WESTERN GOVERNORS UNIVERSITY Submittal Cover Sheet

Transcription

WESTERN GOVERNORS UNIVERSITY Submittal Cover Sheet
WESTERN GOVERNORS UNIVERSITY
Submittal Cover Sheet
Date: 2 July 2007
Student Name: Mark J. Hufford
Student ID Number:
Student Degree Program: BS ITNM
Student Email:
Four Digit Assessment/Project Code: CAPU
Mentor Name: Dr. George Teston
For Revisions Only Indicate Previous Grader:
Submissions received with an altered, incomplete or
missing cover sheet will be returned for resubmission.
Submit to:
Western Governors University
Attn.: Assessment Delivery Department
4001 South 700 East, Suite 700
Salt Lake City, Utah 84107-2533
wgusubmittals@wgu.edu
Capstone Project Cover Sheet
Capstone Project Title:
Network Security & Efficiency Survey
Student Name: Mark J. Hufford
Degree Program: BS ITNM
Mentor Name: Dr. George Teston
Signature Block
Student’s Signature
Mentor’s Signature
Table of Contents
Introduction ............................................. Error! Bookmark not defined.
Rational and Systems Analysis ............................................................... 3
Project Goals and Objectives .................................................................. 8
Project Timeline ................................................................................. 14
Project Development ........................................................................... 16
Actual and Potential Effects .................................................................. 17
Conclusions ....................................................................................... 18
References ........................................................................................ 20
Appendix 1: Competency Matrix ........................................................... 21
Appendix 2: Client Business Model Survey ............................................. 25
Appendix 3: Workstation Survey Spreadsheet ........................................ 25
Appendix 4: Server Survey Spreadsheet................................................ 25
Appendix 5: Sample MBSA Reports ....................................................... 26
Appendix 6: Network Upgrade Proposal ................................................. 50
Appendix 7: End User’s Security Manual ................................................ 50
Appendix 8: Capstone Proposal ............................................................ 50
Page 1
Introduction
Poorly managed network infrastructures can have adverse effects on a
company’s profitability.
Likewise, a lack of network fidelity can damage a
business’s credibility and can result in a loss of customers. This is most
certainly the case with IT training companies. There is a certainly level of
unacceptable irony found when a computer training facility has blaring
security threats in its network. Whether because of a lack of funds or
expertise, many businesses have serious network and computer security
issues that affect the efficiency with which business processes are executed.
So how do companies that find themselves in such situations get back in the
game? Is it possible to recover from a network chokehold without dropping
a load of dough? If you are willing to do a little homework, there most
certainly is!
With good intentions, IT professionals frequently dive right into similar
situations and start fixing problems. All too often, however, this is not
enough. Blindly attacking a network problem is be about as effective as
changing the oil in your car to fix a problem with the brakes. In order to
accurately resolve network issues and maximize network efficiency, a
network survey must be performed. After which, an execution plan should
be devised and closely followed.
Real Planit Computer Training, Inc. is an information technologytraining institute in Fayetteville, Arkansas. In the past 5 years, the company
Page 2
has experienced a lot of growth. As the business grew, the network grew
with it. However, without a network engineer onboard or even a hired
consultant, the network grew out of control. The owner states that the
computers have become progressively slower which has affected the
efficiency with which courses are taught. Likewise, the testing room
computers and servers are prone to frequent crashes; which has a negative
effect on their reputation. As a certified Thomson Prometric™ testing center
and a Certiport™ testing center, there are certain network hardware and
software metrics, they must meet in order to retain partnership status.
I chose to perform a network security survey for Real PlanIT Computer
Training, Inc. The comprehensive survey was designed to indentify
vulnerabilities in their network servers and workstations so that an upgrade
proposal could be delivered.
The project began with a meeting with the client to discuss their
business needs. It is imperative that one understands their client before
attempting to make any changes to their network. An upgrade by any other
means would certainly fail. The meeting with the client was a success and
set the tone for the entire project. I learned a lot about their business
practices, business needs and their information technology needs.
Understanding how their business operates allowed me to plan a survey
around their schedule. It also empowered me with information necessary to
diagnosing the state of the network. As a computer training company, Real
Page 3
PlanIT has many software needs for their student workstations. Each of
these applications has its own list of minimum system requirements that
must be analyzed as part of the survey. It could be possible that some
latency was caused by a lack of hardware horsepower as opposed to a
network security breach. Hence, all of the information gathered from the
preliminary interview and planning meeting was used to develop an effect
network survey that would minimize business impact.
Rational & Systems Analysis
It is worthwhile to research similar projects and industry case studies
in preparation for any project. Two applications that aid in analyzing and
maintaining network security are the Microsoft Baseline Security Analyzer
(MBSA) and Windows Server Update Services (WSUS).
According to Microsoft, “Microsoft Baseline Security Analyzer (MBSA) is
an easy-to-use tool designed for the IT professional that helps small and
medium-sized businesses determine their security state in accordance with
Microsoft security recommendations and offers specific remediation
guidance.” This priceless tool is available as a free download from
Microsoft.com. IT professionals around the world have used it countless
times. Once MBSA is installed and running, the user has the ability to scan
one or multiple computers via the local network. When the scan is
complete, the user is presented with an easy to follow security report. The
Page 4
report highlights potential security threats with relation to missing operating
system patches, missing application patches, whether or not “Automatic
Updates” is enabled and whether or not the Windows Firewall is running. It
will also examine the number of administrative accounts on a system and
password complexity policies. See Figure A for example.
Figure A
With the rate at which technology changes, it becomes a challenge for any
IT professionals to stay on the cutting edge. The MBSA application is
necessary for analyzing the security of Windows networks. Scott Lowe
(2004), a Microsoft Certified Systems Engineer, said the following regarding
the Microsoft Baseline Security Analyzer:
Page 5
“Supporting a huge number of Microsoft applications, MBSA can serve
you in two ways. First, it will help you keep your servers protected
from problems; second, with powerful reporting capabilities, it can
help you actually learn why you need to do the things that are
suggested so you can make an educated decision as to whether
something is an acceptable risk in your environment.”
In 2006, Microsoft performed a case study of a network upgrade that
took place in Stratford, Ontario Canada. The scenario was not far off from
that of Real Planit Computer Training, Inc’s. Running legacy operating
systems and applications, City of Stratford found itself in dire need of a
security analysis and network upgrade. The survey and upgrade
concentrated on the following areas for improvement:
Server operating systems & security
Workstation operating systems & security
Patch management (WSUS)
Firewall configuration
Disaster recovery planning
Business benefits
The upgrade was highly successful because the consultants did their
homework.
Page 6
According to a recent study performed by Keystone Strategy, Inc.
