Win10 Client STIGS Process Mitigations

[Cj-Scott]

Describe the bug The following V-ID's report as not configured appropriately but I have validated they are manually. I believe the bug may be in the STIG conversion. The STIG lists the process names in Capital letters but the command in case sensitive and does not return the process if Capital letters are used. This could be the case for more V-ID's but have confirmed the case for these.

V-77201 V-77221 V-77231 V-77233 V-77243 V-77247 V-77259 V-77263

Example Get-ProcessMitigation -Name msaccess.exe -> Returns the mitigations settings correctly Get-ProcessMitigation -Name MSAACCESS.EXE -> Returns null

[athaynes]

@Cj-Scott I can't reproduce the behavior you are describing on ShB 1709. I noticed that you have a small typo in your null example above. I tried each of the Rues that you identified and they all return results in any case I tried. I looked at the STIG data we have published as well and the spelling looks correct. What version of Windows 10 are you working with and what version of the STIG are you trying to apply/audit?

[Cj-Scott]

We are working with Windows 10 LTSC 2019. Sorry about the typo, It wasn't present during testing.

I will reproduce and capture results. Can I send it via Internal email?

[athaynes]

Yeah send it over.

[Cj-Scott]

@athaynes after several tests Ive only been able to repro the issue 1 time and I cant nail down what caused it. But I do see V-77191 consistently failing with. Destination array was not long enough. Check destIndex and length, and the array's lower bounds.

• CategoryInfo : NotSpecified: (:) [], CimException
• FullyQualifiedErrorId : System.ArgumentException,Microsoft.Samples.PowerShell.Commands.SetProcessMitigationsCommand
• PSComputerName : CJ-TEST-NNDM

The PowerShell DSC resource '[ProcessMitigation]AcroRd32.exe-V-77191::[WindowsClient]STIGBaseLine' with SourceInfo 'C:\Program Files\WindowsPowerShell\Modules\PowerSTIG\2.3.1.0\DSCResources\Resources\windows.ProcessMitigation.ps1::30::5::P rocessMitigation' threw one or more non-terminating errors while running the Set-TargetResource functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details.

• CategoryInfo : InvalidOperation: (:) [], CimException
• FullyQualifiedErrorId : NonTerminatingErrorFromProvider
• PSComputerName : CJ-TEST-NNDM

[athaynes]

If call the resource directly using the text from the xml in PowerSTIG\StigData\Processed, do you get the same behavior?

[Cj-Scott]

You mean run the command listed in the xml? Get-ProcessMitigation -Name AcroRd32.exe I do not get an error I get the returned results not set per the stig.

[athaynes]

Sorry I meant if you use the ProcessMitigation resource directly and not use the WindowsClient composite.

[athaynes]

@Cj-Scott I wanted to follow up to see if I can close this issue or if you need additional help.

[Cj-Scott]

Yes Thank you for your assistance.