
Policy Compliance: Windows User Syntax using Regex

Discussion created by malderman on Feb 28, 2011

During a call last week, we were asked to provide some example syntaxes on how to evaluate Windows Users in Policy Compliance using regular expressions.  There seems to be some confusion with the various operators and how they are evaluated in policies.  To see a list of all operators for Policy Compliance, please visit the following help section within QualysGuard: https://qualysguard.qualys.com/qwebhelp/fo_help/module_pc/policies/control_values_strings.htm.

Windows Users are returned as a list string; therefore, the examples below will use the following operators (X is the Actual value returned from the host, Y is the Expected value configured in the policy):

CARDINALITY         YOU ARE COMPLIANT WHEN
contains            X contains all of Y
does not contain    X does not contain any of Y
intersect           any string in X matches any string in Y
matches             all strings in X match all strings in Y (listed in any order)
is contained in     all strings in X are contained in Y

Now for a few examples:

2184 Current list of Groups and User Accounts granted the 'Adjust memory quotas for a process' right     Failed

The 'Adjust memory quotas for a process' right would allow an application, process, service, or user to increase the processor power assigned to a specific process' execution, thus preempting other jobs in the processor queue. (In the default installation, this right is given only to 'Administrators,' 'Local Service,' and 'Network Service.') As this privilege could easily be misused to create a DoS condition, this right should be limited as appropriate to the needs of the business. (See http://technet.microsoft.com/en-us/library/bb457125.aspx.)

The following List String value(s) X indicate the current Groups and Users granted the Adjust memory quotas for a process user right.

Expected (matches regular expression list):
BUILTIN\.*

Actual:
BUILTIN\Administrators
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE

This control fails since there are other Groups/Users besides BUILTIN\.* in the Actual value.  "Matches" requires every string in the Actual value to match BUILTIN\.*.

2186 Current list of Groups and User Accounts granted the 'Back up files and directories' right     Passed

The 'Back up files and directories' right allows the user to perform backups by circumventing file and directory permissions. (In the default installation, this right is granted to Administrators and Backup Operators.) As this right could be used to traverse and read attributes for all files and directories, Groups and User Accounts granted the 'Back up files and directories' right should be restricted as appropriate to the needs of the business.

The following List String value(s) X indicate the current Groups and Users granted the Back up files and directories user right.

Expected (contains regular expression list):
BUILTIN\.*

Actual:
BUILTIN\Administrators
BUILTIN\Backup Operators

This control passes since there are only Groups/Users from BUILTIN\.* in the Actual value, so "Contains" is satisfied.

2187 Current list of Groups and User Accounts granted the 'Bypass Traverse Checking' right     Failed

The 'Bypass Traverse Checking' right allows users to pass through folders while navigating an object path within the file system or registry. As the user may not have access to such directories, this right allows the user to traverse the directories while not listing the contents of the directories. (In the default configuration, this right is granted to Administrators, Backup Operators, Power Users, Users, and Everyone.) Groups and User Accounts granted the 'Bypass Traverse Checking' right should be restricted as appropriate to the needs of the business.

The following List String value(s) X indicate the current Groups and Users granted the Bypass Traverse Checking user right.

Expected (does not contain regular expression list):
Everyone

Actual:
BUILTIN\Administrators
BUILTIN\Backup Operators
BUILTIN\Power Users
BUILTIN\Users
\Everyone

This control fails since \Everyone is in the list.  "Does not contain" requires that no string in the Actual value contain Everyone.

2191 Current list of Groups and User Accounts granted the 'Change the system time' right     Failed

The 'Change the system time' user right allows users to alter the date/time on the system's internal clock. (The default configuration grants this right to Administrators and Power Users.) As this right would allow changes in the recording of times in the audit trail as stored by the Event Log, as well as being of critical importance for Kerberos authentication, Groups and User Accounts granted this right should be restricted as appropriate to the needs of the business.

The following List String value(s) X indicate the current Groups and Users granted the Change the system time user right.

Expected (is contained in regular expression list):
Administrators

Actual:
BUILTIN\Administrators
BUILTIN\Power Users

This control fails since BUILTIN\Power Users is in the list.  "Is contained in" requires all strings in the Actual value to match Administrators.
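As an added illustration (not part of the original discussion and not Qualys code), here are the five list-string operators from the table above modelled in Python and run against the four controls in this post. It assumes an Expected regex matches an Actual string when it is found anywhere in that string, which is the reading consistent with control 2187.

```python
import re

# Assumption (not stated in the post): an Expected regex "matches" an Actual string
# when it is found anywhere in it (re.search, unanchored). That reading is the one
# consistent with control 2187, where the pattern Everyone matches \Everyone.
def _hits(pattern, strings):
    return any(re.search(pattern, s) for s in strings)

def contains(actual, expected):            # X contains all of Y
    return all(_hits(p, actual) for p in expected)
def does_not_contain(actual, expected):    # X does not contain any of Y
    return not any(_hits(p, actual) for p in expected)
def intersect(actual, expected):           # any string in X matches any string in Y
    return any(_hits(p, actual) for p in expected)
def matches(actual, expected):             # all strings in X match all strings in Y
    return all(re.search(p, s) for s in actual for p in expected)
def is_contained_in(actual, expected):     # all strings in X are contained in Y
    return all(any(re.search(p, s) for p in expected) for s in actual)

OPERATORS = {
    "contains": contains,
    "does not contain": does_not_contain,
    "intersect": intersect,
    "matches": matches,
    "is contained in": is_contained_in,
}

def evaluate(operator, expected, actual):
    """Return the control status the way the post reports it."""
    return "Passed" if OPERATORS[operator](actual, expected) else "Failed"

# The four controls from the post, re-typed here as constructed sample data.
# Caveat: in Python (and PCRE) syntax \. is a literal period, so BUILTIN\.* reads
# "BUILTIN followed by zero or more dots"; it still hits these Actual values only
# because the search is unanchored. A pattern that really requires the backslash
# is BUILTIN\\.* (how the Qualys engine parses it is not stated in the post).
CONTROLS = [
    ("2184", "matches", [r"BUILTIN\.*"],
     [r"BUILTIN\Administrators", r"NT AUTHORITY\LOCAL SERVICE", r"NT AUTHORITY\NETWORK SERVICE"]),
    ("2186", "contains", [r"BUILTIN\.*"],
     [r"BUILTIN\Administrators", r"BUILTIN\Backup Operators"]),
    ("2187", "does not contain", ["Everyone"],
     [r"BUILTIN\Administrators", r"BUILTIN\Backup Operators", r"BUILTIN\Power Users",
      r"BUILTIN\Users", r"\Everyone"]),
    ("2191", "is contained in", ["Administrators"],
     [r"BUILTIN\Administrators", r"BUILTIN\Power Users"]),
]

def run_controls():
    """Map each control id to Passed/Failed, matching the results in the post."""
    return {cid: evaluate(op, exp, act) for cid, op, exp, act in CONTROLS}
```

Calling run_controls() reproduces the four results above; swapping an operator or trimming the Actual list shows how the same Expected pattern flips a control between Passed and Failed.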