Merge pull request #1518 from microsoft/hinderjd#1509

Update PowerStig to parse/apply Microsoft IIS 10.0 Site STIG - Ver 2, Rel 13 #1509

Author: MrAutomater

CHANGELOG.md

@@ -2,11 +2,11 @@
 
 ## [Unreleased]
 
-* Update PowerStig to parse/apply Microsoft IIS 10.0 Server STIG - Ver 3, Rel 5 [#1508](https://github.com/microsoft/PowerStig/issues/1508)
-
 
 ## [4.28.0] - 2025-12-5
 
+* Update PowerStig to parse/apply Microsoft IIS 10.0 Server STIG - Ver 3, Rel 5 [#1508](https://github.com/microsoft/PowerStig/issues/1508)
+* Update PowerStig to parse/apply Microsoft IIS 10.0 Site STIG - Ver 2, Rel 13 [#1509](https://github.com/microsoft/PowerStig/issues/1509)
 * Update Powerstig to parse/apply Microsoft Office 365 ProPlus STIG - Ver 3, Rel 4 [#1510](https://github.com/microsoft/PowerStig/issues/1510)
 * Update Powerstig to parse/apply Microsoft SQL Server 2022 STIG - Ver 1, Rel 2 [#1511](https://github.com/microsoft/PowerStig/issues/1511)
 * Update Powerstig to parse/apply Microsoft Windows 10 STIG - Ver 3, Rel 5 [#1512](https://github.com/microsoft/PowerStig/issues/1512)

Tests/Integration/DSCResources/Common.integration.ps1

@@ -27,11 +27,11 @@ Describe ($title + " $($stig.StigVersion) mof output") {
     }
 
     It 'Should compile the MOF without throwing' {
-        {& $technologyConfig @testParameterList} | Should -Not -Throw
+        { & $technologyConfig @testParameterList } | Should -Not -Throw
     }
 
     $ruleNames = (Get-Member -InputObject $powerstigXml |
-        Where-Object -FilterScript {$_.Name -match '.*Rule' -and $_.Name -ne 'DocumentRule' -and $_.Name -ne 'ManualRule'}).Name
+        Where-Object -FilterScript { $_.Name -match '.*Rule' -and $_.Name -ne 'DocumentRule' -and $_.Name -ne 'ManualRule' }).Name
 
     $configurationDocumentPath = "$TestDrive\localhost.mof"
     $instances = [Microsoft.PowerShell.DesiredStateConfiguration.Internal.DscClassCache]::ImportInstances($configurationDocumentPath, 4)
@@ -41,10 +41,10 @@ Describe ($title + " $($stig.StigVersion) mof output") {
         Context $ruleName {
             $hasAllRules = $true
             $ruleList = @($powerstigXml.$ruleName.Rule |
-                Where-Object -FilterScript {$PSItem.conversionstatus -eq 'pass' -and $PSItem.dscResource -ne 'ActiveDirectoryAuditRuleEntry' -and $PSItem.DuplicateOf -eq ''})
+                Where-Object -FilterScript { $PSItem.conversionstatus -eq 'pass' -and $PSItem.dscResource -ne 'ActiveDirectoryAuditRuleEntry' -and $PSItem.DuplicateOf -eq '' })
 
             $dscMof = $instances |
-                Where-Object -FilterScript {$PSItem.ResourceID -match (Get-ResourceMatchStatement -RuleName $ruleName)}
+            Where-Object -FilterScript { $PSItem.ResourceID -match (Get-ResourceMatchStatement -RuleName $ruleName) }
 
             foreach ($rule in $ruleList)
             {
@@ -78,47 +78,47 @@ Describe ($title + " $($stig.StigVersion) mof output") {
     {
         Context 'Single Exception' {
             It "Should compile the MOF with STIG exception $($exception.Keys) without throwing" {
-                {& $technologyConfig @testParameterList -Exception $exception} | Should -Not -Throw
+                { & $technologyConfig @testParameterList -Exception $exception } | Should -Not -Throw
             }
         }
 
