01/31/2019 775 views

Good morning!


I've just upgraded our SMA to 9.0.270 and have started to get more in-depth into our KACE products (also just upgraded our SDA to 6.0.425). So, the background: I'm looking to create a custom inventory rule that will check to see if the registry values to disable SMB1 and to require security signatures exist within the registry, and to return the values. I understand if another CIR to return the values is necessary, and that's not an issue.

The reason for this is that I recently pushed out a script domain-wide after testing on a couple groups of servers and workstations for these changes. In case we get audited, I need to be able to create a report that shows these values exist within the registry. I technically have two CIRs since the registry keys are different for servers and workstations. Below is what I have so far; please correct my syntax if it is wrong.


Server CIR:

RegistryValueReturn (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters,SMB1,NUMBER) AND RegistryValueReturn (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters,RequireSecuritySignature,NUMBER)


Workstation CIR:

RegistryValueReturn (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation,DependOnService,TEXT) AND
RegistryValueReturn (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters,RequireSecuritySignature,NUMBER) AND RegistryValueReturn (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\mrxsmb10,Start,NUMBER)


I believe I already have the reports created to show the values of the registry entries via the report wizard, so I just need to be sure these CIRs will return the values.


Thanks for your time!



Answer Chosen by the Author

2

OK, you are on the right track.

I would create 2 CIRs and not use the AND; that gives you 2 columns in your report that are separate for each entry. Easier to filter the report that way also.

Put a space after your commas.

See if the keys are in the 32-bit or 64-bit area of the registry. If they are in the 32-bit area you are good; if they are in the 64-bit area you need to use a trick.

Here is an example of how to retrieve 64-bit values (a CIR that checks for the Intel ME vulnerability):

RegistryValueReturn(HKLM64\SOFTWARE\Intel\Setup and Configuration Software\INTEL-SA-00086 Discovery Tool\System Status, System Risk, text)


Answered 02/01/2019 by: SMal.tmcc
Red Belt

  • Thank you, SMal! Now, another quick question, would there be a way to get the CIRs to say "true" or "false" instead of the registry value?
    For example, I'd like the report to have the "CIR - Server - SMB1 Disabled" column read true or false for each server.
    • Yes

      RegistryValueEquals(registryPath, valueName, value)

      Please review page 466:
      "Evaluating device settings (Equals rules)" of the 9.0 Administrator's guide.

      Source:
      https://support.quest.com/download/downloads?id=6089094

Community Chosen Answer

1

Please review this:

https://support.quest.com/kace-systems-management-appliance/kb/118892/scripts-or-custom-inventory-rules-not-running-as-expected-on-x64-64-bit-clients

Also, I'm not sure if 'RegistryValueReturn' is compatible with AND... I don't recall seeing it returning several values at once.

I would use AND for something like:

FileVersionGreaterThan  AND

FileVersionLessThan


e.g.

FileVersionGreaterThan(C:\Program Files\Adobe\Acrobat\7.0\Acrobat\Acrobat.exe, 6.99)

AND 

FileVersionLessThan(C:\Program Files\Adobe\Acrobat\7.0\Acrobat\Acrobat.exe, 8.00)


Or, to check for a registry key and a registry entry value on a Windows device, use AND to combine the rules as follows:

RegistryKeyExists(registryPath) 

AND 

RegistryValueEquals(registryPath, valueName, value)


What I'm saying is, AND is used to test conditions, not to return multiple values.

The Administrator's guide says:

"AND operator: All the rules must return true in order for the results to return true and report the application as an Installed Program\Registry Value Present."

Answered 01/31/2019 by: Channeler
Red Belt
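To see the two pieces of advice in the answers side by side (one result per value, as SMal.tmcc's separate CIRs would give, and AND as a pass/fail condition, as Channeler describes), here is an added PowerShell example that is not part of the thread and not KACE code. It reads the registry values from the question through the 64-bit view (the same idea as the HKLM64 trick); the expected values (SMB1=0, Start=4, RequireSecuritySignature=1, no MRxSmb10 in DependOnService) are taken from Microsoft's published SMBv1 guidance, not from this page, and the check labels are my own.

```powershell
# Added example (not from the original thread). One result per registry value, the
# way one CIR per value would report, then combined with AND semantics.
# Assumes the paths and value names from the question; run in an elevated session.

function Get-RegValue64 {
    param([string]$SubKey, [string]$Name)
    # Open the 64-bit view explicitly (same idea as the HKLM64 trick) so a 32-bit
    # process reads the same keys a 64-bit one would.
    $hive = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine,
        [Microsoft.Win32.RegistryView]::Registry64)
    try {
        $key = $hive.OpenSubKey($SubKey)
        if ($null -eq $key) { return $null }      # key absent: treat as missing
        try { return $key.GetValue($Name) } finally { $key.Close() }
    } finally { $hive.Close() }
}

# Expected values per Microsoft's SMBv1 guidance: SMB1=0 and mrxsmb10 Start=4
# disable SMBv1, RequireSecuritySignature=1 enforces signing, and the
# workstation's DependOnService list must no longer include MRxSmb10.
$srv = 'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$wks = 'SYSTEM\CurrentControlSet\Services\LanmanWorkstation'
$checks = @(
    @{ Label = 'Server - SMB1 disabled'; Path = $srv; Name = 'SMB1'
       Test = { param($v) $v -eq 0 } }
    @{ Label = 'Server - signing required'; Path = $srv; Name = 'RequireSecuritySignature'
       Test = { param($v) $v -eq 1 } }
    @{ Label = 'Workstation - signing required'; Path = "$wks\Parameters"
       Name = 'RequireSecuritySignature'; Test = { param($v) $v -eq 1 } }
    @{ Label = 'Workstation - no MRxSmb10 dependency'; Path = $wks; Name = 'DependOnService'
       Test = { param($v) @($v) -notcontains 'MRxSmb10' } }
    @{ Label = 'Workstation - mrxsmb10 disabled'; Path = 'SYSTEM\CurrentControlSet\Services\mrxsmb10'
       Name = 'Start'; Test = { param($v) $v -eq 4 } }
)

$results = foreach ($c in $checks) {
    $actual = Get-RegValue64 -SubKey $c.Path -Name $c.Name
    [pscustomobject]@{
        Check  = $c.Label
        Actual = $(if ($null -eq $actual) { '<missing>' } else { "$actual" })
        Pass   = ($null -ne $actual -and (& $c.Test $actual))   # missing never passes
    }
}
$results | Format-Table -AutoSize

# AND semantics: the combined condition is true only when every check is true.
$allPass = @($results | Where-Object { -not $_.Pass }).Count -eq 0
"All SMB hardening checks pass: $allPass"
```

The per-check Pass column is what a RegistryValueEquals CIR would give you per column, and the final line is what a single rule built from AND would give you: one false, or one missing value, makes the whole thing false.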
