AuditPro v4.0.0

© Network Intelligence India

http://www.niiconsulting.com
Date: 7/12/2007
Time: 15:11:25
System: windows
Hostname: 192.168.0.3

  Legend  
 
 Symbol  Description
   This represents the highest possible risk level. Such a vulnerability will in all likelihood allow an attacker partial or complete access to the system. These vulnerabilities must be addressed immediately by either patching the system, or changing the configuration.
   This represents a medium risk vulnerability. Such a vulnerability would typically allow an attacker a limited level of access to the system, but this would not usually be a super user or administrative level of access. These vulnerabilities must be addressed in the short term.
   This represents a low vulnerability. It may not necessarily result in a system compromise by itself. But in conjunction with other medium or high risk vulnerabilities it may allow an attacker considerable access to the system. Such vulnerabilities must be addressed in the short to medium term.
   This sign represents adherence to the security policy. Usually, this is the case if no violations have been found.
  This represents a finding for which no policy match could be found, or it is purely for information purposes. It does not represent a vulnerability. Normally, no action needs to be taken in such cases.
WVS The Weighted Vulnerability Score (WVS) is calculated using the formula: (Low x 1) + (Medium x 2) + (High x 3)
 
     

Table of Contents


General Information

     1. System Information
     2. Installed Software

Network Security

     3. Port Scan
     4. Network Cards
     5. Processes
     6. Services
     7. Shares
     8. Null Session Access
     9. Null Session Access Over Named Pipes

Operating System Security

     10. Alternative OS
     11. Startup Programs
     12. File System
     13. Patches
     14. Administrative Shares via Registry
     15. DCOM Enabled
     16. Automatic Updates
     17. Unnecessary Devices

Local Security Policies

     18. Security Options
     19. Account and Password Policy

Workstation Information

     20. Modems
     21. Screensaver
     22. IE Security Settings

User And Group

     23. Accounts
     24. Groups
     25. Administrator account not renamed
     26. Guest account not disabled
     27. Members of Local Administrators group
     28. Users not logged in
     29. Password does not expire

Log Analysis

     30. Event Log Cleared
     31. Login Failed
     32. System Errors
     33. Security Event Log
     34. Guest users access to Event Logs


Percentage severity distribution


Weighted score for each probe


  General Information  

  Check : System Information  
 

Description:
It is essential that you have the latest service pack installed on your critical systems. This probe determines whether you have the latest service pack for your system. Note also that the patch analysis probe only checks for updates released after the latest service pack.


CVE Reference No.: CVE-NO-MATCH


Severity Name  Value 
   Caption  Microsoft Windows XP Professional
 ServicePackMajorVersion  2
   SystemDirectory  C:\WINDOWS\system32
   Version  5.1.2600



Solution:
If a violation has been marked, make sure you download and install the latest service pack from :
http://windowsupdate.microsoft.com

 
     

  Check : Installed Software  
 

Description:
This probe determines the list of software installed on the system. It allows you to specify case insensitive regular expressions or complete names of software in the list of Disallowed software. You could also specify a list of Allowed software, which are those that you wish to ensure are installed on the target system. The default list of disallowed software checks for over 500 known backdoors, Trojans and spyware. These range from old favorites such as BackOrifice and SubSeven to the new breed of spyware such as Gator and P2P software such as Kazaa. Additionally, security assessment tools such as Ethereal, L0phtcrack, WinPCap, Cain and Abel, etc. are also checked for, to make sure no unauthorized activity is taking place.


