Registry Vulnerabilities Reporting Incorrectly?

(imported topic written by jonathontaylor91)

Hello,

We have several Windows 2003 R2 servers showing at least two registry vulnerabilities that are incorrect. The first is Q315231, “Automatic Logon Enabled”. We have the key set via GPO to disabled, but BES is showing this as requiring resolution. The only difference is that in the fixlet relevance the key is mixed case, whereas on the server they are all lower case. Any reason why the default relevancies are not using lowercase() on these comparisons?

The second issue is Q147706 “LM Authentication Enabled”. We have our key set to 4 which is more secure than the value of 2 the fixlet wants to change it to. The fixlet seems to be designed around NT4 and should be checking to see if the value is already higher than what it wants to set everything to. Furthermore, one of the SANS vulnerability checks wants to set the value to 5 so it would override the BES fixlet.

Anyone else seen this or have recommendations?

Thanks!

(imported comment written by MY6591)

We will investigate these.

Thanks

(imported comment written by MY6591)

Hi,

We have the second problem solved. And we modified our content.

However, we need some help figuring out the first problem. Could you tell me what the actual value for “AutoAdminLogon” of registry key “HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon” is on computers that are showing up as relevant?

(imported comment written by jonathontaylor91)

Excellent, thank you!

For the first problem our key looks like this

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon and the value is 0

(imported comment written by rwest23)

Could you also check what type of value “AutoAdminLogon” is? The relevance is expecting a string (REG_SZ) value and may be generating a false positive if “AutoAdminLogon” is actually a DWORD (REG_DWORD) value. Thank you!

(imported comment written by jonathontaylor91)

It is in fact a REG_DWORD on all of our servers and we are setting the value with Group Policy.

(imported comment written by rwest23)

Well, that would be the problem then. We’ll have a new version that supports both string and dword values out shortly. Thank you for the help debugging, and please let us know if you find any other issues with our products.

(imported comment written by jonathontaylor91)

Sounds good, we’ll keep an eye out for the update.
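
The two false positives discussed in this thread, as an added example that is not BES content or code from any poster: a check that accepts AutoAdminLogon as either REG_SZ or REG_DWORD, and treats the LM authentication level as a minimum rather than an exact value. Registry reads are modelled as constructed (type, data) tuples so it runs offline; the function names, the string-only model of the old check, and the handling of absent values are assumptions, and `LmCompatibilityLevel` is the registry value name behind Q147706.

```python
REG_SZ, REG_DWORD = "REG_SZ", "REG_DWORD"
MIN_LM_LEVEL = 2  # level the thread says the fixlet sets; higher values are stricter

def string_only_autologon_flag(value):
    """Hypothetical model of a check that only understands REG_SZ data."""
    return not (value is not None and value[0] == REG_SZ and value[1] == "0")

def autologon_enabled(value):
    """value is None when absent, else (type, data); both types are accepted."""
    if value is None:
        return False  # assumption: an absent value is treated as not enabled
    kind, data = value
    if kind not in (REG_SZ, REG_DWORD):
        raise ValueError(f"unexpected type {kind} for AutoAdminLogon")
    # "0"/0 means disabled; any other number is reported; non-numeric text raises
    return int(str(data).strip() or "0") != 0

def lm_level_too_low(value, minimum=MIN_LM_LEVEL):
    """Flag only levels below the minimum, never levels above it."""
    if value is None:
        return True  # assumption: an unset level is reported for review
    kind, data = value
    if kind != REG_DWORD:
        raise ValueError(f"unexpected type {kind} for LmCompatibilityLevel")
    return int(data) < minimum

def evaluate(host):
    """Return the list of finding IDs that apply to one host's values."""
    findings = []
    if autologon_enabled(host.get("AutoAdminLogon")):
        findings.append("Q315231")
    if lm_level_too_low(host.get("LmCompatibilityLevel")):
        findings.append("Q147706")
    return findings

# Constructed samples: the first mirrors the values reported in the thread.
GPO_SERVER = {"AutoAdminLogon": (REG_DWORD, 0), "LmCompatibilityLevel": (REG_DWORD, 4)}
WEAK_HOST = {"AutoAdminLogon": (REG_SZ, "1"), "LmCompatibilityLevel": (REG_DWORD, 1)}

if __name__ == "__main__":
    for name, host in (("gpo-server", GPO_SERVER), ("weak-host", WEAK_HOST)):
        old = string_only_autologon_flag(host.get("AutoAdminLogon"))
        print(name, "string-only check flags autologon:", old, "| findings:", evaluate(host))
```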