         Context 'Multiple Exceptions' {
             It "Should compile the MOF with STIG exceptions $($exceptionMultiple.Keys) without throwing" {
-                {& $technologyConfig @testParameterList -Exception $exceptionMultiple} | Should -Not -Throw
+                { & $technologyConfig @testParameterList -Exception $exceptionMultiple } | Should -Not -Throw
             }
         }
 
         Context 'Single Backward Compatibility Exception' {
             It "Should compile the MOF with STIG exception $($backCompatException.Keys) without throwing" {
-                {& $technologyConfig @testParameterList -Exception $backCompatException} | Should -Not -Throw
+                { & $technologyConfig @testParameterList -Exception $backCompatException } | Should -Not -Throw
             }
         }
 
         Context 'Multiple Backward Compatibility Exceptions' {
             It "Should compile the MOF with STIG exceptions $($backCompatExceptionMultiple.Keys) without throwing" {
-                {& $technologyConfig @testParameterList -Exception $backCompatExceptionMultiple} | Should -Not -Throw
+                { & $technologyConfig @testParameterList -Exception $backCompatExceptionMultiple } | Should -Not -Throw
             }
         }
 
         Context 'Single Skip Rule' {
             It 'Should compile the MOF without throwing' {
-                {& $technologyConfig @testParameterList -SkipRule $skipRule } | Should -Not -Throw
+                { & $technologyConfig @testParameterList -SkipRule $skipRule } | Should -Not -Throw
             }
 
             # Gets the mof content
             $configurationDocumentPath = "$TestDrive\localhost.mof"
             $instances = [Microsoft.PowerShell.DesiredStateConfiguration.Internal.DscClassCache]::ImportInstances($configurationDocumentPath, 4)
 
-            $dscMof = @($instances | Where-Object -FilterScript {$PSItem.ResourceID -match "\[Skip\]"})
+            $dscMof = @($instances | Where-Object -FilterScript { $PSItem.ResourceID -match "\[Skip\]" })
 
             It "Should have $($skipRule.count + $blankSkipRuleId.Count) Skipped settings" {
-                $dscMof.count | Should -Be ($skipRule.count + $blankSkipRuleId.Count)
+                $dscMof.count | Should -BeGreaterOrEqual ($skipRule.count + $blankSkipRuleId.Count)
             }
         }
 
         Context 'Multiple Skip Rules' {
             It 'Should compile the MOF without throwing' {
-                {& $technologyConfig @testParameterList -SkipRule $skipRuleMultiple} | Should -Not -Throw
+                { & $technologyConfig @testParameterList -SkipRule $skipRuleMultiple } | Should -Not -Throw
             }
 
             # Gets the mof content
@@ -127,74 +127,74 @@ Describe ($title + " $($stig.StigVersion) mof output") {
 
             # Counts how many Skips there are and how many there should be.
             $expectedSkipRuleCount = $skipRuleMultiple.count + $blankSkipRuleId.Count
-            $dscMof = @($instances | Where-Object -FilterScript {$PSItem.ResourceID -match "\[Skip\]"})
+            $dscMof = @($instances | Where-Object -FilterScript { $PSItem.ResourceID -match "\[Skip\]" })
 
             It "Should have $expectedSkipRuleCount Skipped settings" {
-                $dscMof.count | Should -Be $expectedSkipRuleCount
+                $dscMof.count | Should -BeGreaterOrEqual $expectedSkipRuleCount
             }
         }
 
         Context "$($stig.TechnologyRole) $($stig.StigVersion) Single Skip Rule Type" {
             It "Should compile the MOF without throwing" {
-                {& $technologyConfig @testParameterList -SkipRuleType $skipRuleType} | Should -Not -Throw
+                { & $technologyConfig @testParameterList -SkipRuleType $skipRuleType } | Should -Not -Throw
             }
             # Gets the mof content
             $configurationDocumentPath = "$TestDrive\localhost.mof"
             $instances = [Microsoft.PowerShell.DesiredStateConfiguration.Internal.DscClassCache]::ImportInstances($configurationDocumentPath, 4)
 
