compliance policies.
Tip: To search for Windows user rights controls, select Search above the list and select the following criteria: 1) the text right, 2) category Access Control Requirements, and 3) Windows technologies.
Best Practices
Here are best practices for setting control values for Windows user rights controls.
Generate a compliance report before setting the control value in the policy
Creating a policy with default control values and generating a policy report in PDF format allows you to see how the data is returned before attempting to modify the control value.
Use copy/paste from the Actual Value when possible
It is often faster to copy/paste the actual value from your policy report first into your text editor (such as Notepad or TextPad) and then into the expected value field in your policy. After the copy/paste, make minor modifications, such as adding a backslash to escape special characters in the expected value field.
Use a larger sample size of assets
Reviewing a policy report for many systems might enable you to see additional conditions you need to account for when specifying acceptable account entries. In the example below, we are matching just three common default accounts. If you run the compliance policy report for an asset group with 200+ systems, you may see many other accounts that could conceivably be authorized for the user right. Thus, using a larger sample size can be beneficial.
Pay attention to the cardinality
The cardinality selection in your policy determines how the control will be evaluated for pass/fail status. The default cardinality for CID 2184 (used in the example below) is contains. If we were to specify the three default accounts with contains, the control will pass if those three accounts or more are present. The actual value might have dozens of accounts, but as long as those three are present the control will pass, which is not good security. By changing the cardinality to is contained in, only the three accounts or fewer can be present for the control to pass. In this case, the actual value may have 0-3 entries listing only the three default accounts.
Be as explicit as possible
In the example below, we entered the full path and account name (BUILTIN\\Administrators) for the control value rather than just Administrators, which is a common default value for these controls. Using Administrators on its own might cause issues if you have a naming convention where Administrators is used frequently (for example, Joes Administrators would also pass).
Use lists of regular expressions
Some customers try to do everything on a single line, creating a very complex regular expression for the control value. The Policy Editor supports lists of regular expressions, which can greatly improve readability of the report.
Example for Setting the Control Value for a User Rights Control
The steps below describe how to set the control value for CID 2184, "Current list of Groups and User Accounts granted the Adjust memory quotas for a process right". You can follow these same steps to set the control value for any Windows user rights control. In this example, we want to confirm that the user right adjust memory quotas is enabled for appropriate use by matching against three common default accounts that are usually present on each system, and to ensure that only those accounts are granted the user right.
The three default accounts we want to match are:
BUILTIN\Administrators
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
Step 2: Generate a Policy Report to see the Actual Value returned for the control
It's recommended that you generate the Policy Report in PDF format because all fields are expanded by default, which will make it easier to see all the values returned and copy/paste the actual value.
Step 3: In the Policy Report, go to Detailed Results and copy the Actual Value
Scroll down to the Detailed Results section of the Policy Report and follow these steps:
1. Select (highlight) and copy the three required accounts from the Actual Value field for the control. (Do not copy any additional accounts that might have been found.)
2. Paste the Actual Value text into your text editor (such as Notepad or TextPad). This step is recommended to be sure that unseen artifacts from the UI are stripped out.
Step 4: Edit the policy to change the expected value and cardinality
Make these selections in the Policy Editor:
a) Paste the Actual Value text from your text editor (copied from the PDF report) into the Expected Value field. If the value has a backslash in it (such as BUILTIN\Administrators) then you must add another backslash before it in order to escape the special character (such as BUILTIN\\Administrators).
b) Change the cardinality from contains to is contained in. Using the cardinality is contained in ensures that the control will only pass if the three required accounts are the only ones detected. If any other account is found, the control will fail.
Step 5: Generate the Policy Report again and review the results
Review the Passed and Failed hosts to confirm that the control only passes if one of the three required accounts is found and fails if any additional accounts are found. In the example below, IP 10.10.25.203 failed because accounts other than the three required accounts were found. IP 10.10.25.249 passed because only the three required accounts were found. The host would also have passed if only one or two of the required accounts were found.
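The following Python sketch is an added example, not Qualys code. It models how the two cardinalities from the "Pay attention to the cardinality" best practice and Step 4 decide pass/fail for a list of regular expressions. It assumes each expression is matched unanchored against each account name; the function name, host labels and account lists are constructed for illustration.

```python
import re

# Expected value as a list of regular expressions, one per entry, with the
# backslash escaped as Step 4 instructs.
EXPECTED = [
    r"BUILTIN\\Administrators",
    r"NT AUTHORITY\\LOCAL SERVICE",
    r"NT AUTHORITY\\NETWORK SERVICE",
]

def evaluate(actual, expected, cardinality):
    """Return (passed, offending) for one host.

    Assumption: each pattern is searched unanchored within each account name.
    offending = expected patterns with no match ("contains"), or
                actual accounts matching no pattern ("is contained in").
    """
    patterns = [re.compile(p) for p in expected]
    if cardinality == "contains":
        offending = [p.pattern for p in patterns
                     if not any(p.search(a) for a in actual)]
    elif cardinality == "is contained in":
        offending = [a for a in actual
                     if not any(p.search(a) for p in patterns)]
    else:
        raise ValueError(f"unsupported cardinality: {cardinality}")
    return (not offending, offending)

# Constructed actual values (not taken from a real policy report).
DEFAULTS = [r"BUILTIN\Administrators", r"NT AUTHORITY\LOCAL SERVICE",
            r"NT AUTHORITY\NETWORK SERVICE"]
HOSTS = {
    "only-defaults": DEFAULTS,
    "extra-account": DEFAULTS + [r"EXAMPLE\svc_backup"],
    "one-default": [r"BUILTIN\Administrators"],
    "loose-name": [r"BUILTIN\Administrators", "Joes Administrators"],
}

if __name__ == "__main__":
    for name, actual in HOSTS.items():
        for card in ("contains", "is contained in"):
            passed, offending = evaluate(actual, EXPECTED, card)
            print(f"{name:14} {card:16} {'PASS' if passed else 'FAIL'} {offending}")
    # The loose pattern "Administrators" lets the unintended group through.
    print(evaluate(HOSTS["loose-name"], ["Administrators"], "is contained in"))
```

The offending list shows why a host failed: missing expected entries under contains, or unauthorized accounts under is contained in.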
Additional Information
For complete information on QualysGuard Policy Compliance (PC) and its features, including compliance policies and reports, please refer to the Policy Compliance (PC) section of the QualysGuard online help (Help > Online Help). You can also refer to the QualysGuard Policy Compliance Getting Started Guide, which is available for download from the Resources section (Help > Resources).