System Scanner X-Force
Know Your Risks


Workstation Vulnerabilities Report
Report Date: 10/16/98 16:33:36

Policy: Heavy
Comment:
Scan Date: 10/14/98 11:46:53 Completion Status: OK

Report Description:

This report displays a summary of the workstation's security vulnerabilities.  Vulnerabilities are classified as having High, Medium, and Low severity.  High risk vulnerabilities are those which provide unauthorized access to your workstation.  Medium risk vulnerabilities are those which provide access to sensitive data on your workstation, and which may lead to the exploitation of higher risk vulnerabilities.  Low risk vulnerabilities are those that provide access to potentially sensitive information.

Vulnerabilities (from High to Low severity):

Vulnerability: Windows Key with Incorrect Permissions Severity: High
Description: The HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion key is set to allow any user to modify the subkeys. This allows members of the "Everyone" group to create an entry under the Run and RunOnce keys that contains the name of a program to run when the computer starts.
Fix: Set the registry permissions to allow read access to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion.

Set permissions as follows:

  1. 1. From the Start menu, choose Run.
  2. 2. Type regedt32 and click OK. This opens the Registry Editor.
  3. 3. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion.
  4. 4. From the Security menu, choose Permissions.
  5. 5. Allow only read access to the Everyone group.
Additional Info: Software\Microsoft\Windows\CurrentVersion\RunOnce
Vulnerability: DCOM RunAs Value Altered Severity: Medium
Description: The DCOM RunAs Value was found to be altered. DCOM calls are executed under the security context of the calling user by default. If the RunAs key has been altered, the DCOM calls can be executed under the user context of the currently logged in user, or as a third user. If this ability is not controlled very carefully, it could provide a network user with the ability to execute arbitrary code under another user context.
Fix: Remove the RunAs value to restore the user context to that of the calling user.

Remove the RunAs value as follows:

  1. 1. From the Start menu, choose Run.
  2. 2. Type regedt32 and click OK. This opens the Registry Editor.
  3. 3. Navigate to HKEY_LOCAL_MACHINE\Software\Classes\AppID.
  4. 4. Locate the subkey which has had the RunAs value inserted.
  5. 5. Remove the RunAs value.
Additional Info: {94751E25-27E6-11D2-96FD-00104B6A7B04}
Vulnerability: DCOM RunAs Value Altered Severity: Medium
Description: The DCOM RunAs Value was found to be altered. DCOM calls are executed under the security context of the calling user by default. If the RunAs key has been altered, the DCOM calls can be executed under the user context of the currently logged in user, or as a third user. If this ability is not controlled very carefully, it could provide a network user with the ability to execute arbitrary code under another user context.
Fix: Remove the RunAs value to restore the user context to that of the calling user.

Remove the RunAs value as follows:

  1. 1. From the Start menu, choose Run.
  2. 2. Type regedt32 and click OK. This opens the Registry Editor.
  3. 3. Navigate to HKEY_LOCAL_MACHINE\Software\Classes\AppID.
  4. 4. Locate the subkey which has had the RunAs value inserted.
  5. 5. Remove the RunAs value.
Additional Info: {5CB66670-D3D4-11CF-ACAB-00A024A55AEF}
Vulnerability: DCOM RunAs Value Altered Severity: Medium
Description: The DCOM RunAs Value was found to be altered. DCOM calls are executed under the security context of the calling user by default. If the RunAs key has been altered, the DCOM calls can be executed under the user context of the currently logged in user, or as a third user. If this ability is not controlled very carefully, it could provide a network user with the ability to execute arbitrary code under another user context.
Fix: Remove the RunAs value to restore the user context to that of the calling user.

Remove the RunAs value as follows:

  1. 1. From the Start menu, choose Run.
  2. 2. Type regedt32 and click OK. This opens the Registry Editor.
  3. 3. Navigate to HKEY_LOCAL_MACHINE\Software\Classes\AppID.
  4. 4. Locate the subkey which has had the RunAs value inserted.
  5. 5. Remove the RunAs value.
Additional Info: {5CB66670-D3D4-11CF-ACAB-00A024A55AEF}
Vulnerability: DCOM RunAs Value Altered Severity: Medium
Description: The DCOM RunAs Value was found to be altered. DCOM calls are executed under the security context of the calling user by default. If the RunAs key has been altered, the DCOM calls can be executed under the user context of the currently logged in user, or as a third user. If this ability is not controlled very carefully, it could provide a network user with the ability to execute arbitrary code under another user context.
Fix: Remove the RunAs value to restore the user context to that of the calling user.

Remove the RunAs value as follows:

  1. 1. From the Start menu, choose Run.
  2. 2. Type regedt32 and click OK. This opens the Registry Editor.
  3. 3. Navigate to HKEY_LOCAL_MACHINE\Software\Classes\AppID.
  4. 4. Locate the subkey which has had the RunAs value inserted.
  5. 5. Remove the RunAs value.
Additional Info: {7999FC25-D3C6-11CF-ACAB-00A024A55AEF}
Vulnerability: DCOM RunAs Value Altered Severity: Medium
Description: The DCOM RunAs Value was found to be altered. DCOM calls are executed under the security context of the calling user by default. If the RunAs key has been altered, the DCOM calls can be executed under the user context of the currently logged in user, or as a third user. If this ability is not controlled very carefully, it could provide a network user with the ability to execute arbitrary code under another user context.
Fix: Remove the RunAs value to restore the user context to that of the calling user.

Remove the RunAs value as follows:

  1. 1. From the Start menu, choose Run.
  2. 2. Type regedt32 and click OK. This opens the Registry Editor.
  3. 3. Navigate to HKEY_LOCAL_MACHINE\Software\Classes\AppID.
  4. 4. Locate the subkey which has had the RunAs value inserted.
  5. 5. Remove the RunAs value.
Additional Info: {7999FC25-D3C6-11CF-ACAB-00A024A55AEF}
Vulnerability: URL Security Zone Active X execution Severity: Medium
Description: Allows ActiveX controls and plug-ins to be launched from the URL security zoneIE_Security_Zones of the HTML page that contains the control.
Fix: Disable æRun Active X controls and Plug-ins' on IE 4.x.

Disable æRun Active X controls and Plug-insÆ as follows:

  1. 1. Open Internet Explorer 4.x.
  2. 2. From the View menu, choose Internet Options.
  3. 3. Click the Security tab.
  4. 4. Under Internet Zone, click Custom (for expert users).
  5. 5. Click Settings.
  6. 6. Under ActiveX Controls and plugins, navigate to Run Active X controls and Plug-ins.
  7. 7. Click Disable.
  8. 8. Click OK.
Additional Info: Internet zone
Vulnerability: DCOM RunAs Value Altered Severity: Medium
Description: The DCOM RunAs Value was found to be altered. DCOM calls are executed under the security context of the calling user by default. If the RunAs key has been altered, the DCOM calls can be executed under the user context of the currently logged in user, or as a third user. If this ability is not controlled very carefully, it could provide a network user with the ability to execute arbitrary code under another user context.
Fix: Remove the RunAs value to restore the user context to that of the calling user.

Remove the RunAs value as follows:

  1. 1. From the Start menu, choose Run.
  2. 2. Type regedt32 and click OK. This opens the Registry Editor.
  3. 3. Navigate to HKEY_LOCAL_MACHINE\Software\Classes\AppID.
  4. 4. Locate the subkey which has had the RunAs value inserted.
  5. 5. Remove the RunAs value.
Additional Info: {9209B1A6-964A-11D0-9372-00A0C9034910}
Vulnerability: DCOM RunAs Value Altered Severity: Medium
Description: The DCOM RunAs Value was found to be altered. DCOM calls are executed under the security context of the calling user by default. If the RunAs key has been altered, the DCOM calls can be executed under the user context of the currently logged in user, or as a third user. If this ability is not controlled very carefully, it could provide a network user with the ability to execute arbitrary code under another user context.
Fix: Remove the RunAs value to restore the user context to that of the calling user.

Remove the RunAs value as follows:

  1. 1. From the Start menu, choose Run.
  2. 2. Type regedt32 and click OK. This opens the Registry Editor.
  3. 3. Navigate to HKEY_LOCAL_MACHINE\Software\Classes\AppID.
  4. 4. Locate the subkey which has had the RunAs value inserted.
  5. 5. Remove the RunAs value.
Additional Info: {99169CB0-A707-11d0-989D-00C04FD919C1}
Vulnerability: DCOM RunAs Value Altered Severity: Medium
Description: The DCOM RunAs Value was found to be altered. DCOM calls are executed under the security context of the calling user by default. If the RunAs key has been altered, the DCOM calls can be executed under the user context of the currently logged in user, or as a third user. If this ability is not controlled very carefully, it could provide a network user with the ability to execute arbitrary code under another user context.
Fix: Remove the RunAs value to restore the user context to that of the calling user.

Remove the RunAs value as follows:

  1. 1. From the Start menu, choose Run.
  2. 2. Type regedt32 and click OK. This opens the Registry Editor.
  3. 3. Navigate to HKEY_LOCAL_MACHINE\Software\Classes\AppID.
  4. 4. Locate the subkey which has had the RunAs value inserted.
  5. 5. Remove the RunAs value.
Additional Info: {94751E25-27E6-11D2-96FD-00104B6A7B04}
Vulnerability: DCOM RunAs Value Altered Severity: Medium
Description: The DCOM RunAs Value was found to be altered. DCOM calls are executed under the security context of the calling user by default. If the RunAs key has been altered, the DCOM calls can be executed under the user context of the currently logged in user, or as a third user. If this ability is not controlled very carefully, it could provide a network user with the ability to execute arbitrary code under another user context.
Fix: Remove the RunAs value to restore the user context to that of the calling user.

