System Security Analysis - Windows
4 Votes (average over 2 ratings)
Property Details
ID: 2998604
Status: Beta - Preliminary testing ready for more
Title: System Security Analysis - Windows
Publisher: BESC
Keywords: Security Analysis, Firewall, Remote Desktop, IIS, Apache, Telnet, Antivirus
Added: suzib6sw on 3/6/2020 10:51:34 AM
Updated: suzib6sw on 3/6/2020 10:52:49 AM
4797 Views / 100 Downloads
Properties
Windows Firewall
Period: 5 minutes
If exists running service "MpsSvc" then "Running" Else "Warning"

IPSec Firewall
Period: 1 hour
if (exists keys "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local" whose (exists values whose (name of it = "ActivePolicy") of it) of registry) then "Yes" else "No"

GPO Applied IPSec
Period: 1 hour
if (exists keys "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\GPTIPSECPolicy" whose (exists values whose (name of it = "DSIPSECPolicyFlags") of it) of registry) then "Yes" else "No"

File and Print Sharing
Period: 1 hour
if rule group currently enabled "File and Printer sharing" of firewall then "Enabled" else "Disabled"
RDP Services Running?
Period: 1 hour
if (exists services whose ((service name of it as lowercase = "TermService" as lowercase) AND (state of it = "Running"))) AND (exists keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" whose (exists values whose (name of it = "fDenyTSConnections" AND it as string as lowercase = "1" as lowercase) of it) of registry) then "Yes but denying connections" else if (exists services whose ((service name of it as lowercase = "TermService" as lowercase) AND (state of it = "Running"))) AND (exists keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" whose (exists values whose (name of it = "fDenyTSConnections" AND it as string as lowercase = "0" as lowercase) of it) of registry) then "Yes and allowing connections" else "No"

RDP Port
Period: 12 hours
Value "PortNumber" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" of registry

RDP NLA Enabled?
Period: 1 hour
if (exists keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" whose (exists values whose (name of it = "UserAuthentication" AND it as string as lowercase = "1" as lowercase) of it) of registry) then "Yes" else "No"

RDP in use on defined port
Period: Every Report
if exists (sockets of network) whose ((local port of it = Value "PortNumber" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" of registry) and (tcp state of it as string = "ESTABLISHED")) Then "Active" else "Not in use"

Incoming RDP Logs
Period: 6 hours
(preceding text of first "%0d%0a" of following text of first "User: " of description of it | "Unknown", time generated of it, (if (it = 21) then ("New Session") else ("Resumed Session")) of (event id of it), following text of last ": " of description of it) of records ((integers in (item 0 of it + item 1 of it - 1, maximum of (item 0 of it + item 1 of it - 2000; item 1 of it))) of (record count of it, oldest record number of it)) whose (exists description of it and (event id of it = 21 or event id of it = 25) and description of it does not contain "LOCAL") of event log "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
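The RDP checks above (TermService state, fDenyTSConnections, NLA, the configured port and established sessions on it) as one PowerShell function, an added example that is not part of this analysis; it assumes Windows PowerShell 5.1 or later with the NetTCPIP module (Get-NetTCPConnection) available.

```powershell
# Added example: reproduces the RDP posture properties of the analysis in PowerShell.
# Assumes Windows PowerShell 5.1+ and the NetTCPIP module; run as a user that can read HKLM.
function Get-RdpPosture {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = Join-Path $ts 'WinStations\RDP-Tcp'

    $svc  = Get-Service -Name TermService -ErrorAction SilentlyContinue
    $deny = (Get-ItemProperty -Path $ts  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $nla  = (Get-ItemProperty -Path $tcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $port = (Get-ItemProperty -Path $tcp -Name PortNumber         -ErrorAction SilentlyContinue).PortNumber

    $running = ($svc -and $svc.Status -eq 'Running')

    # Same three outcomes as the "RDP Services Running?" property; a missing flag yields "No"
    $rdp = if ($running -and $deny -eq 1) { 'Yes but denying connections' }
           elseif ($running -and $deny -eq 0) { 'Yes and allowing connections' }
           else { 'No' }

    # Established sessions on the configured RDP port ("RDP in use" / "IP of Remote Desktop connection")
    $peers = @()
    if ($port) {
        $peers = @(Get-NetTCPConnection -LocalPort $port -State Established -ErrorAction SilentlyContinue |
                   Select-Object -ExpandProperty RemoteAddress -Unique)
    }

    [pscustomobject]@{
        RdpService  = $rdp
        NlaEnabled  = ($nla -eq 1)          # "RDP NLA Enabled?"
        Port        = $port                 # "RDP Port"
        InUse       = if ($peers.Count -gt 0) { 'Active' } else { 'Not in use' }
        RemotePeers = ($peers -join ', ')
    }
}

Get-RdpPosture | Format-List
```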
Telnet Client running?
Period: 1 hour
if exists running service "TelnetClient" then "Yes" else "No"

Telnet Server Running
Period: 15 minutes
if exists running service "TelnetServer" then "Yes" else "No"
FTP Running?
Period: 15 minutes
If (exists services whose (((service name of it as lowercase = "msftpsvc") AND (state of it = "Running")) OR ((service name of it as lowercase = "ftpsvc") AND (state of it = "Running")))) then "Yes" else "No"
AntiVirus Installed
Period: 15 minutes
if (exists running service whose (service name of it = "MsMpSvc")) then "MS.System Endpoint Protection" else if (exists running service whose (service name of it = "WinDefend")) then "Windows Defender" else if (exists running service whose (service name of it = "SepMasterService")) then "Symantec" else if (exists running service whose (service name of it = "Symantec AntiVirus")) then "Symantec" else if (exists running service whose (service name of it = "avast! Antivirus")) then "Avast" else if (exists running service whose (service name of it = "CmdAgent")) then "Comodo" else if (exists running service whose (service name of it as lowercase contains "klnagent")) then "Kaspersky" else if (exists running service whose (service name of it as lowercase starts with "avg")) then "AVG" else if (exists running service whose (service name of it starts with "ekrn")) then "Eset" else if (exists running service whose (service name of it as lowercase starts with "avira")) then "Avira" else if (exists running service whose (service name of it as lowercase starts with "norton antivirus client")) then "Norton" else if (exists running service whose (service name of it as lowercase starts with "mcshield")) then "McAfee" else if (exists running service whose (service name of it as lowercase starts with "inort")) then "Trend" else if (exists running service whose (service name of it as lowercase contains "mbamservice")) then "MalwareBytes but may not be realtime" else "Investigate"
SQL Server running?
Period: 1 day
if exists services whose ((state of it = "Running") AND ((service name of it as lowercase = "MSSQL" as lowercase) OR (service name of it as lowercase starts with "SQLBrowser" as lowercase) OR (service name of it as lowercase starts with "SQLAgent" as lowercase))) = True Then "Yes" else "No"

IIS Running?
Period: 1 hour
if exists running service "W3SVC" then "Yes" else "No"

Apache/Tomcat Running?
Period: 1 hour
if (exists running application whose (name of it as lowercase = "tomcat7.exe" as lowercase OR name of it as lowercase = "tomcat6.exe" as lowercase)) or (exists services whose ((service name of it as lowercase starts with "Apache" as lowercase) AND (state of it = "Running"))) Then "Yes" Else "No"
Windows last patch date
Period: 12 hours
preceding texts of last " " of preceding texts of last " " of (it as string) of (maximum of last write times of keys whose (name of it contains "KB") of keys ("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\"; "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\"; "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix") of (registry; native registry))
Version of 32 Bit Java
Period: 6 hours
concatenation ", " of (names of keys of keys "HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Runtime Environment" of registry) whose (it != "")

Version of 64 Bit Java
Period: 6 hours
concatenation ", " of (names of keys of keys "HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Runtime Environment" of x64 registry) whose (it != "")
Number of Local Admins
Period: 1 hour
number of members of local group "administrators"

Names of Administrators Group
Period: 30 minutes
members of local group "Administrators"

Local Users accounts and Password expiration status
Period: 1 day
(name of it & (if (account disabled flag of it = TRUE) then " - Disabled" else " - Enabled") & (if (password expiration disabled flag of it = TRUE) then " No Password expiration" else "")) of local users

Password age of local users
Period: 1 day
(name of it & " - " & password age of it as string) of local users

IE Proxy Server Status
Period: 1 hour
if (exists key "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings" whose (value "ProxyEnable" of it as integer = 1) of current user keys (logged on users) of registry) then "Manual Proxy Enabled" else "Automatically Detect"

IE Proxy Server & Port
Period: 15 minutes
if (exists key "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings" whose (exists value "ProxyServer" of it) of current user keys (logged on users) of registry) then (values "ProxyServer" of key "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings" of current user keys (logged on users) of registry as string) else ("not configured")

Wireless SSID
Period: 1 day
if version of client >= "9.0" then ssids of wifis of adapters of network else "N/A"

Wireless Encryption Status
Period: 6 hours
if version of client >= "9.0" then encryptions of wifis of adapters of network else "N/A"
PPP Enabled
Period: 1 day
exists ip interface whose (point to point of it = true) of networks

Scope of Remote Desktop Firewall
Period: 1 day
if exists (rules of firewall) whose (name of it as string starts with "Remote Desktop" or name of it contains "RDP") then (remote addresses strings of (rules of firewall) whose (name of it as string starts with "Remote Desktop" or name of it contains "RDP")) else "No rule named RDP or Remote Desktop"

IP of Remote Desktop connection
Period: Every Report
unique values of (remote addresses of (sockets of network) whose ((local port of it = Value "PortNumber" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" of registry) and (tcp state of it as string = "ESTABLISHED")))

SSH Running? (port 22)
Period: Every Report
if exists (sockets of network) whose ((local port of it = 22) and (tcp state of it as string = "ESTABLISHED")) Then "Active" else "Not in use"

IP of Remote SSH Connection (Port 22)
Period: Every Report
unique values of (remote addresses of (sockets of network) whose ((local port of it = 22) and (tcp state of it as string = "ESTABLISHED")))

Winlogbeat Installed?
Period: 30 minutes
if (exists services whose ((service name of it = "winlogbeat") and (state of it = "Running"))) Then "Yes and Running" else if (exists services whose ((service name of it = "winlogbeat") and (state of it != "Running"))) then "Yes but not running" else "Not Installed"

Established TCP and UDP Connections
Period: Every Report
names of processes of sockets whose (established of tcp state of it and local port of it = Value "PortNumber" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" of registry) of network

IE Automatic Configuration Script URL
Period: 1 hour
If Exists value "AutoConfigURL" of keys of key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\iphlpsvc\Parameters\ProxyMgr" of registry then value "AutoConfigURL" of keys of key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\iphlpsvc\Parameters\ProxyMgr" of registry as string Else "Not used for any profiles"
Last Logged in User
Period: 1 hour
if (name of operating system as lowercase contains "win") then (if ((name of operating system as lowercase contains "xp") or (name of operating system as lowercase contains "win2003")) then (if exists values "DefaultUserName" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" of (if x64 of operating system then (x64 registry; x32 registry) else registry) then values "DefaultUserName" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" of (if x64 of operating system then (x64 registry; x32 registry) else registry) as string else "No User Logged") else (if exists values "LastLoggedOnUser" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI" of (if x64 of operating system then (x64 registry; x32 registry) else registry) then values "LastLoggedOnUser" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI" of (if x64 of operating system then (x64 registry; x32 registry) else registry) as string else "No User Logged")) else ("Not Win")
Names of Users in Remote Desktop Group
Period: 30 minutes
members of local group "Remote Desktop Users"

Warning: Number of patches missing
Period: 5 minutes
number of relevant fixlets whose (exists values whose ("Important" = it OR "Critical" = it) of headers "X-Fixlet-Source-Severity" of it AND not exists values whose (it contains " (Superseded)") of headers "Subject" of it AND exists (current date - it) whose (it > 30 * day) of (it as date) of values whose (exists it as date) of headers "X-Fixlet-Source-Release-Date" of it) of sites whose ("Fixlet Site" = type of it AND exists names whose (it starts with "Updates for " OR it starts with "Patches for" OR it = "Enterprise Security") of it)
Comments

Good catch. At the time, the SQL Server service was just MSSQL with nothing else.

About "SQL Server running?": shouldn't the first part be contains "MSSQL" not = "MSSQL"? :) if exists services whose((state of it= "Running") AND ((service name of it as lowercase contains "MSSQL" as lowercase ) OR (service name of it as lowercase starts with "SQLBrowser" as lowercase ) OR (service name of it as lowercase starts with "SQLAgent" as lowercase )) ) = True Then "Yes" else "No"