CVE Reference No.: CVE-NO-MATCH


Severity Software Name  Registry Key 
   3D Windows XP Screen Saver  3D Windows XP
   3Planesoft Screensaver Manager 1.1  3Planesoft Screensaver Manager_is1
   N/A  AddressBook
   Adobe Acrobat 7.0 Professional  Adobe Acrobat 7.0 Professional
   Adobe Flash Player Plugin  Adobe Flash Player Plugin
   Adobe Shockwave Player  Adobe Shockwave Player
 avast! Antivirus  avast!
   N/A  Branding
   CCleaner (remove only)  CCleaner
   N/A  Connection Manager
   Convert Doc  Convert Doc_is1
   N/A  DirectAnimation
   N/A  DirectDrawEx
   N/A  DXM_Runtime
   eMule  eMule
   N/A  Fontcore
   Foxit Reader  Foxit Reader
   N/A  ICW
   N/A  IE40
   N/A  IE4Data
   N/A  IE5BAKEX
   N/A  IEData
   N/A  InstallShield Uninstall Information
   PowerQuest PartitionMagic 8.0  InstallShield_{6BE2A4A4-99FB-48ED-AE1E-4E850389F804}
   Internet Download Manager  Internet Download Manager
 IP Messenger for Win  IPMSG for Win32
   N/A  KB884016
   N/A  KB893803
   Windows Installer 3.1 (KB893803)  KB893803v2
   K-Lite Codec Pack 3.4.5 Full  KLiteCodecPack_is1
   The Matrix Trilogy 3D Code Screen Saver v3.4  Matrix3D
   Mechanical Clock 3D Screensaver 1.0  Mechanical Clock 3D Screensaver_is1
   Microsoft .NET Framework 2.0  Microsoft .NET Framework 2.0
   N/A  MobileOptionPack
   Mozilla Firefox (2.0.0.11)  Mozilla Firefox (2.0.0.11)
   Mozilla Thunderbird (2.0.0.9)  Mozilla Thunderbird (2.0.0.9)
   N/A  MPlayer2
   N/A  MSI30-Beta1
   N/A  MSI30-Beta2
   N/A  MSI30-KB884016
   N/A  MSI30-RC1
   N/A  MSI30-RC2
   N/A  MSI30a-KB884016
   N/A  MSI31-Beta
   N/A  MSI31-RC1
   Nero 6 Ultra Edition  Nero - Burning Rom!UninstallKey
   N/A  NetMeeting
   N/A  OutlookExpress
   N/A  PCHealth
   PowerISO  PowerISO
   PuTTY version 0.60  PuTTY_is1
   N/A  SchedulingAgent
   Setup Factory 7.0  Setup Factory 7.0 Trial
   Shockwave Director 10.2  Shockwave
   Adobe Flash Player 9 ActiveX  ShockwaveFlash
   Tweak UI  Tweak UI 2.10
   Unlocker 1.8.5  Unlocker
   Microsoft Visual Studio 6.0 Enterprise Edition  Visual Studio 6.0 Enterprise Edition
   VideoLAN VLC media player 0.8.1  VLC media player
   Microsoft Web Publishing Wizard 1.53  WebPost
   winpcap-nmap 3.1  winpcap-nmap
   WinRAR archiver  WinRAR archiver
   VNC 3.3.7  WinVNC_is1
 Yahoo! Install Manager  YInstHelper
   hppIOFiles  {01ADCC5D-45B4-45E4-AC5C-C06E044B16DF}
   GFI EventsManager  {0A1D52DC-3FC7-4501-8852-6E6A6BF38A87}
   hppLJ3390  {0EF45FEA-E3C1-4660-854A-810C1BA169E2}
   hppFaxUtility  {173D5E9E-8ABC-4EB2-B371-18AF8812A91D}
   Google Talk (remove only)  {226b64e8-dc75-4eea-a6c8-abcb496320f2}-Google Talk
   J2SE Runtime Environment 5.0 Update 6  {3248F0A8-6813-11D6-A77B-00B0D0150060}
   hppToolBoxFX  {3F115F1A-A387-4B28-8552-DBCAA1C2EC28}
   hppFonts  {606E5C0D-6039-42A7-988E-9D51DE773AFF}
   HP Software Update  {64FC0C98-B035-4530-B15D-3D30610B6DF1}
   NET Installation Assistance for VB6 App (Runtime Only)  {66333C41-085E-4DA1-8273-E2BCA382D766}
   hppTooCool  {663D8AAF-CB71-4056-8C60-1D85BC576C6E}
   CmdHere Powertoy For Windows XP  {6855CCDD-BDF9-48E4-B80A-80DFB96FE36C}
   PartitionMagic  {6BE2A4A4-99FB-48ED-AE1E-4E850389F804}
   hpzTLBXFX  {6DEA87DF-B074-417B-85A0-79F5EDE671A4}
   Microsoft .NET Framework 2.0  {7131646D-CD3C-40F4-97B9-CD9E4E6262EF}
   QFolder  {8777AC6D-89F9-4793-8266-DE406F343E89}
   Intel(R) Extreme Graphics Driver  {8A708DD8-A5E6-11D4-A706-000629E95E20}
   Microsoft Office Professional Edition 2003  {90110409-6000-11D3-8CFE-0150048383C9}
   VMware Workstation  {98D1A713-438C-4A23-8AB6-41B37C4A2D47}
   hppSendFax  {A0B42136-C813-4FB4-84A1-C41E6F12410B}
   hppManuals3390  {A5A93185-26A8-4F02-B021-D6E6A4396441}
   2in1 Coundition Zero 1.1&Counter-Strike 1.6(build 2738)  {A6B06FBE-783A-4322-9532-5BCC16CD8554}
   Adobe Acrobat 7.0 Professional  {AC76BA86-1033-0000-7760-000000000002}
   DivX Web Player  {B7050CBDB2504B34BC2A9CA0A692CC29}
   Microsoft .NET Framework 1.1  {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
   DivX Content Uploader  {D050D7362D214723AD585B541FFB6C11}
   hppscan3390  {D5E31EEE-CD8A-4E01-87F1-119C4A3201FD}
   hppFaxDrv3390  {DB7F1657-6164-40AE-8A94-8F785C0C3E3F}
   hppScanTo  {E69B85BC-8121-4D5C-8CA4-D688895671F4}
   HP LaserJet 3050/3052/3055/3390/3392 3.0  {E94E150C-762B-4cd1-8A54-7228A07C0710}
   Scan  {FE3F3C9B-2C29-4FEE-A74F-11E436729F2C}



Solution:
Ensure that only known and trusted software have been installed. Create an organizational security policy that mandates the use of allowed software, and put a procedure in place for any user wanting to install new software on their systems.

 
     

  Network Security  

  Check : Port Scan  
 

Description:
This is the list of open ports along with the banners grabbed from the open ports. Any ports that are present in the disallowed list, and are found to be open are marked as high severity violations. Any ports that are in the allowed list and are found to be open are marked as compliance entries. The default disallowed list contains known Trojan and virus ports. The port scan also maps the open ports to known services. A port scan is typically the first stage in the security assessment exercise, and the output will help you determine the network exposure of your system.


CVE Reference No.: CVE-NO-MATCH


Severity Port Number  Default Service  Banner 
   135  DCE endpoint resolution  N/A
   139  NETBIOS Session Service  ƒ
   445  Microsoft-DS  N/A



Solution:
Make sure that only trusted services are keeping ports open. For instance, HTTP ports 80 or 443 should not be found open on a workstation. Ensure that there is a functional justification for keeping the ports open. If you wish to investigate a port, the first step would be to issue a 'netstat -an' command on the target system, and determine ports that are in 'LISTENING' mode. To determine, which software or services are responsible for keeping ports open, you could use the 'fport' utility from Foundstone, which maps open ports to services. Make sure only known and fully patched services are responsible for the open ports. Also make sure that the services do not reveal the type and version of the software in the banner.

 
     

  Check : Network Cards  
 

Description:
This probe simply enumerates the network adapters configured on the system. This is purely for informational purposes.


