Increase Code Coverage of PowerSTIG (#745)

* Fixed Missing OrgSettings for V-88203 - Win10 Client 1.19 and 1.21 (#672)

* fixed V-88203 to be org setting with Tenant Guid

* updated changelog.md

* fixed registry rule issue in sql 2016 (#671)

* Release Process Update: Ensure the nuget package uses explicit DSC Resource Module Versions (#670)

* dialy commit

* updated build task to leverage nuget

* added new line for Common.Data.ps1

* warning message to troubleshoot ADO pipeline

* updated package tasks

* updated release.module.build

* updated module

* updated release

* updated release

* updated release

* hard coded nuget.exe path

* fixed FilePath parameter

* dynamically detect nuget.exe

* nuget dynamic detection

* testing alternate nuget detection

* updated release to leverage get-command for nuget
detection

* updated code to replace only the task needed

* updated build funct. conform to style guideline

* updated New-NuspecFile funciton

* Update PowerSTIG to successfully parse/apply Windows 2012 R2 MS Version 2, Rev 19 (#679)

* added support for 2012 R2 V2R19

* added new line to xml

* added Server 2019 V1R5,removed V1R2 (#684)

* Update PowerSTIG to successfully parse/apply Windows 10 STIG - V1R23 (#682)

* Added Windows Client V1R23, Removed Windows CLient V1R19

* Added Windows Client V1R23, Removed Windows CLient V1R19

* removed random tabs

* removed tabs from converted

* updated based on feedback

Co-authored-by: Brian Wilhite <bcwilhite@live.com>

* added support for 2016 V1R12 DC/MS (#685)

* Fixed: IIS Sever 10.0 STIG hardening rule V-100163 fails with error in Windows Server 2019 while using PowerSTIG 4.4.2 (#689)

* updated PowerSTIG to use AccessControlDsc 1.4.1

* updated composites with AccessControlDsc 1.4.1

* Update PowerSTIG to successfully parse/apply IIS 10.0 Site/Server V1R2 STIGs (#701)

* added support for IIS 10 Site/Server V1R2

* updated IISServer 10 V1R1 org settings file

* Revert "updated IISServer 10 V1R1 org settings file"

This reverts commit 54d4e82.

* added Firefox V4R29 STIG, remove V4R27 (#700)

Co-authored-by: Brian Wilhite <bcwilhite@live.com>

* Update PowerSTIG to successfully parse/apply SQL Server 2016 Instance V1R10 (#705)

* added SQL 2016 Instance V1R10, removed V1R8

* Updated changelog.md

Co-authored-by: Brian Wilhite <bcwilhite@live.com>

* added dns V1R15 (#697)

squash/merge

* Update PowerSTIG To Use xDnsServer version 1.16.0.0 (#703)

* Updated xDnsServer version

* update module version

* updated changelog.md

* upgrade xWebadministration to 3.2.0 (#714)

* added IE 11 STIG - V1R19 (#708)

* Removed Windows Server 2016 DC/MS V1R9 from processed STIGs folder (#710)

* removed old 2016 DC/MS processed STIGs

* updated changelog.md

* Update PowerSTIG to successfully parse/apply IIS Site/Server V1R11 STIGs (#706)

* added support for IIS site/server V1R11

* removed old processed STIGs

* updated AuditPolicyDsc to 1.4.0.0 (#716)

* Allow application of applicable user rights assignments for non-domain and disconnected systems (#719)

* updated based on community feedback

* update based on feedback

* update powerstig to use SecurityPolicyDsc 2.10.0.0 (#717)

* updated PowerSTIG to use ComputerMgmtDsc to 8.4.0 (#721)

