I am building CCS checks for Windows and I would like some advice on how to build the following check:
- User Rights for impersonating a client after authentication is set to Network Services, Local Services and Administrators
Therefore based on the ccs predefined check for "Replace a process level token is limited to NETWORK SERVICE and LOCAL SERVICE" with the expression:
[User Right (SIDs): Replace a process level token <LIST> =~ '/(S-1-5-19)|(S-1-5-20)/' with Missing Data Outcome being 'Manual Review' and Multiple Data Operator being 'AND' ]
I created the following expression:
[User Right (Names): Impersonate a client after authentication <LIST> =~ '/(Administrators)|(LOCAL SERVICE)|(NETWORK SERVICE)/' with Missing Data Outcome being 'Manual Review' and Multiple Data Operator being 'AND' ]
However, it doesn't seem to work (pass), despite the fact that in data collection the field contains the values Network Services, Local Services and Administrators.
I want my check to pass only when Network Services, Local Services and Administrators are set and fail if there are less or more values.
I also tried other expressions like % and other forms but it doesn't seem to return the right results.
Any ideas on how to implement my check and which operator is the right one to use?
I would also appreciate it if someone could provide me with any further documentation on regular expressions and their meaning, apart from the relative section in the User Guide.
Thank you very much!!!
Thank you for your reply. It was indeed helpful. In the meantime I have tested different expressions and formulas and I am quite confident that an expression like E0 is the right answer. I would also like to comment that the expression NOT E1 can be optional and used only to make sure that no other accounts exist; in my case just using the E0 seemed to work fine.
Thanks a lot again!!!
This check can be accomplished, but you have to turn it upside down a bit. Your logic is correct, but since you are dealing with multiple values you will need to do the following:
E0 : User rights (Names): Impersonate a Client after authentication <LIST> =~ /Administrators|Local\s*Service|Network\s*Service/i
E1: User rights (Names): Impersonate a Client after authentication <LIST> !~ /Administrators|Local\s*Service|Network\s*Service/i
E0 and Not E1 will be your formula.
You were close, but the first expression looks to make sure that any of the items in the regex will be found in the list [you needed to drop the parentheses because they don't exist in the data collected]. Then you need to do a double negative to make sure that there are not any other accounts assigned to this user right. So expression E1 reads: User rights (names): Impersonate a client after authentication <List> no match /Administrators|Local\s*Service|Network\s*Service/i. Then you have to use the "Not" in the formula expression to make sure no other accounts exist for this User right. This is the only way I have been able to accomplish this. I haven't tried it in a while, but you may need to create a separate expression for each account that you want to verify is in the list as well.
Hope this helps,
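As an added illustration that is not part of the thread (editor's code, not either poster's), here is a Python model of the E0 / E1 logic above. It assumes that the Multiple Data Operator AND means every collected value must satisfy the expression, and treats an empty list as the 'Manual Review' outcome.

```python
import re

# Sub-patterns from the answer; \s* tolerates "Local Service" / "LocalService"
# and the /i flag (re.I) tolerates case differences in the collected data.
REQUIRED = (r"Administrators", r"Local\s*Service", r"Network\s*Service")
PATTERN = re.compile("|".join(REQUIRED), re.I)

def list_matches(values, pattern, negate=False, multi_op="AND"):
    """Model of a CCS <LIST> expression (assumed semantics: with the Multiple
    Data Operator set to AND every collected value must satisfy the expression,
    with OR one value is enough). negate=True models the !~ (no match) operator.
    Returns None for an empty list, i.e. the 'Manual Review' outcome."""
    if not values:
        return None
    # Like =~ on a string, search() matches a substring, so a value such as
    # "Administrators Helpers" would also count as a match.
    hits = [bool(pattern.search(v)) != negate for v in values]
    return all(hits) if multi_op == "AND" else any(hits)

def formula_e0_not_e1(values):
    """The answer's formula: E0 and Not E1."""
    e0 = list_matches(values, PATTERN)                # every value is one of the three
    e1 = list_matches(values, PATTERN, negate=True)   # every value is none of the three
    if e0 is None:
        return None
    return e0 and not e1

def exact_assignment(values):
    """The asker's goal: pass only when all three accounts are present and
    nothing else is. Adds one presence check per account (the 'separate
    expression for each account' the answer mentions) on top of E0."""
    no_extras = list_matches(values, PATTERN)
    if no_extras is None:
        return None
    all_present = all(any(re.search(p, v, re.I) for v in values) for p in REQUIRED)
    return no_extras and all_present

if __name__ == "__main__":
    # Constructed sample data in the shape CCS collects for this user right.
    samples = {
        "expected":   ["Administrators", "LOCAL SERVICE", "NETWORK SERVICE"],
        "extra":      ["Administrators", "LOCAL SERVICE", "NETWORK SERVICE", "Backup Operators"],
        "incomplete": ["Administrators"],
        "empty":      [],
    }
    for name, vals in samples.items():
        print(f"{name:11} E0 and Not E1 -> {formula_e0_not_e1(vals)!s:5} exact -> {exact_assignment(vals)}")
```

The "incomplete" sample shows the gap the answer hints at: E0 and Not E1 passes when only Administrators holds the right, while the per-account presence checks make it fail.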