mitre / microsoft-windows-server-2016-stig-baseline Goto Github PK

An InSpec Profile for evaluating a Windows 2016 server to the DISA STIGs

License: Other

Ruby 100.00%

inspec disa mitre-corporation stig windows-2016

microsoft-windows-server-2016-stig-baseline's Introduction

microsoft-windows-server-2016-stig-baseline

InSpec profile to validate the secure configuration of Microsoft Windows Server 2016, against DISA's Microsoft Windows Server 2016 Security Technical Implementation Guide (STIG) Version 1, Release 7.

Getting Started

It is intended and recommended that InSpec run this profile from a "runner" host (such as a DevOps orchestration server, an administrative management system, or a developer's workstation/laptop) against the target remotely over winrm.

For the best security of the runner, always install on the runner the latest version of InSpec and supporting Ruby language components.

The latest versions and installation options are available at the InSpec site.

Tailoring to Your Environment

The following inputs must be configured in an inputs ".yml" file for the profile to run correctly for your specific environment. More information about InSpec inputs can be found in the InSpec Profile Documentation.

- List of authorized users in the Backup Operators Group
backup_operators:

- List of authorized users in the local Administrators group
administrators:

- List of authorized users in the local Administrators domain group
administrators_domain:

- List of temporary accounts on the system
temp_account:

- List of emergency accounts on the system
emergency_account:

- List of authorized users in the local Administrators domain group
administrator_domain_group:

- List of shared accounts on the system
shared_accounts:

- Set to true server has the ftp server role
has_ftp_server_role:

- Domain Controller forrest name
forrest:

- Default administator account
admin_account:

- Set to true if the system is dedicated to the management of Active Directory
is_AD_only_system:

- Set flag to true if the target system is unclassified
is_unclassified_system:

- List of DoD Interoperability Root Certificates
dod_certificates:

- List of DoD Interoperability Root Certificates
dod_cceb_certificates:

- Default account name for Built-In Administrator
built_in_admin_account:

- A list of all manually managed Application and Service account names
manually_managed_app_service_accounts:

Running This Baseline Directly from Github

# How to run
inspec exec https://github.com/mitre/microsoft-windows-server-2016-stig-baseline/archive/master.tar.gz --target winrm://<hostip> --user '<admin-account>' --password=<password> --input-file=<path_to_your_inputs_file/name_of_your_inputs_file.yml> --reporter=cli json:<path_to_your_output_file/name_of_your_output_file.json>

Different Run Options

Full exec options

Running This Baseline from a local Archive copy

If your runner is not always expected to have direct access to GitHub, use the following steps to create an archive bundle of this baseline and all of its dependent tests:

(Git is required to clone the InSpec profile using the instructions below. Git can be downloaded from the Git site.)

When the "runner" host uses this profile baseline for the first time, follow these steps:

mkdir profiles
cd profiles
git clone https://github.com/mitre/microsoft-windows-server-2016-stig-baseline
inspec archive microsoft-windows-server-2016-stig-baseline
inspec exec <name of generated archive> --target winrm://<hostip> --user '<admin-account>' --password=<password> --input-file=<path_to_your_inputs_file/name_of_your_inputs_file.yml> --reporter=cli json:<path_to_your_output_file/name_of_your_output_file.json>

For every successive run, follow these steps to always have the latest version of this baseline:

cd microsoft-windows-server-2016-stig-baseline
git pull
cd ..
inspec archive microsoft-windows-server-2016-stig-baseline --overwrite
inspec exec <name of generated archive> --target winrm://<hostip> --user '<admin-account>' --password=<password> --input-file=<path_to_your_inputs_file/name_of_your_inputs_file.yml> --reporter=cli json:<path_to_your_output_file/name_of_your_output_file.json>

Using Heimdall for Viewing the JSON Results

The JSON results output file can be loaded into heimdall-lite for a user-interactive, graphical view of the InSpec results.

The JSON InSpec results file may also be loaded into a full heimdall server, allowing for additional functionality such as to store and compare multiple profile runs.

Authors

Alicia Sturtevant, Mitre - asturtevant
Krishna Kola, DIFZ - kkola

Special Thanks

Aaron Lippold, Mitre - aaronlippold
Shivani Karikar, DIFZ - karikarshivani

Contributing and Getting Help

To report a bug or feature request, please open an issue.

NOTICE

Approved for Public Release; Distribution Unlimited. Case Number 18-3678.

NOTICE

MITRE hereby grants express written permission to use, reproduce, distribute, modify, and otherwise leverage this software to the extent permitted by the licensed terms provided in the LICENSE.md file included with this project.

NOTICE

This software was produced for the U. S. Government under Contract Number HHSM-500-2012-00008I, and is subject to Federal Acquisition Regulation Clause 52.227-14, Rights in Data-General.

No other use other than that granted to the U. S. Government, or to those acting on behalf of the U. S. Government under that Clause is authorized without the express written permission of The MITRE Corporation.

For further information, please contact The MITRE Corporation, Contracts Management Office, 7515 Colshire Drive, McLean, VA 22102-7539, (703) 983-6000.

NOTICE

DISA STIGs are published by DISA IASE, see: https://iase.disa.mil/Pages/privacy_policy.aspx

microsoft-windows-server-2016-stig-baseline's People

Contributors

Stargazers

Watchers

Forkers

agraf libyx ericchen01 intinternal jorson-chen carnells mingli103 lmicms kclinden dekoder slipthebit automatewithansible aagiardd neatnerdprime chriss-0x01

microsoft-windows-server-2016-stig-baseline's Issues

V-73307 Fails on Domain Controllers with PDC Emulator Role

Per the STIG, control V-73307 does not apply to domain controllers with the PDC Emulator role. V-73307.rb should skip if target is the PDC Emulator.

Per STIG, PDC Emulator can be determined using the command Get-ADDomain | FT PDCEmulator

V-73587 - Does not account for non-applicable case

V-73609 should be reworked a bit to use regex to find the elements being evaluated

This currently is not checking what is really being asked for

Attrib for class vs unclass
that elements exist in each cert
that the cert name matches ( CN ) what is expected
that the cert date exists and is still in the future
that the thumbprint exists and is properly formed - but we don't care about the value

incorporate attestations template and plugin to address manual controls

will be rolled up under a new project for all mitre/ baselines under https://github.com/mitre/mitre-saf/projects

reference model: https://github.com/ejaronne/cms-ars-3.1-manual-controls-baseline

V-73775.rb Skip Wording is confusing

[controls/V-73775.rb] (https://github.com/mitre/microsoft-windows-server-2016-stig-baseline/blob/master/controls/V-73775.rb)

Reads This system is a domain controller, therefore this control is not applicable as it only applies to domain controllers

V-73393 Fails for Default Domain Inheritance of Infrastructure Object

The STIG calls out that Audit Rules will exist with inheritance from the domain.

  Two instances with the following summary information will be listed.
  Type - Success
  Principal - Everyone
  Access - (blank)
  Inherited from - (CN of domain)"

These objects show up with InheritanceFlags = ContainerInherit, InheritanceType = Decendents, and PropagationFlags = InheritOnly. The describe block should be modified to verify the values compare to those previously mentions.

 ...
    describe.one do
      acl_rules.each do |acl_rule|
        describe "Audit rule property for principal: #{acl_rule['IdentityReference']}" do
          subject { acl_rule }
          its(['AuditFlags']) { should cmp "Success" }
          its(['IdentityReference']) { should cmp "Everyone" }
          its(['ActiveDirectoryRights']) { should cmp "WriteProperty" }
          its(['InheritanceFlags']) { should cmp "None" }
          its(['InheritanceType']) { should cmp "Descendents" }
          its(['PropagationFlags']) { should cmp "None" }
        end
      end
    end
 ...

For further consideration, InheritanceType of Decendents is defined as "Indicates inheritance that includes the object's immediate children and the descendants of the object's children, but not the object itself."
https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectorysecurityinheritance?view=net-5.0

InheritaceFlag = None and PropagationFlags = None is not coherent with InheritanceType = Decendents.

Supporting documents properties:
https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectorysecurityinheritance?view=net-5.0
https://docs.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.inheritanceflags?view=net-5.0
https://docs.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.propagationflags?view=net-5.0

In addition netbiosname variable does not appear to be used. Although, I believe this to be a problem in several controls. Perhaps a separate issue is needed.

Use the attribute object directly rather than assigning it to another variable

ADMINISTRATORS = attribute('administrators')
..
 administrator_group = command("net localgroup Administrators | Format-List | Findstr /V 'Alias Name Comment Members - command'").stdout.strip.split("\n")
  administrator_group.each do |user|
    a = user.strip
    describe a.to_s do
      it { should be_in ADMINISTRATORS }
    end
  end
  if administrator_group.empty?
    impact 0.0
    desc 'There are no users with administrative privileges on this system, 
    therefore this control is not applicable'
    describe 'There are no users with administrative privileges on this system, 
    therefore this control is not applicable' do
      skip 'There are no users with administrative privileges on this system, 
      therefore this control is not applicable'
    end
  end

could just as easily be, avoiding both the ruby constant issue with ALLCAPS variables and a few less cycles.

..
 administrator_group = command("net localgroup Administrators | Format-List | Findstr /V 'Alias Name Comment Members - command'").stdout.strip.split("\n")
  administrator_group.each do |user|
    a = user.strip
    describe a.to_s do
      it { should be_in attribute('administrators') }
    end
  end
  if administrator_group.empty?
    impact 0.0
    desc 'There are no users with administrative privileges on this system, 
    therefore this control is not applicable'
    describe 'There are no users with administrative privileges on this system, 
    therefore this control is not applicable' do
      skip 'There are no users with administrative privileges on this system, 
      therefore this control is not applicable'
    end
  end

V-73389 Performs Excessive Iterations

Similar to Issue #46, V-73389 performs excessive iterations as a result of two factors: describe.one blocks around each describe block, and acl_rule looping within each describe set. This results in each acl_rule being evaluated against every describe set causing multiple failures for each acl_rule.

 ...
      describe.one do
        acl_rules.each do |acl_rule|
          describe "Audit rule property for principal: #{acl_rule['IdentityReference']}" do
            subject { acl_rule }
            its(['AuditFlags']) { should cmp "Fail" }
            its(['IdentityReference']) { should cmp "Everyone" }
            its(['ActiveDirectoryRights']) { should cmp /(GenericAll)/ }
          end
        end
      end

      describe.one do
        acl_rules.each do |acl_rule|
          describe "Audit rule property for principal: #{acl_rule['IdentityReference']}" do
            subject { acl_rule }
            its(['AuditFlags']) { should cmp "Success" }
            its(['IdentityReference']) { should cmp "Everyone" }
            its(['ActiveDirectoryRights']) { should cmp /(WriteProperty)|(WriteDacl)/ }
            its(['IsInherited']) { should cmp "True" }
            its(['InheritanceType']) { should cmp "All" }
          end
        end
      end

      describe.one do
        acl_rules.each do |acl_rule|
          describe "Audit rule property for principal: #{acl_rule['IdentityReference']}" do
 ...

https://docs.chef.io/inspec/dsl_inspec/#describeone-usage-notes

Suggested resolution:
A single describe.one block should encapsulate all of the describe sets, and the acl_rules loop be moved outside the describe.one block. This would ensure each acl_rule matches one of the describe sets or fail.

V-73611: Current test code error prone

V-73611: Current test code error prone because it relized on comparison to a null string...

suggested test code

 Get-ChildItem -Path Cert:\LocalMachine\ | ConvertTo-Json
.
.
.
    {
        "StoreHandle":  null,
        "Location":  2,
        "Name":  "My",
        "Certificates":  [

                         ],
        "PSPath":  "Microsoft.PowerShell.Security\\Certificate::My",
        "PSParentPath":  "",
        "PSChildName":  "My",
        "PSDrive":  {
                        "CurrentLocation":  "",
                        "Name":  "Cert",
                        "Provider":  "Microsoft.PowerShell.Security\\Certificate",
                        "Root":  "\\",
                        "Description":  "X509 Certificate Provider",
                        "MaximumSize":  null,
                        "Credential":  "System.Management.Automation.PSCredential",
                        "DisplayRoot":  null
                    },
        "PSProvider":  {
                           "ImplementingType":  "Microsoft.PowerShell.Commands.CertificateProvider",
                           "HelpFile":  "Microsoft.PowerShell.Security.dll-Help.xml",
                           "Name":  "Certificate",
                           "PSSnapIn":  null,
                           "ModuleName":  "Microsoft.PowerShell.Security",
                           "Module":  "Microsoft.PowerShell.Security",
                           "Description":  "",
                           "Capabilities":  16,
                           "Home":  "",
                           "Drives":  "Cert"
                       },
        "PSIsContainer":  true
    },
.
.
.
.

