I am wondering if someone has written relevance to dig into the Local Security Policy. The out-of-the-box fixlet I am looking at is Interactive Logon: Do Not Display Last User Name. This fixlet looks into the registry, and we do not set this in the registry; we set it locally.
Does this set the User registry, or the Local Machine registry?
If it affects the Local Machine registry, then it should just be a matter of ensuring in relevance that the registry key is set as it should be.
You could try to read the policies in the registry, but this is complicated.
You could use Microsoft’s LocalGPO utilities to dump out the current Local GPOs set in the registry.pol file and then read that result with relevance. This is a bit ugly, because you have to run a task every couple of hours to refresh the result to ensure that it is still there.
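As an added example (not code from the thread), here is a small Python parser for the registry.pol format that a LocalGPO dump would produce, used to audit the same DontDisplayLastUserName value the thread discusses. It assumes the documented layout ("PReg" header, version 1, then UTF-16LE [key;value;type;size;data] records with key paths stored without the hive prefix); the function names and the two sample blobs are constructed for this example.

```python
import struct
REG_SZ, REG_DWORD = 1, 4  # value type codes in registry.pol (same numbers as winreg REG_SZ / REG_DWORD)
POLICY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
POLICY_VALUE = "DontDisplayLastUserName"

def _cstring(buf, pos):  # NUL-terminated UTF-16LE string at pos -> (text, offset just past the terminator)
    end = pos
    while buf[end:end + 2] not in (b"\x00\x00", b""):
        end += 2
    if end >= len(buf):
        raise ValueError("unterminated string at offset %d" % pos)
    return buf[pos:end].decode("utf-16-le"), end + 2

def _expect(buf, pos, ch):  # consume one UTF-16LE delimiter ('[', ';' or ']') or reject the file
    if buf[pos:pos + 2] != ch.encode("utf-16-le"):
        raise ValueError("expected %r at offset %d" % (ch, pos))
    return pos + 2

def parse_registry_pol(buf):
    """Parse a registry.pol blob: 'PReg' + version 1, then [key;value;type;size;data] records."""
    if buf[:4] != b"PReg" or struct.unpack("<I", buf[4:8])[0] != 1:
        raise ValueError("not a version 1 registry.pol file")
    pos, entries = 8, []
    while pos < len(buf):
        key, pos = _cstring(buf, _expect(buf, pos, "["))
        value, pos = _cstring(buf, _expect(buf, pos, ";"))
        pos = _expect(buf, pos, ";")
        vtype, pos = struct.unpack("<I", buf[pos:pos + 4])[0], _expect(buf, pos + 4, ";")
        size, pos = struct.unpack("<I", buf[pos:pos + 4])[0], _expect(buf, pos + 4, ";")
        data, pos = buf[pos:pos + size], _expect(buf, pos + size, "]")
        entries.append((key, value, vtype, data))
    return entries

def last_user_name_hidden(buf):
    """True if the policy file sets DontDisplayLastUserName to 1 (REG_DWORD, or a string with trailing NULs)."""
    for key, value, vtype, data in parse_registry_pol(buf):
        if key.lower() == POLICY_KEY.lower() and value.lower() == POLICY_VALUE.lower():
            if vtype == REG_DWORD:
                return struct.unpack("<I", data)[0] == 1
            return data.decode("utf-16-le").rstrip("\x00") == "1"
    return False

def _entry(key, value, vtype, data):  # build one constructed registry.pol record for the samples
    u, d = lambda s: (s + "\x00").encode("utf-16-le"), ";".encode("utf-16-le")
    return ("[".encode("utf-16-le") + u(key) + d + u(value) + d + struct.pack("<I", vtype) + d
            + struct.pack("<I", len(data)) + d + data + "]".encode("utf-16-le"))

# Constructed samples, not real policy files: one hides the last user name, one stores "0" as a string.
SAMPLE_HIDDEN = b"PReg" + struct.pack("<I", 1) + _entry(POLICY_KEY, POLICY_VALUE, REG_DWORD, struct.pack("<I", 1))
SAMPLE_SHOWN = b"PReg" + struct.pack("<I", 1) + _entry(POLICY_KEY, POLICY_VALUE, REG_SZ, "0\x00".encode("utf-16-le"))
```

Read the dumped file with `open(path, "rb").read()` and pass it to `last_user_name_hidden`; a malformed file raises `ValueError` rather than silently reporting "not set".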
This should be the relevance to detect which machines DO NOT have this policy set:
not exists values "dontdisplaylastusername" whose(1 = it as string as integer) of keys "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" of (x64 registries; x32 registries)
If you want relevance to report on this setting in an analysis property, it would be:
unique values of (it as string as trimmed string) of values "dontdisplaylastusername" of keys "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" of (x64 registries; x32 registries)
Also, because this is in HKLM, you could just set the registry keys and completely ignore setting this through Local GPO, but the Local GPO option should also work.
Thanks for the info, I'll give this a shot and check the results. I think the problem is this may be set on some servers and not on the others. When our Security department checks the results, they go to the local security policy to validate.
If this is just for validation, then this should be all you need:
unique values of (it as string as trimmed string) of values "dontdisplaylastusername" of keys "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" of (x64 registries; x32 registries)
If this returns a 1, then it is set.
BigFix is very good at auditing settings. You shouldn’t have to check the local security policy on each machine by hand if you can build relevance to detect the setting and validate it works as expected.
I did throw this into an analysis property on my end, and it does seem to do the right thing. Most of our machines seem to have this set to 1 which should be due to our Group Policies in AD, which would also be the case if it were set with Local GPO.
This is working and I like it! I can use it as a template for registry settings. This is what I was using, I think it is from the canned DISA content:
not exists 1 whose (conjunction of (exist values "DontDisplayLastUserName" whose (type of it = "REG_DWORD") of keys "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" of it) of (if x64 of operating system then (x64 registry; x32 registry) else x32 registry) and conjunction of (if exists key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" of it then (if exists values "DontDisplayLastUserName" of it then (concatenation of substrings separated by "%00" of (if it ends with "%00%00" then preceding text of last "%00%00" of it else if it ends with "%00" then preceding text of last "%00" of it else it) of (it as string) of it = "1") of values "DontDisplayLastUserName" of it else false) of key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" of it else false) of (if x64 of operating system then (x32 registry; x64 registry) else x32 registry))