Product Name

CIS-CAT Pro Assessor v4

Product Version

All

Date



Problem

I am getting a lot of unknown results in my Windows assessments.

OR

I am getting a lot of false failures in my Windows assessments.

OR

I am getting differing results on two machines with “identical” policies applied.

Solution

  1. Check to make sure the policy is set correctly.

    1. The recommendation is to run gpresult -h on the system in question and check against what CIS-CAT is reporting. Make sure the UI paths in the assessor HTML report and the gpresult HTML report match.

    2. If they do not match, then follow the remediation steps in the CIS-CAT HTML report to make the UI path match.

    3. If the gpresult HTML report is not showing what you are looking for, the GPO is not set properly. For example, if the userRight section is missing, the userRight section is not being applied correctly and you will most likely fail any checks related to userRights.

  2. In the CIS HTML report, check the assessment evidence to make sure no extra policies are being applied. If there are extra policies in place, this will result in a fail. See the examples below:

PASS:

The first example passes because it matches the criterion and does not pull any extra policies.

FAIL:

The second example fails due to the extra GPO from the IIS APPPOOL. The recommendation will continue to fail until that GPO is removed. If the extra GPO is required, the Benchmark will need to be customized to pass the check.
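The PASS/FAIL distinction in step 2, as an added example (not part of the original article and not CIS-CAT's own logic): it parses a constructed secedit user-rights export and flags any principal beyond the expected set. It assumes the evidence in question is a User Rights Assignment; the expected sets, the sample SIDs and the function names are illustrative.

```powershell
# Constructed sample of the [Privilege Rights] section produced by:
#   secedit /export /cfg rights.inf /areas USER_RIGHTS
# The S-1-5-82-... SID is a made-up stand-in for an IIS APPPOOL identity.
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
SeAuditPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-82-1111111111-2222222222-3333333333-4444444444-5555555555
[Version]
signature="$CHICAGO$"
'@

# Expected principals per right (assumed values; take the real ones from your benchmark).
$expected = @{
    SeImpersonatePrivilege = 'S-1-5-19', 'S-1-5-20', 'S-1-5-32-544', 'S-1-5-6'
    SeAuditPrivilege       = 'S-1-5-19', 'S-1-5-20'
}

function Get-PrivilegeRights {
    param([string[]]$Lines)
    $rights = @{}
    $inSection = $false
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
        } elseif ($inSection -and $text -match '^(\w+)\s*=\s*(.*)$') {
            # Values are comma-separated; SIDs carry a leading '*'.
            $rights[$Matches[1]] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    $rights
}

function Compare-UserRight {
    param([hashtable]$Actual, [string]$Right, [string[]]$Expected)
    $have    = @(if ($Actual.ContainsKey($Right)) { $Actual[$Right] })
    $extra   = @($have | Where-Object { $_ -notin $Expected })
    $missing = @($Expected | Where-Object { $_ -notin $have })
    [pscustomobject]@{
        Right   = $Right
        Result  = if ($extra.Count -or $missing.Count) { 'FAIL' } else { 'PASS' }
        Extra   = $extra -join ', '
        Missing = $missing -join ', '
    }
}

$actual = Get-PrivilegeRights -Lines ($sampleInf -split "`r?`n")
$expected.Keys | ForEach-Object { Compare-UserRight $actual $_ $expected[$_] }
```

On a live system, replace the sample with the lines of a real export read via Get-Content; secedit needs an elevated prompt.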


Please also note:

Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative

Note

The Default Domain Policy is set at the top of the domain hierarchy and will almost always win. Use the Default Domain Policy only when you want a setting to apply to everything, such as the password policy.

Keywords: Unknown, Windows, false failure

Copyright © 2020

Center for Internet Security®

