Fixlets that check Local Policy and/or GPO

(imported topic written by SystemAdmin)

Hello,

I’ve been tasked to pull back information on fixlets in the FDCC and USGCB Windows sites. What I need to gather is what fixlets check local policy and/or GPO. I see a lot of them clearly state this in the description tab, but I have over 1000 to check.

Is there an easy way to gather this info? Or am I stuck drilling into each of them to find this out?

Any info will be appreciated.

Thanks,

Baraq

Console version 8.1.551.0 with DSS-SAM Version 1.3.1.597

(imported comment written by SystemAdmin)

I’ve not found a simple way to accomplish this, but what I did do was export all the tasks into a .bes file and open that up in Notepad++. Using one of the parsing plugins I was able to extract the text which indicated how the check was done.

If there’s an easier way to do this I’m all ears.

Thanks,

Baraq

Console version 8.1.551.0 with DSS-SAM Version 1.3.1.597
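
The export-and-search approach described in the post above can be scripted; this is an added example, not part of the original thread. It assumes the .bes export is XML with `Fixlet`/`Task` elements that carry `Title` and `Description` children; the sample content and the search phrases are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a console .bes export; the titles and
# descriptions are invented for illustration, not real FDCC/USGCB content.
SAMPLE_BES = """<BES>
  <Fixlet>
    <Title>Sample check A</Title>
    <Description><![CDATA[<p>This check reads the <b>local policy</b> setting.</p>]]></Description>
    <Relevance>true</Relevance>
  </Fixlet>
  <Fixlet>
    <Title>Sample check B</Title>
    <Description><![CDATA[<p>Evaluates the GPO and the Local Policy value.</p>]]></Description>
    <Relevance>true</Relevance>
  </Fixlet>
  <Task>
    <Title>Sample task C</Title>
    <Description><![CDATA[<p>Restarts a service.</p>]]></Description>
    <Relevance>true</Relevance>
  </Task>
</BES>"""

# Assumed search phrases; adjust to the wording your sites' descriptions use.
PATTERNS = {
    "gpo": re.compile(r"\bGPO\b|group\s+policy", re.I),
    "local_policy": re.compile(r"local\s+(security\s+)?policy", re.I),
}

def classify_bes(xml_text):
    """Return [(title, sorted matched labels)] for every item in the export."""
    results = []
    for item in ET.fromstring(xml_text):
        title = (item.findtext("Title") or "").strip()
        # Descriptions are HTML; drop tags so phrases split by markup still match.
        text = re.sub(r"<[^>]+>", " ", item.findtext("Description") or "")
        labels = sorted(k for k, rx in PATTERNS.items() if rx.search(text))
        results.append((title, labels))
    return results

if __name__ == "__main__":
    for title, labels in classify_bes(SAMPLE_BES):
        print(f"{title}: {', '.join(labels) or 'no mention'}")
```

Items that come back with no label are the ones that still need a manual look at the description or relevance.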

(imported comment written by jeremylam)

You can probably use session relevance, depending on how you are selecting the fixlets.

Here’s an example query that checks in BES Support for all Fixlets that specifically target Windows XP:

(id of it, name of it) of fixlets whose (relevance of it contains "WinXP") of bes sites whose (name of it = "BES Support")

75, Restart BES Clients

131, Internet Connection Firewall is Blocking BES Traffic - BES Client

140, Internet Connection Firewall is Blocking BES Traffic - BES Client (WSH disabled)

288, Windows Firewall is Blocking BES Traffic - BES Client

For all the properties of the bes fixlet object, run:

properties of type "bes fixlet"

(imported comment written by SystemAdmin)

You could also create a Custom Filter on Fixlets that Include ‘Name or Description’ containing ‘GPO’

Mark.

(imported comment written by Eric Walker)

Hi bisbell,

What is the purpose of the report that you’re putting together?

In general the content is only trying to look at local policy; or, more specifically, the policy that the operating system and applications take into account, which is what is exposed through various Windows APIs. Depending on the operating system there are ways to control most or all of these local settings by way of group policy, and when a GPO is successfully applied it will generally update local policy. In a handful of cases the only known way to read a setting is through WMI, but reading information made available by way of WMI RSOP classes is not necessarily the same as determining what a domain controller is attempting to enforce as group policy, since there may be replication errors and so on.

So I think it will be hard to do what you’re trying to do, unless I’ve misunderstood your question.

Eric

(imported comment written by SystemAdmin)

Thanks everyone for the replies, they’ve been very helpful. I’m not trying to create a report, I’m trying to validate the results our security team put together against the agencies in our company. They have a number of machines that are applicable for a local policy change which makes them out of compliance. The agencies insist they are in compliance because the GPO is set correctly. The old version of these checks looked at the GPO and local policy, while the new checks only look at local policy. What I’m trying to prove to them is that even if GPO is set correctly they can still be out of compliance because of the local policy.

I believe I’ve achieved this and validated my results. I was a bit confused at first because the new checks are not looking at GPO. So when these machines came back as out of compliance I initially blamed the GPO.

So, I think we’re good now. Again, thanks for the info.

-Baraq

Console version 8.1.551.0 with DSS-SAM Version 1.3.1.597