Relevance to check Register keys

abiurrunc 2023-09-08 08:00:36 UTC #1

Hi.
I need to do a relevance that verify is two register keys exists in servers and if them exist if the value is the right one. Basically I need to verify SSL 2.0 and SSL 3.0 is set in all our windows server.

I test some relevances, the one that I have now is this:

(name of it contains "Win20") of operating system and (not exists values "Enabled" whose (it = "0") of keys "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" of (x32 registry) or not exists values "Enabled" whose (it = "0") of keys "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" of (x32 registry))

What should be the right way to do it?

THanks in advance,

Angel.

ageorgiev 2023-09-08 08:34:24 UTC #2

Not very clear from your description but I would imagine you are aiming that at least the Enabled value of either 2.0 or 3.0 is set to “1”? If that is the case this is how I would write it - see below. Couple of pointers:

Don’t need to specify x32 registry since HKLM\System is not redirected
Relevance uses the notation key “HKLM…”, no “:” like Powershell would have
I personally try to merge statements as much as possible instead of repeating the same inspectors with full paths, etc - find it much easier to read/troubleshoot and it can be much faster/better optimized (not an issue in your case but with heavier inspectors it is)

(name of it contains "Win20") of operating system and (exist key "SSL 2.0\Server" whose (exist value "Enabled" whose (it as string != "0") of it) of it OR exist key "SSL 3.0\Server" whose (exist value "Enabled" whose (it as string != "0") of it) of it) of key "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols" of registry

abiurrunc 2023-09-08 10:26:19 UTC #3

Hi Ageorgiev.

Thanks for your fast answer, your solution give me the servers that has the key configured with value different than 0. Now I need to add I need too the servers that don’t have the key, I added this to check if it exist bot doesn’t work:

(not exist key "SSL 2.0\Server" OR not exist key "SSL 3.0\Server" of it) of key "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols" of registry

The quetions are:
Server that don’t have any of these keys:

“HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\2.0\Server”
“HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\3.0\Server”

or those who these keys are configured with Enabled != 0

I’m still making test .

Thanks in advance,
Angel.

ageorgiev 2023-09-08 10:41:10 UTC #4

Yes, I took a guess as I wasn’t clear what you are after but feel free to adjust as needed.

You are missing “of it” after SSL 2.0, nearly had it.

(not exist key "SSL 2.0\Server" of it OR not exist key "SSL 3.0\Server" of it) of key "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols" of registry

You can also make combination of it (check if the keys don’t exist and then check if they do, whether the values are what you want them to be too.

abiurrunc 2023-09-08 11:01:31 UTC #5

You are right, many thanks, it works

abiurrunc 2023-09-13 09:37:19 UTC #6

Hi.

@ageorgiev can you help me here?

Now this is getting complicated, I need to relevenace by these register keys:
“HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server”
“HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server”
“HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client”
“HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client”

Where each of this does not has these Keys or the value of each is different of :
Enabled = 0 Dword
DisabledByDefault = 1 Dword

I did this but it doesn’t work as expected:

(name of it contains "Win2012") of operating system 
AND (exist key "SSL 2.0\Server" whose (exist value "Enabled" whose (it as string != "0") of it) of it 
OR (exist key "SSL 2.0\Server" whose (exist value "DisabledByDefault" whose (it as string != "1") of it) of it
OR exist key "SSL 3.0\Server" whose (exist value "Enabled" whose (it as string != "0") of it) of it) 
OR exist key "SSL 3.0\Server" whose (exist value "DisabledByDefault" whose (it as string != "1") of it) of it) 
of key "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols" of registry 
OR (not exist key "SSL 2.0\Server" of it OR not exist key "SSL 3.0\Server" of it) of key "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols" of registry 
OR (exist key "SSL 2.0\Client" whose (exist value "Enabled" whose (it as string != "0") of it) of it 
OR (exist key "SSL 2.0\Client" whose (exist value "DisabledByDefault" whose (it as string != "1") of it) of it 
OR exist key "SSL 3.0\Client" whose (exist value "Enabled" whose (it as string != "0") of it) of it) 
OR exist key "SSL 3.0\Client" whose (exist value "DisabledByDefault" whose (it as string != "1") of it) of it) 
of key "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols" of registry 
OR (not exist key "SSL 2.0\Client" of it OR not exist key "SSL 3.0\Client" of it) of key "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols" of registry

I will apreciate a lot your help.

Thanks in advance,
Angel.

ageorgiev 2023-09-13 17:31:20 UTC #7

Try this:
(name of it contains "Win20") of operating system and ((not exist key "SSL 2.0\Client" of it OR exist key "SSL 2.0\Client" whose (exist value "Enabled" whose (it as string != "0") of it or exist value "DisabledByDefault" whose (it as string != "1") of it) of it) OR (not exist key "SSL 2.0\Server" of it OR exist key "SSL 2.0\Server" whose (exist value "Enabled" whose (it as string != "0") of it or exist value "DisabledByDefault" whose (it as string != "1") of it) of it) OR (not exist key "SSL 3.0\Client" of it OR exist key "SSL 3.0\Client" whose (exist value "Enabled" whose (it as string != "0") of it or exist value "DisabledByDefault" whose (it as string != "1") of it) of it) OR (not exist key "SSL 3.0\Server" of it OR exist key "SSL 3.0\Server" whose (exist value "Enabled" whose (it as string != "0") of it or exist value "DisabledByDefault" whose (it as string != "1") of it) of it)) of key "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols" of registry

abiurrunc 2023-09-15 05:38:39 UTC #8

Hi @ageorgiev

Many thanks, it works, I’m learning a lot from you.

Have a nice weekend,
Angel

ageorgiev 2023-09-15 05:42:45 UTC #9

Glad it’s working! You too.