added Server 2019 V1R5,removed V1R2 (#684)
erjenkin authored Jul 29, 2020
1 parent 559692f commit 403d620
Showing 10 changed files with 245 additions and 26 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
@@ -2,6 +2,7 @@

## [Unreleased]

* Update PowerSTIG to successfully parse/apply Windows Server 2019 Instance Ver. 1 Rel. 5: [#683](https://github.com/microsoft/PowerStig/issues/683)
* Release Process Update: Ensure the nuget package uses explicit DSC Resource Module Versions: [#667](https://github.com/microsoft/PowerStig/issues/667)
* Update PowerSTIG to successfully parse/apply Windows 2012 R2 MS Version 2, Rev 19: [#676](https://github.com/microsoft/PowerStig/issues/676)
* Fixed [#668](https://github.com/microsoft/PowerStig/issues/668): Incorrect key for SSL 3.0 rules in SqlServer-2016-Instance.*.xml
@@ -1,15 +1,15 @@
<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet type='text/xsl' href='STIG_unclass.xsl'?>
<Benchmark xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:cpe="http://cpe.mitre.org/language/2.0" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:dc="http://purl.org/dc/elements/1.1/" id="Windows_Server_2019_DC_STIG" xml:lang="en" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 http://nvd.nist.gov/schema/xccdf-1.1.4.xsd http://cpe.mitre.org/dictionary/2.0 http://cpe.mitre.org/files/cpe-dictionary_2.1.xsd" xmlns="http://checklists.nist.gov/xccdf/1.1">
<status date="2019-07-09">accepted</status>
<status date="2020-06-15">accepted</status>
<title>Windows Server 2019 Security Technical Implementation Guide</title>
<description>This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.</description>
<notice id="terms-of-use" xml:lang="en" />
<reference href="http://iase.disa.mil">
<reference href="https://cyber.mil">
<dc:publisher>DISA</dc:publisher>
<dc:source>STIG.DOD.MIL</dc:source>
</reference>
<plain-text id="release-info">Release: 2 Benchmark Date: 26 Jul 2019</plain-text>
<plain-text id="release-info">Release: 5 Benchmark Date: 17 Jun 2020</plain-text>
<version>1</version>
<Profile id="MAC-1_Classified">
<title>I - Mission Critical Classified</title>
@@ -317,6 +317,7 @@
<select idref="V-93565" selected="true" />
<select idref="V-93567" selected="true" />
<select idref="V-93571" selected="true" />
<select idref="V-102625" selected="true" />
</Profile>
<Profile id="MAC-1_Public">
<title>I - Mission Critical Public</title>
@@ -624,6 +625,7 @@
<select idref="V-93565" selected="true" />
<select idref="V-93567" selected="true" />
<select idref="V-93571" selected="true" />
<select idref="V-102625" selected="true" />
</Profile>
<Profile id="MAC-1_Sensitive">
<title>I - Mission Critical Sensitive</title>
@@ -931,6 +933,7 @@
<select idref="V-93565" selected="true" />
<select idref="V-93567" selected="true" />
<select idref="V-93571" selected="true" />
<select idref="V-102625" selected="true" />
</Profile>
<Profile id="MAC-2_Classified">
<title>II - Mission Support Classified</title>
@@ -1238,6 +1241,7 @@
<select idref="V-93565" selected="true" />
<select idref="V-93567" selected="true" />
<select idref="V-93571" selected="true" />
<select idref="V-102625" selected="true" />
</Profile>
<Profile id="MAC-2_Public">
<title>II - Mission Support Public</title>
@@ -1545,6 +1549,7 @@
<select idref="V-93565" selected="true" />
<select idref="V-93567" selected="true" />
<select idref="V-93571" selected="true" />
<select idref="V-102625" selected="true" />
</Profile>
<Profile id="MAC-2_Sensitive">
<title>II - Mission Support Sensitive</title>
@@ -1852,6 +1857,7 @@
<select idref="V-93565" selected="true" />
<select idref="V-93567" selected="true" />
<select idref="V-93571" selected="true" />
<select idref="V-102625" selected="true" />
</Profile>
<Profile id="MAC-3_Classified">
<title>III - Administrative Classified</title>
@@ -2159,6 +2165,7 @@
<select idref="V-93565" selected="true" />
<select idref="V-93567" selected="true" />
<select idref="V-93571" selected="true" />
<select idref="V-102625" selected="true" />
</Profile>
<Profile id="MAC-3_Public">
<title>III - Administrative Public</title>
@@ -2466,6 +2473,7 @@
<select idref="V-93565" selected="true" />
<select idref="V-93567" selected="true" />
<select idref="V-93571" selected="true" />
<select idref="V-102625" selected="true" />
</Profile>
<Profile id="MAC-3_Sensitive">
<title>III - Administrative Sensitive</title>
@@ -2773,6 +2781,7 @@
<select idref="V-93565" selected="true" />
<select idref="V-93567" selected="true" />
<select idref="V-93571" selected="true" />
<select idref="V-102625" selected="true" />
</Profile>
<Group id="V-92961">
<title>SRG-OS-000028-GPOS-00009</title>
@@ -6254,7 +6263,7 @@ Value: 0x00000001 (1)</check-content>
<Group id="V-93175">
<title>SRG-OS-000042-GPOS-00020</title>
<description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
<Rule id="SV-103263r1_rule" severity="medium" weight="10.0">
<Rule id="SV-103263r2_rule" severity="medium" weight="10.0">
<version>WN19-CC-000460</version>
<title>Windows Server 2019 PowerShell script block logging must be enabled.</title>
<description>&lt;VulnDiscussion&gt;Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.
@@ -6270,12 +6279,12 @@ Enabling PowerShell script block logging will record detailed information from t
<ident system="http://iase.disa.mil/cci">CCI-000135</ident>
<fixtext fixref="F-99421r1_fix">Configure the policy value for Computer Configuration &gt;&gt; Administrative Templates &gt;&gt; Windows Components &gt;&gt; Windows PowerShell &gt;&gt; "Turn on PowerShell Script Block Logging" to "Enabled".</fixtext>
<fix id="F-99421r1_fix" />
<check system="C-92493r1_chk">
<check system="C-92493r3_chk">
<check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Windows_Server_2019_STIG.xml" />
<check-content>If the following registry value does not exist or is not configured as specified, this is a finding:

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\ Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\
Registry Path: \SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\

Value Name: EnableScriptBlockLogging

@@ -6853,12 +6862,12 @@ If the "Password Last Set" date is more than one year old, this is a finding.</c
<Group id="V-93211">
<title>SRG-OS-000480-GPOS-00227</title>
<description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
<Rule id="SV-103299r1_rule" severity="medium" weight="10.0">
<Rule id="SV-103299r3_rule" severity="medium" weight="10.0">
<version>WN19-DC-000430</version>
<title>The password for the krbtgt account on a domain must be reset at least every 180 days.</title>
<description>&lt;VulnDiscussion&gt;The krbtgt account acts as a service account for the Kerberos Key Distribution Center (KDC) service. The account and password are created when a domain is created and the password is typically not changed. If the krbtgt account is compromised, attackers can create valid Kerberos Ticket Granting Tickets (TGT).

The password must be changed twice to effectively remove the password history. Changing once, waiting for replication to complete and changing again reduces the risk of issues. Changing twice in rapid succession forces clients to re-authenticate (including application services) but is desired if a compromise is suspected.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description>
The password must be changed twice to effectively remove the password history. Changing once, waiting for replication to complete and the amount of time equal to or greater than the maximum Kerberos ticket lifetime, and changing again reduces the risk of issues.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description>
<reference>
<dc:title>DPMS Target Windows 2019</dc:title>
<dc:publisher>DISA</dc:publisher>
@@ -13705,6 +13714,55 @@ The configuration requirements will be determined by the applicable firewall STI
</check>
</Rule>
</Group>
<Group id="V-102625">
<title>WN19-CC-000451</title>
<description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
<Rule id="SV-111575r1_rule" severity="medium" weight="10.0">
<version>WN19-CC-000451</version>
<title>The Windows Explorer Preview pane must be disabled for Windows Server 2019.</title>
<description>&lt;VulnDiscussion&gt;A known vulnerability in Windows could allow the execution of malicious code by either opening a compromised document or viewing it in the Windows Preview pane.

Organizations must disable the Windows Preview pane and Windows Detail pane.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description>
<reference>
<dc:title>DPMS Target Windows 2019</dc:title>
<dc:publisher>DISA</dc:publisher>
<dc:type>DPMS Target</dc:type>
<dc:subject>Windows 2019</dc:subject>
<dc:identifier>3483</dc:identifier>
</reference>
<ident system="http://iase.disa.mil/cci">CCI-000366</ident>
<fixtext fixref="F-108155r2_fix">Ensure the following settings are configured for Windows Server 2019 locally or applied through group policy.

Configure the policy value for User Configuration &gt;&gt; Administrative Templates &gt;&gt; Windows Components &gt;&gt; File Explorer &gt;&gt; Explorer Frame Pane "Turn off Preview Pane" to "Enabled".

Configure the policy value for User Configuration &gt;&gt; Administrative Templates &gt;&gt; Windows Components &gt;&gt; File Explorer &gt;&gt; Explorer Frame Pane "Turn on or off details pane" to "Enabled" and "Configure details pane" to "Always hide".
</fixtext>
<fix id="F-108155r2_fix" />
<check system="C-101363r3_chk">
<check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Windows_Server_2019_STIG.xml" />
<check-content>If the following registry values do not exist or are not configured as specified, this is a finding:

Registry Hive: HKEY_CURRENT_USER
Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer

Value Name: NoPreviewPane

Value Type: REG_DWORD

Value: 1

Registry Hive: HKEY_CURRENT_USER
Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer

Value Name: NoReadingPane

Value Type: REG_DWORD

Value: 1
</check-content>
</check>
</Rule>
</Group>
<Group id="V-92963">
<title>SRG-OS-000297-GPOS-00115</title>
<description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
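Review bot: The added Group V-102625 (WN19-CC-000451) is checked under `Registry Hive: HKEY_CURRENT_USER`, so a scan or configuration run only proves the setting for the account it executes as, unlike the machine-wide `HKEY_LOCAL_MACHINE` value used by the ScriptBlockLogging check corrected earlier in this section. Its single `<check-content>` also carries two values, `NoPreviewPane` and `NoReadingPane`, and the rule title names only the Preview pane while the discussion requires the Detail pane as well; a conversion that keeps only the first registry entry would report the control as met with half of it applied. The converted output is not visible on this page, so it is worth confirming that it emits both values in the user policy scope and recording that in the changelog, e.g. `* Server 2019 V1R5 adds V-102625 (HKEY_CURRENT_USER: NoPreviewPane and NoReadingPane)`.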