(2005), the bottom line concerning the need for information technology is
that it “is critical to firm growth because it enables firms to scale – an ability
to manage increases the complexity of their business processes,
organization and business model.” Wise investments in information
technology enable profitable business growth.
The most compelling piece of evidence on the validity and necessity of
this project concern the vitality of Real Planit Computer Training, Inc.
Preliminary interviews were conducted in which the feasibility of project
objectives was discussed. The business needs of the company were also
discussed during the interviews. As a result of the interviews, it was learned
that the business model in terms of services offered is two-fold:
Provide high-quality computer training and certification paths for
professional adults
Maintain partnership status with Thomson Prometric™ and Certiport™
in provide testing/certification services to clients
Another discovery was that clients had complained in the recent past of the
speed of the network. Complaints were raised with regard to the stability of
the testing center as well. On occasion, the lagging computers and network
have brought the classroom to a halt; demanding resolution before training
Page 7
could continue. Meanwhile, in the testing center, the workstations and testproviding server would intermittently lock up or even crash all together.
There is a certain level of unacceptable irony had when a computertraining company’s workstations and servers frequently crash. Such
experiences lead to lost business and fewer return customers. Additionally,
frequent computer stability issues lead one to question the credibility of the
company. Ultimately, it could cost the company their partnership with
Thomson Prometric™ or Certiport™.
It was suspected that poor system configuration, missing security
updates, malware and missing anti-virus updates are at the root of their
network woes. They do not want their network operating more efficiently
because it would be nice; they need an overhaul to stay competitive in
business!
Erik Sherman (2007) reports that “organizations with IT strategies
tightly integrated with key business processes typically grow faster, with
more profit, than those lacking real technical savvy.” It enables them to
grow revenue and profit faster than the competition. In Real Planit’s case,
the complete lack of an IT department and IT consultants helps to make
Sherman’s case.
Page 8
Project Goals and Objectives
The most important objective of this project was to provide Real Planit
Computer Training, Inc. with a network upgrade plan to improve the
efficiency with which their business operates. The bottleneck holding back
the growth of the business had been the poor state of the network for some
time. Regardless of the amount of business growth, the computer network
could no longer meet their needs. When computer training is the main
service offered by a service provider, the provider’s computer MUST operate
without any hitches.
Dissecting this objective revealed several underlying goals and objectives.
The goals for this project were as follows:
Provide the client with a current network security snapshot
o Document a workstation survey
o Document a server survey
o Run the Microsoft Baseline Security Analyzer tool and save the
report for each workstation and server
Provide the client with a scheduled plan for regaining network stability
and improving the overall efficiency and performance of the network
Provide the client with a plan for ongoing preventive maintenance and
upkeep
Page 9
Provide the client with an end-user manual for managing Windows
Server Update Services and server based antivirus maintenance
Provide the client with a return on investment estimate
Before any of these deliverables could be provided, a solid understanding of
what the client hoped to get out this was needed. It was necessary to
acquire a firm understanding of how Real Planit Computer Training, Inc.’s
business processes overlap with their network and computer systems. It
would be foolish to attempt to provide a solution without having a solid
understanding of the background of the problem.
Pre-Survey Client Meeting
The first objective was to schedule a meeting to discuss the client’s
business processes and how they relate to their computer systems. As a
computer training company, the client had specific software application
needs for its classroom computers. These applications had a set of
minimum system requirements. In the meeting, we discussed their business
model and needs. We discussed how their objectives lined up with computer
systems. We also discussed their hours of operation and set a schedule for
performing the actual survey. At the end of the meeting, the client was
presented with a survey designed to gather information necessary to
calculate the return on investment at the completion of the network security
Page 10
survey (see Appendix 2). The meeting went well and objective number one
was complete!
Once the survey is complete, I will be able to provide the client with an
execution plan that lays out an upgrade plan as well as an ongoing
preventive maintenance plan. Though the execution of this plan will take
place outside of the Capstone project, it will be the key to a successful
upgrade and improved business efficiency.
Network Security Survey
Prior to the performing the survey, I created two spreadsheets for
capturing data (see Appendix 3 and Appendix 4). The first spreadsheet
targeted workstations and the second targeted servers. I also acquired a
thumb drive to store the results of the MBSA scans for each computer.
When I arrived to perform the survey, the client notified me that there
would be some others working on computers that night. Therefore, the first
thing that went wrong in this goal was my failure to follow-up after the
meeting with a phone call. Had I followed up with a phone call to remind
them that I would be coming, then we could possibly have avoided the
problem. Luckily, there were plenty of computers to survey. Therefore, I
began to survey the workstations that were not in use. Each computer took
about 2 minutes to survey and 10 minutes to run the Microsoft Baseline
Security Analyzer utility. I had failed to get an estimated number of
Page 11
workstations that I would be surveying in our preliminary meeting. Hence,
the survey took a little longer than expected. Fortunately, the users working
on the other computers were finished by the time I got to them, so it was a
blessing in disguise. The survey of the workstations went according to plan,
but when I began to survey the servers, I ran into a problem. The password
list provided by the client did not include the correct password for logging
onto the domain controller. Since the owner had left for the night, I was
unable to survey the domain controller as originally planned. After
contacting the owner the following day, we scheduled a return visit to survey
the domain controller. Once I surveyed the domain controller, my network
security survey was complete. Despite the two minor drawbacks of users in
the building and not having the domain controller’s admin password, the
survey went very well. If I had to do it over again, I would have followed up
the meeting with a phone call to confirm the survey schedule. I would also
ensure that all the username and passwords worked properly before the
owner left the premises. Overall, the goal was achieved as all necessary
data was captured so that an upgrade proposal could be completed.
Page 12
Upgrade Proposal Preparation
I slated one day to complete the upgrade proposal. This proved to be
too little time to complete a fair proposal. The proposal was originally
slotted to contain the following upgrade suggestions:
Domain controller configuration
General server configuration
General workstation configuration
Antivirus / Malware suggestions
ROI Report
End User’s Security Guide
Upgrade timeline
However, I made assumptions about the configuration of their network. I
unknowingly assumed that their domain controller would also be their
default gateway, DHCP and DNS server. However, their network was
divided into four subnets. An ISA server was between the internet service
provider and the internal network and acted as a NAT, RRAS, DNS and DHCP
server. Though their domain controller was also a default gateway, DNS and
DHCP server, it offered up these services within the internal network. I had
failed to anticipate the possibility of a perimeter network. I was able to
complete each of the items listed above and prepare them for presentation
to the client. So this goal was achieved, though not within the originally
slotted timeframe.
