EvotecIT / Testimo

Testimo is a PowerShell module for running health checks for Active Directory against a bunch of different tests

Spooler Service #40

Closed rgfhfdghfgdh435645365 closed 4 years ago

rgfhfdghfgdh435645365 commented 5 years ago

    Spooler Service is STOPPED [Fail]
    Spooler Service START TYPE is DISABLED [Fail]

These should be Pass or Informative. Disabling the print spooler on a DC is for hardening purposes.

PrzemyslawKlys commented 5 years ago

Hi, take a look here: https://github.com/EvotecIT/Testimo/issues/38

Let me know what you think?

PrzemyslawKlys commented 5 years ago

As you've not responded, closing. Feel free to reopen if you're ready to talk.

rgfhfdghfgdh435645365 commented 5 years ago

All you wrote was "Let me know what you think?" Think about what? I'm in the 'for' category solely based on my comment that disabling the print spooler is for hardening purposes.

PrzemyslawKlys commented 5 years ago

I gave you a link to another issue where it was discussed. I wanted you to take a look and let me know if you have any thoughts about it?

PrzemyslawKlys commented 5 years ago

Currently Testimo only supports 3 states True/False/Null (Passed/Failed/Skipped). To support what you propose (correctly) I need to rebuild Testimo from 3 states to multiple states.

As you can see in sources I started preparing for that, by defining Details for Source/Each Test

        Details        = [ordered] @{
            Area        = ''
            Category    = ''
            Severity    = ''
            RiskLevel   = 0
            Description = "Group Policy permissions should always have Authenticated Users and Domain Computers group"
            Resolution  = 'Do not remove Authenticated Users, Domain Computers from Group Policies.'
            Resources   = @(
                'https://secureinfra.blog/2018/12/31/most-common-mistakes-in-active-directory-and-domain-services-part-1/'
                'https://support.microsoft.com/en-us/help/3163622/ms16-072-security-update-for-group-policy-june-14-2016'
            )
        }

When I get to the point where all Area/Category/Severity/RiskLevel is filled I could probably work out a better scale.

rgfhfdghfgdh435645365 commented 5 years ago

How about making the print spooler the last test in the service test [i] section but place another [i] before the print spooler. I have one server where a Pass would be expected as disabled but another server where automatic would be the pass as it has the print server on the DC. My solution would be to just run the test twice but place an informative message above each one that states DoD STIG compliance and Non-DoD STIG compliance. That way, those that expect it to be disabled see the result as pass and those that expect it to be automatic would also see a pass on another [i] section.

example:

    [i][domain.local][server.domain.local] Service Status [Informative]
    [t][domain.local][server.domain.local] SAMSS Service is RUNNING [Pass] [Expected value (Equal): Running]
    [t][domain.local][server.domain.local] SAMSS Service START TYPE is Automatic [Pass] [Expected value (Equal): Automatic]
    [t][domain.local][server.domain.local] W32Time Service is RUNNING [Pass] [Expected value (Equal): Running]
    [t][domain.local][server.domain.local] W32Time Service START TYPE is Automatic [Pass] [Expected value (Equal): Automatic]
    [i][domain.local][server.domain.local] Print Spooler - _Non-DoD STIG compliance check [Informative]
    [t][domain.local][server.domain.local] Spooler Service is STOPPED [Fail] [Expected value (Equal): Running, Found value: Stopped]
    [t][domain.local][server.domain.local] Spooler Service START TYPE is DISABLED [Fail] [Expected value (Equal): Automatic, Found value: Disabled]
    [i][domain.local][server.domain.local] Print Spooler - _DoD STIG compliance check [Informative]
    [t][domain.local][server.domain.local] Spooler Service is STOPPED [Pass] [Expected value (Equal): Stopped, Found value: Stopped]
    [t][domain.local][server.domain.local] Spooler Service START TYPE is DISABLED [Pass] [Expected value (Equal): Disabled, Found value: Disabled]

PrzemyslawKlys commented 5 years ago

Why not control it the way you want with a config file?


I guess the only thing missing is the ability to rename a test to reflect a change in Name. I could probably also add Name to requirements so that one could define server names - currently it only supports CommandAvailable and a few other variables.

        Requirements = @{
            DomainController = 'somename'
            CommandAvailable = 'repadmin'
            OperatingSystem  = '*2008*'
        }

If requirements are not matched it would skip the test.

So a final solution would require duplicating SpoolerServiceStatus/SpoolerServiceStartType with only one enabled by default where you could control enable/disable of that rule per your need.

SUBnet192 commented 4 years ago

On Windows Server Core, the Spooler service isn't installed and results in N/A being returned. So this should be compliant, not returning a fail. Is that possible to fix?
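
An added illustration, not Testimo's own code, of the three-state check (Passed/Failed/Skipped) discussed in this thread, with the two expectation profiles from the earlier proposal and the "service not installed" case reported as Skipped instead of Fail. `Test-ServiceExpectation`, the `$Profiles` table and `server.domain.local` are hypothetical; `Get-CimInstance` / `Win32_Service` are the real cmdlet and class, and querying a remote DC assumes WinRM is reachable.

```powershell
# Hypothetical helper (not part of Testimo): evaluate one service against an expected
# Status and StartType and return $true (Pass), $false (Fail) or $null (Skipped).
function Test-ServiceExpectation {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $ServiceName,
        [Parameter(Mandatory)] [ValidateSet('Running', 'Stopped')] [string] $ExpectedStatus,
        [Parameter(Mandatory)] [ValidateSet('Automatic', 'Manual', 'Disabled')] [string] $ExpectedStartType
    )
    # Win32_Service exposes State (Running/Stopped) and StartMode (Auto/Manual/Disabled),
    # which map onto the "Found value" shown in Testimo's output.
    $Service = Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName -Filter "Name='$ServiceName'"
    if ($null -eq $Service) {
        # Server Core without the Print Spooler feature: no service object exists.
        # Treat this as a Requirements mismatch and skip rather than fail.
        return [PSCustomObject]@{ Service = $ServiceName; Check = 'Installed'; Result = $null; Expected = 'present'; Found = 'N/A' }
    }
    $StartType = if ($Service.StartMode -eq 'Auto') { 'Automatic' } else { $Service.StartMode }
    [PSCustomObject]@{ Service = $ServiceName; Check = 'Status';    Result = ($Service.State -eq $ExpectedStatus); Expected = $ExpectedStatus;    Found = $Service.State }
    [PSCustomObject]@{ Service = $ServiceName; Check = 'StartType'; Result = ($StartType -eq $ExpectedStartType);  Expected = $ExpectedStartType; Found = $StartType }
}

# Two profiles for the same rule, as proposed above; enable the one that fits each DC.
$Profiles = @{
    'DoD STIG'     = @{ ExpectedStatus = 'Stopped'; ExpectedStartType = 'Disabled'  }
    'Print server' = @{ ExpectedStatus = 'Running'; ExpectedStartType = 'Automatic' }
}
$Chosen  = $Profiles['DoD STIG']
$Results = Test-ServiceExpectation -ComputerName 'server.domain.local' -ServiceName 'Spooler' @Chosen

foreach ($R in $Results) {
    # $null is the third state: neither Pass nor Fail.
    $Label = if ($null -eq $R.Result) { 'Skipped' } elseif ($R.Result) { 'Pass' } else { 'Fail' }
    '[{0}] {1} {2} [Expected value (Equal): {3}, Found value: {4}]' -f $Label, $R.Service, $R.Check, $R.Expected, $R.Found
}
```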

PrzemyslawKlys commented 4 years ago

Fixed. Will be in next release