Merge pull request #76 from eemperor/win2022

Adding STIG baselines for Windows Server 2022 and Windows 11

_modules/win_lgpo_ash.py

@@ -98,6 +98,8 @@ def __init__(self):
                 "REG_DWORD": "REG_DWORD",
                 "SZ": "REG_SZ",
                 "REG_SZ": "REG_SZ",
+                "MULTISZ": "REG_MULTI_SZ",
+                "REG_MULTI_SZ": "REG_MULTI_SZ",
             },
             "hives": {
                 "COMPUTER": "Machine",
@@ -512,6 +514,8 @@ def _buildKnownDataSearchString(
             this_element_value = struct.pack(b"Q", int(reg_data))
         elif reg_vtype == "REG_SZ":
             this_element_value = _encode_string(reg_data)
+        elif reg_vtype == "REG_MULTI_SZ":
+            this_element_value = _encode_string(reg_data)
         return b"".join(
             [
                 "[".encode("utf-16-le"),

ash-windows/Convert_STIG_Policies.md

@@ -1,51 +1,96 @@
+- Download the latest available DISA-provided GPO baseline zip file: https://public.cyber.mil/stigs/gpo/
+
+- Unzip the GPO baseline file on your computer
+
+- Open the unzipped folder and browse to the desired baseline to update
+
+- To identify the STIG GPO baseline associated with each GUID, you have to navigate into the GUID directories and open gpreport.xml. The <name> tag near the top in the xml will identify the STIG baseline provided
+
+- Depending on the baseline, the `Machine` and `User` policies maybe under the same GUID or separate GUIDs.  In either case, the following steps still applies
+
+  - Open `{GUID}\DomainSysvol\GPO\Machine` and copy `registry.pol` to the `stig/<baseline>` folder, renaming it to `machine_registry.pol`.  Skip this step if `registry.pol` is missing or contains no policies (e.g. File size is very small)
+
+  - Check for `audit.csv` and `GptTmpl.inf` files under `{GUID}\DomainSysvol\GPO\Machine\microsoft\windows nt\` and copy them to `stig/<baseline>`
+
+  - Open `{GUID}\DomainSysvol\GPO\User` and copy `registry.pol` to the `stig/<baseline>` folder, renaming it to `user_registry.pol`.  Again, skip if `registry.pol` is missing or contains no policies (e.g. File size is very small)
+
+  - Run the PowerShell code below from the root of the ash-windows-formula repo
+
 ```powershell
 $baselines = @(
-    'IE_10',
-    'IE_11',
-    'IE_8',
-    'IE_9',
-    'Windows_2008ServerR2_DC',
-    'Windows_2008ServerR2_MS',
-    'Windows_2012ServerR2_DC',
-    'Windows_2012ServerR2_MS',
-    'Windows_8.1',
+    'IE_11'
     'Windows_10'
+    'Windows_11'
+    'Windows_2012ServerR2_DC'
+    'Windows_2012ServerR2_MS'
+    'Windows_2016Server_DC'
+    'Windows_2016Server_MS'
+    'Windows_2019Server_DC'
+    'Windows_2019Server_MS'
+    'Windows_2022Server_DC'
+    'Windows_2022Server_MS'
 )
 
 foreach ($baseline in $baselines)
 {
-    $dir = Resolve-Path ".\ash-windows\stig\$baseline"
-    $StigInf = "${dir}\stig.inf"
-    $StigTxt = "${dir}\stig.txt"
+    $dir = ".\ash-windows\stig\$baseline"
+    $gpttmpl_inf = "$dir\GptTmpl.inf"
+    $user_pol = "$dir\user_registry.pol"
+    $machine_pol = "$dir\machine_registry.pol"
+
+    $TxtFile = "$gpttmpl_inf"
+    $YmlFile = "$(Resolve-Path $dir)\gpttmpl.yml"
+    if (Test-Path "$TxtFile")
+    {
+        Write-Host "Processing $TxtFile"
+        python .\ash-windows\tools\convert-lgpo-policy.py `
+            src_file="$TxtFile" `
+            dst_file="$YmlFile"
+    }
+    else
+    {
+        # We need to ensure an empty YmlFile exists
+        $null = New-Item -Path $YmlFile -ItemType File -Force
+    }
 
-    $PolFile = $StigInf
-    $YmlFile = "${dir}\stig.inf.yml"
-    if (Test-Path "$PolFile")
+    $TxtFile = "${dir}\user_registry.txt"
+    $YmlFile = "${dir}\user_registry.yml"
+    rm $TxtFile -ErrorAction SilentlyContinue
+    if (Test-Path "$user_pol")
     {
-        Write-Host "Processing $PolFile"
+        .\ash-windows\tools\LGPO.exe /parse /u "$user_pol" | Out-File "$TxtFile" -Encoding "ascii"
+        Write-Host "Processing $TxtFile"
         python .\ash-windows\tools\convert-lgpo-policy.py `
-            src_file="$PolFile" `
+            src_file="$TxtFile" `
             dst_file="$YmlFile"
+        rm $TxtFile -ErrorAction SilentlyContinue
     }
     else
     {
         # We need to ensure an empty YmlFile exists
         $null = New-Item -Path $YmlFile -ItemType File -Force
     }
 
-    $PolFile = $StigTxt
-    $YmlFile = "${dir}\stig.txt.yml"
-    if (Test-Path "$PolFile")
+    $TxtFile = "${dir}\machine_registry.txt"
+    $YmlFile = "${dir}\machine_registry.yml"
+    #rm $TxtFile -ErrorAction SilentlyContinue
+    if (Test-Path "$machine_pol")
     {
-        Write-Host "Processing $PolFile"
+        .\ash-windows\tools\LGPO.exe /parse /m "$machine_pol" | Out-File "$TxtFile" -Encoding "ascii"
+        Write-Host "Processing $TxtFile"
         python .\ash-windows\tools\convert-lgpo-policy.py `
-            src_file="$PolFile" `
+            src_file="$TxtFile" `
             dst_file="$YmlFile"
+        rm $TxtFile -ErrorAction SilentlyContinue
     }
     else
     {
         # We need to ensure an empty YmlFile exists
         $null = New-Item -Path $YmlFile -ItemType File -Force
     }
+    # Combine yml files into single stig.yml file
+    Get-Content -Path ${dir}\user_registry.yml,${dir}\machine_registry.yml,$dir\gpttmpl.yml | Set-Content -Path $dir\stig.yml
 }
 ```
+
+- After a new `stig.yml` file is generated for the STIG baseline being updated, open the file and inspect the policies.  The DISA policies may have placeholder values that need to be updated or remove as needed for your environment.