Incorrect condition for Non applicable case

Please update the following Non applicable case condition

https://github.com/mitre/stig-microsoft-windows-server-2016-v1r4-baseline/blob/42fbf823bfe09d727a12476deda3762fe266e3f3/controls/V-73283.rb#L66

if !temp_account.empty?

V-73393 adjust for inspec subject block limitation

Inspec has a limitation where subject {} blocks does not function properly within a describe.one block

Same applies to an input() or attribute() block within a describe.one block

https://github.com/mitre/stig-microsoft-windows-server-2016-v1r4-baseline/blob/42fbf823bfe09d727a12476deda3762fe266e3f3/controls/V-73393.rb#L119-L130

Current design of the test results in powershell resource being unrecognized.

Message: undefined method `powershell' for #<RSpec::ExampleGroups::TheFilePermissionsOnADCNInfrastructureDCVsphereadDCNet:0x00007ff42e8cf0a8>

Please update the test to call the powershell call outside the describe.one block and place it in a variable.

The variable can be using within the subject{} block within the describe.one block

V-73607 Certificate expiration not checked

V-73607 current test code does not validated the expiration date of the DOD Certificate

Incorrect verbiage for domain_role check V-73221

https://github.com/mitre/stig-microsoft-windows-server-2016-v1r4-baseline/blob/8b5935dafb445e7f0d5eab6f898cee57ea6356fa/controls/V-73221.rb#L89-L95

The please update the verbiage to the effect of

This applies to member servers and standalone systems. A
  separate version applies to domain controllers.

Standardize using V-92975 and V-92977

Update the relevant controls in 2016 by using the same approach used in:

V-73391 Performs Excessive Iterations

V-73391 performs excessive iterations as a result of two factors: describe.one blocks around each describe block, and acl_rule looping within each describe set. This results in each acl_rule being evaluated against every describe set causing multiple failures for each acl_rule.

    describe.one do
      acl_rules.each do |acl_rule|
        describe "Audit rule property for principal: #{acl_rule['IdentityReference']}" do
          subject { acl_rule }
          its(['AuditFlags']) { should cmp "Fail" }
          its(['IdentityReference']) { should cmp "Everyone" }
          its(['ActiveDirectoryRights']) { should cmp "GenericAll" }
          its(['InheritanceFlags']) { should cmp "None" }
          its(['InheritanceType']) { should cmp "None" }
          its(['PropagationFlags']) { should cmp "None" }
        end
      end
    end

    describe.one do
      acl_rules.each do |acl_rule|
        describe "Audit rule property for principal: #{acl_rule['IdentityReference']}" do
          subject { acl_rule }
          its(['AuditFlags']) { should cmp "Success" }
          its(['IdentityReference']) { should cmp "Everyone" }
          its(['ActiveDirectoryRights']) { should cmp "WriteProperty" }
          its(['InheritanceFlags']) { should cmp "ContainerInherit" }
          its(['InheritanceType']) { should cmp "All" }
          its(['PropagationFlags']) { should cmp "None" }
        end
      end
    end

    describe.one do
      acl_rules.each do |acl_rule|
        describe "Audit rule property for principal: #{acl_rule['IdentityReference']}" do

https://docs.chef.io/inspec/dsl_inspec/#describeone-usage-notes

Suggested resolution:
A single describe.one block should encapsulate all of the describe sets, and the acl_rules loop be moved outside the describe.one block. This would ensure each acl_rule matches one of the describe sets or fail.

V-73393 Performs Excessive Iterations

Similar to Issue #46, V-73393 performs excessive iterations as a result of two factors: describe.one blocks around each describe block, and acl_rule looping within each describe set. This results in each acl_rule being evaluated against every describe set causing multiple failures for each acl_rule.

 ...
    describe.one do
      acl_rules.each do |acl_rule|
        describe "Audit rule property for principal: #{acl_rule['IdentityReference']}" do
          subject { acl_rule }
          its(['AuditFlags']) { should cmp "Fail" }
          its(['IdentityReference']) { should cmp "Everyone" }
          its(['ActiveDirectoryRights']) { should cmp "GenericAll" }
          its(['InheritanceFlags']) { should cmp "None" }
          its(['InheritanceType']) { should cmp "None" }
          its(['PropagationFlags']) { should cmp "None" }
        end
      end
    end

    describe.one do
      acl_rules.each do |acl_rule|
        describe "Audit rule property for principal: #{acl_rule['IdentityReference']}" do
          subject { acl_rule }
          its(['AuditFlags']) { should cmp "Success" }
          its(['IdentityReference']) { should cmp "Everyone" }
          its(['ActiveDirectoryRights']) { should cmp "WriteProperty, ExtendedRight" }
          its(['InheritanceFlags']) { should cmp "None" }
          its(['InheritanceType']) { should cmp "None" }
          its(['PropagationFlags']) { should cmp "None" }
        end
      end
    end

    describe.one do
      acl_rules.each do |acl_rule|
        describe "Audit rule property for principal: #{acl_rule['IdentityReference']}" do
 ...

https://docs.chef.io/inspec/dsl_inspec/#describeone-usage-notes

Issue with V-73509

Issues is that the registry for windows and inspec registry_key don't align on slashes, need to update the code to have:
variables to be added for gsub to work
keyvalue_netlogon = '\\\NETLOGON'
keyvalue_sysvol = '\\\SYSVOL'

in both describe statements
it { should have_property keyvalue_sysvol.gsub('\', '\\\\') }
its (keyvalue_sysvol.gsub('\', '\\\\')) { should cmp 'RequireMutualAuthentication=1, RequireIntegrity=1'}

ASCII-8BIT to UTF-8 (Encoding::UndefinedConversionError) error

Running this on a Windows 2016 stock image and attempting to output the format in json yielded the UTF error.

This is related to inspec/inspec#3375

I identified the following controls that cause the issue:

In controls 73607, 73609, 78127, the ... need's to be removed or escaped.

In control 73285 the - in -AccountExpiring needs to be escaped

controls/V-73285.rb:50:  Enter \"Search-ADAccount –AccountExpiring | FT Name, AccountExpirationDate\".
controls/V-73607.rb:73:  For each certificate with \"DoD Root CA…\" under \"Issued To\" and \"DoD
controls/V-73607.rb:74:  Interoperability Root CA…\" under \"Issued By\":
controls/V-73609.rb:66:  For each certificate with \"US DoD CCEB Interoperability Root CA …\" under
controls/V-78127.rb:28:(Unresolved SIDs have the format of \"*S-1-…\".)

After removing or escaping these, the output saves to json properly

Incorrect NIST Tag

Please remove the following lines from control V-73219 and V-73313.
It incorrectly overwrites a valid NIST tag specification above it.

https://github.com/mitre/stig-microsoft-windows-server-2016-v1r4-baseline/blob/42fbf823bfe09d727a12476deda3762fe266e3f3/controls/V-73219.rb#L22

https://github.com/mitre/stig-microsoft-windows-server-2016-v1r4-baseline/blob/0e48ee079b14b2799c22d28c2e40f986f3fdab4b/controls/V-73313.rb#L19

V-73377 current test code doesnt not actually test access.

V-73377 current test code doesnt not actually test access, it just looks for Allow flag but does not for what kind of access as specified in the check text

Proposed test:

