Hidden registry settings

Question

Scenario: I'm performing a configuration audit on a server that's joined to the domain. For the mandatory security configuration settings, there are group policies defined and being pushed out to domain members, but not all of the settings. The remaining settings are supposed to be defined locally on the server through one of the many configuration interfaces. Some of the settings are easy to audit because there are registry keys that are created. Others... not so much.

For example, if I want to check that the 'Network access: Allow anonymous SID/Name translation' settings has been configured properly, I have to use a RSOP call (via Powershell, or another tool like BigFix/TEM). The problem is that settings defined by local GPE aren't reflected in RSOP.

So, ultimately, the question is: is there a hidden hive in the registry where that setting, and others similar to it, are stored?

Answer 1

According to this TechNet article it appear that the key for the policy in question is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\TurnOffAnonymousBlock

I can't think of any GPO settings that don't push down registry keys, so you can simply do something like:

reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\TurnOffAnonymousBlock

There is no "hidden" branch or anything like that. I'm not sure what you're talking about there. If a key doesn't exist, it is the same as not being configured.

Answer 2

UPDATE: there is a newer tool available here: http://blogs.technet.com/b/secguide/archive/2016/01/21/lgpo-exe-local-group-policy-object-utility-v1-0.aspx

Also, I have found that not all items are enumerated by getting the registry based GPOs and instead require using secedit to audit and very specific and complicated registry parsing to detect the changes with BigFix relevance.

You can audit the Local GPO set on a system using a tool provided by someone from Microsoft called "LGPO_Utilities"

Read more here: http://blogs.technet.com/b/fdcc/archive/2008/05/07/lgpo-utilities.aspx

This tool can be used to set Local GPO, but it can also be used to export all current Local GPOs to a text file.

I use this tool to set Local GPO for many things that either require the settings to be set through Local GPO, or settings I want to enforce on users using Local GPO, but deployed through BigFix / IBM Endpoint Manager.

See this example: http://bigfix.me/fixlet/details/3827

I have a few other examples as well posted to BigFix.me

This question gives me the idea of creating a task that would be set to run every few days that would export all Local GPO settings so that they can be audited with a BigFix analysis.

Related to Local GPO registry:

• https://forum.bigfix.com/t/parsing-registry-pol-local-group-policy-get-numeric-ascii-values-of-characters-in-a-string/16465/3
• https://bigfix.me/fixlet/details/3741

Related to special security related items:

• http://www.beginningtoseethelight.org/ntsecurity/index.htm
• https://bigfix.me/relevance/details/3007516
• https://bigfix.me/relevance/details/3007518
• https://bigfix.me/relevance/details/3007517

Answer 3

I know I'm late to the party, but I spent some time myself on this today.

This is how I was able to get the value for the settings Network access: Allow anonymous SID/Name translation

$null = secedit /export /cfg $env:temp/secexport.cfg
$(gc $env:temp/secexport.cfg | Select-String "LSAAnonymousNameLookup").ToString().Split('=')[1].Trim()

This should return 0 if disabled and 1 if enabled.

It looks like no regkey is created for this setting, at least not one I could track down with procmon.

Answer 4

The official list of GPO and registry key is here: Group Policy Settings Reference for Windows and Windows Server

That gives a big Excel file with information like:

MACHINE
Administrative Templates\System\User Profiles Add the Administrators security group to roaming user profiles At least Microsoft Windows XP Professional or Windows Server 2003 family This setting adds the Administrator security group to the roaming user profile share. Once an administrator has configured a users' roaming profile, the profile will be created at the user's next login. The profile is created at the location that is specified by the administrator. For the Windows 2000 Professional and Windows XP Professional operating systems, the default file permissions for the newly generated profile are full control, or read and write access for the user, and no file access for the administrators group. By configuring this setting, you can alter this behavior. If you enable this setting, the administrator group is also given full control to the user's profile folder. If you disable or do not configure it, only the user is given full control of their user profile, and the administrators group has no file system access to this folder. Note: If the setting is enabled after the profile is created, the setting has no effect. Note: The setting must be configured on the client computer, not the server, for it to have any effect, because the client computer sets the file share permissions for the roaming profile at creation time. Note: In the default case, administrators have no file access to the user's profile, but they may still take ownership of this folder to grant themselves file permissions. Note: The behavior when this setting is enabled is exactly the same behavior as in Windows NT 4.0.
HKLM\Software\Policies\Microsoft\Windows\System!AddAdminGroupToRUP

So, find the key you want to audit from that document.