Duane, 
  View this policy I have attached.  Search for
Registry_NT_security_options_changed and you will see that the Winlogon key
is deleted.  If you import this policy into the RealSecure Console and view the
policy, you will see the registry key winlogon is gone.  After you import
the policy, you need to APPLY the policy to the sensor and then test it.  It
works for me and it will not show Registry_NT_security_options_changed when
I unlock the NT machine.  The policies you should be editing for OS Sensor
are located in program files\ISS\RealSecure 5.0\Host Policies

Audra

If you have further questions, contact [EMAIL PROTECTED]



-----Original Message-----
From: Duane E. Weldon [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 11, 2000 3:05 PM
To: '[EMAIL PROTECTED]'
Subject: RealSecure OS Sensor Policy customization




I am trying to "customize" an OS Sensor policy.  I am trying to edit out the
"false-positive" that I am getting with the
"Registry_NT_security_options_changed" event.  I get this false-positive by
simply unlocking the box.  The GUI of the policy does not have a method to
"uncheck" the Winlogon registry key that is causing this.  I am trying to
edit the current.policy and the audit.policy files.  I have had limited
success.  Does anybody have experience modifying OS Sensor policies like
this?  I also know that the RuleDef.policy plays a part but I do not know
exactly how.  Is the RuleDef.policy used to create the other two?  Or does
the RuleDef.policy play a part after the new policy is derived?

I have tried ISS Tech Support but have gotten nowhere.  It is as though no
one has ever wanted to modify the OS Sensor RealSecure policies.

If anybody has any information it will be appreciated.


Thanks,


Duane Weldon
I/T Security Analyst
USAA
San Antonio, TX


tester.policy
