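PowerShell DSC cannot apply STIG rule V-63373

Time: 2019-04-12 05:13:32

Tags: powershell security dsc system-administration powershell-dsc

I am trying to apply STIGs to a Windows client using the PowerSTIG module. https://github.com/Microsoft/PowerStig

This module uses PowerShell DSC as its underlying technology.

I am using this STIG version. https://github.com/Microsoft/PowerStig/blob/dev/StigData/Archive/Windows.Client/U_Windows_10_STIG_V1R16_Manual-xccdf.xml

After running the Start-DscConfiguration command to apply the above configuration, STIG V-63373 cannot be applied, i.e. "Permissions for system files and directories must conform to minimum requirements." Find the details here: https://www.stigviewer.com/stig/windows_10/2018-04-06/finding/V-63373

The default file permissions for the C:\ drive should be as follows: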

c:\
BUILTIN\Administrators:(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
BUILTIN\Users:(OI)(CI)(RX)
NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(M)
NT AUTHORITY\Authenticated Users:(AD)
Mandatory Label\High Mandatory Level:(OI)(NP)(IO)(NW)
Successfully processed 1 files; Failed processing 0 files

But my system's default file and directory permissions are as follows:

c:\ BUILTIN\Administrators:(OI)(CI)(F)
    NT AUTHORITY\SYSTEM:(OI)(CI)(F)
    CREATOR OWNER:(OI)(CI)(IO)(F)
    BUILTIN\Users:(OI)(CI)(RX)
    BUILTIN\Users:(CI)(AD)
    BUILTIN\Users:(CI)(IO)(WD)
    Everyone:(RX)

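The STIG also mentions that the security option "Network access: Let Everyone permissions apply to anonymous users" should be set to "Disabled". It is set to Disabled.

Below is the error recorded in the DSC operational log after applying the DSC configuration: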

4/10/2019 9:25:02 AM    Job {836FE066-5B72-11E9-9074-000D3AF2D729} : 
MIResult: 1
Error Message: The PowerShell DSC resource '[NTFSAccessEntry][V-63373.a][medium][WN10-00-000095]::[WindowsClient]STIGBaseLine' with SourceInfo 'C:\Program Files\WindowsPowerShell\Modules\PowerSTIG\3.1.0\DSCResources\Resources\windows.AccessControl.ps1::60::13::NTFSAccessEntry' threw one or more non-terminating errors while running the Set-TargetResource functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details.
Message ID: NonTerminatingErrorFromProvider
Error Category: 7
Error Code: 1
Error Type: MI  

0 answers:

No answers
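
Added example (not part of the original question, and not PowerSTIG code): the PowerShell below parses the two icacls listings quoted in the question and reports which ACEs differ between the expected C:\ listing and the one from the poster's system. The function names ConvertFrom-IcaclsText and Compare-AclListing are hypothetical helpers, and the parser assumes a drive-root path with no spaces in it.

```powershell
# Both listings are copied from the question above and embedded as sample input.
# On a live system the second one could come from: (icacls C:\) -join "`n"
$expectedText = @'
c:\
BUILTIN\Administrators:(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
BUILTIN\Users:(OI)(CI)(RX)
NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(M)
NT AUTHORITY\Authenticated Users:(AD)
Mandatory Label\High Mandatory Level:(OI)(NP)(IO)(NW)
Successfully processed 1 files; Failed processing 0 files
'@
$actualText = @'
c:\ BUILTIN\Administrators:(OI)(CI)(F)
    NT AUTHORITY\SYSTEM:(OI)(CI)(F)
    CREATOR OWNER:(OI)(CI)(IO)(F)
    BUILTIN\Users:(OI)(CI)(RX)
    BUILTIN\Users:(CI)(AD)
    BUILTIN\Users:(CI)(IO)(WD)
    Everyone:(RX)
'@

function ConvertFrom-IcaclsText {    # hypothetical helper name
    param([string]$Text)
    foreach ($line in $Text -split "`r?`n") {
        # Drop a leading drive-root path ("c:\") so only "identity:(flags)" remains.
        $entry = ($line -replace '^\s*[A-Za-z]:\\\s*', '').Trim()
        # Keep ACE lines only; the path-only line and the icacls summary line do not match.
        if ($entry -match '^(?<id>[^:]+):(?<flags>(\([A-Z,]+\))+)$') {
            '{0}:{1}' -f $Matches.id.Trim(), $Matches.flags
        }
    }
}

function Compare-AclListing {        # hypothetical helper name
    param([string]$Expected, [string]$Actual)
    $want = @(ConvertFrom-IcaclsText $Expected)
    $have = @(ConvertFrom-IcaclsText $Actual)
    [pscustomobject]@{
        Missing    = @($want | Where-Object { $_ -notin $have })   # expected, not on system
        Unexpected = @($have | Where-Object { $_ -notin $want })   # on system, not expected
    }
}

$diff = Compare-AclListing -Expected $expectedText -Actual $actualText
'ACEs in the expected listing but not on the system:'; $diff.Missing
'ACEs on the system but not in the expected listing:'; $diff.Unexpected
```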