Windows Admin Users Compliance Status

Versioning - This is the latest version.

1. Windows Admin Users Compliance Status - 9/15/2018 9:15:36 PM
2. Windows Admin Users Compliance Status - 9/17/2018 9:29:14 PM

Description

Note:

1.  If the task "Deploy ComplianceWhitelist File" has not yet been run, the Status may show "No Compliance Whitelist on Endpoint".
2.  The file ComplianceWhitelist.txt should be created on the BES Server prior to running the above task.
3.  If the names of the files in the "Deploy Compliance Whitelist File" task and the "Enforce Compliance" Fixlet have been changed, those changes should also be made in this analysis; otherwise the analysis may show a status of "No Whitelist File on Endpoint".

Properties Description:

Status
Compliant: All users in the Administrators group are in the ComplianceWhitelist.txt file.
Not-Compliant: There are users in the local Administrators group that are NOT in the ComplianceWhitelist.txt file.

Unauthorized Admins
If the status shows Not-Compliant, this field shows which users in the endpoint's local Administrators group are NOT in the ComplianceWhitelist.txt file.

Name/PWD Age of Admins
Displays the members of the local Administrators group together with the password age of each of those users. This is useful for determining whether any admin user is violating corporate password policy and creating a potential vulnerability.

Whitelist Files Match
Compares the hash of the ComplianceWhitelist.txt file on the endpoint with the hash of the backup file created by the 'Deploy Whitelist' task. If there is a mismatch, it is likely that someone has modified the primary whitelist file to fool the policy.

Primary File hash
The SHA-1 hash of the primary 'whitelist' file. A difference between this and the hash on other clients, or this client's backup file, likely indicates that someone has made unauthorized changes to this file.

Backup File hash
The SHA-1 hash of the backup 'whitelist' file. If someone makes unauthorized changes to the primary whitelist file, there will likely be a difference between the hashes of the primary and the backup files.

Primary File Date
The modification date of the primary whitelist file. If the date differs from that of the 'official' whitelist file, an operator can detect that the file on this computer may not be the same as the 'official' version.

Backup File Date
The modification date of the backup whitelist file. If the date differs from that of the 'official' whitelist file or of the primary whitelist file, an operator can detect that the file(s) on this computer may not be the same as the 'official' version.
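The Status, Unauthorized Admins and Whitelist Files Match checks described above, modelled offline in Python as an added example (this is not the analysis's own relevance code). The Administrators group members and both whitelist files are constructed sample data; the comparison strips the AUTHORITY\ prefix, ignores blank lines and is case-insensitive, since Windows account names are not case sensitive.

```python
import hashlib

# Constructed stand-ins for what the BigFix inspectors return:
# members of the local Administrators group come back as "AUTHORITY\name".
LOCAL_ADMINS = [
    r"WORKSTATION01\Administrator",
    r"CORP\Desktop Admins",
    r"CORP\jdoe",
    r"WORKSTATION01\svc_backup",
]
# Constructed ComplianceWhitelist.txt contents: the primary copy on the endpoint
# has had "jdoe" appended after deployment; the backup is the deployed original.
PRIMARY_WHITELIST = "Administrator\nDesktop Admins\nsvc_backup\njdoe\n"
BACKUP_WHITELIST = "Administrator\nDesktop Admins\nsvc_backup\n"


def account_name(member):
    """Drop the AUTHORITY\\ prefix, like 'following text of first "\\"'."""
    return member.split("\\", 1)[1] if "\\" in member else member


def whitelist_entries(text):
    """One normalised entry per non-blank line of the whitelist file."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def unauthorized_admins(members, whitelist_text):
    """'Unauthorized Admins': group members that are not on the whitelist."""
    admins = {account_name(m).lower() for m in members}
    return sorted(admins - whitelist_entries(whitelist_text))


def compliance_status(members, whitelist_text):
    """'Status': None stands for a missing ComplianceWhitelist.txt."""
    if whitelist_text is None:
        return "No Compliance Whitelist on Endpoint"
    if unauthorized_admins(members, whitelist_text):
        return "Not-Compliant"
    return "Compliant"


def sha1_hex(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def whitelist_files_match(primary_text, backup_text):
    """'Whitelist Files Match': SHA-1 of the primary file against the backup.
    False means the primary whitelist changed after it was deployed, which is
    what catches an admin who adds their own account to the list."""
    return sha1_hex(primary_text) == sha1_hex(backup_text)
```

Against the constructed data the tampered primary file yields "Compliant" while the backup yields "Not-Compliant" with jdoe listed, and the hash comparison reports a mismatch, which is the signal an operator should act on.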


Property Details

ID: 2998597
Status: Beta - Preliminary testing ready for more
Title: Windows Admin Users Compliance Status
Domain: BESC
Keywords: Manage Local Windows Administrators
Added by on 9/17/2018 9:29:14 PM
Last Modified by on 9/17/2018 9:29:14 PM
Counters: 325 Views / 6 Downloads

Properties

Status
Period: Every Report
if exists file (parent folder of regapp "besclient.exe" as string & "\ComplianceWhitelist\ComplianceWhitelist.txt") then if number of (elements of (set of ((following texts of firsts "\" of unique values of ((members of local group "Administrators") as string) as lowercase)) - set of (unique values of (lines of file (parent folder of regapp "besclient.exe" as string & "\ComplianceWhitelist\ComplianceWhitelist.txt") as lowercase)))) = 0 then "Compliant" else "Not-Compliant" else "No Compliance Whitelist on Endpoint"
Unauthorized Admins
Period: Every Report
if exists file (parent folder of regapp "besclient.exe" as string & "\ComplianceWhitelist\ComplianceWhitelist.txt") then "[" & concatenation "] - [" of (elements of (set of ((following texts of firsts "\" of unique values of ((members of local group "Administrators") as string) as lowercase)) - set of (unique values of (lines of file (parent folder of regapp "besclient.exe" as string & "\ComplianceWhitelist\ComplianceWhitelist.txt") as lowercase)))) & "]" else "No Compliance Whitelist on Endpoint"
Whitelist Files Match
Period: Every Report
if exists file (((data folder of client) as string) & "\__Global\__Download\actionsite\_listbackup.txt") then if exists file ((parent folder of regapp "BESClient.exe" as string) & "\ComplianceWhitelist\ComplianceWhitelist.txt") then (sha1 of file (((data folder of client) as string) & "\__Global\__Download\actionsite\_listbackup.txt") = sha1 of file ((parent folder of regapp "BESClient.exe" as string) & "\ComplianceWhitelist\ComplianceWhitelist.txt")) as string else "Primary Whitelist File Missing" else "Whitelist Backup File Missing"

Backup File hash
Period: Every Report
if exists file (((data folder of client) as string) & "\__Global\__Download\actionsite\_listbackup.txt") then (sha1 of file (((data folder of client) as string) & "\__Global\__Download\actionsite\_listbackup.txt")) else "Backup Whitelist File Missing"

Primary File hash
Period: Every Report
if exists file ((parent folder of regapp "BESClient.exe" as string) & "\ComplianceWhitelist\ComplianceWhitelist.txt") then sha1 of file ((parent folder of regapp "BESClient.exe" as string) & "\ComplianceWhitelist\ComplianceWhitelist.txt") else "Primary Whitelist File Missing"

Primary File Date
Period: Every Report
if exists file ((parent folder of regapp "BESClient.exe" as string) & "\ComplianceWhitelist\ComplianceWhitelist.txt") then (modification time of file ((parent folder of regapp "BESClient.exe" as string) & "\ComplianceWhitelist\ComplianceWhitelist.txt")) as string else "Primary Whitelist File Missing"

Backup File Date
Period: Every Report
if exists file (((data folder of client) as string) & "\__Global\__Download\actionsite\_listbackup.txt") then (modification time of file (((data folder of client) as string) & "\__Global\__Download\actionsite\_listbackup.txt")) as string else "Backup Whitelist File Missing"
Name/PWD Age of Admins
Period: 1 day
"[" & concatenation "] - [" of (((names of it, password age of it) of users whose (admin privilege of it)) as string) & "]"

Relevance

isWindows (Relevance 274)
Used in 220 fixlets and 3 analyses
name of operating system starts with "Win"
