Merge pull request #106 from ansible-lockdown/dec24_updates

Dec24 Issue Updates
ansible-lockdown · Dec 13, 2024 · 15752ab · 15752ab
2 parents 201ce3d + 9488a4d
commit 15752ab
Show file tree

Hide file tree

Showing 4 changed files with 66 additions and 20 deletions.
diff --git a/ChangeLog.md b/ChangeLog.md
@@ -2,6 +2,14 @@
 
 ## Release 2.0.1
 
+December 2024 Update
+- Fixed title for 18.9.27.1
+- Issue Addressed:
+    - [#106](https://github.com/ansible-lockdown/Windows-2019-CIS/issues/105) - Thanks @animatco
+    - [#104](https://github.com/ansible-lockdown/Windows-2019-CIS/issues/104) - Thanks @devallan
+    - [#103](https://github.com/ansible-lockdown/Windows-2019-CIS/issues/103) - Thanks @Crombell95
+    - [#101](https://github.com/ansible-lockdown/Windows-2019-CIS/issues/101) - Thanks @dennisharder-alight
+
 June 2024 Update
 - Issue Addressed:
     - [#101] (https://github.com/ansible-lockdown/Windows-2019-CIS/issues/101) - Thank you @dennisharder-alight

diff --git a/tasks/section01.yml b/tasks/section01.yml
@@ -109,6 +109,19 @@
       - patch
       - password
 
+- name: "1.1.6 | PATCH | Ensure Relax minimum password length limits is set to Enabled."
+  community.windows.win_security_policy:
+      section: System Access
+      key: RelaxMinimumPasswordLengthLimits
+      value: 1
+  when:
+      - win19cis_rule_1_1_6
+  tags:
+      - level1-memberserver
+      - rule_1.1.6
+      - patch
+      - password
+
 - name: "1.1.4 | PATCH | Ensure Minimum password length is set to 14 or more characters"
   block:
       - name: "1.1.4 | AUDIT | Ensure Minimum password length is set to 14 or more characters | Warning Check For Variable Standards."
@@ -154,19 +167,6 @@
       - patch
       - password
 
-- name: "1.1.6 | PATCH | Ensure Relax minimum password length limits is set to Enabled."
-  community.windows.win_security_policy:
-      section: System Access
-      key: RelaxMinimumPasswordLengthLimits
-      value: 1
-  when:
-      - win19cis_rule_1_1_6
-  tags:
-      - level1-memberserver
-      - rule_1.1.6
-      - patch
-      - password
-
 # We have found the order of tasks varies between cloud-based instances and VM-based instances.
 # The task below loads the control group in the correct order for cloud-based systems
 - name:

diff --git a/tasks/section02.yml b/tasks/section02.yml
@@ -862,7 +862,7 @@
       - win19cis_rule_2_3_1_5
   tags:
       - level1-domaincontroller
-      - level1-memberservers
+      - level1-memberserver
       - rule_2.3.1.5
       - patch
       - securitypolicy
@@ -1618,11 +1618,49 @@
       - patch
 
 - name: "2.3.10.9 | PATCH | Configure Network access Remotely accessible registry paths and sub-paths"
-  ansible.windows.win_regedit:
-      path: HKLM:\System\Currentcontrolset\Control\Securepipeservers\Winreg\Allowedpaths
-      name: "Machine"
-      data: ['System\CurrentControlSet\Control\Print\Printers', 'System\CurrentControlSet\Services\Eventlog', 'Software\Microsoft\OLAP Server', 'Software\Microsoft\Windows NT\CurrentVersion\Print', 'Software\Microsoft\Windows NT\CurrentVersion\Windows', 'System\CurrentControlSet\Control\ContentIndex', 'System\CurrentControlSet\Control\Terminal Server', 'System\CurrentControlSet\Control\Terminal Server\UserConfig', 'System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration', 'Software\Microsoft\Windows NT\CurrentVersion\Perflib', 'System\CurrentControlSet\Services\WINS', 'System\CurrentControlSet\Services\CertSvc', 'System\CurrentControlSet\Services\SysmonLog']
-      type: multistring
+  block:
+      - name: "2.3.10.9 | PATCH | Configure Network access Remotely accessible registry paths and sub-paths | Set Fact"
+        ansible.builtin.set_fact:
+            rule_2_3_10_9_remote_registry_paths: [
+                'System\CurrentControlSet\Control\Print\Printers',
+                'System\CurrentControlSet\Services\Eventlog',
+                'Software\Microsoft\OLAP Server',
+                'Software\Microsoft\Windows NT\CurrentVersion\Print',
+                'Software\Microsoft\Windows NT\CurrentVersion\Windows',
+                'System\CurrentControlSet\Control\ContentIndex',
+                'System\CurrentControlSet\Control\Terminal Server',
+                'System\CurrentControlSet\Control\Terminal Server\UserConfig',
+                'System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration',
+                'Software\Microsoft\Windows NT\CurrentVersion\Perflib',
+                'System\CurrentControlSet\Services\SysmonLog'
+            ]
+
+      - name: "2.3.10.9 | AUDIT | Configure Network access Remotely accessible registry paths and sub-paths | Check if AD Certificate Services feature is installed."
+        community.windows.win_feature_info:
+            name: AD-Certificate
+        register: rule_2_3_10_9_adcs_feature
+
+      - name: 2.3.10.9 | PATCH | Configure Network access Remotely accessible registry paths and sub-paths | Add CertSvc to paths."
+        ansible.builtin.set_fact:
+            rule_2_3_10_9_remote_registry_paths: "{{ remote_registry_paths + ['System\\CurrentControlSet\\Services\\CertSvc'] }}"
+        when: rule_2_3_10_9_adcs_feature.features[0].installed
+
+      - name: 2.3.10.9 | AUDIT | Configure Network access Remotely accessible registry paths and sub-paths | Check if WINS feature is installed."
+        community.windows.win_feature_info:
+            name: WINS
+        register: rule_2_3_10_9_wins_feature
+
+      - name: 2.3.10.9 | PATCH | Configure Network access Remotely accessible registry paths and sub-paths | Add WINS to paths."
+        ansible.builtin.set_fact:
+            rule_2_3_10_9_remote_registry_paths: "{{ remote_registry_paths + ['System\\CurrentControlSet\\Services\\WINS'] }}"
+        when: rule_2_3_10_9_wins_feature.features[0].installed
+
+      - name: "2.3.10.9 | PATCH | Configure Network access Remotely accessible registry paths and sub-paths | Apply "
+        ansible.windows.win_regedit:
+            path: HKLM:\SYSTEM\Currentcontrolset\Control\Securepipeservers\Winreg\Allowedpaths
+            name: "Machine"
+            data: '{{ rule_2_3_10_9_remote_registry_paths }}'
+            type: multistring
   when:
       - win19cis_rule_2_3_10_9
   tags:

diff --git a/tasks/section18.yml b/tasks/section18.yml
@@ -1605,7 +1605,7 @@
       - rule_18.9.26.1
       - patch
 
-- name: "18.9.17.1 | PATCH | Ensure Block user from showing account details on sign-in is set to Enabled"
+- name: "18.9.27.1 | PATCH | Ensure Block user from showing account details on sign-in is set to Enabled"
   ansible.windows.win_regedit:
       path: HKLM:\Software\Policies\Microsoft\Windows\System
       name: BlockUserFromShowingAccountDetailsOnSignin