SCA Windows 10 Benchmark not working as expected no Windows 10 Professional
229 views
Skip to first unread message
Jon Sereda
Jan 9, 2024, 7:01:02 AM1/9/24
to Wazuh | Mailing List
Hello Team,
r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel
r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 5
I'm a new Wazuh users and currently trying out the SCA feature.
In doing so I've setup a Windows 10 Professional Workstation and applied a large number of GPO's which should satisfy many of the default SCA tests.
A good number of them do pass the scan test. However, there appear to be many that fail even though they are met.
For example the following check fails even though it is satisfied on the Agent. :
Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'.
Checks (Condition: all)r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel
r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 5
The default benchmark is "CIS Microsoft Windows 10 Enterprise Benchmark v1.12.0".
If the problem being a slight difference in the Operating System?
Jon Sereda
Jan 11, 2024, 12:05:23 PM1/11/24
to Wazuh | Mailing List
Hi, I just want to know if these policies should work "Out of the box" for the version mentioned or do they require additional configuration to work as expected?
Thanks
Thanks
Jon Sereda
Jan 11, 2024, 3:55:58 PM1/11/24
to Wazuh | Mailing List
I've found almost the same exact question on another chat.
In this case (and my case for this single example) there is an extra space in the yml file on line 946 after LmCompatibilityLevel...
'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel '
I would now like to repair this and others that I discover on the rest of the file that is shared out to clients by default.
What would be the best way to accomplish this?
Federico Rodriguez
Apr 17, 2024, 3:08:00 AM4/17/24
to Wazuh | Mailing List
Hi Jon Sereda, hope you are doing well.
The extra space issue has been addressed in this pull request for Wazuh 4.8.0, which will be released very soon.
I'm very sorry for the delay in the answer, let me know if this helps you.
Reply all
Reply to author
Forward
0 new messages