Merge pull request #1374 from microsoft/hinderjd#1368
Update Powerstig to parse\apply Microsoft Windows 11 STIG - Ver 2, Rel 1 #1368
This commit is contained in:
Michael Rasmussen
GitHub
Коммит
8ab20acbbc
|
|
@ -13,6 +13,8 @@
|
|||
|
||||
* Update Powerstig to parse\apply Microsoft Office 365 ProPlus STIG - Ver 3, Rel 1 [#1372](https://github.com/microsoft/PowerStig/issues/1372)
|
||||
|
||||
* Update Powerstig to parse\apply Microsoft Windows 11 STIG - Ver 2, Rel 1 [#1368](https://github.com/microsoft/PowerStig/issues/1368)
|
||||
|
||||
## [4.22.0] - 2024-05-31
|
||||
|
||||
* Update Powerstig to parse/apply Microsoft Edge STIG - Ver 1, Rel 8 [#1350](https://github.com/microsoft/PowerStig/issues/1350)
|
||||
|
|
|
|||
Различия файлов скрыты, потому что одна или несколько строк слишком длинны
|
|
@ -5,7 +5,7 @@
|
|||
Each setting in this file is linked by STIG ID and the valid range is in an
|
||||
associated comment.
|
||||
-->
|
||||
<OrganizationalSettings fullversion="1.5">
|
||||
<OrganizationalSettings fullversion="2.1">
|
||||
<!-- Ensure ValueData is set to 0x00000006 (6) or greater -->
|
||||
<OrganizationalSetting id="V-253261" ValueData="" />
|
||||
<!-- Ensure ''V-253297'' -ge '15' -or ''V-253297'' -eq '0'-->
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
<DISASTIG version="1" classification="UNCLASSIFIED" customname="" stigid="Microsoft_Windows_11_STIG" description="This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil." filename="U_MS_Windows_11_STIG_V1R5_Manual-xccdf.xml" releaseinfo="Release: 5 Benchmark Date: 09 Nov 2023 3.4.1.22916 1.10.0" title="Microsoft Windows 11 Security Technical Implementation Guide" notice="terms-of-use" source="STIG.DOD.MIL" fullversion="1.5" created="11/17/2023">
|
||||
<DISASTIG version="2" classification="UNCLASSIFIED" customname="" stigid="Microsoft_Windows_11_STIG" description="This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil." filename="U_MS_Windows_11_STIG_V2R1_Manual-xccdf.xml" releaseinfo="Release: 1 Benchmark Date: 24 Jul 2024 3.5 1.10.0" title="Microsoft Windows 11 Security Technical Implementation Guide" notice="terms-of-use" source="STIG.DOD.MIL" fullversion="2.1" created="7/20/2024">
|
||||
<AccountPolicyRule dscresourcemodule="SecurityPolicyDsc">
|
||||
<Rule id="V-253297" severity="medium" conversionstatus="pass" title="SRG-OS-000329-GPOS-00128" dscresource="AccountPolicy">
|
||||
<Description><VulnDiscussion>The account lockout feature, when enabled, prevents brute-force password attacks on the system. This parameter specifies the amount of time that an account will remain locked after the specified number of failed logon attempts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
|
|
@ -54,7 +54,7 @@ Navigate to Local Computer Policy >> Computer Configuration >> Windo
|
|||
If the "Reset account lockout counter after" value is less than "15" minutes, this is a finding.</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-253300" severity="medium" conversionstatus="pass" title="SRG-OS-000077-GPOS-00045" dscresource="AccountPolicy">
|
||||
<Description><VulnDiscussion>A system is more vulnerable to unauthorized access when system users recycle the same password several times without being required to change a password to a unique password on a regularly scheduled basis. This enables users to effectively negate the purpose of mandating periodic password changes. The default value is 24 for Windows domain systems. DoD has decided this is the appropriate value for all Windows systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>A system is more vulnerable to unauthorized access when system users recycle the same password several times without being required to change a password to a unique password on a regularly scheduled basis. This enables users to effectively negate the purpose of mandating periodic password changes. The default value is 24 for Windows domain systems. DOD has decided this is the appropriate value for all Windows systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>
|
||||
|
|
@ -71,7 +71,7 @@ Navigate to Local Computer Policy >> Computer Configuration >> Windo
|
|||
If the value for "Enforce password history" is less than "24" passwords remembered, this is a finding.</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-253301" severity="medium" conversionstatus="pass" title="SRG-OS-000076-GPOS-00044" dscresource="AccountPolicy">
|
||||
<Description><VulnDiscussion>The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the passwords. Scheduled changing of passwords hinders the ability of unauthorized system users to crack passwords and gain access to a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<Description><VulnDiscussion>The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the passwords. Scheduled changing of passwords hinders the ability of unauthorized system users to crack passwords and gain access to a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
<LegacyId>
|
||||
|
|
@ -572,7 +572,7 @@ Auditing object access for removable media records events related to access atte
|
|||
</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN11-SO-000030) for the detailed auditing subcategories to be effective.
|
||||
<RawString>Security Option "Audit: Force audit policy subcategory settings to override audit policy category settings" must be set to "Enabled" (WN11-SO-000030) for the detailed auditing subcategories to be effective.
|
||||
|
||||
Use the AuditPol tool to review the current Audit Policy configuration:
|
||||
Open a Command Prompt with elevated privileges ("Run as Administrator").
|
||||
|
|
@ -1088,7 +1088,7 @@ To support this requirement, the operating system may have an integrated solutio
|
|||
</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>Verify DoD-approved ESS software is installed and properly operating. Ask the site ISSM for documentation of the ESS software installation and configuration.
|
||||
<RawString>Verify DOD-approved ESS software is installed and properly operating. Ask the site information system security manager (ISSM) for documentation of the ESS software installation and configuration.
|
||||
|
||||
If the ISSM is not able to provide a documented configuration for an installed ESS or if the ESS software is not properly maintained or used, this is a finding.
|
||||
|
||||
|
|
@ -1130,7 +1130,7 @@ Local administrator account
|
|||
|
||||
If any enabled accounts have not been logged on to within the past 35 days, this is a finding.
|
||||
|
||||
Inactive accounts that have been reviewed and deemed to be required must be documented with the ISSO.</RawString>
|
||||
Inactive accounts that have been reviewed and deemed to be required must be documented with the information system security officer (ISSO).</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-253271" severity="medium" conversionstatus="pass" title="SRG-OS-000312-GPOS-00124" dscresource="None">
|
||||
<Description><VulnDiscussion>Allowing other operating systems to run on a secure system may allow users to circumvent security. For Hyper-V, preventing unauthorized users from being assigned to the Hyper-V Administrators group will prevent them from accessing or creating virtual machines on the system. The Hyper-V Hypervisor is used by virtualization-based Security features such as Credential Guard on Windows 11; however, it is not the full Hyper-V installation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
|
|
@ -1293,7 +1293,7 @@ Run "System Information".
|
|||
|
||||
Under "System Summary", if "Secure Boot State" does not display "On", this is a finding.</RawString>
|
||||
</Rule>
|
||||
<Rule id="V-253259" severity="medium" conversionstatus="pass" title="SRG-OS-000404-GPOS-00183" dscresource="None">
|
||||
<Rule id="V-253259" severity="high" conversionstatus="pass" title="SRG-OS-000404-GPOS-00183" dscresource="None">
|
||||
<Description><VulnDiscussion>If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can remove non-volatile memory and read it directly, thereby circumventing operating system controls. Encrypting the data ensures that confidentiality is protected even when the operating system is not running.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<IsNullOrEmpty>False</IsNullOrEmpty>
|
||||
|
|
@ -1326,9 +1326,7 @@ The organization must identify authorized software programs and only permit exec
|
|||
</LegacyId>
|
||||
<OrganizationValueRequired>False</OrganizationValueRequired>
|
||||
<OrganizationValueTestString />
|
||||
<RawString>This is applicable to unclassified systems.
|
||||
|
||||
Verify the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs. This must include packaged apps such as the universal apps installed by default on systems.
|
||||
<RawString>Verify the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs. This must include packaged apps such as the universal apps installed by default on systems.
|
||||
|
||||
If an application allowlisting program is not in use on the system, this is a finding.
|
||||
|
||||
|
|
@ -1776,7 +1774,7 @@ Windows LAPS must be used to change the built-in Administrator account password.
|
|||
|
||||
Review the password last set date for the enabled local Administrator account.
|
||||
|
||||
On the local domain-joined workstation:
|
||||
On the standalone or domain-joined workstation:
|
||||
|
||||
Open "PowerShell".
|
||||
|
||||
|
|
@ -1837,7 +1835,7 @@ These audit events can assist in understanding how a computer is being used and
|
|||
<OrganizationValueTestString />
|
||||
<RawString>Ensure Audit Process Creation auditing has been enabled:
|
||||
|
||||
Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> Detailed Tracking >> Set to "Failure".
|
||||
Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policy >> Detailed Tracking >> Audit Process Creation.
|
||||
|
||||
If "Audit Process Creation" is not set to "Failure", this is a finding.</RawString>
|
||||
</Rule>
|
||||
|
|
@ -2474,7 +2472,7 @@ If the defaults have not been changed, these are not a finding.
|
|||
</Rule>
|
||||
</PermissionRule>
|
||||
<RegistryRule dscresourcemodule="PSDscResources">
|
||||
<Rule id="V-253260.a" severity="medium" conversionstatus="pass" title="SRG-OS-000405-GPOS-00184" dscresource="RegistryPolicyFile">
|
||||
<Rule id="V-253260.a" severity="high" conversionstatus="pass" title="SRG-OS-000405-GPOS-00184" dscresource="RegistryPolicyFile">
|
||||
<Description><VulnDiscussion>If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can remove non-volatile memory and read it directly, thereby circumventing operating system controls. Encrypting the data ensures that confidentiality is protected even when the operating system is not running. Pre-boot authentication prevents unauthorized users from accessing encrypted drives.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
|
|
@ -2493,7 +2491,7 @@ Value: 0x00000001 (1)</RawString>
|
|||
<ValueName>UseAdvancedStartup</ValueName>
|
||||
<ValueType>Dword</ValueType>
|
||||
</Rule>
|
||||
<Rule id="V-253260.b" severity="medium" conversionstatus="pass" title="SRG-OS-000405-GPOS-00184" dscresource="RegistryPolicyFile">
|
||||
<Rule id="V-253260.b" severity="high" conversionstatus="pass" title="SRG-OS-000405-GPOS-00184" dscresource="RegistryPolicyFile">
|
||||
<Description><VulnDiscussion>If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can remove non-volatile memory and read it directly, thereby circumventing operating system controls. Encrypting the data ensures that confidentiality is protected even when the operating system is not running. Pre-boot authentication prevents unauthorized users from accessing encrypted drives.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
|
||||
<DuplicateOf />
|
||||
<Ensure>Present</Ensure>
|
||||
Загрузка…
Ссылка в новой задаче