Students:
- M.A.S.S Malwattha, Registration No. 2010/ICT/052, Index No. 10020527
- W.A.L.T.C Weliwita, Registration No. 2010/ICT/072, Index No. 10020721
This report is an outcome of the risk assessment conducted on Domain Controller System, at
Alliance Finance Co PLC. Ward pl. Colombo.
Acknowledgement
Firstly, we would like to thank Mr. Athula Samarasinghe for giving us the opportunity to
participate in this assessment and for providing us with the knowledge, guidance and motivation
to complete this task successfully. Secondly, we would like to show our gratitude to the Alliance
Finance employees who supported us in carrying out the risk assessment. Finally, our sincere
gratitude goes to all the parties who aided and motivated us in this regard.
Table of Contents
Acknowledgement
List of Tables
1. Introduction
1.1 Purpose
1.2 Scope
1.3 Audience
2. Risk Assessment Approach and Methodology
2.1 Risk Assessment Process
2.1.1 Phase 1 - Pre-Assessment
2.1.2 Phase 2 - Assessment
2.1.3 Phase 3 - Post-Assessment
3. System Characterization
3.1 Functional Description
3.2 System Environment
3.3 System Users
3.4 System Dependencies
3.5 Supported Programs and Applications
4. Information Sensitivity
4.1 Sensitivity
4.2 Protection Requirements
4.2.1 Protection Requirement Findings
5. Identification of Vulnerabilities, Threats and Risks
6. Control Analysis
7. Risk Likelihood & Impact Determination
8. Overall Risk Determination & Recommendations
List of Tables
Table 2.1 Risk Likelihood Definitions (1)
Table 2.2 Risk Likelihood Definitions (2)
Table 2.3 Risk Impact Definitions
Table 2.4 Risk Level Definitions
Table 2.5 Overall Risk Rating Matrix
Table 3.2 Host Characterization Components
Table 3.3 Domain Controller System Users
Table 4.1 Domain Controller Information Type
Table 4.2 Definitions for C/I/A Ratings
Table 5.1 Vulnerabilities, Threats, and Risks
Table 6.1 Risk Controls in place/planned for domain controller
Table 7.1 Risk Likelihood & Impact ratings
Table 8.1 Overall Risk Rating
1. Introduction
Information systems are vital elements in most businesses, since they are essential to carrying
out business operations smoothly. If these information systems are disrupted, the business
cannot continue as before. Such disruptions cause tangible losses, such as financial or profit
loss, as well as intangible losses, such as loss of customer goodwill. It is therefore critical that
these systems are able to operate effectively without excessive interruption.
IT contingency planning supports the business by reactively and proactively safeguarding the
information systems and related assets from a wide range of risks. IT contingency planning refers
to a coordinated strategy involving plans, procedures, and technical measures that enable the
recovery of information systems, operations, and data after a disruption. Risk assessment is
one of the critical activities in IT contingency planning: the system characteristics and risks are
identified and evaluated, and remedial measures are suggested based on the type of each risk
and its impact.
1.1 Purpose
The purpose of this assessment is to identify how Alliance Finance has implemented its IT
contingency plans. In addition, we aim to identify the existing vulnerabilities of the domain
controller system, suggest preventive controls and strategies, and discuss their effectiveness.
1.2 Scope
This report examines the current hardware, software, operating system and critical data of the
domain controller system. Furthermore, it identifies the system's vulnerabilities, suggests remedial
measures and reflects on their effectiveness.
1.3 Audience
This document is primarily aimed at system administrators responsible for information
systems or security at the system and operational levels, as well as at higher-level managerial
personnel who coordinate and support information system contingency planning activities.
Managers
Personnel who hold the overall responsibility for the organization's information systems.
System administrators
The employees who are responsible for maintaining daily information system operations.
Questionnaire
A questionnaire was designed to gather information about the domain controller system,
focusing on the characteristics of the system as well as the management and operational
controls planned or in use for the IT system. The questionnaire was aimed at the operational
employees designated to maintain the domain controller system.
On-site Interviews
In order to fill out the questionnaire, an on-site interview was conducted with the designated
system administrator of the domain controller system. This also allowed the auditors to
observe and gather information about the physical, environmental, and operational
security of the IT system.
Document Review
Policy documents were reviewed in addition to the questionnaire and interview, in order
to identify the security policies related to the domain controller system. These documents
provided information about the security controls used by and planned for the IT system.
Step 3: Threat Identification
The NIST SP 800-30 standard is used as the basis for threat identification. The threats most
likely to occur were identified through the interviews and the questionnaire. A threat is
defined as the potential for a particular threat-source to successfully exercise a particular
vulnerability. It is important to identify the threat sources, as well as the motivations and actions
of these threats, that affect the domain controller system.
Step 4: Vulnerability Identification
After the threat identification, vulnerability identification was carried out in order to list the
vulnerabilities related to the domain controller system. The NIST SP 800-53, Revision 2,
Security Baseline Worksheet was used to document the vulnerabilities identified through the
interview and the questionnaire.
Step 5: Risk Determination (Calculation/Valuation)
In this step the risk assessment team determined the degree of risk arising from a threat
exploiting a vulnerability. The risk for a particular threat was expressed as a function of
likelihood and impact.
Likelihood Analysis
Likelihood is the probability that a vulnerability might be exploited in the context of the
associated threat environment.
The following tables define the likelihood levels used.
[Table 2.1 Risk Likelihood Definitions (1) and Table 2.2 Risk Likelihood Definitions (2): only the
rating cells (Low, Moderate, High) survived extraction; the row and column headings of both
tables were lost.]
Impact Analysis
The second factor determining the level of a risk is the impact resulting from a successful
exploitation of a prevailing vulnerability. The adverse impact of such a successful exploitation
can result in harm to any of the main security goals (Confidentiality, Integrity, and
Availability). Loss of confidentiality can occur from the disclosure of sensitive information
stored in the server. Integrity can be harmed through unauthorized changes to the data stored
in the server. Finally, loss of availability can result from disruption of server functionality and
operational effectiveness. The following table defines the magnitudes of impact used.
Table 2.3 Risk Impact Definitions
Magnitude of Impact | Impact Definition
High | Exercise of the vulnerability (1) may result in the highly costly loss of major tangible assets or resources; (2) may significantly violate, harm, or impede an organization's mission, reputation, or interest; or (3) may result in human death or serious injury.
Moderate | Exercise of the vulnerability (1) may result in the costly loss of tangible assets or resources; (2) may violate, harm or impede an organization's mission, reputation, or interest; or (3) may result in human injury.
Low | Exercise of the vulnerability (1) may result in the loss of some tangible assets or resources; (2) may noticeably affect an organization's mission, reputation, or interest.
In determining the levels of risk, the likelihood of a threat, the impact the threat might cause
if the vulnerability is exploited successfully, and the adequacy of the existing control measures
for reducing or eliminating the risk were taken into consideration. On that basis, the
following table defines the different levels of risk.
Table 2.5 Overall Risk Rating Matrix
Threat Likelihood | Impact: Low (1) | Impact: Moderate (5) | Impact: High (10)
High (10) | Low (1 x 10 = 10) | Moderate (5 x 10 = 50) | High (10 x 10 = 100)
Moderate (5) | Low (1 x 5 = 5) | Moderate (5 x 5 = 25) | Moderate (10 x 5 = 50)
Low (1) | Low (1 x 1 = 1) | Low (5 x 1 = 5) | Low (10 x 1 = 10)
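The matrix above is the NIST SP 800-30 likelihood x impact scoring that the rest of this report applies to each risk. The following Python code is an added example, not part of the Alliance Finance report, showing how the scoring works end to end: it weights Low/Moderate/High as 1/5/10 exactly as Table 2.5 does, rebuilds every cell of the matrix, validates an "Overall Risk Rating" cell written in the "Level (Score N)" form used later in Table 8.1, and orders a list of risks for a mitigation plan. The level thresholds (>50 High, >10 Moderate, otherwise Low) are NIST SP 800-30's and reproduce all nine cells of the matrix; the sample risks and their ratings are constructed for illustration and are not the report's ratings.

```python
# Added example (not from the report): NIST SP 800-30 risk scoring as used in Table 2.5.
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

LEVELS = ("Low", "Moderate", "High")
# Weights from Table 2.5: Low = 1, Moderate = 5, High = 10 (same scale for likelihood and impact).
LEVEL_SCORE = {"Low": 1, "Moderate": 5, "High": 10}


def risk_score(likelihood: str, impact: str) -> int:
    """Likelihood weight times impact weight, as each cell of Table 2.5 is computed."""
    return LEVEL_SCORE[likelihood] * LEVEL_SCORE[impact]


def risk_level(score: int) -> str:
    """Map a score to its level. NIST SP 800-30 thresholds: >50 High, >10 Moderate,
    1-10 Low. These reproduce Table 2.5: 1, 5, 10 -> Low; 25, 50 -> Moderate; 100 -> High."""
    if score > 50:
        return "High"
    if score > 10:
        return "Moderate"
    return "Low"


def rating_matrix() -> Dict[Tuple[str, str], Tuple[int, str]]:
    """Rebuild Table 2.5, keyed by (likelihood, impact) -> (score, level)."""
    return {
        (lik, imp): (risk_score(lik, imp), risk_level(risk_score(lik, imp)))
        for lik in LEVELS
        for imp in LEVELS
    }


# Table 8.1 writes overall ratings as e.g. "Low (Score 5)"; this pattern parses that form.
_OVERALL_RE = re.compile(r"^(Low|Moderate|High)\s*\(Score\s+(\d+)\)$")


def check_overall(cell: str) -> bool:
    """Return True when the level stated in an 'Overall Risk Rating' cell matches its score,
    so a reviewer can catch a cell whose label and score disagree."""
    match = _OVERALL_RE.match(cell.strip())
    if not match:
        raise ValueError(f"unrecognised overall rating cell: {cell!r}")
    level, score = match.group(1), int(match.group(2))
    return risk_level(score) == level


@dataclass
class Risk:
    number: int
    summary: str
    likelihood: str
    impact: str

    @property
    def score(self) -> int:
        return risk_score(self.likelihood, self.impact)

    @property
    def level(self) -> str:
        return risk_level(self.score)


def prioritise(risks: List[Risk]) -> List[Risk]:
    """Order risks for a mitigation plan: highest score first, ties broken by risk number."""
    return sorted(risks, key=lambda r: (-r.score, r.number))


# Constructed sample: the summaries paraphrase entries of the report's Table 5.1,
# but the likelihood/impact ratings here are illustrative, not the report's.
SAMPLE_RISKS = [
    Risk(7, "Failure of hardware or equipment may impact the availability of the domain controller",
         "Moderate", "Moderate"),
    Risk(27, "Remote attackers could execute arbitrary code via a malformed asynchronous RPC request",
         "Low", "High"),
    Risk(33, "Accounts that are no longer needed are not deleted in a timely manner",
         "Moderate", "High"),
]

if __name__ == "__main__":
    for (lik, imp), (score, level) in sorted(rating_matrix().items(), key=lambda kv: -kv[1][0]):
        print(f"likelihood={lik:<8} impact={imp:<8} score={score:>3} -> {level}")
    for r in prioritise(SAMPLE_RISKS):
        print(f"Risk {r.number}: {r.level} (Score {r.score}) - {r.summary}")
```

Running the module prints the rebuilt matrix and the sample risks in mitigation order (score 50, then 25, then 10); `check_overall("Low (Score 5)")` returns True, which matches row 33 of Table 8.1, where likelihood Low times impact Moderate gives 5.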
Risk Assumption
Accept the potential risk and continue operating the IT system, or implement controls to
lower the risk to an acceptable level.
Risk Avoidance
Risk Limitation
Limit the risk by implementing controls that minimize the adverse impact of a vulnerability
being exercised.
Risk Planning
Develop a risk mitigation plan that prioritizes, implements, and maintains controls.
Risk Transference
Transfer the risk to a third party by using other options to compensate for the losses.
Step 2: Ongoing Monitoring
Milestones for mitigating the risks will be defined and used to monitor the successful
completion of the mitigation work.
3. System Characterization
3.1 Functional Description
The domain controller system is a server that responds to security authentication requests
within the server domain in order to allow hosts access to Windows domain resources. It runs
as part of the Windows Server 2003 operating system. Access to the domain controller
system is granted only to a few selected users who maintain the system. The system
does not have interfaces to other systems.
Table 3.2 Host Characterization Components
Location: Alliance Finance Co. PLC, Ward Place, Colombo
Status: Operational
IP Address: Not provided
Platform: Windows Server 2003
Software: Eset File Security
Comments: -
Table 3.3 Domain Controller System Users
User | Access Level (Read / Write / Full) | Number (Estimate) | Home Organization | Geographic Location
System Administrator | Read/Write | | Alliance Finance | Ward Pl, Colombo
Admin User | Read | | Alliance Finance | Ward Pl, Colombo
4. Information Sensitivity
This section provides details on the types of information handled and processed by the
domain controller and their sensitivity. The sensitivity of the information handled by a system is a
major factor in risk management.
The risk management team used FIPS 199 to determine the impact levels and the magnitude of
the harm that a loss of confidentiality, integrity or availability would have on the operations,
assets and individuals of Alliance Finance Co. PLC. FIPS 199 defines three potential impact
levels (Low, Moderate, High) for each of the security objectives.
The domain controller handles mainly one type of information (Personal Identity and
Authentication). Table 4.1 lists the information type characterization for the domain controller.
Table 4.1 Domain Controller Information Type
Information Type | NIST SP 800-60 Reference | Confidentiality (Low/Moderate/High) | Integrity (Low/Moderate/High) | Availability (Low/Moderate/High) | Overall Rating
Personal Identity and Authentication | Volume II, Appendix C.2 | Moderate | Moderate | Moderate | Moderate
4.1 Sensitivity
The following table provides the definitions for the C/I/A ratings for the domain controller.
Table 4.2 Definitions for C/I/A Ratings
Security Objective: Confidentiality
Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information [44 U.S.C., Sec. 3542]
Low: The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
Moderate: The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
High: The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
Security Objective: Integrity
Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.
Low: The modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
Moderate: The modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
High: The modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
Security Objective: Availability
Low: The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
Moderate: The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
High: The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
Confidentiality
The domain controller contains sensitive information that is used to authenticate users
of different systems in Alliance Finance. This data needs protection from unauthorized
access. If this data were exposed to the public, or even within the organization, it could
result in unauthorized and malicious users gaining access to data that should otherwise be
unknown to them. It also risks sensitive data being leaked and changed. Therefore,
the unauthorized disclosure of domain controller information could be expected to have a
serious adverse effect on organizational operations, organizational assets, or individuals,
and the information and protection measures are rated as Moderate.
Integrity
Availability
If the domain controller were unavailable even for a short period of time, it would have an
immediate impact and would affect the efficiency with which the domain controller, as well
as other systems, typically operates. Therefore, the unavailability of domain controller
information could be expected to have a serious adverse effect on organizational
operations, organizational assets, or individuals, and the information and protection
measures are rated as High.
5. Identification of Vulnerabilities, Threats and Risks
Table 5.1 Vulnerabilities, Threats, and Risks
(Columns: Risk No. | Vulnerability | Threat | Risk of Compromise of | Risk Summary)
1. Vulnerability: Patches to correct flaws in operating system software could fail to install successfully.
   Threat: Computer crime; Malicious use
   Risk of compromise of: Confidentiality and integrity of authentication data.
   Risk summary: Exploitation of flaws in the operating system could result in compromise of the confidentiality and integrity of personal identity and authentication data.
2. Vulnerability: Loss of firewall protection.
   Threat: Computer crime; Malicious use; System compromise
   Risk of compromise of: Confidentiality and integrity of authentication data.
   Risk summary: The system is protected through a gateprotect hardware firewall; failure of this firewall can increase the likelihood of other risks being exploited.
3. Vulnerability: Hardware issues / equipment failure or loss
   Threat: System unavailable
   Risk of compromise of: Inability to access the system.
   Risk summary: Failure of hardware or equipment may impact the availability of the domain controller.
4. Vulnerability: Internal access to server.
   Threat: Unauthorized use; Malicious use; Computer crime
   Risk of compromise of: Confidentiality and integrity of authentication data.
   Risk summary: Loss or theft of personal identity and authentication data in the domain controller could affect the confidentiality and integrity of the data.
5. Vulnerability: Single point of failure
   Threat: System unavailable
   Risk of compromise of: Inability to access the system.
   Risk summary: Failure in any part of the domain controller could prevent other systems from functioning properly.
6. Vulnerability: Key person dependency
   Threat: System unavailable
   Risk of compromise of: Inability to adequately support the application.
7. Vulnerability: Loss of critical documentation, data or software
   Risk of compromise of: Confidentiality and integrity of authentication data.
8. Vulnerability: Data disclosure
   Risk of compromise of: Confidentiality and integrity of authentication data.
   Risk summary: Disclosure of sensitive personal information could result in identity theft and/or system access control issues.
9. Vulnerability: Software issues from vendor
   Risk of compromise of: Confidentiality and integrity of authentication data and ability to provide service.
10. Vulnerability: Poor password practices
   Risk of compromise of: Confidentiality and integrity of authentication data.
   Risk summary: Poor password practices could allow improper system access, which could result in data theft, data corruption, application system alteration or disruption.
11. Vulnerability: Lack of sufficient operational policies
   Threat: Malicious use; Unauthorized access
   Risk of compromise of: Confidentiality and integrity of authentication data.
   Risk summary: Improper execution of operational policies can cause system alteration, theft or disruption.
12. Vulnerability: Poor physical security
   Risk of compromise of: Confidentiality and integrity of authentication data.
13. Vulnerability: Functional lockout
   Threat: System unavailability
   Risk of compromise of: Inability to access the system.
   Risk summary: If the infrastructure is not accessible, staff will be unable to access the domain controller system.
14. Vulnerability: Natural disaster
   Threat: Hurricanes, floods, and other weather phenomena.
   Risk of compromise of: Inability to access the system.
15. Vulnerability: Integrity check-ups are not done
   Threat: Inability to identify unauthorized modification of data
   Risk of compromise of: Integrity of corporate data.
16. Vulnerability: Logs stored in a central location
   Risk of compromise of: Availability of log data, which indirectly affects the integrity of the data.
17. Vulnerability: System compromise
   Risk of compromise of: Confidentiality and integrity of authentication data.
   Risk summary: If the system is compromised, it can cause data theft, corruption, system alteration and disruption.
18. Vulnerability: Media containing sensitive data is not destroyed
   Threat: Malicious use; Unauthorized access
   Risk of compromise of: Confidentiality and integrity of data.
19. Vulnerability: DOS overflow
   Threat: Malicious use; System unavailability
   Risk of compromise of: Confidentiality and availability of authentication data.
20. Vulnerability: Untrusted search path vulnerability
   Threat: Unauthorized access; Malicious use of system components
   Risk of compromise of: Confidentiality, integrity and availability of authentication data.
21. Vulnerability: Read AV vulnerability
   Threat: Unauthorized access; Malicious use of system components
   Risk of compromise of: Confidentiality, integrity and availability of authentication data.
22. Threat: Malicious use of system components
23. Vulnerability: Race condition vulnerability
   Threat: Unauthorized access; Malicious use of system components
   Risk of compromise of: Confidentiality, integrity and availability of authentication data.
   Risk summary: A race condition in Windows Server kernel-mode drivers allows local users to gain privileges.
24. Vulnerability: IPv6 source address spoofing vulnerability
   Threat: Unauthorized access; Malicious use of system components
   Risk of compromise of: Confidentiality and integrity of authentication data.
25. Vulnerability: Disk partition driver elevation of privilege vulnerability
   Threat: Malicious use of system components
   Risk of compromise of: Confidentiality, integrity and availability of authentication data.
26. Vulnerability: CSRSS memory corruption vulnerability
   Threat: Unauthorized access; Malicious use of system components
   Risk of compromise of: Confidentiality, integrity and availability of authentication data.
   Risk summary: The Client/Server Run-time Subsystem in Windows Server 2003 Service Pack 2 does not properly handle objects in memory, which allows local users to gain privileges via a crafted application.
27. Vulnerability: Remote Procedure Call vulnerability
   Threat: Malicious use of system components
   Risk of compromise of: Confidentiality, integrity and availability of authentication data.
   Risk summary: Microsoft Windows Server 2003 SP2 allows remote attackers to execute arbitrary code via a malformed asynchronous RPC request.
28. Vulnerability: Backups are unencrypted
   Threat: Unauthorized access
   Risk of compromise of: Confidentiality and integrity of authentication data.
29. Vulnerability: No direct network link with the Disaster Recovery site
   Threat: Unauthorized access
   Risk of compromise of: Confidentiality, integrity and availability of authentication data.
30. Vulnerability: Operating system is not backed up
   Threat: System unavailability
   Risk of compromise of: Availability of authentication data.
   Risk summary: The operating system image is not backed up. Therefore, in case of an OS failure, the OS image and all the patch updates need to be redone from the beginning.
31. Vulnerability: The operating system is not updated to the latest version (Windows Server 2012)
   Threat: Malicious use of system components
   Risk of compromise of: Confidentiality, integrity and availability of authentication data.
32. Vulnerability: OLE property vulnerability
   Threat: Malicious use of system components
   Risk of compromise of: Confidentiality, integrity and availability of authentication data.
   Risk summary: Microsoft Windows Server 2003 SP2 allows remote attackers to execute arbitrary code via a crafted OLE object in a file.
33. Vulnerability: Accounts that are no longer needed are not deleted in a timely manner
   Threat: Unauthorized access; Malicious use of system components
   Risk of compromise of: Confidentiality and integrity of authentication data.
   Risk summary: Under the current procedure, a user sends a request through the department head to the IT department manager to delete the user accounts of employees who have left the organization. This process is time consuming.
6. Control Analysis
Table 6.1 Risk Controls in place/planned for domain controller
Control Area | In-Place/Planned
1 Risk Management (two controls, including 1.1 IT Security Roles & Responsibilities) | In Place; In Place
2 IT Contingency Planning (two controls) | In Place; In Place
3 IT Systems Security (two controls, including 3.1 IT System Hardening) | In Place; In Place
4 Logical Access Control (three controls) | In Place; In Place; In Place
6 Facilities Security (one control) | In Place
7 Personnel Security (two controls) | In Place; In Place
8 Threat Management (three controls, including 8.1 Threat Detection) | In Place; In Place; In Place
9 IT Asset Management (three controls, including 9.1 IT Asset Control) | In Place; In Place; In Place
7. Risk Likelihood & Impact Determination
Table 7.1 Risk Likelihood & Impact ratings
(Columns: Risk No. | Risk Summary | Risk Likelihood Rating | Risk Impact | Risk Impact Rating. The page layout of this table did not survive extraction; the cells recovered from each page are grouped below in the order they appear, with rows paired where the layout makes the pairing unambiguous.)
Group 1 (no risk numbers or summaries recovered):
- Likelihood Low | Impact: Unauthorized disclosure or modification of data. | Impact rating High
- Likelihood Moderate | Impact: Unauthorized disclosure or modification of data. | Impact rating High
Group 2 (recovered summary: Loss or theft of personal identity and authentication data in the domain controller could affect the confidentiality and integrity of the data.):
- Likelihood Low | Impact: Unauthorized disclosure or modification of data. | Impact rating High
- Likelihood Moderate | Impact: Confidentiality and integrity of authentication data could be compromised. | Impact rating Moderate
- Likelihood Moderate | Impact: Inability to access the system. | Impact rating Moderate
Group 3:
- Likelihood High | Impact: Inability to adequately support the system. | Impact rating Low
- Likelihood Low | Impact: Confidentiality and integrity of authentication data could be compromised. | Impact rating Moderate
- Likelihood Moderate | Impact: Confidentiality of authentication data could be compromised. | Impact rating Moderate
Group 4 (Risk Nos. 10, 11; recovered summary: Software issues by the vendor may result in data corruption or mission-critical system disruption.):
- Likelihood Moderate | Impact: Confidentiality of authentication data could be compromised. Ability to provide services could be compromised. | Impact rating Moderate
- Likelihood Low | Impact: Confidentiality and integrity of authentication data could be compromised. | Impact rating Moderate
- Likelihood Low | Impact: Confidentiality and integrity of authentication data could be compromised. | Impact rating Moderate
Group 5 (Risk Nos. 12, 13, 14; recovered summary: Improper execution of operational policies can cause system alteration, theft or disruption.):
- Likelihood Low | Impact: Confidentiality and integrity of authentication data could be compromised. | Impact rating Moderate
- Likelihood Low | Impact: Confidentiality and integrity of authentication data could be compromised. | Impact rating Moderate
- Likelihood Low | Impact: Inability to access the system. | Impact rating Moderate
Group 6 (Risk Nos. 15, 16, 18, 19; row pairing not recoverable):
- Likelihood ratings recovered: Moderate; Moderate; Moderate; Moderate; Low
- Impact cells recovered: Availability and integrity of data could be compromised. (Moderate); Confidentiality and integrity of data in the logs could be compromised. (Moderate); Confidentiality and integrity of data could be compromised. (Moderate); Confidentiality of data could be compromised. (High); Inability to access the system. (rating not recovered)
Group 7 (Risk Nos. 20, 21, 22):
- Likelihood Moderate | Impact: Confidentiality and availability of authentication data could be compromised. | Impact rating High
- Likelihood Low | Impact: Confidentiality, integrity and availability of authentication data could be compromised. | Impact rating High
- Likelihood Low | Impact: Confidentiality, integrity and availability of authentication data could be compromised. | Impact rating High
Group 8 (Risk Nos. 23, 24, 25):
- Likelihood Low | Impact: Confidentiality, integrity and availability of authentication data could be compromised. | Impact rating High
- Likelihood Low | Impact: Confidentiality and integrity of authentication data could be compromised. | Impact rating Moderate
- Likelihood Low | Impact: Confidentiality, integrity and availability of authentication data could be compromised. | Impact rating High
Group 9 (Risk Nos. 26, 27, 28):
- Likelihood Low | Impact: Confidentiality, integrity and availability of authentication data could be compromised. | Impact rating High
- Likelihood Low | Impact: Confidentiality, integrity and availability of authentication data could be compromised. | Impact rating High
- Likelihood Low | Impact: Confidentiality, integrity and availability of authentication data could be compromised. | Impact rating High
Group 10 (Risk Nos. 29, 30, 31, 32; row pairing not recoverable):
- Likelihood ratings recovered: High; Moderate; High
- Impact cells recovered: Availability of authentication data could be compromised. (High); Confidentiality, integrity and availability of authentication data could be compromised.; Confidentiality and integrity of authentication data could be compromised. (High); Confidentiality, integrity and availability of authentication data could be compromised. (High)
- Further ratings recovered: Moderate; High
Group 11 (Risk No. 33; summary: Under the current procedure, a user sends a request through the department head to the IT department manager to delete the user accounts of employees who have left the organization. This process is time consuming.):
- Likelihood Low | Impact: Confidentiality and integrity of authentication data could be compromised. | Impact rating High
8. Overall Risk Determination & Recommendations
Table 8.1 Overall Risk Rating
(Columns: Risk No. | Risk Summary | Risk Likelihood Rating | Risk Impact Rating | Overall Risk Rating | Recommendation. As with Table 7.1, the row layout did not survive extraction; the cells recovered from each page are grouped below in the order they appear.)
Group 1 (no risk numbers recovered):
- Likelihood rating: High
- Impact rating: High
- Overall risk ratings recovered: High; Moderate; Moderate; High; High; High
- Recommendation: none recovered
Group 2 (Risk No. 7; summary: Failure of hardware or equipment may impact the availability of the domain controller):
- Likelihood rating: Moderate
- Impact rating: High
- Overall risk ratings recovered: High; Moderate; Moderate
- Further ratings recovered: Moderate; Moderate; Moderate; Moderate
Group 3 (Risk Nos. 10 to 15; summaries recovered: Software issues by the vendor may result in data corruption or mission-critical system disruption. / Integrity of data is not automatically tested and unauthorized modification of data might go unseen. / Logs are kept in the domain controller server.):
- Likelihood ratings recovered: Moderate; Moderate
- Overall risk ratings recovered: Moderate; Moderate
- Impact ratings recovered: Low; Low; Moderate; Moderate; Moderate; High; High
Group 4 (Risk Nos. 16 to 19):
- Likelihood rating: High
- Impact rating: Low
- Ratings recovered: Low; High; Low; Low; High; High
Group 5 (Risk Nos. 20 to 22):
- Likelihood ratings: Low; Low
- Impact ratings: High; High
- Ratings recovered: Low; High
Group 6 (Risk Nos. 23 to 26; summary next to 23: Microsoft Windows Server 2003 SP2 allows remote attackers to execute arbitrary code via a crafted OLE object in a file):
- Ratings recovered: Low; High; Low; High; Low; Low; High; Moderate; Low (Score 5)
Group 7 (Risk Nos. 27 to 32):
- Likelihood ratings recovered: Moderate; Low; Low; Moderate; Moderate; Low
- Overall risk ratings recovered: Low (Score 5); Low (Score 5); Low (Score 5); Low (Score 5); Low (Score 5); Low (Score 5)
- Impact ratings recovered: Low; Moderate; Moderate; Moderate
- Recommendation: Conduct regular integrity checks and review access logs regularly.
Group 8 (Risk No. 33):
- Likelihood rating: Low
- Impact rating: Moderate
- Overall risk rating: Low (Score 5)
- Recommendations recovered: Configure the DisableIPSourceRouting entry to a value of 2. / The fix is provided through Windows Update for Windows Server 2003, KB978338.