Sample Assessment Report
Redacted for confidentiality
Configuration Review
Security Configuration Assessment
Confidential Client — Mid-Market Enterprise
Firewall ruleset (2 FortiGate clusters), 45 Windows Server 2019/2022 instances, 12 network switches, Active Directory domain configuration
5 business days
CIS Benchmark v2.0 (Windows Server)
Executive Summary
UnlockSec conducted a security configuration assessment across the client's server, firewall, and network infrastructure. The assessment compared current configurations against CIS Benchmark Level 1 and Level 2 controls. 47% of controls were non-compliant, with the most critical finding being an overly permissive firewall ruleset containing 'any-any' rules that had been in place for 6+ years.
Methodology
Sample Findings
Firewall Any-Any Rules — Unrestricted Internal Traffic
Description
Four firewall rules with source: any, destination: any, service: any are present in the internal trust zone ruleset. These rules were identified as originating from a 2018 migration project and have never been reviewed. They effectively disable network segmentation between all internal subnets.
Recommendation
Conduct an immediate firewall rule review and cleanup exercise. Implement a deny-all default policy with explicit allow rules. Establish a quarterly firewall rule review process with business owner sign-off.
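One way to find rules like these mechanically, as an added example that is not part of the report or any UnlockSec tooling: a small Python parser for a FortiGate-style `config firewall policy` fragment (the fragment below is constructed; the wildcard object names `all` and `any` are assumed to be the ones in use) that flags accept rules whose source, destination and service are all wildcards, while leaving scoped rules and wildcard deny rules alone.

```python
import re

# Constructed FortiGate-style policy fragment; not the client's ruleset.
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set name "legacy-any-any"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set action accept
    next
    edit 2
        set name "ws-to-dc"
        set srcaddr "workstations"
        set dstaddr "domain-controllers"
        set service "LDAP" "KERBEROS"
        set action accept
    next
    edit 3
        set name "catch-all-deny"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set action deny
    next
end
"""

def parse_policies(text):
    """Return one dict per 'edit N ... next' block; each 'set' key maps to a list of values."""
    policies, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"edit (\d+)", line)
        if m:
            current = {"id": int(m.group(1))}
        elif line == "next" and current is not None:
            policies.append(current)
            current = None
        elif current is not None and line.startswith("set "):
            key, _, rest = line[4:].partition(" ")
            # Quoted values may be a list ("LDAP" "KERBEROS"); a bare word stays one token.
            current[key] = re.findall(r'"([^"]*)"', rest) or [rest]
    return policies

def is_wildcard(values):
    return len(values) == 1 and values[0].lower() in {"all", "any"}

def any_any_rules(policies):
    """IDs of accept rules whose source, destination and service are all wildcards."""
    return [p["id"] for p in policies if p.get("action") == ["accept"]
            and all(is_wildcard(p.get(k, [])) for k in ("srcaddr", "dstaddr", "service"))]
```

Running `any_any_rules(parse_policies(SAMPLE_CONFIG))` on the fragment flags only policy 1; the scoped rule and the deny rule are not reported.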
Windows Server — NTLM v1 Enabled Domain-Wide
Description
NTLMv1 authentication is enabled across the domain. NTLMv1 uses DES encryption with a 56-bit key that can be cracked in under 24 hours using cloud GPU resources. Any network capture of NTLMv1 challenge-response exchanges can lead to plaintext password recovery.
Recommendation
Set 'Network security: LAN Manager authentication level' to 'Send NTLMv2 response only. Refuse LM & NTLM' via Group Policy. Test application compatibility before domain-wide enforcement.
Active Directory — AdminSDHolder Misconfiguration
Description
The AdminSDHolder ACL has been modified to grant full control to the 'IT_Helpdesk' group. This propagates to all protected admin accounts every 60 minutes, giving 23 helpdesk users permanent write access to Domain Admin accounts, enabling password resets and group membership manipulation.
Recommendation
Reset AdminSDHolder ACL to default. Review and restrict the AdminSDHolder delegated permissions to minimum required. Implement Privileged Access Workstations (PAWs) for all administrative operations.
SSH — Password Authentication Enabled on All Servers
Description
All 45 Linux servers permit password-based SSH authentication in addition to key-based authentication. This exposes the servers to brute-force and credential stuffing attacks, particularly given that 12 servers have port 22 exposed to the internet via firewall rules.
Recommendation
Disable SSH password authentication (PasswordAuthentication no in sshd_config). Deploy SSH public keys for all administrators. Restrict SSH access to the management VLAN and implement SSH jump hosts.
* Showing 4 of 47 total findings. Full report provided upon engagement.
Risk Summary
Deliverables Included
- CIS Benchmark compliance report (per-control pass/fail)
- Firewall rule analysis and cleanup recommendations
- Active Directory security configuration review
- Remediation scripts (PowerShell/Bash) for common findings
- Post-remediation compliance verification scan
Ready for a real assessment?
Get a tailored Configuration Review engagement led by certified operators with unlimited retests.