This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Howard_Gyton
Advisor
‎2019-07-23 04:00 AM
Jump to solution

SCV: Check for domain joined

Hi,

Does anyone know whether its possible to get SCV to check for keys outside of "Software".

We would like to be able to check for domain membership, so our SCV file has the following:

: (RegMonitor
:type (plugin)
:parameters (
:value ("SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain>='DOMAIN'")
:begin_admin (admin)
:send_log (alert)
:mismatchmessage ("This is not a Unit machine. Connection is not allowed.")
:end (admin)
)
)

We would also have the following setting to stop non SCV clients from being blocked:

:allow_non_scv_clients (true)

Which I hope would take care of Macs?

Howard

0 Kudos
1 Solution

Accepted Solutions
Alisson_Lima
Contributor
‎2019-07-23 11:19 AM
Jump to solution

Hello Howard,

 

You can use the RegMonitor for block machines out of company domain. I made this same configuration in this week, the parameters configured were:

(RegMonitor
:type (plugin)
:parameters (
:string ("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\MachineDomain=yourdomain.com")
:begin_admin (admin)
:send_log (alert)
:mismatchmessage ("You message for users")
:end (admin)

Don't forget configure this policy in SCVPolicy field. About macbook, according sk110975 you cannot use SCV file for macOS systems. If necessary, you have to use Compliance Blade prior to VPN connection.

Note to use Compliance Blade is necessary an adittional license for management server.

Thank you, good luck!

Alisson Lima

 

View solution in original post

0 Kudos
(1)
3 Replies
Alisson_Lima
Contributor
‎2019-07-23 11:19 AM
Jump to solution

Hello Howard,

 

You can use the RegMonitor for block machines out of company domain. I made this same configuration in this week, the parameters configured were:

(RegMonitor
:type (plugin)
:parameters (
:string ("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\MachineDomain=yourdomain.com")
:begin_admin (admin)
:send_log (alert)
:mismatchmessage ("You message for users")
:end (admin)

Don't forget configure this policy in SCVPolicy field. About macbook, according sk110975 you cannot use SCV file for macOS systems. If necessary, you have to use Compliance Blade prior to VPN connection.

Note to use Compliance Blade is necessary an adittional license for management server.

Thank you, good luck!

Alisson Lima

 

0 Kudos
(1)
Howard_Gyton
Advisor
‎2019-07-24 03:38 AM
In response to Alisson_Lima
Jump to solution

Hi Alisson,

I noticed my schoolboy error myself this morning. I had cribbed an entry from the support site that was checking the value of an integer and not a string, and should have had "=" and not ">=".  It was weird in that when I manually malformed the domain string in the registry that it triggered non-compliance, but didn't block traffic and never switched back to compliance.

It's working quite well for me now, thanks.

Classic case of RTFM! 🙂

One thing I did notice is that on the firewall itself, and the copy of "local.scv" that it has there is an extra line in the section that contains the checks you wish to enforce.

:SCVPolicy (
: (RegMonitor)
: (ckp_scv)
)

I didn't add this but it does have its own section in that file.

: (ckp_scv
:type (plugin)
:parameters (
:protect_all_ifc (true)
:non_ip_protocols (true)
:send_log (true)
:send_warning (true)
)
)

Not sure why that got enabled.

Howard

0 Kudos
Prabulingam_N1
Advisor
‎2020-04-22 11:23 PM
In response to Alisson_Lima
Jump to solution

Dear Alisson,

 

I had tried this setup for my customer and noticed the below situations.

1) Non Domain computers where RA VPN client (latest E82.40 installed) able to connect GW and able to access internalresources.

  Also it shows "Compliant"

2) Domain computers where RA VPN client (latest E82.40 installed) Unable to connect GW , shows Compliant error.

 

The result looks for me is exact opposite which I had configured in SCV file for Registry

 

Any idea,

Regards, Prabu

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events