Best practices for Security Audit
When managing Windows devices, an important priority is the safety and security of the devices. It is often stated that a chain is only as strong as its weakest link, and a large network may have many links. At its most fundamental level, the challenge of ensuring device security can be summarized by the following two questions:
- What is the ideal security policy for my network?
- How many devices deviate from the ideal policy?
In order to help you answer these questions, Datto RMM provides a Security Audit component and monitoring policy set intended to pinpoint common security concerns on Windows devices. These concerns are raised both in the StdOut from the component run and within the Windows Event Log. This information can then be caught by the monitoring policy and filtered. If you are linking into a PSA solution, workflow rules can also be applied to tickets.
The component is called Security Audit [WIN]. It runs on Windows 7 SP1 and up (including Windows Server builds) of any language. The monitoring policy is called Windows: Security Audit Component. It is configured to look for Event Log entries raised by the component. Both are available for free within their respective sections of the ComStore.
The Security Audit [WIN] component inspects the following criteria:
- If the device is running Windows 7 SP0 or older, the script terminates immediately.
- If the device is running Windows 7 SP1, the following checks are performed:
  - If the date is before the 14th of January 2020, a warning is raised to alert the Administrator that support for the device will soon be discontinued.
  - If the date is on or after the 14th of January 2020, an alert is raised to note that the device is officially obsolete and should be upgraded or replaced.
- If the device is running Windows 8.0, an alert is raised to note that the device is officially obsolete and should be upgraded or replaced.
- Is the Guest account enabled?
- Is the Administrator account enabled?
NOTE The component is designed to work with builds of Windows in all languages. It does not search for the literal usernames "Guest" and "Administrator."
- Are there any active local (non-domain) accounts on the device with administrative privileges?
- If the device is not part of a domain, what is the password policy?
NOTE Active Directory Administrators are advised to flag accounts as "This account is sensitive" in order to mitigate token impersonation attacks. Go here for more information.
- Does the device have a default username/password combination stored in plain text in the registry?
  - If so, is the password eight characters or longer?
  - If so, is it one of the five most-commonly encountered passwords (12345, qwerty, letmein, etc.)?
NOTE A default Windows account username and password pair can optionally be stored in the registry at the location HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon under the value names DefaultUsername and DefaultPassword. Naturally, this is considered a security risk as passwords are stored in plain text.
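The registry check described above, as an added example rather than the Security Audit [WIN] component's own code: it reads the Winlogon values, applies the length and common-fragment tests, and logs each finding with the event IDs the table below assigns (59107 to 59109). The event source name and the choice of the Application log are assumptions; the real component's log and source are not stated on this page.

```powershell
# Added example (not the Security Audit [WIN] component's own code): detect a
# plain-text default logon password in Winlogon and log it with the event IDs
# the article's table assigns (59107-59109). Event source name is assumed.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$source   = 'SecurityAuditExample'   # assumed source; New-EventLog needs admin rights
# Fragments listed in the article's event table; matched case-insensitively
$fragments = 'password', 'p4ssw0rd', '12345', 'qwerty', 'letmein'

function Test-DefaultLogonPassword {
    $props    = Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue
    $password = [string]$props.DefaultPassword
    if ([string]::IsNullOrEmpty($password)) { return @() }   # nothing stored

    $user = [string]$props.DefaultUserName
    # The password value itself is never written to the log, only the finding.
    $findings = @([pscustomobject]@{
        Id = 59107; Type = 'Warning'
        Message = "Windows login password for '$user' stored in plain text in registry" })
    if ($password.Length -lt 8) {
        $findings += [pscustomobject]@{
            Id = 59108; Type = 'Warning'
            Message = 'Windows login password, stored in registry, is shorter than 8 characters' }
    }
    $hit = $fragments | Where-Object { $password -like "*$_*" } | Select-Object -First 1
    if ($hit) {
        $findings += [pscustomobject]@{
            Id = 59109; Type = 'Error'
            Message = "Windows login password, stored in registry, contains common fragment '$hit'" }
    }
    return $findings
}

function Write-AuditEvents {
    param([object[]]$Findings)
    if (-not $Findings) { return }
    if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
        New-EventLog -LogName Application -Source $source
    }
    foreach ($f in $Findings) {
        Write-EventLog -LogName Application -Source $source -EventId $f.Id `
            -EntryType $f.Type -Message $f.Message
    }
}

$results = @(Test-DefaultLogonPassword)
Write-AuditEvents -Findings $results
if ($results) { $results | Format-Table Id, Type, Message -AutoSize }
else { 'No default logon password stored in Winlogon.' }
```

Run it from an elevated PowerShell session; a monitor filtering the Application log on the assumed source and these IDs would then catch the findings the same way the ComStore policy catches the component's own events.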
- Does the device restrict access to anonymous SMB shares (Null-Session access)?
- Is the Telnet server running?
- Is the device configured as an SMBv1 Server or Client?
NOTE While some legacy network appliances mandate the use of SMB version 1, it is required that networks deprecate all support for the protocol due to its complete lack of security. Go here for more information.
- Is Windows Firewall running?
  - Is it enabled for Public, Private, and Domain-based networks?
  - What profile is active at the time of analysis?
- Has the TeamViewer application been used on this device?
NOTE A warning is raised if TeamViewer is known to have been used on the local device. This is purely for the purpose of informing Administrators about remote connections that may have occurred on the device outside of proper procedure or oversight. The warning is not intended to suggest that TeamViewer is harmful or undesired software.
- Is UEFI secure boot enabled?
- Are Windows 10 Exploit Protection settings, if available, enabled?
- Are files with known problematic extensions prohibited from execution?
The component considers the file extensions VBS, SCR, and CPL to be problematic due to their common association with viruses and malware. The code checks the Windows Security Policy settings to see if any file path rules have been set up to block execution of files with these extensions. The component also checks to see if a rule exists to catch use of the Right-to-Left Override (RLO) Unicode character, which can be used to obscure file extensions.
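An added example of the path-rule check just described, written here for illustration and not taken from the component: it enumerates the machine-level Software Restriction Policy rules at the "Disallowed" security level and reports which of VBS, SCR, CPL and the RLO character (U+202E) have no covering rule. The SRP registry layout used (CodeIdentifiers\0\Paths\<guid> with an ItemData value) is an assumption about the policy store, and user-level rules under HKCU are not inspected.

```powershell
# Added example (not the component's own code): enumerate Software Restriction
# Policy "Disallowed" path rules and report whether the VBS, SCR and CPL
# extensions and the RLO character from the article are covered. The SRP
# registry layout (CodeIdentifiers\0\Paths\<guid>, value ItemData) is assumed.
$srpRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$blocked = '.vbs', '.scr', '.cpl'
$rlo     = [string][char]0x202E   # Right-to-Left Override, U+202E

function Get-DisallowedPathRules {
    # Security level 0 under CodeIdentifiers holds the Disallowed rules
    $paths = Join-Path $srpRoot '0\Paths'
    if (-not (Test-Path $paths)) { return @() }
    Get-ChildItem -Path $paths | ForEach-Object {
        (Get-ItemProperty -Path $_.PSPath).ItemData
    } | Where-Object { $_ }
}

function Test-ProblematicExtensionRules {
    $rules   = @(Get-DisallowedPathRules)
    $missing = @()
    foreach ($ext in $blocked) {
        # A path rule such as *.vbs (or any rule ending in the extension) counts
        if (-not ($rules | Where-Object { $_.ToLower().EndsWith($ext) })) {
            $missing += $ext.TrimStart('.').ToUpper()
        }
    }
    # An RLO rule must literally contain the U+202E character in its path
    if (-not ($rules | Where-Object { $_.Contains($rlo) })) { $missing += 'RLO' }
    $eventId = if ($missing) { 59120 } else { $null }   # ID from the table below
    [pscustomobject]@{
        RuleCount = $rules.Count
        Missing   = $missing
        EventId   = $eventId
    }
}

Test-ProblematicExtensionRules
```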
As part of a typical run, the component logs noteworthy discoveries in the Windows Event Log. The codes used to log the events are shown below. These are all included as part of the Windows: Security Audit Component monitoring policy available in the ComStore. Please consult the following chart to help you decide which events are important to you.
| ID | Summary | More Detail | Event Tier | Alert Tier |
|---|---|---|---|---|
| 59101 | OS not supported: Script cannot run | Anything pre-7 SP1 | Error | High |
| 59102 | Windows 7 will expire (but has not yet) | | Warning | Moderate |
| 59103 | OS not supported: Script will run | 7 SP0, 7 SP1 post-expiration, 8.0 | Error | High |
| 59104 | Guest Account is enabled | | Warning | Moderate |
| 59105 | Local Administrator Account is enabled | | Warning | Moderate |
| 59106 | Local Account (username) is listed as an Administrator | | Warning | Moderate |
| 59107 | Windows login password stored in plain text in registry | | Warning | Critical |
| 59108 | Windows login password, stored in registry, is shorter than 8 characters | | Warning | High |
| 59109 | Windows login password, stored in registry, is one of the five most common passwords (fragments) | password, p4ssw0rd, 12345, qwerty, letmein | Error | Critical |
| 59110 | Access to anonymous shares is permitted | | Warning | High |
| 59111 | Telnet Server is running | | Warning | High |
| 59112 | Device is configured as an SMBv1 Server | | Warning | Critical |
| 59113 | Device is configured as an SMBv1 Client | | Warning | Critical |
| 59114 | UEFI Secure Boot is permitted on the device but has not been enabled | | Warning | High |
| 59115 | Windows 10 Exploit Protection Settings differ from best practice defaults | | Warning | Moderate |
| 59116 | Windows Firewall disabled for private networks | | Warning | Moderate |
| 59117 | Windows Firewall disabled for public networks | | Warning | High |
| 59118 | Windows Firewall disabled for domains | | Warning | Moderate |
| 59119 | Windows Firewall is not running | | Warning | High |
| 59120 | Security Policy is not configured to block problematic file types | CPL, SCR, VBS, and RLO | Error | High |
| 59121 | Reserved for future use | | Warning | Moderate |
| 59122 | Reserved for future use | | Warning | Moderate |
| 59123 | Reserved for future use | | Error | High |
The Datto RMM Product Management team is happy to hear suggestions for features to add to the component. Please submit any suggestions via the Comments or Requests? link in the ComStore.