microsoft / PowerStig

STIG Automation
https://www.powershellgallery.com/packages/PowerSTIG

Windows Server 2022 - "Cannot find an appropriate constructor for type System.Security.Principal.NTAccount" #1360

Open Wheels387 opened 3 months ago

Wheels387 commented 3 months ago

**Describe the bug**
Attempting to run `Test-DSCConfiguration -ComputerName "localhost" -ReferenceConfiguration ".\localhost.mof"` fails with the following errors:

Exception calling "Translate" with "1" argument(s): "Some or all identity references could not be translated."
    + CategoryInfo          : NotSpecified: (:) [], CimException
    + FullyQualifiedErrorId : System.Management.Automation.MethodInvocationException,Resolve-Identity
    + PSComputerName        : localhost

A constructor was not found. Cannot find an appropriate constructor for type System.Security.Principal.NTAccount.
    + CategoryInfo          : ObjectNotFound: (:) [], CimException
    + FullyQualifiedErrorId : CannotFindAppropriateCtor,Microsoft.PowerShell.Commands.NewObjectCommand
    + PSComputerName        : localhost

The PowerShell DSC resource '[RegistryAccessEntry][V-254254.c][medium][SRG-OS-000324-GPOS-00125]::[WindowsServer]BaseLine'
with SourceInfo 'C:\Program Files\WindowsPowerShell\Modules\PowerSTIG\4.22.0\DSCResources\Resources\windows.AccessControl.p
s1::15::13::RegistryAccessEntry' threw one or more non-terminating errors while running the Test-TargetResource
functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel
for more details.
    + CategoryInfo          : InvalidOperation: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : NonTerminatingErrorFromProvider
    + PSComputerName        : localhost

**To Reproduce**

  1. Install Windows Server 2022 Standard - Desktop Experience

  2. Download / Install PowerShell 7.4.x LTS

  3. Download / Install Terminal

  4. Perform Windows Updates

  5. Open Windows PowerShell as Admin (NOT PowerShell 7.4.x)

  6. Run commands:

    Install-Module PowerStig -Scope CurrentUser
    winrm quickconfig
    Set-NetConnectionProfile -InterfaceAlias 'Ethernet' -NetworkCategory Private
    Set-Item -Path WSMan:\localhost\MaxEnvelopeSizeKb -Value 8192
    $(Get-Module PowerStig -ListAvailable).RequiredModules | % { $PSITEM | Install-Module -Force }

    NOTE: Issue occurs with or without running the final command to install the modules. Unsure if that's just supposed to be executed on remote machines when you're running this from another machine. Seems like the error message I'm seeing is coming from the submodules inside of the PowerStig module.

  7. Close Windows PowerShell

  8. Create C:\temp\conf.ps1 with contents:

    configuration Example
    {
        param
        (
            [parameter()]
            [string]
            $NodeName = 'localhost'
        )

        Import-DscResource -ModuleName PowerStig

        Node $NodeName
        {
            WindowsServer BaseLine
            {
                OsVersion   = '2022'
                OsRole      = 'MS'
                DomainName  = 'sample.test'
                ForestName  = 'sample.test'
            }
        }
    }

Example


NOTE: Found contradictory instructions for Domain Name, Forest Name values. Have tried with those omitted and set to sample.test. Issue happens in both cases.

  9. Open Windows PowerShell as Admin

  10. Run commands:

    . C:\temp\conf.ps1
    Test-DscConfiguration -ComputerName 'localhost' -ReferenceConfiguration <localhost.mof from previous command>

**Expected behavior**
Return from command indicating most settings are not in compliance.

erjenkin commented 3 months ago

Hello @wheels387,

Thanks for creating the issue. I confirmed that rule 'v-254254.c' produces the error. The security group "Server Operators" should not be in this 'MS' STIG because it only exists on Domain Controllers.

Temp workaround - skip that rule (you could also use the exception format with PowerSTIG to update that rule to still apply without the "Server Operators" group):

configuration Example
{
    param
    (
        [parameter()]
        [string]
        $NodeName = 'localhost'
    )

    Import-DscResource -ModuleName PowerStig

    Node $NodeName
    {
        WindowsServer BaseLine
        {
            OsVersion   = '2022'
            OsRole      = 'MS'
            DomainName  = 'sample.test'
            ForestName  = 'sample.test'
            SkipRules = @('V-254254.c')
        }
    }
}

Example

Fix needed: Update the converted STIG for MemberServer 2022 to not include 'Server Operators'.

Thanks Eric
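The error in this thread comes from the `NTAccount.Translate` call failing for a principal that does not exist on a member server. As an added example (not PowerSTIG's code and not part of the thread), the script below shows the same resolution step in isolation so an operator can check, before running `Test-DscConfiguration`, which identities referenced by an access-control rule actually resolve on the target host. The list of principals is a constructed sample; the rule's real ACE list is not on this page.

```powershell
# Added example: resolve each identity the way a RegistryAccessEntry rule must,
# and report the ones that cannot be mapped to a SID on this host.
function Test-IdentityResolvable {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$Identity
    )

    foreach ($name in $Identity) {
        $result = [pscustomobject]@{
            Identity   = $name
            Sid        = $null
            Resolvable = $false
            Error      = $null
        }
        try {
            # Same API the DSC resource relies on: NTAccount -> SecurityIdentifier.
            $account = [System.Security.Principal.NTAccount]::new($name)
            $sid     = $account.Translate([System.Security.Principal.SecurityIdentifier])
            $result.Sid        = $sid.Value
            $result.Resolvable = $true
        }
        catch [System.Security.Principal.IdentityNotMappedException] {
            # This is the "Some or all identity references could not be translated" case.
            $result.Error = $_.Exception.Message
        }
        catch {
            # Any other failure (e.g. an empty name) is reported rather than thrown.
            $result.Error = $_.Exception.Message
        }
        $result
    }
}

# Constructed sample: principals a registry ACL rule might name. 'Server Operators'
# is a builtin alias that exists only on Domain Controllers, so on a member server
# it is expected to come back as unresolvable.
$rulePrincipals = @(
    'BUILTIN\Administrators',
    'NT AUTHORITY\SYSTEM',
    'CREATOR OWNER',
    'BUILTIN\Server Operators'
)

$report = Test-IdentityResolvable -Identity $rulePrincipals
$report | Format-Table -AutoSize

$unresolved = $report | Where-Object { -not $_.Resolvable }
if ($unresolved) {
    Write-Warning ("Identities not present on this host: " + ($unresolved.Identity -join ', '))
    Write-Warning "Rules that reference them will fail Test-TargetResource; skip or except those rules."
}
```

Run it in the same elevated Windows PowerShell session used for the repro steps. On a member server the last entry should be the only unresolvable one, which matches why `SkipRules = @('V-254254.c')` makes the baseline test complete.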

erjenkin commented 3 months ago

Created a PR to fix your issue, which will be released with the next version of PowerSTIG https://github.com/microsoft/PowerStig/pull/1361

Thank you, Eric

Wheels387 commented 3 months ago

Adding SkipRule = @('V-254254.c') to the configuration allowed everything to run as expected. Thank you for the quick response!