Update PowerSTIG to successfully parse/apply Windows 10 STIG V2 R2 (#894

) * updated to add windows 10 v2r2 support * update based on feedback Co-authored-by: Brian Wilhite <bcwilhite@live.com>
microsoft · May 27, 2021 · df6943e · df6943e
1 parent 279cf72
commit df6943e
Show file tree

Hide file tree

Showing 8 changed files with 6,944 additions and 6,676 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,8 @@
 
 ## [Unreleased]
 
+* Update PowerSTIG to successfully parse/apply Windows 10 STIG V2 R2: [#891](https://github.com/microsoft/PowerStig/issues/891)
+* Update PowerSTIG to Parse/Apply Google Chrome Ver 2, Rel 2: [#876](https://github.com/microsoft/PowerStig/issues/876)
 * Update PowerSTIG to successfully parse/apply Microsoft Windows 2012 R2 DC STIG- Ver 3, Rel 2 [#902](https://github.com/microsoft/PowerStig/issues/902)
 * Update PowerSTIG to successfully parse/apply Microsoft IIS 10.0 SITE/SERVER STIG V2R2: [#882](https://github.com/microsoft/PowerStig/issues/882)
 * Update PowerSTIG to successfully parse/apply Microsoft Windows 2012 Server Domain Name System STIG - Ver 2, Rel 2  [#896](https://github.com/microsoft/PowerStig/issues/896)

