AnsweredAssumed Answered

QualysGuard PC - Control Parameter Configuration - CID 4528 Current list of 'Windows Shares (Local)' which are readable by the 'Everyone' group on the system

Question asked by Jason Creech on Jun 1, 2012

Hi All,

 

Occasionally, I receive requests on how to configure controls in the Policy Compliance service.  This discussion is an example of how to configure control (CID) 4528 so that it will "Fail" if any shares are discovered that are readable by the 'Everyone' group.  The default value is  a wild card so the control will pass on all conditions if not modified.

 

This is an actual example I received from a customer this week.  The technology used in this example is Windows 2008 but the process is applicable to the other Windows flavors for this control.

 

Simple Explanation: To configure control 4528 so that it fails if “any” share value is returned, you just need to paste, “No readable shares found”, (minus the double quotes) in the expected value of CID 4528 in the appropriate policy.  This is the text the PC scan returns when no shares are found that are readable by the everyone group.

 

Detailed Explanation:  I went ahead and tested the example so you can see the actual screen shots of how this works.

 

Here is what the default control looks like when shares exist, there were three shares returned for this Windows 2008 server, the default expected value is .* which will cause the control to pass no matter what isreturned by the scan:

 

CID 4528 Default Value.jpg

 

 

Here is what the control looks like if no shares exist, note that the text “No readable shares found” is returned. To configure the control,  you just need to paste that text in the expect value field for the control in the applicable policy.

 

Below you can see the control passes now because no shares were found that met the expected criteria:

 

CID 4528 Modified Value, no shares returned.jpg

 

 

To test the reverse logic to confirm the control will fail if a share is found that meets the criteria, for this system,  three shares were returned that are readable by everyone group so I can confirm the control did fail as expected:

 

CID 4528 Modified Value, shares returned fails.jpg

 

 

Best regards,

 

 

Jason Creech

Director, Policy Compliance Qualys, Inc. | On Demand Security | http://www.qualys.com
Blog:
http://news.qualys.comTwitter: http://twitter.com/qualysJoin our community: http://community.qualys.com

Outcomes