RE: PROPOSAL: Cluster 19 - NTCONFIG (13 candidates)
Wheee, this ought to be interesting.

Summary of votes to use (in ascending order of "severity"):

ACCEPT    - member accepts the candidate as proposed
NOOP      - member has no opinion on the candidate
MODIFY    - member wants to change some minor detail (e.g. reference/description)
REVIEWING - member is reviewing/researching the candidate
RECAST    - candidate must be significantly modified, e.g. split or merged
REJECT    - candidate is "not a vulnerability", or a duplicate, etc.

Please write your vote on the line that starts with "VOTE: ". If you want to add comments or details, add them to lines after the VOTE: line.

=================================
Candidate: CAN-1999-0499
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: CF

NETBIOS share information may be published through SNMP registry keys in NT.

VOTE: Accept

=================================
Candidate: CAN-1999-0534
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: CF

A Windows NT user has inappropriate rights or privileges, e.g. Act as System, Add Workstation, Backup, Change System Time, Create Pagefile, Create Permanent Object, Create Token Name, Debug, Generate Security Audit, Increase Priority, Increase Quota, Load Driver, Lock Memory, Profile Single Process, Remote Shutdown, Replace Process Token, Restore, System Environment, Take Ownership, or Unsolicited Input.

VOTE: Modify
If we are going to write a laundry list, put access to the scheduler in it.

=================================
Candidate: CAN-1999-0535
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: CF

A Windows NT account policy for passwords has inappropriate, security-critical settings, e.g. for password length, password age, or uniqueness.

VOTE: Recast
Inappropriate implies there is appropriate. As a guy who has been monitoring networks for years I have deep reservations about justifying the existence of any fixed cleartext password. For appropriate to exist, some "we" would have to establish some criteria for appropriate passwords.

=================================
Candidate: CAN-1999-0546
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: CF

The Windows NT guest account is enabled.

VOTE: Accept

=================================
Candidate: CAN-1999-0562
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: CF

The registry in Windows NT can be accessed remotely by users who are not administrators.

VOTE: Recast
This isn't all or nothing; users may be allowed to access part of the registry.

=================================
Candidate: CAN-1999-0572
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: CF

.reg files are associated with the Windows NT registry editor, making the registry susceptible to Trojan Horse attacks.

VOTE: NOOP
I don't quite get what this means, sorry.

=================================
Candidate: CAN-1999-0575
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: CF

A Windows NT system's user audit policy does not log an event success or failure, e.g. for Logon and Logoff, File and Object Access, Use of User Rights, User and Group Management, Security Policy Changes, Restart, Shutdown, and System, and Process Tracking.

VOTE: RECAST
It isn't a great truth that you should enable all of the above; if you do, you potentially introduce a vulnerability of filling up the file system with stuff you will never look at.

=================================
Candidate: CAN-1999-0576
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: CF

A Windows NT system's file audit policy does not log an event success or failure for security-critical files or directories.

VOTE: REJECT
1.) Too general; are we ready to state what the security-critical files and directories are?
2.) Do Ataris, Windows CE, PalmOS, Linux have such a capability?

=================================
Candidate: CAN-1999-0577
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: CF

A Windows NT system's file audit policy does not log an event success or failure for non-critical files or directories.

VOTE: REJECT

=================================
Candidate: CAN-1999-0578
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: CF

A Windows NT system's registry audit policy does not log an event success or failure for security-critical registry keys.

VOTE: REJECT

=================================
Candidate: CAN-1999-0579
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: CF

A Windows NT system's registry audit policy does not log an event success or failure for non-critical registry keys.

VOTE: REJECT

=================================
Candidate: CAN-1999-0582
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: CF

A Windows NT account policy has inappropriate, security-critical settings for lockout, e.g. lockout duration, lockout after bad logon attempts, etc.

VOTE: REJECT
The definition is?

=================================
Candidate: CAN-1999-0585
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: CF

A Windows NT administrator account has the default name of Administrator.

VOTE: REJECT
I change this on all NT systems I am responsible for, but is root a vulnerability?
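The following script is an added example and is not part of the post above or of the CVE proposal. It shows how a defender would check a host for several of the NTCONFIG conditions voted on (guest account enabled, default Administrator name, remote registry access, audit policy gaps, password and lockout policy). It assumes a modern Windows host with Windows PowerShell 5.1 or later and the Microsoft.PowerShell.LocalAccounts module, run from an elevated prompt; the 1999-era NT 4 host the candidates describe would not have these cmdlets. The "expected" identity list for the winreg key and the password/lockout thresholds are assumptions chosen for illustration, since the candidates themselves (as the voter notes) do not define what "appropriate" is. All checks are read-only.

```powershell
# Added example (not the post's or the CVE project's code): read-only checks for
# several NTCONFIG candidates on a modern Windows host.
# Assumes PowerShell 5.1+, the LocalAccounts module, and an elevated prompt.

$findings = New-Object System.Collections.Generic.List[string]

# CAN-1999-0546: the built-in Guest account (RID 501) is enabled.
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like '*-501' }
if ($guest -and $guest.Enabled) {
    $findings.Add("CAN-1999-0546: Guest account '$($guest.Name)' is enabled")
}

# CAN-1999-0585: the built-in administrator (RID 500) still has the default name.
$admin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
if ($admin -and $admin.Name -eq 'Administrator') {
    $findings.Add("CAN-1999-0585: built-in administrator is still named 'Administrator'")
}

# CAN-1999-0562: remote registry access is governed by the ACL on the winreg key.
# Report any identity granted access that is outside the expected set.
$winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
# Expected set is an assumption for this example; tailor it to your baseline.
$expectedIdentities = @('BUILTIN\Administrators', 'NT AUTHORITY\LOCAL SERVICE', 'BUILTIN\Backup Operators')
if (Test-Path $winreg) {
    (Get-Acl $winreg).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -notin $expectedIdentities } |
        ForEach-Object {
            $findings.Add("CAN-1999-0562: '$($_.IdentityReference)' has $($_.RegistryRights) on winreg")
        }
}

# CAN-1999-0575: audit subcategories that record neither success nor failure.
# auditpol prints one "<Subcategory>   <Setting>" line per subcategory.
$auditLines = auditpol /get /category:* 2>$null
$auditLines | Where-Object { $_ -match 'No Auditing' } | ForEach-Object {
    $sub = ($_ -replace '\s{2,}No Auditing.*$', '').Trim()
    $findings.Add("CAN-1999-0575: no auditing configured for '$sub'")
}

# CAN-1999-0535 / CAN-1999-0582: password and lockout policy as reported by "net accounts".
function Get-NetAccountsValue([string[]]$Lines, [string]$Label) {
    # Returns the value after the colon on the first line starting with $Label.
    $line = $Lines | Where-Object { $_ -like "$Label*" } | Select-Object -First 1
    if ($line) { return ($line -replace '^[^:]*:\s*', '').Trim() }
}
$net = net accounts 2>$null

# Threshold of 8 characters is an assumption for this example, not a CVE-defined value.
$minLen = Get-NetAccountsValue $net 'Minimum password length'
if ($minLen -and ([int]$minLen) -lt 8) {
    $findings.Add("CAN-1999-0535: minimum password length is $minLen")
}
$maxAge = Get-NetAccountsValue $net 'Maximum password age'
if ($maxAge -eq 'Unlimited') {
    $findings.Add("CAN-1999-0535: maximum password age is unlimited")
}
$history = Get-NetAccountsValue $net 'Length of password history'
if ($history -eq 'None') {
    $findings.Add("CAN-1999-0535: no password history (uniqueness) enforced")
}
$lockout = Get-NetAccountsValue $net 'Lockout threshold'
if ($lockout -eq 'Never') {
    $findings.Add("CAN-1999-0582: account lockout is disabled (threshold 'Never')")
}

if ($findings.Count -eq 0) { 'No NTCONFIG findings on this host' } else { $findings }
```

Each finding is tagged with the candidate it corresponds to so the output can be mapped back to the cluster. The winreg check illustrates the voter's point on CAN-1999-0562: the ACL can grant partial access to specific groups, so a useful check lists who has what rather than answering "remote access: yes/no". The auditpol check only flags subcategories with no auditing at all; deciding which of them matter, and how much log volume you can afford to keep, is the policy question the CAN-1999-0575 vote raises.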