Page 13
Proposal Presentation
Once the proposal was complete, a meeting with the client was
scheduled. The meeting’s agenda was as follows:
1. Discuss the results of the survey (state of the network address)
2. Discuss hardware / software upgrade suggestions
3. Discuss projected costs and ROI
4. Question & Answer
5. Discuss implementation schedule
The presentation lasted roughly two hours and was largely successful. I
believe the success was a result of proper planning and a thorough network
survey. As a result of sufficient planning, the network survey was very
smooth and comprehensive. As a result of the successful survey, the
proposal was straightforward and meaningful to the client. With this goal
complete and all deliverables in the hands of the client, the project goals
were all complete!
Each goal was completed and all deliverables were handed over to the
client. They were very satisfied with the proposal. Therefore, they decided
to move forward with a selected portion of the upgrade.
Page 14
Project Timeline
The project timeline was created as a Gantt chart using Microsoft ®
Office Project 2003. Details from the original project plan are listed in
Figure B.
Figure B
Project Plan & Timeline
As can be seen in Figure B, the original project plan was estimated to take
23 hours to complete and span a total of 7 days. The project actually took
about 40 person-hours to complete, although it was completed within 7
days.
Page 15
Two areas took longer than expected to complete. The first was the
network survey. As previously mentioned, I failed to follow-up after our
preliminary meeting and the client inadvertently had scheduled students to
be in the building during the survey. Luckily, there were so many
workstations to survey that the students were gone by the time I got to that
area. I also forgot to ask for a workstation count in our preliminary
meeting. This would have allowed me to better gauge the time it would take
to perform the survey. The only survey related problem that resulted in a
timeline set back was the result of missing administrative passwords for the
domain controller. I forgot to ask for this information and as a result, had to
reschedule the rest of the survey for another night. This resulted in a oneday setback from the original timeline.
The second timeline task that took longer than expected was drafting
the proposal. This happened because I miscalculated the amount of time it
would take to draft each area of the proposal. However, I was still able to
complete the task in a single day to keep the project on schedule. All other
items on the timeline went as scheduled as a result of planning on the front
end and hard work on the back.
The client was very patient throughout the process and I am grateful
for this. I do not expect that every situation in such a project would go as
smoothly without the patience and support of the client as was had by me. I
Page 16
believe if I were to write the timeline again, I would plan in a larger margin
for error and take a slightly less aggressive approach.
Project Development
Prior to the development of this project, Real PlanIT Computer
Training, Inc. was up a creak without a paddle. With their computer network
in security shambles, their workstations were getting slower at an
exponential rate. As a result, students and testers were losing confidence in
the company. The state of their network was affecting their business and
profit opportunities. My project was developed around building up a
business by securing its network and bringing the network to a new level of
efficiency. More specifically, the project concentrated on building a current
network snapshot and then basing an upgrade proposal plan off that
snapshot. Though the project concentrated on best practices for network
security, the business model was the ultimate recipient of services. As with
any project, problems arose that needed addressing. One of these problems
was a scheduling problem during the server. The client scheduled students
to be in the building during the survey. At first, I thought this might be a
problem. However, I decided to start my survey in a different classroom.
There were so many workstations that by the time I got back to the
students’ classroom, they were done. By rearranging the order in which the
workstation surveys were performed, this problem was averted.
Page 17
Another problem I faced during the development of this project
happened when I realized I did not have the administrative passwords to the
servers. Without this information, I would be unable to perform the surveys
for the client’s server computers. As a result, I had to schedule a revisit to
survey the remaining servers. Because a return trip was necessary to
complete the survey, the timeline was pushed back a day.
I anticipated the network would be configured with the domain
controller as the lone default gateway. I had it in my head that the
configuration suggestions would be rather simple because of this. However,
since there was an ISA server in their perimeter network, I had to make
changes to the configuration suggestions in my proposal. Another
unanticipated requirement related to developing the ROI report for the
client. It was difficult to offer a monetary estimate for operating under the
current network conditions versus the proposed network conditions.
Consequently, I had to change some of the questions on the customer
business survey to help me calculate these figures. The client was gracious
enough to comply.
Actual and Potential Effects
Since this project was in the form of a proposal, the majority of this
section will concentrate on potential effects.
Page 18
The actual effects of this project can be summed up by saying that the
client now has a clear understanding of the importance of network
maintenance and network security. They have seen the bad side of network
security and were provided with a roadmap to the good side. They have
been empowered with information to bring their operation to a new level of
efficiency.
The potential positive effects of this project go are many. When the
client follows through with the upgrade plan, they will have a highly efficient
operating network. As a result of the network operating more efficiently,
their business processes will be able to run more smoothly. There will be
fewer classroom interruptions as a result of computer related problems.
There will be fewer testers that are frustrated with crashing test servers and
workstations. As a result, customers’ confidence in Real PlanIT Computer
Training will increase. The project has the potential to help grow the client’s
business. Without having to worry so much about the network and whether
or not the computers are going to work, they can concentrate on sales,
finances, teaching and so on.
Conclusions
My capstone project proved to be extremely challenging and every bit
as much rewarding. I believe it was highly successful in terms of the
original goals and objectives. Each goal and object was met and customer
expectations were exceeded. Why was it so successful? Why was it so
Page 19
effective? It was in part because of methodical planning on the front end. I
cannot say enough about the necessity of planning. Building the project
plan gave me a roadmap to success that would not have been possible
without it. This project was also successful because of communication. The
client did a marvelous job expressing their needs and current business
model. I did my best at communicating the advantages had by those who
operate on a secure and efficient network. Together we formulated a plan to
upgrade their network while meeting their business needs and minimizing
business impact. Communication was a vital component in this project and
helped bring about the success thereof. Finally, flexibility played a winning
part in this project. Every project will have its hiccups. The ability to be
flexible, think on your feet and come up with alternate solutions is a
necessity for successful project management. It was my pleasure to have
successfully led and completed this project as the project manager. Best of
all, the client is ecstatic about the proposal and cannot wait to implement
the changes. They are ready for a new level of business efficiency.
Page 20
References
Keystone Strategy, Inc Study (2005). Why IT Matters in Midsized Firms.
Retrieved January 31, 2007 from http://www.keyinc.com/it_matters.shtml.
Lowe, Scott (2004). Verify security settings on Windows XP using Microsoft
Baseline Security Analyzer 1.2. Retrieved June 23, 2007 from
http://articles.techrepublic.com.com/5100-1035_11-5221961.html.
Microsoft (2007). City of Stratford Brings Down the Curtain on its Legacy
System with Server Upgrade. Retrieved June 23, 2007 from
http://www.microsoft.com/canada/casestudies/cityofstratford.mspx.
Microsoft (2007). Microsoft Baseline Security Analyzer. Retrieved June 23,
2007 from
http://www.microsoft.com/technet/Security/tools/mbsahome.mspx.
