Hi,
I suspect we have/had an unwanted visitor on our server. So I'm running all kinds of security checks to find malware. So far, the programs I ran haven't found anything, except MBSA (Microsoft Baseline Security Analyzer) - it reports several things to examine.
I wonder if MBSA takes the differences between 'normal' Windows Server 2003 and SBS 2003 into account? Therefore, I would like to know your opinion about the MBSA log, my comments in bold:
Scanned with MBSA version: 2.1.2104.0
Administrative Vulnerabilities
Issue: Administrators
Score: Check failed (non-critical)
Result: More than 2 Administrators were found on this computer.
Detail:
| User |
| \Administrator |
| \Ondernemingsadministrators |
Is Ondernemingsadministrators a valid account?
Issue: Windows Firewall
Score: Best practice
Result: Windows Firewall is not installed or configured properly, or is not available on this version of Windows.
Is the firewall by default disabled in SBS 2003?
Issue: Shares
Score: Best practice
Result: nn share(s) are present on your computer.
Detail:
| Share | Directory
| ADMIN$ | C:\WINDOWS
| Address | C:\Program Files\Exchsrvr\address
| C$ | C:\
| ClientApps | D:\ClientApps
| D$ | D:\
| .LOG | C:\Program Files\Exchsrvr\.log
| NETLOGON | C:\WINDOWS\SYSVOL\sysvol\.lan\SCRIPTS
| REMINST | d:\RemoteInstall
| Resources$ | C:\Program Files\Exchsrvr\res
| SYSVOL | C:\WINDOWS\SYSVOL\sysvol
| UpdateServicesPackages | S:\WSUS-updates\UpdateServicesPackages
| Users | D:\Users Shared Folders
| WSUSTemp | C:\Program Files\Update Services\LogFiles\WSUSTemp
| WsusContent | S:\WSUS-updates\WsusContent
| clients | C:\Programs\SBS\ClientSetup\Clients
| gebruikers | D:\sys\gebruikers
| print$ | C:\WINDOWS\system32\spool\drivers
| prnproc$ | C:\WINDOWS\system32\spool\PRTPROCS
| profielen | D:\sys\profielen
| tsclient | C:\WINDOWS\system32\clients\tsclient
| tsweb | C:\WINDOWS\web\tsweb
I removed shares I made myself; are the above valid?
SQL Server Scan Results
Instance (default)
Administrative Vulnerabilities
Issue: SQL Server/MSDE Account Password Test
Score: Check not performed
Result: The check was skipped because SQL Server and/or MSDE is operating in Windows Only authentication mode.
Issue: Service Accounts
Score: Best practice
Result: SQL Server, SQL Server Agent, MSDE and/or MSDE Agent service accounts should not be members of the local Administrators group or run as LocalSystem.
Detail:
| Instance | Service | Account | Issue |
| (default) | MSSQLServer | SYSTEM | LocalSystem account. |
| (default) | SQLServerAgent | SYSTEM | LocalSystem account. |
If I'm right, SQL Server / MSDE service accounts are set to LocalSystem by default?
Instance BKUPEXEC
Administrative Vulnerabilities
Issue: SQL Server/MSDE Account Password Test
Score: Check not performed
Result: The check was skipped because SQL Server and/or MSDE is operating in Windows Only authentication mode.
Issue: Service Accounts
Score: Best practice
Result: SQL Server, SQL Server Agent, MSDE and/or MSDE Agent service accounts should not be members of the local Administrators group or run as LocalSystem.
Detail:
| Instance | Service | Account | Issue |
| BKUPEXEC | MSSQL$BKUPEXEC | SYSTEM | LocalSystem account. |
| BKUPEXEC | SQLAgent$BKUPEXEC | SYSTEM | LocalSystem account. |
As above
Instance MICROSOFT##SSEE
Administrative Vulnerabilities
Issue: Folder Permissions
Score: Check failed (critical)
Result: Permissions on the SQL Server and/or MSDE installation folders are not set properly.
