#90539 - 2003-01-20 10:08 PM
Re: PostPrep-Test Post , please ignore code
Jochen
KiX Supporter
Registered: 2000-03-17
Posts: 6380
Loc: Stuttgart, Germany
#90540 - 2003-01-22 10:16 AM
Re: PostPrep-Test Post , please ignore code
NTDOC
Administrator
Registered: 2000-07-28
Posts: 11624
Loc: CA
TEST TEST... 060 milliseconds to complete Commands 16 Functions 7 Macros 2
break on
; this is a comment test for color GREEN
? "System Memory = " val(WMIQuery("TotalPhysicalMemory","Win32_LogicalMemoryConfiguration"))/1024 " MB"
for each $dimm in Split(WMIQuery("Capacity","Win32_PhysicalMemory"),"|")
    ? "Dimm Size = " val($dimm) / 1048576 " MB"
next

FUNCTION WMIQuery($what,$where,)
    dim $strQuery, $objEnumerator, $value
    $strQuery = "Select $what From $where"
    $SystemSet = GetObject("winmgmts:{impersonationLevel=impersonate}!//@WKSTA")
    $objEnumerator = $SystemSet.ExecQuery($strQuery)
    For Each $objInstance in $objEnumerator
        If @Error = 0 and $objInstance <> ""
            ; pull the requested property off the current instance by name
            $=execute("$$value = $$objInstance.$what")
            $WMIQuery="$value"+"|"+"$WMIQuery"
        EndIf
    Next
    ; drop the trailing "|" separator
    $WMIQuery=left($WMIQuery,len($WMIQuery)-1)
    exit @error
ENDFUNCTION
TEST 2 TEST 2
; arrayenumkey.kix
break on
$subkey='HKEY_LOCAL_MACHINE\SOFTWARE'
$array=arrayenumkey($subkey)
; ubound() is the last index, so the count is one more
? 'Number of software Packages:'+(ubound($array)+1)
for $counter=0 to ubound($array)
    ? 'Software Package '+right(' '+$counter,2)+' = '+$array[$counter]
next
exit 0

function arrayenumkey($regsubkey)
    dim $retcode, $subkeycounter, $currentsubkey, $subkeyarray
    if not keyexist($regsubkey)
        $arrayenumkey=''
        return
    endif
    $subkeycounter=0
    do
        ; enumkey returns 259 (ERROR_NO_MORE_ITEMS) once the subkeys are exhausted
        $currentsubkey=enumkey($regsubkey,$subkeycounter)
        if $currentsubkey<>259 and @ERROR=0
            redim preserve $subkeyarray[$subkeycounter]
            $subkeyarray[$subkeycounter]=$currentsubkey
            $subkeycounter=$subkeycounter+1
        endif
    until $currentsubkey=259 or @ERROR
    $arrayenumkey=$subkeyarray
endfunction
[ 22. January 2003, 10:20: Message edited by: NTDOC ]
#90542 - 2003-01-22 10:34 AM
Re: PostPrep-Test Post , please ignore code
NTDOC
Administrator
Registered: 2000-07-28
Posts: 11624
Loc: CA
Okay.. BIGGER Test
TEST TEST #3
49K File size Convert time: 03 Seconds 996 milliseconds Commands: 281 Functions: 161 Macros: 16
; Original date script downloaded: 05/10/2001
; Registry Security Script (Kix32)
; Allows an administrator to set 46 security-related Registry edits for NT defined in 3
; increasingly-secure (and modifiable) levels. Includes the ability to prompt the user for
; each edit or wholly automate the entire process. Also includes debug functions
;
;
; ************************************************************************************
;
; REGSEC.KIX
; Registry Security Script
; rpuckett@snl.com
; Version 1.0.3
; February 3, 2000
;
; ************************************************************************************
;
; This script is designed to provide Administrators with a mechanism for importing
; (currently) 46 individual Security-related Registry edits to systems on a network.
; The script employs 3 levels of security (DEFCON 1-3) that define a tailorable
; set of edits based on the level. I have segmented the edits as I would use them,
; but they can be moved into different DEFCON settings (and these can be expanded)
; to suit your needs by changing the $LEVEL value for each defined edit. You may
; also wish to provide a prompt to the User, providing them with a messagebox that
; defines the edit type which they can then accept or decline. This is set using the
; $QUERYUSR variable. If set to "1", a messagebox is displayed for each edit. This
; can also be expanded upon as the value can be placed in (and reset for) specific
; edits, while others can remain automated (with a setting of "0"). All of these
; variables can also be mixed and matched based on the use of the INGROUP function,
; allowing you to tailor the installation method(s) even further.
;
; Ex. IF INGROUP ("SYSTEMS") = 1
;        $QUERYUSR = "1"
;        $DEFCON = 2
;        blah, blah, blah...
;     ENDIF
;
; Finally, you can simply output the types of edits associated with each DEFCON level
; by setting the $DEBUG variable to "1" ("0" actually runs the edits for each level).
;
; As this script employs looping through each edit, it is easily updated as new
; security edits become available. Simply add a new label (:SECREGxx - with the 'xx'
; representing the next available number after 46) and replace the $NEXT variable of
; the preceding label with the name of the new label. Finally, be sure to add a
; $NEXT variable to the last new :SECREGxx label with a value of "END". Make sure to
; set the $LEVEL value of each edit to identify its DEFCON level.
;
; NOTE: The $SPECIAL variable, when set to "1", defines an additional action for the
; edit it is assigned to in the GOSUB 'ADDFUNCT'. This can be used to run functions
; or options to preclude an edit. If you employ the $SPECIAL value in future edits,
; be sure to add the additional functions to the ADDFUNCT GOSUB routine by referencing
; the $REGVALUE as an added CASE value. All files referenced in special functions are
; copied from the $GETFILES value (currently @LSERVER\NETLOGON), but this can be
; changed to whatever location you desire.
;
; WARNING (and DISCLAIMER):
; Nothing replaces common sense, especially when it comes to the Registry and
; Security. The documentation added to each edit (along with the associated MSKB
; Article/Whitepaper Information) should help you to understand the basic function of
; the edit as well as to provide you with another location for more information.
; Avoid potentially serious consequences by reading everything available on a
; particular edit if it is unfamiliar to you. Do not use edits that are untested
; in your environment as they may have unforeseeable (and undesirable) outcomes.
;
; ************************************************************************************
; SCRIPT VARIABLES

; OPTIONAL SETTINGS - 0 or 1
; 0 - Automatic Addition of Values
; 1 - Display Messagebox Query for each Setting
$QUERYUSR = "1"

; OPTIONAL SETTINGS - 0 or 1
; 0 - Run DEFCON Level Defined Registry Changes
; 1 - Display DEFCON Level Registry Information Only (No Changes Made)
$DEBUG = "1"

; OPTIONAL SETTINGS - 1, 2, 3
; 1 - DEFCON 1 / Basic Security (Good for most environments)
; 2 - DEFCON 2 / Enhanced Security (Disables connectivity to LM/9x Clients)
; 3 - DEFCON 3 / Advanced Security (Near C2 Settings)
$DEFCON = "3"

; LOG LOCATION & NAME (Root of C:\ *not* recommended)
$LOGNAME = "C:\@WKSTA.TXT"

; SERVER TO BE NOTIFIED OF ERRORS
$NOTIFYSVR = "NOTIFY_SERVER_HERE"

; SPECIAL VARIABLE SETTING FOR REGISTRY CHANGES
; REQUIRING ADDITIONAL OPERATIONS
$SPECIAL = "0"

; LOCATION FROM WHICH $SPECIAL FUNCTION FILES ARE COPIED (like PASSFILT.DLL, etc.)
$GETFILES = "@LSERVER\NETLOGON"
; OPERATING SYSTEM TYPES
; IF THE SYSTEM IS NOT NT WORKSTATION 4.0, THEN EXIT THE SCRIPT...
SELECT
    ; WINDOWS 95
    CASE ((@INWIN = 2) AND (@DOS = 4.0))
        EXIT
    ; WINDOWS 98
    CASE ((@INWIN = 2) AND (@DOS >= 4.10))
        EXIT
    ; WINDOWS 2000
    CASE ((@INWIN = 1) AND (@DOS = 5.0))
        EXIT
    ; WINDOWS NT 4.0
    CASE ((@INWIN = 1) AND (@DOS = 4.0))
        ; CHECK THE NT INSTALLATION TYPE...
        $NTREG = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions"
        $NTTYPE = READVALUE($NTREG, "ProductType")
        IF @ERROR = 0
            SELECT
                CASE $NTTYPE = "WinNT"
                    $OS = "Windows NT Workstation 4.0"
                    GOTO START
                CASE $NTTYPE = "ServerNT"
                    $OS = "Windows NT Server 4.0 (Stand-Alone)"
                    GOTO START
                CASE $NTTYPE = "LanmanNT"
                    $OS = "Windows NT Server 4.0 (Domain Controller)"
                    GOTO START
                CASE 1
                    $ERRCODE = SENDMESSAGE($NOTIFYSVR, "An unknown version of Windows NT [" + $NTTYPE + "] was detected on @WKSTA at @TIME on @DATE")
                    EXIT
            ENDSELECT
        ENDIF
        IF @ERROR <> 0
            $ERRCODE = SENDMESSAGE($NOTIFYSVR, "Unable to read the 'ProductType' value from the Registry on @WKSTA at @TIME on @DATE")
            EXIT
        ENDIF
    CASE 1
        $ERRCODE = SENDMESSAGE($NOTIFYSVR, "Unable to determine the OS type installed on @WKSTA at @TIME on @DATE")
        EXIT
ENDSELECT
:START
; **OPTIONAL FUNCTION - PRIVILEGE CHECKING
; REMOVE IF UNNEEDED IN YOUR ENVIRONMENT
;$ACCESS = @PRIV
;SELECT
;    CASE $ACCESS = "GUEST"
;        ? "GUEST"
;        ? "You must possess Administrative privileges to perform these security updates"
;        SLEEP 4
;        EXIT
;    CASE $ACCESS = "USER"
;        ? "USER"
;        ? "You must possess Administrative privileges to perform these security updates"
;        SLEEP 4
;        EXIT
;    CASE $ACCESS = "ADMIN"
;        ? "ADMIN"
;        ? "The required Administrative privileges are held, continuing..."
;        ? " "
;    CASE 1
;        ? "OTHER"
;        ? "You must possess Administrative privileges to perform these security updates"
;        SLEEP 4
;        EXIT
;ENDSELECT
; CHECK THE INSTALLED SERVICE PACK VERSION...
$SPREG = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
$SPVER = READVALUE($SPREG, "CSDVersion")
IF @ERROR = 0
    ? "This system is running - " + $OS
    ? "Service Pack Version - " + $SPVER
ENDIF

IF @ERROR <> 0
    $ERRCODE = SENDMESSAGE($NOTIFYSVR, "Unable to read the 'CSDVersion' value from the Registry on @WKSTA at @TIME on @DATE")
ENDIF

; DISPLAY SELECTED DEFCON LEVEL
? "DEFCON Level " + $DEFCON + " Selected"

; SETUP SECURITY LOG
IF OPEN(1, $LOGNAME, 5) = 0
    $X = WRITELINE(1, Chr(13) + Chr(10) + "Security Log for @WKSTA" + Chr(13) + Chr(10) + "Time - @TIME / Date - @DATE" + Chr(13) + Chr(10) + "System is running - " + $OS + Chr(13) + Chr(10) + "Service Pack Version - " + $SPVER + Chr(13) + Chr(10) + "Selected Security Level is DEFCON - " + $DEFCON + Chr(13) + Chr(10) + Chr(13) + Chr(10))
ELSE
    $ERRCODE = SENDMESSAGE($NOTIFYSVR, "Unable to write to the Security Log on @WKSTA at @TIME on @DATE")
ENDIF
IF CLOSE(1) = 0
ENDIF

; DEBUG MODE - Display DEBUG Header
IF $DEBUG = "1"
    ? "In Debug Mode, No changes will be made..."
    ? "DEFCON LEVEL " + $DEFCON + " REGISTRY CHANGES:"
    ? " "
ENDIF
GOTO SECREG1
; SECURITY REGISTRY EDITS

; These values are recursed through by passing into the CHECKSEC
; function the values of each desired change and using the $NEXT
; variable to send the function to the next desired change.
; NOTE: Registry edits that possess the $SPECIAL variable utilize
; the ADDFUNC GOSUB routine to perform additional required
; operations.
:SECREG1
$DSCRIPTN = "Enable Auditing of Base Objects"
; Enable auditing of objects not in the File System or Registry.
; Useful in debugging or high-level security environments. The
; Audit Policy option "File and Object Access" must be enabled.
; WARNING - leads to high volume of event records recorded in the
; event log.
$LEVEL = "3"
$REGKEY = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
$REGVALUE = "AuditBaseObjects"
$REGTYPE = "REG_DWORD"
$GOOD = "1"
$BAD = "0"
$SPECIAL = "0"
$NEXT = SECREG2
GOTO CHECKSEC

:SECREG2
$DSCRIPTN = "Shutdown System with Full Event Log"
; Shut the system when the Security Event Log is full. Ensure that
; the Event Log is configured large enough to allow for long periods
; between shutdowns.
; See MSKB Article Q140058 for an explanation of the function
; See MSKB Articles Q232564, Q149393 & Q178208 for additional configuration
; issues and potential problems with this edit's use.
$LEVEL = "3"
$REGKEY = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
$REGVALUE = "CrashOnAuditFail"
$REGTYPE = "REG_DWORD"
$GOOD = "1"
$BAD = "0"
$SPECIAL = "0"
$NEXT = SECREG3
GOTO CHECKSEC

:SECREG3
$DSCRIPTN = "Restrict Anonymous Users from Enumerating Shared Resources"
; Restrict non-authenticated accounts (anonymous or NULL connections)
; from enumerating Local/Domain User names or network shares (as well as obtaining
; the local system's password policy). This should be used in conjunction with the
; securing of the NullSessionShares & NullSessionPipes under
; HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters. Also, see SECREG30 /
; "Restrict All Null Session Access". See MSKB Article Q143474 for further details
$LEVEL = "1"
$REGKEY = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
$REGVALUE = "RestrictAnonymous"
$REGTYPE = "REG_DWORD"
$GOOD = "1"
$BAD = "0"
$SPECIAL = "0"
$NEXT = SECREG4
GOTO CHECKSEC

:SECREG4
$DSCRIPTN = "Enable Full Privilege Auditing"
; This enables the auditing of those privileges that are not normally
; in the NT audit schema, they are:
; 1. Bypass Traverse Checking (SeChangeNotifyPrivilege)
; 2. Debug Programs (SeDebugPrivilege)
; 3. Create a Token Object (SeCreateTokenPrivilege)
; 4. Replace a Process-Level Token (SeAssignPrimaryTokenPrivilege)
; 5. Generate Security Audits (SeAuditPrivilege)
; 6. Backup Files & Directories (SeBackupPrivilege)
; 7. Restore Files & Directories (SeRestorePrivilege)
; NOTE: Enabling this edit will lead to huge Security event logs (and slow
; server performance) as every backup and restore operation will be FULLY logged.
; See the Microsoft Security Whitepaper located on their \Security website for
; further information
$LEVEL = "2"
$REGKEY = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
$REGVALUE = "FullPrivilegeAuditing"
$REGTYPE = "REG_BINARY"
$GOOD = "1"
$BAD = "0"
$SPECIAL = "0"
$NEXT = SECREG5
GOTO CHECKSEC

:SECREG5
; Restricts the installation of Printer Drivers to the members of the local
; Administrators group only. See the Microsoft Security Whitepaper located
; on their \Security website for further information
$DSCRIPTN = "Restrict Print Driver Installation"
$LEVEL = "1"
$REGKEY = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers"
$REGVALUE = "AddPrintDrivers"
$REGTYPE = "REG_DWORD"
$GOOD = "1"
$BAD = "0"
$SPECIAL = "1"
$NEXT = SECREG6
GOTO CHECKSEC

:SECREG6
$DSCRIPTN = "Disable CD-ROM Auto-Run"
; This disables the automatic playing of CD-ROMs when they are inserted into
; the CD-ROM drive. Really a nuisance more than a security risk but there exists
; the potential for *someone* to create a CD that automatically runs (via
; AUTORUN.INF) a segment or series of code that can insert a trojan, destroy data,
; etc. From the TWEAKUI settings.
$LEVEL = "2"
$REGKEY = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom"
$REGVALUE = "Autorun"
$REGTYPE = "REG_DWORD"
$GOOD = "0"
$BAD = "1"
$SPECIAL = "0"
$NEXT = SECREG7
GOTO CHECKSEC

:SECREG7
$DSCRIPTN = "Disable Caching of Logon Credentials"
; This edit disables the caching of credentials used to establish connections to
; remote systems. These credentials allow for seamless reconnection to resources
; during an active logon session should that session be broken for any reason.
; The danger is when a user stays logged onto a system and then walks away, leaving
; the cached credentials available to the next user if they had failed to logoff.
; See MSKB Article Q172931 for further details.
$LEVEL = "2"
$REGKEY = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
$REGVALUE = "CachedLogonsCount"
$REGTYPE = "REG_DWORD"
$GOOD = "0"
$BAD = "1"
$SPECIAL = "0"
$NEXT = SECREG8
GOTO CHECKSEC

:SECREG8
$DSCRIPTN = "Restrict Allocation of CD-ROMs"
; This, along with SECREG9, restricts the access to the CD and Floppy drives by remote
; users so that they can only be used by an interactively logged-on user.
; See MSKB Article Q172520
$LEVEL = "1"
$REGKEY = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
$REGVALUE = "AllocateCDRoms"
$REGTYPE = "REG_SZ"
$GOOD = "1"
$BAD = "0"
$SPECIAL = "0"
$NEXT = SECREG9
GOTO CHECKSEC

:SECREG9
$DSCRIPTN = "Restrict Allocation of Floppy Drives"
; This, along with SECREG8, restricts the access to the CD and Floppy drives by remote
; users so that they can only be used by an interactively logged-on user.
; See MSKB Article Q172520
$LEVEL = "1"
$REGKEY = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
$REGVALUE = "AllocateFloppies"
$REGTYPE = "REG_SZ"
$GOOD = "1"
$BAD = "0"
$SPECIAL = "0"
$NEXT = SECREG10
GOTO CHECKSEC

:SECREG10
$DSCRIPTN = "Disable Shutdown Button at Logon"
; This edit removes the Shutdown button from NT's logon screen. This denies an
; unauthenticated user the ability to shut a system down (though the power switch, reset
; button and power cable will also need to be secured to make this option effective).
; See MSKB Articles Q114817 & Q143164 for further details
$LEVEL = "2"
$REGKEY = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
$REGVALUE = "ShutdownWithoutLogon"
$REGTYPE = "REG_SZ"
$GOOD = "1"
$BAD = "0"
$SPECIAL = "0"
$NEXT = SECREG11
GOTO CHECKSEC

:SECREG11
$DSCRIPTN = "Disable Display of the Last Logged-on User"
; Security through obscurity. This edit ensures that the last logged-on username does
; not appear in the logon dialog box so that it might be used to attempt to gain
; unauthorized access to a system. See MSKB Article Q114463 for further details
$LEVEL = "2"
$REGKEY = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
$REGVALUE = "DontDisplayLastUserName"
$REGTYPE = "REG_SZ"
$GOOD = "1"
$BAD = "0"
$SPECIAL = "0"
$NEXT = SECREG12
GOTO CHECKSEC

:SECREG12
$DSCRIPTN = "Disable Caching of Roaming Profiles"
; This edit deletes a cached Roaming Profile once the user logs off of the system. This
; can be useful if you have an administrative profile that may contain sensitive data in
; the NTUSER.DAT file and you wish to secure it from prying eyes. The downside is that the
; profile will have to be reloaded from the server each time you logon, making it a long
; logon process if the profile is rather large. See MSKB Article Q173870 for further details
$LEVEL = "1"
$REGKEY = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
$REGVALUE = "DeleteRoamingCache"
$REGTYPE = "REG_DWORD"
$GOOD = "1"
$BAD = "0"
$SPECIAL = "0"
$NEXT = SECREG13
GOTO CHECKSEC
:SECREG13
$DSCRIPTN = "Disable Administrative Shares"
; This edit removes the default Administrative shares (C$, D$) on a workstation running
; the Server service. It can be replaced by a more stringent security policy and obscure
; hidden share names (appended with the $ at the end of the share name). See MSKB Articles
; Q156365 & Q185590 for further details.
$LEVEL = "2"
$REGKEY = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
$REGVALUE = "AutoShareWks"
$REGTYPE = "REG_DWORD"
$GOOD = "0"
$BAD = "1"
$SPECIAL = "0"
$NEXT = SECREG14
GOTO CHECKSEC

:SECREG14
$DSCRIPTN = "Secure Base System Objects"
; This enables a greater degree of protection on such objects as known System DLLs. It
; is recommended if you have interactive users who are *not* local Administrators who may
; be attempting to gain greater access to a system (such as with kiosk machines). See MSKB
; Article Q218473 for further details.
$LEVEL = "3"
$REGKEY = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager"
$REGVALUE = "ProtectionMode"
$REGTYPE = "REG_DWORD"
$GOOD = "1"
$BAD = "0"
$SPECIAL = "0"
$NEXT = SECREG15
GOTO CHECKSEC

:SECREG15
$DSCRIPTN = "Clear the Pagefile at Shutdown"
; This edit clears the System Pagefile(s) at shutdown to ensure that potentially sensitive data
; is not written to it at shutdown (as some third-party products may do). See MSKB Article Q182086
; for more information.
$LEVEL = "3"
$REGKEY = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management"
$REGVALUE = "ClearPageFileAtShutdown"
$REGTYPE = "REG_DWORD"
$GOOD = "1"
$BAD = "0"
$SPECIAL = "0"
$NEXT = SECREG16
GOTO CHECKSEC

:SECREG16
$DSCRIPTN = "Restrict Guest Access to the Application Event Log"
; This edit, along with SECREG17 & 18, removes the ability for members of Guests to view
; or manipulate the Event Log settings on the local station.
$LEVEL = "1"
$REGKEY = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application"
$REGVALUE = "RestrictGuestAccess"
$REGTYPE = "REG_DWORD"
$GOOD = "1"
$BAD = "0"
$SPECIAL = "0"
$NEXT = SECREG17
GOTO CHECKSEC

:SECREG17
$DSCRIPTN = "Restrict Guest Access to the Security Event Log"
; This edit, along with SECREG16 & 18, removes the ability for members of Guests to view
; or manipulate the Event Log settings on the local station.
$LEVEL = "1"
$REGKEY = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security"
$REGVALUE = "RestrictGuestAccess"
$REGTYPE = "REG_DWORD"
$GOOD = "1"
$BAD = "0"
$SPECIAL = "0"
$NEXT = SECREG18
GOTO CHECKSEC

:SECREG18
$DSCRIPTN = "Restrict Guest Access to the System Event Log"
; This edit, along with SECREG16 & 17, removes the ability for members of Guests to view
; or manipulate the Event Log settings on the local station.
$LEVEL = "1"
$REGKEY = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System"
$REGVALUE = "RestrictGuestAccess"
$REGTYPE = "REG_DWORD"
$GOOD = "1"
$BAD = "0"
$SPECIAL = "0"
$NEXT = SECREG19
GOTO CHECKSEC

:SECREG19
$DSCRIPTN = "Disable Source Routing of IP Packets"
; This key, while available since SP3, was apparently not doing its job. The new hotfix
; IPSRFIXI.EXE resolves the vulnerability regarding the undesired routing of IP Source packets
; or for using non-routing systems to "bounce" packets off of (in order to make the traffic
; appear to be coming from that system). See MSKB Articles Q240382 & Q217336 for further details.
$LEVEL = "1"
$REGKEY = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
$REGVALUE = "DisableIPSourceRouting"
$REGTYPE = "REG_DWORD"
$GOOD = "1"
$BAD = "0"
$SPECIAL = "0"
$NEXT = SECREG20
GOTO CHECKSEC

:SECREG20
$DSCRIPTN = "Sign Secure Session Channel Traffic"
; This edit enables the signing of SSC traffic between members of a Domain to ensure that
; the sender/receiver of session authentication traffic (such as the $MACHINE.ACC & password) is
; verified. See MSKB Article Q183859 for further details.
$LEVEL = "3"
$REGKEY = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
$REGVALUE = "SignSecureChannel"
$REGTYPE = "REG_DWORD"
$GOOD = "1"
$BAD = "0"
$SPECIAL = "0"
$NEXT = SECREG21
GOTO CHECKSEC

:SECREG21
$DSCRIPTN = "Seal Secure Session Channel Traffic"
; This edit enables the encryption of SSC traffic, so that the machine name is encrypted and the
; password is doubly-encrypted, as well as all additional SSC-related traffic. See MSKB Article
; Q183859 for further details.
$LEVEL = "3"
$REGKEY = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
$REGVALUE = "SealSecureChannel"
$REGTYPE = "REG_DWORD"
$GOOD = "1"
$BAD = "0"
$SPECIAL = "0"
$NEXT = SECREG22
GOTO CHECKSEC

:SECREG22
$DSCRIPTN = "Require Sign/Seal of Secure Session Channel Traffic"
; This setting ensures that all SSC traffic is either signed or sealed. If enabled, all DCs
; MUST also have this value set. See MSKB Article Q183859 for further details.
$LEVEL = "3"
$REGKEY = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
$REGVALUE = "RequireSignOrSeal"
$REGTYPE = "REG_DWORD"
$GOOD = "1"
$BAD = "0"
$SPECIAL = "0"
$NEXT = SECREG23
GOTO CHECKSEC

:SECREG23
$DSCRIPTN = "Enable Forced Logoffs"
; By default, this value is set to 1 but is normally not visible under this subkey unless
; someone has run NET CONFIG SERVER /HIDDEN:YES|NO, in which case all of the values
; normally controlled dynamically by the operating system are written as static entries
; under this key. This key ensures that the server can force connections off of
; the system.
$LEVEL = "2"
$REGKEY = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
$REGVALUE = "EnableForcedLogOff"
$REGTYPE = "REG_DWORD"
$GOOD = "1"
$BAD = "0"
$SPECIAL = "0"
$NEXT = SECREG24
GOTO CHECKSEC

:SECREG24
$DSCRIPTN = "Disable Clear Text Passwords"
; See SP3 Documentation on this Registry edit. Some environments that support UNIX
; interoperability may require that authentication be allowed to be sent in the clear.
; This change ensures that if a system (such as a mobile/laptop NT user) has been in
; an environment such as this, the setting is checked (and disabled).
$LEVEL = "1"
$REGKEY = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr\Parameters"
$REGVALUE = "EnablePlainTextPassword"
$REGTYPE = "REG_DWORD"
$GOOD = "0"
$BAD = "1"
$SPECIAL = "0"
$NEXT = SECREG25
GOTO CHECKSEC
:SECREG25
$DSCRIPTN = "Disable 8.3 Name Generation for Win16/DOS"
; Not only a security issue but a performance enhancer as well, this edit disables
; the creation of short filenames/paths for use with DOS/Win16 applications.
; See MSKB Articles Q121007 & Q210638 for further details.
$LEVEL = "3"
$REGKEY = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem"
$REGVALUE = "NtfsDisable8dot3NameCreation"
$REGTYPE = "REG_DWORD"
$GOOD = "1"
$BAD = "0"
$SPECIAL = "0"
$NEXT = SECREG26
GOTO CHECKSEC

:SECREG26
$DSCRIPTN = "Disable Caching of Encrypted Web Pages to Disk"
; Configurable through the Properties/Advanced page of Internet Explorer, the value is
; actually listed as 'Do not save encrypted pages to disk'. This can be set under
; HKEY_USERS\.DEFAULT\.. to ensure that the value is added for all new users as well.
$LEVEL = "1"
$REGKEY = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
$REGVALUE = "DisableCachingOfSSLPages"
$REGTYPE = "REG_DWORD"
$GOOD = "1"
$BAD = "0"
$SPECIAL = "0"
$NEXT = SECREG27
GOTO CHECKSEC

:SECREG27
$DSCRIPTN = "Enable SMB Packet Signing on NT Workstations"
; This edit enables the signing of all CIFS/SMB traffic from the workstation verifying
; the originating address. This edit can produce significant overhead (greater than the
; 10-15% specified in the MSKB Article). See MSKB Article Q161372 for further details.
$LEVEL = "3"
$REGKEY = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr\Parameters"
$REGVALUE = "EnableSecuritySignature"
$REGTYPE = "REG_DWORD"
$GOOD = "1"
$BAD = "0"
$SPECIAL = "0"
$NEXT = SECREG28
GOTO CHECKSEC

:SECREG28
$DSCRIPTN = "Require SMB Packet Signing on NT Workstations"
; This edit enables the requirement of all CIFS/SMB traffic from the workstation to be signed.
; This edit can produce significant overhead (greater than the 10-15% specified in the
; MSKB Article). See MSKB Article Q161372 for further details.
$LEVEL = "3"
$REGKEY = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr\Parameters"
$REGVALUE = "RequireSecuritySignature"
$REGTYPE = "REG_DWORD"
$GOOD = "1"
$BAD = "0"
$SPECIAL = "0"
$NEXT = SECREG29
GOTO CHECKSEC

:SECREG29
; If you are absolutely certain that you have clients that are NOT using DCOM,
; use this edit. Read the COM Security whitepaper or MSKB Article Q158508 for
; further details.
$DSCRIPTN = "Disable DCOM"
$LEVEL = "3"
$REGKEY = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole"
$REGVALUE = "EnableDCOM"
$REGTYPE = "REG_SZ"
$GOOD = "N"
$BAD = "Y"
$SPECIAL = "0"
$NEXT = SECREG30
GOTO CHECKSEC

:SECREG30
$DSCRIPTN = "Restrict All Null Session Access"
; This edit purportedly removes a Null session's ability to perform operations normally
; available to Null Sessions; it may cause problems with applications running as services that
; attempt to access UNC paths or some COM apps. See MSKB Article Q158508 for further details.
; NOTE: The edit is incorrectly referenced in the article as "RestrictNullSessionAccess".
$LEVEL = "2"
$REGKEY = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
$REGVALUE = "RestrictNullSessAccess"
$REGTYPE = "REG_DWORD"
$GOOD = "1"
$BAD = "0"
$SPECIAL = "0"
$NEXT = SECREG31
GOTO CHECKSEC

:SECREG31
$DSCRIPTN = "Enable PASSFILT/Complex Passwords"
; This edit sets up complex password requirements for the local station.
; 1. Passwords must be at least 6 characters long.
; 2. Passwords must contain characters from at least 3 of the following 4 classes:
;
;    Class                          Examples
;    -----                          --------
;    English Upper Case Letters     A, B, C, ... Z
;    English Lower Case Letters     a, b, c, ... z
;    Westernized Arabic Numerals    0, 1, 2, ... 9
;    Non-alphanumeric characters    .,;:*&%!
;
; 3. Passwords may not contain your user name or any part of your full name.
; This edit contains a GOSUB routine ($SPECIAL = "1") that runs the copy of
; PASSFILT.DLL from the NETLOGON directory of the authenticating server to
; the %SystemRoot%\System32 subdirectory of the local station. This edit should
; be used in conjunction with the NT Resource Kit tool PASSPROP.EXE on all NT Servers.
; See the SP3 documentation for more information on PASSFILT.DLL
$LEVEL = "2"
$REGKEY = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
$REGVALUE = "Notification Packages"
$REGTYPE = "REG_MULTI_SZ"
; For those users of Netware, otherwise Nuke FPNWCLNT.
;$GOOD = "FPNWCLNT|PASSFILT|"
$GOOD = "PASSFILT|"
$BAD = "FPNWCLNT"
$SPECIAL = "1"
$NEXT = SECREG32
GOTO CHECKSEC

:SECREG32
$DSCRIPTN = "Disable LM Authentication"
; This edit has several options that you can configure for your environment as you see
; fit. For the full functionality of this edit to be used, several conditions must be met.
; You must have SP4 or greater installed and for settings above 3, these values must
; exist on all DCs as well. As there are many configuration options involved here, you
; must be very careful when applying this value. The default established here is 2, disabling
; all LM activity (95 clients).
;
; Value: LMCompatibilityLevel
; Valid Range: 0-5    Default: 0
; Description: This parameter specifies the type of authentication to be used.
;   Level 0 - Send LM response and NTLM response; never use NTLMv2 session
;             security
;   Level 1 - Use NTLMv2 session security if negotiated
;   Level 2 - Send NTLM authentication only
;   Level 3 - Send NTLMv2 authentication only
;   Level 4 - DC refuses LM authentication
;   Level 5 - DC refuses LM and NTLM authentication (accepts only NTLMv2)
;
; WARNING: Read *ALL* of MSKB Article Q147706 before using this edit!
$LEVEL = "3"
$REGKEY = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
$REGVALUE = "LMCompatibilityLevel"
; LMCompatibilityLevel is a REG_DWORD value (see Q147706)
$REGTYPE = "REG_DWORD"
$GOOD = "2"
$BAD = "0"
$SPECIAL = "0"
$NEXT = SECREG33
GOTO CHECKSEC

:SECREG33
$DSCRIPTN = "Disable the OS/2 & Posix Subsystems"
; This edit removes both the OS/2 & Posix subsystem entries as well as the individual values
; for each (as denoted by the GOSUB $SPECIAL = "1" value) and the files OS2SS.EXE and PSXSS.EXE.
; These two subsystems leave a potentially exploitable hole in a Workstation's security.
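An audit-only counterpart to the script's DEBUG mode, written in PowerShell for a current Windows host; this is an added example, not code from the post or from REGSEC.KIX. It carries five of the posted edits (SECREG3, 13, 15, 19 and 30) with their $GOOD values, reads the current registry data without changing anything, and assumes (the CHECKSEC routine is cut off above, so the page does not show this) that a chosen DEFCON level includes every edit at or below it.

```powershell
# Report, for the chosen DEFCON level, which of the REGSEC edits already hold
# their GOOD value. Nothing is written to the registry.
# Added example, not part of the original post; the five entries below are
# copied from the posted SECREG3/13/15/19/30 blocks.
param(
    [ValidateSet(1, 2, 3)][int]$Defcon = 1
)

# Same shape as the KiX labels: description, $LEVEL, $REGKEY, $REGVALUE,
# $REGTYPE and the $GOOD/$BAD pair.
$edits = @(
    @{ Descr = 'Restrict Anonymous Users from Enumerating Shared Resources'; Level = 1
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Value = 'RestrictAnonymous'
       Type = 'DWord'; Good = '1'; Bad = '0' }
    @{ Descr = 'Disable Source Routing of IP Packets'; Level = 1
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'; Value = 'DisableIPSourceRouting'
       Type = 'DWord'; Good = '1'; Bad = '0' }
    @{ Descr = 'Disable Administrative Shares'; Level = 2
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Value = 'AutoShareWks'
       Type = 'DWord'; Good = '0'; Bad = '1' }
    @{ Descr = 'Restrict All Null Session Access'; Level = 2
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Value = 'RestrictNullSessAccess'
       Type = 'DWord'; Good = '1'; Bad = '0' }
    @{ Descr = 'Clear the Pagefile at Shutdown'; Level = 3
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'; Value = 'ClearPageFileAtShutdown'
       Type = 'DWord'; Good = '1'; Bad = '0' }
)

function Test-RegSecEdit {
    param([hashtable]$Edit)
    # Read only. A missing key or value is reported as "<not set>" rather than
    # being treated as the BAD value, because "absent" usually means the OS
    # default applies, which is a different finding from an explicit BAD setting.
    $item = Get-ItemProperty -Path $Edit.Key -Name $Edit.Value -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $current = '<not set>'
    } else {
        # String comparison so REG_SZ "1" and REG_DWORD 1 are judged the same way
        # the KiX script's quoted $GOOD values imply.
        $current = [string]$item.($Edit.Value)
    }
    [pscustomobject]@{
        Level       = $Edit.Level
        Description = $Edit.Descr
        Value       = $Edit.Value
        Expected    = $Edit.Good
        Current     = $current
        Compliant   = ($current -eq $Edit.Good)
    }
}

# Assumption: DEFCON n covers every edit whose $LEVEL is n or lower.
$edits |
    Where-Object { $_.Level -le $Defcon } |
    ForEach-Object { Test-RegSecEdit -Edit $_ } |
    Format-Table -AutoSize
```

Run it elevated only if you want HKLM values that are ACL-restricted to administrators to be readable; otherwise those entries show as not set.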
#90545 - 2003-01-22 09:38 PM
Re: PostPrep-Test Post , please ignore code
NTDOC
Administrator
Registered: 2000-07-28
Posts: 11624
Loc: CA
Heck no I'm not skeptic. I think it is a GREAT tool and can't hardly wait till you guys release it for general use.
Darn good job Jooel and Jochen.... Hopefully Shawn will complete build 38 soon and you guys can finish up any other little minor glitches and the rest of us can then start using this new tool.
Thanks Jochen and Jooel for spending the time on this so that we can all enjoy it.
LOVE IT...LOVE IT...LOVE IT...LOVE IT...LOVE IT...