To Social Network, or NOT

More social networking solutions are available today than ever. As a user of two of the technologies, LinkedIn and Facebook, I think both provide great capabilities and both are limited. For example, LinkedIn provides capabilities for maintaining a professional profile, while Facebook provides great extensions that allow you to extend your network quickly. Also, you can use Facebook messaging features such as the Wall to communicate quickly.

I was hoping to get an idea of the success of these solutions, not site stats but a user's personal experiences, while using these sites as a means to keep in touch with other security professionals. In my opinion, LinkedIn has provided an admirable service for maintaining some privacy and managing a somewhat professional look and feel for the technical community. I'm not entirely sure about the role of Facebook in my work life.

As a reader of this blog, I'd like to get your input. What works best to help you maintain a professional social network presence in the community? As much of a pain as it is to sign in using a Microsoft Live account, I challenge you to do so and provide me with your feedback!

Frank

Integrate AccessChk.exe with DCM Scripts

The DCM feature supports data discovery through scripting. By invoking AccessChk.exe from a DCM script, the user rights assignment data that AccessChk.exe reads from the LSA store is collected by the DCM script data discovery provider, and a validation rule then compares it with your baseline. The following procedure uses Microsoft Visual Basic Scripting Edition (VBScript) together with the DCM feature to collect user rights assignment data. To use this procedure, you need access to a computer running Configuration Manager 2007, and AccessChk.exe (version 4.2 or later) must be on the path of every client computer that will evaluate the configuration item, because the script starts it by name.

To add a setting using the DCM feature that uses VBScript to collect user rights assignment data

1.  In the left pane of the Configuration Manager Console, expand the Desired Configuration Management folder, right-click the folder, and then choose Configuration Item from the submenu.

2.  In the Create Operating System Configuration Item Wizard, choose to create a new operating system configuration item (CI), and then on the Identification tab, name it. For example, you could name it "User Rights Assignment by AccessChk."

3.  Type a description for the CI (optional), and then click Next.

4.  On the Microsoft Windows Version page, select or type the corresponding Windows operating system version information, and click Next. On the Objects page, click Next to reach the Settings page.

5.  On the Settings page, select the Settings node, click New, and then in the drop-down menu select Script to open the New Script Setting Properties dialog.

6.  On the General tab of the New Script Setting Properties dialog, provide a Display Name for the setting. For example, Remove computer from docking station.

7.  Provide a Description (optional).

8.  For Script Language, select VBScript (or the language you used if you integrated AccessChk in another language).

9.  Copy the VBScript from the next section of this article into the Script text box.

10. Change the second line of the script to the correct input parameters: the user right name, "Allowed" or "Denied", and the comma-separated baseline account list. For example, define the rule for "SeUndockPrivilege" as "Allowed". (See the table of user rights in part one of this article for the available user right names and their types.)

11. On the Validation tab of the New Script Setting Properties dialog, ensure that Data Type is set to String.

12. Click New under the Details list box to create a new validation rule.

13. In the Name and Description fields, provide information for your new validation rule.

14. Ensure that Operator is set to Equals.

15. Define the Value as the account list that you want to allow or deny for the user rights assignment. It must be exactly the baseline list you passed as the third parameter on the second line of the script (for example, Administrators,Authenticated Users): the script echoes that list back only when the host is compliant, and echoes the account list actually found in the LSA store otherwise, so the Equals rule fails on any deviation.

16. Select Severity, and then determine the severity level of the new validation rule.

17. Click OK in the New Script Setting Properties dialog to save the new setting.

18. Click Finish on the Settings tab to go to the Summary page.

19. Review the summary, and then click Next.

20. Click Finish on the Confirmation page.


Sample DCM Feature VBScript for User Rights Assignments

Here is a VBScript that you can use with the DCM feature to obtain user rights assignments. It prints the baseline account list when the host is compliant and the account list actually found in the LSA store (or an ERROR: string) otherwise. Note the direction of each check: for an Allowed right, the host is compliant when no account outside the baseline holds the right, so a host where fewer accounts hold it still passes; for a Denied right, the host is compliant when every baseline account is denied, so additional denials still pass. Account names are compared without their DOMAIN\ or BUILTIN\ prefix and without regard to case.

option explicit
WScript.Echo ValidateSetting("SeNetworkLogonRight", "Allowed", "Administrators,Authenticated Users")
'WScript.Echo ValidateSetting("SeDenyBatchLogonRight", "Denied", "Authenticated Users")

' Arguments: user right name (-a option name), "Allowed" or "Denied", and the
' comma-separated baseline account list. Returns the baseline list when the host
' is compliant, otherwise the list found in the LSA store or an "ERROR: ..." string,
' so that a DCM validation rule of Equals <baseline list> fails on any deviation.
Function ValidateSetting(userRightProperty, SeType, baselineValue)
    on error resume next

    ' Get expected values and actual values we are testing against
    Dim ExpectedValues, ActualValues
    ExpectedValues = baselineValue

    ' Poll LSA data through accesschk
    ActualValues = PollAccessChkForSettings(userRightProperty)
    If ActualValues = "" Then
        ' The DCM rule value (OperandA) is assumed to be "NO ONE" if no one holds the user right
        ActualValues = "NO ONE"
    End If

    ' do our validation
    If UCase(SeType) = "ALLOWED" Then
        ValidateSetting = ValidateAllowedResults(ExpectedValues, ActualValues)
    Else
        ValidateSetting = ValidateDeniedResults(ExpectedValues, ActualValues)
    End If

    ' do error checking, make sure our function returns something
    If ValidateSetting = "" Then
        ValidateSetting = "ValidateSetting returned Nothing or Empty"
        If Err.Number <> 0 Then
            ValidateSetting = ValidateSetting & ", Error: " & Err.Number
            ValidateSetting = ValidateSetting & ", Error (Hex): " & Hex(Err.Number)
            ValidateSetting = ValidateSetting & ", Source: " & Err.Source
            ValidateSetting = ValidateSetting & ", Description: " & Err.Description
            Err.Clear
        End If
    End If
End Function

' True if value appears in the comma-delimited list (case-insensitive, surrounding whitespace ignored)
Function InList(value, list)
    Dim item
    InList = False
    For Each item In Split(UCase(list), ",")
        If Trim(item) = UCase(Trim(value)) Then
            InList = True
            Exit Function
        End If
    Next
End Function

' Validate allowed results: every account that actually holds the right must be in the baseline
Function ValidateAllowedResults(ExpectedValues, ActualValues)
    on error resume next
    Dim ActualValue

    ' We are always compliant if no one has the right (the empty set is a subset of any baseline)
    If UCase(Trim(ActualValues)) = "NO ONE" Then
        ValidateAllowedResults = ExpectedValues
        Exit Function
    End If

    ' Verify that the actual list of accounts is a subset of the expected list of accounts.
    ' An "ERROR: ..." string from PollAccessChkForSettings is never in the baseline, so it is
    ' returned as a non-compliant value and surfaces in the DCM report.
    For Each ActualValue In Split(ActualValues, ",")
        If Not InList(ActualValue, ExpectedValues) Then
            ValidateAllowedResults = ActualValues
            Exit Function
        End If
    Next

    ' Passed all tests
    ValidateAllowedResults = ExpectedValues
End Function

' Validate denied results: every account in the baseline must actually be denied
Function ValidateDeniedResults(ExpectedValues, ActualValues)
    on error resume next
    Dim ExpectedValue

    ' We are always compliant if the baseline expects no one to be denied
    If UCase(Trim(ExpectedValues)) = "NO ONE" Then
        ValidateDeniedResults = ExpectedValues
        Exit Function
    End If

    ' We are never compliant if the baseline expects denied accounts but no one is denied
    If UCase(Trim(ActualValues)) = "NO ONE" Then
        ValidateDeniedResults = ActualValues
        Exit Function
    End If

    ' Verify that the expected list of accounts is a subset of the actual list of accounts
    For Each ExpectedValue In Split(ExpectedValues, ",")
        If Not InList(ExpectedValue, ActualValues) Then
            ValidateDeniedResults = ActualValues
            Exit Function
        End If
    Next

    ' Passed all tests
    ValidateDeniedResults = ExpectedValues
End Function

' Returns a comma-delimited list of the accounts that hold the user right (DOMAIN\ prefix
' removed, upper-cased), "" when no account holds it, or an "ERROR: ..." string.
Function PollAccessChkForSettings(userRightProperty)
    on error resume next

    Dim Result, timeout, accountArray, objWshell, oExec, i, value, j
    PollAccessChkForSettings = ""

    Set objWshell = WScript.CreateObject("WScript.Shell")
    Set oExec = Nothing
    Err.Clear
    ' -accepteula suppresses the Sysinternals license dialog, which would otherwise block the
    ' run when the client agent executes the script non-interactively (for example as SYSTEM)
    Set oExec = objWshell.Exec("accesschk.exe -accepteula -a " & userRightProperty)

    If Err.Number <> 0 Or oExec Is Nothing Then
        PollAccessChkForSettings = "ERROR: could not start accesschk.exe (" & Err.Description & "), please check that it is on the path"
        Err.Clear
        Exit Function
    End If

    ' Wait up to 2 seconds (200 x 10 ms) for the program to finish; raise the limit if
    ' domain account name lookups are slow on your hosts
    timeout = 200
    Do While oExec.Status = 0 And timeout > 0
        WScript.Sleep 10
        timeout = timeout - 1
    Loop

    If oExec.Status = 0 Then
        oExec.Terminate
        PollAccessChkForSettings = "ERROR: Timed Out"
        Exit Function
    End If

    Result = oExec.StdOut.ReadAll
    If Result = "" Then
        PollAccessChkForSettings = "ERROR: Get Data Failed"
        Exit Function
    End If

    ' accesschk reports this when no account holds the right
    If InStr(Result, "No more data is available") > 0 Then
        PollAccessChkForSettings = ""
        Exit Function
    End If

    ' accesschk prints one account per line; concatenate them with a comma delimiter,
    ' skipping blank lines and dropping any DOMAIN\ or BUILTIN\ prefix
    accountArray = Split(Result, vbCrLf)
    For i = 0 To UBound(accountArray)
        value = Trim(Replace(accountArray(i), Chr(9), ""))
        If value <> "" Then
            j = InStrRev(value, "\")
            If j > 0 Then value = Mid(value, j + 1)
            If PollAccessChkForSettings <> "" Then
                PollAccessChkForSettings = PollAccessChkForSettings & ","
            End If
            PollAccessChkForSettings = PollAccessChkForSettings & UCase(value)
        End If
    Next
    'WScript.Echo PollAccessChkForSettings
End Function

If you are interested in the complete script listing for DCM, you can download it from HERE.

To improve the accuracy and integrity of Security Compliance Management, collecting user rights assignment data from the right location is critical for security compliance reports. The newly updated AccessChk.exe can be integrated into the Desired Configuration Management feature of Microsoft System Center Configuration Manager 2007 to achieve this.


How to Use AccessChk.exe for Security Compliance Management

In this article we invite Michael Tan, one of our senior program managers, to introduce a new feature in the recently updated Sysinternals tool AccessChk. His two-part article looks at how the new AccessChk feature works and the benefits of using this Sysinternals tool. The second part looks at using the tool with Configuration Manager's DCM feature, and how the Security Compliance Management toolkit benefits from the effort.

 

Microsoft released the Security Compliance Management toolkit on June 5, 2008, on TechNet and as a free download on the Microsoft Download Center. The toolkit enables organizations to monitor the security compliance state of their IT environments for computers running Windows operating systems by using the Desired Configuration Management (DCM) feature in Microsoft System Center Configuration Manager 2007, as mentioned in recent posts. Now let's look at a known issue with the toolkit's use of Resultant Set of Policy (RSOP) Windows Management Instrumentation (WMI) providers for data discovery. This shortcoming can be worked around by using the newly updated AccessChk.exe with some custom DCM scripts to obtain the current user rights assignment data from the Windows Local Security Authority (LSA) store. To make this simple, we include a working sample that customers can use to collect this data directly from the LSA store.

Background

The Security Compliance Management toolkit provides more than 300 security settings, including user rights assignment settings such as Access this computer from the network, Back up files and directories, and so on. The Release Notes in the toolkit include a list of the settings. For the user rights assignment settings, the data collected from the WMI repository may not match the data in the LSA store. This is because the toolkit's data discovery uses RSOP WMI providers, which query the WMI repository (the CIMOM database) for the existing or planned policies as Group Policy recorded them, whereas the user rights that Windows components actually enforce are read from the LSA store. A right granted or removed directly in the local security database or through the LSA API, rather than by policy, is not reflected in the RSOP data, so a compliance report built on RSOP alone can disagree with what the host enforces.

If you want the actual security state of the user rights assignments on a target host, you must query the LSA store directly instead of using RSOP.

Only native or Win32 application programming interfaces (APIs), such as LsaEnumerateAccountsWithUserRight, are provided for querying LSA user rights, and calling them is not supported by the DCM feature in Configuration Manager 2007. To obtain this data, you can use the newly updated Sysinternals tool AccessChk.exe (version 4.2), together with the DCM feature's scripting capability, to read user rights assignment data directly from the LSA store.

AccessChk.exe

AccessChk.exe reports the effective access that a user or group you specify has to files, registry keys, or Windows services. AccessChk.exe now also supports a new option, -a, to query user rights assignment data directly from the LSA store.

First, download AccessChk.exe 4.2 from Sysinternals.

At a command prompt, type AccessChk.exe /? to see the new option:

   -a     Name is a Windows account right. Specify '*' as the name to show all rights assigned to a user

Here is a partial list of the user rights assignments that you can read directly from the LSA store. The first column is the name to pass to the -a option; the Type column is the second parameter of the DCM script (Allowed or Denied).

User right name (-a option)        Type     Setting name                                    Description
SeBatchLogonRight                  Allowed  Log on as a batch job                           Required for an account to log on using the batch logon type.
SeDenyBatchLogonRight              Denied   Deny log on as a batch job                      Explicitly denies an account the right to log on using the batch logon type.
SeDenyInteractiveLogonRight        Denied   Deny log on locally                             Explicitly denies an account the right to log on using the interactive logon type.
SeDenyNetworkLogonRight            Denied   Deny access to this computer from the network   Explicitly denies an account the right to log on using the network logon type.
SeDenyRemoteInteractiveLogonRight  Denied   Deny log on through Terminal Services           Explicitly denies an account the right to log on remotely using the interactive logon type.
SeDenyServiceLogonRight            Denied   Deny log on as a service                        Explicitly denies an account the right to log on using the service logon type.
SeInteractiveLogonRight            Allowed  Allow log on locally                            Required for an account to log on using the interactive logon type.
SeNetworkLogonRight                Allowed  Access this computer from the network           Required for an account to log on using the network logon type.
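The following PowerShell script is an added example written for this page; it is not code from the article, from AccessChk, or from the Security Compliance Management toolkit. It ties together the two points above: it runs the AccessChk -a query for each right in the table, queries the same right from the RSOP WMI provider that the toolkit's configuration items read, and reports where the two disagree, which is the RSOP-versus-LSA gap described in the Background section. Assumptions not stated by the article: accesschk.exe 4.2 or later is on the PATH, accepts -accepteula, and prints one account per line on standard output; RSOP logging-mode data is present in the root\rsop\computer namespace as the RSOP_UserPrivilegeRight class with UserRight, AccountList and precedence properties (these names are taken from the RSOP WMI schema as the editor recalls it, not from the article); the script runs elevated in Windows PowerShell on the target host.

```powershell
# Added example: compare user rights from the LSA store (via AccessChk) with RSOP (via WMI).
# Not part of the original article; see the lead-in for the assumptions it makes.

# The rights listed in the article's table
$Rights = @(
    'SeBatchLogonRight', 'SeDenyBatchLogonRight', 'SeDenyInteractiveLogonRight',
    'SeDenyNetworkLogonRight', 'SeDenyRemoteInteractiveLogonRight', 'SeDenyServiceLogonRight',
    'SeInteractiveLogonRight', 'SeNetworkLogonRight'
)

# Normalise an account name the way the article's DCM script does: drop the
# DOMAIN\ or BUILTIN\ prefix and upper-case it, so both sources compare cleanly.
function ConvertTo-BareName {
    param([string]$Account)
    $name = $Account.Trim()
    $name.Substring($name.LastIndexOf('\') + 1).ToUpperInvariant()
}

# Accounts that hold the right according to the LSA store, read with AccessChk -a.
function Get-LsaRightAccounts {
    param([Parameter(Mandatory = $true)][string]$Right)
    if (-not (Get-Command accesschk.exe -ErrorAction SilentlyContinue)) {
        throw 'accesschk.exe not found on the PATH'
    }
    # -accepteula keeps the Sysinternals licence dialog from blocking a non-interactive run;
    # the tool banner goes to stderr and is discarded here (assumption, see lead-in).
    $lines = & accesschk.exe -accepteula -a $Right 2>$null
    $accounts = foreach ($line in @($lines)) {
        $t = "$line".Trim()
        # Skip blank lines, the "no accounts" message, and a "<Right>:" header line if present
        if ($t -eq '' -or $t -like '*No more data is available*' -or $t.EndsWith(':')) { continue }
        ConvertTo-BareName $t
    }
    if (-not $accounts) { return @('NO ONE') }
    return @($accounts | Sort-Object -Unique)
}

# Accounts that hold the right according to the winning GPO recorded in RSOP logging mode.
# precedence=1 selects the GPO whose setting won; a right no GPO sets has no RSOP entry.
function Get-RsopRightAccounts {
    param([Parameter(Mandatory = $true)][string]$Right)
    $rsop = Get-WmiObject -Namespace 'root\rsop\computer' -Class 'RSOP_UserPrivilegeRight' `
        -Filter "UserRight='$Right' AND precedence=1" -ErrorAction SilentlyContinue
    if (-not $rsop) { return @('NOT IN RSOP') }
    $accounts = foreach ($a in @($rsop.AccountList)) {
        if ($a) { ConvertTo-BareName $a }
    }
    if (-not $accounts) { return @('NO ONE') }
    return @($accounts | Sort-Object -Unique)
}

# Compare both sources for one right. InSync is $false whenever the account sets differ,
# which is exactly the case where an RSOP-based compliance report would be wrong.
function Compare-UserRightSources {
    param([Parameter(Mandatory = $true)][string]$Right)
    $lsa  = @(Get-LsaRightAccounts  -Right $Right)
    $rsop = @(Get-RsopRightAccounts -Right $Right)
    $diff = Compare-Object -ReferenceObject $rsop -DifferenceObject $lsa
    New-Object PSObject -Property @{
        Right  = $Right
        Rsop   = ($rsop -join ',')
        Lsa    = ($lsa  -join ',')
        InSync = (-not $diff)
    } | Select-Object Right, Rsop, Lsa, InSync
}

$Rights | ForEach-Object { Compare-UserRightSources -Right $_ } | Format-Table -AutoSize
```

Run it from an elevated Windows PowerShell prompt on a domain-joined host after Group Policy has been applied. A row with Rsop = NOT IN RSOP and accounts under Lsa is a right that no GPO defines, so the host is running on the local default; an RSOP-based configuration item never sees that value, while the AccessChk-based DCM script from part two does. A row where both columns are populated but InSync is $false is the synchronization gap the Background section describes.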