Hi Alec§taar,
Thanks for your kind words about the Belarc Advisor, and for leading this "challenge" to get the best CIS benchmark score.
No problem about the thanks from you - YOUR program is a good idea, & FREE!
Other forums have had a similar challenge, with some of the users easily getting 10 scores (using a security configuration template file to make the settings).
Well, I have questions on some of the scores it gave me (edit, more on next page with photos of each section & how I set them up, with what tools, & more - please answer the questions there as well, thanks)...
Now, you mention ACL's here: Does this mean going to the particular services' DLL or EXE & setting NTFS rights on them? Because afaik, doing the logon entity IS securing their ACL!
Some ideas of those templates don't 'fit' here though, I note 1 below (regarding NTFS on all diskdrives, & I have to make an exception on that note, see below, later in my P.S. why).
Let me warn all readers that incorrectly changing the security configuration of your Windows computer can make it completely unusable, requiring an OS reinstall or restore from backup. It's best to test these security settings on a test computer (Virtual PC is free) before applying them to any production computer.
Understood & I WARN FOLKS ABOUT THAT IN A SECURING SERVICES STICKY THREAD I AUTHORED IN THE GENERAL SOFTWARE SECTION HERE IN FACT... good move on your end too!
Securing Windows 2000/XP/Server 2003 services HOW TO:
http://forums.techpowerup.com/showthread.php?t=16097
First let me point out that the Center for Internet Security benchmarks are authored by a consortium of security experts from the US Government and industry.
I understand... it's impossible in ALL cases/circumstances, to fit every security scenario perfectly.
However - I hate to put it THIS way, but some PhD's & experts have taken a beating from me before & to the point they either RAN online, or did not reply vs. proofs I had made... Dr. Mark Russinovich being one example thereof.
Belarc is providing easy access to them in the Advisor, but is not the "authority" behind these benchmarks.
Again, understood - there is no "uber" advisor in any field most likely... especially complex fields, like computers.
Agreed, 110%...
Here? I am just trying to point out things I noted in your program is all that I feel ARE off, & not just by my own view - vs. CIS tools as well!
See 4 posts above, or the URL I post in this page below...
The CIS benchmark documents (also accessible by clicking links within the Advisor's CIS benchmark report) provide reasonably complete justification for many of the security settings, so you should read those. However, do note that those documents can't completely reproduce the back-and-forth discussion between the consortium members on each of these settings.
http://forums.techpowerup.com/showthread.php?p=281278#post281278
I cite examples a few posts (the URL directly above posted for YOUR reference) up though, using THEIR CIS tool, that contradict what BELARC ADVISOR SHOWS... please, see above 2-3 posts, to see what I mean.
That said, I'll try to address your concerns below, interspersed with your posting:
All I ever wanted... let's go!
and have their ACLs set to prevent malicious applications from simply changing that run state and starting them up. See the security template editor for how to put ACLs on services.
Again:
Securing Windows 2000/XP/Server 2003 services HOW TO:
http://forums.techpowerup.com/showthread.php?t=16097
I have put that up here to do the ACL change on services. How to secure them. If you have time, take a peek there, it is, afaik, CORRECT!
The benchmark calls for the services to both be set to a specific run state (e.g. disabled)
Most of those noted here ARE... disabled (or manual) & additionally, set with LOWER than SYSTEM logon entities, THIS is done in case they are SOMEHOW turned on, even if set disabled, they cannot run out of the privilege token assigned of LOCAL SYSTEM (far weaker than system).
I set some manual, because at times? I use them... saves time. This is why I set some of them as LOCAL SERVICE too, some run ok that way.
I guess I had BEST CHECK if all of them are disabled... for sure.
There are many OS options that best practices recommend to be secured whether or not installed. Although a bit academic, this certainly helps keep a system from immediately becoming vulnerable upon enabling the option. In your case this setting could be made and when/if you ever plug in a smart card you'll be "ready".
Fair enough on that one, it is academic in my case, no smartcard...
Our licensed professional tools can also consider these blanked out registry values as more secure than the CIS recommended settings, however the free Advisor doesn't have that capability.
Got ya... so, I should be scored higher is what you are saying... a bug?
As you can imagine, it's not possible to compare an arbitrary set of registry paths to the CIS recommendations and determine if they are more or less secure. For that reason the Advisor requires an exact match to the CIS recommendations for these settings.
Understood, & I know that it is nearly impossible to be able to get ALL of the permutations in code & OS' down 100%, @ least not right away & especially IF they change (a program I have hosted here for others, good for security in many ways no less, had to take SOME changes to work on VISTA, & I spent part of my nite redoing its config, not its exe, unneeded, for it to work on VISTA), too much change in other words...
I know, because I've been coding for almost 20 years now, 15 as a pro.
Best of luck to you all getting your CIS score higher!
Trying my man... trying!
http://forums.techpowerup.com/showthread.php?p=281278#post281278
* See the list above, again for your reference the URL directly above, which is 4 posts up from this reply of mine in fact though!
It's where I noted exceptions in BELARC ADVISOR vs. CIS SCORING TOOL, the source whose tool you use, yes?
THANKS!
APK
P.S.=> I don't like acting the way I did above (about Dr. Mark R., he & I used to work for the same shop & he's GOOD @ this stuff) & other "experts" out there, because I know 1 thing about them: They're human, they DO ERR!
Heck, I do too, sometimes intentionally (like the NTFS rights on ALL disks, but I do that WITH GOOD REASON (to not waste diskspace on a very small SSD I run here for added speed)).
However, in my statement about "running a few into the ground"? It's fact... Above all though - I am NOT out to 'show you up' or otherwise be an ass... I just want to make sure I am solid!
Basically, I am just trying to make this program of YOURS better, because it's a great idea, free, & works... but, by the same token?
I want to know I am doing the RIGHT thing for security here... so far, so good, but per the URL here (again):
http://forums.techpowerup.com/showthread.php?p=281278#post281278
I see contradictions... between BELARC & THE CIS SCORING TOOL... outright ones. Perhaps it is something to look at on your end, thanks, & good luck! apk
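
Added example, not part of the original post and not Belarc's or CIS's own code: the quoted benchmark requirement that service ACLs keep applications from changing a service's run state or starting it can be checked by parsing the SDDL string that `sc sdshow <service>` prints. The trusted set (SY, BA), the choice of rights to flag, and both sample descriptors are assumptions constructed for illustration.

```python
import re

# SDDL right codes as they apply to service objects (SERVICE_* and standard rights).
RIGHT_BITS = {
    "CC": 0x0001, "DC": 0x0002, "LC": 0x0004, "SW": 0x0008, "RP": 0x0010,
    "WP": 0x0020, "DT": 0x0040, "LO": 0x0080, "CR": 0x0100,
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
    "GA": 0xF01FF,  # generic all     -> SERVICE_ALL_ACCESS
    "GW": 0x20002,  # generic write   -> READ_CONTROL | SERVICE_CHANGE_CONFIG
    "GX": 0x20170,  # generic execute -> READ_CONTROL | start/stop/pause/user control
}
# Rights that let a caller change a service's run state or start it.
DANGEROUS = {"SERVICE_CHANGE_CONFIG": 0x0002, "SERVICE_START": 0x0010,
             "WRITE_DAC": 0x40000, "WRITE_OWNER": 0x80000}
TRUSTED = {"SY", "BA"}  # assumption: only LocalSystem and Administrators manage services

# Constructed samples in `sc sdshow` format: a restrictive DACL and a loose one.
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
WEAK_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRRC;;;AU)"
             "(A;;RPWP;;;IU)(A;;0x40002;;;WD)")

def parse_mask(rights):
    """Turn an ACE rights field (two-letter codes or a hex mask) into an int."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for code in re.findall("..", rights):
        mask |= RIGHT_BITS[code]  # an unknown code raises KeyError on purpose
    return mask

def risky_aces(sddl, trusted=TRUSTED):
    """List (trustee, [dangerous rights]) for allow-ACEs held by untrusted trustees."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    if dacl is None:
        raise ValueError("no DACL section in descriptor")
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1)):  # stops before S: (SACL)
        ace_type, _flags, rights, _obj, _inh, trustee = ace.split(";")[:6]
        if ace_type != "A" or trustee in trusted:
            continue
        mask = parse_mask(rights)
        hits = [name for name, bit in DANGEROUS.items() if mask & bit]
        if hits:
            findings.append((trustee, hits))
    return findings

if __name__ == "__main__":
    for label, sddl in (("default", DEFAULT_SDDL), ("weak", WEAK_SDDL)):
        print(label, risky_aces(sddl))
```

An empty result means no principal outside the trusted set can reconfigure, re-permission or start the service; conditional ACEs are not handled by this parser.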