Remove the RunAs value as follows:

  1. 1. From the Start menu, choose Run.
  2. 2. Type regedt32 and click OK. This opens the Registry Editor.
  3. 3. Navigate to HKEY_LOCAL_MACHINE\Software\Classes\AppID.
  4. 4. Locate the subkey which has had the RunAs value inserted.
  5. 5. Remove the RunAs value.
Additional Info: {94751E26-27E6-11D2-96FD-00104B6A7B04}
Vulnerability: DCOM RunAs Value Altered Severity: Medium
Description: The DCOM RunAs Value was found to be altered. DCOM calls are executed under the security context of the calling user by default. If the RunAs key has been altered, the DCOM calls can be executed under the user context of the currently logged in user, or as a third user. If this ability is not controlled very carefully, it could provide a network user with the ability to execute arbitrary code under another user context.
Fix: Remove the RunAs value to restore the user context to that of the calling user.

Remove the RunAs value as follows:

  1. 1. From the Start menu, choose Run.
  2. 2. Type regedt32 and click OK. This opens the Registry Editor.
  3. 3. Navigate to HKEY_LOCAL_MACHINE\Software\Classes\AppID.
  4. 4. Locate the subkey which has had the RunAs value inserted.
  5. 5. Remove the RunAs value.
Additional Info: {94751E26-27E6-11D2-96FD-00104B6A7B04}
Vulnerability: DCOM RunAs Value Altered Severity: Medium
Description: The DCOM RunAs Value was found to be altered. DCOM calls are executed under the security context of the calling user by default. If the RunAs key has been altered, the DCOM calls can be executed under the user context of the currently logged in user, or as a third user. If this ability is not controlled very carefully, it could provide a network user with the ability to execute arbitrary code under another user context.
Fix: Remove the RunAs value to restore the user context to that of the calling user.

Remove the RunAs value as follows:

  1. 1. From the Start menu, choose Run.
  2. 2. Type regedt32 and click OK. This opens the Registry Editor.
  3. 3. Navigate to HKEY_LOCAL_MACHINE\Software\Classes\AppID.
  4. 4. Locate the subkey which has had the RunAs value inserted.
  5. 5. Remove the RunAs value.
Additional Info: {94751E27-27E6-11D2-96FD-00104B6A7B04}
Vulnerability: DCOM RunAs Value Altered Severity: Medium
Description: The DCOM RunAs Value was found to be altered. DCOM calls are executed under the security context of the calling user by default. If the RunAs key has been altered, the DCOM calls can be executed under the user context of the currently logged in user, or as a third user. If this ability is not controlled very carefully, it could provide a network user with the ability to execute arbitrary code under another user context.
Fix: Remove the RunAs value to restore the user context to that of the calling user.

Remove the RunAs value as follows:

  1. 1. From the Start menu, choose Run.
  2. 2. Type regedt32 and click OK. This opens the Registry Editor.
  3. 3. Navigate to HKEY_LOCAL_MACHINE\Software\Classes\AppID.
  4. 4. Locate the subkey which has had the RunAs value inserted.
  5. 5. Remove the RunAs value.
Additional Info: {94751E27-27E6-11D2-96FD-00104B6A7B04}
Vulnerability: DCOM RunAs Value Altered Severity: Medium
Description: The DCOM RunAs Value was found to be altered. DCOM calls are executed under the security context of the calling user by default. If the RunAs key has been altered, the DCOM calls can be executed under the user context of the currently logged in user, or as a third user. If this ability is not controlled very carefully, it could provide a network user with the ability to execute arbitrary code under another user context.
Fix: Remove the RunAs value to restore the user context to that of the calling user.

Remove the RunAs value as follows:

  1. 1. From the Start menu, choose Run.
  2. 2. Type regedt32 and click OK. This opens the Registry Editor.
  3. 3. Navigate to HKEY_LOCAL_MACHINE\Software\Classes\AppID.
  4. 4. Locate the subkey which has had the RunAs value inserted.
  5. 5. Remove the RunAs value.
Additional Info: {94751E29-27E6-11D2-96FD-00104B6A7B04}
Vulnerability: DCOM RunAs Value Altered Severity: Medium
Description: The DCOM RunAs Value was found to be altered. DCOM calls are executed under the security context of the calling user by default. If the RunAs key has been altered, the DCOM calls can be executed under the user context of the currently logged in user, or as a third user. If this ability is not controlled very carefully, it could provide a network user with the ability to execute arbitrary code under another user context.
Fix: Remove the RunAs value to restore the user context to that of the calling user.

Remove the RunAs value as follows:

  1. 1. From the Start menu, choose Run.
  2. 2. Type regedt32 and click OK. This opens the Registry Editor.
  3. 3. Navigate to HKEY_LOCAL_MACHINE\Software\Classes\AppID.
  4. 4. Locate the subkey which has had the RunAs value inserted.
  5. 5. Remove the RunAs value.
Additional Info: {94751E29-27E6-11D2-96FD-00104B6A7B04}
Vulnerability: DCOM RunAs Value Altered Severity: Medium
Description: The DCOM RunAs Value was found to be altered. DCOM calls are executed under the security context of the calling user by default. If the RunAs key has been altered, the DCOM calls can be executed under the user context of the currently logged in user, or as a third user. If this ability is not controlled very carefully, it could provide a network user with the ability to execute arbitrary code under another user context.
Fix: Remove the RunAs value to restore the user context to that of the calling user.

Remove the RunAs value as follows:

  1. 1. From the Start menu, choose Run.
  2. 2. Type regedt32 and click OK. This opens the Registry Editor.
  3. 3. Navigate to HKEY_LOCAL_MACHINE\Software\Classes\AppID.
  4. 4. Locate the subkey which has had the RunAs value inserted.
  5. 5. Remove the RunAs value.
Additional Info: {94751E23-27E6-11D2-96FD-00104B6A7B04}
Vulnerability: DCOM RunAs Value Altered Severity: Medium
Description: The DCOM RunAs Value was found to be altered. DCOM calls are executed under the security context of the calling user by default. If the RunAs key has been altered, the DCOM calls can be executed under the user context of the currently logged in user, or as a third user. If this ability is not controlled very carefully, it could provide a network user with the ability to execute arbitrary code under another user context.
Fix: Remove the RunAs value to restore the user context to that of the calling user.

Remove the RunAs value as follows:

  1. 1. From the Start menu, choose Run.
  2. 2. Type regedt32 and click OK. This opens the Registry Editor.
  3. 3. Navigate to HKEY_LOCAL_MACHINE\Software\Classes\AppID.
  4. 4. Locate the subkey which has had the RunAs value inserted.
  5. 5. Remove the RunAs value.
Additional Info: {0C66DFD9-D523-11CF-A3EF-143AB8000000}
Vulnerability: Bad File Version Vulnerability Severity: Medium
Description: This vulnerability is raised when the S3 for Windows generic file version checker detects a file which is not current.
Fix: Install a patch or upgrade from the vendor of the outdated file. There may be a workaround.
Additional Info: C:\Program Files\Microsoft Office\Office\Winword.exe
Vulnerability: Bad File Version Vulnerability Severity: Medium
Description: This vulnerability is raised when the S3 for Windows generic file version checker detects a file which is not current.
Fix: Install a patch or upgrade from the vendor of the outdated file. There may be a workaround.
Additional Info: C:\WINNT\system32\rpcrt4.dll
Vulnerability: Winlogon Key Has Incorrect Permissions Severity: Medium
Description: The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon key has two values which can be used to cause a process to execute upon either system bootup, or when a user logs on. The programs pointed to by the System value run under the system user context after boot, and could be used to change a user's rights or access level. The UserInit value runs applications when a user logs in. The default settings for this key allow Server Operators to write these values, either of which could be used to raise a System Operator's access level to Administrator.
Fix: Remove Server Operator write access to the winlogon key.

Remove association as follows as follows:

  1. 1. From the Start menu, choose Run.
  2. 2. Type regedt32 and click OK. This opens the Registry Editor.
  3. 3. Navigate to KEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version\Winlogon.
  4. 4. From the Security menu, choose Permissions.
  5. 5. Remove Server Operator write access.
Additional Info:
Vulnerability: Scheduler Key Has Incorrect Permissions Severity: Medium
Description: The HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Schedule key controls the schedule service. Server Operators have permission to write to this registry tree, which would allow them to manually schedule jobs to be run by the schedule service, which normally executes under the system user context. This can be used to raise the Server Operator's access level to Administrator.
Fix: Remove Server operator write access to the schedule key in the NT registry.

Remove write access as follows:

  1. 1. From the Start menu, choose Run.
  2. 2. Type regedt32 and click OK. This opens the Registry Editor.
  3. 3. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Schedule.
  4. 4. From the Security menu, choose Permissions.
  5. 5. Remove Server Operator write access.
Additional Info:
Vulnerability: Registry Access Allowed For All Users Severity: Medium
Description: The winreg key was found to be vulnerable. The permissions on the SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg key control remote access to the registry. If the 'everyone' group is not allowed access, null session access to the registry can be prevented. If this key is not present, remote access to the registry is not controlled, and if found in conjunction with Service Pack 3 not applied, can allow non-authenticated users to write registry keys.
Fix: Apply the patch and Service Pack 3 and modify the registry for RestrictAnonymous.

