registry_object and HKEY_USERS problem

Danilo Nascimento

registry_object and HKEY_USERS problem

Hi,
I have to test a user-specific registry value (in HKEY_CURRENT_USER)
for all users that use the system.
After some search I've found a way in the Forum to accomplish this
with "pattern match".

For instance:
<registry_object (...)>
  <hive>HKEY_USERS</hive>
  <key operation="pattern match">S-1-5-21-[0-9-]+\\Software\\...</key>
  <name>(...)</name>
</registry_object>

The problem with this method is that only the SIDs of logged-in users are shown
in the HKEY_USERS hive.
Is there any other way to do this?

Thanks in advance,
Danilo Nascimento

To unsubscribe, send an email message to [hidden email] with
SIGNOFF OVAL-DISCUSSION-LIST
in the BODY of the message.  If you have difficulties, write to [hidden email].
bakerj

Re: registry_object and HKEY_USERS problem

From an OVAL Definition authoring perspective I think you have the correct solution. I don't know of any other way to express a check for a user specific registry value.

User-specific registry keys present a challenge for configuration checking. It is a bit difficult to properly examine user-specific registry keys for any user that the evaluation engine is not running as. This issue is really a challenge for vendors to support on Windows systems. Of course this is a known challenge that many others have faced and developed solutions for. I believe that there are some Microsoft articles on this issue too.

I think that most solutions take the approach of searching for the set of users that have logged on to the system. Then for each user dynamically load the user's registry data, assess the data, and then unload the data.

Perhaps some of the vendors that have worked through these problems can provide more guidance as to how best to author content for user specific registry values and support the proper evaluation of checks against all user specific registry values.

Jon

============================================
Jonathan O. Baker
G022 - IA Industry Collaboration
The MITRE Corporation
Email: [hidden email]


>-----Original Message-----
>From: Danilo Nascimento [mailto:[hidden email]]
>Sent: Thursday, September 24, 2009 4:49 PM
>To: oval-discussion-list OVAL Discussion List/Closed Public Discussi
>Subject: [OVAL-DISCUSSION-LIST] registry_object and HKEY_USERS problem

Danny Haynes

Re: registry_object and HKEY_USERS problem

This topic was discussed at the IT Security Automation Conference during the "Understanding the Greatest FDCC Technical Challenges" presentation by Kurt Dillard.  Kurt discussed the fact that user-specific registry values stored in the HKEY_CURRENT_USER hive are only loaded into the registry when the user logs into the system.  This makes it much more challenging for a configuration compliance scanner to check these user-specific registry values.  The major challenges that Kurt discussed were that 1) the HKEY_CURRENT_USER hive only exists when a user is logged into the system, 2) a scanner cannot access the HKEY_CURRENT_USER hive if a user is logged into the system, and 3) a user cannot log into the system if the scanner is using the NTUSER.DAT file, which is where the user-specific registry values are stored.  Kurt then presented two solutions to these problems, which were 1) to impersonate the logged-in user to access their user-specific registry values and 2) to make copies of each user's NTUSER.DAT file such that the scanner could access the user-specific registry values in the NTUSER.DAT file while still allowing users to log into the system.  The slides from this presentation can be found at http://scap.nist.gov/events/2009/itsac/presentations/day3/Day3_Compliance_Dillard.pdf.

-Danny

________________________________________
From: Baker, Jon [[hidden email]]
Sent: Thursday, October 29, 2009 5:55 PM
To: oval-discussion-list OVAL Discussion List/Closed Public Discussi
Subject: Re: [OVAL-DISCUSSION-LIST] registry_object and HKEY_USERS problem

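The load, assess, unload loop Jon describes, together with the NTUSER.DAT locking conflict from Kurt's talk, as an added PowerShell example that is not part of this thread or of any OVAL tool; it assumes an elevated session, and the key path and value name are hypothetical placeholders for whatever user-specific value is being checked:

```powershell
# Added example (not from the thread): check one user-specific registry value
# for every local profile, loading the hives of users who are not logged on.
# Assumptions: runs elevated; $KeyPath and $ValueName are hypothetical placeholders.
param(
    [string]$KeyPath   = 'Software\Policies\Example',   # hypothetical
    [string]$ValueName = 'ExampleSetting'               # hypothetical
)
# ProfileList records every profile that has logged on, not only the hives
# currently mounted under HKEY_USERS (the gap the thread is about).
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$results = @()
foreach ($entry in Get-ChildItem $profileList) {
    $sid = $entry.PSChildName
    if ($sid -notmatch '^S-1-5-21-[0-9-]+$') { continue }   # user accounts only

    $profilePath = (Get-ItemProperty $entry.PSPath).ProfileImagePath
    $hiveFile    = Join-Path $profilePath 'NTUSER.DAT'
    $hiveKey     = "Registry::HKEY_USERS\$sid"
    $loadedHere  = $false

    if (-not (Test-Path $hiveKey)) {
        # Not logged on: load NTUSER.DAT. reg.exe holds the file exclusively
        # until the unload below, so this user cannot log on meanwhile (the
        # conflict Kurt described); loading a shadow-copied duplicate avoids it.
        & reg.exe load "HKU\$sid" $hiveFile 2>&1 | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "Could not load hive for $sid from $hiveFile"
            continue
        }
        $loadedHere = $true
    }

    try {
        $item = Get-ItemProperty -Path "$hiveKey\$KeyPath" -Name $ValueName -ErrorAction SilentlyContinue
        $results += [pscustomobject]@{
            SID    = $sid
            Value  = $(if ($null -ne $item) { $item.$ValueName } else { '<absent>' })
            Source = $(if ($loadedHere) { 'NTUSER.DAT (loaded)' } else { 'HKEY_USERS (logged on)' })
        }
    }
    finally {
        if ($loadedHere) {
            [gc]::Collect()   # drop registry-provider handles so unload succeeds
            & reg.exe unload "HKU\$sid" | Out-Null
        }
    }
}
$results | Format-Table -AutoSize
```

Profiles whose hive is already mounted (logged-on users) are read directly from HKEY_USERS, which is exactly the subset the original pattern-match object sees; the rest are covered by the temporary load.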
Kurt Dillard

Re: registry_object and HKEY_USERS problem

Thanks Dan, great summary!

-----Original Message-----
From: Haynes, Dan [mailto:[hidden email]]
Sent: Friday, November 06, 2009 6:26 PM
To: [hidden email]
Subject: Re: [OVAL-DISCUSSION-LIST] registry_object and HKEY_USERS problem