-
Notifications
You must be signed in to change notification settings - Fork 22
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #76 from eemperor/win2022
Adding STIG baselines for Windows Server 2022 and Windows 11
- Loading branch information
Showing
31 changed files
with
3,888 additions
and
26 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,51 +1,96 @@ | ||
| - Download the latest available DISA-provided GPO baseline zip file: https://public.cyber.mil/stigs/gpo/ | ||
|
|
||
| - Unzip the GPO baseline file on your computer | ||
|
|
||
| - Open the unzipped folder and browse to the desired baseline to update | ||
|
|
||
| - To identify the STIG GPO baseline associated with each GUID, you have to navigate into the GUID directories and open gpreport.xml. The <name> tag near the top in the xml will identify the STIG baseline provided | ||
|
|
||
| - Depending on the baseline, the `Machine` and `User` policies maybe under the same GUID or separate GUIDs. In either case, the following steps still applies | ||
|
|
||
| - Open `{GUID}\DomainSysvol\GPO\Machine` and copy `registry.pol` to the `stig/<baseline>` folder, renaming it to `machine_registry.pol`. Skip this step if `registry.pol` is missing or contains no policies (e.g. File size is very small) | ||
|
|
||
| - Check for `audit.csv` and `GptTmpl.inf` files under `{GUID}\DomainSysvol\GPO\Machine\microsoft\windows nt\` and copy them to `stig/<baseline>` | ||
|
|
||
| - Open `{GUID}\DomainSysvol\GPO\User` and copy `registry.pol` to the `stig/<baseline>` folder, renaming it to `user_registry.pol`. Again, skip if `registry.pol` is missing or contains no policies (e.g. File size is very small) | ||
|
|
||
| - Run the PowerShell code below from the root of the ash-windows-formula repo | ||
|
|
||
| ```powershell | ||
| $baselines = @( | ||
| 'IE_10', | ||
| 'IE_11', | ||
| 'IE_8', | ||
| 'IE_9', | ||
| 'Windows_2008ServerR2_DC', | ||
| 'Windows_2008ServerR2_MS', | ||
| 'Windows_2012ServerR2_DC', | ||
| 'Windows_2012ServerR2_MS', | ||
| 'Windows_8.1', | ||
| 'IE_11' | ||
| 'Windows_10' | ||
| 'Windows_11' | ||
| 'Windows_2012ServerR2_DC' | ||
| 'Windows_2012ServerR2_MS' | ||
| 'Windows_2016Server_DC' | ||
| 'Windows_2016Server_MS' | ||
| 'Windows_2019Server_DC' | ||
| 'Windows_2019Server_MS' | ||
| 'Windows_2022Server_DC' | ||
| 'Windows_2022Server_MS' | ||
| ) | ||
| foreach ($baseline in $baselines) | ||
| { | ||
| $dir = Resolve-Path ".\ash-windows\stig\$baseline" | ||
| $StigInf = "${dir}\stig.inf" | ||
| $StigTxt = "${dir}\stig.txt" | ||
| $dir = ".\ash-windows\stig\$baseline" | ||
| $gpttmpl_inf = "$dir\GptTmpl.inf" | ||
| $user_pol = "$dir\user_registry.pol" | ||
| $machine_pol = "$dir\machine_registry.pol" | ||
| $TxtFile = "$gpttmpl_inf" | ||
| $YmlFile = "$(Resolve-Path $dir)\gpttmpl.yml" | ||
| if (Test-Path "$TxtFile") | ||
| { | ||
| Write-Host "Processing $TxtFile" | ||
| python .\ash-windows\tools\convert-lgpo-policy.py ` | ||
| src_file="$TxtFile" ` | ||
| dst_file="$YmlFile" | ||
| } | ||
| else | ||
| { | ||
| # We need to ensure an empty YmlFile exists | ||
| $null = New-Item -Path $YmlFile -ItemType File -Force | ||
| } | ||
| $PolFile = $StigInf | ||
| $YmlFile = "${dir}\stig.inf.yml" | ||
| if (Test-Path "$PolFile") | ||
| $TxtFile = "${dir}\user_registry.txt" | ||
| $YmlFile = "${dir}\user_registry.yml" | ||
| rm $TxtFile -ErrorAction SilentlyContinue | ||
| if (Test-Path "$user_pol") | ||
| { | ||
| Write-Host "Processing $PolFile" | ||
| .\ash-windows\tools\LGPO.exe /parse /u "$user_pol" | Out-File "$TxtFile" -Encoding "ascii" | ||