* Added SkipRuleCategory support to PowerSTIG

* updating test to be compat with new feature

* updated test configs with dynamic logic

* updated test logic to run get-dscresource once

* updated to disallow skipping doc/man rules

* updated integration dscresource tests

* testing code coverage

* updated registryrule test to include more coverage

* updated sqlscriptqueryrule tests

* updated setScript in Get-ShutdownOnError function

* updated permissionrule tests with add. test case

* updated permRule test to increase code coverage

* updated changelog

* updated test and code coverage threshold

* updated code coverage threshold to 81

* updated CC threshold to 80

Co-authored-by: Eric Jenkins <erjenkin@microsoft.com>

CHANGELOG.md

@@ -2,7 +2,7 @@
 
 ## [Unreleased]
 
-* Update PowerSTIG to increase code coverage of unit tests: [#737](https://github.com/microsoft/PowerStig/issues/737)
+* Update PowerSTIG to Increase Code Coverage of Unit Tests: [#737](https://github.com/microsoft/PowerStig/issues/737)
 * Update PowerSTIG with new SkipRuleSeverity Parameter to skip entire STIG Category/Severity Level(s): [711](https://github.com/microsoft/PowerStig/issues/711)
 
 ## [4.5.0] - 2020-09-01

Tests/Unit/Module/.tests.header.ps1

@@ -108,7 +108,8 @@ if ($global:moduleName -ne 'STIG.Checklist' -and $global:moduleName -ne 'STIG.Do
 }
 else
 {
-    import-module $script:moduleRoot\Module\Common\Common.psm1
+    $commonModulePath = Join-Path -Path $script:moduleRoot -ChildPath 'Module\Common\Common.psm1'
+    Import-Module -Name $commonModulePath
 }
 
 <#

Tests/Unit/Module/PermissionRule.tests.ps1

@@ -40,7 +40,7 @@ try
             The default location is the "%SystemRoot%\SYSTEM32\WINEVT\LOGS" directory.  They may have been moved to another folder.
 
             If the permissions for these files are not as restrictive as the ACLs listed, this is a finding.'
-            }
+            },
             @{
                 Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\'
                 AccessControlEntry = @(
@@ -84,7 +84,7 @@ try
                 Administrators - Full Control - This key and subkeys
                 Backup Operators - Read - This key only
                 LOCAL SERVICE - Read - This key and subkeys'
-            }
+            },
             @{
                 # Windows 10 STIG V-63593
                 Path = 'HKLM:\SECURITY'
@@ -118,6 +118,154 @@ try
             permission.
 
