Has anyone actually tested the check reg-passwd-01 on either a Win2K or Win2003 agent (with XPU 28)? This check is not correct. It is supposed to check for the password complexity setting in Windows. However, it is still using the WinNT settings for the check. In WinNT there is a registry key \HKLM\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages. This key has in the value setting passfilt. That is what this check looks for. It corresponds with the reg-passwd-02 check, which actually looks for the passfilt.dll file in \WinNT\System32.
However, in Windows 2000 and 2003, the passfilt function is now built in. So when you enable the local security policy for password complexity, the registry key from WinNT for password filters is not referenced. Instead, the reg-passwd-01 check should be checking for the existence of the following registry key in Win2000 or 2003: HKLM\Software\Microsoft\Windows NT\CurrentVersion\SeCEdit\EnforceEFSPolicy. Although this key does have some bearing on Encrypted Files Systems, it is the key that either exists or does not exist when you enable or disable the password complexity policy.

So once again, I have had to customize a System Scanner Check (#46 so far) to make it actually work. If anyone has any other suggestions, I am open. By the way, I used regmon to find the key that is modified/added/deleted when I change the local policy.

Shelley

--------------------------------------------------------------------
Shelley Coughlan
Bell Canada
Corporate Security
Security Operations
Sûreté de l'entreprise - Opérations

_______________________________________________
ISSForum mailing list
The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
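The two registry tests described in the message, run offline against a regedit text export, as an added example (not part of the original post and not ISS System Scanner code). The export below is constructed, the function names are hypothetical, and the Win2000/2003 marker is taken from the post's regmon observation, accepted either as a subkey or as a value under SeCEdit.

```python
import re

# Constructed REGEDIT4 export (not from a real host): passfilt registered the
# NT4 way, plus the SeCEdit\EnforceEFSPolicy key the post observed.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Notification Packages"=hex(7):46,50,4e,57,43,4c,4e,54,00,70,61,73,73,66,69,\
  6c,74,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\EnforceEFSPolicy]
'''

LSA = r"hkey_local_machine\system\currentcontrolset\control\lsa"
SECEDIT = r"hkey_local_machine\software\microsoft\windows nt\currentversion\secedit"

def parse_reg(text):
    """Return {lowercased key path: {lowercased value name: raw data}}."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex continuation lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and line.startswith('"'):
            name, _, data = line.partition('"=')
            current[name[1:].lower()] = data
    return keys

def multi_sz(data):
    """Decode a REGEDIT4 hex(7) (REG_MULTI_SZ, ANSI bytes) value to strings."""
    if not data.startswith("hex(7):"):
        return [data.strip('"')]
    raw = bytes(int(b.strip(), 16) for b in data[7:].split(",") if b.strip())
    return [s for s in raw.decode("latin-1").split("\0") if s]

def nt4_filter_registered(keys):
    """WinNT test: 'passfilt' listed in Lsa\\Notification Packages."""
    pkgs = multi_sz(keys.get(LSA, {}).get("notification packages", ""))
    return any(p.lower() == "passfilt" for p in pkgs)

def w2k_marker_present(keys):
    """Win2000/2003 test per the post: EnforceEFSPolicy exists under SeCEdit."""
    return (SECEDIT + r"\enforceefspolicy") in keys or \
        "enforceefspolicy" in keys.get(SECEDIT, {})

def complexity_check(keys, os_family):
    """os_family is 'nt4' or 'w2k' (Windows 2000/2003)."""
    return nt4_filter_registered(keys) if os_family == "nt4" else w2k_marker_present(keys)
```

Running both tests against the same export shows where they disagree, which is the mismatch the message reports for a check that applies the WinNT test to a Win2000/2003 agent.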
