Update PowerSTIG to successfully parse/apply Microsoft IIS 10 Server/…

…Site STIG - V1R1 (#641)

* added IIS 10.0 Server

* updated IIS 10 site stig

* updated based on tests

* updated based on tests

* updated log file

CHANGELOG.md

@@ -2,10 +2,11 @@
 
 ## [Unreleased]
 
+* Update PowerSTIG to successfully parse Microsoft IIS Server/Site 10.0 STIG STIG V1R1: [#632](https://github.com/microsoft/PowerStig/issues/632)
 * Update PowerSTIG to successfully parse Microsoft Visio 2013 STIG V1R4: [#629](https://github.com/microsoft/PowerStig/issues/629)
 * Update PowerSTIG to successfully parse/apply Windows Defender Antivirus STIG - V1R8: [#625](https://github.com/microsoft/PowerStig/issues/625)
 * Update PowerSTIG to successfully parse Microsoft SQL Server 2012 Database STIG V1R20: [#618](https://github.com/microsoft/PowerStig/issues/618)
-* Update PowerSTIG to successfully parse/apply Microsoft IIS Server/Site STIG - Ver 1, Rel10: [#622](https://github.com/microsoft/PowerStig/issues/622)
+* Update PowerSTIG to successfully parse/apply Microsoft IIS Server/Site 8.5 STIG - Ver 1, Rel10: [#622](https://github.com/microsoft/PowerStig/issues/622)
 * Update PowerSTIG to use Azure Pipelines and DSC Community based build logic: [#600](https://github.com/microsoft/PowerStig/issues/600)
 * Update PowerSTIG to parse/convert the Vmware Vsphere 6.5 STIG V1R3: [#604](https://github.com/microsoft/PowerStig/issues/604)
 * Fixed [#616](https://github.com/microsoft/PowerStig/issues/616): Unable to Import PowerSTIG 4.4.0 Due to cyclic dependency Error

source/Module/Common/Functions.XccdfXml.ps1

@@ -406,6 +406,16 @@ function Split-BenchmarkId
             $returnId = 'IISSite_8.5'
             continue
         }
+        {$PSItem -match "IIS_10-0_Site"}
+        {
+            $returnId = 'IISSite_10.0'
+            continue
+        }
+        {$PSItem -match "IIS_10-0_Server"}
+        {
+            $returnId = 'IISServer_10.0'
+            continue
+        }
         {$PSItem -match "Domain_Name_System"}
         {
             # The Windows Server 2012 and 2012 R2 STIGs are combined, so return the 2012R2

source/Module/Rule.IISLogging/Convert/IISLoggingRule.Convert.psm1

@@ -195,7 +195,7 @@ class IisLoggingRuleConvert : IisLoggingRule
         if
         (
             $CheckContent -Match 'Logging' -and
-            $CheckContent -Match 'IIS 8\.5' -and
+            $CheckContent -Match 'IIS 8\.5|IIS 10\.0' -and
             $CheckContent -NotMatch 'review source IP' -and
             $CheckContent -NotMatch 'verify only authorized groups' -and
             $CheckContent -NotMatch 'Confirm|Consult with the System Administrator' -and

source/Module/Rule.MimeType/Convert/MimeTypeRule.Convert.psm1

@@ -154,7 +154,7 @@ class MimeTypeRuleConvert : MimeTypeRule
         if
         (
             $CheckContent -Match 'MIME Types' -and
-            $CheckContent -Match 'IIS 8\.5'
+            $CheckContent -Match 'IIS 8\.5|IIS 10\.0'
         )
         {
             return $true

source/Module/Rule.Permission/Convert/PermissionRule.Convert.psm1

@@ -163,7 +163,7 @@ class PermissionRuleConvert : PermissionRule
             $CheckContent -NotMatch 'Windows Registry Editor' -and
             $CheckContent -NotMatch '(ID|id)s? .* (A|a)uditors?,? (SA|sa)s?,? .* (W|w)eb (A|a)dministrators? .* access to log files?' -and
             $CheckContent -NotMatch '\n*\.NET Trust Level' -and
-            $CheckContent -NotMatch 'IIS 8\.5 web' -and
+            $CheckContent -NotMatch 'IIS 8\.5 web|IIS 10\.0 web' -and
             $CheckContent -cNotmatch 'SELECT' -and
             $CheckContent -NotMatch 'SQL Server' -and
             $CheckContent -NotMatch 'user\srights\sand\spermissions' -and

source/Module/Rule.WebConfigurationProperty/Convert/WebConfigurationPropertyRule.Convert.psm1

