Hi All,
We’ve been Rapid7 IVM users for roughly four years, and we’re still experiencing significant issues with Agent-Based Policies. I couldn’t find any existing posts discussing this, so I figured I’d share our experience and ask for potential solutions.
Our number one complaint is the tool’s inability to correctly and consistently report registry values across our environment, which is the primary use case for us. Is anyone else experiencing similar issues (more info below)?
Issues:
- Consistently reporting on the true configuration of the device.
  - The tool will report that a rule is failing, but when we check the associated Group Policy and registry key for that specific rule, the device is actually configured correctly.
  - This is an issue I’ve discussed with Support and my Customer Advisor many times. A device may show compliance with 96% of rules one day, then drop to 35% the next, without any configuration changes. The tool is clearly capable of reporting the correct state at times; however, getting it to do so consistently has recently become impossible.
  - This behavior is impacting roughly 20% of our environment at any given time. As a result, using this tool to troubleshoot enforcement or configuration issues isn’t practical or reliable.
  - Most often, when this occurs, the Proof section will simply state the expected registry value and mark the asset as failing, without displaying the actual value currently set on the system. When this happens, it’s been our strongest indicator that the device is configured correctly and is instead being evaluated incorrectly by the tool.
- User-based rules or rules which reference User Rights Assignments.
  - We’ve had support cases open regarding Rapid7’s ability to correctly report on user-based rules since day one. Ultimately, we’ve had to resort to overriding any rules that check HKEY_USERS, due to the presence of the correctly configured local administrator account (SID-500).
  - Using HKEY_CURRENT_USER would be the logical next step to address this; however, through multiple support cases, we’ve been informed that there are limitations with the agent’s ability to query that registry location.
- Proper communication regarding new version releases.
  - When a new CIS policy is released within Rapid7, the tool just enables the latest version, doesn’t migrate any overrides, and doesn’t provide any notice that the new version has been released or anything.
  - I’ve chatted with my CA regarding this, and they shared that there were a lot of complaints and open tickets on this.
Also, do any of you use the agent-based policies tool in a heavily regulated environment (Healthcare, FI, etc.)?
I’ve asked a prior Customer Advisor to help identify peer organizations that are using Agent-Based Policies in a similar compliance-focused capacity, and we were told that we’re essentially alone in this use case, which I find hard to believe. That said, there also don’t seem to be many community discussions or shared experiences around this particular tool.
Any feedback on your issues or experiences would be appreciated.
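As an added example (this is not part of the original post and is not Rapid7's code), here is a PowerShell check for independently verifying what a user-scoped benchmark rule should evaluate to on a given host: it walks every loaded per-user hive under HKEY_USERS, resolves each SID to an account name, reads the rule's actual value, and flags the built-in Administrator hive (the one whose SID ends in RID 500) so it can be excluded from the comparison, which is the case the post describes having to override. The rule definition (subkey, value name, expected data) is a hypothetical sample; substitute the path and expected value from the rule that the Proof section reports as failing.

```powershell
# Added example, not from the original post and not Rapid7 code.
# Cross-checks a user-scoped registry rule against every loaded user hive
# under HKEY_USERS and reports the actual value per SID/account.
# Run from an elevated PowerShell session.

# Hypothetical sample rule; replace with the failing benchmark rule's details.
$Rule = @{
    Name     = 'Screen saver timeout (sample rule)'
    SubKey   = 'Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    Value    = 'ScreenSaveTimeOut'
    Expected = '900'
}

function Test-UserHiveRule {
    param(
        [Parameter(Mandatory)] [hashtable] $Rule,
        # By default the built-in Administrator (RID 500) hive is skipped,
        # mirroring the override described in the post; pass this to include it.
        [switch] $IncludeBuiltinAdmin
    )

    # Only hives currently loaded (logged-on users) appear under HKEY_USERS.
    # Domain/local user hives start with S-1-5-21-; skip .DEFAULT, service
    # SIDs and the *_Classes alias keys.
    Get-ChildItem -Path 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' } |
        ForEach-Object {
            $sid            = $_.PSChildName
            $isBuiltinAdmin = $sid -match '-500$'
            if ($isBuiltinAdmin -and -not $IncludeBuiltinAdmin) { return }  # skip this hive

            # Resolve SID -> account; orphaned SIDs (deleted users) fail to translate.
            try {
                $account = (New-Object System.Security.Principal.SecurityIdentifier($sid)).
                    Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $account = '<unresolved>'
            }

            # Read the value exactly as a per-user check would see it for this SID.
            $keyPath = "Registry::HKEY_USERS\$sid\$($Rule.SubKey)"
            $actual  = $null
            if (Test-Path -Path $keyPath) {
                $actual = (Get-ItemProperty -Path $keyPath -Name $Rule.Value -ErrorAction SilentlyContinue).($Rule.Value)
            }
            $display = if ($null -eq $actual) { '<not set>' } else { "$actual" }

            [pscustomobject]@{
                Rule         = $Rule.Name
                SID          = $sid
                Account      = $account
                BuiltinAdmin = $isBuiltinAdmin
                Actual       = $display
                Expected     = $Rule.Expected
                Pass         = ("$actual" -eq $Rule.Expected)
            }
        }
}

# Show every loaded hive, including RID 500, so the excluded case is visible.
Test-UserHiveRule -Rule $Rule -IncludeBuiltinAdmin | Format-Table -AutoSize
```

Two caveats worth keeping in mind when comparing this output to the agent's Proof section. First, a service running as LocalSystem does not have an interactive user's hive, so HKEY_CURRENT_USER in that context does not resolve to any of the logged-on users' hives above; that is one reason per-user checks have to enumerate HKEY_USERS by SID rather than read HKCU. Second, hives for users who are not logged on are not loaded, so this script will not see them; to inspect one, load its NTUSER.DAT first (`reg load HKU\TempHive "C:\Users\<name>\NTUSER.DAT"`, then `reg unload HKU\TempHive` when done), and note that the loaded hive will appear under the name you chose rather than the user's SID.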