I hope this is an easy answer for someone, but I created a baseline a little while ago and when I was putting it together I could not find a fixlet/task within BigFix that was already created to disable remote registry in Windows XP. As a result I created a custom fixlet that appeared to work on all my test machines but now I realize it is only working about 50% of the time at most. Does BF already have one and I am just missing it? If not, how have others been able to resolve this when attempting to meet FDCC compliance? (Also, just to note we do have the BigFix Vulnerability/Security module and I have used other existing fixlets to manage other services).
How did you do it? I'd use the Windows Registry Wizard to edit the HKLM\System\CurrentControlSet\services\RemoteRegistry Start DWORD to '3' or '4'. That's manual or disabled. Then I'd add
waithidden cmd /c "net stop remoteregistry"
to the end of my action.
Looks like the UI of the registry wizard suggests using ‘0x3’ or ‘0x4’ for DWORDS, which doesn’t work for me.
Yes, that is exactly how I did it (using a DWORD of 4), but I didn't include the stop remoteregistry line at the end. I was just rebooting each system after applying the baseline under the assumption that the service would then be stopped afterwards. I spent some more time on this yesterday and I am beginning to suspect that another management tool that some of our people still use might be turning the service back on. I will be running some tests on a group of our boxes and if it looks like it's my fixlet that's the problem I will make sure to report back.
On a side note: I could not find a corresponding fixlet to Disable Anonymous SID Translation as well. Any advice on that one?
Hey, in messing with this I realized that the UI of the registry wizard is misleading for DWORDs – it says to enter in hexadecimal form, but the relevance it produces converts back to integer, so it doesn’t turn relevant when it should. I’ve entered a bug to change this UI text.
# REG_DWORD value exists and contains 3
# False negative
q: (exists value "Start" whose ("0x3" != it as integer as hexadecimal) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RemoteRegistry" of native registry)
A: True
T: 0.064 ms

# Accurate relevance
q: (exists value "Start" whose ("3" != it as integer as hexadecimal) of key "HKLM\SYSTEM\CurrentControlSet\services\RemoteRegistry" of native registry)
A: False
T: 0.089 ms
I believe you can disable anonymous SID translation with this key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\TurnOffAnonymousBlock DWORD value to 1.
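As an added example that is not part of the original thread, the following PowerShell script performs the two changes the posts above describe: set the RemoteRegistry Start DWORD to 4 (disabled) and stop the running service, and set TurnOffAnonymousBlock to 1 under the Lsa key. It then reads both values back so that a drift (for example, another tool re-enabling the service) is visible. It assumes an elevated PowerShell session on a Windows host; the registry paths are the ones named in the posts, and the function names are my own.

```powershell
# Added example, not code from the original posts or from BigFix.
# Run from an elevated PowerShell prompt.

$RemoteRegKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteRegistry'
$LsaKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Disable-RemoteRegistry {
    # Start values: 2 = Automatic, 3 = Manual, 4 = Disabled.
    # The value is stored as a plain integer; '0x4' is only a display form,
    # which is the mismatch the registry wizard relevance tripped over.
    Set-ItemProperty -Path $RemoteRegKey -Name Start -Value 4 -Type DWord

    # Changing Start does not stop an already-running instance,
    # which is why the posts add "net stop remoteregistry" to the action.
    Stop-Service -Name RemoteRegistry -Force -ErrorAction SilentlyContinue
}

function Disable-AnonymousSidTranslation {
    # Registry-backed equivalent of the policy
    # "Network access: Allow anonymous SID/Name translation" = Disabled.
    Set-ItemProperty -Path $LsaKey -Name TurnOffAnonymousBlock -Value 1 -Type DWord
}

function Test-HardeningState {
    # Read back as integers, the same way a relevance check should compare.
    $start = (Get-ItemProperty -Path $RemoteRegKey -Name Start).Start
    $svc   = Get-Service -Name RemoteRegistry
    $anon  = (Get-ItemProperty -Path $LsaKey -Name TurnOffAnonymousBlock `
                -ErrorAction SilentlyContinue).TurnOffAnonymousBlock

    [pscustomobject]@{
        RemoteRegistryStart   = $start
        RemoteRegistryStatus  = $svc.Status
        RemoteRegistryOk      = ($start -eq 4 -and $svc.Status -eq 'Stopped')
        TurnOffAnonymousBlock = $anon
        AnonymousSidOk        = ($anon -eq 1)
    }
}

Disable-RemoteRegistry
Disable-AnonymousSidTranslation
Test-HardeningState
```

Re-running Test-HardeningState on a schedule (or wrapping it in an analysis) is a quick way to tell whether a fixlet is failing to apply or whether something else on the box is reverting the setting afterwards, which is the distinction the discussion above is trying to make.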
Ok, maybe I should backtrack a little here . . . I have been using BF for about 10 months and I am the only one at my work who manages it. I have not created much “custom” content until I had to create a security baseline to help our desktops reach FDCC compliance. In creating this it seems that BF does not have an already made fixlet for all of the FDCC requirements and some of the fixlets do not set the correct values for the corresponding registry entry. We were under the assumption that we would be able to create and deploy an “out-of-the-Box” baseline that would match the FDCC, but this issue in addition to others that I have posted are adding up and it is starting to appear that if you were to rely on only the supplied FDCC fixlets that a system would not actually meet the configuration requirements? (Not trying to bash on BF, I am just hoping someone can shed some light on this).
Thanks for your help,
Dan
In addition, the following is what I changed my relevance to and so far it seems to be working, but it seems to be what you mentioned above as being incorrect?
(name of operating system = "WinXP") AND ((name of operating system = "WinXP") and not (((((name of operating system as string) starts with "Win") AND (exists (values "CurrentVersion" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" of registries as string) whose (it as string as lowercase = ("5.1")))) AND ((not exists (values "Start" of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry" of registries as string)) OR (exists (values "Start" of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry" of registries as string) whose (it as integer = 4))))))
We have subscriptions to about 17 sites including 7 for SCM such as “SCM Checklist for FDCC on Windows XP” and 99% of our systems are XP so I don’t think that is an issue.
I guess what I am wondering is (for example) if Disabling Remote Registry is part of the FDCC baseline, then why wouldn’t BF have this as one of the 206 fixlets/tasks under the SCM Checklist for FDCC on Windows XP? Or were you implying that there should be a specific fixlet already in that content?
Thank you for the reply Noah. However, the fixlet you specified is for the actual specified paths that are allowed to be accessible remotely and does not turn off the service itself. I think a problem I am having is that I am using a set of "interpreted" FDCC configuration guidelines which seem to require slightly different settings than what you guys are using directly from the FDCC. Would you be able to provide a link to a source which would illustrate exactly what guidelines BigFix uses when creating the fixlets for the FDCC baseline? I assume you are using something directly from NIST but if possible it would be great to know the exact document you guys use as a source. If the case is that I have been given a set of documentation that is not exactly what the FDCC guidelines stipulate, then that explains why I can't find a fixlet for the requirement I have because it would not actually be part of the FDCC. (Hopefully that information makes sense)
Those documents are used as the basis for our FDCC Scanner certification.
To ensure we are talking about the same thing – which specific CCE are you interested in? – using the security settings tabs in the prose excel document.
It’s the same doc for XP SP3 and for XP Firewall. It occurs to me that you might be looking for “Windows Firewall: Allow remote administration exception” fixlet in the XP Firewall site (CCE-2476-0, which also seems to be CCE-771 in the spreadsheet).
Thanks for the reply. Yes, the links you provided are what I thought you guys used to create the fixlets. I think the root of my issue is that the documentation I was given by an internal source includes extra criteria not directly outlined in the NIST guidelines, which is obviously why there isn’t a directly related fixlet in BF to disable the remote registry service. In fact, through further review, I have found that some vulnerability scanners need this service running in order to accurately scan a system and will most likely just turn it back on in order to do so. I blindly assumed that the guidelines I received were created directly from the FDCC documentation, but now I know that is not the case. Sorry for wasting any of your guys time and hopefully some good came out of this in Jack finding the issue with the Reg Wiz UI.