Control Compliance Suite


Implementing HKEY_USERS check in CCS “CIS Microsoft Windows Server 2012 V 1.0.0” standard 

Jun 24, 2016 11:37 AM

As of SCU2016-1 there is only the “CIS Microsoft Windows Server 2012 V 1.0.0” standard in the Predefined folder, which is now a few years old and lags behind the latest CIS benchmarks:

CIS Microsoft Windows Server 2012 non-R2 Benchmark v2.0.0
CIS Microsoft Windows Server 2012 R2 Benchmark v2.2.0

In this article I’ll focus on implementing the following checks from the above CIS benchmarks, which can extend the existing predefined standard:

  • 19.1.3.1 (L1) Ensure 'Enable screen saver' is set to 'Enabled' (Scored)

  • 19.1.3.2 (L1) Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr' (Scored)

  • 19.1.3.3 (L1) Ensure 'Password protect the screen saver' is set to 'Enabled' (Scored)

  • 19.1.3.4 (L1) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0' (Scored)

  • 19.7.4.1 (L1) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled' (Scored)

  • 19.7.4.2 (L1) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled' (Scored)

  • 19.7.37.1 (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled' (Scored)

What these controls have in common is that they are all GPO User Configuration settings, which pose some specific challenges due to the way the Windows registry and CCS work. Since the GPO settings apply to the User object, after enabling/setting one the corresponding registry key is placed under the HKEY_USERS\<SID>\ hive and also appears under the HKCU hive. In my testing I was not able to get CCS to scan HKCU, so I focused on how to scan HKEY_USERS\<SID>\ for a specific registry key, and I’ve accomplished this with the “Key/Value Name Matches Pattern” filter statement.

So let’s start with the technical details:

  1. Here is the summary of the GPO settings and the corresponding registry keys we want to check (the check ids follow the numbering used throughout this article):

    | Check id  | Policy | Policy value | GPO path | Registry path | Registry value |
    |-----------|--------|--------------|----------|---------------|----------------|
    | 19.1.3.1  | Enable screen saver | Enabled | User Configuration/Administrative Templates/Control Panel/Personalization | HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveActive | REG_SZ=1 |
    | 19.1.3.2  | Force specific screen saver | Enabled: scrnsave.scr | User Configuration/Administrative Templates/Control Panel/Personalization | HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop\SCRNSAVE.EXE | REG_SZ=scrnsave.scr |
    | 19.1.3.3  | Password protect screen saver | Enabled | User Configuration/Administrative Templates/Control Panel/Personalization | HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaverIsSecure | REG_SZ=1 |
    | 19.1.3.4  | Screen saver timeout | 900 or less but not 0 | User Configuration/Administrative Templates/Control Panel/Personalization | HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveTimeOut | REG_SZ=900 or less but not 0 |
    | 19.7.4.1  | Do not preserve zone information in file attachments | Disabled or Not Configured | User Configuration/Administrative Templates/Windows Components/Attachment Manager | HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\SaveZoneInformation | REG_DWORD=2 |
    | 19.7.4.2  | Notify antivirus programs when opening attachments | Enabled | User Configuration/Administrative Templates/Windows Components/Attachment Manager | HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\ScanWithAntiVirus | REG_DWORD=3 |
    | 19.7.37.1 | Always install with elevated privileges | Disabled or Not Configured | User Configuration/Administrative Templates/Windows Components/Windows Installer, and Computer Configuration/Administrative Templates/Windows Components/Windows Installer | HKCU\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated, and HKLM\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated | REG_DWORD=0 |
  2. Below is the information necessary to create the checks, together with the description and remediation info.
    One challenge here is how to configure the check when the data item is missing (the registry key does not exist). I’ve opted for Unknown (Manual review required), since if the key does not exist it could be because no user was logged on at the time CCS was performing the scan, so no hive was loaded, which does not mean the settings are not configured at the GPO level. Another problem with this solution is the case of a stale user hive (or a user that never logs off) loaded under HKEY_USERS, which might have different settings than expected and settings that conflict with the GPO. We will leave that as room for improving the current solution.

    Each check below is listed in the order: Check name, Description, Formula, Remediation.

    19.1.3.1 Ensure 'Enable screen saver' is set to 'Enabled'

    This check passes if registry value data "HKU\<SID>\Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveActive" is set to 1

    [Value as String Equal To '1' Where Key/Value Name Matches Pattern '/HKU\\.*\\Software\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop\\ScreenSaveActive/' with Missing Data Outcome being 'Manual Review' and Multiple Data Operator being 'AND' ]

    1. Click Start ; Run.
    2. At the command prompt, execute gpedit.msc.
    3. Click User Configuration; Administrative Templates; Control Panel; Personalization.
    4. Open the Enable screen saver policy.
    5. In the Properties dialog box, on the Setting tab, click Enabled.
    6. Click Ok.

    Alternatively, do the following:
    1. Click Start -> Run.
    2. In the Run dialog box, type regedit and click Ok.
    3. In the Registry Editor, navigate to HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop
    4. If the ScreenSaveActive does not exist, do the following:
    * Right-click the Desktop key and click New -> String.
    * Name as ScreenSaveActive.
    5. Right-click ScreenSaveActive and click Modify.
    6. In the Value data box, type 1 and click Ok.
    7. Close the Registry Editor.

    Warning: The system may be damaged severely if the registry is edited incorrectly. Back up any valued data before editing the registry.

    19.1.3.2 Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr'

    This check passes if registry value data "HKU\<SID>\Software\Policies\Microsoft\Windows\Control Panel\Desktop\SCRNSAVE.EXE" is set to scrnsave.scr

    [Value as String Matches Pattern '/scrnsave.scr/' Where Key/Value Name Matches Pattern '/HKU\\.*\\Software\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop\\SCRNSAVE.EXE/i' with Missing Data Outcome being 'Manual Review' and Multiple Data Operator being 'AND' ]

    1. Click Start ; Run.
    2. At the command prompt, execute gpedit.msc.
    3. Click User Configuration; Administrative Templates; Control Panel; Personalization.
    4. Open the Force specific screen saver policy.
    5. In the Properties dialog box, on the Setting tab, click Enabled.
    6. in the Screen saver executable name field: type scrnsave.scr
    7. Click Ok.

    Alternatively, do the following:
    1. Click Start -> Run.
    2. In the Run dialog box, type regedit and click Ok.
    3. In the Registry Editor, navigate to HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop
    4. If the scrnsave.exe does not exist, do the following:
    * Right-click the Desktop key and click New -> String.
    * Name as scrnsave.exe.
    5. Right-click scrnsave.exe and click Modify.
    6. In the Value data box, type scrnsave.scr and click Ok.
    7. Close the Registry Editor.

    Warning: The system may be damaged severely if the registry is edited incorrectly. Back up any valued data before editing the registry.

    19.1.3.3 Ensure 'Password protect the screen saver' is set to 'Enabled'

    This check passes if registry value data "HKU\<SID>\Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaverIsSecure" is set to 1

    [Value as String Equal To '1' Where Key/Value Name Matches Pattern '/HKU\\.*\\Software\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop\\ScreenSaverIsSecure/' with Missing Data Outcome being 'Manual Review' and Multiple Data Operator being 'AND' ]

    1. Click Start ; Run.
    2. At the command prompt, execute gpedit.msc.
    3. Click User Configuration; Administrative Templates; Control Panel; Personalization.
    4. Open the Password protect screen saver policy.
    5. In the Properties dialog box, on the Setting tab, click Enabled.
    6. Click Ok.

    Alternatively, do the following:
    1. Click Start -> Run.
    2. In the Run dialog box, type regedit and click Ok.
    3. In the Registry Editor, navigate to HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop
    4. If the ScreenSaverIsSecure does not exist, do the following:
    * Right-click the Desktop key and click New -> String.
    * Name as ScreenSaverIsSecure.
    5. Right-click ScreenSaverIsSecure and click Modify.
    6. In the Value data box, type 1 and click Ok.
    7. Close the Registry Editor.

    Warning: The system may be damaged severely if the registry is edited incorrectly. Back up any valued data before editing the registry.

    19.1.3.4 Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'

    This check passes if registry value data "HKU\<SID>\Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveTimeOut" is set to 900 or less, but not 0 (zero)

    [Value as String Matches Pattern '/^([1-9]|[1-9][0-9]|[1-8][0-9][0-9]|900)$/' Where Key/Value Name Matches Pattern '/HKU\\.*\\Software\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop\\ScreenSaveTimeOut/' with Missing Data Outcome being 'Manual Review' and Multiple Data Operator being 'AND' ]

    1. Click Start ; Run.
    2. At the command prompt, execute gpedit.msc.
    3. Click User Configuration ; Administrative Templates; Control Panel; Personalization.
    4. Open the Screen saver timeout policy.
    5. In the Properties dialog box, on the Setting tab, click Enabled.
    6. In the Seconds field, ensure value is 900 or less, but not 0 (zero)
    7. Click Ok.

    Alternatively, do the following:
    1. Click Start -> Run.
    2. In the Run dialog box, type regedit and click Ok.
    3. In the Registry Editor, navigate to HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop
    4. If the ScreenSaveTimeOut does not exist, do the following:
    * Right-click the Desktop key and click New -> String.
    * Name as ScreenSaveTimeOut
    5. Right-click ScreenSaveTimeOut and click Modify.
    6. In the Value data box, type 900 or less, but not 0 (zero), and click Ok.
    7. Close the Registry Editor.

    Warning: The system may be damaged severely if the registry is edited incorrectly. Back up any valued data before editing the registry.

    19.7.4.1 Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'

    This check passes if registry value data "HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\SaveZoneInformation" is not configured or set to 2

    [Value as DWORD Equal To '2' Where Key/Value Name Matches Pattern '/HKU\\.*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Attachments\\SaveZoneInformation/' with Missing Data Outcome being 'Manual Review' and Multiple Data Operator being 'AND' ]

    1. Click Start ; Run.
    2. At the command prompt, execute gpedit.msc.
    3. Click User Configuration; Administrative Templates; Windows Components; Attachment Manager.
    4. Open the Do not preserve zone information in file attachments policy.
    5. In the Properties dialog box, on the Setting tab, click Disabled or Not Configured.
    6. Click Ok.

    Alternatively, do the following:
    1. Click Start -> Run.
    2. In the Run dialog box, type regedit and click Ok.
    3. In the Registry Editor, navigate to HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
    4. If the SaveZoneInformation does exist, do the following:
    5. Right-click SaveZoneInformation and click Modify.
    6. In the Value data box, type 2 and click Ok.
    7. Close the Registry Editor.

    Warning: The system may be damaged severely if the registry is edited incorrectly. Back up any valued data before editing the registry.

    19.7.4.2 Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'

    This check passes if registry value data "HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\ScanWithAntiVirus" is set to 3

    [Value as DWORD Equal To '3' Where Key/Value Name Matches Pattern '/HKU\\.*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Attachments\\ScanWithAntiVirus/' with Missing Data Outcome being 'Manual Review' and Multiple Data Operator being 'AND' ]

    1. Click Start ; Run.
    2. At the command prompt, execute gpedit.msc.
    3. Click User Configuration; Administrative Templates; Windows Components; Attachment Manager.
    4. Open the Notify antivirus programs when opening attachments policy.
    5. In the Properties dialog box, on the Setting tab, click Enabled.
    6. Click Ok.

    Alternatively, do the following:
    1. Click Start -> Run.
    2. In the Run dialog box, type regedit and click Ok.
    3. In the Registry Editor, navigate to HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
    4. If the ScanWithAntiVirus does not exist, do the following:
    * Right-click the Attachments key and click New -> DWORD (32-bit) Value.
    * Name as ScanWithAntiVirus
    5. Right-click ScanWithAntiVirus and click Modify.
    6. In the Value data box, type 3 and click Ok.
    7. Close the Registry Editor.

    Warning: The system may be damaged severely if the registry is edited incorrectly. Back up any valued data before editing the registry.

    19.7.37.1 Ensure 'Always install with elevated privileges' is set to 'Disabled'

    This check passes if registry value data "HKLM\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated" is either not configured or set to 0, and if registry value data "HKU\<SID>\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated" is either not configured or set to 0.

    [Windows Installer: Always install with elevated privileges Not Equal To '[Enabled]' with Missing Data Outcome being 'Pass' and Multiple Data Operator being 'AND' ] AND [Value as DWORD Equal To '0' Where Key/Value Name Matches Pattern '/HKU\\.*\\Software\\Policies\\Microsoft\\Windows\\Installer\\AlwaysInstallElevated/' with Missing Data Outcome being 'Manual Review' and Multiple Data Operator being 'AND' ]

    1. Click Start ; Run.
    2. At the command prompt, execute gpedit.msc.
    3. Click User Configuration; Administrative Templates; Windows Components; Windows Installer.
    4. Open the Always install with elevated privileges policy.
    5. In the Properties dialog box, on the Setting tab, click Disabled or Not Configured.
    6. Click Ok.
    7. Click Computer Configuration ; Administrative Templates; Windows Components; Windows Installer.
    8. Open the Always install with elevated privileges policy.
    9. In the Properties dialog box, on the Setting tab, click Disabled or Not Configured.
    10. Click Ok.

    Alternatively, do the following:
    1. Click Start -> Run.
    2. In the Run dialog box, type regedit and click Ok.
    3. In the Registry Editor, navigate to HKCU\Software\Policies\Microsoft\Windows\Installer
    4. If the AlwaysInstallElevated does exist, do the following:
    5. Right-click AlwaysInstallElevated and click Modify.
    6. In the Value data box, type 0 and click Ok.
    7. Navigate to HKLM\Software\Policies\Microsoft\Windows\Installer
    8. If the AlwaysInstallElevated does exist, do the following:
    9. Right-click AlwaysInstallElevated and click Modify.
    10. In the Value data box, type 0 and click Ok.
    11. Close the Registry Editor.

    Warning: The system may be damaged severely if the registry is edited incorrectly. Back up any valued data before editing the registry.

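As an added example (not the article's own code and not part of CCS), the following PowerShell script performs the same HKEY_USERS\<SID> sweep the checks above describe, so CCS results can be cross-checked directly on a host; the function name, the SID filter and the result layout are my own choices.

```powershell
# Added example, not from the article or from CCS: audits the seven user-hive
# values listed above under every loaded HKEY_USERS\<SID> hive, reporting the
# same outcomes the CCS formulas use (Pass, Fail, Manual Review when missing).
$Checks = @(
    @{ Id = '19.1.3.1';  Key = 'Software\Policies\Microsoft\Windows\Control Panel\Desktop';      Name = 'ScreenSaveActive';      Test = { param($v) "$v" -eq '1' } }
    @{ Id = '19.1.3.2';  Key = 'Software\Policies\Microsoft\Windows\Control Panel\Desktop';      Name = 'SCRNSAVE.EXE';          Test = { param($v) "$v" -match '(?i)scrnsave\.scr' } }
    @{ Id = '19.1.3.3';  Key = 'Software\Policies\Microsoft\Windows\Control Panel\Desktop';      Name = 'ScreenSaverIsSecure';   Test = { param($v) "$v" -eq '1' } }
    @{ Id = '19.1.3.4';  Key = 'Software\Policies\Microsoft\Windows\Control Panel\Desktop';      Name = 'ScreenSaveTimeOut';     Test = { param($v) "$v" -match '^([1-9]|[1-9][0-9]|[1-8][0-9][0-9]|900)$' } }
    @{ Id = '19.7.4.1';  Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Attachments'; Name = 'SaveZoneInformation';   Test = { param($v) $v -eq 2 } }
    @{ Id = '19.7.4.2';  Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Attachments'; Name = 'ScanWithAntiVirus';     Test = { param($v) $v -eq 3 } }
    @{ Id = '19.7.37.1'; Key = 'Software\Policies\Microsoft\Windows\Installer';                  Name = 'AlwaysInstallElevated'; Test = { param($v) $v -eq 0 } }
)

# HKU is not a default PowerShell drive; map it so Get-ItemProperty can read per-user hives.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

function Test-RegistryPolicy {
    param([string]$KeyPath, [string]$ValueName, [scriptblock]$Test, [string]$MissingOutcome = 'Manual Review')
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    # Key or value absent: for a user hive this may only mean no user was logged on during the scan.
    if ($null -eq $item) { return $MissingOutcome }
    if (& $Test $item.$ValueName) { 'Pass' } else { 'Fail' }
}

# Only real account hives (S-1-5-21-...) are audited; .DEFAULT, the service SIDs and
# the *_Classes hives carry no User Configuration policy values (assumed filter).
$userHives = Get-ChildItem -Path HKU:\ | Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' }

$results = @(foreach ($hive in $userHives) {
    foreach ($c in $Checks) {
        [pscustomobject]@{
            Hive    = $hive.PSChildName
            Check   = $c.Id
            Value   = $c.Name
            Outcome = Test-RegistryPolicy -KeyPath "HKU:\$($hive.PSChildName)\$($c.Key)" -ValueName $c.Name -Test $c.Test
        }
    }
})

# 19.7.37.1 also has a machine-wide half under HKLM; as in the CCS formula, a missing value passes.
$results += [pscustomobject]@{
    Hive = 'HKLM'; Check = '19.7.37.1'; Value = 'AlwaysInstallElevated'
    Outcome = Test-RegistryPolicy -KeyPath 'HKLM:\Software\Policies\Microsoft\Windows\Installer' -ValueName 'AlwaysInstallElevated' -Test { param($v) $v -eq 0 } -MissingOutcome 'Pass'
}

$results | Sort-Object Hive, Check | Format-Table -AutoSize
```

Run it in an elevated session while the users of interest are logged on; a hive that shows Manual Review for every check is the "no user logged on" case discussed above, while a stale hive shows up as its own SID row with its own outcomes.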
The implemented checks are also attached as a separate standard in this article: User Admin templates.Xml

$ md5sum "User Admin templates.zip"
5ac4b5ca545f7db43c401c7c8ce5c4c9 *User Admin templates.zip
Attachment: User Admin templates.zip (4 KB, 1 version), uploaded Feb 25, 2020