Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Incorrect check control in OS with spanish language #58

Open
CarlosM4 opened this issue Sep 19, 2024 · 6 comments
Open

Incorrect check control in OS with spanish language #58

CarlosM4 opened this issue Sep 19, 2024 · 6 comments
Assignees
@0x6d69636b

Comments

@CarlosM4
Copy link

Hello Team,

The controls that check local accounts or groups, such as Guest, Administrators, do not give the expected result when the OS language is in Spanish.

Default account names in spanish: Invitado, Administrador

Example of failed controls:

221 User Rights Assignment: Access Credential Manager as a trusted caller
222 User Rights Assignment: Access this computer from the network
223 User Rights Assignment: Act as part of the operating system
224 User Rights Assignment: Adjust memory quotas for a process
225 User Rights Assignment: Allow log on locally
226 User Rights Assignment: Allow log on through Remote Desktop Services
227 User Rights Assignment: Back up files and directories
228 User Rights Assignment: Change the system time
229 User Rights Assignment: Change the time zone

Is it possible to perform the check for 2 types of languages (English and Spanish) at the same time just by modifying the .CSV?

Regards
@0x6d69636b 0x6d69636b self-assigned this Sep 20, 2024
@0x6d69636b
Copy link
Member

It works for local and well-known groups on a Spanish system, doesn't it? So only local users like Invitado or Administrador are a problem?

@CarlosM4
Copy link
Author

The script works on a Spanish system, only the check is the one that does not give the expected result, because it validates only user in English.

I understand that I could modify the .CSV and change the corresponding users according to the language, but I wanted to know if there is a way to make it work for both languages?

@0x6d69636b
Copy link
Member

There is already a translation function in place for well-known groups, hence my question about groups already working. If only the local accounts (RID 500 and 501) are wrong, then I could extend the translation function. If everything is wrong then I need to debug it

@CarlosM4
Copy link
Author

Below is an example of a control check, in this case the expected result should be “Severity: Low” since the “Administrador” account has not been renamed.

Result is Passed:
[+] ID 2.3.1.4, Accounts: Rename administrator account, Result=Administrador, Recommended=Administrator, Severity=Passed

In the .CSV the condition is for any name other than “Administrator”, so it takes it as correct.

Template used: finding_list_cis_microsoft_windows_11_enterprise_22h2_machine

0x6d69636b added a commit to 0x6d69636b/windows_hardening that referenced this issue Sep 22, 2024
@0x6d69636b
Add translation for local accounts, try to fix /scipag/HardeningKitty…
44a3711 
…/issues/58
@0x6d69636b
Copy link
Member

I have added the translation of local accounts in the dev version, this should fix all items of User Rights Assignment checks.

However, it will not fix your last point, the Accounts: Rename administrator account check. Here you need to change the RecommendedValue in the CSV file, as you have already done.

@CarlosM4
Copy link
Author

Thank you very much for the support, I will try this version.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@0x6d69636b 0x6d69636b

Labels
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@0x6d69636b @CarlosM4