Not able to apply Registry Rules on AWS Windows host
seanlogan-wh opened this issue · 3 comments
Describe the bug
My team is applying PowerStig to our Windows hosts and we have to skip the RegistryRule, otherwise PowerShell breaks for us. It looks related to WinRM or Windows Remote Shell, but I have not been able to find a setting that allows PowerShell to work after applying the STIG.
To Reproduce
We are running a Windows host in the AWS cloud using this AMI: ami-0595b708bb9f30517
- CIS Microsoft Windows Server 2016 Benchmark v2.0.0.6 - Level 2-9652b83a-72cf-4084-82a9-8ce71a17d573
- Install PowerStig
- Run PowerStig with all the default settings ( OsVersion = '2016', OsRole = 'MS' )
- After the host reboots, we are not able to continue the configuration using the Start-DscConfiguration -UseExisting command. It reports the error "Not enough storage is available to complete this operation."
Expected behavior
PowerStig is fully applied and the host is still usable.
Additional context
We had to apply a skipRuleType for @('RegistryRule') and apply those settings manually to meet compliance.
Thanks.
Hello @seanlogan-wh,
I have not seen this on standard Windows Server 2016 VMs. Could you try to deploy on a non-CIS image? CIS has its own security configurations that don't always map to STIG, and I would just like to determine if this is a PowerSTIG issue or an issue with the CIS image.
Thank you,
Eric
Hi Eric,
It looks like it is an issue just with the CIS image we are using. We are stuck on the current AMI for the time being so we just skipped those rules and applied manually. Was hoping it was something you had seen before and knew a fix for.
Thanks.
Hello @seanlogan-wh
I would recommend filing a ticket with the creator of the image - they should be able to drill down to what in their configuration could be causing that storage error with the RemoteRM listener. If I were going to dig in, I would start with "Get-Item -Path WSMan:\localhost\MaxEnvelopeSizeKb" (to ensure your document size isn't too small; you could always increase it for test purposes) and check the differences (if any) between the CIS and non-CIS images with "Get-DscLocalConfigurationManager".
I will leave this thread open for when you find the solution.
Thank you,
Eric
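Eric's two suggested checks, written up as an added example so they can be run identically on a CIS-hardened host and a stock Server 2016 host and the results diffed. This is not code from the thread or from PowerSTIG. The MaxEnvelopeSizeKb item and Get-DscLocalConfigurationManager are the checks named above; including the WSMan shell quotas under WSMan:\localhost\Shell is an assumption about what else is worth comparing, and the function names, file paths and the example envelope value are all invented for this illustration.

```powershell
# Added example (not from PowerSTIG or the thread): snapshot the WinRM/DSC settings
# Eric names so a CIS image and a stock Server 2016 image can be compared.
# Run elevated on each host; the WinRM service must be running for the WSMan: drive to load.

function Get-WinRmDscBaseline {
    [CmdletBinding()]
    param()

    $baseline = [ordered]@{}

    # The setting Eric suggests checking first: a DSC configuration document larger
    # than this envelope cannot be delivered over WinRM.
    $baseline['MaxEnvelopeSizeKb'] = (Get-Item -Path WSMan:\localhost\MaxEnvelopeSizeKb).Value

    # Assumption (not from the thread): the per-shell resource quotas under
    # WSMan:\localhost\Shell (MaxMemoryPerShellMB, MaxShellsPerUser, ...) are the
    # other remote-shell limits worth comparing between the two images.
    Get-ChildItem -Path WSMan:\localhost\Shell | ForEach-Object {
        $baseline["Shell.$($_.Name)"] = $_.Value
    }

    # Eric's second check: the Local Configuration Manager settings.
    $lcm = Get-DscLocalConfigurationManager
    foreach ($p in 'RefreshMode', 'ConfigurationMode', 'RebootNodeIfNeeded', 'ActionAfterReboot', 'LCMState') {
        $baseline["LCM.$p"] = $lcm.$p
    }

    [pscustomobject]$baseline
}

function Export-WinRmDscBaseline {
    param([Parameter(Mandatory)][string]$Path)
    Get-WinRmDscBaseline | ConvertTo-Json -Depth 3 | Set-Content -Path $Path -Encoding UTF8
}

function Compare-WinRmDscBaseline {
    param(
        [Parameter(Mandatory)][string]$ReferencePath,   # snapshot from the stock (non-CIS) host
        [Parameter(Mandatory)][string]$DifferencePath   # snapshot from the CIS host
    )
    $ref  = Get-Content -Raw -Path $ReferencePath  | ConvertFrom-Json
    $diff = Get-Content -Raw -Path $DifferencePath | ConvertFrom-Json

    # Emit one row per setting whose value differs between the two hosts.
    foreach ($name in $ref.PSObject.Properties.Name) {
        $a = [string]$ref.$name
        $b = [string]$diff.$name
        if ($a -ne $b) {
            [pscustomobject]@{ Setting = $name; Reference = $a; Difference = $b }
        }
    }
}

# Usage (paths are placeholders):
#   On each host:          Export-WinRmDscBaseline -Path C:\temp\winrm-baseline.json
#   With both files:       Compare-WinRmDscBaseline -ReferencePath .\stock.json -DifferencePath .\cis.json
#   Eric's test-only step of raising the envelope size (example value):
#                          Set-Item -Path WSMan:\localhost\MaxEnvelopeSizeKb -Value 8192
```

Because the two snapshots are plain JSON, the comparison can be done off the hosts, and the same export can be re-run after each skipped RegistryRule is applied by hand to see which change actually flips a WinRM or LCM value.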