
This document describes best practices for setting control values for Windows user rights controls in QualysGuard compliance policies.

About Windows User Rights Controls


Windows user rights controls in the Controls Library check the list of groups and user accounts that have been granted the particular user right that the control pertains to. For a Windows user rights control, customizing the control value to match expected user rights in the compliance policy is a necessary step for making your compliance reports accurate and useful.
Controls Library Showing Windows User Rights Controls

Copyright 2011 by Qualys, Inc. All Rights Reserved.

Tip: To search for Windows user rights controls, select Search above the list and use the following criteria: 1) the text "right", 2) the category Access Control Requirements, and 3) Windows technologies.

Best Practices
Here are best practices for setting control values for Windows user rights controls.

Generate a compliance report before setting the control value in the policy
Creating a policy with default control values and generating a policy report in PDF format lets you see how the data is returned before you attempt to modify the control value.

Use copy/paste from the Actual Value when possible
It is often faster to copy/paste the actual value from your policy report first into your text editor (such as Notepad or TextPad) and then into the expected value field in your policy. After the copy/paste, make minor modifications, such as adding a backslash to escape special characters in the expected value field.

Use a larger sample size of assets
Reviewing a policy report for many systems may reveal additional conditions you need to account for when specifying acceptable account entries. In the example below, we match just three common default accounts. If you run the compliance policy report for an asset group with 200+ systems, you may see many other accounts that could legitimately be authorized for the user right. A larger sample size therefore gives you a more complete picture before you commit to an expected value.

Pay attention to the cardinality
The cardinality selection in your policy determines how the control is evaluated for pass/fail status. The default cardinality for CID 2184 (used in the example below) is contains. If we specify the three default accounts with contains, the control passes whenever those three accounts are present, regardless of how many others are present as well. The actual value might list dozens of additional accounts and the control would still pass, which defeats the purpose of the check. Changing the cardinality to is contained in means the control passes only if every account found is one of the three specified accounts; the actual value may then have 0-3 entries, listing only those accounts.

Be as explicit as possible
In the example below, we entered the full path and account name (BUILTIN\\Administrators) for the control value rather than just Administrators, which is a common default value for these controls. Because the control value is evaluated as a regular expression, a bare Administrators matches any entry that contains that string, which causes problems if you have a naming convention where Administrators appears frequently (for example, Joe's Administrators would also pass).

Use lists of regular expressions
Some customers try to do everything on a single line, creating a very complex regular expression for the control value. The Policy Editor supports lists of regular expressions, which greatly improves the readability of both the policy and the report.

Example for Setting the Control Value for a User Rights Control
The steps below describe how to set the control value for CID 2184 Current list of Groups and User Accounts granted the Adjust memory quotas for a process right. You can follow the same steps to set the control value for any Windows user rights control. In this example, we want to confirm that the Adjust memory quotas for a process right is granted only to the accounts that legitimately need it: we match against three common default accounts that are usually present on each system and verify that no other account has been granted the right.

QualysGuard Tips and Techniques

The three default accounts we want to match are:
  BUILTIN\Administrators
  NT AUTHORITY\LOCAL SERVICE
  NT AUTHORITY\NETWORK SERVICE

Step 1: Create a policy with control ID 2184


Make these selections in the Policy Editor:
a) Add one or more asset groups to the policy that have already been scanned for compliance. Remember, when you run a compliance scan, all controls in the Controls Library are included in the scan, so you already have compliance data for your scanned hosts.
b) Keep the default control value as is for now. It's recommended that you first generate a policy report to see how the value is returned before you change the control value in the policy.



Step 2: Generate a Policy Report to see the Actual Value returned for the control
It's recommended that you generate the Policy Report in PDF format, because all fields are expanded by default, which makes it easier to see all the values returned and to copy/paste the actual value.


Step 3: In the Policy Report, go to Detailed Results and copy the Actual Value
Scroll down to the Detailed Results section of the Policy Report and follow these steps:
1. Select (highlight) and copy the three required accounts from the Actual Value field for the control. (Do not copy any additional accounts that might have been found.)
2. Paste the Actual Value text into your text editor (such as Notepad or TextPad). This step is recommended to make sure that unseen artifacts from the UI are stripped out.



Step 4: Edit the policy to change the expected value and cardinality
Make these selections in the Policy Editor:
a) Paste the Actual Value text from your text editor (copied from the PDF report) into the Expected Value field. The expected value is a regular expression, so if the value contains a backslash (such as BUILTIN\Administrators) you must add another backslash before it to escape the special character (BUILTIN\\Administrators); otherwise the single backslash is read as the start of an escape sequence rather than as a literal character.
b) Change the cardinality from contains to is contained in. With is contained in, the control passes only if every account detected is one of the three required accounts. If any other account is found, the control fails.



Step 5: Generate the Policy Report again and review the results
Review the Passed and Failed hosts to confirm that the control passes only when every account found is one of the three required accounts, and fails when any additional account is found. In the example below, IP 10.10.25.203 failed because accounts other than the three required accounts were found. IP 10.10.25.249 passed because only the three required accounts were found. A host also passes if only one or two of the required accounts are found, or none at all, because is contained in only requires that nothing outside the expected list be present; if your policy also requires that all three accounts actually be granted the right, this cardinality alone does not verify that.
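The following is an added example, not part of the original guide and not Qualys code: it models the cardinality behaviour described under Best Practices and in Steps 4 and 5 so you can see, before editing a policy, why contains lets extra accounts through, why a bare Administrators also matches Joe's Administrators, and why the backslash must be doubled. The matching semantics (each expected line is a regular expression searched against each actual entry; contains means every expected pattern must match some entry, is contained in means every entry must match some expected pattern) are an assumption based on the behaviour the guide describes, not a statement of how the Qualys engine is implemented. The secedit export fragment is constructed for the example (the last SID is invented); on a real host you would obtain it with secedit /export /cfg <file>, where the Adjust memory quotas for a process right appears as SeIncreaseQuotaPrivilege. The three well-known SIDs are the standard Windows values for the three default accounts.

```python
"""Model of how a Windows user rights control value is evaluated under the
"contains" and "is contained in" cardinalities.  Illustrative code only;
the matching rules below are assumptions, not the Qualys implementation."""
import re

# Standard well-known SIDs for the three default accounts in the guide.
WELL_KNOWN_SIDS = {
    "S-1-5-32-544": r"BUILTIN\Administrators",
    "S-1-5-19": r"NT AUTHORITY\LOCAL SERVICE",
    "S-1-5-20": r"NT AUTHORITY\NETWORK SERVICE",
}

# Constructed sample of the [Privilege Rights] section of a secedit export.
# The S-1-5-21-... entry is invented to represent an extra, unexpected grant.
SECEDIT_SAMPLE = """\
[Privilege Rights]
SeIncreaseQuotaPrivilege = *S-1-5-32-544,*S-1-5-19,*S-1-5-20,*S-1-5-21-1111-2222-3333-1001
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
"""


def parse_user_right(export_text, privilege, sid_names=WELL_KNOWN_SIDS):
    """Return the list of accounts granted `privilege` in a secedit export.

    Entries are written as *SID; SIDs that are not in the map are returned
    as-is, which is what you see until they are resolved on the host."""
    for line in export_text.splitlines():
        if "=" not in line:
            continue
        name, _, value = line.partition("=")
        if name.strip() == privilege:
            sids = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
            return [sid_names.get(s, s) for s in sids]
    return []


def evaluate(actual, expected, cardinality):
    """Evaluate an actual account list against a list of expected regexes.

    Assumed semantics (not the vendor's documented algorithm):
      contains:         every expected pattern must match some actual entry,
                        so extra accounts never cause a failure.
      is contained in:  every actual entry must match some expected pattern,
                        so any account outside the list causes a failure and
                        an empty actual list passes."""
    patterns = [re.compile(p) for p in expected]
    if cardinality == "contains":
        return all(any(p.search(a) for a in actual) for p in patterns)
    if cardinality == "is contained in":
        return all(any(p.search(a) for p in patterns) for a in actual)
    raise ValueError(f"unknown cardinality: {cardinality}")


# What Step 4 tells you to paste: full account names, backslash doubled so it
# is a literal backslash in the regex, and anchored so nothing else matches.
EXPECTED_STRICT = [
    r"^BUILTIN\\Administrators$",
    r"^NT AUTHORITY\\LOCAL SERVICE$",
    r"^NT AUTHORITY\\NETWORK SERVICE$",
]

# The loose form the guide warns against: unanchored group names only.
EXPECTED_LOOSE = [r"Administrators", r"LOCAL SERVICE", r"NETWORK SERVICE"]


def compare_cardinalities(actual, expected):
    """Return the pass/fail result under both cardinalities for one host."""
    return {c: evaluate(actual, expected, c)
            for c in ("contains", "is contained in")}


if __name__ == "__main__":
    host_with_extra = parse_user_right(SECEDIT_SAMPLE, "SeIncreaseQuotaPrivilege")
    print("actual value:", host_with_extra)
    print("strict expected value:", compare_cardinalities(host_with_extra, EXPECTED_STRICT))
    joes = [r"CORP\Joe's Administrators"]
    print("loose expected value vs Joe's Administrators:",
          compare_cardinalities(joes, EXPECTED_LOOSE))
    print("strict expected value vs Joe's Administrators:",
          compare_cardinalities(joes, EXPECTED_STRICT))
```

Run as-is: the host with the invented fourth grant passes under contains and fails under is contained in, which is the result Step 5 expects; Joe's Administrators passes the loose, unanchored expected value and fails the strict one. A host granting the right to nobody passes under is contained in, so use this cardinality when the goal is "nothing beyond this list", as in the guide, rather than "all of these must be present".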

Additional Information
For complete information on QualysGuard Policy Compliance (PC) and its features, including compliance policies and reports, please refer to the Policy Compliance (PC) section of the QualysGuard online help (Help > Online Help). You can also refer to the QualysGuard Policy Compliance Getting Started Guide, which is available for download from the Resources section (Help > Resources).

