pc user rights controls newui 20110909

Upload: angelitolazo

Post on 06-Apr-2018


  • 8/3/2019 PC User Rights Controls NewUI 20110909

    1/7

    Copyright 2011 by Qualys, Inc. All Rights Reserved. 1

    This document describes best practices for setting control values for Windows user rights controls in QualysGuard compliance policies.

    About Windows User Rights Controls

    Windows user rights controls in the Controls Library check the list of groups and user accounts that have been granted the particular user right that the control pertains to. For a Windows user rights control, customizing the control value to match expected user rights in the compliance policy is a necessary step for making your compliance reports accurate and useful.

    Controls Library Showing Windows User Rights Controls


    QualysGuard Tips and Techniques 2

    Tip: To search for Windows user rights controls, select Search above the list and select the following criteria: 1) the text "right", 2) category Access Control Requirements, and 3) Windows technologies.

    Best Practices

    Here are best practices for setting control values for Windows user rights controls.

    Generate a compliance report before setting the control value in the policy. Creating a policy with default control values and generating a policy report in PDF format allows you to see how the data is returned before attempting to modify the control value.

    Use copy/paste from the Actual Value when possible. It is often faster to copy/paste the actual value from your policy report first into your text editor (such as Notepad or TextPad) and then into the expected value field in your policy. After the copy/paste, make minor modifications, such as adding a backslash to escape special characters in the expected value field.

    Use a larger sample size of assets. Reviewing a policy report for many systems might enable you to see additional conditions you need to account for when specifying acceptable account entries. In the example below, we are matching just three common default accounts. If you run the compliance policy report for an asset group with 200+ systems, you may see many other accounts that could conceivably be authorized for the user right. Thus, using a larger sample size can be beneficial.

    Pay attention to the cardinality. The cardinality selection in your policy determines how the control will be evaluated for pass/fail status. The default cardinality for CID 2184 (used in the example below) is "contains". If we were to specify the three default accounts with "contains", the control will pass if those three accounts or more are present. So, the actual value might have dozens of accounts, but as long as those three are present, the control will pass, which is not good security. By changing the cardinality to "is contained in", only the three accounts or fewer can be present for the control to pass. In this case, the actual value may have 0-3 entries listing only the three default accounts.

    Be as explicit as possible. In the example below, we entered the full path and account name (BUILTIN\\Administrators) for the control value rather than just Administrators, which is a common default value for these controls. Using Administrators on its own might cause issues if you have a naming convention where Administrators is used frequently (for example, Joe's Administrators would also pass).

    Use lists of regular expressions. Some customers try to do everything on a single line, creating a very complex regular expression for the control value. The Policy Editor supports lists of regular expressions, which can greatly improve readability of the report.

    Example for Setting the Control Value for a User Rights Control

    The steps below describe how to set the control value for CID 2184 "Current list of Groups and User Accounts granted the Adjust memory quotas for a process right". You can follow these same steps to set the control value for any Windows user rights control.

    In this example, we want to confirm that the user right "adjust memory quotas" is enabled for appropriate use by matching against three common default accounts that are usually present on each system, and to ensure that only those accounts are granted the user right.


    The three default accounts we want to match are:

    BUILTIN\Administrators

    NT AUTHORITY\LOCAL SERVICE

    NT AUTHORITY\NETWORK SERVICE

    Step 1: Create a policy with control ID 2184

    Make these selections in the Policy Editor:

    a) Add one or more asset groups to the policy that have already been scanned for compliance. Remember, when you run a compliance scan, all controls in the Controls Library are included in the scan, so you already have compliance data for your scanned hosts.

    b) Keep the default control value as is for now. It's recommended that you first generate a policy report to see how the value is returned before you change the control value in the policy.

    [Screenshot: Policy Editor, with callouts for a) assigning asset groups that have already been scanned and b) keeping the default control value for now]


    Step 2: Generate a Policy Report to see the Actual Value returned for the control

    It's recommended that you generate the Policy Report in PDF format because all fields are expanded by default, which will make it easier to see all the values returned and copy/paste the actual value.


    Step 3: In the Policy Report, go to Detailed Results and copy the Actual Value

    Scroll down to the Detailed Results section of the Policy Report and follow these steps:

    1. Select (highlight) and copy the three required accounts from the Actual Value field for the control. (Do not copy any additional accounts that might have been found.)

    2. Paste the Actual Value text into your text editor (such as Notepad or TextPad). This step is recommended to be sure that unseen artifacts from the UI are stripped out.

    [Screenshot: Detailed Results in the Policy Report, with a callout to copy the 3 required accounts and paste them into a text editor]


    Step 4: Edit the policy to change the expected value and cardinality

    Make these selections in the Policy Editor:

    a) Paste the Actual Value text from your text editor (copied from the PDF report) into the Expected Value field. If the value has a backslash in it (such as BUILTIN\Administrators) then you must add another backslash before it in order to escape the special character (such as BUILTIN\\Administrators).

    b) Change the cardinality from "contains" to "is contained in". Using the cardinality "is contained in" ensures that the control will only pass if the three required accounts are the only ones detected. If any other account is found, the control will fail.

    [Screenshot: Policy Editor, with callouts for a) pasting in the actual value and adding a backslash (\) and b) changing the cardinality to "is contained in"]


    Step 5: Generate the Policy Report again and review the results

    Review the Passed and Failed hosts to confirm that the control only passes if one of the three required accounts are found and fails if any additional accounts are found.

    In the example below, IP 10.10.25.203 failed because accounts other than the three required accounts were found. IP 10.10.25.249 passed because only the three required accounts were found. The host would also have passed if only one or two of the required accounts were found.
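
The cardinality behaviour from Steps 4 and 5, as an added example that is not part of the original Qualys document: a simplified Python model of the pass/fail logic, not QualysGuard's own evaluation code. It assumes each expected entry is an unanchored regular expression; the host names, the `CORP\svc_backup` account and the `CORP\Joes Administrators` group are constructed.

```python
import re

# Expected-value list from the walkthrough, one regular expression per entry.
# Each backslash is doubled so the regex matches a literal backslash (Step 4).
EXPECTED = [
    r"BUILTIN\\Administrators",
    r"NT AUTHORITY\\LOCAL SERVICE",
    r"NT AUTHORITY\\NETWORK SERVICE",
]

def matches(pattern, account):
    # Assumption: an entry matches when the regex is found anywhere in the
    # account name (unanchored), as the "Joe's Administrators" caveat implies.
    return re.search(pattern, account) is not None

def evaluate(expected, actual, cardinality):
    """Return True (pass) or False (fail) for one host's actual value."""
    if cardinality == "contains":
        # Every expected entry must be present; extra accounts are ignored.
        return all(any(matches(p, a) for a in actual) for p in expected)
    if cardinality == "is contained in":
        # Every account found must be covered by some expected entry.
        return all(any(matches(p, a) for p in expected) for a in actual)
    raise ValueError(f"unsupported cardinality: {cardinality}")

def unexpected_accounts(expected, actual):
    """Accounts granted the right that no expected entry accounts for."""
    return [a for a in actual if not any(matches(p, a) for p in expected)]

# Constructed sample actual values (not taken from the report in the document).
DEFAULTS = ["BUILTIN\\Administrators", "NT AUTHORITY\\LOCAL SERVICE",
            "NT AUTHORITY\\NETWORK SERVICE"]
HOSTS = {
    "host-defaults": DEFAULTS,
    "host-extra": DEFAULTS + ["CORP\\svc_backup"],
    "host-partial": ["BUILTIN\\Administrators"],
    "host-lookalike": ["CORP\\Joes Administrators"],
}

if __name__ == "__main__":
    for name, actual in HOSTS.items():
        print(name,
              "| contains:", evaluate(EXPECTED, actual, "contains"),
              "| is contained in:", evaluate(EXPECTED, actual, "is contained in"),
              "| bare 'Administrators':",
              evaluate(["Administrators"], actual, "is contained in"),
              "| unexpected:", unexpected_accounts(EXPECTED, actual))
```
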

    Additional Information

    For complete information on QualysGuard Policy Compliance (PC) and its features, including compliance policies and reports, please refer to the Policy Compliance (PC) section of the QualysGuard online help (Help > Online Help). You can also refer to the QualysGuard Policy Compliance Getting Started Guide, which is available for download from the Resources section (Help > Resources).