Customizing Windows Basic Compliance Benchmark
The basic compliance benchmark for Windows machines provides a simple overview of how a machine's security settings compare against security best practices.
Whilst it is possible to configure the basic compliance benchmark by using the benchmark settings, additional flexibility can be gained by leveraging the dynamic code editor.
- Create a new dynamic agent plugin, ensuring that the plugin is configured to run after agent scan.
- Open the dynamic code editor and modify the code in the Execute() method.
    /// <summary>
    /// Provides the code executed by this plugin.
    /// </summary>
    public override void Execute()
    {
        // Locate the Windows basic compliance benchmark by its well-known identifier.
        Guid identifier = ComplianceBenchmarkWellKnownIdentifiers.WindowsBasic;
        ComplianceBenchmark benchmark = Item.ComplianceBenchmarks.Items.FindByIdentifier(identifier);
        if (benchmark == null || benchmark.IsComplete)
        {
            return;
        }

        // Obtain result 4.1 (rename the local Administrator account).
        ComplianceBenchmarkResult result = benchmark.Results.Items.FindByReferenceNumber(4, 1);
        if (result == null)
        {
            // Guard against the result not being present.
            return;
        }

        // Fail the result if the account has simply been renamed to "root".
        if (String.Equals(result.ConfiguredDisplayValue, "root", StringComparison.CurrentCultureIgnoreCase))
        {
            result.ResultType = ComplianceBenchmarkResultType.Failed;
        }
    }
- First, the benchmark is obtained using its well-known identifier.
    Guid identifier = ComplianceBenchmarkWellKnownIdentifiers.WindowsBasic;
    ComplianceBenchmark benchmark = Item.ComplianceBenchmarks.Items.FindByIdentifier(identifier);
- In the example, the benchmark result "4.1 Rename the local Administrator account to a less easily identifiable account name (does not apply to domain controllers)" is obtained.
- In the example, the configured value has already been evaluated but is further evaluated against the word "root". If the administrator account has been named "root", this also causes the benchmark result to fail.
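The single "root" comparison above can be generalized to a small deny-list of names that remain easy to identify after a rename. The following is an added example, not code from the original page or the product: the class AdminNameCheck, the method IsGuessable and the listed names are assumptions, and the wiring into Execute() is shown only as a comment using the identifiers that appear on this page.

```csharp
using System;
using System.Collections.Generic;

// Added example: AdminNameCheck and IsGuessable are hypothetical names, not product API.
public static class AdminNameCheck
{
    // Constructed deny-list of names that stay easy to identify after a rename.
    private static readonly HashSet<string> GuessableNames =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "root", "admin", "administrator", "sysadmin", "superuser", "localadmin"
        };

    // Trailing characters ignored when matching, so "Admin01" or "root_" still match.
    private static readonly char[] Suffix = "0123456789_-.$".ToCharArray();

    // Returns true when the configured account name is still easily identifiable.
    public static bool IsGuessable(string accountName)
    {
        if (String.IsNullOrWhiteSpace(accountName))
        {
            return false; // no value to judge; leave the benchmark's own result alone
        }
        string name = accountName.Trim().TrimEnd(Suffix);
        return GuessableNames.Contains(name);
    }

    // Assumed wiring inside Execute(), using only the identifiers shown on this page:
    //   if (result != null && AdminNameCheck.IsGuessable(result.ConfiguredDisplayValue))
    //   {
    //       result.ResultType = ComplianceBenchmarkResultType.Failed;
    //   }

    public static void Main()
    {
        // Constructed sample values standing in for result.ConfiguredDisplayValue.
        foreach (string sample in new[] { "root", "ROOT", "Admin01", "svc-ops-7f3", "" })
        {
            string verdict = IsGuessable(sample) ? "force Failed" : "leave unchanged";
            Console.WriteLine("{0,-12} -> {1}", sample, verdict);
        }
    }
}
```

The ordinal, case-insensitive comparer keeps the match independent of the machine's culture settings, so the same account name produces the same result on every scanned host.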