Microsoft (2007). Windows Vista Capable and Premium Ready PCs.
Retrieved January 31, 2007 from
http://www.microsoft.com/windows/products/windowsvista/buyorupgr
ade/capable.mspx.
Sherman, Erik (2007). Investing in IT for a Competitive Edge. Retrieved
January 31, 2007, from
http://www.microsoft.com/business/momentum/content/article.aspx?c
ontentId=1065.
Page 21
Appendix 1: Competency Matrix
Domain/Subdomain Competency
Explanation
LPO1
Identify and apply
leadership behaviors
including: providing
direction and enlisting
others in a shared vision;
searching out challenging
opportunities for change,
growth, and improvement;
fostering collaboration and
building effective teams;
and coaching, mentoring,
counseling and facilitating
professional development.
My project required
collaboration with the client.
The project was certainly
challenging and very
rewarding for all parties
involved. It required a lot of
planning and scheduling to
ensure that everything went
off without a hitch. The
opportunity was all about
change and preparation for
future growth. Ultimately, I
coached the client how to
maintain their network
moving forward.
RUA1 & RUA2
Describe in your own
words the
question/problem to be
addressed.
My project allowed me to
communicate the problem
with the current state of the
client’s network as well as
how it was affecting
profitability within the
company.
RUA1 & RUA2
Divide a question/problem
into related sub-questions
or sub-problems.
The root problem was that
the network was insecure and
it was affecting business
efficiency. My project allowed
me to break this down further
into many sub-problems with
regard to anti-virus, group
policy, passwords, firewall
configuration, hardware
problems, server
configuration, etc.
Page 22
RUA1 & RUA2
Interpret the results of
quantitative and qualitative
analyses of information
related to a
question/problem.
After the initial survey was
complete, I will provided a
report that summarized the
current state of the network.
The results of the survey
were interpreted so that a
proposal for bringing the
network up to current
standards was developed and
presented to the client.
LCO1
Speak clearly and audibly
and use appropriate
language and gestures.
Communication was the key
to success in this project.
There were multiple meetings
to communicate problems,
scheduling information,
project plans, etc. These
meetings allowed me to
demonstrate this
competency.
LCO1
Write instructions for a
particular task or
procedure.
An end-user preventive
maintenance manual was
provided as part of the
Capstone project. The
document included
instructions and general
guidelines for keeping one’s
computer and computer
network secure.
QLO1
Communicate
mathematical reasoning,
mathematical equations,
and calculated results
orally and in writing,
explaining why a formula,
conclusion or inference
makes sense and why the
mathematical reasoning is
valid.
A return on investment (ROI)
report was included in the
proposal. Calculated costs
were used in conjunction with
operating costs to estimate
the amount of time it will take
the client to recoup the
upgrade investment money
and start turning a profit.
Page 23
I290
Plan and implement server
roles and server security.
Server roles were evaluated
during the survey and new
roles and security measures
were suggested in the
proposal.
I290
Plan, implement, and
maintain a network
infrastructure.
A new network infrastructure
plan was presented as part of
the proposal.
I290
Manage and maintain an
Active Directory
infrastructure.
Suggested Active Directory
changes were presented as
part of the proposal.
I290
Plan and implement group
policy.
Group Policy settings were
proposed and presented to
the client to maximize
business efficiency and
security.
I290
Maintain a network
infrastructure.
A preventive maintenance
plan was presented to the
client for ongoing
maintenance of the network
infrastructure.
I270
Configure, manage, and
troubleshoot security
The client’s network had
many security holes prior to
the project. These issues
were identified and addressed
with a resolution strategy in
the proposal. The execution
of the proposal will solve
these security problems.
I270
Create the conceptual
design by gathering and
analyzing business and
technical requirements.
Based on the client’s current
operating procedures, I
created a new design for
workstation security. I also
gathered technical
hardware/software needs of
specific applications to ensure
the network would support
Page 24
them.
I270
Implement, manage,
monitor, and troubleshoot
hardware devices and
drivers.
All workstation and server
hardware devices and drivers
were tested. Necessary
upgrades, changes, etc. were
suggested in the proposal.
Page 25
Appendix 2: Client Business Model Survey
See file “55427 Hufford Mark BS ITNM CAPU Appendix 2.doc”.
Appendix 3: Workstation Survey Spreadsheet
See file “55427 Hufford Mark BS ITNM CAPU Appendix 3.xls”.
Appendix 4: Server Survey Spreadsheet
See file “55427 Hufford Mark BS ITNM CAPU Appendix 4.xls”.
Page 26
Appendix 5: Sample MBSA Reports
Computer name:
IP address:
Security report
name:
Scan date:
Catalog
synchronization
date:
Security update
catalog:
Security
assessment:
WORKGROUP\FAY-TRAIN55
192.168.3.35
WORKGROUP - FAY-TRAIN55 (6-19-2007 8-45 PM)
6/19/2007 8:45 PM
Microsoft Update
Severe Risk
Security Updates
Score Issue
Result
Office
9 security updates are missing. 2 service packs or update
Security rollups are missing.
Updates
Security Updates
Score
ID
Description
Maximum
Severity
Missing MS05-023 Security Update for
Critical
Word 2003 (KB887979)
Missing MS06-039 Security Update for
Office 2003
(KB914455)
Moderate
Missing MS06-054 Security Update for
Publisher 2003
(KB894542)
Important
Missing MS06-058 Security Update for
PowerPoint 2003
(KB923091)
Important
Page 27
Missing MS06-059 Security Update for
Important
Excel 2003 (KB923088)
Missing MS06-062 Security Update for
Office 2003
(KB923272)
Important
Missing MS06-060 Security Update for
Important
Word 2003 (KB923094)
Missing MS06-061 Security Update for
Office 2003
(KB924424)
Critical
Missing MS07-003 Security Update for
Outlook 2003
(KB924085)
Important
Update Rollups and Service Packs
Score
ID
Description
Missing 887620
Project 2003 Service Pack 2
Missing 887616
Office 2003 Service Pack 2
Current Update Compliance
Score
ID
Description
Installed 842532
Office 2003 Service
Pack 1
Installed 902848
Outlook Live 2003
Service Pack 2
Installed 887622
Visio 2003 Service Pack
2
Installed 887619
OneNote 2003 Service
Pack 2
Maximum
Severity
Page 28
Installed 887618
Office 2003 Service
Pack 2 for Proofing
Tools
Installed 920115
Service Pack 3 for
Business Contact
Manager Update and
Small Business
Accounting
Windows 67 security updates are missing. 3 service packs or
Security update rollups are missing.
