Windows rights checking - SENetworkLogonRight

(imported topic written by makousks91)

Has anyone written any fixlets to check for the type of security settings found in the local security settings?

We need to check for compliance on all of our machines for things such as:

SENetworkLogonRight

SEBackupPrivilege

etc…

Can I do this via WMI? Is there a better way? If WMI, would someone share the solution?

Thanks,

Steve

(imported comment written by BenKus)

Hi Steve,

Yes. We have found ways to retrieve many of these (and it is a huge pain).

Have you looked at our “Security Policy Manager” (SPM) Fixlet site?

It currently has an Analysis to give you information for the following:

Account Policies:

  • Enforce Password History
  • Maximum Password Age
  • Minimum Password Age
  • Minimum Password Length
  • Password Must Match Complexity Requirements
  • Store Password Using Reversible Encryption for All Users in the Domain
  • Account Lockout Duration
  • Account Lockout Threshold
  • Reset Account Lockout Counter After

And we have developed and will soon be releasing more Analyses that deal with the following:

Audit Policies:

  • Audit account logon events
  • Audit directory service access
  • Audit process tracking
  • Audit account management
  • Audit policy change
  • Audit privilege use
  • Audit object access
  • Audit logon events
  • Audit system events

Driver and Hardware Policies:

  • Allowed to eject removable NTFS media
  • Audit the access of global system objects
  • Audit use of Backup and Restore privilege
  • Clear virtual memory pagefile when system shuts down
  • Prevent users from installing printer drivers
  • Recovery Console: Allow automatic administrative logon
  • Recovery Console: Allow floppy copy and access to all drives and all folders
  • Restrict CD-ROM access to locally logged-on user only
  • Restrict floppy access to locally logged-on user only
  • Shut down system immediately if unable to log security audits
  • Smart card removal behavior
  • Strengthen default permissions of global system objects (e.g. Symbolic Links)
  • Unsigned driver installation behavior
  • Unsigned non-driver installation behavior

Account and Logon Settings:

  • Allow server operators to schedule tasks (domain controllers only)
  • Allow system to be shut down without having to log on
  • Amount of idle time required before disconnecting session
  • Disable CTRL+ALT+DEL requirement for logon
  • Do not display last user name in logon screen
  • LAN Manager Authentication Level
  • Number of previous logons to cache (in case domain controller is not available)
  • Prevent system maintenance of computer account password
  • Prompt user to change password before expiration
  • Message title for users attempting to log on
  • Message text for users attempting to log on

Communication Settings:

  • Additional restrictions for anonymous connections
  • Digitally sign client communication (always)
  • Digitally sign client communication (when possible)
  • Digitally sign server communication (always)
  • Digitally sign server communication (when possible)
  • Secure channel: Digitally encrypt or sign secure channel data (always)
  • Secure channel: Digitally encrypt secure channel data (when possible)
  • Secure channel: Digitally sign secure channel data (when possible)
  • Secure channel: Require strong (Windows 2000 or later) session key
  • Send unencrypted password to connect to third-party SMB servers

And the SPM site also has a bunch more stuff to set policies, disable peripheral devices, run password checks, etc.

If you don’t have the Security Policy Manager site, please contact your sales representative for a demonstration or a trial.

Ben

(imported comment written by makousks91)

Thanks Ben,

Do you have a tentative release date for the additional security checks?

We do have the “Security Policy Manager” (SPM) Fixlet site, and we do want to check on some of the not yet available things you mentioned.

-Steve

(imported comment written by tim_tsai)

New analyses are now available in the “Security Policy Manager” site that allow retrieval of most Local Security Settings:

Security Settings - Account Policies (ID 71)

Security Settings - Audit Policies (ID 91)

Security Settings - Security Options: System and Device Settings (ID 92)

Security Settings - Security Options: Account and Logon Settings (ID 93)

Security Settings - Security Options: Network Settings (ID 96)

(imported comment written by makousks91)

Those new analyses are great.

Except they do not address my original question.

They do not provide which users are able to “Access Computer from Network”, i.e. SENetworkLogonRight, etc…

There are ~25-30 LSA rights which we would like to be able to check.

Can we get at this stuff through WMI? I don’t believe it’s located in the registry.

(imported comment written by cop3ccpotter91)

How can I get the SCM Fixlet site? I would be interested in reviewing its information.

(imported comment written by BenKus)

Hi cop3ccpotter,

Contact your sales or account representative and they can get you access to the information you need.

Ben

(imported comment written by rajeshnyk91)

Hi Ben,

It would have been a very good solution/dashboard if BigFix could show the current system configuration info such as Local security policy or group policy. Currently the tool covers partial values (as mentioned above) of local security setting values. If the tool is able to give all parameters of local security policy, we can adopt it for creating server compliance reports.

Looking forward to the feature enhancement… :)

Rajesh Nayak

(imported comment written by BenKus)

Please check our new SCM Fixlet sites. They provide much more expanded security checks.

Ben

(imported comment written by jeff_saxton91)

makousks

Those new analyses are great.

Except they do not address my original question.

They do not provide which users are able to “Access Computer from Network”, i.e. SENetworkLogonRight, etc…
There are ~25-30 LSA rights which we would like to be able to check.

Can we get at this stuff through WMI? I don’t believe it’s located in the registry.

Try this:

((names of keys whose (exists it whose ((bit 1 of (hexadecimal integer(it))) of (character 0 of it & character 1 of it)) of (default value of key "ActSysAc" of it as string)) of key "HKLM\Security\Policy\Accounts" of registry))

Unfortunately it returns the users as SIDs.
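
Added example (not part of the original thread and not BigFix content): the relevance above tests bit 1 of the first byte of ActSysAc, which is the network-logon flag; this Python example decodes the whole bitmask with the SECURITY_ACCESS_* values from ntsecapi.h, maps well-known SIDs to names, and compares the holders of a right against a baseline. The sample registry values, the baseline, and the input format (the value as a hex string of little-endian bytes) are assumptions made for illustration; privileges such as SEBackupPrivilege are not encoded in ActSysAc.

```python
# Logon-right flags held in ActSysAc (SECURITY_ACCESS_* constants, ntsecapi.h).
LOGON_RIGHTS = {
    0x001: "SeInteractiveLogonRight",
    0x002: "SeNetworkLogonRight",
    0x004: "SeBatchLogonRight",
    0x010: "SeServiceLogonRight",
    0x040: "SeDenyInteractiveLogonRight",
    0x080: "SeDenyNetworkLogonRight",
    0x100: "SeDenyBatchLogonRight",
    0x200: "SeDenyServiceLogonRight",
    0x400: "SeRemoteInteractiveLogonRight",
    0x800: "SeDenyRemoteInteractiveLogonRight",
}

# A few well-known SIDs; anything else is reported as the raw SID.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-551": "BUILTIN\\Backup Operators",
}

def decode_actsysac(hex_value):
    """Decode an ActSysAc value given as hex bytes (assumed little-endian DWORD)."""
    mask = int.from_bytes(bytes.fromhex(hex_value)[:4], "little")
    return [name for bit, name in sorted(LOGON_RIGHTS.items()) if mask & bit]

def holders_of(right, accounts):
    """Names (or raw SIDs) of the accounts whose ActSysAc grants `right`."""
    return sorted(WELL_KNOWN_SIDS.get(sid, sid)
                  for sid, value in accounts.items()
                  if right in decode_actsysac(value))

def audit(right, accounts, allowed):
    """Holders of `right` that are not in the approved baseline."""
    return [h for h in holders_of(right, accounts) if h not in allowed]

# Constructed sample: SID subkey name -> ActSysAc bytes as hex (not real data).
SAMPLE = {
    "S-1-1-0": "02000000",
    "S-1-5-32-544": "07040000",
    "S-1-5-32-545": "03000000",
    "S-1-5-32-551": "07000000",
    "S-1-5-21-1111111111-2222222222-3333333333-1001": "81000000",
}

if __name__ == "__main__":
    baseline = {"BUILTIN\\Administrators", "Authenticated Users"}  # hypothetical policy
    print(audit("SeNetworkLogonRight", SAMPLE, baseline))
```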

(imported comment written by Jim_Hansen91)

Hi Rajesh,

Regarding…

rajeshnyk

It would have been a very good solution/dashboard if BigFix could show the current system configuration info such as Local security policy or group policy.

I would love to talk with you more about what you have in mind and get additional details on what you are looking for here. If you would be willing to discuss here on the forum, please do. If you’d prefer reaching out to me directly, please do: jim_hansen@bigfix.com.

Regards,

Jim