CVE Reference No.: CVE-NO-MATCH


Severity Description  DHCPEnabled  IPAddress  DefaultIPGateway 
   D-Link DFE-538TX 10/100 Adapter - Packet Scheduler Miniport  FALSE  {192.168.0.3}  {192.168.0.100}
   RAS Async Adapter  FALSE  {192.168.0.3}  {192.168.0.100}
   Packet Scheduler Miniport  FALSE  {192.168.0.3}  {192.168.0.100}
   WAN Miniport (L2TP)  FALSE  {192.168.0.3}  {192.168.0.100}
   WAN Miniport (PPTP)  FALSE  {192.168.0.3}  {192.168.0.100}
   WAN Miniport (PPPOE)  FALSE  {192.168.0.3}  {192.168.0.100}
   Direct Parallel  FALSE  {192.168.0.3}  {192.168.0.100}
   WAN Miniport (IP)  FALSE  {192.168.0.3}  {192.168.0.100}
   Packet Scheduler Miniport  FALSE  {192.168.0.3}  {192.168.0.100}
   VMware Virtual Ethernet Adapter for VMnet1  FALSE  {192.168.0.3}  {192.168.0.100}
   VMware Virtual Ethernet Adapter for VMnet8  FALSE  {192.168.0.3}  {192.168.0.100}



Solution:
You can check the output to see that the IP address and the default gateway are properly configured.

 
     

  Check : Processes  
 

Description:
This probe captures a snapshot of the running processes on the target system. It displays the Process ID, the Name of the process and the path where the executable is located. This is where we check for the presence of virus executables, as well as those related to malware and spyware. You could also add your own executables here to check for your own list of disallowed executables. This probe supports regular expressions. So you could enter the pattern against which a case insensitive match will be done, or simply enter the name of the executable to check for. The default list contains over 100 known malware and spyware executables.


CVE Reference No.: CVE-NO-MATCH


Severity ProcessId  Name  ExecutablePath 
   0  System Idle Process  N/A
   4  System  N/A
   492  smss.exe  C:\WINDOWS\System32\smss.exe
   540  csrss.exe  C:\WINDOWS\System32\smss.exe
   564  winlogon.exe  C:\WINDOWS\system32\winlogon.exe
   608  services.exe  C:\WINDOWS\system32\services.exe
   620  lsass.exe  C:\WINDOWS\system32\lsass.exe
   808  svchost.exe  C:\WINDOWS\system32\svchost.exe
   856  svchost.exe  C:\WINDOWS\system32\svchost.exe
   920  svchost.exe  C:\WINDOWS\System32\svchost.exe
   1060  svchost.exe  C:\WINDOWS\System32\svchost.exe
   1128  svchost.exe  C:\WINDOWS\System32\svchost.exe
   1180  aswUpdSv.exe  C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
   1248  ashServ.exe  C:\Program Files\Alwil Software\Avast4\ashServ.exe
   1460  spoolsv.exe  C:\WINDOWS\system32\spoolsv.exe
   1604  ssjfqusl.exe  C:\WINDOWS\system32\ssjfqusl.exe
   1644  HPZipm12.exe  C:\WINDOWS\system32\HPZipm12.exe
   1684  svchost.exe  C:\WINDOWS\system32\svchost.exe
   1752  vmount2.exe  C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
   1956  explorer.exe  C:\WINDOWS\Explorer.EXE
   1996  vmnat.exe  C:\WINDOWS\system32\vmnat.exe
   208  vmnetdhcp.exe  C:\WINDOWS\system32\vmnetdhcp.exe
   404  ashMaiSv.exe  C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
   772  ashWebSv.exe  C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
   904  ehtray.exe  C:\WINDOWS\ehome\ehtray.exe
   1584  alg.exe  C:\WINDOWS\ehome\ehtray.exe
   1664  ashDisp.exe  C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
   1680  UnlockerAssistant.exe  C:\Program Files\Unlocker\UnlockerAssistant.exe
   1900  ehmsas.exe  C:\WINDOWS\eHome\ehmsas.exe
   2284  ehSched.exe  C:\WINDOWS\eHome\ehSched.exe
   2424  dllhost.exe  C:\WINDOWS\system32\dllhost.exe
   2884  inetinfo.exe  C:\WINDOWS\system32\inetsrv\inetinfo.exe
   2964  IDMan.exe  C:\Program Files\Internet Download Manager\IDMan.exe
   3156  thunderbird.exe  C:\Program Files\Mozilla Thunderbird\thunderbird.exe
   3720  ipmsg.exe  C:\Program Files\IPMsg\ipmsg.exe
   1660  vmware.exe  C:\Program Files\VMware\VMware Workstation\vmware.exe
   2620  vmware-vmx.exe  C:\Program Files\VMware\VMware Workstation\bin\vmware-vmx.exe
   656  agntsrvc.exe  C:\oracle\ora90\bin\agntsrvc.exe
   2792  cmd.exe  C:\WINDOWS\system32\cmd.exe
   2348  dbsnmp.exe  C:\oracle\ora90\bin\dbsnmp.exe
   1376  TNSLSNR.EXE  C:\oracle\ora90\BIN\TNSLSNR.exe
   684  oracle.exe  c:\oracle\ora90\bin\ORACLE.EXE
   3596  firefox.exe  C:\Program Files\Mozilla Firefox\firefox.exe
   424  VB6.EXE  C:\Program Files\Microsoft Visual Studio\VB98\vb6.exe
   3904  wmiprvse.exe  C:\Program Files\Microsoft Visual Studio\VB98\vb6.exe
   4036  wmiprvse.exe  C:\Program Files\Microsoft Visual Studio\VB98\vb6.exe



Solution:
If any processes have been marked as violations of your policy, investigate those executables. Suggested steps include using fport from Foundstone to check for executables that keep ports open. Use utilities such as regmon and filemon from Sysinternals to see what kind of registry keys and files are being accessed by the executable. Also, you could check for ASCII strings present within the binary using the Unix 'strings' or Foundstone's BinText utility. Finally, you could simply type in the name of executable into Google and see if the results show it to be some sort of malware or spyware.

