Query Registry key

Hi,

I am trying to write an analysis that looks at the registry key for Microsoft Remote Desktop. We use an alternate port, and I need to find those that are not configured properly. I have this, but its value doesn’t change when I modify the port number. It just evaluates to “false”, which isn’t right.

exists key whose (value "PortNumber" of it as string equals "3389" of (value "PortNumber" of it as string as version)) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\" of native registry

Thanks

You can use this relevance to get the port number:

value "PortNumber" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\" of native registry

And this relevance will return true if the port is set to 3389:

(value "PortNumber" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\" of native registry) as string is "3389"

And this relevance will return false if the port is set to 3389:

(value "PortNumber" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\" of native registry) as string is not "3389"

As for fixing your original query – here’s my best guess:

I guess I’m not sure what the purpose of this line was:

(value "PortNumber" of it as string equals "3389" of (value "PortNumber" of it as string as version))

It seems like you can just replace that with:

(value "PortNumber" of it as string equals "3389")

That leaves us with:

exists key whose (value "PortNumber" of it as string equals "3389") of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\" of native registry

I think the issue with this is the “key whose” part at the beginning. With this I think we are now looking at subkeys of the RDP-Tcp key, that is, the keys inside of the RDP-Tcp key. By getting rid of “key whose” we are now checking to see if exists (a value called PortNumber whose value is 3389) of key. Relevance:

exists (value "PortNumber" of it as string equals "3389") of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\" of native registry

The issue with this relevance is that it will return true no matter what. The (value "PortNumber" of it as string equals "3389") returns false if the value is not 3389; it does not return an error. This means that an exists statement will always return true no matter what the port value is. Our final relevance is:

(value "PortNumber" of it as string equals "3388") of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\" of native registry

See this analysis: http://bigfix.me/analysis/details/2994595

Also, lately, I have been preferring to do it this way:

values "PortNumber" of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" of ( x64 registries; x32 registries )

To check if it is set to the default:

exists values "PortNumber" whose (it as string equals "3389") of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" of ( x64 registries; x32 registries )
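The relevance above only tells you what the PortNumber value says. The same check, written as an added PowerShell example for running directly on an endpoint (this is not code from the thread or from BigFix), also reports whether anything is actually listening on 3389, because the registry value only takes effect after TermService restarts, and a box whose key was changed can still be answering on the default port. The expected alternate port is passed in as the hypothetical parameter $ExpectedPort; the cmdlets used are standard Windows PowerShell 5.1 / NetTCPIP module cmdlets.

```powershell
# Added example: audit the RDP listener port on the local machine.
# $ExpectedPort is an assumed parameter, not something the thread defines.
function Test-RdpPortConfiguration {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][ValidateRange(1, 65535)][int]$ExpectedPort
    )

    if ($ExpectedPort -eq 3389) { throw 'ExpectedPort must be the alternate port, not the default 3389' }

    $keyPath = 'SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

    # Open the 64-bit view explicitly so a 32-bit PowerShell host reads the
    # same data the BigFix "native registry" inspector sees.
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine,
        [Microsoft.Win32.RegistryView]::Registry64)
    $key = $base.OpenSubKey($keyPath)
    if (-not $key) { throw "Registry key HKLM\$keyPath not found" }
    $configured = [int]$key.GetValue('PortNumber')
    $key.Close(); $base.Close()

    # fDenyTSConnections = 1 means Remote Desktop connections are disabled.
    $tsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $denied = (Get-ItemProperty -Path $tsRoot -Name fDenyTSConnections `
                -ErrorAction SilentlyContinue).fDenyTSConnections

    # The registry says what the service will use after a restart; check
    # which of the two ports is actually bound right now.
    $listening = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in @(3389, $ExpectedPort) } |
        Select-Object -ExpandProperty LocalPort -Unique)

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        ConfiguredPort    = $configured
        ExpectedPort      = $ExpectedPort
        RdpDisabled       = ($denied -eq 1)
        ListeningOn3389   = (3389 -in $listening)
        ListeningExpected = ($ExpectedPort -in $listening)
        # Non-compliant if the key still says 3389, or if something is still
        # listening on 3389 (restart pending, or another service bound there).
        Compliant         = ($configured -eq $ExpectedPort) -and -not (3389 -in $listening)
    }
}

# Usage (port value is an example): Test-RdpPortConfiguration -ExpectedPort 33890
```

Run it elevated; Get-NetTCPConnection needs Windows 8 / Server 2012 or later. The Compliant field is deliberately stricter than the relevance: a machine whose PortNumber was changed but that still has a listener on 3389 is reported as non-compliant, which is the case the registry-only check misses.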