             If the defaults have not been changed, these are not a finding.'
+            },
+            @{
+                Path = '%windir%\sysvol'
+                AccessControlEntry = @(
+                    [pscustomobject]@{
+                        Rights         = 'ReadAndExecute'
+                        Inheritance    = 'This folder subfolders and files'
+                        Principal      = 'Authenticated Users'
+                        ForcePrincipal = $false
+                        Type           = 'Allow'
+                    },
+                    [pscustomobject]@{
+                        Rights         = 'ReadAndExecute'
+                        Inheritance    = 'This folder subfolders and files'
+                        Principal      = 'Server Operators'
+                        ForcePrincipal = $false
+                        Type           = 'Allow'
+                    },
+                    [pscustomobject]@{
+                        Rights         = 'AppendData,ChangePermissions,CreateDirectories,CreateFiles,Delete,DeleteSubdirectoriesAndFiles,ExecuteFile,ListDirectory,Modify,Read,ReadAndExecute,ReadAttributes,ReadData,ReadExtendedAttributes,ReadPermissions,Synchronize,TakeOwnership,Traverse,Write,WriteAttributes,WriteData,WriteExtendedAttributes'
+                        Inheritance    = 'This folder only'
+                        Principal      = 'Administrators'
+                        ForcePrincipal = $false
+                        Type           = 'Allow'
+                    },
+                    [pscustomobject]@{
+                        Rights         = 'FullControl'
+                        Inheritance    = 'Subfolders and files only'
+                        Principal      = 'CREATOR OWNER'
+                        ForcePrincipal = $false
+                        Type           = 'Allow'
+                    },
+                    [pscustomobject]@{
+                        Rights         = 'FullControl'
+                        Inheritance    = 'Subfolders and files only'
+                        Principal      = 'Administrators'
+                        ForcePrincipal = $false
+                        Type           = 'Allow'
+                    },
+                    [pscustomobject]@{
+                        Rights         = 'FullControl'
+                        Inheritance    = 'This folder subfolders and files'
+                        Principal      = 'SYSTEM'
+                        ForcePrincipal = $false
+                        Type           = 'Allow'
+                    }
+                )
+                Force = $true
+                OrganizationValueRequired = $false
+                CheckContent = "Verify the permissions on the SYSVOL directory.
+
+                Open a command prompt.
+                Run `"net share`".
+                Make note of the directory location of the SYSVOL share.
+
+                By default this will be \Windows\SYSVOL\sysvol.  For this requirement, permissions will be verified at the first SYSVOL directory level.
+
+                Open File Explorer.
+                Navigate to \Windows\SYSVOL (or the directory noted previously if different).
+                Right click the directory and select properties.
+                Select the Security tab.
+                Click Advanced.
+
+                If any standard user accounts or groups have greater than read & execute permissions, this is a finding. The default permissions noted below meet this requirement.
+
+                Type - Allow
+                Principal - Authenticated Users
+                Access - Read & execute
+                Inherited from - None
+                Applies to - This folder, subfolder and files
+
+                Type - Allow
+                Principal - Server Operators
+                Access - Read & execute
+                Inherited from - None
+                Applies to - This folder, subfolder and files
+
+                Type - Allow
+                Principal - Administrators
+                Access - Special
+                Inherited from - None
+                Applies to - This folder only
+                (Access - Special - Basic Permissions: all selected except Full control)
+
+                Type - Allow
+                Principal - CREATOR OWNER
+                Access - Full control
+                Inherited from - None
+                Applies to - Subfolders and files only
+
+                Type - Allow
+                Principal - Administrators
+                Access - Full control
+                Inherited from - None
+                Applies to - Subfolders and files only
+
+                Type - Allow
+                Principal - SYSTEM
+                Access - Full control
+                Inherited from - None
+                Applies to - This folder, subfolders and files
+
+                Alternately, use Icacls.exe to view the permissions of the SYSVOL directory.
+                Open a command prompt.
+                Run `"icacls c:\Windows\SYSVOL
+                The following results should be displayed:
+
+                NT AUTHORITY\Authenticated Users:(RX)
+                NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(GR,GE)
+                BUILTIN\Server Operators:(RX)
+                BUILTIN\Server Operators:(OI)(CI)(IO)(GR,GE)
+                BUILTIN\Administrators:(M,WDAC,WO)
+                BUILTIN\Administrators:(OI)(CI)(IO)(F)
+                NT AUTHORITY\SYSTEM:(F)
+                NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
+                BUILTIN\Administrators:(M,WDAC,WO)
+                CREATOR OWNER:(OI)(CI)(IO)(F)
+
+                (RX) - Read & execute
+                Run `"icacls /help`" to view definitions of other permission codes."
+            },
+            @{
+                Path = '%windir%\NTDS\*.*'
+                AccessControlEntry = @(
+                    [pscustomobject]@{
+                        Rights         = 'FullControl'
+                        Inheritance    = ''
+                        Principal      = 'NT AUTHORITY\SYSTEM'
+                        ForcePrincipal = $false
+                    }
+                )
+                Force = $true
+                OrganizationValueRequired = $false
+                CheckContent = 'Verify the permissions on the content of the NTDS directory.
+                Open the registry editor (regedit).
+                Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters.
+                Note the directory locations in the values for:
+                Database log files path
+                DSA Database file
+                By default they will be \Windows\NTDS. If the locations are different, the following will need to be run for each.
+                Open an elevated command prompt (Win+x, Command Prompt (Admin)).
+                Navigate to the NTDS directory (\Windows\NTDS by default).
+                Run "icacls *.*".
+                If the permissions on each file are not at least as restrictive as the following, this is a finding.
+                NT AUTHORITY\SYSTEM:(I)(F)
+                (I) - permission inherited from parent container
+                (F) - full access
+                Do not use File Explorer to attempt to view permissions of the NTDS folder. Accessing the folder through File Explorer will change the permissions on the folder.'
             }
         )
         #endregion

Tests/Unit/Module/RegistryRule.tests.ps1

@@ -186,6 +186,88 @@ try
                 HKCU\Software\Policies\Microsoft\Office\16.0\excel\security\fileblock
 