 
     

  Check : Services  
 

Description:
Windows services are controlled through the Services applet. In a default Windows installation, a large number of services are configured to be Running by default. Since most of these services run with Local System privileges, a vulnerability in any of them would typically allow an attacker to execute arbitrary code with the highest possible privilege level. For instance, buffer overflow vulnerabilities have been found in the Messenger and Workstation services, among others. Best security practice dictates that services which are not required should be Stopped and kept Disabled. This probe allows you to set two lists to compare with. The Allowed Services list contains those services which you mandate must be running, and the Disallowed Services list contains those services that must be specifically stopped. This probe supports regular expression matching. So if you want to mandate that anti-virus software should be running, irrespective of whether it is Symantec or Norton or something else, you could add the string 'antivirus' to the Allowed Services list, which would do a case insensitive regular expression match.


CVE Reference No.: CVE-NO-MATCH


Severity DisplayName  State  StartMode  PathName 
   Adobe LM Service  Stopped  Manual  "C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"
 Alerter  Stopped  Disabled  C:\WINDOWS\system32\svchost.exe -k LocalService
   Application Layer Gateway Service  Running  Manual  C:\WINDOWS\System32\alg.exe
   Application Management  Running  Manual  C:\WINDOWS\system32\svchost.exe -k netsvcs
   ASP.NET State Service  Stopped  Manual  C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
   avast! iAVS4 Control Service  Running  Auto  "C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"
   Windows Audio  Running  Auto  C:\WINDOWS\System32\svchost.exe -k netsvcs
   avast! Antivirus  Running  Auto  "C:\Program Files\Alwil Software\Avast4\ashServ.exe"
   avast! Mail Scanner  Running  Manual  "C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service
   avast! Web Scanner  Running  Manual  "C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service
   Background Intelligent Transfer Service  Stopped  Manual  C:\WINDOWS\system32\svchost.exe -k netsvcs
   Computer Browser  Running  Auto  C:\WINDOWS\system32\svchost.exe -k netsvcs
   Indexing Service  Stopped  Manual  C:\WINDOWS\system32\cisvc.exe
   ClipBook  Stopped  Disabled  C:\WINDOWS\system32\clipsrv.exe
   .NET Runtime Optimization Service v2.0.50727_X86  Stopped  Manual  C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
   COM+ System Application  Running  Manual  C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
   Cryptographic Services  Running  Auto  C:\WINDOWS\system32\svchost.exe -k netsvcs
   DCOM Server Process Launcher  Running  Auto  C:\WINDOWS\system32\svchost -k DcomLaunch
 DHCP Client  Running  Auto  C:\WINDOWS\system32\svchost.exe -k netsvcs
   Logical Disk Manager Administrative Service  Stopped  Manual  C:\WINDOWS\System32\dmadmin.exe /com
   Logical Disk Manager  Running  Auto  C:\WINDOWS\System32\svchost.exe -k netsvcs
 DNS Client  Running  Auto  C:\WINDOWS\system32\svchost.exe -k NetworkService
   DomainService  Running  Auto  C:\WINDOWS\system32\ssjfqusl.exe /service
   Media Center Receiver Service  Stopped  Manual  C:\WINDOWS\eHome\ehRecvr.exe
   Media Center Scheduler Service  Running  Manual  C:\WINDOWS\eHome\ehSched.exe
   Error Reporting Service  Running  Auto  C:\WINDOWS\System32\svchost.exe -k netsvcs
   Event Log  Running  Auto  C:\WINDOWS\system32\services.exe
   GFI EventsManager  Stopped  Auto  C:\Program Files\GFI\EventsManager 7\esmproc.exe
   COM+ Event System  Running  Manual  C:\WINDOWS\system32\svchost.exe -k netsvcs
   Fast User Switching Compatibility  Stopped  Manual  C:\WINDOWS\System32\svchost.exe -k netsvcs
   Help and Support  Running  Auto  C:\WINDOWS\System32\svchost.exe -k netsvcs
   Human Interface Device Access  Stopped  Disabled  C:\WINDOWS\System32\svchost.exe -k netsvcs
   HTTP SSL  Stopped  Manual  C:\WINDOWS\System32\svchost.exe -k HTTPFilter
   IIS Admin  Running  Manual  C:\WINDOWS\system32\inetsrv\inetinfo.exe
   IMAPI CD-Burning COM Service  Stopped  Manual  C:\WINDOWS\system32\imapi.exe
   Server  Running  Auto  C:\WINDOWS\system32\svchost.exe -k netsvcs
   Workstation  Running  Auto  C:\WINDOWS\system32\svchost.exe -k netsvcs
   TCP/IP NetBIOS Helper  Running  Auto  C:\WINDOWS\system32\svchost.exe -k LocalService
 Messenger  Stopped  Disabled  C:\WINDOWS\system32\svchost.exe -k netsvcs
   MHN  Stopped  Manual  C:\WINDOWS\System32\svchost.exe -k netsvcs
   NetMeeting Remote Desktop Sharing  Stopped  Manual  C:\WINDOWS\system32\mnmsrvc.exe
   Distributed Transaction Coordinator  Stopped  Manual  C:\WINDOWS\system32\msdtc.exe
   FTP Publishing  Stopped  Manual  C:\WINDOWS\system32\inetsrv\inetinfo.exe
   Windows Installer  Stopped  Manual  C:\WINDOWS\system32\msiexec.exe /V
 Network DDE  Stopped  Disabled  C:\WINDOWS\system32\netdde.exe
 Network DDE DSDM  Stopped  Disabled  C:\WINDOWS\system32\netdde.exe
   Net Logon  Stopped  Manual  C:\WINDOWS\system32\lsass.exe
 Network Connections  Running  Manual  C:\WINDOWS\System32\svchost.exe -k netsvcs
   Network Location Awareness (NLA)  Running  Manual  C:\WINDOWS\system32\svchost.exe -k netsvcs
