Incorrect domain role condition
karikarshivani commented
Some controls may have an incorrect domain role condition. For example, in V-73495, the check text states:
> This applies to member servers. For domain controllers and standalone systems, this is NA.
So the code should be:
```ruby
# Read the host's domain role; Findstr /v drops the "DomainRole" header line.
domain_role = command('wmic computersystem get domainrole | Findstr /v DomainRole').stdout.strip
# DomainRole 3 is a member server; every other role is not applicable.
if !(domain_role == '3')
  impact 0.0
  describe 'This control is not applicable as it only applies to member servers.' do
    skip 'This control is not applicable as it only applies to member servers.'
  end
else
  describe registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System') do
    it { should have_property 'LocalAccountTokenFilterPolicy' }
    its('LocalAccountTokenFilterPolicy') { should cmp 0 }
  end
end
```
Reference for domain role values
Thanks @damif5 for catching this!
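
The following is an added example, not part of the original issue or the profile's code: a plain-Ruby sketch of the domain role decision that generalizes the member-server case above to other applicability scopes and treats an unreadable role as undetermined rather than not applicable. The scope names, function names and sample outputs are assumptions constructed for illustration; the role numbers are the `Win32_ComputerSystem.DomainRole` values.

```ruby
# Win32_ComputerSystem.DomainRole values.
DOMAIN_ROLES = {
  0 => :standalone_workstation,
  1 => :member_workstation,
  2 => :standalone_server,
  3 => :member_server,
  4 => :backup_domain_controller,
  5 => :primary_domain_controller
}.freeze

# Hypothetical scope names for the applicability statements in check text.
SCOPES = {
  member_servers:     [:member_server],
  domain_controllers: [:backup_domain_controller, :primary_domain_controller],
  standalone_systems: [:standalone_workstation, :standalone_server]
}.freeze

# Parse raw `wmic computersystem get domainrole` output (optional header,
# CRLF line endings, trailing blanks). Returns a role symbol, or nil when
# the output does not contain exactly one 0-5 value (command failed/missing).
def parse_domain_role(raw)
  values = raw.to_s.lines.map(&:strip).reject { |l| l.empty? || l.casecmp?('DomainRole') }
  return nil unless values.length == 1 && values.first.match?(/\A[0-5]\z/)
  DOMAIN_ROLES[values.first.to_i]
end

# Decide what a control limited to `scope` should do on this host:
#   :evaluate       - run the check
#   :not_applicable - impact 0.0 and skip
#   :undetermined   - role unknown; do not mark N/A, surface it for review
def applicability(raw, scope)
  allowed = SCOPES.fetch(scope)
  role = parse_domain_role(raw)
  return :undetermined if role.nil?
  allowed.include?(role) ? :evaluate : :not_applicable
end

# Constructed sample outputs, not captured from a real host.
SAMPLES = {
  "DomainRole  \r\n3           \r\n\r\n" => 'member server',
  "DomainRole  \r\n5           \r\n\r\n" => 'primary DC',
  ''                                     => 'no output'
}.freeze

SAMPLES.each do |raw, label|
  puts format('%-15s member_servers => %s', label, applicability(raw, :member_servers))
end
```

Returning `:undetermined` for empty or unparseable output keeps a failed role lookup from silently turning a finding into a skipped control.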