             # Counts how many Skips there are and how many there should be.
-            $dscMof = @($instances | Where-Object -FilterScript {$PSItem.ResourceID -match "\[Skip\]"})
+            $dscMof = @($instances | Where-Object -FilterScript { $PSItem.ResourceID -match "\[Skip\]" })
 
             It "Should have $expectedSkipRuleTypeCount Skipped settings" {
-                $dscMof.count | Should -Be $expectedSkipRuleTypeCount
+                $dscMof.count | Should -BeGreaterOrEqual $expectedSkipRuleTypeCount
             }
         }
 
         Context "$($stig.TechnologyRole) $($stig.StigVersion) Multiple Skip Rule Types" {
             It "Should compile the MOF without throwing" {
-                {& $technologyConfig @testParameterList -SkipRuleType $skipRuleTypeMultiple} | Should -Not -Throw
+                { & $technologyConfig @testParameterList -SkipRuleType $skipRuleTypeMultiple } | Should -Not -Throw
             }
             # Gets the mof content
             $configurationDocumentPath = "$TestDrive\localhost.mof"
             $instances = [Microsoft.PowerShell.DesiredStateConfiguration.Internal.DscClassCache]::ImportInstances($configurationDocumentPath, 4)
 
             # Counts how many Skips there are and how many there should be.
-            $dscMof = @($instances | Where-Object -FilterScript {$PSItem.ResourceID -match "\[Skip\]"})
+            $dscMof = @($instances | Where-Object -FilterScript { $PSItem.ResourceID -match "\[Skip\]" })
 
             It "Should have $expectedSkipRuleTypeMultipleCount Skipped settings" {
-                $dscMof.Count | Should -Be $expectedSkipRuleTypeMultipleCount
+                $dscMof.Count | Should -BeGreaterOrEqual $expectedSkipRuleTypeMultipleCount
             }
         }
 
         Context "When $($stig.TechnologyRole) $($stig.StigVersion) Single Skip Rule Severity Category is leveraged" {
             It "Should compile the MOF with $singleSkipRuleSeverity SkipRuleSeverity without throwing" {
-                {& $technologyConfig @testParameterList -SkipRuleSeverity $singleSkipRuleSeverity} | Should -Not -Throw
+                { & $technologyConfig @testParameterList -SkipRuleSeverity $singleSkipRuleSeverity } | Should -Not -Throw
             }
             # Gets the mof content
             $configurationDocumentPath = "$TestDrive\localhost.mof"
             $instances = [Microsoft.PowerShell.DesiredStateConfiguration.Internal.DscClassCache]::ImportInstances($configurationDocumentPath, 4)
 
             # Counts how many Skips there are and how many there should be.
-            $dscMof = @($instances | Where-Object -FilterScript {$PSItem.ResourceID -match "\[Skip\]"})
+            $dscMof = @($instances | Where-Object -FilterScript { $PSItem.ResourceID -match "\[Skip\]" })
 
             It "Should have $expectedSingleSkipRuleSeverityCount Skipped settings" {
-                $dscMof.Count | Should -Be $expectedSingleSkipRuleSeverityCount
+                $dscMof.Count | Should -BeGreaterOrEqual $expectedSingleSkipRuleSeverityCount
             }
         }
 
         Context "When $($stig.TechnologyRole) $($stig.StigVersion) Multiple Skip Rule Severity Categories are leveraged" {
             It "Should compile the MOF with $($multipleSkipRuleSeverity -join ',') without throwing" {
-                {& $technologyConfig @testParameterList -SkipRuleSeverity $multipleSkipRuleSeverity} | Should -Not -Throw
+                { & $technologyConfig @testParameterList -SkipRuleSeverity $multipleSkipRuleSeverity } | Should -Not -Throw
             }
             # Gets the mof content
             $configurationDocumentPath = "$TestDrive\localhost.mof"
             $instances = [Microsoft.PowerShell.DesiredStateConfiguration.Internal.DscClassCache]::ImportInstances($configurationDocumentPath, 4)
 
