I’m referring of course to the HIPAA Security Risk Analysis requirement of the Stage 1 EHR Meaningful Use Incentive Plan. Between 85%-90% of the 5,000+ eligible hospitals say they plan to qualify for Stage 1, yet data from the Centers for Medicare &Medicaid Servicesshows less than 25% have attested and received payment as of November 30, 2011. So for the 3,300 or so other hospitals – this is no time to procrastinate. Time flies, whether you’re having fun or not. You’ll need to plan your 90-day qualification period and be ready to attest before the 2012 deadline. Don’t let the HIPAA Security Analysis become “the tall pole in the tent.”

If the $4 million dollars ($2m Medicare, $2m Medicaid) is not enough of an incentive, don’t forget that the new Federal HIPAA compliance and audit program has begun. The Department of Health and Human Services’ Office for Civil rights announced the specifics of the audit program last year, fulfilling the mandate from the HITECH Act (part of the overall ARRA bill passed in 2009). 150 organizations will be audited in 2012 by KPMG (under contract with OCR) and the first 20 covered entities have already been selected and notified.

Although the primary goal of the audit program is security improvement, significant corrective action and civil monetary policies resulting from these audits have not been ruled out. As Leon Rodriguez, OCR’s new chief, likes to say “enforcement improves compliance.” OCR officials have suggested that most of the remainder of the audits will be conducted in the 2^nd half of 2012. Even more reason for hospitals to get their HIPAA Security Risk Assessments completed as soon as possible. Better to have had a run-through with a 3^rd party, objective, IT security assessment company of your own choosing and taken corrective actionbefore the federal auditors arrive.

Lastly, some hospitals put off allocating resources to meaningful use efforts in 2011 until their individual states had begun their Medicaid EHR Incentive Programs. But the 2012 national landscape already looks much different. 41 of 50 states have now launched their programs with another 5 or 6 to commence in Q1/2012. In all likelihood, all 50 state programs will be in place and making payments by July 2012.

First, since security terminology is often misunderstood, let’s first define internal penetration testing. An internal pen test is a very specific scope of work where a security engineer connects to your internal network, or portion thereof, and with nothing other than an internal network connection, attempts to gain access to sensitive organizational resources. In an internal pen test the security engineer is network level connected but has no other credentials, such as a user account on the domain or on a corporate software application. Such a test can be conducted on-site with the engineer working from a conference room with an Ethernet drop, or done remotely via VPN connection. It is from this restricted vantage point that the engineer attempts to gain unauthorized access to internal systems and data.

The results of an internal penetration test typically demonstrate what information or other assets might be exposed to an unauthorized user who has network level access to your corporate IT environment. Extrapolating further, it also shows what a hacker could access if they were to compromise your gateway. But, an internal pen test is not designed simply to expose risk from external hackers. There are a number of internal risks as well. Here are some other important considerations:

• What confidential info might an employee obtain by gaining access to your internal HR database

• What about vendors or visitors who are allowed on your internal network by an employee, and/or they are left alone in a conference room where they plug into a live Ethernet port?

• What information could a rogue employee exploit?

• Can partner companies that have network level connectivity access more internal resources than you intended?

An internal penetration test can help answer these questions and educate others in your organization about this kind of risk. With limited resources to work with, it’s important to clarify what your organization wants to accomplish as you embark on any type of security assessment. We hope we’ve clarified above the most important benefits of an internal penetration test.

Of further note, the pilot program will be limited to 150  HIPAA covered entities and will not include business associates (BAs) although OCR stated that BAs will be subject to audits at a later date. This despite the fact that 55% of all major breach incidents since September 2009 (those involving 500 or more individual’s records) occurred at BAs. In addition, less than 50% of healthcare organizations conduct any kind of pre- or post- contract compliance assessments of their BAs.  But more on BAs later. First here’s the planned roll-out of the pilot program for covered entities:

The HIPAA auditors plan to notify covered entities that they are among the lucky 150 by mail. What we find most interesting is that they then have 10 days to provide the auditor with documented evidence of how they have complied with the HIPAA privacy and security standards, as well as breach notification rules, including a copy of their most recent HIPAA Risk Analysis. That’s right, their HIPAA Risk Analysis. As you may or may not recall, the  HIPAA Security Risk Analysis requirement is not just a Core Measure of attesting to meaningful use, it’s been a requirement under the HIPAA Security Rule since 2005.  If you’re at all concerned about making a good first impression on the auditor, we’d suggest you don’t send them a HIPAA Risk Analysis that is more than 2 years old.

