How Risk Levels Are Estimated
As mentioned, dashboard and built-in reports give you a bird's eye view of the following high-risk areas:
- User and computer accounts
- Permissions
- Data
- Infrastructure
Within each area, Netwrix Auditor industry experts identified risk categories and suggested guidelines for them. For example, if the number of administrative accounts in your organization is less than 2%, the risk should be considered insignificant. If the value is between 2% and 3%, the risk is moderate, while any value that exceeds 3% should be considered a high risk. These guidelines are based on security best practices and analytical data.
The product compares your environment configuration against these metrics and assigns a risk level to each category. The risk levels in each category determine the overall risk level for the area you review. The following risk levels are used:
Risk level | Color | Comments |
---|---|---|
Low | Green | Keep monitoring your environment on a regular basis. |
Medium | Yellow | Proactively mitigate risks and adjust your workflows before a breach occurs. |
High | Red | Respond to the threat as soon as possible. |
Calculation formulas for each metric are provided in the table below.
NOTE: The following signs are used to define risk level intervals and threshold values:
- > — More than, exclusive
- ≥ — This value or more, inclusive
- = — Equals
- < — Less than, exclusive
- ≤ — This value or less, inclusive
- [ ] — Inclusive interval
- ( ) — Exclusive interval
- [ ) or ( ] — Half-closed interval, where 1 value is inclusive and the other is exclusive or vice versa.
Risk | Assessment formula | Default risk level thresholds |
---|---|---|
Users and computers | | |
User accounts with "Password never expires" | Number of enabled user accounts with Password never expires property set | |
User accounts with "Password not required" | Number of enabled user accounts with Password not required property set. NOTE: Interdomain trust accounts are excluded from total count. | |
Disabled computer accounts | Number of disabled computer accounts / Overall number of computer accounts (%) | |
Inactive user accounts | Number of inactive but enabled users / Overall number of enabled user accounts (%) | |
Inactive computer accounts | Number of inactive but enabled computer accounts / Overall number of enabled computer accounts (%) | |
Servers with Guest account enabled* | Number of servers with enabled Guest account / Overall number of servers (%) | |
Servers that have local user accounts with "Password never expires"* | Servers that have local user accounts with Password never expires / Overall number of servers (%) | |
Permissions | | |
User accounts with administrative permissions | Number of administrative accounts / Overall number of accounts (%) | |
Administrative groups | Number of administrative groups / Overall number of groups (%) | |
Administrative group membership sprawl* | Number of Windows servers whose Local Administrators Group members differ from those specified in the whitelist / Overall number of servers (%) | |
Empty security groups | Number of security groups without members / Overall number of security groups (%) | |
Site collections with the "Get a link" feature enabled | Number of site collections with the Get a link feature enabled / Total number of site collections (%) | |
Sites with the "Anonymous access" feature enabled | Number of sites with the Anonymous access feature enabled / Total number of sites (%) | |
Site collections with broken inheritance | Number of site collections with broken inheritance / Total number of site collections (%) | |
Data | | |
Files and folders accessible by Everyone | Files and folders shared with Everyone security group / Overall number of shared folders (%) | |
File and folder names containing sensitive data | Number of files and folders with names that suggest they contain sensitive data | |
Potentially harmful files on file shares | Number of detected harmful files | |
Direct permissions on files and folders | Number of shared objects with at least one direct permission / Overall number of shared objects (%) | |
Documents and list items accessible by Everyone and Authenticated Users | Number of documents and list items shared with the Everyone and Authenticated Users groups / Total number of documents and list items (%) | |
Infrastructure | | |
Servers with inappropriate operating systems* | Number of Windows servers with OS not included in the whitelist / Overall number of servers (%) | |
Servers with under-governed Windows Update configurations* | Number of servers with Windows Update configuration source set to Local Settings AND/OR with auto-update set to Not configured or Disabled / Overall number of servers (%) | |
Servers with unauthorized antivirus software* | Number of Windows servers with antivirus tools not included in the whitelist / Overall number of servers (%) | |
* Here, the overall number of servers means the number of Windows servers for which data collection succeeded. This count may therefore vary across the risks. In such a case, it is recommended to examine the Netwrix Auditor health log and omit lists.
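The following added example (not Netwrix code) shows how a percentage metric maps to a risk level using the interval notation from the NOTE above, with the administrative-accounts thresholds taken from the guideline in the text ("moderate" is treated as Medium). The function names and the "Unknown" result for an empty denominator are assumptions of this example.

```python
import re

# Interval notation from the NOTE: [ ] inclusive, ( ) exclusive, mixed = half-closed.
_INTERVAL = re.compile(r"^\s*([\[\(])\s*([\d.]+)\s*,\s*([\d.]+|inf)\s*([\]\)])\s*$")

def parse_interval(text):
    """Turn '[2,3]' or '(3,inf)' into (low, low_inclusive, high, high_inclusive)."""
    m = _INTERVAL.match(text)
    if not m:
        raise ValueError(f"bad interval: {text!r}")
    left, low, high, right = m.groups()
    return float(low), left == "[", float(high), right == "]"

def in_interval(value, interval):
    low, low_inc, high, high_inc = interval
    above = value >= low if low_inc else value > low
    below = value <= high if high_inc else value < high
    return above and below

# "User accounts with administrative permissions", per the example in the text:
# less than 2% -> Low, between 2% and 3% -> Medium, more than 3% -> High.
ADMIN_ACCOUNT_THRESHOLDS = {
    "Low": parse_interval("[0,2)"),
    "Medium": parse_interval("[2,3]"),
    "High": parse_interval("(3,100]"),
}

def percentage(part, overall):
    """Ratio metric in percent; None when there is nothing to divide by
    (for example, no server returned data for a starred metric)."""
    if overall <= 0:
        return None
    return 100.0 * part / overall

def risk_level(value, thresholds):
    if value is None:
        return "Unknown"  # assumed label for this example, not a product risk level
    for level, interval in thresholds.items():
        if in_interval(value, interval):
            return level
    raise ValueError(f"value {value} is not covered by any interval")

def admin_account_risk(admin_accounts, all_accounts):
    """Risk level for: Number of administrative accounts / Overall number of accounts (%)."""
    return risk_level(percentage(admin_accounts, all_accounts), ADMIN_ACCOUNT_THRESHOLDS)
```

The boundary values are where mistakes usually occur: exactly 2% and exactly 3% both fall into Medium here, because Low is exclusive at 2 and High is exclusive at 3.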