Updates
Security Updates
Score
ID
Description
Maximum
Severity
Missing MS04-043 Security Update for
Windows XP
(KB873339)
Important
Missing MS04-041 Security Update for
Windows XP
(KB885836)
Important
Missing MS05-007 Security Update for
Windows XP
(KB888302)
Important
Missing MS05-009 Security Update for
Windows Messenger
(KB887472)
Moderate
Missing MS05-013 Security Update for
Windows XP
(KB891781)
Important
Missing MS04-044 Security Update for
Windows XP
(KB885835)
Important
Page 29
Missing MS05-033 Security Update for
Windows XP
(KB896428)
Moderate
Missing MS05-036 Security Update for
Windows XP
(KB901214)
Critical
Missing MS05-018 Security Update for
Windows XP
(KB890859)
Important
Missing MS05-040 Security Update for
Windows XP
(KB893756)
Important
Missing MS05-041 Security Update for
Windows XP
(KB899591)
Moderate
Missing MS05-042 Security Update for
Windows XP
(KB899587)
Moderate
Missing MS05-043 Security Update for
Windows XP
(KB896423)
Critical
Missing MS05-051 Security Update for
Windows XP
(KB902400)
Important
Missing MS05-048 Security Update for
Windows XP
(KB901017)
Important
Missing MS05-045 Security Update for
Windows XP
(KB905414)
Moderate
Missing MS05-047 Security Update for
Windows XP
(KB905749)
Important
Page 30
Missing MS05-049 Security Update for
Windows XP
(KB900725)
Important
Missing MS05-050 Security Update for
Windows XP
(KB904706)
Critical
Missing MS06-002 Security Update for
Windows XP
(KB908519)
Critical
Missing MS06-008 Security Update for
Windows XP
(KB911927)
Important
Missing MS06-006 Security Update for
Windows Media Player
Plug-in (KB911564)
Important
Missing MS06-014 Security Update for
Windows XP
(KB911562)
Critical
Missing MS06-015 Security Update for
Windows XP
(KB908531)
Critical
Missing MS06-024 Security Update for
Windows Media Player
9 (KB917734)
Critical
Missing MS06-030 Security Update for
Windows XP
(KB914389)
Important
Missing MS06-023 Security Update for
Windows XP
(KB917344)
Critical
Missing MS06-022 Security Update for
Windows XP
(KB918439)
Critical
Page 31
Missing MS06-018 Security Update for
Windows XP
(KB913580)
Low
Missing MS06-032 Security Update for
Windows XP
(KB917953)
Important
Missing MS06-025 Security Update for
Windows XP
(KB911280)
Important
Missing MS06-036 Security Update for
Windows XP
(KB914388)
Critical
Missing MS06-050 Security Update for
Windows XP
(KB920670)
Important
Missing MS06-041 Security Update for
Windows XP
(KB920683)
Critical
Missing MS06-052 Security Update for
Windows XP
(KB919007)
Important
Missing MS06-053 Security Update for
Windows XP
(KB920685)
Moderate
Missing MS06-063 Security Update for
Windows XP
(KB923414)
Important
Missing MS06-065 Security Update for
Windows XP
(KB924496)
Moderate
Missing MS06-057 Security Update for
Windows XP
(KB923191)
Critical
Page 32
Missing MS06-061 Security Update for
Windows XP
(KB924191)
Critical
Missing MS06-064 Security Update for
Windows XP
(KB922819)
Low
Missing MS06-070 Security Update for
Windows XP
(KB924270)
Low
Missing MS06-066 Security Update for
Windows XP
(KB923980)
Important
Missing MS06-075 Security Update for
Windows XP
(KB926255)
Important
Missing MS06-078 Security Update for
Windows Media Player
6.4 (KB925398)
Critical
Missing MS06-078 Security Update for
Windows XP
(KB923689)
Critical
Missing MS07-004 Security Update for
Windows XP
(KB929969)
Critical
Missing MS07-006 Security Update for
Windows XP
(KB928255)
Important
Missing MS07-008 Security Update for
Windows XP
(KB928843)
Critical
Missing MS07-007 Security Update for
Windows XP
(KB927802)
Important
Page 33
Missing MS07-012 Security Update for
Windows XP
(KB924667)
Important
Missing MS07-009 Security Update for
Windows XP
(KB927779)
Critical
Missing MS07-013 Security Update for
Windows XP
(KB918118)
Important
Missing MS07-011 Security Update for
Windows XP
(KB926436)
Important
Missing MS07-017 Security Update for
Windows XP
(KB925902)
Critical
Missing MS06-071 MSXML 4.0 SP2
Security Update
(KB927978)
Critical
Missing MS07-022 Security Update for
Windows XP
(KB931784)
Important
Missing MS07-021 Security Update for
Windows XP
(KB930178)
Critical
Missing MS07-019 Security Update for
Windows XP
(KB931261)
Critical
Missing MS07-020 Security Update for
Windows XP
(KB932168)
Critical
Missing MS05-004 Security Update for
Microsoft .NET
Framework, Version
1.1 Service Pack 1
Important
Page 34
(KB886903)
Missing MS05-032 Security Update for
Windows XP
(KB890046)
Moderate
Missing MS06-068 Security Update for
Windows XP
(KB920213)
Critical
Missing MS07-033 Cumulative Security
Critical
Update for Internet
Explorer 6 for Windows
XP (KB933566)
Missing MS07-034 Cumulative Security
Update for Outlook
Express for Windows
XP (KB929123)
Important
Missing MS07-031 Security Update for
Windows XP
(KB935840)
Critical
Missing MS07-035 Security Update for
Windows XP
(KB935839)
Critical
Update Rollups and Service Packs
Score
ID
Description
Missing 931836
Update for Windows XP
(KB931836)
Missing 926874
Windows Internet Explorer 7.0 for
Windows XP
Missing 890830
Windows Malicious Software
Removal Tool - June 2007
(KB890830)
Current Update Compliance
Page 35
Score
ID
Description
Installed MS03-011 816093: Security
Update Microsoft
Virtual Machine
(Microsoft VM)
Installed 867460
Maximum
Severity
Critical
Microsoft .NET
Framework 1.1 Service
Pack 1
Installed MS05-027 Security Update for
Windows XP
(KB896422)
Critical
Installed MS05-025 Cumulative Security
Update for Internet
Explorer for Windows
XP Service Pack 2
(KB883939)
Important
Installed MS05-026 Security Update for
Windows XP
(KB896358)
Critical
Installed MS06-009 Security Update for
Windows XP
(KB901190)
Important
Windows Scan Results
Administrative Vulnerabilities
Scor
Issue
e
Result
Administrat More than 2 Administrators were found on this computer.
ors
User
Page 36
Administrator
S-1-5-21-2074873108-628170394-480669845-40114
Student
Automatic The Automatic Updates feature is disabled on this
Updates
computer.
