nsacyber / Windows-Secure-Host-Baseline

Configuration guidance for implementing the Windows 10 and Windows Server 2016 DoD Secure Host Baseline settings. #nsacyber

Windows 10 IIS Compliance Audit Insufficient #34

Closed fsteves closed 7 years ago

fsteves commented 7 years ago

I recently ran into issues with STIG ID WN10-00-000100 and a false positive using the OVAL content. To double-check myself, I looked at what the Windows10.audit file expected and noticed it would be insufficient for determining whether IIS is actually installed and running on the system.

The "Windows Process Activation Service" will also install IIS on the system.

The compliance audit run against this verifies that the number of "Enabled" entries is greater than 0 using PowerShell, with powershell_args: "((Get-WindowsOptionalFeature -Online -FeatureName IIS*).State | select-string 'Enabled').Count". This doesn't catch this instance of the WPA service or its IIS components installed to C:\Windows\System32\inetsrv.

However, if the registry key HKLM\SOFTWARE\Microsoft\Inetstp\Components exists, it generally points to an instance of IIS being installed, based on the OVAL method.

That is about as far as I got before I removed it and moved on.

iadgovuser1 commented 7 years ago

@fsteves

Two questions for clarifications:

  1. Are you saying the OVAL method, which uses the registry value that you noted, is a false positive?
  2. Are you saying that the .audit is also producing a false positive or that it is just missing the case for detecting when only WPA components are installed?

iadgovuser1 commented 7 years ago

This should probably fix it if I'm understanding you correctly:

Get-WindowsOptionalFeature -Online | Where-Object { $_.FeatureName -like 'IIS-*' -or $_.FeatureName -like 'WAS-*' }

Get-WindowsOptionalFeature is slow though. This might be a better check because it is much faster (it works whether or not the service is running, but I'm not sure if it is reliable for WPA/WPAS):

Get-WmiObject -Class 'Win32_Service' -Filter "Name='W3Svc'"

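As an added example for this thread (not code from the repository, the .audit file, or either commenter), the following function pulls together the indicators discussed above: the HKLM\SOFTWARE\Microsoft\Inetstp\Components key that the OVAL content keys on, the W3SVC service check suggested here, the WAS (Windows Process Activation Service) service that fsteves noted also installs IIS components, and the IIS-*/WAS-* optional-feature query. It assumes Windows 10 / Server 2016 with Windows PowerShell 5.x and an elevated session for Get-WindowsOptionalFeature; the function name Test-IisInstalled and the -SkipOptionalFeatures switch are my own.

```powershell
# Added example, not part of the Windows-Secure-Host-Baseline project.
# Combines the IIS-presence indicators discussed in the thread so a single
# missed case (e.g. only WPAS components installed) does not produce a
# false negative. Assumes an elevated Windows PowerShell 5.x session.
function Test-IisInstalled {
    [CmdletBinding()]
    param(
        # Get-WindowsOptionalFeature is slow; allow callers to skip it and rely
        # on the quick registry/service indicators only.
        [switch]$SkipOptionalFeatures
    )

    $indicators = [ordered]@{}

    # 1. Registry marker used by the OVAL content. It is written when any IIS
    #    component is installed, including those pulled in by WPAS.
    $indicators['InetstpComponentsKey'] =
        Test-Path -Path 'HKLM:\SOFTWARE\Microsoft\Inetstp\Components'

    # 2. inetsrv directory mentioned in the report. Reported for context only:
    #    a stub directory can exist on a clean install, so it is not counted.
    $indicators['InetsrvDirectory'] =
        Test-Path -Path (Join-Path $env:SystemRoot 'System32\inetsrv')

    # 3. Services: W3SVC (World Wide Web Publishing) and WAS (Windows Process
    #    Activation Service). Get-CimInstance is the supported successor to
    #    Get-WmiObject and answers whether the service exists at all.
    foreach ($svc in 'W3SVC', 'WAS') {
        $obj = Get-CimInstance -ClassName Win32_Service -Filter "Name='$svc'" -ErrorAction SilentlyContinue
        $indicators["Service_$svc"] = [bool]$obj
        $indicators["Service_${svc}_State"] = if ($obj) { $obj.State } else { 'Absent' }
    }

    # 4. Optional features, matching both IIS-* and WAS-* names so the
    #    WPAS-only case from the report is covered.
    if (-not $SkipOptionalFeatures) {
        $enabled = Get-WindowsOptionalFeature -Online |
            Where-Object {
                ($_.FeatureName -like 'IIS-*' -or $_.FeatureName -like 'WAS-*') -and
                $_.State -eq 'Enabled'
            } |
            Select-Object -ExpandProperty FeatureName
        $indicators['EnabledFeatures'] = @($enabled)
    }

    # Any one positive indicator is enough to raise the finding for review;
    # the per-indicator detail is returned so the auditor can see which fired.
    $hit = $indicators['InetstpComponentsKey'] -or
           $indicators['Service_W3SVC'] -or
           $indicators['Service_WAS'] -or
           ($indicators.Contains('EnabledFeatures') -and $indicators['EnabledFeatures'].Count -gt 0)

    [pscustomobject]@{
        IisPresent = [bool]$hit
        Indicators = $indicators
    }
}

# Usage: run elevated and inspect which indicators fired.
Test-IisInstalled | Format-List
```

The quick indicators (registry key and the two services) run in milliseconds; the optional-feature query is the slow path the thread warns about, so it is kept last and can be skipped. For a compliance check the conservative choice is to flag when any indicator is positive and let the reviewer confirm, rather than requiring all of them to agree.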
fsteves commented 7 years ago

The OVAL provides a positive result, and the audit file can potentially miss the fact that it is installed because it wasn't installed from the IIS features.

On May 26, 2017, at 12:04, D76C6399A0F334216B3A58BE07C3C3137D5E14542BC13CA38EB0800D9FFC1FE6 notifications@github.com wrote:

This should probably fix it:

Get-WindowsOptionalFeature -Online | Where-Object { $_.FeatureName -like 'IIS-*' -or $_.FeatureName -like 'WAS-*' }

Get-WindowsOptionalFeature is slow though. This might be a better check because it is much faster:

Get-WmiObject -Class 'Win32_Service' -Filter "Name='W3Svc'"

iadgovuser1 commented 7 years ago

Noting some references for that registry path: