With the MS12-020 RDP exploit that was just announced, I wanted to be able to determine which of our servers have Network Level Authentication enabled for Remote Desktop, which will help reduce the risk until they are patched. I created a Configuration Item to determine if NLA is enabled based on the UserAuthentication value being set to “1” in the following registry key: HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp. After reviewing some compliance reports, I noticed some servers were showing up as not compliant even though a GPO was in place to enable NLA for them. Of course, I overlooked the fact that if you enable NLA using Group Policy, the UserAuthentication value is located in HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services.
I have only used the DCM feature of SCCM once before, so I was not very familiar with it. I attempted to find a way to create a second Configuration Item for the second registry location, and create a baseline that reports compliance if either item is validated. It appears this is not possible.
So – in order to get accurate compliance information (whether a server has NLA enabled manually or through Group Policy) I wrote a script to check both registry locations and report as compliant if NLA is enabled in either location.
————
REM This script will detect if Network Level Authentication is enabled either manually or by GPO
REM This script will return "Compliant" if NLA is enabled in either registry location
strComputer = "."
Const HKLM = &H80000002
REM Per-listener setting (written when NLA is enabled manually)
Const PathManual = "System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
REM Policy setting (written when NLA is enabled through Group Policy)
Const PathGPO = "Software\Policies\Microsoft\Windows NT\Terminal Services"
Const valueName = "UserAuthentication"
Set REG = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
REM If a key or value is missing, the output variable stays empty and the comparison below is False
REG.GetDWORDValue HKLM, PathManual, valueName, manualNLA
REG.GetDWORDValue HKLM, PathGPO, valueName, GPONLA
If manualNLA = 1 Then
    WScript.Echo "Compliant"
ElseIf GPONLA = 1 Then
    WScript.Echo "Compliant"
Else
    WScript.Echo "NOTCompliant"
End If
————
This is how the Configuration Item is configured:
- On the Settings tab select New – Script.
- On the General tab provide a Name, specify VBScript as the Script language, and enter the script above.
- On the Validation tab set the Data Type to String, and create a new validation entry by clicking the New button. The Validation Operator should be set to Equals, and the Value should be set to Compliant (because the script returns either “Compliant” or “NOTCompliant”).
- Add this Configuration Item to a Baseline and assign it to a Collection.
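As an added example (not code from the original post), here is the same check written as a PowerShell discovery script, which SCCM 2012 and later accept for script-based settings in place of VBScript. It goes one step beyond the VBScript above: because a value under HKLM\Software\Policies takes precedence over the per-listener value, a GPO that explicitly sets UserAuthentication to 0 is reported as NOTCompliant even if the RDP-Tcp key still says 1. The function names, and the choice to treat a completely missing value as not compliant, are my own.

```powershell
# Added example (not from the original post): report the effective NLA state for
# an SCCM DCM script setting. Policy value wins over the per-listener value.
$PathManual = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$PathGPO    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$ValueName  = 'UserAuthentication'

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist instead of throwing,
    # so a server without the policy key is handled the same way as the VBScript.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-NlaState {
    $gpo    = Get-RegistryDword -Path $PathGPO    -Name $ValueName
    $manual = Get-RegistryDword -Path $PathManual -Name $ValueName

    # Assumption made explicit here: a policy value, when present, overrides the
    # listener's own setting. A missing value in both places is treated as NLA off
    # (fail closed for a compliance check).
    if ($null -ne $gpo)         { $effective = $gpo;    $source = 'GPO' }
    elseif ($null -ne $manual)  { $effective = $manual; $source = 'Manual' }
    else                        { $effective = 0;       $source = 'NotSet' }

    [pscustomobject]@{
        Effective = $effective
        Source    = $source
        Manual    = $manual
        GPO       = $gpo
    }
}

$state = Get-NlaState
# The DCM validation rule compares this single line against the string "Compliant",
# exactly as with the VBScript version.
if ($state.Effective -eq 1) { Write-Output 'Compliant' } else { Write-Output 'NOTCompliant' }
```

When troubleshooting a server that reports NOTCompliant, run the script interactively and inspect the object returned by Get-NlaState: the Source field tells you whether the decision came from the policy key, the listener key, or from neither being set, which is the information the single-word DCM output deliberately hides.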