Apply SP3 as follows:

  1. 1. From the Start menu, choose Run.
  2. 2. Type ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes / ' and click OK.
  3. 3. Choose the desired country abbreviation.
  4. 4. Choose nt40/.
  5. 5. Choose ussp3/ or sp3/.
  6. 6. Choose i386/nt4sp3_1.exe for an Intel processor or ALPHA/nt4sp3_a.exe for an Alpha processor.

Restrict registry access as follows:

  1. 1. From the Start menu, choose Run.
  2. 2. Type regedt32 and click OK. This opens the Registry Editor.
  3. 3. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\SecurePipeServers\Winreg.
  4. 4. From the Security menu, choose Permissions.
  5. 5. Restrict access Everyone.
Additional Info:
Vulnerability: DCOM RunAs Value Altered Severity: Medium
Description: The DCOM RunAs Value was found to be altered. DCOM calls are executed under the security context of the calling user by default. If the RunAs key has been altered, the DCOM calls can be executed under the user context of the currently logged in user, or as a third user. If this ability is not controlled very carefully, it could provide a network user with the ability to execute arbitrary code under another user context.
Fix: Remove the RunAs value to restore the user context to that of the calling user.

Remove the RunAs value as follows:

  1. 1. From the Start menu, choose Run.
  2. 2. Type regedt32 and click OK. This opens the Registry Editor.
  3. 3. Navigate to HKEY_LOCAL_MACHINE\Software\Classes\AppID.
  4. 4. Locate the subkey which has had the RunAs value inserted.
  5. 5. Remove the RunAs value.
Additional Info: mdm
Vulnerability: DCOM RunAs Value Altered Severity: Medium
Description: The DCOM RunAs Value was found to be altered. DCOM calls are executed under the security context of the calling user by default. If the RunAs key has been altered, the DCOM calls can be executed under the user context of the currently logged in user, or as a third user. If this ability is not controlled very carefully, it could provide a network user with the ability to execute arbitrary code under another user context.
Fix: Remove the RunAs value to restore the user context to that of the calling user.

Remove the RunAs value as follows:

  1. 1. From the Start menu, choose Run.
  2. 2. Type regedt32 and click OK. This opens the Registry Editor.
  3. 3. Navigate to HKEY_LOCAL_MACHINE\Software\Classes\AppID.
  4. 4. Locate the subkey which has had the RunAs value inserted.
  5. 5. Remove the RunAs value.
Additional Info: {3D14228C-FBE1-11d0-995D-00C04FD919C1}
Vulnerability: DCOM RunAs Value Altered Severity: Medium
Description: The DCOM RunAs Value was found to be altered. DCOM calls are executed under the security context of the calling user by default. If the RunAs key has been altered, the DCOM calls can be executed under the user context of the currently logged in user, or as a third user. If this ability is not controlled very carefully, it could provide a network user with the ability to execute arbitrary code under another user context.
Fix: Remove the RunAs value to restore the user context to that of the calling user.

Remove the RunAs value as follows:

  1. 1. From the Start menu, choose Run.
  2. 2. Type regedt32 and click OK. This opens the Registry Editor.
  3. 3. Navigate to HKEY_LOCAL_MACHINE\Software\Classes\AppID.
  4. 4. Locate the subkey which has had the RunAs value inserted.
  5. 5. Remove the RunAs value.
Additional Info: {0C66DFD9-D523-11CF-A3EF-143AB8000000}
Vulnerability: DCOM RunAs Value Altered Severity: Medium
Description: The DCOM RunAs Value was found to be altered. DCOM calls are executed under the security context of the calling user by default. If the RunAs key has been altered, the DCOM calls can be executed under the user context of the currently logged in user, or as a third user. If this ability is not controlled very carefully, it could provide a network user with the ability to execute arbitrary code under another user context.
Fix: Remove the RunAs value to restore the user context to that of the calling user.

Remove the RunAs value as follows:

  1. 1. From the Start menu, choose Run.
  2. 2. Type regedt32 and click OK. This opens the Registry Editor.
  3. 3. Navigate to HKEY_LOCAL_MACHINE\Software\Classes\AppID.
  4. 4. Locate the subkey which has had the RunAs value inserted.
  5. 5. Remove the RunAs value.
Additional Info: {3D14228C-FBE1-11d0-995D-00C04FD919C1}
Vulnerability: DCOM RunAs Value Altered Severity: Medium
Description: The DCOM RunAs Value was found to be altered. DCOM calls are executed under the security context of the calling user by default. If the RunAs key has been altered, the DCOM calls can be executed under the user context of the currently logged in user, or as a third user. If this ability is not controlled very carefully, it could provide a network user with the ability to execute arbitrary code under another user context.
Fix: Remove the RunAs value to restore the user context to that of the calling user.

Remove the RunAs value as follows:

  1. 1. From the Start menu, choose Run.
  2. 2. Type regedt32 and click OK. This opens the Registry Editor.
  3. 3. Navigate to HKEY_LOCAL_MACHINE\Software\Classes\AppID.
  4. 4. Locate the subkey which has had the RunAs value inserted.
  5. 5. Remove the RunAs value.
Additional Info: {182C40F0-32E4-11D0-818B-00A0C9231C29}
Vulnerability: DCOM RunAs Value Altered Severity: Medium
Description: The DCOM RunAs Value was found to be altered. DCOM calls are executed under the security context of the calling user by default. If the RunAs key has been altered, the DCOM calls can be executed under the user context of the currently logged in user, or as a third user. If this ability is not controlled very carefully, it could provide a network user with the ability to execute arbitrary code under another user context.
Fix: Remove the RunAs value to restore the user context to that of the calling user.

Remove the RunAs value as follows:

  1. 1. From the Start menu, choose Run.
  2. 2. Type regedt32 and click OK. This opens the Registry Editor.
  3. 3. Navigate to HKEY_LOCAL_MACHINE\Software\Classes\AppID.
  4. 4. Locate the subkey which has had the RunAs value inserted.
  5. 5. Remove the RunAs value.
Additional Info: {182C40F0-32E4-11D0-818B-00A0C9231C29}
Vulnerability: DCOM RunAs Value Altered Severity: Medium
Description: The DCOM RunAs Value was found to be altered. DCOM calls are executed under the security context of the calling user by default. If the RunAs key has been altered, the DCOM calls can be executed under the user context of the currently logged in user, or as a third user. If this ability is not controlled very carefully, it could provide a network user with the ability to execute arbitrary code under another user context.
Fix: Remove the RunAs value to restore the user context to that of the calling user.

Remove the RunAs value as follows:

  1. 1. From the Start menu, choose Run.
  2. 2. Type regedt32 and click OK. This opens the Registry Editor.
  3. 3. Navigate to HKEY_LOCAL_MACHINE\Software\Classes\AppID.
  4. 4. Locate the subkey which has had the RunAs value inserted.
  5. 5. Remove the RunAs value.
Additional Info: {275D9D50-5FF5-11CF-A5E1-00AA006BBF16}
Vulnerability: DCOM RunAs Value Altered Severity: Medium
Description: The DCOM RunAs Value was found to be altered. DCOM calls are executed under the security context of the calling user by default. If the RunAs key has been altered, the DCOM calls can be executed under the user context of the currently logged in user, or as a third user. If this ability is not controlled very carefully, it could provide a network user with the ability to execute arbitrary code under another user context.
Fix: Remove the RunAs value to restore the user context to that of the calling user.

Remove the RunAs value as follows:

  1. 1. From the Start menu, choose Run.
  2. 2. Type regedt32 and click OK. This opens the Registry Editor.
  3. 3. Navigate to HKEY_LOCAL_MACHINE\Software\Classes\AppID.
  4. 4. Locate the subkey which has had the RunAs value inserted.
  5. 5. Remove the RunAs value.
Additional Info: {275D9D50-5FF5-11CF-A5E1-00AA006BBF16}
Vulnerability: DCOM RunAs Value Altered Severity: Medium
Description: The DCOM RunAs Value was found to be altered. DCOM calls are executed under the security context of the calling user by default. If the RunAs key has been altered, the DCOM calls can be executed under the user context of the currently logged in user, or as a third user. If this ability is not controlled very carefully, it could provide a network user with the ability to execute arbitrary code under another user context.
Fix: Remove the RunAs value to restore the user context to that of the calling user.

Remove the RunAs value as follows:

  1. 1. From the Start menu, choose Run.
  2. 2. Type regedt32 and click OK. This opens the Registry Editor.
  3. 3. Navigate to HKEY_LOCAL_MACHINE\Software\Classes\AppID.
  4. 4. Locate the subkey which has had the RunAs value inserted.
  5. 5. Remove the RunAs value.
Additional Info: {3BFFE820-0900-11d0-BE0A-00A0C90A6BEE}
Vulnerability: DCOM RunAs Value Altered Severity: Medium
Description: The DCOM RunAs Value was found to be altered. DCOM calls are executed under the security context of the calling user by default. If the RunAs key has been altered, the DCOM calls can be executed under the user context of the currently logged in user, or as a third user. If this ability is not controlled very carefully, it could provide a network user with the ability to execute arbitrary code under another user context.
Fix: Remove the RunAs value to restore the user context to that of the calling user.

