
PROPOSAL: Cluster 19 - NTCONFIG (13 candidates)



This cluster is a prime example of many of the high-level content
decisions for configuration problems.  It begins to touch on many of
the intricacies of Windows NT configuration which make it a different
beast than Unix.

The term "security-critical" as used in these descriptions is related
to the "Leveraged vs. Assigned Access" decision, and is an attempt to
distinguish between configuration problems that are truly dangerous in
any configuration, versus those that are dangerous only when
interpreted through the enterprise's policy.  For example, there's no
way that someone or something outside of the enterprise can know if
it's a mistake for a particular user to have Administrator privileges;
but allowing a minimal password length of 2 can allow an attacker to
easily Leverage that to gain additional access.

Almost all of these candidates are High Cardinality and could be
described using the dot notation that Dave Mann proposed yesterday.
However, some of them are also impossible to completely enumerate, and
a dot notation (or any numbering scheme) would not be effective in
these cases.

CAN-1999-0534 and the audit policy candidates are prime examples of
the "Same Checkbox, Same Vulnerability" and "Different Risk, Same
Configuration Problem" content decisions.  Most tools report
CAN-1999-0534 at one level of abstraction lower than the CVE uses,
which count as 27 different checks.  However, during internal vetting,
this was a prime candidate where all sysadmin-savvy people agreed that
the LOA used by the CVE was the appropriate one.  I consider it a good
example of how dot notation would be beneficial.

The candidates dealing with audit policy also begin to touch on a
previously undiscussed part of the detailed CVE vulnerability
definition, namely a state which "(5) allows an entity to prevent or
limit the tracking of activities which attempt to exploit another
vulnerability."

- Steve



Summary of votes to use (in ascending order of "severity"):

ACCEPT - member accepts the candidate as proposed
NOOP - member has no opinion on the candidate
MODIFY - member wants to change some minor detail (e.g. reference/description)
REVIEWING - member is reviewing/researching the candidate
RECAST - candidate must be significantly modified, e.g. split or merged
REJECT - candidate is "not a vulnerability", or a duplicate, etc.

Please write your vote on the line that starts with "VOTE: ".  If you
want to add comments or details, add them to lines after the VOTE: line.


=================================
Candidate: CAN-1999-0499
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: CF

NETBIOS share information may be published through SNMP registry keys
in NT.

VOTE:

=================================
Candidate: CAN-1999-0534
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: CF

A Windows NT user has inappropriate rights or privileges, e.g. Act as
System, Add Workstation, Backup, Change System Time, Create Pagefile,
Create Permanent Object, Create Token Name, Debug, Generate Security
Audit, Increase Priority, Increase Quota, Load Driver, Lock Memory,
Profile Single Process, Remote Shutdown, Replace Process Token,
Restore, System Environment, Take Ownership, or Unsolicited Input.

VOTE:

=================================
Candidate: CAN-1999-0535
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: CF

A Windows NT account policy for passwords has inappropriate,
security-critical settings, e.g. for password length, password age, or
uniqueness.

VOTE:

=================================
Candidate: CAN-1999-0546
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: CF

The Windows NT guest account is enabled.

VOTE:

=================================
Candidate: CAN-1999-0562
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: CF

The registry in Windows NT can be accessed remotely by users who are
not administrators.

VOTE:

=================================
Candidate: CAN-1999-0572
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: CF

.reg files are associated with the Windows NT registry editor, making
the registry susceptible to Trojan Horse attacks.

VOTE:

=================================
Candidate: CAN-1999-0575
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: CF

A Windows NT system's user audit policy does not log an event success
or failure, e.g. for Logon and Logoff, File and Object Access, Use of
User Rights, User and Group Management, Security Policy Changes,
Restart, Shutdown, and System, and Process Tracking.

VOTE:

=================================
Candidate: CAN-1999-0576
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: CF

A Windows NT system's file audit policy does not log an event success
or failure for security-critical files or directories.

VOTE:

=================================
Candidate: CAN-1999-0577
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: CF

A Windows NT system's file audit policy does not log an event success
or failure for non-critical files or directories.

VOTE:

=================================
Candidate: CAN-1999-0578
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: CF

A Windows NT system's registry audit policy does not log an event
success or failure for security-critical registry keys.

VOTE:

=================================
Candidate: CAN-1999-0579
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: CF

A Windows NT system's registry audit policy does not log an event
success or failure for non-critical registry keys.

VOTE:

=================================
Candidate: CAN-1999-0582
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: CF

A Windows NT account policy has inappropriate, security-critical
settings for lockout, e.g. lockout duration, lockout after bad logon
attempts, etc.

VOTE:

=================================
Candidate: CAN-1999-0585
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990721
Assigned: 19990607
Category: CF

A Windows NT administrator account has the default name of
Administrator.

VOTE:

Page Last Updated or Reviewed: May 22, 2007