   NT LM Security Support Provider  Stopped  Manual  C:\WINDOWS\system32\lsass.exe
   Removable Storage  Stopped  Manual  C:\WINDOWS\system32\svchost.exe -k netsvcs
   Oracle OLAP 9.0.1.0.1  Stopped  Manual  C:\oracle\ora90\bin\xsolap.exe
   Oracle OLAP Agent  Stopped  Manual  C:\oracle\ora90\bin\xsaagent.exe
   OracleOraHome90Agent  Running  Manual  C:\oracle\ora90\bin\agntsrvc.exe
   OracleOraHome90ClientCache  Stopped  Manual  C:\oracle\ora90\BIN\ONRSD.EXE
   OracleOraHome90HTTPServer  Stopped  Manual  C:\oracle\ora90\Apache\Apache\Apache.exe
   OracleOraHome90PagingServer  Stopped  Manual  C:\oracle\ora90\bin\pagntsrv.exe
   OracleOraHome90SNMPPeerEncapsulator  Stopped  Manual  C:\oracle\ora90\BIN\ENCSVC.EXE
   OracleOraHome90SNMPPeerMasterAgent  Stopped  Manual  C:\oracle\ora90\BIN\AGNTSVC.EXE
   OracleOraHome90TNSListener  Running  Manual  C:\oracle\ora90\BIN\TNSLSNR
   OracleServiceORA9I  Running  Manual  c:\oracle\ora90\bin\ORACLE.EXE ORA9I
   Office Source Engine  Stopped  Manual  "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
 Plug and Play  Running  Auto  C:\WINDOWS\system32\services.exe
   Pml Driver HPZ12  Running  Auto  C:\WINDOWS\system32\HPZipm12.exe
   IPSEC Services  Running  Auto  C:\WINDOWS\system32\lsass.exe
   Protected Storage  Running  Auto  C:\WINDOWS\system32\lsass.exe
   PServer Monitor Service  Stopped  Disabled  C:\Program Files\BISF Revealer\PSMonitor.exe
   Remote Access Auto Connection Manager  Stopped  Manual  C:\WINDOWS\system32\svchost.exe -k netsvcs
   Remote Access Connection Manager  Running  Manual  C:\WINDOWS\system32\svchost.exe -k netsvcs
   Remote Desktop Help Session Manager  Stopped  Manual  C:\WINDOWS\system32\sessmgr.exe
 Routing and Remote Access  Stopped  Disabled  C:\WINDOWS\system32\svchost.exe -k netsvcs
   Remote Registry  Running  Auto  C:\WINDOWS\system32\svchost.exe -k LocalService
   Remote Procedure Call (RPC) Locator  Stopped  Manual  C:\WINDOWS\system32\locator.exe
   Remote Procedure Call (RPC)  Running  Auto  C:\WINDOWS\system32\svchost -k rpcss
   QoS RSVP  Stopped  Manual  C:\WINDOWS\system32\rsvp.exe
   Security Accounts Manager  Running  Auto  C:\WINDOWS\system32\lsass.exe
   Smart Card  Stopped  Manual  C:\WINDOWS\System32\SCardSvr.exe
   Task Scheduler  Running  Auto  C:\WINDOWS\System32\svchost.exe -k netsvcs
   Secondary Logon  Running  Auto  C:\WINDOWS\System32\svchost.exe -k netsvcs
   System Event Notification  Running  Auto  C:\WINDOWS\system32\svchost.exe -k netsvcs
 Windows Firewall/Internet Connection Sharing (ICS)  Running  Auto  C:\WINDOWS\system32\svchost.exe -k netsvcs
   Shell Hardware Detection  Running  Auto  C:\WINDOWS\System32\svchost.exe -k netsvcs
 Print Spooler  Running  Auto  C:\WINDOWS\system32\spoolsv.exe
   System Restore Service  Running  Auto  C:\WINDOWS\system32\svchost.exe -k netsvcs
   SSDP Discovery Service  Running  Manual  C:\WINDOWS\system32\svchost.exe -k LocalService
   Windows Image Acquisition (WIA)  Running  Auto  C:\WINDOWS\system32\svchost.exe -k imgsvc
   MS Software Shadow Copy Provider  Stopped  Manual  C:\WINDOWS\system32\dllhost.exe /Processid:{BC7E5099-D6DF-4C15-A95E-2341DB8AF650}
   Performance Logs and Alerts  Stopped  Manual  C:\WINDOWS\system32\smlogsvc.exe
   Telephony  Running  Manual  C:\WINDOWS\System32\svchost.exe -k netsvcs
 Terminal Services  Running  Manual  C:\WINDOWS\System32\svchost -k DComLaunch
   Themes  Running  Auto  C:\WINDOWS\System32\svchost.exe -k netsvcs
 Telnet  Stopped  Disabled  C:\WINDOWS\system32\tlntsvr.exe
   Distributed Link Tracking Client  Running  Auto  C:\WINDOWS\system32\svchost.exe -k netsvcs
   Windows User Mode Driver Framework  Stopped  Manual  C:\WINDOWS\system32\wdfmgr.exe
 Universal Plug and Play Device Host  Stopped  Manual  C:\WINDOWS\system32\svchost.exe -k LocalService
   Uninterruptible Power Supply  Stopped  Manual  C:\WINDOWS\System32\ups.exe
   Visual Studio Analyzer RPC bridge  Stopped  Manual  C:\Program Files\Microsoft Visual Studio\Common\Tools\VS-Ent98\Vanalyzr\varpc.exe
   VMware Authorization Service  Stopped  Auto  C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
   VMware DHCP Service  Running  Auto  C:\WINDOWS\system32\vmnetdhcp.exe
   VMware Virtual Mount Manager Extended  Running  Auto  "C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe"
   VMware NAT Service  Running  Auto  C:\WINDOWS\system32\vmnat.exe
   Volume Shadow Copy  Stopped  Manual  C:\WINDOWS\System32\vssvc.exe
   Windows Time  Running  Auto  C:\WINDOWS\System32\svchost.exe -k netsvcs
   WebClient  Running  Auto  C:\WINDOWS\system32\svchost.exe -k LocalService
   Windows Management Instrumentation  Running  Auto  C:\WINDOWS\system32\svchost.exe -k netsvcs
   Portable Media Serial Number Service  Stopped  Manual  C:\WINDOWS\System32\svchost.exe -k netsvcs
   Windows Management Instrumentation Driver Extensions  Stopped  Manual  C:\WINDOWS\System32\svchost.exe -k netsvcs
   WMI Performance Adapter  Stopped  Manual  C:\WINDOWS\system32\wbem\wmiapsrv.exe
   Security Center  Running  Auto  C:\WINDOWS\System32\svchost.exe -k netsvcs
   Automatic Updates  Running  Auto  C:\WINDOWS\system32\svchost.exe -k netsvcs
   Wireless Zero Configuration  Running  Auto  C:\WINDOWS\System32\svchost.exe -k netsvcs
   Network Provisioning Service  Stopped  Manual  C:\WINDOWS\System32\svchost.exe -k netsvcs
   Visibroker Smart Agent  Stopped  Manual  C:\oracle\ora90\bin\osagent.exe



