system
August 19, 2006, 2:50am
1
(imported topic written by makousks91)
Has anyone written any fixlets to check for the type of security settings found in the local security settings?
We need to check for compliance on all of our machines for things such as:
SENetworkLogonRight
SEBackupPrivilege
etc…
Can I do this via WMI? Is there a better way? If WMI, would someone share the solution?
Thanks,
Steve
BenKus
August 19, 2006, 4:35am
2
(imported comment written by BenKus)
Hi Steve,
Yes. We have found ways to retrieve many of these (and it is a huge pain).
Have you looked at our “Security Policy Manager” (SPM) Fixlet site?
It currently has an Analysis to give you information for the following:
Account Policies:
Enforce Password History
Maximum Password Age
Minimum Password Age
Minimum Password Length
Password Must Match Complexity Requirements
Store Password Using Reversible Encryption for All Users in the Domain
Account Lockout Duration
Account Lockout Threshold
Reset Account Lockout Counter After
And we have developed and will soon be releasing more Analyses that deal with the following:
Audit Policies:
Audit account logon events
Audit directory service access
Audit process tracking
Audit account management
Audit policy change
Audit privilege use
Audit object access
Audit logon events
Audit system events
Driver and Hardware Policies:
Allowed to eject removable NTFS media
Audit the access of global system objects
Audit use of Backup and Restore privilege
Clear virtual memory pagefile when system shuts down
Prevent users from installing printer drivers
Recovery Console: Allow automatic administrative logon
Recovery Console: Allow floppy copy and access to all drives and all folders
Restrict CD-ROM access to locally logged-on user only
Restrict floppy access to locally logged-on user only
Shut down system immediately if unable to log security audits
Smart card removal behavior
Strengthen default permissions of global system objects (e.g. Symbolic Links)
Unsigned driver installation behavior
Unsigned non-driver installation behavior
Account and Logon Settings:
Allow server operators to schedule tasks (domain controllers only)
Allow system to be shut down without having to log on
Amount of idle time required before disconnecting session
Disable CTRL+ALT+DEL requirement for logon
Do not display last user name in logon screen
LAN Manager Authentication Level
Number of previous logons to cache (in case domain controller is not available)
Prevent system maintenance of computer account password
Prompt user to change password before expiration
Message title for users attempting to log on
Message text for users attempting to log on
Communication Settings:
Additional restrictions for anonymous connections
Digitally sign client communication (always)
Digitally sign client communication (when possible)
Digitally sign server communication (always)
Digitally sign server communication (when possible)
Secure channel: Digitally encrypt or sign secure channel data (always)
Secure channel: Digitally encrypt secure channel data (when possible)
Secure channel: Digitally sign secure channel data (when possible)
Secure channel: Require strong (Windows 2000 or later) session key
Send unencrypted password to connect to third-party SMB servers
And the SPM site also has a bunch more stuff to set policies, disable peripheral devices, run password checks, etc.
If you don’t have the Security Policy Manager site, please contact your sales representative for a demonstration or a trial.
Ben
system
August 21, 2006, 7:57pm
3
(imported comment written by makousks91)
Thanks Ben,
Do you have a tentative release date for the additional security checks?
We do have the “Security Policy Manager” (SPM) Fixlet site, and we do want to check on some of the not yet available things you mentioned.
-Steve
system
September 6, 2006, 3:57am
4
(imported comment written by tim_tsai)
New analyses are now available in the “Security Policy Manager” site that allow retrieval of most Local Security Settings:
Security Settings - Account Policies (ID 71)
Security Settings - Audit Policies (ID 91)
Security Settings - Security Options: System and Device Settings (ID 92)
Security Settings - Security Options: Account and Logon Settings (ID 93)
Security Settings - Security Options: Network Settings (ID 96)
system
November 22, 2006, 1:05am
5
(imported comment written by makousks91)
Those new analyses are great.
Except they do not address my original question.
They do not provide which users are able to “Access Computer from Network” IE:SENetworkLogonRight, etc…
There are ~25-30 LSA rights which we would like to be able to check.
Can we get at this stuff through WMI? I don’t believe it’s located in the registry.
system
December 14, 2007, 9:41am
6
(imported comment written by cop3ccpotter91)
How can I get the SCm fixlet site? I would be interested in reviewing its information.
BenKus
December 14, 2007, 10:53am
7
(imported comment written by BenKus)
Hi cop3ccpotter,
Contact your sales or account representative and they can get you access to the information you need.
Ben
system
November 25, 2008, 10:33pm
8
(imported comment written by rajeshnyk91)
Hi Ben,
It would have been a very good solution/dashboard if BigFix could show the current system configuration info such as Local security policy or group policy. Currently the tool covers partial values (as mentioned above) of local security setting values. If the tool is able to give all parameters of local security policy, we can adopt it for creating server compliance reports.
Looking forward to the feature enhancement…
Rajesh Nayak
BenKus
November 26, 2008, 5:37am
9
(imported comment written by BenKus)
Please check our new SCM Fixlet sites. They provide much more expanded security checks.
Ben
system
December 14, 2008, 3:17am
10
(imported comment written by jeff_saxton91)
makousks
Those new analyses are great.
Except they do not address my original question.
They do not provide which users are able to “Access Computer from Network” IE:SENetworkLogonRight, etc…
There are ~25-30 LSA rights which we would like to be able to check.
Can we get at this stuff through WMI? I don’t believe it’s located in the registry.
Try this:
((names of keys whose (exists it whose ((bit 1 of (hexadecimal integer(it))) of (character 0 of it & character 1 of it)) of (default value of key "ActSysAc" of it as string)) of key "HKLM\Security\Policy\Accounts" of registry))
Unfortunately it returns the users as SIDs.
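The decoding that the relevance expression in the reply above performs, extended from the single bit it tests to the whole logon-rights mask and to a compliance comparison, as an added example that is not part of the original post. It assumes ActSysAc is a 4-byte little-endian mask rendered as a hex string and uses the SECURITY_ACCESS_* flag values from the Windows SDK header ntsecapi.h; the sample accounts are constructed, and the mask carries logon rights only, so privileges such as SeBackupPrivilege are not covered by it.

```python
import struct

# SECURITY_ACCESS_* flags (ntsecapi.h) and the logon right each one represents.
LOGON_RIGHTS = {
    0x001: "SeInteractiveLogonRight",
    0x002: "SeNetworkLogonRight",        # the bit the relevance expression tests
    0x004: "SeBatchLogonRight",
    0x010: "SeServiceLogonRight",
    0x040: "SeDenyInteractiveLogonRight",
    0x080: "SeDenyNetworkLogonRight",
    0x100: "SeDenyBatchLogonRight",
    0x200: "SeDenyServiceLogonRight",
    0x400: "SeRemoteInteractiveLogonRight",
    0x800: "SeDenyRemoteInteractiveLogonRight",
}

# A few well-known SIDs; domain accounts are left as raw SIDs.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-551": "BUILTIN\\Backup Operators",
}

# Constructed sample: SID -> ActSysAc value as a hex string (assumed format).
SAMPLE_ACCOUNTS = {
    "S-1-1-0": "02000000",
    "S-1-5-32-544": "03040000",
    "S-1-5-32-545": "01000000",
    "S-1-5-32-551": "05000000",
    "S-1-5-21-1111111111-2222222222-3333333333-1105": "12000000",
}

def decode_actsysac(hex_value):
    """Return the logon rights set in one hex-rendered ActSysAc value."""
    raw = bytes.fromhex(hex_value)
    if len(raw) != 4:
        raise ValueError("expected a 4-byte mask, got %d bytes" % len(raw))
    (mask,) = struct.unpack("<I", raw)
    return [name for bit, name in sorted(LOGON_RIGHTS.items()) if mask & bit]

def holders(right, accounts):
    """SIDs whose mask grants `right`, sorted for stable reporting."""
    return sorted(s for s, v in accounts.items() if right in decode_actsysac(v))

def unexpected_holders(right, accounts, allowed_sids):
    """Compliance check: (SID, display name) pairs holding `right` off-baseline."""
    return [(s, WELL_KNOWN_SIDS.get(s, s))
            for s in holders(right, accounts) if s not in allowed_sids]
```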
system
January 6, 2009, 4:04am
11
(imported comment written by Jim_Hansen91)
Hi Rajesh,
Regarding…
rajeshnyk
It would have been a very good solution/dashboard if BigFix could show the current system configuration info such as Local security policy or group policy.
I would love to talk with you more about what you have in mind and get additional details on what you are looking for here. If you would be willing to discuss here on the forum, please do. If you’d prefer reaching out to me directly, please do: jim_hansen@bigfix.com .
Regards,
Jim