$dn = (Get-ADDomain).DistinguishedName
PS C:\Users\Administrator> (Get-ACL -Path AD:\$dn).Access | ConvertTo-Csv | ConvertFrom-Csv | ConvertTo-Json
[
    {
        "ActiveDirectoryRights":  "ReadProperty",
        "InheritanceType":  "None",
        "ObjectType":  "00000000-0000-0000-0000-000000000000",
        "InheritedObjectType":  "00000000-0000-0000-0000-000000000000",
        "ObjectFlags":  "None",
        "AccessControlType":  "Allow",
        "IdentityReference":  "Everyone",
        "IsInherited":  "False",
        "InheritanceFlags":  "None",
        "PropagationFlags":  "None"
    },
    {
        "ActiveDirectoryRights":  "GenericRead",
        "InheritanceType":  "None",
        "ObjectType":  "00000000-0000-0000-0000-000000000000",
        "InheritedObjectType":  "00000000-0000-0000-0000-000000000000",
        "ObjectFlags":  "None",
        "AccessControlType":  "Allow",
        "IdentityReference":  "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS",
        "IsInherited":  "False",
        "InheritanceFlags":  "None",
        "PropagationFlags":  "None"
    },
    {
        "ActiveDirectoryRights":  "GenericRead",
        "InheritanceType":  "None",
        "ObjectType":  "00000000-0000-0000-0000-000000000000",
        "InheritedObjectType":  "00000000-0000-0000-0000-000000000000",
        "ObjectFlags":  "None",
        "AccessControlType":  "Allow",
        "IdentityReference":  "NT AUTHORITY\\Authenticated Users",
        "IsInherited":  "False",
        "InheritanceFlags":  "None",
        "PropagationFlags":  "None"
    },
    {
        "ActiveDirectoryRights":  "GenericAll",
        "InheritanceType":  "None",
        "ObjectType":  "00000000-0000-0000-0000-000000000000",
        "InheritedObjectType":  "00000000-0000-0000-0000-000000000000",
        "ObjectFlags":  "None",
        "AccessControlType":  "Allow",
        "IdentityReference":  "NT AUTHORITY\\SYSTEM",
        "IsInherited":  "False",
        "InheritanceFlags":  "None",
        "PropagationFlags":  "None"
    },
    {
        "ActiveDirectoryRights":  "CreateChild, Self, WriteProperty, ExtendedRight, Delete, GenericRead, WriteDacl, WriteOwner",
        "InheritanceType":  "All",
        "ObjectType":  "00000000-0000-0000-0000-000000000000",
        "InheritedObjectType":  "00000000-0000-0000-0000-000000000000",
        "ObjectFlags":  "None",
        "AccessControlType":  "Allow",
        "IdentityReference":  "BUILTIN\\Administrators",
        "IsInherited":  "False",
        "InheritanceFlags":  "ContainerInherit",
        "PropagationFlags":  "None"
    },
    {
        "ActiveDirectoryRights":  "ReadProperty, ReadControl",
        "InheritanceType":  "None",
        "ObjectType":  "00000000-0000-0000-0000-000000000000",
        "InheritedObjectType":  "00000000-0000-0000-0000-000000000000",
        "ObjectFlags":  "None",
        "AccessControlType":  "Allow",
        "IdentityReference":  "BUILTIN\\Pre-Windows 2000 Compatible Access",
        "IsInherited":  "False",
        "InheritanceFlags":  "None",
        "PropagationFlags":  "None"
    },
    {
        "ActiveDirectoryRights":  "ListChildren",
        "InheritanceType":  "All",
        "ObjectType":  "00000000-0000-0000-0000-000000000000",
        "InheritedObjectType":  "00000000-0000-0000-0000-000000000000",
        "ObjectFlags":  "None",
        "AccessControlType":  "Allow",
        "IdentityReference":  "BUILTIN\\Pre-Windows 2000 Compatible Access",
        "IsInherited":  "False",
        "InheritanceFlags":  "ContainerInherit",
        "PropagationFlags":  "None"
    },
    {
        "ActiveDirectoryRights":  "CreateChild, Self, WriteProperty, ExtendedRight, GenericRead, WriteDacl, WriteOwner",
        "InheritanceType":  "None",
        "ObjectType":  "00000000-0000-0000-0000-000000000000",
        "InheritedObjectType":  "00000000-0000-0000-0000-000000000000",
        "ObjectFlags":  "None",
        "AccessControlType":  "Allow",
        "IdentityReference":  "VSPHEREAD\\Domain Admins",
        "IsInherited":  "False",
        "InheritanceFlags":  "None",
        "PropagationFlags":  "None"
    },
    {
        "ActiveDirectoryRights":  "GenericAll",
        "InheritanceType":  "All",
        "ObjectType":  "00000000-0000-0000-0000-000000000000",
        "InheritedObjectType":  "00000000-0000-0000-0000-000000000000",
        "ObjectFlags":  "None",
        "AccessControlType":  "Allow",
        "IdentityReference":  "VSPHEREAD\\Enterprise Admins",
        "IsInherited":  "False",
        "InheritanceFlags":  "ContainerInherit",
        "PropagationFlags":  "None"
    },
    {
        "ActiveDirectoryRights":  "Self",
        "InheritanceType":  "Descendents",
        "ObjectType":  "9b026da6-0d3c-465c-8bee-5199d7165cba",
        "InheritedObjectType":  "bf967a86-0de6-11d0-a285-00aa003049e2",
        "ObjectFlags":  "ObjectAceTypePresent, InheritedObjectAceTypePresent",
        "AccessControlType":  "Allow",
        "IdentityReference":  "CREATOR OWNER",
        "IsInherited":  "False",
        "InheritanceFlags":  "ContainerInherit",
        "PropagationFlags":  "InheritOnly"
    },
    {
        "ActiveDirectoryRights":  "ExtendedRight",
        "InheritanceType":  "None",
        "ObjectType":  "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2",
        "InheritedObjectType":  "00000000-0000-0000-0000-000000000000",
        "ObjectFlags":  "ObjectAceTypePresent",
        "AccessControlType":  "Allow",
        "IdentityReference":  "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS",
        "IsInherited":  "False",
        "InheritanceFlags":  "None",
        "PropagationFlags":  "None"
    },
    {
        "ActiveDirectoryRights":  "ExtendedRight",
        "InheritanceType":  "None",
        "ObjectType":  "1131f6ab-9c07-11d1-f79f-00c04fc2dcd2",
        "InheritedObjectType":  "00000000-0000-0000-0000-000000000000",
        "ObjectFlags":  "ObjectAceTypePresent",
        "AccessControlType":  "Allow",
        "IdentityReference":  "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS",
        "IsInherited":  "False",
        "InheritanceFlags":  "None",
        "PropagationFlags":  "None"
    },
    {
        "ActiveDirectoryRights":  "ExtendedRight",
        "InheritanceType":  "None",
        "ObjectType":  "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
        "InheritedObjectType":  "00000000-0000-0000-0000-000000000000",
        "ObjectFlags":  "ObjectAceTypePresent",
        "AccessControlType":  "Allow",
        "IdentityReference":  "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS",
        "IsInherited":  "False",
        "InheritanceFlags":  "None",
        "PropagationFlags":  "None"
    },
    {
        "ActiveDirectoryRights":  "ExtendedRight",
        "InheritanceType":  "None",
        "ObjectType":  "89e95b76-444d-4c62-991a-0facbeda640c",
        "InheritedObjectType":  "00000000-0000-0000-0000-000000000000",
        "ObjectFlags":  "ObjectAceTypePresent",
        "AccessControlType":  "Allow",
        "IdentityReference":  "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS",
        "IsInherited":  "False",
        "InheritanceFlags":  "None",
        "PropagationFlags":  "None"
    },
    {
        "ActiveDirectoryRights":  "ReadProperty",
        "InheritanceType":  "Descendents",
        "ObjectType":  "b7c69e6d-2cc7-11d2-854e-00a0c983f608",
        "InheritedObjectType":  "bf967aba-0de6-11d0-a285-00aa003049e2",
        "ObjectFlags":  "ObjectAceTypePresent, InheritedObjectAceTypePresent",
        "AccessControlType":  "Allow",
        "IdentityReference":  "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS",
        "IsInherited":  "False",
        "InheritanceFlags":  "ContainerInherit",
        "PropagationFlags":  "InheritOnly"
    },
    {
        "ActiveDirectoryRights":  "ExtendedRight",
        "InheritanceType":  "None",
        "ObjectType":  "1131f6ae-9c07-11d1-f79f-00c04fc2dcd2",
        "InheritedObjectType":  "00000000-0000-0000-0000-000000000000",
        "ObjectFlags":  "ObjectAceTypePresent",
        "AccessControlType":  "Allow",
        "IdentityReference":  "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS",
        "IsInherited":  "False",
        "InheritanceFlags":  "None",
        "PropagationFlags":  "None"
    },
    {
        "ActiveDirectoryRights":  "ReadProperty",
        "InheritanceType":  "Descendents",
        "ObjectType":  "b7c69e6d-2cc7-11d2-854e-00a0c983f608",
        "InheritedObjectType":  "bf967a9c-0de6-11d0-a285-00aa003049e2",
        "ObjectFlags":  "ObjectAceTypePresent, InheritedObjectAceTypePresent",
        "AccessControlType":  "Allow",
        "IdentityReference":  "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS",
        "IsInherited":  "False",
        "InheritanceFlags":  "ContainerInherit",
        "PropagationFlags":  "InheritOnly"
    },
    {
        "ActiveDirectoryRights":  "ReadProperty",
        "InheritanceType":  "Descendents",
        "ObjectType":  "b7c69e6d-2cc7-11d2-854e-00a0c983f608",
        "InheritedObjectType":  "bf967a86-0de6-11d0-a285-00aa003049e2",
        "ObjectFlags":  "ObjectAceTypePresent, InheritedObjectAceTypePresent",
        "AccessControlType":  "Allow",
        "IdentityReference":  "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS",
        "IsInherited":  "False",
        "InheritanceFlags":  "ContainerInherit",
        "PropagationFlags":  "InheritOnly"
    },
    {
        "ActiveDirectoryRights":  "Self",
        "InheritanceType":  "Descendents",
        "ObjectType":  "9b026da6-0d3c-465c-8bee-5199d7165cba",
        "InheritedObjectType":  "bf967a86-0de6-11d0-a285-00aa003049e2",
        "ObjectFlags":  "ObjectAceTypePresent, InheritedObjectAceTypePresent",
        "AccessControlType":  "Allow",
        "IdentityReference":  "NT AUTHORITY\\SELF",
        "IsInherited":  "False",
        "InheritanceFlags":  "ContainerInherit",
        "PropagationFlags":  "InheritOnly"
    },
    {
        "ActiveDirectoryRights":  "ReadProperty, WriteProperty, ExtendedRight",
        "InheritanceType":  "Descendents",
        "ObjectType":  "91e647de-d96f-4b70-9557-d63ff4f3ccd8",
        "InheritedObjectType":  "00000000-0000-0000-0000-000000000000",
        "ObjectFlags":  "ObjectAceTypePresent",
        "AccessControlType":  "Allow",
        "IdentityReference":  "NT AUTHORITY\\SELF",
        "IsInherited":  "False",
        "InheritanceFlags":  "ContainerInherit",
        "PropagationFlags":  "InheritOnly"
    },
    {
        "ActiveDirectoryRights":  "WriteProperty",
        "InheritanceType":  "Descendents",
        "ObjectType":  "ea1b7b93-5e48-46d5-bc6c-4df4fda78a35",
        "InheritedObjectType":  "bf967a86-0de6-11d0-a285-00aa003049e2",
        "ObjectFlags":  "ObjectAceTypePresent, InheritedObjectAceTypePresent",
        "AccessControlType":  "Allow",
        "IdentityReference":  "NT AUTHORITY\\SELF",
        "IsInherited":  "False",
        "InheritanceFlags":  "ContainerInherit",
        "PropagationFlags":  "InheritOnly"
    },
    {
        "ActiveDirectoryRights":  "ReadProperty, WriteProperty",
        "InheritanceType":  "All",
        "ObjectType":  "3f78c3e5-f79a-46bd-a0b8-9d18116ddc79",
        "InheritedObjectType":  "00000000-0000-0000-0000-000000000000",
        "ObjectFlags":  "ObjectAceTypePresent",
        "AccessControlType":  "Allow",
        "IdentityReference":  "NT AUTHORITY\\SELF",
        "IsInherited":  "False",
        "InheritanceFlags":  "ContainerInherit, ObjectInherit",
        "PropagationFlags":  "None"
    },
    {
        "ActiveDirectoryRights":  "ExtendedRight",
        "InheritanceType":  "None",
        "ObjectType":  "05c74c5e-4deb-43b4-bd9f-86664c2a7fd5",
        "InheritedObjectType":  "00000000-0000-0000-0000-000000000000",
        "ObjectFlags":  "ObjectAceTypePresent",
        "AccessControlType":  "Allow",
        "IdentityReference":  "NT AUTHORITY\\Authenticated Users",
        "IsInherited":  "False",
        "InheritanceFlags":  "None",
        "PropagationFlags":  "None"
    },
    {
        "ActiveDirectoryRights":  "ExtendedRight",
        "InheritanceType":  "None",
        "ObjectType":  "ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501",
        "InheritedObjectType":  "00000000-0000-0000-0000-000000000000",
        "ObjectFlags":  "ObjectAceTypePresent",
        "AccessControlType":  "Allow",
        "IdentityReference":  "NT AUTHORITY\\Authenticated Users",
        "IsInherited":  "False",
        "InheritanceFlags":  "None",
        "PropagationFlags":  "None"
    },
    {
        "ActiveDirectoryRights":  "ExtendedRight",
        "InheritanceType":  "None",
        "ObjectType":  "280f369c-67c7-438e-ae98-1d46f3c6f541",
        "InheritedObjectType":  "00000000-0000-0000-0000-000000000000",
        "ObjectFlags":  "ObjectAceTypePresent",
        "AccessControlType":  "Allow",
        "IdentityReference":  "NT AUTHORITY\\Authenticated Users",
        "IsInherited":  "False",
        "InheritanceFlags":  "None",
        "PropagationFlags":  "None"
    },
    {
        "ActiveDirectoryRights":  "ReadProperty",
        "InheritanceType":  "None",
        "ObjectType":  "b8119fd0-04f6-4762-ab7a-4986c76b3f9a",
        "InheritedObjectType":  "00000000-0000-0000-0000-000000000000",
        "ObjectFlags":  "ObjectAceTypePresent",
        "AccessControlType":  "Allow",
        "IdentityReference":  "NT AUTHORITY\\Authenticated Users",
        "IsInherited":  "False",
        "InheritanceFlags":  "None",
        "PropagationFlags":  "None"
    },
    {
        "ActiveDirectoryRights":  "ExtendedRight",
        "InheritanceType":  "None",
        "ObjectType":  "1131f6ae-9c07-11d1-f79f-00c04fc2dcd2",
        "InheritedObjectType":  "00000000-0000-0000-0000-000000000000",
        "ObjectFlags":  "ObjectAceTypePresent",
        "AccessControlType":  "Allow",
