8 Replies Latest reply on Aug 4, 2016 11:11 AM by Jegavelan Sargunan

    Create compliance rules from a live server registry

    Justan Suss

      Hi,

       

I've got a server's HKLM registry entries that I'd like to use as a compliance rule in a component template. I've figured out how to take this as a snapshot for an audit job, and to export it to become a BL package, but not how to use it as a model for compliance rules that I can use in a scheduled compliance job w/ auto-remediation enabled.

       

      For some context, what I'm doing to this 'GOLD' server is configuring HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL to reflect what we need for our encryption policies to meet our needs (very similar to recent PCI encryption standards). I've exported that key as a BL Package and it works as a deployment package. So rather than manually update all the entries we're adding, I'd like to just use those registry settings as compliance rules.

        • 1. Re: Create compliance rules from a live server registry
          Bill Robinson

          Well, you don’t use blpackages, snapshots or audits in a compliance rule…

           

          so what rule have you constructed for the registry key or values ?

           

          and how will writing compliance rules save you from updating the registry entries ?

          • 2. Re: Create compliance rules from a live server registry
            Justan Suss

            Hi Bill,

             

            I'm looking to create compliance rules that ensures everything matches the following:

             

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
            "EventLogging"=dword:00000001

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 128/128]
            "Enabled"=dword:ffffffff

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256/256]
            "Enabled"=dword:ffffffff

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
            "Enabled"=dword:00000000

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
            "Enabled"=dword:00000000

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128]
            "Enabled"=dword:00000000

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
            "Enabled"=dword:00000000

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
            "Enabled"=dword:00000000

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
            "Enabled"=dword:00000000

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
            "Enabled"=dword:00000000

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
            "Enabled"=dword:00000000

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
            "Enabled"=dword:00000000

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168]
            "Enabled"=dword:ffffffff

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168]
            "Enabled"=dword:ffffffff

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\CipherSuites]

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes]

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5]
            "Enabled"=dword:ffffffff

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA]
            "Enabled"=dword:ffffffff

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA256]
            "Enabled"=dword:ffffffff

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA384]
            "Enabled"=dword:ffffffff

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA512]
            "Enabled"=dword:ffffffff

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms]

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
            "Enabled"=dword:ffffffff

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\ECDH]
            "Enabled"=dword:ffffffff

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS]
            "Enabled"=dword:ffffffff

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello]

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client]
            "Enabled"=dword:00000000
            "DisabledByDefault"=dword:00000001

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server]
            "Enabled"=dword:00000000
            "DisabledByDefault"=dword:00000001

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0]

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client]
            "Enabled"=dword:00000000
            "DisabledByDefault"=dword:00000001

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
            "Enabled"=dword:00000000
            "DisabledByDefault"=dword:00000001

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
            "DisabledByDefault"=dword:00000001
            "Enabled"=dword:00000000

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
            "Enabled"=dword:00000000
            "DisabledByDefault"=dword:00000001

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
            "Enabled"=dword:00000000
            "DisabledByDefault"=dword:00000001

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
            "Enabled"=dword:00000000
            "DisabledByDefault"=dword:00000001

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
            "Enabled"=dword:00000000
            "DisabledByDefault"=dword:00000001

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
            "Enabled"=dword:00000000
            "DisabledByDefault"=dword:00000001

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
            "Enabled"=dword:ffffffff
            "DisabledByDefault"=dword:00000000

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
            "Enabled"=dword:ffffffff
            "DisabledByDefault"=dword:00000000

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
            "Enabled"=dword:ffffffff
            "DisabledByDefault"=dword:00000000

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
            "Enabled"=dword:ffffffff
            "DisabledByDefault"=dword:00000000

             

            I just find it odd I can right click and snapshot this when live browsing a server, then add to depot as a BLPackage, but I can't use the snapshot results as the basis of a component template or set of compliance rules. That said, I plan to use the BL package for remediating non-compliant servers, so I have that so far.

            • 3. Re: Create compliance rules from a live server registry
              Bill Robinson

              Ok, so you create the compliance rules w/ whatever condition you want to check for.  have you tried creating compliance rules yet ?

              • 4. Re: Create compliance rules from a live server registry
                Justan Suss

I have, and having to itemize each and every line one at a time is really tedious and has zero value seeing as I've already done the research and gotten this set up on a server already. It seems odd to be able to capture exactly what I want in a snapshot and use it in a package and audit but not in a component template / compliance rule. I've searched through documentation and online and I see no walkthroughs or instructions on how to set up compliance rules for registry entries. There MUST be a way to leverage snapshot info for this so I needn't spend all this time trying to capture every single line as its own part just to be sure to get everything right when I create the rule.

                 

All I need is IF SCHANNEL and everything within it doesn't equal precisely what I pasted above, then call it non-compliant... but why is it I have to define each and every line?
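The .reg listing in reply 2 plus the rule in reply 4 ("if SCHANNEL and everything within it doesn't equal precisely what I pasted, call it non-compliant") amount to a mechanical check: parse the export into a table of keys and values, then compare a target's export against it. The following Python script is an added example, not part of the thread and not BladeLogic/BSA code. It parses the .reg subset used above (key headers, dword and string values), checks a second export against it and returns the deviations. `DESIRED_REG` is a subset of the listing in reply 2; `ACTUAL_REG` is a constructed export of a drifted target (RC4 key missing, SSL 3.0 re-enabled, an unlisted TLS 1.0 key, a harmless extra value).

```python
"""Added example (not BladeLogic/BSA code): derive compliance checks from a .reg export.
Handles the .reg subset seen in the thread: [key] headers, "Name"=dword:xxxxxxxx and
"Name"="string" values. Keys and value names compare case-insensitively, as the
Windows registry does."""
import re
from typing import Dict, List, Tuple

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.+)$')

# key path -> { value name -> (type, data) }
RegState = Dict[str, Dict[str, Tuple[str, object]]]


def parse_reg(text: str) -> RegState:
    """Parse .reg text into a nested dict; a key with no values is still recorded."""
    state: RegState = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            state.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, rest = m.group(1), m.group(2)
            if rest.startswith("dword:"):
                state[current][name] = ("REG_DWORD", int(rest[len("dword:"):], 16))
            elif len(rest) >= 2 and rest[0] == '"' and rest[-1] == '"':
                state[current][name] = ("REG_SZ", rest[1:-1])
            else:  # hex: data and multi-line continuations are out of scope here
                state[current][name] = ("RAW", rest)
    return state


def check_compliance(desired: RegState, actual: RegState, strict: bool = False) -> List[Tuple[str, str, str]]:
    """Return (finding, key, value_name) tuples; an empty list means compliant.
    Every desired key must exist and every desired value must match exactly.
    strict=True also reports keys on the target that the desired state does not list,
    which "everything within SCHANNEL must equal the listing" requires: an unlisted,
    enabled protocol key would otherwise pass. Both exports are assumed to be
    scoped to the same subtree."""
    actual_norm = {k.upper(): {n.lower(): v for n, v in vals.items()} for k, vals in actual.items()}
    findings: List[Tuple[str, str, str]] = []
    for key, values in desired.items():
        have = actual_norm.get(key.upper())
        if have is None:
            findings.append(("missing_key", key, ""))
            continue
        for name, expected in values.items():
            got = have.get(name.lower())
            if got is None:
                findings.append(("missing_value", key, name))
            elif got != expected:
                findings.append(("mismatch", key, name))
    if strict:
        desired_norm = {k.upper() for k in desired}
        for key in actual:
            if key.upper() not in desired_norm:
                findings.append(("unexpected_key", key, ""))
    return findings


# Desired state: a subset of the listing posted in reply 2 (same values as there).
DESIRED_REG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000
"""

# Constructed export of a drifted target (not captured from a real server).
ACTUAL_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 3.0\Server]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000
"Comment"="constructed extra value; not part of the desired state"
"""


def run_example(strict: bool = True) -> List[Tuple[str, str, str]]:
    """Check the constructed target against the desired subset."""
    return check_compliance(parse_reg(DESIRED_REG), parse_reg(ACTUAL_REG), strict=strict)


if __name__ == "__main__":
    for finding, key, name in run_example():
        print(f"{finding:15} {key}" + (f"\\{name}" if name else ""))
```

Run as-is it reports the missing RC4 key, the mismatched SSL 3.0 `Enabled`, the absent SSL 3.0 `DisabledByDefault` and, because `strict=True`, the unlisted TLS 1.0 server key; the extra `Comment` value is ignored because only listed values are asserted. The `(finding, key, name)` tuples map one-to-one onto the per-object rules the template would otherwise need by hand, so the same table can drive whichever rule-creation route (manual, copy-paste, or BLCLI) the thread settles on.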

                • 5. Re: Create compliance rules from a live server registry
                  Bill Robinson

you set up rules for registry entries just like every other asset type - you add the parts to the template and then you create rules for each object.  same as looking at entries in an /etc/passwd file, files in a directory, local users, etc.

                   

                  in this particular use case it would seem to be nice to automatically populate the rule w/ a basic condition and the rule.  many times though, compliance rules are not that simple.

                   

                  if all you want is to compare to a 'gold master' why are you using compliance ?  you can use an audit job and sync w/ master or just blindly deploy the settings.

                  • 6. Re: Create compliance rules from a live server registry
                    Justan Suss

                    Thanks Bill,

                     

I feared / figured this would be the answer. My org bought BSA largely for the compliance jobs & results output that comes from it, so compliance jobs it is.

                    • 7. Re: Create compliance rules from a live server registry
                      Bill Robinson

                      that doesn't mean you can't use audit or the blind deploy to do this... 

                       

i agree though - it would be nice to have something like 'grab the values of X off this server and set up some basic rules' - even if you are doing something more complex it would be a good start.

                      • 8. Re: Create compliance rules from a live server registry
                        Jegavelan Sargunan

You can use the copy-paste option in the template for creating the compliance rules; you are going to change one letter or one word every two lines once you copy-paste the first one.

                         

I think you are doing it for RC4 remediation. For the remediation through the BL package, use the external command with the following syntax and create it for the whole set of keys and dwords; the first one will create the key and the second will create the dword.

                         

                        REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /ve /f

                        REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 3.0\Server" /v Enabled /t REG_DWORD /d 0 /f
