Update PowerSTIG to successfully parse/apply Windows 2019 MS/DC V1R5 #684

Merged
merged 1 commit into from
Jul 29, 2020
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -2,6 +2,7 @@

## [Unreleased]

* Update PowerSTIG to successfully parse/apply Windows Server 2019 Instance Ver. 1 Rel. 5: [#683](https://github.com/microsoft/PowerStig/issues/683)
* Release Process Update: Ensure the nuget package uses explicit DSC Resource Module Versions: [#667](https://github.com/microsoft/PowerStig/issues/667)
* Fixed [#668](https://github.com/microsoft/PowerStig/issues/668): Incorrect key for SSL 3.0 rules in SqlServer-2016-Instance.*.xml
* Fixed [#669](https://github.com/microsoft/PowerStig/issues/669): Missing TLS 1.2 configuration for rule V-97521
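Review bot: the new entry at the top of the Unreleased list reads "Windows Server 2019 Instance Ver. 1 Rel. 5", but "Instance" is the wording of the SQL Server STIG files (compare the SqlServer-2016-Instance entry two lines further down), and this change is titled for the Windows 2019 MS/DC STIG. Suggest "Windows Server 2019 MS/DC Ver. 1 Rel. 5" so the changelog names the benchmarks that were actually updated.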
@@ -1,15 +1,15 @@
<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet type='text/xsl' href='STIG_unclass.xsl'?>
<Benchmark xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:cpe="http://cpe.mitre.org/language/2.0" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:dc="http://purl.org/dc/elements/1.1/" id="Windows_Server_2019_DC_STIG" xml:lang="en" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 http://nvd.nist.gov/schema/xccdf-1.1.4.xsd http://cpe.mitre.org/dictionary/2.0 http://cpe.mitre.org/files/cpe-dictionary_2.1.xsd" xmlns="http://checklists.nist.gov/xccdf/1.1">
<status date="2019-07-09">accepted</status>
<status date="2020-06-15">accepted</status>
<title>Windows Server 2019 Security Technical Implementation Guide</title>
<description>This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.</description>
<notice id="terms-of-use" xml:lang="en" />
<reference href="http://iase.disa.mil">
<reference href="https://cyber.mil">
<dc:publisher>DISA</dc:publisher>
<dc:source>STIG.DOD.MIL</dc:source>
</reference>
<plain-text id="release-info">Release: 2 Benchmark Date: 26 Jul 2019</plain-text>
<plain-text id="release-info">Release: 5 Benchmark Date: 17 Jun 2020</plain-text>
<version>1</version>
<Profile id="MAC-1_Classified">
<title>I - Mission Critical Classified</title>
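Review bot: only the DC benchmark is visible in this change although the title says MS/DC; the Benchmark id on the third line of this hunk is Windows_Server_2019_DC_STIG. Please confirm the member server benchmark carries the same header values (status date 2020-06-15 and "Release: 5 Benchmark Date: 17 Jun 2020") and the new V-102625 content, so the two files do not end up on different releases.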
Expand Down Expand Up @@ -317,6 +317,7 @@
<select idref="V-93565" selected="true" />
<select idref="V-93567" selected="true" />
<select idref="V-93571" selected="true" />
<select idref="V-102625" selected="true" />
</Profile>
<Profile id="MAC-1_Public">
<title>I - Mission Critical Public</title>
Expand Down Expand Up @@ -624,6 +625,7 @@
<select idref="V-93565" selected="true" />
<select idref="V-93567" selected="true" />
<select idref="V-93571" selected="true" />
<select idref="V-102625" selected="true" />
</Profile>
<Profile id="MAC-1_Sensitive">
<title>I - Mission Critical Sensitive</title>
Expand Down Expand Up @@ -931,6 +933,7 @@
<select idref="V-93565" selected="true" />
<select idref="V-93567" selected="true" />
<select idref="V-93571" selected="true" />
<select idref="V-102625" selected="true" />
</Profile>
<Profile id="MAC-2_Classified">
<title>II - Mission Support Classified</title>
Expand Down Expand Up @@ -1238,6 +1241,7 @@
<select idref="V-93565" selected="true" />
<select idref="V-93567" selected="true" />
<select idref="V-93571" selected="true" />
<select idref="V-102625" selected="true" />
</Profile>
<Profile id="MAC-2_Public">
<title>II - Mission Support Public</title>
Expand Down Expand Up @@ -1545,6 +1549,7 @@
<select idref="V-93565" selected="true" />
<select idref="V-93567" selected="true" />
<select idref="V-93571" selected="true" />
<select idref="V-102625" selected="true" />
</Profile>
<Profile id="MAC-2_Sensitive">
<title>II - Mission Support Sensitive</title>
Expand Down Expand Up @@ -1852,6 +1857,7 @@
<select idref="V-93565" selected="true" />
<select idref="V-93567" selected="true" />
<select idref="V-93571" selected="true" />
<select idref="V-102625" selected="true" />
</Profile>
<Profile id="MAC-3_Classified">
<title>III - Administrative Classified</title>
Expand Down Expand Up @@ -2159,6 +2165,7 @@
<select idref="V-93565" selected="true" />
<select idref="V-93567" selected="true" />
<select idref="V-93571" selected="true" />
<select idref="V-102625" selected="true" />
</Profile>
<Profile id="MAC-3_Public">
<title>III - Administrative Public</title>
Expand Down Expand Up @@ -2466,6 +2473,7 @@
<select idref="V-93565" selected="true" />
<select idref="V-93567" selected="true" />
<select idref="V-93571" selected="true" />
<select idref="V-102625" selected="true" />
</Profile>
<Profile id="MAC-3_Sensitive">
<title>III - Administrative Sensitive</title>
Expand Down Expand Up @@ -2773,6 +2781,7 @@
<select idref="V-93565" selected="true" />
<select idref="V-93567" selected="true" />
<select idref="V-93571" selected="true" />
<select idref="V-102625" selected="true" />
</Profile>
<Group id="V-92961">
<title>SRG-OS-000028-GPOS-00009</title>
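Review bot: the added select for V-102625 is repeated at the end of each of the nine MAC profiles, and nothing in the change guards against a profile being missed or an idref that resolves to no Group. The lines themselves are published content and should stay as they are, but a test that checks every select idref in the benchmark against the Group ids, and that V-102625 appears in all nine profiles, would catch a bad merge when the next release is imported.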
Expand Down Expand Up @@ -6254,7 +6263,7 @@ Value: 0x00000001 (1)</check-content>
<Group id="V-93175">
<title>SRG-OS-000042-GPOS-00020</title>
<description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
<Rule id="SV-103263r1_rule" severity="medium" weight="10.0">
<Rule id="SV-103263r2_rule" severity="medium" weight="10.0">
<version>WN19-CC-000460</version>
<title>Windows Server 2019 PowerShell script block logging must be enabled.</title>
<description>&lt;VulnDiscussion&gt;Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.
Expand All @@ -6270,12 +6279,12 @@ Enabling PowerShell script block logging will record detailed information from t
<ident system="http://iase.disa.mil/cci">CCI-000135</ident>
<fixtext fixref="F-99421r1_fix">Configure the policy value for Computer Configuration &gt;&gt; Administrative Templates &gt;&gt; Windows Components &gt;&gt; Windows PowerShell &gt;&gt; "Turn on PowerShell Script Block Logging" to "Enabled".</fixtext>
<fix id="F-99421r1_fix" />
<check system="C-92493r1_chk">
<check system="C-92493r3_chk">
<check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Windows_Server_2019_STIG.xml" />
<check-content>If the following registry value does not exist or is not configured as specified, this is a finding:

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\ Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\
Registry Path: \SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\

Value Name: EnableScriptBlockLogging

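Review bot: the corrected Registry Path line in V-93175 (now "\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\", previously "\SOFTWARE\ Policies\..." with a stray space) changes the string the registry parsing sees, so any correction that was keyed on the old spelling will no longer match. Please confirm the converted rule for WN19-CC-000460 resolves to the path without the space, and drop any workaround that existed for the old text. The fixtext and fix ids stay at F-99421r1_fix while the check id moves to C-92493r3_chk, which is consistent with a check-only revision.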
Expand Down Expand Up @@ -6853,12 +6862,12 @@ If the "Password Last Set" date is more than one year old, this is a finding.</c
<Group id="V-93211">
<title>SRG-OS-000480-GPOS-00227</title>
<description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
<Rule id="SV-103299r1_rule" severity="medium" weight="10.0">
<Rule id="SV-103299r3_rule" severity="medium" weight="10.0">
<version>WN19-DC-000430</version>
<title>The password for the krbtgt account on a domain must be reset at least every 180 days.</title>
<description>&lt;VulnDiscussion&gt;The krbtgt account acts as a service account for the Kerberos Key Distribution Center (KDC) service. The account and password are created when a domain is created and the password is typically not changed. If the krbtgt account is compromised, attackers can create valid Kerberos Ticket Granting Tickets (TGT).

The password must be changed twice to effectively remove the password history. Changing once, waiting for replication to complete and changing again reduces the risk of issues. Changing twice in rapid succession forces clients to re-authenticate (including application services) but is desired if a compromise is suspected.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description>
The password must be changed twice to effectively remove the password history. Changing once, waiting for replication to complete and the amount of time equal to or greater than the maximum Kerberos ticket lifetime, and changing again reduces the risk of issues.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description>
<reference>
<dc:title>DPMS Target Windows 2019</dc:title>
<dc:publisher>DISA</dc:publisher>
Expand Down Expand Up @@ -13705,6 +13714,55 @@ The configuration requirements will be determined by the applicable firewall STI
</check>
</Rule>
</Group>
<Group id="V-102625">
<title>WN19-CC-000451</title>
<description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
<Rule id="SV-111575r1_rule" severity="medium" weight="10.0">
<version>WN19-CC-000451</version>
<title>The Windows Explorer Preview pane must be disabled for Windows Server 2019.</title>
<description>&lt;VulnDiscussion&gt;A known vulnerability in Windows could allow the execution of malicious code by either opening a compromised document or viewing it in the Windows Preview pane.

Organizations must disable the Windows Preview pane and Windows Detail pane.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description>
<reference>
<dc:title>DPMS Target Windows 2019</dc:title>
<dc:publisher>DISA</dc:publisher>
<dc:type>DPMS Target</dc:type>
<dc:subject>Windows 2019</dc:subject>
<dc:identifier>3483</dc:identifier>
</reference>
<ident system="http://iase.disa.mil/cci">CCI-000366</ident>
<fixtext fixref="F-108155r2_fix">Ensure the following settings are configured for Windows Server 2019 locally or applied through group policy.

Configure the policy value for User Configuration &gt;&gt; Administrative Templates &gt;&gt; Windows Components &gt;&gt; File Explorer &gt;&gt; Explorer Frame Pane "Turn off Preview Pane" to "Enabled".

Configure the policy value for User Configuration &gt;&gt; Administrative Templates &gt;&gt; Windows Components &gt;&gt; File Explorer &gt;&gt; Explorer Frame Pane "Turn on or off details pane" to "Enabled" and "Configure details pane" to "Always hide".
</fixtext>
<fix id="F-108155r2_fix" />
<check system="C-101363r3_chk">
<check-content-ref name="M" href="DPMS_XCCDF_Benchmark_Windows_Server_2019_STIG.xml" />
<check-content>If the following registry values do not exist or are not configured as specified, this is a finding:

Registry Hive: HKEY_CURRENT_USER
Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer

Value Name: NoPreviewPane

Value Type: REG_DWORD

Value: 1

Registry Hive: HKEY_CURRENT_USER
Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer

Value Name: NoReadingPane

Value Type: REG_DWORD

Value: 1
</check-content>
</check>
</Rule>
</Group>
<Group id="V-92963">
<title>SRG-OS-000297-GPOS-00115</title>
<description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
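Review bot: the check-content of the new V-102625 rule carries two registry value blocks (NoPreviewPane and NoReadingPane) under HKEY_CURRENT_USER, whereas the other registry check visible in this diff (V-93175) has a single HKEY_LOCAL_MACHINE value. Please confirm the conversion produces an entry for both values rather than only the first, and that the HKEY_CURRENT_USER hive is handled deliberately: the fixtext is a User Configuration policy, and an apply that runs under a service account would set the values in that account's hive, not the logged-on user's. The Group title here is WN19-CC-000451 rather than an SRG-OS id like the neighbouring groups; that comes from the published file, but anything that keys on the Group title should be checked against it.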