ash-windows/iavm/iavm.yml

@@ -12,7 +12,11 @@
   vtype: DWORD
 - key: Computer\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols
   policy_type: regpol
-  value: '2688'
+  value: '2048'
+  vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Internet Explorer\IEDevTools\Disabled
+  policy_type: regpol
+  value: '1'
   vtype: DWORD
 - key: Computer\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server\Enabled
   policy_type: regpol

ash-windows/map.jinja

@@ -22,9 +22,11 @@
 # Define default role for supported Operating System versions
 {% set default_role = salt.grains.filter_by(
     {
+        '2022Server' : 'MemberServer',
         '2019Server' : 'MemberServer',
         '2016Server' : 'MemberServer',
         '2012ServerR2' : 'MemberServer',
+        '11' : 'Workstation',
         '10' : 'Workstation',
     },
     grain='osrelease'

ash-windows/sct/Windows_11/audit.csv

@@ -0,0 +1,24 @@
+Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value
+,System,Audit Credential Validation,{0cce923f-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Security Group Management,{0cce9237-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit User Account Management,{0cce9235-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit PNP Activity,{0cce9248-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Process Creation,{0cce922b-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Account Lockout,{0cce9217-69ae-11d9-bed3-505054503030},Failure,,2
+,System,Audit Group Membership,{0cce9249-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Logon,{0cce9215-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Other Logon/Logoff Events,{0cce921c-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Special Logon,{0cce921b-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Detailed File Share,{0cce9244-69ae-11d9-bed3-505054503030},Failure,,2
+,System,Audit File Share,{0cce9224-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Other Object Access Events,{0cce9227-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Removable Storage,{0cce9245-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Audit Policy Change,{0cce922f-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Authentication Policy Change,{0cce9230-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit MPSSVC Rule-Level Policy Change,{0cce9232-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Other Policy Change Events,{0cce9234-69ae-11d9-bed3-505054503030},Failure,,2
+,System,Audit Sensitive Privilege Use,{0cce9228-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Other System Events,{0cce9214-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Security State Change,{0cce9210-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Security System Extension,{0cce9211-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit System Integrity,{0cce9212-69ae-11d9-bed3-505054503030},Success and Failure,,3

