eEye Digital Security

Retina Audit ID 5329

Last post 11-05-2009 11:03 PM by SpaceAvailable. 4 replies.
  • 09-03-2009 8:00 AM

    • jaws
    • Top 75 Contributor
    • Joined on 09-01-2009
    • Posts 10

    Retina Audit ID 5329

    Hi,

    Audit ID 5329: Ensures that all keys under HKLM\Software\Classes\AppId do not have a "RunAs" value.

    Retina identifies all items that have "RunAs".

    I think this is only a problem if "RunAs" has a value other than Interactive User.

    If this is correct, maybe a small modification to Audit 5329: RunAs exists and is not set to Interactive User.

    This would help eliminate false positives.

    Thanks,

    Jim

  • 09-10-2009 10:53 PM In reply to

    Re: Retina Audit ID 5329

    Brian,

    Do you have any further information on this audit or Jim's recommendations?

  • 09-11-2009 4:17 PM In reply to

    • bpatten
    • Top 10 Contributor
    • Joined on 09-24-2007
    • Irvine, CA
    • Posts 125

    Re: Retina Audit ID 5329

    It sounds like Jim is making a statement. The Fix info is: Ensure that all keys under HKLM\Software\Classes\Appid do not have a "RunAs" value.

    So it would be a good idea to check that this permission is pushed down to child objects as appropriate.

  • 11-04-2009 10:17 AM In reply to

    • jaws
    • Top 75 Contributor
    • Joined on 09-01-2009
    • Posts 10

    Re: Retina Audit ID 5329

    Hi,

    Here is the DISA statement.

    DCOM calls are executed under the security context of the calling user by default.  If the RunAs key has been altered, the DCOM calls can be executed under the user context of the currently logged in user, or as a third user.  If present, the RunAs value tells the COM Service Control Manager (SCM) the name of the account under which the server is to be activated.  In addition to the account name, the COM SCM must also have the password of the account.  The result of a successful logon is a security context (token) for the named account that is used as the primary token for the new COM server process.  Administrators should not use this method in the evaluated configuration if accountability is required, since accountability cannot be enforced.  RunAs values will be removed.

    Remove the following registry value:

    Hive:       HKLM

    Key:        \Software\Classes\AppID\

    Name:     “Each subkey listed”

    Value:      RunAs

    ---- My Comments Below

    "DCOM calls are executed under the security context of the calling user by default." is the first line of the DISA statement.  I don't think there is any difference between RunAs being "Interactive User" and not existing.  But I will most likely rename RunAs to RunAs.Retina so the higher authorities can check this box.

    Jim

  • 11-05-2009 11:03 PM In reply to

    Re: Retina Audit ID 5329

    The next release of Retina has been updated to not flag if "Interactive User" is the value for RunAs. This conforms to the latest STIG.

    Craig
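The refined check discussed in this thread, written out as an added example (not Retina's audit logic or DISA's script): it enumerates the AppID subkeys, reports each one carrying a RunAs value, and marks only those whose RunAs is something other than "Interactive User" as findings. The `Get-DcomRunAsFindings` function name and the `Finding` property are assumptions of this example.

```powershell
# Added example: enumerate DCOM AppID entries that carry a RunAs value and
# separate "Interactive User" (the default activation context per the DISA
# statement above) from entries that activate as a named third account.
$appIdRoot = 'HKLM:\SOFTWARE\Classes\AppID'

function Get-DcomRunAsFindings {
    param([string]$Root = $appIdRoot)

    Get-ChildItem -Path $Root -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        # Only subkeys where the RunAs value is actually present are of interest.
        if ($null -ne $props -and $props.PSObject.Properties['RunAs']) {
            $runAs = [string]$props.RunAs
            [pscustomobject]@{
                AppId       = $_.PSChildName          # the {GUID} or module name
                Description = $props.'(default)'      # human-readable server name
                RunAs       = $runAs
                # "Interactive User" means the server runs in the logged-on user's
                # context, which the DISA text describes as the default, so it is
                # not reported as a finding; any other account name is.
                Finding     = ($runAs -ne 'Interactive User')
            }
        }
    }
}

# Report only the entries the STIG check is meant to catch.
Get-DcomRunAsFindings | Where-Object { $_.Finding } |
    Format-Table AppId, RunAs, Description -AutoSize
```

Run from an elevated PowerShell session; dropping the `Where-Object` filter lists every AppID with a RunAs value, including the "Interactive User" ones the original audit flagged.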

© 1995 - 2009 eEye Incorporated