Remove the RunAs value as follows:

  1. 1. From the Start menu, choose Run.
  2. 2. Type regedt32 and click OK. This opens the Registry Editor.
  3. 3. Navigate to HKEY_LOCAL_MACHINE\Software\Classes\AppID.
  4. 4. Locate the subkey which has had the RunAs value inserted.
  5. 5. Remove the RunAs value.
Additional Info: {3BFFE820-0900-11d0-BE0A-00A0C90A6BEE}
Vulnerability: DCOM RunAs Value Altered Severity: Medium
Description: The DCOM RunAs Value was found to be altered. DCOM calls are executed under the security context of the calling user by default. If the RunAs key has been altered, the DCOM calls can be executed under the user context of the currently logged in user, or as a third user. If this ability is not controlled very carefully, it could provide a network user with the ability to execute arbitrary code under another user context.
Fix: Remove the RunAs value to restore the user context to that of the calling user.

Remove the RunAs value as follows:

  1. 1. From the Start menu, choose Run.
  2. 2. Type regedt32 and click OK. This opens the Registry Editor.
  3. 3. Navigate to HKEY_LOCAL_MACHINE\Software\Classes\AppID.
  4. 4. Locate the subkey which has had the RunAs value inserted.
  5. 5. Remove the RunAs value.
Additional Info: {94751E23-27E6-11D2-96FD-00104B6A7B04}
Vulnerability: DCOM RunAs Value Altered Severity: Medium
Description: The DCOM RunAs Value was found to be altered. DCOM calls are executed under the security context of the calling user by default. If the RunAs key has been altered, the DCOM calls can be executed under the user context of the currently logged in user, or as a third user. If this ability is not controlled very carefully, it could provide a network user with the ability to execute arbitrary code under another user context.
Fix: Remove the RunAs value to restore the user context to that of the calling user.

Remove the RunAs value as follows:

  1. 1. From the Start menu, choose Run.
  2. 2. Type regedt32 and click OK. This opens the Registry Editor.
  3. 3. Navigate to HKEY_LOCAL_MACHINE\Software\Classes\AppID.
  4. 4. Locate the subkey which has had the RunAs value inserted.
  5. 5. Remove the RunAs value.
Additional Info: {0C0A3666-30C9-11D0-8F20-00805F2CD064}
Vulnerability: Regfile Associations Can Be Changed By Non-Admins Severity: Medium
Description: Improper permissions were found on the registry key valuename specifying a command association with registry files.
Fix: Restrict non-Administrators write access for the command key in the NT registry.

Restrict access as follows:

  1. 1. From the Start menu, choose Run.
  2. 2. Type regedt32 and click OK. This opens the Registry Editor.
  3. 3. Navigate to HKEY_LOCAL_MACHINE/Software/Classes/regfile/shell/open/command.
  4. 4. From the Security menu, choose Permissions.
  5. 5. Restrict non-Administrators write access.
Additional Info:
Vulnerability: DCOM RunAs Value Altered Severity: Medium
Description: The DCOM RunAs Value was found to be altered. DCOM calls are executed under the security context of the calling user by default. If the RunAs key has been altered, the DCOM calls can be executed under the user context of the currently logged in user, or as a third user. If this ability is not controlled very carefully, it could provide a network user with the ability to execute arbitrary code under another user context.
Fix: Remove the RunAs value to restore the user context to that of the calling user.

Remove the RunAs value as follows:

  1. 1. From the Start menu, choose Run.
  2. 2. Type regedt32 and click OK. This opens the Registry Editor.
  3. 3. Navigate to HKEY_LOCAL_MACHINE\Software\Classes\AppID.
  4. 4. Locate the subkey which has had the RunAs value inserted.
  5. 5. Remove the RunAs value.
Additional Info: {99169CB0-A707-11d0-989D-00C04FD919C1}
Vulnerability: DCOM RunAs Value Altered Severity: Medium
Description: The DCOM RunAs Value was found to be altered. DCOM calls are executed under the security context of the calling user by default. If the RunAs key has been altered, the DCOM calls can be executed under the user context of the currently logged in user, or as a third user. If this ability is not controlled very carefully, it could provide a network user with the ability to execute arbitrary code under another user context.
Fix: Remove the RunAs value to restore the user context to that of the calling user.

Remove the RunAs value as follows:

  1. 1. From the Start menu, choose Run.
  2. 2. Type regedt32 and click OK. This opens the Registry Editor.
  3. 3. Navigate to HKEY_LOCAL_MACHINE\Software\Classes\AppID.
  4. 4. Locate the subkey which has had the RunAs value inserted.
  5. 5. Remove the RunAs value.
Additional Info: mdm
Vulnerability: Regedit Is Associated With .reg Files Severity: Medium
Description: Regedit.exe was found associated with registry files.
Fix: Remove NOTEPAD association from the NT registry.

Remove association as follows as follows:

  1. 1. From the Start menu, choose Run.
  2. 2. Type regedt32 and click OK. This opens the Registry Editor.
  3. 3. Navigate to HKEY_LOCAL_MACHINE/Software/Classes/regfile/shell/open/command.
  4. 4. Edit your key value name to remove the notepad association.
Additional Info:
Vulnerability: DCOM RunAs Value Altered Severity: Medium
Description: The DCOM RunAs Value was found to be altered. DCOM calls are executed under the security context of the calling user by default. If the RunAs key has been altered, the DCOM calls can be executed under the user context of the currently logged in user, or as a third user. If this ability is not controlled very carefully, it could provide a network user with the ability to execute arbitrary code under another user context.
Fix: Remove the RunAs value to restore the user context to that of the calling user.

Remove the RunAs value as follows:

  1. 1. From the Start menu, choose Run.
  2. 2. Type regedt32 and click OK. This opens the Registry Editor.
  3. 3. Navigate to HKEY_LOCAL_MACHINE\Software\Classes\AppID.
  4. 4. Locate the subkey which has had the RunAs value inserted.
  5. 5. Remove the RunAs value.
Additional Info: {D97A6DA1-9C1C-11D0-9C3C-00A0C922E764}
Vulnerability: DCOM RunAs Value Altered Severity: Medium
Description: The DCOM RunAs Value was found to be altered. DCOM calls are executed under the security context of the calling user by default. If the RunAs key has been altered, the DCOM calls can be executed under the user context of the currently logged in user, or as a third user. If this ability is not controlled very carefully, it could provide a network user with the ability to execute arbitrary code under another user context.
Fix: Remove the RunAs value to restore the user context to that of the calling user.

Remove the RunAs value as follows:

  1. 1. From the Start menu, choose Run.
  2. 2. Type regedt32 and click OK. This opens the Registry Editor.
  3. 3. Navigate to HKEY_LOCAL_MACHINE\Software\Classes\AppID.
  4. 4. Locate the subkey which has had the RunAs value inserted.
  5. 5. Remove the RunAs value.
Additional Info: {D97A6DA1-9C1C-11D0-9C3C-00A0C922E764}
Vulnerability: DCOM RunAs Value Altered Severity: Medium
Description: The DCOM RunAs Value was found to be altered. DCOM calls are executed under the security context of the calling user by default. If the RunAs key has been altered, the DCOM calls can be executed under the user context of the currently logged in user, or as a third user. If this ability is not controlled very carefully, it could provide a network user with the ability to execute arbitrary code under another user context.
Fix: Remove the RunAs value to restore the user context to that of the calling user.

Remove the RunAs value as follows:

  1. 1. From the Start menu, choose Run.
  2. 2. Type regedt32 and click OK. This opens the Registry Editor.
  3. 3. Navigate to HKEY_LOCAL_MACHINE\Software\Classes\AppID.
  4. 4. Locate the subkey which has had the RunAs value inserted.
  5. 5. Remove the RunAs value.
Additional Info: {CBD759F3-76AA-11CF-BE3A-00AA00A2FA25}
Vulnerability: DCOM RunAs Value Altered Severity: Medium
Description: The DCOM RunAs Value was found to be altered. DCOM calls are executed under the security context of the calling user by default. If the RunAs key has been altered, the DCOM calls can be executed under the user context of the currently logged in user, or as a third user. If this ability is not controlled very carefully, it could provide a network user with the ability to execute arbitrary code under another user context.
Fix: Remove the RunAs value to restore the user context to that of the calling user.

Remove the RunAs value as follows:

  1. 1. From the Start menu, choose Run.
  2. 2. Type regedt32 and click OK. This opens the Registry Editor.
  3. 3. Navigate to HKEY_LOCAL_MACHINE\Software\Classes\AppID.
  4. 4. Locate the subkey which has had the RunAs value inserted.
  5. 5. Remove the RunAs value.
Additional Info: {B1CE7318-848F-11D0-8D13-00C04FC2E0C7}
Vulnerability: DCOM RunAs Value Altered Severity: Medium
Description: The DCOM RunAs Value was found to be altered. DCOM calls are executed under the security context of the calling user by default. If the RunAs key has been altered, the DCOM calls can be executed under the user context of the currently logged in user, or as a third user. If this ability is not controlled very carefully, it could provide a network user with the ability to execute arbitrary code under another user context.
Fix: Remove the RunAs value to restore the user context to that of the calling user.

