Hello Mehul, thank you for the information, can you please
send me the link to the document that contains the statement
that Deny logon through Terminal Services should "only" be
denied to the Guests group.
John,
The settings are listed in an excel sheet which can be downloaded from
here http://fdcc.nist.gov/FDCC-SCAP-Content-Test-v1-0-1.xls or the .inf
file included with the GPO's
(http://fdcc.nist.gov/FDCC-Q3-2007-Final-GPO-20070730.zip).
Although I dont think there is harm in having additional members on Deny
user right settings. I think this is best handled by editing the .audit file
on your side.
So for e.g in your case, you may want to edit the .audit file as follows.
<item>
name: "Deny log on through Terminal Services"
value: "Guests" | ""renamed_guest"
</item>
Secutor Prime also reported the same problem, once Threat
Guard was aware of the issue Secutor Prime was corrected so
that it did not fail a check because additional user account
were restricted using the various deny user rights in group policy.
As I said earlier, our next version of compliance checks will be much
more flexible in handling such type of operations. But for now, this
should be handled by editing the .audit file.
The FDCC Q3 2007 XP Group Policy requires a password length
of 12 , if the organization requires a password length of 24
that check would fail. Secutor Prime use to fail this
check until it was correct so that the check passes if its
12 or greater.
I made some changes to .audit file so that system settings (passwd length,
passwd age etc...) will be much more tolerant
if the settings are stricter than the FDCC recommended settings. It should
be up on the portal in couple of hours.
Thanks
- Mehul
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