OCR is also getting serious about enforcement. The KPMG contract itself requires their auditors to inform organizations in advance that “OCR may initiate further compliance enforcement action based on the content and findings of the audit.” Since taking office, the mantra of OCR’s new director, former prosecutor Leon Rodriguez,  has been “enforcement promotes compliance.”

Now onto business associates. While OCR opted not to include auditing business associates themselves in their pilot HIPAA program, covered entities are not relieved of their obligation to monitor PHI safeguards at their BAs.  In fact, a significant concern at hospitals should be business associate oversight, a complex and cumbersome, thus oft-neglected responsibility.

For business associates themselves, protecting the security and privacy of ePHI/PHI will shortly become both a fiduciary responsibility and potentially a competitive issue. The OCR has confirmed that direct liability for a breach will extend to BAs at the end of 2012 raising the likelihood of civil penalties. As hospitals begin to feel increased audit pressure, they may insist that BAs provide them with documented policies, procedures, and third-party network security assessments prior to signing or renewing business contracts. Publicly- disclosed violations or civil penalties assessed to BAs could be brand-damaging at the least and a company killer at their most severe.

Whether you’re a covered entity or a business associate, we recently published a list of 10 things we’d recommend to best prepare yourself for the inevitable day the HIPAA auditor arrives. You can download the full Audit Advisory here: http://www.redspin.com/resources/whitepapers-datasheets/request_HIPAA-security_audit_advisory.php

In any complex, cross-functional business challenge, responsibility and authority must be distributed intelligently while at the same time prove a process of internal dispute resolutions. An information security program is one such complex and multifarious business necessity. At its heart, information security is a method of managing risk to information and information systems, and reducing uncertainty relative to organizational objectives; it is a balance.

But the success of an information security program depends upon the ability of an organization to establish a set of controls based on a thoughtful and consistent design that was developed against carefully analyzed internal and external requirements. Relatively few companies approach the problem this way, so we thought we’d offer some guidance based on Redspin’s 10+ years of IT security experience.

The following describes an accountability-driven and risk-based approach to address the information security expectations of leaders, customers, citizens, partners, and investors.

Creating an environment where operational units coordinate to achieve consistent and appropriate information security controls helps to ensure that the operation and security objectives of the organization are met. One way to do this is to assign accountability and responsibilities in a way that makes internal parties accountable to one another, with guidance and input from subject matter experts. The following mutual accountability can be used to drive decisions that align with your organization’s mission and goals:

A Data Steward is a single person accountable for establishing policies for internal uses and conditions of internal and external disclosure. There is one steward for each domain of data across the entire organization. Domains are generally broad and easily identifiable, organizations having on average between 10 to 15 core domains.

A Process Owner is a single person accountable for general processes (such as workforce acquisition and termination). These individuals establish the minimum process control requirements, which may then be implemented in a centralized or decentralized manner. Each implementer is responsible for meeting the process owner’s control requirements and one or more data steward’s control requirements.

System Sponsors are assigned to each application and system, from the department specific applications to general utility applications such as email. These system sponsors are responsible for meeting the availability and processing quality requirements of the process owners (e.g. up time and stability), and the data confidentiality and integrity requirements of the data stewards (e.g. patching and access controls). They are also responsible for justifying the continued existence of an application or system.

Data Gatekeepers are accountable for disclosures to a particular audience. Some of these roles are historically well established. For example, the senior public-relations official is accountable for responding to inquiries from the public and the press, and the senior legal official is accountable for addressing inquires from the courts and, depending on the organization, perhaps for inquiries from regulators and governments. Extending this concept to each unique audience creates internal accountability. Audiences may include consumers, vendors, business customers, partners, local and foreign governments, and law enforcement and intelligence agencies. The data gatekeeper is answerable to one or more data stewards.

Let’s run this through an example to see how it works. USB thumb drives are prevalent, with organizations taking stances that range from very loose to very tight. Policies commonly ban the devices, don’t mention them, or put IT in the role of deciding who gets one. The first two positions generally fail to serve the organization, and the last requires IT to make a business operations decision. To address this let’s step back to ask ourselves a few questions. Which process do the USB drives support and are the USB drives inherently required by those processes? Will the USB drive contain controlled information and are the data stewards requirements met?

