diff --git a/controls/V-93475.rb b/controls/V-93475.rb
index 9e54cd2..b31166d 100644
--- a/controls/V-93475.rb
+++ b/controls/V-93475.rb
@@ -1,10 +1,10 @@
 # encoding: UTF-8
-control "V-93475" do
-  title "Windows Server 2019 passwords must be configured to expire."
-  desc "Passwords that do not expire or are reused increase the exposure of a password with greater probability of being discovered or cracked."
-  desc "rationale", ""
-  desc "check", "Review the password never expires status for enabled user accounts.
+control 'V-93475' do
+  title 'Windows Server 2019 passwords must be configured to expire.'
+  desc 'Passwords that do not expire or are reused increase the exposure of a password with greater probability of being discovered or cracked.'
+  desc 'rationale', ''
+  desc 'check', "Review the password never expires status for enabled user accounts.
 Open \"PowerShell\".
 Domain Controllers:
@@ -16,27 +16,32 @@
 Enter 'Get-CimInstance -Class Win32_Useraccount -Filter \"PasswordExpires=False and LocalAccount=True\" | FT Name, PasswordExpires, Disabled, LocalAccount'.
 Exclude application accounts and disabled accounts (e.g., DefaultAccount, Guest).
 If any enabled user accounts are returned with a \"PasswordExpires\" status of \"False\", this is a finding."
-  desc "fix", "Configure all enabled user account passwords to expire.
+  desc 'fix', "Configure all enabled user account passwords to expire.
 Uncheck \"Password never expires\" for all enabled user accounts in Active Directory Users and Computers for domain accounts and Users in Computer Management for member servers and standalone systems.
 Document any exceptions with the ISSO."
   impact 0.5
   tag severity: nil
-  tag gtitle: "SRG-OS-000076-GPOS-00044"
-  tag gid: "V-93475"
-  tag rid: "SV-103561r1_rule"
-  tag stig_id: "WN19-00-000210"
-  tag fix_id: "F-99719r1_fix"
-  tag cci: ["CCI-000199"]
-  tag nist: ["IA-5 (1) (d)", "Rev_4"]
-
-  application_accounts = input('application_accounts_domain')
-  excluded_accounts = input('excluded_accounts_domain')
+  tag gtitle: 'SRG-OS-000076-GPOS-00044'
+  tag gid: 'V-93475'
+  tag rid: 'SV-103561r1_rule'
+  tag stig_id: 'WN19-00-000210'
+  tag fix_id: 'F-99719r1_fix'
+  tag cci: ['CCI-000199']
+  tag nist: ['IA-5 (1) (d)', 'Rev_4']
   domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip
-
+  untracked_accounts = []
+
   if domain_role == '4' || domain_role == '5'
     ad_accounts = json({ command: "Search-ADAccount -PasswordNeverExpires -UsersOnly | Where-Object {$_.PasswordNeverExpires -eq 'True' -and $_.Enabled -eq 'True'} | Select -ExpandProperty Name | ConvertTo-Json" }).params
-    untracked_accounts = ad_accounts - application_accounts - excluded_accounts
-
+
+    application_accounts = input('application_accounts_domain')
+    excluded_accounts = input('excluded_accounts_domain')
+
+    unless ad_accounts.empty?
+      ad_accounts = [ad_accounts] if ad_accounts.class == String
+      untracked_accounts = ad_accounts - application_accounts - excluded_accounts
+    end
+
     describe 'Untracked Accounts' do
       it 'No Enabled Domain Account should be set to have Password Never Expire' do
         failure_message = "Users Accounts are set to Password Never Expire: #{untracked_accounts}"
@@ -45,12 +50,19 @@
     end
   else
     local_accounts = json({ command: "Get-CimInstance -Class Win32_Useraccount -Filter 'PasswordExpires=False and LocalAccount=True and Disabled=False' | Select -ExpandProperty Name | ConvertTo-Json" }).params
-
-    describe "Account or Accounts exists" do
+
+    application_accounts = input('application_accounts_local')
+
+    unless local_accounts.empty?
+      local_accounts = [local_accounts] if local_accounts.class == String
+      untracked_accounts = local_accounts - application_accounts
+    end
+
+    describe 'Account or Accounts exists' do
       it 'Server should not have Accounts with Password Never Expire' do
-        failure_message = "User or Users have Password set to not expire: #{local_accounts}"
-        expect(local_accounts).to be_empty, failure_message
+        failure_message = "User or Users have Password set to not expire: #{untracked_accounts}"
+        expect(untracked_accounts).to be_empty, failure_message
       end
     end
   end
-end
\ No newline at end of file
+end
diff --git a/inspec.yml b/inspec.yml
index a323519..f40bd15 100644
--- a/inspec.yml
+++ b/inspec.yml
@@ -5,7 +5,7 @@
 copyright: The Authors
 copyright_email: you@example.com
 license: Apache-2.0
 summary: "Inspec Validation Profile for Microsoft Windows Member Server 2019 STIG"
-version: 1.3.19
+version: 1.3.20
 inspec_version: ">= 4.0"
 inputs:
@@ -401,7 +401,7 @@ inputs:
     desc: ""
     type: Array
     value:
-      -
+      -
   - name: dod_root_certificates
     desc: "List of DoD CA Root Certificates"
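Review bot: The `ad_accounts.class == String` test on the first added line of the `unless ad_accounts.empty?` block is a narrow type check, and the guard around it does nothing for a nil `params` (e.g. an empty PowerShell pipeline, if the json resource yields nil there — not visible in the hunk, verify against the resource), which would raise NoMethodError on `.empty?` rather than produce a result. `Array()` coerces String, Array and nil uniformly, so the four added lines collapse to `untracked_accounts = Array(ad_accounts) - application_accounts - excluded_accounts` with no guard needed, since `[] - x` is `[]`. Separately, `Array#-` compares names case-sensitively while Windows account names are not, so an input entry whose case differs from what Search-ADAccount returns stays flagged — a false finding rather than a missed one, but worth normalising with `map(&:downcase)` on both sides if the inputs are hand-written. The same `class == String` pattern appears in the local-account hunk at @@ -45 and the same rewrite applies there. The enclosing `control` block opens in the first hunk and closes in the third.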
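Review bot: In the rewritten local branch, accounts removed via `application_accounts_local` leave no trace in the test output: when the control passes, nothing records which names were excluded, so a typo or over-broad exclusion input is indistinguishable from a clean system in the report. Including the exclusions in the describe label, e.g. `describe "Account or Accounts exists (excluded via input: #{application_accounts})" do`, makes the evidence self-describing without touching the pass/fail logic; the domain branch in the preceding hunk has the same gap with `application_accounts` and `excluded_accounts`. The enclosing `control` block opens in the first hunk.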