Release

This PR is automatically completed.

CHANGELOG.md

@@ -2,6 +2,40 @@
 
 ## Unreleased
 
+## 2.4.0.0
+
+* Fixed [#244](https://github.com/Microsoft/PowerStig/issues/244): IIS Server rule V-76727.b org setting test fails
+* Fixed [#246](https://github.com/Microsoft/PowerStig/issues/246): IIS Server rule V-76737 contains an incorrect value
+* Fixed [#225](https://github.com/Microsoft/PowerStig/issues/225): Update PowerStig integration tests to consolidate duplicate code.
+* Fixed [#160](https://github.com/Microsoft/PowerStig/issues/160): PowerStig.Convert needs to handle new registry rules without affecting existing code
+* Fixed [#201](https://github.com/Microsoft/PowerStig/issues/201): Update PowerStig integration tests to account for skips and exceptions.
+* Fixed [#260](https://github.com/Microsoft/PowerStig/issues/260): FireFox Composite Resource configuration applies correctly, but never passes a Test-DscConfiguration.
+* Fixed [#244](https://github.com/Microsoft/PowerStig/issues/244): IIS Server rule V-76727.b org setting test fails
+* Fixed [#265](https://github.com/Microsoft/PowerStig/issues/265): Fixed UserRightsAssignment split rule bug.
+* Fixed [#267](https://github.com/Microsoft/PowerStig/issues/267): Fixed winlogon registry path parser bug.
+* Fixed [#238](https://github.com/Microsoft/PowerStig/issues/238): Adds regex tracker for RegistryRule regex's.
+* Fixed [#274](https://github.com/Microsoft/PowerStig/issues/274): UserRightsAssignment composite resource does not leverage the Force Parameter.
+* Fixed [#280](https://github.com/Microsoft/PowerStig/issues/280): HKEY_CURRENT_USER is not needed with the cAdministrativeTemplateSetting composite resource.
+
+* Windows Server 2012R2 Fixes
+  * V-36707 is now an org setting
+  * (DC only) V-2376 - V-2380 are migrated from manual to account policy rules.
+
+* Added the following STIGs
+  * SQL Server 2016 Instance V1R3 [#186](https://github.com/Microsoft/PowerStig/issues/186)
+  * Windows Defender Antivirus V1R4 [#236](https://github.com/microsoft/PowerStig/issues/236)
+  * Mozilla Firefox V4R24 [#261](https://github.com/Microsoft/PowerStig/issues/261)
+  * Windows Server 2016 V1R6 [#169](https://github.com/Microsoft/PowerStig/issues/169)
+  * Windows Server 2016 V1R7 [#251](https://github.com/Microsoft/PowerStig/issues/251)
+  * SQL Server 2012 Database V1R18 [#263](https://github.com/Microsoft/PowerStig/issues/263)
+  * Windows Server 2012R2 DC V2R15 [#267](https://github.com/Microsoft/PowerStig/issues/267)
+  * Windows 10 V1R16 [#269](https://github.com/Microsoft/PowerStig/issues/269)
+  * IIS Server 8.5 V1R6 [#256](https://github.com/Microsoft/PowerStig/issues/266)
+  * Windows Server 2016 V1R6 [#169](https://github.com/Microsoft/PowerStig/issues/169)
+  * Windows Server 2016 V1R7 [#251](https://github.com/Microsoft/PowerStig/issues/251)
+  * Windows Server 2012R2 DNS V1R11 STIG [#265](https://github.com/Microsoft/PowerStig/issues/265)
+  * AD Domain V2R12 [#270](https://github.com/Microsoft/PowerStig/issues/270)
+
 ## 2.3.2.0
 
 * Fixed [#215](https://github.com/Microsoft/PowerStig/issues/215): Org settings wont apply for DotNet STIG

DSCResources/Browser/Browser.schema.psm1

@@ -43,7 +43,7 @@ Configuration Browser
         $BrowserVersion,
 
         [Parameter()]
-        [ValidateSet('1.13', '1.15', '1.16')]
+        [ValidateSet('1.15', '1.16')]
         [ValidateNotNullOrEmpty()]
         [version]
         $StigVersion,