Sales might use thumb drives to display presentations on client’s equipment. This is clearly a sales process, and would be under the purview of the most senior sales management position, perhaps a VP of Sales. The VP of Sales could responsibly and reasonably take a position that USB drives are required for external sales presentations. So long as that drive contains only sales information, then the data in question is also under the purview of the VP of Sales.

Changing the scenario for a moment, let’s say a salesperson wants to include very sensitive discount information. In this case, the VP of Sales may have a policy that discount data is only shared with key members of the client decision team. The VP of Sales in a process owner role still approves the use of USB thumb drives for sales presentations, but the VP of Sales in a data steward role requires that the data be distributed in a limited and controlled manner.

Changing the scenario even further, let’s say that the client requests key financial information. Again the use of USB drives is already approved by the VP of Sales. However, in this scenario the data in question is subject to the policies of the CFO, who has the requirement that key financial data be stored only on company owned equipment and be encrypted at all times when not within company facilities. In this case, the sales person must use a company owned and encrypted laptop for the presentation. If the VP of Sales doesn’t like this and still wants to use USB drives, the issue is not between Sales and IT, it’s between Sales and Finance. We are effectively taking IT out of  the middle, to a role where IT implements the decision of the parties who have the greatest stake in the decision.

IT organizations in the healthcare industry are being asked to make increasingly complex and subtle decisions. IT everywhere is being asked to do more and be responsible for more. Enabling the business to meaningfully engage IT, and creating a way that provides the businesses with the right information to make decisions is key to the perceived and actual success of an IT department. The road to engaging all parts of the business is difficult, but it has also been shown to be a hallmark of successful organizations.

IT has been put in the role of making business decisions, because organizations lack a framework for making data and system decisions. Providing a framework for decision making can become a key value that IT can provide. Even if your organization is not ready to formally adopt these concepts the thinking process, and the line of questions that result, will help you facilitate better security decision making within your organization.

The most consistent problem is that wireless networks are deployed with less than optimum security controls. For example, using WPA2 in personal mode rather than enterprise mode. The upside of personal mode – in which clients, such as laptops and iPhones, authenticate to the networks with a pre-shared key (PSK) – is that it’s easy to manage and configure. The downside of this approach that it is vulnerable to a password guessing attack, cached client credentials, system-wide risk in the event of a compromised key and rogue access points. This risk may be acceptable for access to a wireless network whose only purpose is to provide Internet access for guests or mobile devices. However, many wireless networks begin with this simple purpose in mind only to evolve into much more access into the internal network.

Wireless network signals travel well beyond your corporate office space. In a downtown office environment, dozens or even hundreds of other businesses or public areas are able to “see” these signals. It’s as if you are grabbing a hand full of network cables that are connected to your internal switch and lobbing them out into the street for everyone to use. This greatly extends the attack surface area for wireless networks, so it’s imperative that they are configured with security settings that are appropriate to the data they need to protect.

With wireless networks, there are a great many security configurations available to support a variety of business cases. It’s critical to ensure that usage scenarios are carefully evaluated before a network is deployed to ensure that appropriate security controls are implemented. Once deployed, wireless networks should be tested to verify that the controls are actually working effectively.

Relying solely on historical data has limitations, particularly in such dynamic, fast-moving arenas as healthcare and IT. Any conclusions drawn may turn out to be less predictive or prescriptive than as originally put forth. The old adage “if we don’t learn from history, we are doomed to repeat it,” is diluted by the pace of technological change. Relatively new innovations such as smart phones, iPads, and social media continue to alter the nature of human-machine interaction, workflow and social reach. With new modalities for patient care, such as genetic-driven personalized medicine and mobile consumer health applications, one can easily conclude that how a patient’s health record was breached in 2010 will have little relevance in 2014.

As a case-in-point, Bloomberg Businessweek recently reported on a new healthcare industry privacy and security report released by PwC’s Health Research Institute. The article was entitled: “Theft of Digital Health Data More Often Inside Job, Report Finds” (Sep 22, 2011).  Presumably, the editor relied on the following two statements from the report to support the title; “Theft accounted for 66 percent of publicly reported breaches” and “Thieves are most often ‘knowledgeable insiders.’”