ash-windows/sct/Windows_11/gpttmpl.yml

@@ -0,0 +1,188 @@
+- name: LSAAnonymousNameLookup
+  policy_type: secedit
+  value: '0'
+- name: SeSecurityPrivilege
+  policy_type: secedit
+  value: '*S-1-5-32-544'
+- name: SeRestorePrivilege
+  policy_type: secedit
+  value: '*S-1-5-32-544'
+- name: SeTakeOwnershipPrivilege
+  policy_type: secedit
+  value: '*S-1-5-32-544'
+- name: SeBackupPrivilege
+  policy_type: secedit
+  value: '*S-1-5-32-544'
+- name: SeDenyRemoteInteractiveLogonRight
+  policy_type: secedit
+  value: '*S-1-5-113'
+- name: SeCreatePermanentPrivilege
+  policy_type: secedit
+  value: ''
+- name: SeManageVolumePrivilege
+  policy_type: secedit
+  value: '*S-1-5-32-544'
+- name: SeLoadDriverPrivilege
+  policy_type: secedit
+  value: '*S-1-5-32-544'
+- name: SeLockMemoryPrivilege
+  policy_type: secedit
+  value: ''
+- name: SeDenyNetworkLogonRight
+  policy_type: secedit
+  value: '*S-1-5-113'
+- name: SeNetworkLogonRight
+  policy_type: secedit
+  value: '*S-1-5-32-544,*S-1-5-32-555'
+- name: SeImpersonatePrivilege
+  policy_type: secedit
+  value: '*S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20'
+- name: SeCreateTokenPrivilege
+  policy_type: secedit
+  value: ''
+- name: SeCreateGlobalPrivilege
+  policy_type: secedit
+  value: '*S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20'
+- name: SeSystemEnvironmentPrivilege
+  policy_type: secedit
+  value: '*S-1-5-32-544'
+- name: SeCreatePagefilePrivilege
+  policy_type: secedit
+  value: '*S-1-5-32-544'
+- name: SeInteractiveLogonRight
+  policy_type: secedit
+  value: '*S-1-5-32-544,*S-1-5-32-545'
+- name: SeRemoteShutdownPrivilege
+  policy_type: secedit
+  value: '*S-1-5-32-544'
+- name: SeDebugPrivilege
+  policy_type: secedit
+  value: '*S-1-5-32-544'
+- name: SeTrustedCredManAccessPrivilege
+  policy_type: secedit
+  value: ''
+- name: SeProfileSingleProcessPrivilege
+  policy_type: secedit
+  value: '*S-1-5-32-544'
+- name: SeTcbPrivilege
+  policy_type: secedit
+  value: ''
+- name: SeEnableDelegationPrivilege
+  policy_type: secedit
+  value: ''
+- key: MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption
+  policy_type: regpol
+  value: '1'
+  vtype: SZ
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs
+  policy_type: regpol
+  value: '900'
+  vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash
+  policy_type: regpol
+  value: '1'
+  vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword
+  policy_type: regpol
+  value: '0'
+  vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse
+  policy_type: regpol
+  value: '1'
+  vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM
+  policy_type: regpol
+  value: '1'
+  vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous
+  policy_type: regpol
+  value: '1'
+  vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess
+  policy_type: regpol
+  value: '1'
+  vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\SCENoApplyLegacyAuditPolicy
+  policy_type: regpol
+  value: '1'
+  vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec
+  policy_type: regpol
+  value: '537395200'
+  vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
+  policy_type: regpol
+  value: '5'
+  vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\allownullsessionfallback
+  policy_type: regpol
+  value: '0'
+  vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec
+  policy_type: regpol
+  value: '537395200'
+  vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\requirestrongkey
+  policy_type: regpol
+  value: '1'
+  vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature
+  policy_type: regpol
+  value: '1'
+  vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\sealsecurechannel
+  policy_type: regpol
+  value: '1'
+  vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\requiresignorseal
+  policy_type: regpol
+  value: '1'
+  vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\signsecurechannel
+  policy_type: regpol
+  value: '1'
+  vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\requiresecuritysignature
+  policy_type: regpol
+  value: '1'
+  vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode
+  policy_type: regpol
+  value: '1'
+  vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin
+  policy_type: regpol
+  value: '2'
+  vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths
+  policy_type: regpol
+  value: '1'
+  vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
+  policy_type: regpol
+  value: '1'
+  vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser
+  policy_type: regpol
+  value: '0'
+  vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection
+  policy_type: regpol
+  value: '1'
+  vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken
+  policy_type: regpol
+  value: '1'
+  vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization
+  policy_type: regpol
+  value: '1'
+  vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity
+  policy_type: regpol
+  value: '1'
+  vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\RestrictRemoteSAM
+  policy_type: regpol
+  value: O:BAG:BAD:(A;;RC;;;BA)
+  vtype: SZ

ash-windows/sct/Windows_11/init.sls

@@ -0,0 +1 @@
+{#- Placeholder init file #}