diff --git a/source/StigData/Archive/Windows.Client/U_MS_Windows_10_STIG_V1R23_Manual-xccdf.log b/source/StigData/Archive/Windows.Client/U_MS_Windows_10_STIG_V1R23_Manual-xccdf.log
diff --git a/source/StigData/Archive/Windows.Client/U_MS_Windows_10_STIG_V1R23_Manual-xccdf.xml b/source/StigData/Archive/Windows.Client/U_MS_Windows_10_STIG_V1R23_Manual-xccdf.xml
diff --git a/source/StigData/Archive/Windows.Client/U_MS_Windows_10_STIG_V2R2_Manual-xccdf.log b/source/StigData/Archive/Windows.Client/U_MS_Windows_10_STIG_V2R2_Manual-xccdf.log
@@ -0,0 +1,18 @@
+V-220745::"Minimum password length,"::"Minimum password length"
+V-220747::"Store password using reversible encryption"::"Store passwords using reversible encryption"
+V-220836::*::HardCodedRule(RegistryRule)@{DscResource = 'RegistryPolicyFile'; Ensure = 'Present'; Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'; ValueData = 'Block'; ValueName = 'ShellSmartScreenLevel'; ValueType = 'String'}<splitRule>HardCodedRule(RegistryRule)@{DscResource = 'RegistryPolicyFile'; Ensure = 'Present'; Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'; ValueData = $null; ValueName = 'EnableSmartScreen'; ValueType = 'Dword'; OrganizationValueTestString = "{0} -eq 1|2"}
+V-220860::Registry Path: \SOFTWARE\ Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\::Registry Path: \SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\
+V-220805::Registry Path: \SOFTWARE\Policies\Microsoft\ Cryptography\Configuration\SSL\00010002\::Registry Path: \SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002\
+V-220704::*::HardCodedRule(RegistryRule)@{DscResource = 'Registry'; Ensure = 'Present'; Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE'; ValueData = $null; ValueName = 'MinimumPIN'; ValueType = 'DWord'; OrganizationValueTestString = 'ValueData is set to 0x00000006 (6) or greater '}
+V-220870::Value data: 0::Value: 0x00000000 (0)
+V-220871::Value data: 1::Value: 0x00000001 (1)
+V-220793::RegistryPath\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam::Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam
+V-220793::This requirement is not applicable to mobile devices (smartphones and tablets), where the use of the camera is a local AO decision.::ValueType: REG_SZ
+V-220793::This requirement is not applicable to dedicated VTC suites located in approved VTC locations that are centrally managed.::Value: Deny
+V-220793::Value Name: Deny::ValueName: Value
+V-220961::NT SERVICE\autotimesvc is added in v1909 cumulative update.::NT SERVICE\autotimesvc
+V-220891::OverrideExportAddressFilter: False::OverrideEnableExportAddressFilter: False
+V-220891::OverrideExportAddressFilterPlus: False::OverrideEnableExportAddressFilterPlus: False
+V-220891::OverrideImportAddressFilter: False::OverrideEnableImportAddressFilter: False
+V-220922::*::HardCodedRule(RegistryRule)@{DscResource = 'Registry'; Ensure = 'Present'; Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; ValueName = 'LegalNoticeCaption'; ValueType = 'String'; ValueData = $null; OrganizationValueTestString = "'{0}' -match '^(DoD Notice and Consent Banner|US Department of Defense Warning Statement)$'"}
+V-220921::assistants.  Such communications and work product are private and confidential.  See::assistants. Such communications and work product are private and confidential. See
diff --git a/source/StigData/Archive/Windows.Client/U_MS_Windows_10_STIG_V2R2_Manual-xccdf.xml b/source/StigData/Archive/Windows.Client/U_MS_Windows_10_STIG_V2R2_Manual-xccdf.xml
diff --git a/source/StigData/Processed/WindowsClient-10-1.23.org.default.xml b/source/StigData/Processed/WindowsClient-10-1.23.org.default.xml
diff --git a/source/StigData/Processed/WindowsClient-10-2.2.org.default.xml b/source/StigData/Processed/WindowsClient-10-2.2.org.default.xml
@@ -0,0 +1,83 @@
+<!--
+    The organizational settings file is used to define the local organizations
+    preferred setting within an allowed range of the STIG.
+
+    Each setting in this file is linked by STIG ID and the valid range is in an
+    associated comment.
+-->
+<OrganizationalSettings fullversion="2.2">
+  <!-- Ensure ValueData is set to 0x00000006 (6) or greater -->
+  <OrganizationalSetting id="V-220704" ValueData="" />