Ah, the dangers of oversimplification. If I were a healthcare CIO or Chief Privacy Officer, I might conclude that my security risk would be markedly reduced with daily shakedowns of all staff and more extensive background checks of prospective new employees. Worse, based on history alone, I might dismiss external hackers as not much of a threat to electronic protected health information (ePHI).

Yet, just this same month, RSA re-released a re-formatted, modestly updated 2009 report entitled “Cybercrime and the Healthcare Industry.” This paper discusses the rise of underground cybercrime networks and explains why a stolen medical identity has 10 times the higher relative value than a “regular” identity theft. Looking into its encrypted crystal ball, RSA concludes: “Cybercrime in healthcare is just starting to evolve but could quickly become a devastating industry, economic and societal problem.”

Inside job or underground cybercriminals, most healthcare organizations are under prepared for data breaches. PwC’s report “Old Data Learns New Tricks: Managing Patient Privacy and Security on a New Data Sharing Playground,” (despite the wildly mixed metaphor) was supported by over 600 interviews with health care executives. The 40+ page document is an excellent treatise on the importance of healthcare IT security, only slightly self-serving, and accurately summarizes the health data breach problem as follows: “Breaches erode productivity and patient trust. They’re costly, unpredictable, and unfortunately quite common.” (p3.)

Those in the healthcare IT industry face an increasingly complex challenge. Patients, providers, payers, business associates, researchers and industry economics will demand a significant increase in data sharing. At the same time, the threat surface for data breach will increase exponentially, exacerbated by personal and mobile communications devices and overall multiplicity of end-points. History can guide us only mildly. To borrow from Aldous Huxley and Shakespeare, it’s a brave new world and a world without data islands. Redspin will meet you there.

• Historical statistics show that the greatest risk to date (more than 50% of violations) has come from theft or loss of laptops, smart phones, and other electronic media and devices.
• 20% of all incidents took place at business associates (BA’s), showing the need for a covered entity to have deeper involvement with their vendors’ information security policies, procedures and a say in how frequency they conduct security testing and audits.

Adam Greene, a former OCR official who I met at last May’s Annual HIPAA Security Rule Conference, recently recommended that healthcare organizations focus more on their employees and how they physically safeguard hardware. Encryption is almost always brought up in this context as the potential damage caused by stolen or lost devices that have been encrypted can be minimized. But mandatory encryption still remains a controversial topic within the health care security rule-making bodies in D.C. The official position has been that the need for providers to have flexibility in their workflow to deliver optimal patient care has to be balanced against security risks, at least for now.

Let’s look deeper at the issue of business associates. If you sort the online breach notification database by number of individuals affected, you’ll find that 9 of the top 20 incidents occurred at the hands of business associates. This is a significant problem for covered entities today – as their responsibility and liability extends to companies and organizations that are beyond their direct control. At Redspin, we strongly recommend that hospitals adopt a stronger business associate oversight program. We’ve provided HIPAA Risk Analysis services for dozens of hospitals and we almost always cite risk and vulnerabilities in their business associate management programs. I’m not as confident as my friend Adam that they solution is simply that hospitals must take greater precautions in this area. Hospitals and their vendors have a business relationship – by definition, the business associate needs access to protected health information to perform its duties and fulfill its contractual obligation. To prompt real change in a third-party organization, hospitals need to insist, cajole, negotiate, discuss etc. within the bounds of an arm’s length relationship.

One thing we’d suggest is that hospitals point to their own Security Risk Analysis efforts and share with their vendors some of their findings and recommendation, and recommend companies like Redspin to do BA’s own IT security audits. OCR will soon provide some regulatory help in this regard as directly liability for breach will extend to business associates by the end of 2012. At that time, hospitals may even find their business associates coming to them, proactively asking for direction and guidance in the area of data privacy and security. In our opinion, it won’t be long before covered entities insist that business associates conduct an annual IT security assessment as part of the obligations of their business associate contract.

