pc user rights controls newui 20110909
8/3/2019 PC User Rights Controls NewUI 20110909
Copyright 2011 by Qualys, Inc. All Rights Reserved.
This document describes best practices for setting control values for Windows user rights controls in
QualysGuard compliance policies.
About Windows User Rights Controls
Windows user rights controls in the Controls Library check the list of groups and user accounts that have
been granted the particular user right that the control pertains to. For a Windows user rights control,
customizing the control value to match expected user rights in the compliance policy is a necessary step
for making your compliance reports accurate and useful.
Controls Library Showing Windows User Rights Controls
QualysGuard Tips and Techniques 2
Tip: To search for Windows user rights controls, select Search above the list and select the following
criteria: 1) the text "right", 2) category Access Control Requirements, and 3) Windows technologies.
Best Practices
Here are best practices for setting control values for Windows user rights controls.
Generate a compliance report before setting the control value in the policy. Creating a policy with
default control values and generating a policy report in PDF format allows you to see how the data is
returned before attempting to modify the control value.

Use copy/paste from the Actual Value when possible. It is often faster to copy/paste the actual value
from your policy report first into your text editor (such as Notepad or TextPad) and then into the
expected value field in your policy. After the copy/paste, make minor modifications, such as adding a
backslash to escape special characters in the expected value field.

Use a larger sample size of assets. Reviewing a policy report for many systems might enable you to see
additional conditions you need to account for when specifying acceptable account entries. In the example
below, we are matching just three common default accounts. If you run the compliance policy report for
an asset group with 200+ systems, you may see many other accounts that could conceivably be authorized
for the user right. Thus, using a larger sample size can be beneficial.

Pay attention to the cardinality. The cardinality selection in your policy determines how the control
will be evaluated for pass/fail status. The default cardinality for CID 2184 (used in the example below) is
"contains". If we were to specify the three default accounts with "contains", the control will pass if those
three accounts or more are present. So, the actual value might have dozens of accounts, but as long as
those three are present, the control will pass, which is not good security. By changing the cardinality to
"is contained in", only the three accounts or fewer can be present for the control to pass. In this case, the
actual value may have 0-3 entries listing only the three default accounts.

Be as explicit as possible. In the example below, we entered the full path and account name
(BUILTIN\\Administrators) for the control value rather than just Administrators, which is a common
default value for these controls. Using Administrators on its own might cause issues if you have a naming
convention where Administrators is used frequently (for example, Joe's Administrators would also pass).

Use lists of regular expressions. Some customers try to do everything on a single line, creating a very
complex regular expression for the control value. The Policy Editor supports lists of regular expressions,
which can greatly improve readability of the report.
Example for Setting the Control Value for a User Rights Control
The steps below describe how to set the control value for CID 2184 "Current list of Groups and User
Accounts granted the Adjust memory quotas for a process right". You can follow these same steps to set
the control value for any Windows user rights control.
In this example, we want to confirm that the user right adjust memory quotas is enabled for appropriate
use by matching against three common default accounts that are usually present on each system and
ensure that only those accounts are granted the user right.
The three default accounts we want to match are:
BUILTIN\Administrators
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
Step 1: Create a policy with control ID 2184
Make these selections in the Policy Editor:
a) Add one or more asset groups to the policy that have already been scanned for compliance.
Remember, when you run a compliance scan, all controls in the Controls Library are included in
the scan, so you already have compliance data for your scanned hosts.
b) Keep the default control value as is for now. It's recommended that you first generate a policy
report to see how the value is returned before you change the control value in the policy.
Step 2: Generate a Policy Report to see the Actual Value returned for the control
It's recommended that you generate the Policy Report in PDF format because all fields are expanded by
default, which will make it easier to see all the values returned and copy/paste the actual value.
Step 3: In the Policy Report, go to Detailed Results and copy the Actual Value
Scroll down to the Detailed Results section of the Policy Report and follow these steps:
1. Select (highlight) and copy the three required accounts from the Actual Value field for the
control. (Do not copy any additional accounts that might have been found.)
2. Paste the Actual Value text into your text editor (such as Notepad or TextPad). This step is
recommended to be sure that unseen artifacts from the UI are stripped out.
Step 4: Edit the policy to change the expected value and cardinality
Make these selections in the Policy Editor:
a) Paste the Actual Value text from your text editor (copied from the PDF report) into the Expected
Value field. If the value has a backslash in it (such as BUILTIN\Administrators) then you must
add another backslash before it in order to escape the special character (such as
BUILTIN\\Administrators).
b) Change the cardinality from "contains" to "is contained in". Using the cardinality "is contained
in" ensures that the control will only pass if the three required accounts are the only ones
detected. If any other account is found, the control will fail.
Step 5: Generate the Policy Report again and review the results
Review the Passed and Failed hosts to confirm that the control only passes if one of the three required
accounts is found and fails if any additional accounts are found.
In the example below, IP 10.10.25.203 failed because accounts other than the three required accounts
were found. IP 10.10.25.249 passed because only the three required accounts were found. The host would
also have passed if only one or two of the required accounts were found.
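
The pass/fail behavior described under "Pay attention to the cardinality" and in Steps 4 and 5, modeled in Python as an added example (not Qualys code and not part of the original document). The unanchored regex search, the function names and the CORP\ accounts are assumptions made for illustration.

```python
import re

# The three default accounts named on this page, as they would be copied
# from the Actual Value field of the report.
DEFAULTS = [
    r"BUILTIN\Administrators",
    r"NT AUTHORITY\LOCAL SERVICE",
    r"NT AUTHORITY\NETWORK SERVICE",
]

def to_expected(copied):
    """Step 4a: double each backslash so the regex treats it literally."""
    return [value.replace("\\", "\\\\") for value in copied]

def hit(pattern, account):
    # Assumption: patterns are searched unanchored, which is why a bare
    # "Administrators" also matches "Joe's Administrators".
    return re.search(pattern, account) is not None

def evaluate(actual, expected, cardinality):
    """Return True (pass) or False (fail) for one host."""
    if cardinality == "contains":
        # Every expected entry must be present; extra accounts are ignored.
        return all(any(hit(p, a) for a in actual) for p in expected)
    if cardinality == "is contained in":
        # Every account found must match an expected entry; fewer is fine.
        return all(any(hit(p, a) for p in expected) for a in actual)
    raise ValueError("unsupported cardinality: " + cardinality)

def unexpected(actual, expected):
    """Accounts that make an 'is contained in' evaluation fail."""
    return [a for a in actual if not any(hit(p, a) for p in expected)]

# Constructed sample hosts (not taken from the report on this page).
HOSTS = {
    "host-a": list(DEFAULTS),
    "host-b": DEFAULTS + [r"CORP\Joe's Administrators", r"CORP\svc_backup"],
    "host-c": [r"BUILTIN\Administrators"],
}

if __name__ == "__main__":
    expected = to_expected(DEFAULTS)
    for name, actual in HOSTS.items():
        for card in ("contains", "is contained in"):
            print(name, card, "PASS" if evaluate(actual, expected, card) else "FAIL")
        print(name, "unexpected:", unexpected(actual, expected))
```

Replacing the first expected entry with a bare Administrators pattern makes CORP\Joe's Administrators drop out of the unexpected list, which is the over-matching the "Be as explicit as possible" practice guards against.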
Additional Information
For complete information on QualysGuard Policy Compliance (PC) and its features, including
compliance policies and reports, please refer to the Policy Compliance (PC) section of the QualysGuard
online help (Help > Online Help). You can also refer to the QualysGuard Policy Compliance Getting
Started Guide, which is available for download from the Resources section (Help > Resources).