

Product Name: CIS-CAT Pro Assessor v4

Product Version: All

Date



Problem

I am getting a lot of unknown results in my Windows assessments.

Solution

Check to make sure the policy is set in the correct UI path.

The recommendation is to run gpresult -h on the system in question and check against what CIS-CAT is reporting. Make sure the UI paths in the assessor HTML report and the gpresult HTML report match.

If they do not match, then follow the remediation steps in the CIS-CAT HTML report to make the UI path match.

In the CIS HTML report, check the assessment evidence to make sure no extra policies are being applied. If there are extra policies in place, this will result in a fail. See the examples below:

FAIL:

PASS:

The first example fails because it is pulling an extra policy from IIS APPPOOL and not adhering to the criterion. The second example passes because it matches the criterion and does not pull any extra policies.

Please also note:

Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative
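To see which of these sources actually governs a given domain account, the following PowerShell sketch compares the domain default policy with any PSO that applies. It is an added example, not part of the CIS-CAT product or the original article; it assumes the ActiveDirectory module (RSAT) is installed, and the function name `Get-PasswordPolicySource` and the account name `jdoe` are hypothetical.

```powershell
# Added example: needs the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

function Get-PasswordPolicySource {
    param(
        # Hypothetical parameter: the domain account to check.
        [Parameter(Mandatory)] [string] $SamAccountName
    )

    # Domain-wide defaults, read from the domain object.
    $default = Get-ADDefaultDomainPasswordPolicy

    # The PSO that wins for this user, or $null when no PSO applies.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName

    # A PSO overrides the domain default for the accounts it targets.
    $effective = if ($pso) { $pso } else { $default }

    [pscustomobject]@{
        User              = $SamAccountName
        Source            = if ($pso) { "PSO: $($pso.Name)" } else { 'Domain default' }
        MinPasswordLength = $effective.MinPasswordLength
        PasswordHistory   = $effective.PasswordHistoryCount
        MaxPasswordAge    = $effective.MaxPasswordAge
        ComplexityEnabled = $effective.ComplexityEnabled
        LockoutThreshold  = $effective.LockoutThreshold
        LockoutDuration   = $effective.LockoutDuration
    }
}

# Every PSO in the domain; the lowest Precedence value wins when several apply.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Sort-Object Precedence |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, AppliesTo

# 'jdoe' is a placeholder account name.
Get-PasswordPolicySource -SamAccountName 'jdoe'

# On a member computer this prints the policy in effect for local accounts,
# which is the part a GPO other than the Default Domain Policy changes.
net accounts
```

If the `net accounts` values on the assessed computer differ from the domain default, the password or lockout settings are arriving from a GPO other than the Default Domain Policy.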

Keywords: Unknown


Copyright © 2020

Center for Internet Security®