| Write-Host "Processing $TxtFile" | ||
| python .\ash-windows\tools\convert-lgpo-policy.py ` | ||
| src_file="$PolFile" ` | ||
| src_file="$TxtFile" ` | ||
| dst_file="$YmlFile" | ||
| rm $TxtFile -ErrorAction SilentlyContinue | ||
| } | ||
| else | ||
| { | ||
| # We need to ensure an empty YmlFile exists | ||
| $null = New-Item -Path $YmlFile -ItemType File -Force | ||
| } | ||
| $PolFile = $StigTxt | ||
| $YmlFile = "${dir}\stig.txt.yml" | ||
| if (Test-Path "$PolFile") | ||
| $TxtFile = "${dir}\machine_registry.txt" | ||
| $YmlFile = "${dir}\machine_registry.yml" | ||
| #rm $TxtFile -ErrorAction SilentlyContinue | ||
| if (Test-Path "$machine_pol") | ||
| { | ||
| Write-Host "Processing $PolFile" | ||
| .\ash-windows\tools\LGPO.exe /parse /m "$machine_pol" | Out-File "$TxtFile" -Encoding "ascii" | ||
| Write-Host "Processing $TxtFile" | ||
| python .\ash-windows\tools\convert-lgpo-policy.py ` | ||
| src_file="$PolFile" ` | ||
| src_file="$TxtFile" ` | ||
| dst_file="$YmlFile" | ||
| rm $TxtFile -ErrorAction SilentlyContinue | ||
| } | ||
| else | ||
| { | ||
| # We need to ensure an empty YmlFile exists | ||
| $null = New-Item -Path $YmlFile -ItemType File -Force | ||
| } | ||
| # Combine yml files into single stig.yml file | ||
| Get-Content -Path ${dir}\user_registry.yml,${dir}\machine_registry.yml,$dir\gpttmpl.yml | Set-Content -Path $dir\stig.yml | ||
| } | ||
| ``` | ||
|
|
||
| - After a new `stig.yml` file is generated for the STIG baseline being updated, open the file and inspect the policies. The DISA policies may have placeholder values that need to be updated or remove as needed for your environment. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,24 @@ | ||
| Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value | ||
| ,System,Audit Credential Validation,{0cce923f-69ae-11d9-bed3-505054503030},Success and Failure,,3 | ||
| ,System,Audit Security Group Management,{0cce9237-69ae-11d9-bed3-505054503030},Success,,1 | ||
| ,System,Audit User Account Management,{0cce9235-69ae-11d9-bed3-505054503030},Success and Failure,,3 | ||
| ,System,Audit PNP Activity,{0cce9248-69ae-11d9-bed3-505054503030},Success,,1 | ||
| ,System,Audit Process Creation,{0cce922b-69ae-11d9-bed3-505054503030},Success,,1 | ||
| ,System,Audit Account Lockout,{0cce9217-69ae-11d9-bed3-505054503030},Failure,,2 | ||
| ,System,Audit Group Membership,{0cce9249-69ae-11d9-bed3-505054503030},Success,,1 | ||
| ,System,Audit Logon,{0cce9215-69ae-11d9-bed3-505054503030},Success and Failure,,3 | ||
| ,System,Audit Other Logon/Logoff Events,{0cce921c-69ae-11d9-bed3-505054503030},Success and Failure,,3 | ||
| ,System,Audit Special Logon,{0cce921b-69ae-11d9-bed3-505054503030},Success,,1 | ||
| ,System,Audit Detailed File Share,{0cce9244-69ae-11d9-bed3-505054503030},Failure,,2 | ||
| ,System,Audit File Share,{0cce9224-69ae-11d9-bed3-505054503030},Success and Failure,,3 | ||
| ,System,Audit Other Object Access Events,{0cce9227-69ae-11d9-bed3-505054503030},Success and Failure,,3 | ||
| ,System,Audit Removable Storage,{0cce9245-69ae-11d9-bed3-505054503030},Success and Failure,,3 | ||
| ,System,Audit Audit Policy Change,{0cce922f-69ae-11d9-bed3-505054503030},Success,,1 | ||
| ,System,Audit Authentication Policy Change,{0cce9230-69ae-11d9-bed3-505054503030},Success,,1 | ||
| ,System,Audit MPSSVC Rule-Level Policy Change,{0cce9232-69ae-11d9-bed3-505054503030},Success and Failure,,3 | ||
| ,System,Audit Other Policy Change Events,{0cce9234-69ae-11d9-bed3-505054503030},Failure,,2 | ||