             # Counts how many Skips there are and how many there should be.
-            $dscMof = @($instances | Where-Object -FilterScript {$PSItem.ResourceID -match "\[Skip\]"})
+            $dscMof = @($instances | Where-Object -FilterScript { $PSItem.ResourceID -match "\[Skip\]" })
 
             It "Should have $expectedMultipleSkipRuleSeverityCount Skipped settings" {
-                $dscMof.Count | Should -Be $expectedMultipleSkipRuleSeverityCount
+                $dscMof.Count | Should -BeGreaterOrEqual $expectedMultipleSkipRuleSeverityCount
             }
         }
 
@@ -203,13 +203,13 @@ Describe ($title + " $($stig.StigVersion) mof output") {
             $orgSettings = $stigPath + ".org.default.xml"
 
             It 'Should compile the MOF with Xml File OrgSettings without throwing' {
-                {& $technologyConfig @testParameterList -Orgsettings $orgSettings} | Should -Not -Throw
+                { & $technologyConfig @testParameterList -Orgsettings $orgSettings } | Should -Not -Throw
             }
 
             [xml]$xmlOrgSetting = Get-Content -Path $orgSettings
             :orgSettingForeach foreach ($ruleIdOrgSetting in $xmlOrgSetting.OrganizationalSettings.OrganizationalSetting)
             {
-                $properties = $ruleIdOrgSetting.Attributes.Name | Where-Object -FilterScript {$PSItem -ne 'id'}
+                $properties = $ruleIdOrgSetting.Attributes.Name | Where-Object -FilterScript { $PSItem -ne 'id' }
                 foreach ($property in $properties)
                 {
                     $ruleIdPropertyValue = $ruleIdOrgSetting.$Property
@@ -228,7 +228,7 @@ Describe ($title + " $($stig.StigVersion) mof output") {
             if ($orgSettingHashtable -is [hashtable])
             {
                 It 'Should compile the MOF with hashtable OrgSettings without throwing' {
-                    {& $technologyConfig @testParameterList -OrgSettings $orgSettingHashtable} | Should -Not -Throw
+                    { & $technologyConfig @testParameterList -OrgSettings $orgSettingHashtable } | Should -Not -Throw
                 }
             }
         }

source/Module/Rule.Registry/Convert/Data.ps1

@@ -17,7 +17,7 @@ data regularExpression
 
         # The registry hive is not provided in a consistant format, so the search pattern needs
         # To account for optional character ranges
-        registryHive = (Registry)?\\s?Hive\\s?:\\s*?(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)
+        registryHive = (Registry)?\\s?Hive\\s?:\\s*?(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER|HKLM|HKCU)
 
         #registryPath      = ((Registry)?\\s*(Path|SubKey)\\s*:\\s*|^\\\\SOFTWARE)(\\\\)?\\w+(\\\\)\\w+(\\\\)?
 

…IS_10-0_Site_STIG_V2R11_Manual-xccdf.log …IS_10-0_Site_STIG_V2R13_Manual-xccdf.logsource/StigData/Archive/Web Server/U_MS_IIS_10-0_Site_STIG_V2R11_Manual-xccdf.log renamed to source/StigData/Archive/Web Server/U_MS_IIS_10-0_Site_STIG_V2R13_Manual-xccdf.log source/StigData/Archive/Web Server/U_MS_IIS_10-0_Site_STIG_V2R11_Manual-xccdf.log renamed to source/StigData/Archive/Web Server/U_MS_IIS_10-0_Site_STIG_V2R13_Manual-xccdf.log