        "IdentityReference":  "BUILTIN\\Administrators",
        "IsInherited":  "False",
        "InheritanceFlags":  "None",
        "PropagationFlags":  "None"
    },
    {
        "ActiveDirectoryRights":  "ExtendedRight",
        "InheritanceType":  "None",
        "ObjectType":  "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
        "InheritedObjectType":  "00000000-0000-0000-0000-000000000000",
        "ObjectFlags":  "ObjectAceTypePresent",
        "AccessControlType":  "Allow",
        "IdentityReference":  "BUILTIN\\Administrators",
        "IsInherited":  "False",
        "InheritanceFlags":  "None",
        "PropagationFlags":  "None"
    },
    {
        "ActiveDirectoryRights":  "ExtendedRight",
        "InheritanceType":  "None",
        "ObjectType":  "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2",
        "InheritedObjectType":  "00000000-0000-0000-0000-000000000000",
        "ObjectFlags":  "ObjectAceTypePresent",
        "AccessControlType":  "Allow",
        "IdentityReference":  "BUILTIN\\Administrators",
        "IsInherited":  "False",
        "InheritanceFlags":  "None",
        "PropagationFlags":  "None"
    },
    {
        "ActiveDirectoryRights":  "ExtendedRight",
        "InheritanceType":  "None",
        "ObjectType":  "1131f6ab-9c07-11d1-f79f-00c04fc2dcd2",
        "InheritedObjectType":  "00000000-0000-0000-0000-000000000000",
        "ObjectFlags":  "ObjectAceTypePresent",
        "AccessControlType":  "Allow",
        "IdentityReference":  "BUILTIN\\Administrators",
        "IsInherited":  "False",
        "InheritanceFlags":  "None",
        "PropagationFlags":  "None"
    },
    {
        "ActiveDirectoryRights":  "ExtendedRight",
        "InheritanceType":  "None",
        "ObjectType":  "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
        "InheritedObjectType":  "00000000-0000-0000-0000-000000000000",
        "ObjectFlags":  "ObjectAceTypePresent",
        "AccessControlType":  "Allow",
        "IdentityReference":  "BUILTIN\\Administrators",
        "IsInherited":  "False",
        "InheritanceFlags":  "None",
        "PropagationFlags":  "None"
    },
    {
        "ActiveDirectoryRights":  "ExtendedRight",
        "InheritanceType":  "None",
        "ObjectType":  "89e95b76-444d-4c62-991a-0facbeda640c",
        "InheritedObjectType":  "00000000-0000-0000-0000-000000000000",
        "ObjectFlags":  "ObjectAceTypePresent",
        "AccessControlType":  "Allow",
        "IdentityReference":  "BUILTIN\\Administrators",
        "IsInherited":  "False",
        "InheritanceFlags":  "None",
        "PropagationFlags":  "None"
    },
    {
        "ActiveDirectoryRights":  "GenericRead",
        "InheritanceType":  "Descendents",
        "ObjectType":  "00000000-0000-0000-0000-000000000000",
        "InheritedObjectType":  "bf967aba-0de6-11d0-a285-00aa003049e2",
        "ObjectFlags":  "InheritedObjectAceTypePresent",
        "AccessControlType":  "Allow",
        "IdentityReference":  "BUILTIN\\Pre-Windows 2000 Compatible Access",
        "IsInherited":  "False",
        "InheritanceFlags":  "ContainerInherit",
        "PropagationFlags":  "InheritOnly"
    },
    {
        "ActiveDirectoryRights":  "GenericRead",
        "InheritanceType":  "Descendents",
        "ObjectType":  "00000000-0000-0000-0000-000000000000",
        "InheritedObjectType":  "bf967a9c-0de6-11d0-a285-00aa003049e2",
        "ObjectFlags":  "InheritedObjectAceTypePresent",
        "AccessControlType":  "Allow",
        "IdentityReference":  "BUILTIN\\Pre-Windows 2000 Compatible Access",
        "IsInherited":  "False",
        "InheritanceFlags":  "ContainerInherit",
        "PropagationFlags":  "InheritOnly"
    },
    {
        "ActiveDirectoryRights":  "ReadProperty",
        "InheritanceType":  "Descendents",
        "ObjectType":  "59ba2f42-79a2-11d0-9020-00c04fc2d3cf",
        "InheritedObjectType":  "bf967aba-0de6-11d0-a285-00aa003049e2",
        "ObjectFlags":  "ObjectAceTypePresent, InheritedObjectAceTypePresent",
        "AccessControlType":  "Allow",
        "IdentityReference":  "BUILTIN\\Pre-Windows 2000 Compatible Access",
        "IsInherited":  "False",
        "InheritanceFlags":  "ContainerInherit",
        "PropagationFlags":  "InheritOnly"
    },
    {
        "ActiveDirectoryRights":  "GenericRead",
        "InheritanceType":  "Descendents",
        "ObjectType":  "00000000-0000-0000-0000-000000000000",
        "InheritedObjectType":  "4828cc14-1437-45bc-9b07-ad6f015e5f28",
        "ObjectFlags":  "InheritedObjectAceTypePresent",
        "AccessControlType":  "Allow",
        "IdentityReference":  "BUILTIN\\Pre-Windows 2000 Compatible Access",
        "IsInherited":  "False",
        "InheritanceFlags":  "ContainerInherit",
        "PropagationFlags":  "InheritOnly"
    },
    {
        "ActiveDirectoryRights":  "ReadProperty",
        "InheritanceType":  "None",
        "ObjectType":  "b8119fd0-04f6-4762-ab7a-4986c76b3f9a",
        "InheritedObjectType":  "00000000-0000-0000-0000-000000000000",
        "ObjectFlags":  "ObjectAceTypePresent",
        "AccessControlType":  "Allow",
        "IdentityReference":  "BUILTIN\\Pre-Windows 2000 Compatible Access",
        "IsInherited":  "False",
        "InheritanceFlags":  "None",
        "PropagationFlags":  "None"
    },
    {
        "ActiveDirectoryRights":  "ReadProperty",
        "InheritanceType":  "Descendents",
        "ObjectType":  "037088f8-0ae1-11d2-b422-00a0c968f939",
        "InheritedObjectType":  "4828cc14-1437-45bc-9b07-ad6f015e5f28",
        "ObjectFlags":  "ObjectAceTypePresent, InheritedObjectAceTypePresent",
        "AccessControlType":  "Allow",
        "IdentityReference":  "BUILTIN\\Pre-Windows 2000 Compatible Access",
        "IsInherited":  "False",
        "InheritanceFlags":  "ContainerInherit",
        "PropagationFlags":  "InheritOnly"
    },
    {
        "ActiveDirectoryRights":  "ReadProperty",
        "InheritanceType":  "Descendents",
        "ObjectType":  "4c164200-20c0-11d0-a768-00aa006e0529",
        "InheritedObjectType":  "bf967aba-0de6-11d0-a285-00aa003049e2",
        "ObjectFlags":  "ObjectAceTypePresent, InheritedObjectAceTypePresent",
        "AccessControlType":  "Allow",
        "IdentityReference":  "BUILTIN\\Pre-Windows 2000 Compatible Access",
        "IsInherited":  "False",
        "InheritanceFlags":  "ContainerInherit",
        "PropagationFlags":  "InheritOnly"
    },
    {
        "ActiveDirectoryRights":  "ReadProperty",
        "InheritanceType":  "Descendents",
        "ObjectType":  "5f202010-79a5-11d0-9020-00c04fc2d4cf",
        "InheritedObjectType":  "4828cc14-1437-45bc-9b07-ad6f015e5f28",
        "ObjectFlags":  "ObjectAceTypePresent, InheritedObjectAceTypePresent",
        "AccessControlType":  "Allow",
        "IdentityReference":  "BUILTIN\\Pre-Windows 2000 Compatible Access",
        "IsInherited":  "False",
        "InheritanceFlags":  "ContainerInherit",
        "PropagationFlags":  "InheritOnly"
    },
    {
        "ActiveDirectoryRights":  "ReadProperty",
        "InheritanceType":  "Descendents",
        "ObjectType":  "5f202010-79a5-11d0-9020-00c04fc2d4cf",
        "InheritedObjectType":  "bf967aba-0de6-11d0-a285-00aa003049e2",
        "ObjectFlags":  "ObjectAceTypePresent, InheritedObjectAceTypePresent",
        "AccessControlType":  "Allow",
        "IdentityReference":  "BUILTIN\\Pre-Windows 2000 Compatible Access",
        "IsInherited":  "False",
        "InheritanceFlags":  "ContainerInherit",
        "PropagationFlags":  "InheritOnly"
    },
    {
        "ActiveDirectoryRights":  "ReadProperty",
        "InheritanceType":  "None",
        "ObjectType":  "c7407360-20bf-11d0-a768-00aa006e0529",
        "InheritedObjectType":  "00000000-0000-0000-0000-000000000000",
        "ObjectFlags":  "ObjectAceTypePresent",
        "AccessControlType":  "Allow",
        "IdentityReference":  "BUILTIN\\Pre-Windows 2000 Compatible Access",
        "IsInherited":  "False",
        "InheritanceFlags":  "None",
        "PropagationFlags":  "None"
    },
    {
        "ActiveDirectoryRights":  "ReadProperty",
        "InheritanceType":  "Descendents",
        "ObjectType":  "59ba2f42-79a2-11d0-9020-00c04fc2d3cf",
        "InheritedObjectType":  "4828cc14-1437-45bc-9b07-ad6f015e5f28",
        "ObjectFlags":  "ObjectAceTypePresent, InheritedObjectAceTypePresent",
        "AccessControlType":  "Allow",
        "IdentityReference":  "BUILTIN\\Pre-Windows 2000 Compatible Access",
        "IsInherited":  "False",
        "InheritanceFlags":  "ContainerInherit",
        "PropagationFlags":  "InheritOnly"
    },
    {
        "ActiveDirectoryRights":  "ReadProperty",
        "InheritanceType":  "Descendents",
        "ObjectType":  "037088f8-0ae1-11d2-b422-00a0c968f939",
        "InheritedObjectType":  "bf967aba-0de6-11d0-a285-00aa003049e2",
        "ObjectFlags":  "ObjectAceTypePresent, InheritedObjectAceTypePresent",
        "AccessControlType":  "Allow",
        "IdentityReference":  "BUILTIN\\Pre-Windows 2000 Compatible Access",
        "IsInherited":  "False",
        "InheritanceFlags":  "ContainerInherit",
        "PropagationFlags":  "InheritOnly"
    },
    {
        "ActiveDirectoryRights":  "ReadProperty",
        "InheritanceType":  "Descendents",
        "ObjectType":  "bc0ac240-79a9-11d0-9020-00c04fc2d4cf",
        "InheritedObjectType":  "bf967aba-0de6-11d0-a285-00aa003049e2",
        "ObjectFlags":  "ObjectAceTypePresent, InheritedObjectAceTypePresent",
        "AccessControlType":  "Allow",
        "IdentityReference":  "BUILTIN\\Pre-Windows 2000 Compatible Access",
        "IsInherited":  "False",
        "InheritanceFlags":  "ContainerInherit",
        "PropagationFlags":  "InheritOnly"
    },
    {
        "ActiveDirectoryRights":  "ReadProperty",
        "InheritanceType":  "Descendents",
        "ObjectType":  "bc0ac240-79a9-11d0-9020-00c04fc2d4cf",
        "InheritedObjectType":  "4828cc14-1437-45bc-9b07-ad6f015e5f28",
        "ObjectFlags":  "ObjectAceTypePresent, InheritedObjectAceTypePresent",
        "AccessControlType":  "Allow",
        "IdentityReference":  "BUILTIN\\Pre-Windows 2000 Compatible Access",
        "IsInherited":  "False",
        "InheritanceFlags":  "ContainerInherit",
        "PropagationFlags":  "InheritOnly"
    },
    {
        "ActiveDirectoryRights":  "ReadProperty",
        "InheritanceType":  "Descendents",
        "ObjectType":  "4c164200-20c0-11d0-a768-00aa006e0529",
        "InheritedObjectType":  "4828cc14-1437-45bc-9b07-ad6f015e5f28",
        "ObjectFlags":  "ObjectAceTypePresent, InheritedObjectAceTypePresent",
        "AccessControlType":  "Allow",
        "IdentityReference":  "BUILTIN\\Pre-Windows 2000 Compatible Access",
        "IsInherited":  "False",
        "InheritanceFlags":  "ContainerInherit",
        "PropagationFlags":  "InheritOnly"
    },
    {
        "ActiveDirectoryRights":  "ExtendedRight",
        "InheritanceType":  "None",
        "ObjectType":  "e2a36dc9-ae17-47c3-b58b-be34c55ba633",
        "InheritedObjectType":  "00000000-0000-0000-0000-000000000000",
        "ObjectFlags":  "ObjectAceTypePresent",
        "AccessControlType":  "Allow",
        "IdentityReference":  "BUILTIN\\Incoming Forest Trust Builders",
        "IsInherited":  "False",
        "InheritanceFlags":  "None",
        "PropagationFlags":  "None"
    },
    {
        "ActiveDirectoryRights":  "ExtendedRight",
        "InheritanceType":  "None",
        "ObjectType":  "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
        "InheritedObjectType":  "00000000-0000-0000-0000-000000000000",
        "ObjectFlags":  "ObjectAceTypePresent",
        "AccessControlType":  "Allow",
        "IdentityReference":  "VSPHEREAD\\Enterprise Read-only Domain Controllers",
        "IsInherited":  "False",
        "InheritanceFlags":  "None",
        "PropagationFlags":  "None"
    },
    {
        "ActiveDirectoryRights":  "ExtendedRight",
        "InheritanceType":  "None",
        "ObjectType":  "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
        "InheritedObjectType":  "00000000-0000-0000-0000-000000000000",
        "ObjectFlags":  "ObjectAceTypePresent",
        "AccessControlType":  "Allow",
        "IdentityReference":  "VSPHEREAD\\Domain Controllers",
        "IsInherited":  "False",
        "InheritanceFlags":  "None",
        "PropagationFlags":  "None"
    },
    {
        "ActiveDirectoryRights":  "ExtendedRight",
        "InheritanceType":  "None",
        "ObjectType":  "3e0f7e18-2c7a-4c10-ba82-4d926db99a3e",
        "InheritedObjectType":  "00000000-0000-0000-0000-000000000000",
        "ObjectFlags":  "ObjectAceTypePresent",
        "AccessControlType":  "Allow",
        "IdentityReference":  "VSPHEREAD\\Cloneable Domain Controllers",
        "IsInherited":  "False",
        "InheritanceFlags":  "None",
        "PropagationFlags":  "None"
    },
    {
        "ActiveDirectoryRights":  "ReadProperty, WriteProperty",
        "InheritanceType":  "All",
        "ObjectType":  "5b47d60f-6090-40b2-9f37-2a4de88f3063",
        "InheritedObjectType":  "00000000-0000-0000-0000-000000000000",
        "ObjectFlags":  "ObjectAceTypePresent",
        "AccessControlType":  "Allow",
        "IdentityReference":  "VSPHEREAD\\Key Admins",
        "IsInherited":  "False",
        "InheritanceFlags":  "ContainerInherit",
        "PropagationFlags":  "None"
    },
    {
        "ActiveDirectoryRights":  "ReadProperty, WriteProperty",
        "InheritanceType":  "All",
        "ObjectType":  "5b47d60f-6090-40b2-9f37-2a4de88f3063",
        "InheritedObjectType":  "00000000-0000-0000-0000-000000000000",
        "ObjectFlags":  "ObjectAceTypePresent",
        "AccessControlType":  "Allow",
        "IdentityReference":  "VSPHEREAD\\Enterprise Key Admins",
        "IsInherited":  "False",
        "InheritanceFlags":  "ContainerInherit",
        "PropagationFlags":  "None"
    }
]