Solution:
Shut down those services that are not required. Also make sure the policy is accurate depending on your requirements.

 
     

  Check : Shares  
 

Description:
Sharing of drives or folders, especially when they are shared with full access, can be a major security risk, considering how blended threats such as Nimda and Klez spread from system to system across a network using multiple modes of infection. These viruses replicate by copying themselves to other folders or drives that are shared. Also, Windows creates Administrative or Hidden shares by default, which are accessible only to users within the local Administrators group but still increase the surface area of exposure. The shares marked as non-compliant in this probe are those that match the regular expression patterns supplied in the policy.


CVE Reference No.: CVE-NO-MATCH


Severity Name  Caption  Path 
   IPC$  Remote IPC  N/A



Solution:
Remove Administrative or Hidden shares. Also reduce the number of shares that are created on critical systems. Put NTFS or Share level permissions to restrict users that can access those shared folders. Finally, for critical shared folders, ensure an adequate audit policy is in place to monitor user activity on these folders.

 
     

  Check : Null Session Access  
 

Description:
Null sessions are a weakness that can be exploited through the various shares that are on the computer.


CVE Reference No.: CVE-NO-MATCH


Severity Registry Key  Key Name  Value 
 SYSTEM\CurrentControlSet\Services\LanmanServer\parameters  RestrictNullSessAccess  Not found



Solution:
Control null session access to the shares on the computer by adding RestrictNullSessAccess, a registry value that determines whether the Server service restricts access to clients logged on under the system account without username and password authentication. Setting the value to 1 restricts null session access by unauthenticated users to all server pipes and shares except those listed in the NullSessionPipes and NullSessionShares entries.

 
     

  Check : Null Session Access Over Named Pipes  
 

Description:
Restricting such access helps prevent unauthorized access over the network.


CVE Reference No.: CVE-NO-MATCH


Severity Registry Key  Key Name  Value 
 SYSTEM\CurrentControlSet\Services\LanmanServer\parameters  NullSessionPipes  COMNAP
COMNODE
SQL/QUERY
SPOOLSS
LLSRPC
browser
 SYSTEM\CurrentControlSet\Services\LanmanServer\parameters  NullSessionShares  COMCFG
DFS$



Solution:
To restrict null session access over named pipes and shared directories, edit the registry values in the following locations:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\parameters\NullSessionPipes
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\parameters\NullSessionShares

 
     

  Operating System Security  

  Check : Alternative OS  
 

Description:
Windows NT/2000 systems include support for alternate operating system subsystems such as POSIX and OS/2. There are known vulnerabilities within the system files required for this support, and at least one of them allows a local user to elevate his privileges to Local System level. This functionality is now generally redundant and, if not specifically needed, it is suggested you remove the subsystems from Windows.


CVE Reference No.: CVE-NO-MATCH


Severity Registry Key  Key Name  Value 
 SYSTEM\CurrentControlSet\Control\Session Manager\Environment  Os2LibPath  Not found
 SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems  Os2  Not found
 SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems  Posix  C:\WINDOWS\system32\psxss.exe



Solution:
In the Windows registry go to the following key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems

Delete the OS2 and POSIX values.
Restart the computer for the changes to take effect.

 
     

  Check : Startup Programs  
 

Description:
Most viruses, Trojans, spyware and other types of malware place their executables in the startup folder or registry so that they can be executed automatically as soon as the system boots. If a proper check is not done, the system may be vulnerable to virus and worm attacks. Ensure that unauthorised/suspicious entries are not found in the above observation. The policy allows you to set the names of the exe files or regular expression patterns.


CVE Reference No.: CVE-NO-MATCH


Severity Name  Command  Description  Location 
   desktop  desktop.ini  N/A  Startup
   desktop  desktop.ini  N/A  Startup
   desktop  desktop.ini  N/A  Startup
   Adobe Acrobat Speed Launcher  C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe  N/A  Common Startup
   desktop  desktop.ini  N/A  Common Startup
   ehTray  C:\WINDOWS\ehome\ehtray.exe  eHome Media Center??  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   IgfxTray  C:\WINDOWS\system32\igfxtray.exe  Quick access to the control panel via a System Tray icon for graphics based upon the Intel chipsets (ie, i810). These chipsets are often included on motherboards. Available via Start -> Settings -> Control Panel  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   avast!  C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe  N/A  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   SunJavaUpdateSched  C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe  N/A  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   UnlockerAssistant  "C:\Program Files\Unlocker\UnlockerAssistant.exe"  ERROR Secname  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   08f95f18  rundll32.exe "C:\WINDOWS\system32\xupjfexr.dll",b  N/A  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run



Solution:
Regularly check this section and ensure that no suspicious entries are present in the observation shown above. Entries that are unnecessary or suspicious should be deleted from HKLM\Software\Microsoft\Windows\CurrentVersion\Run, RunOnce and RunServices, and from the users' Startup folders.

