Security Configuration Fixlet relevance

I’m trying to customize the relevance for the following fixlet; I want it to allow the Backup Operators group as well as the Administrators group.
The Restore files and directories user right must only be assigned to the Administrators group.

This is the original relevance:

not exists 1 whose (exists (concatenation ", " of (it as string) of (exist privileges whose (it as lowercase = (it as lowercase) of "serestoreprivilege") of it = (it != 0) of 0) of (security accounts (names of local users); local groups; security accounts ("Everyone"; "LOCAL"; "CREATOR OWNER"; "CREATOR GROUP"; "CREATOR OWNER SERVER"; "CREATOR GROUP SERVER"; "NT Pseudo Domain\NT Pseudo Domain"; "NT AUTHORITY\DIALUP"; "NT AUTHORITY\NETWORK"; "NT AUTHORITY\BATCH"; "NT AUTHORITY\INTERACTIVE"; "NT AUTHORITY\SERVICE"; "NT AUTHORITY\ANONYMOUS LOGON"; "NT AUTHORITY\PROXY"; "NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS"; "NT AUTHORITY\SELF"; "NT AUTHORITY\Authenticated Users"; "NT AUTHORITY\RESTRICTED"; "NT AUTHORITY\TERMINAL SERVER USER"; "NT AUTHORITY\REMOTE INTERACTIVE LOGON"; "NT AUTHORITY\SYSTEM"; "NT AUTHORITY\LOCAL SERVICE"; "NT AUTHORITY\NETWORK SERVICE"; "Domain Admins"; "Enterprise Admins"; "Local account"; "Local account and member of Administrators group")) whose (True) whose (not ((if (it starts with "" or it starts with "NT AUTHORITY" or it starts with "BUILTIN") then following text of first "" of it else it) of (it as string) of sid of it = "Administrators"))) whose (number of substrings separated by ", " whose (it is not "") of it > 0 and number of substrings separated by ", " whose (it is not "") whose (it as boolean is False) of it = 0))

The following is the best I’ve been able to come up with but I can’t figure out how to get rid of the indicated error:

Q: not exists 1 whose (exists (concatenation ", " of (it as string) of (exist privileges whose (it as lowercase = (it as lowercase) of "serestoreprivilege") of it = (it != 0) of 0) of (security accounts (names of local users); local groups; security accounts ("Everyone"; "LOCAL"; "CREATOR OWNER"; "CREATOR GROUP"; "CREATOR OWNER SERVER"; "CREATOR GROUP SERVER"; "NT Pseudo Domain\NT Pseudo Domain"; "NT AUTHORITY\DIALUP"; "NT AUTHORITY\NETWORK"; "NT AUTHORITY\BATCH"; "NT AUTHORITY\INTERACTIVE"; "NT AUTHORITY\SERVICE"; "NT AUTHORITY\ANONYMOUS LOGON"; "NT AUTHORITY\PROXY"; "NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS"; "NT AUTHORITY\SELF"; "NT AUTHORITY\Authenticated Users"; "NT AUTHORITY\RESTRICTED"; "NT AUTHORITY\TERMINAL SERVER USER"; "NT AUTHORITY\REMOTE INTERACTIVE LOGON"; "NT AUTHORITY\SYSTEM"; "NT AUTHORITY\LOCAL SERVICE"; "NT AUTHORITY\NETWORK SERVICE"; "Domain Admins"; "Enterprise Admins"; "Local account"; "Local account and member of Administrators group"; "Local account and member of Backup Operators group")) whose (True) whose (not ((if (it starts with ("" or it starts with "NT AUTHORITY" or it starts with "BUILTIN")) then following text of first "" of it else it) of ((it as string) of sid of it = "Administrators") OR (if (it starts with ("" or it starts with "NT AUTHORITY" or it starts with "BUILTIN")) then following text of first "" of it else it) of ((it as string) of sid of it = "Backup Operators")))) whose (number of substrings separated by ", " whose (it is not "") of it > 0 and number of substrings separated by ", " whose (it is not "") whose (it as boolean is False) of it = 0))
E: A boolean expression is required.

I’ve not tested this, but perhaps you could try the following:

not exists 1 whose (exists (concatenation ", " of (it as string) of (exist privileges whose (it as lowercase = (it as lowercase) of "serestoreprivilege") of it = (it != 0) of 0) of (security accounts (names of local users); local groups; security accounts ("Everyone"; "LOCAL"; "CREATOR OWNER"; "CREATOR GROUP"; "CREATOR OWNER SERVER"; "CREATOR GROUP SERVER"; "NT Pseudo Domain\NT Pseudo Domain"; "NT AUTHORITY\DIALUP"; "NT AUTHORITY\NETWORK"; "NT AUTHORITY\BATCH"; "NT AUTHORITY\INTERACTIVE"; "NT AUTHORITY\SERVICE"; "NT AUTHORITY\ANONYMOUS LOGON"; "NT AUTHORITY\PROXY"; "NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS"; "NT AUTHORITY\SELF"; "NT AUTHORITY\Authenticated Users"; "NT AUTHORITY\RESTRICTED"; "NT AUTHORITY\TERMINAL SERVER USER"; "NT AUTHORITY\REMOTE INTERACTIVE LOGON"; "NT AUTHORITY\SYSTEM"; "NT AUTHORITY\LOCAL SERVICE"; "NT AUTHORITY\NETWORK SERVICE"; "Domain Admins"; "Enterprise Admins"; "Local account"; "Local account and member of Administrators group"; "Backup Operators")) whose (True) whose (not ((if (it starts with "" or it starts with "NT AUTHORITY" or it starts with "BUILTIN") then following text of first "" of it else it) of (it as string) of sid of it = "Administrators"))) whose (number of substrings separated by ", " whose (it is not "") of it > 0 and number of substrings separated by ", " whose (it is not "") whose (it as boolean is False) of it = 0))

1 Like

Something still isn’t right. Relevant machines went up instead of down.

I think there is a \ dropped out somewhere…

then following text of first "" of it else it I think should be
then following text of first "\" of it else it

Consider this subset of the relevance with the \ added back in:

sids of (security accounts (names of local users); local groups; security accounts ("Everyone"; "LOCAL"; "CREATOR OWNER"; "CREATOR GROUP"; "CREATOR OWNER SERVER"; "CREATOR GROUP SERVER"; "NT Pseudo Domain\NT Pseudo Domain"; "NT AUTHORITY\DIALUP"; "NT AUTHORITY\NETWORK"; "NT AUTHORITY\BATCH"; "NT AUTHORITY\INTERACTIVE"; "NT AUTHORITY\SERVICE"; "NT AUTHORITY\ANONYMOUS LOGON"; "NT AUTHORITY\PROXY"; "NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS"; "NT AUTHORITY\SELF"; "NT AUTHORITY\Authenticated Users"; "NT AUTHORITY\RESTRICTED"; "NT AUTHORITY\TERMINAL SERVER USER"; "NT AUTHORITY\REMOTE INTERACTIVE LOGON"; "NT AUTHORITY\SYSTEM"; "NT AUTHORITY\LOCAL SERVICE"; "NT AUTHORITY\NETWORK SERVICE"; "Domain Admins"; "Enterprise Admins"; "Local account"; "Local account and member of Administrators group")) whose (True) whose (not (((if (it starts with "" or it starts with "NT AUTHORITY" or it starts with "BUILTIN") then following text of first "\" of it else it) of (it as string) of sid of it = "Administrators") OR (((if (it starts with "" or it starts with "NT AUTHORITY" or it starts with "BUILTIN") then following text of first "\" of it else it) of (it as string) of sid of it = "Backup Operators"))))

I tried this version and it appears to allow (but not require) Administrators and Backup Operators as permitted (False relevance). Adding any other accounts causes the relevance to transition to non-compliant (True relevance).

not exists 1 whose (exists (concatenation ", " of (it as string) of (exist privileges whose (it as lowercase = (it as lowercase) of "serestoreprivilege") of it = (it != 0) of 0) of (security accounts (names of local users) ; local groups; security accounts ("Everyone"; "LOCAL"; "CREATOR OWNER"; "CREATOR GROUP"; "CREATOR OWNER SERVER"; "CREATOR GROUP SERVER"; "NT Pseudo Domain\NT Pseudo Domain"; "NT AUTHORITY\DIALUP"; "NT AUTHORITY\NETWORK"; "NT AUTHORITY\BATCH"; "NT AUTHORITY\INTERACTIVE"; "NT AUTHORITY\SERVICE"; "NT AUTHORITY\ANONYMOUS LOGON"; "NT AUTHORITY\PROXY"; "NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS"; "NT AUTHORITY\SELF"; "NT AUTHORITY\Authenticated Users"; "NT AUTHORITY\RESTRICTED"; "NT AUTHORITY\TERMINAL SERVER USER"; "NT AUTHORITY\REMOTE INTERACTIVE LOGON"; "NT AUTHORITY\SYSTEM"; "NT AUTHORITY\LOCAL SERVICE"; "NT AUTHORITY\NETWORK SERVICE"; "Domain Admins"; "Enterprise Admins"; "Local account"; "Local account and member of Administrators group")) whose (True) whose (not (((if (it starts with "" or it starts with "NT AUTHORITY" or it starts with "BUILTIN") then following text of first "\" of it else it) of (it as string) of sid of it = "Administrators") OR ((if (it starts with "" or it starts with "NT AUTHORITY" or it starts with "BUILTIN") then following text of first "\" of it else it) of (it as string) of sid of it = "Backup Operators")))) whose (number of substrings separated by ", " whose (it is not "") of it > 0 and number of substrings separated by ", " whose (it is not "") whose (it as boolean is False) of it = 0))

2 Likes
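For anyone who wants to confirm the same condition outside the relevance debugger, the following is an added example (not BigFix relevance and not code from this thread). It applies the thread's allow-but-not-require logic to the `[Privilege Rights]` section of a `secedit /export /cfg <file>` INI, where each right lists its holders as `*SID` tokens or account names. The export fragment, the prefix-stripping rule (mirroring the relevance's `following text of first "\"`), and the assumption that Administrators and Backup Operators are the default BUILTIN groups with SIDs S-1-5-32-544 and S-1-5-32-551 are all constructed for the example.

```python
"""Check the 'Restore files and directories' user right (SeRestorePrivilege)
against an allow-list, mirroring the logic of the relevance in this thread:
Administrators and Backup Operators are permitted but not required; any other
holder makes the machine non-compliant.

Added example, not BigFix code. Input is the [Privilege Rights] section of a
secedit export, which lists holders as *SID or as account names.
"""

# Well-known SIDs of the two groups the thread permits (assumption: the
# default BUILTIN groups, not renamed or domain groups).
ALLOWED_SIDS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-551": "Backup Operators",
}

# Prefixes the relevance strips before comparing names.
STRIPPED_PREFIXES = ("BUILTIN\\", "NT AUTHORITY\\")

# Constructed secedit export fragment; real exports carry many more lines.
SAMPLE_EXPORT = """[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551,BUILTIN\\Power Users
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(export_text):
    """Return {privilege_name_lower: [holder, ...]} from [Privilege Rights]."""
    rights = {}
    in_section = False
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        holders = [h.strip() for h in value.split(",") if h.strip()]
        rights[name.strip().lower()] = holders
    return rights


def normalize_holder(holder):
    """Map a holder token to a comparable group/account name.

    '*S-1-5-32-544'          -> 'Administrators' (well-known SID table)
    'BUILTIN\\Administrators' -> 'Administrators' (prefix stripped, like the
                                 relevance's `following text of first "\\"`)
    anything else            -> returned unchanged (unknown SIDs stay raw)
    """
    if holder.startswith("*"):
        sid = holder[1:]
        return ALLOWED_SIDS.get(sid, sid)
    for prefix in STRIPPED_PREFIXES:
        if holder.upper().startswith(prefix.upper()):
            return holder[len(prefix):]
    return holder


def unexpected_holders(export_text, privilege="serestoreprivilege",
                       allowed=frozenset(ALLOWED_SIDS.values())):
    """Holders of `privilege` that are not in `allowed`.

    An empty list means compliant (relevance False): the right may be held by
    any subset of `allowed`, including nobody, matching the "allow but not
    require" behaviour observed in the thread. Any extra holder is reported.
    """
    holders = parse_privilege_rights(export_text).get(privilege.lower(), [])
    return [h for h in holders if normalize_holder(h) not in allowed]


def is_compliant(export_text):
    """True when SeRestorePrivilege has no holder outside the allow-list."""
    return not unexpected_holders(export_text)


if __name__ == "__main__":
    extra = unexpected_holders(SAMPLE_EXPORT)
    if extra:
        print("non-compliant, unexpected holders: " + ", ".join(extra))
    else:
        print("compliant")
```

On the constructed sample the check reports `BUILTIN\Power Users` as an unexpected holder, while an export listing only the two allowed SIDs, or only one of them, passes, which is the behaviour the thread describes for the final relevance.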

That did it, Brolly. Thank you!!

1 Like