
IIS Server 10.0 STIG hardening rule V-100163 fails with error in Windows Server 2019 while using PowerSTIG 4.4.2 #673

Closed
kmsarfraz opened this issue Jul 18, 2020 · 1 comment · Fixed by #689

kmsarfraz commented Jul 18, 2020

Describe the bug
IIS Server 10.0 STIG hardening rule V-100163 fails with error in Windows Server 2019 while using PowerSTIG 4.4.2

To Reproduce

  1. Create configuration file targeting IIS 10.0 without skipping any STIG rules implemented in PowerSTIG 4.4.2.
  2. Start DSC configuration using the MOF file generated by executing the configuration created in a Windows Server 2019 with IIS roles installed.
  3. STIG rule V-100163 fails to configure with the errors below:

VERBOSE: [WIN-IC52FTLINFF]: [[NTFSAccessEntry][V-100163][medium][SRG-APP-000340-WSR-000029]::[IisServer]BaseLine] > AccessControlType : 'Allow'
VERBOSE: [WIN-IC52FTLINFF]: [[NTFSAccessEntry][V-100163][medium][SRG-APP-000340-WSR-000029]::[IisServer]BaseLine] > FileSystemRights : 'ReadAndExecute, Synchronize'
VERBOSE: [WIN-IC52FTLINFF]: [[NTFSAccessEntry][V-100163][medium][SRG-APP-000340-WSR-000029]::[IisServer]BaseLine] > InheritanceFlags : 'None'
VERBOSE: [WIN-IC52FTLINFF]: [[NTFSAccessEntry][V-100163][medium][SRG-APP-000340-WSR-000029]::[IisServer]BaseLine] > PropagationFlags : 'None'
Exception calling "AddAccessRule" with "1" argument(s): "Some or all identity references could not be translated."
+ CategoryInfo : NotSpecified: (:) [], CimException
+ FullyQualifiedErrorId : IdentityNotMappedException
+ PSComputerName : localhost
Exception calling "AddAccessRule" with "1" argument(s): "Some or all identity references could
not be translated."
+ CategoryInfo : NotSpecified: (:) [], CimException
+ FullyQualifiedErrorId : IdentityNotMappedException
+ PSComputerName : localhost

VERBOSE: [WIN-IC52FTLINFF]: [[NTFSAccessEntry][V-100163][medium][SRG-APP-000340-WSR-000029]::[IisServer]BaseLine] Adding access rule:
VERBOSE: [WIN-IC52FTLINFF]: [[NTFSAccessEntry][V-100163][medium][SRG-APP-000340-WSR-000029]::[IisServer]BaseLine] > Path : 'C:\inetpub'
VERBOSE: [WIN-IC52FTLINFF]: [[NTFSAccessEntry][V-100163][medium][SRG-APP-000340-WSR-000029]::[IisServer]BaseLine] > IdentityReference : 'APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES'
VERBOSE: [WIN-IC52FTLINFF]: [[NTFSAccessEntry][V-100163][medium][SRG-APP-000340-WSR-000029]::[IisServer]BaseLine] > AccessControlType : 'Allow'
VERBOSE: [WIN-IC52FTLINFF]: [[NTFSAccessEntry][V-100163][medium][SRG-APP-000340-WSR-000029]::[IisServer]BaseLine] > FileSystemRights : 'ReadAndExecute, Synchronize'
VERBOSE: [WIN-IC52FTLINFF]: [[NTFSAccessEntry][V-100163][medium][SRG-APP-000340-WSR-000029]::[IisServer]BaseLine] > InheritanceFlags : 'None'
VERBOSE: [WIN-IC52FTLINFF]: [[NTFSAccessEntry][V-100163][medium][SRG-APP-000340-WSR-000029]::[IisServer]BaseLine] > PropagationFlags : 'None'
Exception calling "AddAccessRule" with "1" argument(s): "Some or all identity references could not be translated."
+ CategoryInfo : NotSpecified: (:) [], CimException
+ FullyQualifiedErrorId : IdentityNotMappedException
+ PSComputerName : localhost
Exception calling "AddAccessRule" with "1" argument(s): "Some or all identity references could
not be translated."
+ CategoryInfo : NotSpecified: (:) [], CimException
+ FullyQualifiedErrorId : IdentityNotMappedException
+ PSComputerName : localhost

VERBOSE: [WIN-IC52FTLINFF]: [[NTFSAccessEntry][V-100163][medium][SRG-APP-000340-WSR-000029]::[IisServer]BaseLine] Adding access rule:
VERBOSE: [WIN-IC52FTLINFF]: [[NTFSAccessEntry][V-100163][medium][SRG-APP-000340-WSR-000029]::[IisServer]BaseLine] > Path : 'C:\inetpub'
VERBOSE: [WIN-IC52FTLINFF]: [[NTFSAccessEntry][V-100163][medium][SRG-APP-000340-WSR-000029]::[IisServer]BaseLine] > IdentityReference : 'BUILTIN\Users'
VERBOSE: [WIN-IC52FTLINFF]: [[NTFSAccessEntry][V-100163][medium][SRG-APP-000340-WSR-000029]::[IisServer]BaseLine] > AccessControlType : 'Allow'
VERBOSE: [WIN-IC52FTLINFF]: [[NTFSAccessEntry][V-100163][medium][SRG-APP-000340-WSR-000029]::[IisServer]BaseLine] > FileSystemRights : 'ReadAndExecute, Synchronize'
VERBOSE: [WIN-IC52FTLINFF]: [[NTFSAccessEntry][V-100163][medium][SRG-APP-000340-WSR-000029]::[IisServer]BaseLine] > InheritanceFlags : 'None'
VERBOSE: [WIN-IC52FTLINFF]: [[NTFSAccessEntry][V-100163][medium][SRG-APP-000340-WSR-000029]::[IisServer]BaseLine] > PropagationFlags : 'None'
VERBOSE: [WIN-IC52FTLINFF]: [[NTFSAccessEntry][V-100163][medium][SRG-APP-000340-WSR-000029]::[IisServer]BaseLine] Adding access rule:
VERBOSE: [WIN-IC52FTLINFF]: [[NTFSAccessEntry][V-100163][medium][SRG-APP-000340-WSR-000029]::[IisServer]BaseLine] > Path : 'C:\inetpub'
VERBOSE: [WIN-IC52FTLINFF]: [[NTFSAccessEntry][V-100163][medium][SRG-APP-000340-WSR-000029]::[IisServer]BaseLine] > IdentityReference : 'CREATOR OWNER'
VERBOSE: [WIN-IC52FTLINFF]: [[NTFSAccessEntry][V-100163][medium][SRG-APP-000340-WSR-000029]::[IisServer]BaseLine] > AccessControlType : 'Allow'
VERBOSE: [WIN-IC52FTLINFF]: [[NTFSAccessEntry][V-100163][medium][SRG-APP-000340-WSR-000029]::[IisServer]BaseLine] > FileSystemRights : 'FullControl'
VERBOSE: [WIN-IC52FTLINFF]: [[NTFSAccessEntry][V-100163][medium][SRG-APP-000340-WSR-000029]::[IisServer]BaseLine] > InheritanceFlags : 'ContainerInherit, ObjectInherit'
VERBOSE: [WIN-IC52FTLINFF]: [[NTFSAccessEntry][V-100163][medium][SRG-APP-000340-WSR-000029]::[IisServer]BaseLine] > PropagationFlags : 'InheritOnly'
VERBOSE: [WIN-IC52FTLINFF]: LCM: [ End Set ] [[NTFSAccessEntry][V-100163][medium][SRG-APP-000340-WSR-000029]::[IisServer]BaseLine] in 0.4850 seconds.
The PowerShell DSC resource '[NTFSAccessEntry][V-100163][medium][SRG-APP-000340-WSR-000029]::[IisServer]BaseLine' with
SourceInfo 'C:\Program Files\WindowsPowerShell\Modules\PowerStig\4.4.2\DSCResources\Resources\windows.AccessControl.ps1:
:66::13::NTFSAccessEntry' threw one or more non-terminating errors while running the Set-TargetResource functionality.
These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more
details.
+ CategoryInfo : InvalidOperation: (:) [], CimException
+ FullyQualifiedErrorId : NonTerminatingErrorFromProvider
+ PSComputerName : localhost
The PowerShell DSC resource
'[NTFSAccessEntry][V-100163][medium][SRG-APP-000340-WSR-000029]::[IisServer]BaseLine' with
SourceInfo 'C:\Program Files\WindowsPowerShell\Modules\PowerStig\4.4.2\DSCResources\Resources\windows.AccessControl.ps1::66::13::NTFSAccessEntry' threw one or more non-terminating errors while
running the Set-TargetResource functionality. These errors are logged to the ETW channel called
Microsoft-Windows-DSC/Operational. Refer to this channel for more details.
+ CategoryInfo : InvalidOperation: (:) [], CimException
+ FullyQualifiedErrorId : NonTerminatingErrorFromProvider
+ PSComputerName : localhost

VERBOSE: [WIN-IC52FTLINFF]: LCM: [ Start Resource ] [[Registry][V-100177.a][high][SRG-APP-000439-WSR-000156]::[IisServer]BaseLine]
VERBOSE: [WIN-IC52FTLINFF]: LCM: [ Start Test ] [[Registry][V-100177.a][high][SRG-APP-000439-WSR-000156]::[IisServer]BaseLine]
VERBOSE: [WIN-IC52FTLINFF]: [[Registry][V-100177.a][high][SRG-APP-000439-WSR-000156]::[IisServer]BaseLine] Test-TargetResource is starting for Registry resource with Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server
VERBOSE: [WIN-IC52FTLINFF]: [[Registry][V-100177.a][high][SRG-APP-000439-WSR-000156]::[IisServer]BaseLine] Get-TargetResource is starting for Registry resource with Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server
VERBOSE: [WIN-IC52FTLINFF]: [[Registry][V-100177.a][high][SRG-APP-000439-WSR-000156]::[IisServer]BaseLine] The registry key at path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server exists.
VERBOSE: [WIN-IC52FTLINFF]: [[Registry][V-100177.a][high][SRG-APP-000439-WSR-000156]::[IisServer]BaseLine] The registry key at path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server has a value named DisabledByDefault.
VERBOSE: [WIN-IC52FTLINFF]: [[Registry][V-100177.a][high][SRG-APP-000439-WSR-000156]::[IisServer]BaseLine] Get-TargetResource has finished for Registry resource with Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server
VERBOSE: [WIN-IC52FTLINFF]: [[Registry][V-100177.a][high][SRG-APP-000439-WSR-000156]::[IisServer]BaseLine] The registry key at path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server has a value named DisabledByDefault.
VERBOSE: [WIN-IC52FTLINFF]: [[Registry][V-100177.a][high][SRG-APP-000439-WSR-000156]::[IisServer]BaseLine] Test-TargetResource has finished for Registry resource with Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server
VERBOSE: [WIN-IC52FTLINFF]: LCM: [ End Test ] [[Registry][V-100177.a][high][SRG-APP-000439-WSR-000156]::[IisServer]BaseLine] in 0.4060 seconds.
Expected behavior
Configuration should get applied without any error.

Screenshots

Additional context

@kmsarfraz kmsarfraz changed the title from "IIS Server 10.0 STIG hardening rule V-100163 fails with error in Windows Server 2019 in PowerSTIG 4.4.2" to "IIS Server 10.0 STIG hardening rule V-100163 fails with error in Windows Server 2019 while using PowerSTIG 4.4.2" Jul 18, 2020
@bcwilhite bcwilhite self-assigned this Jul 20, 2020

bcwilhite commented Jul 20, 2020

Hi @kmsarfraz, this is actually a Win32 API bug. The bug is exposed in the AccessControlDsc resource and not in PowerSTIG; however, we'll keep this open here for tracking purposes for now.

For more context, you can reference this discussion on GitHub:
PowerShell/Win32-OpenSSH#750

I will open an issue on AccessControlDsc and look to come up with a work around.

Linked issue:
mcollera/AccessControlDsc#58
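The IdentityNotMappedException in the log above is raised when AddAccessRule tries to translate the account name 'APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES' into a SID. As an added example, not code from PowerSTIG, AccessControlDsc or this thread, the PowerShell below reproduces that translation step in isolation and, when it fails, falls back to the group's documented well-known SID (S-1-15-2-2; S-1-15-2-1 for ALL APPLICATION PACKAGES) so the access rule is built from a SecurityIdentifier that needs no name lookup. The function names, the fallback table and the Get-Acl/Set-Acl round-trip are this example's own assumptions about a workaround, not the fix the modules adopted; the entry it applies mirrors the V-100163 ACE on C:\inetpub shown in the log.

```powershell
# Added example (not PowerSTIG or AccessControlDsc code). Run elevated on a
# Windows host; the fallback table is this example's assumption.

# Well-known SIDs for the two app-container groups (documented Windows values).
$WellKnownSids = @{
    'APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES'            = 'S-1-15-2-1'
    'APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES' = 'S-1-15-2-2'
}

function Resolve-IdentityReference {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Name)

    # Same name -> SID translation AddAccessRule performs when handed an NTAccount.
    $account = [System.Security.Principal.NTAccount]::new($Name)
    try {
        return $account.Translate([System.Security.Principal.SecurityIdentifier])
    }
    catch [System.Security.Principal.IdentityNotMappedException] {
        # The failure from the issue: the name is valid but cannot be mapped on
        # this host. Use the documented SID if the name is one we know.
        if ($WellKnownSids.ContainsKey($Name)) {
            Write-Verbose "'$Name' could not be translated; using SID $($WellKnownSids[$Name])"
            return [System.Security.Principal.SecurityIdentifier]::new($WellKnownSids[$Name])
        }
        throw   # unknown name: surface the original exception, do not guess
    }
}

function Set-RuleBySid {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights = 'ReadAndExecute, Synchronize',
        [System.Security.AccessControl.InheritanceFlags]$Inheritance = 'None',
        [System.Security.AccessControl.PropagationFlags]$Propagation = 'None'
    )

    $sid = Resolve-IdentityReference -Name $Identity

    # A rule built from a SecurityIdentifier carries no name to translate, so
    # AddAccessRule cannot hit IdentityNotMappedException here.
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $sid, $Rights, $Inheritance, $Propagation,
        [System.Security.AccessControl.AccessControlType]::Allow)

    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl

    # Verify by SID rather than by name, for the same reason the name lookup failed.
    $applied = (Get-Acl -Path $Path).GetAccessRules($true, $false,
        [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $sid -and
                       $_.AccessControlType -eq 'Allow' -and
                       ($_.FileSystemRights -band $Rights) -eq $Rights }
    [bool]$applied
}

# Usage, mirroring the V-100163 entry that failed in the log above:
Set-RuleBySid -Path 'C:\inetpub' `
    -Identity 'APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES' -Verbose
```

Resolve-IdentityReference shows where the error originates: run it alone against the two names in the table and the one that throws on your host is the one the DSC resource cannot apply. Set-RuleBySid returns $true only when an explicit Allow ACE for the resolved SID with at least the requested rights is present afterwards, which is the check to keep in a compliance report until the upstream resource handles the translation itself.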
