Friday, April 15, 2011

Scripting the retrieval of the warning banner (legal notice) when pushed by Group Policy

As an auditor, one of the controls I constantly come up against is ECWM-1, which states:
All users are warned that they are entering a Government information system, and are
provided with appropriate privacy and security notices to include statements informing
them that they are subject to monitoring, recording and auditing.
All workstations, servers, applications, networking gear, and other hosts must have a specific banner.  (I'm aware of exceptions, but I'm discussing that first line of defense to an asset, the warning banner.)  Gold Disk, in its latest incarnation, does not appear to actively check for the banner; in the tests that I have run, it marks the check as NR, and the banner must be manually reviewed.  Doing this for a machine or two is not bad.  However, many times I am working an enterprise system where there may be many servers and hundreds of workstations.  To solve that issue I wrap up many tools (including Gold Disk and OVAL) in a script in order to deploy the script and collect the results automagically.  Usually, I'll set up a share on a server where all servers and workstations can automatically dump their results.

So, there is the question of how to look at all of those warning banners.  Or, at least, how to look at a representative sample.  There are many references on how to set a warning banner on a local host.  The text you want to display as a banner is stored under the following key:
hklm\software\microsoft\windows nt\CurrentVersion\winlogon, and the value name is LegalNoticeText.

However, in these enterprise systems and enclaves, the warning banner is almost always pushed down to the workstation by Group Policy.  That key is hklm\software\microsoft\Windows\CurrentVersion\Policies\system, and the value name is again LegalNoticeText.  Since Group Policy writes to the Policies key and that value is the one Winlogon honors when both exist, it is the one to query.

To script this out (VBScript), I do:
Set objShell = CreateObject("WScript.Shell") ' the Run call below needs this object
objShell.Run "cmd /c reg query ""hklm\software\microsoft\Windows\CurrentVersion\Policies\system"" /v LegalNoticeText > legalnotice.txt", 0, True ' hidden window; wait so the file is complete before it is copied to the share

Now I have a copy of the warning banner, which I can inspect for compliance later on.
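As an added example (not the post's own script), here is how the collected legalnotice.txt files can be inspected for compliance in Python: it parses the reg query output, prefers the Group Policy key over the local Winlogon key, and reports which ECWM-1 statements the banner lacks. The sample reg query output and the required-phrase list are constructed here, not taken from a real host.

```python
import re

# Constructed sample of what "reg query ... /v LegalNoticeText" writes to
# legalnotice.txt on a host where Group Policy has pushed the banner.
SAMPLE_POLICY_OUTPUT = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System
    LegalNoticeText    REG_SZ    You are accessing a U.S. Government information system. Use is subject to monitoring, recording, and auditing.
"""

# Constructed sample for a host where the value does not exist at all.
SAMPLE_MISSING_OUTPUT = "ERROR: The system was unable to find the specified registry key or value.\n"

# Illustrative subset of the statements ECWM-1 expects the banner to carry (assumption).
REQUIRED_PHRASES = ("Government information system", "monitoring", "recording", "auditing")

# reg query prints:  <value name>    <type>    <data>  on one line per value.
_VALUE_LINE = re.compile(
    r"^\s*LegalNoticeText\s+REG_(?:SZ|EXPAND_SZ|MULTI_SZ)\s+(.*)$", re.MULTILINE)


def parse_legal_notice(reg_query_output):
    """Return the banner text from reg query output, or None if the value is absent."""
    match = _VALUE_LINE.search(reg_query_output)
    return match.group(1).strip() if match else None


def check_banner(policy_output, winlogon_output=None):
    """Pick the effective banner (Policies key first, then Winlogon) and list missing phrases."""
    banner = parse_legal_notice(policy_output)
    source = "Policies\\System (Group Policy)"
    if banner is None and winlogon_output is not None:
        banner = parse_legal_notice(winlogon_output)
        source = "Windows NT\\CurrentVersion\\Winlogon (local)"
    if not banner:  # neither key set, or set to an empty string
        return {"source": None, "banner": None,
                "missing": list(REQUIRED_PHRASES), "compliant": False}
    missing = [p for p in REQUIRED_PHRASES if p.lower() not in banner.lower()]
    return {"source": source, "banner": banner, "missing": missing, "compliant": not missing}


if __name__ == "__main__":
    for name, output in (("gpo-host", SAMPLE_POLICY_OUTPUT), ("bare-host", SAMPLE_MISSING_OUTPUT)):
        result = check_banner(output)
        print(name, "compliant" if result["compliant"] else "NON-COMPLIANT", result["missing"])
```

Run it over every host's legalnotice.txt on the collection share (and, if you also capture the Winlogon key, pass that file as the second argument) to get a per-host pass/fail list instead of reading each file by hand.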