 
     

  Check : File System  
 

Description:
NTFS offers the greatest number of benefits, especially in terms of security. It offers file and folder permissions, encryption, and disk quotas. This probe determines whether your disks are NTFS formatted or not.


CVE Reference No.: CVE-NO-MATCH


Severity Caption  FileSystem  VolumeName 
   A:  N/A  N/A
 C:  NTFS  N/A
 D:  NTFS  N/A
 E:  NTFS  N/A
 G:  NTFS  N/A



Solution:
NTFS partitions offer access controls and protections that are not available with the FAT, FAT32, or FAT32x file systems. It is highly recommended that all partitions on your server be formatted using NTFS. If necessary, use the convert utility to non-destructively convert your FAT partitions to NTFS. The format of this command is 'convert Drive_name /FS:File_System'. So, for instance, if you need to convert the D drive to NTFS, you would issue the following at a command prompt:
convert D: /FS:NTFS

 
     

  Check : Patches  
 

Description:
This probe determines the patches that have been applied on the system. The supported systems are Windows 2003, Windows 2000, Windows XP, Internet Explorer, Outlook Express, MDAC, SQL Server, ISA Proxy, IIS, Microsoft Exchange, FrontPage Server Extensions, Windows Media Player and MSDE. Note that patch checking is restricted to the latest service pack and the patches released after it. Therefore, if you have not applied the latest service pack, we strongly recommend that you do so and then run this probe again.