Windows Firewall is enabled and has exceptions
configured. Windows Firewall is enabled on all network
connections.
Windows
Firewall
Connection Name
Firewall
Exceptions
All Connections
On
Programs,
Services
Local Area Connection
2
On
Programs*,
Services*
Incomplete
No incomplete software update installations were found.
Updates
No user accounts have simple passwords.
Local
Account
Password
Test
User
Weak
Password
Locked
Out
Disable
d
Guest
-
-
Disable
d
HelpAssistant
-
-
Disable
d
SUPPORT_3889
45a0
-
-
Disable
d
ASPNET
-
-
-
Administrator
-
-
-
Page 37
Student
-
-
-
All hard drives (1) are using the NTFS file system.
File
System
Guest
Account
Drive Letter
File System
C:
NTFS
The Guest account is disabled on this computer.
Restrict
Anonymou Computer is properly restricting anonymous access.
s
Password This check was skipped because the computer is not
Expiration joined to a domain.
Autologon This check was skipped because the computer is not
joined to a domain.
Additional System Information
Score
Issue
Result
Windo
ws
Computer is running Windows 2000 or greater.
Version
Auditin This check was skipped because the computer is not joined
g
to a domain.
2 share(s) are present on your computer.
Shares
Share
Directory
Share
ACL
Directory ACL
Page 38
ADMIN
$
C:\WINDO
WS
Admin
Share
BUILTIN\Users - RX,
BUILTIN\Power
Users - RWXD,
BUILTIN\Administrat
ors - F, NT
AUTHORITY\SYSTEM
-F
C$
C:\
Admin
Share
BUILTIN\Administrat
ors - F, NT
AUTHORITY\SYSTEM
- F, BUILTIN\Users RX, Everyone - RX
Some potentially unnecessary services are installed.
Service
s
Service
State
Telnet
Stopped
Internet Information Services (IIS) Scan Results
Score Issue
Result
IIS
Status
IIS is not running on this computer.
SQL Server Scan Results
Score Issue
Result
SQL
Server/MSDE SQL Server and/or MSDE is not installed on this
computer.
Status
Desktop Application Scan Results
Administrative Vulnerabilities
Score Issue
Result
Page 39
4 Microsoft Office product(s) are installed. Some issues
were found.
Macro
Security
Issue
User
Advice
Microsoft
Office Excel
2003
FAY-TRAIN55\Student
Macro
security is set
to low, which
is not secure.
Microsoft
Office
Outlook
2003
FAY-TRAIN55\Student
Macro
security is set
to medium,
which will
allow you to
choose
whether or
not to run
potentially
unsafe
macros.
Microsoft
Office
Outlook
2003
FAYTRAIN55\Administrator
Macro
security is set
to medium,
which will
allow you to
choose
whether or
not to run
potentially
unsafe
macros.
Microsoft
Office Word
2003
FAY-TRAIN55\Student
Macro
security is set
to medium,
which will
allow you to
choose
whether or
not to run
potentially
Page 40
unsafe
macros.
Microsoft
Office Word
2003
FAYTRAIN55\Administrator
Macro
security is set
to medium,
which will
allow you to
choose
whether or
not to run
potentially
unsafe
macros.
Microsoft
Office
PowerPoint
2003
All Users
No security
issues were
found.
IE Zones Internet Explorer zones have secure settings for all users.
Computer name: PROMETRIC\TESTSERVER
IP address: 192.168.4.1
Security report name: PROMETRIC - TESTSERVER (6-19-2007 8-39 PM)
Scan date: 6/19/2007 8:39 PM
Scanned with MBSA version: 2.0.6706.0
Security update catalog: Microsoft Update
Catalog synchronization date:
Security assessment: Severe Risk
Security Updates Scan Results
Issue: Scanning Requirements
Score: Check failed (non-critical)
Result: 1 scanning requirements are missing. A complete scan could
not be performed.
Update Rollups and Service Packs
| MSI | Missing | Windows Installer is required for scanning
products installed on the computer | |
Page 41
Issue: Windows Security Updates
Score: Check failed (critical)
Result: 56 security updates are missing. 2 service packs or update
rollups are missing.
Security Updates
| MS06-053 | Missing | Security Update for Windows 2000
(KB920685) | Moderate |
| MS05-044 | Missing | Security Update for Internet
Explorer 6 Service Pack 1 for Windows 2000 (KB905495) | Moderate |
| MS05-032 | Missing | Security Update for Windows 2000
(KB890046) | Important |
| MS06-015 | Missing | Security Update for Windows 2000
(KB908531) | Critical |
| MS06-036 | Missing | Security Update for Windows 2000
(KB914388) | Critical |
| MS06-031 | Missing | Security Update for Windows 2000
(KB917736) | Moderate |
| MS07-035 | Missing | Security Update for Windows 2000
(KB935839) | Critical |
| MS06-025 | Missing | Security Update for Windows 2000
(KB911280) | Critical |
| MS07-008 | Missing | Security Update for Windows 2000
(KB928843) | Critical |
| MS06-068 | Missing | Security Update for Windows 2000
(KB920213) | Critical |
| MS05-050 | Missing | Security Update for DirectX 9 for
Windows 2000 (KB904706) | Critical |
| MS06-044 | Missing | Security Update for Windows 2000
(KB917008) | Critical |
| MS05-046 | Missing | Security Update for Windows 2000
(KB899589) | Important |
| MS06-070 | Missing | Security Update for Windows 2000
(KB924270) | Critical |
| MS06-018 | Missing | Security Update for Windows 2000
(KB913580) | Moderate |
| MS07-011 | Missing | Security Update for Windows 2000
(KB926436) | Important |
| MS06-041 | Missing | Security Update for Windows 2000
(KB920683) | Critical |
| MS06-066 | Missing | Security Update for Windows 2000
(KB923980) | Important |
Page 42
| MS05-049 | Missing | Security Update for Windows 2000
(KB900725) | Important |
| MS06-076 | Missing | Cumulative Security Update for
Outlook Express 5.5 Service Pack 2 (KB923694) | Important |
| MS07-020 | Missing | Security Update for Windows 2000
(KB932168) | Critical |
| MS05-018 | Missing | Security Update for Windows 2000
(KB890859) | Important |
| MS05-019 | Missing | Security Update for Windows 2000
(KB893066) | Important |
| MS05-027 | Missing | Security Update for Windows 2000
(KB896422) | Important |
| MS05-042 | Missing | Security Update for Windows 2000
(KB899587) | Moderate |
| MS06-002 | Missing | Security Update for Windows 2000
(KB908519) | Critical |
| MS05-048 | Missing | Security Update for Windows 2000
(KB901017) | Important |
| MS07-009 | Missing | Security Update for Microsoft Data
Access Components 2.8 (KB927779) | Critical |
| MS05-041 | Missing | Security Update for Windows 2000
(KB899591) | Moderate |
| MS06-006 | Missing | Security Update for Windows Media
Player Plug-in (KB911564) | Important |
| MS07-033 | Missing | Cumulative Security Update for
Internet Explorer 6 Service Pack 1 (KB933566) | Critical |
| MS06-023 | Missing | Security update for (Jscript Version
5.6) for Windows 2000 (KB917344) | Critical |
| MS06-061 | Missing | Security Update for Windows 2000
(KB924191) | Critical |
| MS06-050 | Missing | Security Update for Windows 2000