| ,System,Audit Sensitive Privilege Use,{0cce9228-69ae-11d9-bed3-505054503030},Success and Failure,,3 | ||
| ,System,Audit Other System Events,{0cce9214-69ae-11d9-bed3-505054503030},Success and Failure,,3 | ||
| ,System,Audit Security State Change,{0cce9210-69ae-11d9-bed3-505054503030},Success,,1 | ||
| ,System,Audit Security System Extension,{0cce9211-69ae-11d9-bed3-505054503030},Success,,1 | ||
| ,System,Audit System Integrity,{0cce9212-69ae-11d9-bed3-505054503030},Success and Failure,,3 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,188 @@ | ||
| - name: LSAAnonymousNameLookup | ||
| policy_type: secedit | ||
| value: '0' | ||
| - name: SeSecurityPrivilege | ||
| policy_type: secedit | ||
| value: '*S-1-5-32-544' | ||
| - name: SeRestorePrivilege | ||
| policy_type: secedit | ||
| value: '*S-1-5-32-544' | ||
| - name: SeTakeOwnershipPrivilege | ||
| policy_type: secedit | ||
| value: '*S-1-5-32-544' | ||
| - name: SeBackupPrivilege | ||
| policy_type: secedit | ||
| value: '*S-1-5-32-544' | ||
| - name: SeDenyRemoteInteractiveLogonRight | ||
| policy_type: secedit | ||
| value: '*S-1-5-113' | ||
| - name: SeCreatePermanentPrivilege | ||
| policy_type: secedit | ||
| value: '' | ||
| - name: SeManageVolumePrivilege | ||
| policy_type: secedit | ||
| value: '*S-1-5-32-544' | ||
| - name: SeLoadDriverPrivilege | ||
| policy_type: secedit | ||
| value: '*S-1-5-32-544' | ||
| - name: SeLockMemoryPrivilege | ||
| policy_type: secedit | ||
| value: '' | ||
| - name: SeDenyNetworkLogonRight | ||
| policy_type: secedit | ||
| value: '*S-1-5-113' | ||
| - name: SeNetworkLogonRight | ||
| policy_type: secedit | ||
| value: '*S-1-5-32-544,*S-1-5-32-555' | ||
| - name: SeImpersonatePrivilege | ||
| policy_type: secedit | ||
| value: '*S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20' | ||
| - name: SeCreateTokenPrivilege | ||
| policy_type: secedit | ||
| value: '' | ||
| - name: SeCreateGlobalPrivilege | ||
| policy_type: secedit | ||
| value: '*S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20' | ||
| - name: SeSystemEnvironmentPrivilege | ||
| policy_type: secedit | ||
| value: '*S-1-5-32-544' | ||
| - name: SeCreatePagefilePrivilege | ||
| policy_type: secedit | ||
| value: '*S-1-5-32-544' | ||
| - name: SeInteractiveLogonRight | ||
| policy_type: secedit | ||
| value: '*S-1-5-32-544,*S-1-5-32-545' | ||
| - name: SeRemoteShutdownPrivilege | ||
| policy_type: secedit | ||
| value: '*S-1-5-32-544' | ||
| - name: SeDebugPrivilege | ||
| policy_type: secedit | ||
| value: '*S-1-5-32-544' | ||
| - name: SeTrustedCredManAccessPrivilege | ||
| policy_type: secedit | ||
| value: '' | ||
| - name: SeProfileSingleProcessPrivilege | ||
| policy_type: secedit | ||
| value: '*S-1-5-32-544' | ||
| - name: SeTcbPrivilege | ||
| policy_type: secedit | ||
| value: '' | ||
| - name: SeEnableDelegationPrivilege | ||
| policy_type: secedit | ||
| value: '' | ||
| - key: MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption | ||
| policy_type: regpol | ||
| value: '1' | ||
| vtype: SZ | ||
| - key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs | ||
| policy_type: regpol | ||
| value: '900' | ||
| vtype: DWORD | ||
| - key: MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash | ||
| policy_type: regpol | ||
| value: '1' | ||
| vtype: DWORD | ||
| - key: MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword | ||
| policy_type: regpol | ||
| value: '0' | ||
| vtype: DWORD | ||
| - key: MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse | ||
| policy_type: regpol | ||
