Assessment of Windows Host Configuration

OS Information Gathering

systeminfo
wmic computersystem get domainrole

0 - Standalone workstation
1 - Member workstation
2 - Standalone server
3 - Member server
4 - Domain controller

secedit /export /cfg cfg.ini > nul
net user administrator > netuseradmin.txt
auditpol.exe /get /category:* > auditpol.txt
netsh advfirewall show allprofiles > firewall.txt
net accounts > netaccount.txt
gpresult /f /h evid/gporesult.html > nul
accesschk /accepteula -q -a * > accesschk.txt

Simplify this process with Scgary!


User Right Assignment

type cfg.ini | grep "^SeAuditPrivilege\|^SeCreatePagefilePrivilege\|^SeRemoteShutdownPrivilege\|^SeRemoteInteractiveLogonRight\|^SeEnableDelegationPrivilege\|^SeLockMemoryPrivilege\|^SeDenyNetworkLogonRight\|^SeChangeNotifyPrivilege\|^SeDebugPrivilege\|^SeDenyBatchLogonRight\|^SeCreateGlobalPrivilege\|^SeShutdownPrivilege\|^SeIncreaseQuotaPrivilege\|^SeTrustedCredManAccessPrivilege\|^SeDenyInteractiveLogonRight\|^SeIncreaseBasePriorityPrivilege\|^SeIncreaseWorkingSetPrivilege\|^SeNetworkLogonRight\|^SeTcbPrivilege\|^SeImpersonatePrivilege\|^SeSecurityPrivilege\|^SeInteractiveLogonRight\|^SeUndockPrivilege\|^SeTakeOwnershipPrivilege"

CIS Recommendations:

Administrators (*S-1-5-32-544)

type cfg.ini | grep "^SeCreatePagefilePrivilege\|^SeRemoteShutdownPrivilege\|^SeRemoteInteractiveLogonRight\|^SeDebugPrivilege\|^SeShutdownPrivilege\|^SeIncreaseBasePriorityPrivilege\|^SeSecurityPrivilege\|^SeInteractiveLogonRight\|^SeUndockPrivilege\|^SeTakeOwnershipPrivilege"
  • Ability to create a pagefile (SeCreatePagefilePrivilege)
  • Ability to force a shutdown from a remote system (SeRemoteShutdownPrivilege)
  • Permission to log on through Remote Desktop Services (SeRemoteInteractiveLogonRight)
  • Ability to debug programs (SeDebugPrivilege)
  • Ability to shut down the system (SeShutdownPrivilege)
  • Ability to increase scheduling priority (SeIncreaseBasePriorityPrivilege)
  • Permission to manage auditing and the security log (SeSecurityPrivilege)
  • Permission to log on locally (SeInteractiveLogonRight)
  • Ability to remove the computer from a docking station (SeUndockPrivilege)
  • Ability to take ownership of files or other objects (SeTakeOwnershipPrivilege)

No One

type cfg.ini | grep "^SeEnableDelegationPrivilege\|^SeLockMemoryPrivilege\|^SeTrustedCredManAccessPrivilege\|^SeTcbPrivilege"
  • Ability to enable computer and user accounts to be trusted for delegation (SeEnableDelegationPrivilege)
  • Ability to lock pages in memory (SeLockMemoryPrivilege)
  • Permission to access Credential Manager as a trusted caller (SeTrustedCredManAccessPrivilege)
  • Ability to act as part of the operating system (SeTcbPrivilege)

Guest (*S-1-5-32-546)

type cfg.ini | grep "^SeDenyNetworkLogonRight\|^SeDenyBatchLogonRight\|^SeDenyInteractiveLogonRight"
  • No access to this computer from the network (SeDenyNetworkLogonRight)
  • No ability to log on as a batch job (SeDenyBatchLogonRight)
  • No ability to log on locally (SeDenyInteractiveLogonRight)

Administrators, Authenticated Users, Backup Operators, Local Service, Network Service
(*S-1-5-32-544, [Authenticated User], *S-1-5-32-551, *S-1-5-19, *S-1-5-20)

type cfg.ini | grep "^SeChangeNotifyPrivilege"
  • Permission to bypass traverse checking (SeChangeNotifyPrivilege)

Administrators, SERVICE, LOCAL SERVICE, NETWORK SERVICE
(*S-1-5-32-544, *S-1-5-6, *S-1-5-19, *S-1-5-20)

type cfg.ini | grep "^SeCreateGlobalPrivilege\|^SeImpersonatePrivilege"
  • Ability to create global objects (SeCreateGlobalPrivilege)
  • Ability to impersonate a client after authentication (SeImpersonatePrivilege)

Administrators, Local Service, Network Service (*S-1-5-32-544, *S-1-5-19, *S-1-5-20)

type cfg.ini | grep "^SeIncreaseQuotaPrivilege"
  • Ability to adjust memory quotas for a process (SeIncreaseQuotaPrivilege)

Administrators, Local Service (*S-1-5-32-544, *S-1-5-19)

type cfg.ini | grep "^SeIncreaseWorkingSetPrivilege"
  • Ability to increase a process working set (SeIncreaseWorkingSetPrivilege)

Local Service, Network Service (*S-1-5-19, *S-1-5-20)

type cfg.ini | grep "^SeAuditPrivilege"
  • Ability to generate security audits (SeAuditPrivilege)

Administrators, Authenticated Users (*S-1-5-32-544, [Authenticated User])

type cfg.ini | grep "^SeNetworkLogonRight"
  • Permission to access this computer from the network (SeNetworkLogonRight)

Well-known security identifiers: https://support.microsoft.com/en-us/kb/243330
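Instead of eyeballing the grep output against the CIS table above, the [Privilege Rights] section of the secedit export can be compared to the expected SID sets programmatically. The following is an added Python example, not part of the original page or of Scgary; the export text is constructed, Authenticated Users is taken as its well-known SID S-1-5-11 (the page leaves it as a placeholder), and a right that is absent from the export is treated as assigned to No One, which is how secedit represents an empty assignment.

```python
import configparser

# Well-known SIDs referenced by the CIS user-rights recommendations above.
ADMINISTRATORS, GUESTS, BACKUP_OPERATORS = "S-1-5-32-544", "S-1-5-32-546", "S-1-5-32-551"
SERVICE, LOCAL_SERVICE, NETWORK_SERVICE = "S-1-5-6", "S-1-5-19", "S-1-5-20"
AUTHENTICATED_USERS = "S-1-5-11"  # well-known SID; the page only writes [Authenticated User]

# Expected assignment per right. An empty set means "No One": secedit then
# omits the right from the export entirely, so "absent" must count as compliant.
CIS_USER_RIGHTS = {
    "SeDebugPrivilege": {ADMINISTRATORS},
    "SeTakeOwnershipPrivilege": {ADMINISTRATORS},
    "SeRemoteInteractiveLogonRight": {ADMINISTRATORS},
    "SeTcbPrivilege": set(),
    "SeEnableDelegationPrivilege": set(),
    "SeDenyNetworkLogonRight": {GUESTS},
    "SeChangeNotifyPrivilege": {ADMINISTRATORS, AUTHENTICATED_USERS, BACKUP_OPERATORS, LOCAL_SERVICE, NETWORK_SERVICE},
    "SeImpersonatePrivilege": {ADMINISTRATORS, SERVICE, LOCAL_SERVICE, NETWORK_SERVICE},
    "SeIncreaseQuotaPrivilege": {ADMINISTRATORS, LOCAL_SERVICE, NETWORK_SERVICE},
    "SeAuditPrivilege": {LOCAL_SERVICE, NETWORK_SERVICE},
    "SeNetworkLogonRight": {ADMINISTRATORS, AUTHENTICATED_USERS},
}

# Constructed secedit export fragment (a real cfg.ini is UTF-16; open it with encoding="utf-16").
SAMPLE_CFG = """[Unicode]
Unicode=yes
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-32-545
SeTakeOwnershipPrivilege = *S-1-5-32-544
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeTcbPrivilege = *S-1-5-21-1111-2222-3333-1001
SeDenyNetworkLogonRight = *S-1-5-32-546
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-551,*S-1-5-19,*S-1-5-20,*S-1-5-11
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20
SeIncreaseQuotaPrivilege = *S-1-5-32-544,*S-1-5-19,*S-1-5-20
SeAuditPrivilege = *S-1-5-19,*S-1-5-20
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_privilege_rights(cfg_text):
    """Return {right: set of SIDs} from the [Privilege Rights] section of a secedit export."""
    ini = configparser.ConfigParser(interpolation=None)
    ini.optionxform = str  # keep the SeXxx names in their original case
    ini.read_string(cfg_text)
    rights = {}
    for name, value in ini.items("Privilege Rights"):
        # principals are comma separated; SIDs carry a leading "*", account names do not
        rights[name] = {p.strip().lstrip("*") for p in value.split(",") if p.strip()}
    return rights

def check_user_rights(cfg_text, expected=CIS_USER_RIGHTS):
    """List principals that are granted a right beyond, or missing from, the CIS assignment."""
    actual, findings = parse_privilege_rights(cfg_text), []
    for right, want in expected.items():
        have = actual.get(right, set())  # right not exported == assigned to No One
        extra, missing = have - want, want - have
        if extra:
            findings.append(f"{right}: unexpected principals {sorted(extra)}")
        if missing:
            findings.append(f"{right}: missing principals {sorted(missing)}")
    return findings

if __name__ == "__main__":
    print("\n".join(check_user_rights(SAMPLE_CFG)) or "compliant")
```

On the constructed export this reports Users on SeDebugPrivilege, Remote Desktop Users on SeRemoteInteractiveLogonRight, a domain account on SeTcbPrivilege and Everyone on SeChangeNotifyPrivilege.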


Account Lockout Policy

type cfg.ini | grep "^LockoutBadCount"
type netaccount.txt | grep "^Lockout duration (minutes)\|^Lockout observation window (minutes)" 

CIS Recommendations:

LockoutBadCount = 6 (or fewer)
Lockout duration (minutes): 15 (or greater)
Lockout observation window (minutes): 15 (or greater) 

Password Policy

type cfg.ini | grep "ClearTextPassword\|MinimumPasswordLength\|^MaximumPasswordAge\|PasswordHistorySize\|MinimumPasswordAge\|PasswordComplexity"

CIS Recommendations:

MinimumPasswordAge = 1 (or greater)
MaximumPasswordAge = 60 (or less)
MinimumPasswordLength = 14 (or greater)
PasswordComplexity = 1 (Enabled)
PasswordHistorySize = 24 (or greater) 
ClearTextPassword = 0 (Disabled) 
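The lockout and password values above come from two artifacts (the [System Access] section of cfg.ini and the `net accounts` output), and two of them have edge cases a plain "or less" comparison misses: LockoutBadCount 0 disables lockout, and the export stores a never-expiring MaximumPasswordAge as -1. The following is an added Python example, not part of the original page or of Scgary, with both inputs constructed inline.

```python
import configparser
import re

# Constructed [System Access] fragment of a secedit export (real file is UTF-16).
SAMPLE_CFG = """[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = -1
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
ClearTextPassword = 0
NewAdministratorName = "Administrator"
"""

# Constructed `net accounts` output for the same host.
SAMPLE_NET_ACCOUNTS = """Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          Unlimited
Minimum password length:                              8
Length of password history maintained:                24
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 10
Computer role:                                        WORKSTATION
The command completed successfully.
"""

def parse_system_access(cfg_text):
    """Return the numeric keys of [System Access] as ints (quoted names are skipped)."""
    ini = configparser.ConfigParser(interpolation=None)
    ini.optionxform = str  # keep MaximumPasswordAge etc. in their original case
    ini.read_string(cfg_text)
    return {k: int(v) for k, v in ini.items("System Access") if re.fullmatch(r"-?\d+", v.strip())}

def parse_net_accounts(text):
    """Map each 'Label:' line of `net accounts` output to its textual value."""
    out = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep:
            out[label.strip()] = value.strip()
    return out

def check_account_policy(cfg_text, net_accounts_text):
    """Return findings against the CIS lockout and password recommendations listed above."""
    sa, na, findings = parse_system_access(cfg_text), parse_net_accounts(net_accounts_text), []

    def need(name, value, ok, rule):
        if value is None:
            findings.append(f"{name}: missing or non-numeric, check manually")
        elif not ok(value):
            findings.append(f"{name} = {value}, CIS wants {rule}")

    # 0 disables lockout entirely, so "6 or fewer" must not accept it
    need("LockoutBadCount", sa.get("LockoutBadCount"), lambda v: 1 <= v <= 6, "1..6 (0 disables lockout)")
    for label in ("Lockout duration (minutes)", "Lockout observation window (minutes)"):
        raw = na.get(label)  # "Never" or a missing line becomes None and is flagged for manual review
        need(label, int(raw) if raw and raw.isdigit() else None, lambda v: v >= 15, "15 or greater")
    need("MinimumPasswordAge", sa.get("MinimumPasswordAge"), lambda v: v >= 1, "1 or greater")
    # -1 means passwords never expire; a plain "60 or less" test would wrongly pass it
    need("MaximumPasswordAge", sa.get("MaximumPasswordAge"), lambda v: 1 <= v <= 60, "1..60 (-1 = never expires)")
    need("MinimumPasswordLength", sa.get("MinimumPasswordLength"), lambda v: v >= 14, "14 or greater")
    need("PasswordComplexity", sa.get("PasswordComplexity"), lambda v: v == 1, "1 (enabled)")
    need("PasswordHistorySize", sa.get("PasswordHistorySize"), lambda v: v >= 24, "24 or greater")
    need("ClearTextPassword", sa.get("ClearTextPassword"), lambda v: v == 0, "0 (disabled)")
    return findings

if __name__ == "__main__":
    print("\n".join(check_account_policy(SAMPLE_CFG, SAMPLE_NET_ACCOUNTS)) or "compliant")
```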

Security Options

Accounts Policy and Network Access Policy

type cfg.ini | grep "^EnableGuestAccount\|^LSAAnonymousNameLookup"

CIS Recommendations:

EnableGuestAccount = 0 #Disable Guest account
LSAAnonymousNameLookup = 0 #Do not allow anonymous SID/Name translation 

Obtain these registry key values for assessment:

reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole"
reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"
reg query "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer"
reg query "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa"
reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy"
reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0"
reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers"
reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths"
reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths"
reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager"
reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel"
reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management"
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog"
reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters"
reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters"
reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP"
reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters"
reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters"
reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters" /v DisableIPSourceRouting

CIS Recommendations:
Note: report.txt refers to the report generated by Scgary.

  • 1. Audit Policy

    type report.txt | grep "SCENoApplyLegacyAuditPolicy\|crashonauditfail"

    "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa"
        SCENoApplyLegacyAuditPolicy REG_DWORD 0x1    #Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
        crashonauditfail            REG_DWORD 0x0    #Do not shut down the system immediately if unable to log security audits

  • 2. Device Policy

    type report.txt | grep "AllocateDASD\|AddPrinterDrivers"

    "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
        AllocateDASD REG_SZ 2    #Allow Administrators and Interactive Users to format and eject removable media

    "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers"
        AddPrinterDrivers REG_DWORD 0x1    #Prevent users from installing printer drivers

  • 3. Domain Member Policy

    type report.txt | grep "DisablePasswordChange\|SealSecureChannel\|SignSecureChannel\|RequireSignOrSeal\|MaximumPasswordAge\|RequireStrongKey"

    "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters"
        DisablePasswordChange REG_DWORD 0x0     #Disable machine account password changes: Disabled
        SealSecureChannel     REG_DWORD 0x1     #Digitally encrypt secure channel data (when possible)
        SignSecureChannel     REG_DWORD 0x1     #Digitally sign secure channel data (when possible)
        RequireSignOrSeal     REG_DWORD 0x1     #Digitally encrypt or sign secure channel data (always)
        MaximumPasswordAge    REG_DWORD 0x1e    #Maximum machine account password age [30 days]
        RequireStrongKey      REG_DWORD 0x1     #Require strong (Windows 2000 or later) session key

  • 4. Interactive Logon Policy

    type report.txt | grep "scremoveoption\|PasswordExpiryWarning\|DisableCAD\|CachedLogonsCount\|ForceUnlockLogon\|dontdisplaylastusername"

    "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
        scremoveoption        REG_SZ    1      #Smart card removal behavior set to Lock Workstation (1 = Lock Workstation; 2 = Force Logoff)
        PasswordExpiryWarning REG_DWORD 0xe    #Prompt user to change password before expiration [14 days]
        DisableCAD            REG_DWORD 0x1    #Require CTRL+ALT+DEL before logging on to Windows
        CachedLogonsCount     REG_SZ    0      #Number of previous logons to cache in case the domain controller is not available [0]
        ForceUnlockLogon      REG_DWORD 0x1    #Require domain controller authentication to unlock the workstation

    "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"
        dontdisplaylastusername REG_DWORD 0x1    #Do not display last user name

  • 5. Microsoft Network Client Policy

    type report.txt | grep "EnablePlainTextPassword\|RequireSecuritySignature\|EnableSecuritySignature"

    "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters"
        EnablePlainTextPassword  REG_DWORD 0x0    #Do not send unencrypted password to third-party SMB servers
        RequireSecuritySignature REG_DWORD 0x1    #Digitally sign communications (always)
        EnableSecuritySignature  REG_DWORD 0x1    #Digitally sign communications (if server agrees)

  • 6. MSS

    "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
        AutoAdminLogon REG_SZ 0    #Automatic logons must be disabled

  • 7. Microsoft Network Server Policy

    type report.txt | grep "enablesecuritysignature\|requiresecuritysignature\|enableforcedlogoff\|autodisconnect"

    "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters"
        enablesecuritysignature  REG_DWORD 0x1    #Digitally sign communications (if client agrees)
        requiresecuritysignature REG_DWORD 0x1    #Digitally sign communications (always)
        enableforcedlogoff       REG_DWORD 0x1    #Disconnect clients when logon hours expire
        autodisconnect           REG_DWORD 0xf    #Amount of idle time required before suspending session [15 minutes]

  • 8. Network Access Policy

    type report.txt | grep "forceguest\|restrictanonymous\|restrictanonymoussam\|everyoneincludesanonymous\|restrictnullsessaccess\|NullSessionShares\|Machine"

    "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa"
        forceguest                REG_DWORD 0x0    #Sharing and security model for local accounts [Classic - local users authenticate as themselves]
        restrictanonymous         REG_DWORD 0x1    #Do not allow anonymous enumeration of SAM accounts and shares
        restrictanonymoussam      REG_DWORD 0x1    #Do not allow anonymous enumeration of SAM accounts
        everyoneincludesanonymous REG_DWORD 0x0    #Do not let Everyone permissions apply to anonymous users

    "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters"
        restrictnullsessaccess REG_DWORD 0x1    #Restrict anonymous access to Named Pipes and Shares
        NullSessionShares      REG_MULTI_SZ     #Shares that can be accessed anonymously [None]

    "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths"
        Machine REG_MULTI_SZ System\CurrentControlSet\Control\Print\Printers\0System\CurrentControlSet\Services\Eventlog\0Software\Microsoft\OLAP Server\0Software\Microsoft\Windows NT\CurrentVersion\Print\0Software\Microsoft\Windows NT\CurrentVersion\Windows\0System\CurrentControlSet\Control\ContentIndex\0System\CurrentControlSet\Control\Terminal Server\0System\CurrentControlSet\Control\Terminal Server\UserConfig\0System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration\0Software\Microsoft\Windows NT\CurrentVersion\Perflib\0System\CurrentControlSet\Services\SysmonLog    #Remotely accessible registry paths and sub-paths

    "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths"
        Machine REG_MULTI_SZ System\CurrentControlSet\Control\ProductOptions\0System\CurrentControlSet\Control\Server Applications\0Software\Microsoft\Windows NT\CurrentVersion    #Remotely accessible registry paths

  • 9. Network Security Policy

    type report.txt | grep "LmCompatibilityLevel\|NoLmHash\|NtlmMinServerSec\|NtlmMinClientSec\|ldapclientintegrity"

    "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa"
        LmCompatibilityLevel REG_DWORD 0x5    #LAN Manager authentication level [Send NTLMv2 response only. Refuse LM & NTLM]
        NoLmHash             REG_DWORD 0x1    #Do not store LAN Manager hash value on next password change

    "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0"
        NtlmMinServerSec REG_DWORD 0x20080000    #Minimum session security for NTLM SSP based (including secure RPC) servers [Require NTLMv2 session security, Require 128-bit encryption]
        NtlmMinClientSec REG_DWORD 0x20080000    #Minimum session security for NTLM SSP based (including secure RPC) clients [Require NTLMv2 session security, Require 128-bit encryption]

    "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP"
        ldapclientintegrity REG_DWORD 0x1    #LDAP client signing requirements [Negotiate signing]

  • 10. Recovery Console Policy

    type report.txt | grep "setcommand\|securitylevel"

    "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole"
        setcommand    REG_DWORD 0x0    #Do not allow floppy copy and access to all drives and all folders
        securitylevel REG_DWORD 0x0    #Do not allow automatic administrative logon

  • 11. Shutdown Policy

    type report.txt | grep "ClearPageFileAtShutdown\|shutdownwithoutlogon"

    "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management"
        ClearPageFileAtShutdown REG_DWORD 0x0    #Do not clear virtual memory pagefile
        shutdownwithoutlogon    REG_DWORD 0x0    #Do not allow the system to be shut down without having to log on

  • 12. System Cryptography Policy

    type report.txt | grep "    Enabled"

    "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy"
        Enabled REG_DWORD 0x1    #Use FIPS compliant algorithms for encryption, hashing, and signing

  • 13. System Objects Policy

    type report.txt | grep "obcaseinsensitive\|ProtectionMode"

    "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel"
        obcaseinsensitive REG_DWORD 0x1    #Require case insensitivity for non-Windows subsystems

    "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager"
        ProtectionMode REG_DWORD 0x1    #Strengthen default permissions of internal system objects (e.g. symbolic links)

  • 14. System Settings Policy

    type report.txt | grep "authenticodeenabled"

    "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
        authenticodeenabled REG_DWORD 0x1    #Use Certificate Rules on Windows executables for Software Restriction Policies

  • 15. User Account Control Policy

    type report.txt | grep "ConsentPromptBehaviorAdmin\|ConsentPromptBehaviorUser\|EnableLUA\|FilterAdministratorToken\|EnableUIADesktopToggle\|PromptOnSecureDesktop\|ValidateAdminCodeSignatures\|EnableVirtualization\|EnableInstallerDetection\|EnableSecureUIAPaths"

    "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"
        ConsentPromptBehaviorAdmin  REG_DWORD 0x5    #When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny; if the user selects Permit, the operation continues with the user's highest available privilege
        ConsentPromptBehaviorUser   REG_DWORD 0x3    #When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password; if the user enters valid credentials, the operation continues with the applicable privilege
        EnableLUA                   REG_DWORD 0x1    #Run all administrators in Admin Approval Mode
        FilterAdministratorToken    REG_DWORD 0x1    #Admin Approval Mode for the built-in Administrator account
        EnableUIADesktopToggle      REG_DWORD 0x0    #Do not allow UIAccess applications to prompt for elevation without using the secure desktop
        PromptOnSecureDesktop       REG_DWORD 0x1    #Switch to the secure desktop when prompting for elevation
        ValidateAdminCodeSignatures REG_DWORD 0x0    #Do not enforce PKI certification path validation before a given executable file is permitted to run
        EnableVirtualization        REG_DWORD 0x1    #Virtualize file and registry write failures to per-user locations
        EnableInstallerDetection    REG_DWORD 0x1    #Detect application installations and prompt for elevation
        EnableSecureUIAPaths        REG_DWORD 0x1    #Only elevate UIAccess applications that are installed in secure locations

Reference: Windows Registry Cheat Sheet by Axcel Security
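The registry expectations above can be checked directly against the concatenated `reg query` output rather than by grepping report.txt. The following is an added Python example, not part of the original page or of Scgary: it parses the `reg query` column layout (value names can contain spaces, REG_MULTI_SZ data shows `\0` separators), treats the two NTLM session-security values as bitmasks in which all recommended bits must be set, and flags a value that is absent, because the OS default then applies. The output is constructed and only a subset of the recommendations above is encoded in CIS_REGISTRY.

```python
import re

LSA = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa"
MSV = LSA + r"\MSV1_0"
WINLOGON = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
UAC = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"

# (key, value name) -> (check kind, expected). "eq" is an exact match; "mask"
# means every expected bit must be set (the NTLM session-security values are flags).
CIS_REGISTRY = {
    (LSA, "LmCompatibilityLevel"): ("eq", 0x5),
    (LSA, "NoLmHash"): ("eq", 0x1),
    (LSA, "restrictanonymous"): ("eq", 0x1),
    (MSV, "NtlmMinClientSec"): ("mask", 0x20080000),
    (MSV, "NtlmMinServerSec"): ("mask", 0x20080000),
    (WINLOGON, "AutoAdminLogon"): ("eq", "0"),
    (UAC, "EnableLUA"): ("eq", 0x1),
}

# Constructed `reg query` output; the Policies\System key is deliberately missing.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
    LmCompatibilityLevel    REG_DWORD    0x3
    NoLmHash    REG_DWORD    0x1
    restrictanonymous    REG_DWORD    0x0
    Security Packages    REG_MULTI_SZ    kerberos\0msv1_0\0schannel\0wdigest\0tspkg\0pku2u

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0
    NtlmMinClientSec    REG_DWORD    0x20080000
    NtlmMinServerSec    REG_DWORD    0x20000000

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoAdminLogon    REG_SZ    1
    DefaultUserName    REG_SZ    labuser
"""

KEY_RE = re.compile(r"^HKEY_\S.*$")
# name may contain single spaces; columns are separated by runs of whitespace
VALUE_RE = re.compile(r"^\s+(.+?)\s{2,}(REG_[A-Z_]+)\s*(.*)$")

def parse_reg_query(text):
    """Return {(key, value name): (type, data)}; keys and names lower-cased (registry is case-insensitive)."""
    values, key = {}, None
    for line in text.splitlines():
        if KEY_RE.match(line):
            key = line.strip().lower()
            continue
        m = VALUE_RE.match(line) if key else None
        if m:
            name, rtype, data = m.groups()
            values[(key, name.lower())] = (rtype, data.strip())
    return values

def check_registry(reg_text, expected=CIS_REGISTRY):
    """Compare parsed `reg query` output with the CIS expectations and list deviations."""
    actual, findings = parse_reg_query(reg_text), []
    for (key, name), (kind, want) in expected.items():
        found = actual.get((key.lower(), name.lower()))
        if found is None:
            findings.append(f"{key}\\{name}: not set (default applies, check manually)")
            continue
        rtype, data = found
        have = int(data, 16) if rtype == "REG_DWORD" else data   # reg query prints DWORDs as 0x..
        if kind == "mask":
            ok = isinstance(have, int) and (have & want) == want
        else:
            ok = have == want
        if not ok:
            shown = want if isinstance(want, str) else hex(want)
            findings.append(f"{key}\\{name} = {data}, CIS wants {shown}")
    return findings

if __name__ == "__main__":
    print("\n".join(check_registry(SAMPLE_REG)) or "compliant")
```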


Audit Policies

CIS Recommendations:

Success and Failure

type auditpol.txt | grep "Security Group Management\|Other Account Management Events\|User Account Management\|Sensitive Privilege Use\|IPsec Driver\|Security State Change\|Security System Extension\|System Integrity\|  Logon\|Credential Validation"

Success

type auditpol.txt | grep "Computer Account Management\|Authentication Policy Change\|^  Logoff\|Special Logon\|Process Creation"

No Auditing

type auditpol.txt | grep "File System\|Handle Manipulation \|Filtering Platform Packet Drop\|Certification Services\|SAM\|Detailed File Share\|Registry\|Kernel Object\|Filtering Platform Connection\|File Share\|Application Generated\|Other Object Access Events\|Distribution Group Management\|Application Group Management\|Directory Service Access\|Directory Service Replication\|Directory Service Changes\|Detailed Directory Service Replication\|Non Sensitive Privilege Use\|Other Privilege Use Events\|Filtering Platform Policy Change\|Other Policy Change Events\|Authorization Policy Change \|MPSSVC Rule-Level Policy Change\|Other System Events\|IPsec Extended Mode\|Network Policy Server\|IPsec Main Mode\|Other Logon/Logoff Events\|Account Lockout\|IPsec Quick Mode\|Kerberos Service Ticket Operations\|Other Account Logon Events \|Kerberos Authentication Service\|Process Termination\|RPC Events\|DPAPI Activity"
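The grep patterns above have to be padded with spaces (e.g. "  Logon") so that "Logon" does not also match "Special Logon" or "Other Logon/Logoff Events"; parsing the two columns of `auditpol /get /category:*` removes that ambiguity. The following is an added Python example, not part of the original page or of Scgary, with constructed auditpol output and a subset of the subcategories listed above encoded in CIS_AUDIT.

```python
import re

# Expected setting per subcategory, taken from the three groups listed above (subset).
CIS_AUDIT = {
    "Credential Validation": "Success and Failure",
    "Security Group Management": "Success and Failure",
    "User Account Management": "Success and Failure",
    "Sensitive Privilege Use": "Success and Failure",
    "Logon": "Success and Failure",
    "Logoff": "Success",
    "Special Logon": "Success",
    "Process Creation": "Success",
    "Account Lockout": "No Auditing",
    "Other Logon/Logoff Events": "No Auditing",
}

# Constructed `auditpol /get /category:*` output (categories sit at column 0,
# subcategories are indented and followed by the setting in a second column).
SAMPLE_AUDITPOL = """System audit policy
Category/Subcategory                      Setting
Account Logon
  Credential Validation                   Success
  Kerberos Authentication Service         No Auditing
Account Management
  User Account Management                 Success and Failure
  Security Group Management               Success and Failure
Logon/Logoff
  Logon                                   Success
  Logoff                                  Success
  Account Lockout                         Success
  Special Logon                           Success
  Other Logon/Logoff Events               No Auditing
Detailed Tracking
  Process Creation                        No Auditing
Privilege Use
  Sensitive Privilege Use                 No Auditing
"""

# indented name, then at least two spaces, then one of the four possible settings
SUBCATEGORY_RE = re.compile(r"^\s{2,}(\S.*?)\s{2,}(Success and Failure|Success|Failure|No Auditing)\s*$")

def parse_auditpol(text):
    """Return {subcategory: setting}; whole-column matching keeps 'Logon' distinct from 'Special Logon'."""
    policy = {}
    for line in text.splitlines():
        m = SUBCATEGORY_RE.match(line)
        if m:
            policy[m.group(1)] = m.group(2)
    return policy

def check_audit_policy(text, expected=CIS_AUDIT):
    """List subcategories whose setting differs from the CIS recommendation or is absent."""
    actual, findings = parse_auditpol(text), []
    for sub, want in expected.items():
        have = actual.get(sub)
        if have is None:
            findings.append(f"{sub}: not present in auditpol output")
        elif have != want:
            findings.append(f"{sub}: {have}, CIS wants {want}")
    return findings

if __name__ == "__main__":
    print("\n".join(check_audit_policy(SAMPLE_AUDITPOL)) or "compliant")
```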

Event Log Service

reg query "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Eventlog\Security"
reg query "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Eventlog\Application"
reg query "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Eventlog\System" 

CIS Recommendations:

Security Event Log

maxSize = Enabled:196608
retention = Disabled 

Application Event Log

maxSize = Enabled:32768
retention = Disabled 

System Event Log

maxSize = Enabled:32768
retention = Disabled 

Firewall with Advanced Security

type firewall.txt | grep "InboundUserNotification\|LocalConSecRules\|LocalFirewallRules\|UnicastResponseToMulticast\|Firewall Policy\|State" | sort

CIS Recommendations:

  • Display a notification
  • Apply local connection security rules
  • Do not allow unicast responses
  • Turn On Firewall state
  • Apply local firewall rules
  • Block Inbound connections
  • Allow Outbound connections
InboundUserNotification         Enable 
LocalConSecRules                N/A (GPO-store only) #Check Manually
LocalFirewallRules              N/A (GPO-store only) #Check Manually
UnicastResponseToMulticast      Disable
Firewall Policy                 BlockInbound,AllowOutbound
State                           ON 

Licensed under CC BY-NC-SA 4.0
Last updated on Feb 15, 2023 13:20 +0100