So, I have a relevance statement that I would really like to simplify - it contains a lot of negations, which makes it somewhat hard to understand…
Anyway, here’s the statement:
not (((not exists (substrings separated by "%00" whose (it != "") of (values "NullSessionPipes" of keys "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" of native registry as string)) whose (not exists match (regex ("^$")) of (it as string as lowercase)))))
Well, you can remove the first “not” as that’s obviously redundant, along with some of the extra parentheses.
It would be helpful to know what this is trying to achieve (and whether it actually works), as it seems to be enumerating the results of the multi-value registry key, stripping out any empty entries, splitting it from a single result into multiple elements (and then removing blank entries again - not removed previously?) and finally checking if a result (not) exists.
Not a very useful query, IMO, but then again, I don’t know how/why it’s being used.
This particular query looks to see if Null Session Pipes are allowed on a given machine. The registry key that is being checked is supposed to be empty, and if it’s not, the relevance would be true and the machine would report this relevance statement as being true (i.e. they have named Null Session Pipes configured).
So, the query as written may not be terribly useful (i.e. it may be reporting false information) - but the information it's supposed to be checking for is very important in a security conscious organization. In short, Null Sessions allow for users to anonymously connect to a server… which can be a problem because Microsoft has historically granted too much power to null session users (i.e. enumerating local user accounts) - so it's good security practice to disable their use.
Well, I certainly may be missing something, but having had a quick look at a couple of sites on the web, checking just this registry key value may not be enough. Regardless, I think I can suggest an alternative to the relevance you’ve posted which, to me, seems to perform the same check while being easier to read.
Q: exists substrings separated by "%00" whose (it != "") of (values "NullSessionPipes" of keys "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" of native registry as string)
A: True
The relevance pulls the multi-valued key values, splits them (allowing us to discard any blank entries) and checks if anything is returned. You may want to add a "not" to the beginning of the query, depending on what you're expecting the relevance to reflect (compliance or non-compliance).
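The following is an added example, not code from this thread or from BigFix. It models the same check outside the relevance language so the edge cases discussed above are easy to see: the REG_MULTI_SZ value is rendered as one string with entries joined by "%00" (the convention the relevance above assumes), split on that separator, and any empty entries are discarded before deciding whether a named pipe is actually exposed to null sessions. The registry path and value name are the ones from the thread; the sample renderings and the `read_from_registry` helper (which only does anything on Windows, via the standard `winreg` module) are assumptions of this example.

```python
"""Model of the NullSessionPipes compliance check (added example, not BigFix code)."""
import sys
from typing import List, Optional

# Registry location from the thread (HKEY_LOCAL_MACHINE hive).
NULL_SESSION_PIPES_KEY = r"SYSTEM\CurrentControlSet\Services\LanManServer\Parameters"
NULL_SESSION_PIPES_VALUE = "NullSessionPipes"


def split_multi_sz_string(rendered: str) -> List[str]:
    """Split a "%00"-joined rendering of a REG_MULTI_SZ into its non-empty entries.

    A value that is present but empty renders as "" or "%00", and trailing or doubled
    separators produce empty pieces; filtering them is what turns "value exists" into
    "value actually names a pipe", which is the point of the `whose (it != "")` clause.
    """
    return [entry for entry in rendered.split("%00") if entry != ""]


def evaluate(rendered: Optional[str]) -> dict:
    """Report whether the value is present, which pipes it names, and whether the host is compliant.

    A missing value yields no entries, so it is treated the same way the relevance does:
    nothing exposed, hence compliant.
    """
    if rendered is None:
        return {"present": False, "pipes": [], "compliant": True}
    pipes = split_multi_sz_string(rendered)
    return {"present": True, "pipes": pipes, "compliant": not pipes}


def read_from_registry() -> Optional[str]:
    """Read the live value on Windows and render it "%00"-joined like the relevance does.

    Returns None on non-Windows platforms or when the value is absent (assumption:
    this helper is the only platform-dependent part of the example).
    """
    if sys.platform != "win32":
        return None
    import winreg  # standard library on Windows only
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, NULL_SESSION_PIPES_KEY) as key:
            data, kind = winreg.QueryValueEx(key, NULL_SESSION_PIPES_VALUE)
    except FileNotFoundError:
        return None
    if kind == winreg.REG_MULTI_SZ:
        return "%00".join(data)
    return str(data)


# Constructed sample renderings covering the cases the thread discusses.
SAMPLE_RENDERINGS = {
    "empty value": "",
    "single empty entry": "%00",
    "two pipes, trailing separator": "COMNAP%00COMNODE%00",
    "doubled separators": "%00%00spoolss",
}

if __name__ == "__main__":
    for label, rendered in SAMPLE_RENDERINGS.items():
        report = evaluate(rendered)
        print(f"{label:32} pipes={report['pipes']} compliant={report['compliant']}")
    live = read_from_registry()
    if live is not None:
        print("live value:", evaluate(live))
```

Run it as-is to see the four constructed cases; on a Windows host it also evaluates the real value. If you want the script's result to match a relevance that begins with "not", negate the `compliant` field rather than the split logic.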