Nessus Report

Nessus Scan Report

03/Dec/2013:03:12:53

Table Of Contents
Compliance Executive
Compliance Tests

Compliance Executive


Compliance Tests

FAILED 1.1.1 Enforce Password History: 24 passwords
PASSED 1.1.2 Maximum Password Age: 90 days
FAILED 1.1.3 Minimum Password Age: 1 day
FAILED 1.1.4 Minimum Password Length: 8 characters
FAILED 1.1.5 Password Must Meet Complexity Requirements: Enabled
PASSED 1.1.6 Store Passwords Using Reversible Encryption: Disabled
PASSED 1.1.7 Account Lockout Duration: 15 minutes (minimum)
PASSED 1.1.8 Account Lockout Threshold: maximum of 50 attempts
PASSED 1.1.9 Reset Account Lockout Counter After: 15 minutes (minimum)
PASSED 1.2.10 Audit: Shut Down System Immediately if Unable to Log Security Audits: Disabled
PASSED 1.2.11 Audit: Force Audit Policy Subcategory Settings (Windows Vista or Later) to Override Audit Policy Category Settings: Enabled
FAILED 1.3.1 Audit Policy: System: IPsec Driver: Success and Failure
FAILED 1.3.2 Audit Policy: System: Security State Change: Success and Failure
FAILED 1.3.3 Audit Policy: System: Security System Extension: Success and Failure
PASSED 1.3.4 Audit Policy: System: Security Integrity: Success and Failure
PASSED 1.3.5 Audit Policy: Logon-Logoff: Logoff: Success (minimum).
PASSED 1.3.6 Audit Policy: Logon-Logoff: Logon: Success (minimum).
PASSED 1.3.7 Audit Policy: Logon-Logoff: Special Logon: Success (minimum).
PASSED 1.3.8 Audit Policy: Object Access: File System: No Auditing or Failure or Success or Success and Failure.
PASSED 1.3.9 Audit Policy: Object Access: Registry: No Auditing or Failure or Success or Success and Failure.
PASSED 1.3.10 Audit Policy: Privilege Use: Sensitive Privilege Use: No Auditing or Failure or Success or Success and Failure.
FAILED 1.3.11 Audit Policy: Detailed Tracking: Process Creation: Success (minimum).
FAILED 1.3.12 Audit Policy: Policy Change: Audit Policy Change: Success and Failure.
PASSED 1.3.13 Audit Policy: Policy Change: Authentication Policy Change: Success (minimum)
FAILED 1.3.14 Audit Policy: Account Management: Computer Account Management: Success (minimum)
PASSED 1.3.15 Audit Policy: Account Management: Distribution Group Management: No Auditing or Failure or Success or Success and Failure.
FAILED 1.3.16 Audit Policy: Account Management: Other Account Management Events: Success (minimum)
PASSED 1.3.17 Audit Policy: Account Management: Security Group Management: Success (minimum)
PASSED 1.3.18 Audit Policy: Account Management: User Account Management: Success (minimum)
FAILED 1.3.19 Audit Policy: Account Logon: Credential Validation: Success (minimum)
WARNING 1.4.1 Application: Maximum Log Size (KB): 32768 KB (32 MB)
WARNING 1.4.2 Application: Retain Old Events: Disabled (overwrite old events)
WARNING 1.4.3 Security: Maximum Log Size (KB): 81920 KB (80 MB)
WARNING 1.4.4 Security: Retain Old Events: Disabled (overwrite old events)
WARNING 1.4.5 System: Maximum Log Size (KB): 32768 KB (32 MB)
WARNING 1.4.6 System: Retain Old Events: Disabled (overwrite old events)
WARNING 1.5.1 Windows Firewall: Domain: Firewall State: Enabled
WARNING 1.5.2 Windows Firewall: Domain: Inbound Connections: Block
WARNING 1.5.3 Windows Firewall: Domain: Display a Notification: Yes: Display a notification.
WARNING 1.5.4 Windows Firewall: Domain: Allow Unicast Response: No (do not allow unicast response).
WARNING 1.5.7 Windows Firewall: Private: Firewall State: On
WARNING 1.5.8 Windows Firewall: Private: Inbound Connections: Block Inbound Connections
WARNING 1.5.9 Windows Firewall: Private: Display a Notification: Yes: Display a notification.
WARNING 1.5.10 Windows Firewall: Private: Allow Unicast Response: No (do not allow unicast response)
WARNING 1.5.13 Windows Firewall: Public: Firewall State: On
WARNING 1.5.14 Windows Firewall: Public: Inbound Connections: Block inbound connections
WARNING 1.5.15 Windows Firewall: Public: Display a Notification: No
WARNING 1.5.16 Windows Firewall: Public: Allow Unicast Response: No (disallow unicast response)
WARNING 1.5.17 Windows Firewall: Public: Apply Local Firewall Rules: No
WARNING 1.5.18 Windows Firewall: Public: Apply Local Connection Security Rules: No
WARNING 1.6.1 Configure Automatic Updates - 'AUOptions = 3'
WARNING 1.6.1 Configure Automatic Updates - 'NoAutoUpdate = 0'
WARNING 1.6.2 Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box: Disabled
WARNING 1.6.3 No auto-restart with logged on users for scheduled automatic updates installations: Disabled
WARNING 1.6.4 Reschedule Automatic Updates Scheduled Installations: Enabled
FAILED 1.7.6 User Account Control: Run all administrators in Admin Approval Mode: Enabled
PASSED 1.8.1 Access this Computer from the Network: Users and Administrators.
PASSED 1.8.2 Act as part of the Operating System: No One
PASSED 1.8.6 Change the System Time: Local Service and Administrators
PASSED 1.8.7 Create a Pagefile: Administrators
PASSED 1.8.8 Create a Token Object: No One should have this right
PASSED 1.8.10 Create Permanent Shared Objects: No one should have this right
PASSED 1.8.11 Debug Programs
FAILED 1.8.12 Deny Access to this Computer from the Network: Guests
PASSED 1.8.13 Enable Computer and User Accounts to be Trusted for Delegation: No One should have this right
PASSED 1.8.14 Force Shutdown from a Remote System: Administrators
PASSED 1.8.15 Impersonate a Client After Authentication: Administrators, Service, Local Service and Network Service
PASSED 1.8.16 Increase Scheduling Priority: Administrators
PASSED 1.8.17 Load and Unload Device Drivers
PASSED 1.8.18 Lock Pages in Memory: No One should have this user right
PASSED 1.8.19 Manage Auditing and Security Log: Administrators
PASSED 1.8.20 Modify Firmware Environment Values: Administrators
PASSED 1.8.21 Modify an Object Label: No one should have this right
PASSED 1.8.22 Perform Volume Maintenance Tasks: Administrators
PASSED 1.8.24 Profile System Performance: Administrators and NT SERVICE\WdiServiceHost or wdiservicehost
PASSED 1.8.25 Remove Computer from Docking Station: Administrators and Users
FAILED 1.8.26 Replace a Process Level Token: Local Service and Network Service
PASSED 1.8.27 Shutdown the System: Administrators and Users
PASSED 1.8.28 Allow Log on Locally: Administrators and Users
PASSED 1.8.30 Create Symbolic Links: Administrators
FAILED 1.8.31 Deny Log on Locally: Guests
PASSED 1.8.33 Generate Security Audits: Local Service and Network Service
PASSED 1.8.38 Take Ownership of Files or Other Objects: Administrators
PASSED 1.8.39 Access Credential Manager as a Trusted Caller: No One
PASSED 1.9.1 Network Security: Minimum session security for NTLM SSP based (including secure RPC) servers: Require NTLMv2 session security, Require 128-bit encryption
PASSED 1.9.3 Accounts: Rename administrator account: Not equal to Administrator or Admin
FAILED 1.9.4 Accounts: Rename guest account: Not equal to guest
PASSED 1.9.6 Accounts: Guest account status: Disabled
PASSED 1.9.7 Network access: Allow anonymous SID/Name translation: Disabled
PASSED 1.9.8 Accounts: Limit local account use of blank passwords to console logon only: Enabled
PASSED 1.9.9 Devices: Allowed to format and eject removable media: Administrators and Interactive Users
PASSED 1.9.10 Devices: Prevent users from installing printer drivers: Enabled
PASSED 1.9.13 Domain member: Digitally encrypt or sign secure channel data (always): Enabled
PASSED 1.9.14 Domain member: Digitally encrypt secure channel data (when possible): Enabled
PASSED 1.9.15 Domain member: Digitally sign secure channel data (when possible): Enabled
PASSED 1.9.16 Domain member: Disable machine account password changes: Disabled
PASSED 1.9.17 Domain member: Maximum machine account password age: Maximum of 30 days
PASSED 1.9.18 Domain member: Require strong (Windows 2000 or later) session key: Enabled
PASSED 1.9.19 Interactive logon: Do not display last user name: Enabled
PASSED 1.9.20 Interactive logon: Number of previous logons to cache (in case domain controller is not available): 2 logons
PASSED 1.9.21 Interactive logon: Prompt user to change password before expiration: 14 days
PASSED 1.9.22 Interactive logon: Require Domain Controller authentication to unlock workstation: Enabled
PASSED 1.9.23 Interactive logon: Smart card removal behavior: Lock Workstation
FAILED 1.9.24 Interactive logon: Message text for users attempting to log on: Configured per your organization's security policy
FAILED 1.9.25 Interactive logon: Message title for users attempting to log on: Configured per your organization's security policy
PASSED 1.9.27 Microsoft network client: Digitally sign communications (always): Enabled
PASSED 1.9.28 Microsoft network client: Digitally sign communications (if server agrees): Enabled
PASSED 1.9.29 Microsoft network client: Send unencrypted password to third-party SMB servers: Disabled
PASSED 1.9.30 Microsoft network server: Amount of idle time required before suspending session: Maximum of 15 minutes
PASSED 1.9.31 Microsoft network server: Digitally sign communications (always): Enabled
PASSED 1.9.32 Microsoft network server: Digitally sign communications (if client agrees): Enabled
PASSED 1.9.33 Microsoft network server: Disconnect clients when logon hours expire: Enabled
PASSED 1.9.35 MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended): Disabled
FAILED 1.9.40 MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic: Multicast, broadcast, and ISAKMP are exempt
FAILED 1.9.41 MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers: Enabled
PASSED 1.9.44 MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended): Enabled
PASSED 1.9.45 MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires: 0 Seconds
FAILED 1.9.47 MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning: 90%
PASSED 1.9.48 Network access: Do not allow anonymous enumeration of SAM accounts: Enabled
PASSED 1.9.49 Network access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled
PASSED 1.9.50 Network access: Let Everyone permissions apply to anonymous users: Disabled
PASSED 1.9.55 Network access: Sharing and security model for local accounts: Classic - local users authenticate as themselves
PASSED 1.9.56 Network security: Do not store LAN Manager hash value on next password change: Enabled
PASSED 1.9.57 Network security: LAN Manager authentication level: Send NTLMv2 response only and Refuse LM
PASSED 1.9.58 Network security: LDAP client signing requirements: Negotiate signing
PASSED 1.9.59 Network security: Minimum session security for NTLM SSP based (including secure RPC) clients: Require NTLMv2 session security, Require 128-bit encryption
PASSED 1.9.60 Recovery console: Allow automatic administrative logon: Disabled
PASSED 1.9.65 System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links): Enabled
WARNING 1.9.66 System cryptography: Force strong key protection for user keys stored on the computer: Prompt the User each time a key is first used
WARNING 1.9.72 Network security: Allow PKU2U authentication requests to this computer to use online identities: Disabled
PASSED 1.9.73 Interactive logon: Do not require CTRL+ALT+DEL: Disabled
WARNING 1.10.1 Always prompt client for password upon connection: Enabled
WARNING 1.10.2 Set client connection encryption level: Enabled to High Level
WARNING 1.10.5 Do not allow passwords to be saved: Enabled
WARNING 1.11.1 Turn off downloading of print drivers over HTTP: Enabled
WARNING 1.11.2 Turn off the 'Publish to Web' task for files and folders: Enabled
WARNING 1.11.3 Turn off Internet download for Web publishing and online ordering wizards: Enabled
WARNING 1.11.4 Turn off printing over HTTP: Enabled
WARNING 1.11.5 Turn off Search Companion content file updates: Enabled
WARNING 1.11.6 Turn off the Windows Messenger Customer Experience Improvement Program: Enabled
WARNING 1.12.1 Require a Password When a Computer Wakes (On Battery): Enabled
WARNING 1.12.2 Require a Password When a Computer Wakes (Plugged In): Enabled
WARNING 1.12.4 Turn off Data Execution Prevention for Explorer: Disabled
FAILED 1.12.7 Registry policy processing
WARNING 1.12.10 Restrictions for Unauthenticated RPC Clients: Enabled and Authenticated.
WARNING 1.12.12 Turn off Autoplay: Enabled for all drives
WARNING 1.12.15 Prevent the computer from joining a homegroup: Enabled
PASSED 1.13.1 Do not preserve zone information in file attachments: Disabled
WARNING 1.13.2 Hide mechanisms to remove zone information: Enabled
WARNING 1.13.3 Notify antivirus programs when opening attachments: Enabled
FAILED 1.13.7 Password protect the screen saver: Enabled
FAILED 1.13.8 Force specific screen saver: scrnsave.scr
FAILED 1.13.9 Screen Saver timeout: at most 900 seconds
PASSED 1.13.10 Enable screen saver: Enabled
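A way to re-check the FAILED findings above on the scanned host before remediating, as an added example that is not part of the Nessus report or of Tenable's audit file. It reads the local security policy with secedit, the advanced audit policy with auditpol, and the remaining settings from their standard policy registry locations. The thresholds are the benchmark values the report quotes; the registry paths, the well-known SIDs (S-1-5-32-546 Guests, S-1-5-19 Local Service, S-1-5-20 Network Service) and the check names are this example's own assumptions. Run it from an elevated PowerShell session on the host itself; the 1.13.x screen saver checks read HKCU, so they reflect the policy of the user running the script.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the Nessus report: re-checks the FAILED findings
# listed above on the local host. Thresholds are the benchmark values the report
# quotes; registry paths and SIDs are standard policy locations (this example's
# assumptions, not the scanner's audit file).

# 1. Local security policy (password settings, account names, user rights) via secedit
$cfg = Join-Path $env:TEMP 'secpol-check.inf'
secedit /export /cfg $cfg /areas SECURITYPOLICY USER_RIGHTS /quiet | Out-Null
$pol = @{}; $section = ''
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
    if ($line -match '^\s*([^=]+?)\s*=\s*(.*)$') { $pol["$section/$($Matches[1])"] = $Matches[2].Trim() }
}
Remove-Item $cfg -Force

# 2. Advanced audit policy: auditpol /r emits CSV with one row per subcategory
$audit = @{}
auditpol /get /category:* /r | Where-Object { $_ -match '\S' } | ConvertFrom-Csv |
    ForEach-Object { $audit[$_.Subcategory] = $_.'Inclusion Setting' }

# 3. Registry-backed settings (UAC, MSS values, logon banner, screen saver policy)
function Get-Reg($Path, $Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}
$sys   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$desk  = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$guest = 'S-1-5-32-546'   # well-known SID of BUILTIN\Guests

# One entry per finding: report ID, expected state, observed value, pass predicate
$checks = @(
  @{ Id='1.1.1';  Name='Enforce password history >= 24';       Actual=$pol['System Access/PasswordHistorySize'];   Ok={ [int]$args[0] -ge 24 } }
  @{ Id='1.1.3';  Name='Minimum password age >= 1 day';        Actual=$pol['System Access/MinimumPasswordAge'];    Ok={ [int]$args[0] -ge 1 } }
  @{ Id='1.1.4';  Name='Minimum password length >= 8';         Actual=$pol['System Access/MinimumPasswordLength']; Ok={ [int]$args[0] -ge 8 } }
  @{ Id='1.1.5';  Name='Password complexity enabled';          Actual=$pol['System Access/PasswordComplexity'];    Ok={ $args[0] -eq '1' } }
  @{ Id='1.9.4';  Name='Guest account renamed';                Actual=$pol['System Access/NewGuestName'];          Ok={ $args[0] -and ($args[0] -replace '"','') -ne 'Guest' } }
  @{ Id='1.8.12'; Name='Deny network logon includes Guests';   Actual=$pol['Privilege Rights/SeDenyNetworkLogonRight'];     Ok={ "$($args[0])" -match $guest } }
  @{ Id='1.8.31'; Name='Deny local logon includes Guests';     Actual=$pol['Privilege Rights/SeDenyInteractiveLogonRight']; Ok={ "$($args[0])" -match $guest } }
  @{ Id='1.8.26'; Name='Replace process token = Local+Network Service'; Actual=$pol['Privilege Rights/SeAssignPrimaryTokenPrivilege']; Ok={ $s="$($args[0])"; ($s -match 'S-1-5-19') -and ($s -match 'S-1-5-20') } }
  @{ Id='1.7.6';  Name='UAC Admin Approval Mode (EnableLUA=1)'; Actual=(Get-Reg $sys 'EnableLUA');          Ok={ $args[0] -eq 1 } }
  @{ Id='1.9.24'; Name='Logon banner text configured';         Actual=(Get-Reg $sys 'LegalNoticeText');    Ok={ -not [string]::IsNullOrWhiteSpace($args[0]) } }
  @{ Id='1.9.25'; Name='Logon banner title configured';        Actual=(Get-Reg $sys 'LegalNoticeCaption'); Ok={ -not [string]::IsNullOrWhiteSpace($args[0]) } }
  @{ Id='1.9.40'; Name='IPsec NoDefaultExempt = 3';            Actual=(Get-Reg 'HKLM:\SYSTEM\CurrentControlSet\Services\IPSEC' 'NoDefaultExempt'); Ok={ $args[0] -eq 3 } }
  @{ Id='1.9.41'; Name='NetBT NoNameReleaseOnDemand = 1';      Actual=(Get-Reg 'HKLM:\SYSTEM\CurrentControlSet\Services\Netbt\Parameters' 'NoNameReleaseOnDemand'); Ok={ $args[0] -eq 1 } }
  @{ Id='1.9.47'; Name='Security log WarningLevel = 90';       Actual=(Get-Reg 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security' 'WarningLevel'); Ok={ $args[0] -eq 90 } }
  @{ Id='1.13.7'; Name='Screen saver password protected';      Actual=(Get-Reg $desk 'ScreenSaverIsSecure'); Ok={ "$($args[0])" -eq '1' } }
  @{ Id='1.13.8'; Name='Screen saver forced to scrnsave.scr';  Actual=(Get-Reg $desk 'SCRNSAVE.EXE');        Ok={ "$($args[0])" -match 'scrnsave\.scr$' } }
  @{ Id='1.13.9'; Name='Screen saver timeout 1..900 s';        Actual=(Get-Reg $desk 'ScreenSaveTimeOut');   Ok={ $args[0] -and [int]$args[0] -in 1..900 } }
)
# Audit subcategories: "Success (minimum)" is satisfied by Success or Success and Failure
foreach ($a in @(
    @('1.3.1','IPsec Driver','Success and Failure'),              @('1.3.2','Security State Change','Success and Failure'),
    @('1.3.3','Security System Extension','Success and Failure'), @('1.3.11','Process Creation','Success'),
    @('1.3.12','Audit Policy Change','Success and Failure'),      @('1.3.14','Computer Account Management','Success'),
    @('1.3.16','Other Account Management Events','Success'),      @('1.3.19','Credential Validation','Success'))) {
    $want = $a[2]
    $checks += @{ Id=$a[0]; Name="Audit $($a[1]): $want"; Actual=$audit[$a[1]]
                  Ok={ param($v) $v -eq $want -or $v -eq 'Success and Failure' }.GetNewClosure() }
}

$results = foreach ($c in $checks) {
    $ok = try { [bool](& $c.Ok $c.Actual) } catch { $false }
    [pscustomobject]@{ Id = $c.Id; Result = $(if ($ok) { 'PASSED' } else { 'FAILED' }); Check = $c.Name; Actual = "$($c.Actual)" }
}
$results | Sort-Object { [version]$_.Id } | Format-Table -AutoSize
```

The Actual column shows the raw value secedit, auditpol or the registry returned, which is the figure to compare against the report: a setting that passes here but failed in the scan usually means the scan ran against a different policy scope (machine versus user, or before a Group Policy refresh), while a setting that fails in both is confirmed and can be remediated through the corresponding Group Policy path.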