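#region Header
. $PSScriptRoot\.tests.header.ps1
#endregion
try
{
    #region Test Setup
    # Integration fixtures for the User Rights Assignment converter.
    # Each entry is one STIG check as it appears in the XCCDF CheckContent,
    # paired with the values the converter is expected to extract from it.
    # '{0}' in CheckContent is replaced with displayName (via -f) when the
    # test XCCDF rule is built below, so the same wording serves several rights.
    $rulesToTest = @(
        @{
            displayName = 'Act as part of the operating system'
            constant = 'SeTcbPrivilege'
            # 'NULL' is the expected Identity when the check says no account
            # or group may hold the right.
            Identity = 'NULL'
            organizationValueRequired = $false
            organizationValueTestString = $null
            CheckContent = 'Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment.
If any accounts or groups (to include administrators), are granted the "{0}" user right, this is a finding.'
        }
        @{
            displayName = 'Take ownership of files or other objects'
            constant = 'SeTakeOwnershipPrivilege'
            Identity = 'Administrators'
            organizationValueRequired = $false
            organizationValueTestString = $null
            CheckContent = 'Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment.
If any groups or accounts other than the following are granted the "{0}" user right, this is a finding:
Administrators'
        }
        @{
            displayName = 'Deny access to this computer from the network'
            constant = 'SeDenyNetworkLogonRight'
            # The check text offers a choice ("Local account and member of
            # Administrators group" or "Local account"), so the expected
            # identity carries that alternation and an organization value is
            # required to pick one; the test string is the -match expression
            # the converter is expected to emit for that choice.
            Identity = 'Enterprise Admins,Domain Admins,(Local account and member of Administrators group|Local account),Guests'
            organizationValueRequired = $true
            organizationValueTestString = "'{0}' -match 'Enterprise Admins,Domain Admins,(Local account and member of Administrators group|Local account),Guests'"
            CheckContent = 'Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment.
If the following accounts or groups are not defined for the "Deny access to this computer from the network" user right, this is a finding:
Domain Systems Only:
Enterprise Admins group
Domain Admins group
"Local account and member of Administrators group" or "Local account" (see Note below)
All Systems:
Guests group
Systems dedicated to the management of Active Directory (AD admin platforms, see V-36436 in the Active Directory Domain STIG) are exempt from denying the Enterprise Admins and Domain Admins groups.
Note: Windows Server 2012 R2 added new built-in security groups, "Local account" and "Local account and member of Administrators group". "Local account" is more restrictive but may cause issues on servers such as systems that provide Failover Clustering.
Microsoft Security Advisory Patch 2871997 adds the new security groups to Windows Server 2012.'
        }
        @{
            displayName = 'Deny access to this computer from the network'
            constant = 'SeDenyNetworkLogonRight'
            # Same right, but the check names a single "Local account" group,
            # so no organizational choice is expected here.
            Identity = 'Enterprise Admins,Domain Admins,Local account,Guests'
            organizationValueRequired = $false
            organizationValueTestString = $null
            CheckContent = 'Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment.
If the following accounts or groups are not defined for the "Deny access to this computer from the network" user right, this is a finding:
Domain Systems Only:
Enterprise Admins group
Domain Admins group
Local account (see Note below)
All Systems:
Guests group
Systems dedicated to the management of Active Directory (AD admin platforms, see V-36436 in the Active Directory Domain STIG) are exempt from denying the Enterprise Admins and Domain Admins groups.
Note: Windows Server 2012 R2 added new built-in security groups, "Local account" and "Local account and member of Administrators group". "Local account" is more restrictive but may cause issues on servers such as systems that provide Failover Clustering.
Microsoft Security Advisory Patch 2871997 adds the new security groups to Windows Server 2012.'
        }
    )
    #endregion

    #region Tests
    Describe 'User Rights Assignment Conversion' {
        foreach ( $testRule in $rulesToTest )
        {
            # Build a minimal XCCDF document around the check text, write it to
            # the Pester test drive and run it through the converter under test.
            [xml] $stigRule = Get-TestStigRule -CheckContent ( $testRule.CheckContent -f $testRule.displayName ) -XccdfTitle Windows
            $TestFile = Join-Path -Path $TestDrive -ChildPath 'TextData.xml'
            $stigRule.Save( $TestFile )
            $rule = ConvertFrom-StigXccdf -Path $TestFile

            It 'Should return an UserRightRule Object' {
                $rule.GetType() | Should Be 'UserRightRule'
            }

            It 'Should extract the correct DisplayName' {
                $rule.DisplayName | Should Be $testRule.displayName
            }

            It 'Should return the correct Constant' {
                $rule.Constant | Should Be $testRule.constant
            }

            It 'Should extract the correct identity' {
                $rule.Identity | Should Be $testRule.Identity
            }

            # The expected value is $true for the fixture that carries an
            # alternation, so the description must not claim it is never set.
            It 'Should set OrganizationValueRequired to the expected value' {
                $rule.OrganizationValueRequired | Should Be $testRule.organizationValueRequired
            }

            It 'Should have the correct test string' {
                $rule.OrganizationValueTestString | Should Be $testRule.organizationValueTestString
            }

            It 'Should set the correct DscResource' {
                $rule.DscResource | Should Be 'UserRightsAssignment'
            }

            It 'Should Set the status to pass' {
                $rule.conversionstatus | Should Be 'pass'
            }
        }
    }
    #endregion
}
finally
{
    . $PSScriptRoot\.tests.footer.ps1
}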