(KB920670) | Important |
| MS07-031 | Missing | Security Update for Windows 2000
(KB935840) | Moderate |
| MS07-021 | Missing | Security Update for Windows 2000
(KB930178) | Critical |
| MS07-004 | Missing | Security Update for Internet
Explorer 6 Service Pack 1 (KB929969) | Critical |
| MS05-043 | Missing | Security Update for Windows 2000
(KB896423) | Critical |
| MS07-013 | Missing | Security Update for Windows 2000
(KB918118) | Important |
| MS05-026 | Missing | Security Update for Windows 2000
(KB896358) | Important |
Page 43
| MS06-030 | Missing
(KB914389) | Important |
| MS06-078 | Missing
(KB923689) | Critical |
| MS06-057 | Missing
(KB923191) | Critical |
| MS05-036 | Missing
(KB901214) | Critical |
| MS06-063 | Missing
(KB923414) | Important |
| MS06-078 | Missing
Player 6.4 (KB925398) | Critical |
| MS05-047 | Missing
(KB905749) | Important |
| MS07-022 | Missing
(KB931784) | Important |
| MS06-024 | Missing
Player 9 (KB917734) | Critical |
| MS05-045 | Missing
(KB905414) | Moderate |
| MS05-040 | Missing
(KB893756) | Important |
| MS06-032 | Missing
(KB917953) | Important |
| MS07-017 | Missing
(KB925902) | Critical |
| MS07-012 | Missing
(KB924667) | Important |
| MS06-061 | Missing
(KB925672) | Critical |
| MS06-045 | Missing
(KB921398) | Moderate |
| Security Update for Windows 2000
| Security Update for Windows 2000
| Security Update for Windows 2000
| Security Update for Windows 2000
| Security Update for Windows 2000
| Security Update for Windows Media
| Security Update for Windows 2000
| Security Update for Windows 2000
| Security Update for Windows Media
| Security Update for Windows 2000
| Security Update for Windows 2000
| Security Update for Windows 2000
| Security Update for Windows 2000
| Security Update for Windows 2000
| MSXML 4.0 SP2 Security Update
| Security Update for Windows 2000
Update Rollups and Service Packs
| 890830 | Missing | Windows Malicious Software Removal
Tool - June 2007 (KB890830) | |
| 891861 | Missing | Update Rollup 1 for Windows 2000
Service Pack 4 (KB891861) | |
Current Update Compliance
| MS04-020 | Installed | Security Update for Microsoft
Windows 2000 (KB841872) | Important |
Page 44
| MS05-011 | Installed | Security Update for Windows
2000 (KB885250) | Critical |
| MS05-012 | Installed | Security Update for Windows
2000 (KB873333) | Important |
| MS05-010 | Installed | Security Update for Windows
2000 (KB885834) | Critical |
| MS05-050 | Installed | Security Update for DirectX 8 for
Windows 2000 (KB904706) | Critical |
| MS04-028 | Installed | Security Update for Internet
Explorer 6 Service Pack 1 (KB833989) | Moderate |
| MS03-043 | Installed | Security Update for Microsoft
Windows 2000 (KB828035) | |
| MS03-044 | Installed | Security Update for Microsoft
Windows 2000 (KB825119) | Important |
| MS05-003 | Installed | Security Update for Windows
2000 (KB871250) | Important |
| 867460 | Installed | Microsoft .NET Framework 1.1
Service Pack 1 | |
| MS03-041 | Installed | Security Update for Windows
2000 (KB823182) | |
| MS06-005 | Installed | Security Update for Windows
Media Player 7.1 for Windows 2000 (KB911565) | Important |
| MS03-008 | Installed | 814078: Security Update
(Microsoft Jscript version 5.5, Windows 2000) | |
| MS05-001 | Installed | Security Update for Windows
2000 (KB890175) | Critical |
| MS02-008 | Installed | Security Update, February 13,
2002 (MSXML 4.0) | |
| MS03-008 | Installed | 814078: Security Update
(Microsoft Jscript version 5.1, Windows 2000) | |
| MS04-037 | Installed | Security Update for Windows
2000 (KB841356) | Important |
| MS04-012 | Installed | Security Update for Windows
2000 (KB828741) | Critical |
| MS03-042 | Installed | Security Update for Microsoft
Windows 2000 (KB826232) | Critical |
| MS03-011 | Installed | 816093: Security Update
Microsoft Virtual Machine (Microsoft VM) | Critical |
| MS05-004 | Installed | Security Update for Microsoft
.NET Framework, Version 1.1 Service Pack 1 (KB886903) | Important |
| MS04-016 | Installed | Security Update for DirectX 9.0
(KB839643) | Moderate |
| MS02-050 | Installed | Q329115: Security Update
(Windows 2000) | |
Page 45
| MS05-013 | Installed | Security Update for Windows
2000 (KB891781) | Important |
| MS04-023 | Installed | Security Update for Windows
2000 (KB840315) | Critical |
| MS04-043 | Installed | Security Update for Windows
2000 (KB873339) | Important |
| MS04-016 | Installed | Security Update for DirectX 8.2
(KB839643) | Moderate |
| MS05-014 | Installed | Cumulative Security Update for
Internet Explorer 6 Service Pack 1 (KB867282) | Critical |
| MS02-009 | Installed | Security Update, February 14,
2002 (Internet Explorer 5.5) | |
| MS04-031 | Installed | Security Update for Windows
2000 (KB841533) | Important |
| MS03-023 | Installed | 823559: Security Update for
Microsoft Windows | |
| MS06-022 | Installed | Security Update for Internet
Explorer 6 Service Pack 1 (KB918439) | Critical |
| MS03-049 | Installed | Security Update for Microsoft
Windows (KB828749) | |
| MS03-008 | Installed | 814078: Security Update
(Microsoft Jscript version 5.6, Windows 2000, Windows XP) | |
| MS04-014 | Installed | Security Update for Windows
2000 (KB837001) | Important |
| MS04-028 | Installed | Security Update for Windows
Journal Viewer (KB886179) | Important |
| MS05-017 | Installed | Security Update for Windows
2000 (KB892944) | Important |
| MS03-034 | Installed | Security Update for Microsoft
Windows (KB824105) | |
| MS04-041 | Installed | Security Update for Windows
2000 (KB885836) | Important |
| MS05-015 | Installed | Security Update for Windows
2000 (KB888113) | Important |
| MS05-008 | Installed | Security Update for Windows
2000 (KB890047) | Important |
| MS05-050 | Installed | Security Update for Windows
2000 (KB904706) | Critical |
| MS04-044 | Installed | Security Update for Windows
2000 (KB885835) | Important |
| MS05-002 | Installed | Security Update for Windows
2000 (KB891711) | Critical |
| MS04-011 | Installed | Security Update for Windows
2000 (KB835732) | Critical |
Page 46
| MS04-022
2000 (KB841873) | Critical |
| MS04-016
(KB839643) | Moderate |
| MS04-016
(KB839643) | Moderate |
| MS04-016
(KB839643) | Moderate |
| Installed | Security Update for Windows
| Installed | Security Update for DirectX 7.0
| Installed | Security Update for DirectX 8.0
| Installed | Security Update for DirectX 8.1
Operating System Scan Results
Administrative Vulnerabilities
Issue: Local Account Password Test
Score: Check failed (critical)
Result: Some user accounts (4 of 7) have blank or simple
passwords, or could not be analyzed.
