3 Replies. Latest reply: Oct 12, 2017 6:57 AM by roadrunner

Audit file only working with Windows 2008 R2 but not Windows 2012 R2

raytrace Novice

OK, this is a pretty simple audit file that collects users from Windows systems. It first checks if the Windows computer is a domain controller and, if it is, it queries domain users. If it is not, it queries local users.

Oddly enough, it works fine against Windows 2008 servers, but I get nothing back for Windows 2012. Not even an empty result, just no result.

Any ideas how to get this to work for all Windows OSes?

<check_type:"Windows" version:"2">

<group_policy:"NERC CIP">

<if>
  # DomainRole 4 = backup domain controller, 5 = primary domain controller
  <condition type:"AND">
    <custom_item>
      type          : WMI_POLICY
      description   : "Target is a Domain Controller"
      wmi_namespace : "root/CIMV2"
      wmi_request   : "select DomainRole from Win32_ComputerSystem"
      wmi_attribute : "DomainRole"
      wmi_key       : "DomainRole"
      value_type    : POLICY_DWORD
      value_data    : 4 || 5
    </custom_item>
  </condition>

  <then>
    # Domain controller: report every account the DC knows about
    <custom_item>
      type                   : WMI_POLICY
      description            : "NERC CIP Windows Users (Active Directory)"
      info                   : "This audit collects all Active Directory users, both enabled and disabled, from domain controllers."
      value_type             : POLICY_TEXT
      value_data             : ""
      wmi_namespace          : "root/cimv2"
      wmi_request            : "SELECT AccountType, Disabled, Domain, FullName, LocalAccount, Name, Status from Win32_UserAccount"
      only_show_query_output : YES
    </custom_item>
  </then>

  <else>
    # Member server or workstation: report only local accounts
    <custom_item>
      type                   : WMI_POLICY
      description            : "NERC CIP Windows Users (Local)"
      info                   : "This audit collects all local users, both enabled and disabled, from member servers and workstations."
      value_type             : POLICY_TEXT
      value_data             : ""
      wmi_namespace          : "root/cimv2"
      wmi_request            : "SELECT AccountType, Disabled, Domain, FullName, LocalAccount, Name, Status from Win32_UserAccount where LocalAccount=TRUE"
      only_show_query_output : YES
    </custom_item>
  </else>
</if>

</group_policy>

</check_type>
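Added here as a troubleshooting example, not part of raytrace's post or the audit file: a PowerShell script that issues the same two WMI queries the audit file runs (DomainRole from Win32_ComputerSystem, then Win32_UserAccount), so the raw WMI results from a 2008 R2 host and a 2012 R2 host can be compared with what the scan reports. The -ComputerName and -Credential parameters and the choice of Get-WmiObject (which uses DCOM to reach remote hosts) are assumptions of this example.

```powershell
# Example diagnostic (not from the original post): replay the audit file's WMI
# queries against a host with the account the scan uses, so the WMI side can be
# ruled in or out when the audit returns nothing.
# -ComputerName and -Credential are assumed parameters; -Credential cannot be
# used for the local machine, so omit it when running on the target itself.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [System.Management.Automation.PSCredential]$Credential
)

# Splatted common arguments; Get-WmiObject reaches remote hosts over DCOM.
$wmi = @{ Namespace = 'root\CIMV2'; ComputerName = $ComputerName }
if ($Credential) { $wmi.Credential = $Credential }

# Step 1: the <condition> query. DomainRole 4 = backup DC, 5 = primary DC.
$role = (Get-WmiObject @wmi -Query 'SELECT DomainRole FROM Win32_ComputerSystem').DomainRole
$isDc = @(4, 5) -contains $role   # -contains works on PowerShell 2.0 (2008 R2 default)

# Step 2: the <then> or <else> query, exactly as written in the audit file.
$fields = 'AccountType, Disabled, Domain, FullName, LocalAccount, Name, Status'
if ($isDc) {
    $query = "SELECT $fields FROM Win32_UserAccount"
} else {
    $query = "SELECT $fields FROM Win32_UserAccount WHERE LocalAccount=TRUE"
}
# Wrap in @() so .Count is valid even when zero or one row comes back.
$users = @(Get-WmiObject @wmi -Query $query)

# Summary line first, then the rows the audit's POLICY_TEXT output should contain.
'{0}: DomainRole={1} IsDomainController={2} Rows={3}' -f $ComputerName, $role, $isDc, $users.Count
$users |
    Select-Object Name, Domain, Disabled, LocalAccount, AccountType, Status |
    Format-Table -AutoSize
```

If DomainRole and the user rows come back from the 2012 R2 host but the scan still shows no result, the WMI data is present and the difference lies in how the scanner handles the check; if the query itself fails or returns nothing, the error text points at the WMI/DCOM side.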