22 Replies. Latest reply on Jul 3, 2014 10:04 AM by Mike Reider.

    Local group compliance using BSA.

    Roy Ong

      Hi,

      I'm using BSA 8.3. I'm trying to do GPO: Local Group Policy compliance on a Win2012 server, specifically with these checks:

      Enable Screen Saver - Enabled

      Enable Password protect for Screen Saver - Enabled

      Enable Screen Saver Timeout - 900 seconds (15 minutes)

      I understand that BSA cannot drill down to HKCU of the registry, so that rules out using a registry key for compliance.

      Is there any way to derive this? I'm trying out Extended Objects using gpresult /z, but I'm not able to output it from the EO to do a compliance check on it.

      Can anyone help?

      Thanks

      Roy

        • 1. Re: Local group compliance using BSA.
          Joe Piotrowski

          I don't have a Windows 2012 server up right now to check. Do these get set anyway in the Security Settings? If gpresult /z does spit this info out, we can help you write an EXO and Rules to check against that.

          • 2. Re: Local group compliance using BSA.
            Roy Ong

            Hi Joe,

            You can set this via gpedit.msc on both win2k8 and win2012.

            User Configuration > Administrative Templates > Control Panel > Personalization

            I have attached a gpresult /z example to show I enabled the screen saver policy.

            • 3. Re: Local group compliance using BSA.
              Barry McQuillan

              I have built a Win2012 server, but I'm not sure where you are setting these entries?

              If you can provide either:

              1. the location to set these settings

              2. an export of the policy

              I will replicate it and get back to you with a solution.

              • 4. Re: Local group compliance using BSA.
                Roy Ong

                Hi Barry,

                You can set it by running gpedit.msc on the command line

                User Configuration > Administrative Templates > Control Panel > Personalization

                Thanks

                Roy

                • 5. Re: Local group compliance using BSA.
                  Barry McQuillan

                  Hi Roy,

                  Where are they located in the registry, please?

                  • 6. Re: Local group compliance using BSA.
                    Roy Ong

                    Hi Barry,

                    For this policy -> Enable Screen Saver - Enabled

                    Located here in the registry:

                    HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveActive

                    Thanks!

                    • 7. Re: Local group compliance using BSA.
                      Barry McQuillan

                      Hi Roy,

                      Unfortunately I've run out of time to investigate further on this.

                      However, you can use the following command to get the values.

                      I couldn't get this to run as an EO command; obviously I need to edit the syntax slightly to make it work as an EO.

                      However, as you have several, I'd create a script to run all the commands and grab the output.

                      I normally have the output in XML so that I can easily use the XML grammar file to parse the EO.

                      Command is:

                      reg query "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveActive|findstr /V HKEY

                      • 8. Re: Local group compliance using BSA.
                        Mike Jones

                        Roy,

                        The problem with User entries is just that: it is a single user, so the BladeLogicRSCD user if run through BSA. It doesn't tell you if the Group Policy is applied, just that it is set for the single user.

                        If you can find where it is stored in the registry "policies" then you can read that, but I don't think it is for Screen Saver settings; they are just applied directly.

                        • 9. Re: Local group compliance using BSA.
                          Roy Ong

                          However, as you have several, I'd create a script to run all the commands and grab the output.

                          I normally have the output in XML so that I can easily use the XML grammar file to parse the EO.

                          Command is:

                          reg query "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveActive|findstr /V HKEY

                          Command works in the command line, but I have no idea how to output it to an XML file for the EO to parse it. Any help here?

                          Thanks

                          • 10. Re: Local group compliance using BSA.
                            Joe Piotrowski

                            The total gpresult is in a pretty ugly format. So if you can add arguments to narrow it down, that's better. Also, it doesn't have to be parsed into a format like XML. It can just be plain text, and we can create a Rule to check for the proper string you're looking for.

                            • 11. Re: Local group compliance using BSA.
                              Bill Robinson

                              Exactly, Mike. HKCU is the *current user*, which will be localsystem actually iirc (I don't think we load the BladeLogicRSCD hive). And I'm assuming this check would want you to look at all users on the target? Or could you just set the master setting? It used to be stored in the NTUSER.dat somewhere and there was a way to mount that, but that was back in 2003.

                              • 12. Re: Local group compliance using BSA.
                                Roy Ong

                                I noticed the out-of-box compliance template for DISA STIG for Win 2008 had this compliance rule, which is exactly what I want! Does anyone know how I can use the EO for this?

                                "Extended Object Entry:HKCU Windows 2008//findings/V0001122/Status"."Value1 as String (All OS)" = "Not a Finding"

                                Display (Screen Saver) 3.8.2.1

                                CAT II : Password Protected Screen Savers

                                The policy values for User Configuration -> Administrative Templates -> Control Panel -> Display will be configured as follows:

                                Screen Saver will be set to Enabled

                                Password protect the screen saver will be set to Enabled

                                Screen Saver timeout will be set to Enabled: 900 seconds

                                If any of the registry values don't exist or are not configured as follows, then this is a finding.

                                Tried gpresult via EO but I got this error: "The user <service acc> does not have RSOP data". Not sure what went wrong?

                                • 13. Re: Local group compliance using BSA.
                                  Bill Robinson

                                  Open the template.

                                  In the local cfos find the EO.

                                  In the command of the EO it should show what is being run, which is probably a script. Go find that script.

                                  Create the same EO in your template referencing the same script.

                                  • 14. Re: Local group compliance using BSA.
                                    Roy Ong

                                    I tried the out-of-box DISA EO's script to check for the screensaver active, couldn't get it to work for compliance.

                                    nsh -c "//bbsa/c/storage/extended_objects/disawin-hku.nsh" test2012

                                    <V0001122>

                                    <finding>"Screen saver" is not Enabled</finding> <finding>"Password protect the screen saver" is not Enabled</finding> <finding>"ScreenSaver timeout is not enabled and not set to 900 seconds" </finding>

                                    <finding>"Screen saver" is not Enabled</finding> <finding>"Password protect the screen saver" is not Enabled</finding> <finding>"ScreenSaver timeout is not enabled and not set to 900 seconds" </finding>

                                    <finding>"Screen saver" is not Enabled</finding> <finding>"Password protect the screen saver" is not Enabled</finding> <finding>"ScreenSaver timeout is not enabled and not set to 900 seconds" </finding>

                                    <Status>Open</Status>

                                    </V0001122>

                                    I tried changing the screensaver active settings on the Windows 2012, but the <Status>Open</Status> doesn't change.

                                    It doesn't seem to be reflected on the compliance test check.
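The V0001122 block quoted above is the shape the DISA EO emits: one finding element per failed check and a Status that the compliance rule compares with "Not a Finding". As an added example, not the DISA script or any BMC code, the POSIX shell function below does the same mapping for the three checks from the original question, parsing the text layout of reg query output (constructed sample values, not output from the poster's server) and treating a missing or mismatched value as a finding. The value names ScreenSaverIsSecure and ScreenSaveTimeOut beside ScreenSaveActive are the standard ones in that key and are not mentioned in the thread.

```shell
# Constructed sample of what `reg query "HKEY_CURRENT_USER\Control Panel\Desktop"`
# prints on Windows (hypothetical values, not taken from the poster's server).
SAMPLE_REG_OUTPUT='
HKEY_CURRENT_USER\Control Panel\Desktop
    ScreenSaveActive    REG_SZ    1
    ScreenSaverIsSecure    REG_SZ    0
    ScreenSaveTimeOut    REG_SZ    600
'

# reg_value NAME: print the data of one value from reg query text on stdin;
# prints nothing when the value is absent. Real reg output has CRLF line
# endings, so a trailing carriage return is stripped from the data field.
reg_value() {
    awk -v name="$1" '$1 == name { sub(/\r$/, "", $3); print $3 }'
}

# screensaver_findings: read reg query text on stdin and emit an XML block in
# the shape of the DISA EO output: one <finding> per failed check, then
# <Status>Open</Status> or <Status>Not a Finding</Status>.
screensaver_findings() {
    out=$(cat)
    active=$(printf '%s\n' "$out" | reg_value ScreenSaveActive)
    secure=$(printf '%s\n' "$out" | reg_value ScreenSaverIsSecure)
    timeout=$(printf '%s\n' "$out" | reg_value ScreenSaveTimeOut)
    status="Not a Finding"
    printf '<V0001122>\n'
    # An empty (missing) value fails each comparison, so "not configured"
    # is reported as a finding, as the STIG text requires.
    if [ "$active" != "1" ]; then
        printf '<finding>"Screen saver" is not Enabled</finding>\n'
        status=Open
    fi
    if [ "$secure" != "1" ]; then
        printf '<finding>"Password protect the screen saver" is not Enabled</finding>\n'
        status=Open
    fi
    if [ "$timeout" != "900" ]; then
        printf '<finding>"ScreenSaver timeout is not enabled and not set to 900 seconds"</finding>\n'
        status=Open
    fi
    printf '<Status>%s</Status>\n</V0001122>\n' "$status"
}

# screensaver_status: only the Status word, the field a compliance rule
# would compare against "Not a Finding".
screensaver_status() {
    screensaver_findings | sed -n 's/.*<Status>\(.*\)<\/Status>.*/\1/p'
}

printf '%s\n' "$SAMPLE_REG_OUTPUT" | screensaver_findings
```

As Mike and Bill note earlier in the thread, HKCU here is the hive of the account running the command, not the logged-on user's, so what this reports can differ from what gpedit.msc shows for your own session.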