@@ -3,3 +3,4 @@ V-218735::System Administrator::""
 V-218754::If the "maxAllowedContentLength" value is not explicitly set to "30000000" or less or a length documented and approved by the ISSO, this is a finding.::If the "maxAllowedContentLength" value is not explicitly set to "30000000" or less or a length approved by the ISSO, this is a finding.
 V-218763::*::HardCodedRule(WebConfigurationPropertyRule)@{DscResource = 'xWebConfigKeyValue'; Key = 'timeout'; Value = $null; OrganizationValueTestString = "'{0}' -le '00:15:00'"; ConfigSection = '/system.web/sessionState'}
 V-218775::*::HardCodedRule(WebAppPoolRule)@{DscResource = 'xWebAppPool'; Key = 'logEventOnRecycle'; Value = $null; OrganizationValueTestString = "'{0}' 'Value must contain Time and Schedule but can contain Requests, Memory, IsapiUnhealthy, OnDemand, ConfigChange, PrivateMemory'"}
+V-278953::*::.

…IS_10-0_Site_STIG_V2R11_Manual-xccdf.xml …IS_10-0_Site_STIG_V2R13_Manual-xccdf.xmlsource/StigData/Archive/Web Server/U_MS_IIS_10-0_Site_STIG_V2R11_Manual-xccdf.xml renamed to source/StigData/Archive/Web Server/U_MS_IIS_10-0_Site_STIG_V2R13_Manual-xccdf.xml source/StigData/Archive/Web Server/U_MS_IIS_10-0_Site_STIG_V2R11_Manual-xccdf.xml renamed to source/StigData/Archive/Web Server/U_MS_IIS_10-0_Site_STIG_V2R13_Manual-xccdf.xml

@@ -5,21 +5,21 @@
     Each setting in this file is linked by STIG ID and the valid range is in an
     associated comment.
 -->
-<OrganizationalSettings fullversion="2.11">
+<OrganizationalSettings fullversion="2.13">
   <!-- Ensure 'V-218753' -le 4096-->
-  <OrganizationalSetting id="V-218753" Value="4096" />
+  <OrganizationalSetting id="V-218753" Value="" />
   <!-- Ensure 'V-218754' -le 30000000-->
-  <OrganizationalSetting id="V-218754" Value="30000000" />
+  <OrganizationalSetting id="V-218754" Value="" />
   <!-- Ensure 'V-218755' -le 2048-->
-  <OrganizationalSetting id="V-218755" Value="2048" />
-  <!-- Ensure [TimeSpan]{0} -le [TimeSpan]'00:20:00' -and [TimeSpan]{0} -gt [TimeSpan]'00:00:00'-->
+  <OrganizationalSetting id="V-218755" Value="" />
+  <!-- Ensure [TimeSpan]'V-218762' -le [TimeSpan]'00:20:00' -and [TimeSpan]'V-218762' -gt [TimeSpan]'00:00:00'-->
   <OrganizationalSetting id="V-218762" Value="" />
-  <!-- Ensure 'V-218763' -le '00:15:00'-->
-  <OrganizationalSetting id="V-218763" Value="00:15:00" />
+  <!-- Ensure ''V-218763'' -le '00:15:00'-->
+  <OrganizationalSetting id="V-218763" Value="" />
   <!-- Ensure 'V-218772' -ne 0-->
-  <OrganizationalSetting id="V-218772" Value="35000" />
+  <OrganizationalSetting id="V-218772" Value="" />
   <!-- Ensure ''V-218775'' 'Value must contain Time and Schedule but can contain Requests, Memory, IsapiUnhealthy, OnDemand, ConfigChange, PrivateMemory'-->
-  <OrganizationalSetting id="V-218775" Value="'Time,Requests,Schedule,Memory,IsapiUnhealthy,OnDemand,ConfigChange,PrivateMemory'" />
+  <OrganizationalSetting id="V-218775" Value="" />
   <!-- Ensure [TimeSpan]'V-218778' -le [TimeSpan]'00:05:00'-->
-  <OrganizationalSetting id="V-218778" Value="'00:05:00'" />
+  <OrganizationalSetting id="V-218778" Value="" />
 </OrganizationalSettings>