Remove the RunAs value as follows:

  1. 1. From the Start menu, choose Run.
  2. 2. Type regedt32 and click OK. This opens the Registry Editor.
  3. 3. Navigate to HKEY_LOCAL_MACHINE\Software\Classes\AppID.
  4. 4. Locate the subkey which has had the RunAs value inserted.
  5. 5. Remove the RunAs value.
Additional Info: {B1CE7318-848F-11D0-8D13-00C04FC2E0C7}
Vulnerability: DCOM RunAs Value Altered Severity: Medium
Description: The DCOM RunAs Value was found to be altered. DCOM calls are executed under the security context of the calling user by default. If the RunAs key has been altered, the DCOM calls can be executed under the user context of the currently logged in user, or as a third user. If this ability is not controlled very carefully, it could provide a network user with the ability to execute arbitrary code under another user context.
Fix: Remove the RunAs value to restore the user context to that of the calling user.

Remove the RunAs value as follows:

  1. 1. From the Start menu, choose Run.
  2. 2. Type regedt32 and click OK. This opens the Registry Editor.
  3. 3. Navigate to HKEY_LOCAL_MACHINE\Software\Classes\AppID.
  4. 4. Locate the subkey which has had the RunAs value inserted.
  5. 5. Remove the RunAs value.
Additional Info: {ADA44581-02C1-11D1-804A-0000F8036614}
Vulnerability: DCOM RunAs Value Altered Severity: Medium
Description: The DCOM RunAs Value was found to be altered. DCOM calls are executed under the security context of the calling user by default. If the RunAs key has been altered, the DCOM calls can be executed under the user context of the currently logged in user, or as a third user. If this ability is not controlled very carefully, it could provide a network user with the ability to execute arbitrary code under another user context.
Fix: Remove the RunAs value to restore the user context to that of the calling user.

Remove the RunAs value as follows:

  1. 1. From the Start menu, choose Run.
  2. 2. Type regedt32 and click OK. This opens the Registry Editor.
  3. 3. Navigate to HKEY_LOCAL_MACHINE\Software\Classes\AppID.
  4. 4. Locate the subkey which has had the RunAs value inserted.
  5. 5. Remove the RunAs value.
Additional Info: {ADA44581-02C1-11D1-804A-0000F8036614}
Vulnerability: DCOM RunAs Value Altered Severity: Medium
Description: The DCOM RunAs Value was found to be altered. DCOM calls are executed under the security context of the calling user by default. If the RunAs key has been altered, the DCOM calls can be executed under the user context of the currently logged in user, or as a third user. If this ability is not controlled very carefully, it could provide a network user with the ability to execute arbitrary code under another user context.
Fix: Remove the RunAs value to restore the user context to that of the calling user.

Remove the RunAs value as follows:

  1. 1. From the Start menu, choose Run.
  2. 2. Type regedt32 and click OK. This opens the Registry Editor.
  3. 3. Navigate to HKEY_LOCAL_MACHINE\Software\Classes\AppID.
  4. 4. Locate the subkey which has had the RunAs value inserted.
  5. 5. Remove the RunAs value.
Additional Info: {CBD759F3-76AA-11CF-BE3A-00AA00A2FA25}
Vulnerability: DCOM RunAs Value Altered Severity: Medium
Description: The DCOM RunAs Value was found to be altered. DCOM calls are executed under the security context of the calling user by default. If the RunAs key has been altered, the DCOM calls can be executed under the user context of the currently logged in user, or as a third user. If this ability is not controlled very carefully, it could provide a network user with the ability to execute arbitrary code under another user context.
Fix: Remove the RunAs value to restore the user context to that of the calling user.

Remove the RunAs value as follows:

  1. 1. From the Start menu, choose Run.
  2. 2. Type regedt32 and click OK. This opens the Registry Editor.
  3. 3. Navigate to HKEY_LOCAL_MACHINE\Software\Classes\AppID.
  4. 4. Locate the subkey which has had the RunAs value inserted.
  5. 5. Remove the RunAs value.
Additional Info: Microsoft Script Debugger
Vulnerability: DCOM RunAs Value Altered Severity: Medium
Description: The DCOM RunAs Value was found to be altered. DCOM calls are executed under the security context of the calling user by default. If the RunAs key has been altered, the DCOM calls can be executed under the user context of the currently logged in user, or as a third user. If this ability is not controlled very carefully, it could provide a network user with the ability to execute arbitrary code under another user context.
Fix: Remove the RunAs value to restore the user context to that of the calling user.

Remove the RunAs value as follows:

  1. 1. From the Start menu, choose Run.
  2. 2. Type regedt32 and click OK. This opens the Registry Editor.
  3. 3. Navigate to HKEY_LOCAL_MACHINE\Software\Classes\AppID.
  4. 4. Locate the subkey which has had the RunAs value inserted.
  5. 5. Remove the RunAs value.
Additional Info: {A87F84D0-7A74-11D0-B216-080000185165}
Vulnerability: A user's password never expires Severity: Low
Description: A user's password never expires. If there is no expiration, and the password is cracked, it is never changed. This is a risk because it allows unauthorized access to your system appear as authorized access.
Fix: Set the userÆs password to expire in 42 days.

Set the userÆs password as follows:

  1. 1. From the Start menu, choose Programs, Administrative Tools (Common), User Manager.
  2. 2. Select the account.
  3. 3. From the Policies menu, choose UserÆs Rights.
  4. 4. Under Minimum Password Age, set the value to 42 days.
Additional Info: Guest
Vulnerability: Missing PowerPoint Security Patch Severity: Low
Description: This check detected the absence of the PowerPoint security patch. If missing, Internet Explorer will execute an application from within PowerPoint without warning the user.
Fix: Apply the PowerPoint (PP) security patch.

Apply the PP patch as follows:

  1. 1. Open Netscape Navigator or Internet Explorer.
  2. 2. Enter this URL: http://www.microsoft.com/msdownload/iesecurity/iepptsecurity.htm.
  3. 3. Download the PPTWarn.exe patch.
Additional Info:
Vulnerability: Unknown NT Service Severity: Low
Description: A service was found which was not known to ship with Windows NT. Services can be used to install back doors, or provide unauthorized network access. Any service which is not approved by your security policy should be removed.
Fix: Use instsrv from the Windows NT Resource Kit to remove the unwanted service.

Remove the service as follows:

  1. 1. From the Start menu, choose Run.
  2. 2. Type cmd and click OK. This opens the command line.
  3. 3. At a command prompt, type instsrv [service name] remove and press <ENTER>.
  4. 4. Type exit and press <ENTER> to return to windows.
Additional Info: dRMON SmartAgent
Vulnerability: Unknown NT Service Severity: Low
Description: A service was found which was not known to ship with Windows NT. Services can be used to install back doors, or provide unauthorized network access. Any service which is not approved by your security policy should be removed.
Fix: Use instsrv from the Windows NT Resource Kit to remove the unwanted service.

Remove the service as follows:

  1. 1. From the Start menu, choose Run.
  2. 2. Type cmd and click OK. This opens the command line.
  3. 3. At a command prompt, type instsrv [service name] remove and press <ENTER>.
  4. 4. Type exit and press <ENTER> to return to windows.
Additional Info: IISADMIN
Vulnerability: Windows NT Messenger service running Severity: Low
Description: The Windows NT Messenger service enables a user to send pop-up messages to other users, which could be used for social engineering attacks. A side effect of running this service is that it causes the name of the current user to be broadcast in the NetBIOS name table, which gives the attacker a valid user name to use in Brute Force attempts.
Fix: Disable the Messenger service.

Disable the Messenger service as follows:

  1. 1. From the Start menu, choose Settings, Control Panel, Services.
  2. 2. Under Services, select Messenger.
  3. 3. Click Stop.
Additional Info:
Vulnerability: A user's password never expires Severity: Low
Description: A user's password never expires. If there is no expiration, and the password is cracked, it is never changed. This is a risk because it allows unauthorized access to your system appear as authorized access.
Fix: Set the userÆs password to expire in 42 days.

Set the userÆs password as follows:

  1. 1. From the Start menu, choose Programs, Administrative Tools (Common), User Manager.
  2. 2. Select the account.
  3. 3. From the Policies menu, choose UserÆs Rights.
  4. 4. Under Minimum Password Age, set the value to 42 days.
Additional Info: isssupport
Vulnerability: Policy Auditing not Enabled Severity: Low
Description: Policy Auditing is not enabled. Policy auditing records when security policy changes are made. Since these events are highly sensitive, it is recommended that these events always be audited.
Fix: Enable Security Policy Changes auditing.

Enable auditing as follows:

  1. 1. From the Start menu, choose Programs, Administrative Tools (Common), User Manager.
  2. 2. Select the account.
  3. 3. From the Policies menu, choose Audit.
  4. 4. Enable Security Policy Changes auditing on Success and Failure.
Additional Info: Success
Vulnerability: URL Security Zone active scripting Severity: Low
Description: Allows script code embedded in HTML pages within the URL security zoneIE_Security_Zones to be able to use embedded objects (such as ActiveX or Java), provided that the applets expose properties, methods, and events. The browser may automatically execute potentially malicious scripts.
Fix: Disable 'Active scripting' in IE 4.x.

Disable æActive scripting' as follows:

  1. 1. Open Internet Explorer 4.x.
  2. 2. From the View menu, choose Internet Options.
  3. 3. Click the Security tab.
  4. 4. Under Internet Zone, click Custom (for expert users).
  5. 5. Click Settings.
  6. 6. Under Scripting, navigate to Active scripting.
  7. 7. Click Disable.
  8. 8. Click OK.
Additional Info: Restricted sites zone
Vulnerability: One or more Office 97 files are out of date. Severity: Low
Description: The indicated file is known to have security risks.
Fix: Download the most recent Office patch from http://www.microsoft.com/office.
Additional Info: C:\Program Files\Microsoft Office\Office\Winword.exe
Vulnerability: Windows NT Remote Access service running Severity: Low
Description: Remote Access services were discovered. These services provide users dial-in/out capabilities. These services may bypass required security mechanisms and provide network access to attackers.
Fix: Disable dial-in for remote access services or uninstall the services.

