6 Replies Latest reply: Feb 27, 2017 6:19 AM by cstreck

I want a .audit file that will be used to check the "Turn off crash detection policy needs to be enabled"

pratikkayastha Apprentice

# (C) 2015-2016 Tenable Network Security, Inc.
#
# This script is released under the Tenable Subscription License and
# may not be used from within scripts released under another license
# without authorization from Tenable Network Security, Inc.
#
# See the following licenses for details:
#
# http://static.tenable.com/prod_docs/Nessus_6_SLA_and_Subscription_Agreement.pdf
#
# @PROFESSIONALFEED@
# $Revision$
# $Date$
#
# Description : This .audit is designed against the CIS Security Configuration Benchmark For
#               Microsoft Windows Server 2012 Version 2.0.0 May 16, 2016.
#
# Ref         : https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_non-R2_Benchmark_v2.0.0.pdf
#
# NOTE        : Some queries in this .audit require site-specific data to be known to the query in order to function properly.
#               Please note the following queries and edit their values accordingly.
#
#               2.3.7.4 Configure 'Interactive logon: Message text for users attempting to log on'
#               2.3.7.5 Configure 'Interactive logon: Message title for users attempting to log on'
#               2.3.10.6 Configure 'Network access: Named Pipes that can be accessed anonymously'
#               2.2.21 Ensure 'Deny log on through Remote Desktop Services'
#
#<ui_metadata>
#<display_name>CIS Windows Server 2012 DC L1 v2.0.0</display_name>
#<spec>
#  <type>CIS</type>
#  <name>Windows Server 2012 DC L1</name>
#  <version>2.0.0</version>
#  <link>https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_non-R2_Benchmark_v2.0.0.pdf</link>
#</spec>
#<labels>windows,cis,microsoft,server,server_2012,domain_controller</labels>
#<variables>
#<variable>
#<name>LOGON_TEXT</name>
#<default>All activites performed on this system will be monitored.</default>
#<description>Login Window Text</description>
#<info>This is the body text of the login warning a user receives when logging onto the system</info>
#</variable>
#<variable>
#<name>LOGON_CAPTION</name>
#<default>WARNING!!!</default>
#<description>Logon Window Caption</description>
#<info>This is the caption text for the login warning a user receives when logging onto the system</info>
#</variable>
#<variable>
#<name>ANON_NAMED_PIPES</name>
#<default>'LSARPC' && 'NETLOGON' && 'SAMR'</default>
#<description>Anonymous Named Pipes</description>
#<info>This is the list of named pipes can be accessed by anonymous users (NullSessionPipes). If multiple pipes are required place them in quotes joined by two ampersands</info>
#</variable>
#<variable>
#<name>SE_DENY_REMOTE_INTERACTIVE_LOGON</name>
#<default>'Guests' && 'Local account'</default>
#<description>SeDenyRemoteInteractiveLogonRight</description>
#<info>These are the users which should be granted the 'Deny log on through Remote Desktop Services' user right. If multiple users/groups are required place them in quotes joined by two ampersands</info>
#</variable>
#</variables>
#</ui_metadata>

<check_type : "Windows" version:"2">
<group_policy : "MS Windows Server 2012">

  <if>
   <condition type: "AND">
    <custom_item>
     type        : REGISTRY_SETTING
     description : "Windows Server 2012 is installed"
     value_type  : POLICY_TEXT
     value_data  : "^[a-zA-Z0-9\(\)\s]*2012[\s]*[a-zA-Z0-9\(\)\s]*$"
     reg_key     : "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
     reg_item    : "ProductName"
     check_type  : CHECK_REGEX
    </custom_item>

</condition>
   <then>

    <report type : "INFO">
     description : "CIS Security Benchmark For Microsoft Windows Server 2012"
    </report>

 

 

<custom_item>
type        : REGISTRY_SETTING
description : "Crash detection is an error analysis program that examines the state of Internet explorer process. Windows starts the Add-on Crash detection program whenever IE stops unexpectedly."
info        : "Ensure that crash detection feature is disabled. To configure this setting."
Rationale   : "IE Crash report information could contain sensitive information from computers memory."
reference   : "800-53|AC-11,800-171|3.1.10,ISO/IEC-27001|A.11.2.8,ITSG-33|AC-11,CCE|CCE-37993-3,LEVEL|1S"
see_also    : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_R2_Benchmark_v2.2.0.pdf"
solution    : "Ensure that crash detection feature is disabled. To configure this setting
1.Click Start > Run and type gpedit.msc.
2.Expand Computer configuration>Administrative Templates>Windows components>Internet explorer and Enable “Turn off Crash Detection”
NOTE: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is included with Microsoft Security. Compliance Manager (SCM).
value_type  : REG_DWORD
reg_key     : "HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions Criteria"
reg_item    : "Turn off Crash Detection"
value_data  : [1]
</custom_item>

 

 

</then>
   <else>
    <report type : "INFO" >
     description : "Windows Server 2012 is not installed"
     info        : "Windows Server 2012 is not installed or Remote Registry Service is disabled."
    </report>
   </else>
  </if>

</group_policy>
</check_type>

 

Please help me to correct the above script so that it scans / checks the following: "1) Click Start > Run and type gpedit.msc. 2) Expand Computer configuration>Administrative Templates>Windows components>Internet explorer and Enable “Turn off Crash Detection”"


  • Re: I want a .audit file that will be used to check the "Turn off crash detection policy needs to be enabled"
    cstreck Guru

    Items that are breaking the audit:

    - 'Rationale' is not a valid field.  Remove that line as a field and add it as a part of the 'info'.

    - Close the 'solution' tag with a quote on the end.

    - 'value_type' is 'POLICY_DWORD', not 'REG_DWORD'.

    - 'value_data' is just the value '1', not a range with a single element '[1]'. Not even sure if the value_data can be a range.

     

    After that, it should be all about getting the registry path and reg_item correct.

        <custom_item>
          type        : REGISTRY_SETTING
          description : "Crash detection is an error analysis program that examines the state of Internet explorer process. Windows starts the Add-on Crash detection program whenever IE stops unexpectedly."
          info        : "Ensure that crash detection feature is disabled. To configure this setting.

    Rationale: IE Crash report information could contain sensitive information from computers memory."
          reference   : "800-53|AC-11,800-171|3.1.10,ISO/IEC-27001|A.11.2.8,ITSG-33|AC-11,CCE|CCE-37993-3,LEVEL|1S"
          see_also    : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_R2_Benchmark_v2.2.0.pdf"
          solution    : "Ensure that crash detection feature is disabled. To configure this setting
    1.Click Start > Run and type gpedit.msc.
    2.Expand Computer configuration>Administrative Templates>Windows components>Internet explorer and Enable “Turn off Crash Detection”
    NOTE: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is included with Microsoft Security. Compliance Manager (SCM)."
          value_type  : POLICY_DWORD
          reg_key     : "HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions Criteria"
          reg_item    : "Turn off Crash Detection"
          value_data  : 1
        </custom_item>

    -chad
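
The four problems listed in the answer above can be checked mechanically before an item is uploaded to a scan. The following Python linter is an added example, not Tenable tooling and not code from the thread; `KNOWN_FIELDS` holds only the field names seen in this thread (an assumption, not Tenable's full keyword list), and both sample items are trimmed, constructed copies of the posted ones.

```python
import re

# Field names used by the REGISTRY_SETTING items in this thread.
# Assumption: not Tenable's complete keyword list; extend for other item types.
KNOWN_FIELDS = {"type", "description", "info", "solution", "reference",
                "see_also", "value_type", "value_data", "reg_key", "reg_item",
                "reg_option", "check_type"}
FIELD_RE = re.compile(r"^\s*([A-Za-z_]+)\s*:\s*(.*)$")

def parse_item(text):
    """Parse the body of one <custom_item>; return (fields, findings)."""
    fields, findings = {}, []
    open_field = None  # field whose quoted value has not been closed yet
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("<"):
            continue
        m = FIELD_RE.match(line)
        if open_field:
            # Inside a multi-line string, "NOTE:" or "Rationale:" is just text.
            # Only a known field name means the closing quote was forgotten.
            if not (m and m.group(1) in KNOWN_FIELDS):
                fields[open_field] += "\n" + stripped
                if stripped.endswith('"'):
                    open_field = None
                continue
            findings.append(f"line {lineno}: '{open_field}' string is missing its closing quote")
            open_field = None
        if not m:
            findings.append(f"line {lineno}: not a 'field : value' line")
            continue
        name, value = m.group(1), m.group(2).strip()
        if name not in KNOWN_FIELDS:
            findings.append(f"line {lineno}: '{name}' is not a valid field")
        fields[name] = value
        if value.startswith('"') and not (len(value) > 1 and value.endswith('"')):
            open_field = name
    if open_field:
        findings.append(f"'{open_field}' string is missing its closing quote")
    return fields, findings

def lint(text):
    """Return every finding for one custom_item, syntax and value checks."""
    fields, findings = parse_item(text)
    vtype = fields.get("value_type", "")
    if vtype.startswith("REG_"):
        findings.append(f"value_type '{vtype}' is a registry type name; use POLICY_DWORD")
    single = re.fullmatch(r"\[\s*(\d+)\s*\]", fields.get("value_data", ""))
    if single:
        findings.append(f"value_data '[{single.group(1)}]' should be the bare value {single.group(1)}")
    return findings

# Constructed samples: trimmed copies of the question's item and of the fix.
BROKEN = r"""
<custom_item>
 type        : REGISTRY_SETTING
 description : "Crash detection is an error analysis program."
 info        : "Ensure that crash detection feature is disabled."
 Rationale   : "IE Crash report information could contain sensitive information."
 solution    : "Ensure that crash detection feature is disabled.
 1.Click Start > Run and type gpedit.msc.
 NOTE: This Group Policy path does not exist by default.
 value_type  : REG_DWORD
 reg_key     : "HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions Criteria"
 reg_item    : "Turn off Crash Detection"
 value_data  : [1]
</custom_item>
"""
FIXED = (BROKEN.replace(' Rationale   : "', " Rationale: ")
         .replace('disabled."\n', "disabled.\n")
         .replace("default.\n", 'default."\n')
         .replace("REG_DWORD", "POLICY_DWORD").replace("[1]", "1"))

if __name__ == "__main__":
    for finding in lint(BROKEN):
        print(finding)
```

A clean result only means the item parses; whether `reg_key` and `reg_item` name a value that exists on the target still has to be confirmed against the registry.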

    • Re: I want a .audit file that will be used to check the "Turn off crash detection policy needs to be enabled"
      pratikkayastha Apprentice

      I used the above script with CIS Default Template for Policy Compliance but the Host is not being detected after I run the Nessus Scan for Policy Compliance.

      Can you please run the above script on your system and share the results, if any, and whether it gets executed or not?

      • Re: I want a .audit file that will be used to check the "Turn off crash detection policy needs to be enabled"
        cstreck Guru

        The above script gives me an ERROR on my test system with REG_ERROR_OPEN_KEY issue as my test system does not have that key available.

         

        What you may be looking for are the following:

        <custom_item>
          type        : REGISTRY_SETTING
          description : "Set 'Turn off Crash Detection' to 'Enabled'"
          value_type  : POLICY_DWORD
          value_data  : 1
          reg_item    : "NoCrashDetection"
          reg_key     : "HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions"
          reg_option  : CAN_NOT_BE_NULL
        </custom_item>

         

        With that check, on a Windows 7 test system, I do get results....

        "Crash detection is an error analysis program that examines the state of Internet explorer process. Windows starts the Add-on Crash detection program whenever IE stops unexpectedly.": [FAILED]

        Ensure that crash detection feature is disabled. To configure this setting.

        Rationale: IE Crash report information could contain sensitive information from computers memory.

        Reference(s) :
        800-53|AC-11,800-171|3.1.10,ISO/IEC-27001|A.11.2.8,ITSG-33|AC-11,CCE|CCE-37993-3,LEVEL|1S

        See Also :
        https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_R2_Benchmark_v2.2.0.pdf

        Solution :
        Ensure that crash detection feature is disabled. To configure this setting
        1.Click Start > Run and type gpedit.msc.
        2.Expand Computer configuration>Administrative Templates>Windows components>Internet explorer and Enable “Turn off Crash Detection”
        NOTE: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is included with Microsoft Security. Compliance Manager (SCM).

        Remote value: NULL
        Policy value: 1

         

         

        -chad

        • Re: I want a .audit file that will be used to check the "Turn off crash detection policy needs to be enabled"
          pratikkayastha Apprentice

          Hey Chad,

          Thanks for the help. Your very first response worked for me. The compliance scan passed. Thank you for the help. [Attachment: crash_successs.JPG.jpg]

        • Re: I want a .audit file that will be used to check the "Turn off crash detection policy needs to be enabled"
          pratikkayastha Apprentice

          But while I was working with Internet Security Zones Policies I came across the same error that you got. [Attachment: Security_Zones_error.JPG.jpg]

           

          Can you please help to get this sorted.

           

          I am posting here the code of the audit file that I used for the compliance scan. The error in the code is shown in bold.

          ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

           

          # (C) 2015-2016 Tenable Network Security, Inc.
          #
          # This script is released under the Tenable Subscription License and
          # may not be used from within scripts released under another license
          # without authorization from Tenable Network Security, Inc.
          #
          # See the following licenses for details:
          #
          # http://static.tenable.com/prod_docs/Nessus_6_SLA_and_Subscription_Agreement.pdf
          #
          # @PROFESSIONALFEED@
          # $Revision$
          # $Date$
          #
          # Description : This .audit is designed against the CIS Security Configuration Benchmark For
          #               Microsoft Windows Server 2012 Version 2.0.0 May 16, 2016.
          #
          # Ref         : https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_non-R2_Benchmark_v2.0.0.pdf
          #
          # NOTE        : Some queries in this .audit require site-specific data to be known to the query in order to function properly.
          #               Please note the following queries and edit their values accordingly.
          #
          #               2.3.7.4 Configure 'Interactive logon: Message text for users attempting to log on'
          #               2.3.7.5 Configure 'Interactive logon: Message title for users attempting to log on'
          #               2.3.10.6 Configure 'Network access: Named Pipes that can be accessed anonymously'
          #               2.2.21 Ensure 'Deny log on through Remote Desktop Services'
          #
          #<ui_metadata>
          #<display_name>CIS Windows Server 2012 DC L1 v2.0.0</display_name>
          #<spec>
          #  <type>CIS</type>
          #  <name>Windows Server 2012 DC L1</name>
          #  <version>2.0.0</version>
          #  <link>https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_non-R2_Benchmark_v2.0.0.pdf</link>
          #</spec>
          #<labels>windows,cis,microsoft,server,server_2012,domain_controller</labels>
          #<variables>
          #<variable>
          #<name>LOGON_TEXT</name>
          #<default>All activites performed on this system will be monitored.</default>
          #<description>Login Window Text</description>
          #<info>This is the body text of the login warning a user receives when logging onto the system</info>
          #</variable>
          #<variable>
          #<name>LOGON_CAPTION</name>
          #<default>WARNING!!!</default>
          #<description>Logon Window Caption</description>
          #<info>This is the caption text for the login warning a user receives when logging onto the system</info>
          #</variable>
          #<variable>
          #<name>ANON_NAMED_PIPES</name>
          #<default>'LSARPC' && 'NETLOGON' && 'SAMR'</default>
          #<description>Anonymous Named Pipes</description>
          #<info>This is the list of named pipes can be accessed by anonymous users (NullSessionPipes). If multiple pipes are required place them in quotes joined by two ampersands</info>
          #</variable>
          #<variable>
          #<name>SE_DENY_REMOTE_INTERACTIVE_LOGON</name>
          #<default>'Guests' && 'Local account'</default>
          #<description>SeDenyRemoteInteractiveLogonRight</description>
          #<info>These are the users which should be granted the 'Deny log on through Remote Desktop Services' user right. If multiple users/groups are required place them in quotes joined by two ampersands</info>
          #</variable>
          #</variables>
          #</ui_metadata>

           

          <check_type : "Windows" version:"2">
          <group_policy : "MS Windows Server 2012">

            <if>
             <condition type: "AND">
              <custom_item>
               type        : REGISTRY_SETTING
               description : "Windows Server 2012 is installed"
               value_type  : POLICY_TEXT
               value_data  : "^[a-zA-Z0-9\(\)\s]*2012[\s]*[a-zA-Z0-9\(\)\s]*$"
               reg_key     : "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
               reg_item    : "ProductName"
               check_type  : CHECK_REGEX
              </custom_item>

          </condition>
             <then>

              <report type : "INFO">
               description : "CIS Security Benchmark For Microsoft Windows Server 2012"
              </report>

              <custom_item>
                type        : REGISTRY_SETTING
                description : "Crash detection is an error analysis program that examines the state of Internet explorer process.
                       Windows starts the Add-on Crash detection program whenever IE stops unexpectedly."
                info        : "Ensure that crash detection feature is disabled. To configure this setting.
                       Rationale:IE Crash report information could contain sensitive information from computers memory."
                reference   : "800-53|AC-11,800-171|3.1.10,ISO/IEC-27001|A.11.2.8,ITSG-33|AC-11,CCE|CCE-37993-3,LEVEL|1S"
                see_also    : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_R2_Benchmark_v2.2.0.pdf"
                solution    : "Ensure that crash detection feature is disabled. To configure this setting
                      1.Click Start > Run and type gpedit.msc.
                      2.Expand Computer configuration>Administrative Templates>Windows components>Internet explorer and Enable “Turn off Crash Detection”
                               NOTE: This Group Policy path does not exist by default.
                       An additional Group Policy template (MSS-legacy.admx/adml) is required - it is included with Microsoft Security. Compliance Manager (SCM)."
                value_type  : POLICY_DWORD
                reg_key     : "HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions Criteria"
                reg_item    : "Turn off Crash Detection"
                value_data  : 1
              </custom_item>


             <custom_item>
                type        : REGISTRY_SETTING
                description : "Enable this policy setting to disable the site management settings for security zones.If this policy setting is disabled or not configured, users will be able to add or remove Web sites in the Trusted Sites and Restricted Sites zones,as well as alter settings in the Local Intranet zone."
                info        : "If you do not configure this policy setting, users will be able to add or remove sites from the Trusted Sites and Restricted Sites zones at will and change settings in the Local Intranet zone. This configuration could allow sites that host malicious mobile code to be added to these zones, which users could execute"
                reference   : "CCE-16469-9"
                see_also    : "https://benchmarks.cisecurity.org/tools2/CIS_Microsoft_Internet_Explorer_11_Benchmark_v1.0.0.pdf"
                solution    : "Ensure that proper security zone settings are made. To configure this setting Click Start > Run and type gpedit.msc.Expand Computer configuration > Administrative Templates > Windows components > Internet explorer:Enable “Security Zones: Do Not Allow Users to Add/Delete Sites””

                       NOTE: This Group Policy path does not exist by default.
                       An additional Group Policy template (MSS-legacy.admx/adml) is required - it is included with Microsoft Security. Compliance Manager (SCM)."
                value_type  : POLICY_DWORD
                reg_key     : "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_zones_map_edit"
                reg_item    : "Do not allow users to add/delete sites"
                value_data  : 1
              </custom_item>


            <custom_item>
                type        : REGISTRY_SETTING
                description : "If you enable this policy setting, you disable the Custom Level button and Security level for
                               this zone slider on the Security tab in the Internet Options dialog box. If this policy setting
                       is disabled or not configured, users will be able to change the settings for security zones."
                info        : "Users who change their Internet Explorer security settings could enable the execution of
                       dangerous types of code from the Internet and Web sites that were listed in the Restricted Sites zone in the browser."
                reference   : "CCE-16469-9"
                see_also    : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Internet_Explorer_9_Benchmark_v1.0.0.pdf"
                solution    : "Ensure that proper security zone settings are made. To configure this setting Click Start > Run and type gpedit.msc.
                      Expand Computer configuration > Administrative Templates > Windows components > Internet explorer:
                      Enable “Security Zones: Do Not Allow Users to Change Policies””

                               NOTE: This Group Policy path does not exist by default.
                       An additional Group Policy template (MSS-legacy.admx/adml) is required - it is included with Microsoft Security. Compliance Manager (SCM)."
                value_type  : POLICY_DWORD
                reg_key     : "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_options_edit"
                reg_item    : "Security Zones: Do not allow users to change policies"
                value_data  : 1
              </custom_item>


            <custom_item>
                type        : REGISTRY_SETTING
                description : "This policy setting affects how security zone changes apply to different users. If you enable
                       this policy setting, changes that one user makes to a security zone will apply to all users of that computer.
                       If this policy setting is disabled or not configured, users of the same computer are allowed to establish their own security zone settings."
                info        : "Users who change their Internet Explorer security settings could enable the execution of dangerous types of code
                       from the Internet and Web sites that were listed in the Restricted Sites zone in the browser."
                reference   : "CCE-16469-9"
                see_also    : "https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Internet_Explorer_9_Benchmark_v1.0.0.pdf"
                solution    : "Ensure that proper security zone settings are made. To configure this setting Click Start > Run and type gpedit.msc.
                      Expand Computer configuration > Administrative Templates > Windows components > Internet explorer:
                      Enable “Security Zones: Use only machine settings””

                               NOTE: This Group Policy path does not exist by default.
                       An additional Group Policy template (MSS-legacy.admx/adml) is required - it is included with Microsoft Security. Compliance Manager (SCM)."
                value_type  : POLICY_DWORD
                reg_key     : "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only"
                reg_item    : "Security Zones: Use only machine settings' to 'Enabled'"
                value_data  : 1
              </custom_item>

          </then>
             <else>
              <report type : "INFO" >
               description : "Windows Server 2012 is not installed"
               info        : "Windows Server 2012 is not installed or Remote Registry Service is disabled."
              </report>
             </else>
            </if>

          </group_policy>
          </check_type>