Issues retrieving settings from .cfg file

  • Question

  • So I am trying to check whether the settings in localsecpol.cfg match the required settings, but it doesn't seem to work: if I change all the values in localsecpol.cfg to 60 (or similar numbers), it still comes out as desired.

    Inside localsecpol.cfg (so if I change the value in here, it would still be desired)

    PasswordHistory = 24
    MaximumPasswordAge = 60
    MinimumPasswordAge = 1
    MinimumPasswordLength = 14
    LockoutDuration = 15
    LockoutBadCount = 60

    This is my code.

    secedit /export /cfg C:\localSecPol.cfg

    $text = Get-Content C:\localSecPol.cfg
    $pattern = @("PasswordHistorySize", "MaximumPasswordAge =", "MinimumPasswordAge", "MinimumPasswordLength", "LockoutDuration", "LockoutBadCount")
    foreach ($element in $pattern) {
        $securitySetting = $text | Select-String -Pattern $element
        $desired = "$securitySetting is set to a desired setting"
        $notDesired = "$securitySetting is not set to a desired setting"
        if($securitySetting -match "24"){
            Write-Host $desired
            $score ++
        }elseif($securitySetting -match "60"){
            Write-Host $desired
            $score ++
        }elseif($securitySetting -match "1"){
            Write-Host $desired
            $score ++
        }elseif($securitySetting -match "14"){
            Write-Host $desired
            $score ++
        }elseif($securitySetting -match "15"){
            Write-Host $desired
            $score ++
        }elseif($securitySetting -match "10"){
            Write-Host $desired
            $score ++
        }else{
            Write-Host $notDesired
        }    
    }



    • Edited by BobbyTan Monday, July 24, 2017 6:54 PM
    Monday, July 24, 2017 6:29 PM

All replies

  • What is the question?  Why do you think you can change that file?

    \_(ツ)_/

    Monday, July 24, 2017 6:31 PM
  • Not to change the file but to do like an audit check to see whether the value in the file -matches with the value stated in the script. But it seems that if I were to change the value in the file (to simulate other systems that might have different values), it still outputs as desired.
    Monday, July 24, 2017 6:38 PM
  • Security templates are XML files.  Where did you get this file?


    \_(ツ)_/

    Monday, July 24, 2017 6:39 PM
  • Extracted the local policy group settings as an object and exported it into .txt to do a security auditing and hardening script.
    Monday, July 24, 2017 6:45 PM
  • How are you extracting the gp settings?


    \_(ツ)_/

    Monday, July 24, 2017 6:48 PM
  • secedit /export /cfg C:\localSecPol.cfg

    Missed it out in the original post. Just updated it.


    • Edited by BobbyTan Monday, July 24, 2017 6:55 PM
    Monday, July 24, 2017 6:51 PM
  • Ok.  You will have to write a RegEx or just case the matches and test the current line.

    Example:

    $lines = Get-Content localSecPol.cfg
    foreach($line in $lines) {
    	switch -regex ($line) {
    		'PasswordHistory' 		{ ($line -split ' = ')[1] }
    		'MaximumPasswordAge ' 	{ ($line -split ' = ')[1] }
    	}
    }


    \_(ツ)_/

    Monday, July 24, 2017 7:24 PM
  • We can also do it this way:

    $lines = Get-Content localSecPol.cfg
    foreach($line in $lines) {
    	switch -regex ($line) {
    		'PasswordHistory = (\d+)' 		{$matches[1]}
    		'MaximumPasswordAge = (\d+)' 	{$matches[1]}
    	}
    }



    \_(ツ)_/


    • Edited by jrv Monday, July 24, 2017 7:28 PM
    • Marked as answer by BobbyTan Tuesday, July 25, 2017 4:14 PM
    Monday, July 24, 2017 7:27 PM
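
The audit the question describes, as an added example that is not code from any poster in this thread: each setting is parsed by its exact name and compared as an integer with its own expected value, so a substring test such as `-match "1"` can no longer mark `14`, `15` or `10` as desired. The baseline pairs the six numbers from the question's script with its setting names in order (an assumed pairing), and the input is a constructed sample rather than a real `secedit` export.

```powershell
# Assumed baseline: the six values from the question's elseif chain, paired
# with its setting names in order (the pairing is an assumption).
$baseline = [ordered]@{
    PasswordHistorySize   = 24
    MaximumPasswordAge    = 60
    MinimumPasswordAge    = 1
    MinimumPasswordLength = 14
    LockoutDuration       = 15
    LockoutBadCount       = 10
}

# Constructed sample in the "Name = Value" form of the exported file.
# For a real audit use: $lines = Get-Content C:\localSecPol.cfg
$lines = @'
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 60
MinimumPasswordLength = 14
PasswordHistorySize = 24
LockoutBadCount = 60
'@ -split '\r?\n'

# Parse every "Name = Number" line into a lookup table keyed by the exact name.
$actual = @{}
foreach ($line in $lines) {
    if ($line -match '^\s*(\w+)\s*=\s*(\d+)\s*$') {
        $actual[$Matches[1]] = [int]$Matches[2]
    }
}

# Compare each setting with its own expected value, as integers.
$score = 0
$report = foreach ($name in $baseline.Keys) {
    $found = $actual.ContainsKey($name)
    $ok = $found -and ($actual[$name] -eq $baseline[$name])
    if ($ok) { $score++ }
    [pscustomobject]@{
        Setting  = $name
        Expected = $baseline[$name]
        Actual   = if ($found) { $actual[$name] } else { 'missing' }
        Desired  = $ok
    }
}
$report | Format-Table -AutoSize
"Score: $score of $($baseline.Count)"
```

With the constructed sample, `LockoutBadCount` (60 instead of 10) and the absent `LockoutDuration` are both reported as not desired, giving a score of 4 of 6.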