+  <!-- Ensure ''V-220739'' -ge '15' -or ''V-220739'' -eq '0'-->
+  <OrganizationalSetting id="V-220739" PolicyValue="15" />
+  <!-- Ensure ''V-220740'' -le '3' -and ''V-220740'' -ne '0'-->
+  <OrganizationalSetting id="V-220740" PolicyValue="3" />
+  <!-- Ensure ''V-220741'' -ge '15'-->
+  <OrganizationalSetting id="V-220741" PolicyValue="15" />
+  <!-- Ensure ''V-220742'' -ge '24'-->
+  <OrganizationalSetting id="V-220742" PolicyValue="24" />
+  <!-- Ensure ''V-220743'' -le '60' -and ''V-220743'' -ne '0'-->
+  <OrganizationalSetting id="V-220743" PolicyValue="30" />
+  <!-- Ensure ''V-220744'' -ge '1'-->
+  <OrganizationalSetting id="V-220744" PolicyValue="1" />
+  <!-- Ensure ''V-220745'' -ge '14'-->
+  <OrganizationalSetting id="V-220745" PolicyValue="14" />
+  <!-- Ensure ''V-220779'' -ge '32768'-->
+  <OrganizationalSetting id="V-220779" ValueData="32768" />
+  <!-- Ensure ''V-220780'' -ge '1024000'-->
+  <OrganizationalSetting id="V-220780" ValueData="1024000" />
+  <!-- Ensure ''V-220781'' -ge '32768'-->
+  <OrganizationalSetting id="V-220781" ValueData="32768" />
+  <!-- Ensure ''V-220806'' -match '1|ShouldBeAbsent'-->
+  <OrganizationalSetting id="V-220806" ValueData="1" />
+  <!-- Ensure ''V-220811.b'' -match '1|3'-->
+  <OrganizationalSetting id="V-220811.b" ValueData="1" />
+  <!-- Ensure ''V-220813'' -match '1|3|8'-->
+  <OrganizationalSetting id="V-220813" ValueData="1" />
+  <!-- Ensure ''V-220818'' -match '1|ShouldBeAbsent'-->
+  <OrganizationalSetting id="V-220818" ValueData="1" />
+  <!-- Ensure 'V-220836.b' -eq 1|2-->
+  <OrganizationalSetting id="V-220836.b" ValueData="1" />
+  <!-- Ensure ''V-220837'' -match '0|ShouldBeAbsent'-->
+  <OrganizationalSetting id="V-220837" ValueData="0" />
+  <!-- Ensure ''V-220838'' -match '0|ShouldBeAbsent'-->
+  <OrganizationalSetting id="V-220838" ValueData="0" />
+  <!-- Ensure ''V-220839'' -match '0|ShouldBeAbsent'-->
+  <OrganizationalSetting id="V-220839" ValueData="0" />
+  <!-- Ensure ''V-220847'' -ge '6'-->
+  <OrganizationalSetting id="V-220847" ValueData="6" />
+  <!-- Ensure ''V-220854'' -match '0|ShouldBeAbsent'-->
+  <OrganizationalSetting id="V-220854" ValueData="0" />
+  <!-- Ensure ''V-220858'' -match '0|ShouldBeAbsent'-->
+  <OrganizationalSetting id="V-220858" ValueData="0" />
+  <!-- Ensure location for DoD Root CA 2 certificate is present-->
+  <OrganizationalSetting id="V-220903.a" Location="" />
+  <!-- Ensure location for DoD Root CA 3 certificate is present-->
+  <OrganizationalSetting id="V-220903.b" Location="" />
+  <!-- Ensure location for DoD Root CA 4 certificate is present-->
+  <OrganizationalSetting id="V-220903.c" Location="" />
+  <!-- Ensure location for DoD Root CA 5 certificate is present-->
+  <OrganizationalSetting id="V-220903.d" Location="" />
+  <!-- Ensure location for DoD Interoperability Root CA 2 certificate is present-->
+  <OrganizationalSetting id="V-220905.a" Location="" />
+  <!-- Ensure location for DoD Interoperability Root CA 1 certificate is present-->
+  <OrganizationalSetting id="V-220905.b" Location="" />
+  <!-- Ensure location for US DoD CCEB Interoperability Root CA 2 certificate is present-->
+  <OrganizationalSetting id="V-220906" Location="" />
+  <!-- Ensure ''V-220911'' -ne 'Administrator'-->
+  <OrganizationalSetting id="V-220911" OptionValue="" />
+  <!-- Ensure ''V-220912'' -ne 'Guest'-->
+  <OrganizationalSetting id="V-220912" OptionValue="" />
+  <!-- Ensure ''V-220918'' -le '30' -and ''V-220918'' -gt '0'-->
+  <OrganizationalSetting id="V-220918" ValueData="30" />
+  <!-- Ensure ''V-220920'' -le '900' -and ''V-220920'' -gt '0'-->
+  <OrganizationalSetting id="V-220920" ValueData="450" />
+  <!-- Ensure ''V-220922'' -match '^(DoD Notice and Consent Banner|US Department of Defense Warning Statement)$'-->
+  <OrganizationalSetting id="V-220922" ValueData="US Department of Defense Warning Statement" />
+  <!-- Ensure ''V-220923'' -le '10'-->
+  <OrganizationalSetting id="V-220923" ValueData="10" />
+  <!-- Ensure ''V-220924'' -match '1|2'-->
+  <OrganizationalSetting id="V-220924" ValueData="1" />
+  <!-- Ensure ''V-220955'' -match '2|ShouldBeAbsent'-->
+  <OrganizationalSetting id="V-220955" ValueData="2" />
+</OrganizationalSettings>