GFI Software

Welcome to the GFI Software community forum! For support please open a ticket from https://support.gfi.com.

Home » GFI User Forums » GFI LanGuard » Unusual security vulnerability reported (Medium security vulnerability)
Unusual security vulnerability reported [message #146764] Tue, 08 October 2019 17:24 Go to next message
estinson is currently offline  estinson
Messages: 3
Registered: February 2019
One laptop suddenly had a report of medium security vulnerabilities for the security and system event logs.
The suggested fix was to create a DWORD key named "RestrictGuestAccess".
I checked this manually, and found that Guest has no access to the file, the directory, or reg key(s) at all.
So is this alert just checking for the presence of that reg key? If so, this is not a standard way to restrict guest access as far as I know.
In fact, the guest account sjould never have access unless explicitly allowed to;
I can't post links so: docs.microsoft.com/en-us/windows/win32/eventlog/event-loggin g-security

So why the security vulnerability alert?

Report message to a moderator

Re: Unusual security vulnerability reported [message #146765 is a reply to message #146764] Tue, 08 October 2019 18:11 Go to previous messageGo to next message
ian.bugeja is currently offline  ian.bugeja
Messages: 666
Registered: March 2017
Location: Malta
Hi

Without that specific registry key, Guest users have access to the EventLog, which may divulge important security information.

Ian Bugeja
GFI Software

Report message to a moderator

Re: Unusual security vulnerability reported [message #146766 is a reply to message #146765] Tue, 08 October 2019 18:23 Go to previous messageGo to next message
estinson is currently offline  estinson
Messages: 3
Registered: February 2019
Can you point to where Microsoft recommends setting this?
docs.microsoft.com/en-us/windows/win32/eventlog/event-loggin g-security

Report message to a moderator

Re: Unusual security vulnerability reported [message #146768 is a reply to message #146766] Tue, 08 October 2019 21:27 Go to previous messageGo to next message
ian.bugeja is currently offline  ian.bugeja
Messages: 666
Registered: March 2017
Location: Malta
What Windows version is this please?

Ian Bugeja
GFI Software

Report message to a moderator

Re: Unusual security vulnerability reported [message #146778 is a reply to message #146768] Wed, 09 October 2019 19:48 Go to previous messageGo to next message
estinson is currently offline  estinson
Messages: 3
Registered: February 2019
For the server or the workstation?
If you mean workstation, it's Win 10 v1809.

Report message to a moderator

Re: Unusual security vulnerability reported [message #146779 is a reply to message #146778] Wed, 09 October 2019 22:24 Go to previous message
ian.bugeja is currently offline  ian.bugeja
Messages: 666
Registered: March 2017
Location: Malta
You can find more information about that registry key here:
https://docs.microsoft.com/en-us/openspecs/windows_protocols /ms-gpsb/0b9673a7-ce0a-49b4-912b-591efdb37cdf

RestrictGuestAccess

A flag that indicates whether or not users with Guest privileges can have access to System, Security, and Application logs.<3>
- A value of "0" indicates that guest access to System, Security, and Application logs is not restricted.
- A nonzero value indicates that guest access to System, Security, and Application logs is restricted.


The default value for that registry key is 1, so i confirm that GFI LanGuard is correct in reporting if this is 0.

Ian Bugeja
GFI Software

Report message to a moderator

Previous Topic: Synchronization can not proceed with workgroups - SERVER IS DOMAIN JOINED
Next Topic: Problem with scheduled scans
Goto Forum:
  

[ Syndicate this forum (XML) ] [ RSS ] [ PDF ]

Current Time: Wed Sep 27 21:43:35 CEST 2023

Total time taken to generate the page: 0.07304 seconds
.:: Contact :: Home :: Acceptable Use Policy ::.

Powered by: FUDforum 3.0.9.
Copyright ©2001-2022 FUDforum Bulletin Board Software