to Active scripting.
7. Click Disable.
8. Click OK.
9. Repeat steps 4 to 8 for the Restricted sites zone.
Disabling scripting is a workaround, not a fix: the vulnerable jscript.dll stays on the machine and the setting is per user, so every profile on the workstation has to be changed. Apply the patch and confirm the file named under Additional Info was replaced.
More Information:
Microsoft security bulletins: http://www.microsoft.com/security/bulletin.htm, http://www.microsoft.com/security/bulletins/ms98-011.htm, http://www.microsoft.com/ie/security/jscript.htm
Microsoft Knowledge Base (KB) article Q191200: http://support.microsoft.com/support/kb/articles/q191/2/00.asp
Windows Update Site: http://windowsupdate.microsoft.com
Additional Info: C:\WINNT\System32\jscript.dll
Vulnerability: DCOM RunAs Value Altered
Severity: Medium
Description: A RunAs value is present under the AppID key of a DCOM server. By default a DCOM server is launched in the security context of the user who activates it (the launching user). If a RunAs value has been added under the server's AppID key, the server is launched instead as the currently logged-on user (RunAs = "Interactive User") or as a named account. If this ability is not controlled very carefully, it could give a network user the ability to execute arbitrary code under another user's context.
Fix: Remove the RunAs value to restore the launching user's context. Remove the RunAs value as follows:
1. From the Start menu, choose Run.
2. Type regedt32 and click OK. This opens the Registry Editor.
3. Navigate to HKEY_LOCAL_MACHINE\Software\Classes\AppID.
4. Locate the subkey named under Additional Info (an AppID GUID, or an executable-name subkey that maps to one) and select its RunAs value.
5. Remove the RunAs value.
Check first which component the AppID belongs to and whether its vendor requires RunAs: a server that must run on the logged-on user's desktop (Interactive User) can stop working when it is launched as the activating user instead. Where the setting has to stay, limit who can reach the server through the AppID's LaunchPermission and AccessPermission values (set with dcomcnfg) so that only the intended accounts can activate and call it.
Additional Info: the RunAs value was found under each of the following AppID subkeys, one finding per subkey:
{94751E23-27E6-11D2-96FD-00104B6A7B04}
{94751E25-27E6-11D2-96FD-00104B6A7B04}
{94751E27-27E6-11D2-96FD-00104B6A7B04}
{94751E29-27E6-11D2-96FD-00104B6A7B04}
{99169CB0-A707-11d0-989D-00C04FD919C1}
{94751E26-27E6-11D2-96FD-00104B6A7B04}
mdm
{0C66DFD9-D523-11CF-A3EF-143AB8000000}
{275D9D50-5FF5-11CF-A5E1-00AA006BBF16}
{3BFFE820-0900-11d0-BE0A-00A0C90A6BEE}
{3D14228C-FBE1-11d0-995D-00C04FD919C1}
{5CB66670-D3D4-11CF-ACAB-00A024A55AEF}
{182C40F0-32E4-11D0-818B-00A0C9231C29}
{7999FC25-D3C6-11CF-ACAB-00A024A55AEF}
{ADA44581-02C1-11D1-804A-0000F8036614}
{B1CE7318-848F-11D0-8D13-00C04FC2E0C7}
{CBD759F3-76AA-11CF-BE3A-00AA00A2FA25}
{D97A6DA1-9C1C-11D0-9C3C-00A0C922E764}
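The two registry-based checks in this section, the RunAs values under HKEY_LOCAL_MACHINE\Software\Classes\AppID and the Active scripting setting of the Internet Explorer zones, can be reproduced offline against a registry export. The following is an added example, not code from the report or from the scanner vendor. It assumes an export in REGEDIT4 format such as regedit /e produces, that the IE zone policy value named 1400 holds the Active scripting setting (0 enable, 1 prompt, 3 disable) under zone 3 (Internet) and zone 4 (Restricted sites), and that the sample export below is constructed: the AppIDs reuse GUIDs from this report, the account name is invented, and the values do not describe the scanned workstation.

```python
"""Audit a registry export (.reg) for RunAs values under the AppID key and for the
Active scripting setting of the IE Internet and Restricted sites zones."""
import re
from typing import Dict

APPID_KEY = r"HKEY_LOCAL_MACHINE\Software\Classes\AppID"
ZONES_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
ACTIVE_SCRIPTING = "1400"                  # zone policy value for "Active scripting"
ZONES_TO_CHECK = {"3": "Internet", "4": "Restricted sites"}
SCRIPT_SETTING = {0: "Enable", 1: "Prompt", 3: "Disable"}

# Constructed sample export (REGEDIT4 format). Not data from the scanned machine:
# the AppID GUIDs are reused from the report, the account name is invented.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Classes\AppID\{94751E23-27E6-11D2-96FD-00104B6A7B04}]
@="Sample server A"
"RunAs"="Interactive User"

[HKEY_LOCAL_MACHINE\Software\Classes\AppID\{5CB66670-D3D4-11CF-ACAB-00A024A55AEF}]
@="Sample server B"
"RunAs"="EXAMPLE\\svcaccount"

[HKEY_LOCAL_MACHINE\Software\Classes\AppID\{0C0A3666-30C9-11D0-8F20-00805F2CD064}]
@="Sample server C"
"LaunchPermission"=hex:01,00,04,80,\
  00,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1400"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"DisplayName"="Restricted sites"
"1400"=dword:00000003
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unquote(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s[1:-1])       # drop the quotes, undo \" and \\


def _decode(v: str):
    if v.startswith('"'):
        return _unquote(v)
    if v.lower().startswith("dword:"):
        return int(v[6:], 16)
    return v                                       # hex:... data is kept raw


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Return {key path: {value name: value}} for a .reg export."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):                    # hex data continues on the next line
            pending = line[:-1]
            continue
        if (not line or line.startswith(";") or line.upper().startswith("REGEDIT")
                or line.startswith("Windows Registry Editor")):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unquote(m.group(1))
            keys[current][name] = _decode(m.group(2))
    return keys


def _subkey_values(keys: Dict[str, Dict[str, object]], path: str) -> Dict[str, object]:
    path = path.lower()                            # registry paths are case-insensitive
    return next((v for k, v in keys.items() if k.lower() == path), {})


def find_runas(keys: Dict[str, Dict[str, object]]) -> Dict[str, str]:
    """Map every AppID subkey carrying a RunAs value to that value."""
    prefix = APPID_KEY.lower() + "\\"
    found = {}
    for key, values in keys.items():
        if not key.lower().startswith(prefix):
            continue
        for name, value in values.items():
            if name.lower() == "runas":
                found[key[len(prefix):]] = str(value)
    return found


def active_scripting(keys: Dict[str, Dict[str, object]]) -> Dict[str, str]:
    """Resolve the Active scripting setting of the Internet and Restricted sites zones."""
    result = {}
    for zone_id, zone_name in ZONES_TO_CHECK.items():
        raw = _subkey_values(keys, ZONES_KEY + "\\" + zone_id).get(ACTIVE_SCRIPTING)
        result[zone_name] = "not set" if raw is None else SCRIPT_SETTING.get(raw, "unknown (%r)" % (raw,))
    return result


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for appid, runas in sorted(find_runas(parsed).items()):
        print("RunAs set on AppID %s -> %s" % (appid, runas))
    for zone, setting in active_scripting(parsed).items():
        print("Active scripting in %s zone: %s" % (zone, setting))
```

On the sample, two of the three AppIDs carry a RunAs value and the Internet zone still has Active scripting enabled while Restricted sites has it disabled. An AppID export taken before and after the fix can be diffed the same way to confirm the RunAs values are gone; the zone settings live under HKEY_CURRENT_USER, so they have to be exported from each user profile.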
Vulnerabilities in Both Scans (from High to Low severity)
Vulnerability: Windows Key with Incorrect Permissions
Severity: High
Description: The HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion key is set to allow any user to modify its subkeys. This allows members of the "Everyone" group to create an entry under the Run and RunOnce keys that names a program to run when a user logs on; the program then runs in the context of whoever logs on next, including an administrator.
Fix: Set the registry permissions so that the Everyone group has only read access to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion and its subkeys, while Administrators and SYSTEM keep full control. Set permissions as follows:
1. From the Start menu, choose Run.
2. Type regedt32 and click OK. This opens the Registry Editor.
3. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion.
4. From the Security menu, choose Permissions.
5. Allow only Read access to the Everyone group and apply the change to the existing subkeys (Replace Permission on Existing Subkeys).
Tightening the ACL does not remove an entry that has already been planted: review the contents of the Run and RunOnce keys before and after the change.
Additional Info: Software\Microsoft\Windows\CurrentVersion\RunOnce
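A way to verify the permission fix from a key's DACL rather than by eye, as an added example that is not part of the report or of the scanner: the key's security descriptor is taken in SDDL form (on a current Windows host, (Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion').Sddl; the NT 4 regedt32 dialog shows the same ACL graphically) and each ACE for Everyone is resolved into an access mask, so that any right that can change the key, its values or its ACL is reported. The SDDL strings below are constructed to illustrate the weak and corrected ACL, and the rights constants are the winnt.h values. The check looks only at the SID it is asked about; an ACE for Users or Authenticated Users that grants write access would have to be checked with that SID as well.

```python
"""Resolve a registry key's DACL (SDDL) and list the write-capable rights it grants a SID."""
import re
from typing import List, Tuple

EVERYONE = "WD"               # SDDL alias for the Everyone group (S-1-1-0)

# Registry, standard and generic access rights (winnt.h values)
KEY_QUERY_VALUE, KEY_SET_VALUE, KEY_CREATE_SUB_KEY = 0x0001, 0x0002, 0x0004
KEY_ENUMERATE_SUB_KEYS, KEY_NOTIFY, KEY_CREATE_LINK = 0x0008, 0x0010, 0x0020
DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER = 0x10000, 0x20000, 0x40000, 0x80000
GENERIC_ALL, GENERIC_EXECUTE = 0x10000000, 0x20000000
GENERIC_WRITE, GENERIC_READ = 0x40000000, 0x80000000
KEY_READ = READ_CONTROL | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY   # 0x20019
KEY_WRITE = READ_CONTROL | KEY_SET_VALUE | KEY_CREATE_SUB_KEY                     # 0x20006
KEY_ALL_ACCESS = 0xF003F

# Two-letter rights tokens that SDDL uses in place of a hex mask
RIGHT_TOKENS = {
    "KA": KEY_ALL_ACCESS, "KR": KEY_READ, "KW": KEY_WRITE, "KX": KEY_READ,
    "GA": GENERIC_ALL, "GX": GENERIC_EXECUTE, "GW": GENERIC_WRITE, "GR": GENERIC_READ,
    "RC": READ_CONTROL, "SD": DELETE, "WD": WRITE_DAC, "WO": WRITE_OWNER,
    # object-specific low bits; on a key they coincide with the KEY_* rights above
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10,
    "WP": 0x20, "DT": 0x40, "LO": 0x80, "CR": 0x100,
}

# Any of these lets the holder change the key, its values or its ACL
WRITE_RIGHTS = [
    (KEY_SET_VALUE, "KEY_SET_VALUE"), (KEY_CREATE_SUB_KEY, "KEY_CREATE_SUB_KEY"),
    (KEY_CREATE_LINK, "KEY_CREATE_LINK"), (DELETE, "DELETE"),
    (WRITE_DAC, "WRITE_DAC"), (WRITE_OWNER, "WRITE_OWNER"),
    (GENERIC_WRITE, "GENERIC_WRITE"), (GENERIC_ALL, "GENERIC_ALL"),
]

# Constructed examples: the weak ACL gives Everyone KEY_READ plus set-value and
# create-subkey (0x2001f); the corrected one gives Everyone KEY_READ only.
WEAK_SDDL = "O:BAG:SYD:(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CI;0x2001f;;;WD)"
FIXED_SDDL = "O:BAG:SYD:(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CI;KR;;;WD)"


def parse_rights(field: str) -> int:
    """Turn the rights field of an ACE (hex mask or token string) into an access mask."""
    field = field.strip()
    if not field:
        return 0
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        token = field[i:i + 2]
        if token not in RIGHT_TOKENS:
            raise ValueError("unknown SDDL right %r" % token)
        mask |= RIGHT_TOKENS[token]
    return mask


def parse_dacl(sddl: str) -> List[Tuple[str, List[str], int, str]]:
    """Return (ace type, flags, access mask, sid) for each ACE in the DACL, in order."""
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("no DACL in SDDL string")
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", m.group(2)):
        parts = ace.split(";")
        if len(parts) != 6:
            raise ValueError("malformed ACE %r" % ace)
        ace_type, flags, rights, _obj, _inherit_obj, sid = parts
        aces.append((ace_type, [flags[i:i + 2] for i in range(0, len(flags), 2)],
                     parse_rights(rights), sid))
    return aces


def write_rights(sddl: str, sid: str = EVERYONE) -> List[str]:
    """Names of write-capable rights the DACL effectively allows `sid` on the key itself."""
    denied = 0
    allowed = 0
    for ace_type, flags, mask, ace_sid in parse_dacl(sddl):
        if ace_sid != sid or "IO" in flags:      # inherit-only ACEs apply to subkeys only
            continue
        if ace_type == "D":                       # denies are evaluated in order, before later allows
            denied |= mask
        elif ace_type == "A":
            allowed |= mask & ~denied
    return [name for bit, name in WRITE_RIGHTS if allowed & bit]


def everyone_is_read_only(sddl: str) -> bool:
    return not write_rights(sddl, EVERYONE)


if __name__ == "__main__":
    for label, sddl in (("weak", WEAK_SDDL), ("fixed", FIXED_SDDL)):
        print("%s: Everyone may %s" % (label, write_rights(sddl) or ["read only"]))
```

The weak descriptor reports KEY_SET_VALUE and KEY_CREATE_SUB_KEY for Everyone, which is exactly what is needed to plant a Run or RunOnce entry; the corrected descriptor reports nothing. Because Windows stops at the first matching deny, a deny ACE placed before an allow is subtracted before the allow is counted, and a deny of KW alone still leaves DELETE and WRITE_DAC if a later ACE grants KA.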
Vulnerability: Bad File Version Vulnerability
Severity: Medium
Description: This vulnerability is raised when the S3 for Windows generic file version checker detects a file that is not current.
Fix: Install a patch or upgrade from the vendor of the outdated file. There may be a workaround. Compare the file's version (right-click the file, Properties, Version tab) with the version shipped in the vendor's current patch before and after installing it.
Additional Info: C:\Program Files\Microsoft Office\Office\Winword.exe

Vulnerability: Bad File Version Vulnerability
Severity: Medium
Description: This vulnerability is raised when the S3 for Windows generic file version checker detects a file that is not current.
Fix: Install a patch or upgrade from the vendor of the outdated file. There may be a workaround.
Additional Info: C:\WINNT\system32\rpcrt4.dll
Vulnerability: DCOM RunAs Value Altered
Severity: Medium
Description: A RunAs value is present under the AppID key of a DCOM server. By default a DCOM server is launched in the security context of the user who activates it (the launching user). If a RunAs value has been added under the server's AppID key, the server is launched instead as the currently logged-on user (RunAs = "Interactive User") or as a named account. If this ability is not controlled very carefully, it could give a network user the ability to execute arbitrary code under another user's context.
Fix: Remove the RunAs value to restore the launching user's context. Remove the RunAs value as follows:
1. From the Start menu, choose Run.
2. Type regedt32 and click OK. This opens the Registry Editor.
3. Navigate to HKEY_LOCAL_MACHINE\Software\Classes\AppID.
4. Locate the subkey named under Additional Info (an AppID GUID, or an executable-name subkey that maps to one) and select its RunAs value.
5. Remove the RunAs value.
Check first which component the AppID belongs to and whether its vendor requires RunAs: a server that must run on the logged-on user's desktop (Interactive User) can stop working when it is launched as the activating user instead. Where the setting has to stay, limit who can reach the server through the AppID's LaunchPermission and AccessPermission values (set with dcomcnfg) so that only the intended accounts can activate and call it.
Additional Info: the RunAs value was found in both scans under each of the following AppID subkeys, one finding per subkey:
{94751E27-27E6-11D2-96FD-00104B6A7B04}
mdm
{94751E23-27E6-11D2-96FD-00104B6A7B04}
{94751E25-27E6-11D2-96FD-00104B6A7B04}
{94751E26-27E6-11D2-96FD-00104B6A7B04}
{7999FC25-D3C6-11CF-ACAB-00A024A55AEF}
{94751E29-27E6-11D2-96FD-00104B6A7B04}
{99169CB0-A707-11d0-989D-00C04FD919C1}
{275D9D50-5FF5-11CF-A5E1-00AA006BBF16}
{0C0A3666-30C9-11D0-8F20-00805F2CD064}
{0C66DFD9-D523-11CF-A3EF-143AB8000000}
{182C40F0-32E4-11D0-818B-00A0C9231C29}
{5CB66670-D3D4-11CF-ACAB-00A024A55AEF}
Vulnerability: | DCOM RunAs Value Altered | Severity: Medium | | Description: | The DCOM RunAs Value was found to be altered. DCOM calls are executed under the security context of the calling user by default. If the RunAs key has been altered, the DCOM calls can be executed under the user context of the currently logged in user, or as a third user. If this ability is not controlled very carefully, it could provide a network user with the ability to execute arbitrary code under another user context. | | Fix: | Remove the RunAs value to restore the user context to that of the calling user. Remove the RunAs value as follows: - 1. From the Start menu, choose Run.
- 2. Type regedt32 and click OK. This opens the Registry Editor.
- 3. Navigate to HKEY_LOCAL_MACHINE\Software\Classes\AppID.
- 4. Locate the subkey which has had the RunAs value inserted.
- 5. Remove the RunAs value.
| | Additional Info: | Microsoft Script Debugger | | |
Vulnerability: | DCOM RunAs Value Altered | Severity: Medium | | Description: | The DCOM RunAs Value was found to be altered. DCOM calls are executed under the security context of the calling user by default. If the RunAs key has been altered, the DCOM calls can be executed under the user context of the currently logged in user, or as a third user. If this ability is not controlled very carefully, it could provide a network user with the ability to execute arbitrary code under another user context. | | Fix: | Remove the RunAs value to restore the user context to that of the calling user. Remove the RunAs value as follows: - 1. From the Start menu, choose Run.
- 2. Type regedt32 and click OK. This opens the Registry Editor.
- 3. Navigate to HKEY_LOCAL_MACHINE\Software\Classes\AppID.
- 4. Locate the subkey which has had the RunAs value inserted.
- 5. Remove the RunAs value.
| | Additional Info: | {3BFFE820-0900-11d0-BE0A-00A0C90A6BEE} | | |
Vulnerability: | DCOM RunAs Value Altered | Severity: Medium | | Description: | The DCOM RunAs Value was found to be altered. DCOM calls are executed under the security context of the calling user by default. If the RunAs key has been altered, the DCOM calls can be executed under the user context of the currently logged in user, or as a third user. If this ability is not controlled very carefully, it could provide a network user with the ability to execute arbitrary code under another user context. | | Fix: | Remove the RunAs value to restore the user context to that of the calling user. Remove the RunAs value as follows: - 1. From the Start menu, choose Run.
- 2. Type regedt32 and click OK. This opens the Registry Editor.
- 3. Navigate to HKEY_LOCAL_MACHINE\Software\Classes\AppID.
- 4. Locate the subkey which has had the RunAs value inserted.
- 5. Remove the RunAs value.
| | Additional Info: | {3D14228C-FBE1-11d0-995D-00C04FD919C1} | | |
Vulnerability: | DCOM RunAs Value Altered | Severity: Medium | | Description: | The DCOM RunAs Value was found to be altered. DCOM calls are executed under the security context of the calling user by default. If the RunAs key has been altered, the DCOM calls can be executed under the user context of the currently logged in user, or as a third user. If this ability is not controlled very carefully, it could provide a network user with the ability to execute arbitrary code under another user context. | | Fix: | Remove the RunAs value to restore the user context to that of the calling user. Remove the RunAs value as follows: - 1. From the Start menu, choose Run.
- 2. Type regedt32 and click OK. This opens the Registry Editor.
- 3. Navigate to HKEY_LOCAL_MACHINE\Software\Classes\AppID.
- 4. Locate the subkey which has had the RunAs value inserted.
- 5. Remove the RunAs value.
| | Additional Info: | {9209B1A6-964A-11D0-9372-00A0C9034910} | | |
Vulnerability: | DCOM RunAs Value Altered | Severity: Medium | | Description: | The DCOM RunAs Value was found to be altered. DCOM calls are executed under the security context of the calling user by default. If the RunAs key has been altered, the DCOM calls can be executed under the user context of the currently logged in user, or as a third user. If this ability is not controlled very carefully, it could provide a network user with the ability to execute arbitrary code under another user context. | | Fix: | Remove the RunAs value to restore the user context to that of the calling user. Remove the RunAs value as follows: - 1. From the Start menu, choose Run.
- 2. Type regedt32 and click OK. This opens the Registry Editor.
- 3. Navigate to HKEY_LOCAL_MACHINE\Software\Classes\AppID.
- 4. Locate the subkey which has had the RunAs value inserted.
- 5. Remove the RunAs value.
| | Additional Info: | {ADA44581-02C1-11D1-804A-0000F8036614} | | |
Vulnerability: | DCOM RunAs Value Altered | Severity: Medium | | Description: | The DCOM RunAs Value was found to be altered. DCOM calls are executed under the security context of the calling user by default. If the RunAs key has been altered, the DCOM calls can be executed under the user context of the currently logged in user, or as a third user. If this ability is not controlled very carefully, it could provide a network user with the ability to execute arbitrary code under another user context. | | Fix: | Remove the RunAs value to restore the user context to that of the calling user. Remove the RunAs value as follows: - 1. From the Start menu, choose Run.
- 2. Type regedt32 and click OK. This opens the Registry Editor.
- 3. Navigate to HKEY_LOCAL_MACHINE\Software\Classes\AppID.
- 4. Locate the subkey which has had the RunAs value inserted.
- 5. Remove the RunAs value.
| | Additional Info: | {B1CE7318-848F-11D0-8D13-00C04FC2E0C7} | | |
Vulnerability: | DCOM RunAs Value Altered | Severity: Medium | | Description: | The DCOM RunAs Value was found to be altered. DCOM calls are executed under the security context of the calling user by default. If the RunAs key has been altered, the DCOM calls can be executed under the user context of the currently logged in user, or as a third user. If this ability is not controlled very carefully, it could provide a network user with the ability to execute arbitrary code under another user context. | | Fix: | Remove the RunAs value to restore the user context to that of the calling user. Remove the RunAs value as follows: - 1. From the Start menu, choose Run.
- 2. Type regedt32 and click OK. This opens the Registry Editor.
- 3. Navigate to HKEY_LOCAL_MACHINE\Software\Classes\AppID.
- 4. Locate the subkey which has had the RunAs value inserted.
- 5. Remove the RunAs value.
| | Additional Info: | {CBD759F3-76AA-11CF-BE3A-00AA00A2FA25} | | |
Vulnerability: | DCOM RunAs Value Altered | Severity: Medium | | Description: | The DCOM RunAs Value was found to be altered. DCOM calls are executed under the security context of the calling user by default. If the RunAs key has been altered, the DCOM calls can be executed under the user context of the currently logged in user, or as a third user. If this ability is not controlled very carefully, it could provide a network user with the ability to execute arbitrary code under another user context. | | Fix: | Remove the RunAs value to restore the user context to that of the calling user. Remove the RunAs value as follows: - 1. From the Start menu, choose Run.
- 2. Type regedt32 and click OK. This opens the Registry Editor.
- 3. Navigate to HKEY_LOCAL_MACHINE\Software\Classes\AppID.
- 4. Locate the subkey which has had the RunAs value inserted.
- 5. Remove the RunAs value.
| | Additional Info: | {D97A6DA1-9C1C-11D0-9C3C-00A0C922E764} | | |
Vulnerability: | DCOM RunAs Value Altered | Severity: Medium | | Description: | The DCOM RunAs Value was found to be altered. DCOM calls are executed under the security context of the calling user by default. If the RunAs key has been altered, the DCOM calls can be executed under the user context of the currently logged in user, or as a third user. If this ability is not controlled very carefully, it could provide a network user with the ability to execute arbitrary code under another user context. | | Fix: | Remove the RunAs value to restore the user context to that of the calling user. Remove the RunAs value as follows: - 1. From the Start menu, choose Run.
- 2. Type regedt32 and click OK. This opens the Registry Editor.
- 3. Navigate to HKEY_LOCAL_MACHINE\Software\Classes\AppID.
- 4. Locate the subkey which has had the RunAs value inserted.
- 5. Remove the RunAs value.
| | Additional Info: | {A87F84D0-7A74-11D0-B216-080000185165} | | |
Vulnerability: | Regedit Is Associated With .reg Files | Severity: Medium | | Description: | Regedit.exe was found associated with registry files. | | Fix: | Remove NOTEPAD association from the NT registry. Remove the association as follows: - 1. From the Start menu, choose Run.
- 2. Type regedt32 and click OK. This opens the Registry Editor.
- 3. Navigate to HKEY_LOCAL_MACHINE\Software\Classes\regfile\shell\open\command.
- 4. Edit your key value name to remove the notepad association.
| | Additional Info: | | | |
Vulnerability: | Regfile Associations Can Be Changed By Non-Admins | Severity: Medium | | Description: | Improper permissions were found on the registry key valuename specifying a command association with registry files. | | Fix: | Restrict non-Administrators write access for the command key in the NT registry. Restrict access as follows: - 1. From the Start menu, choose Run.
- 2. Type regedt32 and click OK. This opens the Registry Editor.
- 3. Navigate to HKEY_LOCAL_MACHINE\Software\Classes\regfile\shell\open\command.
- 4. From the Security menu, choose Permissions.
- 5. Restrict non-Administrators write access.
| | Additional Info: | | | |
Vulnerability: | Registry Access Allowed For All Users | Severity: Medium | | Description: | The winreg key was found to be vulnerable. The permissions on the SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg key control remote access to the registry. If the 'everyone' group is not allowed access, null session access to the registry can be prevented. If this key is not present, remote access to the registry is not controlled, and if Service Pack 3 has also not been applied, non-authenticated users can write registry keys. | | Fix: | Apply the patch and Service Pack 3 and modify the registry for RestrictAnonymous. Apply SP3 as follows: - 1. From the Start menu, choose Run.
- 2. Type ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/ and click OK.
- 3. Choose the desired country abbreviation.
- 4. Choose nt40/.
- 5. Choose ussp3/ or sp3/.
- 6. Choose i386/nt4sp3_1.exe for an Intel processor or ALPHA/nt4sp3_a.exe for an Alpha processor.
Restrict registry access as follows: - 1. From the Start menu, choose Run.
- 2. Type regedt32 and click OK. This opens the Registry Editor.
- 3. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg.
- 4. From the Security menu, choose Permissions.
- 5. Restrict access for Everyone.
| | Additional Info: | | | |
Vulnerability: | Scheduler Key Has Incorrect Permissions | Severity: Medium | | Description: | The HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Schedule key controls the schedule service. Server Operators have permission to write to this registry tree, which would allow them to manually schedule jobs to be run by the schedule service, which normally executes under the system user context. This can be used to raise the Server Operator's access level to Administrator. | | Fix: | Remove Server operator write access to the schedule key in the NT registry. Remove write access as follows: - 1. From the Start menu, choose Run.
- 2. Type regedt32 and click OK. This opens the Registry Editor.
- 3. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Schedule.
- 4. From the Security menu, choose Permissions.
- 5. Remove Server Operator write access.
| | Additional Info: | | | |
Vulnerability: | URL Security Zone Active X execution | Severity: Medium | | Description: | Allows ActiveX controls and plug-ins to be launched from the URL security zone of the HTML page that contains the control. | | Fix: | Disable 'Run Active X controls and Plug-ins' on IE 4.x. Disable 'Run Active X controls and Plug-ins' as follows: - 1. Open Internet Explorer 4.x.
- 2. From the View menu, choose Internet Options.
- 3. Click the Security tab.
- 4. Under Internet Zone, click Custom (for expert users).
- 5. Click Settings.
- 6. Under ActiveX Controls and plugins, navigate to Run Active X controls and Plug-ins.
- 7. Click Disable.
- 8. Click OK.
| | Additional Info: | Internet zone | | |
Vulnerability: | Winlogon Key Has Incorrect Permissions | Severity: Medium | | Description: | The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon key has two values which can be used to cause a process to execute either at system bootup or when a user logs on. The programs pointed to by the System value run under the system user context after boot, and could be used to change a user's rights or access level. The UserInit value runs applications when a user logs in. The default settings for this key allow Server Operators to write these values, either of which could be used to raise a Server Operator's access level to Administrator. | | Fix: | Remove Server Operator write access to the winlogon key. Remove write access as follows: - 1. From the Start menu, choose Run.
- 2. Type regedt32 and click OK. This opens the Registry Editor.
- 3. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
- 4. From the Security menu, choose Permissions.
- 5. Remove Server Operator write access.
| | Additional Info: | | | |
Vulnerability: | A user's password never expires | Severity: Low | | Description: | A user's password never expires. If there is no expiration, and the password is cracked, it is never changed. This is a risk because it allows unauthorized access to your system to appear as authorized access. | | Fix: | Set the user's password to expire in 42 days. Set the user's password as follows: - 1. From the Start menu, choose Programs, Administrative Tools (Common), User Manager.
- 2. Select the account.
- 3. From the Policies menu, choose User's Rights.
- 4. Under Minimum Password Age, set the value to 42 days.
| | Additional Info: | IWAM_SAMCURE! | | |
Vulnerability: | A user's password never expires | Severity: Low | | Description: | A user's password never expires. If there is no expiration, and the password is cracked, it is never changed. This is a risk because it allows unauthorized access to your system to appear as authorized access. | | Fix: | Set the user's password to expire in 42 days. Set the user's password as follows: - 1. From the Start menu, choose Programs, Administrative Tools (Common), User Manager.
- 2. Select the account.
- 3. From the Policies menu, choose User's Rights.
- 4. Under Minimum Password Age, set the value to 42 days.
| | Additional Info: | Guest | | |
Vulnerability: | A user's password never expires | Severity: Low | | Description: | A user's password never expires. If there is no expiration, and the password is cracked, it is never changed. This is a risk because it allows unauthorized access to your system to appear as authorized access. | | Fix: | Set the user's password to expire in 42 days. Set the user's password as follows: - 1. From the Start menu, choose Programs, Administrative Tools (Common), User Manager.
- 2. Select the account.
- 3. From the Policies menu, choose User's Rights.
- 4. Under Minimum Password Age, set the value to 42 days.
| | Additional Info: | isssupport | | |
Vulnerability: | A user's password never expires | Severity: Low | | Description: | A user's password never expires. If there is no expiration, and the password is cracked, it is never changed. This is a risk because it allows unauthorized access to your system to appear as authorized access. | | Fix: | Set the user's password to expire in 42 days. Set the user's password as follows: - 1. From the Start menu, choose Programs, Administrative Tools (Common), User Manager.
- 2. Select the account.
- 3. From the Policies menu, choose User's Rights.
- 4. Under Minimum Password Age, set the value to 42 days.
| | Additional Info: | IUSR_SAMCURE! | | |
Vulnerability: | Account Management Auditing not Enabled | Severity: Low | | Description: | Account Management Auditing is not enabled. Account Management auditing records when new users and groups are created or changed. Since these events are highly sensitive, it is recommended that these events always be audited. | | Fix: | Enable User and Group Management auditing. Enable auditing as follows: - 1. From the Start menu, choose Programs, Administrative Tools (Common), User Manager.
- 2. Select the account.
- 3. From the Policies menu, choose Audit.
- 4. Enable User and Group Management auditing on Success and Failure.
| | Additional Info: | Success | | |
Vulnerability: | Account Management Auditing not Enabled | Severity: Low | | Description: | Account Management Auditing is not enabled. Account Management auditing records when new users and groups are created or changed. Since these events are highly sensitive, it is recommended that these events always be audited. | | Fix: | Enable User and Group Management auditing. Enable auditing as follows: - 1. From the Start menu, choose Programs, Administrative Tools (Common), User Manager.
- 2. Select the account.
- 3. From the Policies menu, choose Audit.
- 4. Enable User and Group Management auditing on Success and Failure.
| | Additional Info: | Failure | | |
Vulnerability: | DCOM is Enabled. | Severity: Low | | Description: | DCOM was found to be enabled. DCOM may be used to execute programs remotely. | | Fix: | Disable DCOM in the NT registry. Disable DCOM as follows: - 1. From the Start menu, choose Run.
- 2. Type regedt32 and click OK. This opens the Registry Editor.
- 3. Navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Ole.
- 4. Open the EnableDCOM key and change the value to N.
- 5. Click OK.
| | Additional Info: | | | |
Vulnerability: | DCOM RunAs Value Writeable | Severity: Low | | Description: | The DCOM RunAs Value was found to be writeable. DCOM calls are executed under the security context of the calling user by default. If the RunAs key has been altered, the DCOM calls can be executed under the user context of the currently logged in user, or as a third user. If this ability is not controlled very carefully, it could provide a network user with the ability to execute arbitrary code under another user context. The RunAs key is writeable by the Interactive (console) user by default, which implies that if the console user were tricked into executing a trojan which altered the registry, or if someone other than the normal user were to log on locally, then DCOM calls could be executed under the console user's context by a remote user. If the console user was of a higher access level than the network user, a security breach could result. | | Fix: | Remove Interactive User write access to the AppID Key in the NT registry. Remove write access as follows: - 1. From the Start menu, choose Run.
- 2. Type regedt32 and click OK. This opens the Registry Editor.
- 3. Navigate to HKEY_LOCAL_MACHINE\Software\Classes\AppID.
- 4. From the Security menu, choose Permissions.
- 5. Remove Interactive user write permissions and propagate these permissions down that portion of the registry tree.
| | Additional Info: | Software\Classes\AppID | | |
Vulnerability: | Lan Manager Security | Severity: Low | | Description: | LAN Manager-style hashes are enabled for network authentication. LM hashes are relatively easily broken through a brute force attack, and the stronger Windows NT style hashes should be used. For more information see the online help topic entitled LAN Manager Security. | | Fix: | Apply Windows NT 4.0 Service Pack 3 (SP3) and apply the lm-fix. Apply SP3 as follows: - 1. From the Start menu, choose Run.
- 2. Type ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/ and click OK.
- 3. Choose the desired country abbreviation.
- 4. Choose nt40/.
- 5. Choose ussp3/ or sp3/
- 6. Choose i386/nt4sp3_1.exe for an Intel processor or ALPHA/nt4sp3_a.exe for an Alpha processor.
-AND- Apply the lm-fix as follows: - 1. From the Start menu, choose Run.
- 2. Type ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/lm-fix/ and press ENTER.
- 3. View the README.TXT for patch version and execution.
| | Additional Info: | | | |
Vulnerability: | Logon Auditing not Enabled | Severity: Low | | Description: | Logon Auditing is not enabled. It is important to audit logon and logoff success and failure to be able to detect and track unauthorized access attempts. | | Fix: | Enable Logon and Logoff auditing. Enable auditing as follows: - 1. From the Start menu, choose Programs, Administrative Tools (Common), User Manager.
- 2. Select the account.
- 3. From the Policies menu, choose Audit.
- 4. Enable Logon and Logoff auditing on Success and Failure.
| | Additional Info: | Success | | |
Vulnerability: | Logon Auditing not Enabled | Severity: Low | | Description: | Logon Auditing is not enabled. It is important to audit logon and logoff success and failure to be able to detect and track unauthorized access attempts. | | Fix: | Enable Logon and Logoff auditing. Enable auditing as follows: - 1. From the Start menu, choose Programs, Administrative Tools (Common), User Manager.
- 2. Select the account.
- 3. From the Policies menu, choose Audit.
- 4. Enable Logon and Logoff auditing on Success and Failure.
| | Additional Info: | Failure | | |
Vulnerability: | Missing PowerPoint Security Patch | Severity: Low | | Description: | This check detected the absence of the PowerPoint security patch. If missing, Internet Explorer will execute an application from within PowerPoint without warning the user. | | Fix: | Apply the PowerPoint (PP) security patch. Apply the PP patch as follows: - 1. Open Netscape Navigator or Internet Explorer.
- 2. Enter this URL: http://www.microsoft.com/msdownload/iesecurity/iepptsecurity.htm.
- 3. Download the PPTWarn.exe patch.
| | Additional Info: | | | |
Vulnerability: | Missing PowerPoint Security Patch | Severity: Low | | Description: | This check detected the absence of the PowerPoint security patch. If missing, Internet Explorer will execute an application from within PowerPoint without warning the user. | | Fix: | Apply the PowerPoint (PP) security patch. Apply the PP patch as follows: - 1. Open Netscape Navigator or Internet Explorer.
- 2. Enter this URL: http://www.microsoft.com/msdownload/iesecurity/iepptsecurity.htm.
- 3. Download the PPTWarn.exe patch.
| | Additional Info: | C:\WINNT\inf\PPTWarn.inf | | |
Vulnerability: | Multihomed Host | Severity: Low | | Description: | The Scanner has detected that the host has more than one network card installed. Under ordinary circumstances, this is not considered a serious risk. If the host is placed outside the firewall, it could provide an entry point for an intruder. Note - this vulnerability was determined by reading the Windows NT registry. | | Fix: | If multihomed hosts are outside of your security policy, remove the additional network adapter. | | Additional Info: | | | |
Vulnerability: | NetBIOS share found | Severity: Low | | Description: | This vulnerability indicates that a NetBIOS share has been found. If the share has the proper access controls, this is a very low risk vulnerability. | | Fix: | Correct the share permissions or remove the share. LOCAL MACHINE: Set the permissions explicitly as follows: - 1. Navigate to the share in Windows Explorer.
- 2. Right-click on the share, select Properties.
- 3. Under the Sharing tab, review the permissions.
- 4. Allow access only to approved users.
- 5. Click OK.
-OR- From the command line, remove the share as follows: - 1. From the Start menu, select Run.
- 2. Type cmd, then click OK. This opens the command line.
- 3. Type net share sharename /delete, where sharename is the name of the share.
- 4. Type exit to return to the Windows NT desktop.
REMOTE HOST (GUI): Remove the share as follows: - 1. From the Start menu, select Programs, Administrative Tools (Common), Server Manager.
- 2. Select the host. From the Computer menu, select Shared Directories.
- 3. Select the share and click Stop Sharing.
| | Additional Info: | E | | |
Vulnerability: | NetBIOS share found | Severity: Low | | Description: | This vulnerability indicates that a NetBIOS share has been found. If the share has the proper access controls, this is a very low risk vulnerability. | | Fix: | Correct the share permissions or remove the share. LOCAL MACHINE: Set the permissions explicitly as follows: - 1. Navigate to the share in Windows Explorer.
- 2. Right-click on the share, select Properties.
- 3. Under the Sharing tab, review the permissions.
- 4. Allow access only to approved users.
- 5. Click OK.
-OR- From the command line, remove the share as follows: - 1. From the Start menu, select Run.
- 2. Type cmd, then click OK. This opens the command line.
- 3. Type net share sharename /delete, where sharename is the name of the share.
- 4. Type exit to return to the Windows NT desktop.
REMOTE HOST (GUI): Remove the share as follows: - 1. From the Start menu, select Programs, Administrative Tools (Common), Server Manager.
- 2. Select the host. From the Computer menu, select Shared Directories.
- 3. Select the share and click Stop Sharing.
| | Additional Info: | ADMIN$ | | |
Vulnerability: | NetBIOS share found | Severity: Low | | Description: | This vulnerability indicates that a NetBIOS share has been found. If the share has the proper access controls, this is a very low risk vulnerability. | | Fix: | Correct the share permissions or remove the share. LOCAL MACHINE: Set the permissions explicitly as follows: - 1. Navigate to the share in Windows Explorer.
- 2. Right-click on the share, select Properties.
- 3. Under the Sharing tab, review the permissions.
- 4. Allow access only to approved users.
- 5. Click OK.
-OR- From the command line, remove the share as follows: - 1. From the Start menu, select Run.
- 2. Type cmd, then click OK. This opens the command line.
- 3. Type net share sharename /delete, where sharename is the name of the share.
- 4. Type exit to return to the Windows NT desktop.
REMOTE HOST (GUI): Remove the share as follows: - 1. From the Start menu, select Programs, Administrative Tools (Common), Server Manager.
- 2. Select the host. From the Computer menu, select Shared Directories.
- 3. Select the share and click Stop Sharing.
| | Additional Info: | C$ | | |
Vulnerability: | No Anti-virus Software Installed. | Severity: Low | | Description: | S3/Win did not detect the installation of popular anti-virus software. This version of S3/Win detects the following A-V packages: Norton AntiVirus, McAfee VirusScan, Inoculan (95 only), Dr. Solomon (95 only), IBM AntiVirus. | | Fix: | Install an anti-virus package or disable this check. | | Additional Info: | | | |
Vulnerability: | Object Auditing not Enabled | Severity: Low | | Description: | Object Auditing is not enabled. Object access includes files and registry keys. Auditing of these events must be enabled both by the security descriptor on the object and in the auditing settings. | | Fix: | Enable File and Object Access auditing. Enable auditing as follows: - 1. From the Start menu, choose Programs, Administrative Tools (Common), User Manager.
- 2. Select the account.
- 3. From the Policies menu, choose Audit.
- 4. Enable File and Object Access auditing on Success and Failure.
| | Additional Info: | Failure | | |
Vulnerability: | Object Auditing not Enabled | Severity: Low | | Description: | Object Auditing is not enabled. Object access includes files and registry keys. Auditing of these events must be enabled both by the security descriptor on the object and in the auditing settings. | | Fix: | Enable File and Object Access auditing. Enable auditing as follows: - 1. From the Start menu, choose Programs, Administrative Tools (Common), User Manager.
- 2. Select the account.
- 3. From the Policies menu, choose Audit.
- 4. Enable File and Object Access auditing on Success and Failure.
| | Additional Info: | Success | | |
Vulnerability: | One or more Office 97 files are out of date. | Severity: Low | | Description: | The indicated file is known to have security risks. | | Fix: | Download the most recent Office patch from http://www.microsoft.com/office. | | Additional Info: | C:\Program Files\Microsoft Office\Office\Winword.exe | | |
Vulnerability: | OS/2 Subsystem Enabled | Severity: Low | | Description: | Windows NT was C2 evaluated with the OS/2 subsystem disabled. Enabling the OS/2 subsystem can allow a process to persist across logins. | | Fix: | Remove the Os2 value from the NT registry. Remove the Os2 value as follows: - 1. From the Start menu, choose Run.
- 2. Type regedt32 and click OK. This opens the Registry Editor.
- 3. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems.
- 4. Remove the Os2 value, and the file which is pointed to by the value data.
| | Additional Info: | | | |
Vulnerability: | Outlook long file name patch not applied | Severity: Low | | Description: | This patch fixes a problem that can crash Outlook when receiving files with long file names. See security bulletin MS98-008 for details. | | Fix: | Apply the patch indicated in MS98-008. Apply the patch as follows: - 1. Open Netscape Navigator or Internet Explorer.
- 2. Enter this URL: http://www.microsoft.com/security/.
- 3. Click on MS98-008.
- 4. Under What Microsoft is Doing, select the patch appropriate for your system.
- 5. Follow the instructions.
| | Additional Info: | C:\Program Files\Outlook Express\msimnui.dll | | |
Vulnerability: | Page File not Cleared at Shutdown | Severity: Low | | Description: | The Windows NT pagefile can contain sensitive information, and should be cleared upon shutdown if required by your security policy. Some versions of the Netware authentication module will store the user name and password in clear-text, and this can be extracted from the pagefile. | | Fix: | Activate the ClearPageFileAtShutdown value. Activate the ClearPageFileAtShutdown value as follows: - 1. From the Start menu, choose Run.
- 2. Type regedt32 and click OK. This opens the Registry Editor.
- 3. Navigate to HKLM\System\CurrentControlSet\Services\SNMP\Parameters\ExtensionAgents.
- 4. Locate the 'ClearPageFileAtShutdown' value, and set it to 1.
| | Additional Info: | | | |
Vulnerability: | Performance Monitor Readable | Severity: Low | | Description: | The permissions on the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Perflib key are too permissive. They allow non-administrators to read performance counters, and so to see which processes are running. Under NT 4.0, registry access from the network can also be denied completely (the winreg key). | | Fix: | Restrict remote registry access and/or tighten the key's permissions. Tighten the permissions as follows: - 1. From the Start menu, choose Run.
- 2. Type regedt32 and click OK. This opens the Registry Editor.
- 3. Navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Perflib.
- 4. From the Security menu, choose Permissions.
- 5. Remove the entry for Everyone (and any other non-administrative group), and verify that only Administrators and SYSTEM retain Full Control.
| | Additional Info: | | | |
Vulnerability: | Policy Auditing not Enabled | Severity: Low | | Description: | Policy Auditing is not enabled. Policy auditing records when security policy changes are made (audit policy, user rights assignments and trust relationships). Since these events are highly sensitive, it is recommended that they always be audited. | | Fix: | Enable Security Policy Changes auditing. Enable auditing as follows: - 1. From the Start menu, choose Programs, Administrative Tools (Common), User Manager.
- 2. From the Policies menu, choose Audit.
- 3. Select Audit These Events, and enable Security Policy Changes on both Success and Failure.
| | Additional Info: | Failure | | |
Vulnerability: | Policy Auditing not Enabled | Severity: Low | | Description: | Policy Auditing is not enabled. Policy auditing records when security policy changes are made (audit policy, user rights assignments and trust relationships). Since these events are highly sensitive, it is recommended that they always be audited. | | Fix: | Enable Security Policy Changes auditing. Enable auditing as follows: - 1. From the Start menu, choose Programs, Administrative Tools (Common), User Manager.
- 2. From the Policies menu, choose Audit.
- 3. Select Audit These Events, and enable Security Policy Changes on both Success and Failure.
| | Additional Info: | Success | | |
Vulnerability: | Posix Enabled | Severity: Low | | Description: | Windows NT was C2 evaluated with the POSIX subsystem disabled. Enabling the POSIX subsystem also exposes a host to trojan horse attacks: POSIX file names are case sensitive, so an attacker can create a file whose lower-case name is found by a search before the legitimate file with the upper-case name. | | Fix: | Remove the Posix value. Remove the Posix value as follows: - 1. From the Start menu, choose Run.
- 2. Type regedt32 and click OK. This opens the Registry Editor.
- 3. Navigate to HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems.
- 4. Remove the Posix value, and the subsystem image file pointed to by the value data.
| | Additional Info: | | | |
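The three registry fixes above (the page file, Perflib permissions and the Os2/Posix subsystem values) checked from PowerShell on a current Windows host instead of in regedt32. This is an added example, not part of the scanner's report. The key paths are the report's own, with the truncated HSystem prefix expanded to HKLM\System. Two choices are mine: the Perflib check flags any Allow entry for a principal other than Administrators, SYSTEM and CREATOR OWNER, and -Fix removes a subsystem registry value but only reports the image file rather than deleting it.

```powershell
# Added example, not from the report. Run in an elevated PowerShell 5.1+ session.
# -Fix applies the ClearPageFileAtShutdown and subsystem changes; permission
# problems are reported only, so the operator can decide what to keep.
[CmdletBinding()]
param([switch]$Fix)

$memMgmt = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$subSys  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'
$perflib = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib'

# 1. Page file cleared at shutdown: REG_DWORD ClearPageFileAtShutdown must be 1.
$clear = (Get-ItemProperty -Path $memMgmt -Name ClearPageFileAtShutdown -ErrorAction SilentlyContinue).ClearPageFileAtShutdown
if ($clear -ne 1) {
    Write-Warning "ClearPageFileAtShutdown is '$clear' (expected 1); the pagefile survives shutdown"
    if ($Fix) { Set-ItemProperty -Path $memMgmt -Name ClearPageFileAtShutdown -Value 1 -Type DWord }
}

# 2. Optional subsystems: an Os2 or Posix value names the subsystem image, e.g.
#    %SystemRoot%\system32\psxss.exe. Remove the value; print the expanded file
#    path so the operator can remove the image as the report instructs.
foreach ($name in 'Os2', 'Posix') {
    $image = (Get-ItemProperty -Path $subSys -Name $name -ErrorAction SilentlyContinue).$name
    if (-not $image) { continue }
    Write-Warning "$name subsystem is registered: $image"
    if ($Fix) {
        Remove-ItemProperty -Path $subSys -Name $name
        Write-Output ("Removed {0}; image file to delete: {1}" -f $name, [Environment]::ExpandEnvironmentVariables($image))
    }
}

# 3. Perflib permissions: list Allow entries for anyone other than the principals
#    the report wants (assumption: Administrators and SYSTEM, plus CREATOR OWNER,
#    which Windows places on most keys).
$allowed = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER'
foreach ($ace in (Get-Acl -Path $perflib).Access) {
    if ($ace.AccessControlType -eq 'Allow' -and $allowed -notcontains $ace.IdentityReference.Value) {
        Write-Warning ("Perflib: {0} has {1}; non-administrators can read performance counters" -f `
            $ace.IdentityReference.Value, $ace.RegistryRights)
    }
}
```

On a default modern install the Perflib check will report INTERACTIVE and Performance Monitor Users, which Windows grants read access by design; whether to remove them is the same policy decision the report leaves to you, and the script deliberately does not change the ACL on its own.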
Vulnerability: | Privilege Auditing not Enabled | Severity: Low | | Description: | Privilege Auditing is not enabled. Privilege auditing records when a user or process exercises a user right (such as the right to back up and restore files). The granting of rights is recorded under Security Policy Changes, not here. | | Fix: | Enable Use of User Rights auditing. Enable auditing as follows: - 1. From the Start menu, choose Programs, Administrative Tools (Common), User Manager.
- 2. From the Policies menu, choose Audit.
- 3. Select Audit These Events, and enable Use of User Rights on both Success and Failure.
| | Additional Info: | Success | | |
Vulnerability: | Privilege Auditing not Enabled | Severity: Low | | Description: | Privilege Auditing is not enabled. Privilege auditing records when a user or process exercises a user right (such as the right to back up and restore files). The granting of rights is recorded under Security Policy Changes, not here. | | Fix: | Enable Use of User Rights auditing. Enable auditing as follows: - 1. From the Start menu, choose Programs, Administrative Tools (Common), User Manager.
- 2. From the Policies menu, choose Audit.
- 3. Select Audit These Events, and enable Use of User Rights on both Success and Failure.
| | Additional Info: | Failure | | |
Vulnerability: | Process Auditing not Enabled | Severity: Low | | Description: | Process Auditing is not enabled. Process Tracking records when processes are started and stopped. Auditing these events typically produces a large number of event log entries, and is not normally enabled unless your security policy or an investigation requires it. | | Fix: | Enable Process Tracking auditing. Enable auditing as follows: - 1. From the Start menu, choose Programs, Administrative Tools (Common), User Manager.
- 2. From the Policies menu, choose Audit.
- 3. Select Audit These Events, and enable Process Tracking on both Success and Failure.
| | Additional Info: | Failure | | |
Vulnerability: | Process Auditing not Enabled | Severity: Low | | Description: | Process Auditing is not enabled. Process Tracking records when processes are started and stopped. Auditing these events typically produces a large number of event log entries, and is not normally enabled unless your security policy or an investigation requires it. | | Fix: | Enable Process Tracking auditing. Enable auditing as follows: - 1. From the Start menu, choose Programs, Administrative Tools (Common), User Manager.
- 2. From the Policies menu, choose Audit.
- 3. Select Audit These Events, and enable Process Tracking on both Success and Failure.
| | Additional Info: | Success | | |
Vulnerability: | System Auditing not Enabled | Severity: Low | | Description: | System Event Auditing is not enabled. System events include system startup and shutdown and the clearing of the security log. | | Fix: | Enable Restart, Shutdown, and System auditing. Enable auditing as follows: - 1. From the Start menu, choose Programs, Administrative Tools (Common), User Manager.
- 2. From the Policies menu, choose Audit.
- 3. Select Audit These Events, and enable Restart, Shutdown, and System on both Success and Failure.
| | Additional Info: | Success | | |
Vulnerability: | System Auditing not Enabled | Severity: Low | | Description: | System Event Auditing is not enabled. System events include system startup and shutdown and the clearing of the security log. | | Fix: | Enable Restart, Shutdown, and System auditing. Enable auditing as follows: - 1. From the Start menu, choose Programs, Administrative Tools (Common), User Manager.
- 2. From the Policies menu, choose Audit.
- 3. Select Audit These Events, and enable Restart, Shutdown, and System on both Success and Failure.
| | Additional Info: | Failure | | |
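The eight audit findings above come down to four categories that should log both Success and Failure. Here is the same check and fix done with auditpol.exe, the command-line successor to the User Manager Policies, Audit dialog on Windows Vista and later. This is an added example and not part of the report; category names are auditpol's (Detailed Tracking is the modern name for Process Tracking), and the list of categories is a parameter so the noisy Process Tracking category can be left out where policy allows.

```powershell
# Added example, not from the report. Run elevated; auditpol needs the
# SeSecurityPrivilege right to read or change the audit policy.
[CmdletBinding()]
param(
    [switch]$Fix,
    # Process Tracking is noisy, as the report notes; drop 'Detailed Tracking' if policy allows.
    [string[]]$Categories = @('Policy Change', 'Privilege Use', 'Detailed Tracking', 'System')
)

foreach ($cat in $Categories) {
    # /r prints CSV with the columns:
    # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    $rows = auditpol /get /category:"$cat" /r | Where-Object { $_.Trim() } | ConvertFrom-Csv
    $weak = @($rows | Where-Object { $_.'Inclusion Setting' -ne 'Success and Failure' })

    if ($weak.Count -eq 0) {
        Write-Output "${cat}: every subcategory audits Success and Failure"
        continue
    }
    foreach ($row in $weak) {
        # Inclusion Setting is one of: No Auditing, Success, Failure, Success and Failure
        Write-Warning ("{0} / {1}: {2}" -f $cat, $row.Subcategory, $row.'Inclusion Setting')
    }
    if ($Fix) {
        # Same effect as ticking both Success and Failure for the category in User Manager.
        auditpol /set /category:"$cat" /success:enable /failure:enable | Out-Null
    }
}
```

The scanner reports Success and Failure as two separate findings per category; the script reports per subcategory instead, which is how auditpol stores the policy, so a category that is only half enabled shows up as a list of weak subcategories rather than as one line.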
Vulnerability: | Unauthorized user can debug programs. | Severity: Low | | Description: | Without this patch, an unauthorized user may run published exploit tools to attach a debugger to, and crash, programs running on the workstation. See security bulletin MS98-009 for details. | | Fix: | Apply the patch indicated in MS98-009. Apply the patch as follows: - 1. Open Netscape Navigator or Internet Explorer.
- 2. Enter this URL: http://www.microsoft.com/security/.
- 3. Click on MS98-009.
- 4. Under What Microsoft is Doing, select the patch appropriate for your system.
- 5. Follow the instructions.
| | Additional Info: | C:\WINNT\system32\csrsrv.dll | | |
Vulnerability: | Unknown NT Service | Severity: Low | | Description: | A service was found which was not known to ship with Windows NT. Services can be used to install back doors, or provide unauthorized network access. Any service which is not approved by your security policy should be removed. | | Fix: | Use instsrv from the Windows NT Resource Kit to remove the unwanted service. Remove the service as follows: - 1. From the Start menu, choose Run.
- 2. Type cmd and click OK. This opens the command line.
- 3. At a command prompt, type instsrv [service name] remove and press <ENTER>.
- 4. Type exit and press <ENTER> to return to Windows.
| | Additional Info: | IISADMIN | | |
Vulnerability: | Unknown NT Service | Severity: Low | | Description: | A service was found which was not known to ship with Windows NT. Services can be used to install back doors, or provide unauthorized network access. Any service which is not approved by your security policy should be removed. | | Fix: | Use instsrv from the Windows NT Resource Kit to remove the unwanted service. Remove the service as follows: - 1. From the Start menu, choose Run.
- 2. Type cmd and click OK. This opens the command line.
- 3. At a command prompt, type instsrv [service name] remove and press <ENTER>.
- 4. Type exit and press <ENTER> to return to Windows.
| | Additional Info: | dRMON SmartAgent | | |
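The scanner's "not known to ship with Windows NT" test compares installed services against a built-in list. The added example below, which is not part of the report, approximates that on a current host by flagging any service whose image is outside the Windows directory or is not validly signed by Microsoft, skipping names on an allow-list, and can then stop and delete a named service. sc.exe delete stands in for the Resource Kit's instsrv <name> remove. The allow-list default is an assumption; the report's two hits (IISADMIN, dRMON SmartAgent) are the kind of names you would either approve there or remove.

```powershell
# Added example, not from the report. Run elevated. Compare Win32_Service
# entries against an allow-list and a "shipped with Windows" heuristic.
[CmdletBinding()]
param(
    [string[]]$Approved = @(),   # service names your policy accepts, e.g. 'IISADMIN'
    [string]$Remove              # name of a service to stop and delete
)

$windir = [Environment]::GetFolderPath('Windows')

function Get-ServiceImage([string]$PathName) {
    # ImagePath may be quoted and may carry arguments: "C:\x y\a.exe" -k foo
    if ($PathName -match '^"?(.+?\.exe)\b') { return $Matches[1] }
    return $PathName
}

$unknown = foreach ($svc in Get-CimInstance Win32_Service) {
    if ($Approved -contains $svc.Name) { continue }
    $image    = Get-ServiceImage $svc.PathName
    $inWindir = $image -like "$windir\*"
    $sig      = if (Test-Path -LiteralPath $image) { Get-AuthenticodeSignature -FilePath $image } else { $null }
    $msSigned = $sig -and $sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*'
    if (-not ($inWindir -and $msSigned)) {
        [pscustomobject]@{
            Name   = $svc.Name
            State  = $svc.State
            Start  = $svc.StartMode
            Image  = $image
            Signed = if ($sig) { $sig.Status } else { 'file missing' }
        }
    }
}
$unknown | Format-Table -AutoSize

if ($Remove) {
    # Stop first so the deletion is not deferred until the next reboot.
    Stop-Service -Name $Remove -Force -ErrorAction SilentlyContinue
    sc.exe delete $Remove
}
```

Services hosted in svchost.exe share one Microsoft-signed image, so this heuristic does not catch a hostile DLL loaded into a shared host; for those, review the ServiceDll values under each service's Parameters key as a separate step. Third-party software in Program Files will always be listed, which is the point: everything on the list needs an explicit entry in your policy or removal.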
Vulnerability: | URL Security Zone active scripting | Severity: Low | | Description: | Active scripting allows script code embedded in HTML pages from this URL security zone to drive embedded objects (such as ActiveX controls or Java applets) that expose properties, methods and events. The browser may automatically execute potentially malicious scripts. | | Fix: | Disable 'Active scripting' for the zone in IE 4.x. Disable 'Active scripting' as follows: - 1. Open Internet Explorer 4.x.
- 2. From the View menu, choose Internet Options.
- 3. Click the Security tab.
- 4. Select the Internet zone and click Custom (for expert users).
- 5. Click Settings.
- 6. Under Scripting, navigate to Active scripting.
- 7. Click Disable.
- 8. Click OK.
| | Additional Info: | Internet zone | | |
Vulnerability: | URL Security Zone active scripting | Severity: Low | | Description: | Active scripting allows script code embedded in HTML pages from this URL security zone to drive embedded objects (such as ActiveX controls or Java applets) that expose properties, methods and events. The browser may automatically execute potentially malicious scripts. | | Fix: | Disable 'Active scripting' for the zone in IE 4.x. Disable 'Active scripting' as follows: - 1. Open Internet Explorer 4.x.
- 2. From the View menu, choose Internet Options.
- 3. Click the Security tab.
- 4. Select the Restricted sites zone and click Custom (for expert users).
- 5. Click Settings.
- 6. Under Scripting, navigate to Active scripting.
- 7. Click Disable.
- 8. Click OK.
| | Additional Info: | Restricted sites zone | | |
Vulnerability: | URL Security Zone file download | Severity: Low | | Description: | File download allows files to be downloaded directly from this URL security zone when the user follows a link in an HTML page. A potentially malicious or virus-infected program may be received without the user's knowledge. | | Fix: | Disable 'File download' for the zone in IE 4.x. Disable 'File download' as follows: - 1. Open Internet Explorer 4.x.
- 2. From the View menu, choose Internet Options.
- 3. Click the Security tab.
- 4. Select the Internet zone and click Custom (for expert users).
- 5. Click Settings.
- 6. Under Downloads, navigate to File Download.
- 7. Click Disable.
- 8. Click OK.
| | Additional Info: | Internet zone | | |
Vulnerability: | URL Security Zone java scripting | Severity: Low | | Description: | Scripting of Java applets allows script code embedded in HTML pages from this URL security zone to drive Java applets that expose properties, methods and events. The browser may automatically execute potentially malicious Java applets or scripts. | | Fix: | Disable 'Scripting of Java applets' for the zone in IE 4.x. Disable 'Scripting of Java applets' as follows: - 1. Open Internet Explorer 4.x.
- 2. From the View menu, choose Internet Options.
- 3. Click the Security tab.
- 4. Select the Internet zone and click Custom (for expert users).
- 5. Click Settings.
- 6. Under Scripting, navigate to Scripting of Java applets.
- 7. Click Disable.
- 8. Click OK.
| | Additional Info: | Internet zone | | |
Vulnerability: | URL Security Zone scripting safe Active X controls. | Severity: Low | | Description: | Allows ActiveX controls marked as safe for scripting to be scripted from HTML pages in this URL security zone. Potentially malicious scripts that drive ActiveX controls may be executed automatically by the browser. | | Fix: | Disable 'Script ActiveX controls marked safe for scripting' for the zone in IE 4.x. Disable the setting as follows: - 1. Open Internet Explorer 4.x.
- 2. From the View menu, choose Internet Options.
- 3. Click the Security tab.
- 4. Select the Internet zone and click Custom (for expert users).
- 5. Click Settings.
- 6. Under ActiveX Controls and plugins, navigate to Script Active X controls marked safe for scripting.
- 7. Click Disable.
- 8. Click OK.
| | Additional Info: | Internet zone | | |
Vulnerability: | URL Security Zone scripting safe Active X controls. | Severity: Low | | Description: | Allows ActiveX controls marked as safe for scripting to be scripted from HTML pages in this URL security zone. Potentially malicious scripts that drive ActiveX controls may be executed automatically by the browser. | | Fix: | Disable 'Script ActiveX controls marked safe for scripting' for the zone in IE 4.x. Disable the setting as follows: - 1. Open Internet Explorer 4.x.
- 2. From the View menu, choose Internet Options.
- 3. Click the Security tab.
- 4. Select the Restricted sites zone and click Custom (for expert users).
- 5. Click Settings.
- 6. Under ActiveX Controls and plugins, navigate to Script Active X controls marked safe for scripting.
- 7. Click Disable.
- 8. Click OK.
| | Additional Info: | Restricted sites zone | | |
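The seven URL Security Zone findings above are four settings across two zones, and every one of them is a DWORD under the user's Internet Settings\Zones key, so they can be audited without clicking through eight dialog pages. This is an added example, not part of the report. The zone numbers and action IDs are the documented Internet Settings values (3 = Internet, 4 = Restricted sites; 1400 Active scripting, 1402 Scripting of Java applets, 1405 Script ActiveX controls marked safe for scripting, 1803 File download; data 0 = Enable, 1 = Prompt, 3 = Disable). The script reads the current user's hive only, which is an assumption: zones enforced by Group Policy live under the Policies keys instead.

```powershell
# Added example, not from the report. Runs as the user whose browser settings
# are being checked; -Fix sets each flagged action to Disable (3).
[CmdletBinding()]
param([switch]$Fix)

$base   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones  = @{ 3 = 'Internet zone'; 4 = 'Restricted sites zone' }
$checks = [ordered]@{
    '1400' = 'Active scripting'
    '1402' = 'Scripting of Java applets'
    '1405' = 'Script ActiveX controls marked safe for scripting'
    '1803' = 'File download'
}
$label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

foreach ($z in $zones.Keys) {
    $key   = Join-Path $base $z
    $props = Get-ItemProperty -Path $key -ErrorAction Stop
    foreach ($id in $checks.Keys) {
        $val = $props.$id
        $state = if ($null -eq $val) { 'not set' }
                 elseif ($label.ContainsKey([int]$val)) { $label[[int]$val] }
                 else { "unknown ($val)" }
        if ($val -ne 3) {
            Write-Warning ("{0}: {1} ({2}) = {3}" -f $zones[$z], $checks[$id], $id, $state)
            if ($Fix) { Set-ItemProperty -Path $key -Name $id -Value 3 -Type DWord }
        } else {
            Write-Output ("{0}: {1} ({2}) = Disable" -f $zones[$z], $checks[$id], $id)
        }
    }
}
```

A missing value means the zone's template default applies, which for the Internet zone is Enable for all four actions; the script treats "not set" as a finding for that reason rather than assuming the default is safe.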
Vulnerability: | User never logged on | Severity: Low | | Description: | The account shown has never logged on. If it is a new account, you may ignore this message. If it is an old account, treat it as dormant: nobody will notice guessing attempts against an account no one uses. Note that identities created by installed software (for example the IWAM_<computername> account that IIS uses for out-of-process applications) are used by services rather than by interactive logon, and should be disabled or deleted only if the software that owns them is removed. | | Fix: | Delete the dormant account, or disable it if it may still be needed. Delete the account as follows: - 1. From the Start menu, choose Programs, Administrative Tools (Common), User Manager.
- 2. Select the account.
- 3. From the User menu, choose Delete.
- 4. Verify by clicking OK.
| | Additional Info: | IWAM_SAMCURE! | | |
Vulnerability: | Windows NT Messenger service running | Severity: Low | | Description: | The Windows NT Messenger service lets a user send pop-up messages to other users, which can be used for social engineering attacks. A side effect of running this service is that the name of the logged-on user is registered in the workstation's NetBIOS name table, which hands an attacker a valid user name for brute force attempts. | | Fix: | Stop and disable the Messenger service. Disable the Messenger service as follows: - 1. From the Start menu, choose Settings, Control Panel, Services.
- 2. Under Services, select Messenger.
- 3. Click Stop.
- 4. Click Startup, set Startup Type to Disabled, and click OK, so that the service does not restart at the next reboot.
| | Additional Info: | | | |
Vulnerability: | Windows NT Remote Access service running | Severity: Low | | Description: | Remote Access services were discovered. These services give users dial-in and dial-out capabilities, which may bypass the security mechanisms required at the network perimeter and give an attacker network access. | | Fix: | Disable dial-in for the Remote Access services, or stop and disable the services. Disable dial-in as follows: - 1. From the Start menu, select Settings, Control Panel, Network.
- 2. On the Services tab, select one of the Remote Access services.
- 3. Select Properties and click Configure.
- 4. Disable dial-in.
- 5. Repeat for other Remote Access services.
-OR- Stop and disable the services as follows: - 1. From the Start menu, select Settings, Control Panel, Services.
- 2. Select each of the Remote Access services in turn and click Stop.
- 3. Click Startup, set Startup Type to Disabled, and click OK, so that the service does not restart at the next reboot.
| | Additional Info: | | | |
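The Messenger and Remote Access findings share one remedy, stop the service and set it to Disabled, and the Messenger finding names a side effect that can be verified directly: the user name registered as a <03> entry in the NetBIOS name table. The added example below, not part of the report, does both. Service names are the NT-era ones (Messenger, RemoteAccess, RasMan) and are a parameter; Messenger no longer exists on current Windows and is simply reported as not installed.

```powershell
# Added example, not from the report. Run elevated. Stops and disables the named
# services, then checks nbtstat -n for a registered user name.
[CmdletBinding()]
param([string[]]$Services = @('Messenger', 'RemoteAccess', 'RasMan'))

foreach ($name in $Services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Output "${name}: not installed"; continue }
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $name -Force }
    # Stopping alone is not enough: the startup type must be Disabled or the
    # service returns at the next reboot (the gap in the report's Messenger steps).
    Set-Service -Name $name -StartupType Disabled
    $mode = (Get-CimInstance Win32_Service -Filter "Name='$name'").StartMode
    Write-Output ("{0}: {1}, startup {2}" -f $name, (Get-Service -Name $name).Status, $mode)
}

# NetBIOS name table check. nbtstat -n prints lines such as
#   WORKSTATION01   <00>  UNIQUE      Registered
#   JSMITH          <03>  UNIQUE      Registered
# A <03> UNIQUE entry that is not the computer name is the Messenger service's
# registration of the logged-on user, i.e. the user name leak the report describes.
$computer = $env:COMPUTERNAME
$leaks = nbtstat -n | ForEach-Object {
    if ($_ -match '^\s*(\S+)\s+<03>\s+UNIQUE') { $Matches[1] }
} | Where-Object { $_ -ne $computer }

if ($leaks) {
    Write-Warning "User names still registered as <03> NetBIOS names: $($leaks -join ', ')"
} else {
    Write-Output 'No user name <03> entries in the NetBIOS name table'
}
```

The <03> entry disappears only after the Messenger service has actually stopped, so the nbtstat check is the confirmation that the first half of the script did its job; on a host where NetBIOS over TCP/IP is disabled entirely, nbtstat reports no names and the leak cannot occur.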