                 Criteria: If the value XL4Workbooks is REG_DWORD = 2, this is not a finding.'
+            },
+            @{
+                Key                       = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TCPIP\v6Transition'
+                ValueName                 = 'Force_Tunneling'
+                ValueData                 = 'Enabled'
+                ValueType                 = 'String'
+                Ensure                    = 'Present'
+                OrganizationValueRequired = $false
+                CheckContent              = 'If the following registry value does not exist or is not configured as specified, this is a finding:
+
+                Registry Hive: HKEY_LOCAL_MACHINE
+                Registry Path: \Software\Policies\Microsoft\Windows\TCPIP\v6Transition\
+
+                Value Name: Force_Tunneling
+
+                Type: REG_SZ
+                Value: Enabled'
+            },
+            @{
+                Key                       = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LocationAndSensors'
+                ValueName                 = 'DisableLocation'
+                ValueData                 = '1'
+                ValueType                 = 'Dword'
+                Ensure                    = 'Present'
+                OrganizationValueRequired = $false
+                CheckContent              = 'If the following registry value does not exist or is not configured as specified, this is a finding:
+
+                Registry Hive: HKEY_LOCAL_MACHINE
+                Registry Path: \Software\Policies\Microsoft\Windows\LocationAndSensors\
+
+                Value Name: DisableLocation
+
+                Type: REG_DWORD
+                Value: 1 (Enabled)
+
+                If location services are approved for the system by the organization, this may be set to "Disabled" (0).  This must be documented with the ISSO.'
+            },
+            @{
+                Key                       = 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths'
+                ValueName                 = 'Machine'
+                ValueData                 = 'System\CurrentControlSet\Control\ProductOptions;System\CurrentControlSet\Control\Server Applications;Software\Microsoft\Windows NT\CurrentVersion'
+                ValueType                 = 'MultiString'
+                Ensure                    = 'Present'
+                OrganizationValueRequired = $false
+                CheckContent              = "If the following registry value does not exist or is not configured as specified, this is a finding:
+
+Registry Hive: HKEY_LOCAL_MACHINE
+Registry Path: \System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\
+
+Value Name: Machine
+
+Value Type: REG_MULTI_SZ
+Value: see below
+System\CurrentControlSet\Control\ProductOptions
+System\CurrentControlSet\Control\Server Applications
+Software\Microsoft\Windows NT\CurrentVersion
+
+Legitimate applications may add entries to this registry value.  If an application requires these entries to function properly and is documented with the ISSO, this would not be a finding.
+Documentation must contain supporting information from the vendor's instructions."
+            },
+            @{
+                Key                       = 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
+                ValueName                 = 'NullSessionPipes'
+                ValueData                 = 'netlogon;samr;lsarpc'
+                ValueType                 = 'MultiString'
+                Ensure                    = 'Present'
+                OrganizationValueRequired = $false
+                CheckContent              = "If the following registry value does not exist or is not configured as specified, this is a finding:
+
+                Registry Hive: HKEY_LOCAL_MACHINE
+                Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\
+
+                Value Name: NullSessionPipes
+
+                Value Type: REG_MULTI_SZ
+                Value: netlogon, samr, lsarpc
+
+                The default configuration of systems promoted to domain controllers may include a blank entry in the first line prior to `"netlogon`", `"samr`", and `"lsarpc`".  This will appear in the registry as a blank
+                entry when viewing the registry key summary; however the value data for `"NullSessionPipes`" will contain the default entries.
+
+                Legitimate applications may add entries to this registry value. If an application requires these entries to function properly and is documented with the ISSO, this would not be a finding.
+                Documentation must contain supporting information from the vendor's instructions."
             }
         )
         #endregion
@@ -300,6 +382,7 @@ try
                 }
             }
         }
+
         Describe 'Match Static method' {
 
             $stringsToTest = @(
@@ -317,6 +400,7 @@ try
                 [RegistryRuleConvert]::Match($stringsToTest.string) | Should -Be $false
             }
         }
+
         Describe 'Test-RegistryValueDataContainsRange' {
 
             $rangeStrings = @(