diff --git a/CONTRIBUTING.rst b/CONTRIBUTING.rst index 14a8ffe..a5c4e03 100644 --- a/CONTRIBUTING.rst +++ b/CONTRIBUTING.rst @@ -1,6 +1,19 @@ Contributing to MindPoint Group Projects ======================================== +Rules +----- +1) All commits must be GPG signed (details in Signing section) +2) All commits must have Signed-off-by (Signed-off-by: Joan Doe ) in the commit message (details in Signing section) +3) All work is done in your own branch +4) All pull requests go into the devel branch. There are automated checks for signed commits, signoff in commit message, and functional testing) +5) Be open and nice to eachother + +Workflow +-------- +- Your work is done in your own individual branch. Make sure to to Signed-off and GPG sign all commits you intend to merge +- All community Pull Requests are into the devel branch. There are automated checks for GPG signed, Signed-off in commits, and functional tests before being approved. If your pull request comes in from outside of our repo, the pull request will go into a staging branch. There is info needed from our repo for our CI/CD testing. +- Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release Signing your contribution ------------------------- @@ -50,4 +63,4 @@ following text in your contribution commit message: This message can be entered manually, or if you have configured git with the correct `user.name` and `user.email`, you can use the `-s` -option to `git commit` to automatically include the signoff message. +option to `git commit` to automatically include the signoff message. \ No newline at end of file diff --git a/README.md b/README.md index 6bd57b6..dad434f 100644 --- a/README.md +++ b/README.md 
@@ -1,11 +1,69 @@ Windows Server 2019 CIS ========= +![Release](https://img.shields.io/github/v/release/ansible-lockdown/Windows-2019-CIS?style=plastic) -Configure a Windows Server 2019 system to be CIS compliant. +Configure a Windows Server 2019 system to be CIS compliant. All findings will be audited by default. Non-disruptive Section 1, Section 2, Section 9, Section 17, Section 18, and Section 19 findings will be corrected by default. -This role is based on CIS Microsoft Windows Server 2019: [Version 1.1.0 Rel 1809 released on Janurary 14, 2020] (https://workbench.cisecurity.org/benchmarks/4846). +Caution(s) +------- +This role **will make changes to the system** that could break things. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted. + +This role was developed against a clean install of the Operating System. If you are implimenting to an existing system please review this role for any site specific changes that are needed. + +To use release version please point to main branch +Based on [Windows Server 2019 CIS v1.1.0 01-14-2020](https://downloads.cisecurity.org/#/). + +Documentation +------------- +[Getting Started](https://www.lockdownenterprise.com/docs/getting-started-with-lockdown)
+[Customizing Roles](https://www.lockdownenterprise.com/docs/customizing-lockdown-enterprise)
+[Per-Host Configuration](https://www.lockdownenterprise.com/docs/per-host-lockdown-enterprise-configuration)
+[Getting the Most Out of the Role](https://www.lockdownenterprise.com/docs/get-the-most-out-of-lockdown-enterprise)
+[Wiki](https://github.com/ansible-lockdown/Windows-2019-CIS/wiki)
+[Repo GitHub Page](https://ansible-lockdown.github.io/Windows-2019-CIS/)
Requirements ------------ +**General:** +- Basic knowledge of Ansible, below are some links to the Ansible documentation to help get started if you are unfamiliar with Ansible + - [Main Ansible documentation page](https://docs.ansible.com) + - [Ansible Getting Started](https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html) + - [Tower User Guide](https://docs.ansible.com/ansible-tower/latest/html/userguide/index.html) + - [Ansible Community Info](https://docs.ansible.com/ansible/latest/community/index.html) +- Functioning Ansible and/or Tower Installed, configured, and running. This includes all of the base Ansible/Tower configurations, needed packages installed, and infrastructure setup. +- Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consiquences in a live production system. Also familiarize yourself with the variables in the defaults/main.yml file or the [Main Variables Wiki Page](https://github.com/ansible-lockdown/Windows-2019-CIS/wiki/Main-Variables). + +**Technical Dependencies:** +- Running Ansible/Tower setup (this role is tested against Ansible version 2.9.1 and newer) + +The following packages must be installed on the controlling host/host where ansible is executed: + +- passlib (or python2-passlib, if using python2) +- python-lxml +- python-xmltodict +- python-jmespath +- pywinrm + +Package 'python-xmltodict' is required if you enable the OpenSCAP tool installation and run a report. Packages python(2)-passlib and python-jmespath are required for tasks with custom filters or modules. These are all required on the controller host that executes Ansible. + +Role Variables +-------------- +This role is designed that the end user should not have to edit the tasks themselves. All customizing should be done via the defaults/main.yml file or with extra vars within the project, job, workflow, etc. 
These variables can be found [here](https://github.com/ansible-lockdown/Windows-2019-CIS/wiki/Main-Variables) in the Main Variables Wiki page. All variables are listed there along with descriptions. + +Branches +-------- +- **devel** - This is the default branch and the working development branch. Community pull requests will pull into this branch +- **main** - This is the release branch +- **reports** - This is a protected branch for our scoring reports, no code should ever go here +- **gh-pages** - This is the github pages branch +- **all other branches** - Individual community member branches + +Community Contribution +---------------------- + +We encourage you (the community) to contribute to this role. Please read the rules below. -Windows Server 2019 - Other versions are not supported. \ No newline at end of file +- Your work is done in your own individual branch. Make sure to Signed-off and GPG sign all commits you intend to merge. +- All community Pull Requests are pulled into the devel branch +- Pull Requests into devel will confirm your commits have a GPG signature, Signed-off, and a functional test before being approved +- Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release \ No newline at end of file diff --git a/defaults/main.yml b/defaults/main.yml index 63d36ca..8382e3e 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -208,6 +208,8 @@ rule_9_3_10: true # section17 rule_17_1_1: true +rule_17_1_2: true +rule_17_1_3: true rule_17_2_1: true rule_17_2_2: true rule_17_2_3: true @@ -257,6 +259,7 @@ rule_18_3_3: true rule_18_3_4: true rule_18_3_5: true rule_18_3_6: true +rule_18_3_7: true rule_18_4_1: true rule_18_4_2: true rule_18_4_3: true 
@@ -334,12 +337,12 @@ rule_18_8_36_1: true rule_18_8_36_2: true rule_18_8_37_1: true rule_18_8_37_2: true -rule_18_8_45_1: true rule_18_8_45_5_1: true -rule_18_8_45_11_1: true -rule_18_8_47_1: true -rule_18_8_50_1_1: true -rule_18_8_50_1_2: true +rule_18_8_47_5_1: true +rule_18_8_47_11_1: true +rule_18_8_49_1: true +rule_18_8_52_1_1: true +rule_18_8_52_1_2: true rule_18_9_4_1: true rule_18_9_6_1: true rule_18_9_8_1: true @@ -509,4 +512,9 @@ public_firewall_log_path: '%SystemRoot%\System32\logfiles\firewall\publicfw.log' # 9.3.8 # public_firewall_log_size is the size of the log file # To conform to CIS stadnards the value should be 16,384 or greater. Value is in KB -public_firewall_log_size: 16,384 \ No newline at end of file +public_firewall_log_size: 16,384 + +# 18.3.6 +# netbt_nodetype is the node type value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters:NodeType +# Options are B-node value of 1, P-node value of 2, M-node value of 4, H-node value of 8. P-node is the recommended setting from CIS +netbt_nodetype: 2 \ No newline at end of file diff --git a/tasks/section01.yml b/tasks/section01.yml index ea51705..8ea7d90 100644 --- a/tasks/section01.yml +++ b/tasks/section01.yml 
@@ -1,105 +1,92 @@ --- -- name: "SCORED | 1.1.1 | AUDIT | L1 Ensure Enforce password history is set to 24 or more passwords" - assert: - that: passwordhistorysize | int is version('24', '>=') - fail_msg: "Password history must be configured to 24 passwords remembered and variable passwordhistorysize is set to {{ passwordhistorysize }}" - register: result - changed_when: no - ignore_errors: yes - when: rule_1_1_1 - tags: - - level1 - - level2 - - rule_1.1.1 - - audit - - name: "SCORED | 1.1.1 | PATCH | L1 Ensure Enforce password history is set to 24 or more passwords" - win_security_policy: - section: System Access - key: PasswordHistorySize - value: "{{ passwordhistorysize }}" - when: rule_1_1_1 + block: + - name: "SCORED | 1.1.1 | AUDIT | L1 Ensure Enforce password history is set to 24 or more passwords" + assert: + that: passwordhistorysize | int is version('24', '>=') + fail_msg: "Password history must be configured to 24 passwords remembered and variable passwordhistorysize is set to {{ passwordhistorysize }}" + changed_when: false + ignore_errors: true + register: result + + - name: "SCORED | 1.1.1 | PATCH | L1 Ensure Enforce password history is set to 24 or more passwords" + win_security_policy: + section: System Access + key: PasswordHistorySize + value: "{{ passwordhistorysize }}" + when: + - rule_1_1_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_1.1.1 - patch -- name: "SCORED | 1.1.2 | AUDIT | L1 Ensure Maximum password age is set to 60 or fewer days but not 0" - assert: - that: maximumpasswordage | int is version('60', '<=') - fail_msg: "Maximum password age must be configured to 60 days or less and variable maximumpasswordage is set to {{ maximumpasswordage }}" - register: result - changed_when: no - ignore_errors: yes - when: rule_1_1_2 - tags: - - level1 - - level2 - - rule_1.1.2 - - audit - - name: "SCORED | 1.1.2 | PATCH | L1 Ensure Maximum password age is set to 60 or fewer days but not 0" - 
win_security_policy: - section: System Access - key: MaximumPasswordAge - value: "{{ maximumpasswordage }}" - when: rule_1_1_2 + block: + - name: "SCORED | 1.1.2 | AUDIT | L1 Ensure Maximum password age is set to 60 or fewer days but not 0" + assert: + that: maximumpasswordage | int is version('60', '<=') + fail_msg: "Maximum password age must be configured to 60 days or less and variable maximumpasswordage is set to {{ maximumpasswordage }}" + changed_when: false + ignore_errors: true + register: result + + - name: "SCORED | 1.1.2 | PATCH | L1 Ensure Maximum password age is set to 60 or fewer days but not 0" + win_security_policy: + section: System Access + key: MaximumPasswordAge + value: "{{ maximumpasswordage }}" + when: + - rule_1_1_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_1.1.2 - patch -- name: "SCORED | 1.1.3 | AUDIT | L1 Ensure Minimum password age is set to 1 or more days" - assert: - that: minimumpasswordage is version('1', '>=') - fail_msg: "Minimum password age must be configured to at least one day and variable minimumpasswordage is set to {{ minimumpasswordage }}" - register: result - changed_when: no - ignore_errors: yes - when: rule_1_1_3 - tags: - - level1 - - level2 - - rule_1.1.3 - - audit - - name: "SCORED | 1.1.3 | PATCH | L1 Ensure Minimum password age is set to 1 or more days" - win_security_policy: - section: System Access - key: MinimumPasswordAge - value: "{{ minimumpasswordage }}" - when: rule_1_1_3 + block: + - name: "SCORED | 1.1.3 | AUDIT | L1 Ensure Minimum password age is set to 1 or more days" + assert: + that: minimumpasswordage is version('1', '>=') + fail_msg: "Minimum password age must be configured to at least one day and variable minimumpasswordage is set to {{ minimumpasswordage }}" + changed_when: false + ignore_errors: true + register: result + + - name: "SCORED | 1.1.3 | PATCH | L1 Ensure Minimum password age is set to 1 or more days" + win_security_policy: + section: System 
Access + key: MinimumPasswordAge + value: "{{ minimumpasswordage }}" + when: + - rule_1_1_3 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_1.1.3 - patch -- name: "SCORED | 1.1.4 | AUDIT | L1 Ensure Minimum password length is set to 14 or more characters" - assert: - that: minimumpasswordlength is version('14', '>=') - fail_msg: "Minimum password length must be configured to 14 characters and variable minimumpasswordlength is set to {{ minimumpasswordlength }} characters" - register: result - changed_when: no - ignore_errors: yes - when: rule_1_1_4 - tags: - - level1 - - level2 - - rule_1.1.4 - - audit - - name: "SCORED | 1.1.4 | PATCH | L1 Ensure Minimum password length is set to 14 or more characters" - win_security_policy: - section: System Access - key: MinimumPasswordLength - value: "{{ minimumpasswordlength }}" + block: + - name: "SCORED | 1.1.4 | AUDIT | L1 Ensure Minimum password length is set to 14 or more characters" + assert: + that: minimumpasswordlength is version('14', '>=') + fail_msg: "Minimum password length must be configured to 14 characters and variable minimumpasswordlength is set to {{ minimumpasswordlength }} characters" + changed_when: false + ignore_errors: true + register: result + + - name: "SCORED | 1.1.4 | PATCH | L1 Ensure Minimum password length is set to 14 or more characters" + win_security_policy: + section: System Access + key: MinimumPasswordLength + value: "{{ minimumpasswordlength }}" when: rule_1_1_4 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_1.1.4 - patch @@ -108,10 +95,11 @@ section: System Access key: PasswordComplexity value: 1 - when: rule_1_1_5 + when: + - rule_1_1_5 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_1.1.5 - patch 
@@ -120,38 +108,35 @@ section: System Access key: ClearTextPassword value: "0" - when: rule_1_1_6 + when: + - rule_1_1_6 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_1.1.6 - patch - name: "SCORED | 1.2.1 | AUDIT | L1 Ensure Account lockout duration is set to 15 or more minutes" - assert: - that: lockoutduration | int is version('15', '<=') - fail_msg: "Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater and variable lockoutduration is set to {{ lockoutduration }}" - register: result - changed_when: no - ignore_errors: yes - when: rule_1_2_1 - tags: - - level1 - - level2 - - rule_1.2.1 - - audit + block: + - name: "SCORED | 1.2.1 | AUDIT | L1 Ensure Account lockout duration is set to 15 or more minutes" + assert: + that: lockoutduration | int is version('15', '<=') + fail_msg: "Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater and variable lockoutduration is set to {{ lockoutduration }}" + changed_when: false + ignore_errors: true + register: result -- name: "SCORED | 1.2.1 | PATCH | L1 Ensure Account lockout duration is set to 15 or more minutes" - win_security_policy: - section: System Access - key: LockoutDuration - value: "{{ lockoutduration }}" + - name: "SCORED | 1.2.1 | PATCH | L1 Ensure Account lockout duration is set to 15 or more minutes" + win_security_policy: + section: System Access + key: LockoutDuration + value: "{{ lockoutduration }}" when: - rule_1_2_1 - is_implemented #Speelman | added because of this error "Failed to import secedit.ini file from C:\\Users\\vagrant\\AppData\\Local\\Temp\\tmp81F3.tmp tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_1.2.1 - patch 
@@ -161,35 +146,33 @@ section: System Access key: LockoutBadCount value: "{{ lockoutbadcount }}" - when: rule_1_2_2 + when: + - rule_1_2_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_1.2.2 - patch -- name: "SCORED | 1.2.3 | AUDIT | L1 Ensure Reset account lockout counter after is set to 15 or more minutes" - assert: - that: resetlockoutcount | int is version('15', '>=') - fail_msg: "Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater and variable resetlockoutcount is set to {{ resetlockoutcount }}" - register: result - changed_when: no - ignore_errors: yes - when: rule_1_2_3 - tags: - - level1 - - level2 - - rule_1.2.3 - - audit - - name: "SCORED | 1.2.3 | PATCH | L1 Ensure Reset account lockout counter after is set to 15 or more minutes" - win_security_policy: - section: System Access - key: ResetLockoutCount - value: "{{ resetlockoutcount }}" - when: rule_1_2_3 + block: + - name: "SCORED | 1.2.3 | AUDIT | L1 Ensure Reset account lockout counter after is set to 15 or more minutes" + assert: + that: resetlockoutcount | int is version('15', '>=') + fail_msg: "Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater and variable resetlockoutcount is set to {{ resetlockoutcount }}" + changed_when: false + ignore_errors: true + register: result + + - name: "SCORED | 1.2.3 | PATCH | L1 Ensure Reset account lockout counter after is set to 15 or more minutes" + win_security_policy: + section: System Access + key: ResetLockoutCount + value: "{{ resetlockoutcount }}" + when: + - rule_1_2_3 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_1.2.3 - patch diff --git a/tasks/section02.yml b/tasks/section02.yml index 3983503..7461587 100644 --- a/tasks/section02.yml +++ b/tasks/section02.yml 
@@ -2,12 +2,13 @@ - name: "SCORED | 2.2.1 | PATCH | L1 Ensure Access Credential Manager as a trusted caller is set to No One" win_user_right: name: SeTrustedCredManAccessPrivilege - users: + users: [] action: set - when: rule_2_2_1 + when: + - rule_2_2_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.1 - patch @@ -21,6 +22,8 @@ when: - rule_2_2_2 or rule_2_2_3 tags: + - level1-domaincontroller + - level1-memberserver - rule_2.2.2 - rule_2.2.3 - patch @@ -28,12 +31,13 @@ - name: "SCORED | 2.2.4 | PATCH | L1 Ensure Act as part of the operating system is set to No One" win_user_right: name: SeTcbPrivilege - users: + users: [] action: set - when: rule_2_2_4 + when: + - rule_2_2_4 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.4 - patch @@ -46,6 +50,7 @@ - rule_2_2_5 - ansible_windows_domain_role == "Primary domain controller" tags: + - level1-domaincontroller - rule_2.2.5 - patch @@ -57,10 +62,11 @@ - Local Service - Network Service action: set - when: rule_2_2_6 + when: + - rule_2_2_6 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.6 - patch @@ -70,10 +76,11 @@ users: - Administrators action: set - when: rule_2_2_7 + when: + - rule_2_2_7 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.7 - patch @@ -87,6 +94,8 @@ when: - rule_2_2_8 or rule_2_2_9 tags: + - level1-domaincontroller + - level1-memberserver - rule_2.2.8 - rule_2.2.9 - patch @@ -97,10 +106,11 @@ users: - Administrators action: set - when: rule_2_2_10 + when: + - rule_2_2_10 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.10 - patch @@ -111,10 +121,11 @@ - Administrators - Local Service action: set - when: rule_2_2_11 + when: + - rule_2_2_11 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.11 - patch 
@@ -125,10 +136,11 @@ - Administrators - Local Service action: set - when: rule_2_2_12 + when: + - rule_2_2_12 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.12 - patch @@ -138,22 +150,24 @@ users: - Administrators action: set - when: rule_2_2_13 + when: + - rule_2_2_13 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.13 - patch - name: "SCORED | 2.2.14 | PATCH | L1 Ensure Create a token object is set to No One" win_user_right: name: SeCreateTokenPrivilege - users: + users: [] action: set - when: rule_2_2_14 + when: + - rule_2_2_14 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.14 - patch @@ -166,22 +180,24 @@ - Network Service - Service action: set - when: rule_2_2_15 + when: + - rule_2_2_15 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.15 - patch - name: "SCORED | 2.2.16 | PATCH | L1 Ensure Create permanent shared objects is set to No One" win_user_right: name: SeCreatePermanentPrivilege - users: + users: [] action: set - when: rule_2_2_16 + when: + - rule_2_2_16 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.16 - patch @@ -195,6 +211,7 @@ - rule_2_2_17 - ansible_windows_domain_role == "Primary domain controller" tags: + - level1-domaincontroller - rule_2.2.17 - patch @@ -209,8 +226,7 @@ - rule_2_2_18 - ansible_windows_domain_role == "Member server" tags: - - level1 - - level2 + - level1-memberserver - rule_2.2.18 - patch @@ -220,10 +236,11 @@ users: - Administrators action: set - when: rule_2_2_19 + when: + - rule_2_2_19 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.19 - patch @@ -238,6 +255,7 @@ - rule_2_2_20 - ansible_windows_domain_role == "Primary domain controller" tags: + - level1-domaincontroller - rule_2.2.20 - patch 
@@ -253,8 +271,7 @@ - rule_2_2_21 - ansible_windows_domain_member tags: - - level1 - - level2 + - level1-memberserver - rule_2.2.21 - patch @@ -264,10 +281,11 @@ users: - Guests action: set - when: rule_2_2_22 + when: + - rule_2_2_22 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.22 - patch @@ -277,10 +295,11 @@ users: - Guests action: set - when: rule_2_2_23 + when: + - rule_2_2_23 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.23 - patch @@ -290,10 +309,11 @@ users: - Guests action: set - when: rule_2_2_24 + when: + - rule_2_2_24 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.24 - patch @@ -308,6 +328,7 @@ - rule_2_2_25 - ansible_windows_domain_role == "Primary domain controller" tags: + - level1-domaincontroller - rule_2.2.25 - patch @@ -322,8 +343,7 @@ - rule_2_2_26 - ansible_windows_domain_member tags: - - level1 - - level2 + - level1-memberserver - rule_2.2.26 - patch @@ -336,20 +356,20 @@ - rule_2_2_27 - ansible_windows_domain_role == "Primary domain controller" tags: + - level1-domaincontroller - rule_2.2.27 - patch - name: "SCORED | 2.2.28 | PATCH | L1 Ensure Enable computer and user accounts to be trusted for delegation is set to No One MS only" win_user_right: name: SeEnableDelegationPrivilege - users: + users: [] action: set when: - rule_2_2_28 - ansible_windows_domain_member tags: - - level1 - - level2 + - level1-memberserver - rule_2.2.28 - patch @@ -359,10 +379,11 @@ users: - Administrators action: set - when: rule_2_2_29 + when: + - rule_2_2_29 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.29 - patch @@ -373,10 +394,11 @@ - Local Service - Network Service action: set - when: rule_2_2_30 + when: + - rule_2_2_30 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.30 - patch 
@@ -393,6 +415,7 @@ - rule_2_2_31 - ansible_windows_domain_role == "Primary domain controller" tags: + - level1-domaincontroller - rule_2.2.31 - patch @@ -410,8 +433,7 @@ - rule_2_2_32 - ansible_windows_domain_member tags: - - level1 - - level2 + - level1-memberserver - rule_2.2.32 - patch @@ -422,10 +444,11 @@ - Administrators - Window Manager\Window Manager Group action: set - when: rule_2_2_33 + when: + - rule_2_2_33 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.33 - patch @@ -435,22 +458,24 @@ users: - Administrators action: set - when: rule_2_2_34 + when: + - rule_2_2_34 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.34 - patch - name: "SCORED | 2.2.35 | PATCH | L1 Ensure Lock pages in memory is set to No One" win_user_right: name: SeLockMemoryPrivilege - users: + users: [] action: set - when: rule_2_2_35 + when: + - rule_2_2_35 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.35 - patch @@ -463,6 +488,7 @@ - rule_2_2_36 - ansible_windows_domain_role == "Primary domain controller" tags: + - level2-domaincontroller - rule_2.2.36 - patch @@ -475,6 +501,8 @@ when: - rule_2_2_37 or rule_2_2_38 tags: + - level1-domaincontroller + - level1-memberserver - rule_2.2.37 - rule_2.2.38 - patch @@ -482,12 +510,13 @@ - name: "SCORED | 2.2.39 | PATCH | L1 Ensure Modify an object label is set to No One" win_user_right: name: SeReLabelPrivilege - users: + users: [] action: set - when: rule_2_2_39 + when: + - rule_2_2_39 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.39 - patch @@ -497,10 +526,11 @@ users: - Administrators action: set - when: rule_2_2_40 + when: + - rule_2_2_40 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.40 - patch 
@@ -510,10 +540,11 @@ users: - Administrators action: set - when: rule_2_2_41 + when: + - rule_2_2_41 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.41 - patch @@ -523,10 +554,11 @@ users: - Administrators action: set - when: rule_2_2_42 + when: + - rule_2_2_42 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.42 - patch @@ -537,10 +569,11 @@ - Administrators - NT SERVICE\WdiServiceHost action: set - when: rule_2_2_43 + when: + - rule_2_2_43 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.43 - patch @@ -551,10 +584,11 @@ - LOCAL SERVICE - NETWORK SERVICE action: set - when: rule_2_2_44 + when: + - rule_2_2_44 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.44 - patch @@ -564,10 +598,11 @@ users: - Administrators action: set - when: rule_2_2_45 + when: + - rule_2_2_45 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.45 - patch @@ -577,10 +612,11 @@ users: - Administrators action: set - when: rule_2_2_46 + when: + - rule_2_2_46 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.46 - patch @@ -593,6 +629,7 @@ - rule_2_2_47 - ansible_windows_domain_role == "Primary domain controller" tags: + - level1-domaincontroller - rule_2.2.47 - patch @@ -602,10 +639,11 @@ users: - Administrators action: set - when: rule_2_2_48 + when: + - rule_2_2_48 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.48 - patch @@ -618,8 +656,7 @@ - rule_2_3_1_1 - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 + - level1-memberserver - rule_2.3.1.1 - patch @@ -629,10 +666,11 @@ name: NoConnectedUser data: 3 type: dword - when: rule_2_3_1_2 + when: + - rule_2_3_1_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.1.2 - patch 
@@ -641,10 +679,10 @@ section: System Access key: EnableGuestAccount value: 0 - when: rule_2_3_1_3 + when: + - rule_2_3_1_3 tags: - - level1 - - level2 + - level1-memberserver - rule_2.3.1.3 - patch @@ -654,10 +692,11 @@ name: LimitBlankPasswordUse data: 1 type: dword - when: rule_2_3_1_4 + when: + - rule_2_3_1_4 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.1.4 - patch @@ -670,8 +709,8 @@ - rule_2_3_1_5 - not win_skip_for_test tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.1.5 - patch @@ -680,10 +719,11 @@ section: System Access key: NewGuestName value: BobCooper - when: rule_2_3_1_6 + when: + - rule_2_3_1_6 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberservers - rule_2.3.1.6 - patch @@ -693,10 +733,11 @@ name: SCENoApplyLegacyAuditPolicy data: 1 type: dword - when: rule_2_3_2_1 + when: + - rule_2_3_2_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.2.1 - patch @@ -706,10 +747,11 @@ name: CrashOnAuditFail data: 0 type: dword - when: rule_2_3_2_2 + when: + - rule_2_3_2_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.2.2 - patch @@ -719,10 +761,11 @@ name: AllocateDASD data: 0 type: string - when: rule_2_3_4_1 + when: + - rule_2_3_4_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.4.1 - patch @@ -732,10 +775,11 @@ name: AddPrinterDrivers data: 1 type: dword - when: rule_2_3_4_2 + when: + - rule_2_3_4_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.4.2 - patch @@ -749,6 +793,7 @@ - rule_2_3_5_1 - ansible_windows_domain_role == "Primary domain controller" tags: + - level1-domaincontroller - rule_2.3.5.1 - patch @@ -762,6 +807,7 @@ - rule_2_3_5_2 - ansible_windows_domain_role == "Primary domain controller" tags: + - level1-domaincontroller - rule_2.3.5.2 - patch 
@@ -775,6 +821,7 @@ - rule_2_3_5_3 - ansible_windows_domain_role == "Primary domain controller" tags: + - level1-domaincontroller - rule_2.3.5.3 - patch @@ -788,8 +835,8 @@ - rule_2_3_6_1 - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.6.1 - patch @@ -803,8 +850,8 @@ - rule_2_3_6_2 - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.6.2 - patch @@ -818,8 +865,8 @@ - rule_2_3_6_3 - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.6.3 - patch @@ -833,8 +880,8 @@ - rule_2_3_6_4 - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.6.4 - patch @@ -848,8 +895,8 @@ - rule_2_3_6_5 - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.6.5 - patch @@ -863,8 +910,8 @@ - rule_2_3_6_6 - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.6.6 - patch @@ -874,10 +921,11 @@ name: DisableCAD data: 0 type: dword - when: rule_2_3_7_1 + when: + - rule_2_3_7_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.7.1 - patch @@ -887,10 +935,11 @@ name: DontDisplayLastUserName data: 1 type: dword - when: rule_2_3_7_2 + when: + - rule_2_3_7_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.7.2 - patch 
@@ -900,10 +949,11 @@ name: InactivityTimeoutSecs data: 900 type: dword - when: rule_2_3_7_3 + when: + - rule_2_3_7_3 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.7.3 - patch @@ -913,10 +963,11 @@ name: LegalNoticeText data: "{{ legalnoticetext }}" type: string - when: rule_2_3_7_4 + when: + - rule_2_3_7_4 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.7.4 - patch @@ -926,10 +977,11 @@ name: LegalNoticeCaption data: "{{ legalnoticecaption }}" type: string - when: rule_2_3_7_5 + when: + - rule_2_3_7_5 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.7.5 - patch @@ -939,9 +991,10 @@ name: cachedlogonscount data: 1 type: string - when: rule_2_3_7_6 + when: + - rule_2_3_7_6 tags: - - level2 + - level2-memberserver - rule_2.3.7.6 - patch @@ -951,10 +1004,11 @@ name: PasswordExpiryWarning data: 14 type: dword - when: rule_2_3_7_7 + when: + - rule_2_3_7_7 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.7.7 - patch @@ -968,8 +1022,7 @@ - rule_2_3_7_8 - ansible_windows_domain_role == "Member server" tags: - - level1 - - level2 + - level1-memberserver - rule_2.3.7.8 - patch @@ -979,10 +1032,11 @@ name: scremoveoption data: 1 type: string - when: rule_2_3_7_9 + when: + - rule_2_3_7_9 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.7.9 - patch @@ -992,10 +1046,11 @@ name: RequireSecuritySignature data: 1 type: dword - when: rule_2_3_8_1 + when: + - rule_2_3_8_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.8.1 - patch @@ -1005,10 +1060,11 @@ name: EnableSecuritySignature data: 1 type: dword - when: rule_2_3_8_2 + when: + - rule_2_3_8_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.8.2 - patch 
@@ -1018,10 +1074,11 @@ name: EnablePlainTextPassword data: 0 type: dword - when: rule_2_3_8_3 + when: + - rule_2_3_8_3 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.8.3 - patch @@ -1031,10 +1088,11 @@ name: autodisconnect data: 15 type: dword - when: rule_2_3_9_1 + when: + - rule_2_3_9_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.9.1 - patch @@ -1044,10 +1102,11 @@ name: requiresecuritysignature data: 1 type: dword - when: rule_2_3_9_2 + when: + - rule_2_3_9_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.9.2 - patch @@ -1057,10 +1116,11 @@ name: enablesecuritysignature data: 1 type: dword - when: rule_2_3_9_3 + when: + - rule_2_3_9_3 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.9.3 - patch @@ -1070,10 +1130,11 @@ name: enableforcedlogoff data: 1 type: dword - when: rule_2_3_9_4 + when: + - rule_2_3_9_4 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.9.4 - patch @@ -1087,8 +1148,7 @@ - rule_2_3_9_5 - ansible_windows_domain_role == "Member server" tags: - - level1 - - level2 + - level1-memberserver - rule_2.3.9.5 - patch @@ -1097,10 +1157,11 @@ section: System Access key: LSAAnonymousNameLookup value: 0 - when: rule_2_3_10_1 + when: + - rule_2_3_10_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.10.1 - patch @@ -1114,8 +1175,7 @@ - rule_2_3_10_2 - ansible_windows_domain_role == "Member server" tags: - - level1 - - level2 + - level1-memberserver - rule_2.3.10.2 - patch @@ -1129,8 +1189,7 @@ - rule_2_3_10_3 - ansible_windows_domain_role == "Member server" tags: - - level1 - - level2 + - level1-memberserver - rule_2.3.10.3 - patch 
@@ -1140,9 +1199,11 @@ name: DisableDomainCreds data: 1 type: dword - when: rule_2_3_10_4 + when: + - rule_2_3_10_4 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_2.3.10.4 - patch @@ -1152,10 +1213,11 @@ name: EveryoneIncludesAnonymous data: 0 type: dword - when: rule_2_3_10_5 + when: + - rule_2_3_10_5 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.10.5 - patch @@ -1169,6 +1231,7 @@ - rule_2_3_10_6 - ansible_windows_domain_role == "Primary domain controller" tags: + - level1-domaincontroller - rule_2.3.10.6 - patch @@ -1182,8 +1245,7 @@ - rule_2_3_10_7 - ansible_windows_domain_role == "Member server" tags: - - level1 - - level2 + - level1-memberserver - rule_2.3.10.7 - patch @@ -1193,10 +1255,11 @@ name: "Machine" data: ['System\CurrentControlSet\Control\ProductOptions', 'System\CurrentControlSet\Control\Server Applications', 'Software\Microsoft\Windows NT\CurrentVersion'] type: multistring - when: rule_2_3_10_8 + when: + - rule_2_3_10_8 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.10.8 - patch @@ -1206,10 +1269,11 @@ name: "Machine" data: ['System\CurrentControlSet\Control\Print\Printers', 'System\CurrentControlSet\Services\Eventlog', 'Software\Microsoft\OLAP Server', 'Software\Microsoft\Windows NT\CurrentVersion\Print', 'Software\Microsoft\Windows NT\CurrentVersion\Windows', 'System\CurrentControlSet\Control\ContentIndex', 'System\CurrentControlSet\Control\Terminal Server', 'System\CurrentControlSet\Control\Terminal Server\UserConfig', 'System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration', 'Software\Microsoft\Windows NT\CurrentVersion\Perflib', 'System\CurrentControlSet\Services\WINS', 'System\CurrentControlSet\Services\CertSvc'] type: multistring - when: rule_2_3_10_9 + when: + - rule_2_3_10_9 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.10.9 - patch 
@@ -1219,10 +1283,11 @@ name: RestrictNullSessAccess data: 1 type: dword - when: rule_2_3_10_10 + when: + - rule_2_3_10_10 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.10.10 - patch @@ -1232,10 +1297,10 @@ name: RestrictRemoteSAM data: "O:BAG:BAD:(A;;RC;;;BA)" type: string - when: rule_2_3_10_11 + when: + - rule_2_3_10_11 tags: - - level1 - - level2 + - level1-memberserver - rule_2.3.10.11 - patch @@ -1245,10 +1310,11 @@ name: NullSessionShares data: "" type: multistring - when: rule_2_3_10_12 + when: + - rule_2_3_10_12 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.10.12 - patch @@ -1258,10 +1324,11 @@ name: ForceGuest data: 0 type: dword - when: rule_2_3_10_13 + when: + - rule_2_3_10_13 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.10.13 - patch @@ -1271,10 +1338,11 @@ name: UseMachineId data: 1 type: dword - when: rule_2_3_11_1 + when: + - rule_2_3_11_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.11.1 - patch @@ -1284,10 +1352,11 @@ name: allownullsessionfallback data: 0 type: dword - when: rule_2_3_11_2 + when: + - rule_2_3_11_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.11.2 - patch @@ -1297,10 +1366,11 @@ name: AllowOnlineID data: 0 type: dword - when: rule_2_3_11_3 + when: + - rule_2_3_11_3 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.11.3 - patch @@ -1310,10 +1380,11 @@ name: SupportedEncryptionTypes data: 2147483644 type: dword - when: rule_2_3_11_4 + when: + - rule_2_3_11_4 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.11.4 - patch @@ -1323,10 +1394,11 @@ name: NoLMHash data: 1 type: dword - when: rule_2_3_11_5 + when: + - rule_2_3_11_5 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.11.5 - patch 
@@ -1336,10 +1408,11 @@ name: EnableForcedLogOff data: 1 type: dword - when: rule_2_3_11_6 + when: + - rule_2_3_11_6 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.11.6 - patch @@ -1349,10 +1422,11 @@ name: LMCompatibilityLevel data: 5 type: dword - when: rule_2_3_11_7 + when: + - rule_2_3_11_7 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.11.7 - patch @@ -1362,10 +1436,11 @@ name: LDAPClientIntegrity data: 1 type: dword - when: rule_2_3_11_8 + when: + - rule_2_3_11_8 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.11.8 - patch @@ -1375,10 +1450,11 @@ name: NTLMMinClientSec data: 537395200 type: dword - when: rule_2_3_11_9 + when: + - rule_2_3_11_9 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.11.9 - patch @@ -1388,10 +1464,11 @@ name: NTLMMinServerSec data: 537395200 type: dword - when: rule_2_3_11_10 + when: + - rule_2_3_11_10 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.11.10 - patch @@ -1401,10 +1478,11 @@ name: ShutdownWithoutLogon data: 0 type: dword - when: rule_2_3_13_1 + when: + - rule_2_3_13_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.13.1 - patch @@ -1414,10 +1492,11 @@ name: ObCaseInsensitive data: 1 type: dword - when: rule_2_3_15_1 + when: + - rule_2_3_15_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.15.1 - patch @@ -1427,10 +1506,11 @@ name: ProtectionMode data: 1 type: dword - when: rule_2_3_15_2 + when: + - rule_2_3_15_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.15.2 - patch 
@@ -1440,10 +1520,11 @@ name: FilterAdministratorToken data: 1 type: dword - when: rule_2_3_17_1 + when: + - rule_2_3_17_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.17.1 - patch @@ -1453,10 +1534,11 @@ name: ConsentPromptBehaviorAdmin data: 2 type: dword - when: rule_2_3_17_2 + when: + - rule_2_3_17_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.17.2 - patch @@ -1466,10 +1548,11 @@ name: ConsentPromptBehaviorUser data: 0 type: dword - when: rule_2_3_17_3 + when: + - rule_2_3_17_3 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.17.3 - patch @@ -1479,10 +1562,11 @@ name: EnableInstallerDetection data: 1 type: dword - when: rule_2_3_17_4 + when: + - rule_2_3_17_4 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.17.4 - patch @@ -1492,10 +1576,11 @@ name: EnableSecureUIAPaths data: 1 type: dword - when: rule_2_3_17_5 + when: + - rule_2_3_17_5 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.17.5 - patch @@ -1505,10 +1590,11 @@ name: EnableLUA data: 1 type: dword - when: rule_2_3_17_6 + when: + - rule_2_3_17_6 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.17.6 - patch @@ -1518,10 +1604,11 @@ name: PromptOnSecureDesktop data: 1 type: dword - when: rule_2_3_17_7 + when: + - rule_2_3_17_7 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.17.7 - patch @@ -1531,10 +1618,11 @@ name: EnableVirtualization data: 1 type: dword - when: rule_2_3_17_8 + when: + - rule_2_3_17_8 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.17.8 - patch diff --git a/tasks/section17.yml b/tasks/section17.yml index da38c82..634788d 100644 --- a/tasks/section17.yml +++ b/tasks/section17.yml 
@@ -1,518 +1,429 @@ --- -- name: "SCORED | 17.1.1 | AUDIT | L1 Ensure Audit Credential Validation is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"Credential Validation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_1_1_audit - changed_when: no - ignore_errors: yes - when: rule_17_1_1 - tags: - - level1 - - level2 - - rule_17.1.1 - - audit - - name: "SCORED | 17.1.1 | PATCH | L1 Ensure Audit Credential Validation is set to Success and Failure" block: - - name: "SCORED | 17.1.1 | PATCH | L1 Ensure Audit Credential Validation is set to Success and Failure | Success" - win_shell: AuditPol /set /subcategory:"Credential Validation" /success:enable - when: "'Success' not in rule_17_1_1_audit.stdout" - changed_when: "'Success' not in rule_17_1_1_audit.stdout" - - - name: "SCORED | 17.1.1 | PATCH | L1 Ensure Audit Credential Validation is set to Success and Failure | Failure" - win_shell: AuditPol /set /subcategory:"Credential Validation" /failure:enable - when: "'Failure' not in rule_17_1_1_audit.stdout" - changed_when: "'Failure' not in rule_17_1_1_audit.stdout" + - name: "SCORED | 17.1.1 | AUDIT | L1 Ensure Audit Credential Validation is set to Success and Failure" + win_shell: AuditPol /get /subcategory:"Credential Validation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_1_1_audit + changed_when: false + failed_when: false + + - name: "SCORED | 17.1.1 | PATCH | L1 Ensure Audit Credential Validation is set to Success and Failure | Success" + win_shell: AuditPol /set /subcategory:"Credential Validation" /success:enable + when: "'Success' not in rule_17_1_1_audit.stdout" + changed_when: "'Success' not in rule_17_1_1_audit.stdout" + + - name: "SCORED | 17.1.1 | PATCH | L1 Ensure Audit Credential Validation is set to Success and Failure | Failure" + win_shell: AuditPol /set /subcategory:"Credential Validation" /failure:enable + when: "'Failure' not in 
rule_17_1_1_audit.stdout" + changed_when: "'Failure' not in rule_17_1_1_audit.stdout" when: - rule_17_1_1 - - rule_17_1_1_audit is defined - ansible_windows_domain_role == "Primary domain controller" - - "'Success' not in rule_17_1_1_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.1.1 - patch -- name: "SCORED | 17.2.1 | AUDIT | L1 Ensure Audit Application Group Management is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"Security Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_2_1_audit - changed_when: no - ignore_errors: yes - when: rule_17_2_1 +- name: "SCORED | 17.1.2 | PATCH | L1 Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only" + block: + - name: "SCORED | 17.1.2 | AUDIT | L1 Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only" + win_shell: AuditPol /get /subcategory:"Kerberos Authentication Service" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_1_2_audit + + - name: "SCORED | 17.1.2 | PATCH | L1 Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only" + win_shell: AuditPol /set /subcategory:"Kerberos Authentication Service" /success:enable + when: "'Success' not in rule_17_1_2_audit.stdout" + + - name: "SCORED | 17.1.2 | PATCH | L1 Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only" + win_shell: AuditPol /set /subcategory:"Kerberos Authentication Service" /failure:enable + when: "'Failure' not in rule_17_1_2_audit.stdout" + when: + - rule_17_1_2 + - ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 - - rule_17.2.1 - - audit + - level1-domaincontroller + - rule_17.1.2 + - patch -- name: "SCORED | 17.2.1 | PATCH | L1 Ensure Audit Application Group Management is set to Success 
and Failure" +- name: "SCORED | 17.1.3 | PATCH | L1 Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure'" block: - - name: "SCORED | 17.2.1 | PATCH | L1 Ensure Audit Application Group Management is set to Success and Failure | Success" - win_shell: AuditPol /set /subcategory:"Security Group Management" /success:enable - when: "'Success' not in rule_17_2_1_audit.stdout" - changed_when: "'Success' not in rule_17_2_1_audit.stdout" - - - name: "SCORED | 17.2.1 | PATCH | L1 Ensure Audit Application Group Management is set to Success and Failure | Failure" - win_shell: AuditPol /set /subcategory:"Security Group Management" /failure:enable - when: "'Failure' not in rule_17_2_1_audit.stdout" - changed_when: "'Failure' not in rule_17_2_1_audit.stdout" + - name: "SCORED | 17.1.3 | AUDIT | L1 Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure'" + win_shell: AuditPol /get /subcategory:"Kerberos Service Ticket Operations" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_1_3_audit + + - name: "SCORED | 17.1.3 | PATCH | L1 Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure'" + win_shell: AuditPol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable + when: "'Success' not in rule_17_1_3_audit.stdout" + + - name: "SCORED | 17.1.3 | PATCH | L1 Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure'" + win_shell: AuditPol /set /subcategory:"Kerberos Service Ticket Operations" /failure:enable + when: "'Failure' not in rule_17_1_3_audit.stdout" when: - - rule_17_2_1 - - rule_17_2_1_audit is defined + - rule_17_1_3 - ansible_windows_domain_role == "Primary domain controller" - - "'Success' not in rule_17_2_1_audit.stdout" tags: - - level1 - - level2 - - rule_17.2.1 + - level1-domaincontroller + - rule_17.1.2 - patch -- name: "SCORED | 17.2.2 | AUDIT | L1 Ensure Audit Computer 
Account Management is set to include Success DC only" - win_shell: AuditPol /get /subcategory:"Computer Account Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_2_2_audit - changed_when: no - ignore_errors: yes +- name: "SCORED | 17.2.1 | PATCH | L1 Ensure Audit Application Group Management is set to Success and Failure" + block: + - name: "SCORED | 17.2.1 | AUDIT | L1 Ensure Audit Application Group Management is set to Success and Failure" + win_shell: AuditPol /get /subcategory:"Security Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_2_1_audit + changed_when: false + failed_when: false + + - name: "SCORED | 17.2.1 | PATCH | L1 Ensure Audit Application Group Management is set to Success and Failure | Success" + win_shell: AuditPol /set /subcategory:"Security Group Management" /success:enable + when: "'Success' not in rule_17_2_1_audit.stdout" + + - name: "SCORED | 17.2.1 | PATCH | L1 Ensure Audit Application Group Management is set to Success and Failure | Failure" + win_shell: AuditPol /set /subcategory:"Security Group Management" /failure:enable + when: "'Failure' not in rule_17_2_1_audit.stdout" when: - - rule_17_2_2 + - rule_17_2_1 - ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 - - rule_17.2.2 - - audit + - level1-domaincontroller + - level1-memberserver + - rule_17.2.1 + - patch - name: "SCORED | 17.2.2 | PATCH | L1 Ensure Audit Computer Account Management is set to include Success DC only" - win_shell: AuditPol /set /subcategory:"Computer Account Management" /success:enable + block: + - name: "SCORED | 17.2.2 | AUDIT | L1 Ensure Audit Computer Account Management is set to include Success DC only" + win_shell: AuditPol /get /subcategory:"Computer Account Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_2_2_audit + changed_when: false + failed_when: false + + - name: 
"SCORED | 17.2.2 | PATCH | L1 Ensure Audit Computer Account Management is set to include Success DC only" + win_shell: AuditPol /set /subcategory:"Computer Account Management" /success:enable + changed_when: "'Success' not in rule_17_2_2_audit.stdout" + when: "'Success' not in rule_17_2_2_audit.stdout" when: - rule_17_2_2 - ansible_windows_domain_role == "Primary domain controller" - - rule_17_2_2_audit is defined - - "'Success' not in rule_17_2_2_audit.stdout" - changed_when: "'Success' not in rule_17_2_2_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller - rule_17.2.2 - patch -- name: "SCORED | 17.2.3 | AUDIT | L1 Ensure Audit Distribution Group Management is set to include Success DC only" - win_shell: AuditPol /get /subcategory:"Distribution Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_2_3_audit - changed_when: no - ignore_errors: yes - when: - - ansible_windows_domain_role == "Primary domain controller" - - rule_17_2_3 - tags: - - rule_17.2.3 - - audit - - name: "SCORED | 17.2.3 | PATCH | L1 Ensure Audit Distribution Group Management is set to include Success DC only" - win_shell: AuditPol /set /subcategory:"Distribution Group Management" /success:enable + block: + - name: "SCORED | 17.2.3 | AUDIT | L1 Ensure Audit Distribution Group Management is set to include Success DC only" + win_shell: AuditPol /get /subcategory:"Distribution Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_2_3_audit + changed_when: false + failed_when: false + + - name: "SCORED | 17.2.3 | PATCH | L1 Ensure Audit Distribution Group Management is set to include Success DC only" + win_shell: AuditPol /set /subcategory:"Distribution Group Management" /success:enable + when: "'Success' not in rule_17_2_3_audit.stdout" when: - - ansible_windows_domain_role == "Primary domain controller" - rule_17_2_3 - - rule_17_2_3_audit is defined - - "'Success' not in 
rule_17_2_3_audit.stdout" - changed_when: "'Success' not in rule_17_2_3_audit.stdout" + - ansible_windows_domain_role == "Primary domain controller" tags: + - level1-domaincontroller - rule_17.2.3 - patch -- name: "SCORED | 17.2.4 | AUDIT | L1 Ensure Audit Other Account Management Events is set to include Success DC only" - win_shell: AuditPol /get /subcategory:"Other Account Management Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_2_4_audit - changed_when: no - ignore_errors: yes - when: rule_17_2_4 - tags: - - level1 - - level2 - - rule_17.2.4 - - audit - - name: "SCORED | 17.2.4 | PATCH | L1 Ensure Audit Other Account Management Events is set to include Success DC only" - win_shell: AuditPol /set /subcategory:"Other Account Management Events" /success:enable + block: + - name: "SCORED | 17.2.4 | AUDIT | L1 Ensure Audit Other Account Management Events is set to include Success DC only" + win_shell: AuditPol /get /subcategory:"Other Account Management Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_2_4_audit + changed_when: false + failed_when: false + + - name: "SCORED | 17.2.4 | PATCH | L1 Ensure Audit Other Account Management Events is set to include Success DC only" + win_shell: AuditPol /set /subcategory:"Other Account Management Events" /success:enable + when: "'Success' not in rule_17_2_4_audit.stdout" when: - rule_17_2_4 - - rule_17_2_4_audit is defined - ansible_windows_domain_role == "Primary domain controller" - - "'Success' not in rule_17_2_4_audit.stdout" - changed_when: "'Success' not in rule_17_2_4_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller - rule_17.2.4 - patch - name: "SCORED | 17.2.5 | AUDIT | L1 Ensure Audit Security Group Management is set to include Success" - win_shell: AuditPol /get /subcategory:"Security Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_2_5_audit - 
changed_when: no - ignore_errors: yes - when: rule_17_2_5 - tags: - - level1 - - level2 - - rule_17.2.5 - - audit - -- name: "SCORED | 17.2.5 | PATCH | L1 Ensure Audit Security Group Management is set to include Success" - win_shell: AuditPol /set /subcategory:"Security Group Management" /success:enable + block: + - name: "SCORED | 17.2.5 | AUDIT | L1 Ensure Audit Security Group Management is set to include Success" + win_shell: AuditPol /get /subcategory:"Security Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_2_5_audit + changed_when: false + failed_when: false + + - name: "SCORED | 17.2.5 | PATCH | L1 Ensure Audit Security Group Management is set to include Success" + win_shell: AuditPol /set /subcategory:"Security Group Management" /success:enable + when: "'Success' not in rule_17_2_5_audit.stdout" when: - rule_17_2_5 - - rule_17_2_5_audit is defined - - "'Success' not in rule_17_2_5_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.2.5 - patch -- name: "SCORED | 17.2.6 | AUDIT | L1 Ensure Audit User Account Management is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"User Account Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_2_6_audit - changed_when: no - ignore_errors: yes - when: rule_17_2_6 - tags: - - level1 - - level2 - - rule_17.2.6 - - audit - - name: "SCORED | 17.2.6 | PATCH | L1 Ensure Audit User Account Management is set to Success and Failure" block: - - name: "SCORED | 17.2.6 | PATCH | L1 Ensure Audit User Account Management is set to Success and Failure | Success" - win_shell: AuditPol /set /subcategory:"User Account Management" /success:enable - when: "'Success' not in rule_17_2_6_audit.stdout" - changed_when: "'Success' not in rule_17_2_6_audit.stdout" - - - name: "SCORED | 17.2.6 | PATCH | L1 Ensure Audit User Account Management is set to Success and Failure | 
Failure" - win_shell: AuditPol /set /subcategory:"User Account Management" /failure:enable - when: "'Failure' not in rule_17_2_6_audit.stdout" - changed_when: "'Failure' not in rule_17_2_6_audit.stdout" + - name: "SCORED | 17.2.6 | AUDIT | L1 Ensure Audit User Account Management is set to Success and Failure" + win_shell: AuditPol /get /subcategory:"User Account Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_2_6_audit + + - name: "SCORED | 17.2.6 | PATCH | L1 Ensure Audit User Account Management is set to Success and Failure | Success" + win_shell: AuditPol /set /subcategory:"User Account Management" /success:enable + when: "'Success' not in rule_17_2_6_audit.stdout" + + - name: "SCORED | 17.2.6 | PATCH | L1 Ensure Audit User Account Management is set to Success and Failure | Failure" + win_shell: AuditPol /set /subcategory:"User Account Management" /failure:enable + when: "'Failure' not in rule_17_2_6_audit.stdout" when: - rule_17_2_6 - - rule_17_2_6_audit is defined tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.2.6 - patch -- name: "SCORED | 17.3.1 | AUDIT | L1 Ensure Audit PNP Activity is set to include Success" - win_shell: AuditPol /get /subcategory:"Plug and Play Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_3_1_audit - changed_when: no - ignore_errors: yes - when: rule_17_3_1 - tags: - - level1 - - level2 - - rule_17.3.1 - - audit - - name: "SCORED | 17.3.1 | PATCH | L1 Ensure Audit PNP Activity is set to include Success" - win_shell: AuditPol /set /subcategory:"Plug and Play Events" /success:enable - changed_when: "'Success' not in rule_17_3_1_audit.stdout" + block: + - name: "SCORED | 17.3.1 | AUDIT | L1 Ensure Audit PNP Activity is set to include Success" + win_shell: AuditPol /get /subcategory:"Plug and Play Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion 
Setting" + changed_when: false + failed_when: false + register: rule_17_3_1_audit + + - name: "SCORED | 17.3.1 | PATCH | L1 Ensure Audit PNP Activity is set to include Success" + win_shell: AuditPol /set /subcategory:"Plug and Play Events" /success:enable + when: "'Success' not in rule_17_3_1_audit.stdout" when: - rule_17_3_1 - - rule_17_3_1_audit is defined - - "'Success' not in rule_17_3_1_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.3.1 - patch -- name: "SCORED | 17.3.2 | AUDIT | L1 Ensure Audit Process Creation is set to include Success" - win_shell: AuditPol /get /subcategory:"Process Creation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_3_2_audit - changed_when: no - ignore_errors: yes - when: rule_17_3_2 - tags: - - level1 - - level2 - - rule_17.3.2 - - audit - - name: "SCORED | 17.3.2 | PATCH | L1 Ensure Audit Process Creation is set to include Success" - win_shell: AuditPol /set /subcategory:"Process Creation" /success:enable - changed_when: "'Success' not in rule_17_3_2_audit.stdout" + block: + - name: "SCORED | 17.3.2 | AUDIT | L1 Ensure Audit Process Creation is set to include Success" + win_shell: AuditPol /get /subcategory:"Process Creation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_3_2_audit + + - name: "SCORED | 17.3.2 | PATCH | L1 Ensure Audit Process Creation is set to include Success" + win_shell: AuditPol /set /subcategory:"Process Creation" /success:enable + when: "'Success' not in rule_17_3_2_audit.stdout" when: - rule_17_3_2 - - rule_17_3_2_audit is defined - - "'Success' not in rule_17_3_2_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.3.2 - patch -- name: "SCORED | 17.4.1 | AUDIT | L1 Ensure Audit Directory Service Access is set to include Failure DC only" - win_shell: AuditPol /get 
/subcategory:"Directory Service Access" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_4_1_audit - changed_when: no - ignore_errors: yes - when: rule_17_4_1 - tags: - - rule_17.4.1 - - audit - - name: "SCORED | 17.4.1 | PATCH | L1 Ensure Audit Directory Service Access is set to include Failure DC only" - win_shell: AuditPol /set /subcategory:"Directory Service Access" /success:enable - changed_when: "'Success' not in rule_17_4_1_audit.stdout" + block: + - name: "SCORED | 17.4.1 | AUDIT | L1 Ensure Audit Directory Service Access is set to include Failure DC only" + win_shell: AuditPol /get /subcategory:"Directory Service Access" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_4_1_audit + + - name: "SCORED | 17.4.1 | PATCH | L1 Ensure Audit Directory Service Access is set to include Failure DC only" + win_shell: AuditPol /set /subcategory:"Directory Service Access" /success:enable + when: "'Success' not in rule_17_4_1_audit.stdout" when: - rule_17_4_1 - - rule_17_4_1_audit is defined - - "'Success' not in rule_17_4_1_audit.stdout" tags: + - level1-domaincontroller - rule_17.4.1 - patch -- name: "SCORED | 17.4.2 | AUDIT | L1 Ensure Audit Directory Service Changes is set to include Success DC only" - win_shell: AuditPol /get /subcategory:"Directory Service Changes" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_4_2_audit - changed_when: no - ignore_errors: yes - when: - - rule_17_4_2 - - ansible_windows_domain_role == "Primary domain controller" - tags: - - rule_17.4.2 - - audit - - name: "SCORED | 17.4.2 | PATCH | L1 Ensure Audit Directory Service Changes is set to include Success DC only" - win_shell: AuditPol /set /subcategory:"Directory Service Changes" /success:enable - changed_when: "'Success' not in rule_17_4_2_audit.stdout" + block: + - name: "SCORED | 17.4.2 | AUDIT | L1 Ensure Audit Directory Service 
Changes is set to include Success DC only" + win_shell: AuditPol /get /subcategory:"Directory Service Changes" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_4_2_audit + + - name: "SCORED | 17.4.2 | PATCH | L1 Ensure Audit Directory Service Changes is set to include Success DC only" + win_shell: AuditPol /set /subcategory:"Directory Service Changes" /success:enable + when: "'Success' not in rule_17_4_2_audit.stdout" when: - rule_17_4_2 - - ansible_windows_domain_role == "Primary domain controller" - - rule_17_4_2_audit is defined - - "'Success' not in rule_17_4_2_audit.stdout" tags: + - level1-domaincontroller - rule_17.4.2 - patch -- name: "SCORED | 17.5.1 | AUDIT | L1 Ensure Audit Account Lockout is set to include Failure" - win_shell: AuditPol /get /subcategory:"Account Lockout" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_5_1_audit - changed_when: no - ignore_errors: yes - when: rule_17_5_1 - tags: - - level1 - - level2 - - rule_17.5.1 - - audit - - name: "SCORED | 17.5.1 | PATCH | L1 Ensure Audit Account Lockout is set to include Failure" - win_shell: AuditPol /set /subcategory:"Account Lockout" /success:enable - changed_when: "'Failure' not in rule_17_5_1_audit.stdout" + block: + - name: "SCORED | 17.5.1 | AUDIT | L1 Ensure Audit Account Lockout is set to include Failure" + win_shell: AuditPol /get /subcategory:"Account Lockout" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_5_1_audit + + - name: "SCORED | 17.5.1 | PATCH | L1 Ensure Audit Account Lockout is set to include Failure" + win_shell: AuditPol /set /subcategory:"Account Lockout" /success:enable + when: "'Failure' not in rule_17_5_1_audit.stdout" when: - rule_17_5_1 - - rule_17_5_1_audit is defined - - "'Failure' not in rule_17_5_1_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller + 
- level1-memberserver - rule_17.5.1 - patch -- name: "SCORED | 17.5.2 | AUDIT | L1 Ensure Audit Group Membership is set to include Success" - win_shell: AuditPol /get /subcategory:"Group Membership" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_5_2_audit - changed_when: no - ignore_errors: yes - when: rule_17_5_2 - tags: - - level1 - - level2 - - rule_17.5.2 - - audit - - name: "SCORED | 17.5.2 | PATCH | L1 Ensure Audit Group Membership is set to include Success" - win_shell: AuditPol /set /subcategory:"Group Membership" /success:enable - changed_when: "'Success' not in wn19_au_000170_audit.stdout" + block: + - name: "SCORED | 17.5.2 | AUDIT | L1 Ensure Audit Group Membership is set to include Success" + win_shell: AuditPol /get /subcategory:"Group Membership" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_5_2_audit + + - name: "SCORED | 17.5.2 | PATCH | L1 Ensure Audit Group Membership is set to include Success" + win_shell: AuditPol /set /subcategory:"Group Membership" /success:enable + when: "'Success' not in rule_17_5_2_audit.stdout" when: - rule_17_5_2 - - wn19_au_000170_audit is defined - - "'Success' not in wn19_au_000170_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.5.2 - patch - name: "SCORED | 17.5.3 | AUDIT | L1 Ensure Audit Logoff is set to include Success" - win_shell: AuditPol /get /subcategory:"Logoff" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_5_3_audit - changed_when: no - ignore_errors: yes - when: rule_17_5_3 - tags: - - level1 - - level2 - - rule_17.5.3 - - audit - -- name: "SCORED | 17.5.3 | PATCH | L1 Ensure Audit Logoff is set to include Success" - win_shell: AuditPol /set /subcategory:"Logoff" /success:enable - changed_when: "'Success' not in rule_17_5_3_audit.stdout" + block: + - name: "SCORED | 17.5.3 | AUDIT | L1 Ensure 
Audit Logoff is set to include Success" + win_shell: AuditPol /get /subcategory:"Logoff" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_5_3_audit + + - name: "SCORED | 17.5.3 | PATCH | L1 Ensure Audit Logoff is set to include Success" + win_shell: AuditPol /set /subcategory:"Logoff" /success:enable + when: "'Success' not in rule_17_5_3_audit.stdout" when: - rule_17_5_3 - - rule_17_5_3_audit is defined - - "'Success' not in rule_17_5_3_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.5.3 - patch -- name: "SCORED | 17.5.4 | AUDIT | L1 Ensure Audit Logon is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_5_4_audit - changed_when: no - ignore_errors: yes - when: rule_17_5_4 - tags: - - level1 - - level2 - - rule_17.5.4 - - audit - - name: "SCORED | 17.5.4 | PATCH | L1 Ensure Audit Logon is set to Success and Failure" block: - - name: "SCORED | 17.5.4 | PATCH | L1 Ensure Audit Logon is set to Success and Failure | Success" - win_shell: AuditPol /set /subcategory:"Logon" /success:enable - changed_when: "'Success' not in rule_17_5_4_audit.stdout" - when: - - rule_17_5_4_audit is defined - - "'Failure' not in rule_17_5_4_audit.stdout" - - - name: "SCORED | 17.5.4 | PATCH | L1 Ensure Audit Logon is set to Success and Failure | Failure" - win_shell: AuditPol /set /subcategory:"Logon" /failure:enable - changed_when: "'Failure' not in rule_17_5_4_audit.stdout" - when: - - rule_17_5_4_audit is defined - - "'Failure' not in rule_17_5_4_audit.stdout" - when: rule_17_5_4 - tags: - - level1 - - level2 - - rule_17.5.4 - - patch - -- name: "SCORED | 17.5.5 | AUDIT | L1 Ensure Audit Other LogonLogoff Events is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"Other Logon/Logoff Events" -r | ConvertFrom-Csv | Select-Object 
-expand "Inclusion Setting" - register: rule_17_5_5_audit - changed_when: no - ignore_errors: yes + - name: "SCORED | 17.5.4 | AUDIT | L1 Ensure Audit Logon is set to Success and Failure" + win_shell: AuditPol /get /subcategory:"Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_5_4_audit + + - name: "SCORED | 17.5.4 | PATCH | L1 Ensure Audit Logon is set to Success and Failure | Success" + win_shell: AuditPol /set /subcategory:"Logon" /success:enable + when: "'Failure' not in rule_17_5_4_audit.stdout" + + - name: "SCORED | 17.5.4 | PATCH | L1 Ensure Audit Logon is set to Success and Failure | Failure" + win_shell: AuditPol /set /subcategory:"Logon" /failure:enable + when: "'Failure' not in rule_17_5_4_audit.stdout" when: - - rule_17_5_5 + - rule_17_5_4 tags: - - level1 - - level2 - - rule_17.5.5 - - audit + - level1-domaincontroller + - level1-memberserver + - rule_17.5.4 + - patch - name: "SCORED | 17.5.5 | PATCH | L1 Ensure Audit Other LogonLogoff Events is set to Success and Failure" block: - - name: "SCORED | 17.5.5 | PATCH | L1 Ensure Audit Other LogonLogoff Events is set to Success and Failure | Success" - win_shell: AuditPol /set /subcategory:"Other Logon/Logoff Events" /success:enable - changed_when: "'Success' not in rule_17_5_5_audit.stdout" - when: - - rule_17_5_5_audit is defined - - "'Success' not in rule_17_5_5_audit.stdout" - - - name: "SCORED | 17.5.5 | PATCH | L1 Ensure Audit Other LogonLogoff Events is set to Success and Failure | Failure" - win_shell: AuditPol /set /subcategory:"Other Logon/Logoff Events" /failure:enable - changed_when: "'Failure' not in rule_17_5_5_audit.stdout" - when: - - rule_17_5_5_audit is defined - - "'Failure' not in rule_17_5_5_audit.stdout" + - name: "SCORED | 17.5.5 | AUDIT | L1 Ensure Audit Other LogonLogoff Events is set to Success and Failure" + win_shell: AuditPol /get /subcategory:"Other Logon/Logoff Events" -r | ConvertFrom-Csv | 
Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_5_5_audit + + - name: "SCORED | 17.5.5 | PATCH | L1 Ensure Audit Other LogonLogoff Events is set to Success and Failure | Success" + win_shell: AuditPol /set /subcategory:"Other Logon/Logoff Events" /success:enable + when: "'Success' not in rule_17_5_5_audit.stdout" + + - name: "SCORED | 17.5.5 | PATCH | L1 Ensure Audit Other LogonLogoff Events is set to Success and Failure | Failure" + win_shell: AuditPol /set /subcategory:"Other Logon/Logoff Events" /failure:enable + when: "'Failure' not in rule_17_5_5_audit.stdout" when: - rule_17_5_5 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.5.5 - patch -- name: "SCORED | 17.5.6 | AUDIT | L1 Ensure Audit Special Logon is set to include Success" - win_shell: AuditPol /get /subcategory:"Special Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_5_6_audit - changed_when: no - ignore_errors: yes - when: rule_17_5_6 - tags: - - level1 - - level2 - - rule_17.5.6 - - audit - - name: "SCORED | 17.5.6 | PATCH | L1 Ensure Audit Special Logon is set to include Success" - win_shell: AuditPol /set /subcategory:"Special Logon" /success:enable - changed_when: "'Success' not in rule_17_5_6_audit.stdout" + block: + - name: "SCORED | 17.5.6 | AUDIT | L1 Ensure Audit Special Logon is set to include Success" + win_shell: AuditPol /get /subcategory:"Special Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_5_6_audit + + - name: "SCORED | 17.5.6 | PATCH | L1 Ensure Audit Special Logon is set to include Success" + win_shell: AuditPol /set /subcategory:"Special Logon" /success:enable + when: "'Success' not in rule_17_5_6_audit.stdout" when: - rule_17_5_6 - - rule_17_5_6_audit is defined - - "'Success' not in rule_17_5_6_audit.stdout" tags: - - level1 - - level2 + - 
level1-domaincontroller + - level1-memberserver - rule_17.5.6 - patch -- name: "SCORED | 17.6.1 | AUDIT | L1 Ensure Audit Detailed File Share is set to include Failure" - win_shell: AuditPol /get /subcategory:"Detailed File Share" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_6_1_audit - changed_when: no - ignore_errors: yes - when: rule_17_6_1 - tags: - - level1 - - level2 - - rule_17.6.1 - - audit - - name: "SCORED | 17.6.1 | PATCH | L1 Ensure Audit Detailed File Share is set to include Failure" - win_shell: AuditPol /set /subcategory:"Detailed File Share" /failure:enable - changed_when: "'Failure' not in rule_17_6_1_audit.stdout" + block: + - name: "SCORED | 17.6.1 | AUDIT | L1 Ensure Audit Detailed File Share is set to include Failure" + win_shell: AuditPol /get /subcategory:"Detailed File Share" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_6_1_audit + + - name: "SCORED | 17.6.1 | PATCH | L1 Ensure Audit Detailed File Share is set to include Failure" + win_shell: AuditPol /set /subcategory:"Detailed File Share" /failure:enable + when: "'Failure' not in rule_17_6_1_audit.stdout" when: - rule_17_6_1 - - rule_17_6_1_audit is defined - - "'Failure' not in rule_17_6_1_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.6.1 - patch -- name: "SCORED | 17.6.2 | AUDIT | L1 Ensure Audit File Share is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"File Share" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_6_2_audit - changed_when: no - ignore_errors: yes - when: rule_17_6_2 - tags: - - level1 - - level2 - - rule_17.6.2 - - audit - - name: "SCORED | 17.6.2 | PATCH | L1 Ensure Audit File Share is set to Success and Failure" - win_shell: AuditPol /set /subcategory:"File Share" /failure:enable - changed_when: "'Failure' not in 
rule_17_6_2_audit.stdout" - when: - - rule_17_6_2 - - rule_17_6_2_audit is defined - - "'Failure' not in rule_17_6_2_audit.stdout" - tags: - - level1 - - level2 + block: + - name: "SCORED | 17.6.2 | AUDIT | L1 Ensure Audit File Share is set to Success and Failure" + win_shell: AuditPol /get /subcategory:"File Share" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_6_2_audit + + - name: "SCORED | 17.6.2 | PATCH | L1 Ensure Audit File Share is set to Success and Failure" + win_shell: AuditPol /set /subcategory:"File Share" /failure:enable + when: "'Failure' not in rule_17_6_2_audit.stdout" + tags: + - level1-domaincontroller + - level1-memberserver - rule_17.6.2 - patch 
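Review bot: the 17.5.1 PATCH task enables the wrong audit setting: the rule requires Account Lockout to include Failure and the task's `when` tests `'Failure' not in rule_17_5_1_audit.stdout`, but it runs `AuditPol /set /subcategory:"Account Lockout" /success:enable`, so Failure auditing is never enabled and the task fires on every run; change it to `/failure:enable`. The 17.5.4 Success sub-task has the mirror problem, its `when` tests `'Failure'` where it should test `'Success'`, so it runs or skips based on the wrong setting. Two further points in this hunk: 17.4.2 drops the `ansible_windows_domain_role == "Primary domain controller"` condition and relies on the `level1-domaincontroller` tag alone, so an untagged run applies the DC-only setting to member servers (keep the role check in the block-level `when`); and the 17.6.2 block has no `when: - rule_17_6_2`, so that rule can no longer be switched off through its variable, and its single `/failure:enable` task never sets Success although the title says "Success and Failure". Last, with `failed_when: false` on every AUDIT task an AuditPol failure leaves stdout empty, every `not in` test becomes true and the PATCH tasks run blind; dropping `failed_when: false` would let an unreadable policy fail loudly instead.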
@@ -522,353 +433,257 @@ audit_type: success, failure when: rule_17_6_3 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.6.3 - patch -- name: "SCORED | 17.6.4 | AUDIT | L1 Ensure Audit Removable Storage is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"Removable Storage" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_6_4_audit - changed_when: no - ignore_errors: yes - when: rule_17_6_4 - tags: - - level1 - - level2 - - rule_17.6.4 - - audit - - name: "SCORED | 17.6.4 | PATCH | L1 Ensure Audit Removable Storage is set to Success and Failure" - win_shell: AuditPol /set /subcategory:"Removable Storage" /success:enable - changed_when: "'Success' not in rule_17_6_4_audit.stdout" + block: + - name: "SCORED | 17.6.4 | AUDIT | L1 Ensure Audit Removable Storage is set to Success and Failure" + win_shell: AuditPol /get /subcategory:"Removable Storage" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_6_4_audit + + - name: "SCORED | 17.6.4 | PATCH | L1 Ensure Audit Removable Storage is set to Success and Failure" + win_shell: AuditPol /set /subcategory:"Removable Storage" /success:enable + when: "'Success' not in rule_17_6_4_audit.stdout" when: - rule_17_6_4 - - rule_17_6_4_audit is defined - - "'Success' not in rule_17_6_4_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.6.4 - patch -- name: "SCORED | 17.7.1 | AUDIT | L1 Ensure Audit Audit Policy Change is set to include Success" - win_shell: AuditPol /get /subcategory:"Audit Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_7_1_audit - changed_when: no - ignore_errors: yes - when: rule_17_7_1 - tags: - - level1 - - level2 - - rule_17.7.1 - - audit - - name: "SCORED | 17.7.1 | PATCH | L1 Ensure Audit Audit Policy Change is set to include Success" 
- win_shell: AuditPol /set /subcategory:"Audit Policy Change" /success:enable - changed_when: "'Success' not in rule_17_7_1_audit.stdout" + block: + - name: "SCORED | 17.7.1 | AUDIT | L1 Ensure Audit Audit Policy Change is set to include Success" + win_shell: AuditPol /get /subcategory:"Audit Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_7_1_audit + + - name: "SCORED | 17.7.1 | PATCH | L1 Ensure Audit Audit Policy Change is set to include Success" + win_shell: AuditPol /set /subcategory:"Audit Policy Change" /success:enable + when: "'Success' not in rule_17_7_1_audit.stdout" when: - rule_17_7_1 - - rule_17_7_1_audit is defined - - "'Success' not in rule_17_7_1_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.7.1 - patch -- name: "SCORED | 17.7.2 | AUDIT | L1 Ensure Audit Authentication Policy Change is set to include Success" - win_shell: AuditPol /get /subcategory:"Authentication Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_7_2_audit - changed_when: no - ignore_errors: yes - when: rule_17_7_2 - tags: - - level1 - - level2 - - rule_17.7.2 - - audit - - name: "SCORED | 17.7.2 | PATCH | L1 Ensure Audit Authentication Policy Change is set to include Success" - win_shell: AuditPol /set /subcategory:"Authentication Policy Change" /success:enable - changed_when: "'Success' not in rule_17_7_2_audit.stdout" + block: + - name: "SCORED | 17.7.2 | AUDIT | L1 Ensure Audit Authentication Policy Change is set to include Success" + win_shell: AuditPol /get /subcategory:"Authentication Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_7_2_audit + + - name: "SCORED | 17.7.2 | PATCH | L1 Ensure Audit Authentication Policy Change is set to include Success" + win_shell: AuditPol /set 
/subcategory:"Authentication Policy Change" /success:enable + when: "'Success' not in rule_17_7_2_audit.stdout" when: - rule_17_7_2 - - rule_17_7_2_audit is defined - - "'Success' not in rule_17_7_2_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.7.2 - patch -- name: "SCORED | 17.7.3 | AUDIT | L1 Ensure Audit Authorization Policy Change is set to include Success" - win_shell: AuditPol /get /subcategory:"Authorization Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_7_3_audit - changed_when: no - ignore_errors: yes - when: rule_17_7_3 - tags: - - level1 - - level2 - - rule_17.7.3 - - audit - - name: "SCORED | 17.7.3 | PATCH | L1 Ensure Audit Authorization Policy Change is set to include Success" - win_shell: AuditPol /set /subcategory:"Authorization Policy Change" /success:enable - changed_when: "'Success' not in rule_17_7_3_audit.stdout" + block: + - name: "SCORED | 17.7.3 | AUDIT | L1 Ensure Audit Authorization Policy Change is set to include Success" + win_shell: AuditPol /get /subcategory:"Authorization Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_7_3_audit + + - name: "SCORED | 17.7.3 | PATCH | L1 Ensure Audit Authorization Policy Change is set to include Success" + win_shell: AuditPol /set /subcategory:"Authorization Policy Change" /success:enable + when: "'Success' not in rule_17_7_3_audit.stdout" when: - rule_17_7_3 - - rule_17_7_3_audit is defined - - "'Success' not in rule_17_7_3_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.7.3 - patch -- name: "SCORED | 17.7.4 | AUDIT | L1 Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"MPSSVC Rule-Level Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: 
rule_17_7_4_audit - changed_when: no - ignore_errors: yes - when: rule_17_7_4 - tags: - - level1 - - level2 - - rule_17.7.4 - - audit - - name: "SCORED | 17.7.4 | PATCH | L1 Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure" block: - - name: "SCORED | 17.7.4 | PATCH | L1 Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure | Success" - win_shell: AuditPol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable - changed_when: "'Success' not in rule_17_7_4_audit.stdout" - when: - - rule_17_7_4_audit is defined - - "'Success' not in rule_17_7_4_audit.stdout" - - - name: "SCORED | 17.7.4 | PATCH | L1 Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure | Failure" - win_shell: AuditPol /set /subcategory:"MPSSVC Rule-Level Policy Change" /failure:enable - changed_when: "'Failure' not in rule_17_7_4_audit.stdout" - when: - - rule_17_7_4_audit is defined - - "'Failure' not in rule_17_7_4_audit.stdout" - when: rule_17_7_4 - tags: - - level1 - - level2 + - name: "SCORED | 17.7.4 | AUDIT | L1 Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure" + win_shell: AuditPol /get /subcategory:"MPSSVC Rule-Level Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_7_4_audit + + - name: "SCORED | 17.7.4 | PATCH | L1 Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure | Success" + win_shell: AuditPol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable + when: "'Success' not in rule_17_7_4_audit.stdout" + + - name: "SCORED | 17.7.4 | PATCH | L1 Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure | Failure" + win_shell: AuditPol /set /subcategory:"MPSSVC Rule-Level Policy Change" /failure:enable + when: "'Failure' not in rule_17_7_4_audit.stdout" + when: + - rule_17_7_4 + tags: + - level1-domaincontroller + - level1-memberserver - 
rule_17.7.4 - patch -- name: "SCORED | 17.7.5 | AUDIT | L1 Ensure Audit Other Policy Change Events is set to include Failure" - win_shell: AuditPol /get /subcategory:"Other Policy Change Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_7_5_audit - changed_when: no - ignore_errors: yes - when: rule_17_7_5 - tags: - - level1 - - level2 - - rule_17.7.5 - - audit - - name: "SCORED | 17.7.5 | PATCH | L1 Ensure Audit Other Policy Change Events is set to include Failure" - win_shell: AuditPol /set /subcategory:"Other Policy Change Events" /success:enable - changed_when: "'Success' not in rule_17_7_5_audit.stdout" + block: + - name: "SCORED | 17.7.5 | AUDIT | L1 Ensure Audit Other Policy Change Events is set to include Failure" + win_shell: AuditPol /get /subcategory:"Other Policy Change Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_7_5_audit + + - name: "SCORED | 17.7.5 | PATCH | L1 Ensure Audit Other Policy Change Events is set to include Failure" + win_shell: AuditPol /set /subcategory:"Other Policy Change Events" /success:enable + when: "'Success' not in rule_17_7_5_audit.stdout" when: - rule_17_7_5 - - rule_17_7_5_audit is defined - - "'Success' not in rule_17_7_5_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.7.5 - patch -- name: "SCORED | 17.8.1 | AUDIT | L1 Ensure Audit Sensitive Privilege Use is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"Sensitive Privilege Use" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_8_1_audit - changed_when: no - ignore_errors: yes - when: rule_17_8_1 - tags: - - level1 - - level2 - - rule_17.8.1 - - audit - - name: "SCORED | 17.8.1 | PATCH | L1 Ensure Audit Sensitive Privilege Use is set to Success and Failure" block: - - name: "SCORED | 17.8.1 | PATCH | L1 Ensure Audit Sensitive 
Privilege Use is set to Success and Failure | Success" - win_shell: AuditPol /set /subcategory:"Sensitive Privilege Use" /success:enable - changed_when: "'Success' not in rule_17_8_1_audit.stdout" - when: - - rule_17_8_1_audit is defined - - "'Success' not in rule_17_8_1_audit.stdout" - - - name: "SCORED | 17.8.1 | PATCH | L1 Ensure Audit Sensitive Privilege Use is set to Success and Failure | Failure" - win_shell: AuditPol /set /subcategory:"Sensitive Privilege Use" /failure:enable - changed_when: "'Failure' not in rule_17_8_1_audit.stdout" - when: - - rule_17_8_1_audit is defined - - "'Failure' not in rule_17_8_1_audit.stdout" - - when: rule_17_8_1 + - name: "SCORED | 17.8.1 | AUDIT | L1 Ensure Audit Sensitive Privilege Use is set to Success and Failure" + win_shell: AuditPol /get /subcategory:"Sensitive Privilege Use" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_8_1_audit + + - name: "SCORED | 17.8.1 | PATCH | L1 Ensure Audit Sensitive Privilege Use is set to Success and Failure | Success" + win_shell: AuditPol /set /subcategory:"Sensitive Privilege Use" /success:enable + when: "'Success' not in rule_17_8_1_audit.stdout" + + - name: "SCORED | 17.8.1 | PATCH | L1 Ensure Audit Sensitive Privilege Use is set to Success and Failure | Failure" + win_shell: AuditPol /set /subcategory:"Sensitive Privilege Use" /failure:enable + when: "'Failure' not in rule_17_8_1_audit.stdout" + when: + - rule_17_8_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.8.1 - patch -- name: "SCORED | 17.9.1 | AUDIT | L1 Ensure Audit IPsec Driver is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"IPsec Driver" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_9_1_audit - changed_when: no - ignore_errors: yes - when: rule_17_9_1 - tags: - - level1 - - level2 - - rule_17.9.1 - - audit - - name: "SCORED | 17.9.1 | 
PATCH | L1 Ensure Audit IPsec Driver is set to Success and Failure" block: - - name: "SCORED | 17.9.1 | PATCH | L1 Ensure Audit IPsec Driver is set to Success and Failure | Success" - win_shell: AuditPol /set /subcategory:"IPsec Driver" /success:enable - changed_when: "'Success' not in rule_17_9_1_audit.stdout" - when: - - rule_17_9_1_audit is defined - - "'Success' not in rule_17_9_1_audit.stdout" - - name: "SCORED | 17.9.1 | PATCH | L1 Ensure Audit IPsec Driver is set to Success and Failure | Failure" - win_shell: AuditPol /set /subcategory:"IPsec Driver" /failure:enable - changed_when: "'Failure' not in rule_17_9_1_audit.stdout" - when: - - rule_17_9_1_audit is defined - - "'Failure' not in rule_17_9_1_audit.stdout" - - when: rule_17_9_1 - tags: - - level1 - - level2 + - name: "SCORED | 17.9.1 | AUDIT | L1 Ensure Audit IPsec Driver is set to Success and Failure" + win_shell: AuditPol /get /subcategory:"IPsec Driver" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_9_1_audit + + - name: "SCORED | 17.9.1 | PATCH | L1 Ensure Audit IPsec Driver is set to Success and Failure | Success" + win_shell: AuditPol /set /subcategory:"IPsec Driver" /success:enable + when: "'Success' not in rule_17_9_1_audit.stdout" + + - name: "SCORED | 17.9.1 | PATCH | L1 Ensure Audit IPsec Driver is set to Success and Failure | Failure" + win_shell: AuditPol /set /subcategory:"IPsec Driver" /failure:enable + when: "'Failure' not in rule_17_9_1_audit.stdout" + when: + - rule_17_9_1 + tags: + - level1-domaincontroller + - level1-memberserver - rule_17.9.1 - patch -- name: "SCORED | 17.9.2 | AUDIT | L1 Ensure Audit Other System Events is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"Other System Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_9_2_audit - changed_when: no - ignore_errors: yes - when: rule_17_9_2 - tags: - - level1 - - level2 - - 
rule_17.9.2 - - audit - - name: "SCORED | 17.9.2 | PATCH | L1 Ensure Audit Other System Events is set to Success and Failure" block: - - name: "SCORED | 17.9.2 | PATCH | L1 Ensure Audit Other System Events is set to Success and Failure | Success" - win_shell: AuditPol /set /subcategory:"Other System Events" /success:enable - changed_when: "'Success' not in rule_17_9_2_audit.stdout" - when: - - rule_17_9_2_audit is defined - - "'Success' not in rule_17_9_2_audit.stdout" - - name: "SCORED | 17.9.2 | PATCH | L1 Ensure Audit Other System Events is set to Success and Failure | Failure" - win_shell: AuditPol /set /subcategory:"Other System Events" /failure:enable - changed_when: "'Failure' not in rule_17_9_2_audit.stdout" - when: - - rule_17_9_2_audit is defined - - "'Failure' not in rule_17_9_2_audit.stdout" - when: rule_17_9_2 - tags: - - level1 - - level2 + - name: "SCORED | 17.9.2 | AUDIT | L1 Ensure Audit Other System Events is set to Success and Failure" + win_shell: AuditPol /get /subcategory:"Other System Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_9_2_audit + + - name: "SCORED | 17.9.2 | PATCH | L1 Ensure Audit Other System Events is set to Success and Failure | Success" + win_shell: AuditPol /set /subcategory:"Other System Events" /success:enable + when: "'Success' not in rule_17_9_2_audit.stdout" + + - name: "SCORED | 17.9.2 | PATCH | L1 Ensure Audit Other System Events is set to Success and Failure | Failure" + win_shell: AuditPol /set /subcategory:"Other System Events" /failure:enable + when: "'Failure' not in rule_17_9_2_audit.stdout" + when: + - rule_17_9_2 + tags: + - level1-domaincontroller + - level1-memberserver - rule_17.9.2 - patch -- name: "SCORED | 17.9.3 | AUDIT | L1 Ensure Audit Security State Change is set to include Success" - win_shell: AuditPol /get /subcategory:"Security State Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - 
register: rule_17_9_3_audit - changed_when: no - ignore_errors: yes - when: rule_17_9_3 - tags: - - level1 - - level2 - - rule_17.9.3 - - audit - - name: "SCORED | 17.9.3 | PATCH | L1 Ensure Audit Security State Change is set to include Success" - win_shell: AuditPol /set /subcategory:"Security State Change" /success:enable - changed_when: "'Success' not in rule_17_9_3_audit.stdout" + block: + - name: "SCORED | 17.9.3 | AUDIT | L1 Ensure Audit Security State Change is set to include Success" + win_shell: AuditPol /get /subcategory:"Security State Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_9_3_audit + + - name: "SCORED | 17.9.3 | PATCH | L1 Ensure Audit Security State Change is set to include Success" + win_shell: AuditPol /set /subcategory:"Security State Change" /success:enable + when: "'Success' not in rule_17_9_3_audit.stdout" when: - rule_17_9_3 - - rule_17_9_3_audit is defined - - "'Success' not in rule_17_9_3_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.9.3 - patch -- name: "SCORED | 17.9.4 | AUDIT | L1 Ensure Audit Security System Extension is set to include Success" - win_shell: AuditPol /get /subcategory:"Security System Extension" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_9_4_audit - changed_when: no - ignore_errors: yes - when: rule_17_9_4 - tags: - - level1 - - level2 - - rule_17.9.4 - - audit - - name: "SCORED | 17.9.4 | PATCH | L1 Ensure Audit Security System Extension is set to include Success" - win_shell: AuditPol /set /subcategory:"Security System Extension" /success:enable - changed_when: "'Success' not in rule_17_9_4_audit.stdout" + block: + - name: "SCORED | 17.9.4 | AUDIT | L1 Ensure Audit Security System Extension is set to include Success" + win_shell: AuditPol /get /subcategory:"Security System Extension" -r | ConvertFrom-Csv | Select-Object -expand 
"Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_9_4_audit + + - name: "SCORED | 17.9.4 | PATCH | L1 Ensure Audit Security System Extension is set to include Success" + win_shell: AuditPol /set /subcategory:"Security System Extension" /success:enable + when: "'Success' not in rule_17_9_4_audit.stdout" when: - rule_17_9_4 - - rule_17_9_4_audit is defined - - "'Success' not in rule_17_9_4_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.9.4 - patch -- name: "SCORED | 17.9.5 | AUDIT | L1 Ensure Audit System Integrity is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"System Integrity" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_9_5_audit - changed_when: no - ignore_errors: yes - when: rule_17_9_5 - tags: - - level1 - - level2 - - rule_17.9.5 - - audit - - name: "SCORED | 17.9.5 | PATCH | L1 Ensure Audit System Integrity is set to Success and Failure" block: - - name: "SCORED | 17.9.5 | PATCH | L1 Ensure Audit System Integrity is set to Success and Failure | Success" - win_shell: AuditPol /set /subcategory:"System Integrity" /success:enable - changed_when: "'Success' not in rule_17_9_5_audit.stdout" - when: - - rule_17_9_5_audit is defined - - "'Success' not in rule_17_9_5_audit.stdout" - - - name: "SCORED | 17.9.5 | PATCH | L1 Ensure Audit System Integrity is set to Success and Failure | Failure" - win_shell: AuditPol /set /subcategory:"System Integrity" /failure:enable - changed_when: "'Failure' not in rule_17_9_5_audit.stdout" - when: - - rule_17_9_5_audit is defined - - "'Failure' not in rule_17_9_5_audit.stdout" - when: rule_17_9_5 - tags: - - level1 - - level2 + - name: "SCORED | 17.9.5 | AUDIT | L1 Ensure Audit System Integrity is set to Success and Failure" + win_shell: AuditPol /get /subcategory:"System Integrity" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + 
failed_when: false + register: rule_17_9_5_audit + + - name: "SCORED | 17.9.5 | PATCH | L1 Ensure Audit System Integrity is set to Success and Failure | Success" + win_shell: AuditPol /set /subcategory:"System Integrity" /success:enable + changed_when: "'Success' not in rule_17_9_5_audit.stdout" + when: "'Success' not in rule_17_9_5_audit.stdout" + + - name: "SCORED | 17.9.5 | PATCH | L1 Ensure Audit System Integrity is set to Success and Failure | Failure" + win_shell: AuditPol /set /subcategory:"System Integrity" /failure:enable + changed_when: "'Failure' not in rule_17_9_5_audit.stdout" + when: "'Failure' not in rule_17_9_5_audit.stdout" + when: + - rule_17_9_5 + tags: + - level1-domaincontroller + - level1-memberserver - rule_17.9.5 - patch - diff --git a/tasks/section18.yml b/tasks/section18.yml index 8f7d12b..736cb8f 100644 --- a/tasks/section18.yml +++ b/tasks/section18.yml @@ -5,10 +5,11 @@ name: NoLockScreenCamera data: 1 type: dword - when: rule_18_1_1_1 + when: + - rule_18_1_1_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.1.1.1 - patch 
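Review bot: the 17.7.5 PATCH task enables the wrong setting: the rule is "Other Policy Change Events is set to include Failure", yet the task runs `/success:enable` and its `when` tests `'Success' not in rule_17_7_5_audit.stdout`; both should reference Failure or the required setting is never applied. Likewise 17.6.4 "Removable Storage is set to Success and Failure" keeps only a `/success:enable` task with no Failure counterpart, unlike the Success/Failure two-task pattern used for 17.7.4, 17.8.1, 17.9.1 and 17.9.2 in the same hunk. Style point at 17.9.5: its sub-tasks carry both `changed_when` and `when` on the identical expression; the `when` already limits execution to the case where a change is needed, so `changed_when` is redundant there and out of step with every other block in the file. Minor consistency point in the first section18 hunk: `when:` is rewritten as a one-item list (`- rule_18_1_1_1`) where the scalar form was equivalent; either is fine, but the file should settle on one.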
@@ -18,276 +19,205 @@ name: NoLockScreenSlideshow data: 1 type: dword - when: rule_18_1_1_2 + when: + - rule_18_1_1_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.1.1.2 - patch -- name: "SCORED | 18.1.2.2 | AUDIT | L1 Ensure Allow users to enable online speech recognition services is set to Disabled" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - when: - - is_implemented - - rule_18_1_2_2 - tags: - - level1 - - level2 - - rule_18.1.2.2 - - audit - - name: "SCORED | 18.1.2.2 | PATCH | L1 Ensure Allow users to enable online speech recognition services is set to Disabled" - command: "echo true" + block: + - name: "SCORED | 18.1.2.2 | AUDIT | L1 Ensure Allow users to enable online speech recognition services is set to Disabled" + command: "echo true" + changed_when: false + failed_when: false + register: rule_18_1_2_2_audit + + - name: "SCORED | 18.1.2.2 | PATCH | L1 Ensure Allow users to enable online speech recognition services is set to Disabled" + command: "echo true" when: - is_implemented - rule_18_1_2_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.1.2.2 - patch -- name: "SCORED | 18.1.3 | AUDIT | L2 Ensure Allow Online Tips is set to Disabled" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - when: - - is_implemented - - rule_18_1_3 - tags: - - level2 - - rule_18.1.3 - - audit - - name: "SCORED | 18.1.3 | PATCH | L2 Ensure Allow Online Tips is set to Disabled" - command: "echo true" + block: + - name: "SCORED | 18.1.3 | AUDIT | L2 Ensure Allow Online Tips is set to Disabled" + command: "echo true" + changed_when: false + failed_when: false + register: rule_18_1_2_2_audit + + - name: "SCORED | 18.1.3 | PATCH | L2 Ensure Allow Online Tips is set to Disabled" + command: "echo true" when: - is_implemented - rule_18_1_3 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.1.3 - patch 
-- name: "SCORED | 18.2.1 | AUDIT | L1 Ensure LAPS AdmPwd GPO Extension CSE is installed MS only" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - when: - - is_implemented - - rule_18_2_1 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.2.1 - - audit - - name: "SCORED | 18.2.1 | PATCH | L1 Ensure LAPS AdmPwd GPO Extension CSE is installed MS only" - command: "echo true" + block: + - name: "SCORED | 18.2.1 | AUDIT | L1 Ensure LAPS AdmPwd GPO Extension CSE is installed MS only" + command: "echo true" + changed_when: false + failed_when: false + register: rule_18_2_1_audit + + - name: "SCORED | 18.2.1 | PATCH | L1 Ensure LAPS AdmPwd GPO Extension CSE is installed MS only" + command: "echo true" when: - is_implemented - rule_18_2_1 - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 + - level1-memberserver - rule_18.2.1 - patch -- name: "SCORED | 18.2.2 | AUDIT | L1 Ensure Do not allow password expiration time longer than required by policy is set to Enabled MS only" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - when: - - is_implemented - - rule_18_2_2 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.2.2 - - audit - - name: "SCORED | 18.2.2 | PATCH | L1 Ensure Do not allow password expiration time longer than required by policy is set to Enabled MS only" - command: "echo true" + block: + - name: "SCORED | 18.2.2 | AUDIT | L1 Ensure Do not allow password expiration time longer than required by policy is set to Enabled MS only" + command: "echo true" + changed_when: false + failed_when: false + register: rule_18_2_2_audit + + - name: "SCORED | 18.2.2 | PATCH | L1 Ensure Do not allow password expiration time longer than required by policy is set to Enabled MS only" + command: "echo true" when: - is_implemented - rule_18_2_2 - not 
ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 + - level1-memberserver - rule_18.2.2 - patch -- name: "SCORED | 18.2.3 | AUDIT | L1 Ensure Enable Local Admin Password Management is set to Enabled MS only" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - when: - - is_implemented - - rule_18_2_3 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.2.3 - - audit - - name: "SCORED | 18.2.3 | PATCH | L1 Ensure Enable Local Admin Password Management is set to Enabled MS only" - command: "echo true" + block: + - name: "SCORED | 18.2.3 | AUDIT | L1 Ensure Enable Local Admin Password Management is set to Enabled MS only" + command: "echo true" + changed_when: false + failed_when: false + register: rule_18_2_3_audit + + - name: "SCORED | 18.2.3 | PATCH | L1 Ensure Enable Local Admin Password Management is set to Enabled MS only" + command: "echo true" when: - is_implemented - rule_18_2_3 - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 + - level1-memberserver - rule_18.2.3 - patch -- name: "SCORED | 18.2.4 | AUDIT | L1 Ensure Password Settings Password Complexity is set to Enabled Large letters small letters numbers special characters MS only" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - when: - - is_implemented - - rule_18_2_4 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.2.4 - - audit - - name: "SCORED | 18.2.4 | PATCH | L1 Ensure Password Settings Password Complexity is set to Enabled Large letters small letters numbers special characters MS only" - command: "echo true" + block: + - name: "SCORED | 18.2.4 | AUDIT | L1 Ensure Password Settings Password Complexity is set to Enabled Large letters small letters numbers special characters MS only" + command: "echo true" + changed_when: false + 
failed_when: false + register: rule_18_2_4_audit + + - name: "SCORED | 18.2.4 | PATCH | L1 Ensure Password Settings Password Complexity is set to Enabled Large letters small letters numbers special characters MS only" + command: "echo true" when: - is_implemented - rule_18_2_4 - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 + - level1-memberserver - rule_18.2.4 - patch -- name: "SCORED | 18.2.5 | AUDIT | L1 Ensure Password Settings Password Length is set to Enabled 15 or more MS only" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - when: - - is_implemented - - rule_18_2_5 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.2.5 - - audit - - name: "SCORED | 18.2.5 | PATCH | L1 Ensure Password Settings Password Length is set to Enabled 15 or more MS only" - command: "echo true" + block: + - name: "SCORED | 18.2.5 | AUDIT | L1 Ensure Password Settings Password Length is set to Enabled 15 or more MS only" + command: "echo true" + changed_when: false + failed_when: false + register: rule_18_2_5_audit + + - name: "SCORED | 18.2.5 | PATCH | L1 Ensure Password Settings Password Length is set to Enabled 15 or more MS only" + command: "echo true" when: - is_implemented - rule_18_2_5 - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 + - level1-memberserver - rule_18.2.5 - patch -- name: "SCORED | 18.2.6 | AUDIT | L1 Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - when: - - is_implemented - - rule_18_2_6 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.2.6 - - audit - - name: "SCORED | 18.2.6 | PATCH | L1 Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only" - command: "echo true" + block: + - 
name: "SCORED | 18.2.6 | AUDIT | L1 Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only" + command: "echo true" + changed_when: false + failed_when: false + register: rule_18_3_6_audit + + - name: "SCORED | 18.2.6 | PATCH | L1 Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only" + command: "echo true" when: - is_implemented - rule_18_2_6 - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 + - level1-memberserver - rule_18.2.6 - patch -- name: "SCORED | 18.3.1 | AUDIT | L1 Ensure Apply UAC restrictions to local accounts on network logons is set to Enabled MS only" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - when: - - is_implemented - - rule_18_3_1 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.3.1 - - audit - - name: "SCORED | 18.3.1 | PATCH | L1 Ensure Apply UAC restrictions to local accounts on network logons is set to Enabled MS only" - command: "echo true" + block: + - name: "SCORED | 18.3.1 | AUDIT | L1 Ensure Apply UAC restrictions to local accounts on network logons is set to Enabled MS only" + command: "echo true" + changed_when: false + failed_when: false + register: rule_18_3_1_audit + + - name: "SCORED | 18.3.1 | PATCH | L1 Ensure Apply UAC restrictions to local accounts on network logons is set to Enabled MS only" + command: "echo true" when: - is_implemented - rule_18_3_1 - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 + - level1-memberserver - rule_18.3.1 - patch -- name: "SCORED | 18.3.2 | AUDIT | L1 Ensure Configure SMB v1 client driver is set to Enabled Disable driver recommended" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - when: - - is_implemented - - rule_18_3_2 - tags: - - level1 - - level2 - - rule_18.3.2 - - audit - - name: "SCORED | 18.3.2 | PATCH | L1 Ensure 
Configure SMB v1 client driver is set to Enabled Disable driver recommended" - command: "echo true" + block: + - name: "SCORED | 18.3.2 | AUDIT | L1 Ensure Configure SMB v1 client driver is set to Enabled Disable driver recommended" + command: "echo true" + changed_when: false + failed_when: false + register: rule_18_3_2_audit + + - name: "SCORED | 18.3.2 | PATCH | L1 Ensure Configure SMB v1 client driver is set to Enabled Disable driver recommended" + command: "echo true" when: - is_implemented - rule_18_3_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.3.2 - patch -- name: "SCORED | 18_3_3 | PATCH | L1 Ensure Configure SMB v1 server is set to Disabled" +- name: "SCORED | 18.3.3 | PATCH | L1 Ensure Configure SMB v1 server is set to Disabled" win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters name: SMB1 
@@ -295,68 +225,79 @@ type: dword state: present notify: reboot_windows - when: rule_18_3_3 + when: + - rule_18_3_3 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.3.3 - patch -- name: "SCORED | 18_3_4 | PATCH | L1 Ensure Enable Structured Exception Handling Overwrite Protection SEHOP is set to Enabled" +- name: "SCORED | 18.3.4 | PATCH | L1 Ensure Enable Structured Exception Handling Overwrite Protection SEHOP is set to Enabled" win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel name: DisableExceptionChainValidation data: 1 type: dword state: present - when: rule_18_3_4 + when: + - rule_18_3_4 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.3.4 - patch -- name: "SCORED | 18.3.5 | AUDIT | L1 Ensure Extended Protection for LDAP Authentication Domain Controllers only is set to Enabled Enabled always recommended DC Only" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes +- name: "SCORED | 18.3.5 | PATCH | L1 Ensure Extended Protection for LDAP Authentication Domain Controllers only is set to Enabled Enabled always recommended DC Only" + block: + - name: "SCORED | 18.3.5 | AUDIT | L1 Ensure Extended Protection for LDAP Authentication Domain Controllers only is set to Enabled Enabled always recommended DC Only" + command: "echo true" + changed_when: false + failed_when: false + register: rule_18_3_5_audit + + - name: "SCORED | 18.3.5 | PATCH | L1 Ensure Extended Protection for LDAP Authentication Domain Controllers only is set to Enabled Enabled always recommended DC Only" + command: "echo true" when: - is_implemented - rule_18_3_5 - ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 + - level1-domaincontroller - rule_18.3.5 - - audit + - patch -- name: "SCORED | 18.3.5 | PATCH | L1 Ensure Extended Protection for LDAP Authentication Domain Controllers only is set to Enabled Enabled always 
recommended DC Only" - command: "echo true" +- name: "SCORED | 18.3.6 | PATCH | L1 Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node recommended'" + win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters + state: present + name: NodeType + value: "{{ netbt_nodetype }}" + datatype: dword when: - - is_implemented - - rule_18_3_5 - - ansible_windows_domain_role == "Primary domain controller" + - rule_18_3_6 tags: - - level1 - - level2 - - rule_18.3.5 + - level1-domaincontroller + - level1-memberserver + - rule_18.3.6 - patch -- name: "SCORED | 18.3.6 | PATCH | L1 Ensure WDigest Authentication is set to Disabled" +- name: "SCORED | 18.3.7 | PATCH | L1 Ensure WDigest Authentication is set to Disabled" win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest state: present value: UseLogonCredential data: 0 datatype: dword - when: rule_18_3_6 + when: + - rule_18_3_7 tags: - - level1 - - level2 - - rule_18.3.6 + - level1-domaincontroller + - level1-memberserver + - rule_18.3.7 - patch + - name: "SCORED | 18.4.1 | PATCH | L1 Ensure MSS AutoAdminLogon Enable Automatic Logon not recommended is set to Disabled" win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon @@ -364,10 +305,11 @@ value: AutoAdminLogon data: 0 datatype: dword - when: rule_18_4_1 + when: + - rule_18_4_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.4.1 - patch @@ -378,10 +320,11 @@ value: DisableIPSourceRouting data: 2 datatype: dword - when: rule_18_4_2 + when: + - rule_18_4_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.4.2 - patch @@ -392,10 +335,11 @@ value: DisableIPSourceRouting data: 2 datatype: dword - when: rule_18_4_3 + when: + - rule_18_4_3 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.4.3 - patch 
@@ -406,10 +350,11 @@ value: EnableICMPRedirect data: 0 datatype: dword - when: rule_18_4_4 + when: + - rule_18_4_4 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.4.4 - patch @@ -420,9 +365,11 @@ value: KeepAliveTime data: 300000 datatype: dword - when: rule_18_4_5 + when: + - rule_18_4_5 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.4.5 - patch @@ -433,10 +380,11 @@ name: NoNameReleaseOnDemand data: 1 type: dword - when: rule_18_4_6 + when: + - rule_18_4_6 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.4.6 - patch @@ -447,9 +395,11 @@ name: PerformRouterDiscovery data: 0 type: dword - when: rule_18_4_7 + when: + - rule_18_4_7 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.4.7 - patch @@ -460,10 +410,11 @@ data: 1 type: dword state: present - when: rule_18_4_8 + when: + - rule_18_4_8 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.4.8 - patch @@ -474,10 +425,11 @@ data: 5 type: string state: present - when: rule_18_4_9 + when: + - rule_18_4_9 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.4.9 - patch @@ -487,9 +439,11 @@ name: TcpMaxDataRetransmissions data: 3 type: dword - when: rule_18_4_10 + when: + - rule_18_4_10 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.4.10 - patch @@ -499,9 +453,11 @@ name: TcpMaxDataRetransmissions data: 3 type: dword - when: rule_18_4_11 + when: + - rule_18_4_11 tags: - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.4.11 - patch 
@@ -511,42 +467,27 @@ name: WarningLevel data: 90 type: dword - when: rule_18_4_12 - tags: - - level1 - - level2 - - rule_18.4.12 - - patch - - -- name: "SCORED | 18.5.4.1 | PATCH | L1 Set NetBIOS node type to P-node Ensure NetBT Parameter NodeType is set to 0x2 2 MS Only" - win_regedit: - path: HKLM:\System\CurrentControlSet\Services\NetBT\Parameters - name: NodeType - data: 2 - type: dword when: - - rule_18_5_4_1 - - not ansible_windows_domain_role == "Primary domain controller" + - rule_18_4_12 tags: - - level1 - - level2 - - rule_18.5.4.1 + - level1-domaincontroller + - level1-memberserver + - rule_18.4.12 - patch -- name: "SCORED | 18.5.4.2 | PATCH | L1 Ensure Turn off multicast name resolution is set to Enabled MS Only" +- name: "SCORED | 18.5.4.1 | PATCH | L1 Ensure Turn off multicast name resolution is set to Enabled MS Only" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient name: EnableMulticast data: 0 type: dword when: - - rule_18_5_4_2 + - rule_18_5_4_1 - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 - - rule_18.5.4.2 + - level2-domaincontroller + - level2-memberserver + - rule_18.5.4.1 - patch - name: "SCORED | 18.5.5.1 | PATCH | L2 Ensure Enable Font Providers is set to Disabled" @@ -555,9 +496,11 @@ name: EnableFontProviders data: 0 type: dword - when: rule_18_5_5_1 + when: + - rule_18_5_5_1 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.5.5.1 - patch @@ -569,8 +512,8 @@ type: dword when: rule_18_5_8_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.5.8.1 - patch @@ -603,9 +546,11 @@ name: ProhibitLLTDIOOnPrivateNet data: 0 type: dword - when: rule_18_5_9_1 + when: + - rule_18_5_9_1 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.5.9.1 - patch 
@@ -638,9 +583,11 @@ name: ProhibitRspndrOnPrivateNet data: 0 type: dword - when: rule_18_5_9_2 + when: + - rule_18_5_9_2 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.5.9.2 - patch @@ -650,9 +597,11 @@ name: Disabled data: 1 type: dword - when: rule_18_5_10_2 + when: + - rule_18_5_10_2 tags: - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.5.10.2 - patch @@ -662,10 +611,11 @@ name: NC_AllowNetBridge_NLA data: 0 type: dword - when: rule_18_5_11_2 + when: + - rule_18_5_11_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.5.11.2 - patch @@ -675,10 +625,11 @@ name: NC_ShowSharedAccessUI data: 0 type: dword - when: rule_18_5_11_3 + when: + - rule_18_5_11_3 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.5.11.3 - patch @@ -688,10 +639,11 @@ name: NC_StdDomainUserSetLocation data: 1 type: dword - when: rule_18_5_11_4 + when: + - rule_18_5_11_4 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.5.11.4 - patch @@ -709,10 +661,11 @@ name: "\\\\*\\SYSVOL" data: "RequireMutualAuthentication=1, RequireIntegrity=1" type: string - when: rule_18_5_14_1 + when: + - rule_18_5_14_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.5.14.1 - patch @@ -722,9 +675,11 @@ name: DisabledComponents data: 255 type: dword - when: rule_18_5_19_2_1 + when: + - rule_18_5_19_2_1 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.5.19.2.1 - patch @@ -764,9 +719,11 @@ name: DisableWPDRegistrar data: 0 type: dword - when: rule_18_5_20_1 + when: + - rule_18_5_20_1 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.5.20.1 - patch @@ -776,9 +733,11 @@ name: DisableWcnUi data: 1 type: dword - when: rule_18_5_20_2 + when: + - rule_18_5_20_2 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.5.20.2 - patch 
@@ -788,10 +747,11 @@ name: fMinimizeConnections data: 1 type: dword - when: rule_18_5_21_1 + when: + - rule_18_5_21_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.5.21.1 - patch @@ -805,7 +765,7 @@ - rule_18_5_21_2 - not ansible_windows_domain_role == "Primary domain controller" tags: - - level2 + - level2-memberserver - rule_18.5.21.2 - patch @@ -815,9 +775,11 @@ name: NoCloudApplicationNotification data: 1 type: dword - when: rule_18_7_1_1 + when: + - rule_18_7_1_1 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.7.1.1 - patch @@ -827,10 +789,11 @@ name: ProcessCreationIncludeCmdLine_Enabled data: 0 type: dword - when: rule_18_8_3_1 + when: + - rule_18_8_3_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.8.3.1 - patch @@ -840,10 +803,11 @@ name: AllowEncryptionOracle data: 0 type: dword - when: rule_18_8_4_1 + when: + - rule_18_8_4_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.8.4.1 - patch @@ -853,10 +817,11 @@ name: AllowProtectedCreds data: 1 type: dword - when: rule_18_8_4_2 + when: + - rule_18_8_4_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.8.4.2 - patch @@ -866,8 +831,11 @@ name: EnableVirtualizationBasedSecurity data: 1 type: dword - when: rule_18_8_5_1 + when: + - rule_18_8_5_1 tags: + - ngws-domaincontroller + - ngws-memberserver - rule_18.8.5.1 - patch @@ -877,8 +845,11 @@ name: RequirePlatformSecurityFeatures data: 3 type: dword - when: rule_18_8_5_2 + when: + - rule_18_8_5_2 tags: + - ngws-domaincontroller + - ngws-memberserver - rule_18.8.5.2 - patch @@ -888,8 +859,11 @@ name: HypervisorEnforcedCodeIntegrity data: 1 type: dword - when: rule_18_8_5_3 + when: + - rule_18_8_5_3 tags: + - ngws-domaincontroller + - ngws-memberserver - rule_18.8.5.3 - patch 
@@ -899,8 +873,11 @@ name: HVCIMATRequired data: 1 type: dword - when: rule_18_8_5_4 + when: + - rule_18_8_5_4 tags: + - ngws-domaincontroller + - ngws-memberserver - rule_18.8.5.4 - patch @@ -914,6 +891,7 @@ - rule_18_8_5_5 - not ansible_windows_domain_role == "Primary domain controller" tags: + - ngws-memberserver - rule_18.8.5.5 - patch @@ -927,6 +905,7 @@ - rule_18_8_5_6 - ansible_windows_domain_role == "Primary domain controller" tags: + - ngws-domaincontroller - rule_18.8.5.6 - patch @@ -936,8 +915,11 @@ name: ConfigureSystemGuardLaunch data: 1 type: dword - when: rule_18_8_5_7 + when: + - rule_18_8_5_7 tags: + - ngws-domaincontroller + - ngws-memberserver - rule_18.8.5.7 - patch @@ -947,10 +929,11 @@ name: DriverLoadPolicy data: 3 type: dword - when: rule_18_8_14_1 + when: + - rule_18_8_14_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.8.14.1 - patch @@ -960,10 +943,11 @@ name: NoBackgroundPolicy data: 0 type: dword - when: rule_18_8_21_2 + when: + - rule_18_8_21_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.8.21.2 - patch @@ -973,10 +957,11 @@ name: NoGPOListChanges data: 0 type: dword - when: rule_18_8_21_3 + when: + - rule_18_8_21_3 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.8.21.3 - patch @@ -986,10 +971,11 @@ name: EnableCdp data: 0 type: dword - when: rule_18_8_21_4 + when: + - rule_18_8_21_4 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.8.21.4 - patch @@ -998,10 +984,11 @@ path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\DisableBkGndGroupPolicy state: absent delete_key: yes - when: rule_18_8_21_5 + when: + - rule_18_8_21_5 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.8.21.5 - patch 
@@ -1011,10 +998,11 @@ name: DisableWebPnPDownload data: 1 type: dword - when: rule_18_8_22_1_1 + when: + - rule_18_8_22_1_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.8.22.1.1 - patch @@ -1024,9 +1012,11 @@ name: PreventHandwritingDataSharing data: 1 type: dword - when: rule_18_8_22_1_2 + when: + - rule_18_8_22_1_2 tags: - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.8.22.1.2 - patch @@ -1036,9 +1026,11 @@ name: PreventHandwritingErrorReports data: 1 type: dword - when: rule_18_8_22_1_3 + when: + - rule_18_8_22_1_3 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.8.22.1.3 - patch @@ -1048,9 +1040,11 @@ name: ExitOnMSICW data: 1 type: dword - when: rule_18_8_22_1_4 + when: + - rule_18_8_22_1_4 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.8.22.1.4 - patch @@ -1060,10 +1054,11 @@ name: NoWebServices data: 1 type: dword - when: rule_18_8_22_1_5 + when: + - rule_18_8_22_1_5 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.8.22.1.5 - patch @@ -1073,10 +1068,11 @@ name: DisableHTTPPrinting data: 1 type: dword - when: rule_18_8_22_1_6 + when: + - rule_18_8_22_1_6 tags: - - level1 - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.8.22.1.6 - patch @@ -1086,9 +1082,11 @@ name: NoRegistration data: 1 type: dword - when: rule_18_8_22_1_7 + when: + - rule_18_8_22_1_7 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.8.22.1.7 - patch @@ -1098,9 +1096,11 @@ name: DisableContentFileUpdates data: 1 type: dword - when: rule_18_8_22_1_8 + when: + - rule_18_8_22_1_8 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.8.22.1.8 - patch 
@@ -1110,9 +1110,11 @@ name: NoOnlinePrintsWizard data: 1 type: dword - when: rule_18_8_22_1_9 + when: + - rule_18_8_22_1_9 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.8.22.1.9 - patch @@ -1122,9 +1124,11 @@ name: NoPublishingWizard data: 1 type: dword - when: rule_18_8_22_1_10 + when: + - rule_18_8_22_1_10 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.8.22.1.10 - patch @@ -1134,9 +1138,11 @@ name: CEIP data: 2 type: dword - when: rule_18_8_22_1_11 + when: + - rule_18_8_22_1_11 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.8.22.1.11 - patch @@ -1146,9 +1152,11 @@ name: CEIPEnable data: 0 type: dword - when: rule_18_8_22_1_12 + when: + - rule_18_8_22_1_12 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.8.22.1.12 - patch @@ -1166,9 +1174,11 @@ name: DoReport data: 0 type: dword - when: rule_18_8_22_1_13 + when: + - rule_18_8_22_1_13 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.8.22.1.13 - patch @@ -1186,9 +1196,11 @@ name: DevicePKInitEnabled data: 1 type: dword - when: rule_18_8_25_1 + when: + - rule_18_8_25_1 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.8.25.1 - patch @@ -1198,10 +1210,11 @@ name: DeviceEnumerationPolicy data: 0 type: dword - when: rule_18_8_26_1 + when: + - rule_18_8_26_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.8.26.1 - patch @@ -1211,9 +1224,11 @@ name: BlockUserInputMethodsForSignIn data: 1 type: dword - when: rule_18_8_27_1 + when: + - rule_18_8_27_1 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.8.27.1 - patch @@ -1223,10 +1238,11 @@ name: BlockUserFromShowingAccountDetailsOnSignin data: 1 type: dword - when: rule_18_8_28_1 + when: + - rule_18_8_28_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.8.28.1 - patch 
@@ -1236,10 +1252,11 @@ name: DontDisplayNetworkSelectionUI data: 1 type: dword - when: rule_18_8_28_2 + when: + - rule_18_8_28_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.8.28.2 - patch @@ -1249,10 +1266,11 @@ name: DontEnumerateConnectedUsers data: 1 type: dword - when: rule_18_8_28_3 + when: + - rule_18_8_28_3 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.8.28.3 - patch @@ -1262,10 +1280,10 @@ name: EnumerateLocalUsers data: 0 type: dword - when: rule_18_8_28_4 + when: + - rule_18_8_28_4 tags: - - level1 - - level2 + - level1-memberserver - rule_18.8.28.4 - patch @@ -1275,10 +1293,11 @@ name: DisableLockScreenAppNotifications data: 1 type: dword - when: rule_18_8_28_5 + when: + - rule_18_8_28_5 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.8.28.5 - patch @@ -1288,10 +1307,11 @@ name: BlockDomainPicturePassword data: 1 type: dword - when: rule_18_8_28_6 + when: + - rule_18_8_28_6 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.8.28.6 - patch @@ -1301,10 +1321,11 @@ name: AllowDomainPINLogon data: 0 type: dword - when: rule_18_8_28_7 + when: + - rule_18_8_28_7 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.8.28.7 - patch @@ -1314,9 +1335,11 @@ name: AllowCrossDeviceClipboard data: 0 type: dword - when: rule_18_8_31_1 + when: + - rule_18_8_31_1 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.8.31.1 - patch @@ -1326,9 +1349,11 @@ name: UploadUserActivities data: 0 type: dword - when: rule_18_8_31_2 + when: + - rule_18_8_31_2 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.8.31.2 - patch 
@@ -1338,9 +1363,11 @@ name: DCSettingIndex data: 0 type: dword - when: rule_18_8_34_6_1 + when: + - rule_18_8_34_6_1 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.8.34.6.1 - patch @@ -1350,9 +1377,11 @@ name: ACSettingIndex data: 0 type: dword - when: rule_18_8_34_6_2 + when: + - rule_18_8_34_6_2 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.8.34.6.2 - patch @@ -1362,10 +1391,11 @@ name: DCSettingIndex data: 1 type: dword - when: rule_18_8_34_6_3 + when: + - rule_18_8_34_6_3 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.8.34.6.3 - patch @@ -1375,10 +1405,11 @@ name: ACSettingIndex data: 1 type: dword - when: rule_18_8_34_6_4 + when: + - rule_18_8_34_6_4 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.8.34.6.4 - patch @@ -1388,10 +1419,11 @@ name: fAllowUnsolicited data: 0 type: dword - when: rule_18_8_36_1 + when: + - rule_18_8_36_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.8.36.1 - patch @@ -1401,10 +1433,11 @@ name: fAllowToGetHelp data: 0 type: dword - when: rule_18_8_36_2 + when: + - rule_18_8_36_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.8.36.2 - patch @@ -1418,8 +1451,7 @@ - rule_18_8_37_1 - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 + - level1-memberserver - rule_18.8.37.1 - patch 
@@ -1433,70 +1465,78 @@ - rule_18_8_37_2 - not ansible_windows_domain_role == "Primary domain controller" tags: - - level2 + - level2-memberserver - rule_18.8.37.2 - patch -- name: "SCORED | 18.8.45.5.1 | PATCH | L2 Ensure Microsoft Support Diagnostic Tool Turn on MSDT interactive communication with support provider is set to Disabled" +- name: "SCORED | 18.8.47.5.1 | PATCH | L2 Ensure Microsoft Support Diagnostic Tool Turn on MSDT interactive communication with support provider is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Scripteddiagnosticsprovider\Policy name: DisableQueryRemoteServer data: 0 type: dword - when: rule_18_8_45_5_1 + when: + - rule_18_8_47_5_1 tags: - - level2 - - rule_18.8.45.5.1 + - level2-domaincontroller + - level2-memberserver + - rule_18.8.47.5.1 - patch -- name: "SCORED | 18.8.45.11.1 | PATCH | L2 Ensure EnableDisable PerfTrack is set to Disabled" +- name: "SCORED | 18.8.47.11.1 | PATCH | L2 Ensure EnableDisable PerfTrack is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Wdi\{9C5A40Da-B965-4Fc3-8781-88Dd50A6299D} name: ScenarioExecutionEnabled data: 0 type: dword - when: rule_18_8_45_11_1 + when: + - rule_18_8_47_11_1 tags: - - level2 - - rule_18.8.45.11.1 + - level2-domaincontroller + - level2-memberserver + - rule_18.8.47.11.1 - patch -- name: "SCORED | 18.8.47.1 | PATCH | L2 Ensure Turn off the advertising ID is set to Enabled" +- name: "SCORED | 18.8.49.1 | PATCH | L2 Ensure Turn off the advertising ID is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Advertisinginfo name: DisabledByGroupPolicy data: 1 type: dword - when: rule_18_8_47_1 + when: + - rule_18_8_49_1 tags: - - level2 - - rule_18.8.47.1 + - level2-domaincontroller + - level2-memberserver + - rule_18.8.49.1 - patch -- name: "SCORED | 18.8.50.1.1 | PATCH | L2 Ensure Enable Windows NTP Client is set to Enabled" +- name: "SCORED | 18.8.52.1.1 | PATCH | L2 Ensure Enable Windows NTP 
Client is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\W32Time\Timeproviders\Ntpclient name: Enabled data: 1 type: dword - when: rule_18_8_50_1_1 + when: + - rule_18_8_52_1_1 tags: - - level2 - - rule_18.8.50.1.1 + - level2-domaincontroller + - level2-memberserver + - rule_18.8.52.1.1 - patch -- name: "SCORED | 18.8.50.1.2 | PATCH | L2 Ensure Enable Windows NTP Server is set to Disabled MS only" +- name: "SCORED | 18.8.52.1.2 | PATCH | L2 Ensure Enable Windows NTP Server is set to Disabled MS only" win_regedit: path: HKLM:\Software\Policies\Microsoft\W32Time\Timeproviders\Ntpserver name: Enabled data: 1 type: dword when: - - rule_18_8_50_1_2 + - rule_18_8_52_1_2 - not ansible_windows_domain_role == "Primary domain controller" tags: - - level2 - - rule_18.8.50.1.2 + - level2-memberserver + - rule_18.8.52.1.2 - patch - name: "SCORED | 18.9.4.1 | PATCH | L2 Ensure Allow a Windows app to share application data between users is set to Disabled" @@ -1505,9 +1545,11 @@ name: AllowSharedLocalAppData data: 0 type: dword - when: rule_18_9_4_1 + when: + - rule_18_9_4_1 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.9.4.1 - patch @@ -1517,10 +1559,11 @@ name: MSAOptional data: 1 type: dword - when: rule_18_9_6_1 + when: + - rule_18_9_6_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.6.1 - patch @@ -1530,10 +1573,11 @@ name: NoAutoplayfornonVolume data: 1 type: dword - when: rule_18_9_8_1 + when: + - rule_18_9_8_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.8.1 - patch @@ -1543,10 +1587,11 @@ name: NoAutorun data: 1 type: dword - when: rule_18_9_8_2 + when: + - rule_18_9_8_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.8.2 - patch 
@@ -1556,10 +1601,11 @@ name: NoDriveTypeAutoRun data: 255 type: dword - when: rule_18_9_8_3 + when: + - rule_18_9_8_3 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.8.3 - patch @@ -1569,10 +1615,11 @@ name: EnhancedAntiSpoofing data: 1 type: dword - when: rule_18_9_10_1_1 + when: + - rule_18_9_10_1_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.10.1.1 - patch @@ -1582,9 +1629,11 @@ name: AllowCamera data: 1 type: dword - when: rule_18_9_12_1 + when: + - rule_18_9_12_1 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.9.12.1 - patch @@ -1594,10 +1643,11 @@ name: DisableWindowsConsumerFeatures data: 1 type: dword - when: rule_18_9_13_1 + when: + - rule_18_9_13_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.13.1 - patch @@ -1607,10 +1657,11 @@ name: RequirePinForPairing data: 1 type: dword - when: rule_18_9_14_1 + when: + - rule_18_9_14_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.14.1 - patch @@ -1620,10 +1671,11 @@ name: DisablePasswordReveal data: 1 type: dword - when: rule_18_9_15_1 + when: + - rule_18_9_15_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.15.1 - patch @@ -1633,10 +1685,11 @@ name: EnumerateAdministrators data: 0 type: dword - when: rule_18_9_15_2 + when: + - rule_18_9_15_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.15.2 - patch @@ -1646,10 +1699,11 @@ name: AllowTelemetry data: 0 type: dword - when: rule_18_9_16_1 + when: + - rule_18_9_16_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.16.1 - patch 
@@ -1659,9 +1713,11 @@ name: DisableEnterpriseAuthProxy data: 0 type: dword - when: rule_18_9_16_2 + when: + - rule_18_9_16_2 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.9.16.2 - patch @@ -1671,10 +1727,11 @@ name: DoNotShowFeedbackNotifications data: 1 type: dword - when: rule_18_9_16_3 + when: + - rule_18_9_16_3 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.16.3 - patch @@ -1684,10 +1741,11 @@ name: AllowBuildPreview data: 0 type: dword - when: rule_18_9_16_4 + when: + - rule_18_9_16_4 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.16.4 - patch @@ -1697,10 +1755,11 @@ name: Retention data: 0 type: dword - when: rule_18_9_26_1_1 + when: + - rule_18_9_26_1_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.26.1.1 - patch @@ -1710,10 +1769,11 @@ name: MaxSize data: 65538 type: dword - when: rule_18_9_26_1_2 + when: + - rule_18_9_26_1_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.26.1.2 - patch @@ -1723,10 +1783,11 @@ name: Retention data: 0 type: string - when: rule_18_9_26_2_1 + when: + - rule_18_9_26_2_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.26.2.1 - patch @@ -1736,10 +1797,11 @@ name: MaxSize data: 196608 type: dword - when: rule_18_9_26_2_2 + when: + - rule_18_9_26_2_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.26.2.2 - patch @@ -1749,10 +1811,11 @@ name: Retention data: 0 type: string - when: rule_18_9_26_3_1 + when: + - rule_18_9_26_3_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.26.3.1 - patch 
@@ -1762,10 +1825,11 @@ name: MaxSize data: 32768 type: dword - when: rule_18_9_26_3_2 + when: + - rule_18_9_26_3_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.26.3.2 - patch @@ -1775,10 +1839,11 @@ name: Retention data: 0 type: string - when: rule_18_9_26_4_1 + when: + - rule_18_9_26_4_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.26.4.1 - patch @@ -1788,10 +1853,11 @@ name: MaxSize data: 65538 type: dword - when: rule_18_9_26_4_2 + when: + - rule_18_9_26_4_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.26.4.2 - patch @@ -1801,10 +1867,11 @@ name: NoDataExecutionPrevention data: 0 type: dword - when: rule_18_9_30_2 + when: + - rule_18_9_30_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.30.2 - patch @@ -1814,10 +1881,11 @@ name: NoHeapTerminationOnCorruption data: 0 type: dword - when: rule_18_9_30_3 + when: + - rule_18_9_30_3 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.30.3 - patch @@ -1827,10 +1895,11 @@ name: PreXPSP2ShellProtocolBehavior data: 0 type: dword - when: rule_18_9_30_4 + when: + - rule_18_9_30_4 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.30.4 - patch @@ -1840,9 +1909,11 @@ name: DisableLocation data: 1 type: dword - when: rule_18_9_39_2 + when: + - rule_18_9_39_2 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.9.39.2 - patch @@ -1852,9 +1923,11 @@ name: AllowMessageSync data: 0 type: dword - when: rule_18_9_43_1 + when: + - rule_18_9_43_1 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.9.43.1 - patch 
@@ -1864,10 +1937,11 @@ name: DisableUserAuth data: 1 type: dword - when: rule_18_9_44_1 + when: + - rule_18_9_44_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.44.1 - patch @@ -1877,10 +1951,11 @@ name: DisableFileSyncNGSC data: 1 type: dword - when: rule_18_9_52_1 + when: + - rule_18_9_52_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.52.1 - patch @@ -1890,10 +1965,11 @@ name: DisablePasswordSaving data: 1 type: dword - when: rule_18_9_59_2_2 + when: + - rule_18_9_59_2_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.59.2.2 - patch @@ -1903,9 +1979,11 @@ name: fSingleSessionPerUser data: 1 type: dword - when: rule_18_9_59_3_2_1 + when: + - rule_18_9_59_3_2_1 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.9.59.3.2.1 - patch @@ -1915,9 +1993,11 @@ name: fDisableCcm data: 1 type: dword - when: rule_18_9_59_3_3_1 + when: + - rule_18_9_59_3_3_1 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.9.59.3.3.1 - patch @@ -1927,10 +2007,11 @@ name: fDisableCdm data: 1 type: dword - when: rule_18_9_59_3_3_2 + when: + - rule_18_9_59_3_3_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.59.3.3.2 - patch @@ -1940,9 +2021,11 @@ name: fDisableLPT data: 1 type: dword - when: rule_18_9_59_3_3_3 + when: + - rule_18_9_59_3_3_3 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.9.59.3.3.3 - patch @@ -1952,9 +2035,11 @@ name: fDisablePNPRedir data: 1 type: dword - when: rule_18_9_59_3_3_4 + when: + - rule_18_9_59_3_3_4 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.9.59.3.3.4 - patch 
@@ -1964,10 +2049,11 @@ name: fPromptForPassword data: 1 type: dword - when: rule_18_9_59_3_9_1 + when: + - rule_18_9_59_3_9_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.59.3.9.1 - patch @@ -1977,10 +2063,11 @@ name: fEncryptRPCTraffic data: 1 type: dword - when: rule_18_9_59_3_9_2 + when: + - rule_18_9_59_3_9_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.59.3.9.2 - patch @@ -1990,10 +2077,11 @@ name: SecurityLayer data: 2 type: dword - when: rule_18_9_59_3_9_3 + when: + - rule_18_9_59_3_9_3 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.59.3.9.3 - patch @@ -2003,10 +2091,11 @@ name: UserAuthentication data: 1 type: dword - when: rule_18_9_59_3_9_4 + when: + - rule_18_9_59_3_9_4 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.59.3.9.4 - patch @@ -2016,10 +2105,11 @@ name: MinEncryptionLevel data: 3 type: dword - when: rule_18_9_59_3_9_5 + when: + - rule_18_9_59_3_9_5 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.59.3.9.5 - patch @@ -2029,9 +2119,11 @@ name: MaxIdleTime data: 3600000 type: dword - when: rule_18_9_59_3_10_1 + when: + - rule_18_9_59_3_10_1 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.9.59.3.10.1 - patch @@ -2041,9 +2133,11 @@ name: MaxDisconnectionTime data: 28800000 type: dword - when: rule_18_9_59_3_10_2 + when: + - rule_18_9_59_3_10_2 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.9.59.3.10.2 - patch @@ -2053,10 +2147,11 @@ name: DeleteTempDirsOnExit data: 1 type: dword - when: rule_18_9_59_3_11_1 + when: + - rule_18_9_59_3_11_1 tags: - - level1 - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.9.59.3.11.1 - patch 
@@ -2066,10 +2161,11 @@ name: PerSessionTempDir data: 1 type: dword - when: rule_18_9_59_3_11_2 + when: + - rule_18_9_59_3_11_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.59.3.11.2 - patch @@ -2079,10 +2175,11 @@ name: DisableEnclosureDownload data: 1 type: dword - when: rule_18_9_60_1 + when: + - rule_18_9_60_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.60.1 - patch @@ -2092,9 +2189,11 @@ name: AllowCloudSearch data: 0 type: dword - when: rule_18_9_61_2 + when: + - rule_18_9_61_2 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.9.61.2 - patch @@ -2104,10 +2203,11 @@ name: AllowIndexingEncryptedStoresOrItems data: 0 type: dword - when: rule_18_9_61_3 + when: + - rule_18_9_61_3 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.61.3 - patch @@ -2117,9 +2217,11 @@ name: NoGenTicket data: 1 type: dword - when: rule_18_9_66_1 + when: + - rule_18_9_66_1 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.9.66.1 - patch @@ -2129,10 +2231,11 @@ name: LocalSettingOverrideSpynetReporting data: 0 type: dword - when: rule_18_9_77_3_1 + when: + - rule_18_9_77_3_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.77.3.1 - patch @@ -2142,9 +2245,11 @@ name: SpynetReporting data: 0 type: dword - when: rule_18_9_77_3_2 + when: + - rule_18_9_77_3_2 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.9.77.3.2 - patch @@ -2154,10 +2259,11 @@ name: DisableBehaviorMonitoring data: 0 type: dword - when: rule_18_9_77_7_1 + when: + - rule_18_9_77_7_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.77.7.1 - patch 
@@ -2167,9 +2273,11 @@ name: DisableGenericRePorts data: 1 type: dword - when: rule_18_9_77_9_1 + when: + - rule_18_9_77_9_1 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.9.77.9.1 - patch @@ -2179,10 +2287,11 @@ name: DisableRemovableDriveScanning data: 0 type: dword - when: rule_18_9_77_10_1 + when: + - rule_18_9_77_10_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.77.10.1 - patch @@ -2192,10 +2301,11 @@ name: DisableEmailScanning data: 0 type: dword - when: rule_18_9_77_10_2 + when: + - rule_18_9_77_10_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.77.10.2 - patch @@ -2205,10 +2315,11 @@ name: ExploitGuard_ASR_Rules data: 1 type: dword - when: rule_18_9_77_13_1_1 + when: + - rule_18_9_77_13_1_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.77.13.1.1 - patch @@ -2230,10 +2341,11 @@ - be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 - d3e037e1-3eb8-44c8-a917-57927947596d - d4f940ab-401b-4efc-aadc-ad5f3c50688a - when: rule_18_9_77_13_1_2 + when: + - rule_18_9_77_13_1_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.77.13.1.2 - patch @@ -2243,10 +2355,11 @@ name: ExploitGuard_ASR_Rules data: 1 type: dword - when: rule_18_9_77_13_3_1 + when: + - rule_18_9_77_13_3_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.77.13.3.1 - patch @@ -2256,10 +2369,11 @@ name: PUAProtection data: 1 type: dword - when: rule_18_9_77_14 + when: + - rule_18_9_77_14 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.77.14 - patch @@ -2269,10 +2383,11 @@ name: DisableAntiSpyware data: 0 type: dword - when: rule_18_9_77_15 + when: + - rule_18_9_77_15 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.77.15 - patch 
@@ -2284,16 +2399,18 @@ name: EnableSmartScreen data: 1 type: dword + - name: "SCORED | 18.9.80.1.1 | PATCH | L1 Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass | ShellSmartScreenLevel" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\System name: ShellSmartScreenLevel data: Block type: string - when: rule_18_9_80_1_1 + when: + - rule_18_9_80_1_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.80.1.1 - patch @@ -2303,9 +2420,11 @@ name: AllowSuggestedAppsInWindowsInkWorkspace data: 0 type: dword - when: rule_18_9_84_1 + when: + - rule_18_9_84_1 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.9.84.1 - patch @@ -2315,10 +2434,11 @@ name: AllowWindowsInkWorkspace data: 1 type: dword - when: rule_18_9_84_2 + when: + - rule_18_9_84_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.84.2 - patch @@ -2328,10 +2448,11 @@ name: EnableUserControl data: 0 type: dword - when: rule_18_9_85_1 + when: + - rule_18_9_85_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.85.1 - patch @@ -2341,10 +2462,11 @@ name: AlwaysInstallElevated data: 0 type: dword - when: rule_18_9_85_2 + when: + - rule_18_9_85_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.85.2 - patch @@ -2354,9 +2476,11 @@ name: SafeForScripting data: 0 type: dword - when: rule_18_9_85_3 + when: + - rule_18_9_85_3 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.9.85.3 - patch @@ -2366,10 +2490,11 @@ name: DisableAutomaticRestartSignOn data: 1 type: dword - when: rule_18_9_86_1 + when: + - rule_18_9_86_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.86.1 - patch 
@@ -2379,10 +2504,11 @@ name: EnableScriptBlockLogging data: 1 type: dword - when: rule_18_9_95_1 + when: + - rule_18_9_95_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.95.1 - patch @@ -2392,10 +2518,11 @@ name: EnableTranscripting data: 1 type: dword - when: rule_18_9_95_2 + when: + - rule_18_9_95_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.95.2 - patch @@ -2409,8 +2536,8 @@ - rule_18_9_97_1_1 - not win_skip_for_test tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.97.1.1 - patch @@ -2424,8 +2551,8 @@ - rule_18_9_97_1_2 - not win_skip_for_test tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.97.1.2 - patch @@ -2437,8 +2564,8 @@ type: dword when: rule_18_9_97_1_3 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.97.1.3 - patch @@ -2452,8 +2579,8 @@ - rule_18_9_97_2_1 - not win_skip_for_test tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.97.2.1 - patch @@ -2468,7 +2595,8 @@ - rule_18_9_97_2_2 - not win_skip_for_test tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.9.97.2.2 - patch @@ -2482,8 +2610,8 @@ - rule_18_9_97_2_3 - not win_skip_for_test tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.97.2.3 - patch @@ -2493,10 +2621,11 @@ name: DisableRunAs data: 1 type: dword - when: rule_18_9_97_2_4 + when: + - rule_18_9_97_2_4 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.97.2.4 - patch @@ -2511,7 +2640,8 @@ - rule_18_9_98_1 - not win_skip_for_test tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.9.98.1 - patch 
@@ -2521,10 +2651,11 @@ name: DisallowExploitProtectionOverride data: 1 type: dword - when: rule_18_9_99_2_1 + when: + - rule_18_9_99_2_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.99.2.1 - patch @@ -2536,16 +2667,18 @@ name: ManagePreviewBuilds data: 1 type: dword + - name: "SCORED | 18.9.102.1.1 | PATCH | L1 Ensure Manage preview builds is set to Enabled Disable preview builds | ManagePreviewBuilds" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate name: ManagePreviewBuildsPolicyValue data: 0 type: dword - when: rule_18_9_102_1_1 + when: + - rule_18_9_102_1_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.102.1.1 - patch @@ -2557,22 +2690,25 @@ name: DeferFeatureUpdates data: 1 type: dword + - name: "SCORED | 18.9.102.1.2 | PATCH | L1 Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days | DeferFeatureUpdatesPeriodInDays" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate name: DeferFeatureUpdatesPeriodInDays data: 180 type: dword + - name: "SCORED | 18.9.102.1.2 | PATCH | L1 Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days | BranchReadinessLevel" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate name: BranchReadinessLevel data: 16 type: dword - when: rule_18_9_102_1_2 + when: + - rule_18_9_102_1_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.102.1.2 - patch 
@@ -2584,16 +2720,18 @@ name: DeferQualityUpdates data: 1 type: dword + - name: "SCORED | 18.9.102.1.3 | PATCH | L1 Ensure Select when Quality Updates are received is set to Enabled 0 days | DeferQualityUpdatesPeriodInDays" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate name: DeferQualityUpdatesPeriodInDays data: 0 type: dword - when: rule_18_9_102_1_3 + when: + - rule_18_9_102_1_3 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.102.1.3 - patch @@ -2603,10 +2741,11 @@ name: NoAutoUpdate data: 0 type: dword - when: rule_18_9_102_2 + when: + - rule_18_9_102_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.102.2 - patch @@ -2616,10 +2755,11 @@ name: ScheduledInstallDay data: 0 type: dword - when: rule_18_9_102_3 + when: + - rule_18_9_102_3 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.102.3 - patch @@ -2629,10 +2769,11 @@ name: NoAutoRebootWithLoggedOnUsers data: 0 type: dword - when: rule_18_9_102_4 + when: + - rule_18_9_102_4 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.102.4 - patch diff --git a/tasks/section19.yml b/tasks/section19.yml index ca42ed1..e564c5d 100644 --- a/tasks/section19.yml +++ b/tasks/section19.yml @@ -7,16 +7,18 @@ name: ScreenSaveActive data: 1 type: string + - name: "SCORED | 19.1.3.1 | PATCH | L1 Ensure Enable screen saver is set to Enabled" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop name: ScreenSaveActive data: 1 type: string - when: rule_19_1_3_1 + when: + - rule_19_1_3_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_19.1.3.1 - patch 
@@ -28,16 +30,18 @@ name: SCRNSAVE.EXE data: scrnsave.scr type: string + - name: "SCORED | 19.1.3.2 | PATCH | L1 Ensure Force specific screen saver Screen saver executable name is set to Enabled scrnsave.scr" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop name: SCRNSAVE.EXE data: scrnsave.scr type: string - when: rule_19_1_3_2 + when: + - rule_19_1_3_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_19.1.3.2 - patch @@ -49,16 +53,18 @@ name: ScreenSaverIsSecure data: 1 type: string + - name: "SCORED | 19.1.3.3 | PATCH | L1 Ensure Password protect the screen saver is set to Enabled" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop name: ScreenSaverIsSecure data: 1 type: string - when: rule_19_1_3_3 + when: + - rule_19_1_3_3 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_19.1.3.3 - patch @@ -70,16 +76,18 @@ name: ScreenSaveTimeOut data: 900 type: string + - name: "SCORED | 19.1.3.4 | PATCH | L1 Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop name: ScreenSaveTimeOut data: 900 type: string - when: rule_19_1_3_4 + when: + - rule_19_1_3_4 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_19.1.3.4 - patch @@ -91,16 +99,18 @@ name: NoToastApplicationNotificationOnLockScreen data: 1 type: dword + - name: "SCORED | 19.5.1.1 | PATCH | L1 Ensure Turn off toast notifications on the lock screen is set to Enabled" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\Currentversion\Pushnotifications name: NoToastApplicationNotificationOnLockScreen data: 1 type: dword - when: rule_19_5_1_1 + when: + - rule_19_5_1_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_19.5.1.1 - patch 
@@ -112,15 +122,18 @@ name: NoImplicitFeedback data: 1 type: dword + - name: "SCORED | 19.6.6.1.1 | PATCH | L2 Ensure Turn off Help Experience Improvement Program is set to Enabled" win_regedit: path: HKCU:\Software\Policies\Microsoft\Assistance\Client\1.0 name: NoImplicitFeedback data: 1 type: dword - when: rule_19_6_6_1_1 + when: + - rule_19_6_6_1_1 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_19.6.6.1.1 - patch @@ -132,16 +145,18 @@ name: SaveZoneInformation data: 3 type: dword + - name: "SCORED | 19.7.4.1 | PATCH | L1 Ensure Do not preserve zone information in file attachments is set to Disabled" win_regedit: path: HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments name: SaveZoneInformation data: 3 type: dword - when: rule_19_7_4_1 + when: + - rule_19_7_4_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_19.7.4.1 - patch @@ -153,16 +168,18 @@ name: ScanWithAntiVirus data: 3 type: dword + - name: "SCORED | 19.7.4.2 | PATCH | L1 Ensure Notify antivirus programs when opening attachments is set to Enabled" win_regedit: path: HKCU:\Software\Microsoft\Windows\Currentversion\Policies\Attachments name: ScanWithAntiVirus data: 3 type: dword - when: rule_19_7_4_2 + when: + - rule_19_7_4_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_19.7.4.2 - patch @@ -174,16 +191,18 @@ name: ConfigureWindowsSpotlight data: 2 type: dword + - name: "SCORED | 19.7.7.1 | PATCH | L1 Ensure Configure Windows spotlight on lock screen is set to Disabled" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent name: ConfigureWindowsSpotlight data: 2 type: dword - when: rule_19_7_7_1 + when: + - rule_19_7_7_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_19.7.7.1 - patch 
@@ -195,16 +214,18 @@ name: DisableThirdPartySuggestions data: 1 type: dword + - name: "SCORED | 19.7.7.2 | PATCH | L1 Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent name: DisableThirdPartySuggestions data: 1 type: dword - when: rule_19_7_7_2 + when: + - rule_19_7_7_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_19.7.7.2 - patch @@ -216,15 +237,18 @@ name: DisableTailoredExperiencesWithDiagnosticData data: 1 type: dword + - name: "SCORED | 19.7.7.3 | PATCH | L2 Ensure Do not use diagnostic data for tailored experiences is set to Enabled" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent name: DisableTailoredExperiencesWithDiagnosticData data: 1 type: dword - when: rule_19_7_7_3 + when: + - rule_19_7_7_3 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_19.7.7.3 - patch @@ -236,15 +260,18 @@ name: DisableWindowsSpotlightFeatures data: 1 type: dword + - name: "SCORED | 19.7.7.4 | PATCH | L2 Ensure Turn off all Windows spotlight features is set to Enabled" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent name: DisableWindowsSpotlightFeatures data: 1 type: dword - when: rule_19_7_7_4 + when: + - rule_19_7_7_4 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_19.7.7.4 - patch @@ -256,16 +283,18 @@ name: NoInplaceSharing data: 1 type: dword + - name: "SCORED | 19.7.26.1 | PATCH | L1 Ensure Prevent users from sharing files within their profile. is set to Enabled" win_regedit: path: HKCU:\Software\Microsoft\Windows\Currentversion\Policies\Explorer name: NoInplaceSharing data: 1 type: dword - when: rule_19_7_26_1 + when: + - rule_19_7_26_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_19.7.26.1 - patch 
@@ -277,16 +306,18 @@ name: AlwaysInstallElevated data: 0 type: dword + - name: "SCORED | 19.7.41.1 | PATCH | L1 Ensure Always install with elevated privileges is set to Disabled" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\Installer name: AlwaysInstallElevated data: 0 type: dword - when: rule_19_7_41_1 + when: + - rule_19_7_41_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_19.7.41.1 - patch @@ -298,15 +329,17 @@ name: PreventCodecDownload data: 1 type: dword + - name: "SCORED | 19.7.45.2.1 | PATCH | L2 Ensure Prevent Codec Download is set to Enabled" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windowsmediaplayer name: PreventCodecDownload data: 1 type: dword - when: rule_19_7_45_2_1 + when: + - rule_19_7_45_2_1 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_19.7.45.2.1 - patch -
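Review bot: In the 18.8.52.1.2 hunk the task is named "Ensure Enable Windows NTP Server is set to Disabled MS only" but the unchanged body writes `data: 1` to `HKLM:\Software\Policies\Microsoft\W32Time\Timeproviders\Ntpserver\Enabled`, which turns the NTP server on rather than off. The renumbering and tag changes are fine, but the value contradicts the rule name; it should be `data: 0` for the task to do what its title and the benchmark section it references say.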
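Review bot: In the 18.9.59.3.11.1 hunk (`DeleteTempDirsOnExit`) the `level1`/`level2` pair is replaced with `level2-domaincontroller`/`level2-memberserver`, whereas every other hunk in this file that starts from a `level1`/`level2` pair maps it to `level1-domaincontroller`/`level1-memberserver` (the neighbouring 18.9.59.3.11.2 included). If the level change is intentional it deserves a line in the commit message; otherwise it looks like a copy error from the adjacent level2-only tasks.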
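Review bot: In the 18.9.97.1.3 hunk the condition is left as the scalar form `when: rule_18_9_97_1_3` while the rest of the patch converts every scalar `when:` into the list form (`when:` followed by `- rule_...`). Converting this one too keeps the file uniform and makes it trivial to append a second condition later, as the 18.9.97.x tasks around it already do with `- not win_skip_for_test`.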
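Review bot: In the 18.9.80.1.1 hunk a new task (`ShellSmartScreenLevel`) is inserted directly after the `type: dword` line of the preceding task, and only the new task receives the `when:` and `tags:` block. The visible context shows no `when:` or `tags:` remaining on the first task (`EnableSmartScreen`), so unless those keys sit above the hunk it now runs unconditionally and cannot be selected or skipped by tag. Please verify that the first task still carries `when: - rule_18_9_80_1_1` and the same tags, and add them if not. The same check applies to every hunk with the same shape: 18.9.102.1.1, 18.9.102.1.2 (which now splits into three tasks), 18.9.102.1.3, and all of the section19.yml hunks.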
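Review bot: The section19.yml hunks (starting with 19.1.3.1) all target `HKCU:` paths with `win_regedit`. HKCU is the hive of the account Ansible connects as, so these user-scope settings only land in that one profile and not in the profiles of the users the screen-saver, lock-screen and attachment-handling rules are meant to protect. Either document this limitation next to the tasks or use the module's `hive` option to load the default profile's hive so that new profiles inherit the values; as written, an audit of any other user will still find these rules unset.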