From 8311c70736d01dbc462e63e7d6771f38fdc85397 Mon Sep 17 00:00:00 2001
From: Stephen Williams
Date: Fri, 13 Dec 2024 11:45:33 -0500
Subject: [PATCH 1/2] Issue Fixes
Signed-off-by: Stephen Williams
---
 ChangeLog.md | 7 +++++++
 tasks/section01.yml | 26 +++++++++++------------
 tasks/section02.yml | 50 +++++++++++++++++++++++++++++++++++++++------
 tasks/section18.yml | 2 +-
 4 files changed, 65 insertions(+), 20 deletions(-)
diff --git a/ChangeLog.md b/ChangeLog.md
index e26575b..55868a4 100644
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -2,6 +2,13 @@
 ## Release 2.0.1
+December 2024 Update
+- Fixed title for 18.9.27.1
+- Issue Addressed:
+ - [#104](https://github.com/ansible-lockdown/Windows-2019-CIS/issues/104) - Thanks @devallan
+ - [#103](https://github.com/ansible-lockdown/Windows-2019-CIS/issues/103) - Thanks @Crombell95
+ - [#101](https://github.com/ansible-lockdown/Windows-2019-CIS/issues/101) - Thanks @dennisharder-alight
+
 June 2024 Update
 - Issue Addressed:
 - [#101] (https://github.com/ansible-lockdown/Windows-2019-CIS/issues/101) - Thank you @dennisharder-alight
diff --git a/tasks/section01.yml b/tasks/section01.yml
index e793fd1..45a79d8 100644
--- a/tasks/section01.yml
+++ b/tasks/section01.yml
@@ -109,6 +109,19 @@
 - patch
 - password
+- name: "1.1.6 | PATCH | Ensure Relax minimum password length limits is set to Enabled."
+ community.windows.win_security_policy:
+ section: System Access
+ key: RelaxMinimumPasswordLengthLimits
+ value: 1
+ when:
+ - win19cis_rule_1_1_6
+ tags:
+ - level1-memberserver
+ - rule_1.1.6
+ - patch
+ - password
+
 - name: "1.1.4 | PATCH | Ensure Minimum password length is set to 14 or more characters"
 block:
 - name: "1.1.4 | AUDIT | Ensure Minimum password length is set to 14 or more characters | Warning Check For Variable Standards."
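Review bot: The 1.1.6 task is moved ahead of 1.1.4, but nothing in the file records why the order matters, and the existing comment about cloud-vs-VM task ordering (visible in the removal hunk at `@@ -154,19 +167,6 @@`) shows this file already depends on subtle ordering that the next reorder could break. If the reason is what it looks like — Windows refuses a minimum password length above 14 while RelaxMinimumPasswordLengthLimits is still disabled, so 1.1.6 has to be applied first — say so above the moved task: `# 1.1.6 runs before 1.1.4 on purpose: the minimum-length policy cannot exceed 14 until RelaxMinimumPasswordLengthLimits is enabled.` The removal half of the move in the following hunk needs nothing further.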
@@ -154,19 +167,6 @@
 - patch
 - password
-- name: "1.1.6 | PATCH | Ensure Relax minimum password length limits is set to Enabled."
- community.windows.win_security_policy:
- section: System Access
- key: RelaxMinimumPasswordLengthLimits
- value: 1
- when:
- - win19cis_rule_1_1_6
- tags:
- - level1-memberserver
- - rule_1.1.6
- - patch
- - password
-
 # We have found the order of tasks varies between cloud-based instances and VM-based instances.
 # The task below loads the control group in the correct order for cloud-based systems
 - name:
diff --git a/tasks/section02.yml b/tasks/section02.yml
index 6b4063d..2508421 100644
--- a/tasks/section02.yml
+++ b/tasks/section02.yml
@@ -862,7 +862,7 @@
 - win19cis_rule_2_3_1_5
 tags:
 - level1-domaincontroller
- - level1-memberservers
+ - level1-memberserver
 - rule_2.3.1.5
 - patch
 - securitypolicy
@@ -1618,11 +1618,49 @@
 - patch
 - name: "2.3.10.9 | PATCH | Configure Network access Remotely accessible registry paths and sub-paths"
- ansible.windows.win_regedit:
- path: HKLM:\System\Currentcontrolset\Control\Securepipeservers\Winreg\Allowedpaths
- name: "Machine"
- data: ['System\CurrentControlSet\Control\Print\Printers', 'System\CurrentControlSet\Services\Eventlog', 'Software\Microsoft\OLAP Server', 'Software\Microsoft\Windows NT\CurrentVersion\Print', 'Software\Microsoft\Windows NT\CurrentVersion\Windows', 'System\CurrentControlSet\Control\ContentIndex', 'System\CurrentControlSet\Control\Terminal Server', 'System\CurrentControlSet\Control\Terminal Server\UserConfig', 'System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration', 'Software\Microsoft\Windows NT\CurrentVersion\Perflib', 'System\CurrentControlSet\Services\WINS', 'System\CurrentControlSet\Services\CertSvc', 'System\CurrentControlSet\Services\SysmonLog']
- type: multistring
+ block:
+ - name: "2.3.10.9 | PATCH | Configure Network access Remotely accessible registry paths and sub-paths | Set Fact"
+ ansible.builtin.set_fact:
+ rule_2_3_10_9_remote_registry_paths: [
+ 'System\CurrentControlSet\Control\Print\Printers',
+ 'System\CurrentControlSet\Services\Eventlog',
+ 'Software\Microsoft\OLAP Server',
+ 'Software\Microsoft\Windows NT\CurrentVersion\Print',
+ 'Software\Microsoft\Windows NT\CurrentVersion\Windows',
+ 'System\CurrentControlSet\Control\ContentIndex',
+ 'System\CurrentControlSet\Control\Terminal Server',
+ 'System\CurrentControlSet\Control\Terminal Server\UserConfig',
+ 'System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration',
+ 'Software\Microsoft\Windows NT\CurrentVersion\Perflib',
+ 'System\CurrentControlSet\Services\SysmonLog'
+ ]
+
+ - name: "2.3.10.9 | AUDIT | Configure Network access Remotely accessible registry paths and sub-paths | Check if AD Certificate Services feature is installed."
+ community.windows.win_feature_info:
+ name: AD-Certificate
+ register: rule_2_3_10_9_adcs_feature
+
+ - name: 2.3.10.9 | PATCH | Configure Network access Remotely accessible registry paths and sub-paths | Add CertSvc to paths."
+ ansible.builtin.set_fact:
+ rule_2_3_10_9_remote_registry_paths: "{{ remote_registry_paths + ['System\\CurrentControlSet\\Services\\CertSvc'] }}"
+ when: rule_2_3_10_9_adcs_feature.features[0].installed
+
+ - name: 2.3.10.9 | AUDIT | Configure Network access Remotely accessible registry paths and sub-paths | Check if WINS feature is installed."
+ community.windows.win_feature_info:
+ name: WINS
+ register: rule_2_3_10_9_wins_feature
+
+ - name: 2.3.10.9 | PATCH | Configure Network access Remotely accessible registry paths and sub-paths | Add WINS to paths."
+ ansible.builtin.set_fact:
+ rule_2_3_10_9_remote_registry_paths: "{{ remote_registry_paths + ['System\\CurrentControlSet\\Services\\WINS'] }}"
+ when: rule_2_3_10_9_wins_feature.features[0].installed
+
+ - name: "2.3.10.9 | PATCH | Configure Network access Remotely accessible registry paths and sub-paths | Apply "
+ ansible.windows.win_regedit:
+ path: HKLM:\SYSTEM\Currentcontrolset\Control\Securepipeservers\Winreg\Allowedpaths
+ name: "Machine"
+ data: '{{ rule_2_3_10_9_remote_registry_paths }}'
+ type: multistring
 when:
 - win19cis_rule_2_3_10_9
 tags:
diff --git a/tasks/section18.yml b/tasks/section18.yml
index d643a6f..a9b0387 100644
--- a/tasks/section18.yml
+++ b/tasks/section18.yml
@@ -1605,7 +1605,7 @@
 - rule_18.9.26.1
 - patch
-- name: "18.9.17.1 | PATCH | Ensure Block user from showing account details on sign-in is set to Enabled"
+- name: "18.9.27.1 | PATCH | Ensure Block user from showing account details on sign-in is set to Enabled"
 ansible.windows.win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\System
 name: BlockUserFromShowingAccountDetailsOnSignin
From 9488a4d5485db6d5a74f9a7c035bf8281a62abbd Mon Sep 17 00:00:00 2001
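Review bot: Both appending `set_fact` tasks reference `remote_registry_paths`, which nothing defines; the fact created by the `Set Fact` task is `rule_2_3_10_9_remote_registry_paths`, so the play fails with an undefined variable on any host where AD-Certificate or WINS is installed, while on other hosts the `when` skips the task and hides the bug. Change the CertSvc line to `rule_2_3_10_9_remote_registry_paths: "{{ rule_2_3_10_9_remote_registry_paths + ['System\\CurrentControlSet\\Services\\CertSvc'] }}"` and the WINS line likewise. The two `when` conditions index `features[0]`; if `win_feature_info` returns an empty `features` list for a name it cannot resolve, that index raises instead of evaluating false, so a guard such as `when: rule_2_3_10_9_adcs_feature.exists and rule_2_3_10_9_adcs_feature.features[0].installed` (confirm `exists` against the module's documented return) is safer. The task names for `Add CertSvc to paths."`, `Check if WINS feature is installed."` and `Add WINS to paths."` lack the opening quote, so the closing `"` becomes part of the task name; quote them like the other tasks in the block. The 2.3.10.9 task's `tags` list continues past the end of the hunk.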
From: Stephen Williams
Date: Fri, 13 Dec 2024 11:46:53 -0500
Subject: [PATCH 2/2] Issue Fixes
Signed-off-by: Stephen Williams
---
 ChangeLog.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/ChangeLog.md b/ChangeLog.md
index 55868a4..cae20ec 100644
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -5,6 +5,7 @@
 December 2024 Update
 - Fixed title for 18.9.27.1
 - Issue Addressed:
+ - [#106](https://github.com/ansible-lockdown/Windows-2019-CIS/issues/105) - Thanks @animatco
 - [#104](https://github.com/ansible-lockdown/Windows-2019-CIS/issues/104) - Thanks @devallan
 - [#103](https://github.com/ansible-lockdown/Windows-2019-CIS/issues/103) - Thanks @Crombell95
 - [#101](https://github.com/ansible-lockdown/Windows-2019-CIS/issues/101) - Thanks @dennisharder-alight