Closed thijsvanbloemendaal closed 4 years ago
Hey, we actually found a fix for this. We have forked this repository and my colleague will be pushing the fix up.
In short, there's a switch call three functions deep which doesn't cover all possibilities of users in a policy. The Local Security Policy associated with the problematic call is "Network Access: Restrict Clients allowed to make remote calls to SAM". If you look at that policy in secedit, you'll see a weird, seemingly incomprehensible series of parentheticals that look something like this:
(A;;RC;;;SY)(A;;RC;;;DA)
This is an esoteric, legacy language called SDDL, and the parentheticals refer to permission sets for local/domain user groups. At the end of each of these is an identifier that is used to identify the group (because the SID was too verbose for the byte constraints that they were working in when this language was created). This is converted to a SID, which is then converted to a friendly name that is used to construct an object using New-CimInstance. Because the only one noted in the switch statement is "BA" (i.e. Builtin\Administrators), it breaks.
We added support for all missing ones, including SY (NT AUTHORITY\SYSTEM) and DA (DOMAIN\Domain Administrators).
Cheers!
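As an added illustration of the point made above (this is not the project's code nor the fix the commenter describes), the following PowerShell splits an SDDL DACL like the one secedit shows into its ACEs and resolves each trustee alias through .NET rather than through a hard-coded switch, so aliases such as SY and DA are handled the same way as BA. The function name and the sample SDDL value are constructed for this example; on a host that is not domain-joined, domain-relative aliases such as DA cannot be expanded, and the code reports that instead of throwing.

```powershell
# Added example, not the project's code. Splits an SDDL DACL such as
# "(A;;RC;;;SY)(A;;RC;;;DA)" into its ACEs, resolves each trustee token
# (two-letter alias or raw S-1-... SID) through .NET instead of a hard-coded
# switch, and reports tokens this host cannot resolve rather than failing.
function ConvertFrom-SamSddl {
    param([Parameter(Mandatory)][string]$Sddl)

    foreach ($m in [regex]::Matches($Sddl, '\(([^)]*)\)')) {
        # ACE layout: ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid
        $fields = $m.Groups[1].Value -split ';'
        if ($fields.Count -lt 6) { continue }   # malformed ACE: skip it, do not throw
        $trustee = $fields[5]

        $sid = $null; $name = $null
        try {
            # The SecurityIdentifier constructor accepts both the SDDL aliases
            # (BA, SY, DA, ...) and full S-1-5-... strings.
            $sid  = [System.Security.Principal.SecurityIdentifier]::new($trustee)
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            # DA, EA and similar aliases need the machine's domain SID; on a
            # standalone host they cannot be expanded, so surface that here.
            if (-not $name) { $name = "<unresolved:$trustee>" }
        }

        [pscustomobject]@{
            AceType = $fields[0]
            Rights  = $fields[2]
            Trustee = $trustee
            Sid     = if ($sid) { $sid.Value } else { $null }
            Name    = $name
        }
    }
}

# Constructed sample value, in the form secedit shows for this policy.
ConvertFrom-SamSddl -Sddl '(A;;RC;;;SY)(A;;RC;;;DA)(A;;RC;;;BA)' | Format-Table -AutoSize
```

Any row whose Name starts with "<unresolved:" marks a trustee the current host cannot map, which is the case a baseline importer has to tolerate rather than treat as an error.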
Hi,
I'm running into issues with a baseline in windows 2019. I receive the following error on multiple securityOptions:
Does anyone know how to resolve this?
Regards, Thijs