Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update PowerSTIG to successfully parse/apply Microsoft IIS 10 Server/Site STIG - V1R1 #641

Merged
merged 6 commits into from
May 29, 2020
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,10 +2,11 @@

## [Unreleased]

* Update PowerSTIG to successfully parse Microsoft IIS Server/Site 10.0 STIG STIG V1R1: [#632](https://github.com/microsoft/PowerStig/issues/632)
* Update PowerSTIG to successfully parse Microsoft Visio 2013 STIG V1R4: [#629](https://github.com/microsoft/PowerStig/issues/629)
* Update PowerSTIG to successfully parse/apply Windows Defender Antivirus STIG - V1R8: [#625](https://github.com/microsoft/PowerStig/issues/625)
* Update PowerSTIG to successfully parse Microsoft SQL Server 2012 Database STIG V1R20: [#618](https://github.com/microsoft/PowerStig/issues/618)
* Update PowerSTIG to successfully parse/apply Microsoft IIS Server/Site STIG - Ver 1, Rel10: [#622](https://github.com/microsoft/PowerStig/issues/622)
* Update PowerSTIG to successfully parse/apply Microsoft IIS Server/Site 8.5 STIG - Ver 1, Rel10: [#622](https://github.com/microsoft/PowerStig/issues/622)
* Update PowerSTIG to use Azure Pipelines and DSC Community based build logic: [#600](https://github.com/microsoft/PowerStig/issues/600)
* Update PowerSTIG to parse/convert the Vmware Vsphere 6.5 STIG V1R3: [#604](https://github.com/microsoft/PowerStig/issues/604)
* Fixed [#616](https://github.com/microsoft/PowerStig/issues/616): Unable to Import PowerSTIG 4.4.0 Due to cyclic dependency Error
Expand Down
10 changes: 10 additions & 0 deletions source/Module/Common/Functions.XccdfXml.ps1
Original file line number Diff line number Diff line change
Expand Up @@ -406,6 +406,16 @@ function Split-BenchmarkId
$returnId = 'IISSite_8.5'
continue
}
{$PSItem -match "IIS_10-0_Site"}
{
$returnId = 'IISSite_10.0'
continue
}
{$PSItem -match "IIS_10-0_Server"}
{
$returnId = 'IISServer_10.0'
continue
}
{$PSItem -match "Domain_Name_System"}
{
# The Windows Server 2012 and 2012 R2 STIGs are combined, so return the 2012R2
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -195,7 +195,7 @@ class IisLoggingRuleConvert : IisLoggingRule
if
(
$CheckContent -Match 'Logging' -and
$CheckContent -Match 'IIS 8\.5' -and
$CheckContent -Match 'IIS 8\.5|IIS 10\.0' -and
$CheckContent -NotMatch 'review source IP' -and
$CheckContent -NotMatch 'verify only authorized groups' -and
$CheckContent -NotMatch 'Confirm|Consult with the System Administrator' -and
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -154,7 +154,7 @@ class MimeTypeRuleConvert : MimeTypeRule
if
(
$CheckContent -Match 'MIME Types' -and
$CheckContent -Match 'IIS 8\.5'
$CheckContent -Match 'IIS 8\.5|IIS 10\.0'
)
{
return $true
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -163,7 +163,7 @@ class PermissionRuleConvert : PermissionRule
$CheckContent -NotMatch 'Windows Registry Editor' -and
$CheckContent -NotMatch '(ID|id)s? .* (A|a)uditors?,? (SA|sa)s?,? .* (W|w)eb (A|a)dministrators? .* access to log files?' -and
$CheckContent -NotMatch '\n*\.NET Trust Level' -and
$CheckContent -NotMatch 'IIS 8\.5 web' -and
$CheckContent -NotMatch 'IIS 8\.5 web|IIS 10\.0 web' -and
$CheckContent -cNotmatch 'SELECT' -and
$CheckContent -NotMatch 'SQL Server' -and
$CheckContent -NotMatch 'user\srights\sand\spermissions' -and
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -148,7 +148,7 @@ class WebConfigurationPropertyRuleConvert : WebConfigurationPropertyRule
(
$CheckContent -Match '\.NET Trust Level' -or
(
$CheckContent -Match 'IIS 8\.5 web|IIS 10\.0' -and
$CheckContent -Match 'IIS 8\.5 web|IIS 10\.0 web' -and
$CheckContent -NotMatch 'document'
) -and
(
Expand All @@ -171,7 +171,8 @@ class WebConfigurationPropertyRuleConvert : WebConfigurationPropertyRule
