applied fix to V-93475 and updated inspec.yml version #77

Merged
merged 1 commit into from
Feb 8, 2022
60 changes: 36 additions & 24 deletions controls/V-93475.rb
@@ -1,10 +1,10 @@
# encoding: UTF-8

control "V-93475" do
title "Windows Server 2019 passwords must be configured to expire."
desc "Passwords that do not expire or are reused increase the exposure of a password with greater probability of being discovered or cracked."
desc "rationale", ""
desc "check", "Review the password never expires status for enabled user accounts.
control 'V-93475' do
title 'Windows Server 2019 passwords must be configured to expire.'
desc 'Passwords that do not expire or are reused increase the exposure of a password with greater probability of being discovered or cracked.'
desc 'rationale', ''
desc 'check', "Review the password never expires status for enabled user accounts.
Open \"PowerShell\".

Domain Controllers:
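Review bot: style-only hunk, no behavioural change. Switching the `control`, `title`, `desc` and `tag` literals to single quotes is consistent with Ruby convention for strings without interpolation or escapes, and `desc 'check', "..."` correctly keeps the double-quoted body because it contains `\"` escapes and embedded newlines. If the profile runs RuboCop, this aligns the control with `Style/StringLiterals`.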
Expand All @@ -16,27 +16,32 @@
Enter 'Get-CimInstance -Class Win32_Useraccount -Filter \"PasswordExpires=False and LocalAccount=True\" | FT Name, PasswordExpires, Disabled, LocalAccount'.
Exclude application accounts and disabled accounts (e.g., DefaultAccount, Guest).
If any enabled user accounts are returned with a \"PasswordExpires\" status of \"False\", this is a finding."
desc "fix", "Configure all enabled user account passwords to expire.
desc 'fix', "Configure all enabled user account passwords to expire.
Uncheck \"Password never expires\" for all enabled user accounts in Active Directory Users and Computers for domain accounts and Users in Computer Management for member servers and standalone systems. Document any exceptions with the ISSO."
impact 0.5
tag severity: nil
tag gtitle: "SRG-OS-000076-GPOS-00044"
tag gid: "V-93475"
tag rid: "SV-103561r1_rule"
tag stig_id: "WN19-00-000210"
tag fix_id: "F-99719r1_fix"
tag cci: ["CCI-000199"]
tag nist: ["IA-5 (1) (d)", "Rev_4"]

application_accounts = input('application_accounts_domain')
excluded_accounts = input('excluded_accounts_domain')
tag gtitle: 'SRG-OS-000076-GPOS-00044'
tag gid: 'V-93475'
tag rid: 'SV-103561r1_rule'
tag stig_id: 'WN19-00-000210'
tag fix_id: 'F-99719r1_fix'
tag cci: ['CCI-000199']
tag nist: ['IA-5 (1) (d)', 'Rev_4']

domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip

untracked_accounts = []

if domain_role == '4' || domain_role == '5'
ad_accounts = json({ command: "Search-ADAccount -PasswordNeverExpires -UsersOnly | Where-Object {$_.PasswordNeverExpires -eq 'True' -and $_.Enabled -eq 'True'} | Select -ExpandProperty Name | ConvertTo-Json" }).params
untracked_accounts = ad_accounts - application_accounts - excluded_accounts


application_accounts = input('application_accounts_domain')
excluded_accounts = input('excluded_accounts_domain')

unless ad_accounts.empty?
ad_accounts = [ad_accounts] if ad_accounts.class == String
untracked_accounts = ad_accounts - application_accounts - excluded_accounts
end

describe 'Untracked Accounts' do
it 'No Enabled Domain Account should be set to have Password Never Expire' do
failure_message = "Users Accounts are set to Password Never Expire: #{untracked_accounts}"
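Review bot: the `unless ad_accounts.empty?` guard in this hunk raises `NoMethodError` if `json(...).params` comes back as `nil`, which is what you can get when `Search-ADAccount` matches nothing and `ConvertTo-Json` emits no output (the exact behaviour depends on the InSpec version; please verify on a DC with no never-expire accounts). `Array(ad_accounts)` handles `nil`, a bare string (the single-result case from `ConvertTo-Json`) and an array in one step, and replaces the `ad_accounts.class == String` check (prefer `is_a?(String)` if you keep it):

  ad_accounts = Array(ad_accounts)
  untracked_accounts = ad_accounts - application_accounts - excluded_accounts

Moving the `application_accounts_domain` / `excluded_accounts_domain` reads inside the domain-controller branch is fine, but note that the array subtraction is an exact, case-sensitive match on the `Name` value, so the inspec.yml descriptions for those inputs should say so.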
Expand All @@ -45,12 +50,19 @@
end
else
local_accounts = json({ command: "Get-CimInstance -Class Win32_Useraccount -Filter 'PasswordExpires=False and LocalAccount=True and Disabled=False' | Select -ExpandProperty Name | ConvertTo-Json" }).params

describe "Account or Accounts exists" do

application_accounts = input('application_accounts_local')

unless local_accounts.empty?
local_accounts = [local_accounts] if local_accounts.class == String
untracked_accounts = local_accounts - application_accounts
end

describe 'Account or Accounts exists' do
it 'Server should not have Accounts with Password Never Expire' do
failure_message = "User or Users have Password set to not expire: #{local_accounts}"
expect(local_accounts).to be_empty, failure_message
failure_message = "User or Users have Password set to not expire: #{untracked_accounts}"
expect(untracked_accounts).to be_empty, failure_message
end
end
end
end
end
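Review bot: asserting on `untracked_accounts` instead of `local_accounts` is the actual fix for V-93475 (documented application accounts no longer produce a finding), but the local branch carries the same `nil` hazard as the domain branch: `local_accounts.empty?` raises if `params` is `nil` when `Get-CimInstance` returns no rows. The same `Array(local_accounts)` coercion covers it. Two smaller points: the local branch subtracts only `application_accounts_local` and has no `excluded_accounts_local` counterpart to the domain branch's `excluded_accounts_domain`, so an enabled built-in with a non-expiring password can only be whitelisted as an application account; and `Disabled=False` in the CIM filter already implements the check text's "exclude disabled accounts", which is consistent with the STIG wording.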
4 changes: 2 additions & 2 deletions inspec.yml
Expand Up @@ -5,7 +5,7 @@ copyright: The Authors
copyright_email: you@example.com
license: Apache-2.0
summary: "Inspec Validation Profile for Microsoft Windows Member Server 2019 STIG"
version: 1.3.19
version: 1.3.20
inspec_version: ">= 4.0"

inputs:
Expand Down Expand Up @@ -401,7 +401,7 @@ inputs:
desc: ""
type: Array
value:
-
-

- name: dod_root_certificates
desc: "List of DoD CA Root Certificates"
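Review bot: the `-` / `-` change renders as a no-op, so it is presumably a whitespace fix on an empty list item. An empty `-` entry under a `type: Array` input evaluates to `[nil]` rather than `[]`; that is harmless for the array subtraction in V-93475, but an explicit `value: []` states the intent. The `desc: ""` on this input is also empty; if this is one of the `application_accounts_*` / `excluded_accounts_*` inputs that V-93475 now depends on, it should say what it expects (a list of account `Name` values, exact match).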