ActiveDirectoryRights Cheatsheet
https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectoryrights?view=netframework-4.8

Incorrect domain role condition

Some controls may have an incorrect domain role condition. For example, in V-73495, the check text states:

This applies to member servers. For domain controllers and standalone systems, this is NA.

So the code should be:

  domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip

  if !(domain_role == '3')
    impact 0.0
    describe 'This control is not applicable as it only applies to member servers.' do
      skip 'This control is not applicable as it only applies to member servers.'
    end
  else
    describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System') do
      it { should have_property 'LocalAccountTokenFilterPolicy' }
      its('LocalAccountTokenFilterPolicy') { should cmp 0 }
    end
  end

Reference for domain role values

Thanks @damif5 for catching this!

V-73241 The Windows Server 2016 system must use an anti-virus program.

Tests should be updated to cover Windows Defender as well.

Fixes needed for control V-73259

Current code wrongly assumes that control is NA for non Domain Controllers, however check text specifies it applicable to both
Current code relies on parsing based on character positions which can be very brittle.

Please below powershell code that can return data in a JSON format which can be tested in describe blocks

for Domain Controllers:

json(command: " Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 35.00:00:00 | ConvertTo-Json").params

For memeber servers:

user_query = <<-FOO
$users = @() 
  ([ADSI]('WinNT://{0}' -f $env:COMPUTERNAME)).Children | Where {
  $_.SchemaClassName -eq 'user' } | ForEach {
   $user = ([ADSI]$_.Path)
   $lastLogin = $user.Properties.LastLogin.Value


   $enabled = ($user.Properties.UserFlags.Value -band 0x2) -ne 0x2
   if ($lastLogin -eq $null) {
   $lastLogin = 'Never'
   }
   else {
   $today = Get-Date
   $diff = New-TimeSpan -Start "$lastLogin" -End $today
   $lastLogin = $diff.Days
   }

  $users += (@{ user = $user.Name.Value; lastLogin = $lastLogin; enabled = $enabled})
  }

$users | ConvertTo-Json
FOO

json(command: user_query).params

Command does not work

Command in control V-63873 and any control that has
get_domain_sid = command('wmic useraccount get sid | FINDSTR /V SID | Select -First 2').stdout.strip
domain_sid = get_domain_sid[9..40]

does not work, the first problem is that First 2 would only look at the first two local accounts, the second problem is that if you modify this command to get_domain_sid = command('wmic group get Name,SID | FINDSTR /C:"Domain Users"').stdout.strip. you will get the right SID but Inspec does not read domain objects with command or powershell it only sees local accounts

Incorrect if statement to check if not a domain controller

The if condition used below does the work as intended

https://github.com/mitre/stig-microsoft-windows-server-2016-v1r4-baseline/blob/de9ec3f2fda31332b7b4290c31cc192175dcfb09/controls/V-73381.rb#L65

please correct to either of the following

if !domain_role.eql?('4') && !domain_role.eql?('5')

if !(domain_role == '4') && !(domain_role == '5')

Corrections required on the following controls:

V-73377.rb:
  141    end
  142  
  143:   if !domain_role == '4' && !domain_role == '5'
  144      impact 0.0
  145      desc 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'

V-73379.rb:
   72    end
   73  
   74:   if !domain_role == '4' && !domain_role == '5'
   75      impact 0.0
   76      desc 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'

V-73381.rb:
   63    end
   64  
   65:   if !domain_role == '4' && !domain_role == '5'
   66      impact 0.0
   67      desc 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'

V-73383.rb:
   51    end
   52  
   53:   if !domain_role == '4' && !domain_role == '5'
   54      impact 0.0
   55      desc 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'

V-73385.rb:
   78    end
   79  
   80:   if !domain_role == '4' && !domain_role == '5'
   81      impact 0.0
   82      desc 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'

V-73387.rb:
  108    end
  109  
  110:   if !domain_role == '4' && !domain_role == '5'
  111      impact 0.0
  112      desc 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'

V-73389.rb:
  145    end
  146  
  147:   if !domain_role == '4' && !domain_role == '5'
  148      impact 0.0
  149      desc 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'

V-73391.rb:
  156    end
  157  
  158:   if !domain_role == '4' && !domain_role == '5'
  159      impact 0.0
  160      desc 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'

V-73393.rb:
  130    end
  131  
  132:   if !domain_role == '4' && !domain_role == '5'
  133      impact 0.0
  134      desc 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'

V-73397.rb:
  131      end
  132    end
  133:   if !domain_role == '4' && !domain_role == '5'
  134      impact 0.0
  135      desc 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'

V-73437.rb:
   65    end
   66  
   67:   if !domain_role == '4' && !domain_role == '5'
   68      impact 0.0
   69      desc 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'

V-73439.rb:
   65    end
   66  
   67:   if !domain_role == '4' && !domain_role == '5'
   68      impact 0.0
   69      desc 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'

V-73441.rb:
   65    end
   66  
   67:   if !domain_role == '4' && !domain_role == '5'
   68      impact 0.0
   69      desc 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'

V-73495.rb:
   47    \\Windows\\PolicyDefinitions\\en-US directories respectively."
   48    domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip
   49:   if !domain_role == '4' && !domain_role == '5'
   50      describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System') do
   51        it { should have_property 'LocalAccountTokenFilterPolicy' }

V-73533.rb:
   31    domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip
   32  
   33:   if !domain_role == '4' && !domain_role == '5'
   34      describe registry_key('HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System') do
   35        it { should have_property 'EnumerateLocalUsers' }

V-73541.rb:
   32    domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip
   33  
   34:   if !domain_role == '4' && !domain_role == '5'
   35      describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Rpc') do
   36        it { should have_property 'RestrictRemoteClients' }

V-73611.rb:
   47    end
   48  
   49:   if !domain_role == '4' && !domain_role == '5'
   50      impact 0.0
   51      desc 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'

V-73613.rb:
   71    end
   72  
   73:   if !domain_role == '4' && !domain_role == '5'
   74      impact 0.0
   75      desc 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'

V-73615.rb:
   56    end
   57  
   58:   if !domain_role == '4' && !domain_role == '5'
   59      impact 0.0
   60      desc 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'

V-73617.rb:
   78    end
   79  
   80:   if !domain_role == '4' && !domain_role == '5'
   81      impact 0.0
   82      desc 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'

V-73629.rb:
   46    end
   47  
   48:   if !domain_role == '4' && !domain_role == '5'
   49      impact 0.0
   50      desc 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'

V-73631.rb:
   38    end
   39  
   40:   if !domain_role == '4' && !domain_role == '5'
   41      impact 0.0
   42      desc 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'

V-73651.rb:
   35    Controller is not available) to 4 logons or less."
   36    domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip
   37:   if !domain_role == '4' && !domain_role == '5'
   38      describe registry_key('HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon') do
   39        it { should have_property 'CachedLogonsCount' }

V-73677.rb:
   44    for the policy to be enforced."
   45    domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip
   46:   if !domain_role == '4' && !domain_role == '5'
   47      describe registry_key('HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa') do
   48        it { should have_property 'RestrictRemoteSAM' }

V-73731.rb:
   65    end
   66  
   67:   if !domain_role == '4' && !domain_role == '5'
   68      impact 0.0
   69      desc 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'

V-73733.rb:
   60    the Authenticated Users group."
   61    domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip
   62:   if !domain_role == '4' && !domain_role == '5'
   63      describe.one do
   64        describe security_policy do

V-73737.rb:
   49    end
   50  
   51:   if !domain_role == '4' && !domain_role == '5'
   52      impact 0.0
   53      desc 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'

V-73741.rb:
   48    end
   49  
   50:   if !domain_role == '4' && !domain_role == '5'
   51      impact 0.0
   52      desc 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'

V-73757.rb:
   52    end
   53  
   54:   if !domain_role == '4' && !domain_role == '5'
   55      impact 0.0
   56      desc 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'

V-73759.rb:
   83    is_domain = command('wmic computersystem get domain | FINDSTR /V Domain').stdout.strip
   84  
   85:   if !domain_role == '4' && !domain_role == '5'
   86      if is_domain == 'WORKGROUP'
   87        describe.one do

V-73761.rb:
   50    end
   51  
   52:   if !domain_role == '4' && !domain_role == '5'
   53      impact 0.0
   54      desc 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'

V-73763.rb:
   57    is_domain = command('wmic computersystem get domain | FINDSTR /V Domain').stdout.strip
   58  
   59:   if !domain_role == '4' && !domain_role == '5'
   60      if is_domain == 'WORKGROUP'
   61        describe.one do

V-73765.rb:
   43    end
   44  
   45:   if !domain_role == '4' && !domain_role == '5'
   46      impact 0.0
   47      desc 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'

V-73767.rb:
   53    is_domain = command('wmic computersystem get domain | FINDSTR /V Domain').stdout.strip
   54    domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip
   55:   if !domain_role == '4' && !domain_role == '5'
   56      if is_domain == 'WORKGROUP'
   57        describe security_policy do

V-73769.rb:
   51    end
   52  
   53:   if !domain_role == '4' && !domain_role == '5'
   54      impact 0.0
   55      desc 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'

V-73771.rb:
   65    is_domain = command('wmic computersystem get domain | FINDSTR /V Domain').stdout.strip
   66  
   67:   if !domain_role == '4' && !domain_role == '5'
   68      if is_domain == 'WORKGROUP'
   69        describe.one do

V-73773.rb:
   52    end
   53  
   54:   if !domain_role == '4' && !domain_role == '5'
   55      impact 0.0
   56      desc 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'

V-73775.rb:
   77    is_domain = command('wmic computersystem get domain | FINDSTR /V Domain').stdout.strip
   78  
   79:   if !domain_role == '4' && !domain_role == '5'
   80      if is_domain == 'WORKGROUP'
   81        describe.one do

V-73777.rb:
   53    end
   54  
   55:   if !domain_role == '4' && !domain_role == '5'
   56      impact 0.0
   57      desc 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'

V-73779.rb:
   36    domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip
   37  
   38:   if !domain_role == '4' && !domain_role == '5'
   39      describe security_policy do
   40        its('SeEnableDelegationPrivilege') { should eq [] }

V-73395.rb:
  139    end
  140  
  141:   if !domain_role == '4' && domain_role == '5'
  142      impact 0.0
  143      desc 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'

V-73387 Hardcodes Domain to "testdomain.com"

The dsquery command in V-73387.rb has the domain hardcoded to "testdomain.com".
The control should use forrest as defined in inspec.yml.

 ...
   forrest = attribute('forrest')
   domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip
   if domain_role == '4' || domain_role == '5'
     query = command("dsquery * \"cn=Default Query Policy,cn=Query Policies,cn=Directory Service, cn=Windows NT,cn=Services,cn=Configuration,dc=testdomain,dc=com\" -attr LDAPAdminLimits").stdout
   ldap_admin_limits = parse_config(query.gsub(/;/, "\n")).params
...

V-73533 - Add clause for standalone systems

This control is currently configured to check for DCs but not standalone systems. Need to add a check for if the system is on a domain or not.

This applies to member servers. For domain controllers and standalone systems, this is NA.

Something like this should work.

//Add line after 31
member_of_domain = command('(gwmi win32_computersystem).partofdomain').stdout.strip

//Add clause after 43

...
  if member_of_domain == 'False'
    impact 0.0
    desc 'This system is not a member of a domain, therefore this control is not applicable as it only applies to member servers'
  end
...

