Security Configuration Module: DISA STIG Windows 2012 Member Server Checklist

Fixlet: The Deny access to this computer from the network user right on member servers must be configured to prevent access from highly privileged domain accounts and local administrator accounts on domain systems, and from unauthenticated access

The relevance for this fixlet is very complex. The intention is to deny various privileged accounts from accessing domain systems from the network. My issue is that I need it to check for BUILTIN\Guests and NT AUTHORITY\ANONYMOUS LOGON only. I don’t need what is there by default. Any advice on how to do this? I’ve placed the default configuration below.

not exists 1 whose (((exists (concatenation ", " of (it as string) of ((type of it = "REG_SZ") of it and ((if type of it = "REG_EXPAND_SZ" or type of it = "REG_MULTI_SZ" then preceding text of first "%00" of (it as string) else it as string) of it = (""))) of values "Domain" of keys "System\CurrentControlSet\Services\TCPIP\Parameters" of keys "HKEY_LOCAL_MACHINE" of native registry) whose (number of substrings separated by ", " whose (it is not "") of it > 0 and number of substrings separated by ", " whose (it is not "") whose (it as boolean is False) of it = 0) and exists (concatenation ", " of (it as string) of (exist privileges whose (it as lowercase = (it as lowercase) of "sedenynetworklogonright") of it = (it != 0) of 1) of (security accounts it) of "Guests") whose (number of substrings separated by ", " whose (it is not "") of it > 0 and number of substrings separated by ", " whose (it is not "") whose (it as boolean is False) of it = 0)))
or (((((exists (concatenation ", " of (it as string) of ((type of it = "REG_SZ") of it and exist matches (regex "^.+$") of (if type of it = "REG_EXPAND_SZ" or type of it = "REG_MULTI_SZ" then preceding text of first "%00" of (it as string) else it as string) of it) of values "Domain" of keys "System\CurrentControlSet\Services\TCPIP\Parameters" of keys "HKEY_LOCAL_MACHINE" of native registry) whose (number of substrings separated by ", " whose (it is not "") of it > 0 and number of substrings separated by ", " whose (it is not "") whose (it as boolean is False) of it = 0) and exists (concatenation ", " of (it as string) of (exist privileges whose (it as lowercase = (it as lowercase) of "sedenynetworklogonright") of it = (it != 0) of 1) of (security accounts it) of "Guests") whose (number of substrings separated by ", " whose (it is not "") of it > 0 and number of substrings separated by ", " whose (it is not "") whose (it as boolean is False) of it = 0)) and exists (concatenation ", " of (it as string) of (exist privileges whose (it as lowercase = (it as lowercase) of "sedenynetworklogonright") of it = (it != 0) of 1) of (security accounts (names of local users); local groups; security accounts ("Everyone"; "LOCAL"; "CREATOR OWNER"; "CREATOR GROUP"; "CREATOR OWNER SERVER"; "CREATOR GROUP SERVER"; "NT Pseudo Domain\NT Pseudo Domain"; "NT AUTHORITY\DIALUP"; "NT AUTHORITY\NETWORK"; "NT AUTHORITY\BATCH"; "NT AUTHORITY\INTERACTIVE"; "NT AUTHORITY\SERVICE"; "NT AUTHORITY\ANONYMOUS LOGON"; "NT AUTHORITY\PROXY"; "NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS"; "NT AUTHORITY\SELF"; "NT AUTHORITY\Authenticated Users"; "NT AUTHORITY\RESTRICTED"; "NT AUTHORITY\TERMINAL SERVER USER"; "NT AUTHORITY\REMOTE INTERACTIVE LOGON"; "NT AUTHORITY\SYSTEM"; "NT AUTHORITY\LOCAL SERVICE"; "NT AUTHORITY\NETWORK SERVICE"; "Domain Admins"; "Enterprise Admins"; "Local account"; "Local account and member of Administrators group")) whose (exist matches (regex "^.*\\Domain Admins$|^Domain Admins$") of (if (it starts with "\" or it starts with "NT AUTHORITY" or it starts with "BUILTIN") then following text of first "\" of it else it) of (it as string) of sid of it)) whose (number of substrings separated by ", " whose (it is not "") of it > 0 and number of substrings separated by ", " whose (it is not "") whose (it as boolean is False) of it = 0))
and exists (concatenation ", " of (it as string) of (exist privileges whose (it as lowercase = (it as lowercase) of "sedenynetworklogonright") of it = (it != 0) of 1) of (security accounts (names of local users); local groups; security accounts ("Everyone"; "LOCAL"; "CREATOR OWNER"; "CREATOR GROUP"; "CREATOR OWNER SERVER"; "CREATOR GROUP SERVER"; "NT Pseudo Domain\NT Pseudo Domain"; "NT AUTHORITY\DIALUP"; "NT AUTHORITY\NETWORK"; "NT AUTHORITY\BATCH"; "NT AUTHORITY\INTERACTIVE"; "NT AUTHORITY\SERVICE"; "NT AUTHORITY\ANONYMOUS LOGON"; "NT AUTHORITY\PROXY"; "NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS"; "NT AUTHORITY\SELF"; "NT AUTHORITY\Authenticated Users"; "NT AUTHORITY\RESTRICTED"; "NT AUTHORITY\TERMINAL SERVER USER"; "NT AUTHORITY\REMOTE INTERACTIVE LOGON"; "NT AUTHORITY\SYSTEM"; "NT AUTHORITY\LOCAL SERVICE"; "NT AUTHORITY\NETWORK SERVICE"; "Domain Admins"; "Enterprise Admins"; "Local account"; "Local account and member of Administrators group")) whose (exist matches (regex "^.*\\Enterprise Admins$|^Enterprise Admins$") of (if (it starts with "\" or it starts with "NT AUTHORITY" or it starts with "BUILTIN") then following text of first "\" of it else it) of (it as string) of sid of it)) whose (number of substrings separated by ", " whose (it is not "") of it > 0 and number of substrings separated by ", " whose (it is not "") whose (it as boolean is False) of it = 0))
and (((((((exists (concatenation ", " of (it as string) of (exist privileges whose (it as lowercase = (it as lowercase) of "sedenynetworklogonright") of it = (it != 0) of 1) of (security accounts (names of local users); local groups; security accounts ("Everyone"; "LOCAL"; "CREATOR OWNER"; "CREATOR GROUP"; "CREATOR OWNER SERVER"; "CREATOR GROUP SERVER"; "NT Pseudo Domain\NT Pseudo Domain"; "NT AUTHORITY\DIALUP"; "NT AUTHORITY\NETWORK"; "NT AUTHORITY\BATCH"; "NT AUTHORITY\INTERACTIVE"; "NT AUTHORITY\SERVICE"; "NT AUTHORITY\ANONYMOUS LOGON"; "NT AUTHORITY\PROXY"; "NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS"; "NT AUTHORITY\SELF"; "NT AUTHORITY\Authenticated Users"; "NT AUTHORITY\RESTRICTED"; "NT AUTHORITY\TERMINAL SERVER USER"; "NT AUTHORITY\REMOTE INTERACTIVE LOGON"; "NT AUTHORITY\SYSTEM"; "NT AUTHORITY\LOCAL SERVICE"; "NT AUTHORITY\NETWORK SERVICE"; "Domain Admins"; "Enterprise Admins"; "Local account"; "Local account and member of Administrators group")) whose (exist matches (regex "DenyNetworkAccess") of (if (it starts with "\" or it starts with "NT AUTHORITY" or it starts with "BUILTIN") then following text of first "\" of it else it) of (it as string) of sid of it)) whose (number of substrings separated by ", " whose (it is not "") of it > 0 and number of substrings separated by ", " whose (it is not "") whose (it as boolean is False) of it = 0) and 0 = number of local users whose (exist matches (regex ".+") of (if (it starts with "\" or it starts with "NT AUTHORITY" or it starts with "BUILTIN") then following text of first "\" of it else it) of (it as string) of sid of it) whose (not ((number of substrings separated by ", " whose (it is not "") whose (it as boolean) of it = 0) of concatenation ", " of (it as string) of (it = "Administrators") of names of items 0 of (item 0 of it, set of account names of sids of members of item 0 of it, item 1 of it) whose (item 1 of it contains name of item 2 of it) of (local groups, it) of it)) whose (not ((number of substrings separated by ", " whose (it is not "") whose (it as boolean) of it > 0) of concatenation ", " of (it as string) of (exist matches (regex "DenyNetworkAccess") of it) of names of items 0 of (item 0 of it, set of account names of sids of members of item 0 of it, item 1 of it) whose (item 1 of it contains name of item 2 of it) of (local groups, it) of it))))
or ((exists (concatenation ", " of (it as string) of (exist privileges whose (it as lowercase = (it as lowercase) of "sedenynetworklogonright") of it = (it != 0) of 1) of (security accounts (names of local users); local groups; security accounts ("Everyone"; "LOCAL"; "CREATOR OWNER"; "CREATOR GROUP"; "CREATOR OWNER SERVER"; "CREATOR GROUP SERVER"; "NT Pseudo Domain\NT Pseudo Domain"; "NT AUTHORITY\DIALUP"; "NT AUTHORITY\NETWORK"; "NT AUTHORITY\BATCH"; "NT AUTHORITY\INTERACTIVE"; "NT AUTHORITY\SERVICE"; "NT AUTHORITY\ANONYMOUS LOGON"; "NT AUTHORITY\PROXY"; "NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS"; "NT AUTHORITY\SELF"; "NT AUTHORITY\Authenticated Users"; "NT AUTHORITY\RESTRICTED"; "NT AUTHORITY\TERMINAL SERVER USER"; "NT AUTHORITY\REMOTE INTERACTIVE LOGON"; "NT AUTHORITY\SYSTEM"; "NT AUTHORITY\LOCAL SERVICE"; "NT AUTHORITY\NETWORK SERVICE"; "Domain Admins"; "Enterprise Admins"; "Local account"; "Local account and member of Administrators group")) whose (exist matches (regex "^S-1-5-[0-9-]+-500$") of component string of sid of it)) whose (number of substrings separated by ", " whose (it is not "") of it > 0 and number of substrings separated by ", " whose (it is not "") whose (it as boolean is False) of it = 0) and exists (concatenation ", " of (it as string) of (exist privileges whose (it as lowercase = (it as lowercase) of "sedenynetworklogonright") of it = (it != 0) of 1) of (security accounts it) of ((if (it starts with "\" or it starts with "NT AUTHORITY" or it starts with "BUILTIN") then following text of first "\" of it else it) of (it as string) of sid of it) of local users whose (exist matches (regex ".+") of (if (it starts with "\" or it starts with "NT AUTHORITY" or it starts with "BUILTIN") then following text of first "\" of it else it) of (it as string) of sid of it) whose (not ((number of substrings separated by ", " whose (it is not "") whose (it as boolean) of it = 0) of concatenation ", " of (it as string) of (it = "Administrators") of names of items 0 of (item 0 of it, set of account names of sids of members of item 0 of it, item 1 of it) whose (item 1 of it contains name of item 2 of it) of (local groups, it) of it)) whose (not ((number of substrings separated by ", " whose (it is not "") whose (it as boolean is False) of it = 0) of concatenation ", " of (it as string) of ((if exist matches (case insensitive regex "^BUILTIN") of it then "\" & following text of first "\" of it else it) of (it as string) of sid of item 1 of it = item 0 of it) of (((if (it starts with "\" or it starts with "NT AUTHORITY" or it starts with "BUILTIN") then following text of first "\" of it else it) of (it as string) of sid of it) of (security accounts (names of local users); local groups; security accounts ("Everyone"; "LOCAL"; "CREATOR OWNER"; "CREATOR GROUP"; "CREATOR OWNER SERVER"; "CREATOR GROUP SERVER"; "NT Pseudo Domain\NT Pseudo Domain"; "NT AUTHORITY\DIALUP"; "NT AUTHORITY\NETWORK"; "NT AUTHORITY\BATCH"; "NT AUTHORITY\INTERACTIVE"; "NT AUTHORITY\SERVICE"; "NT AUTHORITY\ANONYMOUS LOGON"; "NT AUTHORITY\PROXY"; "NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS"; "NT AUTHORITY\SELF"; "NT AUTHORITY\Authenticated Users"; "NT AUTHORITY\RESTRICTED"; "NT AUTHORITY\TERMINAL SERVER USER"; "NT AUTHORITY\REMOTE INTERACTIVE LOGON"; "NT AUTHORITY\SYSTEM"; "NT AUTHORITY\LOCAL SERVICE"; "NT AUTHORITY\NETWORK SERVICE"; "Domain Admins"; "Enterprise Admins"; "Local account"; "Local account and member of Administrators group")) whose (True) whose (exist matches (regex "^S-1-5-[0-9-]+-500$") of component string of sid of it), (it))))) whose (number of substrings separated by ", " whose (it is not "") of it > 0 and number of substrings separated by ", " whose (it is not "") whose (it as boolean is False) of it = 0))))
or exists (concatenation ", " of (it as string) of (exist privileges whose (it as lowercase = (it as lowercase) of "sedenynetworklogonright") of it = (it != 0) of 1) of (security accounts it) of "Local account and member of Administrators group") whose (number of substrings separated by ", " whose (it is not "") of it > 0 and number of substrings separated by ", " whose (it is not "") whose (it as boolean is False) of it = 0))
or exists (concatenation ", " of (it as string) of (exist privileges whose (it as lowercase = (it as lowercase) of "sedenynetworklogonright") of it = (it != 0) of 1) of (security accounts it) of "Local account") whose (number of substrings separated by ", " whose (it is not "") of it > 0 and number of substrings separated by ", " whose (it is not "") whose (it as boolean is False) of it = 0))
or ((exists (concatenation ", " of (it as string) of (exist privileges whose (it as lowercase = (it as lowercase) of "sedenynetworklogonright") of it = (it != 0) of 1) of (security accounts (names of local users); local groups; security accounts ("Everyone"; "LOCAL"; "CREATOR OWNER"; "CREATOR GROUP"; "CREATOR OWNER SERVER"; "CREATOR GROUP SERVER"; "NT Pseudo Domain\NT Pseudo Domain"; "NT AUTHORITY\DIALUP"; "NT AUTHORITY\NETWORK"; "NT AUTHORITY\BATCH"; "NT AUTHORITY\INTERACTIVE"; "NT AUTHORITY\SERVICE"; "NT AUTHORITY\ANONYMOUS LOGON"; "NT AUTHORITY\PROXY"; "NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS"; "NT AUTHORITY\SELF"; "NT AUTHORITY\Authenticated Users"; "NT AUTHORITY\RESTRICTED"; "NT AUTHORITY\TERMINAL SERVER USER"; "NT AUTHORITY\REMOTE INTERACTIVE LOGON"; "NT AUTHORITY\SYSTEM"; "NT AUTHORITY\LOCAL SERVICE"; "NT AUTHORITY\NETWORK SERVICE"; "Domain Admins"; "Enterprise Admins"; "Local account"; "Local account and member of Administrators group")) whose (exist matches (regex "DeniedNetworkAccess") of (if (it starts with "\" or it starts with "NT AUTHORITY" or it starts with "BUILTIN") then following text of first "\" of it else it) of (it as string) of sid of it)) whose (number of substrings separated by ", " whose (it is not "") of it > 0 and number of substrings separated by ", " whose (it is not "") whose (it as boolean is False) of it = 0) and 0 = number of local users whose (exist matches (regex ".+") of (if (it starts with "\" or it starts with "NT AUTHORITY" or it starts with "BUILTIN") then following text of first "\" of it else it) of (it as string) of sid of it) whose (not ((number of substrings separated by ", " whose (it is not "") whose (it as boolean) of it = 0) of concatenation ", " of (it as string) of (it = "Administrators") of names of items 0 of (item 0 of it, set of account names of sids of members of item 0 of it, item 1 of it) whose (item 1 of it contains name of item 2 of it) of (local groups, it) of it)) whose (not ((number of substrings separated by ", " whose (it is not "") whose (it as boolean) of it > 0) of concatenation ", " of (it as string) of (exist matches (regex "DeniedNetworkAccess") of it) of names of items 0 of (item 0 of it, set of account names of sids of members of item 0 of it, item 1 of it) whose (item 1 of it contains name of item 2 of it) of (local groups, it) of it)))))))))

That one is a bit of a mouthful. There is a lot of edge-case catching in relevance like this, so distilling it down is somewhat tricky.

If you only care about the two accounts you mention, then the basic relevance you are looking for is probably:

exists security account "Guests" whose (exists privilege whose (it as lowercase = "sedenynetworklogonright") of it) AND exists security account "anonymous logon" whose (exists privilege whose (it as lowercase = "sedenynetworklogonright") of it)

This ignores the domain accounts, local administrator accounts, domain joining, specific groups for DenyNetworkAccess and others that the long relevance checks for. It also does not consider “what if either of those security accounts are not present?”
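A way to verify the same two entries directly on a Windows 2012 box, as an added example that is not part of this thread and not BigFix or DISA content: it exports the local policy with secedit and compares SIDs, which sidesteps the “what if the account is not present?” problem above, because BUILTIN\Guests is always S-1-5-32-546 (even if the group has been renamed) and NT AUTHORITY\ANONYMOUS LOGON is always S-1-5-7. The function name and its parameter are assumptions for the example; the line format it parses is the standard [Privilege Rights] output of secedit /export.

```powershell
# Added example (not from the thread, not BigFix content): check whether
# "Deny access to this computer from the network" (SeDenyNetworkLogonRight)
# is granted to BUILTIN\Guests and NT AUTHORITY\ANONYMOUS LOGON on this host.
# Comparison is on well-known SIDs, so a renamed, missing or unresolvable
# account cannot make the check pass by accident.
# Run from an elevated PowerShell prompt; secedit needs administrator rights.

function Test-DenyNetworkLogonRight {
    param(
        # Well-known SIDs (assumed minimum set, matching the poster's request):
        #   S-1-5-32-546 = BUILTIN\Guests
        #   S-1-5-7      = NT AUTHORITY\ANONYMOUS LOGON
        [string[]]$RequiredSids = @('S-1-5-32-546', 'S-1-5-7')
    )

    $cfg = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    try {
        # Export only the user-rights area of the effective local security policy.
        $null = & secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet
        if ($LASTEXITCODE -ne 0 -or -not (Test-Path -Path $cfg)) {
            throw "secedit export failed (exit code $LASTEXITCODE)"
        }

        # secedit writes UTF-16 LE. The line of interest looks like
        #   SeDenyNetworkLogonRight = *S-1-5-32-546,*S-1-5-7
        # where a leading '*' marks a SID; entries without '*' are account names.
        # If the right is assigned to nobody, the line is absent altogether.
        $line = Get-Content -Path $cfg -Encoding Unicode |
            Where-Object { $_ -match '^\s*SeDenyNetworkLogonRight\s*=' } |
            Select-Object -First 1

        $rawEntries = @()
        if ($line) {
            $rawEntries = ($line -split '=', 2)[1] -split ',' |
                ForEach-Object { $_.Trim() } |
                Where-Object { $_ }
        }

        # Normalise every entry to a SID string. Plain names are resolved through
        # LookupAccountName; an unresolvable name is kept verbatim so it still
        # shows up in the report instead of disappearing silently.
        $assignedSids = foreach ($entry in $rawEntries) {
            if ($entry.StartsWith('*')) {
                $entry.Substring(1)
            }
            else {
                try {
                    $acct = New-Object System.Security.Principal.NTAccount($entry)
                    $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
                }
                catch { $entry }
            }
        }

        # Friendly names for the report only; orphaned SIDs stay in S-1-... form.
        $assignedNames = foreach ($sid in $assignedSids) {
            try {
                $sidObj = New-Object System.Security.Principal.SecurityIdentifier($sid)
                $sidObj.Translate([System.Security.Principal.NTAccount]).Value
            }
            catch { $sid }
        }

        $missing = @($RequiredSids | Where-Object { $assignedSids -notcontains $_ })

        [pscustomobject]@{
            Right     = 'SeDenyNetworkLogonRight'
            Assigned  = ($assignedNames -join ', ')
            Missing   = ($missing -join ', ')
            Compliant = ($missing.Count -eq 0)
        }
    }
    finally {
        Remove-Item -Path $cfg -Force -ErrorAction SilentlyContinue
    }
}

# Only the two accounts asked about in the thread:
Test-DenyNetworkLogonRight

# The STIG's domain-system additions can be appended the same way; for example the
# well-known SIDs for "Local account" (S-1-5-113) and
# "Local account and member of Administrators group" (S-1-5-114):
# Test-DenyNetworkLogonRight -RequiredSids @('S-1-5-32-546', 'S-1-5-7', 'S-1-5-113', 'S-1-5-114')
```

The Compliant field is the equivalent of the two-account relevance above evaluating true; Assigned shows everything else currently holding the right, which is the quickest way to see what the full STIG relevance would have complained about (Domain Admins, Enterprise Admins, the RID-500 account) before deciding whether your local standard should keep those checks.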

It is, isn’t it! Thus my confusion. There are quite a few like that in the DISA STIG. It’s very difficult to modify them to conform with our standards.