Documentation for Server Configuration Monitor

Permissions required to monitor the Windows Server 2016 STIG policy in SCM

The LOCAL_SYSTEM account has sufficient permissions on the domain controller to run the commands that monitor the built-in Windows Server 2016 STIG policy (version 1, release 10) in Server Configuration Monitor (SCM). However, if domain administrators have policies against running services as LOCAL_SYSTEM on their domain controllers, they may choose to have SCM polling run under a different account.

If a specific user is assigned in SCM so that polling does not run as LOCAL_SYSTEM, that user should be a member of one of the following groups:

  • Domain admins -- Designated administrators of the domain, domain admins are members of every domain-joined computer's local administrators group, and they receive rights and permissions granted to that group.

  • Enterprise admins -- Like domain admins, enterprise admins are members of every domain-joined computer's local administrators group, and they receive rights and permissions granted to that group.

  • Administrator -- Administrators have complete, unrestricted access to the domain.

The following commands are used to monitor the Windows Server 2016 STIG policy in SCM.

Windows Server 2016 STIG policy permissions

  • secedit -- exports the local security policy to a temporary file:

    $FileName = $env:temp + "\secpol" + (New-Guid) + ".txt"
    secedit /export /cfg $FileName | Out-Null

  • auditpol -- reads the effective audit policy for every category:

    AuditPol /get /category:*

Commands from various PowerShell modules can also be used.

From the Active Directory PowerShell module:

  • Get-ADForest -Current LocalComputer

  • Get-ADDomain -Identity $Domain

  • Get-ADDomainController -DomainName $Domain -Discover

  • Get-ADObject -Identity $ObjectDN -Server $DC

  • Get-Auditing $Domain "OU=Domain Controllers"

  • Get-ADUser -Filter * -Properties SID, PasswordLastSet

  • Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 35.00:00:00


From the GroupPolicy PowerShell module:

  • Get-GPResultantSetOfPolicy -ReportType Xml -Path $FileName


From the SmbShare PowerShell module:

  • Get-SmbShare -Special $false | Where-Object { $_.Name -ne "NETLOGON" -and $_.Name -ne "SYSVOL" }


Also noteworthy:

  • Get-Acl -Path $Path -Audit
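The script below is an added pre-flight check, not part of the SCM documentation: run it in an elevated PowerShell session as the account SCM polling will use, and it executes the commands listed above and reports which ones that account can run. It assumes the RSAT ActiveDirectory, GroupPolicy and SmbShare modules are available on the domain controller and uses the SYSVOL folder as a sample path for Get-Acl; Get-Auditing, which is not a cmdlet of the standard ActiveDirectory module, is left out.

```powershell
# Added pre-flight check (not SCM's own code): run the page's commands as the
# intended polling account and report which succeed. Assumes an elevated session
# on the DC with the ActiveDirectory, GroupPolicy and SmbShare modules installed.
$results = New-Object System.Collections.Generic.List[object]

function Test-Step {
    param([string]$Name, [scriptblock]$Action)
    try {
        $null = & $Action
        $results.Add([pscustomobject]@{ Check = $Name; Result = 'OK'; Detail = '' })
    } catch {
        $results.Add([pscustomobject]@{ Check = $Name; Result = 'FAILED'; Detail = $_.Exception.Message })
    }
}

# Identify the polling account and whether it holds local Administrators rights.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
Write-Host ("Running as {0}; local Administrators: {1}" -f $identity.Name,
    $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator))

# Native tools do not throw on failure, so check their exit codes explicitly.
Test-Step 'secedit /export' {
    $FileName = Join-Path $env:TEMP ("secpol" + (New-Guid) + ".txt")
    secedit /export /cfg $FileName | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $FileName)) { throw "secedit failed (exit $LASTEXITCODE)" }
    Remove-Item $FileName -Force
}
Test-Step 'auditpol /get' {
    AuditPol /get /category:* | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed (exit $LASTEXITCODE)" }
}

Import-Module ActiveDirectory, GroupPolicy, SmbShare -ErrorAction Stop
$Domain   = (Get-ADDomain).DNSRoot
$ObjectDN = (Get-ADDomain).DistinguishedName   # sample object: the domain head
$DC       = (Get-ADDomainController -DomainName $Domain -Discover).HostName | Select-Object -First 1

Test-Step 'Get-ADForest'     { Get-ADForest -Current LocalComputer }
Test-Step 'Get-ADDomain'     { Get-ADDomain -Identity $Domain }
Test-Step 'Get-ADObject'     { Get-ADObject -Identity $ObjectDN -Server $DC }
Test-Step 'Get-ADUser'       { Get-ADUser -Filter * -Properties SID, PasswordLastSet }
Test-Step 'Search-ADAccount' { Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 35.00:00:00 }
Test-Step 'Get-GPResultantSetOfPolicy' {
    $rsop = Join-Path $env:TEMP ("rsop" + (New-Guid) + ".xml")
    Get-GPResultantSetOfPolicy -ReportType Xml -Path $rsop | Out-Null
    Remove-Item $rsop -Force
}
Test-Step 'Get-SmbShare' { Get-SmbShare -Special $false | Where-Object { $_.Name -ne "NETLOGON" -and $_.Name -ne "SYSVOL" } }
# Get-Acl -Audit needs SeSecurityPrivilege; SYSVOL is an assumed sample path, not one SCM prescribes.
Test-Step 'Get-Acl -Audit' { Get-Acl -Path "$env:SystemRoot\SYSVOL" -Audit }

$results | Format-Table -AutoSize
```

Any row reporting FAILED names a command the chosen account cannot run, so the corresponding STIG checks would not be collected until the account is added to one of the groups listed above.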