Remove dial-in on Remote Access services as follows:

  1. 1. From the Start menu, select Settings, Control Panel, Network.
  2. 2. On the Services tab, select one of the Remote Access services.
  3. 3. Select Properties and click Configure.
  4. 4. Disable dial-in.
  5. 5. Repeat for other Remote Access services.

-OR-

Uninstall the services as follows:

  1. 1. From the Start menu, select Settings, Control Panel, Services.
  2. 2. Select each of the Remote Access services and click the Stop button.
  3. 3. Also click Disable to stop the service from restarting at the next reboot.
Additional Info:
Vulnerability: URL Security Zone scripting safe Active X controls. Severity: Low
Description: Allows ActiveX controls marked as safe to be scripted from the URL security zoneIE_Security_Zones of the HTML page that contains the script. Potentially malicious scripts containing ActiveX controls may be automatically executed by the browser.
Fix: Disable 'Download unsigned Active X controls' on IE 4.x.

Disable æScript Active X controls marked safe for scriptingÆ as follows:

  1. 1. Open Internet Explorer 4.x.
  2. 2. From the View menu, choose Internet Options.
  3. 3. Click the Security tab.
  4. 4. Under Internet Zone, click Custom (for expert users).
  5. 5. Click Settings.
  6. 6. Under ActiveX Controls and plugins, navigate to Script Active X controls marked safe for scripting.
  7. 7. Click Disable.
  8. 8. Click OK.
Additional Info: Restricted sites zone
Vulnerability: URL Security Zone active scripting Severity: Low
Description: Allows script code embedded in HTML pages within the URL security zoneIE_Security_Zones to be able to use embedded objects (such as ActiveX or Java), provided that the applets expose properties, methods, and events. The browser may automatically execute potentially malicious scripts.
Fix: Disable 'Active scripting' in IE 4.x.

Disable æActive scripting' as follows:

  1. 1. Open Internet Explorer 4.x.
  2. 2. From the View menu, choose Internet Options.
  3. 3. Click the Security tab.
  4. 4. Under Internet Zone, click Custom (for expert users).
  5. 5. Click Settings.
  6. 6. Under Scripting, navigate to Active scripting.
  7. 7. Click Disable.
  8. 8. Click OK.
Additional Info: Internet zone
Vulnerability: URL Security Zone java scripting Severity: Low
Description: Allows script code embedded in HTML pages within the URL security zoneIE_Security_Zones to be able to use Java applets, provided that the applets expose properties, methods, and events. The browser may automatically execute potentially malicious Java applets or scripts.
Fix: Disable 'Scripting of Java applets' in IE 4.x.

Disable æScripting of Java applets' as follows:

  1. 1. Open Internet Explorer 4.x.
  2. 2. From the View menu, choose Internet Options.
  3. 3. Click the Security tab.
  4. 4. Under Internet Zone, click Custom (for expert users).
  5. 5. Click Settings.
  6. 6. Under Scripting, navigate to Scripting of Java applets.
  7. 7. Click Disable.
  8. 8. Click OK.
Additional Info: Internet zone
Vulnerability: Policy Auditing not Enabled Severity: Low
Description: Policy Auditing is not enabled. Policy auditing records when security policy changes are made. Since these events are highly sensitive, it is recommended that these events always be audited.
Fix: Enable Security Policy Changes auditing.

Enable auditing as follows:

  1. 1. From the Start menu, choose Programs, Administrative Tools (Common), User Manager.
  2. 2. Select the account.
  3. 3. From the Policies menu, choose Audit.
  4. 4. Enable Security Policy Changes auditing on Success and Failure.
Additional Info: Failure
Vulnerability: Outlook long file name patch not applied Severity: Low
Description: This patch fixes a problem that can crash Outlook when recieving files with long file names. See security bulletin MS98-008 for details.
Fix: Apply the patch indicated in MS98-008.

Apply the patch as follows:

  1. 1. Open Netscape Navigator or Internet Explorer.
  2. 2. Enter this URL: http://www.microsoft.com/security/.
  3. 3. Click on MS98-08.
  4. 4. Under What Microsoft is Doing, select the patch appropriate for your system.
  5. 5. Follow the instructions.
Additional Info: C:\Program Files\Outlook Express\msimnui.dll
Vulnerability: Process Auditing not Enabled Severity: Low
Description: Process Auditing is not enabled. Process auditing records when processes are started and stopped. Auditing these events typically produces a large number of event logs, and is not normally enabled.
Fix: Enable Process Tracking auditing.

Enable auditing as follows:

  1. 1. From the Start menu, choose Programs, Administrative Tools (Common), User Manager.
  2. 2. Select the account.
  3. 3. From the Policies menu, choose Audit.
  4. 4. Enable Process Tracking auditing on Success and Failure.
Additional Info: Failure
Vulnerability: Unauthorized user can debug programs. Severity: Low
Description: Without this patch, unauthorized user may run published exploit tools to debug and crash programs. See security bulletin MS98-009 for details.
Fix: Apply the patch indicated in MS98-009.

Apply the patch as follows:

  1. 1. Open Netscape Navigator or Internet Explorer.
  2. 2. Enter this URL: http://www.microsoft.com/security/.
  3. 3. Click on MS98-09.
  4. 4. Under What Microsoft is Doing, select the patch appropriate for your system.
  5. 5. Follow the instructions.
Additional Info: C:\WINNT\system32\csrsrv.dll
Vulnerability: Privilege Auditing not Enabled Severity: Low
Description: Privilege Auditing is not enabled. Privilege auditing records when any user rights (such as the right to backup and restore files) are granted to a user or process.
Fix: Enable Use of User Rights auditing.

Enable auditing as follows:

  1. 1. From the Start menu, choose Programs, Administrative Tools (Common), User Manager.
  2. 2. Select the account.
  3. 3. From the Policies menu, choose Audit.
  4. 4. Enable Use of User Rights auditing on Success and Failure.
Additional Info: Failure
Vulnerability: No Anti-virus Software Installed. Severity: Low
Description: S3/Win did not detect the installation of popular anti-virus software. This version of S3/Win detects the following A-V packages: Norton AntiVirus, McAfee VirusScan, Incoulan (95 only), Dr. Solomon (95 only), IBM AntiVirus.
Fix: Install an anti-virus or disable this check.
Additional Info:
Vulnerability: URL Security Zone scripting safe Active X controls. Severity: Low
Description: Allows ActiveX controls marked as safe to be scripted from the URL security zoneIE_Security_Zones of the HTML page that contains the script. Potentially malicious scripts containing ActiveX controls may be automatically executed by the browser.
Fix: Disable 'Download unsigned Active X controls' on IE 4.x.

Disable æScript Active X controls marked safe for scriptingÆ as follows:

  1. 1. Open Internet Explorer 4.x.
  2. 2. From the View menu, choose Internet Options.
  3. 3. Click the Security tab.
  4. 4. Under Internet Zone, click Custom (for expert users).
  5. 5. Click Settings.
  6. 6. Under ActiveX Controls and plugins, navigate to Script Active X controls marked safe for scripting.
  7. 7. Click Disable.
  8. 8. Click OK.
Additional Info: Internet zone
Vulnerability: Missing PowerPoint Security Patch Severity: Low
Description: This check detected the absence of the PowerPoint security patch. If missing, Internet Explorer will execute an application from within PowerPoint without warning the user.
Fix: Apply the PowerPoint (PP) security patch.

Apply the PP patch as follows:

  1. 1. Open Netscape Navigator or Internet Explorer.
  2. 2. Enter this URL: http://www.microsoft.com/msdownload/iesecurity/iepptsecurity.htm.
  3. 3. Download the PPTWarn.exe patch.
Additional Info: C:\WINNT\inf\PPTWarn.inf
Vulnerability: Account Management Auditing not Enabled Severity: Low
Description: Account Management Auditing is not enabled. Account Management auditing records when new users and groups are created or changed. Since these events are highly sensitive, it is recommended that these events always be audited.
Fix: Enable User and Group Management auditing.

Enable auditing as follows:

  1. 1. From the Start menu, choose Programs, Administrative Tools (Common), User Manager.
  2. 2. Select the account.
  3. 3. From the Policies menu, choose Audit.
  4. 4. Enable User and Group Management auditing on Success and Failure.
Additional Info: Success
Vulnerability: URL Security Zone file download Severity: Low
Description: Allows files to be downloaded directly from the URL security zoneIE_Security_Zones of the HTML page containing the download link. A potentially malicious or virus-infected program may be received without the user's knowledge.
Fix: Disable æFile download' on IE 4.x.

Disable æFile downloadÆ as follows:

  1. 1. Open Internet Explorer 4.x.
  2. 2. From the View menu, choose Internet Options.
  3. 3. Click the Security tab.
  4. 4. Under Internet Zone, click Custom (for expert users).
  5. 5. Click Settings.
  6. 6. Under Downloads, navigate to File Download.
  7. 7. Click Disable.
  8. 8. Click OK.
Additional Info: Internet zone
Vulnerability: Logon Auditing not Enabled Severity: Low
Description: Logon Auditing is not enabled. It is important to audit logon and logoff success and failure to be able to detect and track unauthorized access attempts.
Fix: Enable Logon and Logoff auditing.