Change `desc` to `skip`

Using desc in the InSpec logic overrides the description of the STIG rule. To avoid that, change code from:

impact 0.0
desc 'This control is not applicable'

to:

impact 0.0
describe 'This control is not applicable' do
  skip 'This control is not applicable'
end

Controls found with desc:

Additional code needed for Domain controllers 'V-73283'

The control does not address, specific check for domain controllers.

https://github.com/mitre/stig-microsoft-windows-server-2016-v1r4-baseline/blob/e6e7ff348bc5e5ed205ae51595aaf703d9459af2/controls/V-73283.rb#L39

V-73373 - Code does not take in account all GPO's

Looking at this Code it does not check if there are more GPO's than the default two. I looked at the Fix and Check text. If any standard user accounts or groups have greater than Allow permissions of Read and Apply group policy, this is a finding. Need to review possibilities on how to get all GPO's in a file and then run a check

unable to check HKLM:\Security ACL

https://github.com/mitre/stig-microsoft-windows-server-2016-v1r4-baseline/blob/4e835f41b8153ed1b9b1e381a5754ba75d0d2f64/controls/V-73255.rb#L109-L124

The other keys like HKLM:\Software and HKLM:System return their ACLs when executing Get-ACL

Test code V-73387 does not correctly test the target

Proposed fix:

text = command("dsquery * \"cn=Default Query Policy,cn=Query-Policies,cn=Directory Service, cn=Windows NT,cn=Services,cn=Configuration,dc=vspheread,dc=net\" -attr LDAPAdminLimits").stdout.

parse_config(text.gsub(/;/, "\n"),options).params
=> {"LDAPAdminLimits"=>"",
 "MaxValRange"=>"1500",
 "MaxReceiveBuffer"=>"10485760",
 "MaxDatagramRecv"=>"4096",
 "MaxPoolThreads"=>"4",
 "MaxResultSetSize"=>"262144",
 "MaxTempTableSize"=>"10000",
 "MaxQueryDuration"=>"120",
 "MaxPageSize"=>"1000",
 "MaxNotificationPerConn"=>"5",
 "MaxActiveQueries"=>"20",
 "MaxConnIdleTime"=>"900",
 "InitRecvTimeout"=>"120",
 "MaxConnections"=>"5000"}

Remove `desc` from control logic

@damif5 found desc being used before a describe block with skip statements - which would override the original description in certain controls. Here is an example snippet:

  impact 0.0
  desc 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'
  describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do
    skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'
  end

The test result will still display the describe line and the skip line so desc is unnecessary and should be removed.

Rough list of controls:

Controls with multiple NIST Tags needs to be collapsed

Controls with multiple NIST Tags needs to be collapsed, otherwise only the last nist tag definition will be parsed.

tag "nist": ['IA-2', 'Rev_4']
tag "nist": ['IA-5 e', 'Rev_4']

should be modified to

tag "nist": ['IA-2','IA-5 e','Rev_4']

Non compliant entries

Searching 275 files for "\s*tag "nist": .*$
\s*tag "nist": .*$
" (regex)

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73259.rb:
   13    tag "stig_id": 'WN16-00-000210'
   14    tag "fix_id": 'F-79703r1_fix'
   15:   tag "cci": ['CCI-000764', 'CCI-000795']
   16:   tag "nist": ['IA-2', 'Rev_4']
   17:   tag "nist": ['IA-5 e', 'Rev_4']
   18:   tag "documentable": false
   19    tag "check": "Open Windows PowerShell.
   20  

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73273.rb:
   24    tag "stig_id": 'WN16-00-000280'
   25    tag "fix_id": 'F-79717r1_fix'
   26:   tag "cci": ['CCI-001199', 'CCI-002475', 'CCI-002476']
   27:   tag "nist": ['SC-28', 'Rev_4']
   28:   tag "nist": ['SC-28 (1)', 'Rev_4']
   29:   tag "documentable": false
   30    tag "check": "Verify systems that require additional protections due to
   31    factors such as inadequate physical protection or sensitivity of the data

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73279.rb:
    9    tag "stig_id": 'WN16-00-000310'
   10    tag "fix_id": 'F-79723r1_fix'
   11:   tag "cci": ['CCI-000366', 'CCI-002080']
   12:   tag "nist": ['CM-6 b', 'Rev_4']
   13:   tag "nist": ['CA-3 (5)', 'Rev_4']
   14:   tag "documentable": false
   15    tag "check": "Determine if a host-based firewall is installed and enabled on
   16    the system.

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73359.rb:
   14    tag "stig_id": 'WN16-DC-000020'
   15    tag "fix_id": 'F-79801r1_fix'
   16:   tag "cci": ['CCI-001941', 'CCI-001942']
   17:   tag "nist": ['IA-2 (8)', 'Rev_4']
   18:   tag "nist": ['IA-2 (9)', 'Rev_4']
   19:   tag "documentable": false
   20    tag "check": "This applies to domain controllers. It is NA for other systems.
   21  

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73361.rb:
   15    tag "stig_id": 'WN16-DC-000030'
   16    tag "fix_id": 'F-79803r1_fix'
   17:   tag "cci": ['CCI-001941', 'CCI-001942']
   18:   tag "nist": ['IA-2 (8)', 'Rev_4']
   19:   tag "nist": ['IA-2 (9)', 'Rev_4']
   20:   tag "documentable": false
   21    tag "check": "This applies to domain controllers. It is NA for other systems.
   22  

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73363.rb:
   19    tag "stig_id": 'WN16-DC-000040'
   20    tag "fix_id": 'F-79805r1_fix'
   21:   tag "cci": ['CCI-001941', 'CCI-001942']
   22:   tag "nist": ['IA-2 (8)', 'Rev_4']
   23:   tag "nist": ['IA-2 (9)', 'Rev_4']
   24:   tag "documentable": false
   25    tag "check": "This applies to domain controllers. It is NA for other systems.
   26  

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73365.rb:
   13    tag "stig_id": 'WN16-DC-000050'
   14    tag "fix_id": 'F-79807r1_fix'
   15:   tag "cci": ['CCI-001941', 'CCI-001942']
   16:   tag "nist": ['IA-2 (8)', 'Rev_4']
   17:   tag "nist": ['IA-2 (9)', 'Rev_4']
   18:   tag "documentable": false
   19    tag "check": "This applies to domain controllers. It is NA for other systems.
   20  

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73367.rb:
   16    tag "stig_id": 'WN16-DC-000060'
   17    tag "fix_id": 'F-79809r1_fix'
   18:   tag "cci": ['CCI-001941', 'CCI-001942']
   19:   tag "nist": ['IA-2 (8)', 'Rev_4']
   20:   tag "nist": ['IA-2 (9)', 'Rev_4']
   21:   tag "documentable": false
   22    tag "check": "This applies to domain controllers. It is NA for other systems.
   23  

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73389.rb:
   27    tag "stig_id": 'WN16-DC-000170'
   28    tag "fix_id": 'F-86715r2_fix'
   29:   tag "cci": ['CCI-000172', 'CCI-002234']
   30:   tag "nist": ['AU-12 c', 'Rev_4']
   31:   tag "nist": ['AC-6 (9)', 'Rev_4']
   32:   tag "documentable": false
   33    tag "check": "This applies to domain controllers. It is NA for other systems.
   34  

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73391.rb:
   27    tag "stig_id": 'WN16-DC-000180'
   28    tag "fix_id": 'F-79833r1_fix'
   29:   tag "cci": ['CCI-000172', 'CCI-002234']
   30:   tag "nist": ['AU-12 c', 'Rev_4']
   31:   tag "nist": ['AC-6 (9)', 'Rev_4']
   32:   tag "documentable": false
   33    tag "check": "This applies to domain controllers. It is NA for other systems.
   34  

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73393.rb:
   27    tag "stig_id": 'WN16-DC-000190'
   28    tag "fix_id": 'F-79835r1_fix'
   29:   tag "cci": ['CCI-000172', 'CCI-002234']
   30:   tag "nist": ['AU-12 c', 'Rev_4']
   31:   tag "nist": ['AC-6 (9)', 'Rev_4']
   32:   tag "documentable": false
   33    tag "check": "This applies to domain controllers. It is NA for other systems.
   34  

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73395.rb:
   28    tag "stig_id": 'WN16-DC-000200'
   29    tag "fix_id": 'F-79837r1_fix'
   30:   tag "cci": ['CCI-000172', 'CCI-002234']
   31:   tag "nist": ['AU-12 c', 'Rev_4']
   32:   tag "nist": ['AC-6 (9)', 'Rev_4']
   33:   tag "documentable": false
   34    tag "check": "This applies to domain controllers. It is NA for other systems.
   35  

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73397.rb:
   27    tag "stig_id": 'WN16-DC-000210'
   28    tag "fix_id": 'F-79839r1_fix'
   29:   tag "cci": ['CCI-000172', 'CCI-002234'] 
   30:   tag "nist": ['AU-12 c', 'Rev_4']
   31:   tag "nist": ['AC-6 (9)', 'Rev_4']
   32:   tag "documentable": false
   33    tag "check": "This applies to domain controllers. It is NA for other systems.
   34  

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73399.rb:
   27    tag "stig_id": 'WN16-DC-000220'
   28    tag "fix_id": 'F-79841r1_fix'
   29:   tag "cci": ['CCI-000172', 'CCI-002234']
   30:   tag "nist": ['AU-12 c', 'Rev_4']
   31:   tag "nist": ['AC-6 (9)', 'Rev_4']
   32:   tag "documentable": false
   33    tag "check": "This applies to domain controllers. It is NA for other systems.
   34  

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73417.rb:
   22    tag "fix_id": 'F-79859r1_fix'
   23    tag "cci": ['CCI-000018', 'CCI-000172', 'CCI-001403', 'CCI-001404',
   24:               'CCI-001405', 'CCI-002130']
   25:   tag "nist": ['AC-2 (4)', 'Rev_4']
   26:   tag "nist": ['AU-12 c', 'Rev_4']
   27:   tag "documentable": false
   28    tag "check": "This applies to domain controllers. It is NA for other systems.
   29  

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73419.rb:
   20    tag "stig_id": 'WN16-AU-000100'
   21    tag "fix_id": 'F-79861r1_fix'
   22:   tag "cci": ['CCI-000172', 'CCI-002234']
   23:   tag "nist": ['AU-12 c', 'Rev_4']
   24:   tag "nist": ['AC-6 (9)', 'Rev_4']
   25:   tag "documentable": false
   26    tag "check": "Security Option Audit: Force audit policy subcategory
   27    settings (Windows Vista or later) to override audit policy category settings

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73423.rb:
   22    tag "fix_id": 'F-79865r1_fix'
   23    tag "cci": ['CCI-000018', 'CCI-000172', 'CCI-001403', 'CCI-001404',
   24:               'CCI-001405', 'CCI-002130']
   25:   tag "nist": ['AC-2 (4)', 'Rev_4']
   26:   tag "nist": ['AU-12 c', 'Rev_4']
   27:   tag "documentable": false
   28    tag "check": "Security Option Audit: Force audit policy subcategory
   29    settings (Windows Vista or later) to override audit policy category settings

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73427.rb:
   22    tag "fix_id": 'F-79869r1_fix'
   23    tag "cci": ['CCI-000018', 'CCI-000172', 'CCI-001403', 'CCI-001404',
   24:               'CCI-001405', 'CCI-002130']
   25:   tag "nist": ['AC-2 (4)', 'Rev_4']
   26:   tag "nist": ['AU-12 c', 'Rev_4']
   27:   tag "documentable": false
   28    tag "check": "Security Option Audit: Force audit policy subcategory
   29    settings (Windows Vista or later) to override audit policy category settings

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73429.rb:
   22    tag "fix_id": 'F-79871r1_fix'
   23    tag "cci": ['CCI-000018', 'CCI-000172', 'CCI-001403', 'CCI-001404',
   24:               'CCI-001405', 'CCI-002130']
   25:   tag "nist": ['AC-2 (4)', 'Rev_4']
   26:   tag "nist": ['AU-12 c', 'Rev_4']
   27:   tag "documentable": false
   28    tag "check": "Security Option Audit: Force audit policy subcategory
   29    settings (Windows Vista or later) to override audit policy category settings

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73433.rb:
   19    tag "stig_id": 'WN16-AU-000170'
   20    tag "fix_id": 'F-79875r1_fix'
   21:   tag "cci": ['CCI-000172', 'CCI-002234']
   22:   tag "nist": ['AU-12 c', 'Rev_4']
   23:   tag "nist": ['AC-6 (9)', 'Rev_4']
   24:   tag "documentable": false
   25    tag "check": "Security Option Audit: Force audit policy subcategory
   26    settings (Windows Vista or later) to override audit policy category settings

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73437.rb:
   21    tag "stig_id": 'WN16-DC-000250'
   22    tag "fix_id": 'F-79879r1_fix'
   23:   tag "cci": ['CCI-000172', 'CCI-002234']
   24:   tag "nist": ['AU-12 c', 'Rev_4']
   25:   tag "nist": ['AC-6 (9)', 'Rev_4']
   26:   tag "documentable": false
   27    tag "check": "This applies to domain controllers. It is NA for other systems.
   28  

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73439.rb:
   20    tag "stig_id": 'WN16-DC-000260'
   21    tag "fix_id": 'F-79881r1_fix'
   22:   tag "cci": ['CCI-000172', 'CCI-002234']
   23:   tag "nist": ['AU-12 c', 'Rev_4']
   24:   tag "nist": ['AC-6 (9)', 'Rev_4']
   25:   tag "documentable": false
   26    tag "check": "This applies to domain controllers. It is NA for other systems.
   27  