@@ -148,7 +148,7 @@ class WebConfigurationPropertyRuleConvert : WebConfigurationPropertyRule
         (
             $CheckContent -Match '\.NET Trust Level' -or
             (
-                $CheckContent -Match 'IIS 8\.5 web|IIS 10\.0' -and
+                $CheckContent -Match 'IIS 8\.5 web|IIS 10\.0 web' -and
                 $CheckContent -NotMatch 'document'
             ) -and
             (
@@ -171,7 +171,8 @@ class WebConfigurationPropertyRuleConvert : WebConfigurationPropertyRule
                 $CheckContent -NotMatch 'Authorization Rules' -and
                 $CheckContent -NotMatch 'regedit <enter>' -and
                 $CheckContent -NotMatch 'Enable proxy' -and
-                $CheckContent -NotMatch 'SSL Settings'
+                $CheckContent -NotMatch 'SSL Settings' -and
+                $CheckContent -NotMatch 'Strict-Transport-Security'
             )
         )
         {

source/StigData/Archive/Web Server/U_MS_IIS_10-0_Server_V1R1_Manual-xccdf.log

@@ -0,0 +1,3 @@
+V-100115::This check does not apply to service account IDs utilized by automated services necessary to process, manage, and store log files::If an account associated with roles other than auditors
+V-100177::*::HardCodedRule(RegistryRule)@{DscResource = 'Registry'; Ensure = 'Present'; Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server'; ValueData = 1; ValueName = 'DisabledByDefault'; ValueType = 'DWORD'}<splitRule>HardCodedRule(RegistryRule)@{DscResource = 'Registry'; Ensure = 'Present'; Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'; ValueData = 0; ValueName = 'DisabledByDefault'; ValueType = 'DWORD'}<splitRule>HardCodedRule(RegistryRule)@{DscResource = 'Registry'; Ensure = 'Present'; Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server'; ValueData = 1; ValueName = 'DisabledByDefault'; ValueType = 'DWORD'}<splitRule>HardCodedRule(RegistryRule)@{DscResource = 'Registry'; Ensure = 'Present'; Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server'; ValueData = 1; ValueName = 'DisabledByDefault'; ValueType = 'DWORD'}<splitRule>HardCodedRule(RegistryRule)@{DscResource = 'Registry'; Ensure = 'Present'; Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server'; ValueData = 1; ValueName = 'DisabledByDefault'; ValueType = 'DWORD'}<splitRule>HardCodedRule(RegistryRule)@{DscResource = 'Registry'; Ensure = 'Present'; Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server'; ValueData = 0; ValueName = 'Enabled'; ValueType = 'DWORD'}<splitRule>HardCodedRule(RegistryRule)@{DscResource = 'Registry'; Ensure = 'Present'; Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server'; ValueData = 0; ValueName = 'Enabled'; ValueType = 'DWORD'}<splitRule>HardCodedRule(RegistryRule)@{DscResource = 'Registry'; Ensure = 'Present'; Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server'; ValueData = 0; ValueName = 'Enabled'; ValueType = 'DWORD'}<splitRule>HardCodedRule(RegistryRule)@{DscResource = 'Registry'; Ensure = 'Present'; Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server'; ValueData = 0; ValueName = 'Enabled'; ValueType = 'DWORD'}
+V-100163::CREATOR OWNER: Full Control, Subfolders and files only::CREATOR OWNER: Full Control - Subfolders and files only

source/StigData/Archive/Web Server/U_MS_IIS_10-0_Site_V1R1_Manual-xccdf.log

@@ -0,0 +1,3 @@
+V-100191::System Administrator::""
+V-100223::System Administrator::""
+V-100229::If the "maxAllowedContentLength" value is not explicitly set to "30000000" or less or a length documented and approved by the ISSO, this is a finding.::If the "maxAllowedContentLength" value is not explicitly set to "30000000" or less or a length approved by the ISSO, this is a finding.

source/StigData/Processed/IISServer-10.0-1.1.org.default.xml

@@ -0,0 +1,11 @@
+<!--
+    The organizational settings file is used to define the local organizations
+    preferred setting within an allowed range of the STIG.
+
+    Each setting in this file is linked by STIG ID and the valid range is in an
+    associated comment.
+-->
+<OrganizationalSettings fullversion="1.1">
+  <!-- Ensure ''V-100145.b'' -le '00:20:00'-->
+  <OrganizationalSetting id="V-100145.b" Value="00:20:00" />
+</OrganizationalSettings>