Enable auditing as follows:

  1. 1. From the Start menu, choose Programs, Administrative Tools (Common), User Manager.
  2. 2. Select the account.
  3. 3. From the Policies menu, choose Audit.
  4. 4. Enable Logon and Logoff auditing on Success and Failure.
Additional Info: Success
Vulnerability: Account Management Auditing not Enabled Severity: Low
Description: Account Management Auditing is not enabled. Account Management auditing records when new users and groups are created or changed. Since these events are highly sensitive, it is recommended that these events always be audited.
Fix: Enable User and Group Management auditing.

Enable auditing as follows:

  1. 1. From the Start menu, choose Programs, Administrative Tools (Common), User Manager.
  2. 2. Select the account.
  3. 3. From the Policies menu, choose Audit.
  4. 4. Enable User and Group Management auditing on Success and Failure.
Additional Info: Failure
Vulnerability: Multihomed Host Severity: Low
Description: The Scanner has detected that the host has more than one network card installed. Under ordinary circumstances, this is not considered a serious risk. If the host is placed outside the firewall, it could provide an entry point for an intruder. Note - this vulnerability was determined by reading the Windows NT registry.
Fix: If multihomed hosts are outside of your security policy, remove the additional network adapter.

Additional Info:
Vulnerability: Page File not Cleared at Shutdown Severity: Low
Description: The Windows NT pagefile can contain sensitive information, and should be cleared upon shutdown if required by your security policy. Some versions of the Netware authentication module will store the user name and password in clear-text, and this can be extracted from the pagefile.
Fix: Activate the ClearPageFileAtShutdown value.

Activate the ClearPageFileAtShutdown value as follows:

  1. 1. From the Start menu, choose Run.
  2. 2. Type regedt32 and click OK. This opens the Registry Editor.
  3. 3. Navigate to HKLM\System\CurrentControlSet\Services\SNMP\Parameters\ExtensionAgents.
  4. 4. Locate the 'ClearPageFileAtShutdown' value, and set it to 1.
Additional Info:
Vulnerability: Posix Enabled Severity: Low
Description: Windows NT was C2 evaluated with the POSIX subsystem disabled. Enabling the POSIX subsystem can also subject a host to trojan horse attacks, since it is possible to create a file with a lower case name which will be found in a search prior to a file with an upper case name.
Fix: Remove the POSIX value.

Remove the POSIX value as follows:

  1. 1. From the Start menu, choose Run.
  2. 2. Type regedt32 and click OK. This opens the Registry Editor.
  3. 3. Navigate to HSystem\CurrentControlSet\Control\Session Manager\SubSystems.
  4. 4. Remove the POSIX value, and the file which is pointed to be the value data.
Additional Info:
Vulnerability: OS/2 Subsystem Enabled Severity: Low
Description: Windows NT was C2 evaluated with the OS/2 subsystem disabled. Enabling the OS/2 subsystem can allow a process to persist across logins.
Fix: Remove the Os2 value from the NT registry.

Remove the Os2 value as follows:

  1. 1. From the Start menu, choose Run.
  2. 2. Type regedt32 and click OK. This opens the Registry Editor.
  3. 3. Navigate to HSystem\CurrentControlSet\Control\Session Manager\SubSystems.
  4. 4. Remove the Os2 value, and the file which is pointed to be the value data.
Additional Info:
Vulnerability: Lan Manager Security Severity: Low
Description: LAN Manager-style hashes are enabled for network authentication. LM hashes are relatively easily broken through a brute force attack, and the stronger Windows NT style hashes should be used. For more information see the online help topic entitled LAN Manager Security.
Fix: Apply Windows NT 4.0 Service Pack 3 (SP3) and apply the lm-fix.

Apply SP3 as follows:

  1. 1. From the Start menu, choose Run.
  2. 2. Type ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/ ' and click OK.
  3. 3. Choose the desired country abbreviation.
  4. 4. Choose nt40/.
  5. 5. Choose ussp3/ or sp3/
  6. 6. Choose i386/nt4sp3_1.exe for an Intel processor or ALPHA/nt4sp3_a.exe for an Alpha processor.

-AND-

Apply the lm-fix as follows:

  1. 1. From the Start menu, choose Run.
  2. 2. Type ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/lm-fix/ and press ENTER.
  3. 3. View the README.TXT for patch version and execution.
Additional Info:
Vulnerability: A user's password never expires Severity: Low
Description: A user's password never expires. If there is no expiration, and the password is cracked, it is never changed. This is a risk because it allows unauthorized access to your system appear as authorized access.
Fix: Set the userÆs password to expire in 42 days.

Set the userÆs password as follows:

  1. 1. From the Start menu, choose Programs, Administrative Tools (Common), User Manager.
  2. 2. Select the account.
  3. 3. From the Policies menu, choose UserÆs Rights.
  4. 4. Under Minimum Password Age, set the value to 42 days.
Additional Info: IUSR_SAMCURE!
Vulnerability: A user's password never expires Severity: Low
Description: A user's password never expires. If there is no expiration, and the password is cracked, it is never changed. This is a risk because it allows unauthorized access to your system appear as authorized access.
Fix: Set the userÆs password to expire in 42 days.

Set the userÆs password as follows:

  1. 1. From the Start menu, choose Programs, Administrative Tools (Common), User Manager.
  2. 2. Select the account.
  3. 3. From the Policies menu, choose UserÆs Rights.
  4. 4. Under Minimum Password Age, set the value to 42 days.
Additional Info: IWAM_SAMCURE!
Vulnerability: User never logged on Severity: Low
Description: The shown user has never logged on. If this is a new account, you may ignore the message. If it is an old account, it should be considered dormant.
Fix: Set the userÆs password to expire in 42 days.

Assign the userÆs password as follows:

  1. 1. From the Start menu, choose Programs, Administrative Tools (Common), User Manager.
  2. 2. Select the account.
  3. 3. From the User menu, choose Delete.
  4. 4. Verify by clicking OK.
Additional Info: IWAM_SAMCURE!
Vulnerability: NetBIOS share found Severity: Low
Description: This vulnerability indicates that a NetBIOS share has been found. If the share has the proper access controls, this is a very low risk vulnerability.
Fix: Correct the share permissions or remove the share.

LOCAL MACHINE:

Set the permissions explicitly as follows:

  1. 1. Navigate to the share in Windows Explorer.
  2. 2. Right-click on the share, select Properties.
  3. 3. Under the Sharing tab, review the permissions.
  4. 4. Allow access only to approved users.
  5. 5. Click OK.

-OR-

Open the command line, remove the share as follows:

  1. 1. From the Start menu, select Run.
  2. 2. Type cmd, then click OK. This opens the command line.
  3. 3. Type net share sharename /delete, where sharename is the name of the share.
  4. 4. Type exit to return to the Windows NT desktop.

REMOTE HOST (GUI):

Remove the share as follows:

  1. 1. From the Start menu, select Programs, Administrative Tools (Common), Server Manager.
  2. 2. Select the host. From the Computer menu, select Shared Directories.
  3. 3. Select the share and click Stop Sharing.
Additional Info: C$
Vulnerability: System Auditing not Enabled Severity: Low
Description: System Event Auditing is not enabled. System events include startup and shutdown.
Fix: Enable Restart, Shutdown, and System auditing.

Enable auditing as follows:

  1. 1. From the Start menu, choose Programs, Administrative Tools (Common), User Manager.
  2. 2. Select the account.
  3. 3. From the Policies menu, choose Audit.
  4. 4. Enable Restart, Shutdown, and System auditing on Success and Failure.
Additional Info: Failure
Vulnerability: Performance Monitor Readable Severity: Low
Description: The permissions on the Software\Microsoft\Windows NT\CurrentVersion\Perflib key are incorrect. This allows non-administrators to read performance counters, and monitor which processes are running. Under NT 4.0, registry access from the network can be denied completely.
Fix: Restrict registry access and/or reset permissions.

Restrict registry access as follows:

  1. 1. From the Start menu, choose Run.
  2. 2. Type regedt32 and click OK. This opens the Registry Editor.
  3. 3. Navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Perflib.
  4. 4. From the Security menu, choose Permissions.
  5. 5. Verify that the permissions allow write access to Administrators and System.
Additional Info:
Vulnerability: Logon Auditing not Enabled Severity: Low
Description: Logon Auditing is not enabled. It is important to audit logon and logoff success and failure to be able to detect and track unauthorized access attempts.
Fix: Enable Logon and Logoff auditing.

Enable auditing as follows:

  1. 1. From the Start menu, choose Programs, Administrative Tools (Common), User Manager.
  2. 2. Select the account.
  3. 3. From the Policies menu, choose Audit.
  4. 4. Enable Logon and Logoff auditing on Success and Failure.
Additional Info: Failure
Vulnerability: Object Auditing not Enabled Severity: Low
Description: Object Auditing is not enabled. Object access includes files and registry keys. Auditing of these events must be enabled both by the security descriptor on the object and in the auditing settings.
Fix: Enable File and Object Access auditing.

Enable auditing as follows:

  1. 1. From the Start menu, choose Programs, Administrative Tools (Common), User Manager.
  2. 2. Select the account.
  3. 3. From the Policies menu, choose Audit.
  4. 4. Enable File and Object Access auditing on Success and Failure.
Additional Info: Success
Vulnerability: Object Auditing not Enabled Severity: Low
Description: Object Auditing is not enabled. Object access includes files and registry keys. Auditing of these events must be enabled both by the security descriptor on the object and in the auditing settings.
Fix: Enable File and Object Access auditing.