Detail:
| User | Weak Password | Locked Out | Disabled |
| Guest | Weak | - | - |
| dts1 | Weak | - | - |
| dts2 | Weak | - | - |
| dtsiso | Weak | - | - |
| ASPNET | - | - | - |
| Administrator | - | - | - |
| TsInternetUser | - | - | - |
Issue: File System
Score: Check failed (critical)
Result: Not all hard drives are using the NTFS file system.
Detail:
| Drive Letter | File System |
| H: | FAT32 |
| C: | NTFS |
| E: | NTFS |
| G: | NTFS |
Issue: Password Expiration
Score: Check failed (non-critical)
Result: Some user accounts (4 of 7) have non-expiring passwords.
Detail:
| User |
Page 47
| Administrator |
| Guest |
| dts1 |
| dts2 |
| ASPNET |
| TsInternetUser |
Issue: Guest Account
Score: Check failed (critical)
Result: The Guest account is not disabled on this computer.
Issue: Autologon
Score: Check passed
Result: Autologon is not configured on this computer.
Issue: Restrict Anonymous
Score: Check failed (critical)
Result: Computer is running with RestrictAnonymous = 0. This level
allows basic enumeration of user accounts, account policies, and system
information. Set RestrictAnonymous = 2 to ensure maximum security.
Issue: Administrators
Score: Check passed
Result: No more than 2 Administrators were found on this computer.
Detail:
| User |
| Administrator |
Issue: Windows Firewall
Score: Best practice
Result: Windows Firewall is not installed or configured properly, or is
not available on this version of Windows.
Issue: Automatic Updates
Score: Check failed (non-critical)
Result: Updates are not automatically downloaded or installed on
this computer.
Issue: Incomplete Updates
Score: Best practice
Result: No incomplete software update installations were found.
Additional System Information
Issue: Windows Version
Page 48
Score: Best practice
Result: Computer is running Windows 2000 or greater.
Issue: Auditing
Score: Best practice
Result: Enable auditing for specific events like logon/logoff. Be sure
to monitor your event log to watch for unauthorized access.
Issue: Shares
Score: Best practice
Result: 11 share(s) are present on your computer.
Detail:
| Share | Directory | Share ACL | Directory ACL |
| HPLaserJ | HP LaserJet 4L,LocalsplOnly | Print Queue
Share | Directory ACL can not be read. |
| testprinter | HP DeskJet,LocalsplOnly | Print Queue Share
| Directory ACL can not be read. |
| ADMIN$ | C:\WINNT | Admin Share | BUILTIN\Users RX, BUILTIN\Power Users - RWXD, BUILTIN\Administrators - F, NT
AUTHORITY\SYSTEM - F, Everyone - RX |
| C$ | C:\ | Admin Share | Everyone - F |
| E$ | E:\ | Admin Share | Everyone - F |
| G$ | G:\ | Admin Share | Everyone - F |
| dts | C:\dts | Everyone - F | Everyone - F |
| images | G:\images | Everyone - F | Everyone - F |
| polaris share | C:\Documents and
Settings\Administrator\Desktop\polaris share | Everyone - F |
TESTSERVER\Administrator - F, NT AUTHORITY\SYSTEM - F,
BUILTIN\Administrators - F |
| print$ | C:\WINNT\system32\spool\drivers | Everyone R, Administrators - F, Power Users - F | Everyone - RX, BUILTIN\Users RX, BUILTIN\Power Users - RWXD, BUILTIN\Administrators - F, NT
AUTHORITY\SYSTEM - F |
| pulse share | C:\Documents and
Settings\Administrator\Desktop\pulse share | Everyone - F |
TESTSERVER\Administrator - F, NT AUTHORITY\SYSTEM - F,
BUILTIN\Administrators - F |
Issue: Services
Score: Best practice
Result: Some potentially unnecessary services are installed.
Detail:
| Service | State |
Page 49
| Telnet | Stopped |
Internet Information Services (IIS) Scan Results
IIS is not running on this computer.
SQL Server Scan Results
SQL Server and/or MSDE is not installed on this computer.
Desktop Application Scan Results
Administrative Vulnerabilities
Issue: IE Zones
Score: Check failed (critical)
Result: Internet Explorer zones do not have secure settings for some
users.
Detail:
| User | Zone | Level | Recommended Level |
| TESTSERVER\Administrator | Restricted sites | Custom |
High |
Sub-Detail:
| Setting | Current | Recommended |
| Script ActiveX controls marked safe for scripting |
Enable | Disable |
Issue: Macro Security
Score: Check not performed
Result: No Microsoft Office products are installed
Page 50
Appendix 6: Network Upgrade Proposal
See file “55427 Hufford Mark BS ITNM CAPU Appendix 6.doc”.
Appendix 7: End User’s Security Manual
See file “55427 Hufford Mark BS ITNM CAPU Appendix 7a.doc”.
See file “55427 Hufford Mark BS ITNM CAPU Appendix 7b.doc”.
See file “55427 Hufford Mark BS ITNM CAPU Appendix 7c.pdf”.
Appendix 8: Capstone Proposal
See file “55427 Hufford Mark BS ITNM CAPU Appendix 8.doc”.