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73441.rb:
   20    tag "stig_id": 'WN16-DC-000270'
   21    tag "fix_id": 'F-79883r1_fix'
   22:   tag "cci": ['CCI-000172', 'CCI-002234']
   23:   tag "nist": ['AU-12 c', 'Rev_4']
   24:   tag "nist": ['AC-6 (9)', 'Rev_4']
   25:   tag "documentable": false
   26    tag "check": "This applies to domain controllers. It is NA for other systems.
   27  

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73443.rb:
   19    tag "stig_id": 'WN16-AU-000220'
   20    tag "fix_id": 'F-79885r1_fix'
   21:   tag "cci": ['CCI-000172', 'CCI-001404']
   22:   tag "nist": ['AU-12 c', 'Rev_4']
   23:   tag "nist": ['AC-2 (4)', 'Rev_4']
   24:   tag "documentable": false
   25    tag "check": "Security Option Audit: Force audit policy subcategory
   26    settings (Windows Vista or later) to override audit policy category settings

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73445.rb:
   19    tag "stig_id": 'WN16-AU-000230'
   20    tag "fix_id": 'F-79887r1_fix'
   21:   tag "cci": ['CCI-000172', 'CCI-001404']
   22:   tag "nist": ['AU-12 c', 'Rev_4']
   23:   tag "nist": ['AC-2 (4)', 'Rev_4']
   24:   tag "documentable": false
   25    tag "check": "Security Option Audit: Force audit policy subcategory
   26    settings (Windows Vista or later) to override audit policy category settings

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73449.rb:
   22    tag "stig_id": 'WN16-AU-000250'
   23    tag "fix_id": 'F-79891r1_fix'
   24:   tag "cci": ['CCI-000067', 'CCI-000172']
   25:   tag "nist": ['AC-17 (1)', 'Rev_4']
   26:   tag "nist": ['AU-12 c', 'Rev_4']
   27:   tag "documentable": false
   28    tag "check": "Security Option Audit: Force audit policy subcategory
   29    settings (Windows Vista or later) to override audit policy category settings

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73451.rb:
   22    tag "stig_id": 'WN16-AU-000260'
   23    tag "fix_id": 'F-79893r1_fix'
   24:   tag "cci": ['CCI-000067', 'CCI-000172']
   25:   tag "nist": ['AC-17 (1)', 'Rev_4']
   26:   tag "nist": ['AU-12 c', 'Rev_4']
   27:   tag "documentable": false
   28    tag "check": "Security Option Audit: Force audit policy subcategory
   29    settings (Windows Vista or later) to override audit policy category settings

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73453.rb:
   22    tag "stig_id": 'WN16-AU-000270'
   23    tag "fix_id": 'F-79895r1_fix'
   24:   tag "cci": ['CCI-000067', 'CCI-000172']
   25:   tag "nist": ['AC-17 (1)', 'Rev_4']
   26:   tag "nist": ['AU-12 c', 'Rev_4']
   27:   tag "documentable": false
   28    tag "check": "Security Option Audit: Force audit policy subcategory
   29    settings (Windows Vista or later) to override audit policy category settings

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73461.rb:
   19    tag "stig_id": 'WN16-AU-000310'
   20    tag "fix_id": 'F-79903r1_fix'
   21:   tag "cci": ['CCI-000172', 'CCI-002234']
   22:   tag "nist": ['AU-12 c', 'Rev_4']
   23:   tag "nist": ['AC-6 (9)', 'Rev_4']
   24:   tag "documentable": false
   25    tag "check": "Security Option Audit: Force audit policy subcategory
   26    settings (Windows Vista or later) to override audit policy category settings

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73463.rb:
   19    tag "stig_id": 'WN16-AU-000320'
   20    tag "fix_id": 'F-79905r1_fix'
   21:   tag "cci": ['CCI-000172', 'CCI-002234']
   22:   tag "nist": ['AU-12 c', 'Rev_4']
   23:   tag "nist": ['AC-6 (9)', 'Rev_4']
   24:   tag "documentable": false
   25    tag "check": "Security Option Audit: Force audit policy subcategory
   26    settings (Windows Vista or later) to override audit policy category settings

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73465.rb:
   20    tag "stig_id": 'WN16-AU-000330'
   21    tag "fix_id": 'F-79907r1_fix'
   22:   tag "cci": ['CCI-000172', 'CCI-002234']
   23:   tag "nist": ['AU-12 c', 'Rev_4']
   24:   tag "nist": ['AC-6 (9)', 'Rev_4']
   25:   tag "documentable": false
   26    tag "check": "Security Option Audit: Force audit policy subcategory
   27    settings (Windows Vista or later) to override audit policy category settings

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73467.rb:
   20    tag "stig_id": 'WN16-AU-000340'
   21    tag "fix_id": 'F-79909r1_fix'
   22:   tag "cci": ['CCI-000172', 'CCI-002234']
   23:   tag "nist": ['AU-12 c', 'Rev_4']
   24:   tag "nist": ['AC-6 (9)', 'Rev_4']
   25:   tag "documentable": false
   26    tag "check": "Security Option Audit: Force audit policy subcategory
   27    settings (Windows Vista or later) to override audit policy category settings

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73469.rb:
   21    tag "stig_id": 'WN16-AU-000350'
   22    tag "fix_id": 'F-79911r1_fix'
   23:   tag "cci": ['CCI-000172', 'CCI-002234']
   24:   tag "nist": ['AU-12 c', 'Rev_4']
   25:   tag "nist": ['AC-6 (9)', 'Rev_4']
   26:   tag "documentable": false
   27    tag "check": "Security Option Audit: Force audit policy subcategory
   28    settings (Windows Vista or later) to override audit policy category settings

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73471.rb:
   21    tag "stig_id": 'WN16-AU-000360'
   22    tag "fix_id": 'F-79913r1_fix'
   23:   tag "cci": ['CCI-000172', 'CCI-002234']
   24:   tag "nist": ['AU-12 c', 'Rev_4']
   25:   tag "nist": ['AC-6 (9)', 'Rev_4']
   26:   tag "documentable": false
   27    tag "check": "Security Option Audit: Force audit policy subcategory
   28    settings (Windows Vista or later) to override audit policy category settings

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73473.rb:
   20    tag "stig_id": 'WN16-AU-000370'
   21    tag "fix_id": 'F-79915r1_fix'
   22:   tag "cci": ['CCI-000172', 'CCI-002234']
   23:   tag "nist": ['AU-12 c', 'Rev_4']
   24:   tag "nist": ['AC-6 (9)', 'Rev_4']
   25:   tag "documentable": false
   26    tag "check": "Security Option Audit: Force audit policy subcategory
   27    settings (Windows Vista or later) to override audit policy category settings

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73475.rb:
   20    tag "stig_id": 'WN16-AU-000380'
   21    tag "fix_id": 'F-79917r1_fix'
   22:   tag "cci": ['CCI-000172', 'CCI-002234']
   23:   tag "nist": ['AU-12 c', 'Rev_4']
   24:   tag "nist": ['AC-6 (9)', 'Rev_4']
   25:   tag "documentable": false
   26    tag "check": "Security Option Audit: Force audit policy subcategory
   27    settings (Windows Vista or later) to override audit policy category settings

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73477.rb:
   20    tag "stig_id": 'WN16-AU-000390'
   21    tag "fix_id": 'F-79919r1_fix'
   22:   tag "cci": ['CCI-000172', 'CCI-002234']
   23:   tag "nist": ['AU-12 c', 'Rev_4']
   24:   tag "nist": ['AC-6 (9)', 'Rev_4']
   25:   tag "documentable": false
   26    tag "check": "Security Option Audit: Force audit policy subcategory
   27    settings (Windows Vista or later) to override audit policy category settings

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73479.rb:
   20    tag "stig_id": 'WN16-AU-000400'
   21    tag "fix_id": 'F-79921r1_fix'
   22:   tag "cci": ['CCI-000172', 'CCI-002234']
   23:   tag "nist": ['AU-12 c', 'Rev_4']
   24:   tag "nist": ['AC-6 (9)', 'Rev_4']
   25:   tag "documentable": false
   26    tag "check": "Security Option Audit: Force audit policy subcategory
   27    settings (Windows Vista or later) to override audit policy category settings

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73481.rb:
   20    tag "stig_id": 'WN16-AU-000410'
   21    tag "fix_id": 'F-79923r1_fix'
   22:   tag "cci": ['CCI-000172', 'CCI-002234']
   23:   tag "nist": ['AU-12 c', 'Rev_4']
   24:   tag "nist": ['AC-6 (9)', 'Rev_4']
   25:   tag "documentable": false
   26    tag "check": "Security Option Audit: Force audit policy subcategory
   27    settings (Windows Vista or later) to override audit policy category settings

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73483.rb:
   20    tag "stig_id": 'WN16-AU-000420'
   21    tag "fix_id": 'F-79925r1_fix'
   22:   tag "cci": ['CCI-000172', 'CCI-002234']
   23:   tag "nist": ['AU-12 c', 'Rev_4']
   24:   tag "nist": ['AC-6 (9)', 'Rev_4']
   25:   tag "documentable": false
   26    tag "check": "Security Option Audit: Force audit policy subcategory
   27    settings (Windows Vista or later) to override audit policy category settings

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73489.rb:
   20    tag "stig_id": 'WN16-AU-000440'
   21    tag "fix_id": 'F-79931r1_fix'
   22:   tag "cci": ['CCI-000172', 'CCI-002234']
   23:   tag "nist": ['AU-12 c', 'Rev_4']
   24:   tag "nist": ['AC-6 (9)', 'Rev_4']
   25:   tag "documentable": false
   26    tag "check": "Security Option Audit: Force audit policy subcategory
   27    settings (Windows Vista or later) to override audit policy category settings

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73491.rb:
   20    tag "stig_id": 'WN16-AU-000450'
   21    tag "fix_id": 'F-79933r1_fix'
   22:   tag "cci": ['CCI-000172', 'CCI-002234']
   23:   tag "nist": ['AU-12 c', 'Rev_4']
   24:   tag "nist": ['AC-6 (9)', 'Rev_4']
   25:   tag "documentable": false
   26    tag "check": "Security Option Audit: Force audit policy subcategory
   27    settings (Windows Vista or later) to override audit policy category settings

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73605.rb:
   14    tag "stig_id": 'WN16-PK-000010'
   15    tag "fix_id": 'F-87311r1_fix'
   16:   tag "cci": ['CCI-000185', 'CCI-002470']
   17:   tag "nist": ['IA-5 (2) (a)', 'Rev_4']
   18:   tag "nist": ['SC-23 (5)', 'Rev_4']
   19:   tag "documentable": false
   20    tag "check": "The certificates and thumbprints referenced below apply to
   21    unclassified systems; see PKE documentation for other networks.

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73607.rb:
   14    tag "stig_id": 'WN16-PK-000020'
   15    tag "fix_id": 'F-87313r2_fix'
   16:   tag "cci": ['CCI-000185', 'CCI-002470']
   17:   tag "nist": ['IA-5 (2) (a)', 'Rev_4']
   18:   tag "nist": ['SC-23 (5)', 'Rev_4']
   19:   tag "documentable": false
   20    tag "check": "This is applicable to unclassified systems. It is NA for others.
   21  

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73609.rb:
   15    tag "stig_id": 'WN16-PK-000030'
   16    tag "fix_id": 'F-87315r1_fix'
   17:   tag "cci": ['CCI-000185', 'CCI-002470']
   18:   tag "nist": ['IA-5 (2) (a)', 'Rev_4']
   19:   tag "nist": ['SC-23 (5)', 'Rev_4']
   20:   tag "documentable": false
   21    tag "check": "This is applicable to unclassified systems. It is NA for others.
   22  

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73617.rb:
   18    tag "fix_id": 'F-80067r1_fix'
   19    tag "cci": ['CCI-000765', 'CCI-000766', 'CCI-000767', 'CCI-000768',
   20:               'CCI-001948']
   21:   tag "nist": ['IA-2 (1)', 'Rev_4']
   22:   tag "nist": ['IA-2 (2)', 'Rev_4']
   23:   tag "nist": ['IA-2 (3)', 'Rev_4']
   24:   tag "nist": ['IA-2 (4)', 'Rev_4']
   25:   tag "nist": ['IA-2 (11)', 'Rev_4']
   26    tag "documentable": false
   27    tag "check": "This applies to domain controllers. It is NA for other systems.