msf > db_status
[*] postgresql connected to msf_database

To start, you need Nmap output saved to a file. Do this by feeding Nmap the -oA flag when you scan which will save the results in all 3 major file formats: XML, Nmap and Grepable.
From within msfconsole import your scan data:

msf > db_import 192.168_scan.xml
[*] Importing 'Nmap XML' data
[*] Import: Parsing with 'Nokogiri v1.4.3.1'
[*] Importing host 192.168.1.1
[*] Importing host 192.168.1.2
[*] Importing host 192.168.1.3
[*] Importing host 192.168.1.4
[*] Importing host 192.168.1.7
[*] Importing host 192.168.1.9
[*] Importing host 192.168.1.10
[*] Importing host 192.168.1.13
[*] Importing host 192.168.1.15
[*] Importing host 192.168.1.16
[*] Importing host 192.168.1.22
[*] Importing host 192.168.1.100
[*] Successfully imported /home/mark/192.168_scan.xml

Once this completes successfully your Nmap data will be contained in the Postgresql database and fully accessible to Metasploit. This opens up all kinds of flexibility that will really save your bacon on large scans.
If you want to you can also perform Nmap scans directly from within the Metasploit Framework and have it automatically added to the database. To do this use the db_nmap command followed by the flags you wish to use and the hosts or subnets you want to scan. I typically like to do Nmap scanning outside of Metasploit in order to have more flexibility about the types of scans I perform and I may run many different scans and cat them together or otherwise manipulate them prior to feeding them into Metasploit. Obviously, do what makes sense for your situation.
Type ‘hosts’ to get a list of all hosts in the database. Use ‘hosts -u’ to get a list of only hosts that respond to ping and are believed to be up.

msf > hosts -u
Hosts
=====
address        mac  name             os_name  os_flavor  os_sp  purpose  info  comments
-------        ---  ----             -------  ---------  -----  -------  ----  --------
192.168.1.1                          Unknown                    device
192.168.1.10        goro.home        Unknown                    device

You can also query based on services. Execute ‘services’ with no parameters to dump all hosts and all services in the database. This isn’t particularly useful and can be quite huge depending on the scan data that you’re working with. Thankfully you can parse this further before it’s output to the console. Use the -p flag to only list specific ports you’re interested in.

msf > services -p 445 -u 
Services
========
host           port  proto  name          state  info
----           ----  -----  ----          -----  ----
192.168.1.10   445   tcp    microsoft-ds  open   Samba smbd 3.X workgroup: SKYNET
192.168.1.100  445   tcp    microsoft-ds  open
192.168.1.11   445   tcp    netbios-ssn   open
192.168.1.2    445   tcp    microsoft-ds  open
192.168.1.22   445   tcp    microsoft-ds  open
192.168.1.4    445   tcp    microsoft-ds  open   Microsoft Windows 2003 or 2008 microsoft-ds
192.168.1.6    445   tcp    netbios-ssn   open
192.168.1.9    445   tcp    microsoft-ds  open

Here i’m listing only hosts that have 445/tcp open. I’ve also added the -u flag to only show services that are open.
If you’re a narcissist, at this point you’re probably thinking “big whoop, I can do all this via a few grep strings on the Nmap output”. And you’re correct.
Now to do something useful with this.

msf > services -p 445 -R

Services
========

host           port  proto  name          state  info
----           ----  -----  ----          -----  ----
192.168.1.10   445   tcp    microsoft-ds  open   Samba smbd 3.X workgroup: SKYNET
192.168.1.100  445   tcp    microsoft-ds  open
192.168.1.11   445   tcp    netbios-ssn   open
192.168.1.2    445   tcp    microsoft-ds  open
192.168.1.22   445   tcp    microsoft-ds  open
192.168.1.4    445   tcp    microsoft-ds  open   Microsoft Windows 2003 or 2008 microsoft-ds
192.168.1.6    445   tcp    netbios-ssn   open
192.168.1.9    445   tcp    microsoft-ds  open

RHOSTS => file:/tmp/msf-db-rhosts-20110909-32464-oyzbko

Looks the same as before, but by adding the -R flag, you’ve told Metasploit to set the RHOSTS variable to the output of the database query you’ve just performed. This is reflected in the last line of output which is the filename of the hosts that you’ve selected from the database which Metasploit created and populated.
Now select an exploit to use against these hosts

msf > use auxiliary/scanner/smb/smb_enumusers
msf  auxiliary(smb_enumusers) > show options

Module options (auxiliary/scanner/smb/smb_enumusers):