DSCResources/FireFox/FireFox.schema.psm1

@@ -39,7 +39,7 @@ Configuration FireFox
         $InstallDirectory = "$env:ProgramFiles\Mozilla Firefox",
 
         [Parameter()]
-        [ValidateSet('4.21', '4.23')]
+        [ValidateSet('4.23', '4.24')]
         [ValidateNotNullOrEmpty()]
         [version]
         $StigVersion,

DSCResources/IisServer/IisServer.schema.psm1

@@ -64,7 +64,7 @@ Configuration IisServer
         $LogPath,
 
         [Parameter()]
-        [ValidateSet('1.3','1.5')]
+        [ValidateSet('1.5', '1.6')]
         [ValidateNotNullOrEmpty()]
         [version]
         $StigVersion,
@@ -120,7 +120,7 @@ Configuration IisServer
     . "$resourcePath\windows.Script.skip.ps1"
     ##### END DO NOT MODIFY #####
 
-    Import-DscResource -ModuleName AccessControlDsc -ModuleVersion 1.1.0.0
+    Import-DscResource -ModuleName AccessControlDsc -ModuleVersion 1.2.0.0
     . "$resourcePath\windows.AccessControl.ps1"
 
     Import-DscResource -ModuleName PSDesiredStateConfiguration -ModuleVersion 1.1
@@ -131,7 +131,7 @@ Configuration IisServer
 
     Import-DscResource -ModuleName xWebAdministration -ModuleVersion 2.3.0.0
     . "$resourcePath\windows.xIisMimeTypeMapping.ps1"
-    . "$resourcePath\windows.WebConfigProperty.ps1"
+    . "$resourcePath\windows.xWebConfigProperty.ps1"
     . "$resourcePath\windows.xIisLogging.ps1"
 }
 #endregion Composite

DSCResources/IisSite/IisSite.schema.psm1

@@ -131,6 +131,9 @@ Configuration IisSite
     . "$resourcePath\windows.Script.skip.ps1"
     ##### END DO NOT MODIFY #####
 
+    Import-DscResource -ModuleName PSDesiredStateConfiguration -ModuleVersion 1.1
+    . "$resourcePath\windows.WindowsFeature.ps1"
+
     Import-DscResource -ModuleName xWebAdministration -ModuleVersion 2.3.0.0
     . "$resourcePath\windows.xWebSite.ps1"
     . "$resourcePath\windows.xWebAppPool.ps1"

DSCResources/Resources/firefox.ReplaceText.ps1

@@ -26,13 +26,13 @@ ReplaceText DoNotObscureFile
 }
 
 <#
-    The second file to create is called firefox.cfg and it is placed at the top level of the Firefox directory. It should always begin with a commented line, such as: 
+    The second file to create is called firefox.cfg and it is placed at the top level of the Firefox directory. It should always begin with a commented line, such as:
     // IMPORTANT: Start your code on the 2nd line
 #>
 ReplaceText BeginFileWithComment
 {
     Path        = "$InstallDirectory\firefox.cfg"
-    Search      = '// FireFox preference file'
+    Search      = ('// FireFox preference file' + "`r")
     Type        = 'Text'
     Text        = ('// FireFox preference file' + "`r")
 }
@@ -44,7 +44,7 @@ foreach ( $rule in $rules )
         Path        = "$InstallDirectory\FireFox.cfg"
         Search      = 'lockPref\("{0}", (.*)\);' -f $rule.Key
         Type        = 'Text'
-        Text        = ("`r`n" + 'lockPref("{0}", {1});' -f $rule.Key, (Format-FireFoxPreference -Value $rule.Value))
+        Text        = 'lockPref("{0}", {1});' -f $rule.Key, (Format-FireFoxPreference -Value $rule.Value)
         AllowAppend = $true
     }
 }

DSCResources/Resources/windows.UserRightsAssignment.ps1

@@ -57,5 +57,6 @@ foreach ($rule in $rules)
     {
         Policy   = ($rule.DisplayName -replace " ", "_")
         Identity = $identityList
+        Force    = [bool]$rule.Force
     }
 }

DSCResources/Resources/windows.WindowsFeature.ps1

@@ -16,7 +16,7 @@ foreach ( $rule in $rules )
         future if WindowsOptionalFeature is updated to allow it to run a on DC
         lines 17-31 can be removed.
     #>
-    if ($stigData.DISASTIG.id -match 'Windows_10')
+    if ($stigData.DISASTIG.stigid -match 'Windows_10')
     {
         WindowsOptionalFeature (Get-ResourceTitle -Rule $rule)
         {

DSCResources/Resources/windows.cAdministrativeTemplateSetting.ps1

@@ -7,7 +7,20 @@ foreach ($rule in $rules)
 {
     if ($rule.Key -match "^HKEY_CURRENT_USER")
     {
-        $valueData = $rule.ValueData.Split("{;}")
+        $rule.Key = $rule.Key -replace 'HKEY_CURRENT_USER', ''
+        if ($rule.ValueType -eq 'MultiString')
+        {
+            $valueData = $rule.ValueData.Split("{;}")
+        }
+        else
+        {
+            $valueData = $rule.ValueData
+        }
+
+        if ($valueData -eq 'ShouldBeAbsent')
+        {
+            $rule.Ensure = 'Absent'
+        }
 
         cAdministrativeTemplateSetting (Get-ResourceTitle -Rule $rule)
         {

DSCResources/Resources/windows.xIisLogging.ps1

@@ -7,7 +7,6 @@ if ($rules)
 {
     $logFlags = Get-UniqueStringArray -InputObject $rules.LogFlags -AsString
     $logFormat = Get-UniqueString -InputObject $rules.LogFormat
-    $logPeriod = Get-UniqueString -InputObject $rules.LogPeriod
     $logCustomField = Get-LogCustomField -LogCustomField $rules.LogCustomFieldEntry.Entry -Resource 'xIisLogging'
 
     $resourceTitle = "[$($rules.id -join ' ')]"
@@ -18,7 +17,6 @@ if ($rules)
             LogPath         = '$LogPath'
             LogFlags        = @($logFlags)
             LogFormat       = '$logFormat'
-            LogPeriod       = '$logPeriod'
             LogCustomFields = @($logCustomField)
         }"
     )

DSCResources/Resources/windows.xRegistry.ps1

@@ -16,6 +16,11 @@ foreach ( $rule in $rules )
             $valueData = $rule.ValueData
         }
 
+        if( $valueData -eq 'ShouldBeAbsent')
+        {
+            $rule.Ensure = 'Absent'
+        }
+
         xRegistry (Get-ResourceTitle -Rule $rule)
         {
             Key       = $rule.Key

DSCResources/Resources/windows.xWebConfigProperty.ps1

@@ -1,18 +1,46 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
 
+#region Header
 $rules = Get-RuleClassData -StigData $stigData -Name WebConfigurationPropertyRule
-
-foreach ($website in $WebsiteName)
+#endregion Header
+#region Resource
+if ($WebsiteName)
+{
+    foreach ($website in $WebsiteName)
+    {
+        foreach ($rule in $rules)
+        {
+            xWebConfigProperty "$(Get-ResourceTitle -Rule $rule -Instance $website)"
+            {
+                WebsitePath     = "IIS:\Sites\$website"
+                Filter          = $rule.ConfigSection
+                PropertyName    = $rule.Key
+                Value           = $rule.Value
+            }
+        }
+    }
+}
+else
 {
     foreach ($rule in $rules)
     {
-        xWebConfigProperty "$(Get-ResourceTitle -Rule $rule -Instance $website)"
+        if ($rule.ConfigSection -match '/system.web')
+        {
+            $psPath = 'MACHINE/WEBROOT'
+        }
+        else
+        {
+            $psPath = 'MACHINE/WEBROOT/APPHOST'
+        }
+
+        xWebConfigProperty "$(Get-ResourceTitle -Rule $rule)"
         {
-            WebsitePath     = "IIS:\Sites\$website"
+            WebsitePath     = $psPath
             Filter          = $rule.ConfigSection
             PropertyName    = $rule.Key
             Value           = $rule.Value
         }
     }
 }
+#endregion Resource

DSCResources/SqlServer/SqlServer.schema.psm1

@@ -51,7 +51,7 @@ Configuration SqlServer
     param
     (
         [Parameter(Mandatory = $true)]
-        [ValidateSet('2012')]
+        [ValidateSet('2012', '2016')]
         [string]
         $SqlVersion,
 
@@ -61,7 +61,7 @@ Configuration SqlServer
         $SqlRole,
 
         [Parameter()]
-        [ValidateSet('1.16', '1.17')]
+        [ValidateSet('1.3', '1.16', '1.17', '1.18')]
         [ValidateNotNullOrEmpty()]
         [version]
         $StigVersion,
@@ -128,4 +128,7 @@ Configuration SqlServer
 
     Import-DscResource -ModuleName SqlServerDsc -ModuleVersion '12.1.0.0'
     . "$resourcePath\SqlServer.ScriptQuery.ps1"
+
+    Import-DscResource -ModuleName SecurityPolicyDsc -ModuleVersion '2.4.0.0'
+    . "$resourcePath\Windows.SecurityOption.ps1"
 }

DSCResources/WindowsClient/WindowsClient.schema.psm1

@@ -53,7 +53,7 @@ Configuration WindowsClient
 
         [Parameter()]
         [ValidateNotNullOrEmpty()]
-        [ValidateSet('1.14', '1.15')]
+        [ValidateSet('1.15', '1.16')]
         [version]
         $StigVersion,
 
@@ -118,7 +118,7 @@ Configuration WindowsClient
     . "$resourcePath\windows.Script.skip.ps1"
     ##### END DO NOT MODIFY #####
 
-    Import-DscResource -ModuleName AccessControlDsc -ModuleVersion 1.1.0.0
+    Import-DscResource -ModuleName AccessControlDsc -ModuleVersion 1.2.0.0
     . "$resourcePath\windows.AccessControl.ps1"
 
     Import-DscResource -ModuleName AuditPolicyDsc -ModuleVersion 1.2.0.0

DSCResources/WindowsDnsServer/WindowsDnsServer.schema.psm1

@@ -51,7 +51,7 @@ Configuration WindowsDnsServer
         $OsVersion,
 
         [Parameter()]
-        [ValidateSet('1.7', '1.9', '1.10')]
+        [ValidateSet('1.10', '1.11')]
         [ValidateNotNullOrEmpty()]
         [version]
         $StigVersion,
@@ -116,7 +116,7 @@ Configuration WindowsDnsServer
     . "$resourcePath\windows.Script.skip.ps1"
     ##### END DO NOT MODIFY #####
 
-    Import-DscResource -ModuleName AccessControlDsc -ModuleVersion 1.1.0.0
+    Import-DscResource -ModuleName AccessControlDsc -ModuleVersion 1.2.0.0
     . "$resourcePath\windows.AccessControl.ps1"
 
     Import-DscResource -ModuleName PSDesiredStateConfiguration -ModuleVersion 1.1

DSCResources/WindowsServer/WindowsServer.schema.psm1

@@ -62,7 +62,7 @@ Configuration WindowsServer
 
         [Parameter()]
         [ValidateNotNullOrEmpty()]
-        [ValidateSet('2.12', '2.13', '2.14')]
+        [ValidateSet('2.13', '2.14', '2.15', '1.6', '1.7')]
         [version]
         $StigVersion,
 
@@ -126,7 +126,7 @@ Configuration WindowsServer
     . "$resourcePath\windows.Script.skip.ps1"
     ##### END DO NOT MODIFY #####
 
-    Import-DscResource -ModuleName AccessControlDsc -ModuleVersion 1.1.0.0
+    Import-DscResource -ModuleName AccessControlDsc -ModuleVersion 1.2.0.0
     . "$resourcePath\windows.AccessControl.ps1"
 
     Import-DscResource -ModuleName AuditPolicyDsc -ModuleVersion 1.2.0.0