
windows-baseline


This baseline ensures that all hardening projects keep the same quality.

Description

This InSpec compliance profile is inspired by the CIS Windows 2012R2 and 2016 Benchmarks and implements their rules in an automated way to provide security best-practice tests for Windows Servers in a production environment.

Implements:

  • CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018
  • CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018

InSpec is an open-source run-time framework and rule language used to specify compliance, security, and policy requirements for testing any node in your infrastructure.

Requirements

  • InSpec version 3.0.0 or later
  • WinRM enabled (for remote InSpec usage)

Platform

  • Windows 2012R2
  • Windows 2016
  • Windows 2019

Attributes

We use a YAML attribute file to steer the configuration. The following options are available:

  • level_1_or_2 define which CIS Benchmark Level (1 or 2) you want to execute

  • ms_or_dc define if you want to execute the profile in the context of a Member Server (MS) or Domain Controller (DC)

  • password_history_size define password history size

  • maximum_password_age define MaximumPasswordAge

  • se_network_logon_right define which users are allowed to access this computer from the network

  • se_interactive_logon_right define which users are allowed to log on locally

  • se_remote_interactive_logon_right define which users are allowed to log on through Remote Desktop Services

  • se_backup_privilege define which users are allowed to backup files and directories

  • se_systemtime_privilege define which users are allowed to change system time

  • se_time_zone_privilege define which users are allowed to change system time zone

  • se_create_symbolic_link_privilege define which users are allowed to create symbolic links

  • se_deny_network_logon_right define which users are not allowed to access this computer from the network

  • se_deny_remote_interactive_logon_right define which users are not allowed to log on through Remote Desktop Services

  • se_enable_delegation_privilege define which users are allowed to enable computer and user accounts to be trusted

  • se_impersonate_privilege define which users are allowed to impersonate a client after authentication

  • se_load_driver_privilege define which users are allowed to load and unload device drivers

  • se_batch_logon_right define which users are allowed to log on as a batch job

  • se_security_privilege define which users are allowed to manage auditing and security logs

  • se_assign_primary_token_privilege define which users are allowed to replace a process level token

  • se_restore_privilege define which users are allowed to restore files and directories

Usage

InSpec makes it easy to run your tests wherever you need. More options are listed in the InSpec CLI documentation.

# run profile locally and directly from Github
$ inspec exec https://github.com/dev-sec/windows-baseline

# run profile locally
$ git clone https://github.com/dev-sec/windows-baseline
$ inspec exec windows-baseline

# run profile on remote host via WinRM
$ inspec exec windows-baseline -t winrm://<ip-address>:5985 --user=<username> --password=<password>

# run profile on remote host via WinRM and define attribute values
$ inspec exec windows-baseline -t winrm://<ip-address>:5985 --user=<username> --password=<password> --attrs sample_attributes.yml

# run profile directly from the InSpec supermarket
$ inspec supermarket exec dev-sec/windows-baseline -t winrm://<ip-address>:5985 --user=<username> --password=<password>

Run individual controls

To verify individual controls, provide the control ids to InSpec:

inspec exec windows-baseline --controls 'windows-001'

ToDo

  • adjust the inspec attributes according to the profile (Member Server or Domain Controller), because for the Domain Controller some attributes are different from a Member Server

Contributors + Kudos

License and Author

Author: Patrick Muench [email protected]
Author: Torsten Loebner [email protected]
Copyright: 2019 SVA System Vertrieb Alexander GmbH
Copyright: 2019 Lichtblick SE
Copyright: 2015-2016, Chef Software, Inc
Copyright: DevSec Hardening Framework Team
License: Apache License Version 2.0


windows-baseline's Issues

Target a specific version of Windows

In a new w2019 server, I'm having many errors because of w10, w2012 issues (mainly Windows Registry stuff). So I'm having 500 errors, 944 passed.

Describe the solution you'd like
I'd like to be able to configure the version of Windows I'm targeting

The baseline should be organized by components

Files are organized in:

tree controls 
controls
├── 01_password_policy_spec.rb
├── 02_account_lockout_spec.rb
├── 03_user_rights_spec.rb
├── 04_audit_spec.rb
├── 05_ie_spec.rb
├── 07_rdp_spec.rb
└── 08_access_spec.rb

Instead we should organize them by components and remove the prefix numbers.

The 'should include' does not check for unwanted accounts

The 'should include' doesn't check that unwanted accounts are not present so this control is invalid.

control 'cis-adjust-memory-quotas-2.2.5' do
  impact 0.7
  title '2.2.5 Set Adust memory quotas for a process to Administrators, LOCAL SERVICE, NETWORK SERVICE'
  desc 'Set Adust memory quotas for a process to Administrators, LOCAL SERVICE, NETWORK SERVICE'
  describe security_policy do
    its('SeIncreaseQuotaPrivilege') { should include 'S-1-5-19' }
    its('SeIncreaseQuotaPrivilege') { should include 'S-1-5-20' }
    its('SeIncreaseQuotaPrivilege') { should include 'S-1-5-32-544' }
  end
end

I suggest the following. This will work only if the returned array is always sorted which I think is true.
Otherwise we need to check no other account is added.

control 'cis-adjust-memory-quotas-2.2.5' do
  impact 0.7
  title '2.2.5 Set Adust memory quotas for a process to Administrators, LOCAL SERVICE, NETWORK SERVICE'
  desc 'Set Adust memory quotas for a process to Administrators, LOCAL SERVICE, NETWORK SERVICE'
  describe security_policy do
    its('SeIncreaseQuotaPrivilege') { should eq ['S-1-5-19', 'S-1-5-20', 'S-1-5-32-544'] }
  end
end

windows-011 array order failure

Description

Window-011 check is failing due to an array ordering problem


It is looking for expected: ["S-1-5-9", "S-1-5-32-544"] but is finding got: ["S-1-5-32-544", "S-1-5-9"]

Reproduction steps

This is with a stock windows 2016 build, using the stock inspec defaults

https://github.com/dev-sec/windows-baseline/blob/master/inspec.yml#L34-L38

Current Behavior

expected: ["S-1-5-9", "S-1-5-32-544"]
got: ["S-1-5-32-544", "S-1-5-9"]

Expected Behavior

The array order should not change.
If the array order does change, it should not be considered a failure as long as the contents are equivalent.

OS / Environment

windows 2016

Inspec Version

5.18.14

Baseline Version

name: .
title: InSpec Profile
maintainer: The Authors
copyright: The Authors
copyright_email: [email protected]
license: Apache-2.0
summary: An InSpec Compliance Profile
version: 0.1.0
supports:
  platform-family: windows
depends:
  - name: windows-baseline
    git: https://github.com/dev-sec/windows-baseline
    tag: 2.1.9

Additional information

No response

LAN Manager authentication level incorrect

Describe the bug
I may be unsure of the intent here, but windows-base-201 "Strong Windows NTLMv2 Authentication Enabled; Weak LM Disabled" is not set correctly according to CIS Windows 2012R2 and 2016. I'm not sure if the current implementation is for a different spec.

The CIS policy I'm referencing is:

2.3.11.7 (L1) Ensure 'Network security: LAN Manager authentication
level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM' 

Expected behavior
HKLM\System\CurrentControlSet\Control\Lsa:LmCompatibilityLevel should be set to 5

Actual behavior
HKLM\System\CurrentControlSet\Control\Lsa:LmCompatibilityLevel is set to 4

Inspec Version

1.51.21

Baseline Version

1c916e9
(master as of 2018-12-06)

Additional context
If the current implementation is correct, then I'm unsure of how to modify windows-baseline to support different specs for the same registry key. Any guidance would be helpful.

boolean 'or' logic for describe block

For CIS 2.2.7 'Allow log on through Remote Desktop Services' - I would like to configure a describe block that allows either nothing, or admins, or admins & RDS users, but no other accounts.

    describe security_policy do
      its('SeRemoteInteractiveLogonRight') { should eq [] } or
      its('SeRemoteInteractiveLogonRight') { should eq ['S-1-5-32-544'] } or
      its('SeRemoteInteractiveLogonRight') { should eq ['S-1-5-32-544', 'S-1-5-32-555'] }
    end

Is this possible?

formatting error when executing profile

Describe the bug
In some recent testing I discovered this profile is failing inspec exec with some formatting issues.

Expected behavior
Can execute this profile with inspec exec and send the results to Automate

Actual behavior

         2: from C:/opscode/inspec/embedded/lib/ruby/gems/2.6.0/gems/inspec-4.3.2/lib/inspec/reporters/automate.rb:41:in `send_report'
         1: from C:/opscode/inspec/embedded/lib/ruby/gems/2.6.0/gems/inspec-4.3.2/lib/inspec/reporters/automate.rb:41:in `to_json'
C:/opscode/inspec/embedded/lib/ruby/gems/2.6.0/gems/inspec-4.3.2/lib/inspec/reporters/automate.rb:41:in `encode': "\xC3" from ASCII-8BIT to UTF-8 (Encoding::UndefinedConversionError)

OS / Environment
windows_server_2016

Inspec Version
inspec 3.9.0

Baseline Version
master

Additional context
chef/automate#296

adjust memory quota test allows for other users to be present

This test:

control 'cis-adjust-memory-quotas-2.2.5' do
  impact 0.7
  title '2.2.5 Set Adust memory quotas for a process to Administrators, LOCAL SERVICE, NETWORK SERVICE'
  desc 'Set Adust memory quotas for a process to Administrators, LOCAL SERVICE, NETWORK SERVICE'
  describe security_policy do
    its('SeIncreaseQuotaPrivilege') { should include 'S-1-5-19' }
    its('SeIncreaseQuotaPrivilege') { should include 'S-1-5-20' }
    its('SeIncreaseQuotaPrivilege') { should include 'S-1-5-32-544' }
  end
end

...currently allows for other users to be present. This is potentially necessary, if the server is a web server or SQL server, but is not secure by default, as any user can be arbitrarily added?
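The three user-rights issues above (extra accounts slipping past `should include`, the windows-011 ordering failure, and the "one of several allowed sets" question for CIS 2.2.7) all come down to comparing SID lists as sets. The following plain-Ruby model is an added example, not windows-baseline code; in a profile the `actual` arrays would come from InSpec's security_policy resource, and the sample values and the extra domain SID here are constructed.

```ruby
# Added example, not windows-baseline code: a plain-Ruby model of the
# user-rights checks discussed in the issues above.  In a profile the
# `actual` arrays would come from InSpec's security_policy resource
# (e.g. security_policy.SeIncreaseQuotaPrivilege); here they are constructed.

# Well-known SIDs quoted in the issues.
LOCAL_SERVICE   = 'S-1-5-19'
NETWORK_SERVICE = 'S-1-5-20'
ADMINISTRATORS  = 'S-1-5-32-544'
RDS_USERS       = 'S-1-5-32-555'

# Exact match independent of ordering: every expected SID is present and
# nothing else is, so an extra account fails (unlike `should include`) while
# ["S-1-5-32-544", "S-1-5-9"] against ["S-1-5-9", "S-1-5-32-544"] passes.
def rights_exactly?(actual, expected)
  actual.sort == expected.sort
end

# Pass if the actual list matches any one of several allowed sets, e.g.
# "either nothing, or Administrators, or Administrators and RDS users".
def rights_one_of?(actual, allowed_sets)
  allowed_sets.any? { |set| rights_exactly?(actual, set) }
end

# SIDs that no allowed set permits, useful for reporting what to remove.
def unexpected_sids(actual, allowed_sets)
  actual - allowed_sets.flatten.uniq
end

# Allowed configurations for SeRemoteInteractiveLogonRight (CIS 2.2.7).
RDP_ALLOWED_SETS = [[], [ADMINISTRATORS], [ADMINISTRATORS, RDS_USERS]].freeze

# Constructed sample: the quota privilege as a host might return it, with an
# extra domain account (placeholder SID) that `should include` would not catch.
EXTRA_ACCOUNT  = 'S-1-5-21-0-0-0-1104'
QUOTA_ACTUAL   = [NETWORK_SERVICE, ADMINISTRATORS, LOCAL_SERVICE, EXTRA_ACCOUNT].freeze
QUOTA_EXPECTED = [LOCAL_SERVICE, NETWORK_SERVICE, ADMINISTRATORS].freeze

if __FILE__ == $PROGRAM_NAME
  puts "quota exact match: #{rights_exactly?(QUOTA_ACTUAL, QUOTA_EXPECTED)}"
  puts "unexpected SIDs:   #{unexpected_sids(QUOTA_ACTUAL, [QUOTA_EXPECTED]).inspect}"
  puts "RDP admins+RDS ok: #{rights_one_of?([RDS_USERS, ADMINISTRATORS], RDP_ALLOWED_SETS)}"
end
```

Inside an InSpec control the same order-insensitive exact comparison is available as RSpec's `match_array` matcher (`its('SeIncreaseQuotaPrivilege') { should match_array [...] }`), which fails on extra SIDs but ignores ordering.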

Typo FontBocking/FontBlocking?

Describe the bug
In control windows-249 there is a mitigation called MitigationOptions_FontBocking instead of MitigationOptions_FontBlocking

I don't know if this is correct.
Stig viewer has the same typo: https://www.stigviewer.com/stig/windows_10/2015-11-30/finding/V-63641

For Windows 10 Font Blocking works entirely different: https://docs.microsoft.com/en-us/windows/security/threat-protection/block-untrusted-fonts-in-enterprise

  describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\MitigationOptions') do
    it { should exist }
    it { should have_property 'MitigationOptions_FontBocking' }
    its('MitigationOptions_FontBocking') { should eq '1000000000000' }
  end

We should check what option actually blocks untrusted fonts.

Error `undefined method `positive?' for #<RSpec::Matchers::DSL::Matcher cmp>`

On the windows baseline, I'm finding the following error

undefined method `positive?' for #<RSpec::Matchers::DSL::Matcher cmp>

inspec is using a method cmp.positive?

    its('MaximumPasswordAge') { should cmp.positive? }

https://github.com/dev-sec/windows-baseline/blob/master/controls/local_policies.rb#L1291-L1318

cmp.positive? does not appear to be a valid method on the RSpec::Matchers::DSL::Matcher class

https://rspec.info/documentation/3.0/rspec-expectations/RSpec/Matchers/DSL/Matcher.html

inspec --version
5.18.14

There is only 1 example in this repo of .positive? being used.

Here is the commit where it was changed. https://github.com/dev-sec/windows-baseline/pull/50/files

Previous versions used the its('MaximumPasswordAge') { should cmp > 0 } syntax

Licensing information mismatch?

Controls in this repo (numbers 04-08) contain the following information in the headers:

# copyright: 2015, Chef Software, Inc
# license: All rights reserved

Pardon my ignorance, but isn't it contradictory to the general Apache License specified at the repo level?

The title of each test should clearly state what should be done

This is not a bug, rather a comment. The title of each test should clearly state what should be done or what should not be done.
For instance:
'windows-base-105'
title 'SMB1 to Windows Shares is disabled'
It would be better to update the title to something like:
title 'SMB1 to Windows Shares should be disabled'

'windows-base-203'
title 'Enable Strong Encryption for Windows Network Sessions on Servers'
It would be better to update the title to something like:
title 'Strong Encryption for Windows Network Sessions on Servers should be enabled'

Thanks.

False Positives due to integers in strings

Describe the bug
Many Inspec tests are failing the test when Windows stores a numerical value as a string.

Expected behavior
Tests should pass when the expected value is either a number or string

Actual behavior

AllocateDASD
is expected to eq 
  Failure/Error: DEFAULT_FAILURE_NOTIFIER = lambda { |failure, _opts| raise failure }

    expected: 0
         got: "0"

    (compared using ==)
  # windows-baseline-master/controls/local_policies.rb:1094:in `block (3 levels) in load_with_context'

OS / Environment
Domain-joined Windows Server 2016/2019

Inspec Version

4.20.10

Baseline Version

2.1.4

Additional context

I believe the recommendation from Opscode is to use cmp instead of eq
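The two issues above (the `eq 0` vs `"0"` false positives and the invalid `cmp.positive?` call) both concern comparing registry and policy values whose type varies between hosts. The following plain-Ruby helpers are an added example, not windows-baseline or InSpec code: they model the loose comparison those controls need from InSpec's `cmp` matcher, and the registry values they run over are constructed.

```ruby
# Added example, not windows-baseline or InSpec code: a loose comparison
# modelled on what the issues above need from InSpec's `cmp` matcher, so a
# REG_SZ "0" satisfies an expectation of 0 and a numeric string can be
# range-checked without raising.  The sample registry values are constructed.

# Normalise a value read from the registry: numeric strings become Integers,
# everything else is left alone.
def normalize(value)
  return value unless value.is_a?(String)
  value.strip.match?(/\A-?\d+\z/) ? Integer(value.strip, 10) : value
end

# Equality in the spirit of `should cmp 0`: "0" == 0, but "1" != 0.
# Strings are compared case-insensitively, as cmp does.
def cmp_eq?(actual, expected)
  a = normalize(actual)
  e = normalize(expected)
  return a.casecmp?(e) if a.is_a?(String) && e.is_a?(String)
  a == e
end

# Ordering check in the spirit of `should cmp > 0`.  A non-numeric value
# returns false instead of raising, so the control fails cleanly.
def cmp_positive?(actual)
  a = normalize(actual)
  a.is_a?(Integer) && a > 0
end

# Constructed sample of what a domain-joined host might return.
SAMPLE_VALUES = {
  'AllocateDASD'         => '0',   # stored as REG_SZ, expected 0
  'LmCompatibilityLevel' => 5,     # REG_DWORD, expected 5 per CIS 2.3.11.7
  'MaximumPasswordAge'   => '42',  # policy export returns a string
}.freeze

# Evaluate the three expectations; each key maps to pass (true) or fail (false).
def evaluate(values)
  {
    'AllocateDASD'         => cmp_eq?(values['AllocateDASD'], 0),
    'LmCompatibilityLevel' => cmp_eq?(values['LmCompatibilityLevel'], 5),
    'MaximumPasswordAge'   => cmp_positive?(values['MaximumPasswordAge']),
  }
end

puts evaluate(SAMPLE_VALUES).inspect if __FILE__ == $PROGRAM_NAME
```

In a control, the equivalent InSpec syntax is `should cmp 0` and `should cmp > 0`, the form the earlier versions of the profile used.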
