diff --git a/Gemfile.lock b/Gemfile.lock new file mode 100644 index 0000000..c9fa266 --- /dev/null +++ b/Gemfile.lock 
@@ -0,0 +1,818 @@ +GEM + remote: https://rubygems.org/ + specs: + activesupport (7.0.8.4) + concurrent-ruby (~> 1.0, >= 1.0.2) + i18n (>= 1.6, < 2) + minitest (>= 5.1) + tzinfo (~> 2.0) + addressable (2.8.7) + public_suffix (>= 2.0.2, < 7.0) + ast (2.4.2) + aws-eventstream (1.3.0) + aws-partitions (1.863.0) + aws-sdk-accessanalyzer (1.44.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-account (1.20.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-alexaforbusiness (1.67.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-amplify (1.54.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-apigateway (1.90.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-apigatewayv2 (1.53.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-applicationautoscaling (1.79.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-athena (1.79.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-autoscaling (1.102.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-batch (1.79.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-budgets (1.62.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-cloudformation (1.97.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-cloudfront (1.86.1) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-cloudhsm (1.50.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-cloudhsmv2 (1.53.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-cloudtrail (1.74.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-cloudwatch (1.83.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-cloudwatchevents (1.69.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-cloudwatchlogs (1.77.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-codecommit (1.62.0) + aws-sdk-core (~> 3, >= 
3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-codedeploy (1.62.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-codepipeline (1.67.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-cognitoidentity (1.51.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-cognitoidentityprovider (1.85.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-configservice (1.103.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-core (3.190.3) + aws-eventstream (~> 1, >= 1.3.0) + aws-partitions (~> 1, >= 1.651.0) + aws-sigv4 (~> 1.8) + jmespath (~> 1, >= 1.6.1) + aws-sdk-costandusagereportservice (1.53.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-databasemigrationservice (1.91.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-dynamodb (1.98.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-ec2 (1.429.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-ecr (1.68.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-ecrpublic (1.25.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-ecs (1.135.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-efs (1.71.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-eks (1.95.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-elasticache (1.95.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-elasticbeanstalk (1.63.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-elasticloadbalancing (1.51.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-elasticloadbalancingv2 (1.96.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-elasticsearchservice (1.79.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-emr (1.81.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-eventbridge (1.54.0) + aws-sdk-core (~> 3, >= 3.188.0) + 
aws-sigv4 (~> 1.1) + aws-sdk-firehose (1.60.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-glue (1.165.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-guardduty (1.85.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-iam (1.92.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-kafka (1.67.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-kinesis (1.54.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-kms (1.76.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-lambda (1.113.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-macie2 (1.64.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-mq (1.58.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-networkfirewall (1.39.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-networkmanager (1.40.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-organizations (1.83.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-ram (1.52.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-rds (1.208.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-redshift (1.107.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-route53 (1.83.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-route53domains (1.54.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-route53resolver (1.51.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-s3 (1.141.0) + aws-sdk-core (~> 3, >= 3.189.0) + aws-sdk-kms (~> 1) + aws-sigv4 (~> 1.8) + aws-sdk-s3control (1.74.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-secretsmanager (1.87.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-securityhub (1.98.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-servicecatalog (1.90.0) + aws-sdk-core 
(~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-ses (1.58.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-shield (1.60.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-signer (1.50.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-simpledb (1.42.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv2 (~> 1.0) + aws-sdk-sms (1.52.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-sns (1.70.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-sqs (1.69.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-ssm (1.162.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-states (1.63.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-synthetics (1.39.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-transfer (1.86.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-waf (1.58.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sdk-wafv2 (1.74.0) + aws-sdk-core (~> 3, >= 3.188.0) + aws-sigv4 (~> 1.1) + aws-sigv2 (1.2.0) + aws-sigv4 (1.8.0) + aws-eventstream (~> 1, >= 1.0.2) + azure_graph_rbac (0.17.2) + ms_rest_azure (~> 0.12.0) + azure_mgmt_key_vault (0.17.7) + ms_rest_azure (~> 0.12.0) + azure_mgmt_resources (0.18.2) + ms_rest_azure (~> 0.12.0) + azure_mgmt_security (0.19.0) + ms_rest_azure (~> 0.12.0) + azure_mgmt_storage (0.23.0) + ms_rest_azure (~> 0.12.0) + base64 (0.2.0) + bcrypt_pbkdf (1.1.1-arm64-darwin) + bigdecimal (3.1.8) + bson (4.15.0) + builder (3.3.0) + byebug (11.1.3) + chef-config (18.5.0) + addressable + chef-utils (= 18.5.0) + fuzzyurl + mixlib-config (>= 2.2.12, < 4.0) + mixlib-shellout (>= 2.0, < 4.0) + tomlrb (~> 1.2) + chef-licensing (1.0.0) + activesupport (~> 7.0, < 7.1) + chef-config (>= 15) + faraday (>= 1, < 3) + faraday-http-cache + tty-prompt (~> 0.23) + tty-spinner (~> 0.9.3) + chef-telemetry (1.1.1) + chef-config + concurrent-ruby (~> 1.0) + chef-utils (18.5.0) + 
concurrent-ruby + coderay (1.1.3) + concurrent-ruby (1.3.3) + cookstyle (7.32.8) + rubocop (= 1.25.1) + declarative (0.0.20) + diff-lcs (1.5.1) + docker-api (2.3.0) + excon (>= 0.64.0) + multi_json + domain_name (0.6.20240107) + dry-configurable (1.2.0) + dry-core (~> 1.0, < 2) + zeitwerk (~> 2.6) + dry-core (1.0.1) + concurrent-ruby (~> 1.0) + zeitwerk (~> 2.6) + dry-inflector (1.1.0) + dry-logic (1.5.0) + concurrent-ruby (~> 1.0) + dry-core (~> 1.0, < 2) + zeitwerk (~> 2.6) + dry-struct (1.6.0) + dry-core (~> 1.0, < 2) + dry-types (>= 1.7, < 2) + ice_nine (~> 0.11) + zeitwerk (~> 2.6) + dry-types (1.7.2) + bigdecimal (~> 3.0) + concurrent-ruby (~> 1.0) + dry-core (~> 1.0) + dry-inflector (~> 1.0) + dry-logic (~> 1.4) + zeitwerk (~> 2.6) + ed25519 (1.3.0) + erubi (1.13.0) + excon (0.111.0) + faraday (1.10.3) + faraday-em_http (~> 1.0) + faraday-em_synchrony (~> 1.0) + faraday-excon (~> 1.1) + faraday-httpclient (~> 1.0) + faraday-multipart (~> 1.0) + faraday-net_http (~> 1.0) + faraday-net_http_persistent (~> 1.0) + faraday-patron (~> 1.0) + faraday-rack (~> 1.0) + faraday-retry (~> 1.0) + ruby2_keywords (>= 0.0.4) + faraday-cookie_jar (0.0.7) + faraday (>= 0.8.0) + http-cookie (~> 1.0.0) + faraday-em_http (1.0.0) + faraday-em_synchrony (1.0.0) + faraday-excon (1.1.0) + faraday-follow_redirects (0.3.0) + faraday (>= 1, < 3) + faraday-http-cache (2.5.1) + faraday (>= 0.8) + faraday-httpclient (1.0.1) + faraday-multipart (1.0.4) + multipart-post (~> 2) + faraday-net_http (1.0.1) + faraday-net_http_persistent (1.2.0) + faraday-patron (1.0.0) + faraday-rack (1.0.0) + faraday-retry (1.0.3) + faraday_middleware (1.0.0) + faraday (~> 1.0) + ffi (1.16.3) + fuzzyurl (0.9.0) + google-apis-admin_directory_v1 (0.46.0) + google-apis-core (>= 0.11.0, < 2.a) + google-apis-cloudkms_v1 (0.41.0) + google-apis-core (>= 0.11.0, < 2.a) + google-apis-cloudresourcemanager_v1 (0.35.0) + google-apis-core (>= 0.11.0, < 2.a) + google-apis-compute_v1 (0.83.0) + google-apis-core (>= 0.11.0, < 
2.a) + google-apis-core (0.11.3) + addressable (~> 2.5, >= 2.5.1) + googleauth (>= 0.16.2, < 2.a) + httpclient (>= 2.8.1, < 3.a) + mini_mime (~> 1.0) + representable (~> 3.0) + retriable (>= 2.0, < 4.a) + rexml + google-apis-iam_v1 (0.50.0) + google-apis-core (>= 0.11.0, < 2.a) + google-apis-monitoring_v3 (0.51.0) + google-apis-core (>= 0.11.0, < 2.a) + google-apis-storage_v1 (0.30.0) + google-apis-core (>= 0.11.0, < 2.a) + googleauth (1.8.1) + faraday (>= 0.17.3, < 3.a) + jwt (>= 1.4, < 3.0) + multi_json (~> 1.11) + os (>= 0.9, < 2.0) + signet (>= 0.16, < 2.a) + gssapi (1.3.1) + ffi (>= 1.0.1) + gyoku (1.4.0) + builder (>= 2.1.2) + rexml (~> 3.0) + hashdiff (1.0.1) + hashie (5.0.0) + highline (3.1.0) + reline + http-cookie (1.0.6) + domain_name (~> 0.5) + httpclient (2.8.3) + i18n (1.14.5) + concurrent-ruby (~> 1.0) + ice_nine (0.11.2) + inifile (3.0.0) + inspec (6.6.0) + cookstyle + faraday_middleware (>= 0.12.2, < 1.1) + inspec-core (= 6.6.0) + mongo (= 2.13.2) + progress_bar (~> 1.3.3) + rake + train (~> 3.10) + train-aws (~> 0.2) + train-habitat (~> 0.1) + train-kubernetes (~> 0.1) + train-winrm (~> 0.2) + inspec-bin (6.6.0) + inspec (= 6.6.0) + inspec-core (6.6.0) + addressable (~> 2.4) + chef-licensing (>= 0.7.5) + chef-telemetry (~> 1.0, >= 1.0.8) + faraday (>= 1, < 3) + faraday-follow_redirects (~> 0.3) + hashie (>= 3.4, < 6.0) + license-acceptance (>= 0.2.13, < 3.0) + method_source (>= 0.8, < 2.0) + mixlib-log (~> 3.0) + multipart-post (~> 2.0) + parallel (~> 1.9) + parslet (>= 1.5, < 2.0) + pry (~> 0.13) + rspec (>= 3.9, <= 3.12) + rspec-its (~> 1.2) + rubyzip (>= 1.2.2, < 3.0) + semverse (~> 3.0) + sslshake (~> 1.2) + thor (>= 0.20, < 1.3.0) + tomlrb (>= 1.2, < 2.1) + train-core (>= 3.11.0) + tty-prompt (~> 0.17) + tty-table (~> 0.10) + io-console (0.7.2) + jmespath (1.6.2) + json (2.7.2) + jsonpath (1.1.5) + multi_json + jwt (2.8.2) + base64 + k8s-ruby (0.16.0) + dry-configurable + dry-struct + dry-types + excon (~> 0.71) + hashdiff (~> 1.0.0) + 
jsonpath (~> 1.1) + recursive-open-struct (~> 1.1.3) + yajl-ruby (~> 1.4.0) + yaml-safe_load_stream3 + kitchen-ansible (0.56.0) + net-ssh (>= 3) + test-kitchen (>= 1.4) + kitchen-docker (3.0.0) + test-kitchen (>= 1.0.0) + kitchen-dokken (2.20.6) + docker-api (>= 1.33, < 3) + lockfile (~> 2.1) + test-kitchen (>= 1.15, < 4) + kitchen-ec2 (3.19.0) + aws-sdk-ec2 (~> 1.0) + retryable (>= 2.0, < 4.0) + test-kitchen (>= 1.4.1, < 4) + kitchen-inspec (2.6.1) + hashie (>= 3.4, <= 5.0) + inspec (>= 2.2.64, < 7.0) + test-kitchen (>= 2.7, < 4) + kitchen-sync (2.2.1) + net-sftp + test-kitchen (>= 1.0.0) + kitchen-vagrant (2.0.1) + test-kitchen (>= 1.4, < 4) + license-acceptance (2.1.13) + pastel (~> 0.7) + tomlrb (>= 1.2, < 3.0) + tty-box (~> 0.6) + tty-prompt (~> 0.20) + little-plugger (1.1.4) + lockfile (2.1.3) + logging (2.4.0) + little-plugger (~> 1.1) + multi_json (~> 1.14) + method_source (1.1.0) + mini_mime (1.1.5) + minitest (5.24.1) + mixlib-config (3.0.27) + tomlrb + mixlib-install (3.12.30) + mixlib-shellout + mixlib-versioning + thor + mixlib-log (3.1.1) + ffi (< 1.17.0) + mixlib-shellout (3.2.8) + chef-utils + mixlib-versioning (1.2.12) + mongo (2.13.2) + bson (>= 4.8.2, < 5.0.0) + ms_rest (0.7.6) + concurrent-ruby (~> 1.0) + faraday (>= 0.9, < 2.0.0) + timeliness (~> 0.3.10) + ms_rest_azure (0.12.0) + concurrent-ruby (~> 1.0) + faraday (>= 0.9, < 2.0.0) + faraday-cookie_jar (~> 0.0.6) + ms_rest (~> 0.7.6) + multi_json (1.15.0) + multipart-post (2.4.1) + net-scp (4.0.0) + net-ssh (>= 2.6.5, < 8.0.0) + net-sftp (4.0.0) + net-ssh (>= 5.0.0, < 8.0.0) + net-ssh (7.2.3) + net-ssh-gateway (2.0.0) + net-ssh (>= 4.0.0) + nori (2.7.0) + bigdecimal + options (2.3.2) + os (1.1.4) + parallel (1.25.1) + parser (3.3.0.5) + ast (~> 2.4.1) + racc + parslet (1.8.2) + pastel (0.8.0) + tty-color (~> 0.5) + progress_bar (1.3.4) + highline (>= 1.6) + options (~> 2.3.0) + pry (0.14.2) + coderay (~> 1.1) + method_source (~> 1.0) + pry-byebug (3.10.1) + byebug (~> 11.0) + pry (>= 0.13, < 
0.15) + public_suffix (6.0.1) + racc (1.8.0) + rainbow (3.1.1) + rake (13.2.1) + recursive-open-struct (1.1.3) + regexp_parser (2.9.2) + reline (0.5.9) + io-console (~> 0.5) + representable (3.2.0) + declarative (< 0.1.0) + trailblazer-option (>= 0.1.1, < 0.2.0) + uber (< 0.2.0) + retriable (3.1.2) + retryable (3.0.5) + rexml (3.3.2) + strscan + rspec (3.12.0) + rspec-core (~> 3.12.0) + rspec-expectations (~> 3.12.0) + rspec-mocks (~> 3.12.0) + rspec-core (3.12.3) + rspec-support (~> 3.12.0) + rspec-expectations (3.12.4) + diff-lcs (>= 1.2.0, < 2.0) + rspec-support (~> 3.12.0) + rspec-its (1.3.0) + rspec-core (>= 3.0.0) + rspec-expectations (>= 3.0.0) + rspec-mocks (3.12.7) + diff-lcs (>= 1.2.0, < 2.0) + rspec-support (~> 3.12.0) + rspec-support (3.12.2) + rubocop (1.25.1) + parallel (~> 1.10) + parser (>= 3.1.0.0) + rainbow (>= 2.2.2, < 4.0) + regexp_parser (>= 1.8, < 3.0) + rexml + rubocop-ast (>= 1.15.1, < 2.0) + ruby-progressbar (~> 1.7) + unicode-display_width (>= 1.4.0, < 3.0) + rubocop-ast (1.31.2) + parser (>= 3.3.0.4) + rubocop-rake (0.6.0) + rubocop (~> 1.0) + ruby-progressbar (1.13.0) + ruby2_keywords (0.0.5) + rubyntlm (0.6.5) + base64 + rubyzip (2.3.2) + semverse (3.0.2) + signet (0.19.0) + addressable (~> 2.8) + faraday (>= 0.17.5, < 3.a) + jwt (>= 1.5, < 3.0) + multi_json (~> 1.10) + sslshake (1.3.1) + strings (0.2.1) + strings-ansi (~> 0.2) + unicode-display_width (>= 1.5, < 3.0) + unicode_utils (~> 1.4) + strings-ansi (0.2.0) + strscan (3.1.0) + test-kitchen (3.6.0) + bcrypt_pbkdf (~> 1.0) + chef-utils (>= 16.4.35) + ed25519 (~> 1.2) + license-acceptance (>= 1.0.11, < 3.0) + mixlib-install (~> 3.6) + mixlib-shellout (>= 1.2, < 4.0) + net-scp (>= 1.1, < 5.0) + net-ssh (>= 2.9, < 8.0) + net-ssh-gateway (>= 1.2, < 3.0) + thor (>= 0.19, < 2.0) + winrm (~> 2.0) + winrm-elevated (~> 1.0) + winrm-fs (~> 1.1) + thor (1.2.2) + timeliness (0.3.10) + tomlrb (1.3.0) + trailblazer-option (0.1.2) + train (3.12.6) + activesupport (>= 6.0.3.1) + azure_graph_rbac 
(~> 0.16) + azure_mgmt_key_vault (~> 0.17) + azure_mgmt_resources (~> 0.15) + azure_mgmt_security (~> 0.18) + azure_mgmt_storage (~> 0.18) + docker-api (>= 1.26, < 3.0) + google-apis-admin_directory_v1 (~> 0.46.0) + google-apis-cloudkms_v1 (~> 0.41.0) + google-apis-cloudresourcemanager_v1 (~> 0.35.0) + google-apis-compute_v1 (~> 0.83.0) + google-apis-iam_v1 (~> 0.50.0) + google-apis-monitoring_v3 (~> 0.51.0) + google-apis-storage_v1 (~> 0.30.0) + googleauth (>= 0.16.2, < 1.9.0) + inifile (~> 3.0) + train-core (= 3.12.6) + train-winrm (~> 0.2) + train-aws (0.2.41) + aws-partitions (~> 1.863.0) + aws-sdk-accessanalyzer (~> 1.44.0) + aws-sdk-account (~> 1.20.0) + aws-sdk-alexaforbusiness (~> 1.67.0) + aws-sdk-amplify (~> 1.54.0) + aws-sdk-apigateway (~> 1.90.0) + aws-sdk-apigatewayv2 (~> 1.53.0) + aws-sdk-applicationautoscaling (~> 1.79.0) + aws-sdk-athena (>= 1.78, < 1.80) + aws-sdk-autoscaling (= 1.102.0) + aws-sdk-batch (~> 1.79.0) + aws-sdk-budgets (~> 1.62.0) + aws-sdk-cloudformation (>= 1.96, < 1.98) + aws-sdk-cloudfront (~> 1.86.0) + aws-sdk-cloudhsm (~> 1.50.0) + aws-sdk-cloudhsmv2 (~> 1.53.0) + aws-sdk-cloudtrail (~> 1.74.0) + aws-sdk-cloudwatch (~> 1.83.0) + aws-sdk-cloudwatchevents (~> 1.69.0) + aws-sdk-cloudwatchlogs (~> 1.75) + aws-sdk-codecommit (~> 1.62.0) + aws-sdk-codedeploy (~> 1.62.0) + aws-sdk-codepipeline (~> 1.67.0) + aws-sdk-cognitoidentity (~> 1.51.0) + aws-sdk-cognitoidentityprovider (~> 1.84) + aws-sdk-configservice (~> 1.103.0) + aws-sdk-core (~> 3.190.0) + aws-sdk-costandusagereportservice (~> 1.53.0) + aws-sdk-databasemigrationservice (~> 1.91.0) + aws-sdk-dynamodb (~> 1.98.0) + aws-sdk-ec2 (>= 1.427, < 1.430) + aws-sdk-ecr (~> 1.68.0) + aws-sdk-ecrpublic (~> 1.25.0) + aws-sdk-ecs (~> 1.135.0) + aws-sdk-efs (~> 1.71.0) + aws-sdk-eks (~> 1.95.0) + aws-sdk-elasticache (~> 1.95.0) + aws-sdk-elasticbeanstalk (~> 1.63.0) + aws-sdk-elasticloadbalancing (~> 1.51.0) + aws-sdk-elasticloadbalancingv2 (~> 1.96.0) + aws-sdk-elasticsearchservice (~> 
1.79.0) + aws-sdk-emr (~> 1.81.0) + aws-sdk-eventbridge (~> 1.54.0) + aws-sdk-firehose (~> 1.60.0) + aws-sdk-glue (~> 1.164) + aws-sdk-guardduty (~> 1.85.0) + aws-sdk-iam (~> 1.92.0) + aws-sdk-kafka (~> 1.67.0) + aws-sdk-kinesis (~> 1.54.0) + aws-sdk-kms (~> 1.74) + aws-sdk-lambda (~> 1.113.0) + aws-sdk-macie2 (~> 1.64.0) + aws-sdk-mq (~> 1.58.0) + aws-sdk-networkfirewall (~> 1.39.0) + aws-sdk-networkmanager (~> 1.40.0) + aws-sdk-organizations (~> 1.83.0) + aws-sdk-ram (~> 1.52.0) + aws-sdk-rds (~> 1.208.0) + aws-sdk-redshift (~> 1.107.0) + aws-sdk-route53 (~> 1.83.0) + aws-sdk-route53domains (~> 1.54.0) + aws-sdk-route53resolver (~> 1.51.0) + aws-sdk-s3 (~> 1.141.0) + aws-sdk-s3control (~> 1.74.0) + aws-sdk-secretsmanager (~> 1.87.0) + aws-sdk-securityhub (~> 1.98.0) + aws-sdk-servicecatalog (~> 1.90.0) + aws-sdk-ses (~> 1.58.0) + aws-sdk-shield (~> 1.60.0) + aws-sdk-signer (~> 1.50.0) + aws-sdk-simpledb (~> 1.42.0) + aws-sdk-sms (~> 1.52.0) + aws-sdk-sns (~> 1.70.0) + aws-sdk-sqs (~> 1.69.0) + aws-sdk-ssm (~> 1.162.0) + aws-sdk-states (~> 1.63.0) + aws-sdk-synthetics (~> 1.39.0) + aws-sdk-transfer (~> 1.86.0) + aws-sdk-waf (~> 1.58.0) + aws-sdk-wafv2 (~> 1.74.0) + train-awsssm (0.3.1) + train-core (3.12.6) + addressable (~> 2.5) + ffi (!= 1.13.0) + json (>= 1.8, < 3.0) + mixlib-shellout (>= 2.0, < 4.0) + net-scp (>= 1.2, < 5.0) + net-ssh (>= 2.9, < 8.0) + train-habitat (0.2.22) + train-kubernetes (0.2.1) + k8s-ruby (~> 0.16.0) + train (~> 3.0) + train-winrm (0.2.13) + winrm (>= 2.3.6, < 3.0) + winrm-elevated (~> 1.2.2) + winrm-fs (~> 1.0) + tty-box (0.7.0) + pastel (~> 0.8) + strings (~> 0.2.0) + tty-cursor (~> 0.7) + tty-color (0.6.0) + tty-cursor (0.7.1) + tty-prompt (0.23.1) + pastel (~> 0.8) + tty-reader (~> 0.8) + tty-reader (0.9.0) + tty-cursor (~> 0.7) + tty-screen (~> 0.8) + wisper (~> 2.0) + tty-screen (0.8.2) + tty-spinner (0.9.3) + tty-cursor (~> 0.7) + tty-table (0.12.0) + pastel (~> 0.8) + strings (~> 0.2.0) + tty-screen (~> 0.8) + tzinfo (2.0.6) + 
concurrent-ruby (~> 1.0) + uber (0.1.0) + unicode-display_width (2.5.0) + unicode_utils (1.4.0) + winrm (2.3.8) + builder (>= 2.1.2) + erubi (~> 1.8) + gssapi (~> 1.2) + gyoku (~> 1.0) + httpclient (~> 2.2, >= 2.2.0.2) + logging (>= 1.6.1, < 3.0) + nori (~> 2.0) + rexml (~> 3.0) + rubyntlm (~> 0.6.0, >= 0.6.3) + winrm-elevated (1.2.3) + erubi (~> 1.8) + winrm (~> 2.0) + winrm-fs (~> 1.0) + winrm-fs (1.3.5) + erubi (~> 1.8) + logging (>= 1.6.1, < 3.0) + rubyzip (~> 2.0) + winrm (~> 2.0) + wisper (2.0.1) + yajl-ruby (1.4.3) + yaml-safe_load_stream3 (0.1.2) + zeitwerk (2.6.16) + +PLATFORMS + arm64-darwin + +DEPENDENCIES + cookstyle + highline + inspec (>= 6.6.0) + inspec-bin + inspec-core + kitchen-ansible + kitchen-docker + kitchen-dokken + kitchen-ec2 + kitchen-inspec + kitchen-sync + kitchen-vagrant + parser (= 3.3.0.5) + pry-byebug + rake + rubocop + rubocop-rake + test-kitchen + train-awsssm + +BUNDLED WITH + 2.5.11 diff --git a/controls/V-92975.rb b/controls/SV-205624.rb similarity index 95% rename from controls/V-92975.rb rename to controls/SV-205624.rb index e621b9a..d967a79 100644 --- a/controls/V-92975.rb +++ b/controls/SV-205624.rb 
@@ -1,8 +1,8 @@ # encoding: UTF-8 -control 'V-92975' do - title "Windows Server 2019 must automatically remove or disable temporary user accounts after #{input('temporary_account_period')*24} hours." - desc "If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation. + control 'SV-205624' do + title "Windows Server 2019 must automatically remove or disable temporary user accounts after #{input('temporary_account_period')} hours." + desc "If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation. Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. If temporary accounts are used, the operating system must be configured to automatically terminate these types of accounts after a #{input('org_name')[:acronym]}-defined time period of #{input('temporary_account_period')*24} hours. diff --git a/controls/V-92979.rb b/controls/SV-205625.rb similarity index 99% rename from controls/V-92979.rb rename to controls/SV-205625.rb index 6f21381..e1d60c7 100644 --- a/controls/V-92979.rb +++ b/controls/SV-205625.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-92979" do +control "SV-205625" do title "Windows Server 2019 must be configured to audit Account Management - Security Group Management successes." desc "Maintaining an audit trail of system activity logs can help identify diff --git a/controls/V-92981.rb b/controls/SV-205626.rb similarity index 99% rename from controls/V-92981.rb rename to controls/SV-205626.rb index 78b6fbe..fcceeb7 100644 --- a/controls/V-92981.rb 
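Review bot: In controls/SV-205624.rb the new title prints `#{input('temporary_account_period')} hours`, while the unchanged desc text further down the same hunk still prints `#{input('temporary_account_period')*24} hours`, so the control reports two different thresholds for one input value. If the input's unit changed from days to hours in this commit (not visible here), the desc line should read `time period of #{input('temporary_account_period')} hours.`; if it is still days, the title should keep `*24`. The control body continues outside the hunk, so any account-expiry comparison there should be checked for the same unit, because a 24x mismatch would make the reported result misleading as audit evidence. The added `control` line also appears to gain a leading space that the removed line did not have, which looks unintentional.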
+++ b/controls/SV-205626.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-92981" do +control "SV-205626" do title "Windows Server 2019 must be configured to audit Account Management - User Account Management successes." desc "Maintaining an audit trail of system activity logs can help identify diff --git a/controls/V-92983.rb b/controls/SV-205627.rb similarity index 99% rename from controls/V-92983.rb rename to controls/SV-205627.rb index 7fde90f..c191209 100644 --- a/controls/V-92983.rb +++ b/controls/SV-205627.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-92983" do +control "SV-205627" do title "Windows Server 2019 must be configured to audit Account Management - User Account Management failures." desc "Maintaining an audit trail of system activity logs can help identify diff --git a/controls/V-92985.rb b/controls/SV-205628.rb similarity index 99% rename from controls/V-92985.rb rename to controls/SV-205628.rb index 4187286..d55e578 100644 --- a/controls/V-92985.rb +++ b/controls/SV-205628.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control 'V-92985' do +control 'SV-205628' do title "Windows Server 2019 must be configured to audit Account Management - Computer Account Management successes." desc "Maintaining an audit trail of system activity logs can help identify diff --git a/controls/V-93141.rb b/controls/SV-205629.rb similarity index 99% rename from controls/V-93141.rb rename to controls/SV-205629.rb index f3c708f..3cb6611 100644 --- a/controls/V-93141.rb +++ b/controls/SV-205629.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93141" do +control "SV-205629" do title "Windows Server 2019 must have the number of allowed bad logon attempts configured to #{input('max_pass_lockout')} or less." desc "The account lockout feature, when enabled, prevents brute-force diff --git a/controls/V-93143.rb b/controls/SV-205630.rb similarity index 99% rename from controls/V-93143.rb rename to controls/SV-205630.rb index 51dea17..13f7fae 100644 --- a/controls/V-93143.rb 
+++ b/controls/SV-205630.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93143" do +control "SV-205630" do title "Windows Server 2019 must have the period of time before the bad logon counter is reset configured to #{input('pass_lock_time')} minutes or greater." desc "The account lockout feature, when enabled, prevents brute-force diff --git a/controls/V-93147.rb b/controls/SV-205631.rb similarity index 98% rename from controls/V-93147.rb rename to controls/SV-205631.rb index df7e2e1..48ab0b9 100644 --- a/controls/V-93147.rb +++ b/controls/SV-205631.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93147" do +control "SV-205631" do title "Windows Server 2019 required legal notice must be configured to display before console logon." desc "Failure to display the logon banner prior to a logon attempt will diff --git a/controls/V-93149.rb b/controls/SV-205632.rb similarity index 98% rename from controls/V-93149.rb rename to controls/SV-205632.rb index ab5262b..d45913d 100644 --- a/controls/V-93149.rb +++ b/controls/SV-205632.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93149" do +control "SV-205632" do title "Windows Server 2019 title for legal banner dialog box must be configured with the appropriate text." desc "Failure to display the logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources." desc "rationale", "" diff --git a/controls/V-92961.rb b/controls/SV-205633.rb similarity index 98% rename from controls/V-92961.rb rename to controls/SV-205633.rb index b775b9e..c3121e1 100644 --- a/controls/V-92961.rb +++ b/controls/SV-205633.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-92961" do +control "SV-205633" do title "Windows Server 2019 machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver." desc "Unattended systems are susceptible to unauthorized use and should be 
diff --git a/controls/V-92967.rb b/controls/SV-205634.rb similarity index 98% rename from controls/V-92967.rb rename to controls/SV-205634.rb index fe1fe63..507f9aa 100644 --- a/controls/V-92967.rb +++ b/controls/SV-205634.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-92967" do +control "SV-205634" do title "Windows Server 2019 must be configured to audit logon successes." desc "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises diff --git a/controls/V-92969.rb b/controls/SV-205635.rb similarity index 98% rename from controls/V-92969.rb rename to controls/SV-205635.rb index e218e93..43ef1ee 100644 --- a/controls/V-92969.rb +++ b/controls/SV-205635.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-92969" do +control "SV-205635" do title "Windows Server 2019 must be configured to audit logon failures." desc "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises diff --git a/controls/V-92971.rb b/controls/SV-205636.rb similarity index 98% rename from controls/V-92971.rb rename to controls/SV-205636.rb index 1d316ce..f1235f5 100644 --- a/controls/V-92971.rb +++ b/controls/SV-205636.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-92971" do +control "SV-205636" do title "Windows Server 2019 Remote Desktop Services must require secure Remote Procedure Call (RPC) communications." desc "Allowing unsecure RPC communication exposes the system to diff --git a/controls/V-92973.rb b/controls/SV-205637.rb similarity index 98% rename from controls/V-92973.rb rename to controls/SV-205637.rb index 3a39e9f..f4f098e 100644 --- a/controls/V-92973.rb +++ b/controls/SV-205637.rb 
@@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-92973" do +control "SV-205637" do title "Windows Server 2019 Remote Desktop Services must be configured with the client connection encryption set to High Level." desc "Remote connections must be encrypted to prevent interception of data diff --git a/controls/V-93173.rb b/controls/SV-205638.rb similarity index 98% rename from controls/V-93173.rb rename to controls/SV-205638.rb index dda2f52..035703e 100644 --- a/controls/V-93173.rb +++ b/controls/SV-205638.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93173" do +control "SV-205638" do title "Windows Server 2019 command line data must be included in process creation events." desc "Maintaining an audit trail of system activity logs can help identify diff --git a/controls/V-93175.rb b/controls/SV-205639.rb similarity index 98% rename from controls/V-93175.rb rename to controls/SV-205639.rb index 182f46d..bb45ba5 100644 --- a/controls/V-93175.rb +++ b/controls/SV-205639.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93175" do +control "SV-205639" do title "Windows Server 2019 PowerShell script block logging must be enabled." desc "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises diff --git a/controls/V-93189.rb b/controls/SV-205640.rb similarity index 99% rename from controls/V-93189.rb rename to controls/SV-205640.rb index 373f033..fd77aa5 100644 --- a/controls/V-93189.rb +++ b/controls/SV-205640.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93189" do +control "SV-205640" do title "Windows Server 2019 permissions for the Application event log must prevent access by non-privileged accounts." desc "Maintaining an audit trail of system activity logs can help identify diff --git a/controls/V-93191.rb b/controls/SV-205641.rb similarity index 99% rename from controls/V-93191.rb rename to controls/SV-205641.rb index 5f9160f..d97d424 100644 --- a/controls/V-93191.rb 
+++ b/controls/SV-205641.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93191" do +control "SV-205641" do title "Windows Server 2019 permissions for the Security event log must prevent access by non-privileged accounts." desc "Maintaining an audit trail of system activity logs can help identify diff --git a/controls/V-93193.rb b/controls/SV-205642.rb similarity index 99% rename from controls/V-93193.rb rename to controls/SV-205642.rb index 4d95f7f..d018c65 100644 --- a/controls/V-93193.rb +++ b/controls/SV-205642.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93193" do +control "SV-205642" do title "Windows Server 2019 permissions for the System event log must prevent access by non-privileged accounts." desc "Maintaining an audit trail of system activity logs can help identify diff --git a/controls/V-93197.rb b/controls/SV-205643.rb similarity index 99% rename from controls/V-93197.rb rename to controls/SV-205643.rb index 26b4242..06d64aa 100644 --- a/controls/V-93197.rb +++ b/controls/SV-205643.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93197" do +control "SV-205643" do title "Windows Server 2019 Manage auditing and security log user right must only be assigned to the Administrators group." desc "Inappropriate granting of user rights can provide system, diff --git a/controls/V-93151.rb b/controls/SV-205644.rb similarity index 98% rename from controls/V-93151.rb rename to controls/SV-205644.rb index 33e1672..623004d 100644 --- a/controls/V-93151.rb +++ b/controls/SV-205644.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93151" do +control "SV-205644" do title "Windows Server 2019 must force audit policy subcategory settings to override audit policy category settings." desc "Maintaining an audit trail of system activity logs can help identify diff --git a/controls/V-93481.rb b/controls/SV-205645.rb similarity index 98% rename from controls/V-93481.rb rename to controls/SV-205645.rb index 6c32d1e..452403b 100644 --- a/controls/V-93481.rb 
+++ b/controls/SV-205645.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93481" do +control "SV-205645" do title "Windows Server 2019 domain controllers must have a PKI server certificate." desc "Domain controllers are part of the chain of trust for PKI authentications. Without the appropriate certificate, the authenticity of the domain controller cannot be verified. Domain controllers must have a server certificate to establish authenticity as part of PKI authentications in the domain." desc "rationale", "" diff --git a/controls/V-93483.rb b/controls/SV-205646.rb similarity index 99% rename from controls/V-93483.rb rename to controls/SV-205646.rb index d3e0f4b..def16c0 100644 --- a/controls/V-93483.rb +++ b/controls/SV-205646.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93483" do +control "SV-205646" do title "Windows Server 2019 domain Controller PKI certificates must be issued by the #{input('org_name')[:acronym]} PKI or an approved External Certificate Authority (ECA)." desc "A PKI implementation depends on the practices established by the Certificate Authority (CA) to ensure the implementation is secure. Without proper practices, the certificates issued by a CA have limited value in authentication functions. The use of multiple CAs from separate PKI implementations results in interoperability issues. If servers and clients do not have a common set of root CA certificates, they are not able to authenticate each other." desc "rationale", "" diff --git a/controls/V-93485.rb b/controls/SV-205647.rb similarity index 98% rename from controls/V-93485.rb rename to controls/SV-205647.rb index 0be4337..9339dd5 100644 --- a/controls/V-93485.rb +++ b/controls/SV-205647.rb 
@@ -1,6 +1,6 @@
 # encoding: UTF-8
 
-control "V-93485" do
+control "SV-205647" do
 title "Windows Server 2019 PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA)."
 desc "A PKI implementation depends on the practices established by the Certificate Authority (CA) to ensure the implementation is secure. Without proper practices, the certificates issued by a CA have limited value in authentication functions."
 desc "rationale", ""
diff --git a/controls/V-93487.rb b/controls/SV-205648.rb
similarity index 99%
rename from controls/V-93487.rb
rename to controls/SV-205648.rb
index a3a1799..a2b6796 100644
--- a/controls/V-93487.rb
+++ b/controls/SV-205648.rb
@@ -1,6 +1,6 @@
 # encoding: UTF-8
 
-control "V-93487" do
+control "SV-205648" do
 title "Windows Server 2019 must have the #{input('org_name')[:acronym]} Root Certificate Authority (CA) certificates installed in the Trusted Root Store."
 desc "To ensure secure #{input('org_name')[:acronym]} websites and #{input('org_name')[:acronym]}-signed code are properly validated, the system must trust the #{input('org_name')[:acronym]} Root CAs. The #{input('org_name')[:acronym]} root certificates will ensure that the trust chain is established for server certificates issued from the #{input('org_name')[:acronym]} CAs."
 desc "rationale", ""
diff --git a/controls/V-93489.rb b/controls/SV-205649.rb
similarity index 99%
rename from controls/V-93489.rb
rename to controls/SV-205649.rb
index 0dd7172..7751725 100644
--- a/controls/V-93489.rb
+++ b/controls/SV-205649.rb
@@ -1,6 +1,6 @@
 # encoding: UTF-8
 
-control "V-93489" do
+control "SV-205649" do
 title "Windows Server 2019 must have the #{input('org_name')[:acronym]} Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems."
 desc "To ensure users do not experience denial of service when performing certificate-based authentication to #{input('org_name')[:acronym]} websites due to the system chaining to a root other than #{input('org_name')[:acronym]} Root CAs, the #{input('org_name')[:acronym]} Interoperability Root CA cross-certificates must be installed in the Untrusted Certificate Store. This requirement only applies to unclassified systems."
 desc "rationale", ""
diff --git a/controls/V-93491.rb b/controls/SV-205650.rb
similarity index 99%
rename from controls/V-93491.rb
rename to controls/SV-205650.rb
index 8ae3f3f..788367a 100644
--- a/controls/V-93491.rb
+++ b/controls/SV-205650.rb
@@ -1,6 +1,6 @@
 # encoding: UTF-8
 
-control "V-93491" do
+control "SV-205650" do
 title "Windows Server 2019 must have the US #{input('org_name')[:acronym]} CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems."
 desc "To ensure users do not experience denial of service when performing certificate-based authentication to #{input('org_name')[:acronym]} websites due to the system chaining to a root other than #{input('org_name')[:acronym]} Root CAs, the US #{input('org_name')[:acronym]} CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificate Store. This requirement only applies to unclassified systems."
 desc "rationale", ""
diff --git a/controls/V-93493.rb b/controls/SV-205651.rb
similarity index 98%
rename from controls/V-93493.rb
rename to controls/SV-205651.rb
index dc18290..5c66555 100644
--- a/controls/V-93493.rb
+++ b/controls/SV-205651.rb
@@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93493" do +control "SV-205651" do title "Windows Server 2019 users must be required to enter a password to access private keys stored on the computer." desc "If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure. The cornerstone of the PKI is the private key used to encrypt or digitally sign information. diff --git a/controls/V-93459.rb b/controls/SV-205652.rb similarity index 98% rename from controls/V-93459.rb rename to controls/SV-205652.rb index 08f4599..6b4d73f 100644 --- a/controls/V-93459.rb +++ b/controls/SV-205652.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93459" do +control "SV-205652" do title "Windows Server 2019 must have the built-in Windows password complexity policy enabled." desc "The use of complex passwords increases their strength against attack. The built-in Windows password complexity policy requires passwords to contain at least three of the four types of characters (numbers, uppercase and lowercase letters, and special characters) and prevents the inclusion of user names or parts of user names." desc "rationale", "" diff --git a/controls/V-93465.rb b/controls/SV-205653.rb similarity index 98% rename from controls/V-93465.rb rename to controls/SV-205653.rb index bfc6db1..7e72c5e 100644 --- a/controls/V-93465.rb +++ b/controls/SV-205653.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93465" do +control "SV-205653" do title "Windows Server 2019 reversible password encryption must be disabled." desc "Storing passwords using reversible encryption is essentially the same as storing clear-text versions of the passwords, which are easily compromised. For this reason, this policy must never be enabled." desc "rationale", "" diff --git a/controls/V-93467.rb b/controls/SV-205654.rb similarity index 98% rename from controls/V-93467.rb rename to controls/SV-205654.rb index 70a8d1d..7f58874 100644 
--- a/controls/V-93467.rb
+++ b/controls/SV-205654.rb
@@ -1,6 +1,6 @@
 # encoding: UTF-8
 
-control "V-93467" do
+control "SV-205654" do
 title "Windows Server 2019 must be configured to prevent the storage of the LAN Manager hash of passwords."
 desc "The LAN Manager hash uses a weak encryption algorithm and there are several tools available that use this hash to retrieve account passwords. This setting controls whether a LAN Manager hash of the password is stored in the SAM the next time the password is changed."
 desc "rationale", ""
diff --git a/controls/V-93469.rb b/controls/SV-205655.rb
similarity index 98%
rename from controls/V-93469.rb
rename to controls/SV-205655.rb
index ac346dd..4da8194 100644
--- a/controls/V-93469.rb
+++ b/controls/SV-205655.rb
@@ -1,6 +1,6 @@
 # encoding: UTF-8
 
-control "V-93469" do
+control "SV-205655" do
 title "Windows Server 2019 unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers."
 desc "Some non-Microsoft SMB servers only support unencrypted (plain-text) password authentication. Sending plain-text passwords across the network when authenticating to an SMB server reduces the overall security of the environment. Check with the vendor of the SMB server to determine if there is a way to support encrypted password authentication."
 desc "rationale", ""
diff --git a/controls/V-93471.rb b/controls/SV-205656.rb
similarity index 98%
rename from controls/V-93471.rb
rename to controls/SV-205656.rb
index 22aa492..7b98002 100644
--- a/controls/V-93471.rb
+++ b/controls/SV-205656.rb
@@ -1,6 +1,6 @@
 # encoding: UTF-8
 
-control "V-93471" do
+control "SV-205656" do
 title "Windows Server 2019 minimum password age must be configured to at least one day."
 desc "Permitting passwords to be changed in immediate succession within the same day allows users to cycle passwords through their history database. This enables users to effectively negate the purpose of mandating periodic password changes."
 desc "rationale", ""
diff --git a/controls/V-93473.rb b/controls/SV-205657.rb similarity index 99% rename from controls/V-93473.rb rename to controls/SV-205657.rb index b968129..cb38c52 100644 --- a/controls/V-93473.rb +++ b/controls/SV-205657.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93473" do +control "SV-205657" do title "Windows Server 2019 passwords for the built-in Administrator account must be changed at least every 60 days." desc "The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the password. The built-in Administrator account is not generally used and its password not may be changed as frequently as necessary. Changing the password for the built-in Administrator account on a regular basis will limit its exposure. Organizations that use an automated tool, such Microsoft's Local Administrator Password Solution (LAPS), on domain-joined systems can configure this to occur more frequently. LAPS will change the password every \"30\" days by default." diff --git a/controls/V-93475.rb b/controls/SV-205658.rb similarity index 99% rename from controls/V-93475.rb rename to controls/SV-205658.rb index 78be128..a5076d6 100644 --- a/controls/V-93475.rb +++ b/controls/SV-205658.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control 'V-93475' do +control 'SV-205658' do title 'Windows Server 2019 passwords must be configured to expire.' desc 'Passwords that do not expire or are reused increase the exposure of a password with greater probability of being discovered or cracked.' desc 'rationale', '' diff --git a/controls/V-93477.rb b/controls/SV-205659.rb similarity index 98% rename from controls/V-93477.rb rename to controls/SV-205659.rb index c8f19f3..d8fac10 100644 --- a/controls/V-93477.rb +++ b/controls/SV-205659.rb 
@@ -1,6 +1,6 @@
 # encoding: UTF-8
 
-control "V-93477" do
+control "SV-205659" do
 title "Windows Server 2019 maximum password age must be configured to 60 days or less."
 desc "The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the passwords. Scheduled changing of passwords hinders the ability of unauthorized system users to crack passwords and gain access to a system."
 desc "rationale", ""
diff --git a/controls/V-93479.rb b/controls/SV-205660.rb
similarity index 98%
rename from controls/V-93479.rb
rename to controls/SV-205660.rb
index 8224927..db14973 100644
--- a/controls/V-93479.rb
+++ b/controls/SV-205660.rb
@@ -1,6 +1,6 @@
 # encoding: UTF-8
 
-control "V-93479" do
+control "SV-205660" do
 title "Windows Server 2019 password history must be configured to #{input('password_history_size')} passwords remembered."
 desc "A system is more vulnerable to unauthorized access when system users recycle the same password several times without being required to change to a unique password on a regularly scheduled basis. This enables users to effectively negate the purpose of mandating periodic password changes. The default value is \"#{input('password_history_size')}\" for Windows domain systems. #{input('org_name')[:acronym]} has decided this is the appropriate value for all Windows systems."
 desc "rationale", ""
diff --git a/controls/V-93461.rb b/controls/SV-205661.rb
similarity index 98%
rename from controls/V-93461.rb
rename to controls/SV-205661.rb
index acad751..cca1dec 100644
--- a/controls/V-93461.rb
+++ b/controls/SV-205661.rb
@@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93461" do +control "SV-205661" do title "Windows Server 2019 manually managed application account passwords must be at least #{input('minimum_password_length_manual')} characters in length." desc "Application/service account passwords must be of sufficient length to prevent being easily cracked. Application/service accounts that are manually managed must have passwords at least #{input('minimum_password_length_manual')} characters in length." desc "rationale", "" diff --git a/controls/V-93463.rb b/controls/SV-205662.rb similarity index 98% rename from controls/V-93463.rb rename to controls/SV-205662.rb index 3e94b7f..9627756 100644 --- a/controls/V-93463.rb +++ b/controls/SV-205662.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93463" do +control "SV-205662" do title "Windows Server 2019 minimum password length must be configured to #{input('minimum_password_length')} characters." desc "Information systems not protected with strong password schemes (including passwords of minimum length) provide the opportunity for anyone to crack the password, thus gaining access to the system and compromising the device, information, or the local network." desc "rationale", "" diff --git a/controls/V-92991.rb b/controls/SV-205663.rb similarity index 98% rename from controls/V-92991.rb rename to controls/SV-205663.rb index f73b604..730abb4 100644 --- a/controls/V-92991.rb +++ b/controls/SV-205663.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-92991" do +control "SV-205663" do title "Windows Server 2019 local volumes must use a format that supports NTFS attributes." desc "The ability to set access permissions and auditing is critical to diff --git a/controls/V-92993.rb b/controls/SV-205664.rb similarity index 98% rename from controls/V-92993.rb rename to controls/SV-205664.rb index b532c3c..9faa436 100644 --- a/controls/V-92993.rb +++ b/controls/SV-205664.rb 
@@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-92993" do +control "SV-205664" do title "Windows Server 2019 non-administrative accounts or groups must only have print permissions on printer shares." desc "Windows shares are a means by which files, folders, printers, and diff --git a/controls/V-92995.rb b/controls/SV-205665.rb similarity index 99% rename from controls/V-92995.rb rename to controls/SV-205665.rb index 14a65c8..96d4751 100644 --- a/controls/V-92995.rb +++ b/controls/SV-205665.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-92995" do +control "SV-205665" do title "Windows Server 2019 Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and Enterprise Domain Controllers groups on domain controllers." desc "Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the \"Access this computer from the network\" right may access resources on the system, and this right must be limited to those requiring it." diff --git a/controls/V-92997.rb b/controls/SV-205666.rb similarity index 99% rename from controls/V-92997.rb rename to controls/SV-205666.rb index 3b4fc50..82ab8df 100644 --- a/controls/V-92997.rb +++ b/controls/SV-205666.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-92997" do +control "SV-205666" do title "Windows Server 2019 Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group on domain controllers." desc "Inappropriate granting of user rights can provide system, diff --git a/controls/V-92999.rb b/controls/SV-205667.rb similarity index 99% rename from controls/V-92999.rb rename to controls/SV-205667.rb index bf79eab..69c9c3f 100644 --- a/controls/V-92999.rb +++ b/controls/SV-205667.rb 
@@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-92999" do +control "SV-205667" do title "Windows Server 2019 Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access." diff --git a/controls/V-93001.rb b/controls/SV-205668.rb similarity index 99% rename from controls/V-93001.rb rename to controls/SV-205668.rb index a919b04..50f3870 100644 --- a/controls/V-93001.rb +++ b/controls/SV-205668.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93001" do +control "SV-205668" do title "Windows Server 2019 Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access." desc "Inappropriate granting of user rights can provide system, diff --git a/controls/V-93003.rb b/controls/SV-205669.rb similarity index 99% rename from controls/V-93003.rb rename to controls/SV-205669.rb index acfa03d..f8bca6c 100644 --- a/controls/V-93003.rb +++ b/controls/SV-205669.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93003" do +control "SV-205669" do title "Windows Server 2019 Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers." desc "Inappropriate granting of user rights can provide system, diff --git a/controls/V-93005.rb b/controls/SV-205670.rb similarity index 99% rename from controls/V-93005.rb rename to controls/SV-205670.rb index 6fd2f9c..d1778be 100644 --- a/controls/V-93005.rb +++ b/controls/SV-205670.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93005" do +control "SV-205670" do title "Windows Server 2019 Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access." desc "Inappropriate granting of user rights can provide system, diff --git a/controls/V-93007.rb b/controls/SV-205671.rb similarity index 99% rename from controls/V-93007.rb rename to controls/SV-205671.rb index 0358138..31984be 100644 --- a/controls/V-93007.rb 
+++ b/controls/SV-205671.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93007" do +control "SV-205671" do title "Windows Server 2019 Access this computer from the network user right must only be assigned to the Administrators and Authenticated Users groups on domain-joined member servers and standalone systems." diff --git a/controls/V-93009.rb b/controls/SV-205672.rb similarity index 99% rename from controls/V-93009.rb rename to controls/SV-205672.rb index ebabe47..b8503cf 100644 --- a/controls/V-93009.rb +++ b/controls/SV-205672.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93009" do +control "SV-205672" do title "Windows Server 2019 Deny access to this computer from the network user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and local accounts and from unauthenticated diff --git a/controls/V-93011.rb b/controls/SV-205673.rb similarity index 99% rename from controls/V-93011.rb rename to controls/SV-205673.rb index af20c44..e7b7eb6 100644 --- a/controls/V-93011.rb +++ b/controls/SV-205673.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93011" do +control "SV-205673" do title "Windows Server 2019 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems." diff --git a/controls/V-93013.rb b/controls/SV-205674.rb similarity index 99% rename from controls/V-93013.rb rename to controls/SV-205674.rb index 4f4a8e3..bc574cf 100644 --- a/controls/V-93013.rb +++ b/controls/SV-205674.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93013" do +control "SV-205674" do title "Windows Server 2019 Deny log on as a service user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts. No other groups or accounts must be assigned this 
diff --git a/controls/V-93015.rb b/controls/SV-205675.rb similarity index 99% rename from controls/V-93015.rb rename to controls/SV-205675.rb index a9a99ef..a7499a1 100644 --- a/controls/V-93015.rb +++ b/controls/SV-205675.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93015" do +control "SV-205675" do title "Windows Server 2019 Deny log on locally user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems." diff --git a/controls/V-93017.rb b/controls/SV-205676.rb similarity index 98% rename from controls/V-93017.rb rename to controls/SV-205676.rb index 10054db..599bfe3 100644 --- a/controls/V-93017.rb +++ b/controls/SV-205676.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93017" do +control "SV-205676" do title "Windows Server 2019 Allow log on locally user right must only be assigned to the Administrators group." desc "Inappropriate granting of user rights can provide system, diff --git a/controls/V-93381.rb b/controls/SV-205677.rb similarity index 98% rename from controls/V-93381.rb rename to controls/SV-205677.rb index f2738bc..15fab05 100644 --- a/controls/V-93381.rb +++ b/controls/SV-205677.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93381" do +control "SV-205677" do title "Windows Server 2019 must have the roles and features required by the system documented." desc "Unnecessary roles and features increase the attack surface of a system. Limiting roles and features of a system to only those necessary reduces this potential. The standard installation option (previously called Server Core) further reduces this when selected at installation." desc "rationale", "" diff --git a/controls/V-93383.rb b/controls/SV-205678.rb similarity index 98% rename from controls/V-93383.rb rename to controls/SV-205678.rb index 9ca7121..c823d9d 100644 --- a/controls/V-93383.rb +++ b/controls/SV-205678.rb 
@@ -1,6 +1,6 @@
 # encoding: UTF-8
 
-control "V-93383" do
+control "SV-205678" do
 title "Windows Server 2019 must not have the Fax Server role installed."
 desc "Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system."
 desc "rationale", ""
diff --git a/controls/V-93385.rb b/controls/SV-205679.rb
similarity index 98%
rename from controls/V-93385.rb
rename to controls/SV-205679.rb
index ed2e0d1..d5e24af 100644
--- a/controls/V-93385.rb
+++ b/controls/SV-205679.rb
@@ -1,6 +1,6 @@
 # encoding: UTF-8
 
-control "V-93385" do
+control "SV-205679" do
 title "Windows Server 2019 must not have the Peer Name Resolution Protocol installed."
 desc "Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system."
 desc "rationale", ""
diff --git a/controls/V-93387.rb b/controls/SV-205680.rb
similarity index 98%
rename from controls/V-93387.rb
rename to controls/SV-205680.rb
index 6b675e3..96e0900 100644
--- a/controls/V-93387.rb
+++ b/controls/SV-205680.rb
@@ -1,6 +1,6 @@
 # encoding: UTF-8
 
-control "V-93387" do
+control "SV-205680" do
 title "Windows Server 2019 must not have Simple TCP/IP Services installed."
 desc "Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system."
 desc "rationale", ""
diff --git a/controls/V-93389.rb b/controls/SV-205681.rb
similarity index 98%
rename from controls/V-93389.rb
rename to controls/SV-205681.rb
index 0189af7..bf780e1 100644
--- a/controls/V-93389.rb
+++ b/controls/SV-205681.rb
@@ -1,6 +1,6 @@
 # encoding: UTF-8
 
-control "V-93389" do
+control "SV-205681" do
 title "Windows Server 2019 must not have the TFTP Client installed."
 desc "Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system."
 desc "rationale", ""
diff --git a/controls/V-93391.rb b/controls/SV-205682.rb
similarity index 99%
rename from controls/V-93391.rb
rename to controls/SV-205682.rb
index f190e34..d72ded9 100644
--- a/controls/V-93391.rb
+++ b/controls/SV-205682.rb
@@ -1,6 +1,6 @@
 # encoding: UTF-8
 
-control "V-93391" do
+control "SV-205682" do
 title "Windows Server 2019 must not the Server Message Block (SMB) v1 protocol installed."
 desc "SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks and is not FIPS compliant."
 desc "rationale", ""
diff --git a/controls/V-93393.rb b/controls/SV-205683.rb
similarity index 99%
rename from controls/V-93393.rb
rename to controls/SV-205683.rb
index fd6e57d..e511a44 100644
--- a/controls/V-93393.rb
+++ b/controls/SV-205683.rb
@@ -1,6 +1,6 @@
 # encoding: UTF-8
 
-control "V-93393" do
+control "SV-205683" do
 title "Windows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server."
 desc "SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks as well as not being FIPS compliant."
 desc "rationale", ""
diff --git a/controls/V-93395.rb b/controls/SV-205684.rb
similarity index 99%
rename from controls/V-93395.rb
rename to controls/SV-205684.rb
index 8529303..69eaec7 100644
--- a/controls/V-93395.rb
+++ b/controls/SV-205684.rb
@@ -1,6 +1,6 @@
 # encoding: UTF-8
 
-control "V-93395" do
+control "SV-205684" do
 title "Windows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB client."
 desc "SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks as well as not being FIPS compliant."
 desc "rationale", ""
diff --git a/controls/V-93397.rb b/controls/SV-205685.rb
similarity index 98%
rename from controls/V-93397.rb
rename to controls/SV-205685.rb
index a58da1b..2e74caf 100644
--- a/controls/V-93397.rb
+++ b/controls/SV-205685.rb
@@ -1,6 +1,6 @@
 # encoding: UTF-8
 
-control "V-93397" do
+control "SV-205685" do
 title "Windows Server 2019 must not have Windows PowerShell 2.0 installed."
 desc "Windows PowerShell 5.x added advanced logging features that can provide additional detail when malware has been run on a system. Disabling the Windows PowerShell 2.0 mitigates against a downgrade attack that evades the Windows PowerShell 5.x script block logging feature."
 desc "rationale", ""
diff --git a/controls/V-93399.rb b/controls/SV-205686.rb
similarity index 98%
rename from controls/V-93399.rb
rename to controls/SV-205686.rb
index 51c8c52..5a811b8 100644
--- a/controls/V-93399.rb
+++ b/controls/SV-205686.rb
@@ -1,6 +1,6 @@
 # encoding: UTF-8
 
-control "V-93399" do
+control "SV-205686" do
 title "Windows Server 2019 must prevent the display of slide shows on the lock screen."
 desc "Slide shows that are displayed on the lock screen could display sensitive information to unauthorized personnel. Turning off this feature will limit access to the information to a logged-on user."
 desc "rationale", ""
diff --git a/controls/V-93401.rb b/controls/SV-205687.rb
similarity index 98%
rename from controls/V-93401.rb
rename to controls/SV-205687.rb
index 761eca4..3dc9bb2 100644
--- a/controls/V-93401.rb
+++ b/controls/SV-205687.rb
@@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93401" do +control "SV-205687" do title "Windows Server 2019 must have WDigest Authentication disabled." desc "When the WDigest Authentication protocol is enabled, plain-text passwords are stored in the Local Security Authority Subsystem Service (LSASS),exposing them to theft. WDigest is disabled by default in Windows Server 2019. This setting ensures this is enforced." desc "rationale", "" diff --git a/controls/V-93403.rb b/controls/SV-205688.rb similarity index 98% rename from controls/V-93403.rb rename to controls/SV-205688.rb index 45f95c6..03305d1 100644 --- a/controls/V-93403.rb +++ b/controls/SV-205688.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93403" do +control "SV-205688" do title "Windows Server 2019 downloading print driver packages over HTTP must be turned off." desc "Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and will prevent uncontrolled updates to the system. diff --git a/controls/V-93405.rb b/controls/SV-205689.rb similarity index 98% rename from controls/V-93405.rb rename to controls/SV-205689.rb index 610b2d9..d3f0631 100644 --- a/controls/V-93405.rb +++ b/controls/SV-205689.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93405" do +control "SV-205689" do title "Windows Server 2019 printing over HTTP must be turned off." desc "Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and will prevent uncontrolled updates to the system. diff --git a/controls/V-93407.rb b/controls/SV-205690.rb similarity index 98% rename from controls/V-93407.rb rename to controls/SV-205690.rb index 4d8bbd2..dee97d9 100644 
--- a/controls/V-93407.rb +++ b/controls/SV-205690.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93407" do +control "SV-205690" do title "Windows Server 2019 network selection user interface (UI) must not be displayed on the logon screen." desc "Enabling interaction with the network selection UI allows users to change connections to available networks without signing in to Windows." desc "rationale", "" diff --git a/controls/V-93409.rb b/controls/SV-205691.rb similarity index 98% rename from controls/V-93409.rb rename to controls/SV-205691.rb index ec0489a..fd4ef77 100644 --- a/controls/V-93409.rb +++ b/controls/SV-205691.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93409" do +control "SV-205691" do title "Windows Server 2019 Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft." desc "Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and will prevent uncontrolled updates to the system. diff --git a/controls/V-93411.rb b/controls/SV-205692.rb similarity index 98% rename from controls/V-93411.rb rename to controls/SV-205692.rb index e4dc998..48d2b2f 100644 --- a/controls/V-93411.rb +++ b/controls/SV-205692.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93411" do +control "SV-205692" do title "Windows Server 2019 Windows Defender SmartScreen must be enabled." desc "Windows Defender SmartScreen helps protect systems from programs downloaded from the internet that may be malicious. Enabling SmartScreen can block potentially malicious programs or warn users." desc "rationale", "" diff --git a/controls/V-93413.rb b/controls/SV-205693.rb similarity index 98% rename from controls/V-93413.rb rename to controls/SV-205693.rb index f781bec..452d938 100644 --- a/controls/V-93413.rb +++ b/controls/SV-205693.rb 
@@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93413" do +control "SV-205693" do title "Windows Server 2019 must disable Basic authentication for RSS feeds over HTTP." desc "Basic authentication uses plain-text passwords that could be used to compromise a system. Disabling Basic authentication will reduce this potential." desc "rationale", "" diff --git a/controls/V-93415.rb b/controls/SV-205694.rb similarity index 98% rename from controls/V-93415.rb rename to controls/SV-205694.rb index c05fa78..a37d9e5 100644 --- a/controls/V-93415.rb +++ b/controls/SV-205694.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93415" do +control "SV-205694" do title "Windows Server 2019 must prevent Indexing of encrypted files." desc "Indexing of encrypted files may expose sensitive data. This setting prevents encrypted files from being indexed." desc "rationale", "" diff --git a/controls/V-93417.rb b/controls/SV-205695.rb similarity index 99% rename from controls/V-93417.rb rename to controls/SV-205695.rb index 698e177..274d495 100644 --- a/controls/V-93417.rb +++ b/controls/SV-205695.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93417" do +control "SV-205695" do title "Windows Server 2019 domain controllers must run on a machine dedicated to that function." desc "Executing application servers on the same host machine with a directory server may substantially weaken the security of the directory server. Web or database server applications usually require the addition of many programs and accounts, increasing the attack surface of the computer. diff --git a/controls/V-93419.rb b/controls/SV-205696.rb similarity index 98% rename from controls/V-93419.rb rename to controls/SV-205696.rb index 3bda10b..3978294 100644 --- a/controls/V-93419.rb +++ b/controls/SV-205696.rb 
@@ -1,6 +1,6 @@
 # encoding: UTF-8
 
-control "V-93419" do
+control "SV-205696" do
 title "Windows Server 2019 local users on domain-joined member servers must not be enumerated."
 desc "The username is one part of logon credentials that could be used to gain access to a system. Preventing the enumeration of users limits this information to authorized personnel."
 desc "rationale", ""
diff --git a/controls/V-93421.rb b/controls/SV-205697.rb
similarity index 98%
rename from controls/V-93421.rb
rename to controls/SV-205697.rb
index d290fde..16c2442 100644
--- a/controls/V-93421.rb
+++ b/controls/SV-205697.rb
@@ -1,6 +1,6 @@
 # encoding: UTF-8
 
-control "V-93421" do
+control "SV-205697" do
 title "Windows Server 2019 must not have the Microsoft FTP service installed unless required by the organization."
 desc "Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption."
 desc "rationale", ""
diff --git a/controls/V-93423.rb b/controls/SV-205698.rb
similarity index 98%
rename from controls/V-93423.rb
rename to controls/SV-205698.rb
index 819147c..7e90f3b 100644
--- a/controls/V-93423.rb
+++ b/controls/SV-205698.rb
@@ -1,6 +1,6 @@
 # encoding: UTF-8
 
-control "V-93423" do
+control "SV-205698" do
 title "Windows Server 2019 must not have the Telnet Client installed."
 desc "Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system."
 desc "rationale", ""
diff --git a/controls/V-93437.rb b/controls/SV-205699.rb
similarity index 98%
rename from controls/V-93437.rb
rename to controls/SV-205699.rb
index 197494c..0dd90db 100644
--- a/controls/V-93437.rb
+++ b/controls/SV-205699.rb
@@ -1,6 +1,6 @@
 # encoding: UTF-8
 
-control "V-93437" do
+control "SV-205699" do
 title "Windows Server 2019 shared user accounts must not be permitted."
 desc "Shared accounts (accounts where two or more people log on with the same user identification) do not provide adequate identification and authentication. There is no way to provide for nonrepudiation or individual accountability for system access and resource usage."
 desc "rationale", ""
diff --git a/controls/V-93439.rb b/controls/SV-205700.rb
similarity index 99%
rename from controls/V-93439.rb
rename to controls/SV-205700.rb
index af50f53..a667ebc 100644
--- a/controls/V-93439.rb
+++ b/controls/SV-205700.rb
@@ -1,6 +1,6 @@
 # encoding: UTF-8
 
-control "V-93439" do
+control "SV-205700" do
 title "Windows Server 2019 accounts must require passwords."
 desc "The lack of password protection enables anyone to gain access to the information system, which opens a backdoor opportunity for intruders to compromise the system as well as other resources. Accounts on a system must require passwords."
 desc "rationale", ""
diff --git a/controls/V-93441.rb b/controls/SV-205701.rb
similarity index 99%
rename from controls/V-93441.rb
rename to controls/SV-205701.rb
index e8441de..7e5abd1 100644
--- a/controls/V-93441.rb
+++ b/controls/SV-205701.rb
@@ -1,6 +1,6 @@
 # encoding: UTF-8
 
-control "V-93441" do
+control "SV-205701" do
 title "Windows Server 2019 Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication."
 desc "Smart cards such as the CAC support a two-factor authentication technique. This provides a higher level of trust in the asserted identity than use of the username and password for authentication."
 desc "rationale", ""
diff --git a/controls/V-93443.rb b/controls/SV-205702.rb
similarity index 98%
rename from controls/V-93443.rb
rename to controls/SV-205702.rb
index b1713a9..320f194 100644
--- a/controls/V-93443.rb
+++ b/controls/SV-205702.rb
@@ -1,6 +1,6 @@
 # encoding: UTF-8
 
-control "V-93443" do
+control "SV-205702" do
 title "Windows Server 2019 Kerberos user logon restrictions must be enforced."
 desc "This policy setting determines whether the Kerberos Key Distribution Center (KDC) validates every request for a session ticket against the user rights policy of the target computer. The policy is enabled by default, which is the most secure setting for validating that access to target resources is not circumvented."
 desc "rationale", ""
diff --git a/controls/V-93445.rb b/controls/SV-205703.rb
similarity index 98%
rename from controls/V-93445.rb
rename to controls/SV-205703.rb
index 0c9c516..f4df488 100644
--- a/controls/V-93445.rb
+++ b/controls/SV-205703.rb
@@ -1,6 +1,6 @@
 # encoding: UTF-8
 
-control "V-93445" do
+control "SV-205703" do
 title "Windows Server 2019 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less."
 desc "This setting determines the maximum amount of time (in minutes) that a granted session ticket can be used to access a particular service. Session tickets are used only to authenticate new connections with servers. Ongoing operations are not interrupted if the session ticket used to authenticate the connection expires during the connection."
 desc "rationale", ""
diff --git a/controls/V-93447.rb b/controls/SV-205704.rb
similarity index 99%
rename from controls/V-93447.rb
rename to controls/SV-205704.rb
index 65b8228..88ce452 100644
--- a/controls/V-93447.rb
+++ b/controls/SV-205704.rb
@@ -1,6 +1,6 @@
 # encoding: UTF-8
 
-control "V-93447" do
+control "SV-205704" do
 title "Windows Server 2019 Kerberos user ticket lifetime must be limited to 10 hours or less."
 desc "In Kerberos, there are two types of tickets: Ticket Granting Tickets (TGTs) and Service Tickets. Kerberos tickets have a limited lifetime so the time an attacker has to implement an attack is limited. This policy controls how long TGTs can be renewed. With Kerberos, the user's initial authentication to the domain controller results in a TGT, which is then used to request Service Tickets to resources. Upon startup, each computer gets a TGT before requesting a service ticket to the domain controller and any other computers it needs to access. For services that start up under a specified user account, users must always get a TGT first and then get Service Tickets to all computers and services accessed."
 desc "rationale", ""
diff --git a/controls/V-93449.rb b/controls/SV-205705.rb
similarity index 98%
rename from controls/V-93449.rb
rename to controls/SV-205705.rb
index a9088e5..88e0f6f 100644
--- a/controls/V-93449.rb
+++ b/controls/SV-205705.rb
@@ -1,6 +1,6 @@
 # encoding: UTF-8
 
-control "V-93449" do
+control "SV-205705" do
 title "Windows Server 2019 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less."
 desc "This setting determines the period of time (in days) during which a user's Ticket Granting Ticket (TGT) may be renewed. This security configuration limits the amount of time an attacker has to crack the TGT and gain access."
 desc "rationale", ""
diff --git a/controls/V-93451.rb b/controls/SV-205706.rb
similarity index 98%
rename from controls/V-93451.rb
rename to controls/SV-205706.rb
index d21b1b3..6fc6fdd 100644
--- a/controls/V-93451.rb
+++ b/controls/SV-205706.rb
@@ -1,6 +1,6 @@
 # encoding: UTF-8
 
-control "V-93451" do
+control "SV-205706" do
 title "Windows Server 2019 computer clock synchronization tolerance must be limited to five minutes or less."
 desc "This setting determines the maximum time difference (in minutes) that Kerberos will tolerate between the time on a client's clock and the time on a server's clock while still considering the two clocks synchronous. In order to prevent replay attacks, Kerberos uses timestamps as part of its protocol definition. For timestamps to work properly, the clocks of the client and the server need to be in sync as much as possible."
 desc "rationale", ""
diff --git a/controls/V-93457.rb b/controls/SV-205707.rb
similarity index 99%
rename from controls/V-93457.rb
rename to controls/SV-205707.rb
index 8c337f7..f6b350f 100644
--- a/controls/V-93457.rb
+++ b/controls/SV-205707.rb
@@ -1,6 +1,6 @@
 # encoding: UTF-8
 
-control 'V-93457' do
+control 'SV-205707' do
 title 'Windows Server 2019 outdated or unused accounts must be removed or disabled.'
 desc 'Outdated or unused accounts provide penetration points that may go undetected. Inactive accounts must be deleted if no longer necessary or, if still required, disabled until needed.'
 desc 'rationale', ''
diff --git a/controls/V-93495.rb b/controls/SV-205708.rb
similarity index 98%
rename from controls/V-93495.rb
rename to controls/SV-205708.rb
index 1981945..e29d19d 100644
--- a/controls/V-93495.rb
+++ b/controls/SV-205708.rb
@@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93495" do +control "SV-205708" do title "Windows Server 2019 Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites." desc "Certain encryption types are no longer considered secure. The DES and RC4 encryption suites must not be used for Kerberos encryption. Note: Organizations with domain controllers running earlier versions of Windows where RC4 encryption is enabled, selecting \"The other domain supports Kerberos AES Encryption\" on domain trusts, may be required to allow client communication across the trust relationship." diff --git a/controls/V-93497.rb b/controls/SV-205709.rb similarity index 98% rename from controls/V-93497.rb rename to controls/SV-205709.rb index b12a3a9..0d9385c 100644 --- a/controls/V-93497.rb +++ b/controls/SV-205709.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93497" do +control "SV-205709" do title "Windows Server 2019 must have the built-in guest account disabled." desc "A system faces an increased vulnerability threat if the built-in guest account is not disabled. This is a known account that exists on all Windows systems and cannot be deleted. This account is initialized during the installation of the operating system with no password assigned." desc "rationale", "" diff --git a/controls/V-92977.rb b/controls/SV-205710.rb similarity index 99% rename from controls/V-92977.rb rename to controls/SV-205710.rb index 38c5951..cf98d6b 100644 --- a/controls/V-92977.rb +++ b/controls/SV-205710.rb 
@@ -1,7 +1,7 @@ # encoding: UTF-8 -control "V-92977" do - title "Windows Server 2019 must automatically remove or disable emergency accounts after the crisis is resolved or within #{input('emergency_account_period')*24} hours." +control "SV-205710" do + title "Windows Server 2019 must automatically remove or disable emergency accounts after the crisis is resolved or within #{input('emergency_account_period')} hours." desc "Emergency administrator accounts are privileged accounts established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability. Emergency administrator accounts are different from infrequently used accounts (i.e., local logon accounts used by system administrators when network or normal logon/access is not available). Infrequently used accounts are not subject to automatic termination dates. Emergency accounts are accounts created in response to crisis situations, usually for use by maintenance personnel. The automatic expiration or disabling time period may be extended as needed until the crisis is resolved; however, it must not be extended indefinitely. A permanent account should be established for privileged users who need long-term maintenance accounts. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements." diff --git a/controls/V-93503.rb b/controls/SV-205711.rb similarity index 98% rename from controls/V-93503.rb rename to controls/SV-205711.rb index 6a065e5..dc9018e 100644 --- a/controls/V-93503.rb +++ b/controls/SV-205711.rb 
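Review bot: The new title prints `input('emergency_account_period')` as hours without the former `*24`, so the input's unit changes from days to hours with nothing in the hunk recording it; the `controls/SV-205726.rb` hunk does the same to `input('maximum_idle_time')` by dropping `/60` (seconds to minutes). The rest of each control block lies outside its hunk, so it is not visible whether the input defaults and the comparisons in the describe blocks were converted too; if they were not, the rendered requirement and the enforced threshold disagree, and an over-long emergency-account lifetime or idle LDAP session could pass the check. I would confirm both conversions and state the unit beside each title, e.g. `# emergency_account_period is given in hours` and `# maximum_idle_time is given in minutes`.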
@@ -1,6 +1,6 @@
 # encoding: UTF-8
 
-control "V-93503" do
+control "SV-205711" do
 title "Windows Server 2019 Windows Remote Management (WinRM) client must not use Basic authentication."
 desc "Basic authentication uses plain-text passwords that could be used to compromise a system. Disabling Basic authentication will reduce this potential."
 desc "rationale", ""
diff --git a/controls/V-93505.rb b/controls/SV-205712.rb
similarity index 98%
rename from controls/V-93505.rb
rename to controls/SV-205712.rb
index 5a58412..e509a6c 100644
--- a/controls/V-93505.rb
+++ b/controls/SV-205712.rb
@@ -1,6 +1,6 @@
 # encoding: UTF-8
 
-control "V-93505" do
+control "SV-205712" do
 title "Windows Server 2019 Windows Remote Management (WinRM) client must not use Digest authentication."
 desc "Digest authentication is not as strong as other options and may be subject to man-in-the-middle attacks. Disallowing Digest authentication will reduce this potential."
 desc "rationale", ""
diff --git a/controls/V-93507.rb b/controls/SV-205713.rb
similarity index 98%
rename from controls/V-93507.rb
rename to controls/SV-205713.rb
index a89b1ba..7315daa 100644
--- a/controls/V-93507.rb
+++ b/controls/SV-205713.rb
@@ -1,6 +1,6 @@
 # encoding: UTF-8
 
-control "V-93507" do
+control "SV-205713" do
 title "Windows Server 2019 Windows Remote Management (WinRM) service must not use Basic authentication."
 desc "Basic authentication uses plain-text passwords that could be used to compromise a system. Disabling Basic authentication will reduce this potential."
 desc "rationale", ""
diff --git a/controls/V-93517.rb b/controls/SV-205714.rb
similarity index 98%
rename from controls/V-93517.rb
rename to controls/SV-205714.rb
index 2f9a6fc..904956e 100644
--- a/controls/V-93517.rb
+++ b/controls/SV-205714.rb
@@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93517" do +control "SV-205714" do title "Windows Server 2019 administrator accounts must not be enumerated during elevation." desc "Enumeration of administrator accounts when elevating can provide part of the logon information to an unauthorized user. This setting configures the system to always require users to type in a username and password to elevate a running application." desc "rationale", "" diff --git a/controls/V-93519.rb b/controls/SV-205715.rb similarity index 99% rename from controls/V-93519.rb rename to controls/SV-205715.rb index b4da034..1a8cc18 100644 --- a/controls/V-93519.rb +++ b/controls/SV-205715.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93519" do +control "SV-205715" do title "Windows Server 2019 local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain-joined member servers." desc "A compromised local administrator account can provide means for an attacker to move laterally between domain systems. With User Account Control enabled, filtering the privileged token for local administrator accounts will prevent the elevated privileges of these accounts from being used over the network." diff --git a/controls/V-93521.rb b/controls/SV-205716.rb similarity index 98% rename from controls/V-93521.rb rename to controls/SV-205716.rb index 2bb96d8..38f4dda 100644 --- a/controls/V-93521.rb +++ b/controls/SV-205716.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93521" do +control "SV-205716" do title "Windows Server 2019 UIAccess applications must not be allowed to prompt for elevation without using the secure desktop." desc "User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting prevents User Interface Accessibility programs from disabling the secure desktop for elevation prompts." desc "rationale", "" 
diff --git a/controls/V-93523.rb b/controls/SV-205717.rb
similarity index 99%
rename from controls/V-93523.rb
rename to controls/SV-205717.rb
index 372fbbb..a8822a0 100644
--- a/controls/V-93523.rb
+++ b/controls/SV-205717.rb
@@ -1,6 +1,6 @@
 # encoding: UTF-8
 
-control "V-93523" do
+control "SV-205717" do
 title "Windows Server 2019 User Account Control must, at a minimum, prompt administrators for consent on the secure desktop."
 desc "User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures the elevation requirements for logged-on administrators to complete a task that requires raised privileges."
 desc "rationale", ""
diff --git a/controls/V-93525.rb b/controls/SV-205718.rb
similarity index 98%
rename from controls/V-93525.rb
rename to controls/SV-205718.rb
index 2664f11..6097f80 100644
--- a/controls/V-93525.rb
+++ b/controls/SV-205718.rb
@@ -1,6 +1,6 @@
 # encoding: UTF-8
 
-control "V-93525" do
+control "SV-205718" do
 title "Windows Server 2019 User Account Control must be configured to detect application installations and prompt for elevation."
 desc "User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting requires Windows to respond to application installation requests by prompting for credentials."
 desc "rationale", ""
diff --git a/controls/V-93527.rb b/controls/SV-205719.rb
similarity index 98%
rename from controls/V-93527.rb
rename to controls/SV-205719.rb
index e0817b7..034716d 100644
--- a/controls/V-93527.rb
+++ b/controls/SV-205719.rb
@@ -1,6 +1,6 @@
 # encoding: UTF-8
 
-control "V-93527" do
+control "SV-205719" do
 title "Windows Server 2019 User Account Control (UAC) must only elevate UIAccess applications that are installed in secure locations."
 desc "UAC is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures Windows to only allow applications installed in a secure location on the file system, such as the Program Files or the Windows\\System32 folders, to run with elevated privileges."
 desc "rationale", ""
diff --git a/controls/V-93529.rb b/controls/SV-205720.rb
similarity index 98%
rename from controls/V-93529.rb
rename to controls/SV-205720.rb
index ab4879a..9dfb4b5 100644
--- a/controls/V-93529.rb
+++ b/controls/SV-205720.rb
@@ -1,6 +1,6 @@
 # encoding: UTF-8
 
-control "V-93529" do
+control "SV-205720" do
 title "Windows Server 2019 User Account Control (UAC) must virtualize file and registry write failures to per-user locations."
 desc "UAC is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures non-UAC-compliant applications to run in virtualized file and registry entries in per-user locations, allowing them to run."
 desc "rationale", ""
diff --git a/controls/V-93531.rb b/controls/SV-205721.rb
similarity index 99%
rename from controls/V-93531.rb
rename to controls/SV-205721.rb
index 0414104..3a7ddf1 100644
--- a/controls/V-93531.rb
+++ b/controls/SV-205721.rb
@@ -1,4 +1,4 @@
-control 'V-93531' do
+control 'SV-205721' do
 title 'Windows Server 2019 non-system-created file shares must limit access to groups that require it.'
 desc 'Shares on a system provide network access. To prevent exposing sensitive information, where shares are necessary, permissions must be reconfigured to give the minimum access to accounts that require it.'
 desc 'rationale', ''
diff --git a/controls/V-93533.rb b/controls/SV-205722.rb similarity index 98% rename from controls/V-93533.rb rename to controls/SV-205722.rb index 3c103dc..608b23b 100644 --- a/controls/V-93533.rb +++ b/controls/SV-205722.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93533" do +control "SV-205722" do title "Windows Server 2019 Remote Desktop Services must prevent drive redirection." desc "Preventing users from sharing the local drives on their client computers with Remote Session Hosts that they access helps reduce possible exposure of sensitive data." desc "rationale", "" diff --git a/controls/V-93535.rb b/controls/SV-205723.rb similarity index 99% rename from controls/V-93535.rb rename to controls/SV-205723.rb index 9e25bad..44fef97 100644 --- a/controls/V-93535.rb +++ b/controls/SV-205723.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93535" do +control "SV-205723" do title "Windows Server 2019 data files owned by users must be on a different logical partition from the directory server data files." desc "When directory service data files, especially for directories used for identification, authentication, or authorization, reside on the same logical partition as user-owned files, the directory service data may be more vulnerable to unauthorized access or other availability compromises. Directory service and user-owned data files sharing a partition may be configured with less restrictive permissions in order to allow access to the user data. diff --git a/controls/V-93537.rb b/controls/SV-205724.rb similarity index 98% rename from controls/V-93537.rb rename to controls/SV-205724.rb index f1d3c3b..6117bae 100644 --- a/controls/V-93537.rb +++ b/controls/SV-205724.rb 
@@ -1,6 +1,6 @@
 # encoding: UTF-8
 
-control "V-93537" do
+control "SV-205724" do
 title "Windows Server 2019 must not allow anonymous enumeration of shares."
 desc "Allowing anonymous logon users (null session connections) to list all account names and enumerate all shared resources can provide a map of potential points to attack the system."
 desc "rationale", ""
diff --git a/controls/V-93539.rb b/controls/SV-205725.rb
similarity index 98%
rename from controls/V-93539.rb
rename to controls/SV-205725.rb
index 0cef79a..afa4a26 100644
--- a/controls/V-93539.rb
+++ b/controls/SV-205725.rb
@@ -1,6 +1,6 @@
 # encoding: UTF-8
 
-control "V-93539" do
+control "SV-205725" do
 title "Windows Server 2019 must restrict anonymous access to Named Pipes and Shares."
 desc "Allowing anonymous access to named pipes or shares provides the potential for unauthorized system access. This setting restricts access to those defined in \"Network access: Named Pipes that can be accessed anonymously\" and \"Network access: Shares that can be accessed anonymously\", both of which must be blank under other requirements."
 desc "rationale", ""
diff --git a/controls/V-93509.rb b/controls/SV-205726.rb
similarity index 97%
rename from controls/V-93509.rb
rename to controls/SV-205726.rb
index 82a273e..c42454f 100644
--- a/controls/V-93509.rb
+++ b/controls/SV-205726.rb
@@ -1,7 +1,7 @@
 # encoding: UTF-8
 
-control 'V-93509' do
- title "Windows Server 2019 directory service must be configured to terminate LDAP-based network connections to the directory server after #{input('maximum_idle_time')/60} minutes of inactivity."
+control 'SV-205726' do
+ title "Windows Server 2019 directory service must be configured to terminate LDAP-based network connections to the directory server after #{input('maximum_idle_time')} minutes of inactivity."
 desc 'The failure to terminate inactive network connections increases the risk of a successful attack on the directory server. The longer an established session is in progress, the more time an attacker has to hijack the session, implement a means to passively intercept data, or compromise any protections on client access. For example, if an attacker gains control of a client computer, an existing (already authenticated) session with the directory server could allow access to the directory. The lack of confidentiality protection in LDAP-based sessions increases exposure to this vulnerability.'
 desc 'rationale', ''
 desc 'check', "This applies to domain controllers. It is NA for other systems.
diff --git a/controls/V-93515.rb b/controls/SV-205727.rb
similarity index 99%
rename from controls/V-93515.rb
rename to controls/SV-205727.rb
index 67bb3ff..c0d0525 100644
--- a/controls/V-93515.rb
+++ b/controls/SV-205727.rb
@@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93515" do +control "SV-205727" do title "Windows Server 2019 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest." desc "This requirement addresses protection of user-generated data as well as operating system-specific configuration data. Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate, in accordance with the security category and/or classification of the information. Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields)." diff --git a/controls/V-93567.rb b/controls/SV-205728.rb similarity index 99% rename from controls/V-93567.rb rename to controls/SV-205728.rb index a6f1eac..93c325f 100644 --- a/controls/V-93567.rb +++ b/controls/SV-205728.rb 
@@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93567" do +control "SV-205728" do title "Windows Server 2019 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP)." desc "Without the use of automated mechanisms to scan for security flaws on a continuous and/or periodic basis, the operating system or other system components may remain vulnerable to the exploits presented by undetected software flaws. The operating system may have an integrated solution incorporating continuous scanning using HBSS and periodic scanning using other tools." desc "rationale", "" diff --git a/controls/V-92987.rb b/controls/SV-205729.rb similarity index 98% rename from controls/V-92987.rb rename to controls/SV-205729.rb index 20c1cb3..54381b1 100644 --- a/controls/V-92987.rb +++ b/controls/SV-205729.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-92987" do +control "SV-205729" do title "Windows Server 2019 must be configured to audit Logon/Logoff - Account Lockout successes." desc "Maintaining an audit trail of system activity logs can help identify diff --git a/controls/V-92989.rb b/controls/SV-205730.rb similarity index 100% rename from controls/V-92989.rb rename to controls/SV-205730.rb diff --git a/controls/V-93195.rb b/controls/SV-205731.rb similarity index 99% rename from controls/V-93195.rb rename to controls/SV-205731.rb index b3cac95..02f1c4d 100644 --- a/controls/V-93195.rb +++ b/controls/SV-205731.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93195" do +control "SV-205731" do title "Windows Server 2019 Event Viewer must be protected from unauthorized modification and deletion." desc "Protecting audit information also includes identifying and protecting 
diff --git a/controls/V-92963.rb b/controls/SV-205732.rb similarity index 99% rename from controls/V-92963.rb rename to controls/SV-205732.rb index 1d89f15..680a40b 100644 --- a/controls/V-92963.rb +++ b/controls/SV-205732.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control 'V-92963' do +control 'SV-205732' do title "Windows Server 2019 Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access." diff --git a/controls/V-92965.rb b/controls/SV-205733.rb similarity index 99% rename from controls/V-92965.rb rename to controls/SV-205733.rb index 3416a7d..066406a 100644 --- a/controls/V-92965.rb +++ b/controls/SV-205733.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-92965" do +control "SV-205733" do title "Windows Server 2019 Deny log on through Remote Desktop Services user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from diff --git a/controls/V-93019.rb b/controls/SV-205734.rb similarity index 99% rename from controls/V-93019.rb rename to controls/SV-205734.rb index 55ab0a6..0f75c59 100644 --- a/controls/V-93019.rb +++ b/controls/SV-205734.rb @@ -1,4 +1,4 @@ -control 'V-93019' do +control 'SV-205734' do title "Windows Server 2019 permissions for the system drive root directory (usually C:\\) must conform to minimum requirements." desc "Changing the system's file and directory permissions allows the diff --git a/controls/V-93021.rb b/controls/SV-205735.rb similarity index 99% rename from controls/V-93021.rb rename to controls/SV-205735.rb index 6f513d6..b3fa438 100644 --- a/controls/V-93021.rb +++ b/controls/SV-205735.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93021" do +control "SV-205735" do title "Windows Server 2019 permissions for program file directories must conform to minimum requirements." desc "Changing the system's file and directory permissions allows the 
diff --git a/controls/V-93023.rb b/controls/SV-205736.rb similarity index 99% rename from controls/V-93023.rb rename to controls/SV-205736.rb index 89cc9c3..e7b7ff5 100644 --- a/controls/V-93023.rb +++ b/controls/SV-205736.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93023" do +control "SV-205736" do title "Windows Server 2019 permissions for the Windows installation directory must conform to minimum requirements." desc "Changing the system's file and directory permissions allows the diff --git a/controls/V-93025.rb b/controls/SV-205737.rb similarity index 99% rename from controls/V-93025.rb rename to controls/SV-205737.rb index 42b2ecd..43b5245 100644 --- a/controls/V-93025.rb +++ b/controls/SV-205737.rb @@ -1,4 +1,4 @@ -control 'V-93025' do + control 'SV-205737' do title "Windows Server 2019 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained." desc "The registry is integral to the function, security, and stability of diff --git a/controls/V-93027.rb b/controls/SV-205738.rb similarity index 99% rename from controls/V-93027.rb rename to controls/SV-205738.rb index e881185..4dc6832 100644 --- a/controls/V-93027.rb +++ b/controls/SV-205738.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93027" do +control "SV-205738" do title "Windows Server 2019 must only allow administrators responsible for the domain controller to have Administrator rights on the system." desc "An account that does not have Administrator duties must not have diff --git a/controls/V-93029.rb b/controls/SV-205739.rb similarity index 99% rename from controls/V-93029.rb rename to controls/SV-205739.rb index 3a511c8..423c0c2 100644 --- a/controls/V-93029.rb +++ b/controls/SV-205739.rb @@ -1,4 +1,4 @@ -control 'V-93029' do +control 'SV-205739' do title "Windows Server 2019 permissions on the Active Directory data files must only allow System and Administrators access." desc "Improper access permissions for directory data-related files could 
diff --git a/controls/V-93031.rb b/controls/SV-205740.rb similarity index 99% rename from controls/V-93031.rb rename to controls/SV-205740.rb index 6ca40ab..1535547 100644 --- a/controls/V-93031.rb +++ b/controls/SV-205740.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93031" do +control "SV-205740" do title "Windows Server 2019 Active Directory SYSVOL directory must have the proper access control permissions." desc "Improper access permissions for directory data files could allow diff --git a/controls/V-93033.rb b/controls/SV-205741.rb similarity index 99% rename from controls/V-93033.rb rename to controls/SV-205741.rb index 19365ba..c17c204 100644 --- a/controls/V-93033.rb +++ b/controls/SV-205741.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93033" do +control "SV-205741" do title "Windows Server 2019 Active Directory Group Policy objects must have proper access control permissions." desc "When directory service database objects do not have appropriate access diff --git a/controls/V-93035.rb b/controls/SV-205742.rb similarity index 99% rename from controls/V-93035.rb rename to controls/SV-205742.rb index c6ad064..77be6ce 100644 --- a/controls/V-93035.rb +++ b/controls/SV-205742.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93035" do +control "SV-205742" do title "Windows Server 2019 Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions." desc "When Active Directory objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, update, or delete the objects and degrade or destroy the integrity of the data. When the directory service is used for identification, authentication, or authorization functions, a compromise of the database objects could lead to a compromise of all systems that rely on the directory service. 
diff --git a/controls/V-93037.rb b/controls/SV-205743.rb similarity index 99% rename from controls/V-93037.rb rename to controls/SV-205743.rb index a107053..cd6ebf0 100644 --- a/controls/V-93037.rb +++ b/controls/SV-205743.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93037" do +control "SV-205743" do title "Windows Server 2019 organization created Active Directory Organizational Unit (OU) objects must have proper access control permissions." desc "When directory service database objects do not have appropriate access diff --git a/controls/V-93039.rb b/controls/SV-205744.rb similarity index 99% rename from controls/V-93039.rb rename to controls/SV-205744.rb index ce829e5..eac3f44 100644 --- a/controls/V-93039.rb +++ b/controls/SV-205744.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93039" do +control "SV-205744" do title "Windows Server 2019 Add workstations to domain user right must only be assigned to the Administrators group on domain controllers." desc "Inappropriate granting of user rights can provide system, diff --git a/controls/V-93041.rb b/controls/SV-205745.rb similarity index 99% rename from controls/V-93041.rb rename to controls/SV-205745.rb index 53e5a21..e03b886 100644 --- a/controls/V-93041.rb +++ b/controls/SV-205745.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93041" do +control "SV-205745" do title "Windows Server 2019 Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers." diff --git a/controls/V-93043.rb b/controls/SV-205746.rb similarity index 99% rename from controls/V-93043.rb rename to controls/SV-205746.rb index e485688..7d9d332 100644 --- a/controls/V-93043.rb +++ b/controls/SV-205746.rb 
@@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93043" do +control "SV-205746" do title "Windows Server 2019 must only allow administrators responsible for the member server or standalone system to have Administrator rights on the system." desc "An account that does not have Administrator duties must not have diff --git a/controls/V-93045.rb b/controls/SV-205747.rb similarity index 99% rename from controls/V-93045.rb rename to controls/SV-205747.rb index c9dffcf..b62b887 100644 --- a/controls/V-93045.rb +++ b/controls/SV-205747.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93045" do +control "SV-205747" do title "Windows Server 2019 must restrict remote calls to the Security Account Manager (SAM) to Administrators on domain-joined member servers and standalone systems." diff --git a/controls/V-93047.rb b/controls/SV-205748.rb similarity index 99% rename from controls/V-93047.rb rename to controls/SV-205748.rb index 6fd69a1..205f355 100644 --- a/controls/V-93047.rb +++ b/controls/SV-205748.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93047" do +control "SV-205748" do title "Windows Server 2019 Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts on domain-joined member servers and standalone systems." diff --git a/controls/V-93049.rb b/controls/SV-205749.rb similarity index 98% rename from controls/V-93049.rb rename to controls/SV-205749.rb index 92d718d..a8eae15 100644 --- a/controls/V-93049.rb +++ b/controls/SV-205749.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93049" do +control "SV-205749" do title "Windows Server 2019 Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts." desc "Inappropriate granting of user rights can provide system, diff --git a/controls/V-93051.rb b/controls/SV-205750.rb similarity index 99% rename from controls/V-93051.rb rename to controls/SV-205750.rb index 7a14725..542d9ee 100644 --- a/controls/V-93051.rb 
+++ b/controls/SV-205750.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93051" do +control "SV-205750" do title "Windows Server 2019 Act as part of the operating system user right must not be assigned to any groups or accounts." desc "Inappropriate granting of user rights can provide system, diff --git a/controls/V-93053.rb b/controls/SV-205751.rb similarity index 99% rename from controls/V-93053.rb rename to controls/SV-205751.rb index 30d3bc2..9d925ee 100644 --- a/controls/V-93053.rb +++ b/controls/SV-205751.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93053" do +control "SV-205751" do title "Windows Server 2019 Back up files and directories user right must only be assigned to the Administrators group." desc "Inappropriate granting of user rights can provide system, diff --git a/controls/V-93055.rb b/controls/SV-205752.rb similarity index 98% rename from controls/V-93055.rb rename to controls/SV-205752.rb index 85a8215..79fcbac 100644 --- a/controls/V-93055.rb +++ b/controls/SV-205752.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93055" do +control "SV-205752" do title "Windows Server 2019 Create a pagefile user right must only be assigned to the Administrators group." desc "Inappropriate granting of user rights can provide system, diff --git a/controls/V-93057.rb b/controls/SV-205753.rb similarity index 99% rename from controls/V-93057.rb rename to controls/SV-205753.rb index eb8de76..06e8c1e 100644 --- a/controls/V-93057.rb +++ b/controls/SV-205753.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93057" do +control "SV-205753" do title "Windows Server 2019 Create a token object user right must not be assigned to any groups or accounts." desc "Inappropriate granting of user rights can provide system, diff --git a/controls/V-93059.rb b/controls/SV-205754.rb similarity index 99% rename from controls/V-93059.rb rename to controls/SV-205754.rb index 29845e3..de0b049 100644 --- a/controls/V-93059.rb +++ b/controls/SV-205754.rb 
@@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93059" do +control "SV-205754" do title "Windows Server 2019 Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service." desc "Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the \"Create global objects\" user right can create objects that are available to all sessions, which could affect processes in otherusers' sessions." diff --git a/controls/V-93061.rb b/controls/SV-205755.rb similarity index 98% rename from controls/V-93061.rb rename to controls/SV-205755.rb index 40fc1d6..b047030 100644 --- a/controls/V-93061.rb +++ b/controls/SV-205755.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93061" do +control "SV-205755" do title "Windows Server 2019 Create permanent shared objects user right must not be assigned to any groups or accounts." desc "Inappropriate granting of user rights can provide system, diff --git a/controls/V-93063.rb b/controls/SV-205756.rb similarity index 99% rename from controls/V-93063.rb rename to controls/SV-205756.rb index a9da034..ee1e8e0 100644 --- a/controls/V-93063.rb +++ b/controls/SV-205756.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93063" do +control "SV-205756" do title "Windows Server 2019 Create symbolic links user right must only be assigned to the Administrators group." desc "Inappropriate granting of user rights can provide system, diff --git a/controls/V-93065.rb b/controls/SV-205757.rb similarity index 99% rename from controls/V-93065.rb rename to controls/SV-205757.rb index 96897e0..5beab39 100644 --- a/controls/V-93065.rb +++ b/controls/SV-205757.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93065" do +control "SV-205757" do title "Windows Server 2019 Debug programs: user right must only be assigned to the Administrators group." desc "Inappropriate granting of user rights can provide system, 
diff --git a/controls/V-93067.rb b/controls/SV-205758.rb similarity index 99% rename from controls/V-93067.rb rename to controls/SV-205758.rb index 82e2b7a..1865b8f 100644 --- a/controls/V-93067.rb +++ b/controls/SV-205758.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93067" do +control "SV-205758" do title "Windows Server 2019 Force shutdown from a remote system user right must only be assigned to the Administrators group." desc "Inappropriate granting of user rights can provide system, diff --git a/controls/V-93069.rb b/controls/SV-205759.rb similarity index 99% rename from controls/V-93069.rb rename to controls/SV-205759.rb index 8a22398..ec2da93 100644 --- a/controls/V-93069.rb +++ b/controls/SV-205759.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93069" do +control "SV-205759" do title "Windows Server 2019 Generate security audits user right must only be assigned to Local Service and Network Service." desc "Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The \"Generate security audits\" user right specifies users and processes that can generate Security Log audit records, which must only be the system service accounts defined." diff --git a/controls/V-93071.rb b/controls/SV-205760.rb similarity index 99% rename from controls/V-93071.rb rename to controls/SV-205760.rb index 3006a9f..d51bfc7 100644 --- a/controls/V-93071.rb +++ b/controls/SV-205760.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93071" do +control "SV-205760" do title "Windows Server 2019 Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service." diff --git a/controls/V-93073.rb b/controls/SV-205761.rb similarity index 99% rename from controls/V-93073.rb rename to controls/SV-205761.rb index 32c9ead..aa1ca81 100644 --- a/controls/V-93073.rb +++ b/controls/SV-205761.rb 
@@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93073" do +control "SV-205761" do title "Windows Server 2019 Increase scheduling priority: user right must only be assigned to the Administrators group." desc "Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the \"Increase scheduling priority\" user right can change a scheduling priority, causing performance issues or a denial of service." diff --git a/controls/V-93075.rb b/controls/SV-205762.rb similarity index 99% rename from controls/V-93075.rb rename to controls/SV-205762.rb index 4dadb56..e254acd 100644 --- a/controls/V-93075.rb +++ b/controls/SV-205762.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93075" do +control "SV-205762" do title "Windows Server 2019 Load and unload device drivers user right must only be assigned to the Administrators group." desc "Inappropriate granting of user rights can provide system, diff --git a/controls/V-93077.rb b/controls/SV-205763.rb similarity index 99% rename from controls/V-93077.rb rename to controls/SV-205763.rb index 1d28efe..2eaa9ad 100644 --- a/controls/V-93077.rb +++ b/controls/SV-205763.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93077" do +control "SV-205763" do title "Windows Server 2019 Lock pages in memory user right must not be assigned to any groups or accounts." desc "Inappropriate granting of user rights can provide system, diff --git a/controls/V-93079.rb b/controls/SV-205764.rb similarity index 99% rename from controls/V-93079.rb rename to controls/SV-205764.rb index 1ea7782..760ac15 100644 --- a/controls/V-93079.rb +++ b/controls/SV-205764.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93079" do +control "SV-205764" do title "Windows Server 2019 Modify firmware environment values user right must only be assigned to the Administrators group." desc "Inappropriate granting of user rights can provide system, 
diff --git a/controls/V-93081.rb b/controls/SV-205765.rb similarity index 99% rename from controls/V-93081.rb rename to controls/SV-205765.rb index 01614fd..896ac2a 100644 --- a/controls/V-93081.rb +++ b/controls/SV-205765.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93081" do +control "SV-205765" do title "Windows Server 2019 Perform volume maintenance tasks user right must only be assigned to the Administrators group." desc "Inappropriate granting of user rights can provide system, diff --git a/controls/V-93083.rb b/controls/SV-205766.rb similarity index 99% rename from controls/V-93083.rb rename to controls/SV-205766.rb index 539f87c..ad53d85 100644 --- a/controls/V-93083.rb +++ b/controls/SV-205766.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93083" do +control "SV-205766" do title "Windows Server 2019 Profile single process user right must only be assigned to the Administrators group." desc "Inappropriate granting of user rights can provide system, diff --git a/controls/V-93085.rb b/controls/SV-205767.rb similarity index 99% rename from controls/V-93085.rb rename to controls/SV-205767.rb index 7a237cb..9c061c0 100644 --- a/controls/V-93085.rb +++ b/controls/SV-205767.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93085" do +control "SV-205767" do title "Windows Server 2019 Restore files and directories user right must only be assigned to the Administrators group." desc "Inappropriate granting of user rights can provide system, diff --git a/controls/V-93087.rb b/controls/SV-205768.rb similarity index 99% rename from controls/V-93087.rb rename to controls/SV-205768.rb index 3911a24..3699ae0 100644 --- a/controls/V-93087.rb +++ b/controls/SV-205768.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93087" do +control "SV-205768" do title "Windows Server 2019 Take ownership of files or other objects user right must only be assigned to the Administrators group." desc "Inappropriate granting of user rights can provide system, 
diff --git a/controls/V-93089.rb b/controls/SV-205769.rb similarity index 99% rename from controls/V-93089.rb rename to controls/SV-205769.rb index e95d375..3ebb88d 100644 --- a/controls/V-93089.rb +++ b/controls/SV-205769.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93089" do +control "SV-205769" do title "Windows Server 2019 must be configured to audit Account Management - Other Account Management Events successes." desc "Maintaining an audit trail of system activity logs can help identify diff --git a/controls/V-93091.rb b/controls/SV-205770.rb similarity index 98% rename from controls/V-93091.rb rename to controls/SV-205770.rb index 1429a5b..35726fe 100644 --- a/controls/V-93091.rb +++ b/controls/SV-205770.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93091" do +control "SV-205770" do title "Windows Server 2019 must be configured to audit Detailed Tracking - Process Creation successes." desc "Maintaining an audit trail of system activity logs can help identify diff --git a/controls/V-93093.rb b/controls/SV-205771.rb similarity index 98% rename from controls/V-93093.rb rename to controls/SV-205771.rb index 446de4b..74ea2d7 100644 --- a/controls/V-93093.rb +++ b/controls/SV-205771.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93093" do +control "SV-205771" do title "Windows Server 2019 must be configured to audit Policy Change - Audit Policy Change successes." desc "Maintaining an audit trail of system activity logs can help identify diff --git a/controls/V-93095.rb b/controls/SV-205772.rb similarity index 98% rename from controls/V-93095.rb rename to controls/SV-205772.rb index a6fb1c4..8f10ddc 100644 --- a/controls/V-93095.rb +++ b/controls/SV-205772.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93095" do +control "SV-205772" do title "Windows Server 2019 must be configured to audit Policy Change - Audit Policy Change failures." desc "Maintaining an audit trail of system activity logs can help identify 
diff --git a/controls/V-93097.rb b/controls/SV-205773.rb similarity index 99% rename from controls/V-93097.rb rename to controls/SV-205773.rb index 4e59ec0..b03ecaa 100644 --- a/controls/V-93097.rb +++ b/controls/SV-205773.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93097" do +control "SV-205773" do title "Windows Server 2019 must be configured to audit Policy Change - Authentication Policy Change successes." desc "Maintaining an audit trail of system activity logs can help identify diff --git a/controls/V-93099.rb b/controls/SV-205774.rb similarity index 99% rename from controls/V-93099.rb rename to controls/SV-205774.rb index 1da4fae..b82b201 100644 --- a/controls/V-93099.rb +++ b/controls/SV-205774.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93099" do +control "SV-205774" do title "Windows Server 2019 must be configured to audit Policy Change - Authorization Policy Change successes." desc "Maintaining an audit trail of system activity logs can help identify diff --git a/controls/V-93101.rb b/controls/SV-205775.rb similarity index 99% rename from controls/V-93101.rb rename to controls/SV-205775.rb index 7306cf8..6a87574 100644 --- a/controls/V-93101.rb +++ b/controls/SV-205775.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93101" do +control "SV-205775" do title "Windows Server 2019 must be configured to audit Privilege Use - Sensitive Privilege Use successes." desc "Maintaining an audit trail of system activity logs can help identify diff --git a/controls/V-93103.rb b/controls/SV-205776.rb similarity index 99% rename from controls/V-93103.rb rename to controls/SV-205776.rb index 379a85f..fb0b199 100644 --- a/controls/V-93103.rb +++ b/controls/SV-205776.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93103" do +control "SV-205776" do title "Windows Server 2019 must be configured to audit Privilege Use - Sensitive Privilege Use failures." desc "Maintaining an audit trail of system activity logs can help identify 
diff --git a/controls/V-93105.rb b/controls/SV-205777.rb similarity index 98% rename from controls/V-93105.rb rename to controls/SV-205777.rb index fd8db82..5a12f55 100644 --- a/controls/V-93105.rb +++ b/controls/SV-205777.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93105" do +control "SV-205777" do title "Windows Server 2019 must be configured to audit System - IPsec Driver successes." desc "Maintaining an audit trail of system activity logs can help identify diff --git a/controls/V-93107.rb b/controls/SV-205778.rb similarity index 98% rename from controls/V-93107.rb rename to controls/SV-205778.rb index cccea91..091ca05 100644 --- a/controls/V-93107.rb +++ b/controls/SV-205778.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93107" do +control "SV-205778" do title "Windows Server 2019 must be configured to audit System - IPsec Driver failures." desc "Maintaining an audit trail of system activity logs can help identify diff --git a/controls/V-93109.rb b/controls/SV-205779.rb similarity index 98% rename from controls/V-93109.rb rename to controls/SV-205779.rb index b4c7cb2..1354e2f 100644 --- a/controls/V-93109.rb +++ b/controls/SV-205779.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93109" do +control "SV-205779" do title "Windows Server 2019 must be configured to audit System - Other System Events successes." desc "Maintaining an audit trail of system activity logs can help identify diff --git a/controls/V-93111.rb b/controls/SV-205780.rb similarity index 98% rename from controls/V-93111.rb rename to controls/SV-205780.rb index 4e1d974..a38fa9b 100644 --- a/controls/V-93111.rb +++ b/controls/SV-205780.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93111" do +control "SV-205780" do title "Windows Server 2019 must be configured to audit System - Other System Events failures." desc "Maintaining an audit trail of system activity logs can help identify 
diff --git a/controls/V-93113.rb b/controls/SV-205781.rb similarity index 98% rename from controls/V-93113.rb rename to controls/SV-205781.rb index a623ab4..7c69bc8 100644 --- a/controls/V-93113.rb +++ b/controls/SV-205781.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93113" do +control "SV-205781" do title "Windows Server 2019 must be configured to audit System - Security State Change successes." desc "Maintaining an audit trail of system activity logs can help identify diff --git a/controls/V-93115.rb b/controls/SV-205782.rb similarity index 99% rename from controls/V-93115.rb rename to controls/SV-205782.rb index 2749bfc..8a49449 100644 --- a/controls/V-93115.rb +++ b/controls/SV-205782.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93115" do +control "SV-205782" do title "Windows Server 2019 must be configured to audit System - Security System Extension successes." desc "Maintaining an audit trail of system activity logs can help identify diff --git a/controls/V-93117.rb b/controls/SV-205783.rb similarity index 98% rename from controls/V-93117.rb rename to controls/SV-205783.rb index d0fb4c9..1983a74 100644 --- a/controls/V-93117.rb +++ b/controls/SV-205783.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93117" do +control "SV-205783" do title "Windows Server 2019 must be configured to audit System - System Integrity successes." desc "Maintaining an audit trail of system activity logs can help identify diff --git a/controls/V-93119.rb b/controls/SV-205784.rb similarity index 98% rename from controls/V-93119.rb rename to controls/SV-205784.rb index be3c222..39e6d90 100644 --- a/controls/V-93119.rb +++ b/controls/SV-205784.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93119" do +control "SV-205784" do title "Windows Server 2019 must be configured to audit System - System Integrity failures." desc "Maintaining an audit trail of system activity logs can help identify 
diff --git a/controls/V-93121.rb b/controls/SV-205785.rb similarity index 99% rename from controls/V-93121.rb rename to controls/SV-205785.rb index 21ee49c..2597ca8 100644 --- a/controls/V-93121.rb +++ b/controls/SV-205785.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93121" do +control "SV-205785" do title "Windows Server 2019 Active Directory Group Policy objects must be configured with proper audit settings." desc "When inappropriate audit settings are configured for directory service diff --git a/controls/V-93123.rb b/controls/SV-205786.rb similarity index 99% rename from controls/V-93123.rb rename to controls/SV-205786.rb index a1d3237..321dcce 100644 --- a/controls/V-93123.rb +++ b/controls/SV-205786.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93123" do +control "SV-205786" do title "Windows Server 2019 Active Directory Domain object must be configured with proper audit settings." desc "When inappropriate audit settings are configured for directory service diff --git a/controls/V-93125.rb b/controls/SV-205787.rb similarity index 99% rename from controls/V-93125.rb rename to controls/SV-205787.rb index 6b8d75e..daa1de8 100644 --- a/controls/V-93125.rb +++ b/controls/SV-205787.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93125" do +control "SV-205787" do title "Windows Server 2019 Active Directory Infrastructure object must be configured with proper audit settings." desc "When inappropriate audit settings are configured for directory service diff --git a/controls/V-93127.rb b/controls/SV-205788.rb similarity index 99% rename from controls/V-93127.rb rename to controls/SV-205788.rb index 00ceb70..9788288 100644 --- a/controls/V-93127.rb +++ b/controls/SV-205788.rb 
@@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93127" do +control "SV-205788" do title "Windows Server 2019 Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings." desc "When inappropriate audit settings are configured for directory service diff --git a/controls/V-93129.rb b/controls/SV-205789.rb similarity index 99% rename from controls/V-93129.rb rename to controls/SV-205789.rb index c4da4c4..bd3fb14 100644 --- a/controls/V-93129.rb +++ b/controls/SV-205789.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93129" do +control "SV-205789" do title "Windows Server 2019 Active Directory AdminSDHolder object must be configured with proper audit settings." desc "When inappropriate audit settings are configured for directory service diff --git a/controls/V-93131.rb b/controls/SV-205790.rb similarity index 99% rename from controls/V-93131.rb rename to controls/SV-205790.rb index fd82924..f38bcf6 100644 --- a/controls/V-93131.rb +++ b/controls/SV-205790.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93131" do +control "SV-205790" do title "Windows Server 2019 Active Directory RID Manager$ object must be configured with proper audit settings." desc "When inappropriate audit settings are configured for directory service diff --git a/controls/V-93133.rb b/controls/SV-205791.rb similarity index 99% rename from controls/V-93133.rb rename to controls/SV-205791.rb index 422eb85..af2a084 100644 --- a/controls/V-93133.rb +++ b/controls/SV-205791.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93133" do +control "SV-205791" do title "Windows Server 2019 must be configured to audit DS Access - Directory Service Access successes." desc "Maintaining an audit trail of system activity logs can help identify diff --git a/controls/V-93135.rb b/controls/SV-205792.rb similarity index 99% rename from controls/V-93135.rb rename to controls/SV-205792.rb index 13006d2..15bafd6 100644 --- a/controls/V-93135.rb 
+++ b/controls/SV-205792.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93135" do +control "SV-205792" do title "Windows Server 2019 must be configured to audit DS Access - Directory Service Access failures." desc "Maintaining an audit trail of system activity logs can help identify diff --git a/controls/V-93137.rb b/controls/SV-205793.rb similarity index 99% rename from controls/V-93137.rb rename to controls/SV-205793.rb index 6bb0f5f..e8f1d5e 100644 --- a/controls/V-93137.rb +++ b/controls/SV-205793.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93137" do +control "SV-205793" do title "Windows Server 2019 must be configured to audit DS Access - Directory Service Changes successes." desc "Maintaining an audit trail of system activity logs can help identify diff --git a/controls/V-93139.rb b/controls/SV-205794.rb similarity index 99% rename from controls/V-93139.rb rename to controls/SV-205794.rb index 0ff455c..3c23881 100644 --- a/controls/V-93139.rb +++ b/controls/SV-205794.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93139" do +control "SV-205794" do title "Windows Server 2019 must be configured to audit DS Access - Directory Service Changes failures." desc "Maintaining an audit trail of system activity logs can help identify diff --git a/controls/V-93145.rb b/controls/SV-205795.rb similarity index 99% rename from controls/V-93145.rb rename to controls/SV-205795.rb index 2c64fad..49ec5b5 100644 --- a/controls/V-93145.rb +++ b/controls/SV-205795.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93145" do +control "SV-205795" do title "Windows Server 2019 account lockout duration must be configured to #{input('pass_lock_duration')} minutes or greater." desc "The account lockout feature, when enabled, prevents brute-force diff --git a/controls/V-93177.rb b/controls/SV-205796.rb similarity index 98% rename from controls/V-93177.rb rename to controls/SV-205796.rb index e189f0c..3a5c26a 100644 --- a/controls/V-93177.rb +++ b/controls/SV-205796.rb 
@@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93177" do +control "SV-205796" do title "Windows Server 2019 Application event log size must be configured to 32768 KB or greater." desc "Inadequate log size will cause the log to fill up quickly. This may diff --git a/controls/V-93179.rb b/controls/SV-205797.rb similarity index 98% rename from controls/V-93179.rb rename to controls/SV-205797.rb index e5fed1e..da3e4b2 100644 --- a/controls/V-93179.rb +++ b/controls/SV-205797.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93179" do +control "SV-205797" do title "Windows Server 2019 Security event log size must be configured to 196608 KB or greater." desc "Inadequate log size will cause the log to fill up quickly. This may diff --git a/controls/V-93181.rb b/controls/SV-205798.rb similarity index 98% rename from controls/V-93181.rb rename to controls/SV-205798.rb index d45b04f..1ced652 100644 --- a/controls/V-93181.rb +++ b/controls/SV-205798.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93181" do +control "SV-205798" do title "Windows Server 2019 System event log size must be configured to 32768 KB or greater." desc "Inadequate log size will cause the log to fill up quickly. This may diff --git a/controls/V-93183.rb b/controls/SV-205799.rb similarity index 98% rename from controls/V-93183.rb rename to controls/SV-205799.rb index db22e32..a0bf458 100644 --- a/controls/V-93183.rb +++ b/controls/SV-205799.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93183" do +control "SV-205799" do title "Windows Server 2019 audit records must be backed up to a different system or media than the system being audited." desc "Protection of log data includes assuring the log data is not diff --git a/controls/V-93187.rb b/controls/SV-205800.rb similarity index 99% rename from controls/V-93187.rb rename to controls/SV-205800.rb index cee2d15..254510c 100644 --- a/controls/V-93187.rb +++ b/controls/SV-205800.rb 
@@ -1,4 +1,4 @@ -control 'V-93187' do +control 'SV-205800' do title "The Windows Server 2019 time service must synchronize with an appropriate #{input('org_name')[:acronym]} time source." desc "The Windows Time Service controls time synchronization settings. Time diff --git a/controls/V-93199.rb b/controls/SV-205801.rb similarity index 98% rename from controls/V-93199.rb rename to controls/SV-205801.rb index 3d477eb..dfe5098 100644 --- a/controls/V-93199.rb +++ b/controls/SV-205801.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93199" do +control "SV-205801" do title "Windows Server 2019 must prevent users from changing installation options." desc "Installation options for applications are typically controlled by diff --git a/controls/V-93201.rb b/controls/SV-205802.rb similarity index 98% rename from controls/V-93201.rb rename to controls/SV-205802.rb index a14f9ad..89457e2 100644 --- a/controls/V-93201.rb +++ b/controls/SV-205802.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93201" do +control "SV-205802" do title "Windows Server 2019 must disable the Windows Installer Always install with elevated privileges option." desc "Standard user accounts must not be granted elevated privileges. diff --git a/controls/V-93203.rb b/controls/SV-205803.rb similarity index 98% rename from controls/V-93203.rb rename to controls/SV-205803.rb index 7411dcb..126c05b 100644 --- a/controls/V-93203.rb +++ b/controls/SV-205803.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93203" do +control "SV-205803" do title "Windows Server 2019 system files must be monitored for unauthorized changes." desc "Monitoring system files for changes against a baseline on a regular diff --git a/controls/V-93373.rb b/controls/SV-205804.rb similarity index 98% rename from controls/V-93373.rb rename to controls/SV-205804.rb index fcc203c..f034b85 100644 --- a/controls/V-93373.rb +++ b/controls/SV-205804.rb 
@@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93373" do +control "SV-205804" do title "Windows Server 2019 Autoplay must be turned off for non-volume devices." desc "Allowing AutoPlay to execute may introduce malicious code to a system. AutoPlay begins reading from a drive as soon as media is inserted into the drive. As a result, the setup file of programs or music on audio media may start. This setting will disable AutoPlay for non-volume devices, such as Media Transfer Protocol (MTP) devices." desc "rationale", "" diff --git a/controls/V-93375.rb b/controls/SV-205805.rb similarity index 98% rename from controls/V-93375.rb rename to controls/SV-205805.rb index bc027c0..7c84348 100644 --- a/controls/V-93375.rb +++ b/controls/SV-205805.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93375" do +control "SV-205805" do title "Windows Server 2019 default AutoRun behavior must be configured to prevent AutoRun commands." desc "Allowing AutoRun commands to execute may introduce malicious code to a system. Configuring this setting prevents AutoRun commands from executing." desc "rationale", "" diff --git a/controls/V-93377.rb b/controls/SV-205806.rb similarity index 98% rename from controls/V-93377.rb rename to controls/SV-205806.rb index 0cc1224..2f672db 100644 --- a/controls/V-93377.rb +++ b/controls/SV-205806.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93377" do +control "SV-205806" do title "Windows Server 2019 AutoPlay must be disabled for all drives." desc "Allowing AutoPlay to execute may introduce malicious code to a system. AutoPlay begins reading from a drive as soon media is inserted into the drive. As a result, the setup file of programs or music on audio media may start. By default, AutoPlay is disabled on removable drives, such as the floppy disk drive (but not the CD-ROM drive) and on network drives. Enabling this policy disables AutoPlay on all drives." desc "rationale", "" 
diff --git a/controls/V-93379.rb b/controls/SV-205807.rb similarity index 99% rename from controls/V-93379.rb rename to controls/SV-205807.rb index c7c303b..c03e2a5 100644 --- a/controls/V-93379.rb +++ b/controls/SV-205807.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93379" do +control "SV-205807" do title "Windows Server 2019 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs." desc "Using a whitelist provides a configuration management method to allow the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. The organization must identify authorized software programs and only permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting." diff --git a/controls/V-93425.rb b/controls/SV-205808.rb similarity index 98% rename from controls/V-93425.rb rename to controls/SV-205808.rb index dad3239..42bd23f 100644 --- a/controls/V-93425.rb +++ b/controls/SV-205808.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93425" do +control "SV-205808" do title "Windows Server 2019 must not save passwords in the Remote Desktop Client." desc "Saving passwords in the Remote Desktop Client could allow an unauthorized user to establish a remote desktop session to another system. The system must be configured to prevent users from saving passwords in the Remote Desktop Client." desc "rationale", "" diff --git a/controls/V-93427.rb b/controls/SV-205809.rb similarity index 98% rename from controls/V-93427.rb rename to controls/SV-205809.rb index b8d0be0..a8a376c 100644 --- a/controls/V-93427.rb +++ b/controls/SV-205809.rb 
@@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93427" do +control "SV-205809" do title "Windows Server 2019 Remote Desktop Services must always prompt a client for passwords upon connection." desc "This setting controls the ability of users to supply passwords automatically as part of their remote desktop connection. Disabling this setting would allow anyone to use the stored credentials in a connection item to connect to the terminal server." desc "rationale", "" diff --git a/controls/V-93429.rb b/controls/SV-205810.rb similarity index 98% rename from controls/V-93429.rb rename to controls/SV-205810.rb index 198d916..6d7ac50 100644 --- a/controls/V-93429.rb +++ b/controls/SV-205810.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93429" do +control "SV-205810" do title "Windows Server 2019 Windows Remote Management (WinRM) service must not store RunAs credentials." desc "Storage of administrative credentials could allow unauthorized access. Disallowing the storage of RunAs credentials for Windows Remote Management will prevent them from being used with plug-ins." desc "rationale", "" diff --git a/controls/V-93431.rb b/controls/SV-205811.rb similarity index 98% rename from controls/V-93431.rb rename to controls/SV-205811.rb index 9730ff8..44d5733 100644 --- a/controls/V-93431.rb +++ b/controls/SV-205811.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93431" do +control "SV-205811" do title "Windows Server 2019 User Account Control approval mode for the built-in Administrator must be enabled." desc "User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures the built-in Administrator account so that it runs in Admin Approval Mode." desc "rationale", "" diff --git a/controls/V-93433.rb b/controls/SV-205812.rb similarity index 98% rename from controls/V-93433.rb rename to controls/SV-205812.rb index cbbd3f9..05c1895 100644 --- a/controls/V-93433.rb 
+++ b/controls/SV-205812.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93433" do +control "SV-205812" do title "Windows Server 2019 User Account Control must automatically deny standard user requests for elevation." desc "User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting controls the behavior of elevation when requested by a standard user account." desc "rationale", "" diff --git a/controls/V-93435.rb b/controls/SV-205813.rb similarity index 98% rename from controls/V-93435.rb rename to controls/SV-205813.rb index e9e99b6..f3adf65 100644 --- a/controls/V-93435.rb +++ b/controls/SV-205813.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93435" do +control "SV-205813" do title "Windows Server 2019 User Account Control must run all administrators in Admin Approval Mode, enabling UAC." desc "User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting enables UAC." desc "rationale", "" diff --git a/controls/V-93453.rb b/controls/SV-205814.rb similarity index 98% rename from controls/V-93453.rb rename to controls/SV-205814.rb index 495b2d9..c9435fc 100644 --- a/controls/V-93453.rb +++ b/controls/SV-205814.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93453" do +control "SV-205814" do title "Windows Server 2019 must restrict unauthenticated Remote Procedure Call (RPC) clients from connecting to the RPC server on domain-joined member servers and standalone systems." desc "Unauthenticated RPC clients may allow anonymous access to sensitive information. Configuring RPC to restrict unauthenticated RPC clients from connecting to the RPC server will prevent anonymous connections." desc "rationale", "" 
diff --git a/controls/V-93455.rb b/controls/SV-205815.rb similarity index 98% rename from controls/V-93455.rb rename to controls/SV-205815.rb index 6d55b1a..fc7d59b 100644 --- a/controls/V-93455.rb +++ b/controls/SV-205815.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93455" do +control "SV-205815" do title "Windows Server 2019 computer account password must not be prevented from being reset." desc "Computer account passwords are changed automatically on a regular basis. Disabling automatic password changes can make the system more vulnerable to malicious access. Frequent password changes can be a significant safeguard for the system. A new password for the computer account will be generated every 30 days." desc "rationale", "" diff --git a/controls/V-93499.rb b/controls/SV-205816.rb similarity index 98% rename from controls/V-93499.rb rename to controls/SV-205816.rb index 493135c..00b1297 100644 --- a/controls/V-93499.rb +++ b/controls/SV-205816.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93499" do +control "SV-205816" do title "Windows Server 2019 Windows Remote Management (WinRM) client must not allow unencrypted traffic." desc "Unencrypted remote access to a system can allow sensitive information to be compromised. Windows remote management connections must be encrypted to prevent this." desc "rationale", "" diff --git a/controls/V-93501.rb b/controls/SV-205817.rb similarity index 98% rename from controls/V-93501.rb rename to controls/SV-205817.rb index 2e308f7..14fc124 100644 --- a/controls/V-93501.rb +++ b/controls/SV-205817.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93501" do +control "SV-205817" do title "Windows Server 2019 Windows Remote Management (WinRM) service must not allow unencrypted traffic." desc "Unencrypted remote access to a system can allow sensitive information to be compromised. Windows remote management connections must be encrypted to prevent this." desc "rationale", "" 
diff --git a/controls/V-93513.rb b/controls/SV-205818.rb similarity index 99% rename from controls/V-93513.rb rename to controls/SV-205818.rb index e30164a..2bd02b0 100644 --- a/controls/V-93513.rb +++ b/controls/SV-205818.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93513" do +control "SV-205818" do title "Windows Server 2019 must use separate, NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data." desc "Directory data that is not appropriately encrypted is subject to compromise. Commercial-grade encryption does not provide adequate protection when the classification level of directory data in transit is higher than the level of the network." desc "rationale", "" diff --git a/controls/V-93541.rb b/controls/SV-205819.rb similarity index 98% rename from controls/V-93541.rb rename to controls/SV-205819.rb index 9d6bf45..6acadf9 100644 --- a/controls/V-93541.rb +++ b/controls/SV-205819.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93541" do +control "SV-205819" do title "Windows Server 2019 must be configured to ignore NetBIOS name release requests except from WINS servers." desc "Configuring the system to ignore name release requests, except from WINS servers, prevents a denial of service (DoS) attack. The DoS consists of sending a NetBIOS name release request to the server for each entry in the server's cache, causing a response delay in the normal operation of the server's WINS resolution capability." desc "rationale", "" diff --git a/controls/V-93545.rb b/controls/SV-205820.rb similarity index 99% rename from controls/V-93545.rb rename to controls/SV-205820.rb index da88600..2abc13c 100644 --- a/controls/V-93545.rb +++ b/controls/SV-205820.rb 
@@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93545" do +control "SV-205820" do title "Windows Server 2019 domain controllers must require LDAP access signing." desc "Unsigned network traffic is susceptible to man-in-the-middle attacks, where an intruder captures packets between the server and the client and modifies them before forwarding them to the client. In the case of an LDAP server, this means that an attacker could cause a client to make decisions based on false records from the LDAP directory. The risk of an attacker pulling this off can be decreased by implementing strong physical security measures to protect the network infrastructure. Furthermore, implementing Internet Protocol security (IPsec) authentication header mode (AH), which performs mutual authentication and packet integrity for Internet Protocol (IP) traffic, can make all types of man-in-the-middle attacks extremely difficult." desc "rationale", "" diff --git a/controls/V-93547.rb b/controls/SV-205821.rb similarity index 98% rename from controls/V-93547.rb rename to controls/SV-205821.rb index e2d6490..5966cd1 100644 --- a/controls/V-93547.rb +++ b/controls/SV-205821.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93547" do +control "SV-205821" do title "Windows Server 2019 setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled." desc "Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but not all information is encrypted. If this policy is enabled, outgoing secure channel traffic will be encrypted and signed." desc "rationale", "" diff --git a/controls/V-93549.rb b/controls/SV-205822.rb similarity index 98% rename from controls/V-93549.rb rename to controls/SV-205822.rb index fb516cc..dcd30a5 100644 --- a/controls/V-93549.rb +++ b/controls/SV-205822.rb 
@@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93549" do +control "SV-205822" do title "Windows Server 2019 setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to enabled." desc "Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but not all information is encrypted. If this policy is enabled, outgoing secure channel traffic will be encrypted." desc "rationale", "" diff --git a/controls/V-93551.rb b/controls/SV-205823.rb similarity index 98% rename from controls/V-93551.rb rename to controls/SV-205823.rb index 2b8d0a8..772adf7 100644 --- a/controls/V-93551.rb +++ b/controls/SV-205823.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93551" do +control "SV-205823" do title "Windows Server 2019 setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled." desc "Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but the channel is not integrity checked. If this policy is enabled, outgoing secure channel traffic will be signed." desc "rationale", "" diff --git a/controls/V-93553.rb b/controls/SV-205824.rb similarity index 98% rename from controls/V-93553.rb rename to controls/SV-205824.rb index 21c317f..0a63403 100644 --- a/controls/V-93553.rb +++ b/controls/SV-205824.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93553" do +control "SV-205824" do title "Windows Server 2019 must be configured to require a strong session key." desc "A computer connecting to a domain controller will establish a secure channel. The secure channel connection may be subject to compromise, such as hijacking or eavesdropping, if strong session keys are not used to establish the connection. Requiring strong session keys enforces 128-bit encryption between systems." desc "rationale", "" 
diff --git a/controls/V-93555.rb b/controls/SV-205825.rb similarity index 98% rename from controls/V-93555.rb rename to controls/SV-205825.rb index d00e047..ce7c104 100644 --- a/controls/V-93555.rb +++ b/controls/SV-205825.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93555" do +control "SV-205825" do title "Windows Server 2019 setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled." desc "The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. If this policy is enabled, the SMB client will only communicate with an SMB server that performs SMB packet signing." desc "rationale", "" diff --git a/controls/V-93557.rb b/controls/SV-205826.rb similarity index 98% rename from controls/V-93557.rb rename to controls/SV-205826.rb index f224d30..2cc9ddb 100644 --- a/controls/V-93557.rb +++ b/controls/SV-205826.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93557" do +control "SV-205826" do title "Windows Server 2019 setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled." desc "The server message block (SMB) protocol provides the basis for many network operations. If this policy is enabled, the SMB client will request packet signing when communicating with an SMB server that is enabled or required to perform SMB packet signing." desc "rationale", "" diff --git a/controls/V-93559.rb b/controls/SV-205827.rb similarity index 98% rename from controls/V-93559.rb rename to controls/SV-205827.rb index 4da7748..3f9de3e 100644 --- a/controls/V-93559.rb +++ b/controls/SV-205827.rb 
@@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93559" do +control "SV-205827" do title "Windows Server 2019 setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled." desc "The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. If this policy is enabled, the SMB server will only communicate with an SMB client that performs SMB packet signing." desc "rationale", "" diff --git a/controls/V-93561.rb b/controls/SV-205828.rb similarity index 98% rename from controls/V-93561.rb rename to controls/SV-205828.rb index 3be5e2a..1514063 100644 --- a/controls/V-93561.rb +++ b/controls/SV-205828.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93561" do +control "SV-205828" do title "Windows Server 2019 setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled." desc "The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. If this policy is enabled, the SMB server will negotiate SMB packet signing as requested by the client." desc "rationale", "" diff --git a/controls/V-93543.rb b/controls/SV-205829.rb similarity index 99% rename from controls/V-93543.rb rename to controls/SV-205829.rb index 93744af..33db469 100644 --- a/controls/V-93543.rb +++ b/controls/SV-205829.rb 
@@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93543" do +control "SV-205829" do title "Windows Server 2019 must implement protection methods such as TLS, encrypted VPNs, or IPsec if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process." desc "Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. Ensuring the confidentiality of transmitted information requires the operating system to take measures in preparing information for transmission. diff --git a/controls/V-93563.rb b/controls/SV-205830.rb similarity index 98% rename from controls/V-93563.rb rename to controls/SV-205830.rb index fd12995..a8d8590 100644 --- a/controls/V-93563.rb +++ b/controls/SV-205830.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93563" do +control "SV-205830" do title "Windows Server 2019 Explorer Data Execution Prevention must be enabled." desc "Data Execution Prevention provides additional protection by performing checks on memory to help prevent malicious code from running. This setting will prevent Data Execution Prevention from being turned off for File Explorer." desc "rationale", "" diff --git a/controls/V-93153.rb b/controls/SV-205832.rb similarity index 98% rename from controls/V-93153.rb rename to controls/SV-205832.rb index ae5173c..b3b6604 100644 --- a/controls/V-93153.rb +++ b/controls/SV-205832.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93153" do +control "SV-205832" do title "Windows Server 2019 must be configured to audit Account Logon - Credential Validation successes." desc "Maintaining an audit trail of system activity logs can help identify 
diff --git a/controls/V-93155.rb b/controls/SV-205833.rb similarity index 98% rename from controls/V-93155.rb rename to controls/SV-205833.rb index 7b872da..0be8d06 100644 --- a/controls/V-93155.rb +++ b/controls/SV-205833.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93155" do +control "SV-205833" do title "Windows Server 2019 must be configured to audit Account Logon - Credential Validation failures." desc "Maintaining an audit trail of system activity logs can help identify diff --git a/controls/V-93159.rb b/controls/SV-205834.rb similarity index 98% rename from controls/V-93159.rb rename to controls/SV-205834.rb index 9242fc0..d8c50d5 100644 --- a/controls/V-93159.rb +++ b/controls/SV-205834.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93159" do +control "SV-205834" do title "Windows Server 2019 must be configured to audit Logon/Logoff - Group Membership successes." desc "Maintaining an audit trail of system activity logs can help identify diff --git a/controls/V-93161.rb b/controls/SV-205835.rb similarity index 98% rename from controls/V-93161.rb rename to controls/SV-205835.rb index d322b99..ee6cd4f 100644 --- a/controls/V-93161.rb +++ b/controls/SV-205835.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93161" do +control "SV-205835" do title "Windows Server 2019 must be configured to audit Logon/Logoff - Special Logon successes." desc "Maintaining an audit trail of system activity logs can help identify diff --git a/controls/V-93163.rb b/controls/SV-205836.rb similarity index 98% rename from controls/V-93163.rb rename to controls/SV-205836.rb index 089f832..9d43426 100644 --- a/controls/V-93163.rb +++ b/controls/SV-205836.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93163" do +control "SV-205836" do title "Windows Server 2019 must be configured to audit Object Access - Other Object Access Events successes." desc "Maintaining an audit trail of system activity logs can help identify 
diff --git a/controls/V-93165.rb b/controls/SV-205837.rb similarity index 98% rename from controls/V-93165.rb rename to controls/SV-205837.rb index ec50d05..5b40650 100644 --- a/controls/V-93165.rb +++ b/controls/SV-205837.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93165" do +control "SV-205837" do title "Windows Server 2019 must be configured to audit Object Access - Other Object Access Events failures." desc "Maintaining an audit trail of system activity logs can help identify diff --git a/controls/V-93171.rb b/controls/SV-205838.rb similarity index 98% rename from controls/V-93171.rb rename to controls/SV-205838.rb index c8ae54d..e808c82 100644 --- a/controls/V-93171.rb +++ b/controls/SV-205838.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93171" do +control "SV-205838" do title "Windows Server 2019 must be configured to audit logoff successes." desc "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises diff --git a/controls/V-93157.rb b/controls/SV-205839.rb similarity index 99% rename from controls/V-93157.rb rename to controls/SV-205839.rb index e855dbb..e81d908 100644 --- a/controls/V-93157.rb +++ b/controls/SV-205839.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93157" do +control "SV-205839" do title "Windows Server 2019 must be configured to audit Detailed Tracking - Plug and Play Events successes." desc "Maintaining an audit trail of system activity logs can help identify diff --git a/controls/V-93167.rb b/controls/SV-205840.rb similarity index 99% rename from controls/V-93167.rb rename to controls/SV-205840.rb index e17a312..077063c 100644 --- a/controls/V-93167.rb +++ b/controls/SV-205840.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93167" do +control "SV-205840" do title "Windows Server 2019 must be configured to audit Object Access - Removable Storage successes." desc "Maintaining an audit trail of system activity logs can help identify 
diff --git a/controls/V-93169.rb b/controls/SV-205841.rb similarity index 99% rename from controls/V-93169.rb rename to controls/SV-205841.rb index e6301db..d4461a1 100644 --- a/controls/V-93169.rb +++ b/controls/SV-205841.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93169" do +control "SV-205841" do title "Windows Server 2019 must be configured to audit Object Access - Removable Storage failures." desc "Maintaining an audit trail of system activity logs can help identify diff --git a/controls/V-93511.rb b/controls/SV-205842.rb similarity index 98% rename from controls/V-93511.rb rename to controls/SV-205842.rb index 145fb7d..61acf53 100644 --- a/controls/V-93511.rb +++ b/controls/SV-205842.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93511" do +control "SV-205842" do title "Windows Server 2019 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing." desc "This setting ensures the system uses algorithms that are FIPS-compliant for encryption, hashing, and signing. FIPS-compliant algorithms meet specific standards established by the U.S. Government and must be the algorithms used for all OS encryption functions." desc "rationale", "" diff --git a/controls/V-93185.rb b/controls/SV-205843.rb similarity index 98% rename from controls/V-93185.rb rename to controls/SV-205843.rb index 57f5cc1..8231ad2 100644 --- a/controls/V-93185.rb +++ b/controls/SV-205843.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93185" do +control "SV-205843" do title "Windows Server 2019 must, at a minimum, off-load audit records of interconnected systems in real time and off-load standalone systems weekly." desc "Protection of log data includes assuring the log data is not diff --git a/controls/V-93369.rb b/controls/SV-205844.rb similarity index 98% rename from controls/V-93369.rb rename to controls/SV-205844.rb index 34a9df3..d94a58c 100644 --- a/controls/V-93369.rb +++ b/controls/SV-205844.rb 
@@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93369" do +control "SV-205844" do title "Windows Server 2019 users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks." desc "Using a privileged account to perform routine functions makes the computer vulnerable to malicious software inadvertently introduced during a session that has been granted full privileges." desc "rationale", "" diff --git a/controls/V-93205.rb b/controls/SV-205845.rb similarity index 99% rename from controls/V-93205.rb rename to controls/SV-205845.rb index 5e33b6a..fc2c8c3 100644 --- a/controls/V-93205.rb +++ b/controls/SV-205845.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93205" do +control "SV-205845" do title "Windows Server 2019 administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email." diff --git a/controls/V-93207.rb b/controls/SV-205846.rb similarity index 98% rename from controls/V-93207.rb rename to controls/SV-205846.rb index 51637ea..f440e11 100644 --- a/controls/V-93207.rb +++ b/controls/SV-205846.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93207" do +control "SV-205846" do title "Windows Server 2019 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks." desc "Backup Operators are able to read and write to any file in the system, diff --git a/controls/V-93209.rb b/controls/SV-205847.rb similarity index 99% rename from controls/V-93209.rb rename to controls/SV-205847.rb index a812181..732324b 100644 --- a/controls/V-93209.rb +++ b/controls/SV-205847.rb 
@@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93209" do +control "SV-205847" do title "Windows Server 2019 manually managed application account passwords must be changed at least every #{input('app_password_age')} days or when a system administrator with knowledge of the password leaves the organization." desc "Setting application account passwords to expire may cause applications to stop functioning. However, not changing them on a regular basis exposes them to attack. If managed service accounts are used, this alleviates the need to manually change application account passwords." desc "rationale", "" diff --git a/controls/V-93213.rb b/controls/SV-205848.rb similarity index 99% rename from controls/V-93213.rb rename to controls/SV-205848.rb index 84211c5..5a499b5 100644 --- a/controls/V-93213.rb +++ b/controls/SV-205848.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93213" do +control "SV-205848" do title "Windows Server 2019 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use." desc "Credential Guard uses virtualization-based security to protect data diff --git a/controls/V-93215.rb b/controls/SV-205849.rb similarity index 98% rename from controls/V-93215.rb rename to controls/SV-205849.rb index 92f786d..7d65795 100644 --- a/controls/V-93215.rb +++ b/controls/SV-205849.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93215" do +control "SV-205849" do title "Windows Server 2019 must be maintained at a supported servicing level." desc "Systems at unsupported servicing levels will not receive security updates for new vulnerabilities, which leave them subject to exploitation. diff --git a/controls/V-93217.rb b/controls/SV-205850.rb similarity index 98% rename from controls/V-93217.rb rename to controls/SV-205850.rb index f212126..7dd21ea 100644 --- a/controls/V-93217.rb +++ b/controls/SV-205850.rb 
@@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93217" do +control "SV-205850" do title "Windows Server 2019 must use an anti-virus program." desc "Malicious software can establish a base on individual desktops and servers. Employing an automated mechanism to detect this type of software will diff --git a/controls/V-93219.rb b/controls/SV-205851.rb similarity index 98% rename from controls/V-93219.rb rename to controls/SV-205851.rb index 3f9f98d..b39e195 100644 --- a/controls/V-93219.rb +++ b/controls/SV-205851.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93219" do +control "SV-205851" do title "Windows Server 2019 must have a host-based intrusion detection or prevention system." desc "A properly configured Host-based Intrusion Detection System (HIDS) or diff --git a/controls/V-93221.rb b/controls/SV-205852.rb similarity index 98% rename from controls/V-93221.rb rename to controls/SV-205852.rb index 58b7965..1007c55 100644 --- a/controls/V-93221.rb +++ b/controls/SV-205852.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93221" do +control "SV-205852" do title "Windows Server 2019 must have software certificate installation files removed." desc "Use of software certificates and their accompanying installation files diff --git a/controls/V-93223.rb b/controls/SV-205853.rb similarity index 98% rename from controls/V-93223.rb rename to controls/SV-205853.rb index 7f2f79e..0975e3c 100644 --- a/controls/V-93223.rb +++ b/controls/SV-205853.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93223" do +control "SV-205853" do title "Windows Server 2019 FTP servers must be configured to prevent anonymous logons." desc "The FTP service allows remote users to access shared files and diff --git a/controls/V-93225.rb b/controls/SV-205854.rb similarity index 98% rename from controls/V-93225.rb rename to controls/SV-205854.rb index c4d0cb2..eca7ed0 100644 --- a/controls/V-93225.rb +++ b/controls/SV-205854.rb 
@@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93225" do +control "SV-205854" do title "Windows Server 2019 FTP servers must be configured to prevent access to the system drive." desc "The FTP service allows remote users to access shared files and diff --git a/controls/V-93227.rb b/controls/SV-205855.rb similarity index 99% rename from controls/V-93227.rb rename to controls/SV-205855.rb index e278429..4987024 100644 --- a/controls/V-93227.rb +++ b/controls/SV-205855.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93227" do +control "SV-205855" do title "Windows Server 2019 must have orphaned security identifiers (SIDs) removed from user rights." desc "Accounts or groups given rights on a system may show up as unresolved diff --git a/controls/V-93229.rb b/controls/SV-205856.rb similarity index 98% rename from controls/V-93229.rb rename to controls/SV-205856.rb index fdf9784..e67cc41 100644 --- a/controls/V-93229.rb +++ b/controls/SV-205856.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93229" do +control "SV-205856" do title "Windows Server 2019 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS." diff --git a/controls/V-93231.rb b/controls/SV-205857.rb similarity index 98% rename from controls/V-93231.rb rename to controls/SV-205857.rb index d569559..fca033a 100644 --- a/controls/V-93231.rb +++ b/controls/SV-205857.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93231" do +control "SV-205857" do title "Windows Server 2019 must have Secure Boot enabled." desc "Secure Boot is a standard that ensures systems boot only to a trusted operating system. Secure Boot is required to support additional security diff --git a/controls/V-93233.rb b/controls/SV-205858.rb similarity index 98% rename from controls/V-93233.rb rename to controls/SV-205858.rb index 912d606..f607345 100644 --- a/controls/V-93233.rb +++ b/controls/SV-205858.rb 
@@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93233" do +control "SV-205858" do title "Windows Server 2019 Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing." diff --git a/controls/V-93235.rb b/controls/SV-205859.rb similarity index 98% rename from controls/V-93235.rb rename to controls/SV-205859.rb index 76f2f75..8223bcd 100644 --- a/controls/V-93235.rb +++ b/controls/SV-205859.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93235" do +control "SV-205859" do title "Windows Server 2019 source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing." desc "Configuring the system to disable IP source routing protects against diff --git a/controls/V-93237.rb b/controls/SV-205860.rb similarity index 98% rename from controls/V-93237.rb rename to controls/SV-205860.rb index f24e88e..469a703 100644 --- a/controls/V-93237.rb +++ b/controls/SV-205860.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93237" do +control "SV-205860" do title "Windows Server 2019 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes." diff --git a/controls/V-93239.rb b/controls/SV-205861.rb similarity index 98% rename from controls/V-93239.rb rename to controls/SV-205861.rb index 2c224c8..f7e30b4 100644 --- a/controls/V-93239.rb +++ b/controls/SV-205861.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93239" do +control "SV-205861" do title "Windows Server 2019 insecure logons to an SMB server must be disabled." desc "Insecure guest logons allow unauthenticated access to shared folders. Shared resources on a system must require authentication to establish proper diff --git a/controls/V-93241.rb b/controls/SV-205862.rb similarity index 99% rename from controls/V-93241.rb rename to controls/SV-205862.rb index 54eef8d..c14e581 100644 --- a/controls/V-93241.rb 
+++ b/controls/SV-205862.rb @@ -1,6 +1,6 @@ -control 'V-93241' do +control 'SV-205862' do title "Windows Server 2019 hardened Universal Naming Convention (UNC) paths must be defined to require mutual authentication and integrity for at least the \\\\*\\SYSVOL and \\\\*\\NETLOGON shares." diff --git a/controls/V-93243.rb b/controls/SV-205863.rb similarity index 98% rename from controls/V-93243.rb rename to controls/SV-205863.rb index 9ef39e8..814f3cb 100644 --- a/controls/V-93243.rb +++ b/controls/SV-205863.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93243" do +control "SV-205863" do title "Windows Server 2019 must be configured to enable Remote host allows delegation of non-exportable credentials." desc "An exportable version of credentials is provided to remote hosts when diff --git a/controls/V-93245.rb b/controls/SV-205864.rb similarity index 99% rename from controls/V-93245.rb rename to controls/SV-205864.rb index 905ff31..9bb3681 100644 --- a/controls/V-93245.rb +++ b/controls/SV-205864.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93245" do +control "SV-205864" do title "Windows Server 2019 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection." diff --git a/controls/V-93249.rb b/controls/SV-205865.rb similarity index 99% rename from controls/V-93249.rb rename to controls/SV-205865.rb index 825ec4e..e8eb4fb 100644 --- a/controls/V-93249.rb +++ b/controls/SV-205865.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93249" do +control "SV-205865" do title "Windows Server 2019 Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad." desc "Compromised boot drivers can introduce malware prior to protection diff --git a/controls/V-93251.rb b/controls/SV-205866.rb similarity index 98% rename from controls/V-93251.rb rename to controls/SV-205866.rb index f743755..caee4e8 100644 --- a/controls/V-93251.rb 
+++ b/controls/SV-205866.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93251" do +control "SV-205866" do title "Windows Server 2019 group policy objects must be reprocessed even if they have not changed." desc "Registry entries for group policy settings can potentially be changed diff --git a/controls/V-93253.rb b/controls/SV-205867.rb similarity index 98% rename from controls/V-93253.rb rename to controls/SV-205867.rb index 6a7e31f..7786f08 100644 --- a/controls/V-93253.rb +++ b/controls/SV-205867.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93253" do +control "SV-205867" do title "Windows Server 2019 users must be prompted to authenticate when the system wakes from sleep (on battery)." desc "A system that does not require authentication when resuming from sleep diff --git a/controls/V-93255.rb b/controls/SV-205868.rb similarity index 98% rename from controls/V-93255.rb rename to controls/SV-205868.rb index 55182e6..9b270d7 100644 --- a/controls/V-93255.rb +++ b/controls/SV-205868.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93255" do +control "SV-205868" do title "Windows Server 2019 users must be prompted to authenticate when the system wakes from sleep (plugged in)." desc "A system that does not require authentication when resuming from sleep diff --git a/controls/V-93257.rb b/controls/SV-205869.rb similarity index 98% rename from controls/V-93257.rb rename to controls/SV-205869.rb index 72f8cff..3964535 100644 --- a/controls/V-93257.rb +++ b/controls/SV-205869.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93257" do +control "SV-205869" do title "Windows Server 2019 Telemetry must be configured to Security or Basic." desc "Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Limiting this diff --git a/controls/V-93259.rb b/controls/SV-205870.rb similarity index 99% rename from controls/V-93259.rb rename to controls/SV-205870.rb index a7c67fe..d132780 100644 
--- a/controls/V-93259.rb +++ b/controls/SV-205870.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93259" do +control "SV-205870" do title "Windows Server 2019 Windows Update must not obtain updates from other PCs on the Internet." desc "Windows Update can obtain updates from additional sources instead of diff --git a/controls/V-93261.rb b/controls/SV-205871.rb similarity index 98% rename from controls/V-93261.rb rename to controls/SV-205871.rb index f02d49a..d39f467 100644 --- a/controls/V-93261.rb +++ b/controls/SV-205871.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93261" do +control "SV-205871" do title "Windows Server 2019 Turning off File Explorer heap termination on corruption must be disabled." desc "Legacy plug-in applications may continue to function when a File diff --git a/controls/V-93263.rb b/controls/SV-205872.rb similarity index 98% rename from controls/V-93263.rb rename to controls/SV-205872.rb index 4eec2d4..9125d19 100644 --- a/controls/V-93263.rb +++ b/controls/SV-205872.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93263" do +control "SV-205872" do title "Windows Server 2019 File Explorer shell protocol must run in protected mode." desc "The shell protocol will limit the set of folders that applications can diff --git a/controls/V-93265.rb b/controls/SV-205873.rb similarity index 98% rename from controls/V-93265.rb rename to controls/SV-205873.rb index a30a589..96698e3 100644 --- a/controls/V-93265.rb +++ b/controls/SV-205873.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93265" do +control "SV-205873" do title "Windows Server 2019 must prevent attachments from being downloaded from RSS feeds." desc "Attachments from RSS feeds may not be secure. This setting will diff --git a/controls/V-93267.rb b/controls/SV-205874.rb similarity index 98% rename from controls/V-93267.rb rename to controls/SV-205874.rb index b57c832..4e752dd 100644 --- a/controls/V-93267.rb +++ b/controls/SV-205874.rb 
@@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93267" do +control "SV-205874" do title "Windows Server 2019 users must be notified if a web-based program attempts to install software." desc "Web-based programs may attempt to install malicious software on a diff --git a/controls/V-93271.rb b/controls/SV-205875.rb similarity index 99% rename from controls/V-93271.rb rename to controls/SV-205875.rb index c2402fa..8f90b5d 100644 --- a/controls/V-93271.rb +++ b/controls/SV-205875.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93271" do +control "SV-205875" do title "Windows Server 2019 directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access." desc "To the extent that anonymous access to directory data (outside the root DSE) is permitted, read access control of the data is effectively disabled. If other means of controlling access (such as network restrictions) are compromised, there may be nothing else to protect the confidentiality of sensitive directory data." desc "rationale", "" diff --git a/controls/V-93273.rb b/controls/SV-205876.rb similarity index 98% rename from controls/V-93273.rb rename to controls/SV-205876.rb index ff45648..475e4d0 100644 --- a/controls/V-93273.rb +++ b/controls/SV-205876.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93273" do +control "SV-205876" do title "Windows Server 2019 domain controllers must be configured to allow reset of machine account passwords." desc "Enabling this setting on all domain controllers in a domain prevents domain members from changing their computer account passwords. If these passwords are weak or compromised, the inability to change them may leave these computers vulnerable." desc "rationale", "" diff --git a/controls/V-93211.rb b/controls/SV-205877.rb similarity index 99% rename from controls/V-93211.rb rename to controls/SV-205877.rb index ac42e43..1782f82 100644 --- a/controls/V-93211.rb +++ b/controls/SV-205877.rb 
@@ -1,4 +1,4 @@ -control 'V-93211' do +control 'SV-205877' do title "The password for the krbtgt account on a domain must be reset at least every 180 days." desc "The krbtgt account acts as a service account for the Kerberos Key diff --git a/controls/V-93275.rb b/controls/SV-205906.rb similarity index 98% rename from controls/V-93275.rb rename to controls/SV-205906.rb index ec3bffb..2390206 100644 --- a/controls/V-93275.rb +++ b/controls/SV-205906.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93275" do +control "SV-205906" do title "Windows Server 2019 must limit the caching of logon credentials to four or less on domain-joined member servers." desc "The default Windows configuration caches the last logon credentials for users who log on interactively to a system. This feature is provided for system availability reasons, such as the user's machine being disconnected from the network or domain controllers being unavailable. Even though the credential cache is well protected, if a system is attacked, an unauthorized individual may isolate the password to a domain user account using a password-cracking program and gain access to the domain." desc "rationale", "" diff --git a/controls/V-93277.rb b/controls/SV-205907.rb similarity index 99% rename from controls/V-93277.rb rename to controls/SV-205907.rb index fec471e..e5122e5 100644 --- a/controls/V-93277.rb +++ b/controls/SV-205907.rb @@ -1,6 +1,6 @@ # encoding: UTF-8 -control "V-93277" do +control "SV-205907" do title "Windows Server 2019 must be running Credential Guard on domain-joined member servers." desc "Credential Guard uses virtualization-based security to protect data that could be used in credential theft attacks if compromised. This authentication information, which was stored in the Local Security Authority (LSA) in previous versions of Windows, is isolated from the rest of operating system and can only be accessed by privileged system software." desc "rationale", "" 
diff --git a/controls/V-93279.rb b/controls/SV-205908.rb
similarity index 98%
rename from controls/V-93279.rb
rename to controls/SV-205908.rb
index 3486acf..e3c8b1d 100644
--- a/controls/V-93279.rb
+++ b/controls/SV-205908.rb
@@ -1,6 +1,6 @@
 # encoding: UTF-8
-control "V-93279" do
+control "SV-205908" do
 title "Windows Server 2019 must prevent local accounts with blank passwords from being used from the network."
 desc "An account without a password can allow unauthorized access to a system as only the username would be required. Password policies should prevent accounts with blank passwords from existing on a system. However, if a local account with a blank password does exist, enabling this setting will prevent network access, limiting the account to local console logon only."
 desc "rationale", ""
diff --git a/controls/V-93281.rb b/controls/SV-205909.rb
similarity index 98%
rename from controls/V-93281.rb
rename to controls/SV-205909.rb
index 639fc11..bb5b103 100644
--- a/controls/V-93281.rb
+++ b/controls/SV-205909.rb
@@ -1,6 +1,6 @@
 # encoding: UTF-8
-control "V-93281" do
+control "SV-205909" do
 title "Windows Server 2019 built-in administrator account must be renamed."
 desc "The built-in administrator account is a well-known account subject to attack. Renaming this account to an unidentified name improves the protection of this account and the system."
 desc "rationale", ""
diff --git a/controls/V-93283.rb b/controls/SV-205910.rb
similarity index 98%
rename from controls/V-93283.rb
rename to controls/SV-205910.rb
index 0a07d8f..475fdf3 100644
--- a/controls/V-93283.rb
+++ b/controls/SV-205910.rb
@@ -1,6 +1,6 @@
 # encoding: UTF-8
-control "V-93283" do
+control "SV-205910" do
 title "Windows Server 2019 built-in guest account must be renamed."
 desc "The built-in guest account is a well-known user account on all Windows systems and, as initially installed, does not require a password. This can allow access to system resources by unauthorized users. Renaming this account to an unidentified name improves the protection of this account and the system."
 desc "rationale", ""
diff --git a/controls/V-93285.rb b/controls/SV-205911.rb
similarity index 98%
rename from controls/V-93285.rb
rename to controls/SV-205911.rb
index e2ecebd..df18e85 100644
--- a/controls/V-93285.rb
+++ b/controls/SV-205911.rb
@@ -1,6 +1,6 @@
 # encoding: UTF-8
-control "V-93285" do
+control "SV-205911" do
 title "Windows Server 2019 maximum age for machine account passwords must be configured to #{input('maximum_password_age_machine')} days or less."
 desc "Computer account passwords are changed automatically on a regular basis. This setting controls the maximum password age that a machine account may have. This must be set to no more than #{input('maximum_password_age_machine')} days, ensuring the machine changes its password monthly."
 desc "rationale", ""
diff --git a/controls/V-93287.rb b/controls/SV-205912.rb
similarity index 98%
rename from controls/V-93287.rb
rename to controls/SV-205912.rb
index 27bfd0d..f3df7b2 100644
--- a/controls/V-93287.rb
+++ b/controls/SV-205912.rb
@@ -1,6 +1,6 @@
 # encoding: UTF-8
-control "V-93287" do
+control "SV-205912" do
 title "Windows Server 2019 Smart Card removal option must be configured to Force Logoff or Lock Workstation."
 desc "Unattended systems are susceptible to unauthorized use and must be locked. Configuring a system to lock when a smart card is removed will ensure the system is inaccessible when unattended."
 desc "rationale", ""
diff --git a/controls/V-93289.rb b/controls/SV-205913.rb
similarity index 98%
rename from controls/V-93289.rb
rename to controls/SV-205913.rb
index ae5a207..d304ecd 100644
--- a/controls/V-93289.rb
+++ b/controls/SV-205913.rb
@@ -1,6 +1,6 @@
 # encoding: UTF-8
-control "V-93289" do
+control "SV-205913" do
 title "Windows Server 2019 must not allow anonymous SID/Name translation."
 desc "Allowing anonymous SID/Name translation can provide sensitive information for accessing a system. Only authorized users must be able to perform such translations."
 desc "rationale", ""
diff --git a/controls/V-93291.rb b/controls/SV-205914.rb
similarity index 98%
rename from controls/V-93291.rb
rename to controls/SV-205914.rb
index 5a37202..770fa91 100644
--- a/controls/V-93291.rb
+++ b/controls/SV-205914.rb
@@ -1,6 +1,6 @@
 # encoding: UTF-8
-control "V-93291" do
+control "SV-205914" do
 title "Windows Server 2019 must not allow anonymous enumeration of Security Account Manager (SAM) accounts."
 desc "Anonymous enumeration of SAM accounts allows anonymous logon users (null session connections) to list all accounts names, thus providing a list of potential points to attack the system."
 desc "rationale", ""
diff --git a/controls/V-93293.rb b/controls/SV-205915.rb
similarity index 98%
rename from controls/V-93293.rb
rename to controls/SV-205915.rb
index 0ef749b..d00d20a 100644
--- a/controls/V-93293.rb
+++ b/controls/SV-205915.rb
@@ -1,6 +1,6 @@
 # encoding: UTF-8
-control "V-93293" do
+control "SV-205915" do
 title "Windows Server 2019 must be configured to prevent anonymous users from having the same permissions as the Everyone group."
 desc "Access by anonymous users must be restricted. If this setting is enabled, anonymous users have the same rights and permissions as the built-in Everyone group. Anonymous users must not have these permissions or rights."
 desc "rationale", ""
diff --git a/controls/V-93295.rb b/controls/SV-205916.rb
similarity index 98%
rename from controls/V-93295.rb
rename to controls/SV-205916.rb
index 6486e9c..8ad986f 100644
--- a/controls/V-93295.rb
+++ b/controls/SV-205916.rb
@@ -1,6 +1,6 @@
 # encoding: UTF-8
-control "V-93295" do
+control "SV-205916" do
 title "Windows Server 2019 services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously."
 desc "Services using Local System that use Negotiate when reverting to NTLM authentication may gain unauthorized access if allowed to authenticate anonymously versus using the computer identity."
 desc "rationale", ""
diff --git a/controls/V-93297.rb b/controls/SV-205917.rb
similarity index 98%
rename from controls/V-93297.rb
rename to controls/SV-205917.rb
index 92cbd20..4d18519 100644
--- a/controls/V-93297.rb
+++ b/controls/SV-205917.rb
@@ -1,6 +1,6 @@
 # encoding: UTF-8
-control "V-93297" do
+control "SV-205917" do
 title "Windows Server 2019 must prevent NTLM from falling back to a Null session."
 desc "NTLM sessions that are allowed to fall back to Null (unauthenticated) sessions may gain unauthorized access."
 desc "rationale", ""
diff --git a/controls/V-93299.rb b/controls/SV-205918.rb
similarity index 98%
rename from controls/V-93299.rb
rename to controls/SV-205918.rb
index 1c7800a..c794098 100644
--- a/controls/V-93299.rb
+++ b/controls/SV-205918.rb
@@ -1,6 +1,6 @@
 # encoding: UTF-8
-control "V-93299" do
+control "SV-205918" do
 title "Windows Server 2019 must prevent PKU2U authentication using online identities."
 desc "PKU2U is a peer-to-peer authentication protocol. This setting prevents online identities from authenticating to domain-joined systems. Authentication will be centrally managed with Windows user accounts."
 desc "rationale", ""
diff --git a/controls/V-93301.rb b/controls/SV-205919.rb
similarity index 98%
rename from controls/V-93301.rb
rename to controls/SV-205919.rb
index bf81f05..383a67a 100644
--- a/controls/V-93301.rb
+++ b/controls/SV-205919.rb
@@ -1,6 +1,6 @@
 # encoding: UTF-8
-control "V-93301" do
+control "SV-205919" do
 title "Windows Server 2019 LAN Manager authentication level must be configured to send NTLMv2 response only and to refuse LM and NTLM."
 desc "The Kerberos v5 authentication protocol is the default for authentication of users who are logging on to domain accounts. NTLM, which is less secure, is retained in later Windows versions for compatibility with clients and servers that are running earlier versions of Windows or applications that still use it. It is also used to authenticate logons to standalone computers that are running later versions."
 desc "rationale", ""
diff --git a/controls/V-93303.rb b/controls/SV-205920.rb
similarity index 98%
rename from controls/V-93303.rb
rename to controls/SV-205920.rb
index c413b42..c3b5d96 100644
--- a/controls/V-93303.rb
+++ b/controls/SV-205920.rb
@@ -1,6 +1,6 @@
 # encoding: UTF-8
-control "V-93303" do
+control "SV-205920" do
 title "Windows Server 2019 must be configured to at least negotiate signing for LDAP client signing."
 desc "This setting controls the signing requirements for LDAP clients. This must be set to \"Negotiate signing\" or \"Require signing\", depending on the environment and type of LDAP server in use."
 desc "rationale", ""
diff --git a/controls/V-93305.rb b/controls/SV-205921.rb
similarity index 98%
rename from controls/V-93305.rb
rename to controls/SV-205921.rb
index 843c50c..96268e3 100644
--- a/controls/V-93305.rb
+++ b/controls/SV-205921.rb
@@ -1,6 +1,6 @@
 # encoding: UTF-8
-control "V-93305" do
+control "SV-205921" do
 title "Windows Server 2019 session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption."
 desc "Microsoft has implemented a variety of security support providers for use with Remote Procedure Call (RPC) sessions. All of the options must be enabled to ensure the maximum security level."
 desc "rationale", ""
diff --git a/controls/V-93307.rb b/controls/SV-205922.rb
similarity index 98%
rename from controls/V-93307.rb
rename to controls/SV-205922.rb
index 5be9d54..bd1e330 100644
--- a/controls/V-93307.rb
+++ b/controls/SV-205922.rb
@@ -1,6 +1,6 @@
 # encoding: UTF-8
-control "V-93307" do
+control "SV-205922" do
 title "Windows Server 2019 session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption."
 desc "Microsoft has implemented a variety of security support providers for use with Remote Procedure Call (RPC) sessions. All of the options must be enabled to ensure the maximum security level."
 desc "rationale", ""
diff --git a/controls/V-93309.rb b/controls/SV-205923.rb
similarity index 98%
rename from controls/V-93309.rb
rename to controls/SV-205923.rb
index cea801f..1793992 100644
--- a/controls/V-93309.rb
+++ b/controls/SV-205923.rb
@@ -1,6 +1,6 @@
 # encoding: UTF-8
-control "V-93309" do
+control "SV-205923" do
 title "Windows Server 2019 default permissions of global system objects must be strengthened."
 desc "Windows systems maintain a global list of shared system resources such as DOS device names, mutexes, and semaphores. Each type of object is created with a default Discretionary Access Control List (DACL) that specifies who can access the objects with what permissions. When this policy is enabled, the default DACL is stronger, allowing non-administrative users to read shared objects but not to modify shared objects they did not create."
 desc "rationale", ""
diff --git a/controls/V-93311.rb b/controls/SV-205924.rb
similarity index 98%
rename from controls/V-93311.rb
rename to controls/SV-205924.rb
index 9a2f45b..268a986 100644
--- a/controls/V-93311.rb
+++ b/controls/SV-205924.rb
@@ -1,6 +1,6 @@
 # encoding: UTF-8
-control "V-93311" do
+control "SV-205924" do
 title "Windows Server 2019 must preserve zone information when saving attachments."
 desc "Attachments from outside sources may contain malicious code. Preserving zone of origin (Internet, intranet, local, restricted) information on file attachments allows Windows to determine risk."
 desc "rationale", ""
diff --git a/controls/V-93269.rb b/controls/SV-205925.rb
similarity index 98%
rename from controls/V-93269.rb
rename to controls/SV-205925.rb
index 8af9457..fc49ff5 100644
--- a/controls/V-93269.rb
+++ b/controls/SV-205925.rb
@@ -1,6 +1,6 @@
 # encoding: UTF-8
-control "V-93269" do
+control "SV-205925" do
 title "Windows Server 2019 must disable automatically signing in the last interactive user after a system-initiated restart."
 desc "Windows can be configured to automatically sign the user back in after a Windows Update restart. Some protections are in place to help ensure this is done in a secure fashion; however, disabling this will prevent the caching of credentials for this purpose and also ensure the user is aware of the restart."
 desc "rationale", ""
diff --git a/controls/V-93571.rb b/controls/SV-214936.rb
similarity index 98%
rename from controls/V-93571.rb
rename to controls/SV-214936.rb
index 6c5d02e..c706512 100644
--- a/controls/V-93571.rb
+++ b/controls/SV-214936.rb
@@ -1,6 +1,6 @@
 # encoding: UTF-8
-control "V-93571" do
+control "SV-214936" do
 title "Windows Server 2019 must have a host-based firewall installed and enabled."
 desc "A firewall provides a line of defense against attack, allowing or blocking inbound and outbound connections based on a set of rules."
 desc "rationale", ""
diff --git a/controls/V-93313.rb b/controls/V-93313.rb
deleted file mode 100644
index b968be9..0000000
--- a/controls/V-93313.rb
+++ /dev/null
@@ -1,61 +0,0 @@ -# encoding: UTF-8 - -control "V-93313" do - title "Windows Server 2019 Exploit Protection system-level mitigation, Data Execution Prevention (DEP), must be on." - desc "Exploit protection enables mitigations against potential threats at the system and application level. Several mitigations, including \"Data Execution Prevention (DEP)\", are enabled by default at the system level. DEP prevents code from being run from data-only memory pages. If this is turned off, Windows may be subject to various exploits." - desc "rationale", "" - desc "check", "This is applicable to unclassified systems, for other systems this is NA. - - The default configuration in Exploit Protection is \"On by default\" which meets this requirement. The PowerShell query results for this show as \"NOTSET\". - Run \"Windows PowerShell\" with elevated privileges (run as administrator). - Enter \"Get-ProcessMitigation -System\". - If the status of \"DEP: Enable\" is \"OFF\", this is a finding. - - Values that would not be a finding include: - ON - NOTSET (Default configuration)" - desc "fix", "Ensure Exploit Protection system-level mitigation, \"Data Execution Prevention (DEP)\", is turned on. The default configuration in Exploit Protection is \"On by default\" which meets this requirement. - - Open \"Windows Defender Security Center\". - Select \"App & browser control\". - Select \"Exploit protection settings\". - Under \"System settings\", configure \"Data Execution Prevention (DEP)\" to \"On by default\" or \"Use default ()\". - - The STIG package includes a DoD EP XML file in the \"Supporting Files\" folder for configuring application mitigations defined in the STIG. This can also be modified to explicitly enforce the system level requirements. 
Adding the following to the XML file will explicitly turn DEP on (other system level EP requirements can be combined under ): - - - - - - The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." - impact 0.5 - tag severity: nil - tag gtitle: "SRG-OS-000480-GPOS-00227" - tag gid: "V-93313" - tag rid: "SV-103401r1_rule" - tag stig_id: "WN19-EP-000010" - tag fix_id: "F-99559r1_fix" - tag cci: ["CCI-000366"] - tag nist: ["CM-6 b", "Rev_4"] - - systemdep = json({ command: "Get-ProcessMitigation -System | ConvertTo-Json" }).params - - if input('sensitive_system') == true || nil - impact 0.0 - describe 'This Control is Not Applicable to sensitive systems.' do - skip 'This Control is Not Applicable to sensitive systems.' - end - elsif systemdep.empty? - describe "Exploit Protection: the following mitigation" do - it "must be set to 'ON' for the System" do - failure_message = "Exploit Protection is not set" - expect(systemdep).not_to be_empty, failure_message - end - end - else - describe "Exploit Protection: the following mitigation must be set to 'ON' for the System" do - subject { systemdep } - its(['Dep','Enable']) { should be_between(0,1) } - end - end -end \ No newline at end of file diff --git a/controls/V-93315.rb b/controls/V-93315.rb deleted file mode 100644 index 0db79f7..0000000 --- a/controls/V-93315.rb +++ /dev/null 
@@ -1,61 +0,0 @@ -# encoding: UTF-8 - -control "V-93315" do - title "Windows Server 2019 Exploit Protection system-level mitigation, Control flow guard (CFG), must be on." - desc "Exploit protection enables mitigations against potential threats at the system and application level. Several mitigations, including \"Control flow guard (CFG)\", are enabled by default at the system level. CFG ensures flow integrity for indirect calls. If this is turned off, Windows may be subject to various exploits." - desc "rationale", "" - desc "check", "This is applicable to unclassified systems, for other systems this is NA. - - The default configuration in Exploit Protection is \"On by default\" which meets this requirement. The PowerShell query results for this show as \"NOTSET\". - Run \"Windows PowerShell\" with elevated privileges (run as administrator). - Enter \"Get-ProcessMitigation -System\". - If the status of \"CFG: Enable\" is \"OFF\", this is a finding. - Values that would not be a finding include: - - ON - NOTSET (Default configuration)" - desc "fix", "Ensure Exploit Protection system-level mitigation, \"Control flow guard (CFG)\", is turned on. The default configuration in Exploit Protection is \"On by default\" which meets this requirement. - - Open \"Windows Defender Security Center\". - Select \"App & browser control\". - Select \"Exploit protection settings\". - Under \"System settings\", configure \"Control flow guard (CFG)\" to \"On by default\" or \"Use default ()\". - - The STIG package includes a DoD EP XML file in the \"Supporting Files\" folder for configuring application mitigations defined in the STIG. This can also be modified to explicitly enforce the system level requirements. 
Adding the following to the XML file will explicitly turn CFG on (other system level EP requirements can be combined under ): - - - - - - The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." - impact 0.5 - tag severity: nil - tag gtitle: "SRG-OS-000480-GPOS-00227" - tag gid: "V-93315" - tag rid: "SV-103403r1_rule" - tag stig_id: "WN19-EP-000030" - tag fix_id: "F-99561r1_fix" - tag cci: ["CCI-000366"] - tag nist: ["CM-6 b", "Rev_4"] - - systemcfg = json({ command: "Get-ProcessMitigation -System | ConvertTo-Json" }).params - - if input('sensitive_system') == true || nil - impact 0.0 - describe 'This Control is Not Applicable to sensitive systems.' do - skip 'This Control is Not Applicable to sensitive systems.' - end - elsif systemcfg.empty? - describe "Exploit Protection: the following mitigation" do - it "must be set to 'ON' for the System" do - failure_message = "Exploit Protection is not set" - expect(systemcfg).not_to be_empty, failure_message - end - end - else - describe "Exploit Protection: the following mitigation must be set to 'ON' for the System" do - subject { systemcfg } - its(['Cfg','Enable']) { should be_between(0,1) } - end - end -end \ No newline at end of file diff --git a/controls/V-93317.rb b/controls/V-93317.rb deleted file mode 100644 index 86fd12f..0000000 --- a/controls/V-93317.rb +++ /dev/null 
@@ -1,61 +0,0 @@
-# encoding: UTF-8
-
-control "V-93317" do
- title "Windows Server 2019 Exploit Protection system-level mitigation, Validate exception chains (SEHOP), must be on."
- desc "Exploit protection enables mitigations against potential threats at the system and application level. Several mitigations, including \"Validate exception chains (SEHOP)\", are enabled by default at the system level. SEHOP (structured exception handling overwrite protection) ensures the integrity of an exception chain during exception dispatch. If this is turned off, Windows may be subject to various exploits."
- desc "rationale", ""
- desc "check", "This is applicable to unclassified systems, for other systems this is NA.
-
- The default configuration in Exploit Protection is \"On by default\" which meets this requirement. The PowerShell query results for this show as \"NOTSET\".
- Run \"Windows PowerShell\" with elevated privileges (run as administrator).
- Enter \"Get-ProcessMitigation -System\".
- If the status of \"SEHOP: Enable\" is \"OFF\", this is a finding.
- Values that would not be a finding include:
-
- ON
- NOTSET (Default configuration)"
- desc "fix", "Ensure Exploit Protection system-level mitigation, \"Validate exception chains (SEHOP)\", is turned on. The default configuration in Exploit Protection is \"On by default\" which meets this requirement.
-
- Open \"Windows Defender Security Center\".
- Select \"App & browser control\".
- Select \"Exploit protection settings\".
- Under \"System settings\", configure \"Validate exception chains (SEHOP)\" to \"On by default\" or \"Use default ()\".
-
- The STIG package includes a DoD EP XML file in the \"Supporting Files\" folder for configuring application mitigations defined in the STIG. This can also be modified to explicitly enforce the system level requirements.
Adding the following to the XML file will explicitly turn SEHOP on (other system level EP requirements can be combined under ):
-
-
-
-
-
- The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location."
- impact 0.5
- tag severity: nil
- tag gtitle: "SRG-OS-000480-GPOS-00227"
- tag gid: "V-93317"
- tag rid: "SV-103405r1_rule"
- tag stig_id: "WN19-EP-000040"
- tag fix_id: "F-99563r1_fix"
- tag cci: ["CCI-000366"]
- tag nist: ["CM-6 b", "Rev_4"]
-
- systemsehop = json({ command: "Get-ProcessMitigation -System | ConvertTo-Json" }).params
-
- if input('sensitive_system') == true || nil
- impact 0.0
- describe 'This Control is Not Applicable to sensitive systems.' do
- skip 'This Control is Not Applicable to sensitive systems.'
- end
- elsif systemsehop.empty?
- describe "Exploit Protection: the following mitigation" do
- it "must be set to 'ON' for the System" do
- failure_message = "Exploit Protection is not set"
- expect(systemsehop).not_to be_empty, failure_message
- end
- end
- else
- describe "Exploit Protection: the following mitigation must be set to 'ON' for the System" do
- subject { systemsehop }
- its(['SEHOP','Enable']) { should be_between(0,1) }
- end
- end
-end
\ No newline at end of file
diff --git a/controls/V-93319.rb b/controls/V-93319.rb
deleted file mode 100644
index e5404e9..0000000
--- a/controls/V-93319.rb
+++ /dev/null
@@ -1,61 +0,0 @@
-# encoding: UTF-8
-
-control "V-93319" do
- title "Windows Server 2019 Exploit Protection system-level mitigation, Validate heap integrity, must be on."
- desc "Exploit protection enables mitigations against potential threats at the system and application level. Several mitigations, including \"Validate heap integrity\", are enabled by default at the system level. \"Validate heap integrity\" terminates a process when heap corruption is detected. If this is turned off, Windows may be subject to various exploits."
- desc "rationale", ""
- desc "check", "This is applicable to unclassified systems, for other systems this is NA.
-
- The default configuration in Exploit Protection is \"On by default\" which meets this requirement. The PowerShell query results for this show as \"NOTSET\".
- Run \"Windows PowerShell\" with elevated privileges (run as administrator).
- Enter \"Get-ProcessMitigation -System\".
- If the status of \"Heap: TerminateOnError\" is \"OFF\", this is a finding.
- Values that would not be a finding include:
-
- ON
- NOTSET (Default configuration)"
- desc "fix", "Ensure Exploit Protection system-level mitigation, \"Validate heap integrity\" is turned on. The default configuration in Exploit Protection is \"On by default\" which meets this requirement.
-
- Open \"Windows Defender Security Center\".
- Select \"App & browser control\".
- Select \"Exploit protection settings\".
- Under \"System settings\", configure \"Validate heap integrity\" to \"On by default\" or \"Use default ()\".
-
- The STIG package includes a DoD EP XML file in the \"Supporting Files\" folder for configuring application mitigations defined in the STIG. This can also be modified to explicitly enforce the system level requirements.
Adding the following to the XML file will explicitly turn Validate heap integrity on (other system level EP requirements can be combined under ):
-
-
-
-
-
- The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location."
- impact 0.5
- tag severity: nil
- tag gtitle: "SRG-OS-000480-GPOS-00227"
- tag gid: "V-93319"
- tag rid: "SV-103407r1_rule"
- tag stig_id: "WN19-EP-000050"
- tag fix_id: "F-99565r1_fix"
- tag cci: ["CCI-000366"]
- tag nist: ["CM-6 b", "Rev_4"]
-
- systemheap = json({ command: "Get-ProcessMitigation -System | ConvertTo-Json" }).params
-
- if input('sensitive_system') == true || nil
- impact 0.0
- describe 'This Control is Not Applicable to sensitive systems.' do
- skip 'This Control is Not Applicable to sensitive systems.'
- end
- elsif systemheap.empty?
- describe "Exploit Protection: the following mitigation" do
- it "must be set to 'ON' for the System" do
- failure_message = "Exploit Protection is not set"
- expect(systemheap).not_to be_empty, failure_message
- end
- end
- else
- describe "Exploit Protection: the following mitigation must be set to 'ON' for the System" do
- subject { systemheap }
- its(['Heap','TerminateOnError']) { should be_between(0,1) }
- end
- end
-end
\ No newline at end of file
diff --git a/controls/V-93321.rb b/controls/V-93321.rb
deleted file mode 100644
index e7638ff..0000000
--- a/controls/V-93321.rb
+++ /dev/null
@@ -1,88 +0,0 @@
-# encoding: UTF-8
-
-control "V-93321" do
- title "Windows Server 2019 Exploit Protection mitigations must be configured for Acrobat.exe."
- desc "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits."
- desc "rationale", ""
- desc "check", "If the referenced application is not installed on the system, this is NA.
-
- This is applicable to unclassified systems, for other systems this is NA.
- Run \"Windows PowerShell\" with elevated privileges (run as administrator).
- Enter \"Get-ProcessMitigation -Name Acrobat.exe\".
- (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)
-
- If the following mitigations do not have a status of \"ON\", this is a finding:
-
- DEP:
- Enable: ON
-
- ASLR:
- BottomUp: ON
- ForceRelocateImages: ON
-
- Payload:
- EnableExportAddressFilter: ON
- EnableExportAddressFilterPlus: ON
- EnableImportAddressFilter: ON
- EnableRopStackPivot: ON
- EnableRopCallerCheck: ON
- EnableRopSimExec: ON
-
- The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here."
- desc "fix", "Ensure the following mitigations are turned \"ON\" for Acrobat.exe:
-
- DEP:
- Enable: ON
-
- ASLR:
- BottomUp: ON
- ForceRelocateImages: ON
-
- Payload:
- EnableExportAddressFilter: ON
- EnableExportAddressFilterPlus: ON
- EnableImportAddressFilter: ON
- EnableRopStackPivot: ON
- EnableRopCallerCheck: ON
- EnableRopSimExec: ON
-
- Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.
-
- The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location."
- impact 0.5
- tag severity: nil
- tag gtitle: "SRG-OS-000480-GPOS-00227"
- tag gid: "V-93321"
- tag rid: "SV-103409r1_rule"
- tag stig_id: "WN19-EP-000060"
- tag fix_id: "F-99567r1_fix"
- tag cci: ["CCI-000366"]
- tag nist: ["CM-6 b", "Rev_4"]
-
- acrobat = json({ command: "Get-ProcessMitigation -Name Acrobat.exe | ConvertTo-Json" }).params
-
- if input('sensitive_system') == true || nil
- impact 0.0
- describe 'This Control is Not Applicable to sensitive systems.' do
- skip 'This Control is Not Applicable to sensitive systems.'
- end
- elsif acrobat.empty?
- impact 0.0
- describe 'The referenced application is not installed on the system, this is NA.' do
- skip 'The referenced application is not installed on the system, this is NA.'
- end
- else
- describe "Exploit Protection: the following mitigations must be set to 'ON' for Acrobat.exe" do
- subject { acrobat }
- its(['Dep','Enable']) { should eq 1 }
- its(['Aslr','BottomUp']) { should eq 1 }
- its(['Aslr','ForceRelocateImages']) { should eq 1 }
- its(['Payload','EnableExportAddressFilter']) { should eq 1 }
- its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }
- its(['Payload','EnableImportAddressFilter']) { should eq 1 }
- its(['Payload','EnableRopStackPivot']) { should eq 1 }
- its(['Payload','EnableRopCallerCheck']) { should eq 1 }
- its(['Payload','EnableRopSimExec']) { should eq 1 }
- end
- end
-end
\ No newline at end of file
diff --git a/controls/V-93323.rb b/controls/V-93323.rb
deleted file mode 100644
index ffa4582..0000000
--- a/controls/V-93323.rb
+++ /dev/null
@@ -1,88 +0,0 @@
-# encoding: UTF-8
-
-control "V-93323" do
- title "Windows Server 2019 Exploit Protection mitigations must be configured for AcroRd32.exe."
- desc "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits."
- desc "rationale", ""
- desc "check", "If the referenced application is not installed on the system, this is NA.
-
- This is applicable to unclassified systems, for other systems this is NA.
- Run \"Windows PowerShell\" with elevated privileges (run as administrator).
- Enter \"Get-ProcessMitigation -Name AcroRd32.exe\".
- (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)
-
- If the following mitigations do not have a status of \"ON\", this is a finding:
-
- DEP:
- Enable: ON
-
- ASLR:
- BottomUp: ON
- ForceRelocateImages: ON
-
- Payload:
- EnableExportAddressFilter: ON
- EnableExportAddressFilterPlus: ON
- EnableImportAddressFilter: ON
- EnableRopStackPivot: ON
- EnableRopCallerCheck: ON
- EnableRopSimExec: ON
-
- The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here."
- desc "fix", "Ensure the following mitigations are turned \"ON\" for AcroRd32.exe:
-
- DEP:
- Enable: ON
-
- ASLR:
- BottomUp: ON
- ForceRelocateImages: ON
-
- Payload:
- EnableExportAddressFilter: ON
- EnableExportAddressFilterPlus: ON
- EnableImportAddressFilter: ON
- EnableRopStackPivot: ON
- EnableRopCallerCheck: ON
- EnableRopSimExec: ON
-
- Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.
-
- The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location."
- impact 0.5
- tag severity: nil
- tag gtitle: "SRG-OS-000480-GPOS-00227"
- tag gid: "V-93323"
- tag rid: "SV-103411r1_rule"
- tag stig_id: "WN19-EP-000070"
- tag fix_id: "F-99569r1_fix"
- tag cci: ["CCI-000366"]
- tag nist: ["CM-6 b", "Rev_4"]
-
- acroRd32 = json({ command: "Get-ProcessMitigation -Name AcroRd32.exe | ConvertTo-Json" }).params
-
- if input('sensitive_system') == true || nil
- impact 0.0
- describe 'This Control is Not Applicable to sensitive systems.' do
- skip 'This Control is Not Applicable to sensitive systems.'
- end
- elsif acroRd32.empty?
- impact 0.0
- describe 'The referenced application is not installed on the system, this is NA.' do
- skip 'The referenced application is not installed on the system, this is NA.'
- end
- else
- describe "Exploit Protection: the following mitigations must be set to 'ON' for AcroRd32.exe" do
- subject { acroRd32 }
- its(['Dep','Enable']) { should eq 1 }
- its(['Aslr','BottomUp']) { should eq 1 }
- its(['Aslr','ForceRelocateImages']) { should eq 1 }
- its(['Payload','EnableExportAddressFilter']) { should eq 1 }
- its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }
- its(['Payload','EnableImportAddressFilter']) { should eq 1 }
- its(['Payload','EnableRopStackPivot']) { should eq 1 }
- its(['Payload','EnableRopCallerCheck']) { should eq 1 }
- its(['Payload','EnableRopSimExec']) { should eq 1 }
- end
- end
-end
\ No newline at end of file
diff --git a/controls/V-93325.rb b/controls/V-93325.rb
deleted file mode 100644
index ac0d3d5..0000000
--- a/controls/V-93325.rb
+++ /dev/null
@@ -1,55 +0,0 @@
-# encoding: UTF-8
-
-control "V-93325" do
- title "Windows Server 2019 Exploit Protection mitigations must be configured for chrome.exe."
- desc "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits."
- desc "rationale", ""
- desc "check", "If the referenced application is not installed on the system, this is NA.
-
- This is applicable to unclassified systems, for other systems this is NA.
- Run \"Windows PowerShell\" with elevated privileges (run as administrator).
- Enter \"Get-ProcessMitigation -Name chrome.exe\".
- (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)
- If the following mitigations do not have a status of \"ON\", this is a finding:
-
- DEP:
- Enable: ON
-
- The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here."
- desc "fix", "Ensure the following mitigations are turned \"ON\" for chrome.exe:
-
- DEP:
- Enable: ON
-
- Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.
-
- The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location."
- impact 0.5
- tag severity: nil
- tag gtitle: "SRG-OS-000480-GPOS-00227"
- tag gid: "V-93325"
- tag rid: "SV-103413r1_rule"
- tag stig_id: "WN19-EP-000080"
- tag fix_id: "F-99571r1_fix"
- tag cci: ["CCI-000366"]
- tag nist: ["CM-6 b", "Rev_4"]
-
- chrome = json({ command: "Get-ProcessMitigation -Name chrome.exe | ConvertTo-Json" }).params
-
- if input('sensitive_system') == true || nil
- impact 0.0
- describe 'This Control is Not Applicable to sensitive systems.' do
- skip 'This Control is Not Applicable to sensitive systems.'
- end
- elsif chrome.empty?
- impact 0.0
- describe 'The referenced application is not installed on the system, this is NA.' do
- skip 'The referenced application is not installed on the system, this is NA.'
- end
- else
- describe "Exploit Protection: the following mitigations must be set to 'ON' for chrome.exe" do
- subject { chrome }
- its(['Dep','Enable']) { should eq 1 }
- end
- end
-end
\ No newline at end of file
diff --git a/controls/V-93327.rb b/controls/V-93327.rb
deleted file mode 100644
index 21fbb03..0000000
--- a/controls/V-93327.rb
+++ /dev/null
@@ -1,85 +0,0 @@
-# encoding: UTF-8
-
-control "V-93327" do
- title "Windows Server 2019 Exploit Protection mitigations must be configured for EXCEL.EXE."
- desc "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits."
- desc "rationale", ""
- desc "check", "If the referenced application is not installed on the system, this is NA.
-
- This is applicable to unclassified systems, for other systems this is NA.
- Run \"Windows PowerShell\" with elevated privileges (run as administrator).
- Enter \"Get-ProcessMitigation -Name EXCEL.EXE\".
- (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)
-
- If the following mitigations do not have a status of \"ON\", this is a finding:
-
- DEP:
- Enable: ON
-
- ASLR:
- ForceRelocateImages: ON
-
- Payload:
- EnableExportAddressFilter: ON
- EnableExportAddressFilterPlus: ON
- EnableImportAddressFilter: ON
- EnableRopStackPivot: ON
- EnableRopCallerCheck: ON
- EnableRopSimExec: ON
-
- The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here."
- desc "fix", "Ensure the following mitigations are turned \"ON\" for EXCEL.EXE:
-
- DEP:
- Enable: ON
-
- ASLR:
- ForceRelocateImages: ON
-
- Payload:
- EnableExportAddressFilter: ON
- EnableExportAddressFilterPlus: ON
- EnableImportAddressFilter: ON
- EnableRopStackPivot: ON
- EnableRopCallerCheck: ON
- EnableRopSimExec: ON
-
- Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.
-
- The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location."
- impact 0.5
- tag severity: nil
- tag gtitle: "SRG-OS-000480-GPOS-00227"
- tag gid: "V-93327"
- tag rid: "SV-103415r1_rule"
- tag stig_id: "WN19-EP-000090"
- tag fix_id: "F-99573r1_fix"
- tag cci: ["CCI-000366"]
- tag nist: ["CM-6 b", "Rev_4"]
-
- excel = json({ command: "Get-ProcessMitigation -Name EXCEL.EXE | ConvertTo-Json" }).params
-
- if input('sensitive_system') == true || nil
- impact 0.0
- describe 'This Control is Not Applicable to sensitive systems.' do
- skip 'This Control is Not Applicable to sensitive systems.'
- end
- elsif excel.empty?
- impact 0.0
- describe 'The referenced application is not installed on the system, this is NA.' do
- skip 'The referenced application is not installed on the system, this is NA.'
- end
- else
- describe "Exploit Protection: the following mitigations must be set to 'ON' for EXCEL.EXE" do
- subject { excel }
- its(['Dep','Enable']) { should eq 1 }
- its(['Aslr','ForceRelocateImages']) { should eq 1 }
- its(['Payload','EnableExportAddressFilter']) { should eq 1 }
- its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }
- its(['Payload','EnableImportAddressFilter']) { should eq 1 }
- its(['Payload','EnableRopStackPivot']) { should eq 1 }
- its(['Payload','EnableRopCallerCheck']) { should eq 1 }
- its(['Payload','EnableRopSimExec']) { should eq 1 }
- end
- end
-end
\ No newline at end of file
diff --git a/controls/V-93329.rb b/controls/V-93329.rb
deleted file mode 100644
index ee0a7e2..0000000
--- a/controls/V-93329.rb
+++ /dev/null
@@ -1,66 +0,0 @@
-# encoding: UTF-8
-
-control "V-93329" do
- title "Windows Server 2019 Exploit Protection mitigations must be configured for firefox.exe."
- desc "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits."
- desc "rationale", ""
- desc "check", "If the referenced application is not installed on the system, this is NA.
-
- This is applicable to unclassified systems, for other systems this is NA.
- Run \"Windows PowerShell\" with elevated privileges (run as administrator).
- Enter \"Get-ProcessMitigation -Name firefox.exe\".
- (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)
-
- If the following mitigations do not have a status of \"ON\", this is a finding:
-
- DEP:
- Enable: ON
-
- ASLR:
- BottomUp: ON
- ForceRelocateImages: ON
-
- The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here."
- desc "fix", "Ensure the following mitigations are turned \"ON\" for firefox.exe:
-
- DEP:
- Enable: ON
-
- ASLR:
- BottomUp: ON
- ForceRelocateImages: ON
-
- Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.
-
- The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location."
- impact 0.5
- tag severity: nil
- tag gtitle: "SRG-OS-000480-GPOS-00227"
- tag gid: "V-93329"
- tag rid: "SV-103417r1_rule"
- tag stig_id: "WN19-EP-000100"
- tag fix_id: "F-99575r1_fix"
- tag cci: ["CCI-000366"]
- tag nist: ["CM-6 b", "Rev_4"]
-
- firefox = json({ command: "Get-ProcessMitigation -Name firefox.exe | ConvertTo-Json" }).params
-
- if input('sensitive_system') == true || nil
- impact 0.0
- describe 'This Control is Not Applicable to sensitive systems.' do
- skip 'This Control is Not Applicable to sensitive systems.'
- end
- elsif firefox.empty?
- impact 0.0
- describe 'The referenced application is not installed on the system, this is NA.' do
- skip 'The referenced application is not installed on the system, this is NA.'
- end
- else
- describe "Exploit Protection: the following mitigations must be set to 'ON' for firefox.exe" do
- subject { firefox }
- its(['Dep','Enable']) { should eq 1 }
- its(['Aslr','BottomUp']) { should eq 1 }
- its(['Aslr','ForceRelocateImages']) { should eq 1 }
- end
- end
-end
\ No newline at end of file
diff --git a/controls/V-93331.rb b/controls/V-93331.rb
deleted file mode 100644
index 1a91618..0000000
--- a/controls/V-93331.rb
+++ /dev/null
@@ -1,92 +0,0 @@
-# encoding: UTF-8
-
-control "V-93331" do
- title "Windows Server 2019 Exploit Protection mitigations must be configured for FLTLDR.EXE."
- desc "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits."
- desc "rationale", ""
- desc "check", "If the referenced application is not installed on the system, this is NA.
-
- This is applicable to unclassified systems, for other systems this is NA.
- Run \"Windows PowerShell\" with elevated privileges (run as administrator).
- Enter \"Get-ProcessMitigation -Name FLTLDR.EXE\".
- (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)
-
- If the following mitigations do not have a status of \"ON\", this is a finding:
-
- DEP:
- Enable: ON
-
- ImageLoad:
- BlockRemoteImageLoads: ON
-
- Payload:
- EnableExportAddressFilter: ON
- EnableExportAddressFilterPlus: ON
- EnableImportAddressFilter: ON
- EnableRopStackPivot: ON
- EnableRopCallerCheck: ON
- EnableRopSimExec: ON
-
- Child Process:
- DisallowChildProcessCreation: ON
-
- The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here."
- desc "fix", "Ensure the following mitigations are turned \"ON\" for FLTLDR.EXE:
-
- DEP:
- Enable: ON
-
- ImageLoad:
- BlockRemoteImageLoads: ON
-
- Payload:
- EnableExportAddressFilter: ON
- EnableExportAddressFilterPlus: ON
- EnableImportAddressFilter: ON
- EnableRopStackPivot: ON
- EnableRopCallerCheck: ON
- EnableRopSimExec: ON
-
- Child Process:
- DisallowChildProcessCreation: ON
-
- Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.
-
- The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location."
- impact 0.5
- tag severity: nil
- tag gtitle: "SRG-OS-000480-GPOS-00227"
- tag gid: "V-93331"
- tag rid: "SV-103419r1_rule"
- tag stig_id: "WN19-EP-000110"
- tag fix_id: "F-99577r1_fix"
- tag cci: ["CCI-000366"]
- tag nist: ["CM-6 b", "Rev_4"]
-
- fltldr = json({ command: "Get-ProcessMitigation -Name FLTLDR.EXE | ConvertTo-Json" }).params
-
- if input('sensitive_system') == true || nil
- impact 0.0
- describe 'This Control is Not Applicable to sensitive systems.' do
- skip 'This Control is Not Applicable to sensitive systems.'
- end
- elsif fltldr.empty?
- impact 0.0
- describe 'The referenced application is not installed on the system, this is NA.' do
- skip 'The referenced application is not installed on the system, this is NA.'
- end
- else
- describe "Exploit Protection: the following mitigations must be set to 'ON' for FLTLDR.EXE" do
- subject { fltldr }
- its(['Dep','Enable']) { should eq 1 }
- its(['ImageLoad','BlockRemoteImageLoads']) { should eq 1 }
- its(['Payload','EnableExportAddressFilter']) { should eq 1 }
- its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }
- its(['Payload','EnableImportAddressFilter']) { should eq 1 }
- its(['Payload','EnableRopStackPivot']) { should eq 1 }
- its(['Payload','EnableRopCallerCheck']) { should eq 1 }
- its(['Payload','EnableRopSimExec']) { should eq 1 }
- its(['ChildProcess','DisallowChildProcessCreation']) { should eq 1 }
- end
- end
-end
\ No newline at end of file
diff --git a/controls/V-93333.rb b/controls/V-93333.rb
deleted file mode 100644
index 2474ff1..0000000
--- a/controls/V-93333.rb
+++ /dev/null
@@ -1,99 +0,0 @@
-# encoding: UTF-8
-
-control "V-93333" do
- title "Windows Server 2019 Exploit Protection mitigations must be configured for GROOVE.EXE."
- desc "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits."
- desc "rationale", ""
- desc "check", "If the referenced application is not installed on the system, this is NA.
-
- This is applicable to unclassified systems, for other systems this is NA.
- Run \"Windows PowerShell\" with elevated privileges (run as administrator).
- Enter \"Get-ProcessMitigation -Name GROOVE.EXE\".
- (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)
-
- If the following mitigations do not have a status of \"ON\", this is a finding:
-
- DEP:
- Enable: ON
-
- ASLR:
- ForceRelocateImages: ON
-
- ImageLoad:
- BlockRemoteImageLoads: ON
-
- Payload:
- EnableExportAddressFilter: ON
- EnableExportAddressFilterPlus: ON
- EnableImportAddressFilter: ON
- EnableRopStackPivot: ON
- EnableRopCallerCheck: ON
- EnableRopSimExec: ON
-
- Child Process:
- DisallowChildProcessCreation: ON
-
- The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here."
- desc "fix", "Ensure the following mitigations are turned \"ON\" for GROOVE.EXE:
-
- DEP:
- Enable: ON
-
- ASLR:
- ForceRelocateImages: ON
-
- ImageLoad:
- BlockRemoteImageLoads: ON
-
- Payload:
- EnableExportAddressFilter: ON
- EnableExportAddressFilterPlus: ON
- EnableImportAddressFilter: ON
- EnableRopStackPivot: ON
- EnableRopCallerCheck: ON
- EnableRopSimExec: ON
-
- Child Process:
- DisallowChildProcessCreation: ON
-
- Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.
-
- The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location."
- impact 0.5
- tag severity: nil
- tag gtitle: "SRG-OS-000480-GPOS-00227"
- tag gid: "V-93333"
- tag rid: "SV-103421r1_rule"
- tag stig_id: "WN19-EP-000120"
- tag fix_id: "F-99579r1_fix"
- tag cci: ["CCI-000366"]
- tag nist: ["CM-6 b", "Rev_4"]
-
- groove = json({ command: "Get-ProcessMitigation -Name GROOVE.EXE | ConvertTo-Json" }).params
-
- if input('sensitive_system') == true || nil
- impact 0.0
- describe 'This Control is Not Applicable to sensitive systems.' do
- skip 'This Control is Not Applicable to sensitive systems.'
- end
- elsif groove.empty?
- impact 0.0
- describe 'The referenced application is not installed on the system, this is NA.' do
- skip 'The referenced application is not installed on the system, this is NA.'
- end
- else
- describe "Exploit Protection: the following mitigations must be set to 'ON' for GROOVE.EXE" do
- subject { groove }
- its(['Dep','Enable']) { should eq 1 }
- its(['Aslr','ForceRelocateImages']) { should eq 1 }
- its(['ImageLoad','BlockRemoteImageLoads']) { should eq 1 }
- its(['Payload','EnableExportAddressFilter']) { should eq 1 }
- its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }
- its(['Payload','EnableImportAddressFilter']) { should eq 1 }
- its(['Payload','EnableRopStackPivot']) { should eq 1 }
- its(['Payload','EnableRopCallerCheck']) { should eq 1 }
- its(['Payload','EnableRopSimExec']) { should eq 1 }
- its(['ChildProcess','DisallowChildProcessCreation']) { should eq 1 }
- end
- end
-end
\ No newline at end of file
diff --git a/controls/V-93335.rb b/controls/V-93335.rb
deleted file mode 100644
index 969e9ff..0000000
--- a/controls/V-93335.rb
+++ /dev/null
@@ -1,88 +0,0 @@
-# encoding: UTF-8
-
-control "V-93335" do
- title "Windows Server 2019 Exploit Protection mitigations must be configured for iexplore.exe."
- desc "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits."
- desc "rationale", ""
- desc "check", "If the referenced application is not installed on the system, this is NA.
-
- This is applicable to unclassified systems, for other systems this is NA.
- Run \"Windows PowerShell\" with elevated privileges (run as administrator).
- Enter \"Get-ProcessMitigation -Name iexplore.exe\".
- (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)
-
- If the following mitigations do not have a status of \"ON\", this is a finding:
-
- DEP:
- Enable: ON
-
- ASLR:
- BottomUp: ON
- ForceRelocateImages: ON
-
- Payload:
- EnableExportAddressFilter: ON
- EnableExportAddressFilterPlus: ON
- EnableImportAddressFilter: ON
- EnableRopStackPivot: ON
- EnableRopCallerCheck: ON
- EnableRopSimExec: ON
-
- The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here."
- desc "fix", "Ensure the following mitigations are turned \"ON\" for iexplore.exe:
-
- DEP:
- Enable: ON
-
- ASLR:
- BottomUp: ON
- ForceRelocateImages: ON
-
- Payload:
- EnableExportAddressFilter: ON
- EnableExportAddressFilterPlus: ON
- EnableImportAddressFilter: ON
- EnableRopStackPivot: ON
- EnableRopCallerCheck: ON
- EnableRopSimExec: ON
-
- Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.
-
- The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location."
- impact 0.5
- tag severity: nil
- tag gtitle: "SRG-OS-000480-GPOS-00227"
- tag gid: "V-93335"
- tag rid: "SV-103423r1_rule"
- tag stig_id: "WN19-EP-000130"
- tag fix_id: "F-99581r1_fix"
- tag cci: ["CCI-000366"]
- tag nist: ["CM-6 b", "Rev_4"]
-
- iexplore = json({ command: "Get-ProcessMitigation -Name iexplore.exe | ConvertTo-Json" }).params
-
- if input('sensitive_system') == true || nil
- impact 0.0
- describe 'This Control is Not Applicable to sensitive systems.' do
- skip 'This Control is Not Applicable to sensitive systems.'
- end
- elsif iexplore.empty?
- impact 0.0
- describe 'The referenced application is not installed on the system, this is NA.' do
- skip 'The referenced application is not installed on the system, this is NA.'
- end
- else
- describe "Exploit Protection: the following mitigations must be set to 'ON' for iexplore.exe" do
- subject { iexplore }
- its(['Dep','Enable']) { should eq 1 }
- its(['Aslr','BottomUp']) { should eq 1 }
- its(['Aslr','ForceRelocateImages']) { should eq 1 }
- its(['Payload','EnableExportAddressFilter']) { should eq 1 }
- its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }
- its(['Payload','EnableImportAddressFilter']) { should eq 1 }
- its(['Payload','EnableRopStackPivot']) { should eq 1 }
- its(['Payload','EnableRopCallerCheck']) { should eq 1 }
- its(['Payload','EnableRopSimExec']) { should eq 1 }
- end
- end
-end
\ No newline at end of file
diff --git a/controls/V-93337.rb b/controls/V-93337.rb
deleted file mode 100644
index 9d5aff5..0000000
--- a/controls/V-93337.rb
+++ /dev/null
@@ -1,85 +0,0 @@
-# encoding: UTF-8
-
-control "V-93337" do
- title "Windows Server 2019 Exploit Protection mitigations must be configured for INFOPATH.EXE."
- desc "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits."
- desc "rationale", ""
- desc "check", "If the referenced application is not installed on the system, this is NA.
-
- This is applicable to unclassified systems, for other systems this is NA.
- Run \"Windows PowerShell\" with elevated privileges (run as administrator).
- Enter \"Get-ProcessMitigation -Name INFOPATH.EXE\".
- (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)
-
- If the following mitigations do not have a status of \"ON\", this is a finding:
-
- DEP:
- Enable: ON
-
- ASLR:
- ForceRelocateImages: ON
-
- Payload:
- EnableExportAddressFilter: ON
- EnableExportAddressFilterPlus: ON
- EnableImportAddressFilter: ON
- EnableRopStackPivot: ON
- EnableRopCallerCheck: ON
- EnableRopSimExec: ON
-
- The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here."
- desc "fix", "Ensure the following mitigations are turned \"ON\" for INFOPATH.EXE:
-
- DEP:
- Enable: ON
-
- ASLR:
- ForceRelocateImages: ON
-
- Payload:
- EnableExportAddressFilter: ON
- EnableExportAddressFilterPlus: ON
- EnableImportAddressFilter: ON
- EnableRopStackPivot: ON
- EnableRopCallerCheck: ON
- EnableRopSimExec: ON
-
- Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.
-
- The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location."
- impact 0.5
- tag severity: nil
- tag gtitle: "SRG-OS-000480-GPOS-00227"
- tag gid: "V-93337"
- tag rid: "SV-103425r1_rule"
- tag stig_id: "WN19-EP-000140"
- tag fix_id: "F-99583r1_fix"
- tag cci: ["CCI-000366"]
- tag nist: ["CM-6 b", "Rev_4"]
-
- infopath = json({ command: "Get-ProcessMitigation -Name INFOPATH.EXE | ConvertTo-Json" }).params
-
- if input('sensitive_system') == true || nil
- impact 0.0
- describe 'This Control is Not Applicable to sensitive systems.' do
- skip 'This Control is Not Applicable to sensitive systems.'
- end
- elsif infopath.empty?
- impact 0.0
- describe 'The referenced application is not installed on the system, this is NA.' do
- skip 'The referenced application is not installed on the system, this is NA.'
- end
- else
- describe "Exploit Protection: the following mitigations must be set to 'ON' for INFOPATH.EXE" do
- subject { infopath }
- its(['Dep','Enable']) { should eq 1 }
- its(['Aslr','ForceRelocateImages']) { should eq 1 }
- its(['Payload','EnableExportAddressFilter']) { should eq 1 }
- its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }
- its(['Payload','EnableImportAddressFilter']) { should eq 1 }
- its(['Payload','EnableRopStackPivot']) { should eq 1 }
- its(['Payload','EnableRopCallerCheck']) { should eq 1 }
- its(['Payload','EnableRopSimExec']) { should eq 1 }
- end
- end
-end
\ No newline at end of file
diff --git a/controls/V-93339.rb b/controls/V-93339.rb
deleted file mode 100644
index bc72487..0000000
--- a/controls/V-93339.rb
+++ /dev/null
@@ -1,88 +0,0 @@
-# encoding: UTF-8
-
-control "V-93339" do
- title "Windows Server 2019 Exploit Protection mitigations must be configured for java.exe, javaw.exe, and javaws.exe."
- desc "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits."
- desc "rationale", ""
- desc "check", "If the referenced application is not installed on the system, this is NA.
-
- This is applicable to unclassified systems, for other systems this is NA.
- Run \"Windows PowerShell\" with elevated privileges (run as administrator).
- Enter \"Get-ProcessMitigation -Name [application name]\" with each of the following substituted for [application name]:
- java.exe, javaw.exe, and javaws.exe
- (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)
-
- If the following mitigations do not have a status of \"ON\" for each, this is a finding:
-
- DEP:
- Enable: ON
-
- Payload:
- EnableExportAddressFilter: ON
- EnableExportAddressFilterPlus: ON
- EnableImportAddressFilter: ON
- EnableRopStackPivot: ON
- EnableRopCallerCheck: ON
- EnableRopSimExec: ON
-
- The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here."
- desc "fix", "Ensure the following mitigations are turned \"ON\" for java.exe, javaw.exe, and javaws.exe:
-
- DEP:
- Enable: ON
-
- Payload:
- EnableExportAddressFilter: ON
- EnableExportAddressFilterPlus: ON
- EnableImportAddressFilter: ON
- EnableRopStackPivot: ON
- EnableRopCallerCheck: ON
- EnableRopSimExec: ON
-
- Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.
-
- The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location."
- impact 0.5
- tag severity: nil
- tag gtitle: "SRG-OS-000480-GPOS-00227"
- tag gid: "V-93339"
- tag rid: "SV-103427r1_rule"
- tag stig_id: "WN19-EP-000150"
- tag fix_id: "F-99585r1_fix"
- tag cci: ["CCI-000366"]
- tag nist: ["CM-6 b", "Rev_4"]
-
- java = json({ command: "Get-ProcessMitigation -Name java.exe | ConvertTo-Json" }).params
- javaw = json({ command: "Get-ProcessMitigation -Name javaw.exe | ConvertTo-Json" }).params
- javaws = json({ command: "Get-ProcessMitigation -Name javaws.exe | ConvertTo-Json" }).params
-
- apps = [ java, javaw, javaws ]
-
- if input('sensitive_system') == true || nil
- impact 0.0
- describe 'This Control is Not Applicable to sensitive systems.' do
- skip 'This Control is Not Applicable to sensitive systems.'
- end
- else
- if java.empty? && javaw.empty? && javaws.empty?
- impact 0.0
- describe 'The referenced applications are not installed on the system, this is NA.' do
- skip 'The referenced applications are not installed on the system, this is NA.'
- end
- else
- apps.each do |app|
- next if app.empty?
- describe "Exploit Protection: the following mitigations must be set to 'ON' for java.exe" do
- subject { app }
- its(['Dep','Enable']) { should eq 1 }
- its(['Payload','EnableExportAddressFilter']) { should eq 1 }
- its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }
- its(['Payload','EnableImportAddressFilter']) { should eq 1 }
- its(['Payload','EnableRopStackPivot']) { should eq 1 }
- its(['Payload','EnableRopCallerCheck']) { should eq 1 }
- its(['Payload','EnableRopSimExec']) { should eq 1 }
- end
- end
- end
- end
-end
\ No newline at end of file
diff --git a/controls/V-93341.rb b/controls/V-93341.rb
deleted file mode 100644
index a53825a..0000000
--- a/controls/V-93341.rb
+++ /dev/null
@@ -1,86 +0,0 @@
-# encoding: UTF-8
-
-control "V-93341" do
- title "Windows Server 2019 Exploit Protection mitigations must be configured for lync.exe."
- desc "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits."
- desc "rationale", ""
- desc "check", "If the referenced application is not installed on the system, this is NA.
-
- This is applicable to unclassified systems, for other systems this is NA.
-
- Run \"Windows PowerShell\" with elevated privileges (run as administrator).
- Enter \"Get-ProcessMitigation -Name lync.exe\".
- (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)
-
- If the following mitigations do not have a status of \"ON\", this is a finding:
-
- DEP:
- Enable: ON
-
- ASLR:
- ForceRelocateImages: ON
-
- Payload:
- EnableExportAddressFilter: ON
- EnableExportAddressFilterPlus: ON
- EnableImportAddressFilter: ON
- EnableRopStackPivot: ON
- EnableRopCallerCheck: ON
- EnableRopSimExec: ON
-
- The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here."
- desc "fix", "Ensure the following mitigations are turned \"ON\" for lync.exe:
-
- DEP:
- Enable: ON
-
- ASLR:
- ForceRelocateImages: ON
-
- Payload:
- EnableExportAddressFilter: ON
- EnableExportAddressFilterPlus: ON
- EnableImportAddressFilter: ON
- EnableRopStackPivot: ON
- EnableRopCallerCheck: ON
- EnableRopSimExec: ON
-
- Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.
-
- The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location."
- impact 0.5
- tag severity: nil
- tag gtitle: "SRG-OS-000480-GPOS-00227"
- tag gid: "V-93341"
- tag rid: "SV-103429r1_rule"
- tag stig_id: "WN19-EP-000160"
- tag fix_id: "F-99587r1_fix"
- tag cci: ["CCI-000366"]
- tag nist: ["CM-6 b", "Rev_4"]
-
- lync = json({ command: "Get-ProcessMitigation -Name lync.exe | ConvertTo-Json" }).params
-
- if input('sensitive_system') == true || nil
- impact 0.0
- describe 'This Control is Not Applicable to sensitive systems.' do
- skip 'This Control is Not Applicable to sensitive systems.'
- end
- elsif lync.empty?
- impact 0.0
- describe 'The referenced application is not installed on the system, this is NA.' do
- skip 'The referenced application is not installed on the system, this is NA.'
- end
- else
- describe "Exploit Protection: the following mitigations must be set to 'ON' for lync.exe" do
- subject { lync }
- its(['Dep','Enable']) { should eq 1 }
- its(['Aslr','ForceRelocateImages']) { should eq 1 }
- its(['Payload','EnableExportAddressFilter']) { should eq 1 }
- its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }
- its(['Payload','EnableImportAddressFilter']) { should eq 1 }
- its(['Payload','EnableRopStackPivot']) { should eq 1 }
- its(['Payload','EnableRopCallerCheck']) { should eq 1 }
- its(['Payload','EnableRopSimExec']) { should eq 1 }
- end
- end
-end
\ No newline at end of file
diff --git a/controls/V-93343.rb b/controls/V-93343.rb
deleted file mode 100644
index fafdfe3..0000000
--- a/controls/V-93343.rb
+++ /dev/null
@@ -1,85 +0,0 @@
-# encoding: UTF-8
-
-control "V-93343" do
- title "Windows Server 2019 Exploit Protection mitigations must be configured for MSACCESS.EXE."
- desc "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits."
- desc "rationale", ""
- desc "check", "If the referenced application is not installed on the system, this is NA.
-
- This is applicable to unclassified systems, for other systems this is NA.
- Run \"Windows PowerShell\" with elevated privileges (run as administrator).
- Enter \"Get-ProcessMitigation -Name MSACCESS.EXE\".
- (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)
-
- If the following mitigations do not have a status of \"ON\", this is a finding:
-
- DEP:
- Enable: ON
-
- ASLR:
- ForceRelocateImages: ON
-
- Payload:
- EnableExportAddressFilter: ON
- EnableExportAddressFilterPlus: ON
- EnableImportAddressFilter: ON
- EnableRopStackPivot: ON
- EnableRopCallerCheck: ON
- EnableRopSimExec: ON
-
- The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here."
- desc "fix", "Ensure the following mitigations are turned \"ON\" for MSACCESS.EXE:
-
- DEP:
- Enable: ON
-
- ASLR:
- ForceRelocateImages: ON
-
- Payload:
- EnableExportAddressFilter: ON
- EnableExportAddressFilterPlus: ON
- EnableImportAddressFilter: ON
- EnableRopStackPivot: ON
- EnableRopCallerCheck: ON
- EnableRopSimExec: ON
-
- Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.
-
- The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location."
- impact 0.5
- tag severity: nil
- tag gtitle: "SRG-OS-000480-GPOS-00227"
- tag gid: "V-93343"
- tag rid: "SV-103431r1_rule"
- tag stig_id: "WN19-EP-000170"
- tag fix_id: "F-99589r1_fix"
- tag cci: ["CCI-000366"]
- tag nist: ["CM-6 b", "Rev_4"]
-
- msaccess = json({ command: "Get-ProcessMitigation -Name MSACCESS.EXE | ConvertTo-Json" }).params
-
- if input('sensitive_system') == true || nil
- impact 0.0
- describe 'This Control is Not Applicable to sensitive systems.' do
- skip 'This Control is Not Applicable to sensitive systems.'
- end
- elsif msaccess.empty?
- impact 0.0
- describe 'The referenced application is not installed on the system, this is NA.' do
- skip 'The referenced application is not installed on the system, this is NA.'
- end
- else
- describe "Exploit Protection: the following mitigations must be set to 'ON' for MSACCESS.EXE" do
- subject { msaccess }
- its(['Dep','Enable']) { should eq 1 }
- its(['Aslr','ForceRelocateImages']) { should eq 1 }
- its(['Payload','EnableExportAddressFilter']) { should eq 1 }
- its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }
- its(['Payload','EnableImportAddressFilter']) { should eq 1 }
- its(['Payload','EnableRopStackPivot']) { should eq 1 }
- its(['Payload','EnableRopCallerCheck']) { should eq 1 }
- its(['Payload','EnableRopSimExec']) { should eq 1 }
- end
- end
-end
\ No newline at end of file
diff --git a/controls/V-93345.rb b/controls/V-93345.rb
deleted file mode 100644
index 56ed288..0000000
--- a/controls/V-93345.rb
+++ /dev/null
@@ -1,85 +0,0 @@
-# encoding: UTF-8
-
-control "V-93345" do
- title "Windows Server 2019 Exploit Protection mitigations must be configured for MSPUB.EXE."
- desc "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits."
- desc "rationale", ""
- desc "check", "If the referenced application is not installed on the system, this is NA.
-
- This is applicable to unclassified systems, for other systems this is NA.
- Run \"Windows PowerShell\" with elevated privileges (run as administrator).
- Enter \"Get-ProcessMitigation -Name MSPUB.EXE\".
- (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)
-
- If the following mitigations do not have a status of \"ON\", this is a finding:
-
- DEP:
- Enable: ON
-
- ASLR:
- ForceRelocateImages: ON
-
- Payload:
- EnableExportAddressFilter: ON
- EnableExportAddressFilterPlus: ON
- EnableImportAddressFilter: ON
- EnableRopStackPivot: ON
- EnableRopCallerCheck: ON
- EnableRopSimExec: ON
-
- The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here."
- desc "fix", "Ensure the following mitigations are turned \"ON\" for MSPUB.EXE:
-
- DEP:
- Enable: ON
-
- ASLR:
- ForceRelocateImages: ON
-
- Payload:
- EnableExportAddressFilter: ON
- EnableExportAddressFilterPlus: ON
- EnableImportAddressFilter: ON
- EnableRopStackPivot: ON
- EnableRopCallerCheck: ON
- EnableRopSimExec: ON
-
- Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.
-
- The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location."
- impact 0.5
- tag severity: nil
- tag gtitle: "SRG-OS-000480-GPOS-00227"
- tag gid: "V-93345"
- tag rid: "SV-103433r1_rule"
- tag stig_id: "WN19-EP-000180"
- tag fix_id: "F-99591r1_fix"
- tag cci: ["CCI-000366"]
- tag nist: ["CM-6 b", "Rev_4"]
-
- mspub = json({ command: "Get-ProcessMitigation -Name MSPUB.EXE | ConvertTo-Json" }).params
-
- if input('sensitive_system') == true || nil
- impact 0.0
- describe 'This Control is Not Applicable to sensitive systems.' do
- skip 'This Control is Not Applicable to sensitive systems.'
- end
- elsif mspub.empty?
- impact 0.0
- describe 'The referenced application is not installed on the system, this is NA.' do
- skip 'The referenced application is not installed on the system, this is NA.'
- end
- else
- describe "Exploit Protection: the following mitigations must be set to 'ON' for MSPUB.EXE" do
- subject { mspub }
- its(['Dep','Enable']) { should eq 1 }
- its(['Aslr','ForceRelocateImages']) { should eq 1 }
- its(['Payload','EnableExportAddressFilter']) { should eq 1 }
- its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }
- its(['Payload','EnableImportAddressFilter']) { should eq 1 }
- its(['Payload','EnableRopStackPivot']) { should eq 1 }
- its(['Payload','EnableRopCallerCheck']) { should eq 1 }
- its(['Payload','EnableRopSimExec']) { should eq 1 }
- end
- end
-end
\ No newline at end of file
diff --git a/controls/V-93347.rb b/controls/V-93347.rb
deleted file mode 100644
index 588b539..0000000
--- a/controls/V-93347.rb
+++ /dev/null
@@ -1,78 +0,0 @@
-# encoding: UTF-8
-
-control "V-93347" do
- title "Windows Server 2019 Exploit Protection mitigations must be configured for OIS.EXE."
- desc "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits."
- desc "rationale", ""
- desc "check", "If the referenced application is not installed on the system, this is NA.
-
- This is applicable to unclassified systems, for other systems this is NA.
- Run \"Windows PowerShell\" with elevated privileges (run as administrator).
- Enter \"Get-ProcessMitigation -Name OIS.EXE\".
- (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)
-
- If the following mitigations do not have a status of \"ON\", this is a finding:
-
- DEP:
- Enable: ON
-
- Payload:
- EnableExportAddressFilter: ON
- EnableExportAddressFilterPlus: ON
- EnableImportAddressFilter: ON
- EnableRopStackPivot: ON
- EnableRopCallerCheck: ON
- EnableRopSimExec: ON
-
- The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here."
- desc "fix", "Ensure the following mitigations are turned \"ON\" for OIS.EXE:
-
- DEP:
- Enable: ON
-
- Payload:
- EnableExportAddressFilter: ON
- EnableExportAddressFilterPlus: ON
- EnableImportAddressFilter: ON
- EnableRopStackPivot: ON
- EnableRopCallerCheck: ON
- EnableRopSimExec: ON
-
- Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.
-
- The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location."
- impact 0.5
- tag severity: nil
- tag gtitle: "SRG-OS-000480-GPOS-00227"
- tag gid: "V-93347"
- tag rid: "SV-103435r1_rule"
- tag stig_id: "WN19-EP-000190"
- tag fix_id: "F-99593r1_fix"
- tag cci: ["CCI-000366"]
- tag nist: ["CM-6 b", "Rev_4"]
-
- ois = json({ command: "Get-ProcessMitigation -Name OIS.EXE | ConvertTo-Json" }).params
-
- if input('sensitive_system') == true || nil
- impact 0.0
- describe 'This Control is Not Applicable to sensitive systems.' do
- skip 'This Control is Not Applicable to sensitive systems.'
- end
- elsif ois.empty?
- impact 0.0
- describe 'The referenced application is not installed on the system, this is NA.' do
- skip 'The referenced application is not installed on the system, this is NA.'
- end
- else
- describe "Exploit Protection: the following mitigations must be set to 'ON' for OIS.EXE" do
- subject { ois }
- its(['Dep','Enable']) { should eq 1 }
- its(['Payload','EnableExportAddressFilter']) { should eq 1 }
- its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }
- its(['Payload','EnableImportAddressFilter']) { should eq 1 }
- its(['Payload','EnableRopStackPivot']) { should eq 1 }
- its(['Payload','EnableRopCallerCheck']) { should eq 1 }
- its(['Payload','EnableRopSimExec']) { should eq 1 }
- end
- end
-end
\ No newline at end of file
diff --git a/controls/V-93349.rb b/controls/V-93349.rb
deleted file mode 100644
index eaf24c6..0000000
--- a/controls/V-93349.rb
+++ /dev/null
@@ -1,92 +0,0 @@
-# encoding: UTF-8
-
-control "V-93349" do
- title "Windows Server 2019 Exploit Protection mitigations must be configured for OneDrive.exe."
- desc "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits."
- desc "rationale", ""
- desc "check", "If the referenced application is not installed on the system, this is NA.
-
- This is applicable to unclassified systems, for other systems this is NA.
- Run \"Windows PowerShell\" with elevated privileges (run as administrator).
- Enter \"Get-ProcessMitigation -Name OneDrive.exe\".
- (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)
-
- If the following mitigations do not have a status of \"ON\", this is a finding:
-
- DEP:
- Enable: ON
-
- ASLR:
- ForceRelocateImages: ON
-
- ImageLoad:
- BlockRemoteImageLoads: ON
-
- Payload:
- EnableExportAddressFilter: ON
- EnableExportAddressFilterPlus: ON
- EnableImportAddressFilter: ON
- EnableRopStackPivot: ON
- EnableRopCallerCheck: ON
- EnableRopSimExec: ON
-
- The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here."
- desc "fix", "Ensure the following mitigations are turned \"ON\" for OneDrive.exe:
-
- DEP:
- Enable: ON
-
- ASLR:
- ForceRelocateImages: ON
-
- ImageLoad:
- BlockRemoteImageLoads: ON
-
- Payload:
- EnableExportAddressFilter: ON
- EnableExportAddressFilterPlus: ON
- EnableImportAddressFilter: ON
- EnableRopStackPivot: ON
- EnableRopCallerCheck: ON
- EnableRopSimExec: ON
-
- Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.
-
- The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location."
- impact 0.5
- tag severity: nil
- tag gtitle: "SRG-OS-000480-GPOS-00227"
- tag gid: "V-93349"
- tag rid: "SV-103437r1_rule"
- tag stig_id: "WN19-EP-000200"
- tag fix_id: "F-99595r1_fix"
- tag cci: ["CCI-000366"]
- tag nist: ["CM-6 b", "Rev_4"]
-
- onedrive = json({ command: "Get-ProcessMitigation -Name OneDrive.EXE | ConvertTo-Json" }).params
-
- if input('sensitive_system') == true || nil
- impact 0.0
- describe 'This Control is Not Applicable to sensitive systems.' do
- skip 'This Control is Not Applicable to sensitive systems.'
- end
- elsif onedrive.empty?
- impact 0.0
- describe 'The referenced application is not installed on the system, this is NA.' do
- skip 'The referenced application is not installed on the system, this is NA.'
- end
- else
- describe "Exploit Protection: the following mitigations must be set to 'ON' for OneDrive.EXE" do
- subject { onedrive }
- its(['Dep','Enable']) { should eq 1 }
- its(['Aslr','ForceRelocateImages']) { should eq 1 }
- its(['ImageLoad','BlockRemoteImageLoads']) { should eq 1 }
- its(['Payload','EnableExportAddressFilter']) { should eq 1 }
- its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }
- its(['Payload','EnableImportAddressFilter']) { should eq 1 }
- its(['Payload','EnableRopStackPivot']) { should eq 1 }
- its(['Payload','EnableRopCallerCheck']) { should eq 1 }
- its(['Payload','EnableRopSimExec']) { should eq 1 }
- end
- end
-end
\ No newline at end of file
diff --git a/controls/V-93351.rb b/controls/V-93351.rb
deleted file mode 100644
index 703c8eb..0000000
--- a/controls/V-93351.rb
+++ /dev/null
@@ -1,85 +0,0 @@
-# encoding: UTF-8
-
-control "V-93351" do
- title "Windows Server 2019 Exploit Protection mitigations must be configured for OUTLOOK.EXE."
- desc "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits."
- desc "rationale", ""
- desc "check", "If the referenced application is not installed on the system, this is NA.
-
- This is applicable to unclassified systems, for other systems this is NA.
- Run \"Windows PowerShell\" with elevated privileges (run as administrator).
- Enter \"Get-ProcessMitigation -Name OUTLOOK.EXE\".
- (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)
-
- If the following mitigations do not have a status of \"ON\", this is a finding:
-
- DEP:
- Enable: ON
-
- ASLR:
- ForceRelocateImages: ON
-
- Payload:
- EnableExportAddressFilter: ON
- EnableExportAddressFilterPlus: ON
- EnableImportAddressFilter: ON
- EnableRopStackPivot: ON
- EnableRopCallerCheck: ON
- EnableRopSimExec: ON
-
- The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here."
- desc "fix", "Ensure the following mitigations are turned \"ON\" for OUTLOOK.EXE:
-
- DEP:
- Enable: ON
-
- ASLR:
- ForceRelocateImages: ON
-
- Payload:
- EnableExportAddressFilter: ON
- EnableExportAddressFilterPlus: ON
- EnableImportAddressFilter: ON
- EnableRopStackPivot: ON
- EnableRopCallerCheck: ON
- EnableRopSimExec: ON
-
- Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.
-
- The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location."
- impact 0.5
- tag severity: nil
- tag gtitle: "SRG-OS-000480-GPOS-00227"
- tag gid: "V-93351"
- tag rid: "SV-103439r1_rule"
- tag stig_id: "WN19-EP-000210"
- tag fix_id: "F-99597r1_fix"
- tag cci: ["CCI-000366"]
- tag nist: ["CM-6 b", "Rev_4"]
-
- outlook = json({ command: "Get-ProcessMitigation -Name OUTLOOK.EXE | ConvertTo-Json" }).params
-
- if input('sensitive_system') == true || nil
- impact 0.0
- describe 'This Control is Not Applicable to sensitive systems.' do
- skip 'This Control is Not Applicable to sensitive systems.'
- end
- elsif outlook.empty?
- impact 0.0
- describe 'The referenced application is not installed on the system, this is NA.' do
- skip 'The referenced application is not installed on the system, this is NA.'
- end
- else
- describe "Exploit Protection: the following mitigations must be set to 'ON' for OUTLOOK.EXE" do
- subject { outlook }
- its(['Dep','Enable']) { should eq 1 }
- its(['Aslr','ForceRelocateImages']) { should eq 1 }
- its(['Payload','EnableExportAddressFilter']) { should eq 1 }
- its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }
- its(['Payload','EnableImportAddressFilter']) { should eq 1 }
- its(['Payload','EnableRopStackPivot']) { should eq 1 }
- its(['Payload','EnableRopCallerCheck']) { should eq 1 }
- its(['Payload','EnableRopSimExec']) { should eq 1 }
- end
- end
-end
\ No newline at end of file
diff --git a/controls/V-93353.rb b/controls/V-93353.rb
deleted file mode 100644
index 53287f2..0000000
--- a/controls/V-93353.rb
+++ /dev/null
@@ -1,78 +0,0 @@
-# encoding: UTF-8
-
-control "V-93353" do
- title "Windows Server 2019 Exploit Protection mitigations must be configured for plugin-container.exe."
- desc "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits."
- desc "rationale", ""
- desc "check", "If the referenced application is not installed on the system, this is NA.
-
- This is applicable to unclassified systems, for other systems this is NA.
- Run \"Windows PowerShell\" with elevated privileges (run as administrator).
- Enter \"Get-ProcessMitigation -Name plugin-container.exe\".
- (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)
-
- If the following mitigations do not have a status of \"ON\", this is a finding:
-
- DEP:
- Enable: ON
-
- Payload:
- EnableExportAddressFilter: ON
- EnableExportAddressFilterPlus: ON
- EnableImportAddressFilter: ON
- EnableRopStackPivot: ON
- EnableRopCallerCheck: ON
- EnableRopSimExec: ON
-
- The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here."
- desc "fix", "Ensure the following mitigations are turned \"ON\" for plugin-container.exe:
-
- DEP:
- Enable: ON
-
- Payload:
- EnableExportAddressFilter: ON
- EnableExportAddressFilterPlus: ON
- EnableImportAddressFilter: ON
- EnableRopStackPivot: ON
- EnableRopCallerCheck: ON
- EnableRopSimExec: ON
-
- Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.
-
- The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location."
- impact 0.5
- tag severity: nil
- tag gtitle: "SRG-OS-000480-GPOS-00227"
- tag gid: "V-93353"
- tag rid: "SV-103441r1_rule"
- tag stig_id: "WN19-EP-000220"
- tag fix_id: "F-99599r1_fix"
- tag cci: ["CCI-000366"]
- tag nist: ["CM-6 b", "Rev_4"]
-
- container = json({ command: "Get-ProcessMitigation -Name plugin-container.exe | ConvertTo-Json" }).params
-
- if input('sensitive_system') == true || nil
- impact 0.0
- describe 'This Control is Not Applicable to sensitive systems.' do
- skip 'This Control is Not Applicable to sensitive systems.'
- end
- elsif container.empty?
- impact 0.0
- describe 'The referenced application is not installed on the system, this is NA.' do
- skip 'The referenced application is not installed on the system, this is NA.'
- end
- else
- describe "Exploit Protection: the following mitigations must be set to 'ON' for plugin-container.exe" do
- subject { container }
- its(['Dep','Enable']) { should eq 1 }
- its(['Payload','EnableExportAddressFilter']) { should eq 1 }
- its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }
- its(['Payload','EnableImportAddressFilter']) { should eq 1 }
- its(['Payload','EnableRopStackPivot']) { should eq 1 }
- its(['Payload','EnableRopCallerCheck']) { should eq 1 }
- its(['Payload','EnableRopSimExec']) { should eq 1 }
- end
- end
-end
\ No newline at end of file
diff --git a/controls/V-93355.rb b/controls/V-93355.rb
deleted file mode 100644
index ffb3e0f..0000000
--- a/controls/V-93355.rb
+++ /dev/null
@@ -1,85 +0,0 @@
-# encoding: UTF-8
-
-control "V-93355" do
- title "Windows Server 2019 Exploit Protection mitigations must be configured for POWERPNT.EXE."
- desc "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits."
- desc "rationale", ""
- desc "check", "If the referenced application is not installed on the system, this is NA.
-
- This is applicable to unclassified systems, for other systems this is NA.
- Run \"Windows PowerShell\" with elevated privileges (run as administrator).
- Enter \"Get-ProcessMitigation -Name POWERPNT.EXE\".
- (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)
-
- If the following mitigations do not have a status of \"ON\", this is a finding:
-
- DEP:
- Enable: ON
-
- ASLR:
- ForceRelocateImages: ON
-
- Payload:
- EnableExportAddressFilter: ON
- EnableExportAddressFilterPlus: ON
- EnableImportAddressFilter: ON
- EnableRopStackPivot: ON
- EnableRopCallerCheck: ON
- EnableRopSimExec: ON
-
- The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here."
- desc "fix", "Ensure the following mitigations are turned \"ON\" for POWERPNT.EXE:
-
- DEP:
- Enable: ON
-
- ASLR:
- ForceRelocateImages: ON
-
- Payload:
- EnableExportAddressFilter: ON
- EnableExportAddressFilterPlus: ON
- EnableImportAddressFilter: ON
- EnableRopStackPivot: ON
- EnableRopCallerCheck: ON
- EnableRopSimExec: ON
-
- Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.
-
- The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location."
- impact 0.5
- tag severity: nil
- tag gtitle: "SRG-OS-000480-GPOS-00227"
- tag gid: "V-93355"
- tag rid: "SV-103443r1_rule"
- tag stig_id: "WN19-EP-000230"
- tag fix_id: "F-99601r1_fix"
- tag cci: ["CCI-000366"]
- tag nist: ["CM-6 b", "Rev_4"]
-
- powerpnt = json({ command: "Get-ProcessMitigation -Name POWERPNT.EXE | ConvertTo-Json" }).params
-
- if input('sensitive_system') == true || nil
- impact 0.0
- describe 'This Control is Not Applicable to sensitive systems.' do
- skip 'This Control is Not Applicable to sensitive systems.'
- end
- elsif powerpnt.empty?
- impact 0.0
- describe 'The referenced application is not installed on the system, this is NA.' do
- skip 'The referenced application is not installed on the system, this is NA.'
- end
- else
- describe "Exploit Protection: the following mitigations must be set to 'ON' for POWERPNT.EXE" do
- subject { powerpnt }
- its(['Dep','Enable']) { should eq 1 }
- its(['Aslr','ForceRelocateImages']) { should eq 1 }
- its(['Payload','EnableExportAddressFilter']) { should eq 1 }
- its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }
- its(['Payload','EnableImportAddressFilter']) { should eq 1 }
- its(['Payload','EnableRopStackPivot']) { should eq 1 }
- its(['Payload','EnableRopCallerCheck']) { should eq 1 }
- its(['Payload','EnableRopSimExec']) { should eq 1 }
- end
- end
-end
\ No newline at end of file
diff --git a/controls/V-93357.rb b/controls/V-93357.rb
deleted file mode 100644
index 40398bb..0000000
--- a/controls/V-93357.rb
+++ /dev/null
@@ -1,85 +0,0 @@
-# encoding: UTF-8
-
-control "V-93357" do
- title "Windows Server 2019 Exploit Protection mitigations must be configured for PPTVIEW.EXE."
- desc "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits."
- desc "rationale", ""
- desc "check", "If the referenced application is not installed on the system, this is NA.
-
- This is applicable to unclassified systems, for other systems this is NA.
- Run \"Windows PowerShell\" with elevated privileges (run as administrator).
- Enter \"Get-ProcessMitigation -Name PPTVIEW.EXE\".
- (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)
-
- If the following mitigations do not have a status of \"ON\", this is a finding:
-
- DEP:
- Enable: ON
-
- ASLR:
- ForceRelocateImages: ON
-
- Payload:
- EnableExportAddressFilter: ON
- EnableExportAddressFilterPlus: ON
- EnableImportAddressFilter: ON
- EnableRopStackPivot: ON
- EnableRopCallerCheck: ON
- EnableRopSimExec: ON
-
- The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here."
- desc "fix", "Ensure the following mitigations are turned \"ON\" for PPTVIEW.EXE:
-
- DEP:
- Enable: ON
-
- ASLR:
- ForceRelocateImages: ON
-
- Payload:
- EnableExportAddressFilter: ON
- EnableExportAddressFilterPlus: ON
- EnableImportAddressFilter: ON
- EnableRopStackPivot: ON
- EnableRopCallerCheck: ON
- EnableRopSimExec: ON
-
- Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.
-
- The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location."
- impact 0.5
- tag severity: nil
- tag gtitle: "SRG-OS-000480-GPOS-00227"
- tag gid: "V-93357"
- tag rid: "SV-103445r1_rule"
- tag stig_id: "WN19-EP-000240"
- tag fix_id: "F-99603r1_fix"
- tag cci: ["CCI-000366"]
- tag nist: ["CM-6 b", "Rev_4"]
-
- pptview = json({ command: "Get-ProcessMitigation -Name PPTVIEW.EXE | ConvertTo-Json" }).params
-
- if input('sensitive_system') == true || nil
- impact 0.0
- describe 'This Control is Not Applicable to sensitive systems.' do
- skip 'This Control is Not Applicable to sensitive systems.'
- end
- elsif pptview.empty?
- impact 0.0
- describe 'The referenced application is not installed on the system, this is NA.' do
- skip 'The referenced application is not installed on the system, this is NA.'
- end
- else
- describe "Exploit Protection: the following mitigations must be set to 'ON' for PPTVIEW.EXE" do
- subject { pptview }
- its(['Dep','Enable']) { should eq 1 }
- its(['Aslr','ForceRelocateImages']) { should eq 1 }
- its(['Payload','EnableExportAddressFilter']) { should eq 1 }
- its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }
- its(['Payload','EnableImportAddressFilter']) { should eq 1 }
- its(['Payload','EnableRopStackPivot']) { should eq 1 }
- its(['Payload','EnableRopCallerCheck']) { should eq 1 }
- its(['Payload','EnableRopSimExec']) { should eq 1 }
- end
- end
-end
\ No newline at end of file
diff --git a/controls/V-93359.rb b/controls/V-93359.rb
deleted file mode 100644
index c19d546..0000000
--- a/controls/V-93359.rb
+++ /dev/null
@@ -1,85 +0,0 @@
-# encoding: UTF-8
-
-control "V-93359" do
- title "Windows Server 2019 Exploit Protection mitigations must be configured for VISIO.EXE."
- desc "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits."
- desc "rationale", ""
- desc "check", "If the referenced application is not installed on the system, this is NA.
-
- This is applicable to unclassified systems, for other systems this is NA.
- Run \"Windows PowerShell\" with elevated privileges (run as administrator).
- Enter \"Get-ProcessMitigation -Name VISIO.EXE\".
- (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)
-
- If the following mitigations do not have a status of \"ON\", this is a finding:
-
- DEP:
- Enable: ON
-
- ASLR:
- ForceRelocateImages: ON
-
- Payload:
- EnableExportAddressFilter: ON
- EnableExportAddressFilterPlus: ON
- EnableImportAddressFilter: ON
- EnableRopStackPivot: ON
- EnableRopCallerCheck: ON
- EnableRopSimExec: ON
-
- The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here."
- desc "fix", "Ensure the following mitigations are turned \"ON\" for VISIO.EXE:
-
- DEP:
- Enable: ON
-
- ASLR:
- ForceRelocateImages: ON
-
- Payload:
- EnableExportAddressFilter: ON
- EnableExportAddressFilterPlus: ON
- EnableImportAddressFilter: ON
- EnableRopStackPivot: ON
- EnableRopCallerCheck: ON
- EnableRopSimExec: ON
-
- Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.
-
- The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location."
- impact 0.5
- tag severity: nil
- tag gtitle: "SRG-OS-000480-GPOS-00227"
- tag gid: "V-93359"
- tag rid: "SV-103447r1_rule"
- tag stig_id: "WN19-EP-000250"
- tag fix_id: "F-99605r1_fix"
- tag cci: ["CCI-000366"]
- tag nist: ["CM-6 b", "Rev_4"]
-
- visio = json({ command: "Get-ProcessMitigation -Name VISIO.EXE | ConvertTo-Json" }).params
-
- if input('sensitive_system') == true || nil
- impact 0.0
- describe 'This Control is Not Applicable to sensitive systems.' do
- skip 'This Control is Not Applicable to sensitive systems.'
- end
- elsif visio.empty?
- impact 0.0
- describe 'The referenced application is not installed on the system, this is NA.' do
- skip 'The referenced application is not installed on the system, this is NA.'
- end
- else
- describe "Exploit Protection: the following mitigations must be set to 'ON' for VISIO.EXE" do
- subject { visio }
- its(['Dep','Enable']) { should eq 1 }
- its(['Aslr','ForceRelocateImages']) { should eq 1 }
- its(['Payload','EnableExportAddressFilter']) { should eq 1 }
- its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }
- its(['Payload','EnableImportAddressFilter']) { should eq 1 }
- its(['Payload','EnableRopStackPivot']) { should eq 1 }
- its(['Payload','EnableRopCallerCheck']) { should eq 1 }
- its(['Payload','EnableRopSimExec']) { should eq 1 }
- end
- end
-end
\ No newline at end of file
diff --git a/controls/V-93361.rb b/controls/V-93361.rb
deleted file mode 100644
index c89a7d0..0000000
--- a/controls/V-93361.rb
+++ /dev/null
@@ -1,85 +0,0 @@
-# encoding: UTF-8
-
-control "V-93361" do
- title "Windows Server 2019 Exploit Protection mitigations must be configured for VPREVIEW.EXE."
- desc "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits."
- desc "rationale", ""
- desc "check", "If the referenced application is not installed on the system, this is NA.
-
- This is applicable to unclassified systems, for other systems this is NA.
- Run \"Windows PowerShell\" with elevated privileges (run as administrator).
- Enter \"Get-ProcessMitigation -Name VPREVIEW.EXE\".
- (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)
-
- If the following mitigations do not have a status of \"ON\", this is a finding:
-
- DEP:
- Enable: ON
-
- ASLR:
- ForceRelocateImages: ON
-
- Payload:
- EnableExportAddressFilter: ON
- EnableExportAddressFilterPlus: ON
- EnableImportAddressFilter: ON
- EnableRopStackPivot: ON
- EnableRopCallerCheck: ON
- EnableRopSimExec: ON
-
- The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here."
- desc "fix", "Ensure the following mitigations are turned \"ON\" for VPREVIEW.EXE:
-
- DEP:
- Enable: ON
-
- ASLR:
- ForceRelocateImages: ON
-
- Payload:
- EnableExportAddressFilter: ON
- EnableExportAddressFilterPlus: ON
- EnableImportAddressFilter: ON
- EnableRopStackPivot: ON
- EnableRopCallerCheck: ON
- EnableRopSimExec: ON
-
- Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.
-
- The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location."
- impact 0.5
- tag severity: nil
- tag gtitle: "SRG-OS-000480-GPOS-00227"
- tag gid: "V-93361"
- tag rid: "SV-103449r1_rule"
- tag stig_id: "WN19-EP-000260"
- tag fix_id: "F-99607r1_fix"
- tag cci: ["CCI-000366"]
- tag nist: ["CM-6 b", "Rev_4"]
-
- vpreview = json({ command: "Get-ProcessMitigation -Name VPREVIEW.EXE | ConvertTo-Json" }).params
-
- if input('sensitive_system') == true || nil
- impact 0.0
- describe 'This Control is Not Applicable to sensitive systems.' do
- skip 'This Control is Not Applicable to sensitive systems.'
- end
- elsif vpreview.empty?
- impact 0.0
- describe 'The referenced application is not installed on the system, this is NA.' do
- skip 'The referenced application is not installed on the system, this is NA.'
- end
- else
- describe "Exploit Protection: the following mitigations must be set to 'ON' for VPREVIEW.EXE" do
- subject { vpreview }
- its(['Dep','Enable']) { should eq 1 }
- its(['Aslr','ForceRelocateImages']) { should eq 1 }
- its(['Payload','EnableExportAddressFilter']) { should eq 1 }
- its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }
- its(['Payload','EnableImportAddressFilter']) { should eq 1 }
- its(['Payload','EnableRopStackPivot']) { should eq 1 }
- its(['Payload','EnableRopCallerCheck']) { should eq 1 }
- its(['Payload','EnableRopSimExec']) { should eq 1 }
- end
- end
-end
\ No newline at end of file
diff --git a/controls/V-93363.rb b/controls/V-93363.rb
deleted file mode 100644
index 6dd67c1..0000000
--- a/controls/V-93363.rb
+++ /dev/null
@@ -1,85 +0,0 @@
-# encoding: UTF-8
-
-control "V-93363" do
- title "Windows Server 2019 Exploit Protection mitigations must be configured for WINWORD.EXE."
- desc "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits."
- desc "rationale", ""
- desc "check", "If the referenced application is not installed on the system, this is NA.
-
- This is applicable to unclassified systems, for other systems this is NA.
- Run \"Windows PowerShell\" with elevated privileges (run as administrator).
- Enter \"Get-ProcessMitigation -Name WINWORD.EXE\".
- (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)
-
- If the following mitigations do not have a status of \"ON\", this is a finding:
-
- DEP:
- Enable: ON
-
- ASLR:
- ForceRelocateImages: ON
-
- Payload:
- EnableExportAddressFilter: ON
- EnableExportAddressFilterPlus: ON
- EnableImportAddressFilter: ON
- EnableRopStackPivot: ON
- EnableRopCallerCheck: ON
- EnableRopSimExec: ON
-
- The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here."
- desc "fix", "Ensure the following mitigations are turned \"ON\" for WINWORD.EXE:
-
- DEP:
- Enable: ON
-
- ASLR:
- ForceRelocateImages: ON
-
- Payload:
- EnableExportAddressFilter: ON
- EnableExportAddressFilterPlus: ON
- EnableImportAddressFilter: ON
- EnableRopStackPivot: ON
- EnableRopCallerCheck: ON
- EnableRopSimExec: ON
-
- Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.
-
- The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location."
- impact 0.5
- tag severity: nil
- tag gtitle: "SRG-OS-000480-GPOS-00227"
- tag gid: "V-93363"
- tag rid: "SV-103451r1_rule"
- tag stig_id: "WN19-EP-000270"
- tag fix_id: "F-99609r1_fix"
- tag cci: ["CCI-000366"]
- tag nist: ["CM-6 b", "Rev_4"]
-
- winword = json({ command: "Get-ProcessMitigation -Name WINWORD.EXE | ConvertTo-Json" }).params
-
- if input('sensitive_system') == true || nil
- impact 0.0
- describe 'This Control is Not Applicable to sensitive systems.' do
- skip 'This Control is Not Applicable to sensitive systems.'
- end
- elsif winword.empty?
- impact 0.0
- describe 'The referenced application is not installed on the system, this is NA.' do
- skip 'The referenced application is not installed on the system, this is NA.'
- end
- else
- describe "Exploit Protection: the following mitigations must be set to 'ON' for WINWORD.EXE" do
- subject { winword }
- its(['Dep','Enable']) { should eq 1 }
- its(['Aslr','ForceRelocateImages']) { should eq 1 }
- its(['Payload','EnableExportAddressFilter']) { should eq 1 }
- its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }
- its(['Payload','EnableImportAddressFilter']) { should eq 1 }
- its(['Payload','EnableRopStackPivot']) { should eq 1 }
- its(['Payload','EnableRopCallerCheck']) { should eq 1 }
- its(['Payload','EnableRopSimExec']) { should eq 1 }
- end
- end
-end
\ No newline at end of file
diff --git a/controls/V-93365.rb b/controls/V-93365.rb
deleted file mode 100644
index 437d14f..0000000
--- a/controls/V-93365.rb
+++ /dev/null
@@ -1,69 +0,0 @@
-# encoding: UTF-8
-
-control "V-93365" do
- title "Windows Server 2019 Exploit Protection mitigations must be configured for wmplayer.exe."
- desc "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits."
- desc "rationale", ""
- desc "check", "If the referenced application is not installed on the system, this is NA.
-
- This is applicable to unclassified systems, for other systems this is NA.
- Run \"Windows PowerShell\" with elevated privileges (run as administrator).
- Enter \"Get-ProcessMitigation -Name wmplayer.exe\".
- (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)
-
- If the following mitigations do not have a status of \"ON\", this is a finding:
-
- DEP:
- Enable: ON
-
- Payload:
- EnableRopStackPivot: ON
- EnableRopCallerCheck: ON
- EnableRopSimExec: ON
-
- The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here."
- desc "fix", "Ensure the following mitigations are turned \"ON\" for wmplayer.exe:
-
- DEP:
- Enable: ON
-
- Payload:
- EnableRopStackPivot: ON
- EnableRopCallerCheck: ON
- EnableRopSimExec: ON
-
- Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.
-
- The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location."
- impact 0.5
- tag severity: nil
- tag gtitle: "SRG-OS-000480-GPOS-00227"
- tag gid: "V-93365"
- tag rid: "SV-103453r1_rule"
- tag stig_id: "WN19-EP-000280"
- tag fix_id: "F-99611r1_fix"
- tag cci: ["CCI-000366"]
- tag nist: ["CM-6 b", "Rev_4"]
-
- wmplayer = json({ command: "Get-ProcessMitigation -Name wmplayer.exe | ConvertTo-Json" }).params
-
- if input('sensitive_system') == true || nil
- impact 0.0
- describe 'This Control is Not Applicable to sensitive systems.' do
- skip 'This Control is Not Applicable to sensitive systems.'
- end
- elsif wmplayer.empty?
- impact 0.0
- describe 'The referenced application is not installed on the system, this is NA.' do
- skip 'The referenced application is not installed on the system, this is NA.'
- end
- else
- describe "Exploit Protection: the following mitigations must be set to 'ON' for wmplayer.exe" do
- subject { wmplayer }
- its(['Dep','Enable']) { should eq 1 }
- its(['Payload','EnableRopStackPivot']) { should eq 1 }
- its(['Payload','EnableRopCallerCheck']) { should eq 1 }
- its(['Payload','EnableRopSimExec']) { should eq 1 }
- end
- end
-end
\ No newline at end of file
diff --git a/controls/V-93367.rb b/controls/V-93367.rb
deleted file mode 100644
index 8723a31..0000000
--- a/controls/V-93367.rb
+++ /dev/null
@@ -1,78 +0,0 @@
-# encoding: UTF-8
-
-control "V-93367" do
- title "Windows Server 2019 Exploit Protection mitigations must be configured for wordpad.exe."
- desc "Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits."
- desc "rationale", ""
- desc "check", "If the referenced application is not installed on the system, this is NA.
-
- This is applicable to unclassified systems, for other systems this is NA.
- Run \"Windows PowerShell\" with elevated privileges (run as administrator).
- Enter \"Get-ProcessMitigation -Name wordpad.exe\".
- (Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.)
-
- If the following mitigations do not have a status of \"ON\", this is a finding:
-
- DEP:
- Enable: ON
-
- Payload:
- EnableExportAddressFilter: ON
- EnableExportAddressFilterPlus: ON
- EnableImportAddressFilter: ON
- EnableRopStackPivot: ON
- EnableRopCallerCheck: ON
- EnableRopSimExec: ON
-
- The PowerShell command produces a list of mitigations; only those with a required status of \"ON\" are listed here."
- desc "fix", "Ensure the following mitigations are turned \"ON\" for wordpad.exe:
-
- DEP:
- Enable: ON
-
- Payload:
- EnableExportAddressFilter: ON
- EnableExportAddressFilterPlus: ON
- EnableImportAddressFilter: ON
- EnableRopStackPivot: ON
- EnableRopCallerCheck: ON
- EnableRopSimExec: ON
-
- Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the \"Supporting Files\" folder.
-
- The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location."
- impact 0.5
- tag severity: nil
- tag gtitle: "SRG-OS-000480-GPOS-00227"
- tag gid: "V-93367"
- tag rid: "SV-103455r1_rule"
- tag stig_id: "WN19-EP-000290"
- tag fix_id: "F-99613r1_fix"
- tag cci: ["CCI-000366"]
- tag nist: ["CM-6 b", "Rev_4"]
-
- wordpad = json({ command: "Get-ProcessMitigation -Name wordpad.exe | ConvertTo-Json" }).params
-
- if input('sensitive_system') == true || nil
- impact 0.0
- describe 'This Control is Not Applicable to sensitive systems.' do
- skip 'This Control is Not Applicable to sensitive systems.'
- end
- elsif wordpad.empty?
- impact 0.0
- describe 'The referenced application is not installed on the system, this is NA.' do
- skip 'The referenced application is not installed on the system, this is NA.'
- end
- else
- describe "Exploit Protection: the following mitigations must be set to 'ON' for wordpad.exe" do
- subject { wordpad }
- its(['Dep','Enable']) { should eq 1 }
- its(['Payload','EnableExportAddressFilter']) { should eq 1 }
- its(['Payload','EnableExportAddressFilterPlus']) { should eq 1 }
- its(['Payload','EnableImportAddressFilter']) { should eq 1 }
- its(['Payload','EnableRopStackPivot']) { should eq 1 }
- its(['Payload','EnableRopCallerCheck']) { should eq 1 }
- its(['Payload','EnableRopSimExec']) { should eq 1 }
- end
- end
-end
\ No newline at end of file
diff --git a/controls/V-93565.rb b/controls/V-93565.rb
deleted file mode 100644
index 0c2306a..0000000
--- a/controls/V-93565.rb
+++ /dev/null
@@ -1,58 +0,0 @@ -# encoding: UTF-8 - -control "V-93565" do - title "Windows Server 2019 Exploit Protection system-level mitigation, Randomize memory allocations (Bottom-Up ASLR), must be on." - desc "Exploit protection enables mitigations against potential threats at the system and application level. Several mitigations, including \"Randomize memory allocations (Bottom-Up ASLR)\", are enabled by default at the system level. Bottom-Up ASLR (address space layout randomization) randomizes locations for virtual memory allocations, including those for system structures. If this is turned off, Windows may be subject to various exploits." - desc "rationale", "" - desc "check", "This is applicable to unclassified systems, for other systems this is NA. The default configuration in Exploit Protection is \"On by default\" which meets this requirement. - The PowerShell query results for this show as \"NOTSET\". - Run \"Windows PowerShell\" with elevated privileges (run as administrator). - Enter \"Get-ProcessMitigation -System\". - If the status of \"ASLR: BottomUp\" is \"OFF\", this is a finding. - Values that would not be a finding include: - ON - NOTSET (Default configuration)" - desc "fix", "Ensure Exploit Protection system-level mitigation, \"Randomize memory allocations (Bottom-Up ASLR)\" is turned on. The default configuration in Exploit Protection is \"On by default\" which meets this requirement. - Open \"Windows Defender Security Center\". - Select \"App & browser control\". - Select \"Exploit protection settings\". - Under \"System settings\", configure \"Randomize memory allocations - (Bottom-Up ASLR)\" to \"On by default\" or \"Use default ()\". - - The STIG package includes a DoD EP XML file in the \"Supporting Files\" folder for configuring application mitigations defined in the STIG. This can also be modified to explicitly enforce the system level requirements. 
Adding the following to the XML file will explicitly turn Bottom-Up ASLR on (other system level EP requirements can be combined under ): - - - - - The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> \"Use a common set of exploit protection settings\" configured to \"Enabled\" with file name and location defined under \"Options:\". It is recommended the file be in a read-only network location." - impact 0.5 - tag severity: nil - tag gtitle: "SRG-OS-000433-GPOS-00193" - tag gid: "V-93565" - tag rid: "SV-103651r1_rule" - tag stig_id: "WN19-EP-000020" - tag fix_id: "F-99809r1_fix" - tag cci: ["CCI-002824"] - tag nist: ["SI-16", "Rev_4"] - - systemaslr = json({ command: "Get-ProcessMitigation -System | ConvertTo-Json" }).params - - if input('sensitive_system') == true || nil - impact 0.0 - describe 'This Control is Not Applicable to sensitive systems.' do - skip 'This Control is Not Applicable to sensitive systems.' - end - elsif systemaslr.empty? - describe "Exploit Protection: the following mitigation" do - it "must be set to 'ON' for the System" do - failure_message = "Exploit Protection is not set" - expect(systemaslr).not_to be_empty, failure_message - end - end - else - describe "Exploit Protection: the following mitigation must be set to 'ON' for the System" do - subject { systemaslr } - its(['Aslr','BottomUp']) { should be_between(0,1) } - end - end -end \ No newline at end of file diff --git a/inspec.yml b/inspec.yml index ff58c15..937d963 100644 --- a/inspec.yml +++ b/inspec.yml @@ -28,7 +28,7 @@ inputs: value: - - - name: temporary_account_period # V-92975 + - name: temporary_account_period # SV-205624 desc: "List the number of days that temporary accounts remain active for" type: Numeric value: 3