Enable auditing as follows:

  1. 1. From the Start menu, choose Programs, Administrative Tools (Common), User Manager.
  2. 2. Select the account.
  3. 3. From the Policies menu, choose Audit.
  4. 4. Enable File and Object Access auditing on Success and Failure.
Additional Info: Failure
Vulnerability: Privilege Auditing not Enabled Severity: Low
Description: Privilege Auditing is not enabled. Privilege auditing records when any user rights (such as the right to backup and restore files) are granted to a user or process.
Fix: Enable Use of User Rights auditing.

Enable auditing as follows:

  1. 1. From the Start menu, choose Programs, Administrative Tools (Common), User Manager.
  2. 2. Select the account.
  3. 3. From the Policies menu, choose Audit.
  4. 4. Enable Use of User Rights auditing on Success and Failure.
Additional Info: Success
Vulnerability: DCOM RunAs Value Writeable Severity: Low
Description: The DCOM RunAs Value was found to be writeable. DCOM calls are executed under the security context of the calling user by default. If the RunAs key has been altered, the DCOM calls can be executed under the user context of the currently logged in user, or as a third user. If this ability is not controlled very carefully, it could provide a network user with the ability to execute arbitrary code under another user context. The RunAs key is writeable by the Interactive (console) user by default, which implies that if the console user were tricked into executing a trojan which altered the registry, or if someone other than the normal user were to log on locally, then DCOM calls could be executed under the console user's context by a remote user. If the console user was of a higher access level than the network user, a security breach could result.
Fix: Remove Interactive User write access to the AppID Key in the NT registry.

Remove write access as follows:

  1. 1. From the Start menu, choose Run.
  2. 2. Type regedt32 and click OK. This opens the Registry Editor.
  3. 3. Navigate to HKEY_LOCAL_MACHINE\Software\Classes\AppID.
  4. 4. From the Security menu, choose Permissions.
  5. 5. Remove Interactive user write permissions and propagate these permissions down that portion of the registry tree.
Additional Info: Software\Classes\AppID
Vulnerability: DCOM is Enabled. Severity: Low
Description: DCOM was found to be enabled. DCOM may be used to execute programs remotely.
Fix: Disable DCOM in the NT regietry.

Disable DCOM as follows:

  1. 1. From the Start menu, choose Run.
  2. 2. Type regedt32 and click OK. This opens the Registry Editor.
  3. 3. Navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Ole.
  4. 4. Open the EnableDCOM key and change the value to N.
  5. 5. Click OK.
Additional Info:
Vulnerability: NetBIOS share found Severity: Low
Description: This vulnerability indicates that a NetBIOS share has been found. If the share has the proper access controls, this is a very low risk vulnerability.
Fix: Correct the share permissions or remove the share.

LOCAL MACHINE:

Set the permissions explicitly as follows:

  1. 1. Navigate to the share in Windows Explorer.
  2. 2. Right-click on the share, select Properties.
  3. 3. Under the Sharing tab, review the permissions.
  4. 4. Allow access only to approved users.
  5. 5. Click OK.

-OR-

Open the command line, remove the share as follows:

  1. 1. From the Start menu, select Run.
  2. 2. Type cmd, then click OK. This opens the command line.
  3. 3. Type net share sharename /delete, where sharename is the name of the share.
  4. 4. Type exit to return to the Windows NT desktop.

REMOTE HOST (GUI):

Remove the share as follows:

  1. 1. From the Start menu, select Programs, Administrative Tools (Common), Server Manager.
  2. 2. Select the host. From the Computer menu, select Shared Directories.
  3. 3. Select the share and click Stop Sharing.
Additional Info: ADMIN$
Vulnerability: NetBIOS share found Severity: Low
Description: This vulnerability indicates that a NetBIOS share has been found. If the share has the proper access controls, this is a very low risk vulnerability.
Fix: Correct the share permissions or remove the share.

LOCAL MACHINE:

Set the permissions explicitly as follows:

  1. 1. Navigate to the share in Windows Explorer.
  2. 2. Right-click on the share, select Properties.
  3. 3. Under the Sharing tab, review the permissions.
  4. 4. Allow access only to approved users.
  5. 5. Click OK.

-OR-

Open the command line, remove the share as follows:

  1. 1. From the Start menu, select Run.
  2. 2. Type cmd, then click OK. This opens the command line.
  3. 3. Type net share sharename /delete, where sharename is the name of the share.
  4. 4. Type exit to return to the Windows NT desktop.

REMOTE HOST (GUI):

Remove the share as follows:

  1. 1. From the Start menu, select Programs, Administrative Tools (Common), Server Manager.
  2. 2. Select the host. From the Computer menu, select Shared Directories.
  3. 3. Select the share and click Stop Sharing.
Additional Info: E
Vulnerability: Process Auditing not Enabled Severity: Low
Description: Process Auditing is not enabled. Process auditing records when processes are started and stopped. Auditing these events typically produces a large number of event logs, and is not normally enabled.
Fix: Enable Process Tracking auditing.

Enable auditing as follows:

  1. 1. From the Start menu, choose Programs, Administrative Tools (Common), User Manager.
  2. 2. Select the account.
  3. 3. From the Policies menu, choose Audit.
  4. 4. Enable Process Tracking auditing on Success and Failure.
Additional Info: Success
Vulnerability: System Auditing not Enabled Severity: Low
Description: System Event Auditing is not enabled. System events include startup and shutdown.
Fix: Enable Restart, Shutdown, and System auditing.

Enable auditing as follows:

  1. 1. From the Start menu, choose Programs, Administrative Tools (Common), User Manager.
  2. 2. Select the account.
  3. 3. From the Policies menu, choose Audit.
  4. 4. Enable Restart, Shutdown, and System auditing on Success and Failure.
Additional Info: Success
Policy: Heavy
AllOn.gif Internet Protocol:
AllOn.gif Service Scan:
Scan ports:
Service port: 0
Max scan: 5
Scan always: Off
AllOn.gif FTP:
Check CD dot dot bug: On
AllFiles: On
CheckSite: On
CheckDir: On
AllOn.gif Browser:
AllOn.gif Internet Explorer:
AllOn.gif Netscape Navigator:
AllOn.gif Operating System:
AllOn.gif Denial of Service:
AllOn.gif OS Version:
AllOn.gif Registry Settings:
Auto Login: On
Base Key Permissions: On
Clear PageFile: On
DCOM RunAs: On
DCOM: On
GetAdmin: On
IP Routing: On
LM Auth: On
LSA Key: On
Minimum of default AutoRun drives: On
Multihomed: On
Multiple Protocols: On
OS/2 enabled: On
Performance Monitor: On
POSIX enabled: On
RAS: On
RAM Disk AutoRun: On
reg File Type Association: On
Remote Registry Access: On
Server Operations: On
SNMP NetBIOS: On
SNMP Public: On
WinKey Permissions: On
AllOn.gif User checks:
Audit policies:
Failure:
Account Management: On
Detailed Tracking: On
Logon: On
Object: On
Policy Change: On
Privilege Use: On
System: On
Success:
Account Management: On
Detailed Tracking: On
Logon: On
Object: On
Policy Change: On
Privilege Use: On
System: On
Flag administrator if named "Administrator": On
Guest account if enabled: On
Password checks:
Blank password: On
No password: On
Passwords in dictionary: On
Password is user's name: On
Password never expires: On
RAS callback number change: On
RAS dial in allowed: On
Days dormant: 365
AllOn.gif Share Checks:
Flag all Shares: On
Guest or Everyone write access: On
Insecure file system shared: On
NTFS share with Guest or Everyone write access: On
AllOn.gif NetBIOS:
Repair dir: On
Service list: On
NetBIOS browser: On
SomeOn.gif Application:
AllOn.gif MS Office:
AllOn.gif Virus Scanner:
AllOff.gif PWS:
AllOn.gif Baselines:
AllOn.gif Registry Scan:
Reset: Off
Audit settings: Off
Ownership: Off
Permissions: Off
Value data: On
Registry keys: R I HKCR\
AllOn.gif File Scan:
Reset: Off
Attributes: Off
Audit settings (NTFS only): Off
Content: On
Ownership (NTFS only): Off
Permissions (NTFS only): Off
Extensions: exe
dll
sys
ocx
scr
class
drv
cpl
vxd
pl
bas
com
Directories: R I C:\WINNT\System32
AllOn.gif Services:
Reset: Off
Application Services: On
Driver Services: On
AllOn.gif Processes:
Reset: Off
Common Run Key in Registry: On
Common Startup Folder: On
Load: On
Run: On
User-specific Run Key in Registry: On
User-specific Startup Folder: On
AllOn.gif User Scan:
Reset: Off
Group membership: On
Logon settings: On
RAS settings: On
User rights: On
AllOn.gif Group Scan:
Reset: Off
Group Rights: On
Users in group: On
AllOn.gif Share Scan:
Reset: Off
Hidden shares: On
Permissions of shared NTFS folder: On
Share permissions: On
Shared printers: On
SomeOn.gif Remote Access:
AllOn.gif Modems:
AllOff.gif pcANYWHERE32:
AllOff.gif Carbon Copy 32:
AllOff.gif Remotely Possible/32:
AllOff.gif LapLink:
AllOn.gif RAS:
AllOff.gif Passwords:
AllOff.gif Password Settings: