fixed merge conflict

2019-02-07 22:06:35 +01:00 · 2019-02-07 22:06:35 +01:00 · 31868aeb64
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -2,20 +2,39 @@
 ## Unreleased
-* Added the following STIGs
+## 2.4.0.0
  * Windows Server 2016 V1R6 [#169](https://github.com/Microsoft/PowerStig/issues/169)
  * Windows Server 2016 V1R7 [#251](https://github.com/Microsoft/PowerStig/issues/251)
 * Fixed [#244](https://github.com/Microsoft/PowerStig/issues/244): IIS Server rule V-76727.b org setting test fails
 * Fixed [#246](https://github.com/Microsoft/PowerStig/issues/246): IIS Server rule V-76737 contains an incorrect value
 * Fixed [#225](https://github.com/Microsoft/PowerStig/issues/225): Update PowerStig integration tests to consolidate duplicate code.
 * Fixed [#160](https://github.com/Microsoft/PowerStig/issues/160): PowerStig.Convert needs to handle new registry rules without affecting existing code
 * Fixed [#201](https://github.com/Microsoft/PowerStig/issues/201): Update PowerStig integration tests to account for skips and exceptions.
 * Fixed [#260](https://github.com/Microsoft/PowerStig/issues/260): FireFox Composite Resource configuration applies correctly, but never passes a Test-DscConfiguration.
 * Fixed [#244](https://github.com/Microsoft/PowerStig/issues/244): IIS Server rule V-76727.b org setting test fails
 * Fixed [#265](https://github.com/Microsoft/PowerStig/issues/265): Fixed UserRightsAssignment split rule bug.
 * Fixed [#267](https://github.com/Microsoft/PowerStig/issues/267): Fixed winlogon registry path parser bug.
 * Fixed [#238](https://github.com/Microsoft/PowerStig/issues/238): Adds regex tracker for RegistryRule regex's.
 * Fixed [#274](https://github.com/Microsoft/PowerStig/issues/274): UserRightsAssignment composite resource does not leverage the Force Parameter.
 * Fixed [#280](https://github.com/Microsoft/PowerStig/issues/280): HKEY_CURRENT_USER is not needed with the cAdministrativeTemplateSetting composite resource.
 * Windows Server 2012R2 Fixes
  * V-36707 is now an org setting
  * (DC only) V-2376 - V-2380 are migrated from manual to account policy rules.
 * Added the following STIGs
-  * SQL Server 2016 Instance V1R3 [#186](https://github.com/Microsoft/PowerStig/issues/186): Update PowerSTIG to parse the SQL Server 2016 Instance STIG - V1R3
+  * SQL Server 2016 Instance V1R3 [#186](https://github.com/Microsoft/PowerStig/issues/186)
-  * Windows Defender Antivirus V1R4 [#236](https://github.com/microsoft/PowerStig/issues): Update PowerSTIG to parse the Windows Defender STIG with new Registry Rule
+  * Windows Defender Antivirus V1R4 [#236](https://github.com/microsoft/PowerStig/issues/236)
  * Mozilla Firefox V4R24 [#261](https://github.com/Microsoft/PowerStig/issues/261)
  * Windows Server 2016 V1R6 [#169](https://github.com/Microsoft/PowerStig/issues/169)
  * Windows Server 2016 V1R7 [#251](https://github.com/Microsoft/PowerStig/issues/251)
  * SQL Server 2012 Database V1R18 [#263](https://github.com/Microsoft/PowerStig/issues/263)
  * Windows Server 2012R2 DC V2R15 [#267](https://github.com/Microsoft/PowerStig/issues/267)
  * Windows 10 V1R16 [#269](https://github.com/Microsoft/PowerStig/issues/269)
  * IIS Server 8.5 V1R6 [#256](https://github.com/Microsoft/PowerStig/issues/266)
  * Windows Server 2016 V1R6 [#169](https://github.com/Microsoft/PowerStig/issues/169)
  * Windows Server 2016 V1R7 [#251](https://github.com/Microsoft/PowerStig/issues/251)
  * Windows Server 2012R2 DNS V1R11 STIG [#265](https://github.com/Microsoft/PowerStig/issues/265)
  * AD Domain V2R12 [#270](https://github.com/Microsoft/PowerStig/issues/270)
 ## 2.3.2.0
--- a/DSCResources/IisServer/IisServer.schema.psm1
+++ b/DSCResources/IisServer/IisServer.schema.psm1
@ -89,7 +89,7 @@ Configuration IisServer
    Import-DscResource -ModuleName xWebAdministration -ModuleVersion 2.3.0.0
    . "$resourcePath\windows.xIisMimeTypeMapping.ps1"
-    . "$resourcePath\windows.WebConfigProperty.ps1"
+    . "$resourcePath\windows.xWebConfigProperty.ps1"
    . "$resourcePath\windows.xIisLogging.ps1"
 }
 #endregion Composite
--- a/DSCResources/Resources/firefox.ReplaceText.ps1
+++ b/DSCResources/Resources/firefox.ReplaceText.ps1
@ -35,7 +35,7 @@ ReplaceText DoNotObscureFile
 ReplaceText BeginFileWithComment
 {
    Path        = "$InstallDirectory\firefox.cfg"
-    Search      = '// FireFox preference file'
+    Search      = ('// FireFox preference file' + "`r")
    Type        = 'Text'
    Text        = ('// FireFox preference file' + "`r")
 }
@ -47,7 +47,7 @@ foreach ( $rule in $rules )
        Path        = "$InstallDirectory\FireFox.cfg"
        Search      = 'lockPref\("{0}", (.*)\);' -f $rule.Key
        Type        = 'Text'
-        Text        = ("`r`n" + 'lockPref("{0}", {1});' -f $rule.Key, (Format-FireFoxPreference -Value $rule.Value))
+        Text        = 'lockPref("{0}", {1});' -f $rule.Key, (Format-FireFoxPreference -Value $rule.Value)
        AllowAppend = $true
    }
 }
--- a/DSCResources/Resources/windows.UserRightsAssignment.ps1
+++ b/DSCResources/Resources/windows.UserRightsAssignment.ps1
@ -57,5 +57,6 @@ foreach ($rule in $rules)
    {
        Policy   = ($rule.DisplayName -replace " ", "_")
        Identity = $identityList
        Force    = [bool]$rule.Force
    }
 }
--- a/DSCResources/Resources/windows.WebConfigProperty.ps1
+++ b/DSCResources/Resources/windows.WebConfigProperty.ps1
@ -1,34 +0,0 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 $rules = $stig.RuleList | Select-Rule -Type WebConfigurationPropertyRule
 if ($WebsiteName)
 {
    foreach ($website in $WebsiteName)
    {
        foreach ($rule in $rules)
        {
            xWebConfigProperty "$(Get-ResourceTitle -Rule $rule -Instance $website)"
            {
                WebsitePath     = "IIS:\Sites\$website"
                Filter          = $rule.ConfigSection
                PropertyName    = $rule.Key
                Value           = $rule.Value
            }
        }
    }
 }
 else
 {
    foreach ( $rule in $rules )
    {
        xWebConfigProperty "$(Get-ResourceTitle -Rule $rule)"
        {
            WebsitePath     = "MACHINE/WEBROOT/APPHOST"
            Filter          = $rule.ConfigSection
            PropertyName    = $rule.Key
            Value           = $rule.Value
        }
    }
 }
--- a/DSCResources/Resources/windows.WindowsFeature.ps1
+++ b/DSCResources/Resources/windows.WindowsFeature.ps1
@ -16,7 +16,7 @@ foreach ( $rule in $rules )
        future if WindowsOptionalFeature is updated to allow it to run a on DC
        lines 17-31 can be removed.
    #>
-    if ($stigData.DISASTIG.id -match 'Windows_10')
+    if ($stigData.DISASTIG.stigid -match 'Windows_10')
    {
        WindowsOptionalFeature (Get-ResourceTitle -Rule $rule)
        {
--- a/DSCResources/Resources/windows.xIisLogging.ps1
+++ b/DSCResources/Resources/windows.xIisLogging.ps1
@ -7,7 +7,6 @@ if ($rules)
 {
    $logFlags = Get-UniqueStringArray -InputObject $rules.LogFlags -AsString
    $logFormat = Get-UniqueString -InputObject $rules.LogFormat
    $logPeriod = Get-UniqueString -InputObject $rules.LogPeriod
    $logCustomField = Get-LogCustomField -LogCustomField $rules.LogCustomFieldEntry.Entry -Resource 'xIisLogging'
    $resourceTitle = "[$($rules.id -join ' ')]"
@ -18,7 +17,6 @@ if ($rules)
            LogPath         = '$LogPath'
            LogFlags        = @($logFlags)
            LogFormat       = '$logFormat'
            LogPeriod       = '$logPeriod'
            LogCustomFields = @($logCustomField)
        }"
    )
--- a/DSCResources/Resources/windows.xWebConfigProperty.ps1
+++ b/DSCResources/Resources/windows.xWebConfigProperty.ps1
@ -1,15 +1,40 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
-
+#region Header
 $rules = $stig.RuleList | Select-Rule -Type WebConfigurationPropertyRule
-foreach ($website in $WebsiteName)
+if ($WebsiteName)
 {
    foreach ($website in $WebsiteName)
    {
        foreach ($rule in $rules)
        {
            xWebConfigProperty "$(Get-ResourceTitle -Rule $rule -Instance $website)"
            {
                WebsitePath     = "IIS:\Sites\$website"
                Filter          = $rule.ConfigSection
                PropertyName    = $rule.Key
                Value           = $rule.Value
            }
        }
    }
 }
 else
 {
    foreach ($rule in $rules)
    {
-        xWebConfigProperty "$(Get-ResourceTitle -Rule $rule -Instance $website)"
+        if ($rule.ConfigSection -match '/system.web')
        {
-            WebsitePath     = "IIS:\Sites\$website"
+            $psPath = 'MACHINE/WEBROOT'
        }
        else
        {
            $psPath = 'MACHINE/WEBROOT/APPHOST'
        }
        xWebConfigProperty "$(Get-ResourceTitle -Rule $rule)"
        {
            WebsitePath     = $psPath
            Filter          = $rule.ConfigSection
            PropertyName    = $rule.Key
            Value           = $rule.Value
--- a/FILEHASH.md
+++ b/FILEHASH.md
@ -0,0 +1,88 @@
 # PowerSTIG File Hashes : Module Version 2.4.0.0
 Hashes for **PowerSTIG** files are listed in the following table:
 | File | SHA256 Hash | Size (bytes) |
 | :---- | ---- | ---: |
 | Mozilla-All-FireFox-4.23.org.default.xml | D8E45DC6E83499FF22CA90D417CD477A0DF4450F091117E766A57418BABA2CED | 302 |
 | Mozilla-All-FireFox-4.23.xml | A71E114C43CCD9C173EB0FBF3C3011971E11B99860826FB110027F2CE6D97C80 | 21652 |
 | Mozilla-All-FireFox-4.24.org.default.xml | 6BFB0DC668F689F81FD1D05A2F4EDCC1552FD37A765301AA6367F208108DC9D7 | 306 |
 | Mozilla-All-FireFox-4.24.xml | 44FB05D6F6FA5ED4CC986C333882C72F81E1BD9F19E8722D21215809CCA815A1 | 20730 |
 | SqlServer-2012-Database-1.17.org.default.xml | 57AA572AF80DE95D4BC5B8B9079AED3CA6BE63718B726D4FFEF631F017D23D9E | 305 |
 | SqlServer-2012-Database-1.17.xml | 7260BFEDE8FC3947B1A36F8A4AE1AA8CC4AF160D4C67CF7223C159CA5C2A5E99 | 37718 |
 | SqlServer-2012-Database-1.18.org.default.xml | 1095CEEAD18CBBAD9068326B97D520F7F76F1F71331618F17B2138DC8FE55ED4 | 306 |
 | SqlServer-2012-Database-1.18.xml | 18391A6F6314DCD36AE992319699A2AC16890E11A9B62944B44DE1C3DF9D5E79 | 38236 |
 | SqlServer-2012-Instance-1.16.org.default.xml | 0603777B3C8A380A7CC47766FF7A995E22F7988FCA56AA8EAB202CBE89C090CB | 302 |
 | SqlServer-2012-Instance-1.16.xml | 0B058581795678751D94D0C1E33290C8525318B7B32C7C07979F72D9D578C6EA | 355822 |
 | SqlServer-2012-Instance-1.17.org.default.xml | E7C6F909F78CA3BD5B77E417FBBDABBB1F5125A9D95939623AD720B7DA281BBB | 302 |
 | SqlServer-2012-Instance-1.17.xml | E8A66131927FA1879672FAC1BB4E2811F1393E1F50B4C5B7159A2C092AED6185 | 358721 |
 | SqlServer-2016-Instance-1.3.org.default.xml | 5C992B2F864BBA7A975A9F4FEC3535309BD2EC6CE10D6BD159C127B4AA4E24FE | 301 |
 | SqlServer-2016-Instance-1.3.xml | D8BB9463E4ADC6C19DC40BD1F10A4E844A728605EA231DAC8617A47795BB8844 | 177660 |
 | Windows-10-Client-1.15.org.default.xml | 85EE6D3F64483A1D77B1270839202A5EDDEF77A6B9462A9386E21806B6CD42B4 | 3237 |
 | Windows-10-Client-1.15.xml | BCF14643941EE133CAAF5A92C232F1E13B5E50B195810BA7746DAC41FF95A392 | 564883 |
 | Windows-10-Client-1.16.org.default.xml | FF2BB1BD364C1AC9AC5F51BC4AA1A48648C5F9C2B3C1B690A28E1280D59B7D7C | 3240 |
 | Windows-10-Client-1.16.xml | B671F8D497AEA16CC60DE09E7EF00324362092773010ECA85260D9EE0C1109C9 | 311595 |
 | Windows-2012R2-DC-2.14.org.default.xml | FC2D849C9645CDEDDB8810DBA7167C5CC3C396FA3B29B365CE5994AF60801396 | 3915 |
 | Windows-2012R2-DC-2.14.xml | 2D84F5A7F4A641FCAB30C44C6276EF15CB4D98D20E656BEF9C8859AB33E62205 | 417362 |
 | Windows-2012R2-DC-2.15.org.default.xml | 8CB79727392F0E0A26C61EC43E010702F8F8B2838F9AAC162FBDFD18EF7555ED | 3959 |
 | Windows-2012R2-DC-2.15.xml | AAD3535A2F3F85C01397EB0286C5B75E3F0315DFB92DC0797E7EE4D05B6882D0 | 418611 |
 | Windows-2012R2-DNS-1.10.org.default.xml | D7B3A3B7FCF8F0DBD5E70FFEA0E54B770C0E2CF228B6F13FCB692D14A6D6E013 | 302 |
 | Windows-2012R2-DNS-1.10.xml | B406CBF518FD7A704223F28EA3CCBC65918E78F548543B1FE4B8E3ABD9FA3A43 | 126089 |
 | Windows-2012R2-DNS-1.11.org.default.xml | 74831D43FD2564947D69D7EF8EECCC5F192FCA17DED3BA463341EDD20ED3BA58 | 306 |
 | Windows-2012R2-DNS-1.11.xml | 90C222999667B5FC1C861DBDA7A2BB300ED088027596C2906C14252251CF3093 | 126954 |
 | Windows-2012R2-IISServer-1.5.org.default.xml | 61F54F59B315DDD3EF5AD689B6AEC4F20BE3A83A4CE5DF70D33BCF9C9A0F1933 | 434 |
 | Windows-2012R2-IISServer-1.5.xml | 5DEC43CFE778A66EDE61BBEED906E60327C427F2E19607A466834E1F67D876B2 | 110033 |
 | Windows-2012R2-IISServer-1.6.org.default.xml | E1B3202DAA7135486885705F2C8C5648A13E8BF5BB7D9C23DA61790A81D9050B | 434 |
 | Windows-2012R2-IISServer-1.6.xml | 39E9ABD73A6A5998910DCA01C73CC49BEB0AA64CC9F4A985FDE290A16E748B4A | 111756 |
 | Windows-2012R2-IISSite-1.2.org.default.xml | E864D16D047B9586C8B2F82AA8746BBDE14442CC9AF10FFC17D4866A925320C4 | 1184 |
 | Windows-2012R2-IISSite-1.2.xml | E0867A97182E13959815590793DF2F27994B361E54EBACDDE75BB1A7521A0C1E | 61196 |
 | Windows-2012R2-IISSite-1.5.org.default.xml | 614DB2B38B949C78C0F56E0785BC1004516D19259F7BA3925E4622F833234B5A | 1083 |
 | Windows-2012R2-IISSite-1.5.xml | 268BCDDBB3F3996752713ADE2B6CE2D5665BB8CACC037797D0BB93A04ADFDEBA | 56252 |
 | Windows-2012R2-MS-2.13.org.default.xml | 8203C6EA1C481656CA08C3CC3008780E9ECF6079D2938ECD0347A1CFCE9A4A16 | 3639 |
 | Windows-2012R2-MS-2.13.xml | 0D028C7C40AEC102BBEB88A26C284216E69FE6054962B6D28E48C50203EE2EEC | 356243 |
 | Windows-2012R2-MS-2.14.org.default.xml | E8C8B34E88EBDE53A15B2567010E5328759CBD28981C43F115544A5A83657CA5 | 3199 |
 | Windows-2012R2-MS-2.14.xml | 764E9C41761E19BC94CCD2090B3CF4CC5D85E21EEEEC4C6A99611C26C30F0E95 | 355961 |
 | Windows-2016-DC-1.6.org.default.xml | CDD8F03A1520B07D6B0ECB1835BC2629D768EE48A36D86F550020922220AB9EC | 3999 |
 | Windows-2016-DC-1.6.xml | 7AC75FE3589B1078EA16684B1746A659E597990B51BAE8A1CD30965E23B10F3B | 542588 |
 | Windows-2016-DC-1.7.org.default.xml | 06BD9988D96E95B24DED9D6F4FBABD2ED617461C903E078810E2899128A9C777 | 3812 |
 | Windows-2016-DC-1.7.xml | 572DB4E88B89B3DC2F540825CA20AD3AE6A7C6D476B059783805415E48A133F1 | 542459 |
 | Windows-2016-MS-1.6.org.default.xml | CC13EBD7A4F8B89DBC4BD91BA52817B59692399EAD2B3F0F166FFEBD08C6477D | 3956 |
 | Windows-2016-MS-1.6.xml | 41C957C38E4A87C5BE70399C0D39F7BACE3FDA51865FA379B6BC67081413E6AC | 474892 |
 | Windows-2016-MS-1.7.org.default.xml | 94D88702D4D1A41278F39E21C3E322D15A5AE5861F74F5A82B5CE69E8515B4E2 | 3767 |
 | Windows-2016-MS-1.7.xml | A80D853F02EE3223C1B34FD9C075E9889A701212F3ACCAC32AE904143F824F00 | 474763 |
 | Windows-All-ADDomain-2.10.org.default.xml | C3335957BAB1A9F23E1495DAC49BCFF3F690F7EAD020EB456B8BEB375E9B5615 | 302 |
 | Windows-All-ADDomain-2.10.xml | D05147ED1FBC13B6933BE5049BA7FC0C249B13389FC00B37432003AB329EF5D2 | 37878 |
 | Windows-All-ADDomain-2.9.org.default.xml | 16A0AD798E655678FF4340ABEE31BE6BCC6A4C680E65263491E2E73D76183281 | 304 |
 | Windows-All-ADDomain-2.9.xml | 5E90ADD91336A93CCF8F0467AC8F6220013E78D32E3815E09C423E2E3AEB118C | 42174 |
 | Windows-All-ADForest-2.7.org.default.xml | 4C807A55F82C206FACFB7031F2F8989EF2C50845E913C4A598E3F6277B61B5E2 | 304 |
 | Windows-All-ADForest-2.7.xml | 7306BBFC38778E0CE1A514F06DBE61333113A536F7142DD5CB811F5F18B733CA | 7649 |
 | Windows-All-ADForest-2.8.org.default.xml | 4F9515E446D0ACF2A545820C8A16973BD5B888D4F8E979AF0B941E16931BB8F9 | 301 |
 | Windows-All-ADForest-2.8.xml | F8513063D964F3795A6CF3FE4AD0194792E79B6A16CECE90DA4F269B7D2FCC43 | 8200 |
 | Windows-All-Domain-2.11.org.default.xml | 395459A673BC80006E2F4B03E8FE84E89C36AAAF729B7A476623D3C4C8E3D7E3 | 302 |
 | Windows-All-Domain-2.11.xml | F90FFC7C5AD02FB25F3FBFC258929635212AE8AB0E62D519250BED3CF2786835 | 38337 |
 | Windows-All-Domain-2.12.org.default.xml | 973C2D3FC456F6979ACCC147CF772E3020EADFFC24070191517E2F703084CD30 | 306 |
 | Windows-All-Domain-2.12.xml | 9AB03AB34705C64064A3061ABD24465ED0A46E1ADC7F2D94D63784DB62542B5D | 38562 |
 | Windows-All-DotNet4-1.4.org.default.xml | FABD84CFEB2BC0659B72A8836F744EDA3F30CCC9DEB414380A16E98D82AC9F3D | 301 |
 | Windows-All-DotNet4-1.4.xml | 8A55BFE40DC9044FA28B4BC02F1166BC46819C2EADD38FCBAF05C0E6BCAD8FED | 22005 |
 | Windows-All-DotNet4-1.6.org.default.xml | AA83FB9224208C2546DD1DBE1555972A96A8BA4B916ECA6F0DF4BECBBD2E3FD8 | 301 |
 | Windows-All-DotNet4-1.6.xml | D07EB054E3C084D23939F6503A167BCB10C050197A5582074F969F561CEF9422 | 23167 |
 | Windows-All-Excel2013-1.7.org.default.xml | E263E5B184D2DE284E8E96CB333EF11EC8E92F49869DB072BCFD83FCD3662265 | 430 |
 | Windows-All-Excel2013-1.7.xml | 53B1485542CE27DCA6ADC12C5BD5420A58D6B0A999EFC07492E0D11A7B04AE29 | 51672 |
 | Windows-All-FW-1.6.org.default.xml | 38EE83A72D4A36D022853EAB9052CC129759C32692FBFC31E39A42FE2CCFA267 | 979 |
 | Windows-All-FW-1.6.xml | A9D4568FE2C91C71442442DCCF661BE63469E2A5E44203F85261255446713600 | 32506 |
 | Windows-All-IE11-1.15.org.default.xml | 4BDA2DC398D1CDFD8FD8C58A1ADF47AC7F072FC4CAD082B4168B6D801BB1EDF2 | 302 |
 | Windows-All-IE11-1.15.xml | 7F1EA8A198B9D8A32FACBFBAB9E165A5DDD8780B06FD135AAB9BCDCC0DF3D581 | 157289 |
 | Windows-All-IE11-1.16.org.default.xml | 0603777B3C8A380A7CC47766FF7A995E22F7988FCA56AA8EAB202CBE89C090CB | 302 |
 | Windows-All-IE11-1.16.xml | A532935FDAB976A95AA8814C718F15CF201763BD84415F882574C9ADE31A2C5C | 157330 |
 | Windows-All-OracleJRE8-1.5.org.default.xml | 05F665F8005E85FFA8568580F32472709F922FC06175AAAFFCED26EAC857FDA2 | 301 |
 | Windows-All-OracleJRE8-1.5.xml | 0B6D4C2DCB9522BE5EA8C4213474FDE70B1F59076C2E56D6A7195D39EAFE7BF1 | 15237 |
 | Windows-All-Outlook2013-1.12.org.default.xml | 369D5DE682FD78D37466EC2B36D43D844A76959829B81129C5033306602D4FD1 | 430 |
 | Windows-All-Outlook2013-1.12.xml | 3B8CB23E585C659B47A3EEE4B75B8DF94998CD8D95F96C7868485E4CA7E38872 | 88658 |
 | Windows-All-Outlook2013-1.13.org.default.xml | 14AC0A5769C8D7E3478E14065F301C74335A221CE21D1EAB99BFF687BE79A418 | 449 |
 | Windows-All-Outlook2013-1.13.xml | 98B85178E26523B05C192939739E0D704FDE5EE73B9F851FB02003522859C7A1 | 88540 |
 | Windows-All-PowerPoint2013-1.6.org.default.xml | AA83FB9224208C2546DD1DBE1555972A96A8BA4B916ECA6F0DF4BECBBD2E3FD8 | 301 |
 | Windows-All-PowerPoint2013-1.6.xml | CAFF4CCE68F80F9D61B6E33D0ACE487ADE8DC4A84472B00416BC479E10105612 | 44520 |
 | Windows-All-Word2013-1.6.org.default.xml | AA83FB9224208C2546DD1DBE1555972A96A8BA4B916ECA6F0DF4BECBBD2E3FD8 | 301 |
 | Windows-All-Word2013-1.6.xml | D784B8111CA2DE947FFFB47D88E263237B026332433EDB6AAD8227247C07AFFF | 38530 |
 | Windows-Defender-Antivirus-1.4.org.default.xml | 7B29E729DBAD5D0AA20904664916575A5E7A7444EFD630C3A49704AAF4A9C926 | 1037 |
 | Windows-Defender-Antivirus-1.4.xml | 6E36B8909B13CA21DE33D92ACC8A9053CEA165E33A26FECDA230C5040D87DBE2 | 49928 |
--- a/Module/Common/Convert/Function.RangeConversion.ps1
+++ b/Module/Common/Convert/Function.RangeConversion.ps1
@ -48,7 +48,8 @@ function Get-OrganizationValueTestString
            (Test-StringIsGreaterThanOrEqual -String $PSItem)       -or
            (Test-StringIsGreaterThanButNot -String $PSItem)        -or
            (Test-StringIsGreaterThanOrEqualButNot -String $PSItem) -or
-            (Test-StringIsBetweenTwoValues -String $PSItem)
+            (Test-StringIsBetweenTwoValues -String $PSItem)         -or
            (Test-StringHasOneValueOrDoesntExist -String $PSItem)
        }
        {
            ConvertTo-TestString -String $PSItem
@ -521,7 +522,7 @@ function Test-StringIsGreaterThanButNot
    .EXAMPLE
        This example returns $true
-        Test-StringIsBetweenTwoValues -String '30' and '132'
+        Test-StringIsBetweenTwoValues -String '1' and '132'
    .NOTES
        Sample STIG data
@ -550,6 +551,42 @@ function Test-StringIsBetweenTwoValues
        $false
    }
 }
 <#
    .SYNOPSIS
        Converts English textual representation of numeric ranges into PowerShell equivalent
        comparison statements.
    .PARAMETER string
        The String to test.
    .EXAMPLE
        This example returns $true
        Test-StringHasOneValueOrDoesntExist -String '30' or 'or if the Value Name does not exist'
    .NOTES
        Sample STIG data
 #>
 function Test-StringHasOneValueOrDoesntExist
 {
    [CmdletBinding()]
    [OutputType([bool])]
    param
    (
        [Parameter(Mandatory = $true)]
        [string]
        $String
    )
    if ($string -match "^[0-9] \(or if the Value Name does not exist\)")
    {
        $true
    }
    else
    {
        $false
    }
 }
 #endregion
 #region GreaterThanorEqual
 <#
--- a/Module/Rule.Permission/Convert/Methods.ps1
+++ b/Module/Rule.Permission/Convert/Methods.ps1
@ -79,7 +79,7 @@ function Get-PermissionTargetPath
        # Get path that pertains to registry Winlogon key
        { $stigString -match $regularExpression.permissionRegistryWinlogon }
        {
-            $permissionTargetPath = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Winlogon\'
+            $permissionTargetPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\'
            break
        }
--- a/Module/Rule.Permission/Convert/PermissionRule.Convert.psm1
+++ b/Module/Rule.Permission/Convert/PermissionRule.Convert.psm1
@ -174,6 +174,7 @@ Class PermissionRuleConvert : PermissionRule
            $CheckContent -NotMatch "Interview the IAM" -and
            $CheckContent -NotMatch "InetMgr\.exe" -and
            $CheckContent -NotMatch "Register the required DLL module by typing the following at a command line ""regsvr32 schmmgmt.dll""." -and
            $CheckContent -NotMatch 'If any private assets' -and
            $CheckContent -NotMatch "roles.sql"
        )
        {
--- a/Module/Rule.Registry/Convert/Functions.SingleLine.ps1
+++ b/Module/Rule.Registry/Convert/Functions.SingleLine.ps1
@ -49,12 +49,12 @@ function Get-SingleLineRegistryPath
        [psobject]
        $CheckContent
    )
-    
+
    foreach ($item in $global:SingleLineRegistryPath.Values)
    {
        $value = Get-SLRegistryPath -CheckContent $CheckContent -Hashtable $item
        if ([String]::IsNullOrEmpty($value) -eq $false)
-        { 
+        {
            return $value | where-object {[string]::IsNullOrEmpty($_) -eq $false}
        }
    }
@ -66,7 +66,7 @@ function Get-SingleLineRegistryPath
    .Parameter CheckContent
        An array of the raw string data taken from the STIG setting.
-    
+
    .Parameter Hashtable
        The $SingleLineRegistryPath table taken from the Data.*.ps1 file(s).
 #>
@ -86,10 +86,10 @@ function Get-SLRegistryPath
    )
    $fullRegistryPath = $CheckContent
-    
+
-    foreach ($key in $Hashtable.Keys) 
+    foreach ($key in $Hashtable.Keys)
-    {  
+    {
-        if ($Hashtable.Item($key).GetType().Name -eq 'OrderedDictionary') 
+        if ($Hashtable.Item($key).GetType().Name -eq 'OrderedDictionary')
        {
            $innerValue = Get-SLRegistryPath -CheckContent $fullRegistryPath -Hashtable $Hashtable.Item($key)
            if ($innerValue)
@ -98,24 +98,24 @@ function Get-SLRegistryPath
            }
            continue
-        } 
+        }
        else
        {
            switch ($key)
            {
                Contains
-                { 
+                {
                    if (@($fullRegistryPath | Where-Object { $_.ToString().Contains($Hashtable.Item($key))}).Count -gt 0)
                    {
                        continue
                    }
-                    else 
+                    else
-                    { 
+                    {
-                        return 
+                        return
                    }
                }
-                Match 
+                Match
-                { 
+                {
                    if ($fullRegistryPath -match $Hashtable.Item($key))
                    {
                        continue
@ -125,8 +125,8 @@ function Get-SLRegistryPath
                        return
                    }
                }
-                Select 
+                Select
-                { 
+                {
                    $regEx = '{0}' -f $Hashtable.Item($key)
                    $selectedRegistryPath = $CheckContent | Select-String -Pattern $regEx
                    if ([string]::IsNullOrEmpty($selectedRegistryPath))
@ -145,7 +145,6 @@ function Get-SLRegistryPath
    if (-not [String]::IsNullOrEmpty($matchedRegistryPath))
    {
        Write-Verbose "[$($MyInvocation.MyCommand.Name)] Found path : $true"
        switch -Wildcard ($matchedRegistryPath)
        {
            "*HKLM*" {$matchedRegistryPath = $matchedRegistryPath -replace "^HKLM", "HKEY_LOCAL_MACHINE"}
@ -158,6 +157,7 @@ function Get-SLRegistryPath
        $result = $matchedRegistryPath.ToString().trim(' ', '.')
        Write-Verbose "[$($MyInvocation.MyCommand.Name)] Trimmed path : $result"
        Set-RegistryPatternLog -Pattern $regEx
        return $result
    }
    else
@ -191,10 +191,10 @@ function Get-RegistryValueTypeFromSingleLineStig
    {
        $value = Get-RegistryValueTypeFromSLStig -CheckContent $CheckContent -Hashtable $item
        if ([String]::IsNullOrEmpty($value) -eq $false)
-        { 
+        {
            return $value
        }
-    } 
+    }
 }
 <#
@ -203,7 +203,7 @@ function Get-RegistryValueTypeFromSingleLineStig
    .Parameter CheckContent
        An array of the raw string data taken from the STIG setting.
-    
+
    .Parameter Hashtable
        The $SingleLineRegistryValueType table taken from the Data.*.ps1 file(s).
 #>
@ -221,26 +221,26 @@ function Get-RegistryValueTypeFromSLStig
        [psobject]
        $Hashtable
    )
-   
+
    $valueName = Get-RegistryValueNameFromSingleLineStig -CheckContent $CheckContent
-    
+
-    foreach ($key in $Hashtable.Keys) 
+    foreach ($key in $Hashtable.Keys)
-    {  
+    {
        switch ($key)
        {
            Contains
-            { 
+            {
-                if (@($fullRegistryPath | Where-Object {$_.ToString().Contains($Hashtable.Item($key))}).Count -gt 0) 
+                if (@($fullRegistryPath | Where-Object {$_.ToString().Contains($Hashtable.Item($key))}).Count -gt 0)
                {
                    continue
                }
-                else 
+                else
-                { 
+                {
-                    return 
+                    return
                }
            }
-            Match 
+            Match
-            { 
+            {
                $regEx = $Hashtable.Item($key) -f [regex]::escape($valueName)
                $matchedValueType = [regex]::Matches($CheckContent.ToString(), $regEx)
@ -253,18 +253,18 @@ function Get-RegistryValueTypeFromSLStig
                    return $null
                }
            }
-            Select 
+            Select
-            { 
+            {
                if ($valueName)
                {
                    $regEx = $Hashtable.Item($key) -f [regex]::escape($valueName)
                    $selectedValueType = Select-String -InputObject $CheckContent -Pattern $regEx
                }
-               
+
                if (-not $selectedValueType.Matches)
                {
                    return
-                } 
+                }
                else
                {
                    $valueType = $selectedValueType.Matches[0].Value
@ -272,15 +272,16 @@ function Get-RegistryValueTypeFromSLStig
                    {
                        $valueType = $selectedValueType.Matches.Groups[$Hashtable.Item('Group')].Value
                    }
                    Set-RegistryPatternLog -Pattern $Hashtable.Item($key)
                }
-            } 
+            }
        } # Switch
    } # Foreach
    if ($valueType)
    {
        $valueType = $valueType.Replace('=', '').Replace('"', '')
-    
+
        if (-not [String]::IsNullOrWhiteSpace($valueType.Trim()))
        {
            Write-Verbose "[$($MyInvocation.MyCommand.Name)] Found Type : $valueType"
@ -321,10 +322,10 @@ function Get-RegistryValueNameFromSingleLineStig
    {
        $value = Get-RegistryValueNameFromSLStig -CheckContent $CheckContent -Hashtable $item
        if ([String]::IsNullOrEmpty($value) -eq $false)
-        { 
+        {
-            return $value 
+            return $value
        }
-    } 
+    }
 }
 <#
    .SYNOPSIS
@ -350,25 +351,25 @@ function Get-RegistryValueNameFromSLStig
        [psobject]
        $Hashtable
    )
-    
+
    $valueName = $CheckContent
-    
+
-    foreach ($key in $Hashtable.Keys) 
+    foreach ($key in $Hashtable.Keys)
-    {  
+    {
        switch ($key)
        {
            Contains
-            { 
+            {
-                if (@($CheckContent | Where-Object { $_.ToString().Contains($Hashtable.Item($key))}).Count -gt 0) 
+                if (@($CheckContent | Where-Object { $_.ToString().Contains($Hashtable.Item($key))}).Count -gt 0)
                {
                    continue
                }
-                else 
+                else
-                { 
+                {
-                    return 
+                    return
                }
            }
-            Match 
+            Match
            {
                if ($CheckContent -match $Hashtable.Item($key))
                {
@ -379,7 +380,7 @@ function Get-RegistryValueNameFromSLStig
                    return
                }
            }
-            Select 
+            Select
            {
                $regEx = '{0}' -f $Hashtable.Item($key)
                $valueName = Select-String -InputObject $CheckContent -Pattern $regEx
@ -389,15 +390,16 @@ function Get-RegistryValueNameFromSLStig
    if ($valueName)
    {
-        $valueName = $valueName.Matches.Value -replace '["“”<EFBFBD>]', ''
+        $valueName = $valueName.Matches.Value -replace '["<EFBFBD><EFBFBD><EFBFBD>]', ''
        if ($valueName.Count -gt 1)
        {
            $valueName = $valueName[0]
        }
-        
+
        $result = $valueName.trim()
-        
+        Set-RegistryPatternLog -Pattern $regEx
        if (-not [String]::IsNullOrEmpty($result))
        {
            Write-Verbose "[$($MyInvocation.MyCommand.Name)] Found Name : $result"
@ -439,7 +441,7 @@ function Get-RegistryValueDataFromSingleStig
        {
            return $value
        }
-    }     
+    }
 }
 <#
@ -470,28 +472,28 @@ function Get-RegistryValueDataFromSLStig
    )
    $valueType = Get-RegistryValueTypeFromSingleLineStig -CheckContent $CheckContent
-    
+
    if ($valueType -eq "Does Not Exist")
    {
        return
    }
-    foreach ($key in $Hashtable.Keys) 
+    foreach ($key in $Hashtable.Keys)
    {
        switch ($key)
        {
            Contains
            {
-                if (@($CheckContent | Where-Object { $_.ToString().Contains($Hashtable.Item($key))}).Count -gt 0) 
+                if (@($CheckContent | Where-Object { $_.ToString().Contains($Hashtable.Item($key))}).Count -gt 0)
                {
                    continue
                }
-                else 
+                else
                {
-                    return 
+                    return
                }
            }
-            Match 
+            Match
            {
                if ($CheckContent -match $Hashtable.Item($key))
                {
@ -502,7 +504,7 @@ function Get-RegistryValueDataFromSLStig
                    return
                }
            }
-            Select 
+            Select
            {
                $regEx = $Hashtable.Item($key) -f [regex]::escape($valueType)
                $result = $CheckContent | Select-String -Pattern $regEx
@ -510,6 +512,7 @@ function Get-RegistryValueDataFromSLStig
                if ($result.Count -gt 0)
                {
                    $valueData = $result[0]
                    Set-RegistryPatternLog -Pattern $Hashtable.Item($key)
                }
            }
        } # Switch
@ -524,7 +527,7 @@ function Get-RegistryValueDataFromSLStig
        if (-not [String]::IsNullOrEmpty($result))
        {
            Write-Verbose "[$($MyInvocation.MyCommand.Name)] Found Name : $result"
-            return $result 
+            return $result
        }
        else
        {
--- a/Module/Rule.Registry/Convert/Methods.ps1
+++ b/Module/Rule.Registry/Convert/Methods.ps1
@ -1141,4 +1141,189 @@ function Split-MultipleRegistryEntries
    return $registryEntries
 }
 <#
    .SYNOPSIS
        Creates a registry pattern table and increments the pattern count from the single line functions
    .PARAMETER Pattern
        A registry rule pattern that has been applied
    .PARAMETER Rule
        Specifies a rule to include in output
    .NOTES
        Rules are not currently being captured in the results
        It is an optional parameter that can be included in the future
 #>
 function Set-RegistryPatternLog
 {
    [CmdletBinding()]
    [OutputType([Object])]
    param
    (
        [Parameter(Mandatory = $true)]
        [string]
        $Pattern, 
        [Parameter()]
        [string]
        $Rule
    )
    # Load table with patterns from Core data file.
    # Build the in-memory table of patterns
    if(-not $global:patternTable)
    {
        $nonestedItems = $global:SingleLineRegistryPath.GetEnumerator() | 
        Where-Object { $_.Value['Select'] -ne $null }
        $nestedItems = $global:SingleLineRegistryPath.GetEnumerator() | 
        Where-Object { $_.Value['Select'] -eq $null } | Select-Object {$_.Value } -ExpandProperty Value
        $regPathTable = $nonestedItems.GetEnumerator() | 
        ForEach-Object { New-Object -TypeName PSObject -Property @{Pattern=$_.Value['Select']; Count=0; Type='RegistryPath'}}
        $regPathTable += $nestedItems.GetEnumerator() | 
        Where-Object { $_.Value['Select'] -ne $null } | 
        ForEach-Object { New-Object -TypeName PSObject -Property @{Pattern=$_.Value['Select']; Count=0; Type='RegistryPath'}}
        $regValueTypeTable = $global:SingleLineRegistryValueType.GetEnumerator() | 
        Where-Object { $_.Value['Select'] -ne $null } | 
        ForEach-Object { New-Object -TypeName PSObject -Property @{Pattern=$_.Value['Select']; Count=0; Type='ValueType'}}
        $regValueNameTable = $global:SingleLineRegistryValueName.GetEnumerator() | 
        Where-Object { $_.Value['Select'] -ne $null } | 
        ForEach-Object { New-Object -TypeName PSObject -Property @{Pattern=$_.Value['Select']; Count=0; Type='ValueName'}}
        $regValueDataTable = $global:SingleLineRegistryValueData.GetEnumerator() | 
        Where-Object { $_.Value['Select'] -ne $null } | 
        ForEach-Object { New-Object -TypeName PSObject -Property @{Pattern=$_.Value['Select']; Count=0; Type='ValueData'}}
        $valueTypeTable = $regValueTypeTable | 
        Group-Object -Property "Pattern" | 
        ForEach-Object{ $_.Group | Select-Object 'Pattern','Count', 'Type' -First 1}
        $valueNameTable = $regValueNameTable | 
        Group-Object -Property "Pattern" | 
        ForEach-Object{ $_.Group | Select-Object 'Pattern','Count', 'Type' -First 1}
        $valueDataTable = $regValueDataTable | 
        Group-Object -Property "Pattern" | 
        ForEach-Object{ $_.Group | Select-Object 'Pattern','Count', 'Type' -First 1}
        $global:patternTable = $regPathTable + $valueTypeTable + $valueNameTable + $valueDataTable
    }
    # Find pattern in table and increment count
    $searchResult = $global:patternTable | Where-Object { $_.Pattern -eq $Pattern}
    if ($searchResult)
    {
        $searchResult.Count ++
    }
 }
 <#
    .SYNOPSIS
        Lists registry rule patterns along with counts for the number of rules that use each pattern.
    .PARAMETER Path
        Specifies a path to a directory with (unprocessed) xccdf.xml files or a specific xccdf.xml file.
        Path should be StigData\Archive\{Directory Name} or StigData\Archive\{DirectoryName}\{*.xccdf.xml} 
    .Notes
        Expression patterns are only for Registry Rules, this could change in the future
 #>
 function Get-RegistryPatternLog
 {
    [CmdletBinding()]
    [OutputType([Object])]
    param
    (
        [Parameter(Mandatory = $true)]
        [string]
        $Path
    )
    try
    {
        # If $Path is a directory, get all files contained in it
        $isFolder = Test-Path $Path -pathType Container
        if ($isFolder)
        {
            $files = Get-ChildItem -Path $Path -Filter '*.xml'
            foreach ($file in $files)
            {
                if (Test-StigProcessed $file.FullName)
                {
                    ConvertFrom-StigXccdf -Path $file.FullName | Out-Null
                }
            }
        }
        # If $Path is a file, process it
        $isFile = Test-Path $Path -pathType Leaf
        if ($isFile)
        {
            if (Test-StigProcessed $Path)
            {
                ConvertFrom-StigXccdf -Path $Path | Out-Null
            }
        }
    }
    catch [System.IO.DirectoryNotFoundException],[System.IO.FileNotFoundException]
    {
        Write-Output "The path or file was not found: [$Path]"
    }
    catch [System.IO.IOException]
    {
        Write-Output "Error accessing path or file at: [$Path]"
    }
    # Return patterns table with counts
    return $global:patternTable
 }
 <#
    .SYNOPSIS
        Test if the check-content contains mitigations polices to enable.
    .PARAMETER Path
        Specifies the check-content element in the xccdf
    .Notes
        Currently all rules in the STIG state the policies referenced need to be enabled.
        However that could change in the future or in other STIGs so we need to check for both conditions (Enabled|Disabled)
 #>
 function Test-StigProcessed
 {
    [CmdletBinding()]
    [OutputType([bool])]
    param
    (
        [Parameter(Mandatory = $true)]
        [string[]]
        $Path
    )
    # Setup, check $Path for Processed
    [xml]$XmlDocument = Get-Content -Path $Path
    $id = $XmlDocument.Benchmark | Select-Object id
    $version = $Path | Select-String -Pattern '(?<=_)V.*(?=_)' | 
    ForEach-Object { $_.Matches[0] -replace "V", "" -replace "R","\." }
    $conversionPath = Get-Item "$($PSScriptRoot)..\..\..\StigData\Processed"
    #Write-Host $testPath
    $hasConversion = Get-ChildItem -Path $conversionPath -recurse | Where-Object { $_ | Select-String -Pattern $id.id } | Where-Object { $_ | Select-String -Pattern $version } 
    #$hasConversion = Get-ChildItem -Path ..\..\..\StigData\Processed -recurse | Where-Object { $_ | Select-String -Pattern $id.id } | Where-Object { $_ | Select-String -Pattern $version } 
    if ($hasConversion)
    {
        return $true
    }
    else 
    {  
        return $false      
    }
 }
 #endregion
--- a/Module/Rule.SqlScriptQuery/Convert/Methods.ps1
+++ b/Module/Rule.SqlScriptQuery/Convert/Methods.ps1
@ -811,7 +811,7 @@ function Get-SQLQuery
    [boolean] $scriptInitiated = $false
    [boolean] $scriptTerminated = $false
    [boolean] $inScriptClause = $false
-    [int] $parenthesesLeftCount = 0 
+    [int] $parenthesesLeftCount = 0
    [int] $parenthesesRightCount = 0
    [int] $iParenthesesOffset = 0
@ -825,7 +825,7 @@ function Get-SQLQuery
        {
            $scriptInitiated = $true
            $collection += $line
-            
+
            # Get the parentheses offset by accumulating match counters
            $leftParenResults = $line | Select-String '\(' -AllMatches
            $parenthesesLeftCount += $leftParenResults.Matches.Count
@ -833,9 +833,9 @@ function Get-SQLQuery
            $parenthesesRightCount += $rightParenResults.Matches.Count
            $iParenthesesOffset = $parenthesesLeftCount - $parenthesesRightCount
        }
-        # If a SQL script is started, let's see what we have to add to it, if anything 
+        # If a SQL script is started, let's see what we have to add to it, if anything
        elseif ($scriptInitiated)
-        { 
+        {
            # Get the parentheses offset by accumulating match counters
            $leftParenResults = $line | Select-String '\(' -AllMatches
            $parenthesesLeftCount += $leftParenResults.Matches.Count
@ -853,7 +853,7 @@ function Get-SQLQuery
                    # Start of a group IN clause
                    $inScriptClause = $true
                }
-            } 
+            }
            # If we are inside of a group IN clause, we need to collect statements until the IN clause terminates
            elseif ($inScriptClause)
            {
--- a/Module/Rule.SqlScriptQuery/Convert/SqlScriptQueryRule.Convert.psm1
+++ b/Module/Rule.SqlScriptQuery/Convert/SqlScriptQueryRule.Convert.psm1
@ -35,7 +35,7 @@ Class SqlScriptQueryRuleConvert : SqlScriptQueryRule
    SqlScriptQueryRuleConvert ([xml.xmlelement] $XccdfRule) : Base ($XccdfRule, $true)
    {
        $ruleType = $this.GetRuleType($this.splitCheckContent)
-        $fixText = [SqlScriptQueryRule]::GetFixText($XccdfRule)
+        $fixText = [SqlScriptQueryRule]::GetFixText($StigRule)
        $this.SetGetScript($ruleType)
        $this.SetTestScript($ruleType)
@ -168,7 +168,6 @@ Class SqlScriptQueryRuleConvert : SqlScriptQueryRule
        {
            return $true
        }
        return $false
    }
--- a/Module/Rule.UserRight/Convert/Methods.ps1
+++ b/Module/Rule.UserRight/Convert/Methods.ps1
@ -112,7 +112,7 @@ function Get-UserRightIdentity
            if
            (
-                $line.Trim() -notmatch ":|^If|^Microsoft|^Organizations|^Vendor|^The|^(Systems|Workstations)\sDedicated" -and
+                $line.Trim() -notmatch ":|^If|^Microsoft|^Organizations|^Vendor|^The|^(Systems|Workstations)\sDedicated|Privileged Access" -and
                -not [string]::IsNullOrEmpty( $line.Trim() )
            )
            {
--- a/Module/Rule.UserRight/Convert/UserRightRule.Convert.psm1
+++ b/Module/Rule.UserRight/Convert/UserRightRule.Convert.psm1
@ -66,7 +66,7 @@ Class UserRightRuleConvert : UserRightRule
                $byte ++
                $copyRule.rule.Check.('check-content') = $splitRule
-                $ruleList += [UserRightRuleConvert]::New($StigRule).AsRule()
+                $ruleList += [UserRightRuleConvert]::New($copyRule).AsRule()
            }
        }
        else
--- a/Module/Rule.WebConfigurationProperty/Convert/Methods.ps1
+++ b/Module/Rule.WebConfigurationProperty/Convert/Methods.ps1
@ -453,7 +453,7 @@ function Get-OrganizationValueTestString
        }
        { $PsItem -match 'timeout' }
        {
-            return "[TimeSpan]{0} -le [TimeSpan]'00:20:00'"
+            return "'{0}' -le '00:20:00'"
        }
        default
        {
--- a/Module/Rule/Rule.psm1
+++ b/Module/Rule/Rule.psm1
@ -55,6 +55,7 @@ Class Rule : ICloneable
    [string] $RawString
    hidden [string[]] $SplitCheckContent
    <#
        .SYNOPSIS
            Default constructor
--- a/Module/STIG/Convert/Data.Core.ps1
+++ b/Module/STIG/Convert/Data.Core.ps1
@ -2,7 +2,7 @@
 # Licensed under the MIT License.
 <#
-    Instructions:  Use this file to add/update/delete regsitry expressions that are used accross
+    Instructions:  Use this file to add/update/delete regsitry expressions that are used accross 
    multiple technologies files that are considered commonly used.  Enure expressions are listed
    from MOST Restrive to LEAST Restrictive, similar to exception handling.  Also, ensure only
    UNIQUE Keys are used in each hashtable to prevent errors and conflicts.  Within each table there
@ -96,7 +96,7 @@ $global:SingleLineRegistryValueData += [ordered]@{
        Select = '((?<=value\sof).*(?=for))'
    }
    Three = @{
-        Select = '((?<=set\sto).*(?=\(true\)))'
+        Select = '((?<=set\sto).*(?=\(true\)))' 
    }
    Four  = @{
        Select = "((?<=is\sset\sto\s)(`'|`")).*(?=(`'|`"))"
--- a/Module/STIG/Convert/Data.Windows.Defender.ps1
+++ b/Module/STIG/Convert/Data.Windows.Defender.ps1
@ -0,0 +1,23 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 <#
    Instructions:  Use this file to add/update/delete regsitry expressions that are used accross 
    Windows Defender files.  Ensure expressions are listed from MOST Restrive to LEAST Restrictive, 
    similar to exception handling.  Also, ensure only UNIQUE Keys are used in each hashtable to 
    prevent errors and conflicts.
 #>
 $global:SingleLineRegistryValueName += [ordered]@{
    Defender1 = [ordered]@{
        Select = '((?<=If the value\s)(.*)(?=is\sR))'
    }
 }
 $global:SingleLineRegistryValueData += [ordered]@{
    # Added for Windows Defender Stig rule V-75237
    Defender1 = [ordered]@{
        Match  = 'ScheduleDay'
        Select = '(\d[x]\d)\sthrough\s(\d[x]\d)'
    }
 }
--- a/Module/STIG/Convert/Functions.XccdfXml.ps1
+++ b/Module/STIG/Convert/Functions.XccdfXml.ps1
@ -311,6 +311,14 @@ function Get-StigRuleList
        [System.Collections.ArrayList] $global:stigSettings = @()
        [int] $stigGroupCount = @($StigGroupList).Count
        [int] $stigProcessedCounter = 1
        # Global added so that the stig rule can be referenced later
        if (-not $exclusionRuleList)
        {
            $exclusionFile = Resolve-Path -Path $PSScriptRoot\..\Common\Data.ps1
            . $exclusionFile
        }
    }
    process
    {
--- a/PowerStig.psd1
+++ b/PowerStig.psd1
@ -6,7 +6,7 @@
 RootModule = 'PowerStig.psm1'
 # Version number of this module.
-ModuleVersion = '2.3.2.0'
+ModuleVersion = '2.4.0.0'
 # ID used to uniquely identify this module
 GUID = 'a132f6a5-8f96-4942-be25-b213ee7e4af3'
@ -96,11 +96,37 @@ PrivateData = @{
        ProjectUri = 'https://github.com/Microsoft/PowerStig'
        # ReleaseNotes of this module
-        ReleaseNotes = '* Fixed [#215](https://github.com/Microsoft/PowerStig/issues/215): Org settings wont apply for DotNet STIG
+        ReleaseNotes = '* Fixed [#244](https://github.com/Microsoft/PowerStig/issues/244): IIS Server rule V-76727.b org setting test fails
-* Fixed [#216](https://github.com/Microsoft/PowerStig/issues/216): DotNet STIGs are misnamed
+* Fixed [#246](https://github.com/Microsoft/PowerStig/issues/246): IIS Server rule V-76737 contains an incorrect value
-* Fixed [#207](https://github.com/Microsoft/PowerStig/issues/207): SQL Server Database rules fail to apply
+* Fixed [#225](https://github.com/Microsoft/PowerStig/issues/225): Update PowerStig integration tests to consolidate duplicate code.
-* Fixed [#208](https://github.com/Microsoft/PowerStig/issues/208): Update PowerSTIG to use SQLServerDsc 12.1.0.0
+* Fixed [#160](https://github.com/Microsoft/PowerStig/issues/160): PowerStig.Convert needs to handle new registry rules without affecting existing code
-* Fixed [#220](https://github.com/Microsoft/PowerStig/issues/220): Update PowerSTIG to use xWebAdministration 2.3.0.0'
+* Fixed [#201](https://github.com/Microsoft/PowerStig/issues/201): Update PowerStig integration tests to account for skips and exceptions.
 * Fixed [#260](https://github.com/Microsoft/PowerStig/issues/260): FireFox Composite Resource configuration applies correctly, but never passes a Test-DscConfiguration.
 * Fixed [#244](https://github.com/Microsoft/PowerStig/issues/244): IIS Server rule V-76727.b org setting test fails
 * Fixed [#265](https://github.com/Microsoft/PowerStig/issues/265): Fixed UserRightsAssignment split rule bug.
 * Fixed [#267](https://github.com/Microsoft/PowerStig/issues/267): Fixed winlogon registry path parser bug.
 * Fixed [#238](https://github.com/Microsoft/PowerStig/issues/238): Adds regex tracker for RegistryRule regex''s.
 * Fixed [#274](https://github.com/Microsoft/PowerStig/issues/274): UserRightsAssignment composite resource does not leverage the Force Parameter.
 * Fixed [#280](https://github.com/Microsoft/PowerStig/issues/280): HKEY_CURRENT_USER is not needed with the cAdministrativeTemplateSetting composite resource.
 * Windows Server 2012R2 Fixes
  * V-36707 is now an org setting
  * (DC only) V-2376 - V-2380 are migrated from manual to account policy rules.
 * Added the following STIGs
  * SQL Server 2016 Instance V1R3 [#186](https://github.com/Microsoft/PowerStig/issues/186)
  * Windows Defender Antivirus V1R4 [#236](https://github.com/microsoft/PowerStig/issues/236)
  * Mozilla Firefox V4R24 [#261](https://github.com/Microsoft/PowerStig/issues/261)
  * Windows Server 2016 V1R6 [#169](https://github.com/Microsoft/PowerStig/issues/169)
  * Windows Server 2016 V1R7 [#251](https://github.com/Microsoft/PowerStig/issues/251)
  * SQL Server 2012 Database V1R18 [#263](https://github.com/Microsoft/PowerStig/issues/263)
  * Windows Server 2012R2 DC V2R15 [#267](https://github.com/Microsoft/PowerStig/issues/267)
  * Windows 10 V1R16 [#269](https://github.com/Microsoft/PowerStig/issues/269)
  * IIS Server 8.5 V1R6 [#256](https://github.com/Microsoft/PowerStig/issues/266)
  * Windows Server 2016 V1R6 [#169](https://github.com/Microsoft/PowerStig/issues/169)
  * Windows Server 2016 V1R7 [#251](https://github.com/Microsoft/PowerStig/issues/251)
  * Windows Server 2012R2 DNS V1R11 STIG [#265](https://github.com/Microsoft/PowerStig/issues/265)
  * AD Domain V2R12 [#270](https://github.com/Microsoft/PowerStig/issues/270)'
        } # End of PSData hashtable
    } # End of PrivateData hashtable
 }
--- a/README.md
+++ b/README.md
@ -66,7 +66,7 @@ The PowerStig.Data classes provide methods to:
 1. Exclude a rule if it is already defined in another STIG (de-duplication) and automatically document the exception to policy
 1. Exclude an entire class of rules (intended for testing and integration) and automatically document the exception to policy
-For detailed information, please see the [StigData Wiki](https://github.com/Microsoft/PowerStig/wiki/Stig)
+For detailed information, please see the [StigData Wiki](https://github.com/Microsoft/PowerStig/wiki/Stig).  For STIG xml file hashes please refer to [File Hashes](https://github.com/Microsoft/PowerStig/FILEHASH.md).
 ## PowerStig.DSC
--- a/Directory/U_Active_Directory_Domain_STIG_V2R12_Manual-xccdf.xml
+++ b/Directory/U_Active_Directory_Domain_STIG_V2R12_Manual-xccdf.xml
--- a/Server/U_MS_SQL_Server_2012_Database_STIG_V1R18_Manual-xccdf.xml
+++ b/Server/U_MS_SQL_Server_2012_Database_STIG_V1R18_Manual-xccdf.xml
--- a/Server/U_MS_IIS_8-5_Server_STIG_V1R6_Manual-xccdf.xml
+++ b/Server/U_MS_IIS_8-5_Server_STIG_V1R6_Manual-xccdf.xml
--- a/StigData/Archive/Windows.Client/U_Windows_10_STIG_V1R16_Manual-xccdf.xml
+++ b/StigData/Archive/Windows.Client/U_Windows_10_STIG_V1R16_Manual-xccdf.xml
--- a/StigData/Archive/Windows.DNS/U_MS_Windows_2012_Server_DNS_STIG_V1R11_Manual-xccdf.xml
+++ b/StigData/Archive/Windows.DNS/U_MS_Windows_2012_Server_DNS_STIG_V1R11_Manual-xccdf.xml
--- a/StigData/Archive/Windows.DNS/U_MS_Windows_2012_Server_DNS_STIG_V1R6_Manual-xccdf.xml
+++ b/StigData/Archive/Windows.DNS/U_MS_Windows_2012_Server_DNS_STIG_V1R6_Manual-xccdf.xml
--- a/StigData/Archive/Windows.Server.2012R2/U_Windows_2012_and_2012_R2_DC_STIG-xccdf.md
+++ b/StigData/Archive/Windows.Server.2012R2/U_Windows_2012_and_2012_R2_DC_STIG-xccdf.md
@ -8,6 +8,14 @@ Updates are listed in the following format:
 RuleId::LineNumber(ZeroIndex)::Updated line
 ## V2R15
 * V-2377::8::If the value for "Maximum lifetime for service ticket" is "0" or greater than "600" minutes, this is a finding.
 * V-2378::8::If the value for "Maximum lifetime for user ticket" is "0" or greater than "10" hours, this is a finding.
 * V-2379::8::If the "Maximum lifetime for user ticket renewal" is greater than "7" days, this is a finding.
 * V-2380::8::If the "Maximum tolerance for computer clock synchronization" is greater than "5" minutes, this is a finding.
 * V-36707::8::Value:  1 (Give user a warning…) Or 2 (Require approval…)
 ## V2R14
 * V-2377::8::If the value for "Maximum lifetime for service ticket" is "0" or greater than "600" minutes, this is a finding.
--- a/StigData/Archive/Windows.Server.2012R2/U_Windows_2012_and_2012_R2_DC_STIG_V2R15_Manual-xccdf.xml
+++ b/StigData/Archive/Windows.Server.2012R2/U_Windows_2012_and_2012_R2_DC_STIG_V2R15_Manual-xccdf.xml
--- a/StigData/Archive/Windows.Server.2016/U_MS_Windows_Server_2016_DC_STIG_V1R7_Manual-xccdf.xml
+++ b/StigData/Archive/Windows.Server.2016/U_MS_Windows_Server_2016_DC_STIG_V1R7_Manual-xccdf.xml
@ -3224,7 +3224,7 @@ For each folder, view the Properties.
 Select the "Security" tab and the "Advanced" button.
 Default permissions:
-\Windows
+C:\Windows
 Type - "Allow" for all
 Inherited from - "None" for all
@ -8150,11 +8150,11 @@ Registry Path: \SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPath
 Value Name: \\*\NETLOGON
 Value Type: REG_SZ
-Value: RequireMutualAuthentication=1, RequireIntegrity=1
+Value: RequireMutualAuthentication=1,RequireIntegrity=1
 Value Name: \\*\SYSVOL
 Value Type: REG_SZ
-Value: RequireMutualAuthentication=1, RequireIntegrity=1
+Value: RequireMutualAuthentication=1,RequireIntegrity=1
 Additional entries would not be a finding.</check-content>
      </check>
@ -8406,7 +8406,7 @@ Registry Path: \SYSTEM\CurrentControlSet\Policies\EarlyLaunch\
 Value Name: DriverLoadPolicy
 Value Type: REG_DWORD
-Value: 0x00000001 (1), 0x00000003 (3), or 0x00000008 (8) (or if the Value Name does not exist)
+Value: 0x00000001 (1) or 0x00000003 (3) or 0x00000008 (8) (or if the Value Name does not exist)
 Possible values for this setting are:
 8 - Good only
@ -8759,7 +8759,7 @@ Registry Path: \SOFTWARE\Policies\Microsoft\Windows\DataCollection\
 Value Name: AllowTelemetry
 Type: REG_DWORD
-Value: 0x00000000 (0) (Security), 0x00000001 (1) (Basic)</check-content>
+Value: 0x00000000 (0) (Security) or 0x00000001 (1) (Basic)</check-content>
      </check>
    </Rule>
  </Group>
@ -9426,7 +9426,7 @@ Enabling PowerShell script block logging will record detailed information from t
        <check-content>If the following registry value does not exist or is not configured as specified, this is a finding.
 Registry Hive: HKEY_LOCAL_MACHINE
-Registry Path: \SOFTWARE\ Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\
+Registry Path: \SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\
 Value Name: EnableScriptBlockLogging
@ -11487,8 +11487,7 @@ Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
 Value Name: ConsentPromptBehaviorAdmin
 Value Type: REG_DWORD
-Value: 0x00000002 (2) (Prompt for consent on the secure desktop)
+Value: 0x00000001 (1) (Prompt for credentials on the secure desktop) or 0x00000002 (2) (Prompt for consent on the secure desktop)</check-content>
 0x00000001 (1) (Prompt for credentials on the secure desktop)</check-content>
      </check>
    </Rule>
  </Group>
--- a/StigData/Archive/Windows.Server.2016/U_MS_Windows_Server_2016_MS_STIG_V1R7_Manual-xccdf.xml
+++ b/StigData/Archive/Windows.Server.2016/U_MS_Windows_Server_2016_MS_STIG_V1R7_Manual-xccdf.xml
@ -3237,7 +3237,7 @@ For each folder, view the Properties.
 Select the "Security" tab and the "Advanced" button.
 Default permissions:
-\Windows
+C:\Windows
 Type - "Allow" for all
 Inherited from - "None" for all
@ -6459,11 +6459,11 @@ Registry Path: \SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPath
 Value Name: \\*\NETLOGON
 Value Type: REG_SZ
-Value: RequireMutualAuthentication=1, RequireIntegrity=1
+Value: RequireMutualAuthentication=1,RequireIntegrity=1
 Value Name: \\*\SYSVOL
 Value Type: REG_SZ
-Value: RequireMutualAuthentication=1, RequireIntegrity=1
+Value: RequireMutualAuthentication=1,RequireIntegrity=1
 Additional entries would not be a finding.</check-content>
      </check>
@ -6715,7 +6715,7 @@ Registry Path: \SYSTEM\CurrentControlSet\Policies\EarlyLaunch\
 Value Name: DriverLoadPolicy
 Value Type: REG_DWORD
-Value: 0x00000001 (1), 0x00000003 (3), or 0x00000008 (8) (or if the Value Name does not exist)
+Value: 0x00000001 (1) or 0x00000003 (3) or 0x00000008 (8) (or if the Value Name does not exist)
 Possible values for this setting are:
 8 - Good only
@ -7134,7 +7134,7 @@ Registry Path: \SOFTWARE\Policies\Microsoft\Windows\DataCollection\
 Value Name: AllowTelemetry
 Type: REG_DWORD
-Value: 0x00000000 (0) (Security), 0x00000001 (1) (Basic)</check-content>
+Value: 0x00000000 (0) (Security) or 0x00000001 (1) (Basic)</check-content>
      </check>
    </Rule>
  </Group>
@ -7801,7 +7801,7 @@ Enabling PowerShell script block logging will record detailed information from t
        <check-content>If the following registry value does not exist or is not configured as specified, this is a finding.
 Registry Hive: HKEY_LOCAL_MACHINE
-Registry Path: \SOFTWARE\ Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\
+Registry Path: \SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\
 Value Name: EnableScriptBlockLogging
@ -9667,8 +9667,7 @@ Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
 Value Name: ConsentPromptBehaviorAdmin
 Value Type: REG_DWORD
-Value: 0x00000002 (2) (Prompt for consent on the secure desktop)
+Value: 0x00000001 (1) (Prompt for credentials on the secure desktop) or 0x00000002 (2) (Prompt for consent on the secure desktop)</check-content>
 0x00000001 (1) (Prompt for credentials on the secure desktop)</check-content>
      </check>
    </Rule>
  </Group>
--- a/StigData/Archive/Windows.Server.2016/U_MS_Windows_Server_2016_STIG_V1R7_Manual-xccdf.md
+++ b/StigData/Archive/Windows.Server.2016/U_MS_Windows_Server_2016_STIG_V1R7_Manual-xccdf.md
@ -0,0 +1,13 @@
 # Formatting updates
 ## Changes
 V-73509::RequireMutualAuthentication=1, RequireIntegrity=1::RequireMutualAuthentication=1,RequireIntegrity=1
 V-73509::RequireMutualAuthentication=1, RequireIntegrity=1::RequireMutualAuthentication=1,RequireIntegrity=1
 V-73521::0x00000001 (1), 0x00000003 (3), or 0x00000008 (8)::0x00000001 (1) or 0x00000003 (3) or 0x00000008 (8)
 V-73591::\SOFTWARE\ Policies::\SOFTWARE\Policies
 V-73551::0x00000000 (0) (Security), 0x00000001 (1) (Basic)::0x00000000 (0) (Security) or 0x00000001 (1) (Basic)
 V-73711::0x00000002 (2) (Prompt for consent on the secure desktop)
 0x00000001 (1) (Prompt for credentials on the secure desktop)::Value: 0x00000001 (1) (Prompt for credentials on the secure desktop) or 0x00000002 (2) (Prompt for consent on the secure desktop)
 V-73251::\Program Files and \Program Files (x86)::C:\Program Files and C:\Program Files (x86)
 V-73253::\Windows::C:\Windows
--- a/StigData/Archive/Windows.Server.2016/U_MS_Windows_Server_2016_STIG_V1R7_Manual-xccdf.xml
+++ b/StigData/Archive/Windows.Server.2016/U_MS_Windows_Server_2016_STIG_V1R7_Manual-xccdf.xml
--- a/StigData/Archive/Windows.Server.2016/U_Windows_Server_2016_DC_STIG_V1R6_Manual-xccdf.xml
+++ b/StigData/Archive/Windows.Server.2016/U_Windows_Server_2016_DC_STIG_V1R6_Manual-xccdf.xml
@ -4948,7 +4948,7 @@ Inherited from - "None" for all
 Principal - Access - Applies to
 Authenticated Users - Read &amp; execute - This folder, subfolder, and files
-Server Operators - Read &amp; execute - This folder, subfolder, and files
+Server Operators - Read &amp; execute- This folder, subfolder, and files
 Administrators - Special - This folder only (Special = Basic Permissions: all selected except Full control)
 CREATOR OWNER - Full control - Subfolders and files only
 Administrators - Full control - Subfolders and files only
@ -5008,7 +5008,7 @@ Inherited from - "None" for all
 Principal - Access - Applies to
 Authenticated Users - Read &amp; execute - This folder, subfolder, and files
-Server Operators - Read &amp; execute - This folder, subfolder, and files
+Server Operators - Read &amp; execute- This folder, subfolder, and files
 Administrators - Special - This folder only (Special = Basic Permissions: all selected except Full control)
 CREATOR OWNER - Full control - Subfolders and files only
 Administrators - Full control - Subfolders and files only
--- a/StigData/Archive/Windows.Server.2016/U_Windows_Server_2016_STIG_V1R4_Manual-xccdf.md
+++ b/StigData/Archive/Windows.Server.2016/U_Windows_Server_2016_STIG_V1R4_Manual-xccdf.md
@ -0,0 +1,16 @@
 # Windows Server 2016 formatting updates
 xccdf files are formated to ease reading the raw content using the following VS Code extension
 https://marketplace.visualstudio.com/items?itemName=DotJoshJohnson.xml
 Updates are listed in the following format:
 RuleId::LineNumber(ZeroIndex)::Updated line
 ## Changes
 V-73509::RequireMutualAuthentication=1, RequireIntegrity=1::RequireMutualAuthentication=1,RequireIntegrity=1
 V-73509::RequireMutualAuthentication=1, RequireIntegrity=1::RequireMutualAuthentication=1,RequireIntegrity=1
 V-73521::0x00000001 (1), 0x00000003 (3), or 0x00000008 (8)::0x00000001 (1) or 0x00000003 (3) or 0x00000008 (8)
 V-73591::\SOFTWARE\ Policies::\SOFTWARE\Policies
--- a/StigData/Archive/Windows.Server.2016/U_Windows_Server_2016_STIG_V1R6_Manual-xccdf.md
+++ b/StigData/Archive/Windows.Server.2016/U_Windows_Server_2016_STIG_V1R6_Manual-xccdf.md
@ -0,0 +1,36 @@
 # Windows Server 2016 formatting updates
 xccdf files are formated to ease reading the raw content using the following VS Code extension
 https://marketplace.visualstudio.com/items?itemName=DotJoshJohnson.xml
 Updates are listed in the following format:
 Here is an example of how to extract the changes and auto update new files as they are released to create a new change markdown file.
 ```powershell
 $matcher = '(?<id>V-\d+)(?:::)(?<oldText>[^::]+)(?:::)(?<newText>.+)'
 $string = Get-Content -Path 'C:\Users\adamh\source\repos\PowerSTIG\PowerStig\StigData\Archive\Windows.Server.2016\U_Windows_Server_2016_STIG_V1R6_Manual-xccdf.md' -RAW
 $changes = [regex]::Matches($string, $matcher)
 foreach($change in $changes)
 {
    $change.Groups.Item('id').value
    $change.Groups.Item('oldText').value
    $change.Groups.Item('newText').value
 }
 ```
 ## Changes
 V-73509::RequireMutualAuthentication=1, RequireIntegrity=1::RequireMutualAuthentication=1,RequireIntegrity=1
 V-73509::RequireMutualAuthentication=1, RequireIntegrity=1::RequireMutualAuthentication=1,RequireIntegrity=1
 V-73521::0x00000001 (1), 0x00000003 (3), or 0x00000008 (8)::0x00000001 (1) or 0x00000003 (3) or 0x00000008 (8)
 V-73591::\SOFTWARE\ Policies::\SOFTWARE\Policies
 V-73551::0x00000000 (0) (Security), 0x00000001 (1) (Basic)::0x00000000 (0) (Security) or 0x00000001 (1) (Basic)
 V-73711::0x00000002 (2) (Prompt for consent on the secure desktop)
 0x00000001 (1) (Prompt for credentials on the secure desktop)::Value: 0x00000001 (1) (Prompt for credentials on the secure desktop) or 0x00000002 (2) (Prompt for consent on the secure desktop)
 V-73251::\Program Files and \Program Files (x86)::C:\Program Files and C:\Program Files (x86)
 V-73253::\Windows::C:\Windows
--- a/StigData/Archive/browser/U_Mozilla_FireFox_STIG_V4R24_Manual-xccdf.xml
+++ b/StigData/Archive/browser/U_Mozilla_FireFox_STIG_V4R24_Manual-xccdf.xml
--- a/StigData/Processed/IISServer-8.5-1.5.org.default.xml
+++ b/StigData/Processed/IISServer-8.5-1.5.org.default.xml
@ -6,6 +6,6 @@
    associated comment.
 -->
 <OrganizationalSettings version="1.5">
-  <!-- Ensure [TimeSpan]'V-76727.b' -le [TimeSpan]'00:20:00'-->
+  <!-- Ensure ''V-76727.b'' -le '00:20:00'-->
-  <OrganizationalSetting id="V-76727.b" value="'00:20:00'" />
+  <OrganizationalSetting id="V-76727.b" value='00:20:00' />
 </OrganizationalSettings>
--- a/StigData/Processed/IISServer-8.5-1.5.xml
+++ b/StigData/Processed/IISServer-8.5-1.5.xml
@ -1,6 +1,9 @@
-<DISASTIG id="IIS_8-5_Server_STIG" version="1.5" created="11/5/2018">
+<DISASTIG version="1" classification="UNCLASSIFIED" customname="" stigid="IIS_8-5_Server_STIG" description="This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil." filename="U_MS_IIS_8-5_Server_STIG_V1R5_Manual-xccdf.xml" releaseinfo="Release: 5 Benchmark Date: 26 Oct 2018" title="IIS 8.5 Server Security Technical Implementation Guide" notice="terms-of-use" source="STIG.DOD.MIL" fullversion="1.5" created="1/30/2019">
  <DocumentRule dscresourcemodule="None">
    <Rule id="V-76679" severity="medium" conversionstatus="pass" title="SRG-APP-000015-WSR-000014" dscresource="None">
      <Description>&lt;VulnDiscussion&gt;Logging onto a web server remotely using an unencrypted protocol or service when performing updates and maintenance is a major risk. Data, such as user account, is transmitted in plaintext and can easily be compromised. When performing remote administrative tasks, a protocol or service that encrypts the communication channel must be used.
 An alternative to remote administration of the web server is to perform web server administration locally at the console. Local administration at the console implies physical access to the server.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
@ -29,6 +32,9 @@ If remote management meets the criteria listed above, this is not a finding.
 If remote management is utilized and does not meet the criteria listed above, this is a finding.</RawString>
    </Rule>
    <Rule id="V-76699" severity="medium" conversionstatus="pass" title="SRG-APP-000141-WSR-000015" dscresource="None">
      <Description>&lt;VulnDiscussion&gt;User management and authentication can be an essential part of any application hosted by the web server. Along with authenticating users, the user management function must perform several other tasks like password complexity, locking users after a configurable number of failed logons, and management of temporary and emergency accounts; and all of this must be done enterprise-wide.
 The web server contains a minimal user management function, but the web server user management function does not offer enterprise-wide user management, and user management is not the primary function of the web server. User management for the hosted applications should be done through a facility that is built for enterprise-wide user management, like LDAP and Active Directory.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
@ -43,6 +49,9 @@ If the IIS web server is performing user management for hosted applications, thi
 If the IIS 8.5 web server is hosting an application and the SA cannot provide supporting documentation on how the application's user management is accomplished outside of the IIS 8.5 web server, this is a finding.</RawString>
    </Rule>
    <Rule id="V-76701" severity="medium" conversionstatus="pass" title="SRG-APP-000141-WSR-000075" dscresource="None">
      <Description>&lt;VulnDiscussion&gt;A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system.
 The web server must provide the capability to disable, uninstall, or deactivate functionality and services that are deemed to be non-essential to the web server mission or can adversely impact server performance.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
@ -59,6 +68,7 @@ Review the installed programs, if any programs are installed other than those re
 Note: If additional software is needed supporting documentation must be signed by the ISSO.</RawString>
    </Rule>
    <Rule id="V-76719" severity="high" conversionstatus="pass" title="SRG-APP-000211-WSR-000030" dscresource="None">
      <Description>&lt;VulnDiscussion&gt;As a rule, accounts on a web server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require accounts on the machine hosting the web server. This is in addition to the anonymous web user account. The resources to which these accounts have access must also be closely monitored and controlled. Only the SA needs access to all the system’s capabilities, while the web administrator and associated staff require access and control of the web content and web server configuration files. The anonymous web user account must not have access to system resources as that account could then control the server.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
@ -75,6 +85,9 @@ If undocumented privileged accounts are found, this is a finding.
 If undocumented non-administrator access to shell scripts and operating system functions are found, this is a finding.</RawString>
    </Rule>
    <Rule id="V-76729" severity="medium" conversionstatus="pass" title="SRG-APP-000225-WSR-000074" dscresource="None">
      <Description>&lt;VulnDiscussion&gt;Making certain that the web server has not been updated by an unauthorized user is always a concern. Adding patches, functions, and modules that are untested and not part of the baseline opens the possibility for security risks. The web server must offer, and not hinder, a method that allows for the quick and easy reinstallation of a verified and patched baseline to guarantee the production web server is up-to-date and has not been modified to add functionality or expose security risks.
 When the web server does not offer a method to roll back to a clean baseline, external methods, such as a baseline snapshot or virtualizing the web server, can be used.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
@ -85,6 +98,7 @@ Ask for documentation on the disaster recovery methods tested and planned for th
 If documentation for a disaster recovery has not been established, this is a finding.</RawString>
    </Rule>
    <Rule id="V-76735" severity="medium" conversionstatus="pass" title="SRG-APP-000266-WSR-000142" dscresource="None">
      <Description>&lt;VulnDiscussion&gt;The indexing service can be used to facilitate a search function for websites. Enabling indexing may facilitate a directory traversal exploit and reveal unwanted information to a malicious user. Indexing must be limited to web document directories only.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
@ -103,6 +117,7 @@ Review the Catalog keys to determine if directories other than web document dire
 If so, this is a finding.</RawString>
    </Rule>
    <Rule id="V-76739" severity="high" conversionstatus="pass" title="SRG-APP-000315-WSR-000003" dscresource="None">
      <Description>&lt;VulnDiscussion&gt;Logging into a web server remotely using an unencrypted protocol or service when performing updates and maintenance is a major risk. Data, such as user account, is transmitted in plaintext and can easily be compromised. When performing remote administrative tasks, a protocol or service that encrypts the communication channel must be used.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
@ -131,6 +146,11 @@ If remote management meets the criteria listed above, this is not a finding.
 If remote management is utilized and does not meet the criteria listed above, this is a finding.</RawString>
    </Rule>
    <Rule id="V-76743" severity="medium" conversionstatus="pass" title="SRG-APP-000316-WSR-000170" dscresource="None">
      <Description>&lt;VulnDiscussion&gt;During an attack on the web server or any of the hosted applications, the system administrator may need to disconnect or disable access by users to stop the attack.
 The web server must provide a capability to disconnect users to a hosted application without compromising other hosted applications unless deemed necessary to stop the attack. Methods to disconnect or disable connections are to stop the application service for a specified hosted application, stop the web server, or block all connections through web server access list.
 The web server capabilities used to disconnect or disable users from connecting to hosted applications and the web server must be documented to make certain that, during an attack, the proper action is taken to conserve connectivity to any other hosted application if possible and to make certain log data is conserved for later forensic analysis.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
@ -155,8 +175,40 @@ If necessary, stop the IIS 8.5 web server by selecting the web server in the IIS
 In the "Actions" pane, under "Manage Server", click on "Stop".
 If the web server is not capable of or cannot be configured to disconnect or disable remote access to the hosted applications when necessary, this is a finding.</RawString>
    </Rule>
    <Rule id="V-76747" severity="medium" conversionstatus="pass" title="SRG-APP-000357-WSR-000150" dscresource="None">
      <Description>&lt;VulnDiscussion&gt;In order to make certain that the logging mechanism used by the web server has sufficient storage capacity in which to write the logs, the logging mechanism needs to be able to allocate log record storage capacity.
 The task of allocating log record storage capacity is usually performed during initial installation of the logging mechanism. The system administrator will usually coordinate the allocation of physical drive space with the web server administrator along with the physical location of the partition and disk. Refer to NIST SP 800-92 for specific requirements on log rotation and storage dependent on the impact of the web server.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Open the IIS 8.5 Manager.
 Click the IIS 8.5 web server name.
 Under "IIS" double-click on the "Logging" icon.
 In the "Logging" configuration box, determine the "Directory:" to which the "W3C" logging is being written.
 Confirm with the System Administrator that the designated log path is of sufficient size to maintain the logging.
 Under "Log File Rollover", verify the "Do not create new log files" is not selected.
 Verify a schedule is configured to rollover log files on a regular basis.
 Consult with the System Administrator to determine if there is a documented process for moving the log files off of the IIS 8.5 web server to another logging device.
 If the designated logging path device is not of sufficient space to maintain all log files and there is not a schedule to rollover files on a regular basis, this is a finding.</RawString>
    </Rule>
    <Rule id="V-76749" severity="medium" conversionstatus="pass" title="SRG-APP-000380-WSR-000072" dscresource="None">
      <Description>&lt;VulnDiscussion&gt;A web server can be modified through parameter modification, patch installation, upgrades to the web server or modules, and security parameter changes. With each of these changes, there is the potential for an adverse effect such as a DoS, web server instability, or hosted application instability.
 To limit changes to the web server and limit exposure to any adverse effects from the changes, files such as the web server application files, libraries, and configuration files must have permissions and ownership set properly to only allow privileged users access.
 The key web service administrative and configuration tools must only be accessible by the web server staff. All users granted this authority will be documented and approved by the ISSO. Access to the IIS Manager will be limited to authorized users and administrators.
 Satisfies: SRG-APP-000380-WSR-000072, SRG-APP-000435-WSR-000147, SRG-APP-000033-WSR-000169&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
@ -186,6 +238,9 @@ Compare the local documentation authorizing specific users, against the users ob
 If any other access is observed, this is a finding.</RawString>
    </Rule>
    <Rule id="V-76751" severity="medium" conversionstatus="pass" title="SRG-APP-000383-WSR-000175" dscresource="None">
      <Description>&lt;VulnDiscussion&gt;Web servers provide numerous processes, features, and functionalities that utilize TCP/IP ports. Some of these processes may be deemed unnecessary or too unsecure to run on a production system.
 The web server must provide the capability to disable or deactivate network-related services that are deemed to be non-essential to the server mission, are too unsecure, or are prohibited by the PPSM CAL and vulnerability assessments.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
@ -208,6 +263,7 @@ Review the installed programs, if any programs are installed other than those li
 Note: If additional software is needed and has supporting documentation signed by the ISSO, this is not a finding.</RawString>
    </Rule>
    <Rule id="V-76755" severity="medium" conversionstatus="pass" title="SRG-APP-000435-WSR-000148" dscresource="None">
      <Description>&lt;VulnDiscussion&gt;A Denial of Service (DoS) can occur when the web server is so overwhelmed that it can no longer respond to additional requests. A web server not properly tuned may become overwhelmed and cause a DoS condition even with expected traffic from users. To avoid a DoS, the web server must be tuned to handle the expected traffic for the hosted applications.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
@ -233,6 +289,9 @@ Navigate to HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\
 If explicit settings are not configured for "URIEnableCache", "UriMaxUriBytes" and "UriScavengerPeriod", this is a finding.</RawString>
    </Rule>
    <Rule id="V-76761" severity="medium" conversionstatus="pass" title="SRG-APP-000439-WSR-000156" dscresource="None">
      <Description>&lt;VulnDiscussion&gt;Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web server and client. FIPS 140-2-approved TLS versions must be enabled and non-FIPS-approved SSL versions must be disabled.
 NIST SP 800-52 defines the approved TLS versions for government applications.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
@ -241,6 +300,7 @@ If explicit settings are not configured for "URIEnableCache", "UriMaxUriBytes" a
 If the TLS version is not TLS 1.1 or higher, according to NIST SP 800-52, or if non-FIPS-approved algorithms are enabled, this is a finding.</RawString>
    </Rule>
    <Rule id="V-76767" severity="medium" conversionstatus="pass" title="SRG-APP-000516-WSR-000174" dscresource="None">
      <Description>&lt;VulnDiscussion&gt;Some Component Object Model (COM) components are not required for most applications and should be removed if possible. Most notably, consider disabling the File System Object component; however, this will also remove the Dictionary object. Be aware some programs may require this component (e.g., Commerce Server), so it is highly recommended this be tested completely before implementing on the production web server.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
@ -255,6 +315,13 @@ Note: If the File System Object component is required for operations and has sup
  </DocumentRule>
  <IisLoggingRule dscresourcemodule="xWebAdministration">
    <Rule id="V-76681" severity="medium" conversionstatus="pass" title="SRG-APP-000092-WSR-000055" dscresource="xIISLogging">
      <Description>&lt;VulnDiscussion&gt;Log files are a critical component to the successful management of an IS used within the DoD. By generating log files with useful information web administrators can leverage them in the event of a disaster, malicious attack, or other site specific needs.
 Ascertaining the correct order of the events that occurred is important during forensic analysis. Events that appear harmless by themselves might be flagged as a potential threat when properly viewed in sequence. By also establishing the event date and time, an event can be properly viewed with an enterprise tool to fully see a possible threat in its entirety.
 Without sufficient information establishing when the log event occurred, investigation into the cause of event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.
 Satisfies: SRG-APP-000092-WSR-000055, SRG-APP-000093-WSR-000053, SRG-APP-000095-WSR-000056, SRG-APP-000096-WSR-000057, SRG-APP-000097-WSR-000058, SRG-APP-000097-WSR-000059&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LogCustomFieldEntry />
      <LogFlags>Date,Time,ClientIP,UserName,Method,UriQuery,ProtocolVersion,Referer</LogFlags>
@ -276,6 +343,11 @@ Click "Select Fields", verify at a minimum the following fields are checked: Dat
 If not, this is a finding.</RawString>
    </Rule>
    <Rule id="V-76683" severity="medium" conversionstatus="pass" title="SRG-APP-000092-WSR-000055" dscresource="xIISLogging">
      <Description>&lt;VulnDiscussion&gt;Internet Information Services (IIS) on Windows Server 2012 provides basic logging capabilities. However, because IIS takes some time to flush logs to disk, administrators do not have access to logging information in real-time. In addition, text-based log files can be difficult and time-consuming to process.
 In IIS 8.5, the administrator has the option of sending logging information to Event Tracing for Windows (ETW). This option gives the administrator the ability to use standard query tools, or create custom tools, for viewing real-time logging information in ETW. This provides a significant advantage over parsing text-based log files that are not updated in real time.
 Satisfies: SRG-APP-000092-WSR-000055, SRG-APP-000108-WSR-000166, SRG-APP-000358-WSR-000063&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LogCustomFieldEntry />
      <LogFlags />
@ -295,6 +367,11 @@ Under Log Event Destination, verify the "Both log file and ETW event" radio butt
 If the "Both log file and ETW event" radio button is not selected, this is a finding.</RawString>
    </Rule>
    <Rule id="V-76687" severity="medium" conversionstatus="pass" title="SRG-APP-000099-WSR-000061" dscresource="xIISLogging">
      <Description>&lt;VulnDiscussion&gt;Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined.
 Ascertaining the success or failure of an event is important during forensic analysis. Correctly determining the outcome will add information to the overall reconstruction of the logable event. By determining the success or failure of the event correctly, analysis of the enterprise can be undertaken to determine if events tied to the event occurred in other areas within the enterprise.
 Without sufficient information establishing the success or failure of the logged event, investigation into the cause of event is severely hindered. The success or failure also provides a means to measure the impact of an event and help authorized personnel to determine the appropriate response. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LogCustomFieldEntry>
        <Entry>
@ -332,6 +409,11 @@ If any of the above fields are not selected, this is a finding.
 </RawString>
    </Rule>
    <Rule id="V-76689" severity="medium" conversionstatus="pass" title="SRG-APP-000100-WSR-000064" dscresource="xIISLogging">
      <Description>&lt;VulnDiscussion&gt;Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined.
 Determining user accounts, processes running on behalf of the user, and running process identifiers also enable a better understanding of the overall event. User tool identification is also helpful to determine if events are related to overall user access or specific client tools.
 Log record content that may be necessary to satisfy the requirement of this control includes: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LogCustomFieldEntry>
        <Entry>
@ -376,36 +458,14 @@ Response Header &gt;&gt; Content-Type
 If any of the above fields are not selected, this is a finding.
 </RawString>
    </Rule>
    <Rule id="V-76747" severity="medium" conversionstatus="pass" title="SRG-APP-000357-WSR-000150" dscresource="xIISLogging">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <LogCustomFieldEntry />
      <LogFlags />
      <LogFormat />
      <LogPeriod>daily</LogPeriod>
      <LogTargetW3C />
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Open the IIS 8.5 Manager.
 Click the IIS 8.5 web server name.
 Under "IIS" double-click on the "Logging" icon.
 In the "Logging" configuration box, determine the "Directory:" to which the "W3C" logging is being written.
 Confirm with the System Administrator that the designated log path is of sufficient size to maintain the logging.
 Under "Log File Rollover", verify the "Do not create new log files" is not selected.
 Verify a schedule is configured to rollover log files on a regular basis.
 Consult with the System Administrator to determine if there is a documented process for moving the log files off of the IIS 8.5 web server to another logging device.
 If the designated logging path device is not of sufficient space to maintain all log files and there is not a schedule to rollover files on a regular basis, this is a finding.</RawString>
    </Rule>
  </IisLoggingRule>
  <ManualRule dscresourcemodule="None">
    <Rule id="V-76685" severity="medium" conversionstatus="pass" title="SRG-APP-000098-WSR-000060" dscresource="None">
      <Description>&lt;VulnDiscussion&gt;Web server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined.
 Ascertaining the correct source, e.g. source IP, of the events is important during forensic analysis. Correctly determining the source of events will add information to the overall reconstruction of the logable event. By determining the source of the event correctly, analysis of the enterprise can be undertaken to determine if events tied to the source occurred in other areas within the enterprise.
 A web server behind a load balancer or proxy server, when not configured correctly, will record the load balancer or proxy server as the source of every logable event. When looking at the information forensically, this information is not helpful in the investigation of events. The web server must record with each event the client source of the event.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
@ -428,6 +488,7 @@ When the log file is displayed, review source IP information in log entries and
 If the log entries in the log file(s) reflect the IP address of the proxy server as the source, this is a finding.</RawString>
    </Rule>
    <Rule id="V-76695" severity="medium" conversionstatus="pass" title="SRG-APP-000120-WSR-000070" dscresource="None">
      <Description>&lt;VulnDiscussion&gt;A major tool in exploring the website use, attempted use, unusual conditions, and problems are the access and error logs. In the event of a security incident, these logs can provide the SA and the web manager with valuable information. Failure to protect log files could enable an attacker to modify the log file data or falsify events to mask an attacker's activity.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
@ -462,6 +523,7 @@ This check does not apply to service account IDs utilized by automated services
 </RawString>
    </Rule>
    <Rule id="V-76697" severity="medium" conversionstatus="pass" title="SRG-APP-000125-WSR-000071" dscresource="None">
      <Description>&lt;VulnDiscussion&gt;Protection of log data includes assuring log data is not accidentally lost or deleted. Backing up log records to an unrelated system or onto separate media than the system the web server is actually running on helps to assure that, in the event of a catastrophic system failure, the log records will be retained.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
@ -486,6 +548,7 @@ If the paths of all log files are not part of the system backup and/or not backe
 </RawString>
    </Rule>
    <Rule id="V-76703" severity="medium" conversionstatus="pass" title="SRG-APP-000141-WSR-000076" dscresource="None">
      <Description>&lt;VulnDiscussion&gt;A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended. Scanning for web servers that will also proxy requests into an otherwise protected network is a very common attack making the attack anonymous.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
@ -504,6 +567,7 @@ In the "Application Request Routing" settings window, verify whether "Enable pro
 If “Enable proxy" is selected under the "Application Request Routing" settings, this is a finding.</RawString>
    </Rule>
    <Rule id="V-76705" severity="high" conversionstatus="pass" title="SRG-APP-000141-WSR-000077" dscresource="None">
      <Description>&lt;VulnDiscussion&gt;Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server. A production web server may only contain components that are operationally necessary (i.e., compiled code, scripts, web content, etc.). Delete all directories containing samples and any scripts used to execute the samples.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
@ -516,6 +580,11 @@ Program Files (x86)\Common Files\System\msadc
 If the folder or sub-folders contain any executable sample code, example applications, or tutorials which are not explicitly used by a production website, this is a finding.</RawString>
    </Rule>
    <Rule id="V-76707" severity="medium" conversionstatus="pass" title="SRG-APP-000141-WSR-000078" dscresource="None">
      <Description>&lt;VulnDiscussion&gt;When accounts used for web server features such as documentation, sample code, example applications, tutorials, utilities, and services are created even though the feature is not installed, they become an exploitable threat to a web server.
 These accounts become inactive, are not monitored through regular use, and passwords for the accounts are not created or updated. An attacker, through very little effort, can use these accounts to gain access to the web server and begin investigating ways to elevate the account privileges.
 The accounts used for web server features not installed must not be created and must be deleted when these features are uninstalled.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
@ -530,6 +599,9 @@ Review the local users listed in the middle pane.
 If any local accounts are present and were created by features which have been uninstalled or are not used, this is a finding.</RawString>
    </Rule>
    <Rule id="V-76709" severity="medium" conversionstatus="pass" title="SRG-APP-000141-WSR-000080" dscresource="None">
      <Description>&lt;VulnDiscussion&gt;Just as running unneeded services and protocols is a danger to the web server at the lower levels of the OSI model, running unneeded utilities and programs is also a danger at the application layer of the OSI model. Office suites, development tools, and graphical editors are examples of such programs that are troublesome.
 Individual productivity tools have no legitimate place or use on an enterprise, production web server and they are also prone to their own security risks. The web server installation process must provide options allowing the installer to choose which utility programs, services, and modules are to be installed or removed. By having a process for installation and removal, the web server is guaranteed to be in a more stable and secure state than if these services and programs were installed and removed manually.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
@ -542,6 +614,7 @@ If any utility programs, features or modules are installed which are not necessa
 If any unnecessary Operating System features are installed, this is a finding.</RawString>
    </Rule>
    <Rule id="V-76715" severity="medium" conversionstatus="pass" title="SRG-APP-000175-WSR-000095" dscresource="None">
      <Description>&lt;VulnDiscussion&gt;This check verifies the server certificate is actually a DoD-issued certificate used by the organization being reviewed. This is used to verify the authenticity of the website to the user. If the certificate is not issued by the DoD or if the certificate has expired, then there is no assurance the use of the certificate is valid. The entire purpose of using a certificate is, therefore, compromised.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
@ -556,6 +629,11 @@ Double-click each certificate and verify the certificate path is to a DoD root C
 If not, this is a finding.</RawString>
    </Rule>
    <Rule id="V-76717" severity="medium" conversionstatus="pass" title="SRG-APP-000206-WSR-000128" dscresource="None">
      <Description>&lt;VulnDiscussion&gt;Mobile code in hosted applications allows the developer to add functionality and displays to hosted applications that are fluid, as opposed to a static web page. The data presentation becomes more appealing to the user, is easier to analyze, and navigation through the hosted application and data is much less complicated.
 Some mobile code technologies in use in today's applications are: Java, JavaScript, ActiveX, PDF, Postscript, Shockwave movies, Flash animations, and VBScript. The DoD has created policies that define the usage of mobile code on DoD systems. The usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on organizational servers and mobile code downloaded and executed on individual workstations.
 Source code for a Java program is, many times, stored in files with either .java or .jpp file extensions. From the .java and .jpp files the Java compiler produces a binary file with an extension of .class. The .java or .jpp file could therefore reveal sensitive information regarding an application's logic and permissions to resources on the server.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
@ -564,6 +642,9 @@ If not, this is a finding.</RawString>
 If files with .java or .jpp extensions are found, this is a finding.</RawString>
    </Rule>
    <Rule id="V-76721" severity="medium" conversionstatus="pass" title="SRG-APP-000211-WSR-000129" dscresource="None">
      <Description>&lt;VulnDiscussion&gt;The separation of user functionality from web server management can be accomplished by moving management functions to a separate IP address or port. To further separate the management functions, separate authentication methods and certificates should be used.
 By moving the management functionality, the possibility of accidental discovery of the management functions by non-privileged users during hosted application use is minimized.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
@ -578,6 +659,9 @@ If the IIS 8.5 web server hosts applications, review the application's managemen
 If the IIS 8.5 web server management and the application's management functionality is not separated, this is a finding.</RawString>
    </Rule>
    <Rule id="V-76741" severity="medium" conversionstatus="pass" title="SRG-APP-000315-WSR-000004" dscresource="None">
      <Description>&lt;VulnDiscussion&gt;Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions.
 A web server can be accessed remotely and must be capable of restricting access from what the DoD defines as nonsecure zones. Nonsecure zones are defined as any IP, subnet, or region that is defined as a threat to the organization. The nonsecure zones must be defined for public web servers logically located in a DMZ, as well as private web servers with perimeter protection devices. By restricting access from nonsecure zones, through internal web server access list, the web server can stop or slow denial of service (DoS) attacks on the web server.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
@ -598,6 +682,7 @@ Verify only known, secure IP ranges are configured as "Allow".
 If "IP Address Restrictions" are not configured or IP ranges configured to be "Allow" are not restrictive enough to prevent connections from nonsecure zones, this is a finding.</RawString>
    </Rule>
    <Rule id="V-76753" severity="medium" conversionstatus="pass" title="SRG-APP-000383-WSR-000175" dscresource="None">
      <Description>&lt;VulnDiscussion&gt;The use of Internet Printing Protocol (IPP) on an IIS web server allows client’s access to shared printers. This privileged access could allow remote code execution by increasing the web servers attack surface. Additionally, since IPP does not support SSL, it is considered a risk and will not be deployed.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
@ -618,6 +703,7 @@ Expand the roles node, then right-click “Print Services”, and then select
 If the Internet Printing option is enabled, this is a finding.</RawString>
    </Rule>
    <Rule id="V-76763" severity="medium" conversionstatus="pass" title="SRG-APP-000456-WSR-000187" dscresource="None">
      <Description>&lt;VulnDiscussion&gt;Several vulnerabilities are associated with older versions of web server software. As hot fixes and patches are issued, these solutions are included in the next version of the server software. Maintaining the web server at a current version makes the efforts of a malicious user more difficult.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
@ -631,6 +717,11 @@ If the version is more than one version behind the most recent patch level, this
 </RawString>
    </Rule>
    <Rule id="V-76765" severity="high" conversionstatus="pass" title="SRG-APP-000516-WSR-000079" dscresource="None">
      <Description>&lt;VulnDiscussion&gt;During installation of the web server software, accounts are created for the web server to operate properly. The accounts installed can have either no password installed or a default password, which will be known and documented by the vendor and the user community.
 The first things an attacker will try when presented with a logon screen are the default user identifiers with default passwords. Installed applications may also install accounts with no password, making the logon even easier. Once the web server is installed, the passwords for any created accounts should be changed and documented. The new passwords must meet the requirements for all passwords, i.e., upper/lower characters, numbers, special characters, time until change, reuse policy, etc.
 Service accounts or system accounts that have no logon capability do not need to have passwords set or changed.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
@ -647,6 +738,7 @@ If any local accounts are present and are used by IIS 8.5 verify with System Adm
 If passwords have not been changed from the default, this is a finding.</RawString>
    </Rule>
    <Rule id="V-76771" severity="medium" conversionstatus="pass" title="SRG-APP-000516-WSR-000174" dscresource="None">
      <Description>&lt;VulnDiscussion&gt;Authorization rules can be configured at the server, website, folder (including Virtual Directories), or file level. It is recommended that URL Authorization be configured to only grant access to the necessary security principals. Configuring a global Authorization rule that restricts access ensures inheritance of the settings down through the hierarchy of web directories. This will ensure access to current and future content is only granted to the appropriate principals, mitigating risk of unauthorized access.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
@ -662,6 +754,11 @@ If any user other than “Administrator” is listed, this is a finding.
  </ManualRule>
  <MimeTypeRule dscresourcemodule="xWebAdministration">
    <Rule id="V-76711.a" severity="medium" conversionstatus="pass" title="SRG-APP-000141-WSR-000081" dscresource="xIisMimeTypeMapping">
      <Description>&lt;VulnDiscussion&gt;Controlling what a user of a hosted application can access is part of the security posture of the web server. Any time a user can access more functionality than is needed for the operation of the hosted application poses a security issue. A user with too much access can view information that is not needed for the user's job role, or the user could use the function in an unintentional manner.
 A MIME tells the web server what type of program, various file types, and extensions are and what external utilities or programs are needed to execute the file type.
 A shell is a program that serves as the basic interface between the user and the operating system, so hosted application users must not have access to these programs. Shell programs may execute shell escapes and can then perform unauthorized activities that could damage the security posture of the web server.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <Ensure>Absent</Ensure>
      <Extension>.exe</Extension>
      <IsNullOrEmpty>False</IsNullOrEmpty>
@ -677,6 +774,11 @@ If any OS shell MIME types are configured, this is a finding.
 .exe</RawString>
    </Rule>
    <Rule id="V-76711.b" severity="medium" conversionstatus="pass" title="SRG-APP-000141-WSR-000081" dscresource="xIisMimeTypeMapping">
      <Description>&lt;VulnDiscussion&gt;Controlling what a user of a hosted application can access is part of the security posture of the web server. Any time a user can access more functionality than is needed for the operation of the hosted application poses a security issue. A user with too much access can view information that is not needed for the user's job role, or the user could use the function in an unintentional manner.
 A MIME tells the web server what type of program, various file types, and extensions are and what external utilities or programs are needed to execute the file type.
 A shell is a program that serves as the basic interface between the user and the operating system, so hosted application users must not have access to these programs. Shell programs may execute shell escapes and can then perform unauthorized activities that could damage the security posture of the web server.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <Ensure>Absent</Ensure>
      <Extension>.dll</Extension>
      <IsNullOrEmpty>False</IsNullOrEmpty>
@ -692,6 +794,11 @@ If any OS shell MIME types are configured, this is a finding.
 .dll</RawString>
    </Rule>
    <Rule id="V-76711.c" severity="medium" conversionstatus="pass" title="SRG-APP-000141-WSR-000081" dscresource="xIisMimeTypeMapping">
      <Description>&lt;VulnDiscussion&gt;Controlling what a user of a hosted application can access is part of the security posture of the web server. Any time a user can access more functionality than is needed for the operation of the hosted application poses a security issue. A user with too much access can view information that is not needed for the user's job role, or the user could use the function in an unintentional manner.
 A MIME tells the web server what type of program, various file types, and extensions are and what external utilities or programs are needed to execute the file type.
 A shell is a program that serves as the basic interface between the user and the operating system, so hosted application users must not have access to these programs. Shell programs may execute shell escapes and can then perform unauthorized activities that could damage the security posture of the web server.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <Ensure>Absent</Ensure>
      <Extension>.com</Extension>
      <IsNullOrEmpty>False</IsNullOrEmpty>
@ -707,6 +814,11 @@ If any OS shell MIME types are configured, this is a finding.
 .com</RawString>
    </Rule>
    <Rule id="V-76711.d" severity="medium" conversionstatus="pass" title="SRG-APP-000141-WSR-000081" dscresource="xIisMimeTypeMapping">
      <Description>&lt;VulnDiscussion&gt;Controlling what a user of a hosted application can access is part of the security posture of the web server. Any time a user can access more functionality than is needed for the operation of the hosted application poses a security issue. A user with too much access can view information that is not needed for the user's job role, or the user could use the function in an unintentional manner.
 A MIME tells the web server what type of program, various file types, and extensions are and what external utilities or programs are needed to execute the file type.
 A shell is a program that serves as the basic interface between the user and the operating system, so hosted application users must not have access to these programs. Shell programs may execute shell escapes and can then perform unauthorized activities that could damage the security posture of the web server.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <Ensure>Absent</Ensure>
      <Extension>.bat</Extension>
      <IsNullOrEmpty>False</IsNullOrEmpty>
@ -722,6 +834,11 @@ If any OS shell MIME types are configured, this is a finding.
 .bat</RawString>
    </Rule>
    <Rule id="V-76711.e" severity="medium" conversionstatus="pass" title="SRG-APP-000141-WSR-000081" dscresource="xIisMimeTypeMapping">
      <Description>&lt;VulnDiscussion&gt;Controlling what a user of a hosted application can access is part of the security posture of the web server. Any time a user can access more functionality than is needed for the operation of the hosted application poses a security issue. A user with too much access can view information that is not needed for the user's job role, or the user could use the function in an unintentional manner.
 A MIME tells the web server what type of program, various file types, and extensions are and what external utilities or programs are needed to execute the file type.
 A shell is a program that serves as the basic interface between the user and the operating system, so hosted application users must not have access to these programs. Shell programs may execute shell escapes and can then perform unauthorized activities that could damage the security posture of the web server.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <Ensure>Absent</Ensure>
      <Extension>.csh</Extension>
      <IsNullOrEmpty>False</IsNullOrEmpty>
@ -786,6 +903,7 @@ If any OS shell MIME types are configured, this is a finding.
          <Rights>ReadAndExecute,ListDirectory</Rights>
        </Entry>
      </AccessControlEntry>
      <Description>&lt;VulnDiscussion&gt;This check verifies the key web server system configuration files are owned by the SA or the web administrator controlled account. These same files that control the configuration of the web server, and thus its behavior, must also be accessible by the account running the web service. If these files are altered by a malicious user, the web server would no longer be under the control of its managers and owners; properties in the web server configuration could be altered to compromise the entire server platform.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <Force>True</Force>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
@ -809,6 +927,9 @@ Creator/Owner: Special permissions to subkeys</RawString>
  </PermissionRule>
  <RegistryRule dscresourcemodule="xPSDesiredStateConfiguration">
    <Rule id="V-76759.a" severity="high" conversionstatus="pass" title="SRG-APP-000439-WSR-000156" dscresource="xRegistry">
      <Description>&lt;VulnDiscussion&gt;Transport Layer Security (TLS) encryption is a required security setting for a private web server. Encryption of private information is essential to ensuring data confidentiality. If private information is not encrypted, it can be intercepted and easily read by an unauthorized party. A private web server must use a FIPS 140-2-approved TLS version, and all non-FIPS-approved SSL versions must be disabled.
 FIPS 140-2-approved TLS versions include TLS V1.1 or greater. NIST SP 800-52 specifies the preferred configurations for government systems.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server</Key>
@ -820,6 +941,9 @@ Creator/Owner: Special permissions to subkeys</RawString>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-76759.b" severity="high" conversionstatus="pass" title="SRG-APP-000439-WSR-000156" dscresource="xRegistry">
      <Description>&lt;VulnDiscussion&gt;Transport Layer Security (TLS) encryption is a required security setting for a private web server. Encryption of private information is essential to ensuring data confidentiality. If private information is not encrypted, it can be intercepted and easily read by an unauthorized party. A private web server must use a FIPS 140-2-approved TLS version, and all non-FIPS-approved SSL versions must be disabled.
 FIPS 140-2-approved TLS versions include TLS V1.1 or greater. NIST SP 800-52 specifies the preferred configurations for government systems.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server</Key>
@ -831,6 +955,9 @@ Creator/Owner: Special permissions to subkeys</RawString>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-76759.c" severity="high" conversionstatus="pass" title="SRG-APP-000439-WSR-000156" dscresource="xRegistry">
      <Description>&lt;VulnDiscussion&gt;Transport Layer Security (TLS) encryption is a required security setting for a private web server. Encryption of private information is essential to ensuring data confidentiality. If private information is not encrypted, it can be intercepted and easily read by an unauthorized party. A private web server must use a FIPS 140-2-approved TLS version, and all non-FIPS-approved SSL versions must be disabled.
 FIPS 140-2-approved TLS versions include TLS V1.1 or greater. NIST SP 800-52 specifies the preferred configurations for government systems.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server</Key>
@ -842,6 +969,9 @@ Creator/Owner: Special permissions to subkeys</RawString>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-76759.d" severity="high" conversionstatus="pass" title="SRG-APP-000439-WSR-000156" dscresource="xRegistry">
      <Description>&lt;VulnDiscussion&gt;Transport Layer Security (TLS) encryption is a required security setting for a private web server. Encryption of private information is essential to ensuring data confidentiality. If private information is not encrypted, it can be intercepted and easily read by an unauthorized party. A private web server must use a FIPS 140-2-approved TLS version, and all non-FIPS-approved SSL versions must be disabled.
 FIPS 140-2-approved TLS versions include TLS V1.1 or greater. NIST SP 800-52 specifies the preferred configurations for government systems.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server</Key>
@ -853,6 +983,9 @@ Creator/Owner: Special permissions to subkeys</RawString>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-76759.e" severity="high" conversionstatus="pass" title="SRG-APP-000439-WSR-000156" dscresource="xRegistry">
      <Description>&lt;VulnDiscussion&gt;Transport Layer Security (TLS) encryption is a required security setting for a private web server. Encryption of private information is essential to ensuring data confidentiality. If private information is not encrypted, it can be intercepted and easily read by an unauthorized party. A private web server must use a FIPS 140-2-approved TLS version, and all non-FIPS-approved SSL versions must be disabled.
 FIPS 140-2-approved TLS versions include TLS V1.1 or greater. NIST SP 800-52 specifies the preferred configurations for government systems.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server</Key>
@ -867,6 +1000,10 @@ Creator/Owner: Special permissions to subkeys</RawString>
  <WebConfigurationPropertyRule dscresourcemodule="xWebAdministration">
    <Rule id="V-76727.a" severity="medium" conversionstatus="pass" title="SRG-APP-000223-WSR-000145" dscresource="xWebConfigKeyValue">
      <ConfigSection>/system.web/sessionState</ConfigSection>
      <Description>&lt;VulnDiscussion&gt;ASP.NET provides a session state, which is available as the HttpSessionState class, as a method of storing session-specific information that is visible only within the session. ASP.NET session state identifies requests from the same browser during a limited time window as a session, and provides the ability to persist variable values for the duration of that session.
 Cookies associate session information with client information for the duration of a user’s connection to a website. Using cookies is a more efficient way to track session state than any of the methods that do not use cookies because cookies do not require any redirection.
 &lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>cookieless</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
@ -879,10 +1016,14 @@ Under "Cookie Settings", verify the "Use Cookies" mode is selected from the "Mod
    </Rule>
    <Rule id="V-76727.b" severity="medium" conversionstatus="pass" title="SRG-APP-000223-WSR-000145" dscresource="xWebConfigKeyValue">
      <ConfigSection>/system.web/sessionState</ConfigSection>
      <Description>&lt;VulnDiscussion&gt;ASP.NET provides a session state, which is available as the HttpSessionState class, as a method of storing session-specific information that is visible only within the session. ASP.NET session state identifies requests from the same browser during a limited time window as a session, and provides the ability to persist variable values for the duration of that session.
 Cookies associate session information with client information for the duration of a user’s connection to a website. Using cookies is a more efficient way to track session state than any of the methods that do not use cookies because cookies do not require any redirection.
 &lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>timeout</Key>
      <OrganizationValueRequired>True</OrganizationValueRequired>
-      <OrganizationValueTestString>[TimeSpan]{0} -le [TimeSpan]'00:20:00'</OrganizationValueTestString>
+      <OrganizationValueTestString>'{0}' -le '00:20:00'</OrganizationValueTestString>
      <RawString>Open the IIS 8.5 Manager.
 Click the IIS 8.5 web server name.
 Under the "ASP.NET" section, select "Session State".
@ -893,6 +1034,7 @@ If the "Use Cookies” mode is selected and Time-out (in minutes) is configured
    </Rule>
    <Rule id="V-76731" severity="medium" conversionstatus="pass" title="SRG-APP-000231-WSR-000144" dscresource="xWebConfigKeyValue">
      <ConfigSection>/system.web/machineKey</ConfigSection>
      <Description>&lt;VulnDiscussion&gt;The Machine Key element of the ASP.NET web.config specifies the algorithm and keys that ASP.NET will use for encryption. The Machine Key feature can be managed to specify hashing and encryption settings for application services such as view state, forms authentication, membership and roles, and anonymous identification. Ensuring a strong encryption method can mitigate the risk of data tampering in crucial functional areas such as forms authentication cookies, or view state.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>decryption</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
@ -911,6 +1053,7 @@ If "HMACSHA256" or stronger encryption is not selected for the Validation method
    </Rule>
    <Rule id="V-76733" severity="medium" conversionstatus="pass" title="SRG-APP-000251-WSR-000157" dscresource="xWebConfigKeyValue">
      <ConfigSection>/system.webServer/directoryBrowse</ConfigSection>
      <Description>&lt;VulnDiscussion&gt;Directory browsing allows the contents of a directory to be displayed upon request from a web client. If directory browsing is enabled for a directory in IIS, users could receive a web page listing the contents of the directory. If directory browsing is enabled the risk of inadvertently disclosing sensitive content is increased.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>enabled</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
@ -928,6 +1071,7 @@ If “Directory Browsing” is not disabled, this is a finding.</RawString>
    </Rule>
    <Rule id="V-76737" severity="medium" conversionstatus="pass" title="SRG-APP-000266-WSR-000159" dscresource="xWebConfigKeyValue">
      <ConfigSection>/system.webServer/httpErrors</ConfigSection>
      <Description>&lt;VulnDiscussion&gt;HTTP error pages contain information that could enable an attacker to gain access to an information system. Failure to prevent the sending of HTTP error pages with full information to remote requesters exposes internal configuration information to potential attackers.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>errormode</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
@ -945,6 +1089,7 @@ If any error message is not set to “Detailed errors for local requests and cus
    </Rule>
    <Rule id="V-76757" severity="medium" conversionstatus="pass" title="SRG-APP-000439-WSR-000152" dscresource="xWebConfigKeyValue">
      <ConfigSection>/system.webServer/asp/session</ConfigSection>
      <Description>&lt;VulnDiscussion&gt;The HTTP protocol is a stateless protocol. To maintain a session, a session identifier is used. The session identifier is a piece of data that is used to identify a session and a user. If the session identifier is compromised by an attacker, the session can be hijacked. By encrypting the session identifier, the identifier becomes more difficult for an attacker to hijack, decrypt, and use before the session has expired.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>keepSessionIdSecure</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
@ -966,6 +1111,7 @@ If the "keepSessionIdSecure" is not set to "True", this is a finding.</RawString
    </Rule>
    <Rule id="V-76769.a" severity="medium" conversionstatus="pass" title="SRG-APP-000516-WSR-000174" dscresource="xWebConfigKeyValue">
      <ConfigSection>/system.webServer/security/isapiCgiRestriction</ConfigSection>
      <Description>&lt;VulnDiscussion&gt;By allowing unspecified file extensions to execute, the web servers attack surface is significantly increased. This increased risk can be reduced by only allowing specific ISAPI extensions or CGI extensions to run on the web server.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>notListedCgisAllowed</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
@ -979,6 +1125,7 @@ Verify the "Allow unspecified CGI modules" check box is not checked</RawString>
    </Rule>
    <Rule id="V-76769.b" severity="medium" conversionstatus="pass" title="SRG-APP-000516-WSR-000174" dscresource="xWebConfigKeyValue">
      <ConfigSection>/system.webServer/security/isapiCgiRestriction</ConfigSection>
      <Description>&lt;VulnDiscussion&gt;By allowing unspecified file extensions to execute, the web servers attack surface is significantly increased. This increased risk can be reduced by only allowing specific ISAPI extensions or CGI extensions to run on the web server.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>notListedIsapisAllowed</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
@ -993,6 +1140,9 @@ Verify the "Allow unspecified ISAPI modules" check box is not checked</RawString
  </WebConfigurationPropertyRule>
  <WindowsFeatureRule dscresourcemodule="PSDesiredStateConfiguration">
    <Rule id="V-76713" severity="medium" conversionstatus="pass" title="SRG-APP-000141-WSR-000085" dscresource="WindowsFeature">
      <Description>&lt;VulnDiscussion&gt;A web server can be installed with functionality that, just by its nature, is not secure. Web Distributed Authoring (WebDAV) is an extension to the HTTP protocol that, when developed, was meant to allow users to create, change, and move documents on a server, typically a web server or web share. Allowing this functionality, development, and deployment is much easier for web authors.
 WebDAV is not widely used and has serious security concerns because it may allow clients to modify unauthorized files on the web server.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <FeatureName>Web-DAV-Publishing</FeatureName>
      <InstallState>Absent</InstallState>
      <IsNullOrEmpty>False</IsNullOrEmpty>
--- a/StigData/Processed/Mozilla-All-FireFox-4.24.org.default.xml
+++ b/StigData/Processed/Mozilla-All-FireFox-4.24.org.default.xml
@ -0,0 +1,8 @@
 <!--
    The organizational settings file is used to define the local organizations
    preferred setting within an allowed range of the STIG.
    Each setting in this file is linked by STIG ID and the valid range is in an
    associated comment.
 -->
 <OrganizationalSettings fullversion="4.24" />
--- a/StigData/Processed/Mozilla-All-FireFox-4.24.xml
+++ b/StigData/Processed/Mozilla-All-FireFox-4.24.xml
@ -0,0 +1,322 @@
 <DISASTIG version="4" classification="UNCLASSIFIED" customname="" stigid="Mozilla_FireFox_STIG" description="The Mozilla FireFox Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil" filename="U_Mozilla_FireFox_STIG_V4R24_Manual-xccdf.xml" releaseinfo="Release: 24 Benchmark Date: 25 Jan 2019" title="Mozilla FireFox Security Technical Implementation Guide" notice="terms-of-use" source="STIG.DOD.MIL" fullversion="4.24" created="1/30/2019">
  <FileContentRule dscresourcemodule="FileContentDsc">
    <Rule id="V-15768" severity="medium" conversionstatus="pass" title="FireFox Preferences – Verification" dscresource="ReplaceText">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>security.default_personal_cert</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Type "about:config" in the browser address bar. Verify  Preference Name "security.default_personal_cert" is set to "Ask Every Time" and is locked to prevent the user from altering.
 Criteria: If the value of "security.default_personal_cert" is set incorrectly or is not locked, then this is a finding.
 </RawString>
      <Value>Ask Every Time</Value>
    </Rule>
    <Rule id="V-15771" severity="medium" conversionstatus="pass" title="DTBF105 - FireFox Preferences – Shell Protocol" dscresource="ReplaceText">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>network.protocol-handler.external.shell</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Procedure: Open a browser window, type "about:config" in the address bar.
 Criteria: If the value of "network.protocol-handler.external.shell" is not "false" or is not locked, then this is a finding. </RawString>
      <Value>false</Value>
    </Rule>
    <Rule id="V-15772" severity="medium" conversionstatus="pass" title="DTBF110 - FireFox Preferences – Open Confirmation" dscresource="ReplaceText">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>plugin.default_plugin_disabled</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Open a browser window, type "about:config" in the address bar.
 Criteria: If the “plugin.default_plugin_disabled” value is not set to include the following external extensions and not locked, this is a finding:
 PDF, FDF, XFDF, LSL, LSO, LSS, IQY, RQY, XLK, XLS, XLT, POT, PPS, PPT, DOS, DOT, WKS, BAT, PS, EPS, WCH, WCM, WB1, WB3, RTF, DOC, MDB, MDE, WBK, WB1, WCH, WCM, AD, ADP.</RawString>
      <Value>PDF,FDF,XFDF,LSL,LSO,LSS,IQY,RQY,XLK,XLS,XLT,POT,PPS,PPT,DOS,DOT,WKS,BAT,PS,EPS,WCH,WCM,WB1,WB3,RTF,DOC,MDB,MDE,WBK,WB1,WCH,WCM,AD,ADP</Value>
    </Rule>
    <Rule id="V-15774" severity="medium" conversionstatus="pass" title="DTBF140 - FireFox Preferences – Autofill forms" dscresource="ReplaceText">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>browser.formfill.enable</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Type "about:config" in the address bar, verify that the preference name “browser.formfill.enable" is set to “false” and locked.
 Criteria: If the parameter is set incorrectly, then this is a finding.  If the setting is not locked, then this is a finding.
 </RawString>
      <Value>false</Value>
    </Rule>
    <Rule id="V-15775" severity="medium" conversionstatus="pass" title="DTBF150 - FireFox Preferences – Autofill passwords" dscresource="ReplaceText">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>signon.autofillForms</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>In About:Config, verify that the preference name “signon.autofillForms“ is set to “false” and locked.
 Criteria: If the parameter is set incorrectly, this is a finding.
 If the setting is not locked, this is a finding.</RawString>
      <Value>false</Value>
    </Rule>
    <Rule id="V-15776" severity="medium" conversionstatus="pass" title="DTBF160 - FireFox Preferences – Password store" dscresource="ReplaceText">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>signon.rememberSignons</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Type "about:config" in the browser window. Verify that the preference name “signon.rememberSignons" is set and locked to “false”.
 Criteria: If the parameter is set incorrectly, then this is a finding.
 If the setting is not locked, then this is a finding.</RawString>
      <Value>false</Value>
    </Rule>
    <Rule id="V-15778" severity="medium" conversionstatus="pass" title="DTBF180 - Pop-up windows" dscresource="ReplaceText">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>dom.disable_window_open_feature.status</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>In About:Config, verify that the preference name “dom.disable_window_open_feature.status " is set to “true” and locked.
 Criteria: If the parameter is set incorrectly, then this is a finding.  If the setting is not locked, then this is a finding.
 </RawString>
      <Value>true</Value>
    </Rule>
    <Rule id="V-15779" severity="medium" conversionstatus="pass" title="DTBF181 - JavaScript move or resize windows" dscresource="ReplaceText">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>dom.disable_window_move_resize</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>In About:Config, verify that the preference name “dom.disable_window_move_resize" is set and locked to “true”.
 Criteria: If the parameter is set incorrectly, then this is a finding.  If the setting is not locked, then this is a finding.
 </RawString>
      <Value>true</Value>
    </Rule>
    <Rule id="V-15983.a" severity="medium" conversionstatus="pass" title="DTBF030 - Firefox Preferences TLS Protocols" dscresource="ReplaceText">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>security.enable_tls</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify Preference Name "security.enable_tls" is set to the value "true" and locked.</RawString>
      <Value>true</Value>
    </Rule>
    <Rule id="V-15983.b" severity="medium" conversionstatus="pass" title="DTBF030 - Firefox Preferences TLS Protocols" dscresource="ReplaceText">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>security.tls.version.min</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify Preference Name "security.tls.version.min" is set to the value "2" and locked.</RawString>
      <Value>2</Value>
    </Rule>
    <Rule id="V-15983.c" severity="medium" conversionstatus="pass" title="DTBF030 - Firefox Preferences TLS Protocols" dscresource="ReplaceText">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>security.tls.version.max</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify Preference Name "security.tls.version.max" is set to the value "3" and locked.</RawString>
      <Value>3</Value>
    </Rule>
    <Rule id="V-15985" severity="medium" conversionstatus="pass" title="DTBF182 - JavaScript raise or lower  windows" dscresource="ReplaceText">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>dom.disable_window_flip</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>In About:Config, verify that the preference name “dom.disable_window_flip" is set and locked to “true”.
 Criteria: If the parameter is set incorrectly, then this is a finding.  If the setting is not locked, then this is a finding.</RawString>
      <Value>true</Value>
    </Rule>
    <Rule id="V-15986" severity="medium" conversionstatus="pass" title="DTBF183 - JavaScript Context Menus" dscresource="ReplaceText">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>dom.event.contextmenu.enabled</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Type "about:config" in the address bar of the browser.
 Verify that the preferences "dom.event.contextmenu.enabled" is set and locked to "false".
 Criteria: If the parameter is set incorrectly, then this is a finding.
 If the setting is not locked, this is a finding.</RawString>
      <Value>false</Value>
    </Rule>
    <Rule id="V-15987" severity="medium" conversionstatus="pass" title="DTBF184 - JavaScript hiding or changing status bar" dscresource="ReplaceText">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>dom.disable_window_status_change</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Type "about:config" in the address bar of the browser. Verify that the preference “dom.disable_window_status_change" is set and locked to “true”.
 Criteria: If the parameter is set incorrectly, then this is a finding.  If the setting is not locked, then this is a finding.</RawString>
      <Value>true</Value>
    </Rule>
    <Rule id="V-15989" severity="medium" conversionstatus="pass" title="DTBF130 - Non-secure Page Warning" dscresource="ReplaceText">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>security.warn_leaving_secure</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Type "about:config" in the browser window. Verify that the preference name “security.warn_leaving_secure" is set to “true” and locked.
 Criteria:  If the parameter is set incorrectly, then this is a finding.  If the setting is not locked, then this is a finding.
 </RawString>
      <Value>true</Value>
    </Rule>
    <Rule id="V-19742" severity="medium" conversionstatus="pass" title="DTBF090-Firefox Preferences-Addons\ plugin updates" dscresource="ReplaceText">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>extensions.update.enabled</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Type "about:config" in the browser window. Verify the preference “extensions.update.enabled” is set to "false" and locked.
 Criteria: If the parameter is set incorrectly, then this is a finding. If this setting is not locked, then this is a finding.
 </RawString>
      <Value>false</Value>
    </Rule>
    <Rule id="V-19744" severity="medium" conversionstatus="pass" title="DTBF085 - Firefox Preferences –Search update " dscresource="ReplaceText">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>browser.search.update</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Type "about:config" in the browser window. Verify the preference "browser.search.update”  is set to "false" and locked.
 Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.
 </RawString>
      <Value>false</Value>
    </Rule>
    <Rule id="V-64891" severity="medium" conversionstatus="pass" title="DTBF186" dscresource="ReplaceText">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>xpinstall.enabled</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Open a browser window, type "about:config" in the address bar, then navigate to the setting for Preference Name "xpinstall.enabled" and set the value to “false” and locked.
 Criteria: If the value of “xpinstall.enabled” is “false”, this is not a finding.
 If the value is locked, this is not a finding.
 </RawString>
      <Value>false</Value>
    </Rule>
    <Rule id="V-79053.a" severity="medium" conversionstatus="pass" title="DTBF190 - Background data submission" dscresource="ReplaceText">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>datareporting.policy.dataSubmissionEnabled</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify that the preference "datareporting.policy.dataSubmissionEnabled" is set and locked to "false".</RawString>
      <Value>false</Value>
    </Rule>
    <Rule id="V-79053.b" severity="medium" conversionstatus="pass" title="DTBF190 - Background data submission" dscresource="ReplaceText">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>datareporting.healthreport.service.enabled</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify that the preference "datareporting.healthreport.service.enabled" is set and locked to "false".</RawString>
      <Value>false</Value>
    </Rule>
    <Rule id="V-79053.c" severity="medium" conversionstatus="pass" title="DTBF190 - Background data submission" dscresource="ReplaceText">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>datareporting.healthreport.uploadEnabled</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify that the preference "datareporting.healthreport.uploadEnabled" is set and locked to "false".</RawString>
      <Value>false</Value>
    </Rule>
  </FileContentRule>
  <ManualRule dscresourcemodule="None">
    <Rule id="V-6318" severity="medium" conversionstatus="pass" title="DTBG010 - DoD Root Certificate is not installed" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Navigate to Tools &gt;&gt; Options &gt;&gt; Advanced &gt;&gt; Certificates tab &gt;&gt; View Certificates button. On the Certificate Manager window, select the "Authorities" tab. Scroll through the Certificate Name list to the U.S. Government heading. Look for the entries for DoD Root CA 2, DoD Root CA 3, and DoD Root CA 4.
 If there are entries for DoD Root CA 2, DoD Root CA 3, and DoD Root CA 4, select them individually.
 Click the "View" button.
 Verify the publishing organization is "US Government."
 If there are no entries for the DoD Root CA 2, DoD Root CA 3, and DoD Root CA 4, this is a finding.
 Note: In a Windows environment, use of policy setting "security.enterprise_roots.enabled=true" will point Firefox to the Windows Trusted Root Certification Authority Store, this is not a finding.</RawString>
    </Rule>
    <Rule id="V-15770" severity="medium" conversionstatus="pass" title="DTBF100 -FireFox Preferences–auto-download actions" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Use Method 1 or 2 to check if the following extensions are listed in the browser configuration:  HTA, JSE, JS, MOCHA, SHS, VBE, VBS, SCT, WSC.   By default, most of these extensions will not show up on the Firefox listing.
 Criteria:
 Method 1: In about:plugins, Installed plug-in, inspect the entries in the Suffixes column.
 If any of the prohibited extensions are found, then for each of them, verify that it is not associated with an application that executes code. However, applications such as Notepad.exe that do not execute code may be associated with the extension.  If the extension is associated with an unauthorized application, then this is a finding.
 If the extension exists but is not associated with an application, then this is a finding.
 Method 2:
 Use the Options User Interface Applications menu  to search for the prohibited extensions in the Content column of the table.
 If an extension that is not approved for automatic execution exists and the entry in the Action column is associated with an application that does not execute the code (e.g., Notepad), then do not mark this as a finding.
 If the entry exists and the "Action" is 'Save File' or 'Always Ask',  then this is not a finding.
 If an extension exists and the entry in the Action column is associated with an application that does/can execute the code, then this is a finding.
 </RawString>
    </Rule>
    <Rule id="V-15773" severity="medium" conversionstatus="pass" title="DTBF120 - FireFox Preferences – ActiveX controls" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Open a browser window, type "about:plugins" in the address bar.
 Criteria: If the Mozilla ActiveX control and plugin support is present and enabled, then this is a finding.
 </RawString>
    </Rule>
    <Rule id="V-17988" severity="high" conversionstatus="pass" title="DTBF003 - Installed version of Firefox not supported" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Method 1: View the following registry key:
 HKLM\Software\Mozilla\Mozilla Firefox\CurrentVersion
 Method 2: Search for the firefox.exe file using the search feature of the operating system. Examine the files properties for the product version (not the file version. For Windows OS, determine the version of the file by examining navigating to Properties/Version/Product Version. Examine for all instances of firefox.exe that are present on the endpoint.
 Criteria: If the version number of the firefox.exe file is less than 50.1.x (or ESR 45.7.x), this is a finding.</RawString>
    </Rule>
    <Rule id="V-19741" severity="medium" conversionstatus="pass" title="DTBF080 - Firefox Preferences  Auto-update of Firefox" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Type "about:config" in the browser window.
 Verify that:
 1. The preference name "app.update.enabled" is set to ”true” and locked.
 2. Verify that "app.update.url", "app.update.url.details", and "app.update.url.manual" contain url information that point to a trusted internal server or the default setting of “Mozilla.com” or “Mozilla.org”.
 Criteria: If the parameter is set incorrectly, this is a finding.
 If this setting is not locked, this is a finding.</RawString>
    </Rule>
    <Rule id="V-19743" severity="medium" conversionstatus="pass" title="DTBF070 - Firefox Preferences - Lock settings" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify that required settings are marked as locked in "about:config".
 Verify that "mozilla.cfg" file is used to lock required security settings.
 If settings are enable, and not locked, this is a finding.
 Sample file:
 //
 lockPref("browser.download.dir", "N:");
 lockPref("browser.download.downloadDir", "N:");
 lockPref("app.update.enabled", false);
 lockPref("extensions.update.enabled", false);
 lockPref("browser.shell.checkDefaultBrowser", false);
 lockPref("browser.search.update", false);
 lockPref("dom.disable_open_during_load", true);
 lockPref("dom.disable_window_move_resize", true);
 lockPref("dom.event.contextmenu.enabled", false);
 lockPref("dom.disable_window_status_change", true);
 lockPref("security.warn_leaving_secure", true);
 lockPref("security.default_personal_cert", "Ask Every Time");
 lockPref("signon.rememberSignons", false);
 lockPref("xpinstall.whitelist.required", true);
 lockPref(“network.protocol-handler.external.shell”,false);
 Note: Append line into local-settings.js file to include in the Mozilla config file.</RawString>
    </Rule>
  </ManualRule>
 </DISASTIG>
--- a/StigData/Processed/SqlServer-2012-Database-1.18.org.default.xml
+++ b/StigData/Processed/SqlServer-2012-Database-1.18.org.default.xml
@ -0,0 +1,8 @@
 <!--
    The organizational settings file is used to define the local organizations
    preferred setting within an allowed range of the STIG.
    Each setting in this file is linked by STIG ID and the valid range is in an
    associated comment.
 -->
 <OrganizationalSettings fullversion="1.18" />
--- a/StigData/Processed/SqlServer-2012-Database-1.18.xml
+++ b/StigData/Processed/SqlServer-2012-Database-1.18.xml
@ -0,0 +1,578 @@
 <DISASTIG version="1" classification="UNCLASSIFIED" customname="" stigid="MS_SQL_Server_2012_Database_Instance_STIG" description="The Microsoft SQL Server 2012 Database Instance Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil." filename="U_MS_SQL_Server_2012_Database_STIG_V1R18_Manual-xccdf.xml" releaseinfo="Release: 18 Benchmark Date: 25 Jan 2019" title="Microsoft SQL Server 2012 Database Security Technical Implementation Guide" notice="terms-of-use" source="STIG.DOD.MIL" fullversion="1.18" created="2/4/2019">
  <DocumentRule dscresourcemodule="None">
    <Rule id="V-41389" severity="medium" conversionstatus="pass" title="SRG-APP-000006-DB-000183" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Review system documentation to determine if the labeling of sensitive data is required under organization-defined guidelines.
 If the labeling of sensitive data is not required, this is NA.
 Obtain system configuration settings to determine how data labeling is being performed. This can be through triggers or some other SQL-developed means or via a third-party tool. Spot check data and ensure the appropriate labels have been applied to stored data.
 If the labeling of sensitive data is required and is not being performed, this is a finding.</RawString>
    </Rule>
    <Rule id="V-41391" severity="medium" conversionstatus="pass" title="SRG-APP-000007-DB-000184" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Review system documentation to determine if the labeling of sensitive data is required under organization-defined guidelines.
 If the labeling of sensitive data is not required, this is NA.
 Obtain system configuration settings to determine how data labeling is being performed. This can be through triggers or some other SQL-developed means or via a third-party tool.
 If the labeling of sensitive information in process is not being performed, this is a finding.</RawString>
    </Rule>
    <Rule id="V-41392" severity="medium" conversionstatus="pass" title="SRG-APP-000008-DB-000185" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Review system documentation to determine if the labeling of sensitive data is required under organization-defined guidelines.
 If the labeling of sensitive data is not required, this is NA.
 Obtain system configuration settings to determine how data labeling is being performed. This can be through triggers or some other SQL-developed means or via a third-party tool.
 If the labeling of sensitive data in transmission is not being performed, this is a finding.</RawString>
    </Rule>
    <Rule id="V-41393" severity="medium" conversionstatus="pass" title="SRG-APP-000012-DB-000192" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Review system documentation to determine if the labeling of sensitive data is required under organization-defined guidelines.
 If the labeling of sensitive data is not required, this is NA.
 Obtain system configuration setting to determine how data labeling is being performed. This can be through triggers or some other SQL-developed means or via a third-party tool. Determine how authorized users associate security information to data. If authorized users are not able to associate security labels to data, this is a finding.</RawString>
    </Rule>
    <Rule id="V-41394" severity="medium" conversionstatus="pass" title="SRG-APP-000085-DB-000038" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Check for rights propagation assignment to database permissions by running the following query:
 USE &lt;name of database being reviewed&gt;;
 SELECT *
 FROM sys.database_permissions
 WHERE state_desc = 'GRANT_WITH_GRANT_OPTION';
 If any of the permissions listed have not been documented and approved as requiring GRANT_WITH_GRANT_OPTION, this is a finding.</RawString>
    </Rule>
    <Rule id="V-41396" severity="medium" conversionstatus="pass" title="SRG-APP-000062-DB-000015" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Identify whether SQL Server contains both development and production databases from the system documentation.
 If SQL Server is not hosting both production and development databases, this is NA.
 If SQL Server is hosting both development and production databases, but this is not clearly documented in the system documentation, this is a finding.
 Check the list of SQL Server users against the list of developer accounts by running the following SQL Server query:
 SELECT name AS 'Account Name'
     , create_date AS 'Account Create Date'
     , LOGINPROPERTY(name, 'PasswordLastSetTime') AS 'Password Last Set on'
  FROM sys.server_principals
 WHERE NOT TYPE IN ('C', 'R', 'U') -- ('C', 'G', 'K', 'R', 'S', 'U')
  AND NOT name IN ('##MS_PolicyEventProcessingLogin##', '##MS_PolicyTsqlExecutionLogin##')
  AND sid &lt;&gt; CONVERT(VARBINARY(85), 0x01) -- no 'sa' account
  AND is_disabled &lt;&gt; 1
 ORDER BY name
 If no developer user account is listed, this is not a finding.
 Check each developer user account privilege listed above.
 Navigate to SQL Server Management Studio &gt;&gt; Object Explorer &gt;&gt; &lt;'SQL Server name'&gt; &gt;&gt; Security &gt;&gt; Logins &gt;&gt; right click &lt;'developer account name'&gt; &gt;&gt; Properties &gt;&gt; User &gt;&gt; Securables.
 If any item in the 'Permission' listing, for each highlighted item that exists in the 'Securables' listing, grants production privileges, this is a finding.
 Navigate from 'Securables' to 'Server Roles'.
 If any 'Server roles' are checked that grant production privileges, this is a finding.
 Navigate from 'Server Roles' to 'Users mapped to the login'.
 If any checked 'Database role membership' of each highlighted and checked 'Database' are determined to be granting production privileges, this is a finding.</RawString>
    </Rule>
    <Rule id="V-41399" severity="medium" conversionstatus="pass" title="SRG-APP-999999-DB-000209" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Check system documentation for procedures that are regularly implemented in an effort to detect unauthorized SQL Server job submissions.
 If procedures that are regularly implemented are not documented in the system documentation, this is a finding.
 If the procedures are not implemented regularly or do not detect for unauthorized SQL Server job submissions, this is a finding.
 Review Stored Procedures that are able to automatically execute jobs scheduled to start automatically at system startup by running the following query:
 SELECT name
  FROM master.sys.procedures
 WHERE is_auto_executed = 1
 If any Stored Procedures listed are not documented as authorized, this is a finding.
 Review the SQL Server job history by running the following query:
 SELECT *   FROM msdb.dbo.sysjobhistory
 If any jobs listed are not documented as authorized, this is a finding.</RawString>
    </Rule>
    <Rule id="V-41407" severity="medium" conversionstatus="pass" title="SRG-APP-000133-DB-000200" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Review system documentation to identify SQL Server accounts authorized to own database objects.
 If the SQL Server database ownership list does not exist or needs to be updated, this is a finding.
 Run the following SQL query to determine SQL Server ownership of all database objects:
 SELECT name AS 'Database name'
     , SUSER_SNAME(owner_sid) AS 'Database Owner'
     , state_desc AS 'Database state'
  FROM sys.databases
 </RawString>
    </Rule>
    <Rule id="V-41409" severity="medium" conversionstatus="pass" title="SRG-APP-000141-DB-000091" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Review the list of components or optional features installed with SQL Server.
 If optional features or components are NOT installed, this is not a finding.
 If unused components or features of SQL Server are installed, then review the system documentation to verify unused components or features are documented and authorized.
 If any are not documented and authorized, this is a finding.</RawString>
    </Rule>
    <Rule id="V-41417" severity="medium" conversionstatus="pass" title="SRG-APP-000231-DB-000154" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>In a query tool:
 USE &lt;database name&gt;;
 GO
 SELECT s.name, k.crypt_type_desc
 FROM sys.symmetric_keys s, sys.key_encryptions k
 WHERE s.symmetric_key_id = k.key_id
 AND s.name &lt;&gt; '##MS_DatabaseMasterKey##'
 AND k.crypt_type IN ('ESKP', 'ESKS')
 ORDER BY s.name, k.crypt_type_desc;
 GO
 Review any symmetric keys that have been defined against the System Security Plan.
 If any keys are defined that are not documented in the System Security Plan, this is a finding.
 Review the System Security Plan to review the encryption mechanism specified for each symmetric key. If the method does not indicate use of certificates, this is a finding.
 If the certificate specified is not a DoD PKI certificate, this is a finding.</RawString>
    </Rule>
    <Rule id="V-41421" severity="medium" conversionstatus="pass" title="SRG-APP-000243-DB-000128" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify there are proper procedures in place for the transfer of development/test data from production. Review any scripts or code that exists for the movement of production data to development/test and verify copies of production data are not left in unprotected locations.
 If there is no documented procedure for data movement from production to development/test, this is a finding.
 If data movement code that copies from production to development/test does exist and leaves any copies of production data in unprotected locations, this is a finding.</RawString>
    </Rule>
    <Rule id="V-60671" severity="medium" conversionstatus="pass" title="SRG-APP-000133-DB-000200" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>If the database is owned by an account that is directly or indirectly a member of a fixed (built-in) server role, this is not applicable (NA).
 Run the query:
 USE &lt;database name&gt;;
 GO
 SELECT
       DB_NAME()                  AS [Database],
       SUSER_SNAME(D.owner_sid)   AS [Database Owner],
       CASE WHEN D.is_trustworthy_on = 1 THEN 'ON' ELSE 'off' END
                                  AS [Trustworthy]
 FROM
       sys.databases D
 WHERE
       D.[name] = DB_NAME()
 AND    DB_NAME() &lt;&gt; 'msdb'
 AND    D.is_trustworthy_on = 1;
 GO
 If the query returns a row indicating that the TRUSTWORTHY setting is OFF, or returns no rows, this is not a finding.
 Review the system security plan to determine whether the need for TRUSTWORTHY is documented and approved.  If not, this is a finding.</RawString>
    </Rule>
    <Rule id="V-70627" severity="low" conversionstatus="pass" title=" SRG-APP-000144-DB-000101" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Review system documentation and/or organizational procedures to determine the threshold value for the storage used by the transaction log, above which staff must be alerted.  The threshold may be expressed as an absolute quantity, or a percentage of total available space.
 If this threshold has not been defined, this is a finding.
 If monitoring software is in use, and has been configured to alert system and database administrators when the threshold is exceeded, this is not a finding.
 If manual procedures exist for frequently checking the space used and alerting system and database administrators, and there is evidence that the procedures are adhered to, this is not a finding.
 Otherwise, this is a finding.</RawString>
    </Rule>
  </DocumentRule>
  <ManualRule dscresourcemodule="None">
    <Rule id="V-40911" severity="medium" conversionstatus="pass" title="SRG-APP-000231-DB-000154" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>If the application owner and Authorizing Official have determined that encryption of data at rest is NOT required, this is not a finding.
 If the application owner and Authorizing Official have determined that encryption of data at rest is required,
 ensure the data on secondary devices is encrypted. If full-disk encryption is being used, this is not a finding.
 If DBMS data encryption is required, ensure the data is encrypted before being put on the secondary device by executing:
 SELECT
    d.name AS [Database Name],
    CASE e.encryption_state
        WHEN 0 THEN 'No database encryption key present, no encryption'
        WHEN 1 THEN 'Unencrypted'
        WHEN 2 THEN 'Encryption in progress'
        WHEN 3 THEN 'Encrypted'
        WHEN 4 THEN 'Key change in progress'
        WHEN 5 THEN 'Decryption in progress'
        WHEN 6 THEN 'Protection change in progress'
    END AS [Encryption State]
 FROM sys.dm_database_encryption_keys e
 RIGHT JOIN sys.databases d ON DB_NAME(e.database_id) = d.name
 WHERE d.name NOT IN ('master','model','msdb')
 ORDER BY 1
 ;
 For each user database where encryption is required, verify that encryption is in effect. If not, this is a finding.
 Verify that there are physical security measures, operating system access control lists and organizational controls appropriate to the sensitivity level of the data in the database(s).  If not, this is a finding.</RawString>
    </Rule>
    <Rule id="V-41395" severity="medium" conversionstatus="pass" title="SRG-APP-000062-DB-000014" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Check the list of SQL Server users against the list of developer accounts by running the following SQL Server query:
 SELECT name AS 'Account Name'
     , create_date AS 'Account Create Date'
     , LOGINPROPERTY(name, 'PasswordLastSetTime') AS 'Password Last Set on'
 FROM sys.server_principals
 WHERE NOT TYPE IN ('C', 'R', 'U')
 AND NOT name IN ('##MS_PolicyEventProcessingLogin##', '##MS_PolicyTsqlExecutionLogin##')
 AND sid &lt;&gt; CONVERT(VARBINARY(85), 0x01) -- no 'sa' account
 AND is_disabled &lt;&gt; 1
 ORDER BY name;
 For each developer account found on a production machine, verify if the developer account can change or alter database objects or data in the production database. If any developer account can change or alter database objects or data in a production database, this is a finding.</RawString>
    </Rule>
    <Rule id="V-41397" severity="medium" conversionstatus="pass" title="SRG-APP-000062-DB-000034" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Check administrative accounts for direct database role membership:
 Navigate to SQL Server Management Studio &gt;&gt; Object Explorer &gt;&gt; &lt;'SQL Server name'&gt; &gt;&gt; Security &gt;&gt; Logins &gt;&gt; right click &lt;'administrator account name'&gt; &gt;&gt; Properties &gt;&gt; User Mapping &gt;&gt; &lt;'highlight database'&gt; &gt;&gt; review 'Database role membership' for each database.
 If any administration accounts have a direct privilege to any 'Database role membership' that is part of the SQL Server system, this is a finding.
 Check administrative accounts for direct server role membership:
 Navigate to SQL Server Management Studio &gt;&gt; Object Explorer &gt;&gt; &lt;'SQL Server name'&gt; &gt;&gt; Security &gt;&gt; Logins &gt;&gt; right click &lt;'administrator account name'&gt; &gt;&gt; Properties &gt;&gt; Server Roles.
 If any administration accounts have direct access to any 'Server roles' privilege that is part of the SQL Server system, this is a finding.
 The special database principal [dbo] is an exception.  It is mapped to the server login that is the database owner.  Some roles cannot be mapped to it or unmapped from it.  These role assignments are not a finding.
 The built-in server role "sysadmin" is a partial exception.  See the Vulnerability Discussion.</RawString>
    </Rule>
    <Rule id="V-41403" severity="medium" conversionstatus="pass" title="SRG-APP-000133-DB-000179" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Check the SQL Server configuration for a timed job that automatically checks all system and user-defined Functions for being modified by running the following SQL Server query:
 EXEC msdb.dbo.sp_help_job  @job_name = '&lt;enter . . . job name&gt;';
 (Alternatively, in SQL Server Management Studio, navigate to SQL Server Agent and examine the job from there.)
 If a timed job or some other method is not implemented to check for Functions being modified, this is a finding.</RawString>
    </Rule>
    <Rule id="V-41404" severity="medium" conversionstatus="pass" title="SRG-APP-000133-DB-000179" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Check the SQL Server configuration for the timed job that automatically checks all system and user-defined Triggers for being modified by running the following SQL Server query:
 EXEC msdb.dbo.sp_help_job  @job_name = '&lt;enter . . . job name&gt;';
 (Alternatively, in SQL Server Management Studio, navigate to SQL Server Agent and examine the job from there.)
 If such a job, or an alternative method of monitoring triggers for modification, does not exist, this is a finding.</RawString>
    </Rule>
    <Rule id="V-41406" severity="medium" conversionstatus="pass" title="SRG-APP-000133-DB-000179" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Check for the existence of a job to monitor for changes to stored procedures:
 EXEC msdb.dbo.sp_help_job  @job_name = '&lt;enter . . . job name&gt;';
 (Alternatively, in SQL Server Management Studio, navigate to SQL Server Agent and examine the job from there.)
 If such a job, or an alternative method of monitoring stored procedures for modification, does not exist, this is a finding.</RawString>
    </Rule>
    <Rule id="V-41411" severity="medium" conversionstatus="pass" title="SRG-APP-000188-DB-000121" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Review SQL Server's cryptographic settings to determine whether data stored in databases is encrypted according to organizational requirements and the system owner.
 If all of the data on SQL Server is unclassified and encryption of information is not required, this requirement is NA.
 Ensure the data is encrypted by executing:
 USE &lt;databse name&gt;;
 IF NOT EXISTS
      (
      SELECT 1
      FROM sys.dm_database_encryption_keys
      WHERE DB_NAME(database_id) = DB_NAME()
      )
      SELECT
            DB_NAME() AS [Database Name],
            'No database encryption key present, no encryption' AS [Encryption State]
 ELSE
      SELECT
            DB_NAME(database_id) AS [Database Name],
            CASE encryption_state
                  WHEN 0 THEN 'No database encryption key present, no encryption'
                  WHEN 1 THEN 'Unencrypted'
                  WHEN 2 THEN 'Encryption in progress'
                  WHEN 3 THEN 'Encrypted'
                  WHEN 4 THEN 'Key change in progress'
                  WHEN 5 THEN 'Decryption in progress'
                  WHEN 6 THEN 'Protection change in progress'
            END AS [Encryption State]
      FROM sys.dm_database_encryption_keys
      WHERE DB_NAME(database_id) = DB_NAME()
 ;
 If any database that is supposed to have encryption enabled is not listed as such, this is a finding.
 If encryption is required by the information owner and an approved, NIST-certified cryptography is not used to encrypt stored sensitive information, this is a finding.
 Verify all sensitive information is encrypted: entire database, tables, columns and/or data elements, as required by the organization and the system owner.</RawString>
    </Rule>
    <Rule id="V-41412" severity="medium" conversionstatus="pass" title="SRG-APP-000196-DB-000140" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>If encryption is not required for this database, this is not a finding.
 Run the following SQL queries to review SQL Server's cryptographic settings for the database:
 USE &lt;database name&gt; ;
 IF NOT EXISTS
       (
       SELECT 1
       FROM sys.dm_database_encryption_keys
       WHERE DB_NAME(database_id) = DB_NAME()
       )
       SELECT
             DB_NAME() AS [Database Name],
             'No database encryption key present, no encryption' AS [Encryption State],
                     NULL AS [Algorithm],
                     NULL AS [Key Length]
 ELSE
       SELECT
             DB_NAME(database_id) AS [Database Name],
             CASE encryption_state
                   WHEN 0 THEN 'No database encryption key present, no encryption'
                   WHEN 1 THEN 'Unencrypted'
                   WHEN 2 THEN 'Encryption in progress'
                   WHEN 3 THEN 'Encrypted'
                   WHEN 4 THEN 'Key change in progress'
                   WHEN 5 THEN 'Decryption in progress'
                   WHEN 6 THEN 'Protection change in progress'
             END AS [Encryption State],
                     key_algorithm AS [Algorithm],
                     key_length AS [Key Length]
       FROM sys.dm_database_encryption_keys
       WHERE DB_NAME(database_id) = DB_NAME()
 SELECT DB_NAME() AS [Database], name, algorithm_desc
 FROM sys.symmetric_keys
 ORDER BY name, algorithm_desc;
 Note:  The acceptable algorithms are:  "AES 128", "AES 192", "AES 256" and "Triple DES".
 If SQL Server cryptographic algorithms are not listed or are found not to be compliant with applicable federal laws, Executive Orders, directives, policies, regulations, standards and guidance, this is a finding.
 If the encryption state indicates that the database is unencrypted, this is a finding.</RawString>
    </Rule>
    <Rule id="V-41415" severity="medium" conversionstatus="pass" title="SRG-APP-000231-DB-000154" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>From the query prompt:
 SELECT name
 FROM [master].sys.databases
 WHERE is_master_key_encrypted_by_server = 1
 AND owner_sid &lt;&gt; 1
 AND state = 0
 If no databases are returned, this is not a finding.
 For any databases returned, verify in the System Security Plan that encryption of the Database
 Master Key using the Service Master Key is acceptable and approved by the Information Owner, and the encrypted data does not require additional protections to deter or detect DBA access. If not approved, this is a finding.
 If approved and additional protections are required, then verify the additional requirements are in place in accordance with the System Security Plan. These may include additional auditing on access of the Database Master Key with alerts or other automated monitoring.
 If the additional requirements are not in place, this is a finding.</RawString>
    </Rule>
    <Rule id="V-41416" severity="medium" conversionstatus="pass" title="SRG-APP-000231-DB-000154" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>From the query prompt:
 SELECT COUNT(credential_id)
 FROM [master].sys.master_key_passwords
 If count is not 0, this is a finding.</RawString>
    </Rule>
    <Rule id="V-41420" severity="medium" conversionstatus="pass" title="SRG-APP-000232-DB-000155" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>If this is a system database (master, msdb, resource, tempdb or model), this is not applicable (NA).
 If the application owner and authorizing official have determined that the database does not require encryption, this is not a finding.
 Ensure the data is encrypted by executing:
 USE &lt;database name&gt;;
 IF NOT EXISTS
    (
    SELECT 1
    FROM sys.dm_database_encryption_keys
    WHERE DB_NAME(database_id) = DB_NAME()
    )
    SELECT
        DB_NAME() AS [Database Name],
        'No database encryption key present, no encryption' AS [Encryption State]
 ELSE
    SELECT
        DB_NAME(database_id)  AS [Database Name],
        CASE encryption_state
            WHEN 0 THEN 'No database encryption key present, no encryption'
            WHEN 1 THEN 'Unencrypted'
            WHEN 2 THEN 'Encryption in progress'
            WHEN 3 THEN 'Encrypted'
            WHEN 4 THEN 'Key change in progress'
            WHEN 5 THEN 'Decryption in progress'
            WHEN 6 THEN 'Protection change in progress'
        END AS [Encryption State]
    FROM sys.dm_database_encryption_keys
    WHERE DB_NAME(database_id) = DB_NAME()
 ;
 For each user database, ensure that encryption is in effect.  If not, this is a finding.</RawString>
    </Rule>
    <Rule id="V-41422" severity="medium" conversionstatus="pass" title="SRG-APP-000245-DB-000132" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Check SQL Server settings for the number of concurrent Check SQL Server settings for the number of concurrent sessions by running the following script:
 USE MASTER
 GO
 EXEC sys.sp_configure N'show advanced options', N'1'  RECONFIGURE WITH OVERRIDE
 GO
 EXEC sys.sp_configure N'user connections'
 EXEC sys.sp_configure N'show advanced options', N'0'  RECONFIGURE WITH OVERRIDE
 GO
 If SQL Server settings for concurrent sessions is not lower than or equal to the organization-defined maximum number of sessions, this is a finding.</RawString>
    </Rule>
    <Rule id="V-41424" severity="medium" conversionstatus="pass" title="SRG-APP-000251-DB-000160" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Review SQL Server field definitions, constraints, and foreign keys to determine whether or not data being input into the database is valid.
 If field definitions are not reflective of the data, this is a finding.
 If column data types are not assigned correctly where required within the database, this is a finding.
 If columns do not contain reasonable constraints based on column use, this is a finding.</RawString>
    </Rule>
    <Rule id="V-60781" severity="medium" conversionstatus="pass" title="SRG-APP-000133-DB-000200" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>USE &lt;database name&gt;;
 GO
 WITH FixedServerRoles(RoleName) AS
 (
    SELECT 'sysadmin'
    UNION SELECT 'securityadmin'
    UNION SELECT 'serveradmin'
    UNION SELECT 'setupadmin'
    UNION SELECT 'processadmin'
    UNION SELECT 'diskadmin'
    UNION SELECT 'dbcreator'
    UNION SELECT 'bulkadmin'
 )
 SELECT
    DB_NAME() AS [Database],
    SUSER_SNAME(D.owner_sid) AS [Database Owner],
    F.RoleName AS [Fixed Server Role],
    CASE WHEN D.is_trustworthy_on = 1 THEN 'ON' ELSE 'off' END
        AS [Trustworthy]
 FROM
    FixedServerRoles F
    INNER JOIN sys.databases D ON D.Name = DB_NAME()
 WHERE
    IS_SRVROLEMEMBER(F.RoleName, SUSER_SNAME(D.owner_sid)) = 1
 AND    DB_NAME()  &lt;&gt;  'msdb'
 AND    D.is_trustworthy_on = 1;
 GO
 If the query returns any rows, this is a finding.  </RawString>
    </Rule>
  </ManualRule>
  <SqlScriptQueryRule dscresourcemodule="SqlServerDsc">
    <Rule id="V-41402" severity="medium" conversionstatus="pass" title="SRG-APP-000089-DB-000064" dscresource="SqlScriptQuery">
      <GetScript>BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE cursorTrace DEALLOCATE cursorTrace SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL END</GetScript>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Check to see that all required events are being audited.
 From the query prompt:
     SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0);
 All currently defined traces for the SQL server instance will be listed. If no traces are returned, this is a finding.
 Determine the trace(s) being used for the auditing requirement.
 In the following, replace # with a trace ID being used for the auditing requirements.
 From the query prompt:
     SELECT DISTINCT(eventid) FROM sys.fn_trace_geteventinfo(#);
 The following required event IDs should be listed:
     14, 15, 18, 20,
     102, 103, 104, 105, 106, 107, 108, 109, 110,
     111, 112, 113, 115, 116, 117, 118,
     128, 129, 130,
     131, 132, 133, 134, 135,
     152, 153,
     170, 171, 172, 173, 175, 176, 177, 178.
 If any of the audit event IDs required above is not listed, this is a finding.
 Notes:
 1. It is acceptable to have the required event IDs spread across multiple traces, provided all of the traces are always active, and the event IDs are grouped in a logical manner.
 2. It is acceptable, from an auditing point of view, to include the same event IDs in multiple traces.  However, the effect of this redundancy on performance, storage, and the consolidation of audit logs into a central repository, should be taken into account.
 3. It is acceptable to trace additional event IDs. This is the minimum list.
 4. Once this check is satisfied, the DBA may find it useful to disable or modify the default trace that is set up by the SQL Server installation process. (Note that the Fix does NOT include code to do this.)
 Use the following query to obtain a list of all event IDs, and their meaning:
     SELECT * FROM sys.trace_events;
 5. Because this check procedure is designed to address multiple requirements/vulnerabilities, it may appear to exceed the needs of some individual requirements.  However, it does represent the aggregate of all such requirements.
 6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated.  They will be removed at some point after SQL Server 2014.  The replacement feature is Extended Events.  If Extended Events are in use, and cover all the required audit events listed above, this is not a finding.</RawString>
      <SetScript>BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) CREATE TABLE #Trace (TraceId INT) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0)ORDER BY TraceId DESC CREATE TABLE #TraceEvent (TraceId INT, EventId INT) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @currentTraceId INT FETCH NEXT FROM cursorTrace INTO @currentTraceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @currentTraceId, EventId FROM sys.fn_trace_geteventinfo(@currentTraceId) FETCH NEXT FROM cursorTrace INTO @currentTraceId END CLOSE cursorTrace DEALLOCATE cursorTrace DECLARE @missingStigEventCount INT SET @missingStigEventCount = (SELECT COUNT(*) FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL) IF @missingStigEventCount &gt; 0 BEGIN DECLARE @returnCode INT DECLARE @newTraceId INT DECLARE @maxFileSize BIGINT = 5 EXEC @returnCode = sp_trace_create @traceid = @newTraceId OUTPUT, @options = 2, @tracefile = N'C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Log\PowerStig', @maxfilesize = @maxFileSize, @stoptime = NULL, @filecount = 2; IF @returnCode = 0 BEGIN EXEC sp_trace_setstatus @traceid = @newTraceId, @status = 0 DECLARE cursorMissingStigEvent CURSOR FOR SELECT DISTINCT SE.EventId FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL OPEN cursorMissingStigEvent DECLARE @currentStigEventId INT FETCH NEXT FROM cursorMissingStigEvent INTO @currentStigEventId WHILE @@FETCH_STATUS = 0 BEGIN EXEC sp_trace_setevent @traceid = @newTraceId, @eventid = @currentStigEventId, @columnid = NULL, @on = 1 FETCH NEXT FROM cursorMissingStigEvent INTO @currentStigEventId END CLOSE cursorMissingStigEvent DEALLOCATE cursorMissingStigEvent EXEC sp_trace_setstatus @traceid = @newTraceId, @status = 1 END END END</SetScript>
      <TestScript>BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE cursorTrace DEALLOCATE cursorTrace SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL END</TestScript>
    </Rule>
  </SqlScriptQueryRule>
 </DISASTIG>
--- a/StigData/Processed/Windows-10-Client-1.16.org.default.xml
+++ b/StigData/Processed/Windows-10-Client-1.16.org.default.xml
@ -0,0 +1,65 @@
 <!--
    The organizational settings file is used to define the local organizations
    preferred setting within an allowed range of the STIG.
    Each setting in this file is linked by STIG ID and the valid range is in an
    associated comment.
 -->
 <OrganizationalSettings fullversion="1.16">
  <!-- Ensure ''V-63329'' -match '0|ShouldBeAbsent'-->
  <OrganizationalSetting id="V-63329" value="0" />
  <!-- Ensure ''V-63405'' -ge '15' -or ''V-63405'' -eq '0'-->
  <OrganizationalSetting id="V-63405" value="15" />
  <!-- Ensure ''V-63409'' -le '3' -and ''V-63409'' -ne '0'-->
  <OrganizationalSetting id="V-63409" value="3" />
  <!-- Ensure ''V-63413'' -ge '15'-->
  <OrganizationalSetting id="V-63413" value="15" />
  <!-- Ensure ''V-63415'' -ge '24'-->
  <OrganizationalSetting id="V-63415" value="24" />
  <!-- Ensure ''V-63419'' -le '60' -and ''V-63419'' -ne '0'-->
  <OrganizationalSetting id="V-63419" value="60" />
  <!-- Ensure ''V-63421'' -ge '1'-->
  <OrganizationalSetting id="V-63421" value="1" />
  <!-- Ensure ''V-63423'' -ge '14'-->
  <OrganizationalSetting id="V-63423" value="14" />
  <!-- Ensure ''V-63519'' -ge '32768'-->
  <OrganizationalSetting id="V-63519" value="32768" />
  <!-- Ensure ''V-63523'' -ge '1024000'-->
  <OrganizationalSetting id="V-63523" value="1024000" />
  <!-- Ensure ''V-63527'' -ge '32768'-->
  <OrganizationalSetting id="V-63527" value="32768" />
  <!-- Ensure ''V-63581'' -match '1|ShouldBeAbsent'-->
  <OrganizationalSetting id="V-63581" value="1" />
  <!-- Ensure ''V-63595.b'' -match '1|3'-->
  <OrganizationalSetting id="V-63595.b" value="1" />
  <!-- Ensure ''V-63603'' -match '1|2'-->
  <OrganizationalSetting id="V-63603" value="1" />
  <!-- Ensure ''V-63607'' -match '1|3|8|ShouldBeAbsent'-->
  <OrganizationalSetting id="V-63607" value="1" />
  <!-- Ensure ''V-63619'' -ne 'Administrator'-->
  <OrganizationalSetting id="V-63619" value="xAdministrator" />
  <!-- Ensure ''V-63625'' -ne 'Guest'-->
  <OrganizationalSetting id="V-63625" value="xGuest" />
  <!-- Ensure ''V-63627'' -match '1|ShouldBeAbsent'-->
  <OrganizationalSetting id="V-63627" value="1" />
  <!-- Ensure ''V-63661'' -le '30' -and ''V-63661'' -gt '0'-->
  <OrganizationalSetting id="V-63661" value="30" />
  <!-- Ensure ''V-63669'' -le '900' -and ''V-63669'' -gt '0'-->
  <OrganizationalSetting id="V-63669" value="900" />
  <!-- Ensure ''V-63687'' -le '10'-->
  <OrganizationalSetting id="V-63687" value="10" />
  <!-- Ensure ''V-63689'' -match '0|ShouldBeAbsent'-->
  <OrganizationalSetting id="V-63689" value="0" />
  <!-- Ensure ''V-63691'' -match '0|ShouldBeAbsent'-->
  <OrganizationalSetting id="V-63691" value="0" />
  <!-- Ensure ''V-63695'' -match '0|ShouldBeAbsent'-->
  <OrganizationalSetting id="V-63695" value="0" />
  <!-- Ensure ''V-63697'' -match '1|2'-->
  <OrganizationalSetting id="V-63697" value="1" />
  <!-- Ensure ''V-63721'' -ge '6'-->
  <OrganizationalSetting id="V-63721" value="6" />
  <!-- Ensure ''V-63747'' -match '0|ShouldBeAbsent'-->
  <OrganizationalSetting id="V-63747" value="0" />
  <!-- Ensure ''V-63841'' -match '2|ShouldBeAbsent'-->
  <OrganizationalSetting id="V-63841" value="2" />
 </OrganizationalSettings>
--- a/StigData/Processed/Windows-10-Client-1.16.xml
+++ b/StigData/Processed/Windows-10-Client-1.16.xml
--- a/StigData/Processed/Windows-2012R2-DC-2.15.org.default.xml
+++ b/StigData/Processed/Windows-2012R2-DC-2.15.org.default.xml
@ -0,0 +1,79 @@
 <!--
    The organizational settings file is used to define the local organizations
    preferred setting within an allowed range of the STIG.
    Each setting in this file is linked by STIG ID and the valid range is in an
    associated comment.
 -->
 <OrganizationalSettings fullversion="2.15">
  <!-- Ensure ''V-1090'' -le '4'-->
  <OrganizationalSetting id="V-1090" value="4" />
  <!-- Ensure ''V-1097'' -le '3' -and ''V-1097'' -ne '0'-->
  <OrganizationalSetting id="V-1097" value="3" />
  <!-- Ensure ''V-1098'' -ge '15'-->
  <OrganizationalSetting id="V-1098" value="15" />
  <!-- Ensure ''V-1099'' -ge '15' -or ''V-1099'' -eq '0'-->
  <OrganizationalSetting id="V-1099" value="15" />
  <!-- Ensure ''V-1104'' -le '60' -and ''V-1104'' -ne '0'-->
  <OrganizationalSetting id="V-1104" value="60" />
  <!-- Ensure ''V-1105'' -ne '0'-->
  <OrganizationalSetting id="V-1105" value="1" />
  <!-- Ensure ''V-1107'' -ge '24'-->
  <OrganizationalSetting id="V-1107" value="24" />
  <!-- Ensure ''V-1114'' -ne 'Guest'-->
  <OrganizationalSetting id="V-1114" value="xGuest" />
  <!-- Ensure ''V-1115'' -ne 'Administrator'-->
  <OrganizationalSetting id="V-1115" value="xAdministrator" />
  <!-- Ensure ''V-1157'' -match '1|2'-->
  <OrganizationalSetting id="V-1157" value="1" />
  <!-- Ensure ''V-1172'' -ge '14'-->
  <OrganizationalSetting id="V-1172" value="14" />
  <!-- Ensure ''V-1174'' -le '15'-->
  <OrganizationalSetting id="V-1174" value="15" />
  <!-- Ensure ''V-2377'' -le '600' -and ''V-2377'' -ne '0'-->
  <OrganizationalSetting id="V-2377" value="600" />
  <!-- Ensure ''V-2378'' -le '10' -and ''V-2378'' -ne '0'-->
  <OrganizationalSetting id="V-2378" value="10" />
  <!-- Ensure ''V-2379'' -le '7'-->
  <OrganizationalSetting id="V-2379" value="7" />
  <!-- Ensure ''V-2380'' -le '5'-->
  <OrganizationalSetting id="V-2380" value="5" />
  <!-- Ensure ''V-3373'' -le '30' -and ''V-3373'' -gt '0'-->
  <OrganizationalSetting id="V-3373" value="30" />
  <!-- Ensure ''V-4108'' -le '90'-->
  <OrganizationalSetting id="V-4108" value="90" />
  <!-- Ensure ''V-4113'' -le '300000'-->
  <OrganizationalSetting id="V-4113" value="300000" />
  <!-- Ensure ''V-4438'' -le '3'-->
  <OrganizationalSetting id="V-4438" value="3" />
  <!-- Ensure ''V-4442'' -le '5'-->
  <OrganizationalSetting id="V-4442" value="5" />
  <!-- Ensure ''V-6836'' -ge '14'-->
  <OrganizationalSetting id="V-6836" value="14" />
  <!-- Ensure ''V-8322.b'' -match '^(NoSync|NTP|NT5DS|AllSync)$'-->
  <OrganizationalSetting id="V-8322.b" value="NT5DS" />
  <!-- Ensure ''V-8324'' -match '2|3'-->
  <OrganizationalSetting id="V-8324" value="3" />
  <!-- Ensure ''V-14235'' -le '4'-->
  <OrganizationalSetting id="V-14235" value="4" />
  <!-- Ensure ''V-15713'' -notmatch '1|2'-->
  <OrganizationalSetting id="V-15713" value="0" />
  <!-- Ensure ''V-21956'' -le '3'-->
  <OrganizationalSetting id="V-21956" value="3" />
  <!-- Ensure ''V-26359'' -match '^(DoD Notice and Consent Banner|US Department of Defense Warning Statement)$'-->
  <OrganizationalSetting id="V-26359" value="DoD Notice and Consent Banner" />
  <!-- Ensure ''V-26482'' -match '^(Administrators,NT Virtual Machine\\Virtual Machines|Administrators)$'-->
  <OrganizationalSetting id="V-26482" value="Administrators" />
  <!-- Ensure ''V-26579'' -ge '32768'-->
  <OrganizationalSetting id="V-26579" value="32768" />
  <!-- Ensure ''V-26580'' -ge '196608'-->
  <OrganizationalSetting id="V-26580" value="196608" />
  <!-- Ensure ''V-26581'' -ge '32768'-->
  <OrganizationalSetting id="V-26581" value="32768" />
  <!-- Ensure ''V-26582'' -ge '32768'-->
  <OrganizationalSetting id="V-26582" value="32768" />
  <!-- Ensure ''V-36707'' -match '1|2'-->
  <OrganizationalSetting id="V-36707" value="2" />
  <!-- Ensure ''V-36773'' -le '900' -and ''V-36773'' -gt '0'-->
  <OrganizationalSetting id="V-36773" value="900" />
 </OrganizationalSettings>
--- a/StigData/Processed/Windows-2012R2-DC-2.15.xml
+++ b/StigData/Processed/Windows-2012R2-DC-2.15.xml
--- a/StigData/Processed/Windows-2012R2-DNS-1.11.org.default.xml
+++ b/StigData/Processed/Windows-2012R2-DNS-1.11.org.default.xml
@ -0,0 +1,8 @@
 <!--
    The organizational settings file is used to define the local organizations
    preferred setting within an allowed range of the STIG.
    Each setting in this file is linked by STIG ID and the valid range is in an
    associated comment.
 -->
 <OrganizationalSettings fullversion="1.11" />
--- a/StigData/Processed/Windows-2012R2-DNS-1.11.xml
+++ b/StigData/Processed/Windows-2012R2-DNS-1.11.xml
--- a/StigData/Processed/Windows-2012R2-IISServer-1.6.org.default.xml
+++ b/StigData/Processed/Windows-2012R2-IISServer-1.6.org.default.xml
@ -0,0 +1,11 @@
 <!--
    The organizational settings file is used to define the local organizations
    preferred setting within an allowed range of the STIG.
    Each setting in this file is linked by STIG ID and the valid range is in an
    associated comment.
 -->
 <OrganizationalSettings version="1.6">
  <!-- Ensure ''V-76727.b'' -le '00:20:00'-->
  <OrganizationalSetting id="V-76727.b" value='00:20:00' />
 </OrganizationalSettings>
--- a/StigData/Processed/Windows-2012R2-IISServer-1.6.xml
+++ b/StigData/Processed/Windows-2012R2-IISServer-1.6.xml
--- a/StigData/Processed/Windows-2016-DC-1.6.md
+++ b/StigData/Processed/Windows-2016-DC-1.6.md
@ -0,0 +1,297 @@
 # TODO
 ## AccountPolicyRule
    V-73309 +
    V-73311 +
    V-73313 +
    V-73315 +
    V-73317 +
    V-73319 +
    V-73321 +
    V-73323 +
    V-73325 +
 ## AuditPolicyRule
    V-73413 +
    V-73415 +
    V-73417 +
    V-73419 +
    V-73423 +
    V-73427 +
    V-73429 +
    V-73431 +
    V-73433 +
    V-73435 +
    V-73437 +
    V-73439 +
    V-73441 +
    V-73443 +
    V-73445 +
    V-73447 +
    V-73449 +
    V-73451 +
    V-73453 +
    V-73455 +
    V-73457 +
    V-73459 +
    V-73461 +
    V-73463 +
    V-73465 +
    V-73467 +
    V-73469 +
    V-73471 +
    V-73473 +
    V-73475 +
    V-73477 +
    V-73479 +
    V-73481 +
    V-73483 +
    V-73489 +
    V-73491 +
 ## DocumentRule
    V-73233 +
    V-73245 +
    V-73257 +
    V-73259 +
    V-73271 +
    V-73375 +
    V-73377 +
    V-73377 +
    V-73383 +
    V-73389 +
    V-73391 +
    V-73393 +
    V-73395 +
    V-73397 +
    V-73399 +
    V-73605 +
    V-73615 +
 ## ManualRule
    V-73217 +
    V-73219 +
    V-73223 +
    V-73225 +
    V-73227 +
    V-73229 +
    V-73231 +
    V-73235 +
    V-73237 +
    V-73241 +
    V-73261 +
    V-73263 +
    V-73265 +
    V-73267 +
    V-73273 +
    V-73275 +
    V-73279 +
    V-73281 +
    V-73283 +
    V-73285 +
    V-73303 +
    V-73305 +
    V-73307 - Time config
    V-73359 +
    V-73361 +
    V-73363 +
    V-73365 +
    V-73367 +
    V-73381 +
    V-73385 +
    V-73387 +
    V-73401 +
    V-73403 +
    V-73607 - Interop cert
    V-73609 - Interop cert
    V-73611 +
    V-73613 +
    V-73617 +
    V-73685 + DONE SupportedEncryptionTypes (Should be registry rule)
    V-78127 +
 ## PermissionRule
    V-73249   +
    V-73251.a + DONE  path is wrong %ProgramFiles%;%ProgramFiles(x86)%
    V-73251.b + DONE  path is wrong %ProgramFiles%;%ProgramFiles(x86)%
    V-73253   +
    V-73255.a + DONE  path HKLM:\SECURITY;HKLM:\SOFTWARE;HKLM:\SYSTEM
    V-73255.b + DONE  Path HKLM:\SECURITY;HKLM:\SOFTWARE;HKLM:\SYSTEM
    V-73255.c + DONE  path HKLM:\SECURITY;HKLM:\SOFTWARE;HKLM:\SYSTEM
    V-73369   +
    V-73371   +
    V-73373   - no path Should be a manual RUle
    V-73405   +
    V-73407   +
    V-73409   +
    V-73411   +
 ## RegistryRule
    V-73487   +
    V-73493   +
    V-73497   +
    V-73499   +
    V-73501   +
    V-73503   +
    V-73505   +
    V-73507   +
    V-73509.a +
    V-73509.b +
    V-73511
    V-73513.a + DONE Clean up orgsetting test
    V-73513.b + DONE Clean up orgsetting test
    V-73515   + DONE Device guard Check Needed
    V-73517   + DONE Device guard Check Needed
    V-73521   + DONE Should be org setting
    V-73525   +
    V-73527   +
    V-73529   +
    V-73531   +
    V-73537   +
    V-73539   +
    V-73543   +
    V-73545   +
    V-73547   +
    V-73549   +
    V-73551   + DONE Should be Org setting
    V-73553   +
    V-73555   +
    V-73557   +
    V-73559   +
    V-73561   +
    V-73563   +
    V-73565   +
    V-73567   +
    V-73569   +
    V-73571   +
    V-73573   +
    V-73575   +
    V-73577   +
    V-73579   +
    V-73581   +
    V-73583   +
    V-73585   +
    V-73587   +
    V-73589   +
    V-73591   + ok but the path provided has a space in it.
    V-73593   +
    V-73595   +
    V-73597   +
    V-73599   +
    V-73601   +
    V-73603   +
    V-73621   +
    V-73627   +
    V-73629   +
    V-73631   +
    V-73633   +
    V-73635   +
    V-73637   +
    V-73639   +
    V-73641   +
    V-73643   +
    V-73645   + DONE OrganizationValueTestString is missing
    V-73647   + DONE Needs to be hard coded LegalNoticeText
    V-73649   + DONE needs hard coded LegalNoticeCaption
    V-73653   +
    V-73655   +
    V-73657   +
    V-73659   +
    V-73661   +
    V-73663   +
    V-73667   +
    V-73669   +
    V-73671   +
    V-73673   +
    V-73675   +
    V-73679   +
    V-73681   +
    V-73683   +
    V-73687   +
    V-73691   +
    V-73693   +
    V-73695   +
    V-73697   +
    V-73699   +
    V-73701   +
    V-73703   +
    V-73705   +
    V-73707   +
    V-73709   +
    V-73711   + DONE Should be an Org Setting | ConsentPromptBehaviorAdmin
    V-73713   +
    V-73715   +
    V-73717   +
    V-73719   +
    V-73721   +
    V-73723   +
    V-73725   +
    V-73727   +
    V-73807   +
    V-78123   +
    V-78125   +
 ## SecurityOptionRule
    V-73623 +
    V-73625 +
    V-73665 +
    V-73689 +
    V-73809 +
 ## UserRightRule
    V-73729 +
    V-73731 + DONE Need to trim identities
    V-73735 +
    V-73737 + DONE Need to trim identities
    V-73739 + DONE Need to trim identities
    V-73741 + DONE Need to trim identities
    V-73743 + DONE Need to trim identities
    V-73745 + DONE Need to trim identities
    V-73747 +
    V-73749 + DONE Need to trim identities
    V-73751 +
    V-73753 + DONE Need to trim identities
    V-73755 + DONE Need to trim identities
    V-73757 + DONE Need to trim identities
    V-73761 + DONE Need to trim identities
    V-73765 +
    V-73769 + DONE Need to trim identities
    V-73773 + DONE Need to trim identities
    V-73777 + DONE Need to trim identities
    V-73781 + DONE Need to trim identities
    V-73783 + DONE Need to trim identities
    V-73785 + DONE Need to trim identities
    V-73787 + DONE Need to trim identities
    V-73789 + DONE Need to trim identities
    V-73791 +
    V-73793 + DONE Need to trim identities
    V-73795 + DONE Need to trim identities
    V-73797 + DONE Need to trim identities
    V-73799 + DONE Need to trim identities
    V-73801 + DONE Need to trim identities
    V-73803 + DONE Need to trim identities
 ## WindowsFeatureRule
    V-73277 + DONE Needs to be a document rule
    V-73287 + DONE No role listed
    V-73289 + DONE No role listed
    V-73291 + DONE No role listed
    V-73293 + DONE No role listed
    V-73295 + DONE No role listed
    V-73297 + DONE No role listed
    V-73299 +
    V-73301 + DONE No role listed
 ## WmiRule
    V-73239 +
    V-73247 +
--- a/StigData/Processed/Windows-2016-DC-1.6.org.default.xml
+++ b/StigData/Processed/Windows-2016-DC-1.6.org.default.xml
@ -0,0 +1,77 @@
 <!--
    The organizational settings file is used to define the local organizations
    preferred setting within an allowed range of the STIG.
    Each setting in this file is linked by STIG ID and the valid range is in an
    associated comment.
 -->
 <OrganizationalSettings version="1.6">
  <!-- Ensure ''V-73309'' -ge '15' -or ''V-73309'' -eq '0'-->
  <OrganizationalSetting id="V-73309" value="15" />
  <!-- Ensure ''V-73311'' -le '3' -and ''V-73311'' -ne '0'-->
  <OrganizationalSetting id="V-73311" value="3" />
  <!-- Ensure ''V-73313'' -ge '15'-->
  <OrganizationalSetting id="V-73313" value="15" />
  <!-- Ensure ''V-73315'' -ge '24'-->
  <OrganizationalSetting id="V-73315" value="24" />
  <!-- Ensure ''V-73317'' -le '60' -and ''V-73317'' -ne '0'-->
  <OrganizationalSetting id="V-73317" value="60" />
  <!-- Ensure ''V-73319'' -ne '0'-->
  <OrganizationalSetting id="V-73319" value="1" />
  <!-- Ensure ''V-73321'' -ge '14'-->
  <OrganizationalSetting id="V-73321" value="14" />
  <!-- Ensure ''V-73361'' -le '600' -and ''V-73361'' -ne '0'-->
  <OrganizationalSetting id="V-73361" value="600" />
  <!-- Ensure ''V-73363'' -le '10' -and ''V-73363'' -ne '0'-->
  <OrganizationalSetting id="V-73363" value="10" />
  <!-- Ensure ''V-73365'' -le '7'-->
  <OrganizationalSetting id="V-73365" value="7" />
  <!-- Ensure ''V-73367'' -le '5'-->
  <OrganizationalSetting id="V-73367" value="5" />
  <!-- Ensure ''V-73513.b'' -match '1|3'-->
  <OrganizationalSetting id="V-73513.b" value="1" />
  <!-- Ensure ''V-73515'' -match '1|2'-->
  <OrganizationalSetting id="V-73515" value="2" />
  <!-- Ensure ''V-73517'' -match '1|2'-->
  <OrganizationalSetting id="V-73517" value="2" />
  <!-- Ensure ''V-73521'' -match '1|3|8|ShouldBeAbsent'-->
  <OrganizationalSetting id="V-73521" value="8" />
  <!-- Ensure ''V-73551'' -match '0|1'-->
  <OrganizationalSetting id="V-73551" value="0" />
  <!-- Ensure ''V-73553'' -ge '32768'-->
  <OrganizationalSetting id="V-73553" value="32768" />
  <!-- Ensure ''V-73555'' -ge '196608'-->
  <OrganizationalSetting id="V-73555" value="196608" />
  <!-- Ensure ''V-73557'' -ge '32768'-->
  <OrganizationalSetting id="V-73557" value="32768" />
  <!-- Ensure ''V-73561'' -match '0|ShouldBeAbsent'-->
  <OrganizationalSetting id="V-73561" value="0" />
  <!-- Ensure ''V-73563'' -match '0|ShouldBeAbsent'-->
  <OrganizationalSetting id="V-73563" value="0" />
  <!-- Ensure ''V-73565'' -match '0|ShouldBeAbsent'-->
  <OrganizationalSetting id="V-73565" value="0" />
  <!-- Ensure ''V-73579'' -match '0|ShouldBeAbsent'-->
  <OrganizationalSetting id="V-73579" value="0" />
  <!-- Ensure ''V-73587'' -match '0|ShouldBeAbsent'-->
  <OrganizationalSetting id="V-73587" value="0" />
  <!-- Ensure ''V-73623'' -ne 'Administrator'-->
  <OrganizationalSetting id="V-73623" value="xAdministrator" />
  <!-- Ensure ''V-73625'' -ne 'Guest'-->
  <OrganizationalSetting id="V-73625" value="xGuest" />
  <!-- Ensure ''V-73641'' -le '30' -and ''V-73641'' -gt '0'-->
  <OrganizationalSetting id="V-73641" value="30" />
  <!-- Ensure ''V-73645'' -le '900' -and ''V-73645'' -gt '0'-->
  <OrganizationalSetting id="V-73645" value="900" />
  <!-- Ensure ''V-73649'' -match '^(DoD Notice and Consent Banner|US Department of Defense Warning Statement)$'-->
  <OrganizationalSetting id="V-73649" value="DoD Notice and Consent Banner" />
  <!-- Ensure ''V-73659'' -le '15'-->
  <OrganizationalSetting id="V-73659" value="15" />
  <!-- Ensure ''V-73711'' -match '1|2'-->
  <OrganizationalSetting id="V-73711" value="1" />
  <!-- Ensure ''V-73727'' -match '2|ShouldBeAbsent'-->
  <OrganizationalSetting id="V-73727" value="2" />
  <!-- Ensure ''V-73753'' -match '^(Administrators,NT Virtual Machine\\Virtual Machines|Administrators)$'-->
  <OrganizationalSetting id="V-73753" value="Administrators" />
  <!-- Ensure ''V-73807'' -match '1|2'-->
  <OrganizationalSetting id="V-73807" value="1" />
 </OrganizationalSettings>
--- a/StigData/Processed/Windows-2016-DC-1.6.xml
+++ b/StigData/Processed/Windows-2016-DC-1.6.xml
--- a/StigData/Processed/Windows-2016-MS-1.6.md
+++ b/StigData/Processed/Windows-2016-MS-1.6.md
@ -0,0 +1,268 @@
 # TODO
 ## AccountPolicyRule
    V-73309 +
    V-73311 +
    V-73313 +
    V-73315 +
    V-73317 +
    V-73319 +
    V-73321 +
    V-73323 +
    V-73325 +
 ## AuditPolicyRule
    V-73413 +
    V-73415 +
    V-73419 +
    V-73423 +
    V-73427 +
    V-73429 +
    V-73431 +
    V-73433 +
    V-73443 +
    V-73445 +
    V-73447 +
    V-73449 +
    V-73451 +
    V-73453 +
    V-73455 +
    V-73457 +
    V-73459 +
    V-73461 +
    V-73463 +
    V-73465 +
    V-73467 +
    V-73469 +
    V-73471 +
    V-73473 +
    V-73475 +
    V-73477 +
    V-73479 +
    V-73481 +
    V-73483 +
    V-73489 +
    V-73491 +
 ## DocumentRule
    V-73233 + Should be manual
    V-73245 + Should be manual
    V-73257 + Should be manual
    V-73259 + Should be manual
    V-73271 + Should be manual
    V-73605 + Should be manual
 ## ManualRule
    V-73217 +
    V-73221 +
    V-73223 +
    V-73225 +
    V-73227 +
    V-73229 +
    V-73231 +
    V-73235 +
    V-73237 +
    V-73241 + A/V
    V-73261 +
    V-73263 +
    V-73265 +
    V-73267 +
    V-73273 +
    V-73275 +
    V-73279 + F/W
    V-73281 +
    V-73283 +
    V-73285 +
    V-73303 +
    V-73305 +
    V-73307 + Time settings
    V-73401 +
    V-73403 +
    V-73607 +
    V-73609 +
    V-78127 +
 ## PermissionRule
    V-73249   + DONE missing inheritance flags
    V-73251.a + DONE missing Inheritance flags
    V-73251.b + DONE missing Inheritance flags
    V-73253   + DONE missing Inheritance flags
    V-73255.a + DONE missing ACE (Administrator)
    V-73255.b +
    V-73255.c + Duplicate Creator Owner Entry
    V-73405   +
    V-73407   +
    V-73409   +
    V-73411   +
 ## RegistryRule
    V-73487   +
    V-73493   +
    V-73495   +
    V-73497   +
    V-73499   +
    V-73501   +
    V-73503   +
    V-73505   +
    V-73507   +
    V-73509.a + DONE Needs to be further split into multipe value entries
    V-73509.b + DONE Needs to be further split into multipe value entries
    V-73511   +
    V-73513.a + DONE Clean up orgsetting test
    V-73513.b + DONE Clean up orgsetting test
    V-73515   + DONE Device guard Check Needed
    V-73517   + DONE Device guard Check Needed
    V-73521   + DONE Should be an orgsetting
    V-73525   +
    V-73527   +
    V-73529   +
    V-73531   +
    V-73533   +
    V-73537   +
    V-73539   +
    V-73541   +
    V-73543   +
    V-73545   +
    V-73547   +
    V-73549   +
    V-73551   + DONE Should be orgsetting
    V-73553   +
    V-73555   +
    V-73557   +
    V-73559   +
    V-73561   +
    V-73563   +
    V-73565   +
    V-73567   +
    V-73569   +
    V-73571   +
    V-73573   +
    V-73575   +
    V-73577   +
    V-73579   +
    V-73581   +
    V-73583   +
    V-73585   +
    V-73587   +
    V-73589   +
    V-73591   +
    V-73593   +
    V-73595   +
    V-73597   +
    V-73599   +
    V-73601   +
    V-73603   +
    V-73621   +
    V-73627   +
    V-73633   +
    V-73635   +
    V-73637   +
    V-73639   +
    V-73641   +
    V-73643   +
    V-73645   +
    V-73647   +
    V-73649   + DONE Should be an orgsetting Banner title
    V-73651   +
    V-73653   +
    V-73655   +
    V-73657   +
    V-73659   +
    V-73661   +
    V-73663   +
    V-73667   +
    V-73669   +
    V-73671   +
    V-73673   +
    V-73675   +
    V-73677   +
    V-73679   +
    V-73681   +
    V-73683   +
    V-73685   +
    V-73687   +
    V-73691   +
    V-73693   +
    V-73695   +
    V-73697   +
    V-73699   +
    V-73701   +
    V-73703   +
    V-73705   +
    V-73707   +
    V-73709   +
    V-73711   + DONE Should be OrgSetting
    V-73713   +
    V-73715   +
    V-73717   +
    V-73719   +
    V-73721   +
    V-73723   +
    V-73725   +
    V-73727   +
    V-73807   +
    V-78123   +
    V-78125   +
 ## SecurityOptionRule
    V-73623 +
    V-73625 +
    V-73665 +
    V-73689 +
    V-73809 +
 ## UserRightRule
    V-73729 +
    V-73733 +
    V-73735 +
    V-73739 +
    V-73743 +
    V-73745 +
    V-73747 +
    V-73749 +
    V-73751 +
    V-73753 + DONE No org setting
    V-73755 + Trim ending String
    V-73759 + Should be an Org Setting
    V-73763 +
    V-73767 +
    V-73771 +
    V-73775 +
    V-73779 +
    V-73781 +
    V-73783 +
    V-73785 +
    V-73787 +
    V-73789 +
    V-73791 +
    V-73793 +
    V-73795 +
    V-73797 +
    V-73799 +
    V-73801 +
    V-73803 +
 ## WindowsFeatureRule
    V-73277 + DONE Manual Rule
    V-73287 +
    V-73289 +
    V-73291 +
    V-73293 +
    V-73295 +
    V-73297 +
    V-73299 +
    V-73301 +
 ## WmiRule
    V-73239 +
    V-73247 +
--- a/StigData/Processed/Windows-2016-MS-1.6.org.default.xml
+++ b/StigData/Processed/Windows-2016-MS-1.6.org.default.xml
@ -0,0 +1,74 @@
 <!--
    The organizational settings file is used to define the local organizations
    preferred setting within an allowed range of the STIG.
    Each setting in this file is linked by STIG ID and the valid range is in an
    associated comment.
 -->
 <OrganizationalSettings version="1.6">
  <!-- Ensure ''V-73309'' -ge '15' -or ''V-73309'' -eq '0'-->
  <OrganizationalSetting id="V-73309" value="15" />
  <!-- Ensure ''V-73311'' -le '3' -and ''V-73311'' -ne '0'-->
  <OrganizationalSetting id="V-73311" value="3" />
  <!-- Ensure ''V-73313'' -ge '15'-->
  <OrganizationalSetting id="V-73313" value="15" />
  <!-- Ensure ''V-73315'' -ge '24'-->
  <OrganizationalSetting id="V-73315" value="24" />
  <!-- Ensure ''V-73317'' -le '60' -and ''V-73317'' -ne '0'-->
  <OrganizationalSetting id="V-73317" value="60" />
  <!-- Ensure ''V-73319'' -ne '0'-->
  <OrganizationalSetting id="V-73319" value="1" />
  <!-- Ensure ''V-73321'' -ge '14'-->
  <OrganizationalSetting id="V-73321" value="14" />
  <!-- Ensure ''V-73513.b'' -match '1|3'-->
  <OrganizationalSetting id="V-73513.b" value="1" />
  <!-- Ensure ''V-73515'' -match '1|2'-->
  <OrganizationalSetting id="V-73515" value="2" />
  <!-- Ensure ''V-73517'' -match '1|2'-->
  <OrganizationalSetting id="V-73517" value="2" />
  <!-- Ensure ''V-73521'' -match '1|3|8|ShouldBeAbsent'-->
  <OrganizationalSetting id="V-73521" value="8" />
  <!-- Ensure ''V-73551'' -match '0|1'-->
  <OrganizationalSetting id="V-73551" value="0" />
  <!-- Ensure ''V-73553'' -ge '32768'-->
  <OrganizationalSetting id="V-73553" value="32768" />
  <!-- Ensure ''V-73555'' -ge '196608'-->
  <OrganizationalSetting id="V-73555" value="196608" />
  <!-- Ensure ''V-73557'' -ge '32768'-->
  <OrganizationalSetting id="V-73557" value="32768" />
  <!-- Ensure ''V-73561'' -match '0|ShouldBeAbsent'-->
  <OrganizationalSetting id="V-73561" value="0" />
  <!-- Ensure ''V-73563'' -match '0|ShouldBeAbsent'-->
  <OrganizationalSetting id="V-73563" value="0" />
  <!-- Ensure ''V-73565'' -match '0|ShouldBeAbsent'-->
  <OrganizationalSetting id="V-73565" value="0" />
  <!-- Ensure ''V-73579'' -match '0|ShouldBeAbsent'-->
  <OrganizationalSetting id="V-73579" value="0" />
  <!-- Ensure ''V-73587'' -match '0|ShouldBeAbsent'-->
  <OrganizationalSetting id="V-73587" value="0" />
  <!-- Ensure ''V-73623'' -ne 'Administrator'-->
  <OrganizationalSetting id="V-73623" value="xAdministrator" />
  <!-- Ensure ''V-73625'' -ne 'Guest'-->
  <OrganizationalSetting id="V-73625" value="xGuest" />
  <!-- Ensure ''V-73641'' -le '30' -and ''V-73641'' -gt '0'-->
  <OrganizationalSetting id="V-73641" value="30" />
  <!-- Ensure ''V-73645'' -le '900' -and ''V-73645'' -gt '0'-->
  <OrganizationalSetting id="V-73645" value="900" />
  <!-- Ensure ''V-73649'' -match '^(DoD Notice and Consent Banner|US Department of Defense Warning Statement)$'-->
  <OrganizationalSetting id="V-73649" value="DoD Notice and Consent Banner" />
  <!-- Ensure ''V-73651'' -le '4'-->
  <OrganizationalSetting id="V-73651" value="4" />
  <!-- Ensure ''V-73659'' -le '15'-->
  <OrganizationalSetting id="V-73659" value="15" />
  <!-- Ensure ''V-73711'' -match '1|2'-->
  <OrganizationalSetting id="V-73711" value="1" />
  <!-- Ensure ''V-73727'' -match '2|ShouldBeAbsent'-->
  <OrganizationalSetting id="V-73727" value="2" />
  <!-- Ensure ''V-73753'' -match '^(Administrators,NT Virtual Machine\\Virtual Machines|Administrators)$'-->
  <OrganizationalSetting id="V-73753" value="Administrators" />
  <!-- Ensure ''V-73759'' -match 'Enterprise Admins,Domain Admins,(Local account and member of Administrators group|Local account),Guests'-->
  <OrganizationalSetting id="V-73759" value="Enterprise Admins,Domain Admins,Local account and member of Administrators group,Guests" />
  <!-- Ensure ''V-73807'' -match '1|2'-->
  <OrganizationalSetting id="V-73807" value="1" />
 </OrganizationalSettings>
--- a/StigData/Processed/Windows-2016-MS-1.6.xml
+++ b/StigData/Processed/Windows-2016-MS-1.6.xml
--- a/StigData/Processed/Windows-All-Domain-2.12.org.default.xml
+++ b/StigData/Processed/Windows-All-Domain-2.12.org.default.xml
@ -0,0 +1,8 @@
 <!--
    The organizational settings file is used to define the local organizations
    preferred setting within an allowed range of the STIG.
    Each setting in this file is linked by STIG ID and the valid range is in an
    associated comment.
 -->
 <OrganizationalSettings fullversion="2.12" />
--- a/StigData/Processed/Windows-All-Domain-2.12.xml
+++ b/StigData/Processed/Windows-All-Domain-2.12.xml
@ -0,0 +1,523 @@
 <DISASTIG version="2" classification="UNCLASSIFIED" customname="" stigid="Active_Directory_Domain" description="This STIG provides focused security requirements for the AD or Active Directory Domain Services (AD DS) element for Windows Servers operating systems.  These requirements apply to the domain and can typically be reviewed once per AD domain.  The separate Active Directory Forest STIG contains forest level requirements.  Systems must also be reviewed using the applicable Windows STIG.   Comments or proposed revisions to this document should be sent via e-mail to the following address:  disa.stig_spt@mail.mil. " filename="U_Active_Directory_Domain_STIG_V2R12_Manual-xccdf.xml" releaseinfo="Release: 12 Benchmark Date: 25 Jan 2019" title="Active Directory Domain Security Technical Implementation Guide (STIG)" notice="terms-of-use" source="STIG.DOD.MIL" fullversion="2.12" created="2/6/2019">
  <DocumentRule dscresourcemodule="None">
    <Rule id="V-8521" severity="low" conversionstatus="pass" title="Object Ownership Delegation" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>1. Interview the IAM or site representative and obtain the list of accounts that have been delegated AD object ownership or update permissions and that are not members of Windows built-in administrative groups.
 (This includes accounts for help desk or support personnel who are not Administrators, but have authority in AD to maintain user accounts or printers.)
 2. If accounts with delegated authority are defined and there is no list, then this is a finding.
 3. Count the number of accounts on the list.
 4. If the number of accounts with delegated authority is greater than 10, review the site documentation that justifies this number.  Validate that the IAM explicitly acknowledges the need to have a high number of privileged users.
 5. If the number of accounts with delegated authority is greater than 10 and there is no statement in the documentation that justifies the number, then this is a finding.</RawString>
    </Rule>
    <Rule id="V-8525" severity="low" conversionstatus="pass" title="Directory Service Architecture DR Documentation" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Determine the Availability categorization information for the domain.
 If the Availability categorization of the domain is low, this is NA.
 If the Availability categorization of the domain is moderate or high, verify the organization's disaster recovery plans includes documentation on the AD hierarchy (forest, tree and domain structure).
 (A chart showing forest hierarchy and domain names is the minimum suggested.)
 If the disaster recovery plans do not include directory hierarchy information, this is a finding.</RawString>
    </Rule>
    <Rule id="V-8526" severity="low" conversionstatus="pass" title="Cross-Directory Authentication INFOCON Procedures" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>1. Refer to the list of actual manual AD trusts (cross-directory configurations) collected from the site representative.
 2. If there are no manual AD trusts (cross-directory configurations) defined, this check is not applicable.
 For AD, this includes external, forest, or realm trust relationship types.
 3. Obtain a copy of the site’s supplemental INFOCON procedures as required by Strategic Command Directive (SD) 527-1.
 4. Verify that it has been determined by the IAM whether INFOCON response actions need to include procedures to disable manual AD trusts (cross-directory configurations). The objective is to determine if the need has been explicitly evaluated.
 5. If it has been determined that actions to disable manual AD trusts (cross-directory configurations) are not necessary, then this check is not applicable.
 6. If it has been determined that actions to disable manual AD trusts (cross-directory configurations) *are* necessary, verify that the policy to implement these actions has been documented.
 7. If actions to disable manual AD trusts (cross-directory configurations) *are* needed and no policy has been documented, then this is a finding.</RawString>
    </Rule>
    <Rule id="V-8530" severity="low" conversionstatus="pass" title="Cross-Directory Authentication Documentation" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Start "Active Directory Domains and Trusts" (Available from various menus or run "domain.msc").
 Select the left pane item that matches the name of the domain being reviewed.
 Right-click the domain name and select "Properties".
 Select the "Trusts" tab.
 For each outbound and inbound external, forest, and realm trust, record the name of the other party (domain name), the trust type, transitivity, and the trust direction. (Keep this trust information for use in subsequent checks.)
 Compare the list of trusts identified with documentation maintained by the ISSO.
 For each trust, the documentation must contain the following:
 Type (external, forest, or realm)
 Name of the other party
 Confidentiality, Availability, and Integrity categorization
 Classification level of the other party
 Trust direction (inbound and/or outbound)
 Transitivity
 Status of the Selective Authentication option
 Status of the SID filtering option
 If an identified trust is not listed in the documentation or if any of the required items are not documented, this is a finding.</RawString>
    </Rule>
    <Rule id="V-8533" severity="medium" conversionstatus="pass" title="Trusts - document need " dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>1. Before performing this check, perform V-8530  which validates the trusts within the documentation are current within AD.
 2. Obtain documentation of the site's approved trusts from the site representative.
 3. For each of the identified trusts, verify that the documentation includes a justification or explanation of the need-to-know basis of the trust.
 4. If the need for the trust is not documented, then this is a finding.</RawString>
    </Rule>
    <Rule id="V-8534" severity="high" conversionstatus="pass" title="Trust - Classification Levels" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>1. Refer to the list of identified trusts and the trust documentation provided by the site representative. (Obtained in V-8530)
 2. For each of the identified trusts between DoD organizations, compare the classification level (unclassified, confidential, secret, and top secret) of the domain being reviewed with the classification level of the other trust party as noted in the documentation.
 3. If the classification level of the domain being reviewed is different than the classification level of any of the entities for which a trust relationship is defined, then this is a finding.
 </RawString>
    </Rule>
    <Rule id="V-8536" severity="high" conversionstatus="pass" title="Trust - Non-DoD" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>1. Refer to the list of identified trusts obtained in a previous check (V8530).
 2. For each of the identified trusts, determine if the other trust party is a non-DoD entity. For example, if the fully qualified domain name of the other party does not end in “.mil”, the other party is probably not a DoD entity.
 3. Review the local documentation approving the external network connection and documentation indicating explicit approval of the trust by the DAA.
 4. The external network connection documentation is maintained by the IAO\NSO for compliance with the Network Infrastructure STIG.
 5. If any trust is defined with a non-DoD system and there is no documentation indicating approval of the external network connection and explicit DAA approval of the trust, then this is a finding.</RawString>
    </Rule>
    <Rule id="V-8548" severity="medium" conversionstatus="pass" title="AD.0240" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Start "Active Directory Users and Computers" (Available from various menus or run "dsa.msc").
 Review the membership of the "Incoming Forest Trust Builders" group.
 Navigate to the "Built-in" container.
 Right-click on the "Incoming Forest Trust Builders", select "Properties" and then the "Members" tab.
 If any accounts are not documented as necessary with the ISSO, this is a finding.
 Review the membership of the "Group Policy Creator Owner" group.
 Navigate to the "Users" container.
 Right-click on the "Group Policy Creator Owner", select "Properties" and then the "Members" tab.
 If any accounts are not documented as necessary with the ISSO, this is a finding.
 It is possible to move some system-defined groups from their default locations.  If a group is not in the location noted, review other containers to locate.</RawString>
    </Rule>
    <Rule id="V-36431" severity="high" conversionstatus="pass" title="Enterprise Admins Group Members" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Review the Enterprise Admins group in Active Directory Users and Computers.  Any accounts that are members of the Enterprise Admins group must be documented with the IAO.  Each Enterprise Administrator must have a separate unique account specifically for managing the Active Directory forest.
 If any account listed in the Enterprise Admins group is a member of other administrator groups including the Domain Admins group, domain member server administrators groups, or domain workstation administrators groups, this is a finding.</RawString>
    </Rule>
    <Rule id="V-36432" severity="high" conversionstatus="pass" title="Domain Admins Group Members" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Review the Domain Admins group in Active Directory Users and Computers.  Any accounts that are members of the Domain Admins group must be documented with the IAO.  Each Domain Administrator must have a separate unique account specifically for managing the Active Directory domain and domain controllers.
 If any account listed in the Domain Admins group is a member of other administrator groups including the Enterprise Admins group, domain member server administrators groups, or domain workstation administrators groups, this is a finding.</RawString>
    </Rule>
    <Rule id="V-36433" severity="medium" conversionstatus="pass" title="Domain Member Server Administrators Group Members" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Review the membership groups in Active Directory Users and Computers.  Membership groups must be designated at the domain level specifically for domain member server administrators. Domain member server administrator groups and any accounts that are members of the groups must be documented with the IAO.  Each member server administrator must have a separate unique account specifically for managing member servers.
 If any account listed in a domain member server administrator group is a member of other administrator groups including the Enterprise Admins group, the Domain Admins group, or domain workstation administrator groups, this is a finding.</RawString>
    </Rule>
    <Rule id="V-36434" severity="medium" conversionstatus="pass" title="Domain Workstation Administrators Group Members" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Review the membership groups in Active Directory Users and Computers.  Membership groups must be designated at the domain level specifically for domain workstation administrators. Domain workstation administrator groups and any accounts that are members of the groups must be documented with the IAO.  Each domain workstation administrator must have a separate unique account specifically for managing domain workstations.
 If any account listed in a domain workstation administrator group is a member of other administrator groups including the Enterprise Admins group, the Domain Admins group, or domain member server administrator groups, this is a finding.</RawString>
    </Rule>
    <Rule id="V-53727" severity="medium" conversionstatus="pass" title="AD.0015" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify domain controllers are blocked from Internet access.  Various methods may be employed to accomplish this, such as restrictions at boundary firewalls, through proxy services, host based firewalls or IPsec.
 Review the Internet access restrictions with the administrator.  If Internet access is not prevented, this is a finding.
 If a critical function requires Internet access, this must be documented and approved by the organization.</RawString>
    </Rule>
  </DocumentRule>
  <ManualRule dscresourcemodule="None">
    <Rule id="V-8522" severity="medium" conversionstatus="pass" title="Directory Service Inter-Enclave VPN Usage" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>1. Review the site's network diagram(s) to determine if domain controllers for the domain are located in multiple enclaves. The object is to determine if network traffic is traversing enclave network boundaries.
 2. Request information about RODC or ADAM instances are installed. In particular, request details of Active Diretory functionality installed or extended into the DMZ or configured/allowed to cross the sites outbound firewall boundary. Ensure communications and replication traffic is encrypted.
 3. If domain controllers are not located in multiple enclaves, then this check is not applicable.
 4. If domain controllers are located in multiple enclaves, verify that a VPN is used to transport the network traffic (replication, user logon, queries, etc.).
 5. If a VPN solution is not used to transport directory network traffic across enclave boundaries, then this is a finding.
 6. If the ADAM mode is in use and a migration plan for converting to RODC is not in place, then this is a finding.</RawString>
    </Rule>
    <Rule id="V-8523" severity="medium" conversionstatus="pass" title="IDS Visibility of Directory VPN Data Transport" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>1. Interview the site representative. Ask about the location of the domain controllers.
 2. If domain controllers are not located in multiple enclaves, then this check is not applicable.
 3. If domain controllers are located in multiple enclaves and a VPN is not used, then this check is not applicable.
 4. If domain controllers are located in multiple enclaves and a VPN is used, review the site network diagram(s) with the SA, NSO, or network reviewer as required to determine if the AD network traffic is visible to a network or host IDS.
 5. If the AD network traffic is not visible to a network or host IDS, then this is a finding.</RawString>
    </Rule>
    <Rule id="V-8524" severity="medium" conversionstatus="pass" title="Directory Service Availability" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Determine the Availability categorization information for the domain.
 If the Availability categorization of the domain is low, this is NA.
 If the Availability categorization of the domain is moderate or high, verify the domain is supported by more than one domain controller.
 Start "Active Directory Users and Computers" (Available from various menus or run "dsa.msc").
 Expand the left pane item that matches the domain being reviewed.
 Select the Domain Controllers Organizational Unit (OU) in the left pane.
 If there is only one domain controller in the OU, this is a finding.</RawString>
    </Rule>
    <Rule id="V-8538" severity="medium" conversionstatus="pass" title="Trust - SID Filter Quarantining " dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Open "Active Directory Domains and Trusts". (Available from various menus or run "domain.msc".)
 Right click the domain in the left pane and select Properties.
 Select the Trusts tab.
 Note any existing trusts and the type.
 If no trusts exist, this is NA.
 If the trust type is External, run the following command on the trusting domain:
 "netdom trust &lt;trusting domain&gt; /d:&lt;trusted domain&gt; /quarantine"
 If the result does not specify "SID filtering is enabled for this trust.  Only SIDs from the trusted domain will be accepted for authorization data returned during authentication.  SIDs from other domains will be removed.", this is a finding.
 If the trust type is Forest, run the following command on the trusting domain:
 "netdom trust &lt;trusting domain&gt; /d:&lt;trusted domain&gt; /enablesidhistory"
 If the result does not specify "SID history is disabled for this trust", this is a finding.</RawString>
    </Rule>
    <Rule id="V-8540" severity="medium" conversionstatus="pass" title="Trust - Selective Authentication" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Open "Active Directory Domains and Trusts".  (Available from various menus or run "domain.msc".)
 Right click the domain name in the left pane and select "Properties".
 Select the "Trusts" tab.
 For each outgoing forest trust, right-click the trust item and select "Properties".
 Select the "Authentication" tab.
 If the "Selective Authentication" option is not selected on every outgoing forest trust, this is a finding.</RawString>
    </Rule>
    <Rule id="V-8547" severity="medium" conversionstatus="pass" title="Pre-Windows 2000 Compatible Access Group" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc").
 Expand the domain being reviewed in the left pane and select the "Builtin" container.
 Double-click on the "Pre-Windows 2000 Compatible Access" group in the right pane.
 Select the "Members" tab.
 If the "Anonymous Logon" or "Everyone" groups are members, this is a finding.
 (By default, these groups are not included in current Windows versions.)</RawString>
    </Rule>
    <Rule id="V-8549" severity="medium" conversionstatus="pass" title="Privileged Group Membership - Cross-Directory" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>1. Start the Active Directory Users and Computers console (Start, Run, “dsa.msc”).
 2. Select and expand the left pane item that matches the name of the domain being reviewed.
 3. Select the Built-in container.
 a. If the Incoming Forest Trust Builders group is defined, double-click on the group, and select the Members tab
 b. Examine the defined accounts to see if they are from a domain that is not in the forest being reviewed.
 4. Select the Users container
 a. For each group (Domain Admins, Enterprise Admins, Schema Admins, and Group Policy Creator Owners), double-click on the group, and select the Members tab.
 b. Examine the defined accounts to see if they are from a domain that is not in the forest being reviewed.
 5. If any account in a privileged group is from a domain outside the forest being reviewed and that outside forest is not maintained by the same organization (e.g., enclave) or subject to the same security policies, then this is a finding.
 Supplementary Notes:
 Note: An account that is from an outside domain appears in the format “outside-domain-NetBIOSname\account” or “account@outside-domain-fully-qualified-name”. Examples are “AOFN21\jsmith” or “jsmith@AOFN21.OST.COM”. It may be necessary to use the AD Domains and Trusts (domain.msc) console to determine if the domain is from another AD forest.
 Note:  It is possible to move the highly privileged AD security groups out of the AD Users container. If the Domain Admins, Enterprise Admins, Schema Admins, or Group Policy Creator Owners groups are not in the AD Users container, ask the SA for the new location and use that location for this check.</RawString>
    </Rule>
    <Rule id="V-8551" severity="medium" conversionstatus="pass" title="Domain Functional Level" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Open "Active Directory Domains and Trusts" (run "domain.msc") or "Active Directory Users and Computers" (run "dsa.msc").
 Right click in the left pane on the name of the Domain being reviewed.
 Select "Raise domain functional level…"
 The current domain functional level will be displayed (as well as the option to raise the domain functional level).
 Select "Cancel" to exit.
 Alternately, using PowerShell (Windows 2008 R2 or later).
 Select "Active Directory Module for Windows PowerShell", available in Administrative Tools or the Start Screen.
 Run "Get-ADDomain".
 View the value for "DomainMode:"
 If the domain functional level is not Windows Server 2008 or later, this is a finding.
 Using the highest domain functional level supported by the domain controllers is recommended.</RawString>
    </Rule>
    <Rule id="V-8553" severity="medium" conversionstatus="pass" title="Replication Schedule" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Open "Active Directory Sites and Services".  (Available from various menus or run "dssite.msc".)
 Expand "Sites" in the left pane.
 If only a single site exists, this is NA.  By default the first site in a domain is named "Default-First-Site-Name" but may have been changed.
 If more than one site exists, expand "Inter-Site Transports" and select "IP".
 For each site link that is defined in the right pane perform the following:
 Right click the site link item and select "Properties".
 If the interval on the "General" tab for the "Replicate every" field is greater than "1440", this is a finding.
 Click the "Change Schedule" button.
 If the time frames selected for "Replication Available" do not allow for replication to occur at least daily, this is a finding.
 Click the Cancel buttons to exit.</RawString>
    </Rule>
    <Rule id="V-25385" severity="medium" conversionstatus="pass" title="Directory Data Backup" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Review the organization's procedures for the backing up active directory data.
 Verify the frequency at which active directory data is backed up.
 If the Availability categorization of the domain is low, this must be at least weekly.
 If the Availability categorization of the domain is moderate or high, this must be at least daily.
 Verify the type of backup is appropriate to capturing the directory data.  For AD domain controllers, this must include a System State data backup.
 If any of these conditions are not met, this is a finding.</RawString>
    </Rule>
    <Rule id="V-25840" severity="medium" conversionstatus="pass" title="DSRM Password Change Policy" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the organization has a process that addresses DSRM password change frequency.
 If DSRM passwords are not changed at least annually, this is a finding.</RawString>
    </Rule>
    <Rule id="V-25997" severity="medium" conversionstatus="pass" title="Replication in the DMZ (RODC)" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>1. Verify that the site has applied the Network Infrastucture STIG to configure the VPN and IPSec.
 2. Verify that IPSec and other communications and security configurations for the management and replication of the RODC will be managed by use of the minimum required Group Policy Objects (GPOs).
 3. Include an inspection of the RODC server in the DMZ when inspection for least privilege.
 4. Verify that required patches and compatibility packs are installed if RODC is used with Windows 2003 (or earlier) clients.
 5. If RODC server and configuration does not comply with requirements, then this is a finding.</RawString>
    </Rule>
    <Rule id="V-36435" severity="high" conversionstatus="pass" title="Delegation of Privileged Accounts" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Review the properties of all privileged accounts in Active Directory Users and Computers. Under the Account tab, verify "Account is sensitive and cannot be delegated" is selected in the Account Options section. If delegation is not prohibited for any  privileged account, this is a finding.</RawString>
    </Rule>
    <Rule id="V-36438" severity="medium" conversionstatus="pass" title="Unique Passwords for all Local Administrator Accounts" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify local administrator accounts on domain systems are using unique passwords. If local administrator accounts on domain systems are sharing a password, this is a finding.
 Microsoft's Local Administrator Password Solution (LAPS) provides an automated solution for maintaining and regularly changing a local administrator password for domain-joined systems. LAPS can manage a single local administrator account. The default is the built-in administrator account however it can be configured to manage an administrator account of a different name. If additional local administrator accounts exist across systems, the organization must have a process to require unique passwords on each system for the additional accounts.
 Other automated solutions that provide this capability may also be used.
 If LAPS has been installed and enabled in the domain, the following PowerShell query will return a list of systems that do not have a local administrator password managed by LAPS. (The LAPS PowerShell module requires PowerShell 2.0 or higher and .NET Framework 4.0.)
 Open "Windows PowerShell".
 If the LAPS PowerShell module has not been previously imported, execute the following first: "Import-Module AdmPwd.ps".
 Execute "Get-AdmPwdPassword -ComputerName * | Where-object {$_.password -eq $null}"
 Review the returned list for validity.
 Exclude computers with "OU=Domain Controllers" in the DistinguishedName field.  Other possible exceptions include but are not limited to non-Windows computers in Active Directory.
 If any active/deployed Windows systems that are not managed by another process to ensure unique passwords for local administrator accounts are listed, this is a finding.
 If the query fails, the organization must demonstrate that passwords for local administrator accounts are properly managed to ensure unique passwords for each.  If not, this is a finding.</RawString>
    </Rule>
    <Rule id="V-43648" severity="medium" conversionstatus="pass" title="AD.0009" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify separate smart cards are used for EA and DA accounts from smart cards used for other accounts.  EA and DA accounts may be on the same smart card but must be separate from any other accounts.  If separate smart cards for EA and DA accounts from other accounts are not used, this is a finding.</RawString>
    </Rule>
    <Rule id="V-43652" severity="medium" conversionstatus="pass" title="AD.0013" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>If the domain does not have any public facing servers, this is NA.
 Review the local Administrators group on public facing servers.  Only the appropriate administrator groups or accounts responsible for administration of the system may be members of the group.
 For public facing servers, the Domain Admins group must be replaced by a domain member server administrator group whose members are different from any used to manage internal servers.
 If any domain accounts or groups used to manage internal servers are members of the local administrators group, this is a finding.</RawString>
    </Rule>
    <Rule id="V-43712" severity="medium" conversionstatus="pass" title="AD.AU.0001" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify account usage events for administrative accounts are being monitored.  This includes events related to approved administrative accounts as well as accounts being added to privileged groups such as Administrators, Domain and Enterprise Admins and other organization defined administrative groups.  Event monitoring may be implemented through various methods including log aggregation and the use of monitoring tools.
 Monitor for the events listed below, at minimum.  If these events are not monitored, this is a finding.
 Account Lockouts (Subcategory: User Account Management)
 4740 - A user account is locked out.
 User Added to Privileged Group (Subcategory: Security Group Management)
 4728 - A member was added to a security-enabled global group.
 4732 - A member was added to a security-enabled local group.
 4756 - A member was added to a security-enabled universal group.
 Successful User Account Login (Subcategory: Logon)
 4624 - An account was successfully logged on.
 Failed User Account Login (Subcategory: Logon)
 4625 - An account failed to log on.
 Account Login with Explicit Credentials (Subcategory: Logon)
 4648 - A logon was attempted using explicit credentials.</RawString>
    </Rule>
    <Rule id="V-43713" severity="medium" conversionstatus="pass" title="AD.AU.0002" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify attempts to use local accounts to log on remotely from other systems are being monitored.  Event monitoring may be implemented through various methods including log aggregation and the use of monitoring tools.
 Monitor for the events listed below.  If these events are not monitored, this is a finding.
 More advanced filtering is necessary to obtain the pertinent information than just looking for event IDs.
 Search for the event IDs listed with the following additional attributes:
 Logon Type = 3 (Network)
 Authentication Package Name = NTLM
 Not a domain logon and not the ANONYMOUS LOGON account
 Successful User Account Login (Subcategory: Logon)
 4624 - An account was successfully logged on.
 Failed User Account Login (Subcategory: Logon)
 4625 - An account failed to log on.</RawString>
    </Rule>
    <Rule id="V-43714" severity="medium" conversionstatus="pass" title="AD.AU.0003" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify Remote Desktop logins are being monitored.  Event monitoring may be implemented through various methods including log aggregation and the use of monitoring tools.
 Monitor for the events listed below.  If these events are not monitored, this is a finding.
 More advanced filtering is necessary to obtain the pertinent information than just looking for event IDs.
 Search for the event IDs listed with the following additional attributes:
 Logon Type = 10 (RemoteInteractive)
 Authentication Package Name = Negotiate
 Successful User Account Login (Subcategory: Logon)
 4624 - An account was successfully logged on.</RawString>
    </Rule>
    <Rule id="V-44059" severity="medium" conversionstatus="pass" title="AD.0014" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>If no Windows service \ application accounts with manually managed passwords have administrative privileges, this is NA.
 Verify Windows service \ application accounts with administrative privileges and manually managed passwords, have passwords changed at least every 60 days.</RawString>
    </Rule>
    <Rule id="V-72821" severity="medium" conversionstatus="pass" title="AD.0016" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Windows Server 2016 with a domain functional level of Windows Server 2016:
 Open "Active Directory Administrative Center".
 Right-click on the domain name and select "Properties".
 If the "Domain functional level:" is not "Windows Server 2016", another method must be used to reset the NT hashes.  See below for other options.
 If the "Domain functional level:" is "Windows Server 2016" and "Enable rolling of expiring NTLM secrets during sign on, for users who are required to use Microsoft Passport or smart card for interactive sign on" is not checked, this is a finding.
 Active Directory domains with a domain functional level below Windows Server 2016:
 Verify the organization rotates the NT hash for smart card-enforced accounts every 60 days.
 This can be accomplished with the use of scripts.
 DoD PKI-PKE has provided a script under PKI and PKE Tools at http://iase.disa.mil/pki-pke/Pages/tools.aspx.  See the User Guide for additional information.
 NSA has also provided a PowerShell script with Pass-the-Hash guidance at https://github.com/iadgov/Pass-the-Hash-Guidance.  Running the "Invoke-SmartcardHashRefresh" cmdlet in the "PtHTools" module will trigger a change of the underlying NT hash.  See the site for additional information.
 Manually rolling the NT hash requires disabling and re-enabling the "Smart Card required for interactive logon" option for each smart card-enforced account, which is not practical for large groups of users.
 If NT hashes for smart card-enforced accounts are not rotated every 60 days, this is a finding.</RawString>
    </Rule>
    <Rule id="V-78131" severity="medium" conversionstatus="pass" title="AD.0017" dscresource="None">
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>If the domain functional level is not at least Windows 2012 R2, this is NA.
 Open "Windows PowerShell".
 Enter "Get-ADDomain | FL DomainMode" to determine the domain functional level.
 Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc").
 Compare membership of the Protected Users group to membership of the following groups. By default, the groups are under the node referenced; however, it is possible to move those under "Users" to another location.
 Enterprise Admins (Users node)
 Domain Admins (Users node)
 Schema Admins (Users node)
 Administrators (Builtin node)
 Account Operators (Builtin node)
 Backup Operators (Builtin node)
 It is recommended that one account be excluded to ensure availability if there are issues with Kerberos.
 Excluding the account left out for availability, if all user accounts from the local domain that are members of the domain level groups above are not also members of the Protected Users group, this is a finding. (User accounts is referring to accounts for personnel, not service accounts.)</RawString>
    </Rule>
  </ManualRule>
 </DISASTIG>
--- a/StigData/Processed/Windows-Defender-Antivirus-1.4.org.default.xml
+++ b/StigData/Processed/Windows-Defender-Antivirus-1.4.org.default.xml
@ -0,0 +1,23 @@
 <!--
    The organizational settings file is used to define the local organizations
    preferred setting within an allowed range of the STIG.
    Each setting in this file is linked by STIG ID and the valid range is in an
    associated comment.
 -->
 <OrganizationalSettings version="1.4">
  <!-- Ensure 'V-75237' -ge '0x0' -and 'V-75237' -le '0x7'-->
  <OrganizationalSetting id="V-75237" value="0x7" />
  <!-- Ensure 'V-75241' -ge '1' -and 'V-75241' -le '7'-->
  <OrganizationalSetting id="V-75241" value="7" />
  <!-- Ensure 'V-75243' -ge '1' -and 'V-75243' -le '7'-->
  <OrganizationalSetting id="V-75243" value="7" />
  <!-- Ensure 'V-75247' -match '2|3'-->
  <OrganizationalSetting id="V-75247" value="3" />
  <!-- Ensure 'V-79965' -match '2|3'-->
  <OrganizationalSetting id="V-79965" value="3" />
  <!-- Ensure 'V-79967' -match '2|3'-->
  <OrganizationalSetting id="V-79967" value="3" />
  <!-- Ensure 'V-79971' -match '2|3'-->
  <OrganizationalSetting id="V-79971" value="3" />
 </OrganizationalSettings>
--- a/StigData/Processed/Windows-Defender-Antivirus-1.4.xml
+++ b/StigData/Processed/Windows-Defender-Antivirus-1.4.xml
@ -0,0 +1,776 @@
 <DISASTIG id="Windows_Defender_Antivirus" version="1.4" created="1/8/2019">
  <RegistryRule dscresourcemodule="xPSDesiredStateConfiguration">
    <Rule id="V-75147" severity="high" conversionstatus="pass" title="SRG-APP-000279" dscresource="xRegistry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\MpEngine</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for Computer Configuration -&gt; Administrative Templates -&gt; MS Security Guide -&gt; "Turn on Windows Defender protection against Potentially Unwanted Applications" is set to "Enabled".
 Procedure: Use the Windows Registry Editor to navigate to the following key: 
 HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine
 Criteria: If the value "MpEnablePus" is REG_DWORD = 1, this is not a finding.</RawString>
      <ValueData>1</ValueData>
      <ValueName>MpEnablePus</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-75151" severity="medium" conversionstatus="pass" title="SRG-APP-000279" dscresource="xRegistry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Windows Components -&gt; Windows Defender Antivirus -&gt; "Turn off routine remediation" is set to "Disabled" or "Not Configured".
 Procedure: Use the Windows Registry Editor to navigate to the following key: 
 HKLM\Software\Policies\Microsoft\Windows Defender
 Criteria: If the value "DisableRoutinelyTakingAction" is REG_DWORD = 0, this is not a finding.
 If the value does not exist, this is not a finding.
 If the value is 1, this is a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>DisableRoutinelyTakingAction</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-75153" severity="high" conversionstatus="pass" title="SRG-APP-000278" dscresource="xRegistry">
      <Ensure>Absent</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Windows Components -&gt; Windows Defender Antivirus -&gt; "Turn off Windows Defender Antivirus" is set to “Not Configured”.
 Procedure: Use the Windows Registry Editor to navigate to the following key: 
 HKLM\Software\Policies\Microsoft\Windows Defender
 Criteria: If the value "DisableAntiSpyware" does not exist, this is not a finding.</RawString>
      <ValueData>
      </ValueData>
      <ValueName>DisableAntiSpyware</ValueName>
      <ValueType />
    </Rule>
    <Rule id="V-75155" severity="medium" conversionstatus="pass" title="SRG-APP-000278" dscresource="xRegistry">
      <Ensure>Absent</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Exclusions</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Windows Components -&gt; Windows Defender Antivirus -&gt; Exclusions -&gt; "Path Exclusions" is set to "Disabled" or "Not Configured.
 Procedure: Use the Windows Registry Editor to navigate to the following key: 
 HKLM\Software\Policies\Microsoft\Windows Defender\Exclusions
 Criteria: If the value "Exclusions_Paths" does not exist, this is not a finding.</RawString>
      <ValueData>
      </ValueData>
      <ValueName>Exclusions_Paths</ValueName>
      <ValueType />
    </Rule>
    <Rule id="V-75157" severity="medium" conversionstatus="pass" title="SRG-APP-000278" dscresource="xRegistry">
      <Ensure>Absent</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Exclusions</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Windows Components -&gt; Windows Defender Antivirus -&gt; Exclusions -&gt; "Process Exclusions" is set to "Disabled" or "Not Configured".
 Procedure: Use the Windows Registry Editor to navigate to the following key: 
 HKLM\Software\Policies\Microsoft\Windows Defender\Exclusions
 Criteria: If the value "Exclusions_Processes" does not exist, this is not a finding.</RawString>
      <ValueData>
      </ValueData>
      <ValueName>Exclusions_Processes</ValueName>
      <ValueType />
    </Rule>
    <Rule id="V-75159" severity="medium" conversionstatus="pass" title="SRG-APP-000278" dscresource="xRegistry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Exclusions</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Windows Components -&gt; Windows Defender Antivirus -&gt; Exclusions -&gt; "Turn off Auto Exclusions" is set to "Disabled".
 Procedure: Use the Windows Registry Editor to navigate to the following key: 
 HKLM\Software\Policies\Microsoft\Windows Defender\Exclusions
 Criteria: If the value "DisableAutoExclusions" is REG_DWORD = 0, this is not a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>DisableAutoExclusions</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-75161" severity="medium" conversionstatus="pass" title="SRG-APP-000210" dscresource="xRegistry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>This is applicable to unclassified systems, for other systems this is NA.
 Verify the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Windows Components -&gt; Windows Defender Antivirus -&gt; MAPS -&gt; "Configure local setting override for reporting to Microsoft MAPS" is set to "Disabled" or "Not Configured".
 Procedure: Use the Windows Registry Editor to navigate to the following key: 
 HKLM\Software\Policies\Microsoft\Windows Defender\Spynet
 Criteria: If the value "LocalSettingOverrideSpynetReporting" is REG_DWORD = 0, this is not a finding.
 If the value does not exist, this is not a finding.
 If the value is 1, this is a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>LocalSettingOverrideSpynetReporting</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-75163" severity="medium" conversionstatus="pass" title="SRG-APP-000278" dscresource="xRegistry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>This is applicable to unclassified systems, for other systems this is NA.
 Verify the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Windows Components -&gt; Windows Defender Antivirus -&gt; MAPS -&gt; "Configure the 'Block at First Sight' feature" is set to "Enabled".
 Procedure: Use the Windows Registry Editor to navigate to the following key: 
 HKLM\Software\Policies\Microsoft\Windows Defender\Spynet
 Criteria: If the value "DisableBlockAtFirstSeen" is REG_DWORD = 0, this is not a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>DisableBlockAtFirstSeen</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-75167" severity="medium" conversionstatus="pass" title="SRG-APP-000210" dscresource="xRegistry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>This is applicable to unclassified systems, for other systems this is NA.
 Verify the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Windows Components -&gt; Windows Defender Antivirus -&gt; MAPS -&gt; "Join Microsoft MAPS" is set to "Enabled" and "Advanced MAPS" selected from the drop down box.
 Procedure: Use the Windows Registry Editor to navigate to the following key: 
 HKLM\Software\Policies\Microsoft\Windows Defender\Spynet
 Criteria: If the value "SpynetReporting" is REG_DWORD = 2, this is not a finding.</RawString>
      <ValueData>2</ValueData>
      <ValueName>SpynetReporting</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-75207" severity="medium" conversionstatus="pass" title="SRG-APP-000210" dscresource="xRegistry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>This is applicable to unclassified systems, for other systems this is NA.
 Verify the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Windows Components -&gt; Windows Defender Antivirus -&gt; MAPS -&gt; "Send file samples when further analysis is required" is set to "Enabled" and "Send safe samples" selected from the drop down box.
 Procedure: Use the Windows Registry Editor to navigate to the following key: 
 HKLM\Software\Policies\Microsoft\Windows Defender\Spynet
 Criteria: If the value "SubmitSamplesConsent" is REG_DWORD = 1, this is not a finding.</RawString>
      <ValueData>1</ValueData>
      <ValueName>SubmitSamplesConsent</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-75209" severity="medium" conversionstatus="pass" title="SRG-APP-000278" dscresource="xRegistry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\NIS</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Windows Components -&gt; Windows Defender Antivirus -&gt; Network Inspection System -&gt; "Turn on protocol recognition" is set to "Enabled" or "Not Configured".
 Procedure: Use the Windows Registry Editor to navigate to the following key:
 HKLM\Software\Policies\Microsoft\Windows Defender\NIS
 Criteria: If the value "DisableProtocolRecognition" is REG_DWORD = 0, this is not a finding.
 If the value does not exist, this is not a finding.
 If the value is 1, this is a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>DisableProtocolRecognition</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-75211" severity="medium" conversionstatus="pass" title="SRG-APP-000112" dscresource="xRegistry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Windows Components -&gt; Windows Defender Antivirus -&gt; Real-time Protection -&gt; "Configure local setting override for monitoring file and program activity on your computer" is set to "Disabled" or "Not Configured".
 Procedure: Use the Windows Registry Editor to navigate to the following key: 
 HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection
 Criteria: If the value "LocalSettingOverrideDisableOnAccessProtection" is REG_DWORD = 0, this is not a finding.
 If the value does not exist, this is not a finding.
 If the value is 1, this is a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>LocalSettingOverrideDisableOnAccessProtection</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-75213" severity="medium" conversionstatus="pass" title="SRG-APP-000112" dscresource="xRegistry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Windows Components -&gt; Windows Defender Antivirus -&gt; Real-time Protection -&gt; "Configure local setting override for monitoring for incoming and outgoing file activity" is set to "Disabled" or "Not Configure".
 Procedure: Use the Windows Registry Editor to navigate to the following key: 
 HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection
 Criteria: If the value "LocalSettingOverrideRealtimeScanDirection" is REG_DWORD = 0, this is not a finding.
 If the value does not exist, this is not a finding.
 If the value is 1, this is a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>LocalSettingOverrideRealtimeScanDirection</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-75215" severity="medium" conversionstatus="pass" title="SRG-APP-000209" dscresource="xRegistry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Windows Components -&gt; Windows Defender Antivirus -&gt; Real-time Protection -&gt; "Configure local setting override for scanning all downloaded files and attachments" is set to "Disabled" or "Not Configured".
 Procedure: Use the Windows Registry Editor to navigate to the following key: 
 HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection
 Criteria: If the value "LocalSettingOverrideDisableIOAVProtection" is REG_DWORD = 0, this is not a finding.
 If the value does not exist, this is not a finding.
 If the value is 1, this is a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>LocalSettingOverrideDisableIOAVProtection</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-75217" severity="medium" conversionstatus="pass" title="SRG-APP-000210" dscresource="xRegistry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Windows Components -&gt; Windows Defender Antivirus -&gt; Real-time Protection -&gt; "Configure local setting override for turn on behavior monitoring" is set to "Disabled" or "Not Configure".
 Procedure: Use the Windows Registry Editor to navigate to the following key: 
 HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection
 Criteria: If the value "LocalSettingOverrideDisableBehaviorMonitoring" is REG_DWORD = 0, this is not a finding.
 If the value does not exist, this is not a finding.
 If the value is 1, this is a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>LocalSettingOverrideDisableBehaviorMonitoring</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-75219" severity="medium" conversionstatus="pass" title="SRG-APP-000278" dscresource="xRegistry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Windows Components -&gt; Windows Defender Antivirus -&gt; Real-time Protection -&gt; "Configure local setting override to turn on real-time protection" is set to "Disabled" or "Not Configured".
 Procedure: Use the Windows Registry Editor to navigate to the following key: 
 HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection
 Criteria: If the value "LocalSettingOverrideDisableRealtimeMonitoring" is REG_DWORD = 0, this is not a finding.
 If the value does not exist, this is not a finding.
 If the value is 1, this is a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>LocalSettingOverrideDisableRealtimeMonitoring</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-75221" severity="medium" conversionstatus="pass" title="SRG-APP-000278" dscresource="xRegistry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Windows Components -&gt; Windows Defender Antivirus -&gt; Real-time Protection -&gt; "Configure monitoring for incoming and outgoing file and program activity" is set to "Disabled" or "Not Configured".
 Procedure: Use the Windows Registry Editor to navigate to the following key: 
 HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection
 Criteria: If the value "RealtimeScanDirection" is REG_DWORD = 0, this is not a finding.
 If the value does not exist, this is not a finding.
 If the value is 1 or 2, this is a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>RealtimeScanDirection</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-75223" severity="medium" conversionstatus="pass" title="SRG-APP-000278" dscresource="xRegistry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Windows Components -&gt; Windows Defender Antivirus -&gt; Real-time Protection -&gt; "Monitor file and program activity on your computer to be scanned" is set to "Enabled" or "Not Configured".
 Procedure: Use the Windows Registry Editor to navigate to the following key: 
 HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection
 Criteria: If the value "DisableOnAccessProtection" is REG_DWORD = 0, this is not a finding.
 If the value does not exist, this is not a finding.
 If the value is 1, this is a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>DisableOnAccessProtection</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-75225" severity="medium" conversionstatus="pass" title="SRG-APP-000209" dscresource="xRegistry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Windows Components -&gt; Windows Defender Antivirus -&gt; Real-time Protection -&gt; "Scan all downloaded files and attachments" is set to "Enabled" or "Not Configured".
 Procedure: Use the Windows Registry Editor to navigate to the following key: 
 HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection
 Criteria: If the value "DisableIOAVProtection" is REG_DWORD = 0, this is not a finding.
 If the value does not exist, this is not a finding.
 If the value is 1, this is a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>DisableIOAVProtection</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-75227" severity="medium" conversionstatus="pass" title="SRG-APP-000278" dscresource="xRegistry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Windows Components -&gt; Windows Defender Antivirus -&gt; Real-time Protection -&gt; "Turn off real-time protection" is set to "Disabled" or "Not Configured".
 Procedure: Use the Windows Registry Editor to navigate to the following key: 
 HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection
 Criteria: If the value "DisableRealtimeMonitoring" is REG_DWORD = 0, this is not a finding.
 If the value does not exist, this is not a finding.
 If the value is 1, this is a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>DisableRealtimeMonitoring</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-75229" severity="medium" conversionstatus="pass" title="SRG-APP-000210" dscresource="xRegistry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Windows Components -&gt; Windows Defender Antivirus -&gt; Real-time Protection -&gt; "Turn on behavior monitoring" is set to "Enabled" or "Not Configured".
 Procedure: Use the Windows Registry Editor to navigate to the following key: 
 HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection
 Criteria: If the value "DisableBehaviorMonitoring" is REG_DWORD = 0, this is not a finding.
 If the value does not exist, this is not a finding.
 If the value is 1, this is a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>DisableBehaviorMonitoring</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-75231" severity="medium" conversionstatus="pass" title="SRG-APP-000278" dscresource="xRegistry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Windows Components -&gt; Windows Defender Antivirus -&gt; Real-time Protection -&gt; "Turn on process scanning whenever real-time protection is enabled" is set to "Enabled" or "Not Configured".
 Procedure: Use the Windows Registry Editor to navigate to the following key: 
 HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection
 Criteria: If the value "DisableScanOnRealtimeEnable" is REG_DWORD = 0, this is not a finding.
 If the value does not exist, this is not a finding.
 If the value is 1, this is a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>DisableScanOnRealtimeEnable</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-75233" severity="medium" conversionstatus="pass" title="SRG-APP-000278" dscresource="xRegistry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Scan</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Windows Components -&gt; Windows Defender Antivirus -&gt; Scan -&gt; "Scan archive files" is set to "Enabled" or "Not Configured".
 Procedure: Use the Windows Registry Editor to navigate to the following key: 
 HKLM\Software\Policies\Microsoft\Windows Defender\Scan
 Criteria: If the value "DisableArchiveScanning" is REG_DWORD = 0, this is not a finding.
 If the value does not exist, this is not a finding.
 If the value is 1, this is a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>DisableArchiveScanning</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-75235" severity="medium" conversionstatus="pass" title="SRG-APP-000073" dscresource="xRegistry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Scan</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Windows Components -&gt; Windows Defender Antivirus -&gt; Scan -&gt; "Scan removable drives" is set to "Enabled".
 Procedure: Use the Windows Registry Editor to navigate to the following key: 
 HKLM\Software\Policies\Microsoft\Windows Defender\Scan
 Criteria: If the value "DisableRemovableDriveScanning" is REG_DWORD = 0, this is not a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>DisableRemovableDriveScanning</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-75237" severity="medium" conversionstatus="pass" title="SRG-APP-000277" dscresource="xRegistry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Scan</Key>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>{0} -ge '0x0' -and {0} -le '0x7'</OrganizationValueTestString>
      <RawString>Verify the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Windows Components -&gt; Windows Defender Antivirus -&gt; Scan -&gt; "Specify the day of the week to run a scheduled scan" is set to "Enabled" and anything other than "Never" selected in the drop down box.
 Procedure: Use the Windows Registry Editor to navigate to the following key: 
 HKLM\Software\Policies\Microsoft\Windows Defender\Scan
 Criteria: If the value "ScheduleDay" is REG_DWORD = 0x8, this is a finding.
 Values of 0x0 through 0x7 are acceptable and not a finding.</RawString>
      <ValueData />
      <ValueName>ScheduleDay</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-75239" severity="medium" conversionstatus="pass" title="SRG-APP-000210" dscresource="xRegistry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Scan</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Windows Components -&gt; Windows Defender Antivirus -&gt; Scan -&gt; "Turn on e-mail scanning" is set to "Enabled".
 Procedure: Use the Windows Registry Editor to navigate to the following key: 
 HKLM\Software\Policies\Microsoft\Windows Defender\Scan
 Criteria: If the value "DisableEmailScanning" is REG_DWORD = 0, this is not a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>DisableEmailScanning</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-75241" severity="high" conversionstatus="pass" title="SRG-APP-000276" dscresource="xRegistry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Signature Updates</Key>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>{0} -ge '1' -and {0} -le '7'</OrganizationValueTestString>
      <RawString>Verify the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Windows Components -&gt; Windows Defender Antivirus -&gt; Signature Updates -&gt; "Define the number of days before spyware definitions are considered out of date" is set to "Enabled" and "7"or less selected in the drop down box (excluding "0", which is unacceptable).
 Procedure: Use the Windows Registry Editor to navigate to the following key: 
 HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates
 Criteria: If the value "ASSignatureDue" is REG_DWORD = 7, this is not a finding.
 A value of 1 - 6 is also acceptable and not a finding.
 A value of 0 is a finding.
 A value higher than 7 is a finding.</RawString>
      <ValueData />
      <ValueName>ASSignatureDue</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-75243" severity="high" conversionstatus="pass" title="SRG-APP-000276" dscresource="xRegistry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Signature Updates</Key>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>{0} -ge '1' -and {0} -le '7'</OrganizationValueTestString>
      <RawString>Verify the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Windows Components -&gt; Windows Defender Antivirus -&gt; Signature Updates -&gt; "Define the number of days before virus definitions are considered out of date" is set to "Enabled" and "7" or less selected in the drop down box (excluding "0", which is unacceptable).
 Procedure: Use the Windows Registry Editor to navigate to the following key: 
 HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates
 Criteria: If the value "AVSignatureDue" is REG_DWORD = 7, this is not a finding.
 A value of 1 - 6 is also acceptable and not a finding.
 A value of 0 is a finding.
 A value higher than 7 is a finding.</RawString>
      <ValueData />
      <ValueName>AVSignatureDue</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-75245" severity="medium" conversionstatus="pass" title="SRG-APP-000261" dscresource="xRegistry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Signature Update</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Windows Components -&gt; Windows Defender Antivirus -&gt; Signature Updates -&gt; "Specify the day of the week to check for definition updates" is set to "Enabled" and "Every Day" is selected in the drop down box.
 Procedure: Use the Windows Registry Editor to navigate to the following key: 
 HKLM\Software\Policies\Microsoft\Windows Defender\Signature Update
 Criteria: If the value "ScheduleDay" is REG_DWORD = 0, this is not a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>ScheduleDay</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-75247" severity="medium" conversionstatus="pass" title="SRG-APP-000207" dscresource="xRegistry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction</Key>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>{0} -match '2|3'</OrganizationValueTestString>
      <RawString>Verify the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Windows Components -&gt; Windows Defender Antivirus -&gt; Threats -&gt; "Specify threat alert levels at which default action should not be taken when detected" is set to "Enabled".  Click the “Show…” box option and verify the ‘Value name’ field contains a value of “5” and the ‘Value’ field  contains a “2".  A value of “3” in the ‘Value’ field is more restrictive and also an acceptable value.
 Procedure: Use the Windows Registry Editor to navigate to the following key: 
 HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction
 Criteria: If the value "5" is REG_SZ = 2 (or 3), this is not a finding.
 </RawString>
      <ValueData />
      <ValueName>5</ValueName>
      <ValueType>String</ValueType>
    </Rule>
    <Rule id="V-77965" severity="medium" conversionstatus="pass" title="SRG-APP-000210" dscresource="xRegistry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>This setting is applicable starting with v1709 of Windows 10, it is NA for prior versions.
 Verify the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Windows Components -&gt; Windows Defender Antivirus -&gt; Windows Defender Exploit Guard -&gt; Attack Surface Reduction -&gt; "Configure Attack Surface Reduction rules" is set to "Enabled”.  Click ‘Show...’.  Verify the rule ID in the Value name column and the desired state in the Value column is set as follows:
 Value name: BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
 Value:  1
 Procedure: Use the Windows Registry Editor to navigate to the following key: 
 HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
 Criteria: If the value “BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550” is REG_SZ = 1, this is not a finding.</RawString>
      <ValueData>1</ValueData>
      <ValueName>BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550</ValueName>
      <ValueType>String</ValueType>
    </Rule>
    <Rule id="V-77967" severity="medium" conversionstatus="pass" title="SRG-APP-000210" dscresource="xRegistry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>This setting is applicable starting with v1709 of Windows 10, it is NA for prior versions.
 Verify the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Windows Components -&gt; Windows Defender Antivirus -&gt; Windows Defender Exploit Guard -&gt; Attack Surface Reduction -&gt; "Configure Attack Surface Reduction rules" is set to "Enabled”.  Click ‘Show...’.  Verify the rule ID in the Value name column and the desired state in the Value column is set as follows:
 Value name: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
 Value:  1
 Procedure: Use the Windows Registry Editor to navigate to the following key: 
 HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
 Criteria: If the value “D4F940AB-401B-4EFC-AADC-AD5F3C50688A” is REG_SZ = 1, this is not a finding.</RawString>
      <ValueData>1</ValueData>
      <ValueName>D4F940AB-401B-4EFC-AADC-AD5F3C50688A</ValueName>
      <ValueType>String</ValueType>
    </Rule>
    <Rule id="V-77969" severity="medium" conversionstatus="pass" title="SRG-APP-000210" dscresource="xRegistry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>This setting is applicable starting with v1709 of Windows 10, it is NA for prior versions.
 Verify the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Windows Components -&gt; Windows Defender Antivirus -&gt; Windows Defender Exploit Guard -&gt; Attack Surface Reduction -&gt; "Configure Attack Surface Reduction rules" is set to "Enabled”.  Click ‘Show...’.  Verify the rule ID in the Value name column and the desired state in the Value column is set as follows:
 Value name: 3B576869-A4EC-4529-8536-B80A7769E899
 Value:  1
 Procedure: Use the Windows Registry Editor to navigate to the following key: 
 HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
 Criteria: If the value “3B576869-A4EC-4529-8536-B80A7769E899” is REG_SZ = 1, this is not a finding.</RawString>
      <ValueData>1</ValueData>
      <ValueName>3B576869-A4EC-4529-8536-B80A7769E899</ValueName>
      <ValueType>String</ValueType>
    </Rule>
    <Rule id="V-77971" severity="medium" conversionstatus="pass" title="SRG-APP-000210" dscresource="xRegistry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>This setting is applicable starting with v1709 of Windows 10, it is NA for prior versions.
 Verify the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Windows Components -&gt; Windows Defender Antivirus -&gt; Windows Defender Exploit Guard -&gt; Attack Surface Reduction -&gt; "Configure Attack Surface Reduction rules" is set to "Enabled”.  Click ‘Show...’.  Verify the rule ID in the Value name column and the desired state in the Value column is set as follows:
 Value name: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
 Value:  1
 Procedure: Use the Windows Registry Editor to navigate to the following key: 
 HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
 Criteria: If the value “75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84” is REG_SZ = 1, this is not a finding.</RawString>
      <ValueData>1</ValueData>
      <ValueName>75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84</ValueName>
      <ValueType>String</ValueType>
    </Rule>
    <Rule id="V-77973" severity="medium" conversionstatus="pass" title="SRG-APP-000210" dscresource="xRegistry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>This setting is applicable starting with v1709 of Windows 10, it is NA for prior versions.
 Verify the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Windows Components -&gt; Windows Defender Antivirus -&gt; Windows Defender Exploit Guard -&gt; Attack Surface Reduction -&gt; "Configure Attack Surface Reduction rules" is set to "Enabled”.  Click ‘Show...’.  Verify the rule ID in the Value name column and the desired state in the Value column is set as follows:
 Value name: D3E037E1-3EB8-44C8-A917-57927947596D 
 Value:  1
 Procedure: Use the Windows Registry Editor to navigate to the following key: 
 HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
 Criteria: If the value “D3E037E1-3EB8-44C8-A917-57927947596D” is REG_SZ = 1, this is not a finding.</RawString>
      <ValueData>1</ValueData>
      <ValueName>D3E037E1-3EB8-44C8-A917-57927947596D</ValueName>
      <ValueType>String</ValueType>
    </Rule>
    <Rule id="V-77975" severity="medium" conversionstatus="pass" title="SRG-APP-000210" dscresource="xRegistry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>This setting is applicable starting with v1709 of Windows 10, it is NA for prior versions.
 Verify the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Windows Components -&gt; Windows Defender Antivirus -&gt; Windows Defender Exploit Guard -&gt; Attack Surface Reduction -&gt; "Configure Attack Surface Reduction rules" is set to "Enabled”.  Click ‘Show...’.  Verify the rule ID in the Value name column and the desired state in the Value column is set as follows:
 Value name: 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
 Value:  1
 Procedure: Use the Windows Registry Editor to navigate to the following key: 
 HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
 Criteria: If the value “5BEB7EFE-FD9A-4556-801D-275E5FFC04CC” is REG_SZ = 1, this is not a finding.</RawString>
      <ValueData>1</ValueData>
      <ValueName>5BEB7EFE-FD9A-4556-801D-275E5FFC04CC</ValueName>
      <ValueType>String</ValueType>
    </Rule>
    <Rule id="V-77977" severity="medium" conversionstatus="pass" title="SRG-APP-000210" dscresource="xRegistry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>This setting is applicable starting with v1709 of Windows 10, it is NA for prior versions.
 Verify the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Windows Components -&gt; Windows Defender Antivirus -&gt; Windows Defender Exploit Guard -&gt; Attack Surface Reduction -&gt; "Configure Attack Surface Reduction rules" is set to "Enabled”.  Click ‘Show...’.  Verify the rule ID in the Value name column and the desired state in the Value column is set as follows:
 Value name: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
 Value:  1
 Procedure: Use the Windows Registry Editor to navigate to the following key: 
 HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
 Criteria: If the value “92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B” is REG_SZ = 1, this is not a finding.</RawString>
      <ValueData>1</ValueData>
      <ValueName>92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B</ValueName>
      <ValueType>String</ValueType>
    </Rule>
    <Rule id="V-77979" severity="medium" conversionstatus="pass" title="SRG-APP-000210" dscresource="xRegistry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>This setting is applicable starting with v1709 of Windows 10, it is NA for prior versions.
 Verify the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Windows Components -&gt; Windows Defender Antivirus -&gt; Windows Defender Exploit Guard -&gt; Network Protection -&gt; "Prevent users and apps from accessing dangerous websites" is set to "Enabled” and “Block" selected in the drop down box.
 Procedure: Use the Windows Registry Editor to navigate to the following key: 
 HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection
 Criteria: If the value "EnableNetworkProtection" is REG_DWORD = 1, this is not a finding.</RawString>
      <ValueData>1</ValueData>
      <ValueName>EnableNetworkProtection</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-79965" severity="medium" conversionstatus="pass" title="SRG-APP-000207" dscresource="xRegistry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction</Key>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>{0} -match '2|3'</OrganizationValueTestString>
      <RawString>Verify the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Windows Components -&gt; Windows Defender Antivirus -&gt; Threats -&gt; "Specify threat alert levels at which default action should not be taken when detected" is set to "Enabled".  Click the “Show…” box option and verify the ‘Value name’ field contains a value of “4” and the ‘Value’ field  contains a “2".  A value of “3” in the ‘Value’ field is more restrictive and also an acceptable value.
 Procedure: Use the Windows Registry Editor to navigate to the following key: 
 HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction
 Criteria: If the value "4" is REG_SZ = 2 (or 3), this is not a finding. </RawString>
      <ValueData />
      <ValueName>4</ValueName>
      <ValueType>String</ValueType>
    </Rule>
    <Rule id="V-79967" severity="medium" conversionstatus="pass" title="SRG-APP-000207" dscresource="xRegistry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction</Key>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>{0} -match '2|3'</OrganizationValueTestString>
      <RawString>Verify the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Windows Components -&gt; Windows Defender Antivirus -&gt; Threats -&gt; "Specify threat alert levels at which default action should not be taken when detected" is set to "Enabled".  Click the “Show…” box option and verify the ‘Value name’ field contains a value of “2” and the ‘Value’ field  contains a “2".  A value of “3” in the ‘Value’ field is more restrictive and also an acceptable value.
 Procedure: Use the Windows Registry Editor to navigate to the following key: 
 HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction
 Criteria: If the value "2" is REG_SZ = 2 (or 3), this is not a finding.</RawString>
      <ValueData />
      <ValueName>2</ValueName>
      <ValueType>String</ValueType>
    </Rule>
    <Rule id="V-79971" severity="medium" conversionstatus="pass" title="SRG-APP-000207" dscresource="xRegistry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction</Key>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>{0} -match '2|3'</OrganizationValueTestString>
      <RawString>Verify the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Windows Components -&gt; Windows Defender Antivirus -&gt; Threats -&gt; "Specify threat alert levels at which default action should not be taken when detected" is set to "Enabled".  Click the “Show…” box option and verify the ‘Value name’ field contains a value of “1” and the ‘Value’ field  contains a “2".  A value of “3” in the ‘Value’ field is more restrictive and also an acceptable value.
 Procedure: Use the Windows Registry Editor to navigate to the following key: 
 HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction
 Criteria: If the value "1" is REG_SZ = 2 (or 3), this is not a finding.</RawString>
      <ValueData />
      <ValueName>1</ValueName>
      <ValueType>String</ValueType>
    </Rule>
  </RegistryRule>
 </DISASTIG>
--- a/StigData/Processed/WindowsClient-10-1.15.org.default.xml
+++ b/StigData/Processed/WindowsClient-10-1.15.org.default.xml
@ -5,9 +5,11 @@
    Each setting in this file is linked by STIG ID and the valid range is in an
    associated comment.
 -->
-<OrganizationalSettings version="1.15">
+<OrganizationalSettings fullversion="1.15">
  <!-- Ensure ''V-63329'' -match '0|ShouldBeAbsent'-->
  <OrganizationalSetting id="V-63329" value="0" />
  <!-- Ensure ''V-63405'' -ge '15' -or ''V-63405'' -eq '0'-->
-  <OrganizationalSetting id="V-63405" value="15" />
+  <OrganizationalSetting id="V-63405" value="0" />
  <!-- Ensure ''V-63409'' -le '3' -and ''V-63409'' -ne '0'-->
  <OrganizationalSetting id="V-63409" value="3" />
  <!-- Ensure ''V-63413'' -ge '15'-->
@ -15,33 +17,49 @@
  <!-- Ensure ''V-63415'' -ge '24'-->
  <OrganizationalSetting id="V-63415" value="24" />
  <!-- Ensure ''V-63419'' -le '60' -and ''V-63419'' -ne '0'-->
-  <OrganizationalSetting id="V-63419" value="60" />
+  <OrganizationalSetting id="V-63419" value="30" />
  <!-- Ensure ''V-63421'' -ge '1'-->
  <OrganizationalSetting id="V-63421" value="1" />
  <!-- Ensure ''V-63423'' -ge '14'-->
  <OrganizationalSetting id="V-63423" value="14" />
-  <!-- Ensure 'V-63519' -ge '32768'-->
+  <!-- Ensure ''V-63519'' -ge '32768'-->
  <OrganizationalSetting id="V-63519" value="32768" />
-  <!-- Ensure 'V-63523' -ge '1024000'-->
+  <!-- Ensure ''V-63523'' -ge '1024000'-->
  <OrganizationalSetting id="V-63523" value="1024000" />
-  <!-- Ensure 'V-63527' -ge '32768'-->
+  <!-- Ensure ''V-63527'' -ge '32768'-->
  <OrganizationalSetting id="V-63527" value="32768" />
-  <!-- Ensure 'V-63595.b' -match '1|3'-->
+  <!-- Ensure ''V-63581'' -match '1|ShouldBeAbsent'-->
  <OrganizationalSetting id="V-63581" value="1" />
  <!-- Ensure ''V-63595.b'' -match '1|3'-->
  <OrganizationalSetting id="V-63595.b" value="1" />
-  <!-- Ensure 'V-63603' -match '0x00000001|1|0x00000002|2'-->
+  <!-- Ensure ''V-63603'' -match '1|2'-->
  <OrganizationalSetting id="V-63603" value="1" />
  <!-- Ensure ''V-63607'' -match '1|3|8|ShouldBeAbsent'-->
  <OrganizationalSetting id="V-63607" value="1" />
  <!-- Ensure ''V-63619'' -ne 'Administrator'-->
-  <OrganizationalSetting id="V-63619" value="xAdministrator" />
+  <OrganizationalSetting id="V-63619" value="testadmin" />
  <!-- Ensure ''V-63625'' -ne 'Guest'-->
-  <OrganizationalSetting id="V-63625" value="xGuest" />
+  <OrganizationalSetting id="V-63625" value="testguest" />
-  <!-- Ensure 'V-63661' -le '30' -and 'V-63661' -gt '0'-->
+  <!-- Ensure ''V-63627'' -match '1|ShouldBeAbsent'-->
-  <OrganizationalSetting id="V-63661" value="30" />
+  <OrganizationalSetting id="V-63627" value="1" />
-  <!-- Ensure 'V-63669' -le '900' -and 'V-63669' -gt '0'-->
+  <!-- Ensure ''V-63661'' -le '30' -and ''V-63661'' -gt '0'-->
-  <OrganizationalSetting id="V-63669" value="900" />
+  <OrganizationalSetting id="V-63661" value="15" />
-  <!-- Ensure 'V-63687' -le '10'-->
+  <!-- Ensure ''V-63669'' -le '900' -and ''V-63669'' -gt '0'-->
  <OrganizationalSetting id="V-63669" value="450" />
  <!-- Ensure ''V-63687'' -le '10'-->
  <OrganizationalSetting id="V-63687" value="10" />
-  <!-- Ensure 'V-63697' -match '1|2'-->
+  <!-- Ensure ''V-63689'' -match '0|ShouldBeAbsent'-->
  <OrganizationalSetting id="V-63689" value="0" />
  <!-- Ensure ''V-63691'' -match '0|ShouldBeAbsent'-->
  <OrganizationalSetting id="V-63691" value="0" />
  <!-- Ensure ''V-63695'' -match '0|ShouldBeAbsent'-->
  <OrganizationalSetting id="V-63695" value="0" />
  <!-- Ensure ''V-63697'' -match '1|2'-->
  <OrganizationalSetting id="V-63697" value="1" />
-  <!-- Ensure 'V-63721' -ge '6'-->
+  <!-- Ensure ''V-63721'' -ge '6'-->
  <OrganizationalSetting id="V-63721" value="6" />
  <!-- Ensure ''V-63747'' -match '0|ShouldBeAbsent'-->
  <OrganizationalSetting id="V-63747" value="0" />
  <!-- Ensure ''V-63841'' -match '2|ShouldBeAbsent'-->
  <OrganizationalSetting id="V-63841" value="2" />
 </OrganizationalSettings>
--- a/StigData/Processed/WindowsClient-10-1.15.xml
+++ b/StigData/Processed/WindowsClient-10-1.15.xml
--- a/Tests/Integration/DSCResources/PowerStig
+++ b/Tests/Integration/DSCResources/PowerStig
@ -0,0 +1 @@
 Subproject commit 228afc21b7c72153f293a058719cfb30c36a259a
--- a/Tests/Integration/PowerStig.Integration.tests.ps1
+++ b/Tests/Integration/PowerStig.Integration.tests.ps1
@ -26,7 +26,7 @@ Describe "$moduleName module" {
            }
        }
-    It 'Should not have more commands than are tested' {
+        It 'Should not have more commands than are tested' {
            $compare = Compare-Object -ReferenceObject $commands -DifferenceObject $exportedCommands
            $compare.Count | Should Be 0
        }
--- a/Tests/Unit/Module/RegistryRule.tests.ps1
+++ b/Tests/Unit/Module/RegistryRule.tests.ps1
@ -1444,7 +1444,6 @@ try
            $hashtable = @{
                Select = '(?<=REG_Type)(\s*)?=.*(?=(,|\())'
            }
            It "Should return '$valueData' from '$checkContent'" {
                $result = Get-RegistryValueDataFromSLStig -CheckContent $checkContent -Hashtable $hashtable
                $result | Should Be $valueData
@ -1515,6 +1514,31 @@ try
                Test-SingleLineStigFormat -CheckContent $checkContent | Should Be $false
            }
        }
        Describe "Get-RegistryPatternLog" {
            Import-Module "$($PSScriptRoot).\..\..\..\PowerStig.Convert.psm1"
            $folderPath = Resolve-Path -Path "$($PSScriptRoot).\..\..\..\StigData\Archive\browser" -Relative
            $filePath = Resolve-Path -Path "$($PSScriptRoot).\..\..\..\StigData\Archive\browser\U_MS_IE11_STIG_V1R13_Manual-xccdf.xml" -Relative
            Context 'Path is directory' {
                It "Should return valid table with updated counts" {
                    $result = Get-RegistryPatternLog -Path $folderPath
                    $result.GetType() | Should -Be 'System.Object[]'
                }
            }
            Context 'Path is file' {
                It "Should return valid table with updated counts" {
                    $result = Get-RegistryPatternLog -Path $filePath
                    $result.GetType() | Should -Be 'System.Object[]'
                }
            }
            Context 'Path is null' {
                It "Should throw if path is null" {
                    { Get-RegistryPatternLog -Path $null } | Should -Throw "Cannot bind argument to parameter 'Path' because it is an empty string."
                }
            }
        }
        #endregion
        #region Data Tests
--- a/Tests/Unit/Module/SqlScriptQueryRule.tests.ps1
+++ b/Tests/Unit/Module/SqlScriptQueryRule.tests.ps1
@ -8,10 +8,10 @@ try
    InModuleScope -ModuleName "$($script:moduleName).Convert" {
        #region Test Setup
        $sqlScriptQueryRule = @{
-            Trace = @{
+            Trace      = @{
-                GetScript = "BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE cursorTrace DEALLOCATE cursorTrace SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL END"
+                GetScript    = "BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE cursorTrace DEALLOCATE cursorTrace SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL END"
-                TestScript = "BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE cursorTrace DEALLOCATE cursorTrace SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL END"
+                TestScript   = "BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) CREATE TABLE #Trace (TraceId INT) CREATE TABLE #TraceEvent (TraceId INT, EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @traceId INT FETCH NEXT FROM cursorTrace INTO @traceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @traceId, EventId FROM sys.fn_trace_geteventinfo(@traceId) FETCH NEXT FROM cursorTrace INTO @TraceId END CLOSE cursorTrace DEALLOCATE cursorTrace SELECT * FROM #StigEvent SELECT SE.EventId AS NotFound FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL END"
-                SetScript = "BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) CREATE TABLE #Trace (TraceId INT) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0)ORDER BY TraceId DESC CREATE TABLE #TraceEvent (TraceId INT, EventId INT) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @currentTraceId INT FETCH NEXT FROM cursorTrace INTO @currentTraceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @currentTraceId, EventId FROM sys.fn_trace_geteventinfo(@currentTraceId) FETCH NEXT FROM cursorTrace INTO @currentTraceId END CLOSE cursorTrace DEALLOCATE cursorTrace DECLARE @missingStigEventCount INT SET @missingStigEventCount = (SELECT COUNT(*) FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL) IF @missingStigEventCount > 0 BEGIN DECLARE @returnCode INT DECLARE @newTraceId INT DECLARE @maxFileSize BIGINT = 5 EXEC @returnCode = sp_trace_create @traceid = @newTraceId OUTPUT, @options = 2, @tracefile = N'C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Log\PowerStig', @maxfilesize = @maxFileSize, @stoptime = NULL, @filecount = 2; IF @returnCode = 0 BEGIN EXEC sp_trace_setstatus @traceid = @newTraceId, @status = 0 DECLARE cursorMissingStigEvent CURSOR FOR SELECT DISTINCT SE.EventId FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL OPEN cursorMissingStigEvent DECLARE @currentStigEventId INT FETCH NEXT FROM cursorMissingStigEvent INTO @currentStigEventId WHILE @@FETCH_STATUS = 0 BEGIN EXEC sp_trace_setevent @traceid = @newTraceId, @eventid = @currentStigEventId, @columnid = NULL, @on = 1 FETCH NEXT FROM cursorMissingStigEvent INTO @currentStigEventId END CLOSE cursorMissingStigEvent DEALLOCATE cursorMissingStigEvent EXEC sp_trace_setstatus @traceid = @newTraceId, @status = 1 END END END"
+                SetScript    = "BEGIN IF OBJECT_ID('TempDB.dbo.#StigEvent') IS NOT NULL BEGIN DROP TABLE #StigEvent END IF OBJECT_ID('TempDB.dbo.#Trace') IS NOT NULL BEGIN DROP TABLE #Trace END IF OBJECT_ID('TempDB.dbo.#TraceEvent') IS NOT NULL BEGIN DROP TABLE #TraceEvent END CREATE TABLE #StigEvent (EventId INT) INSERT INTO #StigEvent (EventId) VALUES (14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178) CREATE TABLE #Trace (TraceId INT) INSERT INTO #Trace (TraceId) SELECT DISTINCT TraceId FROM sys.fn_trace_getinfo(0)ORDER BY TraceId DESC CREATE TABLE #TraceEvent (TraceId INT, EventId INT) DECLARE cursorTrace CURSOR FOR SELECT TraceId FROM #Trace OPEN cursorTrace DECLARE @currentTraceId INT FETCH NEXT FROM cursorTrace INTO @currentTraceId WHILE @@FETCH_STATUS = 0 BEGIN INSERT INTO #TraceEvent (TraceId, EventId) SELECT DISTINCT @currentTraceId, EventId FROM sys.fn_trace_geteventinfo(@currentTraceId) FETCH NEXT FROM cursorTrace INTO @currentTraceId END CLOSE cursorTrace DEALLOCATE cursorTrace DECLARE @missingStigEventCount INT SET @missingStigEventCount = (SELECT COUNT(*) FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL) IF @missingStigEventCount > 0 BEGIN DECLARE @returnCode INT DECLARE @newTraceId INT DECLARE @maxFileSize BIGINT = 5 EXEC @returnCode = sp_trace_create @traceid = @newTraceId OUTPUT, @options = 2, @tracefile = N'C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Log\PowerStig', @maxfilesize = @maxFileSize, @stoptime = NULL, @filecount = 2; IF @returnCode = 0 BEGIN EXEC sp_trace_setstatus @traceid = @newTraceId, @status = 0 DECLARE cursorMissingStigEvent CURSOR FOR SELECT DISTINCT SE.EventId FROM #StigEvent SE LEFT JOIN #TraceEvent TE ON SE.EventId = TE.EventId WHERE TE.EventId IS NULL OPEN cursorMissingStigEvent DECLARE @currentStigEventId INT FETCH NEXT FROM cursorMissingStigEvent INTO @currentStigEventId WHILE @@FETCH_STATUS = 0 BEGIN EXEC sp_trace_setevent @traceid = @newTraceId, @eventid = @currentStigEventId, @columnid = NULL, @on = 1 FETCH NEXT FROM cursorMissingStigEvent INTO @currentStigEventId END CLOSE cursorMissingStigEvent DEALLOCATE cursorMissingStigEvent EXEC sp_trace_setstatus @traceid = @newTraceId, @status = 1 END END END"
                CheckContent = 'Check to see that all required events are being audited.
