6 Replies Latest reply on Aug 6, 2014 1:45 PM by Don Kim

Account for multiple entries in User Rights Policies

Don Kim Aug 1, 2014 9:51 AM

I would like to create a compliance rule for user rights policy such as "Change time zone". Policy defines there are only a few permitted entries. For example BUILTIN\Administrators and NT AUTHORITY\LOCAL SERVICE.

I have brought in the "Change time zone" user rights policy as a part and used both the effective and local setting and tried both list of string values and string value. In my case these are the same. When testing this rule, the output on the left looks like this:

"NT AUTHORITY\LOCAL SERVICE,BUILTIN\Administrators"

If use "equals" operator, it will return non compliant because sometimes the order is different from above or a server may have one and not the other. "Is one of" also produces similar results.

"Contains" operator will return a compliant result when I create a rule for each entry; however, will still return compliant if another invalid entry was present. I would like to see if there an operator or perhaps different logic I can use that will give me the desired result before scripting this out.

1. Re: Account for multiple entries in User Rights Policies

Monoj Padhy Aug 5, 2014 9:01 AM (in response to Don Kim)

"NT AUTHORITY\LOCAL SERVICE,BUILTIN\Administrators" break this into two and then use "equal" operator. whats stopping you doing this way. My thinking may sound naive. Currently I have no access to BSA, will try to figure out this in a better way in couple of days.
1 of 1 people found this helpful
Like Show 0 Likes(0)

Actions
2. Re: Account for multiple entries in User Rights Policies

Don Kim Aug 5, 2014 10:23 AM (in response to Monoj Padhy)

In order for the = operator to work, one would have define all possible values like this:
= null (a blue one) (or)
= NT AUTHORITY\LOCAL SERVICE (or)
= BUILTIN\Administrators (or)
= NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators (or)
= BUILTIN\Administrators, NT AUTHORITY\LOCAL SERVICE (or)

This will work as above, but wont scale well if other users need to be added or the rule needs to be tweaked.
Like Show 0 Likes(0)

Actions
3. Re: Account for multiple entries in User Rights Policies

Joe Piotrowski Aug 5, 2014 12:49 PM (in response to Don Kim)

I think I wrote a Rule that does a similar check against a registry key like this. Does this help?

foreach
"Registry Value:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine"
"Multi Value (Windows)" contains "Software\Microsoft\OLAP Server" AND
"Multi Value (Windows)" contains "Software\Microsoft\Windows NT\CurrentVersion\Perflib" AND
"Multi Value (Windows)" contains "Software\Microsoft\Windows NT\CurrentVersion\Print" AND
"Multi Value (Windows)" contains "Software\Microsoft\Windows NT\CurrentVersion\Windows" AND
"Multi Value (Windows)" contains "System\CurrentControlSet\Control\ContentIndex" AND
"Multi Value (Windows)" contains "System\CurrentControlSet\Control\Print\Printers" AND
"Multi Value (Windows)" contains "System\CurrentControlSet\Control\Terminal Server" AND
"Multi Value (Windows)" contains "System\CurrentControlSet\Control\Terminal Server\UserConfig" AND
"Multi Value (Windows)" contains "System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration" AND
"Multi Value (Windows)" contains "System\CurrentControlSet\Services\Eventlog" AND
"Multi Value (Windows)" contains "System\CurrentControlSet\Services\Sysmonlog"
end
1 of 1 people found this helpful
Like Show 0 Likes(0)

Actions
4. Re: Account for multiple entries in User Rights Policies

Don Kim Aug 6, 2014 9:42 AM (in response to Joe Piotrowski)

I ended up dropping the Server Object part and creating an extended object that translates the comma to a return. (like Monoj Padhy and Joe Piotrowski suggested) this way I can use equals and check for each value like this:

= null (or)
= NT AUTHORITY\LOCAL SERVICE (or)
= BUILTIN\Administrators

to extended or add users it would be matter of adding a line instead of rewriting the rule:
+ (or)
= newuser

Not much difference, but it does solve the issue of multiple values being seen as a single value. I was hoping this was possible using the server objects parts but time to move on.
Like Show 0 Likes(0)

Actions
5. Re: Account for multiple entries in User Rights Policies

Joe Piotrowski Aug 6, 2014 10:48 AM (in response to Don Kim)

Can you share the EXO you wrote? I'm curious how you chose to handle it.

I think this can be done with another Loop type, but I don't have my environment up to verify.
Like Show 0 Likes(0)

Actions
6. Re: Account for multiple entries in User Rights Policies

Don Kim Aug 6, 2014 1:45 PM (in response to Joe Piotrowski)

Its not pretty - but it does the job. I have to create file on the server. Looks like this:

"nexec -e secedit /export /areas USER_RIGHTS /cfg (filename)"

gives me output like this:

Then use EO to parse output to = SID where I can match to a users/no user. Its a round-a-bout approach

There might be a way to parse directly from secedit, but I havent been able to make that happen yet.
Like Show 1 Likes(1)

Actions