4.10.1 to 4.11.0 (#971)

* updated code to better handle NULL Id (#968)

* Fixed: PowerSTIG should honor Boolean with all composite resources (#970)

* fixed bool composite issue

* fixed typo

* adjusted test case for string instead of bool

Co-authored-by: Brian Wilhite <bcwilhite@live.com>

CHANGELOG.md

@@ -2,6 +2,9 @@
 
 ## [Unreleased]
 
+* Fixed: Windows Server 2019 V2R1 V-205763 generating an exception [#827](https://github.com/microsoft/PowerStig/issues/827)
+* Fixed: PowerSTIG should honor Boolean with all composite resources [#969](https://github.com/microsoft/PowerStig/issues/969)
+
 ## [4.10.0] - 2021-08-20
 
 * Update PowerSTIG to Parse/Apply SQL Server 2016 Instance V2R4 STIG: [#959](https://github.com/microsoft/PowerStig/issues/959)

Tests/Unit/Module/UserRightRule.tests.ps1

@@ -11,7 +11,7 @@ try
                 DisplayName = 'Deny access to this computer from the network'
                 Constant = 'SeDenyNetworkLogonRight'
                 Identity = 'Guests'
-                Force = $false
+                Force = 'false'
                 OrganizationValueRequired = $false
                 CheckContent = 'Run "gpedit.msc".
 
@@ -25,7 +25,7 @@ try
                 DisplayName = 'Access this computer from the network'
                 Constant = 'SeNetworkLogonRight'
                 Identity = 'Administrators,Authenticated Users,Enterprise Domain Controllers'
-                Force = $true
+                Force = 'true'
                 OrganizationValueRequired = $false
                 CheckContent = 'Run "gpedit.msc".
 
@@ -41,7 +41,7 @@ try
                 DisplayName = 'Debug programs'
                 Constant = 'SeDebugPrivilege'
                 Identity = 'Administrators'
-                Force = $true
+                Force = 'true'
                 OrganizationValueRequired = $false
                 CheckContent = 'Verify the effective setting in Local Group Policy Editor.
                 Run "gpedit.msc".
@@ -56,7 +56,7 @@ try
                 DisplayName = 'Create a token object'
                 Constant = 'SeCreateTokenPrivilege'
                 Identity = 'NULL'
-                Force = $true
+                Force = 'true'
                 OrganizationValueRequired = $false
                 CheckContent = 'Verify the effective setting in Local Group Policy Editor.
                 Run "gpedit.msc".
@@ -69,7 +69,7 @@ try
                 DisplayName = 'Access Credential Manager as a trusted caller'
                 Constant = 'SeTrustedCredManAccessPrivilege'
                 Identity = 'NULL'
-                Force = $true
+                Force = 'true'
                 OrganizationValueRequired = $false
                 CheckContent = 'Verify the effective setting in Local Group Policy Editor.
                 Run "gpedit.msc".
@@ -82,7 +82,7 @@ try
                 DisplayName = 'Deny log on as a service'
                 Constant = 'SeDenyServiceLogonRight'
                 Identity = 'NULL'
-                Force = $true
+                Force = 'true'
                 OrganizationValueRequired = $false
                 CheckContent = 'Verify the effective setting in Local Group Policy Editor.
                 Run "gpedit.msc".
@@ -95,7 +95,7 @@ try
                 DisplayName = 'Manage auditing and security log'
                 Constant = 'SeSecurityPrivilege'
                 Identity = 'Administrators'
-                Force = $true
+                Force = 'true'
                 OrganizationValueRequired = $false
                 CheckContent = 'Verify the effective setting in Local Group Policy Editor.
                 Run "gpedit.msc".
@@ -121,7 +121,7 @@ try
                 DisplayName = 'Take ownership of files or other objects'
                 Constant = 'SeTakeOwnershipPrivilege'
                 Identity = 'Administrators'
-                Force = $true
+                Force = 'true'
                 OrganizationValueRequired = $false
                 CheckContent = 'Verify the effective setting in Local Group Policy Editor.
                 Run "gpedit.msc".
@@ -136,7 +136,7 @@ try
                 DisplayName = 'Lock pages in memory'
                 Constant = 'SeLockMemoryPrivilege'
                 Identity = 'NULL'
-                Force = $true
+                Force = 'true'
                 OrganizationValueRequired = $false
                 CheckContent = 'Verify the effective setting in Local Group Policy Editor.
                 Run "gpedit.msc".
@@ -149,7 +149,7 @@ try
                 DisplayName = 'Deny log on through Remote Desktop Services'
                 Constant = 'SeDenyRemoteInteractiveLogonRight'
                 Identity = 'Enterprise Admins,Domain Admins,Local account,Guests'
-                Force = $false
+                Force = 'false'
                 OrganizationValueRequired = $false
                 CheckContent = 'Verify the effective setting in Local Group Policy Editor.
                 Run "gpedit.msc".
@@ -176,7 +176,7 @@ try
                 DisplayName = 'Deny log on locally'
                 Constant = 'SeDenyInteractiveLogonRight'
                 Identity = 'Enterprise Admins,Domain Admins,Guests'
-                Force = $false
+                Force = 'false'
                 OrganizationValueRequired = $false
                 CheckContent = 'Verify the effective setting in Local Group Policy Editor.
                 Run "gpedit.msc".
@@ -198,7 +198,7 @@ try
                 DisplayName = 'Access this computer from the network'
                 Constant = 'SeNetworkLogonRight'
                 Identity = 'Administrators,Authenticated Users,Enterprise Domain Controllers'
-                Force = $true
+                Force = 'true'
                 OrganizationValueRequired = $false
                 CheckContent = 'This applies to domain controllers. It is NA for other systems.
 