                From the query prompt:
                SELECT DISTINCT traceid FROM sys.fn_trace_getinfo(0);
@ -42,8 +42,8 @@ try
                the aggregate of all such requirements.
                6. Microsoft has flagged the trace techniques and tools used in this Check and Fix as deprecated.  They will be removed at some point after SQL Server 2014.  The replacement feature is `
                Extended Events.  If Extended Events are in use, and cover all the required audit events listed above, this is not a finding.'
-                FixText = 'This will not be used for this type of rule.'
+                FixText      = 'This will not be used for this type of rule.'
-                EventId = '(14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178)'
+                EventId      = '(14),(15),(18),(20),(102),(103),(104),(105),(106),(107),(108),(109),(110),(111),(112),(113),(115),(116),(117),(118),(128),(129),(130),(131),(132),(133),(134),(135),(152),(153),(170),(171),(172),(173),(175),(176),(177),(178)'
            }
            Permission = @{
                GetScript = "SELECT who.name AS [Principal Name], who.type_desc AS [Principal Type], who.is_disabled AS [Principal Is Disabled], what.state_desc AS [Permission State], what.permission_name AS [Permission Name] FROM sys.server_permissions what INNER JOIN sys.server_principals who ON who.principal_id = what.grantee_principal_id WHERE what.permission_name = 'Alter any endpoint' AND    who.name NOT LIKE '##MS%##' AND    who.type_desc <> 'SERVER_ROLE' ORDER BY who.name;"
@ -122,10 +122,10 @@ try
                REVOKE ALTER ANY ENDPOINT TO <'account name'>
                GO"
            }
-            SysAdminAccount = @{
+            SysAdminAccount    = @{
-                GetScript = "USE [master] SELECT name, is_disabled FROM sys.sql_logins WHERE principal_id = 1 AND is_disabled <> 1;"
+                GetScript    = "USE [master] SELECT name, is_disabled FROM sys.sql_logins WHERE principal_id = 1 AND is_disabled <> 1;"
-                TestScript = "USE [master] SELECT name, is_disabled FROM sys.sql_logins WHERE principal_id = 1 AND is_disabled <> 1;"
+                TestScript   = "USE [master] SELECT name, is_disabled FROM sys.sql_logins WHERE principal_id = 1 AND is_disabled <> 1;"
-                SetScript = 'USE [master] DECLARE @SysAdminAccountName varchar(50) SET @SysAdminAccountName = (SELECT name FROM sys.sql_logins WHERE principal_id = 1) IF @SysAdminAccountName = ''sa'' ALTER LOGIN [sa] WITH NAME = [old_sa] SET @SysAdminAccountName = ''old_sa'' DECLARE @saDisabled int SET @saDisabled = (SELECT is_disabled FROM sys.sql_logins WHERE principal_id = 1) IF @saDisabled <> 1 ALTER LOGIN [@SysAdminAccountName] DISABLE;'
+                SetScript    = 'USE [master] DECLARE @SysAdminAccountName varchar(50) SET @SysAdminAccountName = (SELECT name FROM sys.sql_logins WHERE principal_id = 1) IF @SysAdminAccountName = ''sa'' ALTER LOGIN [sa] WITH NAME = [old_sa] SET @SysAdminAccountName = ''old_sa'' DECLARE @saDisabled int SET @saDisabled = (SELECT is_disabled FROM sys.sql_logins WHERE principal_id = 1) IF @saDisabled <> 1 ALTER LOGIN [@SysAdminAccountName] DISABLE;'
                CheckContent = "Check SQL Server settings to determine if the [sa] (system administrator) account has been disabled by executing the following query:
                USE master;
                GO
@ -133,31 +133,31 @@ try
                FROM sys.sql_logins
                WHERE principal_id = 1; GO
                Verify that the `"name`" column contains the current name of the [sa] database server account (see note)."
-                FixText = "Modify the SQL Server's [sa] (system administrator) account by running the following script:
+                FixText      = "Modify the SQL Server's [sa] (system administrator) account by running the following script:
                USE master;
                GO
                ALTER LOGIN [sa] WITH NAME = <new name> GO"
            }
            Audit = @{
-                GetScript = "USE [master] DECLARE @MissingAuditCount INTEGER DECLARE @server_specification_id INTEGER DECLARE @FoundCompliant INTEGER SET @FoundCompliant = 0 /* Create a table for the events that we are looking for */ CREATE TABLE #AuditEvents (AuditEvent varchar(100)) INSERT INTO #AuditEvents (AuditEvent) VALUES (DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP),(DATABASE_OBJECT_PERMISSION_CHANGE_GROUP),(DATABASE_OWNERSHIP_CHANGE_GROUP) /* Create a cursor to walk through all audits that are enabled at startup */ DECLARE auditspec_cursor CURSOR FOR SELECT s.server_specification_id FROM sys.server_audits a INNER JOIN sys.server_audit_specifications s ON a.audit_guid = s.audit_guid WHERE a.is_state_enabled = 1; OPEN auditspec_cursor FETCH NEXT FROM auditspec_cursor INTO @server_specification_id WHILE @@FETCH_STATUS = 0 AND @FoundCompliant = 0 /* Does this specification have the needed events in it? */ BEGIN SET @MissingAuditCount = (SELECT Count(a.AuditEvent) AS MissingAuditCount FROM #AuditEvents a JOIN sys.server_audit_specification_details d ON a.AuditEvent = d.audit_action_name WHERE d.audit_action_name NOT IN (SELECT d2.audit_action_name FROM sys.server_audit_specification_details d2 WHERE d2.server_specification_id = @server_specification_id)) IF @MissingAuditCount = 0 SET @FoundCompliant = 1; FETCH NEXT FROM auditspec_cursor INTO @server_specification_id END CLOSE auditspec_cursor; DEALLOCATE auditspec_cursor; DROP TABLE #AuditEvents /* Produce output that works with DSC - records if we do not find the audit events we are looking for */ IF @FoundCompliant > 0 SELECT name FROM sys.sql_logins WHERE principal_id = -1; ELSE SELECT name FROM sys.sql_logins WHERE principal_id = 1"
+                GetScript    = "USE [master] DECLARE @MissingAuditCount INTEGER DECLARE @server_specification_id INTEGER DECLARE @FoundCompliant INTEGER SET @FoundCompliant = 0 /* Create a table for the events that we are looking for */ CREATE TABLE #AuditEvents (AuditEvent varchar(100)) INSERT INTO #AuditEvents (AuditEvent) VALUES (DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP),(DATABASE_OBJECT_PERMISSION_CHANGE_GROUP),(DATABASE_OWNERSHIP_CHANGE_GROUP) /* Create a cursor to walk through all audits that are enabled at startup */ DECLARE auditspec_cursor CURSOR FOR SELECT s.server_specification_id FROM sys.server_audits a INNER JOIN sys.server_audit_specifications s ON a.audit_guid = s.audit_guid WHERE a.is_state_enabled = 1; OPEN auditspec_cursor FETCH NEXT FROM auditspec_cursor INTO @server_specification_id WHILE @@FETCH_STATUS = 0 AND @FoundCompliant = 0 /* Does this specification have the needed events in it? */ BEGIN SET @MissingAuditCount = (SELECT Count(a.AuditEvent) AS MissingAuditCount FROM #AuditEvents a JOIN sys.server_audit_specification_details d ON a.AuditEvent = d.audit_action_name WHERE d.audit_action_name NOT IN (SELECT d2.audit_action_name FROM sys.server_audit_specification_details d2 WHERE d2.server_specification_id = @server_specification_id)) IF @MissingAuditCount = 0 SET @FoundCompliant = 1; FETCH NEXT FROM auditspec_cursor INTO @server_specification_id END CLOSE auditspec_cursor; DEALLOCATE auditspec_cursor; DROP TABLE #AuditEvents /* Produce output that works with DSC - records if we do not find the audit events we are looking for */ IF @FoundCompliant > 0 SELECT name FROM sys.sql_logins WHERE principal_id = -1; ELSE SELECT name FROM sys.sql_logins WHERE principal_id = 1"
-                TestScript = "USE [master] DECLARE @MissingAuditCount INTEGER DECLARE @server_specification_id INTEGER DECLARE @FoundCompliant INTEGER SET @FoundCompliant = 0 /* Create a table for the events that we are looking for */ CREATE TABLE #AuditEvents (AuditEvent varchar(100)) INSERT INTO #AuditEvents (AuditEvent) VALUES (DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP),(DATABASE_OBJECT_PERMISSION_CHANGE_GROUP),(DATABASE_OWNERSHIP_CHANGE_GROUP) /* Create a cursor to walk through all audits that are enabled at startup */ DECLARE auditspec_cursor CURSOR FOR SELECT s.server_specification_id FROM sys.server_audits a INNER JOIN sys.server_audit_specifications s ON a.audit_guid = s.audit_guid WHERE a.is_state_enabled = 1; OPEN auditspec_cursor FETCH NEXT FROM auditspec_cursor INTO @server_specification_id WHILE @@FETCH_STATUS = 0 AND @FoundCompliant = 0 /* Does this specification have the needed events in it? */ BEGIN SET @MissingAuditCount = (SELECT Count(a.AuditEvent) AS MissingAuditCount FROM #AuditEvents a JOIN sys.server_audit_specification_details d ON a.AuditEvent = d.audit_action_name WHERE d.audit_action_name NOT IN (SELECT d2.audit_action_name FROM sys.server_audit_specification_details d2 WHERE d2.server_specification_id = @server_specification_id)) IF @MissingAuditCount = 0 SET @FoundCompliant = 1; FETCH NEXT FROM auditspec_cursor INTO @server_specification_id END CLOSE auditspec_cursor; DEALLOCATE auditspec_cursor; DROP TABLE #AuditEvents /* Produce output that works with DSC - records if we do not find the audit events we are looking for */ IF @FoundCompliant > 0 SELECT name FROM sys.sql_logins WHERE principal_id = -1; ELSE SELECT name FROM sys.sql_logins WHERE principal_id = 1"
+                TestScript    = "USE [master] DECLARE @MissingAuditCount INTEGER DECLARE @server_specification_id INTEGER DECLARE @FoundCompliant INTEGER SET @FoundCompliant = 0 /* Create a table for the events that we are looking for */ CREATE TABLE #AuditEvents (AuditEvent varchar(100)) INSERT INTO #AuditEvents (AuditEvent) VALUES (DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP),(DATABASE_OBJECT_PERMISSION_CHANGE_GROUP),(DATABASE_OWNERSHIP_CHANGE_GROUP) /* Create a cursor to walk through all audits that are enabled at startup */ DECLARE auditspec_cursor CURSOR FOR SELECT s.server_specification_id FROM sys.server_audits a INNER JOIN sys.server_audit_specifications s ON a.audit_guid = s.audit_guid WHERE a.is_state_enabled = 1; OPEN auditspec_cursor FETCH NEXT FROM auditspec_cursor INTO @server_specification_id WHILE @@FETCH_STATUS = 0 AND @FoundCompliant = 0 /* Does this specification have the needed events in it? */ BEGIN SET @MissingAuditCount = (SELECT Count(a.AuditEvent) AS MissingAuditCount FROM #AuditEvents a JOIN sys.server_audit_specification_details d ON a.AuditEvent = d.audit_action_name WHERE d.audit_action_name NOT IN (SELECT d2.audit_action_name FROM sys.server_audit_specification_details d2 WHERE d2.server_specification_id = @server_specification_id)) IF @MissingAuditCount = 0 SET @FoundCompliant = 1; FETCH NEXT FROM auditspec_cursor INTO @server_specification_id END CLOSE auditspec_cursor; DEALLOCATE auditspec_cursor; DROP TABLE #AuditEvents /* Produce output that works with DSC - records if we do not find the audit events we are looking for */ IF @FoundCompliant > 0 SELECT name FROM sys.sql_logins WHERE principal_id = -1; ELSE SELECT name FROM sys.sql_logins WHERE principal_id = 1"
-                SetScript = '/* See STIG supplemental files for the annotated version of this script */ USE [master] IF EXISTS (SELECT 1 FROM sys.server_audit_specifications WHERE name = ''STIG_AUDIT_SERVER_SPECIFICATION'') ALTER SERVER AUDIT SPECIFICATION STIG_AUDIT_SERVER_SPECIFICATION WITH (STATE = OFF); IF EXISTS (SELECT 1 FROM sys.server_audit_specifications WHERE name = ''STIG_AUDIT_SERVER_SPECIFICATION'') DROP SERVER AUDIT SPECIFICATION STIG_AUDIT_SERVER_SPECIFICATION; IF EXISTS (SELECT 1 FROM sys.server_audits WHERE name = ''STIG_AUDIT'') ALTER SERVER AUDIT STIG_AUDIT WITH (STATE = OFF); IF EXISTS (SELECT 1 FROM sys.server_audits WHERE name = ''STIG_AUDIT'') DROP SERVER AUDIT STIG_AUDIT; CREATE SERVER AUDIT STIG_AUDIT TO FILE (FILEPATH = ''C:\Audits'', MAXSIZE = 200MB, MAX_ROLLOVER_FILES = 50, RESERVE_DISK_SPACE = OFF) WITH (QUEUE_DELAY = 1000, ON_FAILURE = SHUTDOWN) IF EXISTS (SELECT 1 FROM sys.server_audits WHERE name = ''STIG_AUDIT'') ALTER SERVER AUDIT STIG_AUDIT WITH (STATE = ON); CREATE SERVER AUDIT SPECIFICATION STIG_AUDIT_SERVER_SPECIFICATION FOR SERVER AUDIT STIG_AUDIT ADD (APPLICATION_ROLE_CHANGE_PASSWORD_GROUP), ADD (AUDIT_CHANGE_GROUP), ADD (BACKUP_RESTORE_GROUP), ADD (DATABASE_CHANGE_GROUP), ADD (DATABASE_OBJECT_CHANGE_GROUP), ADD (DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP), ADD (DATABASE_OBJECT_PERMISSION_CHANGE_GROUP), ADD (DATABASE_OPERATION_GROUP), ADD (DATABASE_OWNERSHIP_CHANGE_GROUP), ADD (DATABASE_PERMISSION_CHANGE_GROUP), ADD (DATABASE_PRINCIPAL_CHANGE_GROUP), ADD (DATABASE_PRINCIPAL_IMPERSONATION_GROUP), ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP), ADD (DBCC_GROUP), ADD (FAILED_LOGIN_GROUP), ADD (LOGIN_CHANGE_PASSWORD_GROUP), ADD (LOGOUT_GROUP), ADD (SCHEMA_OBJECT_CHANGE_GROUP), ADD (SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP), ADD (SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP), ADD (SERVER_OBJECT_CHANGE_GROUP), ADD (SERVER_OBJECT_OWNERSHIP_CHANGE_GROUP), ADD (SERVER_OBJECT_PERMISSION_CHANGE_GROUP), ADD (SERVER_OPERATION_GROUP), ADD (SERVER_PERMISSION_CHANGE_GROUP), ADD (SERVER_PRINCIPAL_CHANGE_GROUP), ADD (SERVER_PRINCIPAL_IMPERSONATION_GROUP), ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP), ADD (SERVER_STATE_CHANGE_GROUP), ADD (SUCCESSFUL_LOGIN_GROUP), ADD (TRACE_CHANGE_GROUP) WITH (STATE = ON); GO '
+                SetScript    = '/* See STIG supplemental files for the annotated version of this script */ USE [master] IF EXISTS (SELECT 1 FROM sys.server_audit_specifications WHERE name = ''STIG_AUDIT_SERVER_SPECIFICATION'') ALTER SERVER AUDIT SPECIFICATION STIG_AUDIT_SERVER_SPECIFICATION WITH (STATE = OFF); IF EXISTS (SELECT 1 FROM sys.server_audit_specifications WHERE name = ''STIG_AUDIT_SERVER_SPECIFICATION'') DROP SERVER AUDIT SPECIFICATION STIG_AUDIT_SERVER_SPECIFICATION; IF EXISTS (SELECT 1 FROM sys.server_audits WHERE name = ''STIG_AUDIT'') ALTER SERVER AUDIT STIG_AUDIT WITH (STATE = OFF); IF EXISTS (SELECT 1 FROM sys.server_audits WHERE name = ''STIG_AUDIT'') DROP SERVER AUDIT STIG_AUDIT; CREATE SERVER AUDIT STIG_AUDIT TO FILE (FILEPATH = ''C:\Audits'', MAXSIZE = 200MB, MAX_ROLLOVER_FILES = 50, RESERVE_DISK_SPACE = OFF) WITH (QUEUE_DELAY = 1000, ON_FAILURE = SHUTDOWN) IF EXISTS (SELECT 1 FROM sys.server_audits WHERE name = ''STIG_AUDIT'') ALTER SERVER AUDIT STIG_AUDIT WITH (STATE = ON); CREATE SERVER AUDIT SPECIFICATION STIG_AUDIT_SERVER_SPECIFICATION FOR SERVER AUDIT STIG_AUDIT ADD (APPLICATION_ROLE_CHANGE_PASSWORD_GROUP), ADD (AUDIT_CHANGE_GROUP), ADD (BACKUP_RESTORE_GROUP), ADD (DATABASE_CHANGE_GROUP), ADD (DATABASE_OBJECT_CHANGE_GROUP), ADD (DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP), ADD (DATABASE_OBJECT_PERMISSION_CHANGE_GROUP), ADD (DATABASE_OPERATION_GROUP), ADD (DATABASE_OWNERSHIP_CHANGE_GROUP), ADD (DATABASE_PERMISSION_CHANGE_GROUP), ADD (DATABASE_PRINCIPAL_CHANGE_GROUP), ADD (DATABASE_PRINCIPAL_IMPERSONATION_GROUP), ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP), ADD (DBCC_GROUP), ADD (FAILED_LOGIN_GROUP), ADD (LOGIN_CHANGE_PASSWORD_GROUP), ADD (LOGOUT_GROUP), ADD (SCHEMA_OBJECT_CHANGE_GROUP), ADD (SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP), ADD (SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP), ADD (SERVER_OBJECT_CHANGE_GROUP), ADD (SERVER_OBJECT_OWNERSHIP_CHANGE_GROUP), ADD (SERVER_OBJECT_PERMISSION_CHANGE_GROUP), ADD (SERVER_OPERATION_GROUP), ADD (SERVER_PERMISSION_CHANGE_GROUP), ADD (SERVER_PRINCIPAL_CHANGE_GROUP), ADD (SERVER_PRINCIPAL_IMPERSONATION_GROUP), ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP), ADD (SERVER_STATE_CHANGE_GROUP), ADD (SUCCESSFUL_LOGIN_GROUP), ADD (TRACE_CHANGE_GROUP) WITH (STATE = ON); GO '
                CheckContent = "If the following events are not included, this is a finding.
                DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP DATABASE_OBJECT_PERMISSION_CHANGE_GROUP
                DATABASE_OWNERSHIP_CHANGE_GROUP"
-                FixText = "Fix Text: Add the following events to the SQL Server Audit that is being used for the STIG compliant audit.
+                FixText      = "Fix Text: Add the following events to the SQL Server Audit that is being used for the STIG compliant audit.
                DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP DATABASE_OBJECT_PERMISSION_CHANGE_GROUP
                DATABASE_OWNERSHIP_CHANGE_GROUP
                See the supplemental file `"SQL 2016 Audit.sql`". "
            }
-            PlainSQL = @{
+            PlainSQL    = @{
-                GetScript = "SELECT name from sysdatabases where name like 'AdventureWorks%';"
+                GetScript    = "SELECT name from sysdatabases where name like 'AdventureWorks%';"
-                TestScript = "SELECT name from sysdatabases where name like 'AdventureWorks%';"
+                TestScript   = "SELECT name from sysdatabases where name like 'AdventureWorks%';"
-                SetScript = "DROP DATABASE AdventureWorks"
+                SetScript    = "DROP DATABASE AdventureWorks"
                CheckContent = "Check SQL Server for the existence of the publicly available `"AdventureWorks`" database by performing the following query:
                SELECT name from sysdatabases where name like 'AdventureWorks%';
                If the `"AdventureWorks`" database is present, this is a finding."
-                FixText = "Remove the publicly available `"AdventureWorks`" database from SQL Server by running the following query:
+                FixText      = "Remove the publicly available `"AdventureWorks`" database from SQL Server by running the following query:
                DROP DATABASE AdventureWorks"
            }
        }
--- a/Tests/Unit/Tools/Release.Tests.ps1
+++ b/Tests/Unit/Tools/Release.Tests.ps1
@ -689,7 +689,7 @@ try
            $testPullRequestNumber = 488
            $repository = @{
                name = 'PowerStig'
-                url = 'https://api.github.com'
+                url  = 'https://api.github.com'
            }
            $pullRequest = @{
                head = @{
@ -738,6 +738,40 @@ try
                Assert-MockCalled -CommandName Push-GitBranch
            }
        }
        Describe 'Set-FileHashMarkdown' -Tag 'tools' {
            Mock -CommandName Get-FileHash -MockWith {
                return @{
                    Algorithm = 'SHA256'
                    Hash      = '832A2A0F2EFF192EDB189E577753691143A50B674B14B68961FC08761F1DE81E'
                    Path      = 'c:\dev\project\StigTestFile.xml'
                }
            }
            Mock -CommandName Get-Item -MockWith {
                return @{
                    Mode   = '-a----'
                    Length = 8414
                    Name   = 'StigTestFile.xml'
                }
            }
            It 'Should insert StigTestFile.xml file hash data in FILEHASH.md' {
                $setFileHashMarkdownParams = @{
                    FileHashPath  = 'c:\dev\project\StigTestFile.xml'
                    MarkdownPath  = 'TestDrive:\FILEHASH.md'
                    Algorithm     = 'SHA256'
                    ModuleVersion = '2.0.0.0'
                }
                Set-FileHashMarkdown @setFileHashMarkdownParams
                $fileInfo = Get-ChildItem -Path 'TestDrive:\FILEHASH.md'
                $fileContent = Get-Content -Path 'TestDrive:\FILEHASH.md'
                $shouldBeContent = '| StigTestFile.xml | 832A2A0F2EFF192EDB189E577753691143A50B674B14B68961FC08761F1DE81E | 8414 |'
                $fileInfo.Name | Should Be 'FILEHASH.md'
                $fileContent -contains $shouldBeContent | Should Be $true
            }
        }
    }
 }
 finally
--- a/Tools/Release/Release.psm1
+++ b/Tools/Release/Release.psm1
@ -69,11 +69,11 @@ function Get-PowerStigRepository
    $gitRemote = Invoke-Git -Command "remote get-url origin"
-    $baseUrl = $gitRemote -replace '\.git$',''
+    $baseUrl = $gitRemote -replace '\.git$', ''
    if ([string]::IsNullOrEmpty($gitRemote) -or
        $gitRemote -notmatch "^https://github.com/Microsoft/PowerStig")
    {
-       throw "$gitRemote is not a PowerStig Project. Please select a PowerStig project to release."
+        throw "$gitRemote is not a PowerStig Project. Please select a PowerStig project to release."
    }
    else
    {
@ -253,7 +253,7 @@ function Get-UnreleasedNotes
    $unreleasedLine = $changelogContent | Select-String -Pattern $unreleasedHeader
    $latestedreleaseLine = ($changelogContent |
-        Select-String -Pattern $latestedreleaseHeader)[0]
+            Select-String -Pattern $latestedreleaseHeader)[0]
    $releaseNotes = $changelogContent[
        ($unreleasedLine.LineNumber)..($latestedreleaseLine.LineNumber - 2)] |
@ -341,7 +341,7 @@ function Update-Contributors
    $null = $contributorsMd.AppendLine('')
    $readmeContributorsRegEx = '(?<=### Contributors)[^#]+(?=#)'
-    $readmeContent = $readmeContent -replace $readmeContributorsRegEx,$contributorsMd.ToString()
+    $readmeContent = $readmeContent -replace $readmeContributorsRegEx, $contributorsMd.ToString()
    Set-Content -Path $readmePath -Value $readmeContent.Trim()
 }
@ -381,12 +381,16 @@ function Update-Manifest
        $ManifestPath = (Get-ChildItem -Path $PWD -Filter "*.psd1").FullName
    }
-    $manifestContent    = Get-Content -Path $ManifestPath -Raw
+    $manifestContent = Get-Content -Path $ManifestPath -Raw
    $moduleVersionRegex = '(?<=ModuleVersion\s*=\s*'')(?<ModuleVersion>.*)(?=''(?!(\s*)}))'
-    $manifestContent    = $manifestContent -replace $moduleVersionRegex, $ModuleVersion
+    $manifestContent = $manifestContent -replace $moduleVersionRegex, $ModuleVersion
    $releaseNotesRegEx = "(?<=ReleaseNotes\s*=\s*')[^']+(?=')"
-    $manifestContent   = $manifestContent -replace $releaseNotesRegEx, $ReleaseNotes
+
    # If any single quotes are in the release notes, they need to be escaped with another single quote
    $ReleaseNotes = $ReleaseNotes -replace "'","''"
    $manifestContent = $manifestContent -replace $releaseNotesRegEx, $ReleaseNotes
    Set-Content -Path $ManifestPath -Value $manifestContent.TrimEnd()
 }
@ -445,12 +449,12 @@ function Get-ProjectContributorList
    # https://developer.github.com/v3/pulls/#list-pull-requests
    $gitHubReleaseParam = [ordered]@{
        Authentication = 'OAuth'
-        Token = $script:GitHubApiKeySecure
+        Token          = $script:GitHubApiKeySecure
-        Uri = "$($Repository.api_url)/pulls"
+        Uri            = "$($Repository.api_url)/pulls"
-        Method = 'Get'
+        Method         = 'Get'
-        Body = [ordered]@{
+        Body           = [ordered]@{
            state = 'closed'
-            base = 'dev'
+            base  = 'dev'
        }
    }
    $pulls = Invoke-RestMethod @gitHubReleaseParam
@ -460,8 +464,8 @@ function Get-ProjectContributorList
    # There were several contributors before this project was moved to GitHub, so
    # make sure they are given credit along side the contributions from GitHub.
    $preGitHubContributors = @{
-        PowerStig    = @('jcwalker','regedit32','bgouldman','mcollera')
+        PowerStig    = @('jcwalker', 'regedit32', 'bgouldman', 'mcollera')
-        PowerStigDsc = @('jcwalker','regedit32','bgouldman','mcollera')
+        PowerStigDsc = @('jcwalker', 'regedit32', 'bgouldman', 'mcollera')
    }
    foreach ($user in $preGitHubContributors.($Repository.name))
@ -478,9 +482,9 @@ function Get-ProjectContributorList
        # https://developer.github.com/v3/users/#get-a-single-user
        $gitHubReleaseParam = [ordered]@{
            Authentication = 'OAuth'
-            Token = $script:GitHubApiKeySecure
+            Token          = $script:GitHubApiKeySecure
-            Uri = "https://api.github.com/users/$user"
+            Uri            = "https://api.github.com/users/$user"
-            Method = 'Get'
+            Method         = 'Get'
        }
        # The GitHub release triggers the AppVeyor deployment to the Gallery.
        $userDetails = Invoke-RestMethod @gitHubReleaseParam
@ -563,10 +567,10 @@ function Get-GitHubRefStatus
    # https://developer.github.com/v3/repos/statuses/#list-statuses-for-a-specific-ref
    $restParameters = [ordered]@{
        'Authentication' = 'OAuth'
-        'Token' = $script:GitHubApiKeySecure
+        'Token'          = $script:GitHubApiKeySecure
-        'Uri' = "$($Repository.api_url)/commits/$Name/status"
+        'Uri'            = "$($Repository.api_url)/commits/$Name/status"
-        'Method' = 'Get'
+        'Method'         = 'Get'
-        'Verbose' = $false
+        'Verbose'        = $false
    }
    [int] $i = 0
@ -680,9 +684,9 @@ function Get-GitHubPullRequest
    # https://developer.github.com/v3/pulls/#list-pull-requests
    $pullRequestParams = @{
        Authentication = 'OAuth'
-        Token = $script:GitHubApiKeySecure
+        Token          = $script:GitHubApiKeySecure
-        Method = 'Get'
+        Method         = 'Get'
-        Uri = "$($Repository.api_url)/pulls"
+        Uri            = "$($Repository.api_url)/pulls"
    }
    If ($PSCmdlet.ParameterSetName -eq 'one')
@ -718,7 +722,7 @@ function Approve-GitHubPullRequest
        $CommitMessage,
        [Parameter()]
-        [ValidateSet('merge','squash','rebase')]
+        [ValidateSet('merge', 'squash', 'rebase')]
        [string]
        $MergeMethod = 'merge'
    )
@ -726,14 +730,14 @@ function Approve-GitHubPullRequest
    # https://developer.github.com/v3/pulls/#merge-a-pull-request-merge-button
    $restMethodParam = [ordered]@{
        Authentication = 'OAuth'
-        Token = $script:GitHubApiKeySecure
+        Token          = $script:GitHubApiKeySecure
-        Uri = "$($PullRequest.url)/merge"
+        Uri            = "$($PullRequest.url)/merge"
-        Method = 'Put'
+        Method         = 'Put'
-        Body = [ordered]@{
+        Body           = [ordered]@{
-            commit_title = $CommitTitle
+            commit_title   = $CommitTitle
            commit_message = $CommitMessage
-            sha = $PullRequest.head.sha
+            sha            = $PullRequest.head.sha
-            merge_method = $MergeMethod.ToLower()
+            merge_method   = $MergeMethod.ToLower()
        } | ConvertTo-Json
    }
@ -773,22 +777,97 @@ function New-GitHubRelease
    # https://developer.github.com/v3/repos/releases/#create-a-release
    $restMethodParam = [ordered]@{
        Authentication = 'OAuth'
-        Token = $script:GitHubApiKeySecure
+        Token          = $script:GitHubApiKeySecure
-        Uri = "$($Repository.api_url)/releases"
+        Uri            = "$($Repository.api_url)/releases"
-        Method = 'Post'
+        Method         = 'Post'
-        Body = [ordered]@{
+        Body           = [ordered]@{
-            tag_name = $TagName
+            tag_name         = $TagName
            target_commitish = 'master'
-            name = $Title
+            name             = $Title
-            body = $Description
+            body             = $Description
-            draft = $Draft
+            draft            = $Draft
-            prerelease = $Prerelease
+            prerelease       = $Prerelease
        } | ConvertTo-Json
    }
    Invoke-RestMethod @restMethodParam
 }
 <#
    .SYNOPSIS
        Sets a markdown file which contains PowerSTIG file hashes.
    .DESCRIPTION
        Used to set a markdown file with file hashes for PowerSTIG
        module files, such as Processed STIG Data, etc.
    .PARAMETER FileHashPath
        Specifies the path to one or more files as an array to generate file
        hash data. Wildcard characters are permitted.
    .PARAMETER MarkdownPath
        Specifies the path for the markdown file.
    .PARAMETER Algorithm
        Specifies the cryptographic hash function to use for computing the hash
        value of the contents of the specified file. A cryptographic hash function
        includes the property that it is not possible to find two distinct inputs
        that generate the same hash values. Hash functions are commonly used with
        digital signatures and for data integrity.
        The acceptable values for this parameter are:
        'SHA256', 'SHA384' or 'SHA512'
 #>
 function Update-FileHashMarkdown
 {
    param
    (
        [Parameter()]
        [string[]]
        $FileHashPath = (Join-Path -Path $PWD -ChildPath '\StigData\Processed\*.xml'),
        [Parameter()]
        [string]
        $MarkdownPath = (Join-Path -Path $PWD -ChildPath '\FILEHASH.md'),
        [Parameter()]
        [ValidateSet('SHA256', 'SHA384', 'SHA512')]
        [string]
        $Algorithm = 'SHA256',
        [Parameter(Mandatory = $true)]
        [string]
        $ModuleVersion
    )
    # Markdown header for file hash information table
    $markdownHeader = @'
 # PowerSTIG File Hashes : Module Version {0}
 Hashes for **PowerSTIG** files are listed in the following table:
 | File | {1} Hash | Size (bytes) |
 | :---- | ---- | ---: |
 '@ -f $ModuleVersion, $Algorithm
    $fileHash = Get-FileHash -Path $FileHashPath -Algorithm $Algorithm
    # String builder to set the markdown file
    $fileHashMarkdownFileContent = New-Object System.Text.StringBuilder
    $null = $fileHashMarkdownFileContent.AppendLine($markdownHeader)
    foreach ($file in $fileHash)
    {
        $fileHashWithSize = '| {0} | {1} | {2} |' -f
        $(Split-Path -Path $file.Path -Leaf),
        $($file.Hash),
        $((Get-Item -Path $file.Path).Length)
        $null = $fileHashMarkdownFileContent.AppendLine($fileHashWithSize)
    }
    Set-Content -Path $MarkdownPath -Value $fileHashMarkdownFileContent.ToString().Trim() -Force
 }
 #endregion
 #region DevMerge
@ -1038,6 +1117,102 @@ function Start-PowerStigRelease
    }
 }
 function Start-PowerStigDevMerge
 {
    [OutputType([int])]
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $true)]
        [ValidateSet('Feature', 'Hotfix')]
        [string]
        $Type,
        [Parameter(Mandatory = $true)]
        [string]
        $GitRepositoryPath,
        [Parameter(Mandatory = $true)]
        [string]
        $ModuleVersion,
        [Parameter()]
        [string]
        $GitHubApiSecureFilePath
    )
    $repository = Get-PowerStigRepository
    Get-GitHubApiKey -SecureFilePath $GitHubApiSecureFilePath
    $releaseBranchName = $script:ReleaseName -f $ModuleVersion
    # Convert GitRepositoryPath into an absolute path if it is relative
    if (-not ([System.IO.Path]::IsPathRooted($GitRepositoryPath)))
    {
        $GitRepositoryPath = Resolve-Path -Path $GitRepositoryPath
    }
    Push-Location -Path $GitRepositoryPath
    if (Test-ModuleVersion -ModuleVersion $ModuleVersion)
    {
        Write-Verbose -Message "$ModuleVersion is greater than currently released."
    }
    else
    {
        throw "$ModuleVersion is not greater than currently released."
    }
    if ($Type -eq 'Hotfix')
    {
        New-GitReleaseBranch -BranchName $releaseBranchName
    }
    else
    {
        try
        {
            Set-GitBranch -Branch $ModuleVersion -SkipPull
            $releaseBranchName = $ModuleVersion
        }
        catch
        {
            throw "Git branch $ModuleVersion was not found"
        }
    }
    # $releaseNotes = Get-UnreleasedNotes
    # if ([string]::IsNullOrEmpty($releaseNotes))
    # {
    #     throw 'There are no release notes for this release.'
    # }
    #Update-ReleaseNotes -ModuleVersion $ModuleVersion
    #Update-Manifest -ModuleVersion $ModuleVersion -ReleaseNotes $releaseNotes
    Update-AppVeyorConfiguration -ModuleVersion $ModuleVersion
    Update-Contributors -Repository $repository
    Update-FileHashMarkdown -ModuleVersion $ModuleVersion
    # Push the release branch to GitHub
    Push-GitBranch -Name $releaseBranchName -CommitMessage "Bumped version number to $ModuleVersion for release."
    $repository = Get-PowerStigRepository
    $pullRequestParameters = @{
        Repository    = $Repository
        ModuleVersion = $ModuleVersion
        BranchHead    = $releaseBranchName
        BranchBase    = 'dev'
    }
    #$pullRequest = New-GitHubPullRequest @pullRequestParameters
    return $pullRequest.number
 }
 <#
    .SYNOPSIS
        Completes the PowerStig release process for a given module that was
--- a/appveyor.yml
+++ b/appveyor.yml
@ -8,7 +8,7 @@
 #      general configuration      #
 #---------------------------------#
-version: 2.3.2.{build}
+version: 2.4.0.{build}
 skip_commits:
  files:
		`@ -0,0 +1 @@`
							`Subproject commit 228afc21b7c72153f293a058719cfb30c36a259a`