Detail:
| Instance | Folder | User |
| MICROSOFT##SSEE | C:\WINDOWS\SYSMSI\SSEE\MSSQL.2005\MSSQL\Binn | INGEBOUWD\Prestatielogboekgebruikers |
| MICROSOFT##SSEE | C:\WINDOWS\SYSMSI\SSEE\MSSQL.2005\MSSQL\Binn | INGEBOUWD\Prestatiemetergebruikers |
| MICROSOFT##SSEE | C:\WINDOWS\SYSMSI\SSEE\MSSQL.2005\MSSQL\Binn | \SQLServer2005MSSQLUser$$MICROSOFT##SSEE |
| MICROSOFT##SSEE | C:\WINDOWS\SYSMSI\SSEE\MSSQL.2005\MSSQL\Binn | \MAKER EIGENAAR |
| MICROSOFT##SSEE | C:\WINDOWS\SYSMSI\SSEE\MSSQL.2005\MSSQL\Data | \SQLServer2005MSSQLUser$$MICROSOFT##SSEE |
| MICROSOFT##SSEE | C:\WINDOWS\SYSMSI\SSEE\MSSQL.2005\MSSQL\Data | \SQLServer2005MSSQLUser$$MICROSOFT##SSEE |
| MICROSOFT##SSEE | C:\WINDOWS\SYSMSI\SSEE\MSSQL.2005\MSSQL\Data | \MAKER EIGENAAR |
Do I need to correct this?
Issue: Sysadmins
Score: Check failed (non-critical)
Result: More than 2 members of sysadmin role are present.
Issue: Service Accounts
Score: Unable to scan
Result: SQL Server, SQL Server Agent, MSDE and/or MSDE Agent service accounts should not be members of the local Administrators group or run as LocalSystem.
Detail:
| Instance | Service | Account | Issue |
| MICROSOFT##SSEE | MSSQL$MICROSOFT##SSEE | NT AUTHORITY\NetworkService | This is a Domain Account. Baseline Security Analyzer cannot determine whether it belongs to the Domain Admins group due to the following error: 1212 De notatie van de opgegeven domeinnaam is ongeldig. . |
As above
Issue: Password Policy
Score: Check failed (critical)
Result: Enable password expiration for the SQL server accounts.
If I do this, I have to change them regularly, or things won't work?
Issue: Sysdtslog
Score: Best practice
Result: Do not create sysdtslogs90 in the Master or MSDB database.It is recommended to create a seperate logging database.
??
Instance SBSMONITORING
Administrative Vulnerabilities
Issue: SQL Server/MSDE Account Password Test
Score: Check not performed
Result: The check was skipped because SQL Server and/or MSDE is operating in Windows Only authentication mode.
Issue: Service Accounts
Score: Best practice
Result: SQL Server, SQL Server Agent, MSDE and/or MSDE Agent service accounts should not be members of the local Administrators group or run as LocalSystem.
Detail:
| Instance | Service | Account | Issue |
| SBSMONITORING | MSSQL$SBSMONITORING | SYSTEM | LocalSystem account. |
| SBSMONITORING | SQLAgent$SBSMONITORING | SYSTEM | LocalSystem account. |
As above
Instance SHAREPOINT
Administrative Vulnerabilities
Issue: SQL Server/MSDE Account Password Test
Score: Check not performed
Result: The check was skipped because SQL Server and/or MSDE is operating in Windows Only authentication mode.
Issue: Service Accounts
Score: Best practice
Result: SQL Server, SQL Server Agent, MSDE and/or MSDE Agent service accounts should not be members of the local Administrators group or run as LocalSystem.
Detail:
| Instance | Service | Account | Issue |
| SHAREPOINT | MSSQL$SHAREPOINT | SYSTEM | LocalSystem account. |
| SHAREPOINT | SQLAgent$SHAREPOINT | SYSTEM | LocalSystem account. |
As above
Desktop Application Scan Results
Administrative Vulnerabilities
Issue: IE Zones
Score: Check failed (critical)
Result: Internet Explorer zones do not have secure settings for some users.
Detail:
| User | Zone | Level | Recommended Level |
| \SBS Backup User | Internet | High | High |
Sub-Detail:
| Setting | Current | Recommended |
| Run components not signed with Authenticode | Enable | Disable |
| Run components signed with Authenticode | Enable | Disable |
| \Telefonie | Internet | High | High |
Sub-Detail:
| Setting | Current | Recommended |
| Run components not signed with Authenticode | Enable | Disable |
| Run components signed with Authenticode | Enable | Disable |
| \administrator | Internet | Medium | High |
I have to log in as the user to change this?
**** End ****