Tuesday, June 23, 2009

Gold Disk and password policies

The other day, a bunch of us were talking about the Gold Disk and how we mitigate for any false positives that are returned. One area that produced some discussion were password policies. Currently, I believe that the Gold Disk looks for 10-character passwords, as per policy. Army policy enforces 14 characters, at a minimum. So, while testing an Army system, Gold Disk could find a 12-character password, and pass the control. Without further review, the auditor would never know that the finding is actually a failure (with regards to the Army.)

That said, I created a little script that I'll try on my next engagement. The script idea came from a posting on the phenomenal Command Line Kung Fu blog. At a prompt:

net accounts > %computername%-AcctSecPolicy.txt

Or, if you want domain-level policy:

net accounts /domain > %computername%-DomAcctSecPolicy.txt

A quick breakdown: net accounts returns the overall general security settings for all accounts. the /domain switch will grab the same information on the domain level. Then, I shoot the output to a file that starts with the name of the computer (that's the %computername% environment variable.) This way, I can grab the results from the computer, along with the Gold Disk data. Later, I'll have the data to analyze along with the Gold Disk data, and I'll know which system it came from.

No comments:

Post a Comment