   Name       Current Setting                                Required  Description
   ----       ---------------                                --------  -----------
   RHOSTS     file:/tmp/msf-db-rhosts-20110909-32464-oyzbko  yes       The target address range or CIDR identifier
   SMBDomain  WORKGROUP                                      no        The Windows domain to use for authentication
   SMBPass                                                   no        The password for the specified username
   SMBUser                                                   no        The username to authenticate as
   THREADS    1                                              yes       The number of concurrent threads

As you can see Metapsloit has filled in the RHOSTS variable automatically for this exploit. You don’t need to have a pre-selected exploit in order for Metasploit to do this, and can choose an exploit after you’ve piped the output of a database query to the input of the RHOSTS variable.
Using Metasploit Framework 4 tied to a database is a great way to save time and effort while working with large projects and scans of several hundred to several thousand hosts and many more services.

Open a command prompt and enter the following command to see all GPO’s that are being applied to your system:

gpresult

This will show the most basic output

C:\Documents and Settings\billy>gpresult

Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 8/26/2011 at 3:24:13 PM

RSOP results for MARS\billy on EARTH : Logging Mode
----------------------------------------------------

OS Type:                     Microsoft Windows XP Professional
OS Configuration:            Member Workstation
OS Version:                  5.1.2600
Domain Name:                 MARS
Domain Type:                 Windows 2000
Site Name:                   Default-First-Site-Name
Roaming Profile:
Local Profile:               C:\Documents and Settings\billy
Connected over a slow link?: No

COMPUTER SETTINGS
------------------
    CN=EARTH,OU=Goats,DC=mars,DC=local
    Last time Group Policy was applied: 8/26/2011 at 3:03:25 PM
    Group Policy was applied from:      phobos.mars.local
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Pasture.Rules
        Good.Goats
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups:
    --------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        NT AUTHORITY\Authenticated Users

USER SETTINGS
--------------
    CN=Billy,OU=Goats,DC=mars,DC=local
    Last time Group Policy was applied: 8/26/2011 at 3:03:20 PM
    Group Policy was applied from:      phobos.mars.local
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Pasture.Rules
        Good.Goats
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups:
    ----------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        LOCAL

To see additional detail including the specific settings within the applied GPO’s use the following command

gpresult /z

Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 8/26/2011 at 3:35:13 PM

RSOP results for MARS\billy on EARTH : Logging Mode
----------------------------------------------------

OS Type:                     Microsoft Windows XP Professional
OS Configuration:            Member Workstation
OS Version:                  5.1.2600
Domain Name:                 MARS
Domain Type:                 Windows 2000
Site Name:                   Default-First-Site-Name
Roaming Profile:
Local Profile:               C:\Documents and Settings\billy
Connected over a slow link?: No

COMPUTER SETTINGS
------------------
    CN=EARTH,OU=Goats,DC=mars,DC=local
    Last time Group Policy was applied: 8/26/2011 at 3:03:25 PM
    Group Policy was applied from:      phobos.mars.local
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Pasture.Rules
        Good.Goats
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups:
    --------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        NT AUTHORITY\Authenticated Users

    Resultant Set Of Policies for Computer:
    ----------------------------------------

        Software Installations
        ----------------------
            N/A

        Startup Scripts
        ---------------
            N/A

        Shutdown Scripts
        ----------------
            N/A

        Account Policies
        ----------------
            GPO: Default Domain Policy
                Policy:            MinimumPasswordAge
                Computer Setting:  1

            GPO: Default Domain Policy
                Policy:            PasswordHistorySize
                Computer Setting:  24

            GPO: Default Domain Policy
                Policy:            LockoutDuration
                Computer Setting:  30

            GPO: Default Domain Policy
                Policy:            ResetLockoutCount
                Computer Setting:  30

            GPO: Default Domain Policy
                Policy:            MinimumPasswordLength
                Computer Setting:  7

            GPO: Default Domain Policy
                Policy:            LockoutBadCount
                Computer Setting:  5

            GPO: Default Domain Policy
                Policy:            MaximumPasswordAge
                Computer Setting:  42

        Audit Policy
        ------------
            GPO: Pasture.Rules
                Policy:            AuditPolicyChange
                Computer Setting:  Success

            GPO: Pasture.Rules
                Policy:            AuditDSAccess
                Computer Setting:  Success, Failure

            GPO: Pasture.Rules
                Policy:            AuditAccountLogon
                Computer Setting:  Success, Failure

