Category Archives: Audit

Verify Permissions on files (Windows)


  • Changes to the permissions on files could block security settings from being applied.
  • Changes to the permissions on files could leak sensitive information.
  • Changes to the permissions on files could lead to a system compromise.
  • Audit files.

Manual audit with powershell

View the permission on the application log file with powershell

get-acl "C:\Windows\SYSTEM32\WINEVT\LOGS\application.evtx" | fl
Path : Microsoft.PowerShell.Core\FileSystem::C:\Windows\SYSTEM32\WINEVT\LOGS\application.evtx
Access : NT SERVICE\EventLog Allow FullControl
BUILTIN\Administrators Allow FullControl
Audit :
Sddl : O:LSG:LSD:AI(A;ID;FA;;;S-1-5-80-880578595-1860270145-482643319-2788375705-1540778122)(A;ID;FA;;;SY)(A;ID;FA;;;

Audit with Nessus auditfile

<check_type: "Windows" version:"2">
<group_policy: "MS Windows Server">
<file_acl: "ACL_WINEVT_LOGS_application.evtx">
<user: "Administrators">
acl_inheritance: "inherited"
acl_apply: "this object only"
acl_allow: "full control"
<user: "System">
acl_inheritance: "inherited"
acl_apply: "this object only"
acl_allow: "full control"
<user: "EventLog">
acl_inheritance: "inherited"
acl_apply: "this object only"
acl_allow: "full control"
description: "Audit file permissions om %SystemRoot%\SYSTEM32\WINEVT\LOGS\application.evtx"
value_type: FILE_ACL
value_data: "ACL_WINEVT_LOGS_application.evtx"
file: "C:\Windows\SYSTEM32\WINEVT\LOGS\application.evtx"


Running this auditfile with this specific file results into an error because the file has a file lock.

Windows Compliance Checks, version 1.263
Which file contains your security policy : SMB login : stty: 'standard input': Inappropriate ioctl for device
SMB password : stty: 'standard input': Inappropriate ioctl for device
SMB domain (optional) : "Audit for %SystemRoot%\SYSTEM32\WINEVT\LOGS\application.evtx": [ERROR]
FILE_ERROR_FILE_CREATE: the file could not be opened. It could not be found or permissions were insufficient
file: C:\Windows\SYSTEM32\WINEVT\LOGS\application.evtx

Alternative approach

We can use the powershell command-let get-acl to perform the audit.
We run the command and filter out the known good values.

get-acl "C:\Windows\SYSTEM32\WINEVT\LOGS\setup.evtx" | select -ExpandProperty access | select IdentityReference,
FileSystemRights | Where {$_.IdentityReference -ne "NT SERVICE\EventLog" -and $_.IdentityReference -ne "NT AUTHORITY\S
YSTEM" -and $_.IdentityReference -ne "BUILTIN\Administrators" }

New Nessus Auditfile Check

<check_type: "Windows" version:"2">
<group_policy: "MS Windows Server">
description : "Audit file permissions om %SystemRoot%\SYSTEM32\WINEVT\LOGS\application.evtx"
value_type : POLICY_TEXT
value_data : ""
powershell_args : 'get-acl \\"C:\\Windows\\SYSTEM32\\WINEVT\\LOGS\\setup.evtx\\" | select -ExpandProperty access | select IdentityReference, FileSystemRights | Where {$_.IdentityReference -ne \\"NT SERVICE\\EventLog\\" -and $_.IdentityReference -ne \\"NT AUTHORITY\\SYSTEM\\" -and $_.IdentityReference -ne \\"BUILTIN\\Administrators\\" }'
check_type : CHECK_EQUAL
powershell_option : CAN_BE_NULL


  • V-63533 – Permissions for the Application event log must prevent access by non-privileged accounts.
  • V-63537 – Permissions for the Security event log must prevent access by non-privileged accounts.
  • V-63541 – Permissions for the System event log must prevent access by non-privileged accounts

Server Message Block (SMB) Protocol Version 1 Unspecified RCE

Nessus Output

The remote Windows host supports Server Message Block (SMB) Protocol version 1. 
It is, therefore, affected by an unspecified remote code execution vulnerability that allows an unauthenticated, 
remote attacker to execute arbitrary code.

Note that this vulnerability is one of multiple Equation Group vulnerabilities and 
exploits disclosed by a group known as the Shadow Brokers.

Disable SMBv1 according to the vendor instructions in Microsoft KB2696547. 
Additionally, block SMB directly by blocking TCP port 445 on all network boundary devices. 
For SMB over the NetBIOS API, block TCP ports 137 / 139 and UDP ports 137 / 138 on all network boundary devices.

Continue reading

Microsoft Windows SMB Registry : Winlogon Cached Password Weakness

Nessus Description

The registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount is non-null. It means that the remote host locally caches the passwords of the users when they log in, in order to continue to allow the users to log in in the case of the failure of the PDC. Continue reading

MS15-124: Cumulative Security Update for Internet Explorer (3116180)

Nessus Output

ASLR hardening settings for Internet Explorer in KB3125869
have not been applied. The following DWORD keys must be
created with a value of 1:
  - HKLM\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING\iexplore.exe
  - HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING\iexplore.exe

Continue reading

Check Windows File Integrity with sfc and powershell


Use file integrity checking tools to ensure that critical system files (including sensitive system and application executables, libraries, and configurations) have not been altered.
Critical Security Control #3: Secure Configurations for Hardware and Software – System 3.5

SFC and Powershell

Windows contains a build-in utility called sfc to verify and fix Windows File Integrity issues.
Lets have a quick look what this utility and some powershell can do for us.
The flags differ on older versions of Windows so check it’s options before running the commands below.

Continue reading

Active Directory


CIS Benchmarks:

CVE Details:


Nessus Plugins for Active Directory

Audit XML configuration files

A quick example to query a xml config file to retrieve a specific security setting


Select-Xml -path C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config -XPath "/configuration/system.web/membership/providers/add" | 
Select-Object -ExpandProperty node | 
Select-Object passwordFormat


Cloud Security


  • Security Guidance for Critical Areas of Focus in Cloud Computing : Cloud Security Alliance
  • Cloud Computing Risk Assessment — ENISA
  • NIST Cloud Computing 6 Security Reference Architecture
  • Whitepaper Cloudcomputing | NCSC
  • Cloud Controls Matrix : Cloud Security Alliance

Websphere Application Server

Security Configuration Guides:

Websphere Application Server bevat IBM HTTP Server die zijn oorsprong vind in Apache HTTP Server.