$CheckContent -NotMatch 'Authorization Rules' -and
$CheckContent -NotMatch 'regedit <enter>' -and
$CheckContent -NotMatch 'Enable proxy' -and
$CheckContent -NotMatch 'SSL Settings'
$CheckContent -NotMatch 'SSL Settings' -and
$CheckContent -NotMatch 'Strict-Transport-Security'
)
)
{
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
V-100115::This check does not apply to service account IDs utilized by automated services necessary to process, manage, and store log files::If an account associated with roles other than auditors
V-100177::*::HardCodedRule(RegistryRule)@{DscResource = 'Registry'; Ensure = 'Present'; Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server'; ValueData = 1; ValueName = 'DisabledByDefault'; ValueType = 'DWORD'}<splitRule>HardCodedRule(RegistryRule)@{DscResource = 'Registry'; Ensure = 'Present'; Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'; ValueData = 0; ValueName = 'DisabledByDefault'; ValueType = 'DWORD'}<splitRule>HardCodedRule(RegistryRule)@{DscResource = 'Registry'; Ensure = 'Present'; Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server'; ValueData = 1; ValueName = 'DisabledByDefault'; ValueType = 'DWORD'}<splitRule>HardCodedRule(RegistryRule)@{DscResource = 'Registry'; Ensure = 'Present'; Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server'; ValueData = 1; ValueName = 'DisabledByDefault'; ValueType = 'DWORD'}<splitRule>HardCodedRule(RegistryRule)@{DscResource = 'Registry'; Ensure = 'Present'; Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server'; ValueData = 1; ValueName = 'DisabledByDefault'; ValueType = 'DWORD'}<splitRule>HardCodedRule(RegistryRule)@{DscResource = 'Registry'; Ensure = 'Present'; Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server'; ValueData = 0; ValueName = 'Enabled'; ValueType = 'DWORD'}<splitRule>HardCodedRule(RegistryRule)@{DscResource = 'Registry'; Ensure = 'Present'; Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server'; ValueData = 0; ValueName = 'Enabled'; ValueType = 'DWORD'}<splitRule>HardCodedRule(RegistryRule)@{DscResource = 'Registry'; Ensure = 'Present'; Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server'; ValueData = 0; ValueName = 'Enabled'; ValueType = 'DWORD'}<splitRule>HardCodedRule(RegistryRule)@{DscResource = 'Registry'; Ensure = 'Present'; Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server'; ValueData = 0; ValueName = 'Enabled'; ValueType = 'DWORD'}
V-100163::CREATOR OWNER: Full Control, Subfolders and files only::CREATOR OWNER: Full Control - Subfolders and files only

Large diffs are not rendered by default.

Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
V-100191::System Administrator::""
V-100223::System Administrator::""
V-100229::If the "maxAllowedContentLength" value is not explicitly set to "30000000" or less or a length documented and approved by the ISSO, this is a finding.::If the "maxAllowedContentLength" value is not explicitly set to "30000000" or less or a length approved by the ISSO, this is a finding.
1,272 changes: 1,272 additions & 0 deletions source/StigData/Archive/Web Server/U_MS_IIS_10-0_Site_V1R1_Manual-xccdf.xml

Large diffs are not rendered by default.

11 changes: 11 additions & 0 deletions source/StigData/Processed/IISServer-10.0-1.1.org.default.xml
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
<!--
The organizational settings file is used to define the local organizations
preferred setting within an allowed range of the STIG.

Each setting in this file is linked by STIG ID and the valid range is in an
associated comment.
-->
<OrganizationalSettings fullversion="1.1">
<!-- Ensure ''V-100145.b'' -le '00:20:00'-->
<OrganizationalSetting id="V-100145.b" Value="00:20:00" />
</OrganizationalSettings>
Loading