source/DSCResources/Resources/Vsphere.VmHostService.ps1

@@ -5,12 +5,15 @@ $rules = $stig.RuleList | Select-Rule -Type 'VsphereServiceRule'
 
 foreach ($rule in $rules)
 {
+    $ruleRunning = $null
+    [void][bool]::TryParse($rule.Running, [ref] $ruleRunning)
+
     VmHostService (Get-ResourceTitle -Rule $rule)
     {
         Name       = $HostIP
         Server     = $ServerIP
         Credential = $Credential
-        Running    = $rule.Running
+        Running    = $ruleRunning
         Key        = $rule.Key
         Policy     = $rule.Policy
     }

source/DSCResources/Resources/windows.UserRightsAssignment.ps1

@@ -33,33 +33,44 @@ if ($DomainName -and $ForestName)
 foreach ($rule in $rules)
 {
     Write-Verbose -Message $rule
-    $identitySplit = $rule.Identity -split ","
-    [System.Collections.ArrayList] $identityList = @()
 
-    foreach ($identity in $identitySplit)
+    if ($rule.Identity -eq 'NULL')
     {
-        if (-not ([string]::IsNullorWhitespace($domainName)) -and $domainGroupTranslation.Contains($identity))
-        {
-            [void] $identityList.Add($domainGroupTranslation.$identity -f $DomainName )
-        }
-        elseif (-not ([string]::IsNullorWhitespace($forestName)) -and $forestGroupTranslation.Contains($identity))
-        {
-            [void] $identityList.Add($forestGroupTranslation.$identity -f $ForestName )
-        }
-        # Default to adding the identify as provided for any non-default identities.
-        else
+        $identityList = $null
+    }
+    else
+    {
+        $identitySplit = $rule.Identity -split ","
+        [System.Collections.ArrayList] $identityList = @()
+
+        foreach ($identity in $identitySplit)
         {
-            if ($identity -notmatch "Schema Admins|Enterprise Admins|security|Domain Admins|auditors")
+            if (-not ([string]::IsNullorWhitespace($domainName)) -and $domainGroupTranslation.Contains($identity))
+            {
+                [void] $identityList.Add($domainGroupTranslation.$identity -f $DomainName )
+            }
+            elseif (-not ([string]::IsNullorWhitespace($forestName)) -and $forestGroupTranslation.Contains($identity))
             {
-                [void] $identityList.Add($identity)
+                [void] $identityList.Add($forestGroupTranslation.$identity -f $ForestName )
+            }
+            # Default to adding the identify as provided for any non-default identities.
+            else
+            {
+                if ($identity -notmatch "Schema Admins|Enterprise Admins|security|Domain Admins|auditors")
+                {
+                    [void] $identityList.Add($identity)
+                }
             }
         }
     }
 
+    $ruleForce = $null
+    [void][bool]::TryParse($rule.Force, [ref] $ruleForce)
+
     UserRightsAssignment (Get-ResourceTitle -Rule $rule)
     {
         Policy   = ($rule.DisplayName -replace " ", "_")
         Identity = $identityList
-        Force    = [bool] $rule.Force
+        Force    = $ruleForce
     }
 }

source/DSCResources/Resources/windows.WindowsEventLog.ps1

@@ -5,9 +5,12 @@ $rules = $stig.RuleList | Select-Rule -Type WinEventLogRule
 
 foreach ( $rule in $rules )
 {
+    $ruleIsEnabled = $null
+    [void][bool]::TryParse($rule.IsEnabled, [ref] $ruleIsEnabled)
+
     WindowsEventLog (Get-ResourceTitle -Rule $rule)
     {
         LogName   = $rule.LogName
-        IsEnabled = [boolean]$($rule.IsEnabled)
+        IsEnabled = $ruleIsEnabled
     }
 }

source/Module/Rule.Permission/PermissionRule.psm1

@@ -20,7 +20,7 @@ class PermissionRule : Rule
 {
     [string] $Path
     [object[]] $AccessControlEntry <#(ExceptionValue)#>
-    [bool] $Force
+    [string] $Force
 
     <#
         .SYNOPSIS

source/Module/Rule.UserRight/UserRightRule.psm1

@@ -23,7 +23,7 @@ class UserRightRule : Rule
     [ValidateNotNullOrEmpty()] [string] $DisplayName
     [ValidateNotNullOrEmpty()] [string] $Constant
     [ValidateNotNullOrEmpty()] [string] $Identity <#(ExceptionValue)#>
-    [bool] $Force = $false
+    [string] $Force = $false
 
     <#
         .SYNOPSIS

source/Module/Rule.VsphereService/VsphereServiceRule.psm1

@@ -20,7 +20,7 @@ class VsphereServiceRule : Rule
 {
     [string] $Key
     [string] $Policy
-    [bool] $Running
+    [string] $Running
 
     <#
         .SYNOPSIS

source/Module/Rule.WinEventLog/WinEventLogRule.psm1

@@ -17,7 +17,7 @@ using module .\..\Rule\Rule.psm1
 class WinEventLogRule : Rule
 {
     [string] $LogName
-    [bool] $IsEnabled <#(ExceptionValue)#>
+    [string] $IsEnabled <#(ExceptionValue)#>
 
     <#
         .SYNOPSIS