            GPO: Pasture.Rules
                Policy:            AuditAccountManage
                Computer Setting:  Success

            GPO: Pasture.Rules
                Policy:            AuditLogonEvents
                Computer Setting:  Success, Failure

        User Rights
        -----------
            N/A

        Security Options
        ----------------
            GPO: Default Domain Policy
                Policy:            RequireLogonToChangePassword
                Computer Setting:  Not Enabled

            GPO: Good.Goats
                Policy:            EnableGuestAccount
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            PasswordComplexity
                Computer Setting:  Enabled

            GPO: Default Domain Policy
                Policy:            ForceLogoffWhenHourExpire
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            ClearTextPassword
                Computer Setting:  Not Enabled

        Event Log Settings
        ------------------
            N/A

        Restricted Groups
        -----------------
            N/A

        System Services
        ---------------
            N/A

        Registry Settings
        -----------------
            N/A

        File System Settings
        --------------------
            N/A

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            N/A

USER SETTINGS
--------------
    CN=Billy,OU=Goats,DC=mars,DC=local
    Last time Group Policy was applied: 8/26/2011 at 3:03:20 PM
    Group Policy was applied from:      phobos.mars.local
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Pasture.Rules
        Good.Goats
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups:
    ----------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        LOCAL

    Resultant Set Of Policies for User:
    ------------------------------------

        Software Installations
        ----------------------
            N/A

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            GPO: Good.Goats
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
                State:   Enabled

            GPO: Good.Goats
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall
                State:   Enabled

            GPO: Pasture.Rules
                Setting: Software\Policies\Microsoft\Windows\Control Panel\Desktop
                State:   Enabled

            GPO: Good.Goats
                Setting: Software\Policies\Microsoft\Windows\Control Panel\Desktop
                State:   Enabled

            GPO: Good.Goats
                Setting: Software\Policies\Microsoft\Windows\Control Panel\Desktop
                State:   Enabled

            GPO: Good.Goats
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\System
                State:   Enabled

            GPO: Pasture.Rules
                Setting: Software\Policies\Microsoft\Windows\Control Panel\Desktop
                State:   Enabled

            GPO: Pasture.Rules
                Setting: Software\Policies\Microsoft\Windows\Control Panel\Desktop
                State:   Enabled

            GPO: Pasture.Rules
                Setting: Software\Policies\Microsoft\Windows\Control Panel\Desktop
                State:   Enabled

            GPO: Good.Goats
                Setting: Software\Policies\Microsoft\Windows\Control Panel\Desktop
                State:   Enabled

            GPO: Good.Goats
                Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall
                State:   Enabled

        Folder Redirection
        ------------------
            N/A

        Internet Explorer Browser User Interface
        ----------------------------------------
            N/A

        Internet Explorer Connection
        ----------------------------
            N/A

        Internet Explorer URLs
        ----------------------
            N/A

        Internet Explorer Security
        --------------------------
            N/A

        Internet Explorer Programs
        --------------------------
            N/A

Data of particular interest to an attacker is output of the security group information, which lists what security groups the user account you’re logged in as belongs to.

    The user is a part of the following security groups:
    ----------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        LOCAL

In this example the user is just a member of the default groups and is fairly restricted.
Other information of note is the output of Account Policies which lists what password policies are in effect for the workstation as well as the domain.  This can help gauge what type of password guessing you can perform against other machines on the domain without locking accounts out.

        Account Policies
        ----------------
            GPO: Default Domain Policy
                Policy:            MinimumPasswordAge
                Computer Setting:  1

            GPO: Default Domain Policy
                Policy:            PasswordHistorySize
                Computer Setting:  24

            GPO: Default Domain Policy
                Policy:            LockoutDuration
                Computer Setting:  30

            GPO: Default Domain Policy
                Policy:            ResetLockoutCount
                Computer Setting:  30

            GPO: Default Domain Policy
                Policy:            MinimumPasswordLength
                Computer Setting:  7

            GPO: Default Domain Policy
                Policy:            LockoutBadCount
                Computer Setting:  5

            GPO: Default Domain Policy
                Policy:            MaximumPasswordAge
                Computer Setting:  42

All of this data can be accessed as a normal, limited user account and reveals a wealth of information about the configuration of the domain which the machine is joined to.  This info can aid greatly in a pentesters quest to gain further access into the network.