SCCM – Microsoft Vulnerability Assessment Configuration pack in a Multi-Language Environment?

Recently, we had to deploy the Microsoft Vulnerability Assessment Configuration Pack in our environment to meet some standards from our security team. First, we started by following this guide from Enhansoft, http://www.enhansoft.com/blog/how-to-install-vulnerability-assessment-configuration-pack, which is an excellent guide.

Of course, those baselines are really interesting from a security perspective, but one thing we noticed once we started our deployment is … we got a lot of failures, even when using the bypass for PowerShell in our client settings. We started to troubleshoot the issue, and it looks like some of the configuration item scripts are looking for a specific value like Guest… As we have to deal with a lot of different languages, it just doesn’t work for us.

[Image: vulnerability_os_language]

At this point my question was, why doesn’t Microsoft use the SID rather than the name in their CI scripts… So, starting with this list of well-known SIDs, https://support.microsoft.com/en-ca/kb/243330, I’ve built my own script using PowerShell and the user account SID, ending with the following result:

[Image: guest_compatible]

So if you are in the same situation as me, here is an example of the script I used to fix the Guest account status check (by the way, make sure to copy the CI before you make any changes):

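# Find the built-in Guest account by its SID (RID 501) instead of its localized name
$LocalAccounts = Get-WmiObject win32_useraccount -Filter "LocalAccount='True'" |
    ?{$_.sid -match '^[S][-][1][-][5][-].*[-][5][0][1]$'} |
    Select-Object Name,Disabled

# Write output only when the Guest account is enabled (Disabled = False)
if($LocalAccounts){
    foreach($Account in $LocalAccounts){
        if($Account.Disabled -eq $False){Write-Host $($Account.Disabled)}
    }
}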
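
The same SID-based approach, extended beyond the Guest status check to the built-in Administrator account and to built-in groups whose names are also localized. This is an added example, not part of the original post or of Microsoft's configuration pack; the function names are hypothetical, and the SIDs come from the well-known SIDs list linked above.

```powershell
# Added example: language-independent lookups for CI discovery scripts.
# Function names are hypothetical, not part of the Microsoft configuration pack.

# Built-in local accounts keep a fixed RID whatever the OS language,
# and even after a rename: 500 = Administrator, 501 = Guest.
function Get-BuiltinLocalAccount {
    param([Parameter(Mandatory = $true)][ValidateSet(500, 501)][int]$Rid)

    # Local account SIDs have the form S-1-5-21-<machine identifier>-<RID>.
    $pattern = '^S-1-5-21-\d+-\d+-\d+-{0}$' -f $Rid
    Get-WmiObject Win32_UserAccount -Filter "LocalAccount='True'" |
        Where-Object { $_.SID -match $pattern } |
        Select-Object Name, SID, Disabled
}

# Built-in groups have constant SIDs; Translate() returns the name as it is
# spelled on this machine (for example "BUILTIN\Administrators" on English).
function Resolve-WellKnownSidName {
    param([Parameter(Mandatory = $true)][string]$Sid)

    try {
        $sidObject = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $sidObject.Translate([System.Security.Principal.NTAccount]).Value
    }
    catch [System.Security.Principal.IdentityNotMappedException] {
        $null   # SID is valid but does not map to an account on this machine
    }
}

# Discovery value for a CI: one string a compliance rule can compare against.
function Get-GuestComplianceState {
    $guest = Get-BuiltinLocalAccount -Rid 501
    if (-not $guest) { return 'NotFound' }
    if ($guest.Disabled) { 'Disabled' } else { 'Enabled' }
}

Get-GuestComplianceState
Resolve-WellKnownSidName -Sid 'S-1-5-32-544'   # Administrators group
Resolve-WellKnownSidName -Sid 'S-1-5-32-546'   # Guests group
```

Returning an explicit state string lets the compliance rule distinguish a disabled Guest account from a script that found no account at all.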

Hope that helps you make those baselines work in your environment, and don’t forget to do some testing before you target this to your production systems.
