Equal assurance evaluation 2.0: windows security audit

Time:2020-11-26

1. The function of security audit should be enabled. The audit covers every user and audit important user behavior and important security events

Scheme:

Open the local security policy in the management tool, open the path: security settings / local policy / audit policy, and configure all audit policies as success, failure. It includes audit policy change, audit object access, audit process tracking, audit directory service access, audit account login event, audit privilege use, audit system event, audit account management, audit login event.

 

 

 

2. The identity identification and identification of the login user should be carried out. The identity identification is unique, and the identity identification information is complex and needs to be changed regularly

The identity identification and identification of the login user should be carried out

The identity identification function (user name), needless to say, belongs to the function of windows. But the user authentication, that is, the behavior that you need to input the user name and password when logging in, is not forced to open, and can be cancelled to some extent.

For local login, use Win + R to open the run box and enter netplwiz in it. The user account page will appear, as shown below:

  

 

 

In the local user list, select one of the users, such as administrator, and then remove the “to use this computer, the user must enter a user name and password” option. It means that the next time you log on, you will skip the process of identifying the user and log in to the computer directly as the user administrator that we selected.

But one thing is that the process of identifying users is not skipped in all cases. For example, if you log in again after switching accounts, sleeping, locking and logging off, you still need to input the user password. Therefore, the option here can only skip the user identification process at boot time.

In addition, if a user is an empty password, then naturally can not meet the requirements, this is needless to say.

For “remote login” (such as remote desktop or other third-party remote management software), it generally depends on whether the other party has checked the “remember password” option.

 

The identity is unique

That is, the user name or user ID can not be repeated, and it is automatically implemented by windows, which is consistent with the default.

 

Identity authentication information has complexity requirements

Whether the password complexity policy is set in windows, and the password is required to have certain complexity, that is, it is set in the password policy of windows

Open Control Panel > Administrative Tools > local security policy > account policy > password policy

 

 

 

The main concerns are “password must meet the complexity requirements”, “minimum password length” and “force password history”.

“The password must meet the complexity requirements”, which is as follows:

 

 

Request and replace regularly

Like password complexity, one aspect depends on the actual password change cycle.

The second method can be recommended by interviewing relevant personnel or directly checking the configuration. For simple and uncomplicated problems, it is better to check the configuration by yourself

For the password change cycle, use the following command in CMD to know the last password change time:

 

 

 

 

In other words, the value of “last set password” in the above figure can be changed within 90 days.

On the other hand, check the password policy of windows

In other words, the “maximum password life” in the above figure can be set to less than or equal to 90 days.

As for the “minimum password life”, it refers to the number of days that the password cannot be changed, which has nothing to do with the evaluation requirements.

However, for the password change policy, there is another place that needs to be looked at first, that is, in computer management local users and group users

 

If “password never expires” is checked here, the “maximum password life” in the password policy of windows will be invalid.