[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: PROPOSAL: Cluster 19 - NTCONFIG (13 candidates)



=================================
Candidate: CAN-1999-0499
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: CF

NETBIOS share information may be published through SNMP registry keys
in NT.

VOTE:  ACCEPT

=================================
Candidate: CAN-1999-0534
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: CF

A Windows NT user has inappropriate rights or privileges, e.g. Act as
System, Add Workstation, Backup, Change System Time, Create Pagefile,
Create Permanent Object, Create Token Name, Debug, Generate Security
Audit, Increase Priority, Increase Quota, Load Driver, Lock Memory,
Profile Single Process, Remote Shutdown, Replace Process Token,
Restore, System Environment, Take Ownership, or Unsolicited Input.

VOTE:  ACCEPT

=================================
Candidate: CAN-1999-0535
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: CF

A Windows NT account policy for passwords has inappropriate,
security-critical settings, e.g. for password length, password age, or
uniqueness.

VOTE:  MODIFY

Perhaps this could be re-worded a bit.  The CVE CAN-1999-00582 specifies
"...settings for lockouts".  To remain consistent with the other, maybe
it
should specify "...settings for passwords"
I think most people would agree that passwords should be at least 8
characters; contain letters (upper and lowercase), numbers and at least
one
non-alphanumeric; should only be good a limited time 30-90 days; and
should
not contain character combinations from user's prior 2 or 3 passwords.

Suggested rewrite - 
A Windows NT account policy does not enforce reasonable minimum
security-critical settings for passwords, e.g. passwords of sufficient
length, periodic required password changes, or new password uniqueness 

=================================
Candidate: CAN-1999-0546
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: CF

The Windows NT guest account is enabled.

VOTE:  ACCEPT

=================================
Candidate: CAN-1999-0562
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: CF

The registry in Windows NT can be accessed remotely by users who are
not administrators.

VOTE:  ACCEPT

=================================
Candidate: CAN-1999-0572
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: CF

..reg files are associated with the Windows NT registry editor, making
the registry susceptible to Trojan Horse attacks.

VOTE:  ACCEPT

=================================
Candidate: CAN-1999-0575
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: CF

A Windows NT system's user audit policy does not log an event success
or failure, e.g. for Logon and Logoff, File and Object Access, Use of
User Rights, User and Group Management, Security Policy Changes,
Restart, Shutdown, and System, and Process Tracking.

VOTE:  REVIEWING

=================================
Candidate: CAN-1999-0576
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: CF

A Windows NT system's file audit policy does not log an event success
or failure for security-critical files or directories.

VOTE:  ACCEPT

=================================
Candidate: CAN-1999-0577
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: CF

A Windows NT system's file audit policy does not log an event success
or failure for non-critical files or directories.

VOTE:  REVIEWING

=================================
Candidate: CAN-1999-0578
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: CF

A Windows NT system's registry audit policy does not log an event
success or failure for security-critical registry keys.

VOTE:  ACCEPT

=================================
Candidate: CAN-1999-0579
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: CF

A Windows NT system's registry audit policy does not log an event
success or failure for non-critical registry keys.

VOTE:  ACCEPT

=================================
Candidate: CAN-1999-0582
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: CF

A Windows NT account policy has inappropriate, security-critical
settings for lockout, e.g. lockout duration, lockout after bad logon
attempts, etc.

VOTE:  MODIFY

Maybe a rewording of this one too.  I think most people would agree on
some "minimum" policies like 3-5 bad attempts lockout for an hour or
until
the administrator unlocks the account.

Suggested rewrite - 
A Windows NT account policy does not enforce reasonable minimum
security-critical settings for lockouts, e.g. lockout duration,
lockout after bad logon attempts, etc.

=================================
Candidate: CAN-1999-0585
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: CF

A Windows NT administrator account has the default name of
Administrator.

VOTE:  REJECT

There are ways to identify the administrator account anyway, so this is
only a
minor delay to someone that is knowledgeable.  This, in and of itself,
doesn't really strike me as a vulnerability, anymore than the root
account on a Unix box.

==================================

 ------------------------------------------------------------
 David W. Baker
 INFOSEC Engineer                           bakerd@mitre.org
 G023 - Secure Information Technology      (703) 883-3658
 The MITRE Corporation                     (703) 883-1397 FAX
 1820 Dolley Madison Blvd, Mailstop W422    McLean, VA, 22102
 ------------------------------------------------------------

 
Page Last Updated: May 22, 2007