Update Powerstig to parse/apply Microsoft Edge STIG - Ver 2, Rel 1 #1364
This commit is contained in:
Michael Rasmussen 2024-09-10 13:23:11 -04:00 committed by GitHub
Parent b1a135e378 819a102223
Commit 04a51a8ed0
No known key found for this signature
GPG Key ID: B5690EEEBB952194
6 changed files with 170 additions and 72 deletions

View File

@ -17,9 +17,11 @@
* Update Powerstig to parse\apply Microsoft Windows 10 STIG - Ver 3, Rel 1 [#1366](https://github.com/microsoft/PowerStig/issues/1366)
* Update Powerstig to parse/apply Microsoft Edge STIG - Ver 2, Rel 1 [#1364](https://github.com/microsoft/PowerStig/issues/1350)
## [4.22.0] - 2024-05-31
* Update Powerstig to parse/apply Microsoft Edge STIG - Ver 1, Rel 8 [#1350](https://github.com/microsoft/PowerStig/issues/1350)
* Update Powerstig to parse/apply Microsoft Edge STIG - Ver 1, Rel 8 [#1350](https://github.com/microsoft/PowerStig/issues/1364)
* Update PowerSTIG to Parse/Apply Microsoft Windows 11 STIG - Ver 1, Rel 6 [#1341](https://github.com/microsoft/PowerStig/issues/1341)
* Update PowerSTIG to Parse/Apply Microsoft Windows 10 STIG - Ver 2, Rel 9 [#1342](https://github.com/microsoft/PowerStig/issues/1342)
* Update PowerSTIG to Parse/Apply Microsoft Windows Server 2016 STIG - Ver 2, Rel 8 [#1340](https://github.com/microsoft/PowerStig/issues/1340)
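Review bot: the link targets on the two Edge entries look swapped. The new "Microsoft Edge STIG - Ver 2, Rel 1" line is labelled #1364 but points at issues/1350, and the "Ver 1, Rel 8" line under 4.22.0 that points at issues/1364 is still labelled #1350. Point the Ver 2, Rel 1 entry at issues/1364 and leave the released 4.22.0 entry on issues/1350. Minor style point: the Windows 10 line writes "parse\apply" where the other entries use "parse/apply".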

View File

@ -44,8 +44,8 @@ Hashes for **PowerSTIG** files are listed in the following table:
| InternetExplorer-11-2.5.xml | C9F83548B41374FDEC86DC274B5BF0CD756C9968C04E0DF5880BF298ED22F3E2 | 331506 |
| McAfee-8.8-VirusScan-5.16.org.default.xml | 28792D63E69F797CA02CCAE52F537B1001D9069BD7DE4F5A73375424C19FE660 | 777 |
| McAfee-8.8-VirusScan-5.16.xml | 22CAEE788CA69690819D46548D19E40163FD8EB799F8EC7FAA4E5FB714C4F445 | 244268 |
| MS-Edge-1.7.org.default.xml | C9F9FB4395B3D2FED0F2C37742396488167CC7D1E76DADE7943A2095270FEDC9 | 1057 |
| MS-Edge-1.7.xml | 4B4FCE687416445ABFAF7D2FB4603D62867743664D92F721E3D77ADB11442FE2 | 115718 |
| MS-Edge-2.1.org.default.xml | C9F9FB4395B3D2FED0F2C37742396488167CC7D1E76DADE7943A2095270FEDC9 | 1057 |
| MS-Edge-2.1.xml | 4B4FCE687416445ABFAF7D2FB4603D62867743664D92F721E3D77ADB11442FE2 | 115718 |
| MS-Edge-1.8.org.default.xml | 855E51BA09F4ABDEC200555443B2ADD2922FD71F207059E2F1AB11A524950A1D | 1057 |
| MS-Edge-1.8.xml | A11903B541EDF5BD28569E9E1914DAE6B9FAFFFBF99BA775DD8A0435E9DF9872 | 121220 |
| Office-365ProPlus-2.11.org.default.xml | D0F16611A925DC87CEEE57410763DBCA63AEB23B1AD041A697146BD306EFD3A3 | 2451 |
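Review bot: the MS-Edge-2.1.org.default.xml and MS-Edge-2.1.xml rows repeat the SHA256 and size values of the 1.7 rows they replace. The converted Edge file in this commit gains a new DISASTIG header and three rules (V-260465 to V-260467), so neither its hash nor its size of 115718 can be unchanged. Recompute both rows from the committed files. The 2.1 rows also sit above the 1.8 rows; move them below to keep the table in version order.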
@ -106,8 +106,8 @@ Hashes for **PowerSTIG** files are listed in the following table:
| SqlServer-2012-Instance-1.19.xml | 1313489DECFD7B137F53C9A55DA8068075CDD8015DBE24AEC77CC4276D910185 | 725272 |
| SqlServer-2012-Instance-1.20.org.default.xml | BB9345EFCFBDB1FDCF731620B233BBD6B1CFD8856A25422D753D9D668D850860 | 1098 |
| SqlServer-2012-Instance-1.20.xml | 6E8F27FE02ACF7877AB36F90F8C2CADCD8A93A3500288D41EF06070E7C992C66 | 717809 |
| SqlServer-2016-Instance-2.11.org.default.xml | 2DBF44494DE10F1FA437CA86ED5BB46B4B4D2580F214DA1BF311937CF43B425B | 624 |
| SqlServer-2016-Instance-2.11.xml | 4EBF10C32E91ABFE37E68E68939C684A03536C8D521B96E499A210FF3B6A1F19 | 471144 |
| SqlServer-2016-Instance-3.1.org.default.xml | 2DBF44494DE10F1FA437CA86ED5BB46B4B4D2580F214DA1BF311937CF43B425B | 624 |
| SqlServer-2016-Instance-3.1.xml | 4EBF10C32E91ABFE37E68E68939C684A03536C8D521B96E499A210FF3B6A1F19 | 471144 |
| SqlServer-2016-Instance-2.12.org.default.xml | 000912E234F2FB69307CEDA322588043A8DDAC796D6AEBA89A3F483E5D2A9958 | 617 |
| SqlServer-2016-Instance-2.12.xml | 3855233D9EB5BDE3189D5A476C06D030F61C2F94FCF28FEF7B9B63B4CE03168B | 472461 |
| Ubuntu-18.04-2.13.org.default.xml | 00C159706325AE5539AD725A5CA9E303FE04E5C9CE458E9DE676C7468BDFBA56 | 6921 |
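Review bot: the SqlServer-2016-Instance-3.1 rows carry exactly the hash and size values of the 2.11 rows (sizes 624 and 471144), which reads as a relabelled row rather than a recomputed hash. If 3.1 files ship with this change, compute the values from them and place the rows after 2.12; if they do not, these rows should not be edited here.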
@ -118,8 +118,8 @@ Hashes for **PowerSTIG** files are listed in the following table:
| Vsphere-6.5-2.2.xml | E3A2F2D4C89416D14A8F3AB4DC6A5444DEA9683AFB2A21A653749995F289AD24 | 144122 |
| Vsphere-6.5-2.3.org.default.xml | B8539D6118706486E3F451AC2466FE5BABC1C9DB30C1A48C80D3FFA32354056E | 797 |
| Vsphere-6.5-2.3.xml | DE07939A8EC08F52E77FF411FF04359FCE02035C5038B70FBA2ADC42B994BEAA | 146293 |
| WindowsClient-10-2.8.org.default.xml | D6B2BE56A048DAA4088F4B5DF411536634665ACA12714075243E4BD4367405B1 | 5942 |
| WindowsClient-10-2.8.xml | 3719ECFCFFE9B00DA8943660F8036A818875F74B344B8D3C2A60C6ED665A7867 | 545651 |
| WindowsClient-10-3.1.org.default.xml | D6B2BE56A048DAA4088F4B5DF411536634665ACA12714075243E4BD4367405B1 | 5942 |
| WindowsClient-10-3.1.xml | 3719ECFCFFE9B00DA8943660F8036A818875F74B344B8D3C2A60C6ED665A7867 | 545651 |
| WindowsClient-10-2.9.org.default.xml | 7864F653B324A5B71EAE976EB6B74ACFEBEAFB4EC0BDBDC3D266AD6A9EFC8BC9 | 5942 |
| WindowsClient-10-2.9.xml | 075671F5E0C6F3D8B5946B848CAE5053715D8E73EFEDFD4DB188F4D45C945A3B | 545581 |
| WindowsClient-11-1.5.org.default.xml | 38AF026B97AEB5F9072839C807B0A5F1E0D47C3996F419240DC6DDA90EC5F0CB | 6281 |
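Review bot: the WindowsClient-10-3.1 rows reuse the 2.8 rows' hash and size values verbatim. The changelog hunk in this commit lists the Windows 10 STIG Ver 3, Rel 1 update (#1366) as its own entry, so these values should come from the converted 3.1 files, with the rows ordered after 2.9.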
@ -158,8 +158,8 @@ Hashes for **PowerSTIG** files are listed in the following table:
| WindowsServer-2019-DC-2.8.xml | 7C91E0EC59770DF4E3629C6B847282FF144EC753B0A231A1A1DBA8B96379E146 | 564705 |
| WindowsServer-2019-DC-2.9.org.default.xml | 3D9CAFAAF084E9C316B5E5C00089045E8059F252BEAAC6FB3BFF56A69AF1C797 | 5924 |
| WindowsServer-2019-DC-2.9.xml | 5D94610872795C66281BD6FA6DE1FF0F48B48A507AD259D89B76E84A51453946 | 564808 |
| WindowsServer-2019-MS-2.8.org.default.xml | DF47F2908380AD296D82A9E222A0D96C3FE99C770C3E2BBB34FD7716971C73E0 | 5856 |
| WindowsServer-2019-MS-2.8.xml | 4217BDFF7B2248D343B560CD4A0FD94A6FE3EC5F0F765B49CA7669551AC0A50B | 489284 |
| WindowsServer-2019-MS-3.1.org.default.xml | DF47F2908380AD296D82A9E222A0D96C3FE99C770C3E2BBB34FD7716971C73E0 | 5856 |
| WindowsServer-2019-MS-3.1.xml | 4217BDFF7B2248D343B560CD4A0FD94A6FE3EC5F0F765B49CA7669551AC0A50B | 489284 |
| WindowsServer-2019-MS-2.9.org.default.xml | 759FDF04674BC02CF56BFF44C3899E2C4A590949A39A65C2C5EC78DF54DC4E76 | 5856 |
| WindowsServer-2019-MS-2.9.xml | BF1BCF10E1E2A7718E66F388A2B31C1505EF084A70188B676FEA57DBEF5CA6A0 | 489387 |
| WindowsServer-2022-DC-1.4.org.default.xml | 553EA24B9D3AA214A69117F6E003FE20A267C756F09742DEE477271AE47523BA | 5825 |
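Review bot: the WindowsServer-2019-MS-3.1 rows keep the hash and size of the 2.8 rows, and the changelog hunk in this commit shows no Windows Server 2019 Ver 3, Rel 1 entry to go with them. Anyone verifying the 3.1 files against this table would see a mismatch; recompute the values from the real files or drop the rows until those files are added.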

View File

@ -19,3 +19,4 @@ V-235729::HKLM\SOFTWARE\Policies\Microsoft\Edge\Recommended::HKLM\SOFTWARE\Polic
V-235767::PaymentMethodQueryEnabled::"PaymentMethodQueryEnabled"
V-235769::UserFeedbackAllowed::"UserFeedbackAllowed"
V-251694::*::.
V-260467::*::HardCodedRule(RegistryRule)@{DscResource = 'RegistryPolicyFile'; Ensure = 'Present'; Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge'; ValueData = '4'; ValueName = 'DefaultCookieSetting'; ValueType = 'Dword'}
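Review bot: the hard-coded rule for V-260467 sets ValueName = 'DefaultCookieSetting', but the check text for the same rule in the converted XML names "DefaultCookiesSetting" (with an "s"). As written, the registry value set under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge is not the one the STIG check inspects, so the finding would stay open after the configuration is applied. Change the ValueName to 'DefaultCookiesSetting' and regenerate the converted XML from this entry.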

File diff suppressed because one or more lines are too long

View File

@ -5,7 +5,7 @@
Each setting in this file is linked by STIG ID and the valid range is in an
associated comment.
-->
<OrganizationalSettings fullversion="1.7">
<OrganizationalSettings fullversion="2.1">
<!-- Ensure 'V-235719' is reviewed for needed configuration settings -->
<OrganizationalSetting id="V-235719" ValueData="" />
<!-- Ensure all of the search URLs in the list begin with "https" -->
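Review bot: changing fullversion from "1.7" to "2.1" alters this file's bytes, yet the hash table in this commit lists the Edge 2.1 org.default row with the same SHA256 as the 1.7 row. Update that hash once this file is final. No new OrganizationalSetting entries are needed for V-260465 to V-260467, since all three rules have OrganizationValueRequired set to False.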

View File

@ -1,4 +1,4 @@
<DISASTIG version="1" classification="UNCLASSIFIED" customname="" stigid="MS_Edge_STIG" description="This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil." filename="U_MS_Edge_V1R7_STIG_Manual-xccdf.xml" releaseinfo="Release: 7 Benchmark Date: 26 Jul 2023 3.4.0.34222 1.10.0" title="Microsoft Edge Security Technical Implementation Guide" notice="terms-of-use" source="STIG.DOD.MIL" fullversion="1.7" created="8/28/2023">
<DISASTIG version="2" classification="UNCLASSIFIED" customname="" stigid="MS_Edge_STIG" description="This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil." filename="U_MS_Edge_V2R1_STIG_Manual-xccdf.xml" releaseinfo="Release: 1 Benchmark Date: 24 Jul 2024 3.5 1.10.0" title="Microsoft Edge Security Technical Implementation Guide" notice="terms-of-use" source="STIG.DOD.MIL" fullversion="2.1" created="7/19/2024">
<DocumentRule dscresourcemodule="None">
<Rule id="V-235722" severity="low" conversionstatus="pass" title="SRG-APP-000073" dscresource="None">
<Description>&lt;VulnDiscussion&gt;Configure the list of Microsoft Defender SmartScreen trusted domains. This means Microsoft Defender SmartScreen will not check for potentially malicious resources, such as phishing software and other malware, if the source URLs match these domains. The Microsoft Defender SmartScreen download protection service will not check downloads hosted on these domains.
@ -1429,5 +1429,75 @@ If the value for "QuicAllowed" is not set to "REG_DWORD = 0", this is a finding.
<ValueName>QuicAllowed</ValueName>
<ValueType>Dword</ValueType>
</Rule>
<Rule id="V-260465" severity="medium" conversionstatus="pass" title="SRG-APP-000141" dscresource="RegistryPolicyFile">
<Description>&lt;VulnDiscussion&gt;Visual Search allows for quick exploration of more related content about entities in an image.
If this policy is enabled or not configured, Visual Search will be enabled via image hover, context menu, and search in Sidebar.
If this policy is disabled, Visual Search will be disabled and more information about images will not be available via hover, context menu, and search in Sidebar.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
<DuplicateOf />
<Ensure>Present</Ensure>
<IsNullOrEmpty>False</IsNullOrEmpty>
<Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge</Key>
<LegacyId>
</LegacyId>
<OrganizationValueRequired>False</OrganizationValueRequired>
<OrganizationValueTestString />
<RawString>Verify the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Visual search enabled" is set to "Disabled".
Use the Windows Registry Editor to navigate to the following key:
HKLM\SOFTWARE\Policies\Microsoft\Edge
If the value for "VisualSearchEnabled" is not set to "REG_DWORD = 0", this is a finding.</RawString>
<ValueData>0</ValueData>
<ValueName>VisualSearchEnabled</ValueName>
<ValueType>Dword</ValueType>
</Rule>
<Rule id="V-260466" severity="medium" conversionstatus="pass" title="SRG-APP-000141" dscresource="RegistryPolicyFile">
<Description>&lt;VulnDiscussion&gt;The Sidebar is a launcher bar on the right side of Microsoft Edge's screen.
If this policy is enabled or not configured, the Sidebar will be shown. If this policy is disabled, the Sidebar will never be shown.
Disabling Sidebar will disable Copilot.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
<DuplicateOf />
<Ensure>Present</Ensure>
<IsNullOrEmpty>False</IsNullOrEmpty>
<Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge</Key>
<LegacyId>
</LegacyId>
<OrganizationValueRequired>False</OrganizationValueRequired>
<OrganizationValueTestString />
<RawString>Verify the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Show Hubs Sidebar" is set to "Disabled".
Use the Windows Registry Editor to navigate to the following key:
HKLM\SOFTWARE\Policies\Microsoft\Edge
If the value for "HubsSidebarEnabled" is not set to "REG_DWORD = 0", this is a finding.</RawString>
<ValueData>0</ValueData>
<ValueName>HubsSidebarEnabled</ValueName>
<ValueType>Dword</ValueType>
</Rule>
<Rule id="V-260467" severity="medium" conversionstatus="pass" title="SRG-APP-000080" dscresource="RegistryPolicyFile">
<Description>&lt;VulnDiscussion&gt;Cookies must only be allowed per session and only for approved URLs as permanently stored cookies can be used for malicious intent.
Approved URLs may be allowlisted via the "CookiesAllowedForUrls" or "SaveCookiesOnExit" policy settings, but these are not requirements.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
<DuplicateOf />
<Ensure>Present</Ensure>
<IsNullOrEmpty>False</IsNullOrEmpty>
<Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge</Key>
<LegacyId>
</LegacyId>
<OrganizationValueRequired>False</OrganizationValueRequired>
<OrganizationValueTestString />
<RawString>Verify the policy value for "Computer Configuration/Administrative Templates/Microsoft Edge/Content settings/Configure cookies" is set to "Enabled" with the option value set to "Keep cookies for the duration of the session, except ones listed in 'SaveCookiesOnExit'".
Use the Windows Registry Editor to navigate to the following key:
HKLM\SOFTWARE\Policies\Microsoft\Edge
If the value for “DefaultCookiesSetting” is not set to "REG_DWORD = 4", this is a finding.</RawString>
<ValueData>4</ValueData>
<ValueName>DefaultCookieSetting</ValueName>
<ValueType>Dword</ValueType>
</Rule>
</RegistryRule>
</DISASTIG>
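Review bot: in V-260467 the <ValueName> is DefaultCookieSetting while the <RawString> of the same rule tests “DefaultCookiesSetting”. conversionstatus="pass" does not surface the mismatch because the value name comes from the hard-coded log entry rather than from the check text. Correct the name at its source and regenerate so the rule enforces the value the check reads. V-260465 and V-260466 are consistent across RawString, ValueName and ValueData.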