From 86ab2574bfc8d698f343bf1b8b586492aa7e6e11 Mon Sep 17 00:00:00 2001
From: Mathieu Fortin
Date: Wed, 3 Apr 2024 12:23:03 -0400
Subject: [PATCH 1/4] Fix CIS control ids

Signed-off-by: Mathieu Fortin
---
 defaults/main.yml | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 9cb7048..854d394 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -363,7 +363,7 @@ win19cis_rule_18_9_27_7: true
 win19cis_rule_18_9_30_1: true
 win19cis_rule_18_9_30_2: true
 win19cis_rule_18_9_32_6_1: true
-win19cis_rule_18_3_32_6_2: true
+win19cis_rule_18_9_32_6_2: true
 win19cis_rule_18_9_32_6_3: true
 win19cis_rule_18_9_32_6_4: true
 win19cis_rule_18_9_34_1: true
@@ -386,7 +386,6 @@ win19cis_rule_18_10_10_1: true
 win19cis_rule_18_10_12_1: true
 win19cis_rule_18_10_12_2: true
 win19cis_rule_18_10_12_3: true
-win19cis_rule_18_9_14_3: true
 win19cis_rule_18_10_13_1: true
 win19cis_rule_18_10_14_1: true
 win19cis_rule_18_10_14_2: true
@@ -475,12 +474,12 @@ win19cis_rule_18_10_87_2: true
 # win19cis_rule_18_10_89_2_3
 win19cis_rule_18_10_89_1_1: true
 win19cis_rule_18_10_89_1_2: true
-win19cis_rule_18_10_89_2_1: true
-win19cis_rule_18_10_89_2_2: true
-win19cis_rule_18_10_89_2_3: true
 # This control will have to be set to Enabled (1) to allow for continued remote management via Ansible following
 # machine restart. The CIS standard calls for 0 but doing so will break all remote connections to the system.
 win19cis_rule_18_10_89_1_3: true
+win19cis_rule_18_10_89_2_1: true
+win19cis_rule_18_10_89_2_2: true
+win19cis_rule_18_10_89_2_3: true
 win19cis_rule_18_10_89_2_4: true
 win19cis_rule_18_10_90_1: true
 # WINRM CONTROLS END #
From 05618ea9ec96e80e77e83ad2f77a2ab7a29b508b Mon Sep 17 00:00:00 2001
From: Mathieu Fortin
Date: Wed, 3 Apr 2024 17:10:35 -0400
Subject: [PATCH 2/4] Fix control id

Signed-off-by: Mathieu Fortin
---
 tasks/section18.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

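Review bot: Renaming the default `win19cis_rule_18_3_32_6_2` to `win19cis_rule_18_9_32_6_2` in the first hunk silently drops any inventory or extra-vars override keyed on the old name, and the rule's consumer in tasks/section18.yml is only updated in PATCH 2, so the tree between the two commits references an undefined variable. Either squash the two commits or keep the old name for one release as a deprecated alias, e.g. `win19cis_rule_18_9_32_6_2: "{{ win19cis_rule_18_3_32_6_2 | default(true) }}"`. The second hunk deletes `win19cis_rule_18_9_14_3` with no matching task change anywhere in this series; confirm no task still gates on it, or that task's `when:` will fail on an undefined variable in the same way.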
diff --git a/tasks/section18.yml b/tasks/section18.yml
index e9369fc..76862be 100644
--- a/tasks/section18.yml
+++ b/tasks/section18.yml
@@ -1761,7 +1761,7 @@
 data: 0
 type: dword
 when:
- - win19cis_rule_18_3_32_6_2
+ - win19cis_rule_18_9_32_6_2
 tags:
 - level2-domaincontroller
 - level2-memberserver
From cf805c291abb49681f3c74fb4a083347cb718dcc Mon Sep 17 00:00:00 2001
From: Mathieu Fortin
Date: Thu, 4 Apr 2024 14:27:08 -0400
Subject: [PATCH 3/4] Adding fix for AWS EC2

Signed-off-by: Mathieu Fortin
---
 tasks/prelim.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index ce85f4e..43aad5a 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -30,6 +30,7 @@
 ansible.builtin.set_fact:
 win19cis_cloud_based_system: true
 when:
+ - ansible_system_vendor == 'Microsoft Corporation'
 - ansible_virtualization_type == 'Hyper-V' or
 ansible_virtualization_type == 'hvm' or
 ansible_virtualization_type == 'kvm'
From 5e515c23e3e6bc07f6a3afbf492199a24b8ae8dc Mon Sep 17 00:00:00 2001
From: Mathieu Fortin
Date: Mon, 15 Apr 2024 16:03:11 -0400
Subject: [PATCH 4/4] Various fix

Signed-off-by: Mathieu Fortin
---
 tasks/section18.yml | 49 ++++++++++++++++++++++++++++-----------------
 1 file changed, 31 insertions(+), 18 deletions(-)

diff --git a/tasks/section18.yml b/tasks/section18.yml
index fbd3e24..3eab693 100644
--- a/tasks/section18.yml
+++ b/tasks/section18.yml
@@ -559,7 +559,7 @@
 - patch
 - netbios
 
-- name: "18.6.4.2 | PATCH | Ensure Turn off multicast name resolution is set to Enabled MS Only | Member Server"
+- name: "18.6.4.2 | PATCH | Ensure Turn off multicast name resolution is set to Enabled"
 ansible.windows.win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient
 name: EnableMulticast
@@ -567,7 +567,6 @@
 type: dword
 when:
 - win19cis_rule_18_6_4_2
- - win2019cis_is_domain_member
 tags:
 - level1-domaincontroller
 - level1-memberserver
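Review bot: The added `ansible_system_vendor == 'Microsoft Corporation'` item in the tasks/prelim.yml hunk is AND-ed with the existing virtualization-type check (a `when:` list is a conjunction), so the fact is now set only for hosts whose vendor string is Microsoft's, and an EC2 instance reporting hvm or kvm no longer gets `win19cis_cloud_based_system: true`. If excluding EC2 is the intended fix, the fact name no longer matches what it detects, so a comment above the task should state that it now identifies Azure/Hyper-V hosts rather than any cloud platform. The exact-string comparison would also error rather than skip on a host where the fact is not gathered; `ansible_system_vendor | default('') == 'Microsoft Corporation'` keeps the task tolerant of that. The task's name line lies outside the hunk.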
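Review bot: Dropping `- win2019cis_is_domain_member` from the `when:` in the @@ -567 hunk widens 18.6.4.2 to domain controllers, and the removed line is the only variable in this series spelled with a `win2019cis_` prefix instead of `win19cis_`; if the guard was being removed because that name was never defined, the fix would be correcting the prefix rather than deleting the scope check. If instead the benchmark revision being tracked really dropped the "MS only" qualifier, record that in the commit message or a comment on the task, since the renamed title in the @@ -559 hunk is currently the only trace of the intent. The task begins and ends outside these two hunks.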
@@ -2771,7 +2770,7 @@
 ansible.windows.win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
 name: DisableRealtimeMonitoring
- data: 1
+ data: 0
 datatype: dword
 when:
 - win19cis_rule_18_10_43_10_2
@@ -3346,20 +3345,6 @@
 - patch
 - wik
 
-- name: "18.10.81.1 | PATCH | Ensure Allow user control over installs is set to Disabled"
- ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Installer
- name: EnableUserControl
- data: 0
- type: dword
- when:
- - win19cis_rule_18_10_81_1
- tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.10.81.1
- - patch
-
 - name: "18.10.80.2 | PATCH | Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'"
 block:
 - name: "18.10.80.2 | AUDIT | Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled' | Warning Check For Variable Standards."
@@ -3396,6 +3381,34 @@
 - automated
 - patch
 
+- name: "18.10.81.1 | PATCH | Ensure Allow user control over installs is set to Disabled"
+ ansible.windows.win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Installer
+ name: EnableUserControl
+ data: 0
+ type: dword
+ when:
+ - win19cis_rule_18_10_81_1
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.10.81.1
+ - patch
+
+- name: "18.10.81.2 | PATCH | Ensure 'Always install with elevated privileges' is set to 'Disabled'"
+ ansible.windows.win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Installer
+ name: AlwaysInstallElevated
+ data: 0
+ type: dword
+ when:
+ - win19cis_rule_18_10_81_2
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.10.81.2
+ - patch
+
 - name: "18.10.81.3 | PATCH | Ensure Prevent Internet Explorer security prompt for Windows Installer scripts is set to Disabled"
 ansible.windows.win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\Installer
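Review bot: The new `data: 0` in the @@ -2771 hunk reverses what this task writes to `DisableRealtimeMonitoring`, and the double negative (a value of 1 switches Defender real-time protection off under policy) is what let the old value pass review, so the line should carry the mapping: `data: 0  # 0 keeps real-time protection enabled; 1 would turn it off`. Every host this role previously ran against had real-time protection disabled by this task, which the commit message "Various fix" does not mention; a changelog or release note would let operators identify and re-check those hosts. The context line `datatype: dword` differs from the `type: dword` every other win_regedit task in this series uses; if `datatype` is accepted as an alias it still reads as an inconsistency worth normalising while the task is being touched. The task's name line lies outside the hunk.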
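Review bot: The new 18.10.81.2 task in the @@ -3396 hunk gates on `win19cis_rule_18_10_81_2`, but no hunk in this series adds that variable to defaults/main.yml (PATCH 1 only edits existing entries), so unless it already exists the `when:` evaluates an undefined variable and the play fails; confirm the default is present or add `win19cis_rule_18_10_81_2: true` next to the other 18.10.81.x entries. The neighbouring 18.10.80.2 task carries an `automated` tag that both the moved 18.10.81.1 task and the new 18.10.81.2 task lack; if the role's convention is to tag every PATCH task that way, add it to both. Setting `AlwaysInstallElevated` to 0 under the machine policy key is the right direction, and a one-line comment saying that 1 would let standard users install MSI packages with elevated rights would explain why the value matters.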
@@ -3658,7 +3671,7 @@
 ansible.windows.win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate
 name: ManagePreviewBuildsPolicyValue
- data: 0
+ data: 1
 type: dword
 when:
 - win19cis_rule_18_10_93_4_1
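Review bot: The flip of `ManagePreviewBuildsPolicyValue` from 0 to 1 comes with no rationale in the commit message or on the line, and it is the second benchmark value reversed in this commit (after the Defender `DisableRealtimeMonitoring` hunk), so a reader of the diff cannot tell which of the two values the benchmark's audit procedure actually expects. Pin the mapping and the revision it was checked against in a comment, e.g. `data: 1  # 1 = 'Disable preview builds'; checked against CIS <benchmark version>`, so the value is not flipped back on the next pass. The task's name line lies outside the hunk.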