CVE Reference No.: CVE-NO-MATCH


Severity HotFixID  Description  ServicePackInEffect 
   KB928090  Cumulative Security Update for Internet Explorer  N/A
   KB923694  Cumulative Security Update for Outlook Express  N/A
   KB927978  Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution  N/A
   KB929969  Vulnerability in Vector Markup Language Could Allow Remote Code Execution  N/A
 KB903235  Vulnerability in JView Profiler Could Allow Remote Code Execution  N/A
 KB917283  Vulnerability in ASP.NET Could Allow Information Disclosure  N/A
 KB922770  Vulnerability in ASP.NET 2.0 Could Allow Information Disclosure  N/A
 KB917734  Vulnerability in Windows Media Player Could Allow Remote Code Execution  N/A
 KB925398  Vulnerability in Windows Media Format Could Allow Remote Code Execution  N/A
 KB911565  Vulnerability in Windows Media Player Could Allow Remote Code Execution  N/A
 KB911564  Vulnerability in Windows Media Player Plug-in with Non-Microsoft Internet Browsers Could Allow Remote Code Execution  N/A
 KB887472    N/A
 KB873339  Vulnerability in HyperTerminal Could Allow Code Execution  N/A
 KB885835  Vulnerabilities in Windows Kernel and LSASS Could Allow Elevation of Privilege  N/A
 KB885836  Vulnerability in WordPad Could Allow Code Execution  N/A
 KB888302  Vulnerability in Windows Could Allow Information Disclosure.  N/A
 KB890859  Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege and Denial of Service  N/A
 KB891781  Vulnerability in the DHTML Editing Component ActiveX Control Could Allow Remote Code Execution.  N/A
 KB893756  Vulnerability in Telephony Service Could Allow Remote Code Execution  N/A
 KB896358  Vulnerability in HTML Help could allow remote code execution  N/A
 KB896423  Vulnerability in Print Spooler Service Could Allow Remote Code Execution  N/A
 KB896424  Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution (896424)  N/A
 KB896428  Vulnerability in Telnet Client Could Allow Information Disclosure  N/A
 KB899587  Vulnerabilities in Kerberos Could Allow Denial of Service, Information Disclosure, and Spoofing  N/A
 KB899591  Vulnerability in Remote Desktop Protocol Could Allow Denial of Service  N/A
 KB900725  Vulnerabilities in Windows Shell Could Allow Remote Code Execution  N/A
 KB901017  Vulnerability in the Microsoft Collaboration Data Objects Could Allow Remote Code Execution  N/A
 KB901190  Vulnerability in the Korean Input Method Editor Could Allow Elevation of Privilege  N/A
 KB901214  Vulnerability in Microsoft Color Management Module Could Allow Remote Code Execution  N/A
 KB902400  Vulnerabilities in MSDTC and COM+ Could Allow Remote Code Execution  N/A
 KB904706  Vulnerability in DirectShow Could Allow Remote Code Execution  N/A
 KB905414  Vulnerability in Network Connection Manager Could Allow Denial of Service.  N/A
 KB905749  Vulnerability in Plug and Play Could Allow Remote Code Execution and Local Elevation of Privilege  N/A
 KB908519  Vulnerability in Embedded Web Fonts Could Allow Remote Code Execution  N/A
 KB908531  Vulnerability in Windows Explorer Could Allow Remote Code Execution  N/A
 KB911280  Vulnerability in Routing and Remote Access Could Allow Remote Code Execution  N/A
 KB911280  Vulnerability in Routing and Remote Access Could Allow Remote Code Execution  N/A
 KB911562  Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution  N/A
 KB911927  Vulnerability in Web Client Service Could Allow Remote Code Execution  N/A
 KB912919  Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution  N/A
 KB913580  Vulnerability in Microsoft Distributed Transaction Coordinator Could Allow Denial of Service  N/A
 KB914388  Vulnerability in DHCP Client Service Could Allow Remote Code Execution  N/A
 KB914389  Vulnerability in Server Message Block Could Allow Elevation of Privilege  N/A
 KB917537  Vulnerability in Microsoft Internet Information Services using Active Server Pages Could Allow Remote Code Execution  N/A
 KB917953  Vulnerability in TCP/IP Could Allow Remote Code Execution  N/A
 KB918118  Vulnerability in Microsoft RichEdit Could Allow Remote Code Execution  N/A
 KB918439  Vulnerability in ART Image Rendering Could Allow Remote Code Execution  N/A
 KB919007  Vulnerability in Pragmatic General Multicast (PGM) Could Allow Remote Code Execution  N/A
 KB920213  Vulnerability in Microsoft Agent Could Allow Remote Code Execution  N/A
 KB920670  Vulnerabilities in Microsoft Windows Hyperlink Object Library Could Allow Remote Code Execution  N/A
 KB920683  Vulnerabilities in DNS Resolution Could Allow Remote Code Execution  N/A
 KB920685  Vulnerability in Indexing Service Could Allow Cross-Site Scripting  N/A
 KB922819  Vulnerabilities in TCP/IP IPv6 Could Allow Denial of Service  N/A
 KB923191  Vulnerability in Windows Explorer Could Allow Remote Execution  N/A
 KB923414  Vulnerability in Server Service Could Allow Denial of Service and Remote Code Execution  N/A
 KB923689    N/A
 KB923980  Vulnerabilities in Client Service for NetWare Could Allow Remote Code Execution  N/A
 KB924191  Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution  N/A
 KB924270  Vulnerability in Workstation Service Could Allow Remote Code Execution  N/A
 KB924496  Vulnerability in Windows Object Packager Could Allow Remote Execution  N/A
 KB899591  Vulnerability in Remote Desktop Protocol Could Allow Denial of Service  N/A
 KB900725  Vulnerabilities in Windows Shell Could Allow Remote Code Execution  N/A
 KB901017  Vulnerability in the Microsoft Collaboration Data Objects Could Allow Remote Code Execution  N/A
 KB901214  Vulnerability in Microsoft Color Management Module Could Allow Remote Code Execution  N/A
 KB902400  Vulnerabilities in MSDTC and COM+ Could Allow Remote Code Execution  N/A
 KB904706  Vulnerability in DirectShow Could Allow Remote Code Execution  N/A
 KB905414  Vulnerability in Network Connection Manager Could Allow Denial of Service.  N/A
 KB905749  Vulnerability in Plug and Play Could Allow Remote Code Execution and Local Elevation of Privilege  N/A
 KB908519  Vulnerability in Embedded Web Fonts Could Allow Remote Code Execution  N/A
 KB908531  Vulnerability in Windows Explorer Could Allow Remote Code Execution  N/A
 KB911280  Vulnerability in Routing and Remote Access Could Allow Remote Code Execution  N/A
 KB911280  Vulnerability in Routing and Remote Access Could Allow Remote Code Execution  N/A
 KB911562  Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution  N/A
 KB911927  Vulnerability in Web Client Service Could Allow Remote Code Execution  N/A
 KB912919  Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution  N/A
 KB913580  Vulnerability in Microsoft Distributed Transaction Coordinator Could Allow Denial of Service  N/A
 KB914388  Vulnerability in DHCP Client Service Could Allow Remote Code Execution  N/A
 KB914389  Vulnerability in Server Message Block Could Allow Elevation of Privilege  N/A
 KB917422  Vulnerability in Windows Kernel Could Result in Remote Code Execution  N/A
 KB917537  Vulnerability in Microsoft Internet Information Services using Active Server Pages Could Allow Remote Code Execution  N/A
 KB917953  Vulnerability in TCP/IP Could Allow Remote Code Execution  N/A
 KB918118  Vulnerability in Microsoft RichEdit Could Allow Remote Code Execution  N/A
 KB918439  Vulnerability in ART Image Rendering Could Allow Remote Code Execution  N/A
 KB919007  Vulnerability in Pragmatic General Multicast (PGM) Could Allow Remote Code Execution  N/A
 KB920213  Vulnerability in Microsoft Agent Could Allow Remote Code Execution  N/A
 KB920670  Vulnerabilities in Microsoft Windows Hyperlink Object Library Could Allow Remote Code Execution  N/A
 KB920683  Vulnerabilities in DNS Resolution Could Allow Remote Code Execution  N/A
 KB920685  Vulnerability in Indexing Service Could Allow Cross-Site Scripting  N/A
 KB922819  Vulnerabilities in TCP/IP IPv6 Could Allow Denial of Service  N/A
 KB923191  Vulnerability in Windows Explorer Could Allow Remote Execution  N/A
 KB923414  Vulnerability in Server Service Could Allow Denial of Service and Remote Code Execution  N/A
 KB923689    N/A
 KB923980  Vulnerabilities in Client Service for NetWare Could Allow Remote Code Execution  N/A
 KB924191  Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution  N/A
 KB924270  Vulnerability in Workstation Service Could Allow Remote Code Execution  N/A
 KB924496  Vulnerability in Windows Object Packager Could Allow Remote Execution  N/A
 KB924667  Vulnerability in Microsoft MFC Could Allow Remote Code Execution  N/A
 KB926255  Vulnerability in Windows Could Allow Elevation of Privilege  N/A
 KB926436  Vulnerability in Microsoft OLE Dialog Could Allow Remote Code Execution  N/A
 KB927779  Vulnerability in Microsoft Data Access Components Could Allow Remote Code Execution  N/A
 KB927802  Vulnerability in Windows Image Acquisition Service Could Allow Elevation of Privilege  N/A
 KB928255  Vulnerability in Windows Shell Could Allow Elevation of Privilege  N/A
 KB928843  Vulnerability in HTML Help ActiveX Control Could Allow Remote Code Execution  N/A
 KB929969  Vulnerability in Vector Markup Language Could Allow Remote Code Execution  N/A
 KB890830  Microsoft Windows Malicious Software Removal Tool  N/A
 KB933579  Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution  N/A
 KB927978  Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution  N/A