Hi.
I need to write a relevance that verifies whether two registry keys exist on servers and, if they exist, whether the value is the right one. Basically I need to verify that SSL 2.0 and SSL 3.0 are set on all our Windows servers.
I tested some relevances; the one that I have now is this:
(name of it contains "Win20") of operating system and (not exists values "Enabled" whose (it = "0") of keys "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" of (x32 registry) or not exists values "Enabled" whose (it = "0") of keys "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" of (x32 registry))
What should be the right way to do it?
Thanks in advance,
Angel.
Not very clear from your description but I would imagine you are aiming that at least the Enabled value of either 2.0 or 3.0 is set to “1”? If that is the case this is how I would write it - see below. Couple of pointers:
- Don’t need to specify x32 registry since HKLM\System is not redirected
- Relevance uses the notation key “HKLM…”, no “:” like PowerShell would have
- I personally try to merge statements as much as possible instead of repeating the same inspectors with full paths, etc - find it much easier to read/troubleshoot and it can be much faster/better optimized (not an issue in your case but with heavier inspectors it is)
(name of it contains "Win20") of operating system and (exist key "SSL 2.0\Server" whose (exist value "Enabled" whose (it as string != "0") of it) of it OR exist key "SSL 3.0\Server" whose (exist value "Enabled" whose (it as string != "0") of it) of it) of key "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols" of registry
Hi Ageorgiev.
Thanks for your fast answer. Your solution gives me the servers that have the key configured with a value different than 0. Now I also need to add the servers that don’t have the key. I added this to check if it exists but it doesn’t work:
(not exist key "SSL 2.0\Server" OR not exist key "SSL 3.0\Server" of it) of key "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols" of registry
The questions are:
Servers that don’t have any of these keys:
- “HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\2.0\Server”
- “HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\3.0\Server”
or those where these keys are configured with Enabled != 0
I’m still testing.
Thanks in advance,
Angel.
Yes, I took a guess as I wasn’t clear what you are after but feel free to adjust as needed.
You are missing “of it” after SSL 2.0, nearly had it.
(not exist key "SSL 2.0\Server" of it OR not exist key "SSL 3.0\Server" of it) of key "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols" of registry
You can also make a combination of it (check if the keys don’t exist and then, if they do, check whether the values are what you want them to be too).
You are right, many thanks, it works
Hi.
@ageorgiev can you help me here?
Now this is getting complicated. I need to write relevance for these registry keys:
“HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server”
“HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server”
“HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client”
“HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client”
Where each of these does not have these keys or the value of each is different from:
Enabled = 0 Dword
DisabledByDefault = 1 Dword
I did this but it doesn’t work as expected:
(name of it contains "Win2012") of operating system
AND (exist key "SSL 2.0\Server" whose (exist value "Enabled" whose (it as string != "0") of it) of it
OR (exist key "SSL 2.0\Server" whose (exist value "DisabledByDefault" whose (it as string != "1") of it) of it
OR exist key "SSL 3.0\Server" whose (exist value "Enabled" whose (it as string != "0") of it) of it)
OR exist key "SSL 3.0\Server" whose (exist value "DisabledByDefault" whose (it as string != "1") of it) of it)
of key "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols" of registry
OR (not exist key "SSL 2.0\Server" of it OR not exist key "SSL 3.0\Server" of it) of key "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols" of registry
OR (exist key "SSL 2.0\Client" whose (exist value "Enabled" whose (it as string != "0") of it) of it
OR (exist key "SSL 2.0\Client" whose (exist value "DisabledByDefault" whose (it as string != "1") of it) of it
OR exist key "SSL 3.0\Client" whose (exist value "Enabled" whose (it as string != "0") of it) of it)
OR exist key "SSL 3.0\Client" whose (exist value "DisabledByDefault" whose (it as string != "1") of it) of it)
of key "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols" of registry
OR (not exist key "SSL 2.0\Client" of it OR not exist key "SSL 3.0\Client" of it) of key "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols" of registry
I will appreciate your help a lot.
Thanks in advance,
Angel.
Try this:
(name of it contains "Win20") of operating system and ((not exist key "SSL 2.0\Client" of it OR exist key "SSL 2.0\Client" whose (exist value "Enabled" whose (it as string != "0") of it or exist value "DisabledByDefault" whose (it as string != "1") of it) of it) OR (not exist key "SSL 2.0\Server" of it OR exist key "SSL 2.0\Server" whose (exist value "Enabled" whose (it as string != "0") of it or exist value "DisabledByDefault" whose (it as string != "1") of it) of it) OR (not exist key "SSL 3.0\Client" of it OR exist key "SSL 3.0\Client" whose (exist value "Enabled" whose (it as string != "0") of it or exist value "DisabledByDefault" whose (it as string != "1") of it) of it) OR (not exist key "SSL 3.0\Server" of it OR exist key "SSL 3.0\Server" whose (exist value "Enabled" whose (it as string != "0") of it or exist value "DisabledByDefault" whose (it as string != "1") of it) of it)) of key "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols" of registry
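A local cross-check of the same four subkeys in PowerShell, added here as an example and not part of the thread; the function name `Test-SchannelSubkey` is made up for illustration. Unlike the relevance above, it also reports a subkey that exists but lacks the `Enabled` or `DisabledByDefault` value, a case the `exist value ... whose (...)` clauses do not match.

```powershell
# Added example (not from the thread): audit the SCHANNEL subkeys on the local host.
# Expected values are the ones stated in the thread: Enabled = 0, DisabledByDefault = 1.
$base     = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$expected = [ordered]@{ Enabled = 0; DisabledByDefault = 1 }

function Test-SchannelSubkey {   # hypothetical helper name
    param(
        [string]$Path,
        [System.Collections.IDictionary]$Expected
    )

    # Case 1: the subkey itself is absent ("not exist key" in the relevance).
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Key = $Path; Compliant = $false; Reason = 'key missing' }
    }

    $key = Get-Item -LiteralPath $Path
    $problems = foreach ($name in $Expected.Keys) {
        # GetValue returns the supplied default ($null) when the value does not exist.
        $value = $key.GetValue($name, $null)
        if ($null -eq $value) {
            # Case 2: key present but value absent (not reported by the relevance).
            "$name missing"
        }
        elseif ([string]$value -ne [string]$Expected[$name]) {
            # Case 3: value present but wrong; compared as strings, like "it as string".
            "$name = $value"
        }
    }

    [pscustomobject]@{
        Key       = $Path
        Compliant = (@($problems).Count -eq 0)
        Reason    = $problems -join '; '
    }
}

# Walk SSL 2.0 / SSL 3.0 and Server / Client, the four subkeys listed in the question.
$results = foreach ($proto in 'SSL 2.0', 'SSL 3.0') {
    foreach ($role in 'Server', 'Client') {
        Test-SchannelSubkey -Path (Join-Path $base "$proto\$role") -Expected $expected
    }
}

$results | Format-List
```

A host is non-compliant by the thread's criteria when any of the four rows shows `Compliant : False`.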
Hi @ageorgiev
Many thanks, it works, I’m learning a lot from you.
Have a nice weekend,
Angel
Glad it’s working! You too.