| value: '1' | ||
| vtype: DWORD | ||
| - key: MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM | ||
| policy_type: regpol | ||
| value: '1' | ||
| vtype: DWORD | ||
| - key: MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous | ||
| policy_type: regpol | ||
| value: '1' | ||
| vtype: DWORD | ||
| - key: MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess | ||
| policy_type: regpol | ||
| value: '1' | ||
| vtype: DWORD | ||
| - key: MACHINE\System\CurrentControlSet\Control\Lsa\SCENoApplyLegacyAuditPolicy | ||
| policy_type: regpol | ||
| value: '1' | ||
| vtype: DWORD | ||
| - key: MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec | ||
| policy_type: regpol | ||
| value: '537395200' | ||
| vtype: DWORD | ||
| - key: MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel | ||
| policy_type: regpol | ||
| value: '5' | ||
| vtype: DWORD | ||
| - key: MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\allownullsessionfallback | ||
| policy_type: regpol | ||
| value: '0' | ||
| vtype: DWORD | ||
| - key: MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec | ||
| policy_type: regpol | ||
| value: '537395200' | ||
| vtype: DWORD | ||
| - key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\requirestrongkey | ||
| policy_type: regpol | ||
| value: '1' | ||
| vtype: DWORD | ||
| - key: MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature | ||
| policy_type: regpol | ||
| value: '1' | ||
| vtype: DWORD | ||
| - key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\sealsecurechannel | ||
| policy_type: regpol | ||
| value: '1' | ||
| vtype: DWORD | ||
| - key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\requiresignorseal | ||
| policy_type: regpol | ||
| value: '1' | ||
| vtype: DWORD | ||
| - key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\signsecurechannel | ||
| policy_type: regpol | ||
| value: '1' | ||
| vtype: DWORD | ||
| - key: MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\requiresecuritysignature | ||
| policy_type: regpol | ||
| value: '1' | ||
| vtype: DWORD | ||
| - key: MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode | ||
| policy_type: regpol | ||
| value: '1' | ||
| vtype: DWORD | ||
| - key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin | ||
| policy_type: regpol | ||
| value: '2' | ||
| vtype: DWORD | ||
| - key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths | ||
| policy_type: regpol | ||
| value: '1' | ||
| vtype: DWORD | ||
| - key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ||
| policy_type: regpol | ||
| value: '1' | ||
| vtype: DWORD | ||
| - key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser | ||
| policy_type: regpol | ||
| value: '0' | ||
| vtype: DWORD | ||
| - key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection | ||
| policy_type: regpol | ||
| value: '1' | ||
| vtype: DWORD | ||
| - key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken | ||
| policy_type: regpol | ||
| value: '1' | ||
| vtype: DWORD | ||
| - key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization | ||
| policy_type: regpol | ||
| value: '1' | ||
| vtype: DWORD | ||
| - key: MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity | ||
| policy_type: regpol | ||
| value: '1' | ||
| vtype: DWORD | ||
| - key: MACHINE\System\CurrentControlSet\Control\Lsa\RestrictRemoteSAM | ||
| policy_type: regpol | ||
| value: O:BAG:BAD:(A;;RC;;;BA) | ||
| vtype: SZ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| {#- Placeholder init file #} |
Oops, something went wrong.