I’ve been tasked to pull back information on fixlets in the FDCC and USGCB Windows sites. What I need to gather is what fixlets check local policy and/or GPO. I see a lot of them clearly state this in the description tab but I have over 1,000 to check.
Is there an easy way to gather this info? Or am I stuck drilling into each of them to find this out?
Any info will be appreciated.
Thanks,
Baraq
Console version 8.1.551.0 with DSS-SAM Version 1.3.1.597
I’ve not found a simple way to accomplish this but what I did do was export all the tasks into a .bes file and open that up in Notepad++. Using one of the parsing plugins I was able to extract out the text which indicated how the check was done.
If there’s an easier way to do this I’m all ears.
Thanks,
Baraq
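The export-and-extract approach described in the post above can be scripted. The following is an added example, not part of the original thread: it assumes the export keeps one `Fixlet` or `Task` element per item with an HTML `Description`, and the sample export and keyword patterns are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample standing in for a console export (.bes is XML).
SAMPLE_BES = """<BES>
  <Fixlet>
    <Title>Constructed: Minimum password length</Title>
    <Description><![CDATA[<p>This check reads the <b>local security policy</b>.</p>]]></Description>
    <Relevance>true</Relevance>
  </Fixlet>
  <Fixlet>
    <Title>Constructed: Screen saver timeout</Title>
    <Description><![CDATA[<p>Evaluates the Group Policy setting and local policy.</p>]]></Description>
    <Relevance>true</Relevance>
  </Fixlet>
  <Task>
    <Title>Constructed: Audit logon events</Title>
    <Description><![CDATA[<p>Checks audit configuration.</p>]]></Description>
    <Relevance>true</Relevance>
  </Task>
</BES>"""

# Assumed wording; adjust to the phrases the site's descriptions actually use.
PATTERNS = {
    "local_policy": re.compile(r"local\s+(security\s+)?policy", re.I),
    "gpo": re.compile(r"\bGPO\b|group\s+policy", re.I),
}

def classify(bes_xml):
    """Return [(title, labels)] for every Fixlet/Task in the export."""
    root = ET.fromstring(bes_xml)
    rows = []
    for item in root:
        if item.tag not in ("Fixlet", "Task"):
            continue  # skip any other element types in the export
        title = (item.findtext("Title") or "").strip()
        html = item.findtext("Description") or ""
        text = re.sub(r"<[^>]+>", " ", html)  # drop HTML markup before matching
        labels = sorted(k for k, rx in PATTERNS.items() if rx.search(text))
        # Items matching no pattern are flagged for manual review, not dropped.
        rows.append((title, labels or ["unclassified"]))
    return rows

if __name__ == "__main__":
    for title, labels in classify(SAMPLE_BES):
        print(f"{','.join(labels):22} {title}")
```

For a real export, read the file's text and pass it to `classify`; anything reported as `unclassified` still needs a manual look at its description.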
What is the purpose of the report that you’re putting together?
In general the content is only trying to look at local policy; or, more specifically, the policy that the operating system and applications take into account, which is what is exposed through various Windows APIs. Depending on the operating system there are ways to control most or all of these local settings by way of group policy, and when a GPO is successfully applied it will generally update local policy. In a handful of cases the only known way to read a setting is through WMI, but reading information made available by way of WMI RSOP classes is not necessarily the same as determining what a domain controller is attempting to enforce as group policy, since there may be replication errors and so on.
So I think it will be hard to do what you’re trying to do, unless I’ve misunderstood your question.
Thanks everyone for the replies; they’ve been very helpful. I’m not trying to create a report, I’m trying to validate the results our security team put together against the agencies in our company. They have a number of machines that are applicable for a local policy change which makes them out of compliance. The agencies insist they are in compliance because the GPO is set correctly. The old version of these checks looked at the GPO and local policy, while the new checks only look at local policy. What I’m trying to prove to them is that even if GPO is set correctly they can still be out of compliance because of the local policy.
I believe I’ve achieved this and validated my results. I was a bit confused at first because the new checks are not looking at GPO. So when these machines came back as out of compliance I initially blamed the GPO.
So, I think we’re good now. Again, thanks for the info.
-Baraq