V-93025.rb
control 'V-93025' do
  title "Windows Server 2019 default permissions for the HKEY_LOCAL_MACHINE
  registry hive must be maintained."
  desc "The registry is integral to the function, security, and stability of
  the Windows system. Changing the system's registry permissions allows the
  possibility of unauthorized and anonymous modification to the operating system."
  desc 'rationale', ''
  desc 'check', "Review the registry permissions for the keys of the HKEY_LOCAL_MACHINE hive
  noted below.
  If any non-privileged groups such as Everyone, Users, or Authenticated
  Users have greater than Read permission, this is a finding.
  If permissions are not as restrictive as the default permissions listed
  below, this is a finding:
  Run \"Regedit\".
  Right-click on the registry areas noted below.
  Select \"Permissions\" and the \"Advanced\" button.
  HKEY_LOCAL_MACHINE\\SECURITY
  Type - \"Allow\" for all
  Inherited from - \"None\" for all
  Principal - Access - Applies to
  SYSTEM - Full Control - This key and subkeys
  Administrators - Special - This key and subkeys
  HKEY_LOCAL_MACHINE\\SOFTWARE
  Type - \"Allow\" for all
  Inherited from - \"None\" for all
  Principal - Access - Applies to
  Users - Read - This key and subkeys
  Administrators - Full Control - This key and subkeys
  SYSTEM - Full Control - This key and subkeys
  CREATOR OWNER - Full Control - This key and subkeys
  ALL APPLICATION PACKAGES - Read - This key and subkeys
  HKEY_LOCAL_MACHINE\\SYSTEM
  Type - \"Allow\" for all
  Inherited from - \"None\" for all
  Principal - Access - Applies to
  Users - Read - This key and subkeys
  Administrators - Full Control - This key and subkeys
  SYSTEM - Full Control - This key and subkeys
  CREATOR OWNER - Full Control - Subkeys only
  ALL APPLICATION PACKAGES - Read - This key and subkeys
  Other examples under the noted keys may also be sampled. There may be some
  instances where non-privileged groups have greater than Read permission.
  Microsoft has given Read permission to the SOFTWARE and SYSTEM registry
  keys in Windows Server 2019 to the following SID; this is currently not a
  finding.
  S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681
  If the defaults have not been changed, these are not a finding."
  desc 'fix', "
  Maintain the default permissions for the HKEY_LOCAL_MACHINE registry hive.
  The default permissions of the higher-level keys are noted below.
  HKEY_LOCAL_MACHINE\\SECURITY
  Type - \"Allow\" for all
  Inherited from - \"None\" for all
  Principal - Access - Applies to
  SYSTEM - Full Control - This key and subkeys
  Administrators - Special - This key and subkeys
  HKEY_LOCAL_MACHINE\\SOFTWARE
  Type - \"Allow\" for all
  Inherited from - \"None\" for all
  Principal - Access - Applies to
  Users - Read - This key and subkeys
  Administrators - Full Control - This key and subkeys
  SYSTEM - Full Control - This key and subkeys
  CREATOR OWNER - Full Control - This key and subkeys
  ALL APPLICATION PACKAGES - Read - This key and subkeys
  HKEY_LOCAL_MACHINE\\SYSTEM
  Type - \"Allow\" for all
  Inherited from - \"None\" for all
  Principal - Access - Applies to
  Users - Read - This key and subkeys
  Administrators - Full Control - This key and subkeys
  SYSTEM - Full Control - This key and subkeys
  CREATOR OWNER - Full Control - Subkeys only
  ALL APPLICATION PACKAGES - Read - This key and subkeys
  Microsoft has also given Read permission to the SOFTWARE and SYSTEM
  registry keys in Windows Server 2019 to the following SID.
  S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681"
  impact 0.5
  tag 'severity': nil
  tag 'gtitle': 'SRG-OS-000324-GPOS-00125'
  tag 'gid': 'V-93025'
  tag 'rid': 'SV-103113r1_rule'
  tag 'stig_id': 'WN19-00-000170'
  tag 'fix_id': 'F-99271r1_fix'
  tag 'cci': ['CCI-002235']
  tag 'nist': ['AC-6 (10)', 'Rev_4']

  # WMI DomainRole: 4 = backup domain controller, 5 = primary domain controller.
  # Domain controllers are compared only on the SYSTEM hive, against a DC-specific
  # expected ACL; member servers are compared on SOFTWARE, SECURITY and SYSTEM.
  # Each check is an exact, line-by-line comparison of Get-Acl's AccessToString
  # output with the expected list supplied as a profile input.
  domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip
  if domain_role == '4' || domain_role == '5'
    hklm_system = powershell('(Get-Acl -Path HKLM:System).AccessToString').stdout.lines.collect(&:strip)
    describe 'Registry Key System permissions are set correctly on folder structure' do
      subject { hklm_system.eql? input('reg_system_perms_dc') }
      it { should eq true }
    end
  else
    hklm_software = powershell('(Get-Acl -Path HKLM:Software).AccessToString').stdout.lines.collect(&:strip)
    describe 'Registry Key Software permissions are set correctly on folder structure' do
      subject { hklm_software.eql? input('reg_software_perms') }
      it { should eq true }
    end
    hklm_security = powershell('(Get-Acl -Path HKLM:Security).AccessToString').stdout.lines.collect(&:strip)
    describe 'Registry Key Security permissions are set correctly on folder structure' do
      subject { hklm_security.eql? input('reg_security_perms') }
      it { should eq true }
    end
    hklm_system = powershell('(Get-Acl -Path HKLM:System).AccessToString').stdout.lines.collect(&:strip)
    describe 'Registry Key System permissions are set correctly on folder structure' do
      subject { hklm_system.eql? input('reg_system_perms') }
      it { should eq true }
    end
  end
end
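The control above passes or fails on an exact match between `AccessToString` output and an expected list, so it cannot say which principal is out of line. The check text states the actual condition: a non-privileged group (Everyone, Users, Authenticated Users) holding more than Read. The following is an added example, not part of this control or its profile, that parses the same `AccessToString` line format (assumed here to be `<identity> <Allow|Deny>  <rights>`, as .NET's `RegistrySecurity` renders it) and reports only the ACEs that violate that rule. The `SAMPLE_ACL` text is constructed to mirror the SOFTWARE defaults listed in the check, including the Read-only SID the STIG exempts; it was not captured from a host.

```ruby
# Added example: evaluate Get-Acl AccessToString lines against the STIG rule
# "non-privileged groups must not have more than Read". Constructed sample
# input, not output captured from a real system.
SAMPLE_ACL = <<~'ACL'
  CREATOR OWNER Allow  FullControl
  NT AUTHORITY\SYSTEM Allow  FullControl
  BUILTIN\Administrators Allow  FullControl
  BUILTIN\Users Allow  ReadKey
  APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow  ReadKey
  S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681 Allow  ReadKey
ACL

# Groups the check text names as non-privileged, matched on the account name
# after the authority prefix (so "BUILTIN\Users" and "Users" both match).
NON_PRIVILEGED = ['everyone', 'users', 'authenticated users'].freeze

# RegistryRights that make up ReadKey; any other right is "greater than Read".
READ_ONLY_RIGHTS = %w[ReadKey QueryValues EnumerateSubKeys Notify ReadPermissions].freeze

# One ACE per line: "<identity> <Allow|Deny>  <right>[, <right>...]" (assumed format).
ACE_LINE = /\A(?<identity>.+?)\s+(?<type>Allow|Deny)\s+(?<rights>.+)\z/

# Turn the multi-line AccessToString text into an array of ACE hashes.
def parse_access_string(text)
  text.lines.map(&:strip).reject(&:empty?).map do |line|
    m = ACE_LINE.match(line)
    raise ArgumentError, "unparseable ACE line: #{line.inspect}" unless m

    { identity: m[:identity], type: m[:type], rights: m[:rights].split(/,\s*/) }
  end
end

def non_privileged?(identity)
  NON_PRIVILEGED.include?(identity.split('\\').last.downcase)
end

# Rights that are not part of ReadKey. A right rendered as a bare integer
# (a generic-rights ACE) is not in READ_ONLY_RIGHTS and so is kept here,
# which surfaces it for manual review rather than silently accepting it.
def excess_rights(rights)
  rights.reject { |r| READ_ONLY_RIGHTS.include?(r) }
end

# Allow ACEs for non-privileged groups that grant more than Read. Deny ACEs
# grant nothing and are skipped.
def excessive_access(aces)
  aces.select { |ace| ace[:type] == 'Allow' && non_privileged?(ace[:identity]) }
      .map { |ace| ace.merge(excess: excess_rights(ace[:rights])) }
      .reject { |ace| ace[:excess].empty? }
end

if __FILE__ == $PROGRAM_NAME
  findings = excessive_access(parse_access_string(SAMPLE_ACL))
  if findings.empty?
    puts 'no finding: non-privileged groups hold Read only'
  else
    findings.each { |f| puts "finding: #{f[:identity]} holds #{f[:excess].join(', ')}" }
  end
end
```

On a live host the text fed to `parse_access_string` would come from the same `powershell('(Get-Acl -Path HKLM:Software).AccessToString').stdout` call the control uses; the exact-match comparison in the control can stay as the strict gate, with this rule-based pass giving the analyst the principal and right to look at when it fails.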