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73633.rb:
   14    tag "stig_id": 'WN16-SO-000080'
   15    tag "fix_id": 'F-80083r1_fix'
   16:   tag "cci": ['CCI-002418', 'CCI-002421']
   17:   tag "nist": ['SC-8', 'Rev_4']
   18:   tag "nist": ['SC-8 (1)', 'Rev_4']
   19:   tag "documentable": false
   20    tag "check": "If the following registry value does not exist or is not
   21    configured as specified, this is a finding.

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73635.rb:
   14    tag "stig_id": 'WN16-SO-000090'
   15    tag "fix_id": 'F-80085r1_fix'
   16:   tag "cci": ['CCI-002418', 'CCI-002421']
   17:   tag "nist": ['SC-8', 'Rev_4']
   18:   tag "nist": ['SC-8 (1)', 'Rev_4']
   19:   tag "documentable": false
   20    tag "check": "If the following registry value does not exist or is not
   21    configured as specified, this is a finding.

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73637.rb:
   14    tag "stig_id": 'WN16-SO-000100'
   15    tag "fix_id": 'F-80087r1_fix'
   16:   tag "cci": ['CCI-002418', 'CCI-002421']
   17:   tag "nist": ['SC-8', 'Rev_4']
   18:   tag "nist": ['SC-8 (1)', 'Rev_4']
   19:   tag "documentable": false
   20    tag "check": "If the following registry value does not exist or is not
   21    configured as specified, this is a finding.

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73643.rb:
   15    tag "stig_id": 'WN16-SO-000130'
   16    tag "fix_id": 'F-80093r1_fix'
   17:   tag "cci": ['CCI-002418', 'CCI-002421']
   18:   tag "nist": ['SC-8', 'Rev_4']
   19:   tag "nist": ['SC-8 (1)', 'Rev_4']
   20:   tag "documentable": false
   21    tag "check": "If the following registry value does not exist or is not
   22    configured as specified, this is a finding.

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73647.rb:
   15    tag "fix_id": 'F-80097r2_fix'
   16    tag "cci": ['CCI-000048', 'CCI-000050', 'CCI-001384', 'CCI-001385',
   17:               'CCI-001386', 'CCI-001387', 'CCI-001388']
   18:   tag "nist": ['AC-8 a', 'Rev_4']
   19:   tag "nist": ['AC-8 b', 'Rev_4']
   20:   tag "nist": ['AC-8 c 1', 'Rev_4']
   21:   tag "nist": ['AC-8 c 2', 'Rev_4']
   22:   tag "nist": ['AC-8 c 3', 'Rev_4']
   23    tag "documentable": false
   24    tag "check": "If the following registry value does not exist or is not

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73649.rb:
   13    tag "fix_id": 'F-80099r1_fix'
   14    tag "cci": ['CCI-000048', 'CCI-001384', 'CCI-001385', 'CCI-001386',
   15:               'CCI-001387', 'CCI-001388']
   16:   tag "nist": ['AC-8 a', 'Rev_4']
   17:   tag "nist": ['AC-8 b', 'Rev_4']
   18:   tag "nist": ['AC-8 c 1', 'Rev_4']
   19:   tag "nist": ['AC-8 c 2', 'Rev_4']
   20:   tag "nist": ['AC-8 c 3', 'Rev_4']
   21    tag "documentable": false
   22    tag "check": "If the following registry value does not exist or is not

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73653.rb:
   14    tag "stig_id": 'WN16-SO-000190'
   15    tag "fix_id": 'F-80103r1_fix'
   16:   tag "cci": ['CCI-002418', 'CCI-002421']
   17:   tag "nist": ['SC-8', 'Rev_4']
   18:   tag "nist": ['SC-8 (1)', 'Rev_4']
   19:   tag "documentable": false
   20    tag "check": "If the following registry value does not exist or is not
   21    configured as specified, this is a finding.

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73655.rb:
   14    tag "stig_id": 'WN16-SO-000200'
   15    tag "fix_id": 'F-80105r1_fix'
   16:   tag "cci": ['CCI-002418', 'CCI-002421']
   17:   tag "nist": ['SC-8', 'Rev_4']
   18:   tag "nist": ['SC-8 (1)', 'Rev_4']
   19:   tag "documentable": false
   20    tag "check": "If the following registry value does not exist or is not
   21    configured as specified, this is a finding.

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73659.rb:
   15    tag "stig_id": 'WN16-SO-000220'
   16    tag "fix_id": 'F-80109r1_fix'
   17:   tag "cci": ['CCI-001133', 'CCI-002361']
   18:   tag "nist": ['SC-10', 'Rev_4']
   19:   tag "nist": ['AC-12', 'Rev_4']
   20:   tag "documentable": false
   21    tag "check": "If the following registry value does not exist or is not
   22    configured as specified, this is a finding.

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73661.rb:
   14    tag "stig_id": 'WN16-SO-000230'
   15    tag "fix_id": 'F-80111r1_fix'
   16:   tag "cci": ['CCI-002418', 'CCI-002421']
   17:   tag "nist": ['SC-8', 'Rev_4']
   18:   tag "nist": ['SC-8 (1)', 'Rev_4']
   19:   tag "documentable": false
   20    tag "check": "If the following registry value does not exist or is not
   21    configured as specified, this is a finding.

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73663.rb:
   14    tag "stig_id": 'WN16-SO-000240'
   15    tag "fix_id": 'F-80113r1_fix'
   16:   tag "cci": ['CCI-002418', 'CCI-002421']
   17:   tag "nist": ['SC-8', 'Rev_4']
   18:   tag "nist": ['SC-8 (1)', 'Rev_4']
   19:   tag "documentable": false
   20    tag "check": "If the following registry value does not exist or is not
   21    configured as specified, this is a finding.

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73701.rb:
   14    tag "stig_id": 'WN16-SO-000430'
   15    tag "fix_id": 'F-80151r1_fix'
   16:   tag "cci": ['CCI-000068', 'CCI-002450']
   17:   tag "nist": ['AC-17 (2)', 'Rev_4']
   18:   tag "nist": ['SC-13', 'Rev_4']
   19:   tag "documentable": false
   20    tag "check": "If the following registry value does not exist or is not
   21    configured as specified, this is a finding.

stig-microsoft-windows-server-2016-v1r4-baseline/controls/V-73793.rb:
   19    tag "fix_id": 'F-80243r1_fix'
   20    tag "cci": ['CCI-000162', 'CCI-000163', 'CCI-000164', 'CCI-000171',
   21:               'CCI-001914']
   22:   tag "nist": ['AU-9', 'Rev_4']
   23:   tag "nist": ['AU-9 (1)', 'Rev_4']
   24:   tag "nist": ['AU-12 b', 'Rev_4']
   25:   tag "nist": ['AU-12 (3)', 'Rev_4']
   26:   tag "documentable": false
   27    tag "check": "Verify the effective setting in Local Group Policy Editor.
   28  

63 matches across 59 files

V-73391 are meant to validate audit definitions.

V-73391 is meant to validate audit definitions...currently it performs ACL checks

Similar affected controls
V-73389 V-73393 V-73397 V-73395

Similar affected controls but not currently part of PR#5
V-73399

Suggest test code below:

$dn = (Get-ADDomain).DistinguishedName
(Get-ACL -Audit -Path AD:\$dn).Audit | ConvertTo-Json
[
    {
        "ActiveDirectoryRights":  983551,
        "InheritanceType":  1,
        "ObjectType":  "00000000-0000-0000-0000-000000000000",
        "InheritedObjectType":  "00000000-0000-0000-0000-000000000000",
        "ObjectFlags":  0,
        "AuditFlags":  3,
        "IdentityReference":  {
                                  "Value":  "Everyone"
                              },
        "IsInherited":  false,
        "InheritanceFlags":  1,
        "PropagationFlags":  0
    },
    {
        "ActiveDirectoryRights":  786464,
        "InheritanceType":  0,
        "ObjectType":  "00000000-0000-0000-0000-000000000000",
        "InheritedObjectType":  "00000000-0000-0000-0000-000000000000",
        "ObjectFlags":  0,
        "AuditFlags":  1,
        "IdentityReference":  {
                                  "Value":  "Everyone"
                              },
        "IsInherited":  false,
        "InheritanceFlags":  0,
        "PropagationFlags":  0
    },
    {
        "ActiveDirectoryRights":  256,
        "InheritanceType":  0,
        "ObjectType":  "00000000-0000-0000-0000-000000000000",
        "InheritedObjectType":  "00000000-0000-0000-0000-000000000000",
        "ObjectFlags":  0,
        "AuditFlags":  1,
        "IdentityReference":  {
                                  "Value":  "BUILTIN\\Administrators"
                              },
        "IsInherited":  false,
        "InheritanceFlags":  0,
        "PropagationFlags":  0
    },
    {
        "ActiveDirectoryRights":  256,
        "InheritanceType":  0,
        "ObjectType":  "00000000-0000-0000-0000-000000000000",
        "InheritedObjectType":  "00000000-0000-0000-0000-000000000000",
        "ObjectFlags":  0,
        "AuditFlags":  1,
        "IdentityReference":  {
                                  "Value":  "VSPHEREAD\\Domain Users"
                              },
        "IsInherited":  false,
        "InheritanceFlags":  0,
        "PropagationFlags":  0
    },
    {
        "ActiveDirectoryRights":  32,
        "InheritanceType":  1,
        "ObjectType":  "f30e3bbf-9ff0-11d1-b603-0000f80367c1",
        "InheritedObjectType":  "bf967aa5-0de6-11d0-a285-00aa003049e2",
        "ObjectFlags":  3,
        "AuditFlags":  1,
        "IdentityReference":  {
                                  "Value":  "Everyone"
                              },
        "IsInherited":  false,
        "InheritanceFlags":  1,
        "PropagationFlags":  0
    },
    {
        "ActiveDirectoryRights":  32,
        "InheritanceType":  1,
        "ObjectType":  "f30e3bbe-9ff0-11d1-b603-0000f80367c1",
        "InheritedObjectType":  "bf967aa5-0de6-11d0-a285-00aa003049e2",
        "ObjectFlags":  3,
        "AuditFlags":  1,
        "IdentityReference":  {
                                  "Value":  "Everyone"
                              },
        "IsInherited":  false,
        "InheritanceFlags":  1,
        "PropagationFlags":  0
    }
]

To see the meaning of numeric flags such as AuditFlags please try command below

PS C:\Users\Administrator> (Get-ACL -Audit -Path AD:\$dn).Audit 


ActiveDirectoryRights : GenericAll
InheritanceType       : All
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : None
AuditFlags            : Success, Failure
IdentityReference     : Everyone
IsInherited           : False
InheritanceFlags      : ContainerInherit
PropagationFlags      : None

ActiveDirectoryRights : WriteProperty, WriteDacl, WriteOwner
InheritanceType       : None
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : None
AuditFlags            : Success
IdentityReference     : Everyone
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None

ActiveDirectoryRights : ExtendedRight
InheritanceType       : None
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : None
AuditFlags            : Success
IdentityReference     : BUILTIN\Administrators
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None

ActiveDirectoryRights : ExtendedRight
InheritanceType       : None
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : None
AuditFlags            : Success
IdentityReference     : VSPHEREAD\Domain Users
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None

ActiveDirectoryRights : WriteProperty
InheritanceType       : All
ObjectType            : f30e3bbf-9ff0-11d1-b603-0000f80367c1
InheritedObjectType   : bf967aa5-0de6-11d0-a285-00aa003049e2
ObjectFlags           : ObjectAceTypePresent, InheritedObjectAceTypePresent
AuditFlags            : Success
IdentityReference     : Everyone
IsInherited           : False
InheritanceFlags      : ContainerInherit
PropagationFlags      : None

ActiveDirectoryRights : WriteProperty
InheritanceType       : All
ObjectType            : f30e3bbe-9ff0-11d1-b603-0000f80367c1
InheritedObjectType   : bf967aa5-0de6-11d0-a285-00aa003049e2
ObjectFlags           : ObjectAceTypePresent, InheritedObjectAceTypePresent
AuditFlags            : Success
IdentityReference     : Everyone
IsInherited           : False
InheritanceFlags      : ContainerInherit
PropagationFlags      : None

mitre / microsoft-windows-server-2016-stig-baseline Goto Github PK

microsoft-windows-server-2016-stig-baseline's Introduction

microsoft-windows-server-2016-stig-baseline

Getting Started

Tailoring to Your Environment

Running This Baseline Directly from Github

Different Run Options

Running This Baseline from a local Archive copy

Using Heimdall for Viewing the JSON Results

Authors

Special Thanks

Contributing and Getting Help

NOTICE

NOTICE

NOTICE

NOTICE

microsoft-windows-server-2016-stig-baseline's People

Contributors

Stargazers

Watchers

Forkers

microsoft-windows-server-2016-stig-baseline's Issues

Recommend Projects

Recommend Topics

Recommend Org