From 339341b07717fc8f0802cbf0c021abe56627a9e6 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 15 Nov 2021 16:06:34 +0000
Subject: [PATCH 01/32] updated benchmark IDs
Signed-off-by: Mark Bolwell
---
 defaults/main.yml | 84 ++++++++++++++++++++++++++---------------------
 1 file changed, 46 insertions(+), 38 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 0baff22..9550b78 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -120,6 +120,8 @@ rule_2_3_4_2: true
 rule_2_3_5_1: true
 rule_2_3_5_2: true
 rule_2_3_5_3: true
+rule_2_3_5_4: true
+rule_2_3_5_5: true
 rule_2_3_6_1: true
 rule_2_3_6_2: true
 rule_2_3_6_3: true
@@ -372,37 +374,37 @@ rule_18_9_30_4: true rule_18_9_39_2: true rule_18_9_43_1: true rule_18_9_44_1: true +rule_18_9_45_3_1: true +rule_18_9_45_3_2: true +rule_18_9_45_4_1_1: true +rule_18_9_45_4_1_2: true +rule_18_9_45_4_3_1: true +rule_18_9_45_8_3: true +rule_18_9_45_10_1: true +rule_18_9_45_11_1: true +rule_18_9_45_11_2: true +rule_18_9_45_14: true +rule_18_9_45_15: true rule_18_9_52_1: true -rule_18_9_59_2_2: true -rule_18_9_59_3_2_1: true -rule_18_9_59_3_3_1: true -rule_18_9_59_3_3_2: true -rule_18_9_59_3_3_3: true -rule_18_9_59_3_3_4: true -rule_18_9_59_3_9_1: true -rule_18_9_59_3_9_2: true -rule_18_9_59_3_9_3: true -rule_18_9_59_3_9_4: true -rule_18_9_59_3_9_5: true -rule_18_9_59_3_10_1: true -rule_18_9_59_3_10_2: true -rule_18_9_59_3_11_1: true -rule_18_9_59_3_11_2: true -rule_18_9_60_1: true -rule_18_9_61_2: true -rule_18_9_61_3: true -rule_18_9_66_1: true -rule_18_9_77_3_1: true -rule_18_9_77_3_2: true -rule_18_9_77_7_1: true -rule_18_9_77_9_1: true -rule_18_9_77_10_1: true -rule_18_9_77_10_2: true -rule_18_9_77_13_1_1: true -rule_18_9_77_13_1_2: true -rule_18_9_77_13_3_1: true -rule_18_9_77_14: true -rule_18_9_77_15: true +rule_18_9_62_2_2: true +rule_18_9_62_3_2_1: true +rule_18_9_62_3_3_1: true +rule_18_9_62_3_3_2: true +rule_18_9_62_3_3_3: true +rule_18_9_62_3_3_4: true +rule_18_9_62_3_9_1: true +rule_18_9_62_3_9_2: true +rule_18_9_62_3_9_3: true +rule_18_9_62_3_9_4: true +rule_18_9_62_3_9_5: true +rule_18_9_62_3_10_1: true +rule_18_9_62_3_10_2: true +rule_18_9_62_3_11_1: true +rule_18_9_62_3_11_2: true +rule_18_9_63_1: true +rule_18_9_64_2: true +rule_18_9_64_3: true +rule_18_9_69_1: true rule_18_9_80_1_1: true rule_18_9_84_1: true rule_18_9_84_2: true 
@@ -437,14 +439,13 @@ rule_19_5_1_1: true rule_19_6_6_1_1: true rule_19_7_4_1: true rule_19_7_4_2: true -rule_19_7_7_1: true -rule_19_7_7_2: true -rule_19_7_7_3: true -rule_19_7_7_4: true -rule_19_7_26_1: true -rule_19_7_41_1: true -rule_19_7_45_2_1: true - +rule_19_7_8_1: true +rule_19_7_8_2: true +rule_19_7_8_3: true +rule_19_7_8_4: true +rule_19_7_28_1: true +rule_19_7_43_1: true +rule_19_7_47_2_1: true # Section 2 Variables @@ -498,6 +499,13 @@ sys_maxsize: 32768 legalnoticecaption: "DoD Notice and Consent Banner" +# 2.2.33 +# Window Manager\Window Manager Group only exists on non Core installations +# windows_installation_type should be 'Server Core' for Core installations +# This is a variable to determine if Windows Manager should be included in this step +increase_scheduling_priority_users: '{{ ["Administrators"] if (windows_installation_type=="Server Core") else (["Administrators","Window Manager\Window Manager Group"]) }}' + + # 9.1.5 # domain_firewall_log_path is the path to the domain firewall log files. The control suggests %SystemRoot%\System32\logfiles\firewall\domainfw.log # This is a variable to give some leway on where to store these log files From a1c51168dd2e93c5bd64060cf39433a88c034b00 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 15 Nov 2021 16:07:04 +0000 Subject: [PATCH 02/32] Added prelim tasks Signed-off-by: Mark Bolwell --- tasks/main.yml | 8 ++++---- tasks/prelim.yml | 33 +++++++++++++++++++++++++++++++++ 2 files changed, 37 insertions(+), 4 deletions(-) create mode 100644 tasks/prelim.yml diff --git a/tasks/main.yml b/tasks/main.yml index c7c927f..26ebf1f 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -25,10 +25,10 @@ tags: - always -# - name: Include the preliminary tasks -# include_tasks: prelim.yml -# tags: -# - prelim_tasks +- name: Include the preliminary tasks + include_tasks: prelim.yml + tags: + - prelim_tasks - name: Execute the section 1 tasks import_tasks: section01.yml 
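Review bot: The new `increase_scheduling_priority_users` default in the `@@ -498,6 +499,13 @@` hunk templates `windows_installation_type` with no fallback, so on any run where that fact was not set (it is produced by the prelim tasks added in the following patch on this page) the whole expression fails with an undefined-variable error rather than degrading to the full user list. A `default` on the fact keeps the role usable when prelim is skipped: `increase_scheduling_priority_users: '{{ ["Administrators"] if (windows_installation_type | default("") == "Server Core") else (["Administrators", "Window Manager\Window Manager Group"]) }}'`. The backslash inside the inner Jinja double-quoted literal survives only because `\W` is not a recognised escape sequence, which is worth a comment such as `# NOTE: the backslash in the group name is literal; Jinja leaves unknown escapes untouched` above the line.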
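Review bot: Uncommenting `include_tasks: prelim.yml` with only the `prelim_tasks` tag means a tag-filtered run (for example selecting a single `rule_*` tag) skips the include entirely, and `include_tasks` is dynamic so its tags are not inherited by the tasks inside prelim.yml either; the `windows_installation_type` and `win2019cis_is_*` facts that later section tasks reference in their `when` lists would then be undefined. Since the section files below are brought in with `import_tasks`, and the task directly above this hunk already carries `tags: - always`, the prelim tasks should be pulled in the same way: `- name: Include the preliminary tasks`, `  import_tasks: prelim.yml`, `  tags: - always`. The task immediately above the hunk starts outside it.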
diff --git a/tasks/prelim.yml b/tasks/prelim.yml new file mode 100644 index 0000000..5cc2d06 --- /dev/null +++ b/tasks/prelim.yml @@ -0,0 +1,33 @@ +--- + +- name: Set system facts based on gather facts module + block: + - name: Set fact is system is standalone + set_fact: + win2019cis_is_standalone: true + when: + - ansible_windows_domain_role == 'Stand-alone server' + + - name: Set fact if domain controller role + set_fact: + win2019cis_is_domain_controller: true + when: + - ansible_windows_domain_role | regex_search('(domain controller)') + + - name: set fact if domain member server + set_fact: + win2019cis_is_domain_member: true + when: + - ansible_windows_domain_role == 'Member server' + when: + - run_audit + +- name: Get Windows installation type + win_reg_stat: + path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion + name: InstallationType + register: get_windows_installation_type + +- name: Set Windows installation type + set_fact: + windows_installation_type: "{{ get_windows_installation_type.value | default('') }}" From 2ad0d2ac70be5558913fc4e47c14569d57947b49 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 15 Nov 2021 16:07:27 +0000 Subject: [PATCH 03/32] Updated Titles and ID's Signed-off-by: Mark Bolwell --- tasks/section01.yml | 42 +-- tasks/section02.yml | 282 +++++++++------- tasks/section09.yml | 52 +-- tasks/section17.yml | 224 ++++++------ tasks/section18.yml | 804 ++++++++++++++++++++++---------------------- tasks/section19.yml | 118 +++---- 6 files changed, 773 insertions(+), 749 deletions(-) diff --git a/tasks/section01.yml b/tasks/section01.yml index a1fb085..458f077 100644 --- a/tasks/section01.yml +++ b/tasks/section01.yml 
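Review bot: The three `win2019cis_is_*` facts in the new prelim.yml are only ever set to `true`, and only inside a block guarded by `when: - run_audit`; on a host where the role does not match (or when `run_audit` is false) the fact stays undefined, so a condition such as `- not win2019cis_is_standalone` in section02.yml (rules 2.3.1.1 and 2.3.5.1 in the next patch on this page) raises an undefined-variable error instead of evaluating to false. Setting each fact unconditionally to the boolean result of the comparison gives every host a defined value and removes the dependency on `run_audit`, which is an audit switch rather than a remediation one. The `windows_installation_type` lookup below the block is fine as written and is left unchanged in the proposal.

```yaml
- name: Set system facts based on gather facts module
  set_fact:
    win2019cis_is_standalone: "{{ ansible_windows_domain_role == 'Stand-alone server' }}"
    win2019cis_is_domain_controller: "{{ ansible_windows_domain_role is search('domain controller') }}"
    win2019cis_is_domain_member: "{{ ansible_windows_domain_role == 'Member server' }}"

# … unchanged: Get Windows installation type / Set Windows installation type …
```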
@@ -1,7 +1,7 @@ --- -- name: "SCORED | 1.1.1 | PATCH | L1 Ensure Enforce password history is set to 24 or more passwords" +- name: "1.1.1 | PATCH | L1 | Ensure Enforce password history is set to 24 or more passwords" block: - - name: "SCORED | 1.1.1 | AUDIT | L1 Ensure Enforce password history is set to 24 or more passwords" + - name: "1.1.1 | AUDIT | L1 | Ensure Enforce password history is set to 24 or more passwords" assert: that: passwordhistorysize | int is version('24', '>=') fail_msg: "Password history must be configured to 24 passwords remembered and variable passwordhistorysize is set to {{ passwordhistorysize }}" @@ -9,7 +9,7 @@ ignore_errors: true register: result - - name: "SCORED | 1.1.1 | PATCH | L1 Ensure Enforce password history is set to 24 or more passwords" + - name: "1.1.1 | PATCH | L1 | Ensure Enforce password history is set to 24 or more passwords" win_security_policy: section: System Access key: PasswordHistorySize @@ -22,9 +22,9 @@ - rule_1.1.1 - patch -- name: "SCORED | 1.1.2 | PATCH | L1 Ensure Maximum password age is set to 60 or fewer days but not 0" +- name: "1.1.2 | PATCH | L1 | Ensure Maximum password age is set to 60 or fewer days but not 0" block: - - name: "SCORED | 1.1.2 | AUDIT | L1 Ensure Maximum password age is set to 60 or fewer days but not 0" + - name: "1.1.2 | AUDIT | L1 | Ensure Maximum password age is set to 60 or fewer days but not 0" assert: that: maximumpasswordage | int is version('60', '<=') fail_msg: "Maximum password age must be configured to 60 days or less and variable maximumpasswordage is set to {{ maximumpasswordage }}" @@ -32,7 +32,7 @@ ignore_errors: true register: result - - name: "SCORED | 1.1.2 | PATCH | L1 Ensure Maximum password age is set to 60 or fewer days but not 0" + - name: "1.1.2 | PATCH | L1 | Ensure Maximum password age is set to 60 or fewer days but not 0" win_security_policy: section: System Access key: MaximumPasswordAge 
@@ -45,9 +45,9 @@ - rule_1.1.2 - patch -- name: "SCORED | 1.1.3 | PATCH | L1 Ensure Minimum password age is set to 1 or more days" +- name: "1.1.3 | PATCH | L1 | Ensure Minimum password age is set to 1 or more days" block: - - name: "SCORED | 1.1.3 | AUDIT | L1 Ensure Minimum password age is set to 1 or more days" + - name: "1.1.3 | AUDIT | L1 | Ensure Minimum password age is set to 1 or more days" assert: that: minimumpasswordage is version('1', '>=') fail_msg: "Minimum password age must be configured to at least one day and variable minimumpasswordage is set to {{ minimumpasswordage }}" @@ -55,7 +55,7 @@ ignore_errors: true register: result - - name: "SCORED | 1.1.3 | PATCH | L1 Ensure Minimum password age is set to 1 or more days" + - name: "1.1.3 | PATCH | L1 | Ensure Minimum password age is set to 1 or more days" win_security_policy: section: System Access key: MinimumPasswordAge @@ -68,9 +68,9 @@ - rule_1.1.3 - patch -- name: "SCORED | 1.1.4 | PATCH | L1 Ensure Minimum password length is set to 14 or more characters" +- name: "1.1.4 | PATCH | L1 | Ensure Minimum password length is set to 14 or more characters" block: - - name: "SCORED | 1.1.4 | AUDIT | L1 Ensure Minimum password length is set to 14 or more characters" + - name: "1.1.4 | AUDIT | L1 | Ensure Minimum password length is set to 14 or more characters" assert: that: minimumpasswordlength is version('14', '>=') fail_msg: "Minimum password length must be configured to 14 characters and variable minimumpasswordlength is set to {{ minimumpasswordlength }} characters" @@ -78,7 +78,7 @@ ignore_errors: true register: result - - name: "SCORED | 1.1.4 | PATCH | L1 Ensure Minimum password length is set to 14 or more characters" + - name: "1.1.4 | PATCH | L1 | Ensure Minimum password length is set to 14 or more characters" win_security_policy: section: System Access key: MinimumPasswordLength 
@@ -91,7 +91,7 @@ - rule_1.1.4 - patch -- name: "SCORED | 1.1.5 | PATCH | L1 Ensure Password must meet complexity requirements is set to Enabled" +- name: "1.1.5 | PATCH | L1 | Ensure Password must meet complexity requirements is set to Enabled" win_security_policy: section: System Access key: PasswordComplexity @@ -104,7 +104,7 @@ - rule_1.1.5 - patch -- name: "SCORED | 1.1.6 | PATCH | L1 Ensure Store passwords using reversible encryption is set to Disabled" +- name: "1.1.6 | PATCH | L1 | Ensure Store passwords using reversible encryption is set to Disabled" win_security_policy: section: System Access key: ClearTextPassword @@ -118,9 +118,9 @@ - patch # Speelman | added because of this error "Failed to import secedit.ini file from C:\\Users\\vagrant\\AppData\\Local\\Temp\\tmp81F3.tmp -- name: "SCORED | 1.2.1 | AUDIT | L1 Ensure Account lockout duration is set to 15 or more minutes" +- name: "1.2.1 | AUDIT | L1 | Ensure Account lockout duration is set to 15 or more minutes" block: - - name: "SCORED | 1.2.1 | AUDIT | L1 Ensure Account lockout duration is set to 15 or more minutes" + - name: "1.2.1 | AUDIT | L1 | Ensure Account lockout duration is set to 15 or more minutes" assert: that: lockoutduration | int is version('15', '<=') fail_msg: "Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater and variable lockoutduration is set to {{ lockoutduration }}" @@ -128,7 +128,7 @@ ignore_errors: true register: result - - name: "SCORED | 1.2.1 | PATCH | L1 Ensure Account lockout duration is set to 15 or more minutes" + - name: "1.2.1 | PATCH | L1 | Ensure Account lockout duration is set to 15 or more minutes" win_security_policy: section: System Access key: LockoutDuration 
@@ -143,7 +143,7 @@ - patch # This rule must be applied first to make rule_1.2.1 and rule_1.2.3 applicable -- name: "SCORED | 1.2.2 | PATCH | L1 Ensure Account lockout threshold is set to 10 or fewer invalid logon attempts but not 0" +- name: "1.2.2 | PATCH | L1 | Ensure Account lockout threshold is set to 10 or fewer invalid logon attempts but not 0" win_security_policy: section: System Access key: LockoutBadCount @@ -156,9 +156,9 @@ - rule_1.2.2 - patch -- name: "SCORED | 1.2.3 | PATCH | L1 Ensure Reset account lockout counter after is set to 15 or more minutes" +- name: "1.2.3 | PATCH | L1 | Ensure Reset account lockout counter after is set to 15 or more minutes" block: - - name: "SCORED | 1.2.3 | AUDIT | L1 Ensure Reset account lockout counter after is set to 15 or more minutes" + - name: "1.2.3 | AUDIT | L1 | Ensure Reset account lockout counter after is set to 15 or more minutes" assert: that: resetlockoutcount | int is version('15', '>=') fail_msg: "Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater and variable resetlockoutcount is set to {{ resetlockoutcount }}" @@ -166,7 +166,7 @@ ignore_errors: true register: result - - name: "SCORED | 1.2.3 | PATCH | L1 Ensure Reset account lockout counter after is set to 15 or more minutes" + - name: "1.2.3 | PATCH | L1 | Ensure Reset account lockout counter after is set to 15 or more minutes" win_security_policy: section: System Access key: ResetLockoutCount diff --git a/tasks/section02.yml b/tasks/section02.yml index 36f8841..314c2d4 100644 --- a/tasks/section02.yml +++ b/tasks/section02.yml @@ -1,5 +1,5 @@ --- -- name: "SCORED | 2.2.1 | PATCH | L1 Ensure Access Credential Manager as a trusted caller is set to No One" +- name: "2.2.1 | PATCH | L1 | Ensure Access Credential Manager as a trusted caller is set to No One" win_user_right: name: SeTrustedCredManAccessPrivilege users: [] 
@@ -12,7 +12,7 @@ - rule_2.2.1 - patch -- name: "SCORED | 2.2.2 & 2.2.3 | PATCH | L1 Ensure Access this computer from the network is set to Administrators Authenticated Users ENTERPRISE DOMAIN CONTROLLERS DC only" +- name: "2.2.2 & 2.2.3 | PATCH | L1 | Ensure Access this computer from the network is set to Administrators Authenticated Users ENTERPRISE DOMAIN CONTROLLERS DC only" win_user_right: name: SeNetworkLogonRight users: @@ -29,7 +29,7 @@ - rule_2.2.3 - patch -- name: "SCORED | 2.2.4 | PATCH | L1 Ensure Act as part of the operating system is set to No One" +- name: "2.2.4 | PATCH | L1 | Ensure Act as part of the operating system is set to No One" win_user_right: name: SeTcbPrivilege users: [] @@ -42,7 +42,7 @@ - rule_2.2.4 - patch -- name: "SCORED | 2.2.5 | PATCH | L1 Ensure Add workstations to domain is set to Administrators DC only" +- name: "2.2.5 | PATCH | L1 | Ensure Add workstations to domain is set to Administrators DC only" win_user_right: name: SeMachineAccountPrivilege users: Administrators @@ -55,7 +55,7 @@ - rule_2.2.5 - patch -- name: "SCORED | 2.2.6 | PATCH | L1 Ensure Adjust memory quotas for a process is set to Administrators LOCAL SERVICE NETWORK SERVICE" +- name: "2.2.6 | PATCH | L1 | Ensure Adjust memory quotas for a process is set to Administrators LOCAL SERVICE NETWORK SERVICE" win_user_right: name: SeIncreaseQuotaPrivilege users: @@ -71,7 +71,7 @@ - rule_2.2.6 - patch -- name: "SCORED | 2.2.7 | PATCH | L1 Ensure Allow log on locally is set to Administrators" +- name: "2.2.7 | PATCH | L1 | Ensure Allow log on locally is set to Administrators" win_user_right: name: SeInteractiveLogonRight users: 
@@ -85,7 +85,7 @@ - rule_2.2.7 - patch -- name: "SCORED | 2.2.8 & 2.2.9 | PATCH | L1 Ensure Allow log on through Remote Desktop Services is set to Administrators DC only" +- name: "2.2.8 & 2.2.9 | PATCH | L1 | Ensure Allow log on through Remote Desktop Services is set to Administrators DC only" win_user_right: name: SeRemoteInteractiveLogonRight users: @@ -102,7 +102,7 @@ - rule_2.2.9 - patch -- name: "SCORED | 2.2.10 | PATCH | L1 Ensure Back up files and directories is set to Administrators" +- name: "2.2.10 | PATCH | L1 | Ensure Back up files and directories is set to Administrators" win_user_right: name: SeBackupPrivilege users: @@ -116,7 +116,7 @@ - rule_2.2.10 - patch -- name: "SCORED | 2.2.11 | PATCH | L1 Ensure Change the system time is set to Administrators LOCAL SERVICE" +- name: "2.2.11 | PATCH | L1 | Ensure Change the system time is set to Administrators LOCAL SERVICE" win_user_right: name: SeSystemTimePrivilege users: @@ -131,7 +131,7 @@ - rule_2.2.11 - patch -- name: "SCORED | 2.2.12 | PATCH | L1 Ensure Change the time zone is set to Administrators LOCAL SERVICE" +- name: "2.2.12 | PATCH | L1 | Ensure Change the time zone is set to Administrators LOCAL SERVICE" win_user_right: name: SeTimeZonePrivilege users: @@ -146,7 +146,7 @@ - rule_2.2.12 - patch -- name: "SCORED | 2.2.13 | PATCH | L1 Ensure Create a pagefile is set to Administrators" +- name: "2.2.13 | PATCH | L1 | Ensure Create a pagefile is set to Administrators" win_user_right: name: SeCreatePagefilePrivilege users: @@ -160,7 +160,7 @@ - rule_2.2.13 - patch -- name: "SCORED | 2.2.14 | PATCH | L1 Ensure Create a token object is set to No One" +- name: "2.2.14 | PATCH | L1 | Ensure Create a token object is set to No One" win_user_right: name: SeCreateTokenPrivilege users: [] 
@@ -173,7 +173,7 @@ - rule_2.2.14 - patch -- name: "SCORED | 2.2.15 | PATCH | L1 Ensure Create global objects is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE" +- name: "2.2.15 | PATCH | L1 | Ensure Create global objects is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE" win_user_right: name: SeCreateGlobalPrivilege users: @@ -190,7 +190,7 @@ - rule_2.2.15 - patch -- name: "SCORED | 2.2.16 | PATCH | L1 Ensure Create permanent shared objects is set to No One" +- name: "2.2.16 | PATCH | L1 | Ensure Create permanent shared objects is set to No One" win_user_right: name: SeCreatePermanentPrivilege users: [] @@ -203,7 +203,7 @@ - rule_2.2.16 - patch -- name: "SCORED | 2.2.17 | PATCH | L1 Ensure Create symbolic links is set to Administrators DC only" +- name: "2.2.17 | PATCH | L1 | Ensure Create symbolic links is set to Administrators DC only" win_user_right: name: SeCreateSymbolicLinkPrivilege users: @@ -217,9 +217,9 @@ - rule_2.2.17 - patch -- name: "SCORED | 2.2.18 | PATCH | L1 Ensure Create symbolic links is set to Administrators NT VIRTUAL MACHINEVirtual Machines MS only" +- name: "2.2.18 | PATCH | L1 | Ensure Create symbolic links is set to Administrators NT VIRTUAL MACHINEVirtual Machines MS only" block: - - name: "SCORED | 2.2.18 | PATCH | (L1 Ensure Create symbolic links is set to Administrators NT VIRTUAL MACHINEVirtual Machines MS only | No Hyper-v" + - name: "2.2.18 | PATCH | (L1 Ensure Create symbolic links is set to Administrators NT VIRTUAL MACHINEVirtual Machines MS only | No Hyper-v" win_user_right: name: SeCreateSymbolicLinkPrivilege users: 
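Review bot: The retitled inner task in the `@@ -217,9 +217,9 @@` hunk, `"2.2.18 | PATCH | (L1 Ensure Create symbolic links ... | No Hyper-v"`, keeps a stray `(` and omits the ` | ` after the level that every other renamed task in this commit uses, so it will not match the `ID | ACTION | LEVEL | Title` pattern the rest of the file now follows. Suggested line: `- name: "2.2.18 | PATCH | L1 | Ensure Create symbolic links is set to Administrators NT VIRTUAL MACHINEVirtual Machines MS only | No Hyper-v"`. The enclosing block continues past the end of this hunk.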
@@ -227,7 +227,7 @@ action: set when: not is_hyperv_installed - - name: "SCORED | 2.2.18 | PATCH | L1 Ensure Create symbolic links is set to Administrators NT VIRTUAL MACHINEVirtual Machines MS only | With Hyper-v" + - name: "2.2.18 | PATCH | L1 | Ensure Create symbolic links is set to Administrators NT VIRTUAL MACHINEVirtual Machines MS only | With Hyper-v" win_user_right: name: SeCreateSymbolicLinkPrivilege users: @@ -243,7 +243,7 @@ - rule_2.2.18 - patch -- name: "SCORED | 2.2.19 | PATCH | L1 Ensure Debug programs is set to Administrators" +- name: "2.2.19 | PATCH | L1 | Ensure Debug programs is set to Administrators" win_user_right: name: SeDebugPrivilege users: @@ -258,7 +258,7 @@ - patch # Limiting hardening to only include the Guests group, since Local Account access will still be needed for non-domain-joined nodes -- name: "SCORED | 2.2.20 | PATCH | L1 Ensure Deny access to this computer from the network to include Guests DC only" +- name: "2.2.20 | PATCH | L1 | Ensure Deny access to this computer from the network to include Guests DC only" win_user_right: name: SeDenyNetworkLogonRight users: @@ -272,7 +272,7 @@ - rule_2.2.20 - patch -- name: "SCORED | 2.2.21 | PATCH | L1 Ensure Deny access to this computer from the network to include Guests Local account and member of Administrators group MS only" +- name: "2.2.21 | PATCH | L1 | Ensure Deny access to this computer from the network to include Guests Local account and member of Administrators group MS only" win_user_right: name: SeDenyNetworkLogonRight users: @@ -288,7 +288,7 @@ - rule_2.2.21 - patch -- name: "SCORED | 2.2.22 | PATCH | L1 Ensure Deny log on as a batch job to include Guests" +- name: "2.2.22 | PATCH | L1 | Ensure Deny log on as a batch job to include Guests" win_user_right: name: SeDenyBatchLogonRight users: 
@@ -302,7 +302,7 @@ - rule_2.2.22 - patch -- name: "SCORED | 2.2.23 | PATCH | L1 Ensure Deny log on as a service to include Guests" +- name: "2.2.23 | PATCH | L1 | Ensure Deny log on as a service to include Guests" win_user_right: name: SeDenyServiceLogonRight users: @@ -316,7 +316,7 @@ - rule_2.2.23 - patch -- name: "SCORED | 2.2.24 | PATCH | L1 Ensure Deny log on locally to include Guests" +- name: "2.2.24 | PATCH | L1 | Ensure Deny log on locally to include Guests" win_user_right: name: SeDenyInteractiveLogonRight users: @@ -330,7 +330,7 @@ - rule_2.2.24 - patch -- name: "SCORED | 2.2.25 | PATCH | L1 Ensure Deny log on through Remote Desktop Services to include Guests DC only" +- name: "2.2.25 | PATCH | L1 | Ensure Deny log on through Remote Desktop Services to include Guests DC only" win_user_right: name: SeDenyRemoteInteractiveLogonRight users: @@ -345,7 +345,7 @@ - rule_2.2.25 - patch -- name: "SCORED | 2.2.26 | PATCH | L1 Ensure Deny log on through Remote Desktop Services is set to Guests Local account MS only" +- name: "2.2.26 | PATCH | L1 | Ensure Deny log on through Remote Desktop Services is set to Guests Local account MS only" win_user_right: name: SeDenyRemoteInteractiveLogonRight users: @@ -360,7 +360,7 @@ - rule_2.2.26 - patch -- name: "SCORED | 2.2.27 | PATCH | L1 Ensure Enable computer and user accounts to be trusted for delegation is set to Administrators DC only" +- name: "2.2.27 | PATCH | L1 | Ensure Enable computer and user accounts to be trusted for delegation is set to Administrators DC only" win_user_right: name: SeEnableDelegationPrivilege users: Administrators 
@@ -368,12 +368,13 @@ when: - rule_2_2_27 - ansible_windows_domain_role == "Primary domain controller" + - win2019cis_is_standalone tags: - level1-domaincontroller - rule_2.2.27 - patch -- name: "SCORED | 2.2.28 | PATCH | L1 Ensure Enable computer and user accounts to be trusted for delegation is set to No One MS only" +- name: "2.2.28 | PATCH | L1 | Ensure Enable computer and user accounts to be trusted for delegation is set to No One MS only" win_user_right: name: SeEnableDelegationPrivilege users: [] @@ -386,7 +387,7 @@ - rule_2.2.28 - patch -- name: "SCORED | 2.2.29 | PATCH | L1 Ensure Force shutdown from a remote system is set to Administrators" +- name: "2.2.29 | PATCH | L1 | Ensure Force shutdown from a remote system is set to Administrators" win_user_right: name: SeRemoteShutdownPrivilege users: @@ -400,7 +401,7 @@ - rule_2.2.29 - patch -- name: "SCORED | 2.2.30 | PATCH | L1 Ensure Generate security audits is set to LOCAL SERVICE NETWORK SERVICE" +- name: "2.2.30 | PATCH | L1 | Ensure Generate security audits is set to LOCAL SERVICE NETWORK SERVICE" win_user_right: name: SeAuditPrivilege users: @@ -415,7 +416,7 @@ - rule_2.2.30 - patch -- name: "SCORED | 2.2.31 | PATCH | L1 Ensure Impersonate a client after authentication is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE DC only" +- name: "2.2.31 | PATCH | L1 | Ensure Impersonate a client after authentication is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE DC only" win_user_right: name: SeImpersonatePrivilege users: 
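Review bot: The `- win2019cis_is_standalone` condition added to rule 2.2.27 in the `@@ -368,12 +368,13 @@` hunk sits in the same `when` list as `ansible_windows_domain_role == "Primary domain controller"`; a stand-alone server is by definition not a domain controller, so the two can never both be true and this DC-only task is now permanently skipped. The sibling hunks in this commit (2.3.1.1 and 2.3.5.1) add `- not win2019cis_is_standalone`, which looks like the intended form here as well; alternatively drop the extra line, since the domain-role check already excludes stand-alone hosts. If the fact is kept, note it is only defined when prelim.yml has run and the host actually is standalone, so the inverted form still needs a defined value to be safe. The task's `win_user_right` body starts outside this hunk.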
@@ -432,7 +433,7 @@ - rule_2.2.31 - patch -- name: "SCORED | 2.2.32 | PATCH | L1 Ensure Impersonate a client after authentication is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE and when the Web Server IIS Role with Web Services Role Service is installed IIS IUSRS MS only" +- name: "2.2.32 | PATCH | L1 | Ensure Impersonate a client after authentication is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE and when the Web Server IIS Role with Web Services Role Service is installed IIS IUSRS MS only" win_user_right: name: SeImpersonatePrivilege users: @@ -450,12 +451,10 @@ - rule_2.2.32 - patch -- name: "SCORED | 2.2.33 | PATCH | L1 Ensure Increase scheduling priority is set to Administrators Window ManagerWindow Manager Group" +- name: "2.2.33 | PATCH | L1 | Ensure Increase scheduling priority is set to Administrators Window ManagerWindow Manager Group" win_user_right: name: SeIncreaseBasePriorityPrivilege - users: - - Administrators - - Window Manager\Window Manager Group + users: "{{ increase_scheduling_priority_users }}" action: set when: - rule_2_2_33 @@ -465,7 +464,7 @@ - rule_2.2.33 - patch -- name: "SCORED | 2.2.34 | PATCH | L1 Ensure Load and unload device drivers is set to Administrators" +- name: "2.2.34 | PATCH | L1 | Ensure Load and unload device drivers is set to Administrators" win_user_right: name: SeLoadDriverPrivilege users: @@ -479,7 +478,7 @@ - rule_2.2.34 - patch -- name: "SCORED | 2.2.35 | PATCH | L1 Ensure Lock pages in memory is set to No One" +- name: "2.2.35 | PATCH | L1 | Ensure Lock pages in memory is set to No One" win_user_right: name: SeLockMemoryPrivilege users: [] @@ -492,7 +491,7 @@ - rule_2.2.35 - patch -- name: "SCORED | 2.2.36 | PATCH | L2 Ensure Log on as a batch job is set to Administrators DC Only" +- name: "2.2.36 | PATCH | L2 | Ensure Log on as a batch job is set to Administrators DC Only" win_user_right: name: SeBatchLogonRight users: Administrators 
@@ -505,7 +504,7 @@ - rule_2.2.36 - patch -- name: "SCORED | 2.2.37 & 2.2.38 | PATCH | L1 Ensure Manage auditing and security log is set to Administrators and when Exchange is running in the environment Exchange Servers DC only" +- name: "2.2.37 & 2.2.38 | PATCH | L1 | Ensure Manage auditing and security log is set to Administrators and when Exchange is running in the environment Exchange Servers DC only" win_user_right: name: SeSecurityPrivilege users: @@ -521,7 +520,7 @@ - rule_2.2.38 - patch -- name: "SCORED | 2.2.39 | PATCH | L1 Ensure Modify an object label is set to No One" +- name: "2.2.39 | PATCH | L1 | Ensure Modify an object label is set to No One" win_user_right: name: SeReLabelPrivilege users: [] @@ -534,7 +533,7 @@ - rule_2.2.39 - patch -- name: "SCORED | 2.2.40 | PATCH | L1 Ensure Modify firmware environment values is set to Administrators" +- name: "2.2.40 | PATCH | L1 | Ensure Modify firmware environment values is set to Administrators" win_user_right: name: SeSystemEnvironmentPrivilege users: @@ -548,7 +547,7 @@ - rule_2.2.40 - patch -- name: "SCORED | 2.2.41 | PATCH | L1 Ensure Perform volume maintenance tasks is set to Administrators" +- name: "2.2.41 | PATCH | L1 | Ensure Perform volume maintenance tasks is set to Administrators" win_user_right: name: SeManageVolumePrivilege users: @@ -562,7 +561,7 @@ - rule_2.2.41 - patch -- name: "SCORED | 2.2.42 | PATCH | L1 Ensure Profile single process is set to Administrators" +- name: "2.2.42 | PATCH | L1 | Ensure Profile single process is set to Administrators" win_user_right: name: SeProfileSingleProcessPrivilege users: @@ -576,7 +575,7 @@ - rule_2.2.42 - patch -- name: "SCORED | 2.2.43 | PATCH | L1 Ensure Profile system performance is set to Administrators NT SERVICEWdiServiceHost" +- name: "2.2.43 | PATCH | L1 | Ensure Profile system performance is set to Administrators NT SERVICEWdiServiceHost" win_user_right: name: SeSystemProfilePrivilege users: 
@@ -591,7 +590,7 @@ - rule_2.2.43 - patch -- name: "SCORED | 2.2.44 | PATCH | L1 Ensure Replace a process level token is set to LOCAL SERVICE NETWORK SERVICE" +- name: "2.2.44 | PATCH | L1 | Ensure Replace a process level token is set to LOCAL SERVICE NETWORK SERVICE" win_user_right: name: SeAssignPrimaryTokenPrivilege users: @@ -606,7 +605,7 @@ - rule_2.2.44 - patch -- name: "SCORED | 2.2.45 | PATCH | L1 Ensure Restore files and directories is set to Administrators" +- name: "2.2.45 | PATCH | L1 | Ensure Restore files and directories is set to Administrators" win_user_right: name: SeRestorePrivilege users: @@ -620,7 +619,7 @@ - rule_2.2.45 - patch -- name: "SCORED | 2.2.46 | PATCH | L1 Ensure Shut down the system is set to Administrators" +- name: "2.2.46 | PATCH | L1 | Ensure Shut down the system is set to Administrators" win_user_right: name: SeShutdownPrivilege users: @@ -634,7 +633,7 @@ - rule_2.2.46 - patch -- name: "SCORED | 2.2.47 | PATCH | L1 Ensure Synchronize directory service data is set to No One DC only" +- name: "2.2.47 | PATCH | L1 | Ensure Synchronize directory service data is set to No One DC only" win_user_right: name: SeSyncAgentPrivilege users: [] @@ -647,7 +646,7 @@ - rule_2.2.47 - patch -- name: "SCORED | 2.2.48 | PATCH | L1 Ensure Take ownership of files or other objects is set to Administrators" +- name: "2.2.48 | PATCH | L1 | Ensure Take ownership of files or other objects is set to Administrators" win_user_right: name: SeTakeOwnershipPrivilege users: @@ -661,7 +660,7 @@ - rule_2.2.48 - patch -- name: "SCORED | 2.3.1.1 | PATCH | L1 Ensure Accounts Administrator account status is set to Disabled MS only" +- name: "2.3.1.1 | PATCH | L1 | Ensure Accounts Administrator account status is set to Disabled MS only" win_security_policy: section: System Access key: EnableAdminAccount 
@@ -669,12 +668,13 @@ when: - rule_2_3_1_1 - not ansible_windows_domain_role == "Primary domain controller" + - not win2019cis_is_standalone tags: - level1-memberserver - rule_2.3.1.1 - patch -- name: "SCORED | 2.3.1.2 | PATCH | L1 Ensure Accounts Block Microsoft accounts is set to Users cant add or log on with Microsoft accounts" +- name: "2.3.1.2 | PATCH | L1 | Ensure Accounts Block Microsoft accounts is set to Users cant add or log on with Microsoft accounts" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: NoConnectedUser @@ -688,7 +688,7 @@ - rule_2.3.1.2 - patch -- name: "SCORED | 2.3.1.3 | PATCH | L1 Ensure Accounts Guest account status is set to Disabled MS only" +- name: "2.3.1.3 | PATCH | L1 | Ensure Accounts Guest account status is set to Disabled MS only" win_security_policy: section: System Access key: EnableGuestAccount @@ -700,7 +700,7 @@ - rule_2.3.1.3 - patch -- name: "SCORED | 2.3.1.4 | PATCH | L1 Ensure Accounts Limit local account use of blank passwords to console logon only is set to Enabled" +- name: "2.3.1.4 | PATCH | L1 | Ensure Accounts Limit local account use of blank passwords to console logon only is set to Enabled" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Lsa name: LimitBlankPasswordUse @@ -714,7 +714,7 @@ - rule_2.3.1.4 - patch -- name: "SCORED | 2.3.1.5 | PATCH | L1 Configure Accounts Rename administrator account" +- name: "2.3.1.5 | PATCH | L1 | Configure Accounts Rename administrator account" win_security_policy: section: System Access key: newadministratorname @@ -728,7 +728,7 @@ - rule_2.3.1.5 - patch -- name: "SCORED | 2.3.1.6 | PATCH | L1 Configure Accounts Rename guest account" +- name: "2.3.1.6 | PATCH | L1 | Configure Accounts Rename guest account" win_security_policy: section: System Access key: NewGuestName 
@@ -741,7 +741,7 @@ - rule_2.3.1.6 - patch -- name: "SCORED | 2.3.2.1 | PATCH | L1 Ensure Audit Force audit policy subcategory settings Windows Vista or later to override audit policy category settings is set to Enabled" +- name: "2.3.2.1 | PATCH | L1 | Ensure Audit Force audit policy subcategory settings Windows Vista or later to override audit policy category settings is set to Enabled" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Lsa name: SCENoApplyLegacyAuditPolicy @@ -755,7 +755,7 @@ - rule_2.3.2.1 - patch -- name: "SCORED | 2.3.2.2 | PATCH | L1 Ensure Audit Shut down system immediately if unable to log security audits is set to Disabled" +- name: "2.3.2.2 | PATCH | L1 | Ensure Audit Shut down system immediately if unable to log security audits is set to Disabled" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Lsa name: CrashOnAuditFail @@ -769,7 +769,7 @@ - rule_2.3.2.2 - patch -- name: "SCORED | 2.3.4.1 | PATCH | L1 Ensure Devices Allowed to format and eject removable media is set to Administrators" +- name: "2.3.4.1 | PATCH | L1 | Ensure Devices Allowed to format and eject removable media is set to Administrators" win_regedit: path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon name: AllocateDASD @@ -783,7 +783,7 @@ - rule_2.3.4.1 - patch -- name: "SCORED | 2.3.4.2 | PATCH | L1 Ensure Devices Prevent users from installing printer drivers is set to Enabled" +- name: "2.3.4.2 | PATCH | L1 | Ensure Devices Prevent users from installing printer drivers is set to Enabled" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Print\Providers\Lanman Print Services\Servers name: AddPrinterDrivers 
@@ -797,7 +797,7 @@ - rule_2.3.4.2 - patch -- name: "SCORED | 2.3.5.1 | PATCH | L1 Ensure Domain controller Allow server operators to schedule tasks is set to Disabled DC only" +- name: "2.3.5.1 | PATCH | L1 | Ensure Domain controller Allow server operators to schedule tasks is set to Disabled DC only" win_regedit: path: HKLM:\System\CurrentControlSet\Control\Lsa name: SubmitControl 
@@ -806,40 +806,72 @@ when: - rule_2_3_5_1 - ansible_windows_domain_role == "Primary domain controller" + - not win2019cis_is_standalone tags: - level1-domaincontroller - rule_2.3.5.1 - patch -- name: "SCORED | 2.3.5.2 | PATCH | L1 Ensure Domain controller LDAP server signing requirements is set to Require signing DC only" +- name: "2.3.5.2 | PATCH | L1 | Ensure Domain controller Allow vulnerable Netlogon secure channel connections' is set to 'Not Configured DC only" + win_regedit: + path: HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters + name: VulnerableChannelAllowList + data: 0 + type: dword + when: + - rule_2_3_5_2 + - ansible_windows_domain_role == "Primary domain controller" + - not win2019cis_is_standalone + tags: + - level1-domaincontroller + - rule_2.3.5.2 + - patch + +- name: "2.3.5.3 | PATCH | L1 | Ensure Domain controller LDAP server channel binding token requirements' is set to 'Always' DC only" + win_regedit: + path: HKLM:\System\CurrentControlSet\Services\NTDS\Parameters + name: LdapEnforceChannelBinding + data: 2 + type: dword + when: + - rule_2_3_5_3 + - ansible_windows_domain_role == "Primary domain controller" + - not win2019cis_is_standalone + tags: + - level1-domaincontroller + - rule_2.3.5.3 + - patch + +- name: "2.3.5.4 | PATCH | L1 | Ensure Domain controller LDAP server signing requirements is set to Require signing DC only" win_regedit: path: HKLM:\System\CurrentControlSet\Services\NTDS\Parameters name: LDAPServerIntegrity data: 2 type: dword when: - - rule_2_3_5_2 + - rule_2_3_5_4 - ansible_windows_domain_role == "Primary domain controller" tags: - level1-domaincontroller - - rule_2.3.5.2 + - rule_2.3.5.4 - patch -- name: "SCORED | 2.3.5.3 | PATCH | L1 Ensure Domain controller Refuse machine account password changes is set to Disabled DC only" +- name: "2.3.5.5 | PATCH | L1 | Ensure Domain controller Refuse machine account password changes is set to Disabled DC only" win_regedit: path: 
HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters name: RefusePasswordChange data: 0 type: dword when: - - rule_2_3_5_3 + - rule_2_3_5_5 - ansible_windows_domain_role == "Primary domain controller" + - not win2019cis_is_standalone tags: - level1-domaincontroller - - rule_2.3.5.3 + - rule_2.3.5.5 - patch -- name: "SCORED | 2.3.6.1 | PATCH | L1 Ensure Domain member Digitally encrypt or sign secure channel data always is set to Enabled" +- name: "2.3.6.1 | PATCH | L1 | Ensure Domain member Digitally encrypt or sign secure channel data always is set to Enabled" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters name: RequireSignOrSeal @@ -848,13 +880,14 @@ when: - rule_2_3_6_1 - not ansible_windows_domain_role == "Primary domain controller" + - not win2019cis_is_standalone tags: - level1-domaincontroller - level1-memberserver - rule_2.3.6.1 - patch -- name: "SCORED | 2.3.6.2 | PATCH | L1 Ensure Domain member Digitally encrypt secure channel data when possible is set to Enabled" +- name: "2.3.6.2 | PATCH | L1 | Ensure Domain member Digitally encrypt secure channel data when possible is set to Enabled" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters name: sealsecurechannel @@ -863,13 +896,14 @@ when: - rule_2_3_6_2 - not ansible_windows_domain_role == "Primary domain controller" + - not win2019cis_is_standalone tags: - level1-domaincontroller - level1-memberserver - rule_2.3.6.2 - patch -- name: "SCORED | 2.3.6.3 | PATCH | L1 Ensure Domain member Digitally sign secure channel data when possible is set to Enabled" +- name: "2.3.6.3 | PATCH | L1 | Ensure Domain member Digitally sign secure channel data when possible is set to Enabled" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters name: signsecurechannel 
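Review bot: The renumbered 2.3.5.4 task (LDAPServerIntegrity) is the only DC-only task in this hunk whose `when:` did not receive `- not win2019cis_is_standalone`; 2.3.5.1, the new 2.3.5.2 and 2.3.5.3, and 2.3.5.5 all gained it, so either add the same line under `- ansible_windows_domain_role == "Primary domain controller"` or note why it is omitted. Separately, the new 2.3.5.2 task's own title says the setting is to be 'Not Configured', yet the task writes `data: 0` / `type: dword` to `VulnerableChannelAllowList`; 'Not Configured' means the value is absent, and Microsoft documents this value as a REG_SZ security-descriptor string, so a DWORD 0 matches neither the benchmark state nor the value type, whereas replacing those two lines with `state: absent` would. The two new titles also carry unbalanced quotes (`connections' is set to 'Not Configured DC only`, `requirements' is set to 'Always' DC only`) where every sibling title is unquoted; drop them for consistency. The hunk opens inside the 2.3.5.1 task's `when:` and closes inside the 2.3.6.1 task.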
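Review bot: In the 2.3.6.1 `when:` block the task is tagged `level1-domaincontroller` yet skipped wherever `ansible_windows_domain_role == "Primary domain controller"`, so that tag can never select it on a DC; the same applies to 2.3.6.2 in the following hunk. If the Domain member settings are meant for both roles, as the two tags suggest, the role condition should go (keeping the newly added `- not win2019cis_is_standalone`); if the exclusion is intended, the `level1-domaincontroller` tag should be removed so tag-based runs are not misleading. While here, `ansible_windows_domain_role != "Primary domain controller"` reads more plainly than the `not ... ==` form used throughout. Both hunks open inside their task's `when:` block.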
@@ -884,7 +918,7 @@ - rule_2.3.6.3 - patch -- name: "SCORED | 2.3.6.4 | PATCH | L1 Ensure Domain member Disable machine account password changes is set to Disabled" +- name: "2.3.6.4 | PATCH | L1 | Ensure Domain member Disable machine account password changes is set to Disabled" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters name: disablepasswordchange @@ -899,7 +933,7 @@ - rule_2.3.6.4 - patch -- name: "SCORED | 2.3.6.5 | PATCH | L1 Ensure Domain member Maximum machine account password age is set to 30 or fewer days but not 0" +- name: "2.3.6.5 | PATCH | L1 | Ensure Domain member Maximum machine account password age is set to 30 or fewer days but not 0" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters name: MaximumPasswordAge @@ -914,7 +948,7 @@ - rule_2.3.6.5 - patch -- name: "SCORED | 2.3.6.6 | PATCH | L1 Ensure Domain member Require strong Windows 2000 or later session key is set to Enabled" +- name: "2.3.6.6 | PATCH | L1 | Ensure Domain member Require strong Windows 2000 or later session key is set to Enabled" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters name: RequireStrongKey @@ -929,7 +963,7 @@ - rule_2.3.6.6 - patch -- name: "SCORED | 2.3.7.1 | PATCH | L1 Ensure Interactive logon Do not require CTRLALTDEL is set to Disabled" +- name: "2.3.7.1 | PATCH | L1 | Ensure Interactive logon Do not require CTRLALTDEL is set to Disabled" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: DisableCAD @@ -943,7 +977,7 @@ - rule_2.3.7.1 - patch -- name: "SCORED | 2.3.7.2 | PATCH | L1 Ensure Interactive logon Dont display last signed-in is set to Enabled" +- name: "2.3.7.2 | PATCH | L1 | Ensure Interactive logon Dont display last signed-in is set to Enabled" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: DontDisplayLastUserName 
@@ -957,7 +991,7 @@ - rule_2.3.7.2 - patch -- name: "SCORED | 2.3.7.3 | PATCH | L1 Ensure Interactive logon Machine inactivity limit is set to 900 or fewer seconds but not 0" +- name: "2.3.7.3 | PATCH | L1 | Ensure Interactive logon Machine inactivity limit is set to 900 or fewer seconds but not 0" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: InactivityTimeoutSecs @@ -971,7 +1005,7 @@ - rule_2.3.7.3 - patch -- name: "SCORED | 2.3.7.4 | PATCH | L1 Configure Interactive logon Message text for users attempting to log on" +- name: "2.3.7.4 | PATCH | L1 | Configure Interactive logon Message text for users attempting to log on" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: LegalNoticeText @@ -985,7 +1019,7 @@ - rule_2.3.7.4 - patch -- name: "SCORED | 2.3.7.5 | PATCH | L1 Configure Interactive logon Message title for users attempting to log on" +- name: "2.3.7.5 | PATCH | L1 | Configure Interactive logon Message title for users attempting to log on" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: LegalNoticeCaption @@ -999,7 +1033,7 @@ - rule_2.3.7.5 - patch -- name: "SCORED | 2.3.7.6 | PATCH | L2 Ensure Interactive logon Number of previous logons to cache in case domain controller is not available is set to 4 or fewer logons MS only" +- name: "2.3.7.6 | PATCH | L2 | Ensure Interactive logon Number of previous logons to cache in case domain controller is not available is set to 4 or fewer logons MS only" win_regedit: path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon name: cachedlogonscount 
@@ -1012,7 +1046,7 @@ - rule_2.3.7.6 - patch -- name: "SCORED | 2.3.7.7 | PATCH | L1 Ensure Interactive logon Prompt user to change password before expiration is set to between 5 and 14 days" +- name: "2.3.7.7 | PATCH | L1 | Ensure Interactive logon Prompt user to change password before expiration is set to between 5 and 14 days" win_regedit: path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon name: PasswordExpiryWarning @@ -1026,7 +1060,7 @@ - rule_2.3.7.7 - patch -- name: "SCORED | 2.3.7.8 | PATCH | L1 Ensure Interactive logon Require Domain Controller Authentication to unlock workstation is set to Enabled MS only" +- name: "2.3.7.8 | PATCH | L1 | Ensure Interactive logon Require Domain Controller Authentication to unlock workstation is set to Enabled MS only" win_regedit: path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon name: ForceUnlockLogon @@ -1040,7 +1074,7 @@ - rule_2.3.7.8 - patch -- name: "SCORED | 2.3.7.9 | PATCH | L1 Ensure Interactive logon Smart card removal behavior is set to Lock Workstation or higher" +- name: "2.3.7.9 | PATCH | L1 | Ensure Interactive logon Smart card removal behavior is set to Lock Workstation or higher" win_regedit: path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon name: scremoveoption @@ -1054,7 +1088,7 @@ - rule_2.3.7.9 - patch -- name: "SCORED | 2.3.8.1 | PATCH | L1 Ensure Microsoft network client Digitally sign communications always is set to Enabled" +- name: "2.3.8.1 | PATCH | L1 | Ensure Microsoft network client Digitally sign communications always is set to Enabled" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters name: RequireSecuritySignature 
@@ -1068,7 +1102,7 @@ - rule_2.3.8.1 - patch -- name: "SCORED | 2.3.8.2 | PATCH | L1 Ensure Microsoft network client Digitally sign communications if server agrees is set to Enabled" +- name: "2.3.8.2 | PATCH | L1 | Ensure Microsoft network client Digitally sign communications if server agrees is set to Enabled" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters name: EnableSecuritySignature @@ -1082,7 +1116,7 @@ - rule_2.3.8.2 - patch -- name: "SCORED | 2.3.8.3 | PATCH | L1 Ensure Microsoft network client Send unencrypted password to third-party SMB servers is set to Disabled" +- name: "2.3.8.3 | PATCH | L1 | Ensure Microsoft network client Send unencrypted password to third-party SMB servers is set to Disabled" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters name: EnablePlainTextPassword @@ -1096,7 +1130,7 @@ - rule_2.3.8.3 - patch -- name: "SCORED | 2.3.9.1 | PATCH | L1 Ensure Microsoft network server Amount of idle time required before suspending session is set to 15 or fewer minutes" +- name: "2.3.9.1 | PATCH | L1 | Ensure Microsoft network server Amount of idle time required before suspending session is set to 15 or fewer minutes" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters name: autodisconnect @@ -1110,7 +1144,7 @@ - rule_2.3.9.1 - patch -- name: "SCORED | 2.3.9.2 | PATCH | L1 Ensure Microsoft network server Digitally sign communications always is set to Enabled" +- name: "2.3.9.2 | PATCH | L1 | Ensure Microsoft network server Digitally sign communications always is set to Enabled" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters name: requiresecuritysignature 
@@ -1124,7 +1158,7 @@ - rule_2.3.9.2 - patch -- name: "SCORED | 2.3.9.3 | PATCH | L1 Ensure Microsoft network server Digitally sign communications if client agrees is set to Enabled" +- name: "2.3.9.3 | PATCH | L1 | Ensure Microsoft network server Digitally sign communications if client agrees is set to Enabled" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters name: enablesecuritysignature @@ -1138,7 +1172,7 @@ - rule_2.3.9.3 - patch -- name: "SCORED | 2.3.9.4 | PATCH | L1 Ensure Microsoft network server Disconnect clients when logon hours expire is set to Enabled" +- name: "2.3.9.4 | PATCH | L1 | Ensure Microsoft network server Disconnect clients when logon hours expire is set to Enabled" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters name: enableforcedlogoff @@ -1152,7 +1186,7 @@ - rule_2.3.9.4 - patch -- name: "SCORED | 2.3.9.5 | PATCH | L1 Ensure Microsoft network server Server SPN target name validation level is set to Accept if provided by client or higher MS only" +- name: "2.3.9.5 | PATCH | L1 | Ensure Microsoft network server Server SPN target name validation level is set to Accept if provided by client or higher MS only" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters name: SMBServerNameHardeningLevel @@ -1166,7 +1200,7 @@ - rule_2.3.9.5 - patch -- name: "SCORED | 2.3.10.1 | PATCH | L1 Ensure Network access Allow anonymous SIDName translation is set to Disabled" +- name: "2.3.10.1 | PATCH | L1 | Ensure Network access Allow anonymous SIDName translation is set to Disabled" win_security_policy: section: System Access key: LSAAnonymousNameLookup 
@@ -1179,7 +1213,7 @@ - rule_2.3.10.1 - patch -- name: "SCORED | 2.3.10.2 | PATCH | L1 Ensure Network access Do not allow anonymous enumeration of SAM accounts is set to Enabled MS only" +- name: "2.3.10.2 | PATCH | L1 | Ensure Network access Do not allow anonymous enumeration of SAM accounts is set to Enabled MS only" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Lsa name: RestrictAnonymousSAM @@ -1193,7 +1227,7 @@ - rule_2.3.10.2 - patch -- name: "SCORED | 2.3.10.3 | PATCH | L1 Ensure Network access Do not allow anonymous enumeration of SAM accounts and shares is set to Enabled MS only" +- name: "2.3.10.3 | PATCH | L1 | Ensure Network access Do not allow anonymous enumeration of SAM accounts and shares is set to Enabled MS only" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Lsa name: RestrictAnonymous @@ -1207,7 +1241,7 @@ - rule_2.3.10.3 - patch -- name: "SCORED | 2.3.10.4 | PATCH | L2 Ensure Network access Do not allow storage of passwords and credentials for network authentication is set to Enabled" +- name: "2.3.10.4 | PATCH | L2 | Ensure Network access Do not allow storage of passwords and credentials for network authentication is set to Enabled" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Lsa name: DisableDomainCreds @@ -1221,7 +1255,7 @@ - rule_2.3.10.4 - patch -- name: "SCORED | 2.3.10.5 | PATCH | L1 Ensure Network access Let Everyone permissions apply to anonymous users is set to Disabled" +- name: "2.3.10.5 | PATCH | L1 | Ensure Network access Let Everyone permissions apply to anonymous users is set to Disabled" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Lsa name: EveryoneIncludesAnonymous 
@@ -1235,7 +1269,7 @@ - rule_2.3.10.5 - patch -- name: "SCORED | 2.3.10.6 | PATCH | L1 Configure Network access Named Pipes that can be accessed anonymously DC only" +- name: "2.3.10.6 | PATCH | L1 | Configure Network access Named Pipes that can be accessed anonymously DC only" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters name: NullSessionPipes @@ -1249,7 +1283,7 @@ - rule_2.3.10.6 - patch -- name: "SCORED | 2.3.10.7 | PATCH | L1 Configure Network access Named Pipes that can be accessed anonymously MS only" +- name: "2.3.10.7 | PATCH | L1 | Configure Network access Named Pipes that can be accessed anonymously MS only" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters name: NullSessionPipes @@ -1263,7 +1297,7 @@ - rule_2.3.10.7 - patch -- name: "SCORED | 2.3.10.8 | PATCH | L1 Configure Network access Remotely accessible registry paths" +- name: "2.3.10.8 | PATCH | L1 | Configure Network access Remotely accessible registry paths" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Securepipeservers\Winreg\AllowedExactpaths name: "Machine" @@ -1277,7 +1311,7 @@ - rule_2.3.10.8 - patch -- name: "SCORED | 2.3.10.9 | PATCH | L1 Configure Network access Remotely accessible registry paths and sub-paths" +- name: "2.3.10.9 | PATCH | L1 | Configure Network access Remotely accessible registry paths and sub-paths" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Securepipeservers\Winreg\Allowedpaths name: "Machine" @@ -1291,7 +1325,7 @@ - rule_2.3.10.9 - patch -- name: "SCORED | 2.3.10.10 | PATCH | L1 Ensure Network access Restrict anonymous access to Named Pipes and Shares is set to Enabled" +- name: "2.3.10.10 | PATCH | L1 | Ensure Network access Restrict anonymous access to Named Pipes and Shares is set to Enabled" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters name: RestrictNullSessAccess 
@@ -1305,7 +1339,7 @@ - rule_2.3.10.10 - patch -- name: "SCORED | 2.3.10.11 | PATCH | L1 Ensure Network access Restrict clients allowed to make remote calls to SAM is set to Administrators Remote Access Allow MS only" +- name: "2.3.10.11 | PATCH | L1 | Ensure Network access Restrict clients allowed to make remote calls to SAM is set to Administrators Remote Access Allow MS only" win_regedit: path: HKLM:\System\CurrentControlSet\Control\Lsa name: RestrictRemoteSAM @@ -1318,7 +1352,7 @@ - rule_2.3.10.11 - patch -- name: "SCORED | 2.3.10.12 | PATCH | L1 Ensure Network access Shares that can be accessed anonymously is set to None" +- name: "2.3.10.12 | PATCH | L1 | Ensure Network access Shares that can be accessed anonymously is set to None" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters name: NullSessionShares @@ -1332,7 +1366,7 @@ - rule_2.3.10.12 - patch -- name: "SCORED | 2.3.10.13 | PATCH | L1 Ensure Network access Sharing and security model for local accounts is set to Classic - local users authenticate as themselves" +- name: "2.3.10.13 | PATCH | L1 | Ensure Network access Sharing and security model for local accounts is set to Classic - local users authenticate as themselves" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Lsa name: ForceGuest @@ -1346,7 +1380,7 @@ - rule_2.3.10.13 - patch -- name: "SCORED | 2.3.11.1 | PATCH | L1 Ensure Network security Allow Local System to use computer identity for NTLM is set to Enabled" +- name: "2.3.11.1 | PATCH | L1 | Ensure Network security Allow Local System to use computer identity for NTLM is set to Enabled" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Lsa name: UseMachineId 
@@ -1360,7 +1394,7 @@ - rule_2.3.11.1 - patch -- name: "SCORED | 2.3.11.2 | PATCH | L1 Ensure Network security Allow LocalSystem NULL session fallback is set to Disabled" +- name: "2.3.11.2 | PATCH | L1 | Ensure Network security Allow LocalSystem NULL session fallback is set to Disabled" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0 name: allownullsessionfallback @@ -1374,7 +1408,7 @@ - rule_2.3.11.2 - patch -- name: "SCORED | 2.3.11.3 | PATCH | L1 Ensure Network Security Allow PKU2U authentication requests to this computer to use online identities is set to Disabled" +- name: "2.3.11.3 | PATCH | L1 | Ensure Network Security Allow PKU2U authentication requests to this computer to use online identities is set to Disabled" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Lsa\Pku2U name: AllowOnlineID @@ -1388,7 +1422,7 @@ - rule_2.3.11.3 - patch -- name: "SCORED | 2.3.11.4 | PATCH | L1 Ensure Network security Configure encryption types allowed for Kerberos is set to AES128 HMAC SHA1 AES256 HMAC SHA1 Future encryption types" +- name: "2.3.11.4 | PATCH | L1 | Ensure Network security Configure encryption types allowed for Kerberos is set to AES128 HMAC SHA1 AES256 HMAC SHA1 Future encryption types" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\Kerberos\Parameters name: SupportedEncryptionTypes @@ -1402,7 +1436,7 @@ - rule_2.3.11.4 - patch -- name: "SCORED | 2.3.11.5 | PATCH | L1 Ensure Network security Do not store LAN Manager hash value on next password change is set to Enabled" +- name: "2.3.11.5 | PATCH | L1 | Ensure Network security Do not store LAN Manager hash value on next password change is set to Enabled" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Lsa name: NoLMHash 
@@ -1416,7 +1450,7 @@ - rule_2.3.11.5 - patch -- name: "SCORED | 2.3.11.6 | PATCH | L1 Ensure Network security Force logoff when logon hours expire is set to Enabled" +- name: "2.3.11.6 | PATCH | L1 | Ensure Network security Force logoff when logon hours expire is set to Enabled" win_regedit: path: HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters name: EnableForcedLogOff @@ -1430,7 +1464,7 @@ - rule_2.3.11.6 - patch -- name: "SCORED | 2.3.11.7 | PATCH | L1 Ensure Network security LAN Manager authentication level is set to Send NTLMv2 response only. Refuse LM NTLM" +- name: "2.3.11.7 | PATCH | L1 | Ensure Network security LAN Manager authentication level is set to Send NTLMv2 response only. Refuse LM NTLM" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Lsa name: LMCompatibilityLevel @@ -1444,7 +1478,7 @@ - rule_2.3.11.7 - patch -- name: "SCORED | 2.3.11.8 | PATCH | L1 Ensure Network security LDAP client signing requirements is set to Negotiate signing or higher" +- name: "2.3.11.8 | PATCH | L1 | Ensure Network security LDAP client signing requirements is set to Negotiate signing or higher" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Ldap name: LDAPClientIntegrity @@ -1458,7 +1492,7 @@ - rule_2.3.11.8 - patch -- name: "SCORED | 2.3.11.9 | PATCH | L1 Ensure Network security Minimum session security for NTLM SSP based including secure RPC clients is set to Require NTLMv2 session security Require 128-bit encryption" +- name: "2.3.11.9 | PATCH | L1 | Ensure Network security Minimum session security for NTLM SSP based including secure RPC clients is set to Require NTLMv2 session security Require 128-bit encryption" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0 name: NTLMMinClientSec 
@@ -1472,7 +1506,7 @@ - rule_2.3.11.9 - patch -- name: "SCORED | 2.3.11.10 | PATCH | L1 Ensure Network security Minimum session security for NTLM SSP based including secure RPC servers is set to Require NTLMv2 session security Require 128-bit encryption" +- name: "2.3.11.10 | PATCH | L1 | Ensure Network security Minimum session security for NTLM SSP based including secure RPC servers is set to Require NTLMv2 session security Require 128-bit encryption" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0 name: NTLMMinServerSec @@ -1486,7 +1520,7 @@ - rule_2.3.11.10 - patch -- name: "SCORED | 2.3.13.1 | PATCH | L1 Ensure Shutdown Allow system to be shut down without having to log on is set to Disabled" +- name: "2.3.13.1 | PATCH | L1 | Ensure Shutdown Allow system to be shut down without having to log on is set to Disabled" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: ShutdownWithoutLogon @@ -1500,7 +1534,7 @@ - rule_2.3.13.1 - patch -- name: "SCORED | 2.3.15.1 | PATCH | L1 Ensure System objects Require case insensitivity for non-Windows subsystems is set to Enabled" +- name: "2.3.15.1 | PATCH | L1 | Ensure System objects Require case insensitivity for non-Windows subsystems is set to Enabled" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Session Manager\Kernel name: ObCaseInsensitive @@ -1514,7 +1548,7 @@ - rule_2.3.15.1 - patch -- name: "SCORED | 2.3.15.2 | PATCH | L1 Ensure System objects Strengthen default permissions of internal system objects e.g. Symbolic Links is set to Enabled" +- name: "2.3.15.2 | PATCH | L1 | Ensure System objects Strengthen default permissions of internal system objects e.g. Symbolic Links is set to Enabled" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Session Manager name: ProtectionMode 
@@ -1528,7 +1562,7 @@ - rule_2.3.15.2 - patch -- name: "SCORED | 2.3.17.1 | PATCH | L1 Ensure User Account Control Admin Approval Mode for the Built-in Administrator account is set to Enabled" +- name: "2.3.17.1 | PATCH | L1 | Ensure User Account Control Admin Approval Mode for the Built-in Administrator account is set to Enabled" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: FilterAdministratorToken @@ -1542,7 +1576,7 @@ - rule_2.3.17.1 - patch -- name: "SCORED | 2.3.17.2 | PATCH | L1 Ensure User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode is set to Prompt for consent on the secure desktop" +- name: "2.3.17.2 | PATCH | L1 | Ensure User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode is set to Prompt for consent on the secure desktop" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: ConsentPromptBehaviorAdmin @@ -1556,7 +1590,7 @@ - rule_2.3.17.2 - patch -- name: "SCORED | 2.3.17.3 | PATCH | L1 Ensure User Account Control Behavior of the elevation prompt for standard users is set to Automatically deny elevation requests" +- name: "2.3.17.3 | PATCH | L1 | Ensure User Account Control Behavior of the elevation prompt for standard users is set to Automatically deny elevation requests" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: ConsentPromptBehaviorUser @@ -1570,7 +1604,7 @@ - rule_2.3.17.3 - patch -- name: "SCORED | 2.3.17.4 | PATCH | L1 Ensure User Account Control Detect application installations and prompt for elevation is set to Enabled" +- name: "2.3.17.4 | PATCH | L1 | Ensure User Account Control Detect application installations and prompt for elevation is set to Enabled" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: EnableInstallerDetection 
@@ -1584,7 +1618,7 @@ - rule_2.3.17.4 - patch -- name: "SCORED | 2.3.17.5 | PATCH | L1 Ensure User Account Control Only elevate UIAccess applications that are installed in secure locations is set to Enabled" +- name: "2.3.17.5 | PATCH | L1 | Ensure User Account Control Only elevate UIAccess applications that are installed in secure locations is set to Enabled" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: EnableSecureUIAPaths @@ -1598,7 +1632,7 @@ - rule_2.3.17.5 - patch -- name: "SCORED | 2.3.17.6 | PATCH | L1 Ensure User Account Control Run all administrators in Admin Approval Mode is set to Enabled" +- name: "2.3.17.6 | PATCH | L1 | Ensure User Account Control Run all administrators in Admin Approval Mode is set to Enabled" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: EnableLUA @@ -1612,7 +1646,7 @@ - rule_2.3.17.6 - patch -- name: "SCORED | 2.3.17.7 | PATCH | L1 Ensure User Account Control Switch to the secure desktop when prompting for elevation is set to Enabled" +- name: "2.3.17.7 | PATCH | L1 | Ensure User Account Control Switch to the secure desktop when prompting for elevation is set to Enabled" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: PromptOnSecureDesktop @@ -1626,7 +1660,7 @@ - rule_2.3.17.7 - patch -- name: "SCORED | 2.3.17.8 | PATCH | L1 Ensure User Account Control Virtualize file and registry write failures to per-user locations is set to Enabled" +- name: "2.3.17.8 | PATCH | L1 | Ensure User Account Control Virtualize file and registry write failures to per-user locations is set to Enabled" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: EnableVirtualization diff --git a/tasks/section09.yml b/tasks/section09.yml index c2bd4a2..1a90190 100644 --- a/tasks/section09.yml +++ b/tasks/section09.yml 
@@ -1,5 +1,5 @@ --- -- name: "SCORED | 9.1.1 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'" +- name: "9.1.1 | PATCH | L1 | Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'" win_firewall: state: enabled profile: Domain @@ -11,7 +11,7 @@ - rule_9.1.1 - patch -- name: "SCORED | 9.1.2 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'" +- name: "9.1.2 | PATCH | L1 | Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile name: DefaultInboundAction @@ -25,7 +25,7 @@ - rule_9.1.2 - patch -- name: "SCORED | 9.1.3 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'" +- name: "9.1.3 | PATCH | L1 | Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile name: DefaultOutboundAction @@ -39,7 +39,7 @@ - rule_9.1.3 - patch -- name: "SCORED | 9.1.4 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'" +- name: "9.1.4 | PATCH | L1 | Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile name: DisableNotifications @@ -54,7 +54,7 @@ - patch # title has slashes switched -- name: "SCORED | 9.1.5 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%/System32/logfiles/firewall/domainfw.log'" +- name: "9.1.5 | PATCH | L1 | Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%/System32/logfiles/firewall/domainfw.log'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging name: LogFilePath 
@@ -68,7 +68,7 @@ - rule_9.1.5 - patch -- name: "SCORED | 9.1.6 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'" +- name: "9.1.6 | PATCH | L1 | Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging name: LogFileSize @@ -82,7 +82,7 @@ - rule_9.1.6 - patch -- name: "SCORED | 9.1.7 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'" +- name: "9.1.7 | PATCH | L1 | Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging name: LogDroppedPackets @@ -96,7 +96,7 @@ - rule_9.1.7 - patch -- name: "SCORED | 9.1.8 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'" +- name: "9.1.8 | PATCH | L1 | Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging name: LogSuccessfulConnections @@ -110,7 +110,7 @@ - rule_9.1.7 - patch -- name: "SCORED | 9.2.1 | PATCH | (L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'" +- name: "9.2.1 | PATCH | L1 | Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'" win_firewall: state: enabled profile: Private @@ -122,7 +122,7 @@ - rule_9.2.1 - patch -- name: "SCORED | 9.2.2 | PATCH | (L1) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'" +- name: "9.2.2 | PATCH | L1 | Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile name: DefaultInboundAction 
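Review bot: The context lines opening the hunk at -110 show the task immediately before 9.2.1 tagged `- rule_9.1.7`, but that task is 9.1.8 (its title is the one renamed in the hunk at -96), so a run filtered on `rule_9.1.8` would skip the successful-connections logging setting while `rule_9.1.7` would apply two tasks; change it to `- rule_9.1.8`. Whether that task's `when:` also references the 9.1.7 variable cannot be seen here and is worth checking. The enclosing task starts outside the hunk.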
@@ -136,7 +136,7 @@ - rule_9.2.2 - patch -- name: "SCORED | 9.2.3 | PATCH | (L1) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'" +- name: "9.2.3 | PATCH | L1 | Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile name: DefaultOutboundAction @@ -150,7 +150,7 @@ - rule_9.2.3 - patch -- name: "SCORED | 9.2.4 | PATCH | (L1) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'" +- name: "9.2.4 | PATCH | L1 | Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile name: DisableNotifications @@ -165,7 +165,7 @@ - patch # title has slashes switched -- name: "SCORED | 9.2.5 | PATCH | (L1) Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%/System32/logfiles/firewall/privatefw.log'" +- name: "9.2.5 | PATCH | L1 | Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%/System32/logfiles/firewall/privatefw.log'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging name: LogFilePath @@ -179,7 +179,7 @@ - rule_9.2.5 - patch -- name: "SCORED | 9.2.6 | PATCH | (L1) Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'" +- name: "9.2.6 | PATCH | L1 | Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging name: LogFileSize 
@@ -193,7 +193,7 @@
 - rule_9.2.6
 - patch
-- name: "SCORED | 9.2.7 | PATCH | (L1) Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'"
+- name: "9.2.7 | PATCH | L1 | Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'"
 win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging
 name: LogDroppedPackets
@@ -207,7 +207,7 @@
 - rule_9.2.7
 - patch
-- name: "SCORED | 9.2.8 | PATCH | (L1) Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'"
+- name: "9.2.8 | PATCH | L1 | Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'"
 win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging
 name: LogSuccessfulConnections
@@ -221,7 +221,7 @@
 - rule_9.2.8
 - patch
-- name: "SCORED | 9.3.1 | PATCH | (L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'"
+- name: "9.3.1 | PATCH | L1 | Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'"
 win_firewall:
 state: enabled
 profile: Public
@@ -233,7 +233,7 @@
 - rule_9.3.1
 - patch
-- name: "SCORED | 9.3.2 | PATCH | (L1) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'"
+- name: "9.3.2 | PATCH | L1 | Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'"
 win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile
 name: DefaultInboundAction
@@ -247,7 +247,7 @@
 - rule_9.3.2
 - patch
-- name: "SCORED | 9.3.3 | PATCH | (L1) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'"
+- name: "9.3.3 | PATCH | L1 | Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'"
 win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile
 name: DefaultOutboundAction
@@ -261,7 +261,7 @@
 - rule_9.3.3
 - patch
-- name: "SCORED | 9.3.4 | PATCH | (L1) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'"
+- name: "9.3.4 | PATCH | L1 | Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'"
 win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile
 name: DisableNotifications
@@ -275,7 +275,7 @@
 - rule_9.3.4
 - patch
-- name: "SCORED | 9.3.5 | PATCH | (L1) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'"
+- name: "9.3.5 | PATCH | L1 | Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'"
 win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile
 name: AllowLocalPolicyMerge
@@ -290,7 +290,7 @@
 - rule_9.3.5
 - patch
-- name: "SCORED | 9.3.6 | PATCH | (L1) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'"
+- name: "9.3.6 | PATCH | L1 | Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'"
 win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile
 name: AllowLocalIPsecPolicyMerge
@@ -305,7 +305,7 @@
 - patch
 # title has slashes switched
-- name: "SCORED | 9.3.7 | PATCH | (L1) Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%/System32/logfiles/firewall/publicfw.log'"
+- name: "9.3.7 | PATCH | L1 | Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%/System32/logfiles/firewall/publicfw.log'"
 win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging
 name: LogFilePath
@@ -319,7 +319,7 @@
 - rule_9.3.7
 - patch
-- name: "SCORED | 9.3.8 | PATCH | (L1) Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'"
+- name: "9.3.8 | PATCH | L1 | Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'"
 win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging
 name: LogFileSize
@@ -333,7 +333,7 @@
 - rule_9.3.8
 - patch
-- name: "SCORED | 9.3.9 | PATCH | (L1) Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'"
+- name: "9.3.9 | PATCH | L1 | Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'"
 win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging
 name: LogDroppedPackets
@@ -347,7 +347,7 @@
 - rule_9.3.9
 - patch
-- name: "SCORED | 9.3.10 | PATCH | (L1) Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'"
+- name: "9.3.10 | PATCH | L1 | Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'"
 win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging
 name: LogSuccessfulConnections
diff --git a/tasks/section17.yml b/tasks/section17.yml
index 685c64e..9973983 100644
--- a/tasks/section17.yml
+++ b/tasks/section17.yml
@@ -1,18 +1,18 @@
 ---
-- name: "SCORED | 17.1.1 | PATCH | L1 Ensure Audit Credential Validation is set to Success and Failure"
+- name: " 17.1.1 | PATCH | L1 | Ensure Audit Credential Validation is set to Success and Failure"
 block:
- - name: "SCORED | 17.1.1 | AUDIT | L1 Ensure Audit Credential Validation is set to Success and Failure"
+ - name: " 17.1.1 | AUDIT | L1 | Ensure Audit Credential Validation is set to Success and Failure"
 win_shell: AuditPol /get /subcategory:"Credential Validation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 register: rule_17_1_1_audit
 changed_when: false
 failed_when: false
- - name: "SCORED | 17.1.1 | PATCH | L1 Ensure Audit Credential Validation is set to Success and Failure | Success"
+ - name: " 17.1.1 | PATCH | L1 | Ensure Audit Credential Validation is set to Success and Failure | Success"
 win_shell: AuditPol /set /subcategory:"Credential Validation" /success:enable
 when: "'Success' not in rule_17_1_1_audit.stdout"
 changed_when: "'Success' not in rule_17_1_1_audit.stdout"
- - name: "SCORED | 17.1.1 | PATCH | L1 Ensure Audit Credential Validation is set to Success and Failure | Failure"
+ - name: " 17.1.1 | PATCH | L1 | Ensure Audit Credential Validation is set to Success and Failure | Failure"
 win_shell: AuditPol /set /subcategory:"Credential Validation" /failure:enable
 when: "'Failure' not in rule_17_1_1_audit.stdout"
 changed_when: "'Failure' not in rule_17_1_1_audit.stdout"
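Review bot: The renamed task names in section17.yml open with a space — `" 17.1.1 | PATCH | L1 | …"` — whereas the renamed section9.yml tasks start at the digit (`"9.1.6 | PATCH | L1 | …"`), and the same leading space is on every renamed line from this hunk through `@@ -540,15`. It is cosmetic, but it makes task listings and any search on `"17.` inconsistent between the two files, so I would drop the space across the file while the titles are being rewritten anyway. The enclosing task's `when:` and tags continue outside the hunk.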
@@ -25,19 +25,19 @@
 - rule_17.1.1
 - patch
-- name: "SCORED | 17.1.2 | PATCH | L1 Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only"
+- name: " 17.1.2 | PATCH | L1 | Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only"
 block:
- - name: "SCORED | 17.1.2 | AUDIT | L1 Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only"
+ - name: " 17.1.2 | AUDIT | L1 | Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only"
 win_shell: AuditPol /get /subcategory:"Kerberos Authentication Service" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 register: rule_17_1_2_audit
- - name: "SCORED | 17.1.2 | PATCH | L1 Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only"
+ - name: " 17.1.2 | PATCH | L1 | Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only"
 win_shell: AuditPol /set /subcategory:"Kerberos Authentication Service" /success:enable
 when: "'Success' not in rule_17_1_2_audit.stdout"
- - name: "SCORED | 17.1.2 | PATCH | L1 Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only"
+ - name: " 17.1.2 | PATCH | L1 | Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only"
 win_shell: AuditPol /set /subcategory:"Kerberos Authentication Service" /failure:enable
 when: "'Failure' not in rule_17_1_2_audit.stdout"
 when:
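Review bot: The two `/set` subtasks of 17.1.2 carry the identical renamed name `" 17.1.2 | PATCH | L1 | Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only"`, so the play output cannot show which half ran or changed. 17.1.1 in the previous hunk distinguishes them with `| Success` and `| Failure` suffixes, and 17.1.3 in `@@ -48,19` has the same duplication. Appending the suffix to the two renamed lines keeps the file's convention consistent. The `when:` of the enclosing task continues past the end of the hunk.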
@@ -48,19 +48,19 @@
 - rule_17.1.2
 - patch
-- name: "SCORED | 17.1.3 | PATCH | L1 Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure'"
+- name: " 17.1.3 | PATCH | L1 | Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure'"
 block:
- - name: "SCORED | 17.1.3 | AUDIT | L1 Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure'"
+ - name: " 17.1.3 | AUDIT | L1 | Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure'"
 win_shell: AuditPol /get /subcategory:"Kerberos Service Ticket Operations" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 register: rule_17_1_3_audit
- - name: "SCORED | 17.1.3 | PATCH | L1 Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure'"
+ - name: " 17.1.3 | PATCH | L1 | Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure'"
 win_shell: AuditPol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable
 when: "'Success' not in rule_17_1_3_audit.stdout"
- - name: "SCORED | 17.1.3 | PATCH | L1 Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure'"
+ - name: " 17.1.3 | PATCH | L1 | Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure'"
 win_shell: AuditPol /set /subcategory:"Kerberos Service Ticket Operations" /failure:enable
 when: "'Failure' not in rule_17_1_3_audit.stdout"
 when:
@@ -71,19 +71,19 @@
 - rule_17.1.2
 - patch
-- name: "SCORED | 17.2.1 | PATCH | L1 Ensure Audit Application Group Management is set to Success and Failure"
+- name: " 17.2.1 | PATCH | L1 | Ensure Audit Application Group Management is set to Success and Failure"
 block:
- - name: "SCORED | 17.2.1 | AUDIT | L1 Ensure Audit Application Group Management is set to Success and Failure"
+ - name: " 17.2.1 | AUDIT | L1 | Ensure Audit Application Group Management is set to Success and Failure"
 win_shell: AuditPol /get /subcategory:"Security Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 register: rule_17_2_1_audit
 changed_when: false
 failed_when: false
- - name: "SCORED | 17.2.1 | PATCH | L1 Ensure Audit Application Group Management is set to Success and Failure | Success"
+ - name: " 17.2.1 | PATCH | L1 | Ensure Audit Application Group Management is set to Success and Failure | Success"
 win_shell: AuditPol /set /subcategory:"Security Group Management" /success:enable
 when: "'Success' not in rule_17_2_1_audit.stdout"
- - name: "SCORED | 17.2.1 | PATCH | L1 Ensure Audit Application Group Management is set to Success and Failure | Failure"
+ - name: " 17.2.1 | PATCH | L1 | Ensure Audit Application Group Management is set to Success and Failure | Failure"
 win_shell: AuditPol /set /subcategory:"Security Group Management" /failure:enable
 when: "'Failure' not in rule_17_2_1_audit.stdout"
 when:
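Review bot: The 17.2.1 task audits and sets `Security Group Management` on all three `win_shell` lines, not `Application Group Management` as its title says, so the subcategory this rule is meant to cover is never configured and the task merely duplicates 17.2.5 in hunk `@@ -153,15`, which sets the same subcategory. Each of the three lines should read `/subcategory:"Application Group Management"`. Separately, the leading context of this hunk shows the 17.1.3 task from `@@ -48,19` tagged `- rule_17.1.2` instead of `- rule_17.1.3`, so `--tags rule_17.1.3` selects nothing and `--skip-tags rule_17.1.2` also drops the Kerberos Service Ticket Operations setting. The enclosing task's trailing `when:` continues outside the hunk.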
@@ -95,15 +95,15 @@
 - rule_17.2.1
 - patch
-- name: "SCORED | 17.2.2 | PATCH | L1 Ensure Audit Computer Account Management is set to include Success DC only"
+- name: " 17.2.2 | PATCH | L1 | Ensure Audit Computer Account Management is set to include Success DC only"
 block:
- - name: "SCORED | 17.2.2 | AUDIT | L1 Ensure Audit Computer Account Management is set to include Success DC only"
+ - name: " 17.2.2 | AUDIT | L1 | Ensure Audit Computer Account Management is set to include Success DC only"
 win_shell: AuditPol /get /subcategory:"Computer Account Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 register: rule_17_2_2_audit
 changed_when: false
 failed_when: false
- - name: "SCORED | 17.2.2 | PATCH | L1 Ensure Audit Computer Account Management is set to include Success DC only"
+ - name: " 17.2.2 | PATCH | L1 | Ensure Audit Computer Account Management is set to include Success DC only"
 win_shell: AuditPol /set /subcategory:"Computer Account Management" /success:enable
 changed_when: "'Success' not in rule_17_2_2_audit.stdout"
 when: "'Success' not in rule_17_2_2_audit.stdout"
@@ -115,15 +115,15 @@
 - rule_17.2.2
 - patch
-- name: "SCORED | 17.2.3 | PATCH | L1 Ensure Audit Distribution Group Management is set to include Success DC only"
+- name: " 17.2.3 | PATCH | L1 | Ensure Audit Distribution Group Management is set to include Success DC only"
 block:
- - name: "SCORED | 17.2.3 | AUDIT | L1 Ensure Audit Distribution Group Management is set to include Success DC only"
+ - name: " 17.2.3 | AUDIT | L1 | Ensure Audit Distribution Group Management is set to include Success DC only"
 win_shell: AuditPol /get /subcategory:"Distribution Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 register: rule_17_2_3_audit
 changed_when: false
 failed_when: false
- - name: "SCORED | 17.2.3 | PATCH | L1 Ensure Audit Distribution Group Management is set to include Success DC only"
+ - name: " 17.2.3 | PATCH | L1 | Ensure Audit Distribution Group Management is set to include Success DC only"
 win_shell: AuditPol /set /subcategory:"Distribution Group Management" /success:enable
 when: "'Success' not in rule_17_2_3_audit.stdout"
 when:
@@ -134,15 +134,15 @@
 - rule_17.2.3
 - patch
-- name: "SCORED | 17.2.4 | PATCH | L1 Ensure Audit Other Account Management Events is set to include Success DC only"
+- name: " 17.2.4 | PATCH | L1 | Ensure Audit Other Account Management Events is set to include Success DC only"
 block:
- - name: "SCORED | 17.2.4 | AUDIT | L1 Ensure Audit Other Account Management Events is set to include Success DC only"
+ - name: " 17.2.4 | AUDIT | L1 | Ensure Audit Other Account Management Events is set to include Success DC only"
 win_shell: AuditPol /get /subcategory:"Other Account Management Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 register: rule_17_2_4_audit
 changed_when: false
 failed_when: false
- - name: "SCORED | 17.2.4 | PATCH | L1 Ensure Audit Other Account Management Events is set to include Success DC only"
+ - name: " 17.2.4 | PATCH | L1 | Ensure Audit Other Account Management Events is set to include Success DC only"
 win_shell: AuditPol /set /subcategory:"Other Account Management Events" /success:enable
 when: "'Success' not in rule_17_2_4_audit.stdout"
 when:
@@ -153,15 +153,15 @@
 - rule_17.2.4
 - patch
-- name: "SCORED | 17.2.5 | AUDIT | L1 Ensure Audit Security Group Management is set to include Success"
+- name: " 17.2.5 | AUDIT | L1 | Ensure Audit Security Group Management is set to include Success"
 block:
- - name: "SCORED | 17.2.5 | AUDIT | L1 Ensure Audit Security Group Management is set to include Success"
+ - name: " 17.2.5 | AUDIT | L1 | Ensure Audit Security Group Management is set to include Success"
 win_shell: AuditPol /get /subcategory:"Security Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 register: rule_17_2_5_audit
 changed_when: false
 failed_when: false
- - name: "SCORED | 17.2.5 | PATCH | L1 Ensure Audit Security Group Management is set to include Success"
+ - name: " 17.2.5 | PATCH | L1 | Ensure Audit Security Group Management is set to include Success"
 win_shell: AuditPol /set /subcategory:"Security Group Management" /success:enable
 when: "'Success' not in rule_17_2_5_audit.stdout"
 when:
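Review bot: The top-level task of 17.2.5 is labelled `AUDIT` in the renamed line, but the block it wraps runs `AuditPol /set`, so by the convention used on every other top-level task in this file the label should be `PATCH`: `- name: " 17.2.5 | PATCH | L1 | Ensure Audit Security Group Management is set to include Success"`. The renamed top-level line of 17.5.3 in hunk `@@ -307,15` has the same mislabel. Anyone filtering a task listing on `| AUDIT |` to find the read-only checks would pick up both of these state-changing tasks. The enclosing task's `when:` continues outside the hunk.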
@@ -172,19 +172,19 @@
 - rule_17.2.5
 - patch
-- name: "SCORED | 17.2.6 | PATCH | L1 Ensure Audit User Account Management is set to Success and Failure"
+- name: " 17.2.6 | PATCH | L1 | Ensure Audit User Account Management is set to Success and Failure"
 block:
- - name: "SCORED | 17.2.6 | AUDIT | L1 Ensure Audit User Account Management is set to Success and Failure"
+ - name: " 17.2.6 | AUDIT | L1 | Ensure Audit User Account Management is set to Success and Failure"
 win_shell: AuditPol /get /subcategory:"User Account Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 register: rule_17_2_6_audit
- - name: "SCORED | 17.2.6 | PATCH | L1 Ensure Audit User Account Management is set to Success and Failure | Success"
+ - name: " 17.2.6 | PATCH | L1 | Ensure Audit User Account Management is set to Success and Failure | Success"
 win_shell: AuditPol /set /subcategory:"User Account Management" /success:enable
 when: "'Success' not in rule_17_2_6_audit.stdout"
- - name: "SCORED | 17.2.6 | PATCH | L1 Ensure Audit User Account Management is set to Success and Failure | Failure"
+ - name: " 17.2.6 | PATCH | L1 | Ensure Audit User Account Management is set to Success and Failure | Failure"
 win_shell: AuditPol /set /subcategory:"User Account Management" /failure:enable
 when: "'Failure' not in rule_17_2_6_audit.stdout"
 when:
@@ -195,15 +195,15 @@
 - rule_17.2.6
 - patch
-- name: "SCORED | 17.3.1 | PATCH | L1 Ensure Audit PNP Activity is set to include Success"
+- name: " 17.3.1 | PATCH | L1 | Ensure Audit PNP Activity is set to include Success"
 block:
- - name: "SCORED | 17.3.1 | AUDIT | L1 Ensure Audit PNP Activity is set to include Success"
+ - name: " 17.3.1 | AUDIT | L1 | Ensure Audit PNP Activity is set to include Success"
 win_shell: AuditPol /get /subcategory:"Plug and Play Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 register: rule_17_3_1_audit
- - name: "SCORED | 17.3.1 | PATCH | L1 Ensure Audit PNP Activity is set to include Success"
+ - name: " 17.3.1 | PATCH | L1 | Ensure Audit PNP Activity is set to include Success"
 win_shell: AuditPol /set /subcategory:"Plug and Play Events" /success:enable
 when: "'Success' not in rule_17_3_1_audit.stdout"
 when:
@@ -214,15 +214,15 @@
 - rule_17.3.1
 - patch
-- name: "SCORED | 17.3.2 | PATCH | L1 Ensure Audit Process Creation is set to include Success"
+- name: " 17.3.2 | PATCH | L1 | Ensure Audit Process Creation is set to include Success"
 block:
- - name: "SCORED | 17.3.2 | AUDIT | L1 Ensure Audit Process Creation is set to include Success"
+ - name: " 17.3.2 | AUDIT | L1 | Ensure Audit Process Creation is set to include Success"
 win_shell: AuditPol /get /subcategory:"Process Creation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 register: rule_17_3_2_audit
- - name: "SCORED | 17.3.2 | PATCH | L1 Ensure Audit Process Creation is set to include Success"
+ - name: " 17.3.2 | PATCH | L1 | Ensure Audit Process Creation is set to include Success"
 win_shell: AuditPol /set /subcategory:"Process Creation" /success:enable
 when: "'Success' not in rule_17_3_2_audit.stdout"
 when:
@@ -233,15 +233,15 @@
 - rule_17.3.2
 - patch
-- name: "SCORED | 17.4.1 | PATCH | L1 Ensure Audit Directory Service Access is set to include Failure DC only"
+- name: " 17.4.1 | PATCH | L1 | Ensure Audit Directory Service Access is set to include Failure DC only"
 block:
- - name: "SCORED | 17.4.1 | AUDIT | L1 Ensure Audit Directory Service Access is set to include Failure DC only"
+ - name: " 17.4.1 | AUDIT | L1 | Ensure Audit Directory Service Access is set to include Failure DC only"
 win_shell: AuditPol /get /subcategory:"Directory Service Access" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 register: rule_17_4_1_audit
- - name: "SCORED | 17.4.1 | PATCH | L1 Ensure Audit Directory Service Access is set to include Failure DC only"
+ - name: " 17.4.1 | PATCH | L1 | Ensure Audit Directory Service Access is set to include Failure DC only"
 win_shell: AuditPol /set /subcategory:"Directory Service Access" /success:enable
 when: "'Success' not in rule_17_4_1_audit.stdout"
 when:
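Review bot: The 17.4.1 title requires `Directory Service Access` to include Failure, but the patch subtask runs `/success:enable` and its guard checks `'Success'`, so the Failure half is never enabled and the task goes quiet as soon as success auditing happens to be on. The two lines should read `win_shell: AuditPol /set /subcategory:"Directory Service Access" /failure:enable` and `when: "'Failure' not in rule_17_4_1_audit.stdout"`. 17.7.5 in hunk `@@ -540,15` has the same inversion: its title says `Other Policy Change Events` should include Failure, yet the task enables and checks Success. The enclosing task's `when:` continues outside the hunk.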
@@ -251,15 +251,15 @@
 - rule_17.4.1
 - patch
-- name: "SCORED | 17.4.2 | PATCH | L1 Ensure Audit Directory Service Changes is set to include Success DC only"
+- name: " 17.4.2 | PATCH | L1 | Ensure Audit Directory Service Changes is set to include Success DC only"
 block:
- - name: "SCORED | 17.4.2 | AUDIT | L1 Ensure Audit Directory Service Changes is set to include Success DC only"
+ - name: " 17.4.2 | AUDIT | L1 | Ensure Audit Directory Service Changes is set to include Success DC only"
 win_shell: AuditPol /get /subcategory:"Directory Service Changes" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 register: rule_17_4_2_audit
- - name: "SCORED | 17.4.2 | PATCH | L1 Ensure Audit Directory Service Changes is set to include Success DC only"
+ - name: " 17.4.2 | PATCH | L1 | Ensure Audit Directory Service Changes is set to include Success DC only"
 win_shell: AuditPol /set /subcategory:"Directory Service Changes" /success:enable
 when: "'Success' not in rule_17_4_2_audit.stdout"
 when:
@@ -269,15 +269,15 @@
 - rule_17.4.2
 - patch
-- name: "SCORED | 17.5.1 | PATCH | L1 Ensure Audit Account Lockout is set to include Failure"
+- name: " 17.5.1 | PATCH | L1 | Ensure Audit Account Lockout is set to include Failure"
 block:
- - name: "SCORED | 17.5.1 | AUDIT | L1 Ensure Audit Account Lockout is set to include Failure"
+ - name: " 17.5.1 | AUDIT | L1 | Ensure Audit Account Lockout is set to include Failure"
 win_shell: AuditPol /get /subcategory:"Account Lockout" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 register: rule_17_5_1_audit
- - name: "SCORED | 17.5.1 | PATCH | L1 Ensure Audit Account Lockout is set to include Failure"
+ - name: " 17.5.1 | PATCH | L1 | Ensure Audit Account Lockout is set to include Failure"
 win_shell: AuditPol /set /subcategory:"Account Lockout" /failure:enable
 when: "'Failure' not in rule_17_5_1_audit.stdout"
 when:
@@ -288,15 +288,15 @@
 - rule_17.5.1
 - patch
-- name: "SCORED | 17.5.2 | PATCH | L1 Ensure Audit Group Membership is set to include Success"
+- name: " 17.5.2 | PATCH | L1 | Ensure Audit Group Membership is set to include Success"
 block:
- - name: "SCORED | 17.5.2 | AUDIT | L1 Ensure Audit Group Membership is set to include Success"
+ - name: " 17.5.2 | AUDIT | L1 | Ensure Audit Group Membership is set to include Success"
 win_shell: AuditPol /get /subcategory:"Group Membership" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 register: rule_17_5_2_audit
- - name: "SCORED | 17.5.2 | PATCH | L1 Ensure Audit Group Membership is set to include Success"
+ - name: " 17.5.2 | PATCH | L1 | Ensure Audit Group Membership is set to include Success"
 win_shell: AuditPol /set /subcategory:"Group Membership" /success:enable
 when: "'Success' not in rule_17_5_2_audit.stdout"
 when:
@@ -307,15 +307,15 @@
 - rule_17.5.2
 - patch
-- name: "SCORED | 17.5.3 | AUDIT | L1 Ensure Audit Logoff is set to include Success"
+- name: " 17.5.3 | AUDIT | L1 | Ensure Audit Logoff is set to include Success"
 block:
- - name: "SCORED | 17.5.3 | AUDIT | L1 Ensure Audit Logoff is set to include Success"
+ - name: " 17.5.3 | AUDIT | L1 | Ensure Audit Logoff is set to include Success"
 win_shell: AuditPol /get /subcategory:"Logoff" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 register: rule_17_5_3_audit
- - name: "SCORED | 17.5.3 | PATCH | L1 Ensure Audit Logoff is set to include Success"
+ - name: " 17.5.3 | PATCH | L1 | Ensure Audit Logoff is set to include Success"
 win_shell: AuditPol /set /subcategory:"Logoff" /success:enable
 when: "'Success' not in rule_17_5_3_audit.stdout"
 when:
@@ -326,19 +326,19 @@
 - rule_17.5.3
 - patch
-- name: "SCORED | 17.5.4 | PATCH | L1 Ensure Audit Logon is set to Success and Failure"
+- name: " 17.5.4 | PATCH | L1 | Ensure Audit Logon is set to Success and Failure"
 block:
- - name: "SCORED | 17.5.4 | AUDIT | L1 Ensure Audit Logon is set to Success and Failure"
+ - name: " 17.5.4 | AUDIT | L1 | Ensure Audit Logon is set to Success and Failure"
 win_shell: AuditPol /get /subcategory:"Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 register: rule_17_5_4_audit
- - name: "SCORED | 17.5.4 | PATCH | L1 Ensure Audit Logon is set to Success and Failure | Success"
+ - name: " 17.5.4 | PATCH | L1 | Ensure Audit Logon is set to Success and Failure | Success"
 win_shell: AuditPol /set /subcategory:"Logon" /success:enable
 when: "'Failure' not in rule_17_5_4_audit.stdout"
- - name: "SCORED | 17.5.4 | PATCH | L1 Ensure Audit Logon is set to Success and Failure | Failure"
+ - name: " 17.5.4 | PATCH | L1 | Ensure Audit Logon is set to Success and Failure | Failure"
 win_shell: AuditPol /set /subcategory:"Logon" /failure:enable
 when: "'Failure' not in rule_17_5_4_audit.stdout"
 when:
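Review bot: The `| Success` subtask of 17.5.4 is guarded by `when: "'Failure' not in rule_17_5_4_audit.stdout"`, so whether Logon success auditing gets enabled depends on the state of failure auditing rather than its own: a host with Failure already on and Success off is left non-compliant, while a host with Success on and Failure off re-runs the set on every play. The guard should be `when: "'Success' not in rule_17_5_4_audit.stdout"`, as in the other two-sided tasks in this file. The enclosing task's `when:` continues outside the hunk.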
@@ -349,19 +349,19 @@
 - rule_17.5.4
 - patch
-- name: "SCORED | 17.5.5 | PATCH | L1 Ensure Audit Other LogonLogoff Events is set to Success and Failure"
+- name: " 17.5.5 | PATCH | L1 | Ensure Audit Other LogonLogoff Events is set to Success and Failure"
 block:
- - name: "SCORED | 17.5.5 | AUDIT | L1 Ensure Audit Other LogonLogoff Events is set to Success and Failure"
+ - name: " 17.5.5 | AUDIT | L1 | Ensure Audit Other LogonLogoff Events is set to Success and Failure"
 win_shell: AuditPol /get /subcategory:"Other Logon/Logoff Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 register: rule_17_5_5_audit
- - name: "SCORED | 17.5.5 | PATCH | L1 Ensure Audit Other LogonLogoff Events is set to Success and Failure | Success"
+ - name: " 17.5.5 | PATCH | L1 | Ensure Audit Other LogonLogoff Events is set to Success and Failure | Success"
 win_shell: AuditPol /set /subcategory:"Other Logon/Logoff Events" /success:enable
 when: "'Success' not in rule_17_5_5_audit.stdout"
- - name: "SCORED | 17.5.5 | PATCH | L1 Ensure Audit Other LogonLogoff Events is set to Success and Failure | Failure"
+ - name: " 17.5.5 | PATCH | L1 | Ensure Audit Other LogonLogoff Events is set to Success and Failure | Failure"
 win_shell: AuditPol /set /subcategory:"Other Logon/Logoff Events" /failure:enable
 when: "'Failure' not in rule_17_5_5_audit.stdout"
 when:
@@ -372,15 +372,15 @@
 - rule_17.5.5
 - patch
-- name: "SCORED | 17.5.6 | PATCH | L1 Ensure Audit Special Logon is set to include Success"
+- name: " 17.5.6 | PATCH | L1 | Ensure Audit Special Logon is set to include Success"
 block:
- - name: "SCORED | 17.5.6 | AUDIT | L1 Ensure Audit Special Logon is set to include Success"
+ - name: " 17.5.6 | AUDIT | L1 | Ensure Audit Special Logon is set to include Success"
 win_shell: AuditPol /get /subcategory:"Special Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 register: rule_17_5_6_audit
- - name: "SCORED | 17.5.6 | PATCH | L1 Ensure Audit Special Logon is set to include Success"
+ - name: " 17.5.6 | PATCH | L1 | Ensure Audit Special Logon is set to include Success"
 win_shell: AuditPol /set /subcategory:"Special Logon" /success:enable
 when: "'Success' not in rule_17_5_6_audit.stdout"
 when:
@@ -391,15 +391,15 @@
 - rule_17.5.6
 - patch
-- name: "SCORED | 17.6.1 | PATCH | L1 Ensure Audit Detailed File Share is set to include Failure"
+- name: " 17.6.1 | PATCH | L1 | Ensure Audit Detailed File Share is set to include Failure"
 block:
- - name: "SCORED | 17.6.1 | AUDIT | L1 Ensure Audit Detailed File Share is set to include Failure"
+ - name: " 17.6.1 | AUDIT | L1 | Ensure Audit Detailed File Share is set to include Failure"
 win_shell: AuditPol /get /subcategory:"Detailed File Share" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 register: rule_17_6_1_audit
- - name: "SCORED | 17.6.1 | PATCH | L1 Ensure Audit Detailed File Share is set to include Failure"
+ - name: " 17.6.1 | PATCH | L1 | Ensure Audit Detailed File Share is set to include Failure"
 win_shell: AuditPol /set /subcategory:"Detailed File Share" /failure:enable
 when: "'Failure' not in rule_17_6_1_audit.stdout"
 when:
@@ -410,15 +410,15 @@
 - rule_17.6.1
 - patch
-- name: "SCORED | 17.6.2 | PATCH | L1 Ensure Audit File Share is set to Success and Failure"
+- name: " 17.6.2 | PATCH | L1 | Ensure Audit File Share is set to Success and Failure"
 block:
- - name: "SCORED | 17.6.2 | AUDIT | L1 Ensure Audit File Share is set to Success and Failure"
+ - name: " 17.6.2 | AUDIT | L1 | Ensure Audit File Share is set to Success and Failure"
 win_shell: AuditPol /get /subcategory:"File Share" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 register: rule_17_6_2_audit
- - name: "SCORED | 17.6.2 | PATCH | L1 Ensure Audit File Share is set to Success and Failure"
+ - name: " 17.6.2 | PATCH | L1 | Ensure Audit File Share is set to Success and Failure"
 win_shell: AuditPol /set /subcategory:"File Share" /failure:enable
 when: "'Failure' not in rule_17_6_2_audit.stdout"
 when:
@@ -429,7 +429,7 @@
 - rule_17.6.2
 - patch
-- name: "SCORED | 17.6.3 | PATCH | L1 Ensure Audit Other Object Access Events is set to Success and Failure"
+- name: " 17.6.3 | PATCH | L1 | Ensure Audit Other Object Access Events is set to Success and Failure"
 win_audit_policy_system:
 subcategory: Other Object Access Events
 audit_type: success, failure
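Review bot: 17.6.2 is titled `Audit File Share is set to Success and Failure`, but the block in `@@ -410,15` only contains a `/failure:enable` subtask, so Success auditing for File Share is never enabled; a second subtask with `win_shell: AuditPol /set /subcategory:"File Share" /success:enable` and `when: "'Success' not in rule_17_6_2_audit.stdout"` is needed, as 17.5.5 does in `@@ -349,19`. 17.6.4 in hunk `@@ -441,15` is the mirror image: titled Success and Failure, it only runs `/success:enable`. The 17.6.3 task in `@@ -429,7` shows the tidier form — `win_audit_policy_system` with `audit_type: success, failure` sets both halves idempotently without a separate shell audit step — and would suit all the two-sided rules in this file. The 17.6.2 task's `when:` continues outside the hunk.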
@@ -441,15 +441,15 @@
 - rule_17.6.3
 - patch
-- name: "SCORED | 17.6.4 | PATCH | L1 Ensure Audit Removable Storage is set to Success and Failure"
+- name: " 17.6.4 | PATCH | L1 | Ensure Audit Removable Storage is set to Success and Failure"
 block:
- - name: "SCORED | 17.6.4 | AUDIT | L1 Ensure Audit Removable Storage is set to Success and Failure"
+ - name: " 17.6.4 | AUDIT | L1 | Ensure Audit Removable Storage is set to Success and Failure"
 win_shell: AuditPol /get /subcategory:"Removable Storage" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 register: rule_17_6_4_audit
- - name: "SCORED | 17.6.4 | PATCH | L1 Ensure Audit Removable Storage is set to Success and Failure"
+ - name: " 17.6.4 | PATCH | L1 | Ensure Audit Removable Storage is set to Success and Failure"
 win_shell: AuditPol /set /subcategory:"Removable Storage" /success:enable
 when: "'Success' not in rule_17_6_4_audit.stdout"
 when:
@@ -460,15 +460,15 @@
 - rule_17.6.4
 - patch
-- name: "SCORED | 17.7.1 | PATCH | L1 Ensure Audit Audit Policy Change is set to include Success"
+- name: " 17.7.1 | PATCH | L1 | Ensure Audit Audit Policy Change is set to include Success"
 block:
- - name: "SCORED | 17.7.1 | AUDIT | L1 Ensure Audit Audit Policy Change is set to include Success"
+ - name: " 17.7.1 | AUDIT | L1 | Ensure Audit Audit Policy Change is set to include Success"
 win_shell: AuditPol /get /subcategory:"Audit Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 register: rule_17_7_1_audit
- - name: "SCORED | 17.7.1 | PATCH | L1 Ensure Audit Audit Policy Change is set to include Success"
+ - name: " 17.7.1 | PATCH | L1 | Ensure Audit Audit Policy Change is set to include Success"
 win_shell: AuditPol /set /subcategory:"Audit Policy Change" /success:enable
 when: "'Success' not in rule_17_7_1_audit.stdout"
 when:
@@ -479,15 +479,15 @@
 - rule_17.7.1
 - patch
-- name: "SCORED | 17.7.2 | PATCH | L1 Ensure Audit Authentication Policy Change is set to include Success"
+- name: " 17.7.2 | PATCH | L1 | Ensure Audit Authentication Policy Change is set to include Success"
 block:
- - name: "SCORED | 17.7.2 | AUDIT | L1 Ensure Audit Authentication Policy Change is set to include Success"
+ - name: " 17.7.2 | AUDIT | L1 | Ensure Audit Authentication Policy Change is set to include Success"
 win_shell: AuditPol /get /subcategory:"Authentication Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 register: rule_17_7_2_audit
- - name: "SCORED | 17.7.2 | PATCH | L1 Ensure Audit Authentication Policy Change is set to include Success"
+ - name: " 17.7.2 | PATCH | L1 | Ensure Audit Authentication Policy Change is set to include Success"
 win_shell: AuditPol /set /subcategory:"Authentication Policy Change" /success:enable
 when: "'Success' not in rule_17_7_2_audit.stdout"
 when:
@@ -498,15 +498,15 @@
 - rule_17.7.2
 - patch
-- name: "SCORED | 17.7.3 | PATCH | L1 Ensure Audit Authorization Policy Change is set to include Success"
+- name: " 17.7.3 | PATCH | L1 | Ensure Audit Authorization Policy Change is set to include Success"
 block:
- - name: "SCORED | 17.7.3 | AUDIT | L1 Ensure Audit Authorization Policy Change is set to include Success"
+ - name: " 17.7.3 | AUDIT | L1 | Ensure Audit Authorization Policy Change is set to include Success"
 win_shell: AuditPol /get /subcategory:"Authorization Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 register: rule_17_7_3_audit
- - name: "SCORED | 17.7.3 | PATCH | L1 Ensure Audit Authorization Policy Change is set to include Success"
+ - name: " 17.7.3 | PATCH | L1 | Ensure Audit Authorization Policy Change is set to include Success"
 win_shell: AuditPol /set /subcategory:"Authorization Policy Change" /success:enable
 when: "'Success' not in rule_17_7_3_audit.stdout"
 when:
@@ -517,19 +517,19 @@
 - rule_17.7.3
 - patch
-- name: "SCORED | 17.7.4 | PATCH | L1 Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure"
+- name: " 17.7.4 | PATCH | L1 | Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure"
 block:
- - name: "SCORED | 17.7.4 | AUDIT | L1 Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure"
+ - name: " 17.7.4 | AUDIT | L1 | Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure"
 win_shell: AuditPol /get /subcategory:"MPSSVC Rule-Level Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 register: rule_17_7_4_audit
- - name: "SCORED | 17.7.4 | PATCH | L1 Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure | Success"
+ - name: " 17.7.4 | PATCH | L1 | Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure | Success"
 win_shell: AuditPol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable
 when: "'Success' not in rule_17_7_4_audit.stdout"
- - name: "SCORED | 17.7.4 | PATCH | L1 Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure | Failure"
+ - name: " 17.7.4 | PATCH | L1 | Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure | Failure"
 win_shell: AuditPol /set /subcategory:"MPSSVC Rule-Level Policy Change" /failure:enable
 when: "'Failure' not in rule_17_7_4_audit.stdout"
 when:
@@ -540,15 +540,15 @@
 - rule_17.7.4
 - patch
-- name: "SCORED | 17.7.5 | PATCH | L1 Ensure Audit Other Policy Change Events is set to include Failure"
+- name: " 17.7.5 | PATCH | L1 | Ensure Audit Other Policy Change Events is set to include Failure"
 block:
- - name: "SCORED | 17.7.5 | AUDIT | L1 Ensure Audit Other Policy Change Events is set to include Failure"
+ - name: " 17.7.5 | AUDIT | L1 | Ensure Audit Other Policy Change Events is set to include Failure"
 win_shell: AuditPol /get /subcategory:"Other Policy Change Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 register: rule_17_7_5_audit
- - name: "SCORED | 17.7.5 | PATCH | L1 Ensure Audit Other Policy Change Events is set to include Failure"
+ - name: " 17.7.5 | PATCH | L1 | Ensure Audit Other Policy Change Events is set to include Failure"
 win_shell: AuditPol /set /subcategory:"Other Policy Change Events" /success:enable
 when: "'Success' not in rule_17_7_5_audit.stdout"
 when:
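Review bot: The patch sub-task for 17.7.5 enables the wrong audit setting: the benchmark title carried into the renamed name asks for Failure auditing of `Other Policy Change Events`, but the `win_shell` line runs `/success:enable` and its guard tests `'Success' not in rule_17_7_5_audit.stdout`, so Failure auditing is never switched on and a host stays non-compliant while the play reports it handled. The commit only renames the task and leaves this as it was. The fix is `win_shell: AuditPol /set /subcategory:"Other Policy Change Events" /failure:enable` together with `when: "'Failure' not in rule_17_7_5_audit.stdout"`, mirroring the Failure sub-tasks of 17.7.4 and 17.8.1 in the neighbouring hunks. The task's trailing `when:` list continues outside the hunk.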
@@ -559,19 +559,19 @@
 - rule_17.7.5
 - patch
-- name: "SCORED | 17.8.1 | PATCH | L1 Ensure Audit Sensitive Privilege Use is set to Success and Failure"
+- name: " 17.8.1 | PATCH | L1 | Ensure Audit Sensitive Privilege Use is set to Success and Failure"
 block:
- - name: "SCORED | 17.8.1 | AUDIT | L1 Ensure Audit Sensitive Privilege Use is set to Success and Failure"
+ - name: " 17.8.1 | AUDIT | L1 | Ensure Audit Sensitive Privilege Use is set to Success and Failure"
 win_shell: AuditPol /get /subcategory:"Sensitive Privilege Use" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 register: rule_17_8_1_audit
- - name: "SCORED | 17.8.1 | PATCH | L1 Ensure Audit Sensitive Privilege Use is set to Success and Failure | Success"
+ - name: " 17.8.1 | PATCH | L1 | Ensure Audit Sensitive Privilege Use is set to Success and Failure | Success"
 win_shell: AuditPol /set /subcategory:"Sensitive Privilege Use" /success:enable
 when: "'Success' not in rule_17_8_1_audit.stdout"
- - name: "SCORED | 17.8.1 | PATCH | L1 Ensure Audit Sensitive Privilege Use is set to Success and Failure | Failure"
+ - name: " 17.8.1 | PATCH | L1 | Ensure Audit Sensitive Privilege Use is set to Success and Failure | Failure"
 win_shell: AuditPol /set /subcategory:"Sensitive Privilege Use" /failure:enable
 when: "'Failure' not in rule_17_8_1_audit.stdout"
 when:
@@ -582,19 +582,19 @@
 - rule_17.8.1
 - patch
-- name: "SCORED | 17.9.1 | PATCH | L1 Ensure Audit IPsec Driver is set to Success and Failure"
+- name: " 17.9.1 | PATCH | L1 | Ensure Audit IPsec Driver is set to Success and Failure"
 block:
- - name: "SCORED | 17.9.1 | AUDIT | L1 Ensure Audit IPsec Driver is set to Success and Failure"
+ - name: " 17.9.1 | AUDIT | L1 | Ensure Audit IPsec Driver is set to Success and Failure"
 win_shell: AuditPol /get /subcategory:"IPsec Driver" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 register: rule_17_9_1_audit
- - name: "SCORED | 17.9.1 | PATCH | L1 Ensure Audit IPsec Driver is set to Success and Failure | Success"
+ - name: " 17.9.1 | PATCH | L1 | Ensure Audit IPsec Driver is set to Success and Failure | Success"
 win_shell: AuditPol /set /subcategory:"IPsec Driver" /success:enable
 when: "'Success' not in rule_17_9_1_audit.stdout"
- - name: "SCORED | 17.9.1 | PATCH | L1 Ensure Audit IPsec Driver is set to Success and Failure | Failure"
+ - name: " 17.9.1 | PATCH | L1 | Ensure Audit IPsec Driver is set to Success and Failure | Failure"
 win_shell: AuditPol /set /subcategory:"IPsec Driver" /failure:enable
 when: "'Failure' not in rule_17_9_1_audit.stdout"
 when:
@@ -605,19 +605,19 @@
 - rule_17.9.1
 - patch
-- name: "SCORED | 17.9.2 | PATCH | L1 Ensure Audit Other System Events is set to Success and Failure"
+- name: " 17.9.2 | PATCH | L1 | Ensure Audit Other System Events is set to Success and Failure"
 block:
- - name: "SCORED | 17.9.2 | AUDIT | L1 Ensure Audit Other System Events is set to Success and Failure"
+ - name: " 17.9.2 | AUDIT | L1 | Ensure Audit Other System Events is set to Success and Failure"
 win_shell: AuditPol /get /subcategory:"Other System Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 register: rule_17_9_2_audit
- - name: "SCORED | 17.9.2 | PATCH | L1 Ensure Audit Other System Events is set to Success and Failure | Success"
+ - name: " 17.9.2 | PATCH | L1 | Ensure Audit Other System Events is set to Success and Failure | Success"
 win_shell: AuditPol /set /subcategory:"Other System Events" /success:enable
 when: "'Success' not in rule_17_9_2_audit.stdout"
- - name: "SCORED | 17.9.2 | PATCH | L1 Ensure Audit Other System Events is set to Success and Failure | Failure"
+ - name: " 17.9.2 | PATCH | L1 | Ensure Audit Other System Events is set to Success and Failure | Failure"
 win_shell: AuditPol /set /subcategory:"Other System Events" /failure:enable
 when: "'Failure' not in rule_17_9_2_audit.stdout"
 when:
@@ -628,15 +628,15 @@
 - rule_17.9.2
 - patch
-- name: "SCORED | 17.9.3 | PATCH | L1 Ensure Audit Security State Change is set to include Success"
+- name: " 17.9.3 | PATCH | L1 | Ensure Audit Security State Change is set to include Success"
 block:
- - name: "SCORED | 17.9.3 | AUDIT | L1 Ensure Audit Security State Change is set to include Success"
+ - name: " 17.9.3 | AUDIT | L1 | Ensure Audit Security State Change is set to include Success"
 win_shell: AuditPol /get /subcategory:"Security State Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 register: rule_17_9_3_audit
- - name: "SCORED | 17.9.3 | PATCH | L1 Ensure Audit Security State Change is set to include Success"
+ - name: " 17.9.3 | PATCH | L1 | Ensure Audit Security State Change is set to include Success"
 win_shell: AuditPol /set /subcategory:"Security State Change" /success:enable
 when: "'Success' not in rule_17_9_3_audit.stdout"
 when:
@@ -647,15 +647,15 @@
 - rule_17.9.3
 - patch
-- name: "SCORED | 17.9.4 | PATCH | L1 Ensure Audit Security System Extension is set to include Success"
+- name: " 17.9.4 | PATCH | L1 | Ensure Audit Security System Extension is set to include Success"
 block:
- - name: "SCORED | 17.9.4 | AUDIT | L1 Ensure Audit Security System Extension is set to include Success"
+ - name: " 17.9.4 | AUDIT | L1 | Ensure Audit Security System Extension is set to include Success"
 win_shell: AuditPol /get /subcategory:"Security System Extension" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 register: rule_17_9_4_audit
- - name: "SCORED | 17.9.4 | PATCH | L1 Ensure Audit Security System Extension is set to include Success"
+ - name: " 17.9.4 | PATCH | L1 | Ensure Audit Security System Extension is set to include Success"
 win_shell: AuditPol /set /subcategory:"Security System Extension" /success:enable
 when: "'Success' not in rule_17_9_4_audit.stdout"
 when:
@@ -666,20 +666,20 @@
 - rule_17.9.4
 - patch
-- name: "SCORED | 17.9.5 | PATCH | L1 Ensure Audit System Integrity is set to Success and Failure"
+- name: " 17.9.5 | PATCH | L1 | Ensure Audit System Integrity is set to Success and Failure"
 block:
- - name: "SCORED | 17.9.5 | AUDIT | L1 Ensure Audit System Integrity is set to Success and Failure"
+ - name: " 17.9.5 | AUDIT | L1 | Ensure Audit System Integrity is set to Success and Failure"
 win_shell: AuditPol /get /subcategory:"System Integrity" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 register: rule_17_9_5_audit
- - name: "SCORED | 17.9.5 | PATCH | L1 Ensure Audit System Integrity is set to Success and Failure | Success"
+ - name: " 17.9.5 | PATCH | L1 | Ensure Audit System Integrity is set to Success and Failure | Success"
 win_shell: AuditPol /set /subcategory:"System Integrity" /success:enable
 changed_when: "'Success' not in rule_17_9_5_audit.stdout"
 when: "'Success' not in rule_17_9_5_audit.stdout"
- - name: "SCORED | 17.9.5 | PATCH | L1 Ensure Audit System Integrity is set to Success and Failure | Failure"
+ - name: " 17.9.5 | PATCH | L1 | Ensure Audit System Integrity is set to Success and Failure | Failure"
 win_shell: AuditPol /set /subcategory:"System Integrity" /failure:enable
 changed_when: "'Failure' not in rule_17_9_5_audit.stdout"
 when: "'Failure' not in rule_17_9_5_audit.stdout"
diff --git a/tasks/section18.yml b/tasks/section18.yml
index bbdf407..ab10bcc 100644
--- a/tasks/section18.yml
+++ b/tasks/section18.yml
@@ -1,5 +1,5 @@
 ---
-- name: "SCORED | 18.1.1.1 | PATCH | L1 Ensure Prevent enabling lock screen camera is set to Enabled"
+- name: "18.1.1.1 | PATCH | L1 | Ensure Prevent enabling lock screen camera is set to Enabled"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\Personalization
 name: NoLockScreenCamera
@@ -13,7 +13,7 @@
 - rule_18.1.1.1
 - patch
-- name: "SCORED | 18.1.1.2 | PATCH | L1 Ensure Prevent enabling lock screen slide show is set to Enabled"
+- name: "18.1.1.2 | PATCH | L1 | Ensure Prevent enabling lock screen slide show is set to Enabled"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\Personalization
 name: NoLockScreenSlideshow
@@ -27,7 +27,7 @@
 - rule_18.1.1.2
 - patch
-- name: "SCORED | 18.1.2.2 | PATCH | L1 Ensure Allow users to enable online speech recognition services is set to Disabled"
+- name: "18.1.2.2 | PATCH | L1 | Ensure Allow users to enable online speech recognition services is set to Disabled"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\InputPersonalization
 name: "AllowInputPersonalization"
@@ -41,7 +41,7 @@
 - rule_18.1.2.2
 - patch
-- name: "SCORED | 18.1.3 | PATCH | L2 Ensure Allow Online Tips is set to Disabled"
+- name: "18.1.3 | PATCH | L2 | Ensure Allow Online Tips is set to Disabled"
 win_regedit:
 path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
 name: AllowOnlineTips
@@ -55,7 +55,7 @@
 - rule_18.1.3
 - patch
-- name: "SCORED | 18.2.1 | PATCH | L1 Ensure LAPS AdmPwd GPO Extension CSE is installed MS only"
+- name: "18.2.1 | PATCH | L1 | Ensure LAPS AdmPwd GPO Extension CSE is installed MS only"
 win_regedit:
 path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}
 name: DllName
@@ -69,7 +69,7 @@
 - rule_18.2.1
 - patch
-- name: "SCORED | 18.2.2 | PATCH | L1 Ensure Do not allow password expiration time longer than required by policy is set to Enabled MS only"
+- name: "18.2.2 | PATCH | L1 | Ensure Do not allow password expiration time longer than required by policy is set to Enabled MS only"
 win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd
 name: PwdExpirationProtectionEnabled
@@ -83,7 +83,7 @@
 - rule_18.2.2
 - patch
-- name: "SCORED | 18.2.3 | PATCH | L1 Ensure Enable Local Admin Password Management is set to Enabled MS only"
+- name: "18.2.3 | PATCH | L1 | Ensure Enable Local Admin Password Management is set to Enabled MS only"
 win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd
 name: AdmPwdEnabled
@@ -97,7 +97,7 @@
 - rule_18.2.3
 - patch
-- name: "SCORED | 18.2.4 | PATCH | L1 Ensure Password Settings Password Complexity is set to Enabled Large letters small letters numbers special characters MS only"
+- name: "18.2.4 | PATCH | L1 | Ensure Password Settings Password Complexity is set to Enabled Large letters small letters numbers special characters MS only"
 win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd
 name: PasswordComplexity
@@ -111,7 +111,7 @@
 - rule_18.2.4
 - patch
-- name: "SCORED | 18.2.5 | PATCH | L1 Ensure Password Settings Password Length is set to Enabled 15 or more MS only"
+- name: "18.2.5 | PATCH | L1 | Ensure Password Settings Password Length is set to Enabled 15 or more MS only"
 win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd
 name: PasswordLength
@@ -125,7 +125,7 @@
 - rule_18.2.5
 - patch
-- name: "SCORED | 18.2.6 | PATCH | L1 Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only"
+- name: "18.2.6 | PATCH | L1 | Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only"
 win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd
 name: PasswordAgeDays
@@ -139,7 +139,7 @@
 - rule_18.2.6
 - patch
-- name: "SCORED | 18.3.1 | PATCH | L1 Ensure Apply UAC restrictions to local accounts on network logons is set to Enabled MS only"
+- name: "18.3.1 | PATCH | L1 | Ensure Apply UAC restrictions to local accounts on network logons is set to Enabled MS only"
 win_regedit:
 path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
 name: LocalAccountTokenFilterPolicy
@@ -153,7 +153,7 @@
 - rule_18.3.1
 - patch
-- name: "SCORED | 18.3.2 | PATCH | L1 Ensure Configure SMB v1 client driver is set to Enabled Disable driver recommended"
+- name: "18.3.2 | PATCH | L1 | Ensure Configure SMB v1 client driver is set to Enabled Disable driver recommended"
 win_regedit:
 path: HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10
 name: Start
@@ -167,7 +167,7 @@
 - rule_18.3.2
 - patch
-- name: "SCORED | 18.3.3 | PATCH | L1 Ensure Configure SMB v1 server is set to Disabled"
+- name: "18.3.3 | PATCH | L1 | Ensure Configure SMB v1 server is set to Disabled"
 win_regedit:
 path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
 name: SMB1
@@ -183,7 +183,7 @@
 - rule_18.3.3
 - patch
-- name: "SCORED | 18.3.4 | PATCH | L1 Ensure Enable Structured Exception Handling Overwrite Protection SEHOP is set to Enabled"
+- name: "18.3.4 | PATCH | L1 | Ensure Enable Structured Exception Handling Overwrite Protection SEHOP is set to Enabled"
 win_regedit:
 path: HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel
 name: DisableExceptionChainValidation
@@ -198,21 +198,7 @@
 - rule_18.3.4
 - patch
-- name: "SCORED | 18.3.5 | PATCH | L1 Ensure Extended Protection for LDAP Authentication Domain Controllers only is set to Enabled Enabled always recommended DC Only"
- win_regedit:
- path: HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
- name: LdapEnforceChannelBinding
- data: 1
- type: dword
- when:
- - rule_18_3_5
- - ansible_windows_domain_role == "Primary domain controller"
- tags:
- - level1-domaincontroller
- - rule_18.3.5
- - patch
-
-- name: "SCORED | 18.3.6 | PATCH | L1 Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node recommended'"
+- name: "18.3.5 | PATCH | L1 | Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node recommended'"
 win_regedit:
 path: HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
 state: present
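Review bot: In the last hunk here (`@@ -198,21 +198,7 @@`) the LDAP channel-binding task (`LdapEnforceChannelBinding`, gated on `ansible_windows_domain_role == "Primary domain controller"`) is deleted outright rather than relocated, and its control variable `rule_18_3_5` is reassigned to the NetBT NodeType task in the next hunk (`- rule_18_3_6` becomes `- rule_18_3_5` under `when:`), with WDigest likewise moving from `rule_18_3_7` to `rule_18_3_6`. Any inventory or group_vars that set `rule_18_3_5: false` to opt out of the LDAP change will now silently skip the NetBT control instead, and if defaults/main.yml still declares `rule_18_3_7` it is left with no consumer; this chunk does not show whether defaults were adjusted. If the benchmark revision this commit tracks still carries the LDAP channel-binding recommendation under a new ID, the task should move with it rather than disappear; otherwise a short changelog entry naming the dropped control and the renumbered variables would spare operators an unnoticed regression on domain controllers.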
@@ -220,14 +206,14 @@
 data: "{{ netbt_nodetype }}"
 datatype: dword
 when:
- - rule_18_3_6
+ - rule_18_3_5
 tags:
 - level1-domaincontroller
 - level1-memberserver
- - rule_18.3.6
+ - rule_18.3.5
 - patch
-- name: "SCORED | 18.3.7 | PATCH | L1 Ensure WDigest Authentication is set to Disabled"
+- name: "18.3.6 | PATCH | L1 | Ensure WDigest Authentication is set to Disabled"
 win_regedit:
 path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest
 state: present
@@ -235,15 +221,16 @@
 data: 0
 datatype: dword
 when:
- - rule_18_3_7
+ - rule_18_3_6
 tags:
 - level1-domaincontroller
 - level1-memberserver
- - rule_18.3.7
+ - rule_18.3.6
 - patch
+## 18.4.x
-- name: "SCORED | 18.4.1 | PATCH | L1 Ensure MSS AutoAdminLogon Enable Automatic Logon not recommended is set to Disabled"
+- name: "18.4.1 | PATCH | L1 | Ensure MSS AutoAdminLogon Enable Automatic Logon not recommended is set to Disabled"
 win_regedit:
 path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
 state: present
@@ -258,7 +245,7 @@
 - rule_18.4.1
 - patch
-- name: "SCORED | 18.4.2 | PATCH | L1 Ensure MSS DisableIPSourceRouting IPv6 IP source routing protection level protects against packet spoofing is set to Enabled Highest protection source routing is completely disabled"
+- name: "18.4.2 | PATCH | L1 | Ensure MSS DisableIPSourceRouting IPv6 IP source routing protection level protects against packet spoofing is set to Enabled Highest protection source routing is completely disabled"
 win_regedit:
 path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters
 state: present
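Review bot: The section comment added in the second hunk, `+## 18.4.x`, is written with a doubled hash and placed directly under the preceding task's `- patch` line, whereas the equivalent comment added later for 18.5.4 (`# 18.5.4.x`) uses a single hash and is set off by a blank line on each side. The two markers will be read as the same kind of heading, so one form should be used for both; `# 18.4.x` with a blank line before it matches the later hunk and the `# ` comment style used elsewhere in the file.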
@@ -273,7 +260,7 @@
 - rule_18.4.2
 - patch
-- name: "SCORED | 18.4.3 | PATCH | L1 Ensure MSS DisableIPSourceRouting IP source routing protection level protects against packet spoofing is set to Enabled Highest protection source routing is completely disabled"
+- name: "18.4.3 | PATCH | L1 | Ensure MSS DisableIPSourceRouting IP source routing protection level protects against packet spoofing is set to Enabled Highest protection source routing is completely disabled"
 win_regedit:
 path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
 state: present
@@ -288,7 +275,7 @@
 - rule_18.4.3
 - patch
-- name: "SCORED | 18.4.4 | PATCH | L1 Ensure MSS EnableICMPRedirect Allow ICMP redirects to override OSPF generated routes is set to Disabled"
+- name: "18.4.4 | PATCH | L1 | Ensure MSS EnableICMPRedirect Allow ICMP redirects to override OSPF generated routes is set to Disabled"
 win_regedit:
 path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
 state: present
@@ -303,7 +290,7 @@
 - rule_18.4.4
 - patch
-- name: "SCORED | 18.4.5 | PATCH | L2 Ensure MSS KeepAliveTime How often keep-alive packets are sent in milliseconds is set to Enabled 300000 or 5 minutes recommended"
+- name: "18.4.5 | PATCH | L2 | Ensure MSS KeepAliveTime How often keep-alive packets are sent in milliseconds is set to Enabled 300000 or 5 minutes recommended"
 win_regedit:
 path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
 state: present
@@ -318,7 +305,7 @@
 - rule_18.4.5
 - patch
-- name: "SCORED | 18.4.6 | PATCH | L1 Ensure MSS NoNameReleaseOnDemand Allow the computer to ignore NetBIOS name release requests except from WINS servers is set to Enabled"
+- name: "18.4.6 | PATCH | L1 | Ensure MSS NoNameReleaseOnDemand Allow the computer to ignore NetBIOS name release requests except from WINS servers is set to Enabled"
 win_regedit:
 path: HKLM:\System\Currentcontrolset\Services\Netbt\Parameters
 state: present
@@ -333,7 +320,7 @@
 - rule_18.4.6
 - patch
-- name: "SCORED | 18.4.7 | PATCH | L2 Ensure MSS PerformRouterDiscovery Allow IRDP to detect and configure Default Gateway addresses could lead to DoS is set to Disabled"
+- name: "18.4.7 | PATCH | L2 | Ensure MSS PerformRouterDiscovery Allow IRDP to detect and configure Default Gateway addresses could lead to DoS is set to Disabled"
 win_regedit:
 path: HKLM:\System\Currentcontrolset\Services\Tcpip\Parameters
 state: present
@@ -348,7 +335,7 @@
 - rule_18.4.7
 - patch
-- name: "SCORED | 18.4.8 | PATCH | L1 Ensure MSS SafeDllSearchMode Enable Safe DLL search mode recommended is set to Enabled"
+- name: "18.4.8 | PATCH | L1 | Ensure MSS SafeDllSearchMode Enable Safe DLL search mode recommended is set to Enabled"
 win_regedit:
 path: HKLM:\System\Currentcontrolset\Control\Session Manager
 name: SafeDllSearchMode
@@ -363,7 +350,7 @@
 - rule_18.4.8
 - patch
-- name: "SCORED | 18.4.9 | PATCH | L1 Ensure MSS ScreenSaverGracePeriod The time in seconds before the screen saver grace period expires 0 recommended is set to Enabled 5 or fewer seconds"
+- name: "18.4.9 | PATCH | L1 | Ensure MSS ScreenSaverGracePeriod The time in seconds before the screen saver grace period expires 0 recommended is set to Enabled 5 or fewer seconds"
 win_regedit:
 path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon
 name: ScreenSaverGracePeriod
@@ -378,7 +365,7 @@
 - rule_18.4.9
 - patch
-- name: "SCORED | 18.4.10 | PATCH | L2 Ensure MSS TcpMaxDataRetransmissions IPv6 How many times unacknowledged data is retransmitted is set to Enabled 3"
+- name: "18.4.10 | PATCH | L2 | Ensure MSS TcpMaxDataRetransmissions IPv6 How many times unacknowledged data is retransmitted is set to Enabled 3"
 win_regedit:
 path: HKLM:\System\Currentcontrolset\Services\Tcpip6\Parameters
 name: TcpMaxDataRetransmissions
@@ -392,7 +379,7 @@
 - rule_18.4.10
 - patch
-- name: "SCORED | 18.4.11 | PATCH | L2 Ensure MSS TcpMaxDataRetransmissions How many times unacknowledged data is retransmitted is set to Enabled 3"
+- name: "18.4.11 | PATCH | L2 | Ensure MSS TcpMaxDataRetransmissions How many times unacknowledged data is retransmitted is set to Enabled 3"
 win_regedit:
 path: HKLM:\System\Currentcontrolset\Services\Tcpip\Parameters
 name: TcpMaxDataRetransmissions
@@ -406,7 +393,7 @@
 - rule_18.4.11
 - patch
-- name: "SCORED | 18.4.12 | PATCH | L1 Ensure MSS WarningLevel Percentage threshold for the security event log at which the system will generate a warning is set to Enabled 90 or less"
+- name: "18.4.12 | PATCH | L1 | Ensure MSS WarningLevel Percentage threshold for the security event log at which the system will generate a warning is set to Enabled 90 or less"
 win_regedit:
 path: HKLM:\System\Currentcontrolset\Services\Eventlog\Security
 name: WarningLevel
@@ -420,7 +407,10 @@
 - rule_18.4.12
 - patch
-- name: "SCORED | 18.5.4.1 | PATCH | L1 Ensure Turn off multicast name resolution is set to Enabled MS Only"
+
+# 18.5.4.x
+
+- name: "18.5.4.1 | PATCH | L1 | Ensure Turn off multicast name resolution is set to Enabled MS Only"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient
 name: EnableMulticast
@@ -435,7 +425,7 @@
 - rule_18.5.4.1
 - patch
-- name: "SCORED | 18.5.5.1 | PATCH | L2 Ensure Enable Font Providers is set to Disabled"
+- name: "18.5.5.1 | PATCH | L2 | Ensure Enable Font Providers is set to Disabled"
 win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System
 name: EnableFontProviders
@@ -449,7 +439,7 @@
 - rule_18.5.5.1
 - patch
-- name: "SCORED | 18.5.8.1 | PATCH | L1 Ensure Enable insecure guest logons is set to Disabled"
+- name: "18.5.8.1 | PATCH | L1 | Ensure Enable insecure guest logons is set to Disabled"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\Lanmanworkstation
 name: AllowInsecureGuestAuth
@@ -463,30 +453,30 @@
 - rule_18.5.8.1
 - patch
-- name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled"
+- name: "18.5.9.1 | PATCH | L2 | Ensure Turn on Mapper IO LLTDIO driver is set to Disabled"
 block:
- - name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | AllowLLTDIOOndomain"
+ - name: "18.5.9.1 | PATCH | L2 | Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | AllowLLTDIOOndomain"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\Lltd
 name: AllowLLTDIOOndomain
 data: 0
 type: dword
- - name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | AllowLLTDIOOnPublicNet"
+ - name: "18.5.9.1 | PATCH | L2 | Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | AllowLLTDIOOnPublicNet"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\Lltd
 name: AllowLLTDIOOnPublicNet
 data: 0
 type: dword
- - name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | EnableLLTDIO"
+ - name: "18.5.9.1 | PATCH | L2 | Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | EnableLLTDIO"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\Lltd
 name: EnableLLTDIO
 data: 0
 type: dword
- - name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | ProhibitLLTDIOOnPrivateNet"
+ - name: "18.5.9.1 | PATCH | L2 | Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | ProhibitLLTDIOOnPrivateNet"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\Lltd
 name: ProhibitLLTDIOOnPrivateNet
@@ -500,30 +490,30 @@
 - rule_18.5.9.1
 - patch
-- name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled"
+- name: "18.5.9.2 | PATCH | L2 | Ensure Turn on Responder RSPNDR driver is set to Disabled"
 block:
- - name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled | AllowRspndrOnDomain"
+ - name: "18.5.9.2 | PATCH | L2 | Ensure Turn on Responder RSPNDR driver is set to Disabled | AllowRspndrOnDomain"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\Lltd
 name: AllowRspndrOnDomain
 data: 0
 type: dword
- - name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled | AllowRspndrOnPublicNet"
+ - name: "18.5.9.2 | PATCH | L2 | Ensure Turn on Responder RSPNDR driver is set to Disabled | AllowRspndrOnPublicNet"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\Lltd
 name: AllowRspndrOnPublicNet
 data: 0
 type: dword
- - name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled | EnableRspndr"
+ - name: "18.5.9.2 | PATCH | L2 | Ensure Turn on Responder RSPNDR driver is set to Disabled | EnableRspndr"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\Lltd
 name: EnableRspndr
 data: 0
 type: dword
- - name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled | ProhibitRspndrOnPrivateNet"
+ - name: "18.5.9.2 | PATCH | L2 | Ensure Turn on Responder RSPNDR driver is set to Disabled | ProhibitRspndrOnPrivateNet"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\Lltd
 name: ProhibitRspndrOnPrivateNet
@@ -537,7 +527,7 @@
 - rule_18.5.9.2
 - patch
-- name: "SCORED | 18.5.10.2 | PATCH | L2 Ensure Turn off Microsoft Peer-to-Peer Networking Services is set to Enabled"
+- name: "18.5.10.2 | PATCH | L2 | Ensure Turn off Microsoft Peer-to-Peer Networking Services is set to Enabled"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Peernet
 name: Disabled
@@ -551,7 +541,7 @@
 - rule_18.5.10.2
 - patch
-- name: "SCORED | 18.5.11.2 | PATCH | L1 Ensure Prohibit installation and configuration of Network Bridge on your DNS domain network is set to Enabled"
+- name: "18.5.11.2 | PATCH | L1 | Ensure Prohibit installation and configuration of Network Bridge on your DNS domain network is set to Enabled"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\Network Connections
 name: NC_AllowNetBridge_NLA
@@ -565,7 +555,7 @@
 - rule_18.5.11.2
 - patch
-- name: "SCORED | 18.5.11.3 | PATCH | L1 Ensure Prohibit use of Internet Connection Sharing on your DNS domain network is set to Enabled"
+- name: "18.5.11.3 | PATCH | L1 | Ensure Prohibit use of Internet Connection Sharing on your DNS domain network is set to Enabled"
 win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections
 name: NC_ShowSharedAccessUI
@@ -579,7 +569,7 @@
 - rule_18.5.11.3
 - patch
-- name: "SCORED | 18.5.11.4 | PATCH | L1 Ensure Require domain users to elevate when setting a networks location is set to Enabled"
+- name: "18.5.11.4 | PATCH | L1 | Ensure Require domain users to elevate when setting a networks location is set to Enabled"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\Network Connections
 name: NC_StdDomainUserSetLocation
@@ -593,16 +583,16 @@
 - rule_18.5.11.4
 - patch
-- name: "SCORED | 18.5.14.1 | PATCH | L1 Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all NETLOGON and SYSVOL shares"
+- name: "18.5.14.1 | PATCH | L1 | Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all NETLOGON and SYSVOL shares"
 block:
- - name: "SCORED | 18.5.14.1 | PATCH | L1 Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all NETLOGON shares"
+ - name: "18.5.14.1 | PATCH | L1 | Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all NETLOGON shares"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\Networkprovider\Hardenedpaths
 name: "\\\\*\\NETLOGON"
 data: "RequireMutualAuthentication=1, RequireIntegrity=1"
 type: string
- - name: "SCORED | 18.5.14.1 | PATCH | L1 Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all SYSVOL shares"
+ - name: "18.5.14.1 | PATCH | L1 | Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all SYSVOL shares"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\Networkprovider\Hardenedpaths
 name: "\\\\*\\SYSVOL"
@@ -616,7 +606,7 @@
 - rule_18.5.14.1
 - patch
-- name: "SCORED | 18.5.19.2.1 | PATCH | L2 Disable IPv6 Ensure TCPIP6 Parameter DisabledComponents is set to 0xff 255"
+- name: "18.5.19.2.1 | PATCH | L2 | Disable IPv6 Ensure TCPIP6 Parameter DisabledComponents is set to 0xff 255"
 win_regedit:
 path: HKLM:\System\CurrentControlSet\Services\TCPIP6\Parameters
 name: DisabledComponents
@@ -630,37 +620,37 @@
 - rule_18.5.19.2.1
 - patch
-- name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled"
+- name: "18.5.20.1 | PATCH | L2 | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled"
 block:
- - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | EnableRegistrars"
+ - name: "18.5.20.1 | PATCH | L2 | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | EnableRegistrars"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars
 name: EnableRegistrars
 data: 0
 type: dword
- - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableUPnPRegistrar"
+ - name: "18.5.20.1 | PATCH | L2 | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableUPnPRegistrar"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars
 name: DisableUPnPRegistrar
 data: 0
 type: dword
- - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableInBand802DOT11Registrar"
+ - name: "18.5.20.1 | PATCH | L2 | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableInBand802DOT11Registrar"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars
 name: DisableInBand802DOT11Registrar
 data: 0
 type: dword
- - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableFlashConfigRegistrar"
+ - name: "18.5.20.1 | PATCH | L2 | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableFlashConfigRegistrar"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars
 name: DisableFlashConfigRegistrar
 data: 0
 type: dword
- - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableWPDRegistrar"
+ - name: "18.5.20.1 | PATCH | L2 | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableWPDRegistrar"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars
 name: DisableWPDRegistrar
@@ -674,7 +664,7 @@
 - rule_18.5.20.1
 - patch
-- name: "SCORED | 18.5.20.2 | PATCH | L2 Ensure Prohibit access of the Windows Connect Now wizards is set to Enabled"
+- name: "18.5.20.2 | PATCH | L2 | Ensure Prohibit access of the Windows Connect Now wizards is set to Enabled"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Ui
 name: DisableWcnUi
@@ -688,7 +678,7 @@
 - rule_18.5.20.2
 - patch
-- name: "SCORED | 18.5.21.1 | PATCH | L1 Ensure Minimize the number of simultaneous connections to the Internet or a Windows Domain is set to Enabled"
+- name: "18.5.21.1 | PATCH | L1 | Ensure Minimize the number of simultaneous connections to the Internet or a Windows Domain is set to Enabled"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\Wcmsvc\Grouppolicy
 name: fMinimizeConnections
@@ -702,7 +692,7 @@
 - rule_18.5.21.1
 - patch
-- name: "SCORED | 18.5.21.2 | PATCH | L2 Ensure Prohibit connection to non-domain networks when connected to domain authenticated network is set to Enabled MS only"
+- name: "18.5.21.2 | PATCH | L2 | Ensure Prohibit connection to non-domain networks when connected to domain authenticated network is set to Enabled MS only"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\Wcmsvc\Grouppolicy
 name: fBlockNonDomain
@@ -716,7 +706,7 @@
 - rule_18.5.21.2
 - patch
-- name: "SCORED | 18.7.1.1 | PATCH | L2 Ensure Turn off notifications network usage is set to Enabled"
+- name: "18.7.1.1 | PATCH | L2 | Ensure Turn off notifications network usage is set to Enabled"
 win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications
 name: NoCloudApplicationNotification
@@ -730,7 +720,7 @@
 - rule_18.7.1.1
 - patch
-- name: "SCORED | 18.8.3.1 | PATCH | L1 Ensure Include command line in process creation events is set to Disabled"
+- name: "18.8.3.1 | PATCH | L1 | Ensure Include command line in process creation events is set to Disabled"
 win_regedit:
 path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\Audit
 name: ProcessCreationIncludeCmdLine_Enabled
@@ -744,7 +734,7 @@
 - rule_18.8.3.1
 - patch
-- name: "SCORED | 18.8.4.1 | PATCH | L1 Ensure Encryption Oracle Remediation is set to Enabled Force Updated Clients"
+- name: "18.8.4.1 | PATCH | L1 | Ensure Encryption Oracle Remediation is set to Enabled Force Updated Clients"
 win_regedit:
 path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters
 name: AllowEncryptionOracle
@@ -758,7 +748,7 @@
 - rule_18.8.4.1
 - patch
-- name: "SCORED | 18.8.4.2 | PATCH | L1 Ensure Remote host allows delegation of non-exportable credentials is set to Enabled"
+- name: "18.8.4.2 | PATCH | L1 | Ensure Remote host allows delegation of non-exportable credentials is set to Enabled"
 win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation
 name: AllowProtectedCreds
@@ -772,7 +762,7 @@
 - rule_18.8.4.2
 - patch
-- name: "SCORED | 18.8.5.1 | PATCH | NG Ensure Turn On Virtualization Based Security is set to Enabled"
+- name: "18.8.5.1 | PATCH | NG Ensure Turn On Virtualization Based Security is set to Enabled"
 win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
 name: EnableVirtualizationBasedSecurity
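Review bot: The renamed NG-level task in the `@@ -772` hunk is formatted differently from the rest of this commit: `+- name: "18.8.5.1 | PATCH | NG Ensure Turn On Virtualization Based Security is set to Enabled"` has no ` | ` between the level and the title, whereas every L1/L2 task is rewritten to the `ID | PATCH | L1 | Ensure …` form. The same pattern is in the next six hunks for 18.8.5.2 through 18.8.5.7 (the hunks starting at -786, -800, -814, -828, -842 and -856). Suggest `- name: "18.8.5.1 | PATCH | NG | Ensure Turn On Virtualization Based Security is set to Enabled"` and the matching form for the other six, so that anything that splits task names on ` | ` (log filtering, reporting) sees the same fields for every task.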
@@ -786,7 +776,7 @@
 - rule_18.8.5.1
 - patch
-- name: "SCORED | 18.8.5.2 | PATCH | NG Ensure Turn On Virtualization Based Security Select Platform Security Level is set to Secure Boot and DMA Protection"
+- name: "18.8.5.2 | PATCH | NG Ensure Turn On Virtualization Based Security Select Platform Security Level is set to Secure Boot and DMA Protection"
 win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
 name: RequirePlatformSecurityFeatures
@@ -800,7 +790,7 @@
 - rule_18.8.5.2
 - patch
-- name: "SCORED | 18.8.5.3 | PATCH | NG Ensure Turn On Virtualization Based Security Virtualization Based Protection of Code Integrity is set to Enabled with UEFI lock"
+- name: "18.8.5.3 | PATCH | NG Ensure Turn On Virtualization Based Security Virtualization Based Protection of Code Integrity is set to Enabled with UEFI lock"
 win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
 name: HypervisorEnforcedCodeIntegrity
@@ -814,7 +804,7 @@
 - rule_18.8.5.3
 - patch
-- name: "SCORED | 18.8.5.4 | PATCH | NG Ensure Turn On Virtualization Based Security Require UEFI Memory Attributes Table is set to True checked"
+- name: "18.8.5.4 | PATCH | NG Ensure Turn On Virtualization Based Security Require UEFI Memory Attributes Table is set to True checked"
 win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
 name: HVCIMATRequired
@@ -828,7 +818,7 @@
 - rule_18.8.5.4
 - patch
-- name: "SCORED | 18.8.5.5 | PATCH | NG Ensure Turn On Virtualization Based Security Credential Guard Configuration is set to Enabled with UEFI lock MS Only"
+- name: "18.8.5.5 | PATCH | NG Ensure Turn On Virtualization Based Security Credential Guard Configuration is set to Enabled with UEFI lock MS Only"
 win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
 name: LsaCfgFlags
@@ -842,7 +832,7 @@
 - rule_18.8.5.5
 - patch
-- name: "SCORED | 18.8.5.6 | PATCH | NG Ensure Turn On Virtualization Based Security Credential Guard Configuration is set to Disabled DC Only"
+- name: "18.8.5.6 | PATCH | NG Ensure Turn On Virtualization Based Security Credential Guard Configuration is set to Disabled DC Only"
 win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
 name: LsaCfgFlags
@@ -856,7 +846,7 @@
 - rule_18.8.5.6
 - patch
-- name: "SCORED | 18.8.5.7 | PATCH | NG Ensure Turn On Virtualization Based Security Secure Launch Configuration is set to Enabled"
+- name: "18.8.5.7 | PATCH | NG Ensure Turn On Virtualization Based Security Secure Launch Configuration is set to Enabled"
 win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
 name: ConfigureSystemGuardLaunch
@@ -870,7 +860,7 @@
 - rule_18.8.5.7
 - patch
-- name: "SCORED | 18.8.14.1 | PATCH | L1 Ensure Boot-Start Driver Initialization Policy is set to Enabled Good unknown and bad but critical"
+- name: "18.8.14.1 | PATCH | L1 | Ensure Boot-Start Driver Initialization Policy is set to Enabled Good unknown and bad but critical"
 win_regedit:
 path: HKLM:\System\Currentcontrolset\Policies\Earlylaunch
 name: DriverLoadPolicy
@@ -884,7 +874,7 @@
 - rule_18.8.14.1
 - patch
-- name: "SCORED | 18.8.21.2 | PATCH | L1 Ensure Configure registry policy processing Do not apply during periodic background processing is set to Enabled FALSE"
+- name: "18.8.21.2 | PATCH | L1 | Ensure Configure registry policy processing Do not apply during periodic background processing is set to Enabled FALSE"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378Eac-683F-11D2-A89A-00C04Fbbcfa2}
 name: NoBackgroundPolicy
@@ -898,7 +888,7 @@
 - rule_18.8.21.2
 - patch
-- name: "SCORED | 18.8.21.3 | PATCH | L1 Ensure Configure registry policy processing Process even if the Group Policy objects have not changed is set to Enabled TRUE"
+- name: "18.8.21.3 | PATCH | L1 | Ensure Configure registry policy processing Process even if the Group Policy objects have not changed is set to Enabled TRUE"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378Eac-683F-11D2-A89A-00C04Fbbcfa2}
 name: NoGPOListChanges
@@ -912,7 +902,7 @@
 - rule_18.8.21.3
 - patch
-- name: "SCORED | 18.8.21.4 | PATCH | L1 Ensure Continue experiences on this device is set to Disabled"
+- name: "18.8.21.4 | PATCH | L1 | Ensure Continue experiences on this device is set to Disabled"
 win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System
 name: EnableCdp
@@ -926,7 +916,7 @@
 - rule_18.8.21.4
 - patch
-- name: "SCORED | 18.8.21.5 | PATCH | L1 Ensure Turn off background refresh of Group Policy is set to Disabled"
+- name: "18.8.21.5 | PATCH | L1 | Ensure Turn off background refresh of Group Policy is set to Disabled"
 win_regedit:
 path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\DisableBkGndGroupPolicy
 state: absent
@@ -939,7 +929,7 @@
 - rule_18.8.21.5
 - patch
-- name: "SCORED | 18.8.22.1.1 | PATCH | L1 Ensure Turn off downloading of print drivers over HTTP is set to Enabled"
+- name: "18.8.22.1.1 | PATCH | L1 | Ensure Turn off downloading of print drivers over HTTP is set to Enabled"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows Nt\Printers
 name: DisableWebPnPDownload
@@ -953,7 +943,7 @@
 - rule_18.8.22.1.1
 - patch
-- name: "SCORED | 18.8.22.1.2 | PATCH | L2 Ensure Turn off handwriting personalization data sharing is set to Enabled"
+- name: "18.8.22.1.2 | PATCH | L2 | Ensure Turn off handwriting personalization data sharing is set to Enabled"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\Tabletpc
 name: PreventHandwritingDataSharing
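Review bot: In the `@@ -926` hunk the 18.8.21.5 task still has no `name:` under `win_regedit`, so `state: absent` applies to the key path itself: with `win_regedit` the default `delete_key` behaviour removes a subkey called `DisableBkGndGroupPolicy` under `...\Policies\System`, not the registry value of that name. If the control expects the value to be absent (the task title reads that way), the task reports ok on a host where the value exists and nothing is enforced. The fix is to end the path at `...\Currentversion\Policies\System` and add `name: DisableBkGndGroupPolicy` next to `state: absent`; the task's `when`/`tags` lines are outside the hunk. The commit only renames this task, so this pre-existing defect is left as is.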
@@ -967,7 +957,7 @@
 - rule_18.8.22.1.2
 - patch
-- name: "SCORED | 18.8.22.1.3 | PATCH | L2 Ensure Turn off handwriting recognition error reporting is set to Enabled"
+- name: "18.8.22.1.3 | PATCH | L2 | Ensure Turn off handwriting recognition error reporting is set to Enabled"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\Handwritingerrorreports
 name: PreventHandwritingErrorReports
@@ -981,7 +971,7 @@
 - rule_18.8.22.1.3
 - patch
-- name: "SCORED | 18.8.22.1.4 | PATCH | L2 Ensure Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com is set to Enabled"
+- name: "18.8.22.1.4 | PATCH | L2 | Ensure Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com is set to Enabled"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\Internet Connection Wizard
 name: ExitOnMSICW
@@ -995,7 +985,7 @@
 - rule_18.8.22.1.4
 - patch
-- name: "SCORED | 18.8.22.1.5 | PATCH | L1 Ensure Turn off Internet download for Web publishing and online ordering wizards is set to Enabled"
+- name: "18.8.22.1.5 | PATCH | L1 | Ensure Turn off Internet download for Web publishing and online ordering wizards is set to Enabled"
 win_regedit:
 path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
 name: NoWebServices
@@ -1009,7 +999,7 @@
 - rule_18.8.22.1.5
 - patch
-- name: "SCORED | 18.8.22.1.6 | PATCH | L2 Ensure Turn off printing over HTTP is set to Enabled"
+- name: "18.8.22.1.6 | PATCH | L2 | Ensure Turn off printing over HTTP is set to Enabled"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows Nt\Printers
 name: DisableHTTPPrinting
@@ -1023,7 +1013,7 @@
 - rule_18.8.22.1.6
 - patch
-- name: "SCORED | 18.8.22.1.7 | PATCH | L2 Ensure Turn off Registration if URL connection is referring to Microsoft.com is set to Enabled"
+- name: "18.8.22.1.7 | PATCH | L2 | Ensure Turn off Registration if URL connection is referring to Microsoft.com is set to Enabled"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\Registration Wizard Control
 name: NoRegistration
@@ -1037,7 +1027,7 @@
 - rule_18.8.22.1.7
 - patch
-- name: "SCORED |18.8.22.1.8 | PATCH | L2 Ensure Turn off Search Companion content file updates is set to Enabled"
+- name: "SCORED |18.8.22.1.8 | PATCH | L2 | Ensure Turn off Search Companion content file updates is set to Enabled"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Searchcompanion
 name: DisableContentFileUpdates
@@ -1051,7 +1041,7 @@
 - rule_18.8.22.1.8
 - patch
-- name: "SCORED | 18.8.22.1.9 | PATCH | L2 Ensure Turn off the Order Prints picture task is set to Enabled"
+- name: "18.8.22.1.9 | PATCH | L2 | Ensure Turn off the Order Prints picture task is set to Enabled"
 win_regedit:
 path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
 name: NoOnlinePrintsWizard
@@ -1065,7 +1055,7 @@
 - rule_18.8.22.1.9
 - patch
-- name: "SCORED | 18.8.22.1.10 | PATCH | L2 Ensure Turn off the Publish to Web task for files and folders is set to Enabled"
+- name: "18.8.22.1.10 | PATCH | L2 | Ensure Turn off the Publish to Web task for files and folders is set to Enabled"
 win_regedit:
 path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
 name: NoPublishingWizard
@@ -1079,7 +1069,7 @@
 - rule_18.8.22.1.10
 - patch
-- name: "SCORED | 18.8.22.1.11 | PATCH | L2 Ensure Turn off the Windows Messenger Customer Experience Improvement Program is set to Enabled"
+- name: "18.8.22.1.11 | PATCH | L2 | Ensure Turn off the Windows Messenger Customer Experience Improvement Program is set to Enabled"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Messenger\Client
 name: CEIP
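Review bot: The new name in the `@@ -1037` hunk keeps the prefix this commit strips from every other task: `+- name: "SCORED |18.8.22.1.8 | PATCH | L2 | Ensure Turn off Search Companion content file updates is set to Enabled"` still begins with `SCORED |`, with no space before the ID, so it is the only task in this section whose name does not start with the benchmark ID. Suggest `- name: "18.8.22.1.8 | PATCH | L2 | Ensure Turn off Search Companion content file updates is set to Enabled"`. The missing space after the bar is presumably why a replace of `SCORED | ` skipped this line, so the other task files in this series may be worth checking for the same leftover.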
@@ -1093,7 +1083,7 @@
 - rule_18.8.22.1.11
 - patch
-- name: "SCORED | 18.8.22.1.12 | PATCH | L2 Ensure Turn off Windows Customer Experience Improvement Program is set to Enabled"
+- name: "18.8.22.1.12 | PATCH | L2 | Ensure Turn off Windows Customer Experience Improvement Program is set to Enabled"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Sqmclient\Windows
 name: CEIPEnable
@@ -1107,16 +1097,16 @@
 - rule_18.8.22.1.12
 - patch
-- name: "SCORED | 18.8.22.1.13 | PATCH | L2 Ensure Turn off Windows Error Reporting is set to Enabled"
+- name: "18.8.22.1.13 | PATCH | L2 | Ensure Turn off Windows Error Reporting is set to Enabled"
 block:
- - name: "SCORED | 18.8.22.1.13 | PATCH | L2 Ensure Turn off Windows Error Reporting is set to Enabled | Windows Error Reporting"
+ - name: "18.8.22.1.13 | PATCH | L2 | Ensure Turn off Windows Error Reporting is set to Enabled | Windows Error Reporting"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\Windows Error Reporting
 name: Disabled
 data: 1
 type: dword
- - name: "SCORED | 18.8.22.1.13 | PATCH | L2 Ensure Turn off Windows Error Reporting is set to Enabled | ErrorReporting"
+ - name: "18.8.22.1.13 | PATCH | L2 | Ensure Turn off Windows Error Reporting is set to Enabled | ErrorReporting"
 win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting
 name: DoReport
@@ -1130,16 +1120,16 @@
 - rule_18.8.22.1.13
 - patch
-- name: "SCORED | 18.8.25.1 | PATCH | L2 Ensure Support device authentication using certificate is set to Enabled Automatic"
+- name: "18.8.25.1 | PATCH | L2 | Ensure Support device authentication using certificate is set to Enabled Automatic"
 block:
- - name: "SCORED | 18.8.25.1 | PATCH | L2 Ensure Support device authentication using certificate is set to Enabled Automatic | DevicePKInitBehavior"
+ - name: "18.8.25.1 | PATCH | L2 | Ensure Support device authentication using certificate is set to Enabled Automatic | DevicePKInitBehavior"
 win_regedit:
 path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters
 name: DevicePKInitBehavior
 data: 0
 type: dword
- - name: "SCORED | 18.8.25.1 | PATCH | L2 Ensure Support device authentication using certificate is set to Enabled Automatic | DevicePKInitEnabled"
+ - name: "18.8.25.1 | PATCH | L2 | Ensure Support device authentication using certificate is set to Enabled Automatic | DevicePKInitEnabled"
 win_regedit:
 path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters
 name: DevicePKInitEnabled
@@ -1153,7 +1143,7 @@
 - rule_18.8.25.1
 - patch
-- name: "SCORED | 18.8.26.1 | PATCH | L1 Ensure Enumeration policy for external devices incompatible with Kernel DMA Protection is set to Enabled Block All"
+- name: "18.8.26.1 | PATCH | L1 | Ensure Enumeration policy for external devices incompatible with Kernel DMA Protection is set to Enabled Block All"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\Kernel DMA Protection
 name: DeviceEnumerationPolicy
@@ -1167,7 +1157,7 @@
 - rule_18.8.26.1
 - patch
-- name: "SCORED | 18.8.27.1 | PATCH | L2 Ensure Disallow copying of user input methods to the system account for sign-in is set to Enabled"
+- name: "18.8.27.1 | PATCH | L2 | Ensure Disallow copying of user input methods to the system account for sign-in is set to Enabled"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Control Panel\International
 name: BlockUserInputMethodsForSignIn
@@ -1181,7 +1171,7 @@
 - rule_18.8.27.1
 - patch
-- name: "SCORED | 18.8.28.1 | PATCH | L1 Ensure Block user from showing account details on sign-in is set to Enabled"
+- name: "18.8.28.1 | PATCH | L1 | Ensure Block user from showing account details on sign-in is set to Enabled"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\System
 name: BlockUserFromShowingAccountDetailsOnSignin
@@ -1195,7 +1185,7 @@
 - rule_18.8.28.1
 - patch
-- name: "SCORED | 18.8.28.2 | PATCH | L1 Ensure Do not display network selection UI is set to Enabled"
+- name: "18.8.28.2 | PATCH | L1 | Ensure Do not display network selection UI is set to Enabled"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\System
 name: DontDisplayNetworkSelectionUI
@@ -1209,7 +1199,7 @@
 - rule_18.8.28.2
 - patch
-- name: "SCORED | 18.8.28.3 | PATCH | L1 Ensure Do not enumerate connected users on domain-joined computers is set to Enabled"
+- name: "18.8.28.3 | PATCH | L1 | Ensure Do not enumerate connected users on domain-joined computers is set to Enabled"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\System
 name: DontEnumerateConnectedUsers
@@ -1223,7 +1213,7 @@
 - rule_18.8.28.3
 - patch
-- name: "SCORED | 18.8.28.4 | PATCH | L1 Ensure Enumerate local users on domain-joined computers is set to Disabled MS only"
+- name: "18.8.28.4 | PATCH | L1 | Ensure Enumerate local users on domain-joined computers is set to Disabled MS only"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\System
 name: EnumerateLocalUsers
@@ -1236,7 +1226,7 @@
 - rule_18.8.28.4
 - patch
-- name: "SCORED | 18.8.28.5 | PATCH | L1 Ensure Turn off app notifications on the lock screen is set to Enabled"
+- name: "18.8.28.5 | PATCH | L1 | Ensure Turn off app notifications on the lock screen is set to Enabled"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\System
 name: DisableLockScreenAppNotifications
@@ -1250,7 +1240,7 @@
 - rule_18.8.28.5
 - patch
-- name: "SCORED | 18.8.28.6 | PATCH | L1 Ensure Turn off picture password sign-in is set to Enabled"
+- name: "18.8.28.6 | PATCH | L1 | Ensure Turn off picture password sign-in is set to Enabled"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\System
 name: BlockDomainPicturePassword
@@ -1264,7 +1254,7 @@
 - rule_18.8.28.6
 - patch
-- name: "SCORED | 18.8.28.7 | PATCH | L1 Ensure Turn on convenience PIN sign-in is set to Disabled"
+- name: "18.8.28.7 | PATCH | L1 | Ensure Turn on convenience PIN sign-in is set to Disabled"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\System
 name: AllowDomainPINLogon
@@ -1278,7 +1268,7 @@
 - rule_18.8.28.7
 - patch
-- name: "SCORED | 18.8.31.1 | PATCH | L2 Ensure Allow Clipboard synchronization across devices is set to Disabled"
+- name: "18.8.31.1 | PATCH | L2 | Ensure Allow Clipboard synchronization across devices is set to Disabled"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\System
 name: AllowCrossDeviceClipboard
@@ -1292,7 +1282,7 @@
 - rule_18.8.31.1
 - patch
-- name: "SCORED | 18.8.31.2 | PATCH | L2 Ensure Allow upload of User Activities is set to Disabled"
+- name: "18.8.31.2 | PATCH | L2 | Ensure Allow upload of User Activities is set to Disabled"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\System
 name: UploadUserActivities
@@ -1306,7 +1296,7 @@
 - rule_18.8.31.2
 - patch
-- name: "SCORED | 18.8.34.6.1 | PATCH | L2 Ensure Allow network connectivity during connected-standby on battery is set to Disabled"
+- name: "18.8.34.6.1 | PATCH | L2 | Ensure Allow network connectivity during connected-standby on battery is set to Disabled"
 win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9
 name: DCSettingIndex
@@ -1320,7 +1310,7 @@
 - rule_18.8.34.6.1
 - patch
-- name: "SCORED | 18.8.34.6.2 | PATCH | L2 Ensure Allow network connectivity during connected-standby plugged in is set to Disabled"
+- name: "18.8.34.6.2 | PATCH | L2 | Ensure Allow network connectivity during connected-standby plugged in is set to Disabled"
 win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9
 name: ACSettingIndex
@@ -1334,7 +1324,7 @@
 - rule_18.8.34.6.2
 - patch
-- name: "SCORED | 18.8.34.6.3 | PATCH | L1 Ensure Require a password when a computer wakes on battery is set to Enabled"
+- name: "18.8.34.6.3 | PATCH | L1 | Ensure Require a password when a computer wakes on battery is set to Enabled"
 win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51
 name: DCSettingIndex
@@ -1348,7 +1338,7 @@
 - rule_18.8.34.6.3
 - patch
-- name: "SCORED | 18.8.34.6.4 | PATCH | L1 Ensure Require a password when a computer wakes plugged in is set to Enabled"
+- name: "18.8.34.6.4 | PATCH | L1 | Ensure Require a password when a computer wakes plugged in is set to Enabled"
 win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51
 name: ACSettingIndex
@@ -1362,7 +1352,7 @@
 - rule_18.8.34.6.4
 - patch
-- name: "SCORED | 18.8.36.1 | PATCH | L1 Ensure Configure Offer Remote Assistance is set to Disabled"
+- name: "18.8.36.1 | PATCH | L1 | Ensure Configure Offer Remote Assistance is set to Disabled"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
 name: fAllowUnsolicited
@@ -1376,7 +1366,7 @@
 - rule_18.8.36.1
 - patch
-- name: "SCORED | 18.8.36.2 | PATCH | L1 Ensure Configure Solicited Remote Assistance is set to Disabled"
+- name: "18.8.36.2 | PATCH | L1 | Ensure Configure Solicited Remote Assistance is set to Disabled"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
 name: fAllowToGetHelp
@@ -1390,7 +1380,7 @@
 - rule_18.8.36.2
 - patch
-- name: "SCORED | 18.8.37.1 | PATCH | L1 Ensure Enable RPC Endpoint Mapper Client Authentication is set to Enabled MS only"
+- name: "18.8.37.1 | PATCH | L1 | Ensure Enable RPC Endpoint Mapper Client Authentication is set to Enabled MS only"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows Nt\Rpc
 name: EnableAuthEpResolution
@@ -1404,7 +1394,7 @@
 - rule_18.8.37.1
 - patch
-- name: "SCORED | 18.8.37.2 | PATCH | L2 Ensure Restrict Unauthenticated RPC clients is set to Enabled Authenticated MS only"
+- name: "18.8.37.2 | PATCH | L2 | Ensure Restrict Unauthenticated RPC clients is set to Enabled Authenticated MS only"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows Nt\Rpc
 name: RestrictRemoteClients
@@ -1418,7 +1408,7 @@
 - rule_18.8.37.2
 - patch
-- name: "SCORED | 18.8.47.5.1 | PATCH | L2 Ensure Microsoft Support Diagnostic Tool Turn on MSDT interactive communication with support provider is set to Disabled"
+- name: "18.8.47.5.1 | PATCH | L2 | Ensure Microsoft Support Diagnostic Tool Turn on MSDT interactive communication with support provider is set to Disabled"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\Scripteddiagnosticsprovider\Policy
 name: DisableQueryRemoteServer
@@ -1432,7 +1422,7 @@
 - rule_18.8.47.5.1
 - patch
-- name: "SCORED | 18.8.47.11.1 | PATCH | L2 Ensure EnableDisable PerfTrack is set to Disabled"
+- name: "18.8.47.11.1 | PATCH | L2 | Ensure EnableDisable PerfTrack is set to Disabled"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\Wdi\{9C5A40Da-B965-4Fc3-8781-88Dd50A6299D}
 name: ScenarioExecutionEnabled
@@ -1446,7 +1436,7 @@
 - rule_18.8.47.11.1
 - patch
-- name: "SCORED | 18.8.49.1 | PATCH | L2 Ensure Turn off the advertising ID is set to Enabled"
+- name: "18.8.49.1 | PATCH | L2 | Ensure Turn off the advertising ID is set to Enabled"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\Advertisinginfo
 name: DisabledByGroupPolicy
@@ -1460,7 +1450,7 @@
 - rule_18.8.49.1
 - patch
-- name: "SCORED | 18.8.52.1.1 | PATCH | L2 Ensure Enable Windows NTP Client is set to Enabled"
+- name: "18.8.52.1.1 | PATCH | L2 | Ensure Enable Windows NTP Client is set to Enabled"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\W32Time\Timeproviders\Ntpclient
 name: Enabled
@@ -1474,7 +1464,7 @@
 - rule_18.8.52.1.1
 - patch
-- name: "SCORED | 18.8.52.1.2 | PATCH | L2 Ensure Enable Windows NTP Server is set to Disabled MS only"
+- name: "18.8.52.1.2 | PATCH | L2 | Ensure Enable Windows NTP Server is set to Disabled MS only"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\W32Time\Timeproviders\Ntpserver
 name: Enabled
@@ -1488,7 +1478,7 @@
 - rule_18.8.52.1.2
 - patch
-- name: "SCORED | 18.9.4.1 | PATCH | L2 Ensure Allow a Windows app to share application data between users is set to Disabled"
+- name: "18.9.4.1 | PATCH | L2 | Ensure Allow a Windows app to share application data between users is set to Disabled"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\Currentversion\Appmodel\Statemanager
 name: AllowSharedLocalAppData
@@ -1502,7 +1492,7 @@
 - rule_18.9.4.1
 - patch
-- name: "SCORED | 18.9.6.1 | PATCH | L1 Ensure Allow Microsoft accounts to be optional is set to Enabled"
+- name: "18.9.6.1 | PATCH | L1 | Ensure Allow Microsoft accounts to be optional is set to Enabled"
 win_regedit:
 path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
 name: MSAOptional
@@ -1516,7 +1506,7 @@
 - rule_18.9.6.1
 - patch
-- name: "SCORED | 18.9.8.1 | PATCH | L1 Ensure Disallow Autoplay for non-volume devices is set to Enabled"
+- name: "18.9.8.1 | PATCH | L1 | Ensure Disallow Autoplay for non-volume devices is set to Enabled"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\Explorer
 name: NoAutoplayfornonVolume
@@ -1530,7 +1520,7 @@
 - rule_18.9.8.1
 - patch
-- name: "SCORED | 18.9.8.2 | PATCH | L1 Ensure Set the default behavior for AutoRun is set to Enabled Do not execute any autorun commands"
+- name: "18.9.8.2 | PATCH | L1 | Ensure Set the default behavior for AutoRun is set to Enabled Do not execute any autorun commands"
 win_regedit:
 path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
 name: NoAutorun
@@ -1544,7 +1534,7 @@
 - rule_18.9.8.2
 - patch
-- name: "SCORED | 18.9.8.3 | PATCH | L1 Ensure Turn off Autoplay is set to Enabled All drives"
+- name: "18.9.8.3 | PATCH | L1 | Ensure Turn off Autoplay is set to Enabled All drives"
 win_regedit:
 path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
 name: NoDriveTypeAutoRun
@@ -1558,7 +1548,7 @@
 - rule_18.9.8.3
 - patch
-- name: "SCORED | 18.9.10.1.1 | PATCH | L1 Ensure Configure enhanced anti-spoofing is set to Enabled"
+- name: "18.9.10.1.1 | PATCH | L1 | Ensure Configure enhanced anti-spoofing is set to Enabled"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Biometrics\Facialfeatures
 name: EnhancedAntiSpoofing
@@ -1572,7 +1562,7 @@
 - rule_18.9.10.1.1
 - patch
-- name: "SCORED | 18.9.12.1 | PATCH | L2 Ensure Allow Use of Camera is set to Disabled"
+- name: "18.9.12.1 | PATCH | L2 | Ensure Allow Use of Camera is set to Disabled"
 win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\Camera
 name: AllowCamera
@@ -1586,7 +1576,7 @@
 - rule_18.9.12.1
 - patch
-- name: "SCORED | 18.9.13.1 | PATCH | L1 Ensure Turn off Microsoft consumer experiences is set to Enabled"
+- name: "18.9.13.1 | PATCH | L1 | Ensure Turn off Microsoft consumer experiences is set to Enabled"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\Cloudcontent
 name: DisableWindowsConsumerFeatures
@@ -1600,7 +1590,7 @@
 - rule_18.9.13.1
 - patch
-- name: "SCORED | 18.9.14.1 | PATCH | L1 Ensure Require pin for pairing is set to Enabled First Time OR Enabled Always"
+- name: "18.9.14.1 | PATCH | L1 | Ensure Require pin for pairing is set to Enabled First Time OR Enabled Always"
 win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Connect
 name: RequirePinForPairing
@@ -1614,7 +1604,7 @@
 - rule_18.9.14.1
 - patch
-- name: "SCORED | 18.9.15.1 | PATCH | L1 Ensure Do not display the password reveal button is set to Enabled"
+- name: "18.9.15.1 | PATCH | L1 | Ensure Do not display the password reveal button is set to Enabled"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\Credui
 name: DisablePasswordReveal
@@ -1628,7 +1618,7 @@
 - rule_18.9.15.1
 - patch
-- name: "SCORED | 18.9.15.2 | PATCH | L1 Ensure Enumerate administrator accounts on elevation is set to Disabled"
+- name: "18.9.15.2 | PATCH | L1 | Ensure Enumerate administrator accounts on elevation is set to Disabled"
 win_regedit:
 path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Credui
 name: EnumerateAdministrators
@@ -1642,7 +1632,7 @@
 - rule_18.9.15.2
 - patch
-- name: "SCORED | 18.9.16.1 | PATCH | L1 Ensure Allow Telemetry is set to Enabled 0 - Security Enterprise Only or Enabled 1 - Basic"
+- name: "18.9.16.1 | PATCH | L1 | Ensure Allow Telemetry is set to Enabled 0 - Security Enterprise Only or Enabled 1 - Basic"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection
 name: AllowTelemetry
@@ -1656,7 +1646,7 @@
 - rule_18.9.16.1
 - patch
-- name: "SCORED | 18.9.16.2 | PATCH | L2 Ensure Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service is set to Enabled Disable Authenticated Proxy usage"
+- name: "18.9.16.2 | PATCH | L2 | Ensure Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service is set to Enabled Disable Authenticated Proxy usage"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection
 name: DisableEnterpriseAuthProxy
@@ -1670,7 +1660,7 @@
 - rule_18.9.16.2
 - patch
-- name: "SCORED | 18.9.16.3 | PATCH | L1 Ensure Do not show feedback notifications is set to Enabled"
+- name: "18.9.16.3 | PATCH | L1 | Ensure Do not show feedback notifications is set to Enabled"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection
 name: DoNotShowFeedbackNotifications
@@ -1684,7 +1674,7 @@
 - rule_18.9.16.3
 - patch
-- name: "SCORED | 18.9.16.4 | PATCH | L1 Ensure Toggle user control over Insider builds is set to Disabled"
+- name: "18.9.16.4 | PATCH | L1 | Ensure Toggle user control over Insider builds is set to Disabled"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\Previewbuilds
 name: AllowBuildPreview
@@ -1698,7 +1688,7 @@ - rule_18.9.16.4 - patch -- name: "SCORED | 18.9.26.1.1 | PATCH | L1 Ensure Application Control Event Log behavior when the log file reaches its maximum size is set to Disabled" +- name: "18.9.26.1.1 | PATCH | L1 | Ensure Application Control Event Log behavior when the log file reaches its maximum size is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application name: Retention @@ -1712,7 +1702,7 @@ - rule_18.9.26.1.1 - patch -- name: "SCORED | 18.9.26.1.2 | PATCH | L1 Ensure Application Specify the maximum log file size KB is set to Enabled 32768 or greater" +- name: "18.9.26.1.2 | PATCH | L1 | Ensure Application Specify the maximum log file size KB is set to Enabled 32768 or greater" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Application name: MaxSize @@ -1726,7 +1716,7 @@ - rule_18.9.26.1.2 - patch -- name: "SCORED | 18.9.26.2.1 | PATCH | L1 Ensure Security Control Event Log behavior when the log file reaches its maximum size is set to Disabled" +- name: "18.9.26.2.1 | PATCH | L1 | Ensure Security Control Event Log behavior when the log file reaches its maximum size is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Security name: Retention @@ -1740,7 +1730,7 @@ - rule_18.9.26.2.1 - patch -- name: "SCORED | 18.9.26.2.2 | PATCH | L1 Ensure Security Specify the maximum log file size KB is set to Enabled 196608 or greater" +- name: "18.9.26.2.2 | PATCH | L1 | Ensure Security Specify the maximum log file size KB is set to Enabled 196608 or greater" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Security name: MaxSize 
@@ -1754,7 +1744,7 @@ - rule_18.9.26.2.2 - patch -- name: "SCORED | 18.9.26.3.1 | PATCH | L1 Ensure Setup Control Event Log behavior when the log file reaches its maximum size is set to Disabled" +- name: "18.9.26.3.1 | PATCH | L1 | Ensure Setup Control Event Log behavior when the log file reaches its maximum size is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Setup name: Retention @@ -1768,7 +1758,7 @@ - rule_18.9.26.3.1 - patch -- name: "SCORED | 18.9.26.3.2 | PATCH | L1 Ensure Setup Specify the maximum log file size KB is set to Enabled 32768 or greater" +- name: "18.9.26.3.2 | PATCH | L1 | Ensure Setup Specify the maximum log file size KB is set to Enabled 32768 or greater" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Setup name: MaxSize @@ -1782,7 +1772,7 @@ - rule_18.9.26.3.2 - patch -- name: "SCORED | 18.9.26.4.1 | PATCH | L1 Ensure System Control Event Log behavior when the log file reaches its maximum size is set to Disabled" +- name: "18.9.26.4.1 | PATCH | L1 | Ensure System Control Event Log behavior when the log file reaches its maximum size is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\System name: Retention @@ -1796,7 +1786,7 @@ - rule_18.9.26.4.1 - patch -- name: "SCORED | 18.9.26.4.2 | PATCH | L1 Ensure System Specify the maximum log file size KB is set to Enabled 32768 or greater" +- name: "18.9.26.4.2 | PATCH | L1 | Ensure System Specify the maximum log file size KB is set to Enabled 32768 or greater" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\System name: MaxSize 
@@ -1810,7 +1800,7 @@ - rule_18.9.26.4.2 - patch -- name: "SCORED | 18.9.30.2 | PATCH | L1 Ensure Turn off Data Execution Prevention for Explorer is set to Disabled" +- name: "18.9.30.2 | PATCH | L1 | Ensure Turn off Data Execution Prevention for Explorer is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Explorer name: NoDataExecutionPrevention @@ -1824,7 +1814,7 @@ - rule_18.9.30.2 - patch -- name: "SCORED | 18.9.30.3 | PATCH | L1 Ensure Turn off heap termination on corruption is set to Disabled" +- name: "18.9.30.3 | PATCH | L1 | Ensure Turn off heap termination on corruption is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Explorer name: NoHeapTerminationOnCorruption @@ -1838,7 +1828,7 @@ - rule_18.9.30.3 - patch -- name: "SCORED | 18.9.30.4 | PATCH | L1 Ensure Turn off shell protocol protected mode is set to Disabled" +- name: "18.9.30.4 | PATCH | L1 | Ensure Turn off shell protocol protected mode is set to Disabled" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer name: PreXPSP2ShellProtocolBehavior @@ -1852,21 +1842,21 @@ - rule_18.9.30.4 - patch -- name: "SCORED | 18.9.39.2 | PATCH | L2 Ensure Turn off location is set to Enabled" +- name: "18.9.39.1 | PATCH | L2 | Ensure Turn off location is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Locationandsensors name: DisableLocation data: 1 type: dword when: - - rule_18_9_39_2 + - rule_18_9_39_1 tags: - level2-domaincontroller - level2-memberserver - - rule_18.9.39.2 + - rule_18.9.39.1 - patch -- name: "SCORED | 18.9.43.1 | PATCH | L2 Ensure Allow Message Service Cloud Sync is set to Disabled" +- name: "18.9.43.1 | PATCH | L2 | Ensure Allow Message Service Cloud Sync is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Messaging name: AllowMessageSync 
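Review bot: The renamed location task now gates on `rule_18_9_39_1` and tags `rule_18.9.39.1`, but that variable is not defined anywhere in this file; if defaults/main.yml still only declares `rule_18_9_39_2`, the `when:` check fails with an undefined-variable error instead of applying the control. Either add `rule_18_9_39_1: true` to the defaults or keep the variable in this task in step with whatever the defaults file actually declares. The other hunks on this line only reword task names and need no change.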
@@ -1880,7 +1870,7 @@ - rule_18.9.43.1 - patch -- name: "SCORED | 18.9.44.1 | PATCH | L1 Ensure Block all consumer Microsoft account user authentication is set to Enabled" +- name: "18.9.44.1 | PATCH | L1 | Ensure Block all consumer Microsoft account user authentication is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\MicrosoftAccount name: DisableUserAuth 
@@ -1894,462 +1884,462 @@ - rule_18.9.44.1 - patch -- name: "SCORED | 18.9.52.1 | PATCH | L1 Ensure Prevent the usage of OneDrive for file storage is set to Enabled" +- name: "18.9.45.3.1 | PATCH | L1 | Ensure Configure local setting override for reporting to Microsoft MAPS is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Onedrive - name: DisableFileSyncNGSC - data: 1 + path: HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet + name: LocalSettingOverrideSpynetReporting + data: 0 type: dword when: - - rule_18_9_52_1 + - rule_18_9_45_3_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.52.1 + - rule_18.9.45.3.1 - patch -- name: "SCORED | 18.9.59.2.2 | PATCH | L1 Ensure Do not allow passwords to be saved is set to Enabled" +- name: "18.9.45.3.2 | PATCH | L2 | Ensure Join Microsoft MAPS is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: DisablePasswordSaving - data: 1 + path: HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet + name: SpynetReporting + data: 0 type: dword when: - - rule_18_9_59_2_2 + - rule_18_9_45_3_2 + tags: + - level2-domaincontroller + - level2-memberserver + - rule_18.9.45.3.2 + - patch + +- name: "18.9.45.8.3 | PATCH | L1 | Ensure Turn on behavior monitoring is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection + name: DisableBehaviorMonitoring + data: 0 + type: dword + when: + - rule_18_9_45_8_3 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.59.2.2 + - rule_18.9.45.8.3 - patch -- name: "SCORED | 18.9.59.3.2.1 | PATCH | L2 Ensure Restrict Remote Desktop Services users to a single Remote Desktop Services session is set to Enabled" +- name: "18.9.45.4.1.1 | PATCH | L1 | Ensure Configure Attack Surface Reduction rules is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: 
fSingleSessionPerUser + path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR + name: ExploitGuard_ASR_Rules data: 1 type: dword when: - - rule_18_9_59_3_2_1 + - rule_18_9_45_4_1_1 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.9.59.3.2.1 + - level1-domaincontroller + - level1-memberserver + - rule_18.9.45.4.1.1 - patch -- name: "SCORED | 18.9.59.3.3.1 | PATCH | L2 Ensure Do not allow COM port redirection is set to Enabled" +- name: "18.9.45.4.1.2 | PATCH | L1 | Ensure Configure Attack Surface Reduction rules Set the state for each ASR rule is configured" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: fDisableCcm + path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules + name: "{{ item }}" data: 1 - type: dword + type: string + loop: + - 26190899-1602-49e8-8b27-eb1d0a1ce869 + - 3b576869-a4ec-4529-8536-b80a7769e899 + - 5beb7efe-fd9a-4556-801d-275e5ffc04cc + - 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 + - 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c + - 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b + - 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 + - b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 + - be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 + - d3e037e1-3eb8-44c8-a917-57927947596d + - d4f940ab-401b-4efc-aadc-ad5f3c50688a when: - - rule_18_9_59_3_3_1 + - rule_18_9_45_4_1_2 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.9.59.3.3.1 + - level1-domaincontroller + - level1-memberserver + - rule_18.9.45.4.1.2 - patch -- name: "SCORED | 18.9.59.3.3.2 | PATCH | L1 Ensure Do not allow drive redirection is set to Enabled" +- name: "18.9.45.4.3.1 | PATCH | L1 | Ensure Prevent users and apps from accessing dangerous websites is set to Enabled Block" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: fDisableCdm + path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network 
Protection + name: EnableNetworkProtection data: 1 type: dword when: - - rule_18_9_59_3_3_2 + - rule_18_9_45_4_3_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.59.3.3.2 + - rule_18.9.45_4.3.1 - patch -- name: "SCORED | 18.9.59.3.3.3 | PATCH | L2 Ensure Do not allow LPT port redirection is set to Enabled" +- name: "18.9.45.10.1 | PATCH | L2 | Ensure Configure Watson events is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: fDisableLPT + path: HKLM:\Software\Policies\Microsoft\Windows Defender\Reporting + name: DisableGenericRePorts data: 1 type: dword when: - - rule_18_9_59_3_3_3 + - rule_18_9_45_10_1 tags: - level2-domaincontroller - level2-memberserver - - rule_18.9.59.3.3.3 + - rule_18.9.77.9.1 - patch -- name: "SCORED | 18.9.59.3.3.4 | PATCH | L2 Ensure Do not allow supported Plug and Play device redirection is set to Enabled" +- name: "18.9.45.11.1 | PATCH | L1 | Ensure Scan removable drives is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: fDisablePNPRedir - data: 1 + path: HKLM:\Software\Policies\Microsoft\Windows Defender\Scan + name: DisableRemovableDriveScanning + data: 0 type: dword when: - - rule_18_9_59_3_3_4 + - rule_18_9_45_11_1 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.9.59.3.3.4 + - level1-domaincontroller + - level1-memberserver + - rule_18.9.45.11.1 - patch -- name: "SCORED | 18.9.59.3.9.1 | PATCH | L1 Ensure Always prompt for password upon connection is set to Enabled" +- name: "18.9.45.11.2 | PATCH | L1 | Ensure Turn on e-mail scanning is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: fPromptForPassword - data: 1 + path: HKLM:\Software\Policies\Microsoft\Windows Defender\Scan + name: DisableEmailScanning + data: 0 type: dword when: - - rule_18_9_59_3_9_1 + - rule_18_9_45_11_2 tags: - level1-domaincontroller - 
level1-memberserver - - rule_18.9.59.3.9.1 + - rule_18.9.45.11.2 - patch -- name: "SCORED | 18.9.59.3.9.2 | PATCH | L1 Ensure Require secure RPC communication is set to Enabled" +- name: "18.9.45.14 | PATCH | L1 | Ensure Configure detection for potentially unwanted applications is set to Enabled Block" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: fEncryptRPCTraffic + path: HKLM:\Software\Policies\Microsoft\Windows Defender + name: PUAProtection data: 1 type: dword when: - - rule_18_9_59_3_9_2 + - rule_18_9_45_14 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.59.3.9.2 + - rule_18.9.45.14 - patch -- name: "SCORED | 18.9.59.3.9.3 | PATCH | L1 Ensure Require use of specific security layer for remote RDP connections is set to Enabled SSL" +- name: "18.9.45.15 | PATCH | L1 | Ensure Turn off Windows Defender AntiVirus is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: SecurityLayer - data: 2 + path: HKLM:\Software\Policies\Microsoft\Windows Defender + name: DisableAntiSpyware + data: 0 type: dword when: - - rule_18_9_59_3_9_3 + - rule_18_9_45_15 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.59.3.9.3 + - rule_18.9.45.15 - patch -- name: "SCORED | 18.9.59.3.9.4 | PATCH | L1 Ensure Require user authentication for remote connections by using Network Level Authentication is set to Enabled" +- name: "18.9.55.1 | PATCH | L1 | Ensure Prevent the usage of OneDrive for file storage is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: UserAuthentication + path: HKLM:\Software\Policies\Microsoft\Windows\Onedrive + name: DisableFileSyncNGSC data: 1 type: dword when: - - rule_18_9_59_3_9_4 + - rule_18_9_55_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.59.3.9.4 + - rule_18.9.55.1 - patch -- name: "SCORED | 18.9.59.3.9.5 | PATCH | L1 Ensure Set client 
connection encryption level is set to Enabled High Level" +- name: "18.9.62.2.2 | PATCH | L1 | Ensure Do not allow passwords to be saved is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: MinEncryptionLevel - data: 3 + name: DisablePasswordSaving + data: 1 type: dword when: - - rule_18_9_59_3_9_5 + - rule_18_9_62_2_2 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.59.3.9.5 + - rule_18.9.62.2.2 - patch -- name: "SCORED | 18.9.59.3.10.1 | PATCH | L2 Ensure Set time limit for active but idle Remote Desktop Services sessions is set to Enabled 15 minutes or less" +- name: "18.9.62.3.2.1 | PATCH | L2 | Ensure Restrict Remote Desktop Services users to a single Remote Desktop Services session is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: MaxIdleTime - data: 3600000 + name: fSingleSessionPerUser + data: 1 type: dword when: - - rule_18_9_59_3_10_1 + - rule_18_9_62_3_2_1 tags: - level2-domaincontroller - level2-memberserver - - rule_18.9.59.3.10.1 + - rule_18.9.62.3.2.1 - patch -- name: "SCORED | 18.9.59.3.10.2 | PATCH | L2 Ensure Set time limit for disconnected sessions is set to Enabled 1 minute" +- name: "18.9.62.3.3.1 | PATCH | L2 | Ensure Do not allow COM port redirection is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: MaxDisconnectionTime - data: 28800000 + name: fDisableCcm + data: 1 type: dword when: - - rule_18_9_59_3_10_2 + - rule_18_9_62_3_3_1 tags: - level2-domaincontroller - level2-memberserver - - rule_18.9.59.3.10.2 + - rule_18.9.62.3.3.1 - patch -- name: "SCORED | 18.9.59.3.11.1 | PATCH | L1 Ensure Do not delete temp folders upon exit is set to Disabled" +- name: "18.9.62.3.3.2 | PATCH | L1 | Ensure Do not allow drive redirection is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: DeleteTempDirsOnExit + 
name: fDisableCdm data: 1 type: dword when: - - rule_18_9_59_3_11_1 + - rule_18_9_62_3_3_2 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.59.3.11.1 + - rule_18.9.62.3.3.2 - patch -- name: "SCORED | 18.9.59.3.11.2 | PATCH | L1 Ensure Do not use temporary folders per session is set to Disabled" +- name: "18.9.62.3.3.3 | PATCH | L2 | Ensure Do not allow LPT port redirection is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: PerSessionTempDir + name: fDisableLPT data: 1 type: dword when: - - rule_18_9_59_3_11_2 + - rule_18_9_62_3_3_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.59.3.11.2 + - level2-domaincontroller + - level2-memberserver + - rule_18.9.62.3.3.3 - patch -- name: "SCORED | 18.9.60.1 | PATCH | L1 Ensure Prevent downloading of enclosures is set to Enabled" +- name: "18.9.62.3.3.4 | PATCH | L2 | Ensure Do not allow supported Plug and Play device redirection is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds - name: DisableEnclosureDownload + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: fDisablePNPRedir data: 1 type: dword when: - - rule_18_9_60_1 - tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.60.1 - - patch - -- name: "SCORED | 18.9.61.2 | PATCH | L2 Ensure Allow Cloud Search is set to Enabled Disable Cloud Search" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search - name: AllowCloudSearch - data: 0 - type: dword - when: - - rule_18_9_61_2 + - rule_18_9_62_3_3_4 tags: - level2-domaincontroller - level2-memberserver - - rule_18.9.61.2 + - rule_18.9.62.3.3.4 - patch -- name: "SCORED | 18.9.61.3 | PATCH | L1 Ensure Allow indexing of encrypted files is set to Disabled" +- name: "18.9.62.3.9.1 | PATCH | L1 | Ensure Always prompt for password upon connection is set to Enabled" win_regedit: - path: 
HKLM:\Software\Policies\Microsoft\Windows\Windows Search - name: AllowIndexingEncryptedStoresOrItems - data: 0 + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: fPromptForPassword + data: 1 type: dword when: - - rule_18_9_61_3 + - rule_18_9_62_3_9_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.61.3 + - rule_18.9.62.3.9.1 - patch -- name: "SCORED | 18.9.66.1 | PATCH | L2 Ensure Turn off KMS Client Online AVS Validation is set to Enabled" +- name: "18.9.62.3.9.2 | PATCH | L1 | Ensure Require secure RPC communication is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Currentversion\Software Protection Platform - name: NoGenTicket + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: fEncryptRPCTraffic data: 1 type: dword when: - - rule_18_9_66_1 + - rule_18_9_62_3_9_2 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.9.66.1 + - level1-domaincontroller + - level1-memberserver + - rule_18.9.59.3.9.2 - patch -- name: "SCORED | 18.9.77.3.1 | PATCH | L1 Ensure Configure local setting override for reporting to Microsoft MAPS is set to Disabled" +- name: "18.9.62.3.9.3 | PATCH | L1 | Ensure Require use of specific security layer for remote RDP connections is set to Enabled SSL" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet - name: LocalSettingOverrideSpynetReporting - data: 0 + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: SecurityLayer + data: 2 type: dword when: - - rule_18_9_77_3_1 + - rule_18_9_62_3_9_3 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.77.3.1 + - rule_18.9.62.3.9.3 - patch -- name: "SCORED | 18.9.77.3.2 | PATCH | L2 Ensure Join Microsoft MAPS is set to Disabled" +- name: "18.9.62.3.9.4 | PATCH | L1 | Ensure Require user authentication for remote connections by using Network Level Authentication is set to Enabled" win_regedit: - path: 
HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet - name: SpynetReporting - data: 0 + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: UserAuthentication + data: 1 type: dword when: - - rule_18_9_77_3_2 + - rule_18_9_62_3_9_4 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.9.77.3.2 + - level1-domaincontroller + - level1-memberserver + - rule_18.9.62.3.9.4 - patch -- name: "SCORED | 18.9.77.7.1 | PATCH | L1 Ensure Turn on behavior monitoring is set to Enabled" +- name: "18.9.62.3.9.5 | PATCH | L1 | Ensure Set client connection encryption level is set to Enabled High Level" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection - name: DisableBehaviorMonitoring - data: 0 + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: MinEncryptionLevel + data: 3 type: dword when: - - rule_18_9_77_7_1 + - rule_18_9_62_3_9_5 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.77.7.1 + - rule_18.9.62.3.9.5 - patch -- name: "SCORED | 18.9.77.9.1 | PATCH | L2 Ensure Configure Watson events is set to Disabled" +- name: "18.9.62.3.10.1 | PATCH | L2 | Ensure Set time limit for active but idle Remote Desktop Services sessions is set to Enabled 15 minutes or less" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Defender\Reporting - name: DisableGenericRePorts - data: 1 + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: MaxIdleTime + data: 3600000 type: dword when: - - rule_18_9_77_9_1 + - rule_18_9_62_3_10_1 tags: - level2-domaincontroller - level2-memberserver - - rule_18.9.77.9.1 + - rule_18.9.62.3.10.1 - patch -- name: "SCORED | 18.9.77.10.1 | PATCH | L1 Ensure Scan removable drives is set to Enabled" +- name: "18.9.62.3.10.2 | PATCH | L2 | Ensure Set time limit for disconnected sessions is set to Enabled 1 minute" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Defender\Scan - name: 
DisableRemovableDriveScanning - data: 0 + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: MaxDisconnectionTime + data: 28800000 type: dword when: - - rule_18_9_77_10_1 + - rule_18_9_62_3_10_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.77.10.1 + - level2-domaincontroller + - level2-memberserver + - rule_18.9.62.3.10.2 - patch -- name: "SCORED | 18.9.77.10.2 | PATCH | L1 Ensure Turn on e-mail scanning is set to Enabled" +- name: "18.9.62.3.11.1 | PATCH | L1 | Ensure Do not delete temp folders upon exit is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Defender\Scan - name: DisableEmailScanning - data: 0 + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: DeleteTempDirsOnExit + data: 1 type: dword when: - - rule_18_9_77_10_2 + - rule_18_9_62_3_11_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.77.10.2 + - rule_18.9.59.3.11.1 - patch -- name: "SCORED | 18.9.77.13.1.1 | PATCH | L1 Ensure Configure Attack Surface Reduction rules is set to Enabled" +- name: "18.9.62.3.11.2 | PATCH | L1 | Ensure Do not use temporary folders per session is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR - name: ExploitGuard_ASR_Rules + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: PerSessionTempDir data: 1 type: dword when: - - rule_18_9_77_13_1_1 + - rule_18_9_62_3_11_2 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.77.13.1.1 + - rule_18.9.62.3.11.2 - patch -- name: "SCORED | 18.9.77.13.1.2 | PATCH | L1 Ensure Configure Attack Surface Reduction rules Set the state for each ASR rule is configured" +- name: "18.9.63.1 | PATCH | L1 | Ensure Prevent downloading of enclosures is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules - name: "{{ item }}" + 
path: HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds + name: DisableEnclosureDownload data: 1 - type: string - loop: - - 26190899-1602-49e8-8b27-eb1d0a1ce869 - - 3b576869-a4ec-4529-8536-b80a7769e899 - - 5beb7efe-fd9a-4556-801d-275e5ffc04cc - - 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 - - 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c - - 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b - - 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 - - b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 - - be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 - - d3e037e1-3eb8-44c8-a917-57927947596d - - d4f940ab-401b-4efc-aadc-ad5f3c50688a + type: dword when: - - rule_18_9_77_13_1_2 + - rule_18_9_63_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.77.13.1.2 + - rule_18.9.63.1 - patch -- name: "SCORED | 18.9.77.13.3.1 | PATCH | L1 Ensure Prevent users and apps from accessing dangerous websites is set to Enabled Block" +- name: "18.9.64.2 | PATCH | L2 | Ensure Allow Cloud Search is set to Enabled Disable Cloud Search" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection - name: EnableNetworkProtection - data: 1 + path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search + name: AllowCloudSearch + data: 0 type: dword when: - - rule_18_9_77_13_3_1 + - rule_18_9_64_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.77.13.3.1 + - level2-domaincontroller + - level2-memberserver + - rule_18.9.64.2 - patch -- name: "SCORED | 18.9.77.14 | PATCH | L1 Ensure Configure detection for potentially unwanted applications is set to Enabled Block" +- name: "18.9.64.3 | PATCH | L1 | Ensure Allow indexing of encrypted files is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Defender - name: PUAProtection - data: 1 + path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search + name: AllowIndexingEncryptedStoresOrItems + data: 0 type: dword when: - - rule_18_9_77_14 + - rule_18_9_64_3 tags: - 
level1-domaincontroller - level1-memberserver - - rule_18.9.77.14 + - rule_18.9.64.3 - patch -- name: "SCORED | 18.9.77.15 | PATCH | L1 Ensure Turn off Windows Defender AntiVirus is set to Disabled" +- name: "18.9.69.1 | PATCH | L2 | Ensure Turn off KMS Client Online AVS Validation is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Defender - name: DisableAntiSpyware - data: 0 + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Currentversion\Software Protection Platform + name: NoGenTicket + data: 1 type: dword when: - - rule_18_9_77_15 + - rule_18_9_69_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.77.15 + - level2-domaincontroller + - level2-memberserver + - rule_18.9.66.1 - patch -- name: "SCORED | 18.9.80.1.1 | PATCH | L1 Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass" +- name: "18.9.80.1.1 | PATCH | L1 | Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass" block: - - name: "SCORED | 18.9.80.1.1 | PATCH | L1 Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass | EnableSmartScreen" + - name: "18.9.80.1.1 | PATCH | L1 | Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass | EnableSmartScreen" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\System name: EnableSmartScreen data: 1 type: dword - - name: "SCORED | 18.9.80.1.1 | PATCH | L1 Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass | ShellSmartScreenLevel" + - name: "18.9.80.1.1 | PATCH | L1 | Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass | ShellSmartScreenLevel" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\System name: ShellSmartScreenLevel 
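Review bot: Five tags on the new side still carry old or malformed benchmark IDs, so `--tags`/`--skip-tags` selection by control number silently skips or misroutes those hardening tasks: 18.9.45.4.3.1 tags `rule_18.9.45_4.3.1` (underscore for a dot), 18.9.45.10.1 tags `rule_18.9.77.9.1`, 18.9.62.3.9.2 tags `rule_18.9.59.3.9.2`, 18.9.62.3.11.1 tags `rule_18.9.59.3.11.1`, and 18.9.69.1 tags `rule_18.9.66.1`. Each tag should match its task's `when:` variable: `- rule_18.9.45.4.3.1`, `- rule_18.9.45.10.1`, `- rule_18.9.62.3.9.2`, `- rule_18.9.62.3.11.1`, `- rule_18.9.69.1`. Separately, the OneDrive task now gates on `rule_18_9_55_1`; if defaults/main.yml does not declare that variable, the `when:` evaluation fails with an undefined variable rather than enforcing the control. A lint step that compares every task's `when:` variable against its `rule_*` tag would catch this kind of drift before it reaches a hardening run.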
@@ -2363,7 +2353,7 @@ - rule_18.9.80.1.1 - patch -- name: "SCORED | 18.9.84.1 | PATCH | L2 Ensure Allow suggested apps in Windows Ink Workspace is set to Disabled" +- name: "18.9.84.1 | PATCH | L2 | Ensure Allow suggested apps in Windows Ink Workspace is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace name: AllowSuggestedAppsInWindowsInkWorkspace @@ -2377,7 +2367,7 @@ - rule_18.9.84.1 - patch -- name: "SCORED | 18.9.84.2 | PATCH | L1 Ensure Allow Windows Ink Workspace is set to Enabled On but disallow access above lock OR Disabled but not Enabled On" +- name: "18.9.84.2 | PATCH | L1 | Ensure Allow Windows Ink Workspace is set to Enabled On but disallow access above lock OR Disabled but not Enabled On" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace name: AllowWindowsInkWorkspace @@ -2391,7 +2381,7 @@ - rule_18.9.84.2 - patch -- name: "SCORED | 18.9.85.1 | PATCH | L1 Ensure Allow user control over installs is set to Disabled" +- name: "18.9.85.1 | PATCH | L1 | Ensure Allow user control over installs is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Installer name: EnableUserControl @@ -2405,7 +2395,7 @@ - rule_18.9.85.1 - patch -- name: "SCORED | 18.9.85.2 | PATCH | L1 Ensure Always install with elevated privileges is set to Disabled" +- name: "18.9.85.2 | PATCH | L1 | Ensure Always install with elevated privileges is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Installer name: AlwaysInstallElevated @@ -2419,7 +2409,7 @@ - rule_18.9.85.2 - patch -- name: "SCORED | 18.9.85.3 | PATCH | L2 Ensure Prevent Internet Explorer security prompt for Windows Installer scripts is set to Disabled" +- name: "18.9.85.3 | PATCH | L2 | Ensure Prevent Internet Explorer security prompt for Windows Installer scripts is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Installer name: SafeForScripting 
@@ -2433,7 +2423,7 @@ - rule_18.9.85.3 - patch -- name: "SCORED | 18.9.86.1 | PATCH | L1 Ensure Sign-in last interactive user automatically after a system-initiated restart is set to Disabled" +- name: "18.9.86.1 | PATCH | L1 | Ensure Sign-in last interactive user automatically after a system-initiated restart is set to Disabled" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: DisableAutomaticRestartSignOn @@ -2447,7 +2437,7 @@ - rule_18.9.86.1 - patch -- name: "SCORED | 18.9.95.1 | PATCH | L1 Ensure Turn on PowerShell Script Block Logging is set to Disabled" +- name: "18.9.95.1 | PATCH | L1 | Ensure Turn on PowerShell Script Block Logging is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Scriptblocklogging name: EnableScriptBlockLogging @@ -2461,7 +2451,7 @@ - rule_18.9.95.1 - patch -- name: "SCORED | 18.9.95.2 | PATCH | L1 Ensure Turn on PowerShell Transcription is set to Disabled" +- name: "18.9.95.2 | PATCH | L1 | Ensure Turn on PowerShell Transcription is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Transcription name: EnableTranscripting @@ -2475,7 +2465,7 @@ - rule_18.9.95.2 - patch -- name: "SCORED | 18.9.97.1.1 | PATCH | L1 Ensure Allow Basic authentication is set to Disabled" +- name: "18.9.97.1.1 | PATCH | L1 | Ensure Allow Basic authentication is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client name: AllowBasic @@ -2490,7 +2480,7 @@ - rule_18.9.97.1.1 - patch -- name: "SCORED | 18.9.97.1.2 | PATCH | L1 Ensure Allow unencrypted traffic is set to Disabled" +- name: "18.9.97.1.2 | PATCH | L1 | Ensure Allow unencrypted traffic is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client name: AllowUnencryptedTraffic 
@@ -2505,7 +2495,7 @@ - rule_18.9.97.1.2 - patch -- name: "SCORED | 18.9.97.1.3 | PATCH | L1 Ensure Disallow Digest authentication is set to Enabled" +- name: "18.9.97.1.3 | PATCH | L1 | Ensure Disallow Digest authentication is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client name: AllowDigest @@ -2519,7 +2509,7 @@ - rule_18.9.97.1.3 - patch -- name: "SCORED | 18.9.97.2.1 | PATCH | L1 Ensure Allow Basic authentication is set to Disabled" +- name: "18.9.97.2.1 | PATCH | L1 | Ensure Allow Basic authentication is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service name: AllowBasic @@ -2535,7 +2525,7 @@ - patch # This control will have to be set to Enabled (1) to allow for continued remote management via Ansible following machine restart -- name: "SCORED | 18.9.97.2.2 | PATCH | L2 Ensure Allow remote server management through WinRM is set to Disabled" +- name: "18.9.97.2.2 | PATCH | L2 | Ensure Allow remote server management through WinRM is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service name: AllowAutoConfig @@ -2550,7 +2540,7 @@ - rule_18.9.97.2.2 - patch -- name: "SCORED | 18.9.97.2.3 | PATCH | L1 Ensure Allow unencrypted traffic is set to Disabled" +- name: "18.9.97.2.3 | PATCH | L1 | Ensure Allow unencrypted traffic is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service name: AllowUnencryptedTraffic @@ -2565,7 +2555,7 @@ - rule_18.9.97.2.3 - patch -- name: "SCORED | 18.9.97.2.4 | PATCH | L1 Ensure Disallow WinRM from storing RunAs credentials is set to Enabled" +- name: "18.9.97.2.4 | PATCH | L1 | Ensure Disallow WinRM from storing RunAs credentials is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service name: DisableRunAs 
@@ -2580,7 +2570,7 @@ - patch # This control will have to be set to Enabled (1) to allow for continued remote management via Ansible following machine restart -- name: "SCORED | 18.9.98.1 | PATCH | L2 Ensure Allow Remote Shell Access is set to Disabled" +- name: "18.9.98.1 | PATCH | L2 | Ensure Allow Remote Shell Access is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service\Winrs name: AllowRemoteShellAccess @@ -2595,7 +2585,7 @@ - rule_18.9.98.1 - patch -- name: "SCORED | 18.9.99.2.1 | PATCH | L1 Ensure Prevent users from modifying settings is set to Enabled" +- name: "18.9.99.2.1 | PATCH | L1 | Ensure Prevent users from modifying settings is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Defender Security Center\App and Browser protection name: DisallowExploitProtectionOverride @@ -2609,16 +2599,16 @@ - rule_18.9.99.2.1 - patch -- name: "SCORED | 18.9.102.1.1 | PATCH | L1 Ensure Manage preview builds is set to Enabled Disable preview builds" +- name: "18.9.102.1.1 | PATCH | L1 | Ensure Manage preview builds is set to Enabled Disable preview builds" block: - - name: "SCORED | 18.9.102.1.1 | PATCH | L1 Ensure Manage preview builds is set to Enabled Disable preview builds | ManagePreviewBuilds" + - name: "18.9.102.1.1 | PATCH | L1 | Ensure Manage preview builds is set to Enabled Disable preview builds | ManagePreviewBuilds" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate name: ManagePreviewBuilds data: 1 type: dword - - name: "SCORED | 18.9.102.1.1 | PATCH | L1 Ensure Manage preview builds is set to Enabled Disable preview builds | ManagePreviewBuilds" + - name: "18.9.102.1.1 | PATCH | L1 | Ensure Manage preview builds is set to Enabled Disable preview builds | ManagePreviewBuilds" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate name: ManagePreviewBuildsPolicyValue 
@@ -2632,23 +2622,23 @@ - rule_18.9.102.1.1 - patch -- name: "SCORED | 18.9.102.1.2 | PATCH | L1 Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days" +- name: "18.9.102.1.2 | PATCH | L1 | Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days" block: - - name: "SCORED | 18.9.102.1.2 | PATCH | L1 Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days | DeferFeatureUpdates" + - name: "18.9.102.1.2 | PATCH | L1 | Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days | DeferFeatureUpdates" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate name: DeferFeatureUpdates data: 1 type: dword - - name: "SCORED | 18.9.102.1.2 | PATCH | L1 Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days | DeferFeatureUpdatesPeriodInDays" + - name: "18.9.102.1.2 | PATCH | L1 | Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days | DeferFeatureUpdatesPeriodInDays" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate name: DeferFeatureUpdatesPeriodInDays data: 180 type: dword - - name: "SCORED | 18.9.102.1.2 | PATCH | L1 Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days | BranchReadinessLevel" + - name: "18.9.102.1.2 | PATCH | L1 | Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days | BranchReadinessLevel" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate name: BranchReadinessLevel 
@@ -2662,16 +2652,16 @@ - rule_18.9.102.1.2 - patch -- name: "SCORED | 18.9.102.1.3 | PATCH | L1 Ensure Select when Quality Updates are received is set to Enabled 0 days" +- name: "18.9.102.1.3 | PATCH | L1 | Ensure Select when Quality Updates are received is set to Enabled 0 days" block: - - name: "SCORED | 18.9.102.1.3 | PATCH | L1 Ensure Select when Quality Updates are received is set to Enabled 0 days | DeferQualityUpdates" + - name: "18.9.102.1.3 | PATCH | L1 | Ensure Select when Quality Updates are received is set to Enabled 0 days | DeferQualityUpdates" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate name: DeferQualityUpdates data: 1 type: dword - - name: "SCORED | 18.9.102.1.3 | PATCH | L1 Ensure Select when Quality Updates are received is set to Enabled 0 days | DeferQualityUpdatesPeriodInDays" + - name: "18.9.102.1.3 | PATCH | L1 | Ensure Select when Quality Updates are received is set to Enabled 0 days | DeferQualityUpdatesPeriodInDays" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate name: DeferQualityUpdatesPeriodInDays @@ -2685,7 +2675,7 @@ - rule_18.9.102.1.3 - patch -- name: "SCORED | 18.9.102.2 | PATCH | L1 Ensure Configure Automatic Updates is set to Enabled" +- name: "18.9.102.2 | PATCH | L1 | Ensure Configure Automatic Updates is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au name: NoAutoUpdate @@ -2699,7 +2689,7 @@ - rule_18.9.102.2 - patch -- name: "SCORED | 18.9.102.3 | PATCH | L1 Ensure Configure Automatic Updates Scheduled install day is set to 0 - Every day" +- name: "18.9.102.3 | PATCH | L1 | Ensure Configure Automatic Updates Scheduled install day is set to 0 - Every day" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au name: ScheduledInstallDay 
@@ -2713,7 +2703,7 @@ - rule_18.9.102.3 - patch -- name: "SCORED | 18.9.102.4 | PATCH | L1 Ensure No auto-restart with logged on users for scheduled automatic updates installations is set to Disabled" +- name: "18.9.102.4 | PATCH | L1 | Ensure No auto-restart with logged on users for scheduled automatic updates installations is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au name: NoAutoRebootWithLoggedOnUsers diff --git a/tasks/section19.yml b/tasks/section19.yml index b5db2dc..ec36eee 100644 --- a/tasks/section19.yml +++ b/tasks/section19.yml @@ -1,14 +1,14 @@ --- -- name: "SCORED | 19.1.3.1 | PATCH | L1 Ensure Enable screen saver is set to Enabled" +- name: "19.1.3.1 | PATCH | L1 | Ensure Enable screen saver is set to Enabled" block: - - name: "SCORED | 19.1.3.1 | PATCH | L1 Ensure Enable screen saver is set to Enabled" + - name: "19.1.3.1 | PATCH | L1 | Ensure Enable screen saver is set to Enabled" win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop name: ScreenSaveActive data: 1 type: string - - name: "SCORED | 19.1.3.1 | PATCH | L1 Ensure Enable screen saver is set to Enabled" + - name: "19.1.3.1 | PATCH | L1 | Ensure Enable screen saver is set to Enabled" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop name: ScreenSaveActive 
@@ -22,16 +22,16 @@ - rule_19.1.3.1 - patch -- name: "SCORED | 19.1.3.2 | PATCH | L1 Ensure Force specific screen saver Screen saver executable name is set to Enabled scrnsave.scr" +- name: "19.1.3.2 | PATCH | L1 | Ensure Force specific screen saver Screen saver executable name is set to Enabled scrnsave.scr" block: - - name: "SCORED | 19.1.3.2 | PATCH | L1 Ensure Force specific screen saver Screen saver executable name is set to Enabled scrnsave.scr" + - name: "19.1.3.2 | PATCH | L1 | Ensure Force specific screen saver Screen saver executable name is set to Enabled scrnsave.scr" win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop name: SCRNSAVE.EXE data: scrnsave.scr type: string - - name: "SCORED | 19.1.3.2 | PATCH | L1 Ensure Force specific screen saver Screen saver executable name is set to Enabled scrnsave.scr" + - name: "19.1.3.2 | PATCH | L1 | Ensure Force specific screen saver Screen saver executable name is set to Enabled scrnsave.scr" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop name: SCRNSAVE.EXE @@ -45,16 +45,16 @@ - rule_19.1.3.2 - patch -- name: "SCORED | 19.1.3.3 | PATCH | L1 Ensure Password protect the screen saver is set to Enabled" +- name: "19.1.3.3 | PATCH | L1 | Ensure Password protect the screen saver is set to Enabled" block: - - name: "SCORED | 19.1.3.3 | PATCH | L1 Ensure Password protect the screen saver is set to Enabled" + - name: "19.1.3.3 | PATCH | L1 | Ensure Password protect the screen saver is set to Enabled" win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop name: ScreenSaverIsSecure data: 1 type: string - - name: "SCORED | 19.1.3.3 | PATCH | L1 Ensure Password protect the screen saver is set to Enabled" + - name: "19.1.3.3 | PATCH | L1 | Ensure Password protect the screen saver is set to Enabled" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop name: ScreenSaverIsSecure 
@@ -68,16 +68,16 @@ - rule_19.1.3.3 - patch -- name: "SCORED | 19.1.3.4 | PATCH | L1 Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" +- name: "19.1.3.4 | PATCH | L1 | Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" block: - - name: "SCORED | 19.1.3.4 | PATCH | L1 Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" + - name: "19.1.3.4 | PATCH | L1 | Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop name: ScreenSaveTimeOut data: 900 type: string - - name: "SCORED | 19.1.3.4 | PATCH | L1 Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" + - name: "19.1.3.4 | PATCH | L1 | Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop name: ScreenSaveTimeOut 
@@ -91,16 +91,16 @@ - rule_19.1.3.4 - patch -- name: "SCORED | 19.5.1.1 | PATCH | L1 Ensure Turn off toast notifications on the lock screen is set to Enabled" +- name: "19.5.1.1 | PATCH | L1 | Ensure Turn off toast notifications on the lock screen is set to Enabled" block: - - name: "SCORED | 19.5.1.1 | PATCH | L1 Ensure Turn off toast notifications on the lock screen is set to Enabled" + - name: "19.5.1.1 | PATCH | L1 | Ensure Turn off toast notifications on the lock screen is set to Enabled" win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Currentversion\Pushnotifications name: NoToastApplicationNotificationOnLockScreen data: 1 type: dword - - name: "SCORED | 19.5.1.1 | PATCH | L1 Ensure Turn off toast notifications on the lock screen is set to Enabled" + - name: "19.5.1.1 | PATCH | L1 | Ensure Turn off toast notifications on the lock screen is set to Enabled" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\Currentversion\Pushnotifications name: NoToastApplicationNotificationOnLockScreen @@ -114,16 +114,16 @@ - rule_19.5.1.1 - patch -- name: "SCORED | 19.6.6.1.1 | PATCH | L2 Ensure Turn off Help Experience Improvement Program is set to Enabled" +- name: "19.6.6.1.1 | PATCH | L2 | Ensure Turn off Help Experience Improvement Program is set to Enabled" block: - - name: "SCORED | 19.6.6.1.1 | PATCH | L2 Ensure Turn off Help Experience Improvement Program is set to Enabled" + - name: "19.6.6.1.1 | PATCH | L2 | Ensure Turn off Help Experience Improvement Program is set to Enabled" win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Assistance\Client\1.0 name: NoImplicitFeedback data: 1 type: dword - - name: "SCORED | 19.6.6.1.1 | PATCH | L2 Ensure Turn off Help Experience Improvement Program is set to Enabled" + - name: "19.6.6.1.1 | PATCH | L2 | Ensure Turn off Help Experience Improvement Program is set to Enabled" win_regedit: path: HKCU:\Software\Policies\Microsoft\Assistance\Client\1.0 name: NoImplicitFeedback 
@@ -137,16 +137,16 @@ - rule_19.6.6.1.1 - patch -- name: "SCORED | 19.7.4.1 | PATCH | L1 Ensure Do not preserve zone information in file attachments is set to Disabled" +- name: "19.7.4.1 | PATCH | L1 | Ensure Do not preserve zone information in file attachments is set to Disabled" block: - - name: "SCORED | 19.7.4.1 | PATCH | L1 Ensure Do not preserve zone information in file attachments is set to Disabled" + - name: "19.7.4.1 | PATCH | L1 | Ensure Do not preserve zone information in file attachments is set to Disabled" win_regedit: path: HKU:\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments name: SaveZoneInformation data: 2 type: dword - - name: "SCORED | 19.7.4.1 | PATCH | L1 Ensure Do not preserve zone information in file attachments is set to Disabled" + - name: "19.7.4.1 | PATCH | L1 | Ensure Do not preserve zone information in file attachments is set to Disabled" win_regedit: path: HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments name: SaveZoneInformation 
@@ -160,16 +160,16 @@ - rule_19.7.4.1 - patch -- name: "SCORED | 19.7.4.2 | PATCH | L1 Ensure Notify antivirus programs when opening attachments is set to Enabled" +- name: "19.7.4.2 | PATCH | L1 | Ensure Notify antivirus programs when opening attachments is set to Enabled" block: - - name: "SCORED | 19.7.4.2 | PATCH | L1 Ensure Notify antivirus programs when opening attachments is set to Enabled" + - name: "19.7.4.2 | PATCH | L1 | Ensure Notify antivirus programs when opening attachments is set to Enabled" win_regedit: path: HKU:\.DEFAULT\Software\Microsoft\Windows\Currentversion\Policies\Attachments name: ScanWithAntiVirus data: 3 type: dword - - name: "SCORED | 19.7.4.2 | PATCH | L1 Ensure Notify antivirus programs when opening attachments is set to Enabled" + - name: "19.7.4.2 | PATCH | L1 | Ensure Notify antivirus programs when opening attachments is set to Enabled" win_regedit: path: HKCU:\Software\Microsoft\Windows\Currentversion\Policies\Attachments name: ScanWithAntiVirus 
@@ -183,163 +183,163 @@ - rule_19.7.4.2 - patch -- name: "SCORED | 19.7.7.1 | PATCH | L1 Ensure Configure Windows spotlight on lock screen is set to Disabled" +- name: "19.7.8.1 | PATCH | L1 | Ensure Configure Windows spotlight on lock screen is set to Disabled" block: - - name: "SCORED | 19.7.7.1 | PATCH | L1 Ensure Configure Windows spotlight on lock screen is set to Disabled" + - name: "19.7.8.1 | PATCH | L1 | Ensure Configure Windows spotlight on lock screen is set to Disabled" win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent name: ConfigureWindowsSpotlight data: 2 type: dword - - name: "SCORED | 19.7.7.1 | PATCH | L1 Ensure Configure Windows spotlight on lock screen is set to Disabled" + - name: "19.7.8.1 | PATCH | L1 | Ensure Configure Windows spotlight on lock screen is set to Disabled" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent name: ConfigureWindowsSpotlight data: 2 type: dword when: - - rule_19_7_7_1 + - rule_19_7_8_1 tags: - level1-domaincontroller - level1-memberserver - - rule_19.7.7.1 + - rule_19.7.8.1 - patch -- name: "SCORED | 19.7.7.2 | PATCH | L1 Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" +- name: "19.7.8.2 | PATCH | L1 | Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" block: - - name: "SCORED | 19.7.7.2 | PATCH | L1 Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" + - name: "19.7.8.2 | PATCH | L1 | Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent name: DisableThirdPartySuggestions data: 1 type: dword - - name: "SCORED | 19.7.7.2 | PATCH | L1 Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" + - name: "19.7.8.2 | PATCH | L1 | Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" win_regedit: path: 
HKCU:\Software\Policies\Microsoft\Windows\CloudContent name: DisableThirdPartySuggestions data: 1 type: dword when: - - rule_19_7_7_2 + - rule_19_7_8_2 tags: - level1-domaincontroller - level1-memberserver - - rule_19.7.7.2 + - rule_19.7.8.2 - patch -- name: "SCORED | 19.7.7.3 | PATCH | L2 Ensure Do not use diagnostic data for tailored experiences is set to Enabled" +- name: "19.7.8.3 | PATCH | L2 | Ensure Do not use diagnostic data for tailored experiences is set to Enabled" block: - - name: "SCORED | 19.7.7.3 | PATCH | L2 Ensure Do not use diagnostic data for tailored experiences is set to Enabled" + - name: "19.7.8.3 | PATCH | L2 | Ensure Do not use diagnostic data for tailored experiences is set to Enabled" win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent name: DisableTailoredExperiencesWithDiagnosticData data: 1 type: dword - - name: "SCORED | 19.7.7.3 | PATCH | L2 Ensure Do not use diagnostic data for tailored experiences is set to Enabled" + - name: "19.7.8.3 | PATCH | L2 | Ensure Do not use diagnostic data for tailored experiences is set to Enabled" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent name: DisableTailoredExperiencesWithDiagnosticData data: 1 type: dword when: - - rule_19_7_7_3 + - rule_19_7_8_3 tags: - level2-domaincontroller - level2-memberserver - - rule_19.7.7.3 + - rule_19.7.8.3 - patch -- name: "SCORED | 19.7.7.4 | PATCH | L2 Ensure Turn off all Windows spotlight features is set to Enabled" +- name: "19.7.8.4 | PATCH | L2 | Ensure Turn off all Windows spotlight features is set to Enabled" block: - - name: "SCORED | 19.7.7.4 | PATCH | L2 Ensure Turn off all Windows spotlight features is set to Enabled" + - name: "19.7.8.4 | PATCH | L2 | Ensure Turn off all Windows spotlight features is set to Enabled" win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent name: DisableWindowsSpotlightFeatures data: 1 type: dword - - name: "SCORED | 19.7.7.4 | PATCH | L2 
Ensure Turn off all Windows spotlight features is set to Enabled" + - name: "19.7.8.4 | PATCH | L2 | Ensure Turn off all Windows spotlight features is set to Enabled" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent name: DisableWindowsSpotlightFeatures data: 1 type: dword when: - - rule_19_7_7_4 + - rule_19_7_8_4 tags: - level2-domaincontroller - level2-memberserver - - rule_19.7.7.4 + - rule_19.7.8.4 - patch -- name: "SCORED | 19.7.26.1 | PATCH | L1 Ensure Prevent users from sharing files within their profile. is set to Enabled" +- name: "19.7.28.1 | PATCH | L1 | Ensure Prevent users from sharing files within their profile. is set to Enabled" block: - - name: "SCORED | 19.7.26.1 | PATCH | L1 Ensure Prevent users from sharing files within their profile. is set to Enabled" + - name: "19.7.28.1 | PATCH | L1 | Ensure Prevent users from sharing files within their profile. is set to Enabled" win_regedit: path: HKU:\.DEFAULT\Software\Microsoft\Windows\Currentversion\Policies\Explorer name: NoInplaceSharing data: 1 type: dword - - name: "SCORED | 19.7.26.1 | PATCH | L1 Ensure Prevent users from sharing files within their profile. is set to Enabled" + - name: "19.7.28.1 | PATCH | L1 | Ensure Prevent users from sharing files within their profile. 
is set to Enabled" win_regedit: path: HKCU:\Software\Microsoft\Windows\Currentversion\Policies\Explorer name: NoInplaceSharing data: 1 type: dword when: - - rule_19_7_26_1 + - rule_19_7_28_1 tags: - level1-domaincontroller - level1-memberserver - - rule_19.7.26.1 + - rule_19.7.28.1 - patch -- name: "SCORED | 19.7.41.1 | PATCH | L1 Ensure Always install with elevated privileges is set to Disabled" +- name: "19.7.43.1 | PATCH | L1 | Ensure Always install with elevated privileges is set to Disabled" block: - - name: "SCORED | 19.7.41.1 | PATCH | L1 Ensure Always install with elevated privileges is set to Disabled" + - name: "19.7.43.1 | PATCH | L1 | Ensure Always install with elevated privileges is set to Disabled" win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Installer name: AlwaysInstallElevated data: 0 type: dword - - name: "SCORED | 19.7.41.1 | PATCH | L1 Ensure Always install with elevated privileges is set to Disabled" + - name: "19.7.43.1 | PATCH | L1 | Ensure Always install with elevated privileges is set to Disabled" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\Installer name: AlwaysInstallElevated data: 0 type: dword when: - - rule_19_7_41_1 + - rule_19_7_43_1 tags: - level1-domaincontroller - level1-memberserver - - rule_19.7.41.1 + - rule_19.7.43.1 - patch -- name: "SCORED | 19.7.45.2.1 | PATCH | L2 Ensure Prevent Codec Download is set to Enabled" +- name: "19.7.47.2.1 | PATCH | L2 | Ensure Prevent Codec Download is set to Enabled" block: - - name: "SCORED | 19.7.45.2.1 | PATCH | L2 Ensure Prevent Codec Download is set to Enabled" + - name: "19.7.47.2.1 | PATCH | L2 | Ensure Prevent Codec Download is set to Enabled" win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windowsmediaplayer name: PreventCodecDownload data: 1 type: dword - - name: "SCORED | 19.7.45.2.1 | PATCH | L2 Ensure Prevent Codec Download is set to Enabled" + - name: "19.7.47.2.1 | PATCH | L2 | Ensure Prevent Codec Download is set to Enabled" 
win_regedit: path: HKCU:\Software\Policies\Microsoft\Windowsmediaplayer name: PreventCodecDownload data: 1 type: dword when: - - rule_19_7_45_2_1 + - rule_19_7_47_2_1 tags: - level2-domaincontroller - level2-memberserver - - rule_19.7.45.2.1 + - rule_19.7.47.2.1 - patch From dff50cada23ef2e810e540c822861b12463e60b4 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 16 Nov 2021 09:38:14 +0000 Subject: [PATCH 04/32] Issue #47 addressed Signed-off-by: Mark Bolwell --- tasks/section18.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/section18.yml b/tasks/section18.yml index ab10bcc..4b1f2be 100644 --- a/tasks/section18.yml +++ b/tasks/section18.yml @@ -536,8 +536,8 @@ when: - rule_18_5_10_2 tags: - - level1-domaincontroller - - level1-memberserver + - level2-domaincontroller + - level2-memberserver - rule_18.5.10.2 - patch From a8d4341934596cb6f1dcc40e02909285be851c8a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 16 Nov 2021 09:57:12 +0000 Subject: [PATCH 05/32] fix error on prelim Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 5cc2d06..78e5527 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -19,8 +19,6 @@ win2019cis_is_domain_member: true when: - ansible_windows_domain_role == 'Member server' - when: - - run_audit - name: Get Windows installation type win_reg_stat: From a49ab75b1d19908dc8b2ece370bc563bcc2b19ed Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 16 Nov 2021 10:49:43 +0000 Subject: [PATCH 06/32] fixed control id Signed-off-by: Mark Bolwell --- defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 9550b78..ce56956 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
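Review bot: The renumbered `when:` conditions in this hunk (`rule_19_7_8_1` … `rule_19_7_8_4`, `rule_19_7_28_1`, `rule_19_7_43_1`, `rule_19_7_47_2_1`) only evaluate if defaults/main.yml defines the new variable names; the defaults hunk for the section-19 variables is not in this view, and an undefined variable inside a `when:` aborts the play for every host rather than skipping the control. Before merging, confirm each new `rule_19_7_*` name has a matching `rule_19_7_*: true` default and that the old names (`rule_19_7_7_*`, `rule_19_7_26_1`, `rule_19_7_41_1`, `rule_19_7_45_2_1`) are removed so they do not linger as dead, misleading switches. The hunk also drops the `SCORED |` prefix and inserts the `| L1 |` separator, which is consistent with the other section files in this series.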
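Review bot: Moving `rule_18.5.10.2` from the `level1-*` to the `level2-*` tags changes which hosts receive the control: a run invoked with `--tags level1-memberserver` now silently skips it. The task `name:` is above this hunk and cannot be seen here; if it still carries an `L1` label it should be changed to `L2` in the same commit so the tag and the label agree, and the level change is worth a line in the changelog since it alters the effect of an existing level-1 run.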
@@ -371,7 +371,7 @@ rule_18_9_26_4_2: true
 rule_18_9_30_2: true
 rule_18_9_30_3: true
 rule_18_9_30_4: true
-rule_18_9_39_2: true
+rule_18_9_39_1: true
 rule_18_9_43_1: true
 rule_18_9_44_1: true
 rule_18_9_45_3_1: true
@@ -385,7 +385,7 @@ rule_18_9_45_11_1: true
 rule_18_9_45_11_2: true
 rule_18_9_45_14: true
 rule_18_9_45_15: true
-rule_18_9_52_1: true
+rule_18_9_55_1: true
 rule_18_9_62_2_2: true
 rule_18_9_62_3_2_1: true
 rule_18_9_62_3_3_1: true
From acccfae199c062cdc20f375a559a1465d84d1bb3 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Tue, 23 Nov 2021 12:11:30 +0000
Subject: [PATCH 07/32] Add control 18_9_13_2
Signed-off-by: Mark Bolwell
---
 defaults/main.yml | 1 +
 tasks/section18.yml | 20 +++++++++++++++++---
 2 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index ce56956..52c934d 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -353,6 +353,7 @@ rule_18_9_8_3: true
 rule_18_9_10_1_1: true
 rule_18_9_12_1: true
 rule_18_9_13_1: true
+rule_18_9_13_2: true
 rule_18_9_14_1: true
 rule_18_9_15_1: true
 rule_18_9_15_2: true
diff --git a/tasks/section18.yml b/tasks/section18.yml
index 4b1f2be..591372f 100644
--- a/tasks/section18.yml
+++ b/tasks/section18.yml
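Review bot: Renaming `rule_18_9_39_2` to `rule_18_9_39_1` and `rule_18_9_52_1` to `rule_18_9_55_1` touches only defaults/main.yml (the diffstat lists one file), so any task in tasks/section18.yml whose `when:` still references the old names now fails with an undefined variable, and if those tasks already used the new names they were unreachable until this commit. A `grep -rn 'rule_18_9_39_2\|rule_18_9_52_1' tasks/` before merging would show which case applies; either way the defaults rename and the task-side `when:`/tag rename belong in the same commit so the role never ships with the two out of step.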
@@ -1576,18 +1576,32 @@
 - rule_18.9.12.1
 - patch
-- name: "18.9.13.1 | PATCH | L1 | Ensure Turn off Microsoft consumer experiences is set to Enabled"
+- name: "18.9.13.1 | PATCH | L2 | Ensure Turn off Microsoft consumer experiences is set to Enabled"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\Cloudcontent
- name: DisableWindowsConsumerFeatures
+ name: DisableCloudOptimizedContent
 data: 1
 type: dword
 when:
 - rule_18_9_13_1
+ tags:
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.9.13.1
+ - patch
+
+- name: "18.9.13.2 | PATCH | L1 | Ensure Turn off Microsoft consumer experiences is set to Enabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Cloudcontent
+ name: DisableWindowsConsumerFeatures
+ data: 1
+ type: dword
+ when:
+ - rule_18_9_13_2
 tags:
 - level1-domaincontroller
 - level1-memberserver
- - rule_18.9.13.1
+ - rule_18.9.13.2
 - patch
 - name: "18.9.14.1 | PATCH | L1 | Ensure Require pin for pairing is set to Enabled First Time OR Enabled Always"
From 384ef6b3c4390475bc6511ad2a33fce7f1fc8691 Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Wed, 8 Dec 2021 15:07:50 -0500
Subject: [PATCH 08/32] Updated 2.3.10.9 and 2.3.9.5
Signed-off-by: George Nalen
---
 tasks/section02.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/tasks/section02.yml b/tasks/section02.yml
index 314c2d4..2f8b9a3 100644
--- a/tasks/section02.yml
+++ b/tasks/section02.yml
@@ -1194,7 +1194,8 @@
 type: dword
 when:
 - rule_2_3_9_5
- - ansible_windows_domain_role == "Member server"
+ - ansible_windows_domain_role == "Member server" or
+ ansible_windows_domain_role == "Stand-alone server"
 tags:
 - level1-memberserver
 - rule_2.3.9.5
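Review bot: The 18.9.13.1 task now writes `DisableCloudOptimizedContent` but keeps the description "Ensure Turn off Microsoft consumer experiences is set to Enabled", which is word-for-word the name of the new 18.9.13.2 task that writes `DisableWindowsConsumerFeatures`; in play output and in any audit report keyed on task names the two controls are indistinguishable, and the 18.9.13.1 name describes a value it no longer sets. Rename it after the value it writes, e.g. `- name: "18.9.13.1 | PATCH | L2 | Ensure Turn off cloud optimized content is set to Enabled"`. The level and tag move (L2, `level2-*`) for 18.9.13.1 and the `level1-*` tags on 18.9.13.2 are consistent with each other.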
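Review bot: The new condition for 2.3.9.5 relies on YAML plain-scalar folding to join `ansible_windows_domain_role == "Member server" or` with the continuation line `ansible_windows_domain_role == "Stand-alone server"` into one string; it parses correctly, but a reader (and yamllint's indentation check) can easily take the second line for a separate, AND-ed list entry, which would invert the intent. A single-line membership test is unambiguous and needs no folding: `- ansible_windows_domain_role in ["Member server", "Stand-alone server"]`. The tags still list only `level1-memberserver`, which matches the control applying to non-domain-controller hosts.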
@@ -1315,7 +1316,7 @@
 win_regedit:
 path: HKLM:\System\Currentcontrolset\Control\Securepipeservers\Winreg\Allowedpaths
 name: "Machine"
- data: ['System\CurrentControlSet\Control\Print\Printers', 'System\CurrentControlSet\Services\Eventlog', 'Software\Microsoft\OLAP Server', 'Software\Microsoft\Windows NT\CurrentVersion\Print', 'Software\Microsoft\Windows NT\CurrentVersion\Windows', 'System\CurrentControlSet\Control\ContentIndex', 'System\CurrentControlSet\Control\Terminal Server', 'System\CurrentControlSet\Control\Terminal Server\UserConfig', 'System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration', 'Software\Microsoft\Windows NT\CurrentVersion\Perflib', 'System\CurrentControlSet\Services\WINS', 'System\CurrentControlSet\Services\CertSvc']
+ data: ['System\CurrentControlSet\Control\Print\Printers', 'System\CurrentControlSet\Services\Eventlog', 'Software\Microsoft\OLAP Server', 'Software\Microsoft\Windows NT\CurrentVersion\Print', 'Software\Microsoft\Windows NT\CurrentVersion\Windows', 'System\CurrentControlSet\Control\ContentIndex', 'System\CurrentControlSet\Control\Terminal Server', 'System\CurrentControlSet\Control\Terminal Server\UserConfig', 'System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration', 'Software\Microsoft\Windows NT\CurrentVersion\Perflib', 'System\CurrentControlSet\Services\WINS', 'System\CurrentControlSet\Services\CertSvc', 'System\CurrentControlSet\Services\SysmonLog']
 type: multistring
 when:
 - rule_2_3_10_9
From 07ec2f8b27cff128a7efc22d79064efb33fda68c Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Wed, 8 Dec 2021 15:52:09 -0500
Subject: [PATCH 09/32] updated 17.1.1, 17.6.4, 17.2.1, 17.6.2, and 17.7.5
Signed-off-by: George Nalen
---
 tasks/section17.yml | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/tasks/section17.yml b/tasks/section17.yml
index 9973983..0ce9e4f 100644
--- a/tasks/section17.yml
+++ b/tasks/section17.yml
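Review bot: The `data:` value for `Allowedpaths\Machine` is a single flow-style list of thirteen entries on one line, so the only real change here — appending `'System\CurrentControlSet\Services\SysmonLog'` — cannot be seen without a word-level diff tool, and every future addition will conflict on the same line. This list is an allowlist of registry paths readable by remote clients, so each entry should be individually reviewable: write it as a block sequence (one `- 'System\...'` item per line, same strings, same `type: multistring`) and put a one-line comment above it such as `# Paths as listed in CIS 2.3.10.9 (remotely accessible registry paths and sub-paths)` so a reviewer can tell an upstream-benchmark entry from a local addition.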
@@ -18,7 +18,6 @@
 changed_when: "'Failure' not in rule_17_1_1_audit.stdout"
 when:
 - rule_17_1_1
- - ansible_windows_domain_role == "Primary domain controller"
 tags:
 - level1-domaincontroller
 - level1-memberserver
@@ -74,21 +73,20 @@
 - name: " 17.2.1 | PATCH | L1 | Ensure Audit Application Group Management is set to Success and Failure"
 block:
 - name: " 17.2.1 | AUDIT | L1 | Ensure Audit Application Group Management is set to Success and Failure"
- win_shell: AuditPol /get /subcategory:"Security Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ win_shell: AuditPol /get /subcategory:"Application Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 register: rule_17_2_1_audit
 changed_when: false
 failed_when: false
 - name: " 17.2.1 | PATCH | L1 | Ensure Audit Application Group Management is set to Success and Failure | Success"
- win_shell: AuditPol /set /subcategory:"Security Group Management" /success:enable
+ win_shell: AuditPol /set /subcategory:"Application Group Management" /success:enable
 when: "'Success' not in rule_17_2_1_audit.stdout"
 - name: " 17.2.1 | PATCH | L1 | Ensure Audit Application Group Management is set to Success and Failure | Failure"
- win_shell: AuditPol /set /subcategory:"Security Group Management" /failure:enable
+ win_shell: AuditPol /set /subcategory:"Application Group Management" /failure:enable
 when: "'Failure' not in rule_17_2_1_audit.stdout"
 when:
 - rule_17_2_1
- - ansible_windows_domain_role == "Primary domain controller"
 tags:
 - level1-domaincontroller
 - level1-memberserver
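Review bot: The subcategory correction for 17.2.1 is right, but `failed_when: false` on the AUDIT step is what lets this class of mistake stay hidden: if AuditPol rejects the subcategory name, `rule_17_2_1_audit.stdout` is empty, both `'Success' not in` and `'Failure' not in` evaluate true, and the two `/set` tasks run on every play without the audit ever having checked anything. Change it to `failed_when: rule_17_2_1_audit.rc != 0` so a bad subcategory fails the audit loudly (AuditPol is expected to exit non-zero on an unknown subcategory — confirm on a test host); the 17.1.1 hunk above uses the same pattern. The original error here was a valid-but-wrong name, which no return code catches; keeping the subcategory string in one place per control (a `vars:` entry on the block, referenced by all three commands) would at least stop the three copies drifting apart. Removing the `Primary domain controller` condition in both hunks is consistent with the `level1-memberserver` tag the tasks already carried.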
@@ -418,6 +416,10 @@
 failed_when: false
 register: rule_17_6_2_audit
+ - name: " 17.6.2 | PATCH | L1 | Ensure Audit File Share is set to Success and Failure"
+ win_shell: AuditPol /set /subcategory:"File Share" /success:enable
+ when: "'Success' not in rule_17_6_2_audit.stdout"
+
 - name: " 17.6.2 | PATCH | L1 | Ensure Audit File Share is set to Success and Failure"
 win_shell: AuditPol /set /subcategory:"File Share" /failure:enable
 when: "'Failure' not in rule_17_6_2_audit.stdout"
@@ -452,6 +454,10 @@
 - name: " 17.6.4 | PATCH | L1 | Ensure Audit Removable Storage is set to Success and Failure"
 win_shell: AuditPol /set /subcategory:"Removable Storage" /success:enable
 when: "'Success' not in rule_17_6_4_audit.stdout"
+
+ - name: " 17.6.4 | PATCH | L1 | Ensure Audit Removable Storage is set to Success and Failure"
+ win_shell: AuditPol /set /subcategory:"Removable Storage" /failure:enable
+ when: "'Failure' not in rule_17_6_4_audit.stdout"
 when:
 - rule_17_6_4
 tags:
@@ -549,8 +555,8 @@
 register: rule_17_7_5_audit
 - name: " 17.7.5 | PATCH | L1 | Ensure Audit Other Policy Change Events is set to include Failure"
- win_shell: AuditPol /set /subcategory:"Other Policy Change Events" /success:enable
- when: "'Success' not in rule_17_7_5_audit.stdout"
+ win_shell: AuditPol /set /subcategory:"Other Policy Change Events" /failure:enable
+ when: "'Failure' not in rule_17_7_5_audit.stdout"
 when:
 - rule_17_7_5
 tags:
From bbaa5d1ea431a429be843336b4a1909f1479a792 Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Wed, 8 Dec 2021 17:14:34 -0500
Subject: [PATCH 10/32] updated 18.9.45.4.1.2, 18.9.45.8.1, and 18.9.45.5.1
Signed-off-by: George Nalen
---
 defaults/main.yml | 3 +++
 tasks/section18.yml | 45 ++++++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 47 insertions(+), 1 deletion(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 52c934d..285a6c3 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
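Review bot: The added `/success:enable` task for 17.6.2 reuses the exact `name:` of the `/failure:enable` task below it, so play output and audit logs show two identical task names with no way to tell which audit flag was changed; 17.2.1 in this same file already distinguishes them with `| Success` / `| Failure` suffixes. Use that convention here, `- name: " 17.6.2 | PATCH | L1 | Ensure Audit File Share is set to Success and Failure | Success"` and the matching `| Failure` suffix on the existing task; the 17.6.4 hunk below has the same duplication. The 17.7.5 change correctly switches the gate and the flag together (`'Failure' not in` with `/failure:enable`), which is what "include Failure" in its name calls for.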
@@ -380,6 +380,9 @@ rule_18_9_45_3_2: true
 rule_18_9_45_4_1_1: true
 rule_18_9_45_4_1_2: true
 rule_18_9_45_4_3_1: true
+rule_18_9_45_5_1: true
+rule_18_9_45_8_1: true
+rule_18_9_45_8_2: true
 rule_18_9_45_8_3: true
 rule_18_9_45_10_1: true
 rule_18_9_45_11_1: true
diff --git a/tasks/section18.yml b/tasks/section18.yml
index 591372f..e63b57b 100644
--- a/tasks/section18.yml
+++ b/tasks/section18.yml
@@ -1926,6 +1926,34 @@
 - rule_18.9.45.3.2
 - patch
+- name: "18.9.45.5.1 | PATCH | (L2) Ensure 'Enable file hash computation feature' is set to 'Enabled'"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine
+ name: EnableFileHashComputation
+ data: 1
+ type: dword
+ when:
+ - rule_18_9_45_5_1
+ tags:
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.9.45.5.1
+ - patch
+
+- name: "18.9.45.8.1 | PATCH | (L1) Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
+ name: DisableIOAVProtection
+ data: 0
+ type: dword
+ when:
+ - rule_18_9_45_8_1
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.9.45.8.1
+ - patch
+
 - name: "18.9.45.8.3 | PATCH | L1 | Ensure Turn on behavior monitoring is set to Enabled"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection
@@ -1972,6 +2000,7 @@
 - be9ba2d9-53ea-4cdc-84e5-9b1eeee46550
 - d3e037e1-3eb8-44c8-a917-57927947596d
 - d4f940ab-401b-4efc-aadc-ad5f3c50688a
+ - e6db77e5-3df2-4cf1-b95a-636979351e5b
 when:
 - rule_18_9_45_4_1_2
 tags:
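Review bot: The two new task names use the `(L2) Ensure '...'` / `(L1) Ensure '...'` form, while every other task in this file uses `| L1 | Ensure ...` (see `18.9.45.8.3 | PATCH | L1 | Ensure Turn on behavior monitoring` in the same hunk), so anything that filters or reports on the level field of task names will miss these two. Rewrite them as `- name: "18.9.45.5.1 | PATCH | L2 | Ensure Enable file hash computation feature is set to Enabled"` and `- name: "18.9.45.8.1 | PATCH | L1 | Ensure Scan all downloaded files and attachments is set to Enabled"`. The values themselves are consistent with the names: `EnableFileHashComputation: 1` turns the feature on and `DisableIOAVProtection: 0` leaves download and attachment scanning active. The ASR GUID added in the second hunk gets no comment; since the surrounding list is bare GUIDs, a trailing `# <rule description>` on the new entry (and ideally the existing ones) would let a reviewer check it against the benchmark without looking each one up.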
@@ -1991,7 +2020,21 @@
tags:
- level1-domaincontroller
- level1-memberserver
- - rule_18.9.45_4.3.1
+ - rule_18.9.45.4.3.1
+ - patch
+
+- name: "18.9.45.8.2 | PATCH | Ensure 'Turn off real-time protection' is set to 'Disabled'"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
+ name: DisableRealtimeMonitoring
+ data: 1
+ datatype: dword
+ when:
+ - rule_18_9_45_8_2
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.9.45.8.2
- patch
- name: "18.9.45.10.1 | PATCH | L2 | Ensure Configure Watson events is set to Disabled"
From 830f36f872e8f63b1dd714193f26a2571cc4c145 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Wed, 9 Feb 2022 09:38:15 +0000
Subject: [PATCH 11/32] added .cache directory
Signed-off-by: Mark Bolwell
---
.gitignore | 1 +
1 file changed, 1 insertion(+)
diff --git a/.gitignore b/.gitignore
index c46be6d..53f8584 100644
--- a/.gitignore
+++ b/.gitignore
@@ -9,6 +9,7 @@ tests/Dockerfile
packer_cache
delete*
ignore*
+.cache
# VSCode
.vscode
From 0a79a4683315a2190c5663992f08ec585cd5e310 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Wed, 9 Feb 2022 09:38:29 +0000
Subject: [PATCH 12/32] removed .cache dir
Signed-off-by: Mark Bolwell
---
.cache/roles/windows_2019_cis | 1 -
1 file changed, 1 deletion(-)
delete mode 120000 .cache/roles/windows_2019_cis
diff --git a/.cache/roles/windows_2019_cis b/.cache/roles/windows_2019_cis
deleted file mode 120000
index c25bddb..0000000
--- a/.cache/roles/windows_2019_cis
+++ /dev/null
@@ -1 +0,0 @@
-../..
\ No newline at end of file
From af9f883cfffda949aca3279432d1b53778c76c96 Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Tue, 15 Feb 2022 15:04:36 -0500
Subject: [PATCH 13/32] Updated enable firewall tasks to use registry entry to prevent false positives in scanners, issue #36
Signed-off-by: George Nalen
---
tasks/section09.yml | 24 +++++++++++++++---------
1 file changed, 15 insertions(+), 9 deletions(-)
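Review bot: The added 18.9.45.8.2 task writes `DisableRealtimeMonitoring` with `data: 1`, which turns real-time protection off — the opposite of the title "'Turn off real-time protection' is set to 'Disabled'" — so on every host where `rule_18_9_45_8_2` is enabled the role would switch Defender real-time scanning off instead of enforcing it. The task also uses `datatype: dword`, which is not a `win_regedit` parameter (every other task in this hunk and file uses `type: dword`), so as written it errors out before writing anything; correcting only the parameter name would make the regression live. The two lines should read `data: 0` and `type: dword`. The name additionally omits the `| L1 |` level field the surrounding tasks carry.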
diff --git a/tasks/section09.yml b/tasks/section09.yml
index 1a90190..fb35c61 100644
--- a/tasks/section09.yml
+++ b/tasks/section09.yml
@@ -1,8 +1,10 @@
---
- name: "9.1.1 | PATCH | L1 | Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'"
- win_firewall:
- state: enabled
- profile: Domain
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windowsfirewall\Domainprofile
+ name: EnableFirewall
+ data: 1
+ type: dword
when:
- rule_9_1_1
tags:
@@ -111,9 +113,11 @@
- patch
- name: "9.2.1 | PATCH | L1 | Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'"
- win_firewall:
- state: enabled
- profile: Private
+ win_regedit:
+ path: HKLM:SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile
+ name: EnableFirewall
+ data: 1
+ type: dword
when:
- rule_9_2_1
tags:
@@ -222,9 +226,11 @@
- patch
- name: "9.3.1 | PATCH | L1 | Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'"
- win_firewall:
- state: enabled
- profile: Public
+ win_regedit:
+ path: HKLM:SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile
+ name: EnableFirewall
+ data: 1
+ type: dword
when:
- rule_9_3_1
tags:
From 283158c8705bff457cec5e1a0be0a3f5d75a0ae5 Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Tue, 15 Feb 2022 15:06:16 -0500
Subject: [PATCH 14/32] Updated 18.5.4.1 tags, issue #51
Signed-off-by: George Nalen
---
tasks/section18.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tasks/section18.yml b/tasks/section18.yml
index e63b57b..9d28b6b 100644
--- a/tasks/section18.yml
+++ b/tasks/section18.yml
@@ -420,8 +420,8 @@
- rule_18_5_4_1
- not ansible_windows_domain_role == "Primary domain controller"
tags:
- - level2-domaincontroller
- - level2-memberserver
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.5.4.1
- patch
From 529dc37c5454ad9510baf78f6c00249454719d4f Mon Sep 17 00:00:00 2001
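Review bot: The 9.2.1 and 9.3.1 paths are written `HKLM:SOFTWARE\...` without the backslash after the drive, while 9.1.1 in the first hunk writes `HKLM:\Software\...`; whether `win_regedit` normalises the missing separator is not visible here, but a drive-relative path of that form can resolve somewhere other than the hive root, and PATCH 17 and PATCH 24 later in this series correct exactly these two lines, which suggests it did not work as intended. `path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile` and the matching `PublicProfile` line would make the three hunks consistent. Replacing `win_firewall` with a policy registry value also means the task no longer sets the live profile state directly — the policy value is what the benchmark audit reads, but it only takes effect once policy is applied — so a comment above 9.1.1 such as `# Written to the policy key rather than via win_firewall so scanners see the enforced value (issue #36)` would record the trade-off for the next maintainer.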
From: George Nalen
Date: Tue, 15 Feb 2022 15:08:36 -0500
Subject: [PATCH 15/32] Updated 18.4.11 and 18.8.22.1.2 level tags, issue #52
Signed-off-by: George Nalen
---
tasks/section18.yml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/tasks/section18.yml b/tasks/section18.yml
index 9d28b6b..9cff4c2 100644
--- a/tasks/section18.yml
+++ b/tasks/section18.yml
@@ -388,8 +388,8 @@
when:
- rule_18_4_11
tags:
- - level1-domaincontroller
- - level1-memberserver
+ - level2-domaincontroller
+ - level2-memberserver
- rule_18.4.11
- patch
@@ -952,8 +952,8 @@
when:
- rule_18_8_22_1_2
tags:
- - level1-domaincontroller
- - level1-memberserver
+ - level2-domaincontroller
+ - level2-memberserver
- rule_18.8.22.1.2
- patch
From 2b8969333d03b357b70ab523ab5d9e8282cb2b1e Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Tue, 8 Mar 2022 12:11:39 +0000
Subject: [PATCH 16/32] Added PR and issue templates
Signed-off-by: Mark Bolwell
---
.github/ISSUE_TEMPLATE/bug_report.md | 33 +++++++++++++++++++
.../feature-request-or-enhancement.md | 21 ++++++++++++
.github/ISSUE_TEMPLATE/question.md | 17 ++++++++++
.github/pull_request_template.md | 11 +++++++
4 files changed, 82 insertions(+)
create mode 100644 .github/ISSUE_TEMPLATE/bug_report.md
create mode 100644 .github/ISSUE_TEMPLATE/feature-request-or-enhancement.md
create mode 100644 .github/ISSUE_TEMPLATE/question.md
create mode 100644 .github/pull_request_template.md
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
new file mode 100644
index 0000000..7ab5a90
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,33 @@
+---
+name: Report Issue
+about: Create a bug issue ticket to help us improve
+title: ''
+labels: bug
+assignees: ''
+
+---
+
+**Describe the Issue**
+A clear and concise description of what the bug is.
+
+**Expected Behavior**
+A clear and concise description of what you expected to happen.
+
+**Actual Behavior**
+A clear and concise description of what's happening.
+
+**Control(s) Affected**
+What controls are being affected by the issue
+
+**Environment (please complete the following information):**
+ - git branch: [e.g devel]
+ - Ansible Version: [e.g. 2.10]
+ - Host Python Version: [e.g. Python 3.7.6]
+ - Ansible Server Python Version: [e.g. Python 3.7.6]
+ - Additional Details:
+
+**Additional Notes**
+Anything additional goes here
+
+**Possible Solution**
+Enter a suggested fix here
diff --git a/.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md b/.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md
new file mode 100644
index 0000000..bf45700
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md
@@ -0,0 +1,21 @@
+---
+name: Feature Request or Enhancement
+about: Suggest an idea for this project
+title: ''
+labels: enhancement
+assignees: ''
+
+---
+
+**Feature Request or Enhancement**
+ - Feature []
+ - Enhancement []
+
+**Summary of Request**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Suggested Code**
+Please provide any code you have in mind to fulfill the request
diff --git a/.github/ISSUE_TEMPLATE/question.md b/.github/ISSUE_TEMPLATE/question.md
new file mode 100644
index 0000000..cbab6e7
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/question.md
@@ -0,0 +1,17 @@
+---
+name: Question
+about: Ask away.......
+title: ''
+labels: question
+assignees: ''
+
+---
+
+**Question**
+Pose question here.
+
+**Environment (please complete the following information):**
+ - Ansible Version: [e.g. 2.10]
+ - Host Python Version: [e.g. Python 3.7.6]
+ - Ansible Server Python Version: [e.g. Python 3.7.6]
+ - Additional Details:
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
new file mode 100644
index 0000000..1bf89d3
--- /dev/null
+++ b/.github/pull_request_template.md
@@ -0,0 +1,11 @@
+**Overall Review of Changes:**
+A general description of the changes made that are being requested for merge
+
+**Issue Fixes:**
+Please list (using linking) any open issues this PR addresses
+
+**Enhancements:**
+Please list any enhancements/features that are not open issue tickets
+
+**How has this been tested?:**
+Please give an overview of how these changes were tested. If they were not please use N/A
From 74d1dbf027242b05f32cfac3c1f86c8541f9580c Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Wed, 9 Mar 2022 17:25:06 +0000
Subject: [PATCH 17/32] fixed typo
Signed-off-by: Mark Bolwell
---
tasks/section09.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tasks/section09.yml b/tasks/section09.yml
index fb35c61..e46e418 100644
--- a/tasks/section09.yml
+++ b/tasks/section09.yml
@@ -227,7 +227,7 @@
- name: "9.3.1 | PATCH | L1 | Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'"
win_regedit:
- path: HKLM:SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile
+ path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile
name: EnableFirewall
data: 1
type: dword
From 3561a9650d285b40d862bc6352118d71b8689c0e Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Wed, 9 Mar 2022 17:29:49 +0000
Subject: [PATCH 18/32] updated version
Signed-off-by: Mark Bolwell
---
README.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index dad434f..c3635b2 100644
--- a/README.md
+++ b/README.md
@@ -11,7 +11,7 @@ This role **will make changes to the system** that could break things. This is n
This role was developed against a clean install of the Operating System. If you are implimenting to an existing system please review this role for any site specific changes that are needed. To use release version please point to main branch
-Based on [Windows Server 2019 CIS v1.1.0 01-14-2020](https://downloads.cisecurity.org/#/).
+Based on [Windows Server 2019 CIS v1.2.1 05-08-2021](https://downloads.cisecurity.org/#/).
Documentation
-------------
@@ -66,4 +66,4 @@ We encourage you (the community) to contribute to this role. Please read the rul
- Your work is done in your own individual branch. Make sure to Signed-off and GPG sign all commits you intend to merge.
- All community Pull Requests are pulled into the devel branch
- Pull Requests into devel will confirm your commits have a GPG signature, Signed-off, and a functional test before being approved
-- Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release
\ No newline at end of file
+- Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release
From f15d4aa51069174ce0f03a7d63a4cc8e200252be Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Wed, 30 Mar 2022 13:40:06 -0400
Subject: [PATCH 19/32] issue #54 fix
Signed-off-by: George Nalen
---
tasks/section17.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tasks/section17.yml b/tasks/section17.yml
index 0ce9e4f..51e1afd 100644
--- a/tasks/section17.yml
+++ b/tasks/section17.yml
@@ -334,7 +334,7 @@
- name: " 17.5.4 | PATCH | L1 | Ensure Audit Logon is set to Success and Failure | Success"
win_shell: AuditPol /set /subcategory:"Logon" /success:enable
- when: "'Failure' not in rule_17_5_4_audit.stdout"
+ when: "'Success' not in rule_17_5_4_audit.stdout"
- name: " 17.5.4 | PATCH | L1 | Ensure Audit Logon is set to Success and Failure | Failure"
win_shell: AuditPol /set /subcategory:"Logon" /failure:enable
From d18689c908476e0d066a9d855b5c01a34108dfe0 Mon Sep 17 00:00:00 2001
From: Kristian
Date: Sat, 27 Aug 2022 21:32:30 +0200
Subject: [PATCH 20/32] Check_mode: false added to section 17.
Signed-off-by: Kristian
---
tasks/section17.yml | 32 ++++++++++++++++++++++++++++++++
1 file changed, 32 insertions(+)
diff --git a/tasks/section17.yml b/tasks/section17.yml
index 51e1afd..a42fc10 100644
--- a/tasks/section17.yml
+++ b/tasks/section17.yml
@@ -6,6 +6,7 @@
register: rule_17_1_1_audit
changed_when: false
failed_when: false
+ check_mode: false
- name: " 17.1.1 | PATCH | L1 | Ensure Audit Credential Validation is set to Success and Failure | Success"
win_shell: AuditPol /set /subcategory:"Credential Validation" /success:enable
@@ -30,6 +31,7 @@
win_shell: AuditPol /get /subcategory:"Kerberos Authentication Service" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
+ check_mode: false
register: rule_17_1_2_audit
- name: " 17.1.2 | PATCH | L1 | Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only"
@@ -53,6 +55,7 @@
win_shell: AuditPol /get /subcategory:"Kerberos Service Ticket Operations" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
+ check_mode: false
register: rule_17_1_3_audit
- name: " 17.1.3 | PATCH | L1 | Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure'"
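Review bot: The reason each `AuditPol /get` query task in this commit opts out of check mode is not recorded anywhere in the file; the registered `rule_17_x_audit` variable is what the following `when: "'Success' not in ...stdout"` conditions evaluate, so without `check_mode: false` a `--check` run would presumably leave that variable undefined and the conditions would error rather than skip. A one-line comment above the first such task, e.g. `# Read-only query: run it even under --check so the registered result exists for the when: conditions below`, would stop the next maintainer from removing the setting as noise. The same applies to every hunk of this commit (the 17.1.x through 17.9.x query tasks) and to the 17.7.2 hunk in the follow-up commit, so one comment at the first occurrence is enough. Each query task's `- name:` line lies outside its hunk.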
@@ -77,6 +80,7 @@
register: rule_17_2_1_audit
changed_when: false
failed_when: false
+ check_mode: false
- name: " 17.2.1 | PATCH | L1 | Ensure Audit Application Group Management is set to Success and Failure | Success"
win_shell: AuditPol /set /subcategory:"Application Group Management" /success:enable
@@ -100,6 +104,7 @@
register: rule_17_2_2_audit
changed_when: false
failed_when: false
+ check_mode: false
- name: " 17.2.2 | PATCH | L1 | Ensure Audit Computer Account Management is set to include Success DC only"
win_shell: AuditPol /set /subcategory:"Computer Account Management" /success:enable
@@ -120,6 +125,7 @@
register: rule_17_2_3_audit
changed_when: false
failed_when: false
+ check_mode: false
- name: " 17.2.3 | PATCH | L1 | Ensure Audit Distribution Group Management is set to include Success DC only"
win_shell: AuditPol /set /subcategory:"Distribution Group Management" /success:enable
@@ -139,6 +145,7 @@
register: rule_17_2_4_audit
changed_when: false
failed_when: false
+ check_mode: false
- name: " 17.2.4 | PATCH | L1 | Ensure Audit Other Account Management Events is set to include Success DC only"
win_shell: AuditPol /set /subcategory:"Other Account Management Events" /success:enable
@@ -158,6 +165,7 @@
register: rule_17_2_5_audit
changed_when: false
failed_when: false
+ check_mode: false
- name: " 17.2.5 | PATCH | L1 | Ensure Audit Security Group Management is set to include Success"
win_shell: AuditPol /set /subcategory:"Security Group Management" /success:enable
@@ -176,6 +184,7 @@
win_shell: AuditPol /get /subcategory:"User Account Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
+ check_mode: false
register: rule_17_2_6_audit
- name: " 17.2.6 | PATCH | L1 | Ensure Audit User Account Management is set to Success and Failure | Success"
@@ -199,6 +208,7 @@
win_shell: AuditPol /get /subcategory:"Plug and Play Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
+ check_mode: false
register: rule_17_3_1_audit
- name: " 17.3.1 | PATCH | L1 | Ensure Audit PNP Activity is set to include Success"
@@ -218,6 +228,7 @@
win_shell: AuditPol /get /subcategory:"Process Creation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
+ check_mode: false
register: rule_17_3_2_audit
- name: " 17.3.2 | PATCH | L1 | Ensure Audit Process Creation is set to include Success"
@@ -237,6 +248,7 @@
win_shell: AuditPol /get /subcategory:"Directory Service Access" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
+ check_mode: false
register: rule_17_4_1_audit
- name: " 17.4.1 | PATCH | L1 | Ensure Audit Directory Service Access is set to include Failure DC only"
@@ -255,6 +267,7 @@
win_shell: AuditPol /get /subcategory:"Directory Service Changes" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
+ check_mode: false
register: rule_17_4_2_audit
- name: " 17.4.2 | PATCH | L1 | Ensure Audit Directory Service Changes is set to include Success DC only"
@@ -273,6 +286,7 @@
win_shell: AuditPol /get /subcategory:"Account Lockout" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
+ check_mode: false
register: rule_17_5_1_audit
- name: " 17.5.1 | PATCH | L1 | Ensure Audit Account Lockout is set to include Failure"
@@ -292,6 +306,7 @@
win_shell: AuditPol /get /subcategory:"Group Membership" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
+ check_mode: false
register: rule_17_5_2_audit
- name: " 17.5.2 | PATCH | L1 | Ensure Audit Group Membership is set to include Success"
@@ -311,6 +326,7 @@
win_shell: AuditPol /get /subcategory:"Logoff" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
+ check_mode: false
register: rule_17_5_3_audit
- name: " 17.5.3 | PATCH | L1 | Ensure Audit Logoff is set to include Success"
@@ -330,6 +346,7 @@
win_shell: AuditPol /get /subcategory:"Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
+ check_mode: false
register: rule_17_5_4_audit
- name: " 17.5.4 | PATCH | L1 | Ensure Audit Logon is set to Success and Failure | Success"
@@ -353,6 +370,7 @@
win_shell: AuditPol /get /subcategory:"Other Logon/Logoff Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
+ check_mode: false
register: rule_17_5_5_audit
- name: " 17.5.5 | PATCH | L1 | Ensure Audit Other LogonLogoff Events is set to Success and Failure | Success"
@@ -376,6 +394,7 @@
win_shell: AuditPol /get /subcategory:"Special Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
+ check_mode: false
register: rule_17_5_6_audit
- name: " 17.5.6 | PATCH | L1 | Ensure Audit Special Logon is set to include Success"
@@ -395,6 +414,7 @@
win_shell: AuditPol /get /subcategory:"Detailed File Share" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
+ check_mode: false
register: rule_17_6_1_audit
- name: " 17.6.1 | PATCH | L1 | Ensure Audit Detailed File Share is set to include Failure"
@@ -414,6 +434,7 @@
win_shell: AuditPol /get /subcategory:"File Share" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
+ check_mode: false
register: rule_17_6_2_audit
- name: " 17.6.2 | PATCH | L1 | Ensure Audit File Share is set to Success and Failure"
@@ -449,6 +470,7 @@
win_shell: AuditPol /get /subcategory:"Removable Storage" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
+ check_mode: false
register: rule_17_6_4_audit
- name: " 17.6.4 | PATCH | L1 | Ensure Audit Removable Storage is set to Success and Failure"
@@ -472,6 +494,7 @@
win_shell: AuditPol /get /subcategory:"Audit Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
+ check_mode: false
register: rule_17_7_1_audit
- name: " 17.7.1 | PATCH | L1 | Ensure Audit Audit Policy Change is set to include Success"
@@ -510,6 +533,7 @@
win_shell: AuditPol /get /subcategory:"Authorization Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
+ check_mode: false
register: rule_17_7_3_audit
- name: " 17.7.3 | PATCH | L1 | Ensure Audit Authorization Policy Change is set to include Success"
@@ -529,6 +553,7 @@
win_shell: AuditPol /get /subcategory:"MPSSVC Rule-Level Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
+ check_mode: false
register: rule_17_7_4_audit
- name: " 17.7.4 | PATCH | L1 | Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure | Success"
@@ -552,6 +577,7 @@
win_shell: AuditPol /get /subcategory:"Other Policy Change Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
+ check_mode: false
register: rule_17_7_5_audit
- name: " 17.7.5 | PATCH | L1 | Ensure Audit Other Policy Change Events is set to include Failure"
@@ -571,6 +597,7 @@
win_shell: AuditPol /get /subcategory:"Sensitive Privilege Use" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
+ check_mode: false
register: rule_17_8_1_audit
- name: " 17.8.1 | PATCH | L1 | Ensure Audit Sensitive Privilege Use is set to Success and Failure | Success"
@@ -594,6 +621,7 @@
win_shell: AuditPol /get /subcategory:"IPsec Driver" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
+ check_mode: false
register: rule_17_9_1_audit
- name: " 17.9.1 | PATCH | L1 | Ensure Audit IPsec Driver is set to Success and Failure | Success"
@@ -617,6 +645,7 @@
win_shell: AuditPol /get /subcategory:"Other System Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
+ check_mode: false
register: rule_17_9_2_audit
- name: " 17.9.2 | PATCH | L1 | Ensure Audit Other System Events is set to Success and Failure | Success"
@@ -640,6 +669,7 @@
win_shell: AuditPol /get /subcategory:"Security State Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
+ check_mode: false
register: rule_17_9_3_audit
- name: " 17.9.3 | PATCH | L1 | Ensure Audit Security State Change is set to include Success"
@@ -659,6 +689,7 @@
win_shell: AuditPol /get /subcategory:"Security System Extension" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
+ check_mode: false
register: rule_17_9_4_audit
- name: " 17.9.4 | PATCH | L1 | Ensure Audit Security System Extension is set to include Success"
@@ -678,6 +709,7 @@
win_shell: AuditPol /get /subcategory:"System Integrity" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
+ check_mode: false
register: rule_17_9_5_audit
- name: " 17.9.5 | PATCH | L1 | Ensure Audit System Integrity is set to Success and Failure | Success"
From 76c174f0c69a7a59ceb237bc45fadd8d9b7c7abb Mon Sep 17 00:00:00 2001
From: Kristian
Date: Sat, 27 Aug 2022 23:00:16 +0200
Subject: [PATCH 21/32] Check mode added to section 17 2. time
Signed-off-by: Kristian
---
tasks/section17.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/tasks/section17.yml b/tasks/section17.yml
index a42fc10..bc7f58b 100644
--- a/tasks/section17.yml
+++ b/tasks/section17.yml
@@ -514,6 +514,7 @@
win_shell: AuditPol /get /subcategory:"Authentication Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
+ check_mode: false
register: rule_17_7_2_audit
- name: " 17.7.2 | PATCH | L1 | Ensure Audit Authentication Policy Change is set to include Success"
From f7addebd7a674b9269b53954e1b29b9cf69cbc7f Mon Sep 17 00:00:00 2001
From: Kristian Ebdrup
Date: Wed, 14 Sep 2022 21:15:06 +0200
Subject: [PATCH 22/32] fix issue #59
Signed-off-by: Kristian Ebdrup
---
tasks/section18.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tasks/section18.yml b/tasks/section18.yml
index 9cff4c2..a10b39a 100644
--- a/tasks/section18.yml
+++ b/tasks/section18.yml
@@ -133,7 +133,7 @@
type: dword
when:
- rule_18_2_6
- - ansible_windows_domain_role == "Memmber Server"
+ - ansible_windows_domain_role == "Member Server"
tags:
- level1-memberserver
- rule_18.2.6
From 24c0ef8bd9297147990c8d365f7b376e9e35ea2b Mon Sep 17 00:00:00 2001
From: Kristian Ebdrup
Date: Wed, 14 Sep 2022 21:16:17 +0200
Subject: [PATCH 23/32] Added role dependencies
Signed-off-by: Kristian Ebdrup
---
meta/main.yml | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/meta/main.yml b/meta/main.yml
index c6e3de7..478487b 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -20,4 +20,6 @@ galaxy_info:
- microsoft
- windows
- dependencies: []
+ dependencies:
+ - ansible.windows
+ - community.windows
From 0763bfcc9a47a89dbc522eb0d239222080a04a89 Mon Sep 17 00:00:00 2001
From: Kristian Ebdrup
Date: Wed, 14 Sep 2022 21:22:19 +0200
Subject: [PATCH 24/32] fix hklm:software to hklm:\software + double space
Signed-off-by: Kristian Ebdrup
---
tasks/section09.yml | 54 ++++++++++++++++++++++-----------------------
1 file changed, 27 insertions(+), 27 deletions(-)
diff --git a/tasks/section09.yml b/tasks/section09.yml
index e46e418..17924c4 100644
--- a/tasks/section09.yml
+++ b/tasks/section09.yml
@@ -1,5 +1,5 @@
---
-- name: "9.1.1 | PATCH | L1 | Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'"
+- name: "9.1.1 | PATCH | L1 | Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'"
win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windowsfirewall\Domainprofile
name: EnableFirewall
@@ -13,7 +13,7 @@
- rule_9.1.1
- patch
-- name: "9.1.2 | PATCH | L1 | Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'"
+- name: "9.1.2 | PATCH | L1 | Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'"
win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
name: DefaultInboundAction
@@ -27,7 +27,7 @@
- rule_9.1.2
- patch
-- name: "9.1.3 | PATCH | L1 | Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'"
+- name: "9.1.3 | PATCH | L1 | Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'"
win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
name: DefaultOutboundAction
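Review bot: `dependencies` in meta/main.yml declares other roles, not collections, so `ansible.windows` and `community.windows` will be looked up as role names and the role will fail to load with a role-not-found error wherever no role of that name is installed. Collections a role relies on belong under the `collections:` key of meta/main.yml (or the consumer's requirements.yml): keep `dependencies: []` and add `collections:` followed by `- ansible.windows` and `- community.windows`. The page does not preserve the hunk's indentation, so also confirm that both keys sit at top level beside `galaxy_info:` rather than nested under it, which would silently ignore them.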
@@ -41,7 +41,7 @@
- rule_9.1.3
- patch
-- name: "9.1.4 | PATCH | L1 | Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'"
+- name: "9.1.4 | PATCH | L1 | Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'"
win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
name: DisableNotifications
@@ -56,7 +56,7 @@
- patch
# title has slashes switched
-- name: "9.1.5 | PATCH | L1 | Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%/System32/logfiles/firewall/domainfw.log'"
+- name: "9.1.5 | PATCH | L1 | Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%/System32/logfiles/firewall/domainfw.log'"
win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging
name: LogFilePath
@@ -70,7 +70,7 @@
- rule_9.1.5
- patch
-- name: "9.1.6 | PATCH | L1 | Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'"
+- name: "9.1.6 | PATCH | L1 | Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'"
win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging
name: LogFileSize
@@ -84,7 +84,7 @@
- rule_9.1.6
- patch
-- name: "9.1.7 | PATCH | L1 | Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'"
+- name: "9.1.7 | PATCH | L1 | Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'"
win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging
name: LogDroppedPackets
@@ -98,7 +98,7 @@
- rule_9.1.7
- patch
-- name: "9.1.8 | PATCH | L1 | Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'"
+- name: "9.1.8 | PATCH | L1 | Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'"
win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging
name: LogSuccessfulConnections
@@ -112,9 +112,9 @@
- rule_9.1.7
- patch
-- name: "9.2.1 | PATCH | L1 | Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'"
+- name: "9.2.1 | PATCH | L1 | Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'"
win_regedit:
- path: HKLM:SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile
+ path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile
name: EnableFirewall
data: 1
type: dword
@@ -126,7 +126,7 @@
- rule_9.2.1
- patch
-- name: "9.2.2 | PATCH | L1 | Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'"
+- name: "9.2.2 | PATCH | L1 | Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'"
win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile
name: DefaultInboundAction
@@ -140,7 +140,7 @@
- rule_9.2.2
- patch
-- name: "9.2.3 | PATCH | L1 | Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'"
+- name: "9.2.3 | PATCH | L1 | Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'"
win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile
name: DefaultOutboundAction
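Review bot: The leading context of the `@@ -112` hunk shows the 9.1.8 task's tag list ending in `- rule_9.1.7`, the same tag the `@@ -98` hunk shows closing the real 9.1.7 task, so `--tags rule_9.1.8` does not select the task that sets `LogSuccessfulConnections` and the control is silently skipped in tag-filtered runs. Since this commit already rewrites the 9.1.8 task's name, the one-line fix `- rule_9.1.8` on that context line could ride along. The rest of the 9.1.8 task body lies outside both hunks.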
@@ -154,7 +154,7 @@
- rule_9.2.3
- patch
-- name: "9.2.4 | PATCH | L1 | Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'"
+- name: "9.2.4 | PATCH | L1 | Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'"
win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile
name: DisableNotifications
@@ -169,7 +169,7 @@
- patch
# title has slashes switched
-- name: "9.2.5 | PATCH | L1 | Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%/System32/logfiles/firewall/privatefw.log'"
+- name: "9.2.5 | PATCH | L1 | Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%/System32/logfiles/firewall/privatefw.log'"
win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging
name: LogFilePath
@@ -183,7 +183,7 @@
- rule_9.2.5
- patch
-- name: "9.2.6 | PATCH | L1 | Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'"
+- name: "9.2.6 | PATCH | L1 | Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'"
win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging
name: LogFileSize
@@ -197,7 +197,7 @@
- rule_9.2.6
- patch
-- name: "9.2.7 | PATCH | L1 | Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'"
+- name: "9.2.7 | PATCH | L1 | Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'"
win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging
name: LogDroppedPackets
@@ -211,7 +211,7 @@
- rule_9.2.7
- patch
-- name: "9.2.8 | PATCH | L1 | Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'"
+- name: "9.2.8 | PATCH | L1 | Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'"
win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging
name: LogSuccessfulConnections
@@ -225,7 +225,7 @@
- rule_9.2.8
- patch
-- name: "9.3.1 | PATCH | L1 | Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'"
+- name: "9.3.1 | PATCH | L1 | Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'"
win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile
name: EnableFirewall
@@ -239,7 +239,7 @@
- rule_9.3.1
- patch
-- name: "9.3.2 | PATCH | L1 | Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'"
+- name: "9.3.2 | PATCH | L1 | Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'"
win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile
name: DefaultInboundAction
@@ -253,7 +253,7 @@
- rule_9.3.2
- patch
-- name: "9.3.3 | PATCH | L1 | Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'"
+- name: "9.3.3 | PATCH | L1 | Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'"
win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile
name: DefaultOutboundAction
@@ -267,7 +267,7 @@
- rule_9.3.3
- patch
-- name: "9.3.4 | PATCH | L1 | Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'"
+- name: "9.3.4 | PATCH | L1 | Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'"
win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile
name: DisableNotifications
@@ -281,7 +281,7 @@
 - rule_9.3.4
 - patch
-- name: "9.3.5 | PATCH | L1 | Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'"
+- name: "9.3.5 | PATCH | L1 | Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'"
 win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile
 name: AllowLocalPolicyMerge
@@ -296,7 +296,7 @@
 - rule_9.3.5
 - patch
-- name: "9.3.6 | PATCH | L1 | Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'"
+- name: "9.3.6 | PATCH | L1 | Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'"
 win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile
 name: AllowLocalIPsecPolicyMerge
@@ -311,7 +311,7 @@
 - patch
 # title has slashes switched
-- name: "9.3.7 | PATCH | L1 | Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%/System32/logfiles/firewall/publicfw.log'"
+- name: "9.3.7 | PATCH | L1 | Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%/System32/logfiles/firewall/publicfw.log'"
 win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging
 name: LogFilePath
@@ -325,7 +325,7 @@
 - rule_9.3.7
 - patch
-- name: "9.3.8 | PATCH | L1 | Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'"
+- name: "9.3.8 | PATCH | L1 | Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'"
 win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging
 name: LogFileSize
@@ -339,7 +339,7 @@
 - rule_9.3.8
 - patch
-- name: "9.3.9 | PATCH | L1 | Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'"
+- name: "9.3.9 | PATCH | L1 | Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'"
 win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging
 name: LogDroppedPackets
@@ -353,7 +353,7 @@
 - rule_9.3.9
 - patch
-- name: "9.3.10 | PATCH | L1 | Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'"
+- name: "9.3.10 | PATCH | L1 | Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'"
 win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging
 name: LogSuccessfulConnections
From 71323b79366b0f94338d9be1786f11e55c7e9ff5 Mon Sep 17 00:00:00 2001
From: Kristian Ebdrup
Date: Wed, 14 Sep 2022 21:32:54 +0200
Subject: [PATCH 25/32] Fixes to double spaces and space at start of tasks
Signed-off-by: Kristian Ebdrup
---
 tasks/main.yml | 1 -
 tasks/section17.yml | 228 ++++++++++++++++++++++----------------------
 tasks/section18.yml | 2 +-
 3 files changed, 115 insertions(+), 116 deletions(-)
diff --git a/tasks/main.yml b/tasks/main.yml
index 26ebf1f..c3e0ed9 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,5 +1,4 @@
 ---
-
 - name: Gather distribution info
 setup:
 gather_subset: distribution,!all,!min
diff --git a/tasks/section17.yml b/tasks/section17.yml
index bc7f58b..bbc2e93 100644
--- a/tasks/section17.yml
+++ b/tasks/section17.yml
@@ -1,19 +1,19 @@
 ---
-- name: " 17.1.1 | PATCH | L1 | Ensure Audit Credential Validation is set to Success and Failure"
+- name: "17.1.1 | PATCH | L1 | Ensure Audit Credential Validation is set to Success and Failure"
 block:
- - name: " 17.1.1 | AUDIT | L1 | Ensure Audit Credential Validation is set to Success and Failure"
+ - name: "17.1.1 | AUDIT | L1 | Ensure Audit Credential Validation is set to Success and Failure"
 win_shell: AuditPol /get /subcategory:"Credential Validation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 register: rule_17_1_1_audit
 changed_when: false
 failed_when: false
 check_mode: false
- - name: " 17.1.1 | PATCH | L1 | Ensure Audit Credential Validation is set to Success and Failure | Success"
+ - name: "17.1.1 | PATCH | L1 | Ensure Audit Credential Validation is set to Success and Failure | Success"
 win_shell: AuditPol /set /subcategory:"Credential Validation" /success:enable
 when: "'Success' not in rule_17_1_1_audit.stdout"
 changed_when: "'Success' not in rule_17_1_1_audit.stdout"
- - name: " 17.1.1 | PATCH | L1 | Ensure Audit Credential Validation is set to Success and Failure | Failure"
+ - name: "17.1.1 | PATCH | L1 | Ensure Audit Credential Validation is set to Success and Failure | Failure"
 win_shell: AuditPol /set /subcategory:"Credential Validation" /failure:enable
 when: "'Failure' not in rule_17_1_1_audit.stdout"
 changed_when: "'Failure' not in rule_17_1_1_audit.stdout"
@@ -25,20 +25,20 @@
 - rule_17.1.1
 - patch
-- name: " 17.1.2 | PATCH | L1 | Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only"
+- name: "17.1.2 | PATCH | L1 | Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only"
 block:
- - name: " 17.1.2 | AUDIT | L1 | Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only"
+ - name: "17.1.2 | AUDIT | L1 | Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only"
 win_shell: AuditPol /get /subcategory:"Kerberos Authentication Service" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 check_mode: false
 register: rule_17_1_2_audit
- - name: " 17.1.2 | PATCH | L1 | Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only"
+ - name: "17.1.2 | PATCH | L1 | Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only"
 win_shell: AuditPol /set /subcategory:"Kerberos Authentication Service" /success:enable
 when: "'Success' not in rule_17_1_2_audit.stdout"
- - name: " 17.1.2 | PATCH | L1 | Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only"
+ - name: "17.1.2 | PATCH | L1 | Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only"
 win_shell: AuditPol /set /subcategory:"Kerberos Authentication Service" /failure:enable
 when: "'Failure' not in rule_17_1_2_audit.stdout"
 when:
@@ -49,20 +49,20 @@
 - rule_17.1.2
 - patch
-- name: " 17.1.3 | PATCH | L1 | Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure'"
+- name: "17.1.3 | PATCH | L1 | Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure'"
 block:
- - name: " 17.1.3 | AUDIT | L1 | Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure'"
+ - name: "17.1.3 | AUDIT | L1 | Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure'"
 win_shell: AuditPol /get /subcategory:"Kerberos Service Ticket Operations" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 check_mode: false
 register: rule_17_1_3_audit
- - name: " 17.1.3 | PATCH | L1 | Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure'"
+ - name: "17.1.3 | PATCH | L1 | Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure'"
 win_shell: AuditPol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable
 when: "'Success' not in rule_17_1_3_audit.stdout"
- - name: " 17.1.3 | PATCH | L1 | Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure'"
+ - name: "17.1.3 | PATCH | L1 | Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure'"
 win_shell: AuditPol /set /subcategory:"Kerberos Service Ticket Operations" /failure:enable
 when: "'Failure' not in rule_17_1_3_audit.stdout"
 when:
@@ -73,20 +73,20 @@
 - rule_17.1.2
 - patch
-- name: " 17.2.1 | PATCH | L1 | Ensure Audit Application Group Management is set to Success and Failure"
+- name: "17.2.1 | PATCH | L1 | Ensure Audit Application Group Management is set to Success and Failure"
 block:
- - name: " 17.2.1 | AUDIT | L1 | Ensure Audit Application Group Management is set to Success and Failure"
+ - name: "17.2.1 | AUDIT | L1 | Ensure Audit Application Group Management is set to Success and Failure"
 win_shell: AuditPol /get /subcategory:"Application Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 register: rule_17_2_1_audit
 changed_when: false
 failed_when: false
 check_mode: false
- - name: " 17.2.1 | PATCH | L1 | Ensure Audit Application Group Management is set to Success and Failure | Success"
+ - name: "17.2.1 | PATCH | L1 | Ensure Audit Application Group Management is set to Success and Failure | Success"
 win_shell: AuditPol /set /subcategory:"Application Group Management" /success:enable
 when: "'Success' not in rule_17_2_1_audit.stdout"
- - name: " 17.2.1 | PATCH | L1 | Ensure Audit Application Group Management is set to Success and Failure | Failure"
+ - name: "17.2.1 | PATCH | L1 | Ensure Audit Application Group Management is set to Success and Failure | Failure"
 win_shell: AuditPol /set /subcategory:"Application Group Management" /failure:enable
 when: "'Failure' not in rule_17_2_1_audit.stdout"
 when:
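Review bot: The tag context at the top of this hunk, `- rule_17.1.2`, sits at the end of the 17.1.3 task (the one begun in the @@ -49 hunk), so it appears to be a copy-pasted tag from the previous task rather than the task's own id; `--tags rule_17.1.3` would not select the Kerberos Service Ticket Operations remediation and `--skip-tags rule_17.1.2` would silently drop it along with 17.1.2. The whitespace clean-up in this commit touches the neighbouring name lines but leaves the tag as is. I would change that context line to `- rule_17.1.3`. The 17.1.3 task itself starts outside this hunk.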
@@ -97,16 +97,16 @@
 - rule_17.2.1
 - patch
-- name: " 17.2.2 | PATCH | L1 | Ensure Audit Computer Account Management is set to include Success DC only"
+- name: "17.2.2 | PATCH | L1 | Ensure Audit Computer Account Management is set to include Success DC only"
 block:
- - name: " 17.2.2 | AUDIT | L1 | Ensure Audit Computer Account Management is set to include Success DC only"
+ - name: "17.2.2 | AUDIT | L1 | Ensure Audit Computer Account Management is set to include Success DC only"
 win_shell: AuditPol /get /subcategory:"Computer Account Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 register: rule_17_2_2_audit
 changed_when: false
 failed_when: false
 check_mode: false
- - name: " 17.2.2 | PATCH | L1 | Ensure Audit Computer Account Management is set to include Success DC only"
+ - name: "17.2.2 | PATCH | L1 | Ensure Audit Computer Account Management is set to include Success DC only"
 win_shell: AuditPol /set /subcategory:"Computer Account Management" /success:enable
 changed_when: "'Success' not in rule_17_2_2_audit.stdout"
 when: "'Success' not in rule_17_2_2_audit.stdout"
@@ -118,16 +118,16 @@
 - rule_17.2.2
 - patch
-- name: " 17.2.3 | PATCH | L1 | Ensure Audit Distribution Group Management is set to include Success DC only"
+- name: "17.2.3 | PATCH | L1 | Ensure Audit Distribution Group Management is set to include Success DC only"
 block:
- - name: " 17.2.3 | AUDIT | L1 | Ensure Audit Distribution Group Management is set to include Success DC only"
+ - name: "17.2.3 | AUDIT | L1 | Ensure Audit Distribution Group Management is set to include Success DC only"
 win_shell: AuditPol /get /subcategory:"Distribution Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 register: rule_17_2_3_audit
 changed_when: false
 failed_when: false
 check_mode: false
- - name: " 17.2.3 | PATCH | L1 | Ensure Audit Distribution Group Management is set to include Success DC only"
+ - name: "17.2.3 | PATCH | L1 | Ensure Audit Distribution Group Management is set to include Success DC only"
 win_shell: AuditPol /set /subcategory:"Distribution Group Management" /success:enable
 when: "'Success' not in rule_17_2_3_audit.stdout"
 when:
@@ -138,16 +138,16 @@
 - rule_17.2.3
 - patch
-- name: " 17.2.4 | PATCH | L1 | Ensure Audit Other Account Management Events is set to include Success DC only"
+- name: "17.2.4 | PATCH | L1 | Ensure Audit Other Account Management Events is set to include Success DC only"
 block:
- - name: " 17.2.4 | AUDIT | L1 | Ensure Audit Other Account Management Events is set to include Success DC only"
+ - name: "17.2.4 | AUDIT | L1 | Ensure Audit Other Account Management Events is set to include Success DC only"
 win_shell: AuditPol /get /subcategory:"Other Account Management Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 register: rule_17_2_4_audit
 changed_when: false
 failed_when: false
 check_mode: false
- - name: " 17.2.4 | PATCH | L1 | Ensure Audit Other Account Management Events is set to include Success DC only"
+ - name: "17.2.4 | PATCH | L1 | Ensure Audit Other Account Management Events is set to include Success DC only"
 win_shell: AuditPol /set /subcategory:"Other Account Management Events" /success:enable
 when: "'Success' not in rule_17_2_4_audit.stdout"
 when:
@@ -158,16 +158,16 @@
 - rule_17.2.4
 - patch
-- name: " 17.2.5 | AUDIT | L1 | Ensure Audit Security Group Management is set to include Success"
+- name: "17.2.5 | AUDIT | L1 | Ensure Audit Security Group Management is set to include Success"
 block:
- - name: " 17.2.5 | AUDIT | L1 | Ensure Audit Security Group Management is set to include Success"
+ - name: "17.2.5 | AUDIT | L1 | Ensure Audit Security Group Management is set to include Success"
 win_shell: AuditPol /get /subcategory:"Security Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 register: rule_17_2_5_audit
 changed_when: false
 failed_when: false
 check_mode: false
- - name: " 17.2.5 | PATCH | L1 | Ensure Audit Security Group Management is set to include Success"
+ - name: "17.2.5 | PATCH | L1 | Ensure Audit Security Group Management is set to include Success"
 win_shell: AuditPol /set /subcategory:"Security Group Management" /success:enable
 when: "'Success' not in rule_17_2_5_audit.stdout"
 when:
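Review bot: The outer task name for 17.2.5 is labelled `AUDIT` even though its block contains the `/success:enable` remediation step, whereas every other outer block in this file is labelled `PATCH`; the commit rewrites this line for whitespace but keeps the wrong marker, and 17.5.3 in the @@ -320 hunk has the same inconsistency. Anyone filtering play output on the PATCH/AUDIT marker to see what a run changed will miss these two remediations. I would change the added line to `- name: "17.2.5 | PATCH | L1 | Ensure Audit Security Group Management is set to include Success"` and the 17.5.3 one likewise.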
@@ -178,20 +178,20 @@
 - rule_17.2.5
 - patch
-- name: " 17.2.6 | PATCH | L1 | Ensure Audit User Account Management is set to Success and Failure"
+- name: "17.2.6 | PATCH | L1 | Ensure Audit User Account Management is set to Success and Failure"
 block:
- - name: " 17.2.6 | AUDIT | L1 | Ensure Audit User Account Management is set to Success and Failure"
+ - name: "17.2.6 | AUDIT | L1 | Ensure Audit User Account Management is set to Success and Failure"
 win_shell: AuditPol /get /subcategory:"User Account Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 check_mode: false
 register: rule_17_2_6_audit
- - name: " 17.2.6 | PATCH | L1 | Ensure Audit User Account Management is set to Success and Failure | Success"
+ - name: "17.2.6 | PATCH | L1 | Ensure Audit User Account Management is set to Success and Failure | Success"
 win_shell: AuditPol /set /subcategory:"User Account Management" /success:enable
 when: "'Success' not in rule_17_2_6_audit.stdout"
- - name: " 17.2.6 | PATCH | L1 | Ensure Audit User Account Management is set to Success and Failure | Failure"
+ - name: "17.2.6 | PATCH | L1 | Ensure Audit User Account Management is set to Success and Failure | Failure"
 win_shell: AuditPol /set /subcategory:"User Account Management" /failure:enable
 when: "'Failure' not in rule_17_2_6_audit.stdout"
 when:
@@ -202,16 +202,16 @@
 - rule_17.2.6
 - patch
-- name: " 17.3.1 | PATCH | L1 | Ensure Audit PNP Activity is set to include Success"
+- name: "17.3.1 | PATCH | L1 | Ensure Audit PNP Activity is set to include Success"
 block:
- - name: " 17.3.1 | AUDIT | L1 | Ensure Audit PNP Activity is set to include Success"
+ - name: "17.3.1 | AUDIT | L1 | Ensure Audit PNP Activity is set to include Success"
 win_shell: AuditPol /get /subcategory:"Plug and Play Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 check_mode: false
 register: rule_17_3_1_audit
- - name: " 17.3.1 | PATCH | L1 | Ensure Audit PNP Activity is set to include Success"
+ - name: "17.3.1 | PATCH | L1 | Ensure Audit PNP Activity is set to include Success"
 win_shell: AuditPol /set /subcategory:"Plug and Play Events" /success:enable
 when: "'Success' not in rule_17_3_1_audit.stdout"
 when:
@@ -222,16 +222,16 @@
 - rule_17.3.1
 - patch
-- name: " 17.3.2 | PATCH | L1 | Ensure Audit Process Creation is set to include Success"
+- name: "17.3.2 | PATCH | L1 | Ensure Audit Process Creation is set to include Success"
 block:
- - name: " 17.3.2 | AUDIT | L1 | Ensure Audit Process Creation is set to include Success"
+ - name: "17.3.2 | AUDIT | L1 | Ensure Audit Process Creation is set to include Success"
 win_shell: AuditPol /get /subcategory:"Process Creation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 check_mode: false
 register: rule_17_3_2_audit
- - name: " 17.3.2 | PATCH | L1 | Ensure Audit Process Creation is set to include Success"
+ - name: "17.3.2 | PATCH | L1 | Ensure Audit Process Creation is set to include Success"
 win_shell: AuditPol /set /subcategory:"Process Creation" /success:enable
 when: "'Success' not in rule_17_3_2_audit.stdout"
 when:
@@ -242,16 +242,16 @@
 - rule_17.3.2
 - patch
-- name: " 17.4.1 | PATCH | L1 | Ensure Audit Directory Service Access is set to include Failure DC only"
+- name: "17.4.1 | PATCH | L1 | Ensure Audit Directory Service Access is set to include Failure DC only"
 block:
- - name: " 17.4.1 | AUDIT | L1 | Ensure Audit Directory Service Access is set to include Failure DC only"
+ - name: "17.4.1 | AUDIT | L1 | Ensure Audit Directory Service Access is set to include Failure DC only"
 win_shell: AuditPol /get /subcategory:"Directory Service Access" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 check_mode: false
 register: rule_17_4_1_audit
- - name: " 17.4.1 | PATCH | L1 | Ensure Audit Directory Service Access is set to include Failure DC only"
+ - name: "17.4.1 | PATCH | L1 | Ensure Audit Directory Service Access is set to include Failure DC only"
 win_shell: AuditPol /set /subcategory:"Directory Service Access" /success:enable
 when: "'Success' not in rule_17_4_1_audit.stdout"
 when:
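Review bot: The 17.4.1 remediation enables the wrong audit setting: the benchmark title (and both task names) say "include Failure", but the patch step runs `win_shell: AuditPol /set /subcategory:"Directory Service Access" /success:enable` guarded by `when: "'Success' not in rule_17_4_1_audit.stdout"`, so a domain controller that already audits Success is reported compliant while failed directory-service access attempts remain unlogged, and one that audits nothing gets Success rather than Failure. The commit only trims the leading space in the names and leaves this in place. The two lines should become `win_shell: AuditPol /set /subcategory:"Directory Service Access" /failure:enable` and `when: "'Failure' not in rule_17_4_1_audit.stdout"`, matching how 17.5.1 and 17.6.1 handle their Failure-only settings. The task's closing `when:`/tags are outside this hunk.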
@@ -261,16 +261,16 @@
 - rule_17.4.1
 - patch
-- name: " 17.4.2 | PATCH | L1 | Ensure Audit Directory Service Changes is set to include Success DC only"
+- name: "17.4.2 | PATCH | L1 | Ensure Audit Directory Service Changes is set to include Success DC only"
 block:
- - name: " 17.4.2 | AUDIT | L1 | Ensure Audit Directory Service Changes is set to include Success DC only"
+ - name: "17.4.2 | AUDIT | L1 | Ensure Audit Directory Service Changes is set to include Success DC only"
 win_shell: AuditPol /get /subcategory:"Directory Service Changes" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 check_mode: false
 register: rule_17_4_2_audit
- - name: " 17.4.2 | PATCH | L1 | Ensure Audit Directory Service Changes is set to include Success DC only"
+ - name: "17.4.2 | PATCH | L1 | Ensure Audit Directory Service Changes is set to include Success DC only"
 win_shell: AuditPol /set /subcategory:"Directory Service Changes" /success:enable
 when: "'Success' not in rule_17_4_2_audit.stdout"
 when:
@@ -280,16 +280,16 @@
 - rule_17.4.2
 - patch
-- name: " 17.5.1 | PATCH | L1 | Ensure Audit Account Lockout is set to include Failure"
+- name: "17.5.1 | PATCH | L1 | Ensure Audit Account Lockout is set to include Failure"
 block:
- - name: " 17.5.1 | AUDIT | L1 | Ensure Audit Account Lockout is set to include Failure"
+ - name: "17.5.1 | AUDIT | L1 | Ensure Audit Account Lockout is set to include Failure"
 win_shell: AuditPol /get /subcategory:"Account Lockout" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 check_mode: false
 register: rule_17_5_1_audit
- - name: " 17.5.1 | PATCH | L1 | Ensure Audit Account Lockout is set to include Failure"
+ - name: "17.5.1 | PATCH | L1 | Ensure Audit Account Lockout is set to include Failure"
 win_shell: AuditPol /set /subcategory:"Account Lockout" /failure:enable
 when: "'Failure' not in rule_17_5_1_audit.stdout"
 when:
@@ -300,16 +300,16 @@
 - rule_17.5.1
 - patch
-- name: " 17.5.2 | PATCH | L1 | Ensure Audit Group Membership is set to include Success"
+- name: "17.5.2 | PATCH | L1 | Ensure Audit Group Membership is set to include Success"
 block:
- - name: " 17.5.2 | AUDIT | L1 | Ensure Audit Group Membership is set to include Success"
+ - name: "17.5.2 | AUDIT | L1 | Ensure Audit Group Membership is set to include Success"
 win_shell: AuditPol /get /subcategory:"Group Membership" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 check_mode: false
 register: rule_17_5_2_audit
- - name: " 17.5.2 | PATCH | L1 | Ensure Audit Group Membership is set to include Success"
+ - name: "17.5.2 | PATCH | L1 | Ensure Audit Group Membership is set to include Success"
 win_shell: AuditPol /set /subcategory:"Group Membership" /success:enable
 when: "'Success' not in rule_17_5_2_audit.stdout"
 when:
@@ -320,16 +320,16 @@
 - rule_17.5.2
 - patch
-- name: " 17.5.3 | AUDIT | L1 | Ensure Audit Logoff is set to include Success"
+- name: "17.5.3 | AUDIT | L1 | Ensure Audit Logoff is set to include Success"
 block:
- - name: " 17.5.3 | AUDIT | L1 | Ensure Audit Logoff is set to include Success"
+ - name: "17.5.3 | AUDIT | L1 | Ensure Audit Logoff is set to include Success"
 win_shell: AuditPol /get /subcategory:"Logoff" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 check_mode: false
 register: rule_17_5_3_audit
- - name: " 17.5.3 | PATCH | L1 | Ensure Audit Logoff is set to include Success"
+ - name: "17.5.3 | PATCH | L1 | Ensure Audit Logoff is set to include Success"
 win_shell: AuditPol /set /subcategory:"Logoff" /success:enable
 when: "'Success' not in rule_17_5_3_audit.stdout"
 when:
@@ -340,20 +340,20 @@
 - rule_17.5.3
 - patch
-- name: " 17.5.4 | PATCH | L1 | Ensure Audit Logon is set to Success and Failure"
+- name: "17.5.4 | PATCH | L1 | Ensure Audit Logon is set to Success and Failure"
 block:
- - name: " 17.5.4 | AUDIT | L1 | Ensure Audit Logon is set to Success and Failure"
+ - name: "17.5.4 | AUDIT | L1 | Ensure Audit Logon is set to Success and Failure"
 win_shell: AuditPol /get /subcategory:"Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 check_mode: false
 register: rule_17_5_4_audit
- - name: " 17.5.4 | PATCH | L1 | Ensure Audit Logon is set to Success and Failure | Success"
+ - name: "17.5.4 | PATCH | L1 | Ensure Audit Logon is set to Success and Failure | Success"
 win_shell: AuditPol /set /subcategory:"Logon" /success:enable
 when: "'Success' not in rule_17_5_4_audit.stdout"
- - name: " 17.5.4 | PATCH | L1 | Ensure Audit Logon is set to Success and Failure | Failure"
+ - name: "17.5.4 | PATCH | L1 | Ensure Audit Logon is set to Success and Failure | Failure"
 win_shell: AuditPol /set /subcategory:"Logon" /failure:enable
 when: "'Failure' not in rule_17_5_4_audit.stdout"
 when:
@@ -364,20 +364,20 @@
 - rule_17.5.4
 - patch
-- name: " 17.5.5 | PATCH | L1 | Ensure Audit Other LogonLogoff Events is set to Success and Failure"
+- name: "17.5.5 | PATCH | L1 | Ensure Audit Other LogonLogoff Events is set to Success and Failure"
 block:
- - name: " 17.5.5 | AUDIT | L1 | Ensure Audit Other LogonLogoff Events is set to Success and Failure"
+ - name: "17.5.5 | AUDIT | L1 | Ensure Audit Other LogonLogoff Events is set to Success and Failure"
 win_shell: AuditPol /get /subcategory:"Other Logon/Logoff Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 check_mode: false
 register: rule_17_5_5_audit
- - name: " 17.5.5 | PATCH | L1 | Ensure Audit Other LogonLogoff Events is set to Success and Failure | Success"
+ - name: "17.5.5 | PATCH | L1 | Ensure Audit Other LogonLogoff Events is set to Success and Failure | Success"
 win_shell: AuditPol /set /subcategory:"Other Logon/Logoff Events" /success:enable
 when: "'Success' not in rule_17_5_5_audit.stdout"
- - name: " 17.5.5 | PATCH | L1 | Ensure Audit Other LogonLogoff Events is set to Success and Failure | Failure"
+ - name: "17.5.5 | PATCH | L1 | Ensure Audit Other LogonLogoff Events is set to Success and Failure | Failure"
 win_shell: AuditPol /set /subcategory:"Other Logon/Logoff Events" /failure:enable
 when: "'Failure' not in rule_17_5_5_audit.stdout"
 when:
@@ -388,16 +388,16 @@
 - rule_17.5.5
 - patch
-- name: " 17.5.6 | PATCH | L1 | Ensure Audit Special Logon is set to include Success"
+- name: "17.5.6 | PATCH | L1 | Ensure Audit Special Logon is set to include Success"
 block:
- - name: " 17.5.6 | AUDIT | L1 | Ensure Audit Special Logon is set to include Success"
+ - name: "17.5.6 | AUDIT | L1 | Ensure Audit Special Logon is set to include Success"
 win_shell: AuditPol /get /subcategory:"Special Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 check_mode: false
 register: rule_17_5_6_audit
- - name: " 17.5.6 | PATCH | L1 | Ensure Audit Special Logon is set to include Success"
+ - name: "17.5.6 | PATCH | L1 | Ensure Audit Special Logon is set to include Success"
 win_shell: AuditPol /set /subcategory:"Special Logon" /success:enable
 when: "'Success' not in rule_17_5_6_audit.stdout"
 when:
@@ -408,16 +408,16 @@
 - rule_17.5.6
 - patch
-- name: " 17.6.1 | PATCH | L1 | Ensure Audit Detailed File Share is set to include Failure"
+- name: "17.6.1 | PATCH | L1 | Ensure Audit Detailed File Share is set to include Failure"
 block:
- - name: " 17.6.1 | AUDIT | L1 | Ensure Audit Detailed File Share is set to include Failure"
+ - name: "17.6.1 | AUDIT | L1 | Ensure Audit Detailed File Share is set to include Failure"
 win_shell: AuditPol /get /subcategory:"Detailed File Share" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 check_mode: false
 register: rule_17_6_1_audit
- - name: " 17.6.1 | PATCH | L1 | Ensure Audit Detailed File Share is set to include Failure"
+ - name: "17.6.1 | PATCH | L1 | Ensure Audit Detailed File Share is set to include Failure"
 win_shell: AuditPol /set /subcategory:"Detailed File Share" /failure:enable
 when: "'Failure' not in rule_17_6_1_audit.stdout"
 when:
@@ -428,20 +428,20 @@
 - rule_17.6.1
 - patch
-- name: " 17.6.2 | PATCH | L1 | Ensure Audit File Share is set to Success and Failure"
+- name: "17.6.2 | PATCH | L1 | Ensure Audit File Share is set to Success and Failure"
 block:
- - name: " 17.6.2 | AUDIT | L1 | Ensure Audit File Share is set to Success and Failure"
+ - name: "17.6.2 | AUDIT | L1 | Ensure Audit File Share is set to Success and Failure"
 win_shell: AuditPol /get /subcategory:"File Share" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 check_mode: false
 register: rule_17_6_2_audit
- - name: " 17.6.2 | PATCH | L1 | Ensure Audit File Share is set to Success and Failure"
+ - name: "17.6.2 | PATCH | L1 | Ensure Audit File Share is set to Success and Failure"
 win_shell: AuditPol /set /subcategory:"File Share" /success:enable
 when: "'Success' not in rule_17_6_2_audit.stdout"
- - name: " 17.6.2 | PATCH | L1 | Ensure Audit File Share is set to Success and Failure"
+ - name: "17.6.2 | PATCH | L1 | Ensure Audit File Share is set to Success and Failure"
 win_shell: AuditPol /set /subcategory:"File Share" /failure:enable
 when: "'Failure' not in rule_17_6_2_audit.stdout"
 when:
@@ -452,7 +452,7 @@
 - rule_17.6.2
 - patch
-- name: " 17.6.3 | PATCH | L1 | Ensure Audit Other Object Access Events is set to Success and Failure"
+- name: "17.6.3 | PATCH | L1 | Ensure Audit Other Object Access Events is set to Success and Failure"
 win_audit_policy_system:
 subcategory: Other Object Access Events
 audit_type: success, failure
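Review bot: The two PATCH sub-tasks of 17.6.2 in the first hunk carry identical names after the whitespace fix, so play output cannot tell the `/success:enable` step from the `/failure:enable` step; 17.1.1, 17.2.1 and 17.5.4 in this same file disambiguate theirs with a `| Success` / `| Failure` suffix, and 17.1.2, 17.1.3 and 17.6.4 have the same duplication. I would rename the added lines to `- name: "17.6.2 | PATCH | L1 | Ensure Audit File Share is set to Success and Failure | Success"` and `... | Failure"` respectively. Separately, 17.6.3 in the second hunk is the one task here that uses `win_audit_policy_system` instead of the AuditPol get/set block; if that module is the intended direction (it appears to handle idempotence and check mode itself), a short comment on it such as `# uses win_audit_policy_system rather than the AuditPol get/set block pattern used elsewhere in this file` would explain the difference until the rest are converted.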
@@ -464,20 +464,20 @@
 - rule_17.6.3
 - patch
-- name: " 17.6.4 | PATCH | L1 | Ensure Audit Removable Storage is set to Success and Failure"
+- name: "17.6.4 | PATCH | L1 | Ensure Audit Removable Storage is set to Success and Failure"
 block:
- - name: " 17.6.4 | AUDIT | L1 | Ensure Audit Removable Storage is set to Success and Failure"
+ - name: "17.6.4 | AUDIT | L1 | Ensure Audit Removable Storage is set to Success and Failure"
 win_shell: AuditPol /get /subcategory:"Removable Storage" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 check_mode: false
 register: rule_17_6_4_audit
- - name: " 17.6.4 | PATCH | L1 | Ensure Audit Removable Storage is set to Success and Failure"
+ - name: "17.6.4 | PATCH | L1 | Ensure Audit Removable Storage is set to Success and Failure"
 win_shell: AuditPol /set /subcategory:"Removable Storage" /success:enable
 when: "'Success' not in rule_17_6_4_audit.stdout"
- - name: " 17.6.4 | PATCH | L1 | Ensure Audit Removable Storage is set to Success and Failure"
+ - name: "17.6.4 | PATCH | L1 | Ensure Audit Removable Storage is set to Success and Failure"
 win_shell: AuditPol /set /subcategory:"Removable Storage" /failure:enable
 when: "'Failure' not in rule_17_6_4_audit.stdout"
 when:
@@ -488,16 +488,16 @@
 - rule_17.6.4
 - patch
-- name: " 17.7.1 | PATCH | L1 | Ensure Audit Audit Policy Change is set to include Success"
+- name: "17.7.1 | PATCH | L1 | Ensure Audit Audit Policy Change is set to include Success"
 block:
- - name: " 17.7.1 | AUDIT | L1 | Ensure Audit Audit Policy Change is set to include Success"
+ - name: "17.7.1 | AUDIT | L1 | Ensure Audit Audit Policy Change is set to include Success"
 win_shell: AuditPol /get /subcategory:"Audit Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 check_mode: false
 register: rule_17_7_1_audit
- - name: " 17.7.1 | PATCH | L1 | Ensure Audit Audit Policy Change is set to include Success"
+ - name: "17.7.1 | PATCH | L1 | Ensure Audit Audit Policy Change is set to include Success"
 win_shell: AuditPol /set /subcategory:"Audit Policy Change" /success:enable
 when: "'Success' not in rule_17_7_1_audit.stdout"
 when:
@@ -508,16 +508,16 @@
 - rule_17.7.1
 - patch
-- name: " 17.7.2 | PATCH | L1 | Ensure Audit Authentication Policy Change is set to include Success"
+- name: "17.7.2 | PATCH | L1 | Ensure Audit Authentication Policy Change is set to include Success"
 block:
- - name: " 17.7.2 | AUDIT | L1 | Ensure Audit Authentication Policy Change is set to include Success"
+ - name: "17.7.2 | AUDIT | L1 | Ensure Audit Authentication Policy Change is set to include Success"
 win_shell: AuditPol /get /subcategory:"Authentication Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 check_mode: false
 register: rule_17_7_2_audit
- - name: " 17.7.2 | PATCH | L1 | Ensure Audit Authentication Policy Change is set to include Success"
+ - name: "17.7.2 | PATCH | L1 | Ensure Audit Authentication Policy Change is set to include Success"
 win_shell: AuditPol /set /subcategory:"Authentication Policy Change" /success:enable
 when: "'Success' not in rule_17_7_2_audit.stdout"
 when:
@@ -528,16 +528,16 @@
 - rule_17.7.2
 - patch
-- name: " 17.7.3 | PATCH | L1 | Ensure Audit Authorization Policy Change is set to include Success"
+- name: "17.7.3 | PATCH | L1 | Ensure Audit Authorization Policy Change is set to include Success"
 block:
- - name: " 17.7.3 | AUDIT | L1 | Ensure Audit Authorization Policy Change is set to include Success"
+ - name: "17.7.3 | AUDIT | L1 | Ensure Audit Authorization Policy Change is set to include Success"
 win_shell: AuditPol /get /subcategory:"Authorization Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 check_mode: false
 register: rule_17_7_3_audit
- - name: " 17.7.3 | PATCH | L1 | Ensure Audit Authorization Policy Change is set to include Success"
+ - name: "17.7.3 | PATCH | L1 | Ensure Audit Authorization Policy Change is set to include Success"
 win_shell: AuditPol /set /subcategory:"Authorization Policy Change" /success:enable
 when: "'Success' not in rule_17_7_3_audit.stdout"
 when:
@@ -548,20 +548,20 @@
 - rule_17.7.3
 - patch
-- name: " 17.7.4 | PATCH | L1 | Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure"
+- name: "17.7.4 | PATCH | L1 | Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure"
 block:
- - name: " 17.7.4 | AUDIT | L1 | Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure"
+ - name: "17.7.4 | AUDIT | L1 | Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure"
 win_shell: AuditPol /get /subcategory:"MPSSVC Rule-Level Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 check_mode: false
 register: rule_17_7_4_audit
- - name: " 17.7.4 | PATCH | L1 | Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure | Success"
+ - name: "17.7.4 | PATCH | L1 | Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure | Success"
 win_shell: AuditPol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable
 when: "'Success' not in rule_17_7_4_audit.stdout"
- - name: " 17.7.4 | PATCH | L1 | Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure | Failure"
+ - name: "17.7.4 | PATCH | L1 | Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure | Failure"
 win_shell: AuditPol /set /subcategory:"MPSSVC Rule-Level Policy Change" /failure:enable
 when: "'Failure' not in rule_17_7_4_audit.stdout"
 when:
@@ -572,16 +572,16 @@ - rule_17.7.4 - patch -- name: " 17.7.5 | PATCH | L1 | Ensure Audit Other Policy Change Events is set to include Failure" +- name: "17.7.5 | PATCH | L1 | Ensure Audit Other Policy Change Events is set to include Failure" block: - - name: " 17.7.5 | AUDIT | L1 | Ensure Audit Other Policy Change Events is set to include Failure" + - name: "17.7.5 | AUDIT | L1 | Ensure Audit Other Policy Change Events is set to include Failure" win_shell: AuditPol /get /subcategory:"Other Policy Change Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: rule_17_7_5_audit - - name: " 17.7.5 | PATCH | L1 | Ensure Audit Other Policy Change Events is set to include Failure" + - name: "17.7.5 | PATCH | L1 | Ensure Audit Other Policy Change Events is set to include Failure" win_shell: AuditPol /set /subcategory:"Other Policy Change Events" /failure:enable when: "'Failure' not in rule_17_7_5_audit.stdout" when: 
@@ -592,20 +592,20 @@ - rule_17.7.5 - patch -- name: " 17.8.1 | PATCH | L1 | Ensure Audit Sensitive Privilege Use is set to Success and Failure" +- name: "17.8.1 | PATCH | L1 | Ensure Audit Sensitive Privilege Use is set to Success and Failure" block: - - name: " 17.8.1 | AUDIT | L1 | Ensure Audit Sensitive Privilege Use is set to Success and Failure" + - name: "17.8.1 | AUDIT | L1 | Ensure Audit Sensitive Privilege Use is set to Success and Failure" win_shell: AuditPol /get /subcategory:"Sensitive Privilege Use" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: rule_17_8_1_audit - - name: " 17.8.1 | PATCH | L1 | Ensure Audit Sensitive Privilege Use is set to Success and Failure | Success" + - name: "17.8.1 | PATCH | L1 | Ensure Audit Sensitive Privilege Use is set to Success and Failure | Success" win_shell: AuditPol /set /subcategory:"Sensitive Privilege Use" /success:enable when: "'Success' not in rule_17_8_1_audit.stdout" - - name: " 17.8.1 | PATCH | L1 | Ensure Audit Sensitive Privilege Use is set to Success and Failure | Failure" + - name: "17.8.1 | PATCH | L1 | Ensure Audit Sensitive Privilege Use is set to Success and Failure | Failure" win_shell: AuditPol /set /subcategory:"Sensitive Privilege Use" /failure:enable when: "'Failure' not in rule_17_8_1_audit.stdout" when: 
@@ -616,20 +616,20 @@ - rule_17.8.1 - patch -- name: " 17.9.1 | PATCH | L1 | Ensure Audit IPsec Driver is set to Success and Failure" +- name: "17.9.1 | PATCH | L1 | Ensure Audit IPsec Driver is set to Success and Failure" block: - - name: " 17.9.1 | AUDIT | L1 | Ensure Audit IPsec Driver is set to Success and Failure" + - name: "17.9.1 | AUDIT | L1 | Ensure Audit IPsec Driver is set to Success and Failure" win_shell: AuditPol /get /subcategory:"IPsec Driver" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: rule_17_9_1_audit - - name: " 17.9.1 | PATCH | L1 | Ensure Audit IPsec Driver is set to Success and Failure | Success" + - name: "17.9.1 | PATCH | L1 | Ensure Audit IPsec Driver is set to Success and Failure | Success" win_shell: AuditPol /set /subcategory:"IPsec Driver" /success:enable when: "'Success' not in rule_17_9_1_audit.stdout" - - name: " 17.9.1 | PATCH | L1 | Ensure Audit IPsec Driver is set to Success and Failure | Failure" + - name: "17.9.1 | PATCH | L1 | Ensure Audit IPsec Driver is set to Success and Failure | Failure" win_shell: AuditPol /set /subcategory:"IPsec Driver" /failure:enable when: "'Failure' not in rule_17_9_1_audit.stdout" when: 
@@ -640,20 +640,20 @@ - rule_17.9.1 - patch -- name: " 17.9.2 | PATCH | L1 | Ensure Audit Other System Events is set to Success and Failure" +- name: "17.9.2 | PATCH | L1 | Ensure Audit Other System Events is set to Success and Failure" block: - - name: " 17.9.2 | AUDIT | L1 | Ensure Audit Other System Events is set to Success and Failure" + - name: "17.9.2 | AUDIT | L1 | Ensure Audit Other System Events is set to Success and Failure" win_shell: AuditPol /get /subcategory:"Other System Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: rule_17_9_2_audit - - name: " 17.9.2 | PATCH | L1 | Ensure Audit Other System Events is set to Success and Failure | Success" + - name: "17.9.2 | PATCH | L1 | Ensure Audit Other System Events is set to Success and Failure | Success" win_shell: AuditPol /set /subcategory:"Other System Events" /success:enable when: "'Success' not in rule_17_9_2_audit.stdout" - - name: " 17.9.2 | PATCH | L1 | Ensure Audit Other System Events is set to Success and Failure | Failure" + - name: "17.9.2 | PATCH | L1 | Ensure Audit Other System Events is set to Success and Failure | Failure" win_shell: AuditPol /set /subcategory:"Other System Events" /failure:enable when: "'Failure' not in rule_17_9_2_audit.stdout" when: 
@@ -664,16 +664,16 @@ - rule_17.9.2 - patch -- name: " 17.9.3 | PATCH | L1 | Ensure Audit Security State Change is set to include Success" +- name: "17.9.3 | PATCH | L1 | Ensure Audit Security State Change is set to include Success" block: - - name: " 17.9.3 | AUDIT | L1 | Ensure Audit Security State Change is set to include Success" + - name: "17.9.3 | AUDIT | L1 | Ensure Audit Security State Change is set to include Success" win_shell: AuditPol /get /subcategory:"Security State Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: rule_17_9_3_audit - - name: " 17.9.3 | PATCH | L1 | Ensure Audit Security State Change is set to include Success" + - name: "17.9.3 | PATCH | L1 | Ensure Audit Security State Change is set to include Success" win_shell: AuditPol /set /subcategory:"Security State Change" /success:enable when: "'Success' not in rule_17_9_3_audit.stdout" when: @@ -684,16 +684,16 @@ - rule_17.9.3 - patch -- name: " 17.9.4 | PATCH | L1 | Ensure Audit Security System Extension is set to include Success" +- name: "17.9.4 | PATCH | L1 | Ensure Audit Security System Extension is set to include Success" block: - - name: " 17.9.4 | AUDIT | L1 | Ensure Audit Security System Extension is set to include Success" + - name: "17.9.4 | AUDIT | L1 | Ensure Audit Security System Extension is set to include Success" win_shell: AuditPol /get /subcategory:"Security System Extension" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: rule_17_9_4_audit - - name: " 17.9.4 | PATCH | L1 | Ensure Audit Security System Extension is set to include Success" + - name: "17.9.4 | PATCH | L1 | Ensure Audit Security System Extension is set to include Success" win_shell: AuditPol /set /subcategory:"Security System Extension" /success:enable when: "'Success' not in rule_17_9_4_audit.stdout" when: 
@@ -704,21 +704,21 @@ - rule_17.9.4 - patch -- name: " 17.9.5 | PATCH | L1 | Ensure Audit System Integrity is set to Success and Failure" +- name: "17.9.5 | PATCH | L1 | Ensure Audit System Integrity is set to Success and Failure" block: - - name: " 17.9.5 | AUDIT | L1 | Ensure Audit System Integrity is set to Success and Failure" + - name: "17.9.5 | AUDIT | L1 | Ensure Audit System Integrity is set to Success and Failure" win_shell: AuditPol /get /subcategory:"System Integrity" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: rule_17_9_5_audit - - name: " 17.9.5 | PATCH | L1 | Ensure Audit System Integrity is set to Success and Failure | Success" + - name: "17.9.5 | PATCH | L1 | Ensure Audit System Integrity is set to Success and Failure | Success" win_shell: AuditPol /set /subcategory:"System Integrity" /success:enable changed_when: "'Success' not in rule_17_9_5_audit.stdout" when: "'Success' not in rule_17_9_5_audit.stdout" - - name: " 17.9.5 | PATCH | L1 | Ensure Audit System Integrity is set to Success and Failure | Failure" + - name: "17.9.5 | PATCH | L1 | Ensure Audit System Integrity is set to Success and Failure | Failure" win_shell: AuditPol /set /subcategory:"System Integrity" /failure:enable changed_when: "'Failure' not in rule_17_9_5_audit.stdout" when: "'Failure' not in rule_17_9_5_audit.stdout" diff --git a/tasks/section18.yml b/tasks/section18.yml index a10b39a..fe60d04 100644 --- a/tasks/section18.yml +++ b/tasks/section18.yml @@ -1027,7 +1027,7 @@ - rule_18.8.22.1.7 - patch -- name: "SCORED |18.8.22.1.8 | PATCH | L2 | Ensure Turn off Search Companion content file updates is set to Enabled" +- name: "SCORED | 18.8.22.1.8 | PATCH | L2 | Ensure Turn off Search Companion content file updates is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Searchcompanion name: DisableContentFileUpdates 
From edb15131542e9c3dadf8db17ca91afd9c1287341 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 24 Oct 2022 08:23:59 -0400 Subject: [PATCH 26/32] README Updates Signed-off-by: George Nalen --- README.md | 28 +++++++++++++++++----------- 1 file changed, 17 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index c3635b2..d465c25 100644 --- a/README.md +++ b/README.md 
@@ -1,20 +1,26 @@ -Windows Server 2019 CIS -========= +# Windows Server 2019 CIS + ![Release](https://img.shields.io/github/v/release/ansible-lockdown/Windows-2019-CIS?style=plastic) -Configure a Windows Server 2019 system to be CIS compliant. All findings will be audited by default. Non-disruptive Section 1, Section 2, Section 9, Section 17, Section 18, and Section 19 findings will be corrected by default. +Configure a Windows Server 2019 system to be [CIS](https://downloads.cisecurity.org/#/) compliant. + + Based on [CIS Microsoft Windows Server 2019 Benchmark v1.3.0 - 03-18-2022](https://learn.cisecurity.org/l/799323/2022-03-15/rshpk) + + ## Join us + + On our [Discord Server](https://discord.gg/JFxpSgPFEJ) to ask questions, discuss features, or just chat with other Ansible-Lockdown users + + ## Caution(s) -Caution(s) -------- This role **will make changes to the system** that could break things. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted. -This role was developed against a clean install of the Operating System. If you are implimenting to an existing system please review this role for any site specific changes that are needed. +This role was developed against a clean install of the Operating System. If you are implementing to an existing system please review this role for any site specific changes that are needed. To use release version please point to main branch -Based on [Windows Server 2019 CIS v1.2.1 05-08-2021](https://downloads.cisecurity.org/#/). +Based on [Windows Server 2019 CIS v1.3.0 03-18-2022](https://downloads.cisecurity.org/#/). + +## Documentation -Documentation -------------- [Getting Started](https://www.lockdownenterprise.com/docs/getting-started-with-lockdown)
[Customizing Roles](https://www.lockdownenterprise.com/docs/customizing-lockdown-enterprise)
[Per-Host Configuration](https://www.lockdownenterprise.com/docs/per-host-lockdown-enterprise-configuration)
@@ -22,8 +28,8 @@ Documentation [Wiki](https://github.com/ansible-lockdown/Windows-2019-CIS/wiki)
[Repo GitHub Page](https://ansible-lockdown.github.io/Windows-2019-CIS/)
-Requirements ------------- +## Requirements + **General:** - Basic knowledge of Ansible, below are some links to the Ansible documentation to help get started if you are unfamiliar with Ansible - [Main Ansible documentation page](https://docs.ansible.com) From 02c5554f10b453c97c0f712a4dc5f20ef7448f5c Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 24 Oct 2022 08:37:03 -0400 Subject: [PATCH 27/32] updated defaults/main.yml for new section and added notes on section toggles Signed-off-by: George Nalen --- defaults/main.yml | 83 +++++++++++++++++++++++++++++++++------------ tasks/section19.yml | 15 ++++---- 2 files changed, 69 insertions(+), 29 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 285a6c3..fa43ef0 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -1,10 +1,34 @@ --- -section01_patch: yes -section02_patch: yes -section09_patch: yes -section17_patch: yes -section18_patch: yes -section19_patch: yes + +# Section 1 Account Policies +# 1.1.x Password Policy, 1.2.x Account Lockout Policy +section01_patch: true + +# Section 2 Local Policies +# 2.2.x User Rights Assignment, 2.3.x Security Options +section02_patch: true + +# Section 5 System Services +# 5.x Printers +section05_patch: true + +# Section 9 Windows Defender Firewall with Advanced Security (formerly Windows Firewall with Advanced Security) +# 9.1.x Domain Profile, 9.2.x Private Profile, 9.3.x Public Profile +section09_patch: true + +# Section 17 Advanced Audit Policy Configuration +# 17.1.x Account Logon, 17.2.x Account Management, 17.3.x Detailed Tracking, 17.4.x DS Access, 17.5.x Logon/Logoff +# 17.6.x Object Access, 17.7.x Policy Change, 17.8.x Privilege Use, 17.9.x System +section17_patch: true + +# Section 18 Administrative Templates (Computer) +# 18.1.x Control Panel, 18.2.x LAPS, 18.3.x MS Security Guide, 18.4.x MSS (Legacy), 18.5.x Network, 18.6.x Printers +# 18.7.x Start Menu and Taskbar, 18.8.x System, 18.9.x Windows Components +section18_patch: true + +# Section 19 Administrative Templates (User) +# 19.1.x Control Panel, 19.5.x Start Menu and Taskbar, 19.6.x System, 19.7.x Windows Components +section19_patch: true min_ansible_version: "2.6" @@ -180,6 +204,10 @@ rule_2_3_17_6: true rule_2_3_17_7: true rule_2_3_17_8: true +# section 5 +rule_5_1: true +rule_5_2: true + # section09 rule_9_1_1: true rule_9_1_2: true @@ -290,6 +318,9 @@ rule_18_5_20_1: true rule_18_5_20_2: true rule_18_5_21_1: true rule_18_5_21_2: true +rule_18_6_1: true +rule_18_6_2: true +rule_18_6_3: true rule_18_7_1_1: true rule_18_8_3_1: true rule_18_8_4_1: true @@ -301,6 +332,7 @@ rule_18_8_5_4: true rule_18_8_5_5: true rule_18_8_5_6: true rule_18_8_5_7: true +rule_18_8_7_2: true rule_18_8_14_1: true rule_18_8_21_2: true rule_18_8_21_3: true 
@@ -339,6 +371,7 @@ rule_18_8_36_1: true rule_18_8_36_2: true rule_18_8_37_1: true rule_18_8_37_2: true +rule_18_8_40_1: true rule_18_8_45_5_1: true rule_18_8_47_5_1: true rule_18_8_47_11_1: true @@ -353,14 +386,18 @@ rule_18_9_8_3: true rule_18_9_10_1_1: true rule_18_9_12_1: true rule_18_9_13_1: true -rule_18_9_13_2: true rule_18_9_14_1: true +rule_18_9_14_2: true rule_18_9_15_1: true rule_18_9_15_2: true -rule_18_9_16_1: true -rule_18_9_16_2: true -rule_18_9_16_3: true -rule_18_9_16_4: true +rule_18_9_17_1: true +rule_18_9_17_2: true +rule_18_9_17_3: true +rule_18_9_17_4: true +rule_18_9_17_5: true +rule_18_9_17_6: true +rule_18_9_17_7: true +rule_18_9_17_8: true rule_18_9_26_1_1: true rule_18_9_26_1_2: true rule_18_9_26_2_1: true @@ -381,14 +418,15 @@ rule_18_9_45_4_1_1: true rule_18_9_45_4_1_2: true rule_18_9_45_4_3_1: true rule_18_9_45_5_1: true -rule_18_9_45_8_1: true -rule_18_9_45_8_2: true -rule_18_9_45_8_3: true rule_18_9_45_10_1: true rule_18_9_45_11_1: true rule_18_9_45_11_2: true rule_18_9_45_14: true rule_18_9_45_15: true +rule_18_9_47_9_1: true +rule_18_9_47_9_2: true +rule_18_9_47_9_3: true +rule_18_9_47_9_4: true rule_18_9_55_1: true rule_18_9_62_2_2: true rule_18_9_62_3_2_1: true @@ -416,8 +454,6 @@ rule_18_9_85_1: true rule_18_9_85_2: true rule_18_9_85_3: true rule_18_9_86_1: true -rule_18_9_95_1: true -rule_18_9_95_2: true rule_18_9_97_1_1: true rule_18_9_97_1_2: true rule_18_9_97_1_3: true @@ -427,12 +463,14 @@ rule_18_9_97_2_3: true rule_18_9_97_2_4: true rule_18_9_98_1: true rule_18_9_99_2_1: true -rule_18_9_102_1_1: true -rule_18_9_102_1_2: true -rule_18_9_102_1_3: true -rule_18_9_102_2: true -rule_18_9_102_3: true -rule_18_9_102_4: true +rule_18_9_100_1: true +rule_18_9_100_2: true +rule_18_9_108_1_1: true +rule_18_9_108_2_1: true +rule_18_9_108_2_2: true +rule_18_9_108_4_1: true +rule_18_9_108_4_2: true +rule_18_9_108_4_3: true # section19 rule_19_1_3_1: true 
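Review bot: The toggles dropped in the `@@ -427,12 +463,14 @@` hunk (`rule_18_9_102_1_1` … `rule_18_9_102_4`, and earlier in the same file `rule_18_9_95_1`/`_2`, `rule_18_9_45_8_1`..`_3` and the `rule_18_9_16_x` → `rule_18_9_17_x` renames) are removed from defaults only, while this commit's diffstat touches just `defaults/main.yml` and `tasks/section19.yml`; any task in `tasks/section18.yml` still guarded by `when: - rule_18_9_102_1_1` will therefore fail with an undefined-variable error instead of being skipped. Either land the section18.yml renumbering in the same commit or keep the old names as deprecated aliases until it does, e.g. `rule_18_9_102_1_1: "{{ rule_18_9_108_1_1 }}"`. A short comment at the top of the section18 block recording which benchmark version the numbering follows (`# rule IDs follow CIS WS2019 v1.3.0`) would make the next renumbering reviewable.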
@@ -447,6 +485,7 @@ rule_19_7_8_1: true rule_19_7_8_2: true rule_19_7_8_3: true rule_19_7_8_4: true +rule_19_7_8_5: true rule_19_7_28_1: true rule_19_7_43_1: true rule_19_7_47_2_1: true diff --git a/tasks/section19.yml b/tasks/section19.yml index ec36eee..65f0f1e 100644 --- a/tasks/section19.yml +++ b/tasks/section19.yml @@ -22,20 +22,20 @@ - rule_19.1.3.1 - patch -- name: "19.1.3.2 | PATCH | L1 | Ensure Force specific screen saver Screen saver executable name is set to Enabled scrnsave.scr" +- name: "19.1.3.2 | PATCH | Ensure Password protect the screen saver is set to Enabled" block: - - name: "19.1.3.2 | PATCH | L1 | Ensure Force specific screen saver Screen saver executable name is set to Enabled scrnsave.scr" + - name: "19.1.3.2 | PATCH | Ensure Password protect the screen saver is set to Enabled" win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop - name: SCRNSAVE.EXE - data: scrnsave.scr + name: ScreenSaverIsSecure + data: 1 type: string - - name: "19.1.3.2 | PATCH | L1 | Ensure Force specific screen saver Screen saver executable name is set to Enabled scrnsave.scr" + - name: "19.1.3.2 | PATCH | Ensure Password protect the screen saver is set to Enabled" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop - name: SCRNSAVE.EXE - data: scrnsave.scr + name: ScreenSaverIsSecure + data: 1 type: string when: - rule_19_1_3_2 @@ -44,6 +44,7 @@ - level1-memberserver - rule_19.1.3.2 - patch + - screensaver - name: "19.1.3.3 | PATCH | L1 | Ensure Password protect the screen saver is set to Enabled" block: From 5e6d5519264fd9fcbd29b96ade6236fda1e49426 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 24 Oct 2022 08:56:18 -0400 Subject: [PATCH 28/32] updates for changes based on CIS change log 
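Review bot: After the `@@ -22,20 +22,20 @@` hunk, 19.1.3.2 and the 19.1.3.3 task visible in the trailing context (`19.1.3.3 | PATCH | L1 | Ensure Password protect the screen saver is set to Enabled`) carry the same title, so the role now appears to apply one control twice and nothing forces `SCRNSAVE.EXE` any more. If v1.3.0 dropped the "force specific screen saver" item and shifted the rest of 19.1.3.x up, 19.1.3.3 needs its matching change in this commit; if not, this hunk should keep the `SCRNSAVE.EXE`/`scrnsave.scr` setting, and a one-line comment above the task stating which benchmark version the numbering follows would remove the ambiguity. The new value is written as `data: 1` with `type: string`; if a REG_SZ is intended (as `type: string` suggests), quote it as `data: "1"` rather than relying on the module to coerce an int.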
Signed-off-by: George Nalen --- defaults/main.yml | 12 ++++++++--- tasks/section01.yml | 50 +++++++++++++++++++-------------------------- tasks/section05.yml | 20 ++++++++++++++++++ tasks/section19.yml | 15 ++++++++++++++ 4 files changed, 65 insertions(+), 32 deletions(-) create mode 100644 tasks/section05.yml diff --git a/defaults/main.yml b/defaults/main.yml index fa43ef0..26a2864 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -509,11 +509,17 @@ sedebugprivilege: "*S-1-5-32-544" pass_age: 60 -lockoutduration: 15 -lockoutbadcount: 3 +# 1.2.2 +# lockoutbadcount must be 5 or few, but not 0 (zero) +lockoutbadcount: 5 + resetlockoutcount: 15 passwordhistorysize: 24 -maximumpasswordage: 60 + +# 1.1.2 +# maximumpasswordage must be 365 or fewer, but not 0 (zero) +maximumpasswordage: 365 + minimumpasswordage: 1 minimumpasswordlength: 14 diff --git a/tasks/section01.yml b/tasks/section01.yml index 458f077..dcbb54c 100644 --- a/tasks/section01.yml +++ b/tasks/section01.yml @@ -1,4 +1,5 @@ --- + - name: "1.1.1 | PATCH | L1 | Ensure Enforce password history is set to 24 or more passwords" block: - name: "1.1.1 | AUDIT | L1 | Ensure Enforce password history is set to 24 or more passwords" 
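Review bot: `lockoutduration: 15` is deleted from defaults/main.yml in the `@@ -509,11 +509,17 @@` hunk, but the 1.2.1 task in tasks/section01.yml still reads it (`that: lockoutduration | int is version('15', '<=')` and `value: "{{ lockoutduration }}"`), so with `rule_1_2_1: true` the play now fails with an undefined variable. Restore it next to the other 1.2.x defaults, e.g. `# 1.2.1` / `# lockoutduration must be 15 or more minutes` / `lockoutduration: 15`. The new comment on `lockoutbadcount` also reads "5 or few"; since the 1.2.2 task title says "10 or fewer invalid logon attempts but not 0", make it `# lockoutbadcount must be 10 or fewer, but not 0 (zero); 5 is the stricter default used here`.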
@@ -22,21 +23,11 @@ - rule_1.1.1 - patch -- name: "1.1.2 | PATCH | L1 | Ensure Maximum password age is set to 60 or fewer days but not 0" - block: - - name: "1.1.2 | AUDIT | L1 | Ensure Maximum password age is set to 60 or fewer days but not 0" - assert: - that: maximumpasswordage | int is version('60', '<=') - fail_msg: "Maximum password age must be configured to 60 days or less and variable maximumpasswordage is set to {{ maximumpasswordage }}" - changed_when: false - ignore_errors: true - register: result - - - name: "1.1.2 | PATCH | L1 | Ensure Maximum password age is set to 60 or fewer days but not 0" - win_security_policy: - section: System Access - key: MaximumPasswordAge - value: "{{ maximumpasswordage }}" +- name: "1.1.2 | PATCH | Ensure Maximum password age is set to 365 or fewer days but not 0" + win_security_policy: + section: System Access + key: MaximumPasswordAge + value: "{{ maximumpasswordage }}" when: - rule_1_1_2 tags: @@ -44,6 +35,7 @@ - level1-memberserver - rule_1.1.2 - patch + - password - name: "1.1.3 | PATCH | L1 | Ensure Minimum password age is set to 1 or more days" block: @@ -117,6 +109,20 @@ - rule_1.1.6 - patch +# This rule must be applied first to make rule_1.2.1 and rule_1.2.3 applicable +- name: "1.2.2 | PATCH | L1 | Ensure Account lockout threshold is set to 10 or fewer invalid logon attempts but not 0" + win_security_policy: + section: System Access + key: LockoutBadCount + value: "{{ lockoutbadcount }}" + when: + - rule_1_2_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_1.2.2 + - patch + # Speelman | added because of this error "Failed to import secedit.ini file from C:\\Users\\vagrant\\AppData\\Local\\Temp\\tmp81F3.tmp - name: "1.2.1 | AUDIT | L1 | Ensure Account lockout duration is set to 15 or more minutes" block: 
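Review bot: The `@@ -22,21 +23,11 @@` hunk removes the 1.1.2 audit step entirely, so a host var of `maximumpasswordage: 0` (never expires) or `maximumpasswordage: 9999` is now written straight into the security policy with no guard, while 1.1.1, 1.1.3, 1.1.4, 1.2.1 and 1.2.3 keep their asserts. Keep the block and just move the bound to the new benchmark value, `that: maximumpasswordage | int is version('365', '<=') and maximumpasswordage | int > 0`, with a fail_msg that names 365 days. Note that, as in the removed block, the assert used `ignore_errors: true` and nothing conditioned the patch on `result`, so the check was informational only; if it is reinstated, a `when: not result.failed` on the patch step would make it enforce. The `password` tag is added only to 1.1.2 here; the other 1.1.x tasks in view do not get it, so it is not yet usable as a section-wide selector.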
@@ -142,20 +148,6 @@ - rule_1.2.1 - patch -# This rule must be applied first to make rule_1.2.1 and rule_1.2.3 applicable -- name: "1.2.2 | PATCH | L1 | Ensure Account lockout threshold is set to 10 or fewer invalid logon attempts but not 0" - win_security_policy: - section: System Access - key: LockoutBadCount - value: "{{ lockoutbadcount }}" - when: - - rule_1_2_2 - tags: - - level1-domaincontroller - - level1-memberserver - - rule_1.2.2 - - patch - - name: "1.2.3 | PATCH | L1 | Ensure Reset account lockout counter after is set to 15 or more minutes" block: - name: "1.2.3 | AUDIT | L1 | Ensure Reset account lockout counter after is set to 15 or more minutes" diff --git a/tasks/section05.yml b/tasks/section05.yml new file mode 100644 index 0000000..4e30849 --- /dev/null +++ b/tasks/section05.yml @@ -0,0 +1,20 @@ +--- + +- name: | + "5.1 | PATCH | Ensure Print Spooler (Spooler) is set to Disabled + 5.2 | PATCH | Ensure 'Print Spooler (Spooler) is set to Disabled" + win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Services\Spooler + name: Start + data: 4 + type: dword + when: + - rule_5_1 or + rule_5_2 + tags: + - level1-domaincontroller + - level2-domainmember + - rule_5.1 + - rule_5.2 + - patch + - printer diff --git a/tasks/section19.yml b/tasks/section19.yml index 65f0f1e..07531c2 100644 --- a/tasks/section19.yml +++ b/tasks/section19.yml 
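Review bot: The new tasks/section05.yml task only writes `Start = 4` under `HKLM:\SYSTEM\CurrentControlSet\Services\Spooler`, which prevents the spooler starting at the next boot but leaves an already-running Print Spooler active until then, so the host reports compliant while the service is still up. Use the service module so the running instance is stopped as well, e.g. `win_service:` with `name: Spooler`, `state: stopped`, `start_mode: disabled`, which is also idempotent without a raw registry write. The tags mix `level1-domaincontroller` with `level2-domainmember`, whereas every other task in view uses `levelN-memberserver` (e.g. `level1-memberserver` on 1.1.x and 19.x), so a `--tags level2-memberserver` run will skip 5.2; and the second line of the block-scalar name duplicates the 5.1 text with a stray opening quote, so the two recommendations cannot be told apart in output.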
@@ -276,6 +276,21 @@ - rule_19.7.8.4 - patch +- name: "19.7.8.5 | PATCH | Ensure Turn off Spotlight collection on Desktop is set to Enabled" + win_regedit: + path: HKCU:\SOFTWARE\Policies\Microsoft\Windows\CloudContent + name: DisableSpotlightCollectionOnDesktop + data: 1 + type: dword + when: + - rule_19_7_8_5 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_19.7.8.4 + - patch + - spotlight + - name: "19.7.28.1 | PATCH | L1 | Ensure Prevent users from sharing files within their profile. is set to Enabled" block: - name: "19.7.28.1 | PATCH | L1 | Ensure Prevent users from sharing files within their profile. is set to Enabled" From e7c082845a1cd7e74089c1655e8523aae364be72 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 24 Oct 2022 09:06:44 -0400 Subject: [PATCH 29/32] removed level from titles Signed-off-by: George Nalen --- tasks/section01.yml | 36 +++--- tasks/section02.yml | 231 +++++++++++++++++++-------------------- tasks/section09.yml | 53 ++++----- tasks/section17.yml | 229 ++++++++++++++++++++------------------- tasks/section18.yml | 259 ++++++++++++++++++++++---------------------- tasks/section19.yml | 61 ++++++----- 6 files changed, 437 insertions(+), 432 deletions(-) diff --git a/tasks/section01.yml b/tasks/section01.yml index dcbb54c..51ba2f6 100644 --- a/tasks/section01.yml +++ b/tasks/section01.yml @@ -1,8 +1,8 @@ --- -- name: "1.1.1 | PATCH | L1 | Ensure Enforce password history is set to 24 or more passwords" +- name: "1.1.1 | PATCH | Ensure Enforce password history is set to 24 or more passwords" block: - - name: "1.1.1 | AUDIT | L1 | Ensure Enforce password history is set to 24 or more passwords" + - name: "1.1.1 | AUDIT | Ensure Enforce password history is set to 24 or more passwords" assert: that: passwordhistorysize | int is version('24', '>=') fail_msg: "Password history must be configured to 24 passwords remembered and variable passwordhistorysize is set to {{ passwordhistorysize }}" 
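Review bot: The new 19.7.8.5 task is tagged `rule_19.7.8.4` instead of `rule_19.7.8.5`, so `--tags rule_19.7.8.5` will not select it and `--tags rule_19.7.8.4` runs it together with the real 19.7.8.4; change the tag line to `- rule_19.7.8.5`. The task also writes to `HKCU:` only, while the 19.1.3.2 tasks earlier in this same file set both `HKU:\.DEFAULT` and `HKCU:`; if the user-scope pattern is meant to cover the default profile too, this task should follow it, otherwise a comment explaining why `HKCU:` alone is sufficient here would help.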
@@ -10,7 +10,7 @@ ignore_errors: true register: result - - name: "1.1.1 | PATCH | L1 | Ensure Enforce password history is set to 24 or more passwords" + - name: "1.1.1 | PATCH | Ensure Enforce password history is set to 24 or more passwords" win_security_policy: section: System Access key: PasswordHistorySize @@ -37,9 +37,9 @@ - patch - password -- name: "1.1.3 | PATCH | L1 | Ensure Minimum password age is set to 1 or more days" +- name: "1.1.3 | PATCH | Ensure Minimum password age is set to 1 or more days" block: - - name: "1.1.3 | AUDIT | L1 | Ensure Minimum password age is set to 1 or more days" + - name: "1.1.3 | AUDIT | Ensure Minimum password age is set to 1 or more days" assert: that: minimumpasswordage is version('1', '>=') fail_msg: "Minimum password age must be configured to at least one day and variable minimumpasswordage is set to {{ minimumpasswordage }}" @@ -47,7 +47,7 @@ ignore_errors: true register: result - - name: "1.1.3 | PATCH | L1 | Ensure Minimum password age is set to 1 or more days" + - name: "1.1.3 | PATCH | Ensure Minimum password age is set to 1 or more days" win_security_policy: section: System Access key: MinimumPasswordAge @@ -60,9 +60,9 @@ - rule_1.1.3 - patch -- name: "1.1.4 | PATCH | L1 | Ensure Minimum password length is set to 14 or more characters" +- name: "1.1.4 | PATCH | Ensure Minimum password length is set to 14 or more characters" block: - - name: "1.1.4 | AUDIT | L1 | Ensure Minimum password length is set to 14 or more characters" + - name: "1.1.4 | AUDIT | Ensure Minimum password length is set to 14 or more characters" assert: that: minimumpasswordlength is version('14', '>=') fail_msg: "Minimum password length must be configured to 14 characters and variable minimumpasswordlength is set to {{ minimumpasswordlength }} characters" 
@@ -70,7 +70,7 @@ ignore_errors: true register: result - - name: "1.1.4 | PATCH | L1 | Ensure Minimum password length is set to 14 or more characters" + - name: "1.1.4 | PATCH | Ensure Minimum password length is set to 14 or more characters" win_security_policy: section: System Access key: MinimumPasswordLength @@ -83,7 +83,7 @@ - rule_1.1.4 - patch -- name: "1.1.5 | PATCH | L1 | Ensure Password must meet complexity requirements is set to Enabled" +- name: "1.1.5 | PATCH | Ensure Password must meet complexity requirements is set to Enabled" win_security_policy: section: System Access key: PasswordComplexity @@ -96,7 +96,7 @@ - rule_1.1.5 - patch -- name: "1.1.6 | PATCH | L1 | Ensure Store passwords using reversible encryption is set to Disabled" +- name: "1.1.6 | PATCH | Ensure Store passwords using reversible encryption is set to Disabled" win_security_policy: section: System Access key: ClearTextPassword @@ -110,7 +110,7 @@ - patch # This rule must be applied first to make rule_1.2.1 and rule_1.2.3 applicable -- name: "1.2.2 | PATCH | L1 | Ensure Account lockout threshold is set to 10 or fewer invalid logon attempts but not 0" +- name: "1.2.2 | PATCH | Ensure Account lockout threshold is set to 10 or fewer invalid logon attempts but not 0" win_security_policy: section: System Access key: LockoutBadCount 
@@ -124,9 +124,9 @@ - patch # Speelman | added because of this error "Failed to import secedit.ini file from C:\\Users\\vagrant\\AppData\\Local\\Temp\\tmp81F3.tmp -- name: "1.2.1 | AUDIT | L1 | Ensure Account lockout duration is set to 15 or more minutes" +- name: "1.2.1 | AUDIT | Ensure Account lockout duration is set to 15 or more minutes" block: - - name: "1.2.1 | AUDIT | L1 | Ensure Account lockout duration is set to 15 or more minutes" + - name: "1.2.1 | AUDIT | Ensure Account lockout duration is set to 15 or more minutes" assert: that: lockoutduration | int is version('15', '<=') fail_msg: "Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater and variable lockoutduration is set to {{ lockoutduration }}" @@ -134,7 +134,7 @@ ignore_errors: true register: result - - name: "1.2.1 | PATCH | L1 | Ensure Account lockout duration is set to 15 or more minutes" + - name: "1.2.1 | PATCH | Ensure Account lockout duration is set to 15 or more minutes" win_security_policy: section: System Access key: LockoutDuration @@ -148,9 +148,9 @@ - rule_1.2.1 - patch -- name: "1.2.3 | PATCH | L1 | Ensure Reset account lockout counter after is set to 15 or more minutes" +- name: "1.2.3 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes" block: - - name: "1.2.3 | AUDIT | L1 | Ensure Reset account lockout counter after is set to 15 or more minutes" + - name: "1.2.3 | AUDIT | Ensure Reset account lockout counter after is set to 15 or more minutes" assert: that: resetlockoutcount | int is version('15', '>=') fail_msg: "Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater and variable resetlockoutcount is set to {{ resetlockoutcount }}" 
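Review bot: The 1.2.1 audit in the `@@ -124,9 +124,9 @@` hunk asserts `lockoutduration | int is version('15', '<=')`, the opposite of the title ("15 or more minutes"): a value of 5 passes and 30 fails, so the guard admits exactly the non-compliant values. Change it to `that: lockoutduration | int is version('15', '>=')`. The fail_msg on the same task is copied from 1.2.3 ("period of time before the bad logon counter is reset"); it should describe the lockout duration, e.g. `fail_msg: "Account lockout duration must be 15 minutes or more and variable lockoutduration is set to {{ lockoutduration }}"`. The outer task is also titled `AUDIT` although it contains the PATCH step, unlike the other 1.x blocks that title the outer task `PATCH`.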
@@ -158,7 +158,7 @@ ignore_errors: true register: result - - name: "1.2.3 | PATCH | L1 | Ensure Reset account lockout counter after is set to 15 or more minutes" + - name: "1.2.3 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes" win_security_policy: section: System Access key: ResetLockoutCount diff --git a/tasks/section02.yml b/tasks/section02.yml index 2f8b9a3..f171517 100644 --- a/tasks/section02.yml +++ b/tasks/section02.yml @@ -1,5 +1,6 @@ --- -- name: "2.2.1 | PATCH | L1 | Ensure Access Credential Manager as a trusted caller is set to No One" + +- name: "2.2.1 | PATCH | Ensure Access Credential Manager as a trusted caller is set to No One" win_user_right: name: SeTrustedCredManAccessPrivilege users: [] @@ -12,7 +13,7 @@ - rule_2.2.1 - patch -- name: "2.2.2 & 2.2.3 | PATCH | L1 | Ensure Access this computer from the network is set to Administrators Authenticated Users ENTERPRISE DOMAIN CONTROLLERS DC only" +- name: "2.2.2 & 2.2.3 | PATCH | Ensure Access this computer from the network is set to Administrators Authenticated Users ENTERPRISE DOMAIN CONTROLLERS DC only" win_user_right: name: SeNetworkLogonRight users: @@ -29,7 +30,7 @@ - rule_2.2.3 - patch -- name: "2.2.4 | PATCH | L1 | Ensure Act as part of the operating system is set to No One" +- name: "2.2.4 | PATCH | Ensure Act as part of the operating system is set to No One" win_user_right: name: SeTcbPrivilege users: [] @@ -42,7 +43,7 @@ - rule_2.2.4 - patch -- name: "2.2.5 | PATCH | L1 | Ensure Add workstations to domain is set to Administrators DC only" +- name: "2.2.5 | PATCH | Ensure Add workstations to domain is set to Administrators DC only" win_user_right: name: SeMachineAccountPrivilege users: Administrators 
@@ -55,7 +56,7 @@ - rule_2.2.5 - patch -- name: "2.2.6 | PATCH | L1 | Ensure Adjust memory quotas for a process is set to Administrators LOCAL SERVICE NETWORK SERVICE" +- name: "2.2.6 | PATCH | Ensure Adjust memory quotas for a process is set to Administrators LOCAL SERVICE NETWORK SERVICE" win_user_right: name: SeIncreaseQuotaPrivilege users: @@ -71,7 +72,7 @@ - rule_2.2.6 - patch -- name: "2.2.7 | PATCH | L1 | Ensure Allow log on locally is set to Administrators" +- name: "2.2.7 | PATCH | Ensure Allow log on locally is set to Administrators" win_user_right: name: SeInteractiveLogonRight users: @@ -85,7 +86,7 @@ - rule_2.2.7 - patch -- name: "2.2.8 & 2.2.9 | PATCH | L1 | Ensure Allow log on through Remote Desktop Services is set to Administrators DC only" +- name: "2.2.8 & 2.2.9 | PATCH | Ensure Allow log on through Remote Desktop Services is set to Administrators DC only" win_user_right: name: SeRemoteInteractiveLogonRight users: @@ -102,7 +103,7 @@ - rule_2.2.9 - patch -- name: "2.2.10 | PATCH | L1 | Ensure Back up files and directories is set to Administrators" +- name: "2.2.10 | PATCH | Ensure Back up files and directories is set to Administrators" win_user_right: name: SeBackupPrivilege users: @@ -116,7 +117,7 @@ - rule_2.2.10 - patch -- name: "2.2.11 | PATCH | L1 | Ensure Change the system time is set to Administrators LOCAL SERVICE" +- name: "2.2.11 | PATCH | Ensure Change the system time is set to Administrators LOCAL SERVICE" win_user_right: name: SeSystemTimePrivilege users: @@ -131,7 +132,7 @@ - rule_2.2.11 - patch -- name: "2.2.12 | PATCH | L1 | Ensure Change the time zone is set to Administrators LOCAL SERVICE" +- name: "2.2.12 | PATCH | Ensure Change the time zone is set to Administrators LOCAL SERVICE" win_user_right: name: SeTimeZonePrivilege users: 
@@ -146,7 +147,7 @@
 - rule_2.2.12
 - patch
 
-- name: "2.2.13 | PATCH | L1 | Ensure Create a pagefile is set to Administrators"
+- name: "2.2.13 | PATCH | Ensure Create a pagefile is set to Administrators"
 win_user_right:
 name: SeCreatePagefilePrivilege
 users:
@@ -160,7 +161,7 @@
 - rule_2.2.13
 - patch
 
-- name: "2.2.14 | PATCH | L1 | Ensure Create a token object is set to No One"
+- name: "2.2.14 | PATCH | Ensure Create a token object is set to No One"
 win_user_right:
 name: SeCreateTokenPrivilege
 users: []
@@ -173,7 +174,7 @@
 - rule_2.2.14
 - patch
 
-- name: "2.2.15 | PATCH | L1 | Ensure Create global objects is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE"
+- name: "2.2.15 | PATCH | Ensure Create global objects is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE"
 win_user_right:
 name: SeCreateGlobalPrivilege
 users:
@@ -190,7 +191,7 @@
 - rule_2.2.15
 - patch
 
-- name: "2.2.16 | PATCH | L1 | Ensure Create permanent shared objects is set to No One"
+- name: "2.2.16 | PATCH | Ensure Create permanent shared objects is set to No One"
 win_user_right:
 name: SeCreatePermanentPrivilege
 users: []
@@ -203,7 +204,7 @@
 - rule_2.2.16
 - patch
 
-- name: "2.2.17 | PATCH | L1 | Ensure Create symbolic links is set to Administrators DC only"
+- name: "2.2.17 | PATCH | Ensure Create symbolic links is set to Administrators DC only"
 win_user_right:
 name: SeCreateSymbolicLinkPrivilege
 users:
@@ -217,7 +218,7 @@
 - rule_2.2.17
 - patch
 
-- name: "2.2.18 | PATCH | L1 | Ensure Create symbolic links is set to Administrators NT VIRTUAL MACHINEVirtual Machines MS only"
+- name: "2.2.18 | PATCH | Ensure Create symbolic links is set to Administrators NT VIRTUAL MACHINEVirtual Machines MS only"
 block:
 - name: "2.2.18 | PATCH | (L1 Ensure Create symbolic links is set to Administrators NT VIRTUAL MACHINEVirtual Machines MS only | No Hyper-v"
 win_user_right:
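Review bot: In the last hunk (`@@ -217,7 +218,7 @@`) the inner "No Hyper-v" sub-task name still carries the level tag, and with a stray opening parenthesis (`(L1 Ensure …`), while the outer 2.2.18 name on the new side drops `L1 |` and the sibling "With Hyper-v" sub-task in the next hunk is rewritten too; the two halves of the same block now use different name formats, which matters when operators grep play output by rule id. Suggest changing the context line to `- name: "2.2.18 | PATCH | Ensure Create symbolic links is set to Administrators NT VIRTUAL MACHINEVirtual Machines MS only | No Hyper-v"`. The rest of the block's body lies outside this hunk.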
@@ -227,7 +228,7 @@
 action: set
 when: not is_hyperv_installed
 
- - name: "2.2.18 | PATCH | L1 | Ensure Create symbolic links is set to Administrators NT VIRTUAL MACHINEVirtual Machines MS only | With Hyper-v"
+ - name: "2.2.18 | PATCH | Ensure Create symbolic links is set to Administrators NT VIRTUAL MACHINEVirtual Machines MS only | With Hyper-v"
 win_user_right:
 name: SeCreateSymbolicLinkPrivilege
 users:
@@ -243,7 +244,7 @@
 - rule_2.2.18
 - patch
 
-- name: "2.2.19 | PATCH | L1 | Ensure Debug programs is set to Administrators"
+- name: "2.2.19 | PATCH | Ensure Debug programs is set to Administrators"
 win_user_right:
 name: SeDebugPrivilege
 users:
@@ -258,7 +259,7 @@
 - patch
 
 # Limiting hardening to only include the Guests group, since Local Account access will still be needed for non-domain-joined nodes
-- name: "2.2.20 | PATCH | L1 | Ensure Deny access to this computer from the network to include Guests DC only"
+- name: "2.2.20 | PATCH | Ensure Deny access to this computer from the network to include Guests DC only"
 win_user_right:
 name: SeDenyNetworkLogonRight
 users:
@@ -272,7 +273,7 @@
 - rule_2.2.20
 - patch
 
-- name: "2.2.21 | PATCH | L1 | Ensure Deny access to this computer from the network to include Guests Local account and member of Administrators group MS only"
+- name: "2.2.21 | PATCH | Ensure Deny access to this computer from the network to include Guests Local account and member of Administrators group MS only"
 win_user_right:
 name: SeDenyNetworkLogonRight
 users:
@@ -288,7 +289,7 @@
 - rule_2.2.21
 - patch
 
-- name: "2.2.22 | PATCH | L1 | Ensure Deny log on as a batch job to include Guests"
+- name: "2.2.22 | PATCH | Ensure Deny log on as a batch job to include Guests"
 win_user_right:
 name: SeDenyBatchLogonRight
 users:
@@ -302,7 +303,7 @@
 - rule_2.2.22
 - patch
 
-- name: "2.2.23 | PATCH | L1 | Ensure Deny log on as a service to include Guests"
+- name: "2.2.23 | PATCH | Ensure Deny log on as a service to include Guests"
 win_user_right:
 name: SeDenyServiceLogonRight
 users:
@@ -316,7 +317,7 @@
 - rule_2.2.23
 - patch
 
-- name: "2.2.24 | PATCH | L1 | Ensure Deny log on locally to include Guests"
+- name: "2.2.24 | PATCH | Ensure Deny log on locally to include Guests"
 win_user_right:
 name: SeDenyInteractiveLogonRight
 users:
@@ -330,7 +331,7 @@
 - rule_2.2.24
 - patch
 
-- name: "2.2.25 | PATCH | L1 | Ensure Deny log on through Remote Desktop Services to include Guests DC only"
+- name: "2.2.25 | PATCH | Ensure Deny log on through Remote Desktop Services to include Guests DC only"
 win_user_right:
 name: SeDenyRemoteInteractiveLogonRight
 users:
@@ -345,7 +346,7 @@
 - rule_2.2.25
 - patch
 
-- name: "2.2.26 | PATCH | L1 | Ensure Deny log on through Remote Desktop Services is set to Guests Local account MS only"
+- name: "2.2.26 | PATCH | Ensure Deny log on through Remote Desktop Services is set to Guests Local account MS only"
 win_user_right:
 name: SeDenyRemoteInteractiveLogonRight
 users:
@@ -360,7 +361,7 @@
 - rule_2.2.26
 - patch
 
-- name: "2.2.27 | PATCH | L1 | Ensure Enable computer and user accounts to be trusted for delegation is set to Administrators DC only"
+- name: "2.2.27 | PATCH | Ensure Enable computer and user accounts to be trusted for delegation is set to Administrators DC only"
 win_user_right:
 name: SeEnableDelegationPrivilege
 users: Administrators
@@ -374,7 +375,7 @@
 - rule_2.2.27
 - patch
 
-- name: "2.2.28 | PATCH | L1 | Ensure Enable computer and user accounts to be trusted for delegation is set to No One MS only"
+- name: "2.2.28 | PATCH | Ensure Enable computer and user accounts to be trusted for delegation is set to No One MS only"
 win_user_right:
 name: SeEnableDelegationPrivilege
 users: []
@@ -387,7 +388,7 @@
 - rule_2.2.28
 - patch
 
-- name: "2.2.29 | PATCH | L1 | Ensure Force shutdown from a remote system is set to Administrators"
+- name: "2.2.29 | PATCH | Ensure Force shutdown from a remote system is set to Administrators"
 win_user_right:
 name: SeRemoteShutdownPrivilege
 users:
@@ -401,7 +402,7 @@
 - rule_2.2.29
 - patch
 
-- name: "2.2.30 | PATCH | L1 | Ensure Generate security audits is set to LOCAL SERVICE NETWORK SERVICE"
+- name: "2.2.30 | PATCH | Ensure Generate security audits is set to LOCAL SERVICE NETWORK SERVICE"
 win_user_right:
 name: SeAuditPrivilege
 users:
@@ -416,7 +417,7 @@
 - rule_2.2.30
 - patch
 
-- name: "2.2.31 | PATCH | L1 | Ensure Impersonate a client after authentication is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE DC only"
+- name: "2.2.31 | PATCH | Ensure Impersonate a client after authentication is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE DC only"
 win_user_right:
 name: SeImpersonatePrivilege
 users:
@@ -433,7 +434,7 @@
 - rule_2.2.31
 - patch
 
-- name: "2.2.32 | PATCH | L1 | Ensure Impersonate a client after authentication is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE and when the Web Server IIS Role with Web Services Role Service is installed IIS IUSRS MS only"
+- name: "2.2.32 | PATCH | Ensure Impersonate a client after authentication is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE and when the Web Server IIS Role with Web Services Role Service is installed IIS IUSRS MS only"
 win_user_right:
 name: SeImpersonatePrivilege
 users:
@@ -451,7 +452,7 @@
 - rule_2.2.32
 - patch
 
-- name: "2.2.33 | PATCH | L1 | Ensure Increase scheduling priority is set to Administrators Window ManagerWindow Manager Group"
+- name: "2.2.33 | PATCH | Ensure Increase scheduling priority is set to Administrators Window ManagerWindow Manager Group"
 win_user_right:
 name: SeIncreaseBasePriorityPrivilege
 users: "{{ increase_scheduling_priority_users }}"
@@ -464,7 +465,7 @@
 - rule_2.2.33
 - patch
 
-- name: "2.2.34 | PATCH | L1 | Ensure Load and unload device drivers is set to Administrators"
+- name: "2.2.34 | PATCH | Ensure Load and unload device drivers is set to Administrators"
 win_user_right:
 name: SeLoadDriverPrivilege
 users:
@@ -478,7 +479,7 @@
 - rule_2.2.34
 - patch
 
-- name: "2.2.35 | PATCH | L1 | Ensure Lock pages in memory is set to No One"
+- name: "2.2.35 | PATCH | Ensure Lock pages in memory is set to No One"
 win_user_right:
 name: SeLockMemoryPrivilege
 users: []
@@ -504,7 +505,7 @@
 - rule_2.2.36
 - patch
 
-- name: "2.2.37 & 2.2.38 | PATCH | L1 | Ensure Manage auditing and security log is set to Administrators and when Exchange is running in the environment Exchange Servers DC only"
+- name: "2.2.37 & 2.2.38 | PATCH | Ensure Manage auditing and security log is set to Administrators and when Exchange is running in the environment Exchange Servers DC only"
 win_user_right:
 name: SeSecurityPrivilege
 users:
@@ -520,7 +521,7 @@
 - rule_2.2.38
 - patch
 
-- name: "2.2.39 | PATCH | L1 | Ensure Modify an object label is set to No One"
+- name: "2.2.39 | PATCH | Ensure Modify an object label is set to No One"
 win_user_right:
 name: SeReLabelPrivilege
 users: []
@@ -533,7 +534,7 @@
 - rule_2.2.39
 - patch
 
-- name: "2.2.40 | PATCH | L1 | Ensure Modify firmware environment values is set to Administrators"
+- name: "2.2.40 | PATCH | Ensure Modify firmware environment values is set to Administrators"
 win_user_right:
 name: SeSystemEnvironmentPrivilege
 users:
@@ -547,7 +548,7 @@
 - rule_2.2.40
 - patch
 
-- name: "2.2.41 | PATCH | L1 | Ensure Perform volume maintenance tasks is set to Administrators"
+- name: "2.2.41 | PATCH | Ensure Perform volume maintenance tasks is set to Administrators"
 win_user_right:
 name: SeManageVolumePrivilege
 users:
@@ -561,7 +562,7 @@
 - rule_2.2.41
 - patch
 
-- name: "2.2.42 | PATCH | L1 | Ensure Profile single process is set to Administrators"
+- name: "2.2.42 | PATCH | Ensure Profile single process is set to Administrators"
 win_user_right:
 name: SeProfileSingleProcessPrivilege
 users:
@@ -575,7 +576,7 @@
 - rule_2.2.42
 - patch
 
-- name: "2.2.43 | PATCH | L1 | Ensure Profile system performance is set to Administrators NT SERVICEWdiServiceHost"
+- name: "2.2.43 | PATCH | Ensure Profile system performance is set to Administrators NT SERVICEWdiServiceHost"
 win_user_right:
 name: SeSystemProfilePrivilege
 users:
@@ -590,7 +591,7 @@
 - rule_2.2.43
 - patch
 
-- name: "2.2.44 | PATCH | L1 | Ensure Replace a process level token is set to LOCAL SERVICE NETWORK SERVICE"
+- name: "2.2.44 | PATCH | Ensure Replace a process level token is set to LOCAL SERVICE NETWORK SERVICE"
 win_user_right:
 name: SeAssignPrimaryTokenPrivilege
 users:
@@ -605,7 +606,7 @@
 - rule_2.2.44
 - patch
 
-- name: "2.2.45 | PATCH | L1 | Ensure Restore files and directories is set to Administrators"
+- name: "2.2.45 | PATCH | Ensure Restore files and directories is set to Administrators"
 win_user_right:
 name: SeRestorePrivilege
 users:
@@ -619,7 +620,7 @@
 - rule_2.2.45
 - patch
 
-- name: "2.2.46 | PATCH | L1 | Ensure Shut down the system is set to Administrators"
+- name: "2.2.46 | PATCH | Ensure Shut down the system is set to Administrators"
 win_user_right:
 name: SeShutdownPrivilege
 users:
@@ -633,7 +634,7 @@
 - rule_2.2.46
 - patch
 
-- name: "2.2.47 | PATCH | L1 | Ensure Synchronize directory service data is set to No One DC only"
+- name: "2.2.47 | PATCH | Ensure Synchronize directory service data is set to No One DC only"
 win_user_right:
 name: SeSyncAgentPrivilege
 users: []
@@ -646,7 +647,7 @@
 - rule_2.2.47
 - patch
 
-- name: "2.2.48 | PATCH | L1 | Ensure Take ownership of files or other objects is set to Administrators"
+- name: "2.2.48 | PATCH | Ensure Take ownership of files or other objects is set to Administrators"
 win_user_right:
 name: SeTakeOwnershipPrivilege
 users:
@@ -660,7 +661,7 @@
 - rule_2.2.48
 - patch
 
-- name: "2.3.1.1 | PATCH | L1 | Ensure Accounts Administrator account status is set to Disabled MS only"
+- name: "2.3.1.1 | PATCH | Ensure Accounts Administrator account status is set to Disabled MS only"
 win_security_policy:
 section: System Access
 key: EnableAdminAccount
@@ -674,7 +675,7 @@
 - rule_2.3.1.1
 - patch
 
-- name: "2.3.1.2 | PATCH | L1 | Ensure Accounts Block Microsoft accounts is set to Users cant add or log on with Microsoft accounts"
+- name: "2.3.1.2 | PATCH | Ensure Accounts Block Microsoft accounts is set to Users cant add or log on with Microsoft accounts"
 win_regedit:
 path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
 name: NoConnectedUser
@@ -688,7 +689,7 @@
 - rule_2.3.1.2
 - patch
 
-- name: "2.3.1.3 | PATCH | L1 | Ensure Accounts Guest account status is set to Disabled MS only"
+- name: "2.3.1.3 | PATCH | Ensure Accounts Guest account status is set to Disabled MS only"
 win_security_policy:
 section: System Access
 key: EnableGuestAccount
@@ -700,7 +701,7 @@
 - rule_2.3.1.3
 - patch
 
-- name: "2.3.1.4 | PATCH | L1 | Ensure Accounts Limit local account use of blank passwords to console logon only is set to Enabled"
+- name: "2.3.1.4 | PATCH | Ensure Accounts Limit local account use of blank passwords to console logon only is set to Enabled"
 win_regedit:
 path: HKLM:\System\Currentcontrolset\Control\Lsa
 name: LimitBlankPasswordUse
@@ -714,7 +715,7 @@
 - rule_2.3.1.4
 - patch
 
-- name: "2.3.1.5 | PATCH | L1 | Configure Accounts Rename administrator account"
+- name: "2.3.1.5 | PATCH | Configure Accounts Rename administrator account"
 win_security_policy:
 section: System Access
 key: newadministratorname
@@ -728,7 +729,7 @@
 - rule_2.3.1.5
 - patch
 
-- name: "2.3.1.6 | PATCH | L1 | Configure Accounts Rename guest account"
+- name: "2.3.1.6 | PATCH | Configure Accounts Rename guest account"
 win_security_policy:
 section: System Access
 key: NewGuestName
@@ -741,7 +742,7 @@
 - rule_2.3.1.6
 - patch
 
-- name: "2.3.2.1 | PATCH | L1 | Ensure Audit Force audit policy subcategory settings Windows Vista or later to override audit policy category settings is set to Enabled"
+- name: "2.3.2.1 | PATCH | Ensure Audit Force audit policy subcategory settings Windows Vista or later to override audit policy category settings is set to Enabled"
 win_regedit:
 path: HKLM:\System\Currentcontrolset\Control\Lsa
 name: SCENoApplyLegacyAuditPolicy
@@ -755,7 +756,7 @@
 - rule_2.3.2.1
 - patch
 
-- name: "2.3.2.2 | PATCH | L1 | Ensure Audit Shut down system immediately if unable to log security audits is set to Disabled"
+- name: "2.3.2.2 | PATCH | Ensure Audit Shut down system immediately if unable to log security audits is set to Disabled"
 win_regedit:
 path: HKLM:\System\Currentcontrolset\Control\Lsa
 name: CrashOnAuditFail
@@ -769,7 +770,7 @@
 - rule_2.3.2.2
 - patch
 
-- name: "2.3.4.1 | PATCH | L1 | Ensure Devices Allowed to format and eject removable media is set to Administrators"
+- name: "2.3.4.1 | PATCH | Ensure Devices Allowed to format and eject removable media is set to Administrators"
 win_regedit:
 path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon
 name: AllocateDASD
@@ -783,7 +784,7 @@
 - rule_2.3.4.1
 - patch
 
-- name: "2.3.4.2 | PATCH | L1 | Ensure Devices Prevent users from installing printer drivers is set to Enabled"
+- name: "2.3.4.2 | PATCH | Ensure Devices Prevent users from installing printer drivers is set to Enabled"
 win_regedit:
 path: HKLM:\System\Currentcontrolset\Control\Print\Providers\Lanman Print Services\Servers
 name: AddPrinterDrivers
@@ -797,7 +798,7 @@
 - rule_2.3.4.2
 - patch
 
-- name: "2.3.5.1 | PATCH | L1 | Ensure Domain controller Allow server operators to schedule tasks is set to Disabled DC only"
+- name: "2.3.5.1 | PATCH | Ensure Domain controller Allow server operators to schedule tasks is set to Disabled DC only"
 win_regedit:
 path: HKLM:\System\CurrentControlSet\Control\Lsa
 name: SubmitControl
@@ -812,7 +813,7 @@
 - rule_2.3.5.1
 - patch
 
-- name: "2.3.5.2 | PATCH | L1 | Ensure Domain controller Allow vulnerable Netlogon secure channel connections' is set to 'Not Configured DC only"
+- name: "2.3.5.2 | PATCH | Ensure Domain controller Allow vulnerable Netlogon secure channel connections' is set to 'Not Configured DC only"
 win_regedit:
 path: HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters
 name: VulnerableChannelAllowList
@@ -827,7 +828,7 @@
 - rule_2.3.5.2
 - patch
 
-- name: "2.3.5.3 | PATCH | L1 | Ensure Domain controller LDAP server channel binding token requirements' is set to 'Always' DC only"
+- name: "2.3.5.3 | PATCH | Ensure Domain controller LDAP server channel binding token requirements' is set to 'Always' DC only"
 win_regedit:
 path: HKLM:\System\CurrentControlSet\Services\NTDS\Parameters
 name: LdapEnforceChannelBinding
@@ -842,7 +843,7 @@
 - rule_2.3.5.3
 - patch
 
-- name: "2.3.5.4 | PATCH | L1 | Ensure Domain controller LDAP server signing requirements is set to Require signing DC only"
+- name: "2.3.5.4 | PATCH | Ensure Domain controller LDAP server signing requirements is set to Require signing DC only"
 win_regedit:
 path: HKLM:\System\CurrentControlSet\Services\NTDS\Parameters
 name: LDAPServerIntegrity
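Review bot: The rewritten names in the `@@ -812,7 +813,7 @@` and `@@ -827,7 +828,7 @@` hunks carry unbalanced single quotes (`connections' is set to 'Not Configured`, `requirements' is set to 'Always'`) that every other renamed task on this page has stripped, so the new lines are inconsistent with the naming scheme the commit is establishing. Since these lines are being touched anyway, suggest `- name: "2.3.5.2 | PATCH | Ensure Domain controller Allow vulnerable Netlogon secure channel connections is set to Not Configured DC only"` and `- name: "2.3.5.3 | PATCH | Ensure Domain controller LDAP server channel binding token requirements is set to Always DC only"`. Each task's value and state lines lie outside the hunk.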
@@ -856,7 +857,7 @@
 - rule_2.3.5.4
 - patch
 
-- name: "2.3.5.5 | PATCH | L1 | Ensure Domain controller Refuse machine account password changes is set to Disabled DC only"
+- name: "2.3.5.5 | PATCH | Ensure Domain controller Refuse machine account password changes is set to Disabled DC only"
 win_regedit:
 path: HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters
 name: RefusePasswordChange
@@ -871,7 +872,7 @@
 - rule_2.3.5.5
 - patch
 
-- name: "2.3.6.1 | PATCH | L1 | Ensure Domain member Digitally encrypt or sign secure channel data always is set to Enabled"
+- name: "2.3.6.1 | PATCH | Ensure Domain member Digitally encrypt or sign secure channel data always is set to Enabled"
 win_regedit:
 path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters
 name: RequireSignOrSeal
@@ -887,7 +888,7 @@
 - rule_2.3.6.1
 - patch
 
-- name: "2.3.6.2 | PATCH | L1 | Ensure Domain member Digitally encrypt secure channel data when possible is set to Enabled"
+- name: "2.3.6.2 | PATCH | Ensure Domain member Digitally encrypt secure channel data when possible is set to Enabled"
 win_regedit:
 path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters
 name: sealsecurechannel
@@ -903,7 +904,7 @@
 - rule_2.3.6.2
 - patch
 
-- name: "2.3.6.3 | PATCH | L1 | Ensure Domain member Digitally sign secure channel data when possible is set to Enabled"
+- name: "2.3.6.3 | PATCH | Ensure Domain member Digitally sign secure channel data when possible is set to Enabled"
 win_regedit:
 path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters
 name: signsecurechannel
@@ -918,7 +919,7 @@
 - rule_2.3.6.3
 - patch
 
-- name: "2.3.6.4 | PATCH | L1 | Ensure Domain member Disable machine account password changes is set to Disabled"
+- name: "2.3.6.4 | PATCH | Ensure Domain member Disable machine account password changes is set to Disabled"
 win_regedit:
 path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters
 name: disablepasswordchange
@@ -933,7 +934,7 @@
 - rule_2.3.6.4
 - patch
 
-- name: "2.3.6.5 | PATCH | L1 | Ensure Domain member Maximum machine account password age is set to 30 or fewer days but not 0"
+- name: "2.3.6.5 | PATCH | Ensure Domain member Maximum machine account password age is set to 30 or fewer days but not 0"
 win_regedit:
 path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters
 name: MaximumPasswordAge
@@ -948,7 +949,7 @@
 - rule_2.3.6.5
 - patch
 
-- name: "2.3.6.6 | PATCH | L1 | Ensure Domain member Require strong Windows 2000 or later session key is set to Enabled"
+- name: "2.3.6.6 | PATCH | Ensure Domain member Require strong Windows 2000 or later session key is set to Enabled"
 win_regedit:
 path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters
 name: RequireStrongKey
@@ -963,7 +964,7 @@
 - rule_2.3.6.6
 - patch
 
-- name: "2.3.7.1 | PATCH | L1 | Ensure Interactive logon Do not require CTRLALTDEL is set to Disabled"
+- name: "2.3.7.1 | PATCH | Ensure Interactive logon Do not require CTRLALTDEL is set to Disabled"
 win_regedit:
 path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
 name: DisableCAD
@@ -977,7 +978,7 @@
 - rule_2.3.7.1
 - patch
 
-- name: "2.3.7.2 | PATCH | L1 | Ensure Interactive logon Dont display last signed-in is set to Enabled"
+- name: "2.3.7.2 | PATCH | Ensure Interactive logon Dont display last signed-in is set to Enabled"
 win_regedit:
 path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
 name: DontDisplayLastUserName
@@ -991,7 +992,7 @@
 - rule_2.3.7.2
 - patch
 
-- name: "2.3.7.3 | PATCH | L1 | Ensure Interactive logon Machine inactivity limit is set to 900 or fewer seconds but not 0"
+- name: "2.3.7.3 | PATCH | Ensure Interactive logon Machine inactivity limit is set to 900 or fewer seconds but not 0"
 win_regedit:
 path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
 name: InactivityTimeoutSecs
@@ -1005,7 +1006,7 @@
 - rule_2.3.7.3
 - patch
 
-- name: "2.3.7.4 | PATCH | L1 | Configure Interactive logon Message text for users attempting to log on"
+- name: "2.3.7.4 | PATCH | Configure Interactive logon Message text for users attempting to log on"
 win_regedit:
 path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
 name: LegalNoticeText
@@ -1019,7 +1020,7 @@
 - rule_2.3.7.4
 - patch
 
-- name: "2.3.7.5 | PATCH | L1 | Configure Interactive logon Message title for users attempting to log on"
+- name: "2.3.7.5 | PATCH | Configure Interactive logon Message title for users attempting to log on"
 win_regedit:
 path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
 name: LegalNoticeCaption
@@ -1046,7 +1047,7 @@
 - rule_2.3.7.6
 - patch
 
-- name: "2.3.7.7 | PATCH | L1 | Ensure Interactive logon Prompt user to change password before expiration is set to between 5 and 14 days"
+- name: "2.3.7.7 | PATCH | Ensure Interactive logon Prompt user to change password before expiration is set to between 5 and 14 days"
 win_regedit:
 path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon
 name: PasswordExpiryWarning
@@ -1060,7 +1061,7 @@
 - rule_2.3.7.7
 - patch
 
-- name: "2.3.7.8 | PATCH | L1 | Ensure Interactive logon Require Domain Controller Authentication to unlock workstation is set to Enabled MS only"
+- name: "2.3.7.8 | PATCH | Ensure Interactive logon Require Domain Controller Authentication to unlock workstation is set to Enabled MS only"
 win_regedit:
 path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon
 name: ForceUnlockLogon
@@ -1074,7 +1075,7 @@
 - rule_2.3.7.8
 - patch
 
-- name: "2.3.7.9 | PATCH | L1 | Ensure Interactive logon Smart card removal behavior is set to Lock Workstation or higher"
+- name: "2.3.7.9 | PATCH | Ensure Interactive logon Smart card removal behavior is set to Lock Workstation or higher"
 win_regedit:
 path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon
 name: scremoveoption
@@ -1088,7 +1089,7 @@
 - rule_2.3.7.9
 - patch
 
-- name: "2.3.8.1 | PATCH | L1 | Ensure Microsoft network client Digitally sign communications always is set to Enabled"
+- name: "2.3.8.1 | PATCH | Ensure Microsoft network client Digitally sign communications always is set to Enabled"
 win_regedit:
 path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters
 name: RequireSecuritySignature
@@ -1102,7 +1103,7 @@
 - rule_2.3.8.1
 - patch
 
-- name: "2.3.8.2 | PATCH | L1 | Ensure Microsoft network client Digitally sign communications if server agrees is set to Enabled"
+- name: "2.3.8.2 | PATCH | Ensure Microsoft network client Digitally sign communications if server agrees is set to Enabled"
 win_regedit:
 path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters
 name: EnableSecuritySignature
@@ -1116,7 +1117,7 @@
 - rule_2.3.8.2
 - patch
 
-- name: "2.3.8.3 | PATCH | L1 | Ensure Microsoft network client Send unencrypted password to third-party SMB servers is set to Disabled"
+- name: "2.3.8.3 | PATCH | Ensure Microsoft network client Send unencrypted password to third-party SMB servers is set to Disabled"
 win_regedit:
 path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters
 name: EnablePlainTextPassword
@@ -1130,7 +1131,7 @@
 - rule_2.3.8.3
 - patch
 
-- name: "2.3.9.1 | PATCH | L1 | Ensure Microsoft network server Amount of idle time required before suspending session is set to 15 or fewer minutes"
+- name: "2.3.9.1 | PATCH | Ensure Microsoft network server Amount of idle time required before suspending session is set to 15 or fewer minutes"
 win_regedit:
 path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
 name: autodisconnect
@@ -1144,7 +1145,7 @@
 - rule_2.3.9.1
 - patch
 
-- name: "2.3.9.2 | PATCH | L1 | Ensure Microsoft network server Digitally sign communications always is set to Enabled"
+- name: "2.3.9.2 | PATCH | Ensure Microsoft network server Digitally sign communications always is set to Enabled"
 win_regedit:
 path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
 name: requiresecuritysignature
@@ -1158,7 +1159,7 @@
 - rule_2.3.9.2
 - patch
 
-- name: "2.3.9.3 | PATCH | L1 | Ensure Microsoft network server Digitally sign communications if client agrees is set to Enabled"
+- name: "2.3.9.3 | PATCH | Ensure Microsoft network server Digitally sign communications if client agrees is set to Enabled"
 win_regedit:
 path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
 name: enablesecuritysignature
@@ -1172,7 +1173,7 @@
 - rule_2.3.9.3
 - patch
 
-- name: "2.3.9.4 | PATCH | L1 | Ensure Microsoft network server Disconnect clients when logon hours expire is set to Enabled"
+- name: "2.3.9.4 | PATCH | Ensure Microsoft network server Disconnect clients when logon hours expire is set to Enabled"
 win_regedit:
 path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
 name: enableforcedlogoff
@@ -1186,7 +1187,7 @@
 - rule_2.3.9.4
 - patch
 
-- name: "2.3.9.5 | PATCH | L1 | Ensure Microsoft network server Server SPN target name validation level is set to Accept if provided by client or higher MS only"
+- name: "2.3.9.5 | PATCH | Ensure Microsoft network server Server SPN target name validation level is set to Accept if provided by client or higher MS only"
 win_regedit:
 path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
 name: SMBServerNameHardeningLevel
@@ -1201,7 +1202,7 @@
 - rule_2.3.9.5
 - patch
 
-- name: "2.3.10.1 | PATCH | L1 | Ensure Network access Allow anonymous SIDName translation is set to Disabled"
+- name: "2.3.10.1 | PATCH | Ensure Network access Allow anonymous SIDName translation is set to Disabled"
 win_security_policy:
 section: System Access
 key: LSAAnonymousNameLookup
@@ -1214,7 +1215,7 @@
 - rule_2.3.10.1
 - patch
 
-- name: "2.3.10.2 | PATCH | L1 | Ensure Network access Do not allow anonymous enumeration of SAM accounts is set to Enabled MS only"
+- name: "2.3.10.2 | PATCH | Ensure Network access Do not allow anonymous enumeration of SAM accounts is set to Enabled MS only"
 win_regedit:
 path: HKLM:\System\Currentcontrolset\Control\Lsa
 name: RestrictAnonymousSAM
@@ -1228,7 +1229,7 @@
 - rule_2.3.10.2
 - patch
 
-- name: "2.3.10.3 | PATCH | L1 | Ensure Network access Do not allow anonymous enumeration of SAM accounts and shares is set to Enabled MS only"
+- name: "2.3.10.3 | PATCH | Ensure Network access Do not allow anonymous enumeration of SAM accounts and shares is set to Enabled MS only"
 win_regedit:
 path: HKLM:\System\Currentcontrolset\Control\Lsa
 name: RestrictAnonymous
@@ -1256,7 +1257,7 @@
 - rule_2.3.10.4
 - patch
 
-- name: "2.3.10.5 | PATCH | L1 | Ensure Network access Let Everyone permissions apply to anonymous users is set to Disabled"
+- name: "2.3.10.5 | PATCH | Ensure Network access Let Everyone permissions apply to anonymous users is set to Disabled"
 win_regedit:
 path: HKLM:\System\Currentcontrolset\Control\Lsa
 name: EveryoneIncludesAnonymous
@@ -1270,7 +1271,7 @@
 - rule_2.3.10.5
 - patch
 
-- name: "2.3.10.6 | PATCH | L1 | Configure Network access Named Pipes that can be accessed anonymously DC only"
+- name: "2.3.10.6 | PATCH | Configure Network access Named Pipes that can be accessed anonymously DC only"
 win_regedit:
 path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
 name: NullSessionPipes
@@ -1284,7 +1285,7 @@
 - rule_2.3.10.6
 - patch
 
-- name: "2.3.10.7 | PATCH | L1 | Configure Network access Named Pipes that can be accessed anonymously MS only"
+- name: "2.3.10.7 | PATCH | Configure Network access Named Pipes that can be accessed anonymously MS only"
 win_regedit:
 path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
 name: NullSessionPipes
@@ -1298,7 +1299,7 @@
 - rule_2.3.10.7
 - patch
 
-- name: "2.3.10.8 | PATCH | L1 | Configure Network access Remotely accessible registry paths"
+- name: "2.3.10.8 | PATCH | Configure Network access Remotely accessible registry paths"
 win_regedit:
 path: HKLM:\System\Currentcontrolset\Control\Securepipeservers\Winreg\AllowedExactpaths
 name: "Machine"
@@ -1312,7 +1313,7 @@
 - rule_2.3.10.8
 - patch
 
-- name: "2.3.10.9 | PATCH | L1 | Configure Network access Remotely accessible registry paths and sub-paths"
+- name: "2.3.10.9 | PATCH | Configure Network access Remotely accessible registry paths and sub-paths"
 win_regedit:
 path: HKLM:\System\Currentcontrolset\Control\Securepipeservers\Winreg\Allowedpaths
 name: "Machine"
@@ -1326,7 +1327,7 @@
 - rule_2.3.10.9
 - patch
 
-- name: "2.3.10.10 | PATCH | L1 | Ensure Network access Restrict anonymous access to Named Pipes and Shares is set to Enabled"
+- name: "2.3.10.10 | PATCH | Ensure Network access Restrict anonymous access to Named Pipes and Shares is set to Enabled"
 win_regedit:
 path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
 name: RestrictNullSessAccess
@@ -1340,7 +1341,7 @@
 - rule_2.3.10.10
 - patch
 
-- name: "2.3.10.11 | PATCH | L1 | Ensure Network access Restrict clients allowed to make remote calls to SAM is set to Administrators Remote Access Allow MS only"
+- name: "2.3.10.11 | PATCH | Ensure Network access Restrict clients allowed to make remote calls to SAM is set to Administrators Remote Access Allow MS only"
 win_regedit:
 path: HKLM:\System\CurrentControlSet\Control\Lsa
 name: RestrictRemoteSAM
@@ -1353,7 +1354,7 @@
 - rule_2.3.10.11
 - patch
 
-- name: "2.3.10.12 | PATCH | L1 | Ensure Network access Shares that can be accessed anonymously is set to None"
+- name: "2.3.10.12 | PATCH | Ensure Network access Shares that can be accessed anonymously is set to None"
 win_regedit:
 path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
 name: NullSessionShares
@@ -1367,7 +1368,7 @@
 - rule_2.3.10.12
 - patch
 
-- name: "2.3.10.13 | PATCH | L1 | Ensure Network access Sharing and security model for local accounts is set to Classic - local users authenticate as themselves"
+- name: "2.3.10.13 | PATCH | Ensure Network access Sharing and security model for local accounts is set to Classic - local users authenticate as themselves"
 win_regedit:
 path: HKLM:\System\Currentcontrolset\Control\Lsa
 name: ForceGuest
@@ -1381,7 +1382,7 @@
 - rule_2.3.10.13
 - patch
 
-- name: "2.3.11.1 | PATCH | L1 | Ensure Network security Allow Local System to use computer identity for NTLM is set to Enabled"
+- name: "2.3.11.1 | PATCH | Ensure Network security Allow Local System to use computer identity for NTLM is set to Enabled"
 win_regedit:
 path: HKLM:\System\Currentcontrolset\Control\Lsa
 name: UseMachineId
@@ -1395,7 +1396,7 @@
 - rule_2.3.11.1
 - patch
 
-- name: "2.3.11.2 | PATCH | L1 | Ensure Network security Allow LocalSystem NULL session fallback is set to Disabled"
+- name: "2.3.11.2 | PATCH | Ensure Network security Allow LocalSystem NULL session fallback is set to Disabled"
 win_regedit:
 path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0
 name: allownullsessionfallback
@@ -1409,7 +1410,7 @@
 - rule_2.3.11.2
 - patch
 
-- name: "2.3.11.3 | PATCH | L1 | Ensure Network Security Allow PKU2U authentication requests to this computer to use online identities is set to Disabled"
+- name: "2.3.11.3 | PATCH | Ensure Network Security Allow PKU2U authentication requests to this computer to use online identities is set to Disabled"
 win_regedit:
 path: HKLM:\System\Currentcontrolset\Control\Lsa\Pku2U
 name: AllowOnlineID
@@ -1423,7 +1424,7 @@
 - rule_2.3.11.3
 - patch
 
-- name: "2.3.11.4 | PATCH | L1 | Ensure Network security Configure encryption types allowed for Kerberos is set to AES128 HMAC SHA1 AES256 HMAC SHA1 Future encryption types"
+- name: "2.3.11.4 | PATCH | Ensure Network security Configure encryption types allowed for Kerberos is set to AES128 HMAC SHA1 AES256 HMAC SHA1 Future encryption types"
 win_regedit:
 path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\Kerberos\Parameters
 name: SupportedEncryptionTypes
@@ -1437,7 +1438,7 @@
 - rule_2.3.11.4
 - patch
 
-- name: "2.3.11.5 | PATCH | L1 | Ensure Network security Do not store LAN Manager hash value on next password change is set to Enabled"
+- name: "2.3.11.5 | PATCH | Ensure Network security Do not store LAN Manager hash value on next password change is set to Enabled"
 win_regedit:
 path: HKLM:\System\Currentcontrolset\Control\Lsa
 name: NoLMHash
@@ -1451,7 +1452,7 @@
 - rule_2.3.11.5
 - patch
 
-- name: "2.3.11.6 | PATCH | L1 | Ensure Network security Force logoff when logon hours expire is set to Enabled"
+- name: "2.3.11.6 | PATCH | Ensure Network security Force logoff when logon hours expire is set to Enabled"
 win_regedit:
 path: HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters
 name: EnableForcedLogOff
@@ -1465,7 +1466,7 @@ - rule_2.3.11.6 - patch -- name: "2.3.11.7 | PATCH | L1 | Ensure Network security LAN Manager authentication level is set to Send NTLMv2 response only. Refuse LM NTLM" +- name: "2.3.11.7 | PATCH | Ensure Network security LAN Manager authentication level is set to Send NTLMv2 response only. Refuse LM NTLM" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Lsa name: LMCompatibilityLevel @@ -1479,7 +1480,7 @@ - rule_2.3.11.7 - patch -- name: "2.3.11.8 | PATCH | L1 | Ensure Network security LDAP client signing requirements is set to Negotiate signing or higher" +- name: "2.3.11.8 | PATCH | Ensure Network security LDAP client signing requirements is set to Negotiate signing or higher" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Ldap name: LDAPClientIntegrity @@ -1493,7 +1494,7 @@ - rule_2.3.11.8 - patch -- name: "2.3.11.9 | PATCH | L1 | Ensure Network security Minimum session security for NTLM SSP based including secure RPC clients is set to Require NTLMv2 session security Require 128-bit encryption" +- name: "2.3.11.9 | PATCH | Ensure Network security Minimum session security for NTLM SSP based including secure RPC clients is set to Require NTLMv2 session security Require 128-bit encryption" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0 name: NTLMMinClientSec @@ -1507,7 +1508,7 @@ - rule_2.3.11.9 - patch -- name: "2.3.11.10 | PATCH | L1 | Ensure Network security Minimum session security for NTLM SSP based including secure RPC servers is set to Require NTLMv2 session security Require 128-bit encryption" +- name: "2.3.11.10 | PATCH | Ensure Network security Minimum session security for NTLM SSP based including secure RPC servers is set to Require NTLMv2 session security Require 128-bit encryption" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0 name: NTLMMinServerSec 
@@ -1521,7 +1522,7 @@ - rule_2.3.11.10 - patch -- name: "2.3.13.1 | PATCH | L1 | Ensure Shutdown Allow system to be shut down without having to log on is set to Disabled" +- name: "2.3.13.1 | PATCH | Ensure Shutdown Allow system to be shut down without having to log on is set to Disabled" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: ShutdownWithoutLogon @@ -1535,7 +1536,7 @@ - rule_2.3.13.1 - patch -- name: "2.3.15.1 | PATCH | L1 | Ensure System objects Require case insensitivity for non-Windows subsystems is set to Enabled" +- name: "2.3.15.1 | PATCH | Ensure System objects Require case insensitivity for non-Windows subsystems is set to Enabled" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Session Manager\Kernel name: ObCaseInsensitive @@ -1549,7 +1550,7 @@ - rule_2.3.15.1 - patch -- name: "2.3.15.2 | PATCH | L1 | Ensure System objects Strengthen default permissions of internal system objects e.g. Symbolic Links is set to Enabled" +- name: "2.3.15.2 | PATCH | Ensure System objects Strengthen default permissions of internal system objects e.g. Symbolic Links is set to Enabled" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Session Manager name: ProtectionMode @@ -1563,7 +1564,7 @@ - rule_2.3.15.2 - patch -- name: "2.3.17.1 | PATCH | L1 | Ensure User Account Control Admin Approval Mode for the Built-in Administrator account is set to Enabled" +- name: "2.3.17.1 | PATCH | Ensure User Account Control Admin Approval Mode for the Built-in Administrator account is set to Enabled" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: FilterAdministratorToken 
@@ -1577,7 +1578,7 @@ - rule_2.3.17.1 - patch -- name: "2.3.17.2 | PATCH | L1 | Ensure User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode is set to Prompt for consent on the secure desktop" +- name: "2.3.17.2 | PATCH | Ensure User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode is set to Prompt for consent on the secure desktop" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: ConsentPromptBehaviorAdmin @@ -1591,7 +1592,7 @@ - rule_2.3.17.2 - patch -- name: "2.3.17.3 | PATCH | L1 | Ensure User Account Control Behavior of the elevation prompt for standard users is set to Automatically deny elevation requests" +- name: "2.3.17.3 | PATCH | Ensure User Account Control Behavior of the elevation prompt for standard users is set to Automatically deny elevation requests" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: ConsentPromptBehaviorUser @@ -1605,7 +1606,7 @@ - rule_2.3.17.3 - patch -- name: "2.3.17.4 | PATCH | L1 | Ensure User Account Control Detect application installations and prompt for elevation is set to Enabled" +- name: "2.3.17.4 | PATCH | Ensure User Account Control Detect application installations and prompt for elevation is set to Enabled" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: EnableInstallerDetection @@ -1619,7 +1620,7 @@ - rule_2.3.17.4 - patch -- name: "2.3.17.5 | PATCH | L1 | Ensure User Account Control Only elevate UIAccess applications that are installed in secure locations is set to Enabled" +- name: "2.3.17.5 | PATCH | Ensure User Account Control Only elevate UIAccess applications that are installed in secure locations is set to Enabled" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: EnableSecureUIAPaths 
@@ -1633,7 +1634,7 @@ - rule_2.3.17.5 - patch -- name: "2.3.17.6 | PATCH | L1 | Ensure User Account Control Run all administrators in Admin Approval Mode is set to Enabled" +- name: "2.3.17.6 | PATCH | Ensure User Account Control Run all administrators in Admin Approval Mode is set to Enabled" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: EnableLUA @@ -1647,7 +1648,7 @@ - rule_2.3.17.6 - patch -- name: "2.3.17.7 | PATCH | L1 | Ensure User Account Control Switch to the secure desktop when prompting for elevation is set to Enabled" +- name: "2.3.17.7 | PATCH | Ensure User Account Control Switch to the secure desktop when prompting for elevation is set to Enabled" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: PromptOnSecureDesktop @@ -1661,7 +1662,7 @@ - rule_2.3.17.7 - patch -- name: "2.3.17.8 | PATCH | L1 | Ensure User Account Control Virtualize file and registry write failures to per-user locations is set to Enabled" +- name: "2.3.17.8 | PATCH | Ensure User Account Control Virtualize file and registry write failures to per-user locations is set to Enabled" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: EnableVirtualization diff --git a/tasks/section09.yml b/tasks/section09.yml index 17924c4..779891d 100644 --- a/tasks/section09.yml +++ b/tasks/section09.yml @@ -1,5 +1,6 @@ --- -- name: "9.1.1 | PATCH | L1 | Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'" + +- name: "9.1.1 | PATCH | Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windowsfirewall\Domainprofile name: EnableFirewall 
@@ -13,7 +14,7 @@ - rule_9.1.1 - patch -- name: "9.1.2 | PATCH | L1 | Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'" +- name: "9.1.2 | PATCH | Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile name: DefaultInboundAction @@ -27,7 +28,7 @@ - rule_9.1.2 - patch -- name: "9.1.3 | PATCH | L1 | Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'" +- name: "9.1.3 | PATCH | Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile name: DefaultOutboundAction @@ -41,7 +42,7 @@ - rule_9.1.3 - patch -- name: "9.1.4 | PATCH | L1 | Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'" +- name: "9.1.4 | PATCH | Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile name: DisableNotifications @@ -56,7 +57,7 @@ - patch # title has slashes switched -- name: "9.1.5 | PATCH | L1 | Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%/System32/logfiles/firewall/domainfw.log'" +- name: "9.1.5 | PATCH | Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%/System32/logfiles/firewall/domainfw.log'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging name: LogFilePath @@ -70,7 +71,7 @@ - rule_9.1.5 - patch -- name: "9.1.6 | PATCH | L1 | Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'" +- name: "9.1.6 | PATCH | Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging name: LogFileSize 
@@ -84,7 +85,7 @@ - rule_9.1.6 - patch -- name: "9.1.7 | PATCH | L1 | Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'" +- name: "9.1.7 | PATCH | Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging name: LogDroppedPackets @@ -98,7 +99,7 @@ - rule_9.1.7 - patch -- name: "9.1.8 | PATCH | L1 | Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'" +- name: "9.1.8 | PATCH | Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging name: LogSuccessfulConnections @@ -112,7 +113,7 @@ - rule_9.1.7 - patch -- name: "9.2.1 | PATCH | L1 | Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'" +- name: "9.2.1 | PATCH | Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile name: EnableFirewall @@ -126,7 +127,7 @@ - rule_9.2.1 - patch -- name: "9.2.2 | PATCH | L1 | Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'" +- name: "9.2.2 | PATCH | Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile name: DefaultInboundAction @@ -140,7 +141,7 @@ - rule_9.2.2 - patch -- name: "9.2.3 | PATCH | L1 | Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'" +- name: "9.2.3 | PATCH | Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile name: DefaultOutboundAction 
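Review bot: The context tag `- rule_9.1.7` at the top of the `@@ -112,7 +113,7 @@` hunk sits directly before the 9.2.1 task, so by position it closes the tag list of the 9.1.8 task (whose body is in the preceding `@@ -98,7 +99,7 @@` hunk and whose `tags:` key lies outside both) and looks like a copy of the 9.1.7 tag. These `rule_*` tags are how a caller selects or skips single benchmark items, so as written `--skip-tags rule_9.1.8` would not skip the successful-connections logging task and `rule_9.1.7` would match two tasks; it should read `- rule_9.1.8`. Please confirm against the full task, since the task boundary is not inside the hunk.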
@@ -154,7 +155,7 @@ - rule_9.2.3 - patch -- name: "9.2.4 | PATCH | L1 | Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'" +- name: "9.2.4 | PATCH | Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile name: DisableNotifications @@ -169,7 +170,7 @@ - patch # title has slashes switched -- name: "9.2.5 | PATCH | L1 | Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%/System32/logfiles/firewall/privatefw.log'" +- name: "9.2.5 | PATCH | Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%/System32/logfiles/firewall/privatefw.log'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging name: LogFilePath @@ -183,7 +184,7 @@ - rule_9.2.5 - patch -- name: "9.2.6 | PATCH | L1 | Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'" +- name: "9.2.6 | PATCH | Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging name: LogFileSize @@ -197,7 +198,7 @@ - rule_9.2.6 - patch -- name: "9.2.7 | PATCH | L1 | Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'" +- name: "9.2.7 | PATCH | Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging name: LogDroppedPackets 
@@ -211,7 +212,7 @@ - rule_9.2.7 - patch -- name: "9.2.8 | PATCH | L1 | Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'" +- name: "9.2.8 | PATCH | Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging name: LogSuccessfulConnections @@ -225,7 +226,7 @@ - rule_9.2.8 - patch -- name: "9.3.1 | PATCH | L1 | Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'" +- name: "9.3.1 | PATCH | Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile name: EnableFirewall @@ -239,7 +240,7 @@ - rule_9.3.1 - patch -- name: "9.3.2 | PATCH | L1 | Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'" +- name: "9.3.2 | PATCH | Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile name: DefaultInboundAction @@ -253,7 +254,7 @@ - rule_9.3.2 - patch -- name: "9.3.3 | PATCH | L1 | Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'" +- name: "9.3.3 | PATCH | Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile name: DefaultOutboundAction @@ -267,7 +268,7 @@ - rule_9.3.3 - patch -- name: "9.3.4 | PATCH | L1 | Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'" +- name: "9.3.4 | PATCH | Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile name: DisableNotifications 
@@ -281,7 +282,7 @@ - rule_9.3.4 - patch -- name: "9.3.5 | PATCH | L1 | Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'" +- name: "9.3.5 | PATCH | Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile name: AllowLocalPolicyMerge @@ -296,7 +297,7 @@ - rule_9.3.5 - patch -- name: "9.3.6 | PATCH | L1 | Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'" +- name: "9.3.6 | PATCH | Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile name: AllowLocalIPsecPolicyMerge @@ -311,7 +312,7 @@ - patch # title has slashes switched -- name: "9.3.7 | PATCH | L1 | Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%/System32/logfiles/firewall/publicfw.log'" +- name: "9.3.7 | PATCH | Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%/System32/logfiles/firewall/publicfw.log'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging name: LogFilePath @@ -325,7 +326,7 @@ - rule_9.3.7 - patch -- name: "9.3.8 | PATCH | L1 | Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'" +- name: "9.3.8 | PATCH | Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging name: LogFileSize 
@@ -339,7 +340,7 @@ - rule_9.3.8 - patch -- name: "9.3.9 | PATCH | L1 | Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'" +- name: "9.3.9 | PATCH | Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging name: LogDroppedPackets @@ -353,7 +354,7 @@ - rule_9.3.9 - patch -- name: "9.3.10 | PATCH | L1 | Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'" +- name: "9.3.10 | PATCH | Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging name: LogSuccessfulConnections diff --git a/tasks/section17.yml b/tasks/section17.yml index bbc2e93..1285ad3 100644 --- a/tasks/section17.yml +++ b/tasks/section17.yml 
@@ -1,19 +1,20 @@ --- -- name: "17.1.1 | PATCH | L1 | Ensure Audit Credential Validation is set to Success and Failure" + +- name: "17.1.1 | PATCH | Ensure Audit Credential Validation is set to Success and Failure" block: - - name: "17.1.1 | AUDIT | L1 | Ensure Audit Credential Validation is set to Success and Failure" + - name: "17.1.1 | AUDIT | Ensure Audit Credential Validation is set to Success and Failure" win_shell: AuditPol /get /subcategory:"Credential Validation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" register: rule_17_1_1_audit changed_when: false failed_when: false check_mode: false - - name: "17.1.1 | PATCH | L1 | Ensure Audit Credential Validation is set to Success and Failure | Success" + - name: "17.1.1 | PATCH | Ensure Audit Credential Validation is set to Success and Failure | Success" win_shell: AuditPol /set /subcategory:"Credential Validation" /success:enable when: "'Success' not in rule_17_1_1_audit.stdout" changed_when: "'Success' not in rule_17_1_1_audit.stdout" - - name: "17.1.1 | PATCH | L1 | Ensure Audit Credential Validation is set to Success and Failure | Failure" + - name: "17.1.1 | PATCH | Ensure Audit Credential Validation is set to Success and Failure | Failure" win_shell: AuditPol /set /subcategory:"Credential Validation" /failure:enable when: "'Failure' not in rule_17_1_1_audit.stdout" changed_when: "'Failure' not in rule_17_1_1_audit.stdout" 
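Review bot: `failed_when: false` on the AuditPol `/get` step hides a failed query, and because `register` still fills `rule_17_1_1_audit.stdout` with an empty string, both `'Success' not in …` and `'Failure' not in …` guards then evaluate true, so the two `/set` steps run and report changed on every play instead of surfacing the broken audit read. Replace the line with `failed_when: rule_17_1_1_audit.rc != 0` (or drop it, which is the same default) so a failed query fails the task rather than silently re-applying; the same pattern is repeated in every sibling audit block in this file. If the target's AuditPol output is not English the substring match on `Success`/`Failure` presumably fails the same way, which is worth a comment next to the match.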
@@ -25,20 +26,20 @@ - rule_17.1.1 - patch -- name: "17.1.2 | PATCH | L1 | Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only" +- name: "17.1.2 | PATCH | Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only" block: - - name: "17.1.2 | AUDIT | L1 | Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only" + - name: "17.1.2 | AUDIT | Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only" win_shell: AuditPol /get /subcategory:"Kerberos Authentication Service" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: rule_17_1_2_audit - - name: "17.1.2 | PATCH | L1 | Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only" + - name: "17.1.2 | PATCH | Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only" win_shell: AuditPol /set /subcategory:"Kerberos Authentication Service" /success:enable when: "'Success' not in rule_17_1_2_audit.stdout" - - name: "17.1.2 | PATCH | L1 | Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only" + - name: "17.1.2 | PATCH | Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only" win_shell: AuditPol /set /subcategory:"Kerberos Authentication Service" /failure:enable when: "'Failure' not in rule_17_1_2_audit.stdout" when: 
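Review bot: The two PATCH sub-steps of the 17.1.2 block carry an identical name, so play output cannot distinguish the `/success:enable` run from the `/failure:enable` run; the neighbouring 17.1.1 block separates them with a `| Success` / `| Failure` suffix. Suggest `- name: "17.1.2 | PATCH | Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only | Success"` for the first and the matching `| Failure` on the second; the 17.1.3 block below has the same duplication. The `when:` that gates this DC-only block continues outside the hunk.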
@@ -49,20 +50,20 @@ - rule_17.1.2 - patch -- name: "17.1.3 | PATCH | L1 | Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure'" +- name: "17.1.3 | PATCH | Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure'" block: - - name: "17.1.3 | AUDIT | L1 | Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure'" + - name: "17.1.3 | AUDIT | Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure'" win_shell: AuditPol /get /subcategory:"Kerberos Service Ticket Operations" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: rule_17_1_3_audit - - name: "17.1.3 | PATCH | L1 | Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure'" + - name: "17.1.3 | PATCH | Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure'" win_shell: AuditPol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable when: "'Success' not in rule_17_1_3_audit.stdout" - - name: "17.1.3 | PATCH | L1 | Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure'" + - name: "17.1.3 | PATCH | Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure'" win_shell: AuditPol /set /subcategory:"Kerberos Service Ticket Operations" /failure:enable when: "'Failure' not in rule_17_1_3_audit.stdout" when: 
@@ -73,20 +74,20 @@ - rule_17.1.2 - patch -- name: "17.2.1 | PATCH | L1 | Ensure Audit Application Group Management is set to Success and Failure" +- name: "17.2.1 | PATCH | Ensure Audit Application Group Management is set to Success and Failure" block: - - name: "17.2.1 | AUDIT | L1 | Ensure Audit Application Group Management is set to Success and Failure" + - name: "17.2.1 | AUDIT | Ensure Audit Application Group Management is set to Success and Failure" win_shell: AuditPol /get /subcategory:"Application Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" register: rule_17_2_1_audit changed_when: false failed_when: false check_mode: false - - name: "17.2.1 | PATCH | L1 | Ensure Audit Application Group Management is set to Success and Failure | Success" + - name: "17.2.1 | PATCH | Ensure Audit Application Group Management is set to Success and Failure | Success" win_shell: AuditPol /set /subcategory:"Application Group Management" /success:enable when: "'Success' not in rule_17_2_1_audit.stdout" - - name: "17.2.1 | PATCH | L1 | Ensure Audit Application Group Management is set to Success and Failure | Failure" + - name: "17.2.1 | PATCH | Ensure Audit Application Group Management is set to Success and Failure | Failure" win_shell: AuditPol /set /subcategory:"Application Group Management" /failure:enable when: "'Failure' not in rule_17_2_1_audit.stdout" when: 
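Review bot: The context tag `- rule_17.1.2` at the top of the `@@ -73,20 +74,20 @@` hunk precedes the 17.2.1 task, so by position it ends the tag list of the 17.1.3 task (Kerberos Service Ticket Operations) from the previous hunk; it appears to be a copy of 17.1.2's tag and should be `- rule_17.1.3`. With the current value a `--tags rule_17.1.3` run never applies that audit setting and `rule_17.1.2` selects two tasks. Please check against the full task, since its `tags:` key is outside both hunks.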
@@ -97,16 +98,16 @@ - rule_17.2.1 - patch -- name: "17.2.2 | PATCH | L1 | Ensure Audit Computer Account Management is set to include Success DC only" +- name: "17.2.2 | PATCH | Ensure Audit Computer Account Management is set to include Success DC only" block: - - name: "17.2.2 | AUDIT | L1 | Ensure Audit Computer Account Management is set to include Success DC only" + - name: "17.2.2 | AUDIT | Ensure Audit Computer Account Management is set to include Success DC only" win_shell: AuditPol /get /subcategory:"Computer Account Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" register: rule_17_2_2_audit changed_when: false failed_when: false check_mode: false - - name: "17.2.2 | PATCH | L1 | Ensure Audit Computer Account Management is set to include Success DC only" + - name: "17.2.2 | PATCH | Ensure Audit Computer Account Management is set to include Success DC only" win_shell: AuditPol /set /subcategory:"Computer Account Management" /success:enable changed_when: "'Success' not in rule_17_2_2_audit.stdout" when: "'Success' not in rule_17_2_2_audit.stdout" 
@@ -118,16 +119,16 @@ - rule_17.2.2 - patch -- name: "17.2.3 | PATCH | L1 | Ensure Audit Distribution Group Management is set to include Success DC only" +- name: "17.2.3 | PATCH | Ensure Audit Distribution Group Management is set to include Success DC only" block: - - name: "17.2.3 | AUDIT | L1 | Ensure Audit Distribution Group Management is set to include Success DC only" + - name: "17.2.3 | AUDIT | Ensure Audit Distribution Group Management is set to include Success DC only" win_shell: AuditPol /get /subcategory:"Distribution Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" register: rule_17_2_3_audit changed_when: false failed_when: false check_mode: false - - name: "17.2.3 | PATCH | L1 | Ensure Audit Distribution Group Management is set to include Success DC only" + - name: "17.2.3 | PATCH | Ensure Audit Distribution Group Management is set to include Success DC only" win_shell: AuditPol /set /subcategory:"Distribution Group Management" /success:enable when: "'Success' not in rule_17_2_3_audit.stdout" when: 
@@ -138,16 +139,16 @@ - rule_17.2.3 - patch -- name: "17.2.4 | PATCH | L1 | Ensure Audit Other Account Management Events is set to include Success DC only" +- name: "17.2.4 | PATCH | Ensure Audit Other Account Management Events is set to include Success DC only" block: - - name: "17.2.4 | AUDIT | L1 | Ensure Audit Other Account Management Events is set to include Success DC only" + - name: "17.2.4 | AUDIT | Ensure Audit Other Account Management Events is set to include Success DC only" win_shell: AuditPol /get /subcategory:"Other Account Management Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" register: rule_17_2_4_audit changed_when: false failed_when: false check_mode: false - - name: "17.2.4 | PATCH | L1 | Ensure Audit Other Account Management Events is set to include Success DC only" + - name: "17.2.4 | PATCH | Ensure Audit Other Account Management Events is set to include Success DC only" win_shell: AuditPol /set /subcategory:"Other Account Management Events" /success:enable when: "'Success' not in rule_17_2_4_audit.stdout" when: 
@@ -158,16 +159,16 @@ - rule_17.2.4 - patch -- name: "17.2.5 | AUDIT | L1 | Ensure Audit Security Group Management is set to include Success" +- name: "17.2.5 | AUDIT | Ensure Audit Security Group Management is set to include Success" block: - - name: "17.2.5 | AUDIT | L1 | Ensure Audit Security Group Management is set to include Success" + - name: "17.2.5 | AUDIT | Ensure Audit Security Group Management is set to include Success" win_shell: AuditPol /get /subcategory:"Security Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" register: rule_17_2_5_audit changed_when: false failed_when: false check_mode: false - - name: "17.2.5 | PATCH | L1 | Ensure Audit Security Group Management is set to include Success" + - name: "17.2.5 | PATCH | Ensure Audit Security Group Management is set to include Success" win_shell: AuditPol /set /subcategory:"Security Group Management" /success:enable when: "'Success' not in rule_17_2_5_audit.stdout" when: 
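Review bot: The outer block for 17.2.5 is labelled `AUDIT` although its second step runs `AuditPol /set` and changes the host; every other block in this file labels the outer task `PATCH` and reserves `AUDIT` for the read-only `/get` step. Suggest `- name: "17.2.5 | PATCH | Ensure Audit Security Group Management is set to include Success"` so the label agrees with what the block does and with the `patch` tag the tag lines at the start of the next hunk suggest it carries. The block's `when:` and `tags:` continue outside the hunk.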
@@ -178,20 +179,20 @@ - rule_17.2.5 - patch -- name: "17.2.6 | PATCH | L1 | Ensure Audit User Account Management is set to Success and Failure" +- name: "17.2.6 | PATCH | Ensure Audit User Account Management is set to Success and Failure" block: - - name: "17.2.6 | AUDIT | L1 | Ensure Audit User Account Management is set to Success and Failure" + - name: "17.2.6 | AUDIT | Ensure Audit User Account Management is set to Success and Failure" win_shell: AuditPol /get /subcategory:"User Account Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: rule_17_2_6_audit - - name: "17.2.6 | PATCH | L1 | Ensure Audit User Account Management is set to Success and Failure | Success" + - name: "17.2.6 | PATCH | Ensure Audit User Account Management is set to Success and Failure | Success" win_shell: AuditPol /set /subcategory:"User Account Management" /success:enable when: "'Success' not in rule_17_2_6_audit.stdout" - - name: "17.2.6 | PATCH | L1 | Ensure Audit User Account Management is set to Success and Failure | Failure" + - name: "17.2.6 | PATCH | Ensure Audit User Account Management is set to Success and Failure | Failure" win_shell: AuditPol /set /subcategory:"User Account Management" /failure:enable when: "'Failure' not in rule_17_2_6_audit.stdout" when: 
@@ -202,16 +203,16 @@ - rule_17.2.6 - patch -- name: "17.3.1 | PATCH | L1 | Ensure Audit PNP Activity is set to include Success" +- name: "17.3.1 | PATCH | Ensure Audit PNP Activity is set to include Success" block: - - name: "17.3.1 | AUDIT | L1 | Ensure Audit PNP Activity is set to include Success" + - name: "17.3.1 | AUDIT | Ensure Audit PNP Activity is set to include Success" win_shell: AuditPol /get /subcategory:"Plug and Play Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: rule_17_3_1_audit - - name: "17.3.1 | PATCH | L1 | Ensure Audit PNP Activity is set to include Success" + - name: "17.3.1 | PATCH | Ensure Audit PNP Activity is set to include Success" win_shell: AuditPol /set /subcategory:"Plug and Play Events" /success:enable when: "'Success' not in rule_17_3_1_audit.stdout" when: @@ -222,16 +223,16 @@ - rule_17.3.1 - patch -- name: "17.3.2 | PATCH | L1 | Ensure Audit Process Creation is set to include Success" +- name: "17.3.2 | PATCH | Ensure Audit Process Creation is set to include Success" block: - - name: "17.3.2 | AUDIT | L1 | Ensure Audit Process Creation is set to include Success" + - name: "17.3.2 | AUDIT | Ensure Audit Process Creation is set to include Success" win_shell: AuditPol /get /subcategory:"Process Creation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: rule_17_3_2_audit - - name: "17.3.2 | PATCH | L1 | Ensure Audit Process Creation is set to include Success" + - name: "17.3.2 | PATCH | Ensure Audit Process Creation is set to include Success" win_shell: AuditPol /set /subcategory:"Process Creation" /success:enable when: "'Success' not in rule_17_3_2_audit.stdout" when: 
@@ -242,16 +243,16 @@ - rule_17.3.2 - patch -- name: "17.4.1 | PATCH | L1 | Ensure Audit Directory Service Access is set to include Failure DC only" +- name: "17.4.1 | PATCH | Ensure Audit Directory Service Access is set to include Failure DC only" block: - - name: "17.4.1 | AUDIT | L1 | Ensure Audit Directory Service Access is set to include Failure DC only" + - name: "17.4.1 | AUDIT | Ensure Audit Directory Service Access is set to include Failure DC only" win_shell: AuditPol /get /subcategory:"Directory Service Access" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: rule_17_4_1_audit - - name: "17.4.1 | PATCH | L1 | Ensure Audit Directory Service Access is set to include Failure DC only" + - name: "17.4.1 | PATCH | Ensure Audit Directory Service Access is set to include Failure DC only" win_shell: AuditPol /set /subcategory:"Directory Service Access" /success:enable when: "'Success' not in rule_17_4_1_audit.stdout" when: 
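Review bot: The PATCH step for 17.4.1 enables the wrong audit flag: the task is titled `… is set to include Failure DC only`, but the command is `AuditPol /set /subcategory:"Directory Service Access" /success:enable` guarded by `when: "'Success' not in rule_17_4_1_audit.stdout"`, so the Failure auditing the benchmark item asks for is never enabled and Success auditing is switched on instead. It should be `win_shell: AuditPol /set /subcategory:"Directory Service Access" /failure:enable` with `when: "'Failure' not in rule_17_4_1_audit.stdout"`, the way the 17.5.1 Account Lockout block below does it. The `when:` condition for the DC-only gate continues outside the hunk.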
@@ -261,16 +262,16 @@ - rule_17.4.1 - patch -- name: "17.4.2 | PATCH | L1 | Ensure Audit Directory Service Changes is set to include Success DC only" +- name: "17.4.2 | PATCH | Ensure Audit Directory Service Changes is set to include Success DC only" block: - - name: "17.4.2 | AUDIT | L1 | Ensure Audit Directory Service Changes is set to include Success DC only" + - name: "17.4.2 | AUDIT | Ensure Audit Directory Service Changes is set to include Success DC only" win_shell: AuditPol /get /subcategory:"Directory Service Changes" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: rule_17_4_2_audit - - name: "17.4.2 | PATCH | L1 | Ensure Audit Directory Service Changes is set to include Success DC only" + - name: "17.4.2 | PATCH | Ensure Audit Directory Service Changes is set to include Success DC only" win_shell: AuditPol /set /subcategory:"Directory Service Changes" /success:enable when: "'Success' not in rule_17_4_2_audit.stdout" when: @@ -280,16 +281,16 @@ - rule_17.4.2 - patch -- name: "17.5.1 | PATCH | L1 | Ensure Audit Account Lockout is set to include Failure" +- name: "17.5.1 | PATCH | Ensure Audit Account Lockout is set to include Failure" block: - - name: "17.5.1 | AUDIT | L1 | Ensure Audit Account Lockout is set to include Failure" + - name: "17.5.1 | AUDIT | Ensure Audit Account Lockout is set to include Failure" win_shell: AuditPol /get /subcategory:"Account Lockout" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: rule_17_5_1_audit - - name: "17.5.1 | PATCH | L1 | Ensure Audit Account Lockout is set to include Failure" + - name: "17.5.1 | PATCH | Ensure Audit Account Lockout is set to include Failure" win_shell: AuditPol /set /subcategory:"Account Lockout" /failure:enable when: "'Failure' not in rule_17_5_1_audit.stdout" when: 
@@ -300,16 +301,16 @@
 - rule_17.5.1
 - patch
-- name: "17.5.2 | PATCH | L1 | Ensure Audit Group Membership is set to include Success"
+- name: "17.5.2 | PATCH | Ensure Audit Group Membership is set to include Success"
 block:
- - name: "17.5.2 | AUDIT | L1 | Ensure Audit Group Membership is set to include Success"
+ - name: "17.5.2 | AUDIT | Ensure Audit Group Membership is set to include Success"
 win_shell: AuditPol /get /subcategory:"Group Membership" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 check_mode: false
 register: rule_17_5_2_audit
- - name: "17.5.2 | PATCH | L1 | Ensure Audit Group Membership is set to include Success"
+ - name: "17.5.2 | PATCH | Ensure Audit Group Membership is set to include Success"
 win_shell: AuditPol /set /subcategory:"Group Membership" /success:enable
 when: "'Success' not in rule_17_5_2_audit.stdout"
 when:
@@ -320,16 +321,16 @@
 - rule_17.5.2
 - patch
-- name: "17.5.3 | AUDIT | L1 | Ensure Audit Logoff is set to include Success"
+- name: "17.5.3 | AUDIT | Ensure Audit Logoff is set to include Success"
 block:
- - name: "17.5.3 | AUDIT | L1 | Ensure Audit Logoff is set to include Success"
+ - name: "17.5.3 | AUDIT | Ensure Audit Logoff is set to include Success"
 win_shell: AuditPol /get /subcategory:"Logoff" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 check_mode: false
 register: rule_17_5_3_audit
- - name: "17.5.3 | PATCH | L1 | Ensure Audit Logoff is set to include Success"
+ - name: "17.5.3 | PATCH | Ensure Audit Logoff is set to include Success"
 win_shell: AuditPol /set /subcategory:"Logoff" /success:enable
 when: "'Success' not in rule_17_5_3_audit.stdout"
 when:
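Review bot: The parent task of 17.5.3 in the second hunk is still labelled `AUDIT` (`- name: "17.5.3 | AUDIT | Ensure Audit Logoff is set to include Success"`) although its block contains the PATCH step that changes the audit policy; every other rule in these hunks labels the enclosing block `PATCH`, and the mismatch makes task listings and name-based filtering misleading. Suggest `- name: "17.5.3 | PATCH | Ensure Audit Logoff is set to include Success"` while the names are being rewritten anyway. The block's when/tags list continues past the end of the hunk.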
@@ -340,20 +341,20 @@
 - rule_17.5.3
 - patch
-- name: "17.5.4 | PATCH | L1 | Ensure Audit Logon is set to Success and Failure"
+- name: "17.5.4 | PATCH | Ensure Audit Logon is set to Success and Failure"
 block:
- - name: "17.5.4 | AUDIT | L1 | Ensure Audit Logon is set to Success and Failure"
+ - name: "17.5.4 | AUDIT | Ensure Audit Logon is set to Success and Failure"
 win_shell: AuditPol /get /subcategory:"Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 check_mode: false
 register: rule_17_5_4_audit
- - name: "17.5.4 | PATCH | L1 | Ensure Audit Logon is set to Success and Failure | Success"
+ - name: "17.5.4 | PATCH | Ensure Audit Logon is set to Success and Failure | Success"
 win_shell: AuditPol /set /subcategory:"Logon" /success:enable
 when: "'Success' not in rule_17_5_4_audit.stdout"
- - name: "17.5.4 | PATCH | L1 | Ensure Audit Logon is set to Success and Failure | Failure"
+ - name: "17.5.4 | PATCH | Ensure Audit Logon is set to Success and Failure | Failure"
 win_shell: AuditPol /set /subcategory:"Logon" /failure:enable
 when: "'Failure' not in rule_17_5_4_audit.stdout"
 when:
@@ -364,20 +365,20 @@
 - rule_17.5.4
 - patch
-- name: "17.5.5 | PATCH | L1 | Ensure Audit Other LogonLogoff Events is set to Success and Failure"
+- name: "17.5.5 | PATCH | Ensure Audit Other LogonLogoff Events is set to Success and Failure"
 block:
- - name: "17.5.5 | AUDIT | L1 | Ensure Audit Other LogonLogoff Events is set to Success and Failure"
+ - name: "17.5.5 | AUDIT | Ensure Audit Other LogonLogoff Events is set to Success and Failure"
 win_shell: AuditPol /get /subcategory:"Other Logon/Logoff Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 check_mode: false
 register: rule_17_5_5_audit
- - name: "17.5.5 | PATCH | L1 | Ensure Audit Other LogonLogoff Events is set to Success and Failure | Success"
+ - name: "17.5.5 | PATCH | Ensure Audit Other LogonLogoff Events is set to Success and Failure | Success"
 win_shell: AuditPol /set /subcategory:"Other Logon/Logoff Events" /success:enable
 when: "'Success' not in rule_17_5_5_audit.stdout"
- - name: "17.5.5 | PATCH | L1 | Ensure Audit Other LogonLogoff Events is set to Success and Failure | Failure"
+ - name: "17.5.5 | PATCH | Ensure Audit Other LogonLogoff Events is set to Success and Failure | Failure"
 win_shell: AuditPol /set /subcategory:"Other Logon/Logoff Events" /failure:enable
 when: "'Failure' not in rule_17_5_5_audit.stdout"
 when:
@@ -388,16 +389,16 @@
 - rule_17.5.5
 - patch
-- name: "17.5.6 | PATCH | L1 | Ensure Audit Special Logon is set to include Success"
+- name: "17.5.6 | PATCH | Ensure Audit Special Logon is set to include Success"
 block:
- - name: "17.5.6 | AUDIT | L1 | Ensure Audit Special Logon is set to include Success"
+ - name: "17.5.6 | AUDIT | Ensure Audit Special Logon is set to include Success"
 win_shell: AuditPol /get /subcategory:"Special Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 check_mode: false
 register: rule_17_5_6_audit
- - name: "17.5.6 | PATCH | L1 | Ensure Audit Special Logon is set to include Success"
+ - name: "17.5.6 | PATCH | Ensure Audit Special Logon is set to include Success"
 win_shell: AuditPol /set /subcategory:"Special Logon" /success:enable
 when: "'Success' not in rule_17_5_6_audit.stdout"
 when:
@@ -408,16 +409,16 @@
 - rule_17.5.6
 - patch
-- name: "17.6.1 | PATCH | L1 | Ensure Audit Detailed File Share is set to include Failure"
+- name: "17.6.1 | PATCH | Ensure Audit Detailed File Share is set to include Failure"
 block:
- - name: "17.6.1 | AUDIT | L1 | Ensure Audit Detailed File Share is set to include Failure"
+ - name: "17.6.1 | AUDIT | Ensure Audit Detailed File Share is set to include Failure"
 win_shell: AuditPol /get /subcategory:"Detailed File Share" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 check_mode: false
 register: rule_17_6_1_audit
- - name: "17.6.1 | PATCH | L1 | Ensure Audit Detailed File Share is set to include Failure"
+ - name: "17.6.1 | PATCH | Ensure Audit Detailed File Share is set to include Failure"
 win_shell: AuditPol /set /subcategory:"Detailed File Share" /failure:enable
 when: "'Failure' not in rule_17_6_1_audit.stdout"
 when:
@@ -428,20 +429,20 @@
 - rule_17.6.1
 - patch
-- name: "17.6.2 | PATCH | L1 | Ensure Audit File Share is set to Success and Failure"
+- name: "17.6.2 | PATCH | Ensure Audit File Share is set to Success and Failure"
 block:
- - name: "17.6.2 | AUDIT | L1 | Ensure Audit File Share is set to Success and Failure"
+ - name: "17.6.2 | AUDIT | Ensure Audit File Share is set to Success and Failure"
 win_shell: AuditPol /get /subcategory:"File Share" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 check_mode: false
 register: rule_17_6_2_audit
- - name: "17.6.2 | PATCH | L1 | Ensure Audit File Share is set to Success and Failure"
+ - name: "17.6.2 | PATCH | Ensure Audit File Share is set to Success and Failure"
 win_shell: AuditPol /set /subcategory:"File Share" /success:enable
 when: "'Success' not in rule_17_6_2_audit.stdout"
- - name: "17.6.2 | PATCH | L1 | Ensure Audit File Share is set to Success and Failure"
+ - name: "17.6.2 | PATCH | Ensure Audit File Share is set to Success and Failure"
 win_shell: AuditPol /set /subcategory:"File Share" /failure:enable
 when: "'Failure' not in rule_17_6_2_audit.stdout"
 when:
@@ -452,7 +453,7 @@
 - rule_17.6.2
 - patch
-- name: "17.6.3 | PATCH | L1 | Ensure Audit Other Object Access Events is set to Success and Failure"
+- name: "17.6.3 | PATCH | Ensure Audit Other Object Access Events is set to Success and Failure"
 win_audit_policy_system:
 subcategory: Other Object Access Events
 audit_type: success, failure
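Review bot: The two PATCH steps of 17.6.2 keep the identical name `17.6.2 | PATCH | Ensure Audit File Share is set to Success and Failure` even though one enables Success and the other Failure; 17.5.4, 17.5.5, 17.7.4 and the later two-step rules disambiguate with a `| Success` / `| Failure` suffix, and without it the play output cannot show which half actually changed. The same duplicated name appears in 17.6.4 in the next hunk. Suggest appending `| Success` to the first step and `| Failure` to the second in both rules. The 17.6.3 hunk below shows the alternative already used in this file, `win_audit_policy_system` with `audit_type: success, failure`, which is idempotent on its own and would make the audit/patch pair and the duplicate names unnecessary if adopted for these rules.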
@@ -464,20 +465,20 @@
 - rule_17.6.3
 - patch
-- name: "17.6.4 | PATCH | L1 | Ensure Audit Removable Storage is set to Success and Failure"
+- name: "17.6.4 | PATCH | Ensure Audit Removable Storage is set to Success and Failure"
 block:
- - name: "17.6.4 | AUDIT | L1 | Ensure Audit Removable Storage is set to Success and Failure"
+ - name: "17.6.4 | AUDIT | Ensure Audit Removable Storage is set to Success and Failure"
 win_shell: AuditPol /get /subcategory:"Removable Storage" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 check_mode: false
 register: rule_17_6_4_audit
- - name: "17.6.4 | PATCH | L1 | Ensure Audit Removable Storage is set to Success and Failure"
+ - name: "17.6.4 | PATCH | Ensure Audit Removable Storage is set to Success and Failure"
 win_shell: AuditPol /set /subcategory:"Removable Storage" /success:enable
 when: "'Success' not in rule_17_6_4_audit.stdout"
- - name: "17.6.4 | PATCH | L1 | Ensure Audit Removable Storage is set to Success and Failure"
+ - name: "17.6.4 | PATCH | Ensure Audit Removable Storage is set to Success and Failure"
 win_shell: AuditPol /set /subcategory:"Removable Storage" /failure:enable
 when: "'Failure' not in rule_17_6_4_audit.stdout"
 when:
@@ -488,16 +489,16 @@
 - rule_17.6.4
 - patch
-- name: "17.7.1 | PATCH | L1 | Ensure Audit Audit Policy Change is set to include Success"
+- name: "17.7.1 | PATCH | Ensure Audit Audit Policy Change is set to include Success"
 block:
- - name: "17.7.1 | AUDIT | L1 | Ensure Audit Audit Policy Change is set to include Success"
+ - name: "17.7.1 | AUDIT | Ensure Audit Audit Policy Change is set to include Success"
 win_shell: AuditPol /get /subcategory:"Audit Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 check_mode: false
 register: rule_17_7_1_audit
- - name: "17.7.1 | PATCH | L1 | Ensure Audit Audit Policy Change is set to include Success"
+ - name: "17.7.1 | PATCH | Ensure Audit Audit Policy Change is set to include Success"
 win_shell: AuditPol /set /subcategory:"Audit Policy Change" /success:enable
 when: "'Success' not in rule_17_7_1_audit.stdout"
 when:
@@ -508,16 +509,16 @@
 - rule_17.7.1
 - patch
-- name: "17.7.2 | PATCH | L1 | Ensure Audit Authentication Policy Change is set to include Success"
+- name: "17.7.2 | PATCH | Ensure Audit Authentication Policy Change is set to include Success"
 block:
- - name: "17.7.2 | AUDIT | L1 | Ensure Audit Authentication Policy Change is set to include Success"
+ - name: "17.7.2 | AUDIT | Ensure Audit Authentication Policy Change is set to include Success"
 win_shell: AuditPol /get /subcategory:"Authentication Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 check_mode: false
 register: rule_17_7_2_audit
- - name: "17.7.2 | PATCH | L1 | Ensure Audit Authentication Policy Change is set to include Success"
+ - name: "17.7.2 | PATCH | Ensure Audit Authentication Policy Change is set to include Success"
 win_shell: AuditPol /set /subcategory:"Authentication Policy Change" /success:enable
 when: "'Success' not in rule_17_7_2_audit.stdout"
 when:
@@ -528,16 +529,16 @@
 - rule_17.7.2
 - patch
-- name: "17.7.3 | PATCH | L1 | Ensure Audit Authorization Policy Change is set to include Success"
+- name: "17.7.3 | PATCH | Ensure Audit Authorization Policy Change is set to include Success"
 block:
- - name: "17.7.3 | AUDIT | L1 | Ensure Audit Authorization Policy Change is set to include Success"
+ - name: "17.7.3 | AUDIT | Ensure Audit Authorization Policy Change is set to include Success"
 win_shell: AuditPol /get /subcategory:"Authorization Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 check_mode: false
 register: rule_17_7_3_audit
- - name: "17.7.3 | PATCH | L1 | Ensure Audit Authorization Policy Change is set to include Success"
+ - name: "17.7.3 | PATCH | Ensure Audit Authorization Policy Change is set to include Success"
 win_shell: AuditPol /set /subcategory:"Authorization Policy Change" /success:enable
 when: "'Success' not in rule_17_7_3_audit.stdout"
 when:
@@ -548,20 +549,20 @@
 - rule_17.7.3
 - patch
-- name: "17.7.4 | PATCH | L1 | Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure"
+- name: "17.7.4 | PATCH | Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure"
 block:
- - name: "17.7.4 | AUDIT | L1 | Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure"
+ - name: "17.7.4 | AUDIT | Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure"
 win_shell: AuditPol /get /subcategory:"MPSSVC Rule-Level Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 check_mode: false
 register: rule_17_7_4_audit
- - name: "17.7.4 | PATCH | L1 | Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure | Success"
+ - name: "17.7.4 | PATCH | Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure | Success"
 win_shell: AuditPol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable
 when: "'Success' not in rule_17_7_4_audit.stdout"
- - name: "17.7.4 | PATCH | L1 | Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure | Failure"
+ - name: "17.7.4 | PATCH | Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure | Failure"
 win_shell: AuditPol /set /subcategory:"MPSSVC Rule-Level Policy Change" /failure:enable
 when: "'Failure' not in rule_17_7_4_audit.stdout"
 when:
@@ -572,16 +573,16 @@
 - rule_17.7.4
 - patch
-- name: "17.7.5 | PATCH | L1 | Ensure Audit Other Policy Change Events is set to include Failure"
+- name: "17.7.5 | PATCH | Ensure Audit Other Policy Change Events is set to include Failure"
 block:
- - name: "17.7.5 | AUDIT | L1 | Ensure Audit Other Policy Change Events is set to include Failure"
+ - name: "17.7.5 | AUDIT | Ensure Audit Other Policy Change Events is set to include Failure"
 win_shell: AuditPol /get /subcategory:"Other Policy Change Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 check_mode: false
 register: rule_17_7_5_audit
- - name: "17.7.5 | PATCH | L1 | Ensure Audit Other Policy Change Events is set to include Failure"
+ - name: "17.7.5 | PATCH | Ensure Audit Other Policy Change Events is set to include Failure"
 win_shell: AuditPol /set /subcategory:"Other Policy Change Events" /failure:enable
 when: "'Failure' not in rule_17_7_5_audit.stdout"
 when:
@@ -592,20 +593,20 @@
 - rule_17.7.5
 - patch
-- name: "17.8.1 | PATCH | L1 | Ensure Audit Sensitive Privilege Use is set to Success and Failure"
+- name: "17.8.1 | PATCH | Ensure Audit Sensitive Privilege Use is set to Success and Failure"
 block:
- - name: "17.8.1 | AUDIT | L1 | Ensure Audit Sensitive Privilege Use is set to Success and Failure"
+ - name: "17.8.1 | AUDIT | Ensure Audit Sensitive Privilege Use is set to Success and Failure"
 win_shell: AuditPol /get /subcategory:"Sensitive Privilege Use" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 check_mode: false
 register: rule_17_8_1_audit
- - name: "17.8.1 | PATCH | L1 | Ensure Audit Sensitive Privilege Use is set to Success and Failure | Success"
+ - name: "17.8.1 | PATCH | Ensure Audit Sensitive Privilege Use is set to Success and Failure | Success"
 win_shell: AuditPol /set /subcategory:"Sensitive Privilege Use" /success:enable
 when: "'Success' not in rule_17_8_1_audit.stdout"
- - name: "17.8.1 | PATCH | L1 | Ensure Audit Sensitive Privilege Use is set to Success and Failure | Failure"
+ - name: "17.8.1 | PATCH | Ensure Audit Sensitive Privilege Use is set to Success and Failure | Failure"
 win_shell: AuditPol /set /subcategory:"Sensitive Privilege Use" /failure:enable
 when: "'Failure' not in rule_17_8_1_audit.stdout"
 when:
@@ -616,20 +617,20 @@
 - rule_17.8.1
 - patch
-- name: "17.9.1 | PATCH | L1 | Ensure Audit IPsec Driver is set to Success and Failure"
+- name: "17.9.1 | PATCH | Ensure Audit IPsec Driver is set to Success and Failure"
 block:
- - name: "17.9.1 | AUDIT | L1 | Ensure Audit IPsec Driver is set to Success and Failure"
+ - name: "17.9.1 | AUDIT | Ensure Audit IPsec Driver is set to Success and Failure"
 win_shell: AuditPol /get /subcategory:"IPsec Driver" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 check_mode: false
 register: rule_17_9_1_audit
- - name: "17.9.1 | PATCH | L1 | Ensure Audit IPsec Driver is set to Success and Failure | Success"
+ - name: "17.9.1 | PATCH | Ensure Audit IPsec Driver is set to Success and Failure | Success"
 win_shell: AuditPol /set /subcategory:"IPsec Driver" /success:enable
 when: "'Success' not in rule_17_9_1_audit.stdout"
- - name: "17.9.1 | PATCH | L1 | Ensure Audit IPsec Driver is set to Success and Failure | Failure"
+ - name: "17.9.1 | PATCH | Ensure Audit IPsec Driver is set to Success and Failure | Failure"
 win_shell: AuditPol /set /subcategory:"IPsec Driver" /failure:enable
 when: "'Failure' not in rule_17_9_1_audit.stdout"
 when:
@@ -640,20 +641,20 @@
 - rule_17.9.1
 - patch
-- name: "17.9.2 | PATCH | L1 | Ensure Audit Other System Events is set to Success and Failure"
+- name: "17.9.2 | PATCH | Ensure Audit Other System Events is set to Success and Failure"
 block:
- - name: "17.9.2 | AUDIT | L1 | Ensure Audit Other System Events is set to Success and Failure"
+ - name: "17.9.2 | AUDIT | Ensure Audit Other System Events is set to Success and Failure"
 win_shell: AuditPol /get /subcategory:"Other System Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 check_mode: false
 register: rule_17_9_2_audit
- - name: "17.9.2 | PATCH | L1 | Ensure Audit Other System Events is set to Success and Failure | Success"
+ - name: "17.9.2 | PATCH | Ensure Audit Other System Events is set to Success and Failure | Success"
 win_shell: AuditPol /set /subcategory:"Other System Events" /success:enable
 when: "'Success' not in rule_17_9_2_audit.stdout"
- - name: "17.9.2 | PATCH | L1 | Ensure Audit Other System Events is set to Success and Failure | Failure"
+ - name: "17.9.2 | PATCH | Ensure Audit Other System Events is set to Success and Failure | Failure"
 win_shell: AuditPol /set /subcategory:"Other System Events" /failure:enable
 when: "'Failure' not in rule_17_9_2_audit.stdout"
 when:
@@ -664,16 +665,16 @@
 - rule_17.9.2
 - patch
-- name: "17.9.3 | PATCH | L1 | Ensure Audit Security State Change is set to include Success"
+- name: "17.9.3 | PATCH | Ensure Audit Security State Change is set to include Success"
 block:
- - name: "17.9.3 | AUDIT | L1 | Ensure Audit Security State Change is set to include Success"
+ - name: "17.9.3 | AUDIT | Ensure Audit Security State Change is set to include Success"
 win_shell: AuditPol /get /subcategory:"Security State Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 check_mode: false
 register: rule_17_9_3_audit
- - name: "17.9.3 | PATCH | L1 | Ensure Audit Security State Change is set to include Success"
+ - name: "17.9.3 | PATCH | Ensure Audit Security State Change is set to include Success"
 win_shell: AuditPol /set /subcategory:"Security State Change" /success:enable
 when: "'Success' not in rule_17_9_3_audit.stdout"
 when:
@@ -684,16 +685,16 @@
 - rule_17.9.3
 - patch
-- name: "17.9.4 | PATCH | L1 | Ensure Audit Security System Extension is set to include Success"
+- name: "17.9.4 | PATCH | Ensure Audit Security System Extension is set to include Success"
 block:
- - name: "17.9.4 | AUDIT | L1 | Ensure Audit Security System Extension is set to include Success"
+ - name: "17.9.4 | AUDIT | Ensure Audit Security System Extension is set to include Success"
 win_shell: AuditPol /get /subcategory:"Security System Extension" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 check_mode: false
 register: rule_17_9_4_audit
- - name: "17.9.4 | PATCH | L1 | Ensure Audit Security System Extension is set to include Success"
+ - name: "17.9.4 | PATCH | Ensure Audit Security System Extension is set to include Success"
 win_shell: AuditPol /set /subcategory:"Security System Extension" /success:enable
 when: "'Success' not in rule_17_9_4_audit.stdout"
 when:
@@ -704,21 +705,21 @@
 - rule_17.9.4
 - patch
-- name: "17.9.5 | PATCH | L1 | Ensure Audit System Integrity is set to Success and Failure"
+- name: "17.9.5 | PATCH | Ensure Audit System Integrity is set to Success and Failure"
 block:
- - name: "17.9.5 | AUDIT | L1 | Ensure Audit System Integrity is set to Success and Failure"
+ - name: "17.9.5 | AUDIT | Ensure Audit System Integrity is set to Success and Failure"
 win_shell: AuditPol /get /subcategory:"System Integrity" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 check_mode: false
 register: rule_17_9_5_audit
- - name: "17.9.5 | PATCH | L1 | Ensure Audit System Integrity is set to Success and Failure | Success"
+ - name: "17.9.5 | PATCH | Ensure Audit System Integrity is set to Success and Failure | Success"
 win_shell: AuditPol /set /subcategory:"System Integrity" /success:enable
 changed_when: "'Success' not in rule_17_9_5_audit.stdout"
 when: "'Success' not in rule_17_9_5_audit.stdout"
- - name: "17.9.5 | PATCH | L1 | Ensure Audit System Integrity is set to Success and Failure | Failure"
+ - name: "17.9.5 | PATCH | Ensure Audit System Integrity is set to Success and Failure | Failure"
 win_shell: AuditPol /set /subcategory:"System Integrity" /failure:enable
 changed_when: "'Failure' not in rule_17_9_5_audit.stdout"
 when: "'Failure' not in rule_17_9_5_audit.stdout"
diff --git a/tasks/section18.yml b/tasks/section18.yml
index fe60d04..af206e8 100644
--- a/tasks/section18.yml
+++ b/tasks/section18.yml
@@ -1,5 +1,6 @@
 ---
-- name: "18.1.1.1 | PATCH | L1 | Ensure Prevent enabling lock screen camera is set to Enabled"
+
+- name: "18.1.1.1 | PATCH | Ensure Prevent enabling lock screen camera is set to Enabled"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\Personalization
 name: NoLockScreenCamera
@@ -13,7 +14,7 @@
 - rule_18.1.1.1
 - patch
-- name: "18.1.1.2 | PATCH | L1 | Ensure Prevent enabling lock screen slide show is set to Enabled"
+- name: "18.1.1.2 | PATCH | Ensure Prevent enabling lock screen slide show is set to Enabled"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\Personalization
 name: NoLockScreenSlideshow
@@ -27,7 +28,7 @@
 - rule_18.1.1.2
 - patch
-- name: "18.1.2.2 | PATCH | L1 | Ensure Allow users to enable online speech recognition services is set to Disabled"
+- name: "18.1.2.2 | PATCH | Ensure Allow users to enable online speech recognition services is set to Disabled"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\InputPersonalization
 name: "AllowInputPersonalization"
@@ -55,7 +56,7 @@
 - rule_18.1.3
 - patch
-- name: "18.2.1 | PATCH | L1 | Ensure LAPS AdmPwd GPO Extension CSE is installed MS only"
+- name: "18.2.1 | PATCH | Ensure LAPS AdmPwd GPO Extension CSE is installed MS only"
 win_regedit:
 path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}
 name: DllName
@@ -69,7 +70,7 @@
 - rule_18.2.1
 - patch
-- name: "18.2.2 | PATCH | L1 | Ensure Do not allow password expiration time longer than required by policy is set to Enabled MS only"
+- name: "18.2.2 | PATCH | Ensure Do not allow password expiration time longer than required by policy is set to Enabled MS only"
 win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd
 name: PwdExpirationProtectionEnabled
@@ -83,7 +84,7 @@
 - rule_18.2.2
 - patch
-- name: "18.2.3 | PATCH | L1 | Ensure Enable Local Admin Password Management is set to Enabled MS only"
+- name: "18.2.3 | PATCH | Ensure Enable Local Admin Password Management is set to Enabled MS only"
 win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd
 name: AdmPwdEnabled
@@ -97,7 +98,7 @@
 - rule_18.2.3
 - patch
-- name: "18.2.4 | PATCH | L1 | Ensure Password Settings Password Complexity is set to Enabled Large letters small letters numbers special characters MS only"
+- name: "18.2.4 | PATCH | Ensure Password Settings Password Complexity is set to Enabled Large letters small letters numbers special characters MS only"
 win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd
 name: PasswordComplexity
@@ -111,7 +112,7 @@
 - rule_18.2.4
 - patch
-- name: "18.2.5 | PATCH | L1 | Ensure Password Settings Password Length is set to Enabled 15 or more MS only"
+- name: "18.2.5 | PATCH | Ensure Password Settings Password Length is set to Enabled 15 or more MS only"
 win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd
 name: PasswordLength
@@ -125,7 +126,7 @@
 - rule_18.2.5
 - patch
-- name: "18.2.6 | PATCH | L1 | Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only"
+- name: "18.2.6 | PATCH | Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only"
 win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd
 name: PasswordAgeDays
@@ -139,7 +140,7 @@
 - rule_18.2.6
 - patch
-- name: "18.3.1 | PATCH | L1 | Ensure Apply UAC restrictions to local accounts on network logons is set to Enabled MS only"
+- name: "18.3.1 | PATCH | Ensure Apply UAC restrictions to local accounts on network logons is set to Enabled MS only"
 win_regedit:
 path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
 name: LocalAccountTokenFilterPolicy
@@ -153,7 +154,7 @@
 - rule_18.3.1
 - patch
-- name: "18.3.2 | PATCH | L1 | Ensure Configure SMB v1 client driver is set to Enabled Disable driver recommended"
+- name: "18.3.2 | PATCH | Ensure Configure SMB v1 client driver is set to Enabled Disable driver recommended"
 win_regedit:
 path: HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10
 name: Start
@@ -167,7 +168,7 @@
 - rule_18.3.2
 - patch
-- name: "18.3.3 | PATCH | L1 | Ensure Configure SMB v1 server is set to Disabled"
+- name: "18.3.3 | PATCH | Ensure Configure SMB v1 server is set to Disabled"
 win_regedit:
 path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
 name: SMB1
@@ -183,7 +184,7 @@
 - rule_18.3.3
 - patch
-- name: "18.3.4 | PATCH | L1 | Ensure Enable Structured Exception Handling Overwrite Protection SEHOP is set to Enabled"
+- name: "18.3.4 | PATCH | Ensure Enable Structured Exception Handling Overwrite Protection SEHOP is set to Enabled"
 win_regedit:
 path: HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel
 name: DisableExceptionChainValidation
@@ -198,7 +199,7 @@
 - rule_18.3.4
 - patch
-- name: "18.3.5 | PATCH | L1 | Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node recommended'"
+- name: "18.3.5 | PATCH | Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node recommended'"
 win_regedit:
 path: HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
 state: present
@@ -213,7 +214,7 @@
 - rule_18.3.5
 - patch
-- name: "18.3.6 | PATCH | L1 | Ensure WDigest Authentication is set to Disabled"
+- name: "18.3.6 | PATCH | Ensure WDigest Authentication is set to Disabled"
 win_regedit:
 path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest
 state: present
@@ -230,7 +231,7 @@
 ## 18.4.x
-- name: "18.4.1 | PATCH | L1 | Ensure MSS AutoAdminLogon Enable Automatic Logon not recommended is set to Disabled"
+- name: "18.4.1 | PATCH | Ensure MSS AutoAdminLogon Enable Automatic Logon not recommended is set to Disabled"
 win_regedit:
 path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
 state: present
@@ -245,7 +246,7 @@
 - rule_18.4.1
 - patch
-- name: "18.4.2 | PATCH | L1 | Ensure MSS DisableIPSourceRouting IPv6 IP source routing protection level protects against packet spoofing is set to Enabled Highest protection source routing is completely disabled"
+- name: "18.4.2 | PATCH | Ensure MSS DisableIPSourceRouting IPv6 IP source routing protection level protects against packet spoofing is set to Enabled Highest protection source routing is completely disabled"
 win_regedit:
 path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters
 state: present
@@ -260,7 +261,7 @@
 - rule_18.4.2
 - patch
-- name: "18.4.3 | PATCH | L1 | Ensure MSS DisableIPSourceRouting IP source routing protection level protects against packet spoofing is set to Enabled Highest protection source routing is completely disabled"
+- name: "18.4.3 | PATCH | Ensure MSS DisableIPSourceRouting IP source routing protection level protects against packet spoofing is set to Enabled Highest protection source routing is completely disabled"
 win_regedit:
 path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
 state: present
@@ -275,7 +276,7 @@
 - rule_18.4.3
 - patch
-- name: "18.4.4 | PATCH | L1 | Ensure MSS EnableICMPRedirect Allow ICMP redirects to override OSPF generated routes is set to Disabled"
+- name: "18.4.4 | PATCH | Ensure MSS EnableICMPRedirect Allow ICMP redirects to override OSPF generated routes is set to Disabled"
 win_regedit:
 path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
 state: present
@@ -305,7 +306,7 @@
 - rule_18.4.5
 - patch
-- name: "18.4.6 | PATCH | L1 | Ensure MSS NoNameReleaseOnDemand Allow the computer to ignore NetBIOS name release requests except from WINS servers is set to Enabled"
+- name: "18.4.6 | PATCH | Ensure MSS NoNameReleaseOnDemand Allow the computer to ignore NetBIOS name release requests except from WINS servers is set to Enabled"
 win_regedit:
 path: HKLM:\System\Currentcontrolset\Services\Netbt\Parameters
 state: present
@@ -335,7 +336,7 @@
 - rule_18.4.7
 - patch
-- name: "18.4.8 | PATCH | L1 | Ensure MSS SafeDllSearchMode Enable Safe DLL search mode recommended is set to Enabled"
+- name: "18.4.8 | PATCH | Ensure MSS SafeDllSearchMode Enable Safe DLL search mode recommended is set to Enabled"
 win_regedit:
 path: HKLM:\System\Currentcontrolset\Control\Session Manager
 name: SafeDllSearchMode
@@ -350,7 +351,7 @@
 - rule_18.4.8
 - patch
-- name: "18.4.9 | PATCH | L1 | Ensure MSS ScreenSaverGracePeriod The time in seconds before the screen saver grace period expires 0 recommended is set to Enabled 5 or fewer seconds"
+- name: "18.4.9 | PATCH | Ensure MSS ScreenSaverGracePeriod The time in seconds before the screen saver grace period expires 0 recommended is set to Enabled 5 or fewer seconds"
 win_regedit:
 path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon
 name: ScreenSaverGracePeriod
@@ -393,7 +394,7 @@
 - rule_18.4.11
 - patch
-- name: "18.4.12 | PATCH | L1 | Ensure MSS WarningLevel Percentage threshold for the security event log at which the system will generate a warning is set to Enabled 90 or less"
+- name: "18.4.12 | PATCH | Ensure MSS WarningLevel Percentage threshold for the security event log at which the system will generate a warning is set to Enabled 90 or less"
 win_regedit:
 path: HKLM:\System\Currentcontrolset\Services\Eventlog\Security
 name: WarningLevel
@@ -410,7 +411,7 @@
 # 18.5.4.x
-- name: "18.5.4.1 | PATCH | L1 | Ensure Turn off multicast name resolution is set to Enabled MS Only"
+- name: "18.5.4.1 | PATCH | Ensure Turn off multicast name resolution is set to Enabled MS Only"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient
 name: EnableMulticast
@@ -439,7 +440,7 @@
 - rule_18.5.5.1
 - patch
-- name: "18.5.8.1 | PATCH | L1 | Ensure Enable insecure guest logons is set to Disabled"
+- name: "18.5.8.1 | PATCH | Ensure Enable insecure guest logons is set to Disabled"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\Lanmanworkstation
 name: AllowInsecureGuestAuth
@@ -541,7 +542,7 @@
 - rule_18.5.10.2
 - patch
-- name: "18.5.11.2 | PATCH | L1 | Ensure Prohibit installation and configuration of Network Bridge on your DNS domain network is set to Enabled"
+- name: "18.5.11.2 | PATCH | Ensure Prohibit installation and configuration of Network Bridge on your DNS domain network is set to Enabled"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\Network Connections
 name: NC_AllowNetBridge_NLA
@@ -555,7 +556,7 @@
 - rule_18.5.11.2
 - patch
-- name: "18.5.11.3 | PATCH | L1 | Ensure Prohibit use of Internet Connection Sharing on your DNS domain network is set to Enabled"
+- name: "18.5.11.3 | PATCH | Ensure Prohibit use of Internet Connection Sharing on your DNS domain network is set to Enabled"
 win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections
 name: NC_ShowSharedAccessUI
@@ -569,7 +570,7 @@
 - rule_18.5.11.3
 - patch
-- name: "18.5.11.4 | PATCH | L1 | Ensure Require domain users to elevate when setting a networks location is set to Enabled"
+- name: "18.5.11.4 | PATCH | Ensure Require domain users to elevate when setting a networks location is set to Enabled"
 win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\Network Connections
 name: NC_StdDomainUserSetLocation
@@ -583,16 +584,16 @@ - rule_18.5.11.4 - patch -- name: "18.5.14.1 | PATCH | L1 | Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all NETLOGON and SYSVOL shares" +- name: "18.5.14.1 | PATCH | Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all NETLOGON and SYSVOL shares" block: - - name: "18.5.14.1 | PATCH | L1 | Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all NETLOGON shares" + - name: "18.5.14.1 | PATCH | Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all NETLOGON shares" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Networkprovider\Hardenedpaths name: "\\\\*\\NETLOGON" data: "RequireMutualAuthentication=1, RequireIntegrity=1" type: string - - name: "18.5.14.1 | PATCH | L1 | Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all SYSVOL shares" + - name: "18.5.14.1 | PATCH | Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all SYSVOL shares" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Networkprovider\Hardenedpaths name: "\\\\*\\SYSVOL" @@ -678,7 +679,7 @@ - rule_18.5.20.2 - patch -- name: "18.5.21.1 | PATCH | L1 | Ensure Minimize the number of simultaneous connections to the Internet or a Windows Domain is set to Enabled" +- name: "18.5.21.1 | PATCH | Ensure Minimize the number of simultaneous connections to the Internet or a Windows Domain is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Wcmsvc\Grouppolicy name: fMinimizeConnections 
@@ -720,7 +721,7 @@ - rule_18.7.1.1 - patch -- name: "18.8.3.1 | PATCH | L1 | Ensure Include command line in process creation events is set to Disabled" +- name: "18.8.3.1 | PATCH | Ensure Include command line in process creation events is set to Disabled" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\Audit name: ProcessCreationIncludeCmdLine_Enabled @@ -734,7 +735,7 @@ - rule_18.8.3.1 - patch -- name: "18.8.4.1 | PATCH | L1 | Ensure Encryption Oracle Remediation is set to Enabled Force Updated Clients" +- name: "18.8.4.1 | PATCH | Ensure Encryption Oracle Remediation is set to Enabled Force Updated Clients" win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters name: AllowEncryptionOracle @@ -748,7 +749,7 @@ - rule_18.8.4.1 - patch -- name: "18.8.4.2 | PATCH | L1 | Ensure Remote host allows delegation of non-exportable credentials is set to Enabled" +- name: "18.8.4.2 | PATCH | Ensure Remote host allows delegation of non-exportable credentials is set to Enabled" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation name: AllowProtectedCreds @@ -860,7 +861,7 @@ - rule_18.8.5.7 - patch -- name: "18.8.14.1 | PATCH | L1 | Ensure Boot-Start Driver Initialization Policy is set to Enabled Good unknown and bad but critical" +- name: "18.8.14.1 | PATCH | Ensure Boot-Start Driver Initialization Policy is set to Enabled Good unknown and bad but critical" win_regedit: path: HKLM:\System\Currentcontrolset\Policies\Earlylaunch name: DriverLoadPolicy 
@@ -874,7 +875,7 @@ - rule_18.8.14.1 - patch -- name: "18.8.21.2 | PATCH | L1 | Ensure Configure registry policy processing Do not apply during periodic background processing is set to Enabled FALSE" +- name: "18.8.21.2 | PATCH | Ensure Configure registry policy processing Do not apply during periodic background processing is set to Enabled FALSE" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378Eac-683F-11D2-A89A-00C04Fbbcfa2} name: NoBackgroundPolicy @@ -888,7 +889,7 @@ - rule_18.8.21.2 - patch -- name: "18.8.21.3 | PATCH | L1 | Ensure Configure registry policy processing Process even if the Group Policy objects have not changed is set to Enabled TRUE" +- name: "18.8.21.3 | PATCH | Ensure Configure registry policy processing Process even if the Group Policy objects have not changed is set to Enabled TRUE" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378Eac-683F-11D2-A89A-00C04Fbbcfa2} name: NoGPOListChanges @@ -902,7 +903,7 @@ - rule_18.8.21.3 - patch -- name: "18.8.21.4 | PATCH | L1 | Ensure Continue experiences on this device is set to Disabled" +- name: "18.8.21.4 | PATCH | Ensure Continue experiences on this device is set to Disabled" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System name: EnableCdp @@ -916,7 +917,7 @@ - rule_18.8.21.4 - patch -- name: "18.8.21.5 | PATCH | L1 | Ensure Turn off background refresh of Group Policy is set to Disabled" +- name: "18.8.21.5 | PATCH | Ensure Turn off background refresh of Group Policy is set to Disabled" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\DisableBkGndGroupPolicy state: absent 
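Review bot: In the 18.8.21.5 task at the end of the `@@ -916` hunk, `DisableBkGndGroupPolicy` is folded into `path:` and the task has `state: absent` with no `name:`, so win_regedit would try to delete a subkey called DisableBkGndGroupPolicy rather than the registry value of that name under `...\Policies\System`; if the benchmark item is a value (as its wording suggests), the task silently changes nothing and the host stays non-compliant. The intended form is `path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System`, `name: DisableBkGndGroupPolicy`, `state: absent`. The rest of that task's body lies outside the hunk, so confirm no `name:` key follows further down.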
@@ -929,7 +930,7 @@ - rule_18.8.21.5 - patch -- name: "18.8.22.1.1 | PATCH | L1 | Ensure Turn off downloading of print drivers over HTTP is set to Enabled" +- name: "18.8.22.1.1 | PATCH | Ensure Turn off downloading of print drivers over HTTP is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Printers name: DisableWebPnPDownload @@ -985,7 +986,7 @@ - rule_18.8.22.1.4 - patch -- name: "18.8.22.1.5 | PATCH | L1 | Ensure Turn off Internet download for Web publishing and online ordering wizards is set to Enabled" +- name: "18.8.22.1.5 | PATCH | Ensure Turn off Internet download for Web publishing and online ordering wizards is set to Enabled" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer name: NoWebServices @@ -1143,7 +1144,7 @@ - rule_18.8.25.1 - patch -- name: "18.8.26.1 | PATCH | L1 | Ensure Enumeration policy for external devices incompatible with Kernel DMA Protection is set to Enabled Block All" +- name: "18.8.26.1 | PATCH | Ensure Enumeration policy for external devices incompatible with Kernel DMA Protection is set to Enabled Block All" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Kernel DMA Protection name: DeviceEnumerationPolicy @@ -1171,7 +1172,7 @@ - rule_18.8.27.1 - patch -- name: "18.8.28.1 | PATCH | L1 | Ensure Block user from showing account details on sign-in is set to Enabled" +- name: "18.8.28.1 | PATCH | Ensure Block user from showing account details on sign-in is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\System name: BlockUserFromShowingAccountDetailsOnSignin @@ -1185,7 +1186,7 @@ - rule_18.8.28.1 - patch -- name: "18.8.28.2 | PATCH | L1 | Ensure Do not display network selection UI is set to Enabled" +- name: "18.8.28.2 | PATCH | Ensure Do not display network selection UI is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\System name: DontDisplayNetworkSelectionUI 
@@ -1199,7 +1200,7 @@ - rule_18.8.28.2 - patch -- name: "18.8.28.3 | PATCH | L1 | Ensure Do not enumerate connected users on domain-joined computers is set to Enabled" +- name: "18.8.28.3 | PATCH | Ensure Do not enumerate connected users on domain-joined computers is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\System name: DontEnumerateConnectedUsers @@ -1213,7 +1214,7 @@ - rule_18.8.28.3 - patch -- name: "18.8.28.4 | PATCH | L1 | Ensure Enumerate local users on domain-joined computers is set to Disabled MS only" +- name: "18.8.28.4 | PATCH | Ensure Enumerate local users on domain-joined computers is set to Disabled MS only" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\System name: EnumerateLocalUsers @@ -1226,7 +1227,7 @@ - rule_18.8.28.4 - patch -- name: "18.8.28.5 | PATCH | L1 | Ensure Turn off app notifications on the lock screen is set to Enabled" +- name: "18.8.28.5 | PATCH | Ensure Turn off app notifications on the lock screen is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\System name: DisableLockScreenAppNotifications @@ -1240,7 +1241,7 @@ - rule_18.8.28.5 - patch -- name: "18.8.28.6 | PATCH | L1 | Ensure Turn off picture password sign-in is set to Enabled" +- name: "18.8.28.6 | PATCH | Ensure Turn off picture password sign-in is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\System name: BlockDomainPicturePassword @@ -1254,7 +1255,7 @@ - rule_18.8.28.6 - patch -- name: "18.8.28.7 | PATCH | L1 | Ensure Turn on convenience PIN sign-in is set to Disabled" +- name: "18.8.28.7 | PATCH | Ensure Turn on convenience PIN sign-in is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\System name: AllowDomainPINLogon 
@@ -1324,7 +1325,7 @@ - rule_18.8.34.6.2 - patch -- name: "18.8.34.6.3 | PATCH | L1 | Ensure Require a password when a computer wakes on battery is set to Enabled" +- name: "18.8.34.6.3 | PATCH | Ensure Require a password when a computer wakes on battery is set to Enabled" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 name: DCSettingIndex @@ -1338,7 +1339,7 @@ - rule_18.8.34.6.3 - patch -- name: "18.8.34.6.4 | PATCH | L1 | Ensure Require a password when a computer wakes plugged in is set to Enabled" +- name: "18.8.34.6.4 | PATCH | Ensure Require a password when a computer wakes plugged in is set to Enabled" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 name: ACSettingIndex @@ -1352,7 +1353,7 @@ - rule_18.8.34.6.4 - patch -- name: "18.8.36.1 | PATCH | L1 | Ensure Configure Offer Remote Assistance is set to Disabled" +- name: "18.8.36.1 | PATCH | Ensure Configure Offer Remote Assistance is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: fAllowUnsolicited @@ -1366,7 +1367,7 @@ - rule_18.8.36.1 - patch -- name: "18.8.36.2 | PATCH | L1 | Ensure Configure Solicited Remote Assistance is set to Disabled" +- name: "18.8.36.2 | PATCH | Ensure Configure Solicited Remote Assistance is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: fAllowToGetHelp @@ -1380,7 +1381,7 @@ - rule_18.8.36.2 - patch -- name: "18.8.37.1 | PATCH | L1 | Ensure Enable RPC Endpoint Mapper Client Authentication is set to Enabled MS only" +- name: "18.8.37.1 | PATCH | Ensure Enable RPC Endpoint Mapper Client Authentication is set to Enabled MS only" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Rpc name: EnableAuthEpResolution 
@@ -1492,7 +1493,7 @@ - rule_18.9.4.1 - patch -- name: "18.9.6.1 | PATCH | L1 | Ensure Allow Microsoft accounts to be optional is set to Enabled" +- name: "18.9.6.1 | PATCH | Ensure Allow Microsoft accounts to be optional is set to Enabled" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: MSAOptional @@ -1506,7 +1507,7 @@ - rule_18.9.6.1 - patch -- name: "18.9.8.1 | PATCH | L1 | Ensure Disallow Autoplay for non-volume devices is set to Enabled" +- name: "18.9.8.1 | PATCH | Ensure Disallow Autoplay for non-volume devices is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Explorer name: NoAutoplayfornonVolume @@ -1520,7 +1521,7 @@ - rule_18.9.8.1 - patch -- name: "18.9.8.2 | PATCH | L1 | Ensure Set the default behavior for AutoRun is set to Enabled Do not execute any autorun commands" +- name: "18.9.8.2 | PATCH | Ensure Set the default behavior for AutoRun is set to Enabled Do not execute any autorun commands" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer name: NoAutorun @@ -1534,7 +1535,7 @@ - rule_18.9.8.2 - patch -- name: "18.9.8.3 | PATCH | L1 | Ensure Turn off Autoplay is set to Enabled All drives" +- name: "18.9.8.3 | PATCH | Ensure Turn off Autoplay is set to Enabled All drives" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer name: NoDriveTypeAutoRun @@ -1548,7 +1549,7 @@ - rule_18.9.8.3 - patch -- name: "18.9.10.1.1 | PATCH | L1 | Ensure Configure enhanced anti-spoofing is set to Enabled" +- name: "18.9.10.1.1 | PATCH | Ensure Configure enhanced anti-spoofing is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Biometrics\Facialfeatures name: EnhancedAntiSpoofing 
@@ -1590,7 +1591,7 @@ - rule_18.9.13.1 - patch -- name: "18.9.13.2 | PATCH | L1 | Ensure Turn off Microsoft consumer experiences is set to Enabled" +- name: "18.9.13.2 | PATCH | Ensure Turn off Microsoft consumer experiences is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Cloudcontent name: DisableWindowsConsumerFeatures @@ -1604,7 +1605,7 @@ - rule_18.9.13.2 - patch -- name: "18.9.14.1 | PATCH | L1 | Ensure Require pin for pairing is set to Enabled First Time OR Enabled Always" +- name: "18.9.14.1 | PATCH | Ensure Require pin for pairing is set to Enabled First Time OR Enabled Always" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Connect name: RequirePinForPairing @@ -1618,7 +1619,7 @@ - rule_18.9.14.1 - patch -- name: "18.9.15.1 | PATCH | L1 | Ensure Do not display the password reveal button is set to Enabled" +- name: "18.9.15.1 | PATCH | Ensure Do not display the password reveal button is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Credui name: DisablePasswordReveal @@ -1632,7 +1633,7 @@ - rule_18.9.15.1 - patch -- name: "18.9.15.2 | PATCH | L1 | Ensure Enumerate administrator accounts on elevation is set to Disabled" +- name: "18.9.15.2 | PATCH | Ensure Enumerate administrator accounts on elevation is set to Disabled" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Credui name: EnumerateAdministrators @@ -1646,7 +1647,7 @@ - rule_18.9.15.2 - patch -- name: "18.9.16.1 | PATCH | L1 | Ensure Allow Telemetry is set to Enabled 0 - Security Enterprise Only or Enabled 1 - Basic" +- name: "18.9.16.1 | PATCH | Ensure Allow Telemetry is set to Enabled 0 - Security Enterprise Only or Enabled 1 - Basic" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection name: AllowTelemetry 
@@ -1674,7 +1675,7 @@ - rule_18.9.16.2 - patch -- name: "18.9.16.3 | PATCH | L1 | Ensure Do not show feedback notifications is set to Enabled" +- name: "18.9.16.3 | PATCH | Ensure Do not show feedback notifications is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection name: DoNotShowFeedbackNotifications @@ -1688,7 +1689,7 @@ - rule_18.9.16.3 - patch -- name: "18.9.16.4 | PATCH | L1 | Ensure Toggle user control over Insider builds is set to Disabled" +- name: "18.9.16.4 | PATCH | Ensure Toggle user control over Insider builds is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Previewbuilds name: AllowBuildPreview @@ -1702,7 +1703,7 @@ - rule_18.9.16.4 - patch -- name: "18.9.26.1.1 | PATCH | L1 | Ensure Application Control Event Log behavior when the log file reaches its maximum size is set to Disabled" +- name: "18.9.26.1.1 | PATCH | Ensure Application Control Event Log behavior when the log file reaches its maximum size is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application name: Retention @@ -1716,7 +1717,7 @@ - rule_18.9.26.1.1 - patch -- name: "18.9.26.1.2 | PATCH | L1 | Ensure Application Specify the maximum log file size KB is set to Enabled 32768 or greater" +- name: "18.9.26.1.2 | PATCH | Ensure Application Specify the maximum log file size KB is set to Enabled 32768 or greater" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Application name: MaxSize @@ -1730,7 +1731,7 @@ - rule_18.9.26.1.2 - patch -- name: "18.9.26.2.1 | PATCH | L1 | Ensure Security Control Event Log behavior when the log file reaches its maximum size is set to Disabled" +- name: "18.9.26.2.1 | PATCH | Ensure Security Control Event Log behavior when the log file reaches its maximum size is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Security name: Retention 
@@ -1744,7 +1745,7 @@ - rule_18.9.26.2.1 - patch -- name: "18.9.26.2.2 | PATCH | L1 | Ensure Security Specify the maximum log file size KB is set to Enabled 196608 or greater" +- name: "18.9.26.2.2 | PATCH | Ensure Security Specify the maximum log file size KB is set to Enabled 196608 or greater" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Security name: MaxSize @@ -1758,7 +1759,7 @@ - rule_18.9.26.2.2 - patch -- name: "18.9.26.3.1 | PATCH | L1 | Ensure Setup Control Event Log behavior when the log file reaches its maximum size is set to Disabled" +- name: "18.9.26.3.1 | PATCH | Ensure Setup Control Event Log behavior when the log file reaches its maximum size is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Setup name: Retention @@ -1772,7 +1773,7 @@ - rule_18.9.26.3.1 - patch -- name: "18.9.26.3.2 | PATCH | L1 | Ensure Setup Specify the maximum log file size KB is set to Enabled 32768 or greater" +- name: "18.9.26.3.2 | PATCH | Ensure Setup Specify the maximum log file size KB is set to Enabled 32768 or greater" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Setup name: MaxSize @@ -1786,7 +1787,7 @@ - rule_18.9.26.3.2 - patch -- name: "18.9.26.4.1 | PATCH | L1 | Ensure System Control Event Log behavior when the log file reaches its maximum size is set to Disabled" +- name: "18.9.26.4.1 | PATCH | Ensure System Control Event Log behavior when the log file reaches its maximum size is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\System name: Retention @@ -1800,7 +1801,7 @@ - rule_18.9.26.4.1 - patch -- name: "18.9.26.4.2 | PATCH | L1 | Ensure System Specify the maximum log file size KB is set to Enabled 32768 or greater" +- name: "18.9.26.4.2 | PATCH | Ensure System Specify the maximum log file size KB is set to Enabled 32768 or greater" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\System name: MaxSize 
@@ -1814,7 +1815,7 @@ - rule_18.9.26.4.2 - patch -- name: "18.9.30.2 | PATCH | L1 | Ensure Turn off Data Execution Prevention for Explorer is set to Disabled" +- name: "18.9.30.2 | PATCH | Ensure Turn off Data Execution Prevention for Explorer is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Explorer name: NoDataExecutionPrevention @@ -1828,7 +1829,7 @@ - rule_18.9.30.2 - patch -- name: "18.9.30.3 | PATCH | L1 | Ensure Turn off heap termination on corruption is set to Disabled" +- name: "18.9.30.3 | PATCH | Ensure Turn off heap termination on corruption is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Explorer name: NoHeapTerminationOnCorruption @@ -1842,7 +1843,7 @@ - rule_18.9.30.3 - patch -- name: "18.9.30.4 | PATCH | L1 | Ensure Turn off shell protocol protected mode is set to Disabled" +- name: "18.9.30.4 | PATCH | Ensure Turn off shell protocol protected mode is set to Disabled" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer name: PreXPSP2ShellProtocolBehavior @@ -1884,7 +1885,7 @@ - rule_18.9.43.1 - patch -- name: "18.9.44.1 | PATCH | L1 | Ensure Block all consumer Microsoft account user authentication is set to Enabled" +- name: "18.9.44.1 | PATCH | Ensure Block all consumer Microsoft account user authentication is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\MicrosoftAccount name: DisableUserAuth @@ -1898,7 +1899,7 @@ - rule_18.9.44.1 - patch -- name: "18.9.45.3.1 | PATCH | L1 | Ensure Configure local setting override for reporting to Microsoft MAPS is set to Disabled" +- name: "18.9.45.3.1 | PATCH | Ensure Configure local setting override for reporting to Microsoft MAPS is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet name: LocalSettingOverrideSpynetReporting 
@@ -1954,7 +1955,7 @@ - rule_18.9.45.8.1 - patch -- name: "18.9.45.8.3 | PATCH | L1 | Ensure Turn on behavior monitoring is set to Enabled" +- name: "18.9.45.8.3 | PATCH | Ensure Turn on behavior monitoring is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection name: DisableBehaviorMonitoring @@ -1968,7 +1969,7 @@ - rule_18.9.45.8.3 - patch -- name: "18.9.45.4.1.1 | PATCH | L1 | Ensure Configure Attack Surface Reduction rules is set to Enabled" +- name: "18.9.45.4.1.1 | PATCH | Ensure Configure Attack Surface Reduction rules is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR name: ExploitGuard_ASR_Rules @@ -1982,7 +1983,7 @@ - rule_18.9.45.4.1.1 - patch -- name: "18.9.45.4.1.2 | PATCH | L1 | Ensure Configure Attack Surface Reduction rules Set the state for each ASR rule is configured" +- name: "18.9.45.4.1.2 | PATCH | Ensure Configure Attack Surface Reduction rules Set the state for each ASR rule is configured" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules name: "{{ item }}" @@ -2009,7 +2010,7 @@ - rule_18.9.45.4.1.2 - patch -- name: "18.9.45.4.3.1 | PATCH | L1 | Ensure Prevent users and apps from accessing dangerous websites is set to Enabled Block" +- name: "18.9.45.4.3.1 | PATCH | Ensure Prevent users and apps from accessing dangerous websites is set to Enabled Block" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection name: EnableNetworkProtection @@ -2051,7 +2052,7 @@ - rule_18.9.77.9.1 - patch -- name: "18.9.45.11.1 | PATCH | L1 | Ensure Scan removable drives is set to Enabled" +- name: "18.9.45.11.1 | PATCH | Ensure Scan removable drives is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Defender\Scan name: DisableRemovableDriveScanning 
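Review bot: The context at the top of the `@@ -2051` hunk still tags the preceding task with `rule_18.9.77.9.1`, a pre-renumbering ID, while every task name in this section now uses 18.9.45.x; the same stale tags are visible in the `@@ -2233` hunk (`rule_18.9.59.3.9.2` on the task renamed to 18.9.62.3.9.2), the `@@ -2317` hunk (`rule_18.9.59.3.11.1` on the task renamed to 18.9.62.3.11.1) and, apparently, `rule_18.9.66.1` at the top of `@@ -2387`. Renaming only the `name:` strings means `--tags` / `--skip-tags` with the new ID silently selects nothing, and the tag no longer lines up with the per-rule enable variable the task is presumably gated on. Each tag should carry the renumbered ID, e.g. `- rule_18.9.62.3.9.2`. The tasks that own these tag blocks start outside the hunks.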
@@ -2065,7 +2066,7 @@ - rule_18.9.45.11.1 - patch -- name: "18.9.45.11.2 | PATCH | L1 | Ensure Turn on e-mail scanning is set to Enabled" +- name: "18.9.45.11.2 | PATCH | Ensure Turn on e-mail scanning is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Defender\Scan name: DisableEmailScanning @@ -2079,7 +2080,7 @@ - rule_18.9.45.11.2 - patch -- name: "18.9.45.14 | PATCH | L1 | Ensure Configure detection for potentially unwanted applications is set to Enabled Block" +- name: "18.9.45.14 | PATCH | Ensure Configure detection for potentially unwanted applications is set to Enabled Block" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Defender name: PUAProtection @@ -2093,7 +2094,7 @@ - rule_18.9.45.14 - patch -- name: "18.9.45.15 | PATCH | L1 | Ensure Turn off Windows Defender AntiVirus is set to Disabled" +- name: "18.9.45.15 | PATCH | Ensure Turn off Windows Defender AntiVirus is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Defender name: DisableAntiSpyware @@ -2107,7 +2108,7 @@ - rule_18.9.45.15 - patch -- name: "18.9.55.1 | PATCH | L1 | Ensure Prevent the usage of OneDrive for file storage is set to Enabled" +- name: "18.9.55.1 | PATCH | Ensure Prevent the usage of OneDrive for file storage is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Onedrive name: DisableFileSyncNGSC @@ -2121,7 +2122,7 @@ - rule_18.9.55.1 - patch -- name: "18.9.62.2.2 | PATCH | L1 | Ensure Do not allow passwords to be saved is set to Enabled" +- name: "18.9.62.2.2 | PATCH | Ensure Do not allow passwords to be saved is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: DisablePasswordSaving 
@@ -2163,7 +2164,7 @@ - rule_18.9.62.3.3.1 - patch -- name: "18.9.62.3.3.2 | PATCH | L1 | Ensure Do not allow drive redirection is set to Enabled" +- name: "18.9.62.3.3.2 | PATCH | Ensure Do not allow drive redirection is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: fDisableCdm @@ -2205,7 +2206,7 @@ - rule_18.9.62.3.3.4 - patch -- name: "18.9.62.3.9.1 | PATCH | L1 | Ensure Always prompt for password upon connection is set to Enabled" +- name: "18.9.62.3.9.1 | PATCH | Ensure Always prompt for password upon connection is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: fPromptForPassword @@ -2219,7 +2220,7 @@ - rule_18.9.62.3.9.1 - patch -- name: "18.9.62.3.9.2 | PATCH | L1 | Ensure Require secure RPC communication is set to Enabled" +- name: "18.9.62.3.9.2 | PATCH | Ensure Require secure RPC communication is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: fEncryptRPCTraffic @@ -2233,7 +2234,7 @@ - rule_18.9.59.3.9.2 - patch -- name: "18.9.62.3.9.3 | PATCH | L1 | Ensure Require use of specific security layer for remote RDP connections is set to Enabled SSL" +- name: "18.9.62.3.9.3 | PATCH | Ensure Require use of specific security layer for remote RDP connections is set to Enabled SSL" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: SecurityLayer @@ -2247,7 +2248,7 @@ - rule_18.9.62.3.9.3 - patch -- name: "18.9.62.3.9.4 | PATCH | L1 | Ensure Require user authentication for remote connections by using Network Level Authentication is set to Enabled" +- name: "18.9.62.3.9.4 | PATCH | Ensure Require user authentication for remote connections by using Network Level Authentication is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: UserAuthentication 
@@ -2261,7 +2262,7 @@ - rule_18.9.62.3.9.4 - patch -- name: "18.9.62.3.9.5 | PATCH | L1 | Ensure Set client connection encryption level is set to Enabled High Level" +- name: "18.9.62.3.9.5 | PATCH | Ensure Set client connection encryption level is set to Enabled High Level" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: MinEncryptionLevel @@ -2303,7 +2304,7 @@ - rule_18.9.62.3.10.2 - patch -- name: "18.9.62.3.11.1 | PATCH | L1 | Ensure Do not delete temp folders upon exit is set to Disabled" +- name: "18.9.62.3.11.1 | PATCH | Ensure Do not delete temp folders upon exit is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: DeleteTempDirsOnExit @@ -2317,7 +2318,7 @@ - rule_18.9.59.3.11.1 - patch -- name: "18.9.62.3.11.2 | PATCH | L1 | Ensure Do not use temporary folders per session is set to Disabled" +- name: "18.9.62.3.11.2 | PATCH | Ensure Do not use temporary folders per session is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: PerSessionTempDir @@ -2331,7 +2332,7 @@ - rule_18.9.62.3.11.2 - patch -- name: "18.9.63.1 | PATCH | L1 | Ensure Prevent downloading of enclosures is set to Enabled" +- name: "18.9.63.1 | PATCH | Ensure Prevent downloading of enclosures is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds name: DisableEnclosureDownload @@ -2359,7 +2360,7 @@ - rule_18.9.64.2 - patch -- name: "18.9.64.3 | PATCH | L1 | Ensure Allow indexing of encrypted files is set to Disabled" +- name: "18.9.64.3 | PATCH | Ensure Allow indexing of encrypted files is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search name: AllowIndexingEncryptedStoresOrItems 
@@ -2387,16 +2388,16 @@ - rule_18.9.66.1 - patch -- name: "18.9.80.1.1 | PATCH | L1 | Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass" +- name: "18.9.80.1.1 | PATCH | Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass" block: - - name: "18.9.80.1.1 | PATCH | L1 | Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass | EnableSmartScreen" + - name: "18.9.80.1.1 | PATCH | Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass | EnableSmartScreen" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\System name: EnableSmartScreen data: 1 type: dword - - name: "18.9.80.1.1 | PATCH | L1 | Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass | ShellSmartScreenLevel" + - name: "18.9.80.1.1 | PATCH | Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass | ShellSmartScreenLevel" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\System name: ShellSmartScreenLevel @@ -2424,7 +2425,7 @@ - rule_18.9.84.1 - patch -- name: "18.9.84.2 | PATCH | L1 | Ensure Allow Windows Ink Workspace is set to Enabled On but disallow access above lock OR Disabled but not Enabled On" +- name: "18.9.84.2 | PATCH | Ensure Allow Windows Ink Workspace is set to Enabled On but disallow access above lock OR Disabled but not Enabled On" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace name: AllowWindowsInkWorkspace @@ -2438,7 +2439,7 @@ - rule_18.9.84.2 - patch -- name: "18.9.85.1 | PATCH | L1 | Ensure Allow user control over installs is set to Disabled" +- name: "18.9.85.1 | PATCH | Ensure Allow user control over installs is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Installer name: EnableUserControl 
@@ -2452,7 +2453,7 @@ - rule_18.9.85.1 - patch -- name: "18.9.85.2 | PATCH | L1 | Ensure Always install with elevated privileges is set to Disabled" +- name: "18.9.85.2 | PATCH | Ensure Always install with elevated privileges is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Installer name: AlwaysInstallElevated @@ -2480,7 +2481,7 @@ - rule_18.9.85.3 - patch -- name: "18.9.86.1 | PATCH | L1 | Ensure Sign-in last interactive user automatically after a system-initiated restart is set to Disabled" +- name: "18.9.86.1 | PATCH | Ensure Sign-in last interactive user automatically after a system-initiated restart is set to Disabled" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: DisableAutomaticRestartSignOn @@ -2494,7 +2495,7 @@ - rule_18.9.86.1 - patch -- name: "18.9.95.1 | PATCH | L1 | Ensure Turn on PowerShell Script Block Logging is set to Disabled" +- name: "18.9.95.1 | PATCH | Ensure Turn on PowerShell Script Block Logging is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Scriptblocklogging name: EnableScriptBlockLogging @@ -2508,7 +2509,7 @@ - rule_18.9.95.1 - patch -- name: "18.9.95.2 | PATCH | L1 | Ensure Turn on PowerShell Transcription is set to Disabled" +- name: "18.9.95.2 | PATCH | Ensure Turn on PowerShell Transcription is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Transcription name: EnableTranscripting @@ -2522,7 +2523,7 @@ - rule_18.9.95.2 - patch -- name: "18.9.97.1.1 | PATCH | L1 | Ensure Allow Basic authentication is set to Disabled" +- name: "18.9.97.1.1 | PATCH | Ensure Allow Basic authentication is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client name: AllowBasic 
@@ -2537,7 +2538,7 @@ - rule_18.9.97.1.1 - patch -- name: "18.9.97.1.2 | PATCH | L1 | Ensure Allow unencrypted traffic is set to Disabled" +- name: "18.9.97.1.2 | PATCH | Ensure Allow unencrypted traffic is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client name: AllowUnencryptedTraffic @@ -2552,7 +2553,7 @@ - rule_18.9.97.1.2 - patch -- name: "18.9.97.1.3 | PATCH | L1 | Ensure Disallow Digest authentication is set to Enabled" +- name: "18.9.97.1.3 | PATCH | Ensure Disallow Digest authentication is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client name: AllowDigest @@ -2566,7 +2567,7 @@ - rule_18.9.97.1.3 - patch -- name: "18.9.97.2.1 | PATCH | L1 | Ensure Allow Basic authentication is set to Disabled" +- name: "18.9.97.2.1 | PATCH | Ensure Allow Basic authentication is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service name: AllowBasic @@ -2597,7 +2598,7 @@ - rule_18.9.97.2.2 - patch -- name: "18.9.97.2.3 | PATCH | L1 | Ensure Allow unencrypted traffic is set to Disabled" +- name: "18.9.97.2.3 | PATCH | Ensure Allow unencrypted traffic is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service name: AllowUnencryptedTraffic @@ -2612,7 +2613,7 @@ - rule_18.9.97.2.3 - patch -- name: "18.9.97.2.4 | PATCH | L1 | Ensure Disallow WinRM from storing RunAs credentials is set to Enabled" +- name: "18.9.97.2.4 | PATCH | Ensure Disallow WinRM from storing RunAs credentials is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service name: DisableRunAs 
@@ -2642,7 +2643,7 @@ - rule_18.9.98.1 - patch -- name: "18.9.99.2.1 | PATCH | L1 | Ensure Prevent users from modifying settings is set to Enabled" +- name: "18.9.99.2.1 | PATCH | Ensure Prevent users from modifying settings is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Defender Security Center\App and Browser protection name: DisallowExploitProtectionOverride @@ -2656,16 +2657,16 @@ - rule_18.9.99.2.1 - patch -- name: "18.9.102.1.1 | PATCH | L1 | Ensure Manage preview builds is set to Enabled Disable preview builds" +- name: "18.9.102.1.1 | PATCH | Ensure Manage preview builds is set to Enabled Disable preview builds" block: - - name: "18.9.102.1.1 | PATCH | L1 | Ensure Manage preview builds is set to Enabled Disable preview builds | ManagePreviewBuilds" + - name: "18.9.102.1.1 | PATCH | Ensure Manage preview builds is set to Enabled Disable preview builds | ManagePreviewBuilds" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate name: ManagePreviewBuilds data: 1 type: dword - - name: "18.9.102.1.1 | PATCH | L1 | Ensure Manage preview builds is set to Enabled Disable preview builds | ManagePreviewBuilds" + - name: "18.9.102.1.1 | PATCH | Ensure Manage preview builds is set to Enabled Disable preview builds | ManagePreviewBuilds" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate name: ManagePreviewBuildsPolicyValue 
@@ -2679,23 +2680,23 @@ - rule_18.9.102.1.1 - patch -- name: "18.9.102.1.2 | PATCH | L1 | Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days" +- name: "18.9.102.1.2 | PATCH | Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days" block: - - name: "18.9.102.1.2 | PATCH | L1 | Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days | DeferFeatureUpdates" + - name: "18.9.102.1.2 | PATCH | Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days | DeferFeatureUpdates" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate name: DeferFeatureUpdates data: 1 type: dword - - name: "18.9.102.1.2 | PATCH | L1 | Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days | DeferFeatureUpdatesPeriodInDays" + - name: "18.9.102.1.2 | PATCH | Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days | DeferFeatureUpdatesPeriodInDays" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate name: DeferFeatureUpdatesPeriodInDays data: 180 type: dword - - name: "18.9.102.1.2 | PATCH | L1 | Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days | BranchReadinessLevel" + - name: "18.9.102.1.2 | PATCH | Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days | BranchReadinessLevel" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate name: BranchReadinessLevel 
@@ -2709,16 +2710,16 @@ - rule_18.9.102.1.2 - patch -- name: "18.9.102.1.3 | PATCH | L1 | Ensure Select when Quality Updates are received is set to Enabled 0 days" +- name: "18.9.102.1.3 | PATCH | Ensure Select when Quality Updates are received is set to Enabled 0 days" block: - - name: "18.9.102.1.3 | PATCH | L1 | Ensure Select when Quality Updates are received is set to Enabled 0 days | DeferQualityUpdates" + - name: "18.9.102.1.3 | PATCH | Ensure Select when Quality Updates are received is set to Enabled 0 days | DeferQualityUpdates" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate name: DeferQualityUpdates data: 1 type: dword - - name: "18.9.102.1.3 | PATCH | L1 | Ensure Select when Quality Updates are received is set to Enabled 0 days | DeferQualityUpdatesPeriodInDays" + - name: "18.9.102.1.3 | PATCH | Ensure Select when Quality Updates are received is set to Enabled 0 days | DeferQualityUpdatesPeriodInDays" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate name: DeferQualityUpdatesPeriodInDays @@ -2732,7 +2733,7 @@ - rule_18.9.102.1.3 - patch -- name: "18.9.102.2 | PATCH | L1 | Ensure Configure Automatic Updates is set to Enabled" +- name: "18.9.102.2 | PATCH | Ensure Configure Automatic Updates is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au name: NoAutoUpdate @@ -2746,7 +2747,7 @@ - rule_18.9.102.2 - patch -- name: "18.9.102.3 | PATCH | L1 | Ensure Configure Automatic Updates Scheduled install day is set to 0 - Every day" +- name: "18.9.102.3 | PATCH | Ensure Configure Automatic Updates Scheduled install day is set to 0 - Every day" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au name: ScheduledInstallDay 
@@ -2760,7 +2761,7 @@ - rule_18.9.102.3 - patch -- name: "18.9.102.4 | PATCH | L1 | Ensure No auto-restart with logged on users for scheduled automatic updates installations is set to Disabled" +- name: "18.9.102.4 | PATCH | Ensure No auto-restart with logged on users for scheduled automatic updates installations is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au name: NoAutoRebootWithLoggedOnUsers diff --git a/tasks/section19.yml b/tasks/section19.yml index 07531c2..f735f6b 100644 --- a/tasks/section19.yml +++ b/tasks/section19.yml @@ -1,14 +1,15 @@ --- -- name: "19.1.3.1 | PATCH | L1 | Ensure Enable screen saver is set to Enabled" + +- name: "19.1.3.1 | PATCH | Ensure Enable screen saver is set to Enabled" block: - - name: "19.1.3.1 | PATCH | L1 | Ensure Enable screen saver is set to Enabled" + - name: "19.1.3.1 | PATCH | Ensure Enable screen saver is set to Enabled" win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop name: ScreenSaveActive data: 1 type: string - - name: "19.1.3.1 | PATCH | L1 | Ensure Enable screen saver is set to Enabled" + - name: "19.1.3.1 | PATCH | Ensure Enable screen saver is set to Enabled" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop name: ScreenSaveActive 
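Review bot: Every section19 task in this file, starting with 19.1.3.1 here and continuing through 19.7.43.1 in the later hunks, writes the per-user policy to `HKU:\.DEFAULT` and `HKCU:`; with win_regedit, `HKCU:` is the hive of the account Ansible connects or becomes as, so user profiles that already exist on the host do not receive the setting, and `.DEFAULT` only seeds profiles created afterwards. For controls such as 19.7.43.1 (AlwaysInstallElevated) and the 19.1.3.x screen-saver lock that is a coverage gap a tag-filtered run would not report. The limitation is pre-existing rather than introduced by the rename, but a comment on the first task, e.g. `# HKCU: covers only the connecting/become user; existing profiles need the per-user HKU hive or a GPO`, would make the scope explicit to operators.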
@@ -46,16 +47,16 @@ - patch - screensaver -- name: "19.1.3.3 | PATCH | L1 | Ensure Password protect the screen saver is set to Enabled" +- name: "19.1.3.3 | PATCH | Ensure Password protect the screen saver is set to Enabled" block: - - name: "19.1.3.3 | PATCH | L1 | Ensure Password protect the screen saver is set to Enabled" + - name: "19.1.3.3 | PATCH | Ensure Password protect the screen saver is set to Enabled" win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop name: ScreenSaverIsSecure data: 1 type: string - - name: "19.1.3.3 | PATCH | L1 | Ensure Password protect the screen saver is set to Enabled" + - name: "19.1.3.3 | PATCH | Ensure Password protect the screen saver is set to Enabled" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop name: ScreenSaverIsSecure @@ -69,16 +70,16 @@ - rule_19.1.3.3 - patch -- name: "19.1.3.4 | PATCH | L1 | Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" +- name: "19.1.3.4 | PATCH | Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" block: - - name: "19.1.3.4 | PATCH | L1 | Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" + - name: "19.1.3.4 | PATCH | Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop name: ScreenSaveTimeOut data: 900 type: string - - name: "19.1.3.4 | PATCH | L1 | Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" + - name: "19.1.3.4 | PATCH | Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop name: ScreenSaveTimeOut 
@@ -92,16 +93,16 @@ - rule_19.1.3.4 - patch -- name: "19.5.1.1 | PATCH | L1 | Ensure Turn off toast notifications on the lock screen is set to Enabled" +- name: "19.5.1.1 | PATCH | Ensure Turn off toast notifications on the lock screen is set to Enabled" block: - - name: "19.5.1.1 | PATCH | L1 | Ensure Turn off toast notifications on the lock screen is set to Enabled" + - name: "19.5.1.1 | PATCH | Ensure Turn off toast notifications on the lock screen is set to Enabled" win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Currentversion\Pushnotifications name: NoToastApplicationNotificationOnLockScreen data: 1 type: dword - - name: "19.5.1.1 | PATCH | L1 | Ensure Turn off toast notifications on the lock screen is set to Enabled" + - name: "19.5.1.1 | PATCH | Ensure Turn off toast notifications on the lock screen is set to Enabled" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\Currentversion\Pushnotifications name: NoToastApplicationNotificationOnLockScreen @@ -138,16 +139,16 @@ - rule_19.6.6.1.1 - patch -- name: "19.7.4.1 | PATCH | L1 | Ensure Do not preserve zone information in file attachments is set to Disabled" +- name: "19.7.4.1 | PATCH | Ensure Do not preserve zone information in file attachments is set to Disabled" block: - - name: "19.7.4.1 | PATCH | L1 | Ensure Do not preserve zone information in file attachments is set to Disabled" + - name: "19.7.4.1 | PATCH | Ensure Do not preserve zone information in file attachments is set to Disabled" win_regedit: path: HKU:\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments name: SaveZoneInformation data: 2 type: dword - - name: "19.7.4.1 | PATCH | L1 | Ensure Do not preserve zone information in file attachments is set to Disabled" + - name: "19.7.4.1 | PATCH | Ensure Do not preserve zone information in file attachments is set to Disabled" win_regedit: path: HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments name: SaveZoneInformation 
@@ -161,16 +162,16 @@ - rule_19.7.4.1 - patch -- name: "19.7.4.2 | PATCH | L1 | Ensure Notify antivirus programs when opening attachments is set to Enabled" +- name: "19.7.4.2 | PATCH | Ensure Notify antivirus programs when opening attachments is set to Enabled" block: - - name: "19.7.4.2 | PATCH | L1 | Ensure Notify antivirus programs when opening attachments is set to Enabled" + - name: "19.7.4.2 | PATCH | Ensure Notify antivirus programs when opening attachments is set to Enabled" win_regedit: path: HKU:\.DEFAULT\Software\Microsoft\Windows\Currentversion\Policies\Attachments name: ScanWithAntiVirus data: 3 type: dword - - name: "19.7.4.2 | PATCH | L1 | Ensure Notify antivirus programs when opening attachments is set to Enabled" + - name: "19.7.4.2 | PATCH | Ensure Notify antivirus programs when opening attachments is set to Enabled" win_regedit: path: HKCU:\Software\Microsoft\Windows\Currentversion\Policies\Attachments name: ScanWithAntiVirus @@ -184,16 +185,16 @@ - rule_19.7.4.2 - patch -- name: "19.7.8.1 | PATCH | L1 | Ensure Configure Windows spotlight on lock screen is set to Disabled" +- name: "19.7.8.1 | PATCH | Ensure Configure Windows spotlight on lock screen is set to Disabled" block: - - name: "19.7.8.1 | PATCH | L1 | Ensure Configure Windows spotlight on lock screen is set to Disabled" + - name: "19.7.8.1 | PATCH | Ensure Configure Windows spotlight on lock screen is set to Disabled" win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent name: ConfigureWindowsSpotlight data: 2 type: dword - - name: "19.7.8.1 | PATCH | L1 | Ensure Configure Windows spotlight on lock screen is set to Disabled" + - name: "19.7.8.1 | PATCH | Ensure Configure Windows spotlight on lock screen is set to Disabled" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent name: ConfigureWindowsSpotlight 
@@ -207,16 +208,16 @@ - rule_19.7.8.1 - patch -- name: "19.7.8.2 | PATCH | L1 | Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" +- name: "19.7.8.2 | PATCH | Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" block: - - name: "19.7.8.2 | PATCH | L1 | Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" + - name: "19.7.8.2 | PATCH | Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent name: DisableThirdPartySuggestions data: 1 type: dword - - name: "19.7.8.2 | PATCH | L1 | Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" + - name: "19.7.8.2 | PATCH | Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent name: DisableThirdPartySuggestions @@ -291,16 +292,16 @@ - patch - spotlight -- name: "19.7.28.1 | PATCH | L1 | Ensure Prevent users from sharing files within their profile. is set to Enabled" +- name: "19.7.28.1 | PATCH | Ensure Prevent users from sharing files within their profile. is set to Enabled" block: - - name: "19.7.28.1 | PATCH | L1 | Ensure Prevent users from sharing files within their profile. is set to Enabled" + - name: "19.7.28.1 | PATCH | Ensure Prevent users from sharing files within their profile. is set to Enabled" win_regedit: path: HKU:\.DEFAULT\Software\Microsoft\Windows\Currentversion\Policies\Explorer name: NoInplaceSharing data: 1 type: dword - - name: "19.7.28.1 | PATCH | L1 | Ensure Prevent users from sharing files within their profile. is set to Enabled" + - name: "19.7.28.1 | PATCH | Ensure Prevent users from sharing files within their profile. is set to Enabled" win_regedit: path: HKCU:\Software\Microsoft\Windows\Currentversion\Policies\Explorer name: NoInplaceSharing 
@@ -314,16 +315,16 @@ - rule_19.7.28.1 - patch -- name: "19.7.43.1 | PATCH | L1 | Ensure Always install with elevated privileges is set to Disabled" +- name: "19.7.43.1 | PATCH | Ensure Always install with elevated privileges is set to Disabled" block: - - name: "19.7.43.1 | PATCH | L1 | Ensure Always install with elevated privileges is set to Disabled" + - name: "19.7.43.1 | PATCH | Ensure Always install with elevated privileges is set to Disabled" win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Installer name: AlwaysInstallElevated data: 0 type: dword - - name: "19.7.43.1 | PATCH | L1 | Ensure Always install with elevated privileges is set to Disabled" + - name: "19.7.43.1 | PATCH | Ensure Always install with elevated privileges is set to Disabled" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\Installer name: AlwaysInstallElevated From 88c5e6c92e95fb197bb90c470a1ae1a19e524f2f Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 24 Oct 2022 09:09:35 -0400 Subject: [PATCH 30/32] updated description tags on section01 Signed-off-by: George Nalen --- tasks/section01.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/tasks/section01.yml b/tasks/section01.yml index 51ba2f6..d29e514 100644 --- a/tasks/section01.yml +++ b/tasks/section01.yml @@ -22,6 +22,7 @@ - level1-memberserver - rule_1.1.1 - patch + - password - name: "1.1.2 | PATCH | Ensure Maximum password age is set to 365 or fewer days but not 0" win_security_policy: @@ -59,6 +60,7 @@ - level1-memberserver - rule_1.1.3 - patch + - password - name: "1.1.4 | PATCH | Ensure Minimum password length is set to 14 or more characters" block: @@ -82,6 +84,7 @@ - level1-memberserver - rule_1.1.4 - patch + - password - name: "1.1.5 | PATCH | Ensure Password must meet complexity requirements is set to Enabled" win_security_policy: 
@@ -95,6 +98,7 @@ - level1-memberserver - rule_1.1.5 - patch + - password - name: "1.1.6 | PATCH | Ensure Store passwords using reversible encryption is set to Disabled" win_security_policy: @@ -108,6 +112,7 @@ - level1-memberserver - rule_1.1.6 - patch + - password # This rule must be applied first to make rule_1.2.1 and rule_1.2.3 applicable - name: "1.2.2 | PATCH | Ensure Account lockout threshold is set to 10 or fewer invalid logon attempts but not 0" @@ -122,6 +127,7 @@ - level1-memberserver - rule_1.2.2 - patch + - account # Speelman | added because of this error "Failed to import secedit.ini file from C:\\Users\\vagrant\\AppData\\Local\\Temp\\tmp81F3.tmp - name: "1.2.1 | AUDIT | Ensure Account lockout duration is set to 15 or more minutes" @@ -147,6 +153,7 @@ - level1-memberserver - rule_1.2.1 - patch + - account - name: "1.2.3 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes" block: @@ -170,3 +177,4 @@ - level1-memberserver - rule_1.2.3 - patch + - account From d9ae7f76d99aa9bf18e419e202ad7271ffe5e766 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 24 Oct 2022 14:01:18 -0400 Subject: [PATCH 31/32] updated tags Signed-off-by: George Nalen --- tasks/section02.yml | 137 ++++++- tasks/section09.yml | 52 +++ tasks/section18.yml | 954 +++++++++++++++++++++++++++++++++----------- tasks/section19.yml | 86 ++-- 4 files changed, 946 insertions(+), 283 deletions(-) diff --git a/tasks/section02.yml b/tasks/section02.yml index f171517..9d7b936 100644 --- a/tasks/section02.yml +++ b/tasks/section02.yml @@ -12,6 +12,7 @@ - level1-memberserver - rule_2.2.1 - patch + - userrights - name: "2.2.2 & 2.2.3 | PATCH | Ensure Access this computer from the network is set to Administrators Authenticated Users ENTERPRISE DOMAIN CONTROLLERS DC only" win_user_right: @@ -29,6 +30,7 @@ - rule_2.2.2 - rule_2.2.3 - patch + - userrights - name: "2.2.4 | PATCH | Ensure Act as part of the operating system is set to No One" win_user_right: 
@@ -42,6 +44,7 @@ - level1-memberserver - rule_2.2.4 - patch + - userrights - name: "2.2.5 | PATCH | Ensure Add workstations to domain is set to Administrators DC only" win_user_right: @@ -55,6 +58,7 @@ - level1-domaincontroller - rule_2.2.5 - patch + - userrights - name: "2.2.6 | PATCH | Ensure Adjust memory quotas for a process is set to Administrators LOCAL SERVICE NETWORK SERVICE" win_user_right: @@ -71,6 +75,7 @@ - level1-memberserver - rule_2.2.6 - patch + - userrights - name: "2.2.7 | PATCH | Ensure Allow log on locally is set to Administrators" win_user_right: @@ -85,6 +90,7 @@ - level1-memberserver - rule_2.2.7 - patch + - userrights - name: "2.2.8 & 2.2.9 | PATCH | Ensure Allow log on through Remote Desktop Services is set to Administrators DC only" win_user_right: @@ -102,6 +108,7 @@ - rule_2.2.8 - rule_2.2.9 - patch + - userrights - name: "2.2.10 | PATCH | Ensure Back up files and directories is set to Administrators" win_user_right: @@ -116,6 +123,7 @@ - level1-memberserver - rule_2.2.10 - patch + - userrights - name: "2.2.11 | PATCH | Ensure Change the system time is set to Administrators LOCAL SERVICE" win_user_right: @@ -146,6 +154,7 @@ - level1-memberserver - rule_2.2.12 - patch + - userrights - name: "2.2.13 | PATCH | Ensure Create a pagefile is set to Administrators" win_user_right: @@ -160,6 +169,7 @@ - level1-memberserver - rule_2.2.13 - patch + - userrights - name: "2.2.14 | PATCH | Ensure Create a token object is set to No One" win_user_right: @@ -173,6 +183,7 @@ - level1-memberserver - rule_2.2.14 - patch + - userrights - name: "2.2.15 | PATCH | Ensure Create global objects is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE" win_user_right: @@ -190,6 +201,7 @@ - level1-memberserver - rule_2.2.15 - patch + - userrights - name: "2.2.16 | PATCH | Ensure Create permanent shared objects is set to No One" win_user_right: 
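Review bot: 2.2.11 (Change the system time) appears to receive no `- userrights` tag: the hunk at old line 116 adds the tag under rule_2.2.10 and shows 2.2.11's name, but the next hunk resumes at rule_2.2.12, and the untouched lines between them are where 2.2.11's tags list sits. If `--tags userrights` is meant to reproduce the whole 2.2.x user-rights section, that task would be skipped without any message and the right left unhardened; adding `- userrights` after `- patch` on rule_2.2.11 closes the gap. This is inferred from hunk offsets, since 2.2.11's tags are not visible in this view.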
@@ -203,6 +215,7 @@ - level1-memberserver - rule_2.2.16 - patch + - userrights - name: "2.2.17 | PATCH | Ensure Create symbolic links is set to Administrators DC only" win_user_right: @@ -217,6 +230,7 @@ - level1-domaincontroller - rule_2.2.17 - patch + - userrights - name: "2.2.18 | PATCH | Ensure Create symbolic links is set to Administrators NT VIRTUAL MACHINEVirtual Machines MS only" block: @@ -243,6 +257,7 @@ - level1-memberserver - rule_2.2.18 - patch + - userrights - name: "2.2.19 | PATCH | Ensure Debug programs is set to Administrators" win_user_right: @@ -257,6 +272,7 @@ - level1-memberserver - rule_2.2.19 - patch + - userrights # Limiting hardening to only include the Guests group, since Local Account access will still be needed for non-domain-joined nodes - name: "2.2.20 | PATCH | Ensure Deny access to this computer from the network to include Guests DC only" @@ -272,6 +288,7 @@ - level1-domaincontroller - rule_2.2.20 - patch + - userrights - name: "2.2.21 | PATCH | Ensure Deny access to this computer from the network to include Guests Local account and member of Administrators group MS only" win_user_right: @@ -288,6 +305,7 @@ - level1-memberserver - rule_2.2.21 - patch + - userrights - name: "2.2.22 | PATCH | Ensure Deny log on as a batch job to include Guests" win_user_right: @@ -302,6 +320,7 @@ - level1-memberserver - rule_2.2.22 - patch + - userrights - name: "2.2.23 | PATCH | Ensure Deny log on as a service to include Guests" win_user_right: @@ -316,6 +335,7 @@ - level1-memberserver - rule_2.2.23 - patch + - userrights - name: "2.2.24 | PATCH | Ensure Deny log on locally to include Guests" win_user_right: @@ -330,6 +350,7 @@ - level1-memberserver - rule_2.2.24 - patch + - userrights - name: "2.2.25 | PATCH | Ensure Deny log on through Remote Desktop Services to include Guests DC only" win_user_right: 
@@ -345,6 +366,7 @@ - level1-domaincontroller - rule_2.2.25 - patch + - guest - name: "2.2.26 | PATCH | Ensure Deny log on through Remote Desktop Services is set to Guests Local account MS only" win_user_right: @@ -360,6 +382,7 @@ - level1-memberserver - rule_2.2.26 - patch + - guest - name: "2.2.27 | PATCH | Ensure Enable computer and user accounts to be trusted for delegation is set to Administrators DC only" win_user_right: @@ -374,6 +397,8 @@ - level1-domaincontroller - rule_2.2.27 - patch + - userrights + - administrators - name: "2.2.28 | PATCH | Ensure Enable computer and user accounts to be trusted for delegation is set to No One MS only" win_user_right: @@ -387,6 +412,7 @@ - level1-memberserver - rule_2.2.28 - patch + - userrights - name: "2.2.29 | PATCH | Ensure Force shutdown from a remote system is set to Administrators" win_user_right: @@ -401,6 +427,8 @@ - level1-memberserver - rule_2.2.29 - patch + - userrights + - administrators - name: "2.2.30 | PATCH | Ensure Generate security audits is set to LOCAL SERVICE NETWORK SERVICE" win_user_right: @@ -416,6 +444,8 @@ - level1-memberserver - rule_2.2.30 - patch + - userrights + - services - name: "2.2.31 | PATCH | Ensure Impersonate a client after authentication is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE DC only" win_user_right: @@ -433,6 +463,9 @@ - level1-domaincontroller - rule_2.2.31 - patch + - userrights + - services + - administrators - name: "2.2.32 | PATCH | Ensure Impersonate a client after authentication is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE and when the Web Server IIS Role with Web Services Role Service is installed IIS IUSRS MS only" win_user_right: @@ -451,6 +484,9 @@ - level1-memberserver - rule_2.2.32 - patch + - userrights + - administrators + - services - name: "2.2.33 | PATCH | Ensure Increase scheduling priority is set to Administrators Window ManagerWindow Manager Group" win_user_right: 
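Review bot: 2.2.25 and 2.2.26 are tagged only `- guest`, whereas the parallel Deny-logon tasks 2.2.20 to 2.2.24 in the previous hunks are tagged only `- userrights`; all seven are win_user_right tasks that keep the Guests group out, so a run with either tag applies only part of the set and skips the rest silently. Giving all seven both tags (`- userrights` and `- guest`) makes either selection complete. The win_user_right bodies of these tasks are outside the hunks, so this is based on the task names and tags alone.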
@@ -464,6 +500,7 @@ - level1-memberserver - rule_2.2.33 - patch + - userrights - name: "2.2.34 | PATCH | Ensure Load and unload device drivers is set to Administrators" win_user_right: @@ -478,6 +515,7 @@ - level1-memberserver - rule_2.2.34 - patch + - userrights - name: "2.2.35 | PATCH | Ensure Lock pages in memory is set to No One" win_user_right: @@ -491,8 +529,9 @@ - level1-memberserver - rule_2.2.35 - patch + - userrights -- name: "2.2.36 | PATCH | L2 | Ensure Log on as a batch job is set to Administrators DC Only" +- name: "2.2.36 | PATCH | Ensure Log on as a batch job is set to Administrators DC Only" win_user_right: name: SeBatchLogonRight users: Administrators @@ -504,6 +543,8 @@ - level2-domaincontroller - rule_2.2.36 - patch + - userrights + - administrators - name: "2.2.37 & 2.2.38 | PATCH | Ensure Manage auditing and security log is set to Administrators and when Exchange is running in the environment Exchange Servers DC only" win_user_right: @@ -520,6 +561,8 @@ - rule_2.2.37 - rule_2.2.38 - patch + - userrights + - administrators - name: "2.2.39 | PATCH | Ensure Modify an object label is set to No One" win_user_right: @@ -533,6 +576,7 @@ - level1-memberserver - rule_2.2.39 - patch + - userrights - name: "2.2.40 | PATCH | Ensure Modify firmware environment values is set to Administrators" win_user_right: @@ -547,6 +591,8 @@ - level1-memberserver - rule_2.2.40 - patch + - userrights + - administrators - name: "2.2.41 | PATCH | Ensure Perform volume maintenance tasks is set to Administrators" win_user_right: @@ -561,6 +607,8 @@ - level1-memberserver - rule_2.2.41 - patch + - userrights + - administrators - name: "2.2.42 | PATCH | Ensure Profile single process is set to Administrators" win_user_right: @@ -575,6 +623,8 @@ - level1-memberserver - rule_2.2.42 - patch + - userrights + - administrators - name: "2.2.43 | PATCH | Ensure Profile system performance is set to Administrators NT SERVICEWdiServiceHost" win_user_right: 
@@ -590,6 +640,9 @@ - level1-memberserver - rule_2.2.43 - patch + - userrights + - administrator + - service - name: "2.2.44 | PATCH | Ensure Replace a process level token is set to LOCAL SERVICE NETWORK SERVICE" win_user_right: @@ -605,6 +658,8 @@ - level1-memberserver - rule_2.2.44 - patch + - userrights + - service - name: "2.2.45 | PATCH | Ensure Restore files and directories is set to Administrators" win_user_right: @@ -619,6 +674,8 @@ - level1-memberserver - rule_2.2.45 - patch + - userright + - administrator - name: "2.2.46 | PATCH | Ensure Shut down the system is set to Administrators" win_user_right: @@ -633,6 +690,8 @@ - level1-memberserver - rule_2.2.46 - patch + - userright + - administrator - name: "2.2.47 | PATCH | Ensure Synchronize directory service data is set to No One DC only" win_user_right: @@ -646,6 +705,7 @@ - level1-domaincontroller - rule_2.2.47 - patch + - userright - name: "2.2.48 | PATCH | Ensure Take ownership of files or other objects is set to Administrators" win_user_right: @@ -660,6 +720,8 @@ - level1-memberserver - rule_2.2.48 - patch + - userright + - administrator - name: "2.3.1.1 | PATCH | Ensure Accounts Administrator account status is set to Disabled MS only" win_security_policy: @@ -674,6 +736,7 @@ - level1-memberserver - rule_2.3.1.1 - patch + - securitypolicy - name: "2.3.1.2 | PATCH | Ensure Accounts Block Microsoft accounts is set to Users cant add or log on with Microsoft accounts" win_regedit: @@ -688,6 +751,7 @@ - level1-memberserver - rule_2.3.1.2 - patch + - securitypolicy - name: "2.3.1.3 | PATCH | Ensure Accounts Guest account status is set to Disabled MS only" win_security_policy: @@ -700,6 +764,7 @@ - level1-memberserver - rule_2.3.1.3 - patch + - securitypolicy - name: "2.3.1.4 | PATCH | Ensure Accounts Limit local account use of blank passwords to console logon only is set to Enabled" win_regedit: 
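Review bot: The tags added here drift between singular and plural spellings of the same concept: `- userright` on 2.2.45 to 2.2.48 versus `- userrights` in every earlier hunk, `- administrator` on 2.2.43, 2.2.45, 2.2.46 and 2.2.48 versus `- administrators` on 2.2.27 through 2.2.42, and `- service` on 2.2.43 and 2.2.44 versus `- services` on 2.2.30 to 2.2.32. Ansible matches tags as literal strings, so `--tags userrights,administrators` would skip these tasks with no error and leave those user-right assignments unhardened, which defeats the purpose of the tag scheme. The same drift recurs with `- accounts` on 2.3.10.4 and 2.3.10.5 in the later hunks, where every other task in this file and in section01 uses `- account`. Pick one spelling per concept (`userrights`, `administrators`, `services`, `account`), apply it throughout, and consider a CI check that every tag in tasks/ belongs to a fixed vocabulary list.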
@@ -714,6 +779,7 @@ - level1-memberserver - rule_2.3.1.4 - patch + - account - name: "2.3.1.5 | PATCH | Configure Accounts Rename administrator account" win_security_policy: @@ -728,6 +794,7 @@ - level1-memberserver - rule_2.3.1.5 - patch + - securitypolicy - name: "2.3.1.6 | PATCH | Configure Accounts Rename guest account" win_security_policy: @@ -741,6 +808,7 @@ - level1-memberservers - rule_2.3.1.6 - patch + - securitypolicy - name: "2.3.2.1 | PATCH | Ensure Audit Force audit policy subcategory settings Windows Vista or later to override audit policy category settings is set to Enabled" win_regedit: @@ -755,6 +823,7 @@ - level1-memberserver - rule_2.3.2.1 - patch + - auditpolicy - name: "2.3.2.2 | PATCH | Ensure Audit Shut down system immediately if unable to log security audits is set to Disabled" win_regedit: @@ -769,6 +838,7 @@ - level1-memberserver - rule_2.3.2.2 - patch + - auditpolicy - name: "2.3.4.1 | PATCH | Ensure Devices Allowed to format and eject removable media is set to Administrators" win_regedit: @@ -783,6 +853,7 @@ - level1-memberserver - rule_2.3.4.1 - patch + - devices - name: "2.3.4.2 | PATCH | Ensure Devices Prevent users from installing printer drivers is set to Enabled" win_regedit: @@ -797,6 +868,7 @@ - level1-memberserver - rule_2.3.4.2 - patch + - devices - name: "2.3.5.1 | PATCH | Ensure Domain controller Allow server operators to schedule tasks is set to Disabled DC only" win_regedit: @@ -812,6 +884,7 @@ - level1-domaincontroller - rule_2.3.5.1 - patch + - scheduledtasks - name: "2.3.5.2 | PATCH | Ensure Domain controller Allow vulnerable Netlogon secure channel connections' is set to 'Not Configured DC only" win_regedit: @@ -827,6 +900,7 @@ - level1-domaincontroller - rule_2.3.5.2 - patch + - logon - name: "2.3.5.3 | PATCH | Ensure Domain controller LDAP server channel binding token requirements' is set to 'Always' DC only" win_regedit: 
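Review bot: The 2.3.1.6 hunk (rename guest account) carries the pre-existing context line `- level1-memberservers`, while every other task uses `- level1-memberserver`; this commit did not introduce it, but a level-filtered run with `--tags level1-memberserver` skips that rename silently, so it is worth fixing while the tags list is being edited. Separately, 2.3.1.4 is tagged `- account` and 2.3.1.2 `- securitypolicy` although both are win_regedit tasks rather than win_security_policy ones: if `securitypolicy` denotes the module, 2.3.1.2 should not carry it, and if it denotes the benchmark area, 2.3.1.4 should. A one-line comment at the top of the file stating what `securitypolicy` means would settle this for future additions.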
@@ -842,6 +916,7 @@ - level1-domaincontroller - rule_2.3.5.3 - patch + - ladp - name: "2.3.5.4 | PATCH | Ensure Domain controller LDAP server signing requirements is set to Require signing DC only" win_regedit: @@ -856,6 +931,7 @@ - level1-domaincontroller - rule_2.3.5.4 - patch + - ladp - name: "2.3.5.5 | PATCH | Ensure Domain controller Refuse machine account password changes is set to Disabled DC only" win_regedit: @@ -871,6 +947,7 @@ - level1-domaincontroller - rule_2.3.5.5 - patch + - account - name: "2.3.6.1 | PATCH | Ensure Domain member Digitally encrypt or sign secure channel data always is set to Enabled" win_regedit: @@ -887,6 +964,7 @@ - level1-memberserver - rule_2.3.6.1 - patch + - encryption - name: "2.3.6.2 | PATCH | Ensure Domain member Digitally encrypt secure channel data when possible is set to Enabled" win_regedit: @@ -903,6 +981,7 @@ - level1-memberserver - rule_2.3.6.2 - patch + - encryption - name: "2.3.6.3 | PATCH | Ensure Domain member Digitally sign secure channel data when possible is set to Enabled" win_regedit: @@ -918,6 +997,7 @@ - level1-memberserver - rule_2.3.6.3 - patch + - logon - name: "2.3.6.4 | PATCH | Ensure Domain member Disable machine account password changes is set to Disabled" win_regedit: @@ -933,6 +1013,7 @@ - level1-memberserver - rule_2.3.6.4 - patch + - logon - name: "2.3.6.5 | PATCH | Ensure Domain member Maximum machine account password age is set to 30 or fewer days but not 0" win_regedit: @@ -948,6 +1029,7 @@ - level1-memberserver - rule_2.3.6.5 - patch + - account - name: "2.3.6.6 | PATCH | Ensure Domain member Require strong Windows 2000 or later session key is set to Enabled" win_regedit: @@ -963,6 +1045,7 @@ - level1-memberserver - rule_2.3.6.6 - patch + - logon - name: "2.3.7.1 | PATCH | Ensure Interactive logon Do not require CTRLALTDEL is set to Disabled" win_regedit: 
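Review bot: `- ladp` on 2.3.5.3 and 2.3.5.4 is a misspelling of `ldap`; a run selecting `--tags ldap` would skip the LDAP channel-binding-token and signing requirements on domain controllers with no error, and nothing else in this file would catch the typo. Change both lines to `- ldap`. The Netlogon control 2.3.5.2 is tagged `- logon` while the related secure-channel controls 2.3.6.1 and 2.3.6.2 are `- encryption` and 2.3.6.3 (sign secure channel data) is `- logon` again; one tag such as `- securechannel` across 2.3.5.2 and 2.3.6.x would make that family selectable as a unit.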
@@ -977,6 +1060,7 @@ - level1-memberserver - rule_2.3.7.1 - patch + - logon - name: "2.3.7.2 | PATCH | Ensure Interactive logon Dont display last signed-in is set to Enabled" win_regedit: @@ -991,6 +1075,7 @@ - level1-memberserver - rule_2.3.7.2 - patch + - logon - name: "2.3.7.3 | PATCH | Ensure Interactive logon Machine inactivity limit is set to 900 or fewer seconds but not 0" win_regedit: @@ -1005,6 +1090,7 @@ - level1-memberserver - rule_2.3.7.3 - patch + - logon - name: "2.3.7.4 | PATCH | Configure Interactive logon Message text for users attempting to log on" win_regedit: @@ -1019,6 +1105,7 @@ - level1-memberserver - rule_2.3.7.4 - patch + - logon - name: "2.3.7.5 | PATCH | Configure Interactive logon Message title for users attempting to log on" win_regedit: @@ -1033,8 +1120,9 @@ - level1-memberserver - rule_2.3.7.5 - patch + - logon -- name: "2.3.7.6 | PATCH | L2 | Ensure Interactive logon Number of previous logons to cache in case domain controller is not available is set to 4 or fewer logons MS only" +- name: "2.3.7.6 | PATCH | Ensure Interactive logon Number of previous logons to cache in case domain controller is not available is set to 4 or fewer logons MS only" win_regedit: path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon name: cachedlogonscount @@ -1046,6 +1134,7 @@ - level2-memberserver - rule_2.3.7.6 - patch + - logon - name: "2.3.7.7 | PATCH | Ensure Interactive logon Prompt user to change password before expiration is set to between 5 and 14 days" win_regedit: @@ -1060,6 +1149,7 @@ - level1-memberserver - rule_2.3.7.7 - patch + - logon - name: "2.3.7.8 | PATCH | Ensure Interactive logon Require Domain Controller Authentication to unlock workstation is set to Enabled MS only" win_regedit: @@ -1074,6 +1164,7 @@ - level1-memberserver - rule_2.3.7.8 - patch + - logon - name: "2.3.7.9 | PATCH | Ensure Interactive logon Smart card removal behavior is set to Lock Workstation or higher" win_regedit: 
@@ -1088,6 +1179,7 @@ - level1-memberserver - rule_2.3.7.9 - patch + - logon - name: "2.3.8.1 | PATCH | Ensure Microsoft network client Digitally sign communications always is set to Enabled" win_regedit: @@ -1102,6 +1194,7 @@ - level1-memberserver - rule_2.3.8.1 - patch + - logon - name: "2.3.8.2 | PATCH | Ensure Microsoft network client Digitally sign communications if server agrees is set to Enabled" win_regedit: @@ -1116,6 +1209,7 @@ - level1-memberserver - rule_2.3.8.2 - patch + - logon - name: "2.3.8.3 | PATCH | Ensure Microsoft network client Send unencrypted password to third-party SMB servers is set to Disabled" win_regedit: @@ -1130,6 +1224,7 @@ - level1-memberserver - rule_2.3.8.3 - patch + - encryption - name: "2.3.9.1 | PATCH | Ensure Microsoft network server Amount of idle time required before suspending session is set to 15 or fewer minutes" win_regedit: @@ -1144,6 +1239,7 @@ - level1-memberserver - rule_2.3.9.1 - patch + - account - name: "2.3.9.2 | PATCH | Ensure Microsoft network server Digitally sign communications always is set to Enabled" win_regedit: @@ -1158,6 +1254,7 @@ - level1-memberserver - rule_2.3.9.2 - patch + - account - name: "2.3.9.3 | PATCH | Ensure Microsoft network server Digitally sign communications if client agrees is set to Enabled" win_regedit: @@ -1172,6 +1269,7 @@ - level1-memberserver - rule_2.3.9.3 - patch + - account - name: "2.3.9.4 | PATCH | Ensure Microsoft network server Disconnect clients when logon hours expire is set to Enabled" win_regedit: @@ -1186,6 +1284,7 @@ - level1-memberserver - rule_2.3.9.4 - patch + - account - name: "2.3.9.5 | PATCH | Ensure Microsoft network server Server SPN target name validation level is set to Accept if provided by client or higher MS only" win_regedit: @@ -1201,6 +1300,7 @@ - level1-memberserver - rule_2.3.9.5 - patch + - account - name: "2.3.10.1 | PATCH | Ensure Network access Allow anonymous SIDName translation is set to Disabled" win_security_policy: 
@@ -1214,6 +1314,7 @@ - level1-memberserver - rule_2.3.10.1 - patch + - securitypolicy - name: "2.3.10.2 | PATCH | Ensure Network access Do not allow anonymous enumeration of SAM accounts is set to Enabled MS only" win_regedit: @@ -1228,6 +1329,7 @@ - level1-memberserver - rule_2.3.10.2 - patch + - sam - name: "2.3.10.3 | PATCH | Ensure Network access Do not allow anonymous enumeration of SAM accounts and shares is set to Enabled MS only" win_regedit: @@ -1242,8 +1344,9 @@ - level1-memberserver - rule_2.3.10.3 - patch + - sam -- name: "2.3.10.4 | PATCH | L2 | Ensure Network access Do not allow storage of passwords and credentials for network authentication is set to Enabled" +- name: "2.3.10.4 | PATCH | Ensure Network access Do not allow storage of passwords and credentials for network authentication is set to Enabled" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Lsa name: DisableDomainCreds @@ -1256,6 +1359,7 @@ - level2-memberserver - rule_2.3.10.4 - patch + - accounts - name: "2.3.10.5 | PATCH | Ensure Network access Let Everyone permissions apply to anonymous users is set to Disabled" win_regedit: @@ -1270,6 +1374,7 @@ - level1-memberserver - rule_2.3.10.5 - patch + - accounts - name: "2.3.10.6 | PATCH | Configure Network access Named Pipes that can be accessed anonymously DC only" win_regedit: @@ -1284,6 +1389,7 @@ - level1-domaincontroller - rule_2.3.10.6 - patch + - namedpipes - name: "2.3.10.7 | PATCH | Configure Network access Named Pipes that can be accessed anonymously MS only" win_regedit: @@ -1298,6 +1404,7 @@ - level1-memberserver - rule_2.3.10.7 - patch + - namedpipes - name: "2.3.10.8 | PATCH | Configure Network access Remotely accessible registry paths" win_regedit: @@ -1340,6 +1447,7 @@ - level1-memberserver - rule_2.3.10.10 - patch + - namedpipes - name: "2.3.10.11 | PATCH | Ensure Network access Restrict clients allowed to make remote calls to SAM is set to Administrators Remote Access Allow MS only" win_regedit: 
@@ -1353,6 +1461,7 @@ - level1-memberserver - rule_2.3.10.11 - patch + - sam - name: "2.3.10.12 | PATCH | Ensure Network access Shares that can be accessed anonymously is set to None" win_regedit: @@ -1367,6 +1476,7 @@ - level1-memberserver - rule_2.3.10.12 - patch + - shares - name: "2.3.10.13 | PATCH | Ensure Network access Sharing and security model for local accounts is set to Classic - local users authenticate as themselves" win_regedit: @@ -1381,6 +1491,7 @@ - level1-memberserver - rule_2.3.10.13 - patch + - guest - name: "2.3.11.1 | PATCH | Ensure Network security Allow Local System to use computer identity for NTLM is set to Enabled" win_regedit: @@ -1395,6 +1506,7 @@ - level1-memberserver - rule_2.3.11.1 - patch + - ntlm - name: "2.3.11.2 | PATCH | Ensure Network security Allow LocalSystem NULL session fallback is set to Disabled" win_regedit: @@ -1409,6 +1521,7 @@ - level1-memberserver - rule_2.3.11.2 - patch + - localsystem - name: "2.3.11.3 | PATCH | Ensure Network Security Allow PKU2U authentication requests to this computer to use online identities is set to Disabled" win_regedit: @@ -1423,6 +1536,7 @@ - level1-memberserver - rule_2.3.11.3 - patch + - authentication - name: "2.3.11.4 | PATCH | Ensure Network security Configure encryption types allowed for Kerberos is set to AES128 HMAC SHA1 AES256 HMAC SHA1 Future encryption types" win_regedit: @@ -1437,6 +1551,7 @@ - level1-memberserver - rule_2.3.11.4 - patch + - encryption - name: "2.3.11.5 | PATCH | Ensure Network security Do not store LAN Manager hash value on next password change is set to Enabled" win_regedit: @@ -1451,6 +1566,7 @@ - level1-memberserver - rule_2.3.11.5 - patch + - network - name: "2.3.11.6 | PATCH | Ensure Network security Force logoff when logon hours expire is set to Enabled" win_regedit: 
@@ -1465,6 +1581,7 @@ - level1-memberserver - rule_2.3.11.6 - patch + - network - name: "2.3.11.7 | PATCH | Ensure Network security LAN Manager authentication level is set to Send NTLMv2 response only. Refuse LM NTLM" win_regedit: @@ -1479,6 +1596,7 @@ - level1-memberserver - rule_2.3.11.7 - patch + - network - name: "2.3.11.8 | PATCH | Ensure Network security LDAP client signing requirements is set to Negotiate signing or higher" win_regedit: @@ -1493,6 +1611,7 @@ - level1-memberserver - rule_2.3.11.8 - patch + - ladp - name: "2.3.11.9 | PATCH | Ensure Network security Minimum session security for NTLM SSP based including secure RPC clients is set to Require NTLMv2 session security Require 128-bit encryption" win_regedit: @@ -1507,6 +1626,7 @@ - level1-memberserver - rule_2.3.11.9 - patch + - ntlm - name: "2.3.11.10 | PATCH | Ensure Network security Minimum session security for NTLM SSP based including secure RPC servers is set to Require NTLMv2 session security Require 128-bit encryption" win_regedit: @@ -1521,6 +1641,7 @@ - level1-memberserver - rule_2.3.11.10 - patch + - ntlm - name: "2.3.13.1 | PATCH | Ensure Shutdown Allow system to be shut down without having to log on is set to Disabled" win_regedit: @@ -1535,6 +1656,8 @@ - level1-memberserver - rule_2.3.13.1 - patch + - system + - shutdown - name: "2.3.15.1 | PATCH | Ensure System objects Require case insensitivity for non-Windows subsystems is set to Enabled" win_regedit: @@ -1577,6 +1700,7 @@ - level1-memberserver - rule_2.3.17.1 - patch + - uac - name: "2.3.17.2 | PATCH | Ensure User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode is set to Prompt for consent on the secure desktop" win_regedit: @@ -1591,6 +1715,7 @@ - level1-memberserver - rule_2.3.17.2 - patch + - uac - name: "2.3.17.3 | PATCH | Ensure User Account Control Behavior of the elevation prompt for standard users is set to Automatically deny elevation requests" win_regedit: 
@@ -1605,6 +1730,7 @@ - level1-memberserver - rule_2.3.17.3 - patch + - uac - name: "2.3.17.4 | PATCH | Ensure User Account Control Detect application installations and prompt for elevation is set to Enabled" win_regedit: @@ -1619,6 +1745,7 @@ - level1-memberserver - rule_2.3.17.4 - patch + - uac - name: "2.3.17.5 | PATCH | Ensure User Account Control Only elevate UIAccess applications that are installed in secure locations is set to Enabled" win_regedit: @@ -1633,6 +1760,7 @@ - level1-memberserver - rule_2.3.17.5 - patch + - uac - name: "2.3.17.6 | PATCH | Ensure User Account Control Run all administrators in Admin Approval Mode is set to Enabled" win_regedit: @@ -1647,6 +1775,7 @@ - level1-memberserver - rule_2.3.17.6 - patch + - uac - name: "2.3.17.7 | PATCH | Ensure User Account Control Switch to the secure desktop when prompting for elevation is set to Enabled" win_regedit: @@ -1661,6 +1790,7 @@ - level1-memberserver - rule_2.3.17.7 - patch + - uac - name: "2.3.17.8 | PATCH | Ensure User Account Control Virtualize file and registry write failures to per-user locations is set to Enabled" win_regedit: @@ -1675,3 +1805,4 @@ - level1-memberserver - rule_2.3.17.8 - patch + - uac diff --git a/tasks/section09.yml b/tasks/section09.yml index 779891d..5919adc 100644 --- a/tasks/section09.yml +++ b/tasks/section09.yml @@ -13,6 +13,8 @@ - level1-memberserver - rule_9.1.1 - patch + - firewall + - domain - name: "9.1.2 | PATCH | Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'" win_regedit: @@ -27,6 +29,8 @@ - level1-memberserver - rule_9.1.2 - patch + - firewall + - domain - name: "9.1.3 | PATCH | Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'" win_regedit: @@ -41,6 +45,8 @@ - level1-memberserver - rule_9.1.3 - patch + - firewall + - domain - name: "9.1.4 | PATCH | Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'" win_regedit: 
@@ -55,6 +61,8 @@ - level1-memberserver - rule_9.1.4 - patch + - firewall + - domain # title has slashes switched - name: "9.1.5 | PATCH | Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%/System32/logfiles/firewall/domainfw.log'" @@ -70,6 +78,8 @@ - level1-memberserver - rule_9.1.5 - patch + - firewall + - domain - name: "9.1.6 | PATCH | Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'" win_regedit: @@ -84,6 +94,8 @@ - level1-memberserver - rule_9.1.6 - patch + - firewall + - domain - name: "9.1.7 | PATCH | Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'" win_regedit: @@ -98,6 +110,8 @@ - level1-memberserver - rule_9.1.7 - patch + - firewall + - domain - name: "9.1.8 | PATCH | Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'" win_regedit: @@ -112,6 +126,8 @@ - level1-memberserver - rule_9.1.7 - patch + - firewall + - domain - name: "9.2.1 | PATCH | Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'" win_regedit: @@ -126,6 +142,8 @@ - level1-memberserver - rule_9.2.1 - patch + - firewall + - private - name: "9.2.2 | PATCH | Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'" win_regedit: @@ -140,6 +158,8 @@ - level1-memberserver - rule_9.2.2 - patch + - firewall + - private - name: "9.2.3 | PATCH | Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'" win_regedit: @@ -154,6 +174,8 @@ - level1-memberserver - rule_9.2.3 - patch + - firewall + - private - name: "9.2.4 | PATCH | Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'" win_regedit: @@ -168,6 +190,8 @@ - level1-memberserver - rule_9.2.4 - patch + - firewall + - private # title has slashes switched - name: "9.2.5 | PATCH | Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%/System32/logfiles/firewall/privatefw.log'" 
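Review bot: The 9.1.8 task (hunk `@@ -112,6 +126,8 @@`, the one immediately before 9.2.1) still carries `- rule_9.1.7` as its rule tag, so it is the second task tagged `rule_9.1.7` and nothing in the file is tagged `rule_9.1.8`; since this commit rewrites that tag list anyway, changing the line to `- rule_9.1.8` would fix the selection. The task's `when:` clause is outside the hunk, so I can't tell whether it also references `rule_9_1_7` — worth checking at the same time, because that would make 9.1.8 (log successful connections) impossible to toggle independently of 9.1.7.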
@@ -183,6 +207,8 @@ - level1-memberserver - rule_9.2.5 - patch + - firewall + - private - name: "9.2.6 | PATCH | Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'" win_regedit: @@ -197,6 +223,8 @@ - level1-memberserver - rule_9.2.6 - patch + - firewall + - private - name: "9.2.7 | PATCH | Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'" win_regedit: @@ -211,6 +239,8 @@ - level1-memberserver - rule_9.2.7 - patch + - firewall + - private - name: "9.2.8 | PATCH | Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'" win_regedit: @@ -225,6 +255,8 @@ - level1-memberserver - rule_9.2.8 - patch + - firewall + - private - name: "9.3.1 | PATCH | Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'" win_regedit: @@ -239,6 +271,8 @@ - level1-memberserver - rule_9.3.1 - patch + - firewall + - public - name: "9.3.2 | PATCH | Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'" win_regedit: @@ -253,6 +287,8 @@ - level1-memberserver - rule_9.3.2 - patch + - firewall + - public - name: "9.3.3 | PATCH | Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'" win_regedit: @@ -267,6 +303,8 @@ - level1-memberserver - rule_9.3.3 - patch + - firewall + - public - name: "9.3.4 | PATCH | Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'" win_regedit: @@ -281,6 +319,8 @@ - level1-memberserver - rule_9.3.4 - patch + - firewall + - public - name: "9.3.5 | PATCH | Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'" win_regedit: @@ -296,6 +336,8 @@ - level1-memberserver - rule_9.3.5 - patch + - firewall + - public - name: "9.3.6 | PATCH | Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'" win_regedit: 
@@ -310,6 +352,8 @@ - level1-memberserver - rule_9.3.6 - patch + - firewall + - public # title has slashes switched - name: "9.3.7 | PATCH | Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%/System32/logfiles/firewall/publicfw.log'" @@ -325,6 +369,8 @@ - level1-memberserver - rule_9.3.7 - patch + - firewall + - public - name: "9.3.8 | PATCH | Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'" win_regedit: @@ -339,6 +385,8 @@ - level1-memberserver - rule_9.3.8 - patch + - firewall + - public - name: "9.3.9 | PATCH | Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'" win_regedit: @@ -353,6 +401,8 @@ - level1-memberserver - rule_9.3.9 - patch + - firewall + - public - name: "9.3.10 | PATCH | Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'" win_regedit: @@ -367,3 +417,5 @@ - level1-memberserver - rule_9.3.10 - patch + - firewall + - public diff --git a/tasks/section18.yml b/tasks/section18.yml index af206e8..8d703ee 100644 --- a/tasks/section18.yml +++ b/tasks/section18.yml @@ -13,6 +13,7 @@ - level1-memberserver - rule_18.1.1.1 - patch + - camera - name: "18.1.1.2 | PATCH | Ensure Prevent enabling lock screen slide show is set to Enabled" win_regedit: @@ -27,6 +28,7 @@ - level1-memberserver - rule_18.1.1.2 - patch + - lockscreen - name: "18.1.2.2 | PATCH | Ensure Allow users to enable online speech recognition services is set to Disabled" win_regedit: @@ -41,8 +43,9 @@ - level1-memberserver - rule_18.1.2.2 - patch + - onlinespeech -- name: "18.1.3 | PATCH | L2 | Ensure Allow Online Tips is set to Disabled" +- name: "18.1.3 | PATCH | Ensure Allow Online Tips is set to Disabled" win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer name: AllowOnlineTips 
@@ -55,6 +58,7 @@ - level2-memberserver - rule_18.1.3 - patch + - onlinetips - name: "18.2.1 | PATCH | Ensure LAPS AdmPwd GPO Extension CSE is installed MS only" win_regedit: @@ -69,6 +73,8 @@ - level1-memberserver - rule_18.2.1 - patch + - laps + - gpo - name: "18.2.2 | PATCH | Ensure Do not allow password expiration time longer than required by policy is set to Enabled MS only" win_regedit: @@ -83,6 +89,7 @@ - level1-memberserver - rule_18.2.2 - patch + - accounts - name: "18.2.3 | PATCH | Ensure Enable Local Admin Password Management is set to Enabled MS only" win_regedit: @@ -97,6 +104,8 @@ - level1-memberserver - rule_18.2.3 - patch + - accounts + - admin - name: "18.2.4 | PATCH | Ensure Password Settings Password Complexity is set to Enabled Large letters small letters numbers special characters MS only" win_regedit: @@ -111,6 +120,7 @@ - level1-memberserver - rule_18.2.4 - patch + - accounts - name: "18.2.5 | PATCH | Ensure Password Settings Password Length is set to Enabled 15 or more MS only" win_regedit: @@ -125,6 +135,7 @@ - level1-memberserver - rule_18.2.5 - patch + - accounts - name: "18.2.6 | PATCH | Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only" win_regedit: @@ -139,6 +150,7 @@ - level1-memberserver - rule_18.2.6 - patch + - accounts - name: "18.3.1 | PATCH | Ensure Apply UAC restrictions to local accounts on network logons is set to Enabled MS only" win_regedit: @@ -153,6 +165,7 @@ - level1-memberserver - rule_18.3.1 - patch + - uac - name: "18.3.2 | PATCH | Ensure Configure SMB v1 client driver is set to Enabled Disable driver recommended" win_regedit: @@ -167,6 +180,7 @@ - level1-memberserver - rule_18.3.2 - patch + - smb - name: "18.3.3 | PATCH | Ensure Configure SMB v1 server is set to Disabled" win_regedit: @@ -183,6 +197,7 @@ - level1-memberserver - rule_18.3.3 - patch + - smb - name: "18.3.4 | PATCH | Ensure Enable Structured Exception Handling Overwrite Protection SEHOP is set to Enabled" win_regedit: 
@@ -198,8 +213,25 @@ - level1-memberserver - rule_18.3.4 - patch + - sehop -- name: "18.3.5 | PATCH | Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node recommended'" +- name: "18.3.5 | PATCH | Ensure Limits print driver installation to Administrators is set to Enabled" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint + name: RestrictDriverInstallationToAdministrators + data: 1 + type: dword + when: + - rule_18_3_5 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.3.5 + - patch + - printers + - drivers + +- name: "18.3.6 | PATCH | Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node recommended'" win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters state: present @@ -207,14 +239,15 @@ data: "{{ netbt_nodetype }}" datatype: dword when: - - rule_18_3_5 + - rule_18_3_6 tags: - level1-domaincontroller - level1-memberserver - - rule_18.3.5 + - rule_18.3.6 - patch + - netbt -- name: "18.3.6 | PATCH | Ensure WDigest Authentication is set to Disabled" +- name: "18.3.7 | PATCH | Ensure WDigest Authentication is set to Disabled" win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest state: present @@ -222,12 +255,13 @@ data: 0 datatype: dword when: - - rule_18_3_6 + - rule_18_3_7 tags: - level1-domaincontroller - level1-memberserver - - rule_18.3.6 + - rule_18.3.7 - patch + - wdigest ## 18.4.x @@ -245,6 +279,8 @@ - level1-memberserver - rule_18.4.1 - patch + - mss + - logon - name: "18.4.2 | PATCH | Ensure MSS DisableIPSourceRouting IPv6 IP source routing protection level protects against packet spoofing is set to Enabled Highest protection source routing is completely disabled" win_regedit: 
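Review bot: The new 18.3.5 task and the renumbering of NetBT to 18.3.6 and WDigest to 18.3.7 introduce `when:` references to `rule_18_3_5`, `rule_18_3_6` and `rule_18_3_7`; the matching defaults change is not visible in this view, and an undefined variable in a `when:` fails the play rather than skipping the task, so please confirm all three are defined in `defaults/main.yml`. Stylistically, the inserted 18.3.5 task uses `type: dword` and no `state:` while its neighbours 18.3.6 and 18.3.7 use `state: present` and `datatype: dword` — both spellings are accepted by `win_regedit`, but the block reads more consistently if the new task follows the adjacent form. A short comment above the task, such as `# Point and Print: value 1 restricts print driver installation to administrators`, would also tell operators why non-admin driver installs start failing once this runs.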
@@ -260,6 +296,8 @@ - level1-memberserver - rule_18.4.2 - patch + - mss + - iprouting - name: "18.4.3 | PATCH | Ensure MSS DisableIPSourceRouting IP source routing protection level protects against packet spoofing is set to Enabled Highest protection source routing is completely disabled" win_regedit: @@ -275,6 +313,8 @@ - level1-memberserver - rule_18.4.3 - patch + - mss + - iprouting - name: "18.4.4 | PATCH | Ensure MSS EnableICMPRedirect Allow ICMP redirects to override OSPF generated routes is set to Disabled" win_regedit: @@ -290,8 +330,10 @@ - level1-memberserver - rule_18.4.4 - patch + - mss + - icmps -- name: "18.4.5 | PATCH | L2 | Ensure MSS KeepAliveTime How often keep-alive packets are sent in milliseconds is set to Enabled 300000 or 5 minutes recommended" +- name: "18.4.5 | PATCH | Ensure MSS KeepAliveTime How often keep-alive packets are sent in milliseconds is set to Enabled 300000 or 5 minutes recommended" win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters state: present @@ -305,6 +347,8 @@ - level2-memberserver - rule_18.4.5 - patch + - mss + - keepalive - name: "18.4.6 | PATCH | Ensure MSS NoNameReleaseOnDemand Allow the computer to ignore NetBIOS name release requests except from WINS servers is set to Enabled" win_regedit: @@ -320,8 +364,10 @@ - level1-memberserver - rule_18.4.6 - patch + - mss + - noname -- name: "18.4.7 | PATCH | L2 | Ensure MSS PerformRouterDiscovery Allow IRDP to detect and configure Default Gateway addresses could lead to DoS is set to Disabled" +- name: "18.4.7 | PATCH | Ensure MSS PerformRouterDiscovery Allow IRDP to detect and configure Default Gateway addresses could lead to DoS is set to Disabled" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Tcpip\Parameters state: present @@ -335,6 +381,7 @@ - level2-memberserver - rule_18.4.7 - patch + - mss - name: "18.4.8 | PATCH | Ensure MSS SafeDllSearchMode Enable Safe DLL search mode recommended is set to Enabled" win_regedit: 
@@ -350,6 +397,7 @@ - level1-memberserver - rule_18.4.8 - patch + - mss - name: "18.4.9 | PATCH | Ensure MSS ScreenSaverGracePeriod The time in seconds before the screen saver grace period expires 0 recommended is set to Enabled 5 or fewer seconds" win_regedit: @@ -365,8 +413,9 @@ - level1-memberserver - rule_18.4.9 - patch + - mss -- name: "18.4.10 | PATCH | L2 | Ensure MSS TcpMaxDataRetransmissions IPv6 How many times unacknowledged data is retransmitted is set to Enabled 3" +- name: "18.4.10 | PATCH | Ensure MSS TcpMaxDataRetransmissions IPv6 How many times unacknowledged data is retransmitted is set to Enabled 3" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Tcpip6\Parameters name: TcpMaxDataRetransmissions @@ -379,8 +428,9 @@ - level2-memberserver - rule_18.4.10 - patch + - mss -- name: "18.4.11 | PATCH | L2 | Ensure MSS TcpMaxDataRetransmissions How many times unacknowledged data is retransmitted is set to Enabled 3" +- name: "18.4.11 | PATCH | Ensure MSS TcpMaxDataRetransmissions How many times unacknowledged data is retransmitted is set to Enabled 3" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Tcpip\Parameters name: TcpMaxDataRetransmissions @@ -393,6 +443,7 @@ - level2-memberserver - rule_18.4.11 - patch + - mss - name: "18.4.12 | PATCH | Ensure MSS WarningLevel Percentage threshold for the security event log at which the system will generate a warning is set to Enabled 90 or less" win_regedit: 
@@ -407,26 +458,42 @@ - level1-memberserver - rule_18.4.12 - patch - + - mss # 18.5.4.x -- name: "18.5.4.1 | PATCH | Ensure Turn off multicast name resolution is set to Enabled MS Only" +- name: "18.5.4.1 | PATCH | Ensure Configure DNS over HTTPS (DoH) name resolution is set to Enabled: Allow DoH or higher" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient + name: DoHPolicy + data: 2 + type: dword + when: + - rule_18_5_4_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.5.4.1 + - patch + - dns + +- name: "18.5.4.2 | PATCH | Ensure Turn off multicast name resolution is set to Enabled MS Only" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient name: EnableMulticast data: 0 type: dword when: - - rule_18_5_4_1 + - rule_18_5_4_2 - not ansible_windows_domain_role == "Primary domain controller" tags: - level1-domaincontroller - level1-memberserver - - rule_18.5.4.1 + - rule_18.5.4.2 - patch + - dns -- name: "18.5.5.1 | PATCH | L2 | Ensure Enable Font Providers is set to Disabled" +- name: "18.5.5.1 | PATCH | Ensure Enable Font Providers is set to Disabled" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System name: EnableFontProviders @@ -439,6 +506,7 @@ - level2-memberserver - rule_18.5.5.1 - patch + - dns - name: "18.5.8.1 | PATCH | Ensure Enable insecure guest logons is set to Disabled" win_regedit: 
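Review bot: The category tag added to 18.5.5.1 (Enable Font Providers, hunk `@@ -439,6 +506,7 @@`) is `- dns`, and the next hunk (`@@ -453,31 +521,32 @@`, on the following line) adds `- fonts` to 18.5.8.1 (Enable insecure guest logons), so the tags look shifted by one task; 18.5.5.1 should get `- fonts` and 18.5.8.1 something like `- smb` or `- guest`, leaving `dns` on the two 18.5.4.x tasks only. Separately, the new 18.5.4.1 task hard-codes `data: 2` although its name reads "Allow DoH or higher", whereas the neighbouring NetBT task takes its value from `{{ netbt_nodetype }}`; if operators are expected to be able to require DoH rather than merely allow it, exposing the value as a defaults variable in the same way would be the consistent approach.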
@@ -453,31 +521,32 @@ - level1-memberserver - rule_18.5.8.1 - patch + - fonts -- name: "18.5.9.1 | PATCH | L2 | Ensure Turn on Mapper IO LLTDIO driver is set to Disabled" +- name: "18.5.9.1 | PATCH | Ensure Turn on Mapper IO LLTDIO driver is set to Disabled" block: - - name: "18.5.9.1 | PATCH | L2 | Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | AllowLLTDIOOndomain" + - name: "18.5.9.1 | PATCH | Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | AllowLLTDIOOndomain" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Lltd name: AllowLLTDIOOndomain data: 0 type: dword - - name: "18.5.9.1 | PATCH | L2 | Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | AllowLLTDIOOnPublicNet" + - name: "18.5.9.1 | PATCH | Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | AllowLLTDIOOnPublicNet" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Lltd name: AllowLLTDIOOnPublicNet data: 0 type: dword - - name: "18.5.9.1 | PATCH | L2 | Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | EnableLLTDIO" + - name: "18.5.9.1 | PATCH | Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | EnableLLTDIO" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Lltd name: EnableLLTDIO data: 0 type: dword - - name: "18.5.9.1 | PATCH | L2 | Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | ProhibitLLTDIOOnPrivateNet" + - name: "18.5.9.1 | PATCH | Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | ProhibitLLTDIOOnPrivateNet" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Lltd name: ProhibitLLTDIOOnPrivateNet 
@@ -490,31 +559,33 @@ - level2-memberserver - rule_18.5.9.1 - patch + - mapper + - drivers -- name: "18.5.9.2 | PATCH | L2 | Ensure Turn on Responder RSPNDR driver is set to Disabled" +- name: "18.5.9.2 | PATCH | Ensure Turn on Responder RSPNDR driver is set to Disabled" block: - - name: "18.5.9.2 | PATCH | L2 | Ensure Turn on Responder RSPNDR driver is set to Disabled | AllowRspndrOnDomain" + - name: "18.5.9.2 | PATCH | Ensure Turn on Responder RSPNDR driver is set to Disabled | AllowRspndrOnDomain" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Lltd name: AllowRspndrOnDomain data: 0 type: dword - - name: "18.5.9.2 | PATCH | L2 | Ensure Turn on Responder RSPNDR driver is set to Disabled | AllowRspndrOnPublicNet" + - name: "18.5.9.2 | PATCH | Ensure Turn on Responder RSPNDR driver is set to Disabled | AllowRspndrOnPublicNet" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Lltd name: AllowRspndrOnPublicNet data: 0 type: dword - - name: "18.5.9.2 | PATCH | L2 | Ensure Turn on Responder RSPNDR driver is set to Disabled | EnableRspndr" + - name: "18.5.9.2 | PATCH | Ensure Turn on Responder RSPNDR driver is set to Disabled | EnableRspndr" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Lltd name: EnableRspndr data: 0 type: dword - - name: "18.5.9.2 | PATCH | L2 | Ensure Turn on Responder RSPNDR driver is set to Disabled | ProhibitRspndrOnPrivateNet" + - name: "18.5.9.2 | PATCH | Ensure Turn on Responder RSPNDR driver is set to Disabled | ProhibitRspndrOnPrivateNet" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Lltd name: ProhibitRspndrOnPrivateNet 
@@ -527,8 +598,10 @@ - level2-memberserver - rule_18.5.9.2 - patch + - rspndr + - driver -- name: "18.5.10.2 | PATCH | L2 | Ensure Turn off Microsoft Peer-to-Peer Networking Services is set to Enabled" +- name: "18.5.10.2 | PATCH | Ensure Turn off Microsoft Peer-to-Peer Networking Services is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Peernet name: Disabled @@ -541,6 +614,7 @@ - level2-memberserver - rule_18.5.10.2 - patch + - p2p - name: "18.5.11.2 | PATCH | Ensure Prohibit installation and configuration of Network Bridge on your DNS domain network is set to Enabled" win_regedit: @@ -555,6 +629,7 @@ - level1-memberserver - rule_18.5.11.2 - patch + - networkconnections - name: "18.5.11.3 | PATCH | Ensure Prohibit use of Internet Connection Sharing on your DNS domain network is set to Enabled" win_regedit: @@ -569,6 +644,7 @@ - level1-memberserver - rule_18.5.11.3 - patch + - networkconnections - name: "18.5.11.4 | PATCH | Ensure Require domain users to elevate when setting a networks location is set to Enabled" win_regedit: @@ -583,6 +659,7 @@ - level1-memberserver - rule_18.5.11.4 - patch + - networkconnections - name: "18.5.14.1 | PATCH | Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all NETLOGON and SYSVOL shares" block: @@ -606,8 +683,10 @@ - level1-memberserver - rule_18.5.14.1 - patch + - paths + - unc -- name: "18.5.19.2.1 | PATCH | L2 | Disable IPv6 Ensure TCPIP6 Parameter DisabledComponents is set to 0xff 255" +- name: "18.5.19.2.1 | PATCH | Disable IPv6 Ensure TCPIP6 Parameter DisabledComponents is set to 0xff 255" win_regedit: path: HKLM:\System\CurrentControlSet\Services\TCPIP6\Parameters name: DisabledComponents 
@@ -620,38 +699,39 @@ - level2-memberserver - rule_18.5.19.2.1 - patch + - ipv6 -- name: "18.5.20.1 | PATCH | L2 | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled" +- name: "18.5.20.1 | PATCH | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled" block: - - name: "18.5.20.1 | PATCH | L2 | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | EnableRegistrars" + - name: "18.5.20.1 | PATCH | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | EnableRegistrars" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars name: EnableRegistrars data: 0 type: dword - - name: "18.5.20.1 | PATCH | L2 | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableUPnPRegistrar" + - name: "18.5.20.1 | PATCH | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableUPnPRegistrar" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars name: DisableUPnPRegistrar data: 0 type: dword - - name: "18.5.20.1 | PATCH | L2 | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableInBand802DOT11Registrar" + - name: "18.5.20.1 | PATCH | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableInBand802DOT11Registrar" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars name: DisableInBand802DOT11Registrar data: 0 type: dword - - name: "18.5.20.1 | PATCH | L2 | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableFlashConfigRegistrar" + - name: "18.5.20.1 | PATCH | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableFlashConfigRegistrar" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars name: DisableFlashConfigRegistrar 
data: 0 type: dword - - name: "18.5.20.1 | PATCH | L2 | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableWPDRegistrar" + - name: "18.5.20.1 | PATCH | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableWPDRegistrar" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars name: DisableWPDRegistrar @@ -664,8 +744,9 @@ - level2-memberserver - rule_18.5.20.1 - patch + - wireless -- name: "18.5.20.2 | PATCH | L2 | Ensure Prohibit access of the Windows Connect Now wizards is set to Enabled" +- name: "18.5.20.2 | PATCH | Ensure Prohibit access of the Windows Connect Now wizards is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Ui name: DisableWcnUi @@ -678,6 +759,7 @@ - level2-memberserver - rule_18.5.20.2 - patch + - connectnow - name: "18.5.21.1 | PATCH | Ensure Minimize the number of simultaneous connections to the Internet or a Windows Domain is set to Enabled" win_regedit: @@ -692,8 +774,9 @@ - level1-memberserver - rule_18.5.21.1 - patch + - gpo -- name: "18.5.21.2 | PATCH | L2 | Ensure Prohibit connection to non-domain networks when connected to domain authenticated network is set to Enabled MS only" +- name: "18.5.21.2 | PATCH | Ensure Prohibit connection to non-domain networks when connected to domain authenticated network is set to Enabled MS only" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Wcmsvc\Grouppolicy name: fBlockNonDomain 
@@ -706,8 +789,54 @@ - level2-memberserver - rule_18.5.21.2 - patch + - gpo -- name: "18.7.1.1 | PATCH | L2 | Ensure Turn off notifications network usage is set to Enabled" +- name: "18.6.1 | PATCH | Ensure Allow Print Spooler to accept client connections is set to Disabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows NT\Printers + name: RegisterSpoolerRemoteRpcEndPoint + data: 2 + type: dword + when: + - rule_18_6_1 + tags: + - level1-domaincontroller + - level2-memberserver + - rule_18.6.1 + - patch + - printers + +- name: "18.6.2 | PATCH | Ensure Point and Print Restrictions: When installing drivers for a new connection is set to Enabled: Show warning and elevation prompt" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint + name: NoWarningNoElevationOnInstall + data: 0 + type: dword + when: + - rule_18_6_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.6.2 + - patch + - printers + +- name: "18.6.3 | PATCH | Ensure Point and Print Restrictions: When updating drivers for an existing connection is set to Enabled: Show warning and elevation prompt" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint + name: UpdatePromptSettings + data: 0 + type: dword + when: + - rule_18_6_3 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.6.3 + - patch + - printers + +- name: "18.7.1.1 | PATCH | Ensure Turn off notifications network usage is set to Enabled" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications name: NoCloudApplicationNotification @@ -720,6 +849,7 @@ - level2-memberserver - rule_18.7.1.1 - patch + - notifications - name: "18.8.3.1 | PATCH | Ensure Include command line in process creation events is set to Disabled" win_regedit: 
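Review bot: The new 18.6.1 task tags `level1-domaincontroller` together with `level2-memberserver`, while 18.6.2 and 18.6.3 in the same hunk tag level1 for both roles. If that split is deliberate (the benchmark assigning a different profile level per role), a comment above the task would keep a later cleanup from "correcting" it: `# 18.6.1: benchmark profile level differs per role, hence the mixed level tags`. If it is not deliberate, one of the two tags is wrong and the task will be skipped or applied under the wrong profile.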
@@ -748,6 +878,7 @@ - level1-memberserver - rule_18.8.4.1 - patch + - encryption_oracle - name: "18.8.4.2 | PATCH | Ensure Remote host allows delegation of non-exportable credentials is set to Enabled" win_regedit: @@ -762,6 +893,7 @@ - level1-memberserver - rule_18.8.4.2 - patch + - credentialsdelecation - name: "18.8.5.1 | PATCH | NG Ensure Turn On Virtualization Based Security is set to Enabled" win_regedit: @@ -776,6 +908,7 @@ - ngws-memberserver - rule_18.8.5.1 - patch + - vbs - name: "18.8.5.2 | PATCH | NG Ensure Turn On Virtualization Based Security Select Platform Security Level is set to Secure Boot and DMA Protection" win_regedit: @@ -790,6 +923,7 @@ - ngws-memberserver - rule_18.8.5.2 - patch + - vbs - name: "18.8.5.3 | PATCH | NG Ensure Turn On Virtualization Based Security Virtualization Based Protection of Code Integrity is set to Enabled with UEFI lock" win_regedit: @@ -804,6 +938,7 @@ - ngws-memberserver - rule_18.8.5.3 - patch + - vbs - name: "18.8.5.4 | PATCH | NG Ensure Turn On Virtualization Based Security Require UEFI Memory Attributes Table is set to True checked" win_regedit: @@ -818,6 +953,7 @@ - ngws-memberserver - rule_18.8.5.4 - patch + - vbs - name: "18.8.5.5 | PATCH | NG Ensure Turn On Virtualization Based Security Credential Guard Configuration is set to Enabled with UEFI lock MS Only" win_regedit: @@ -832,6 +968,7 @@ - ngws-memberserver - rule_18.8.5.5 - patch + - vbs - name: "18.8.5.6 | PATCH | NG Ensure Turn On Virtualization Based Security Credential Guard Configuration is set to Disabled DC Only" win_regedit: @@ -846,6 +983,7 @@ - ngws-domaincontroller - rule_18.8.5.6 - patch + - vbs - name: "18.8.5.7 | PATCH | NG Ensure Turn On Virtualization Based Security Secure Launch Configuration is set to Enabled" win_regedit: 
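Review bot: The tag added to 18.8.4.2 is misspelled, `credentialsdelecation`, so tag-based selection of that task silently matches nothing; change the line to `- credentialsdelegation`. The same class of typo appears in later hunks (`certifcates` on 18.8.25.1, `pertrack` on 18.8.47.11.1, `diagnostrics` on 18.9.17.1), so one pass over the new tags before merge is worthwhile. The tag added to 18.8.4.1 in the first hunk here, `encryption_oracle`, is also the only new tag in the patch that uses an underscore where every other one is run-together lowercase (`vbs`, `notifications`); picking one form keeps `--tags` usage predictable.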
@@ -860,6 +998,22 @@ - ngws-memberserver - rule_18.8.5.7 - patch + - vbs + +- name: "18.8.7.2 | PATCH | Ensure Prevent device metadata retrieval from the Internet is set to Enabled" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Device Metadata + name: PreventDeviceMetadataFromNetwork + data: 1 + type: dword + when: + - rule_18_8_7_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.8.7.2 + - patch + - metadata - name: "18.8.14.1 | PATCH | Ensure Boot-Start Driver Initialization Policy is set to Enabled Good unknown and bad but critical" win_regedit: @@ -874,6 +1028,7 @@ - level1-memberserver - rule_18.8.14.1 - patch + - drivers - name: "18.8.21.2 | PATCH | Ensure Configure registry policy processing Do not apply during periodic background processing is set to Enabled FALSE" win_regedit: @@ -888,6 +1043,7 @@ - level1-memberserver - rule_18.8.21.2 - patch + - gpo - name: "18.8.21.3 | PATCH | Ensure Configure registry policy processing Process even if the Group Policy objects have not changed is set to Enabled TRUE" win_regedit: @@ -902,6 +1058,7 @@ - level1-memberserver - rule_18.8.21.3 - patch + - gpo - name: "18.8.21.4 | PATCH | Ensure Continue experiences on this device is set to Disabled" win_regedit: @@ -929,6 +1086,7 @@ - level1-memberserver - rule_18.8.21.5 - patch + - gpo - name: "18.8.22.1.1 | PATCH | Ensure Turn off downloading of print drivers over HTTP is set to Enabled" win_regedit: @@ -943,8 +1101,10 @@ - level1-memberserver - rule_18.8.22.1.1 - patch + - drivers + - printers -- name: "18.8.22.1.2 | PATCH | L2 | Ensure Turn off handwriting personalization data sharing is set to Enabled" +- name: "18.8.22.1.2 | PATCH | Ensure Turn off handwriting personalization data sharing is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Tabletpc name: PreventHandwritingDataSharing 
@@ -957,8 +1117,9 @@ - level2-memberserver - rule_18.8.22.1.2 - patch + - handwriting -- name: "18.8.22.1.3 | PATCH | L2 | Ensure Turn off handwriting recognition error reporting is set to Enabled" +- name: "18.8.22.1.3 | PATCH | Ensure Turn off handwriting recognition error reporting is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Handwritingerrorreports name: PreventHandwritingErrorReports @@ -971,8 +1132,9 @@ - level2-memberserver - rule_18.8.22.1.3 - patch + - handwriting -- name: "18.8.22.1.4 | PATCH | L2 | Ensure Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com is set to Enabled" +- name: "18.8.22.1.4 | PATCH | Ensure Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Internet Connection Wizard name: ExitOnMSICW @@ -985,6 +1147,8 @@ - level2-memberserver - rule_18.8.22.1.4 - patch + - wizard + - internetconnectionwizard - name: "18.8.22.1.5 | PATCH | Ensure Turn off Internet download for Web publishing and online ordering wizards is set to Enabled" win_regedit: @@ -999,8 +1163,10 @@ - level1-memberserver - rule_18.8.22.1.5 - patch + - wizard + - internetdownloadwizard -- name: "18.8.22.1.6 | PATCH | L2 | Ensure Turn off printing over HTTP is set to Enabled" +- name: "18.8.22.1.6 | PATCH | Ensure Turn off printing over HTTP is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Printers name: DisableHTTPPrinting 
@@ -1013,8 +1179,9 @@ - level2-memberserver - rule_18.8.22.1.6 - patch + - printers -- name: "18.8.22.1.7 | PATCH | L2 | Ensure Turn off Registration if URL connection is referring to Microsoft.com is set to Enabled" +- name: "18.8.22.1.7 | PATCH | Ensure Turn off Registration if URL connection is referring to Microsoft.com is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Registration Wizard Control name: NoRegistration @@ -1027,8 +1194,10 @@ - level2-memberserver - rule_18.8.22.1.7 - patch + - wizard + - registration -- name: "SCORED | 18.8.22.1.8 | PATCH | L2 | Ensure Turn off Search Companion content file updates is set to Enabled" +- name: "18.8.22.1.8 | PATCH | Ensure Turn off Search Companion content file updates is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Searchcompanion name: DisableContentFileUpdates @@ -1041,8 +1210,9 @@ - level2-memberserver - rule_18.8.22.1.8 - patch + - search -- name: "18.8.22.1.9 | PATCH | L2 | Ensure Turn off the Order Prints picture task is set to Enabled" +- name: "18.8.22.1.9 | PATCH | Ensure Turn off the Order Prints picture task is set to Enabled" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer name: NoOnlinePrintsWizard @@ -1055,8 +1225,9 @@ - level2-memberserver - rule_18.8.22.1.9 - patch + - printers -- name: "18.8.22.1.10 | PATCH | L2 | Ensure Turn off the Publish to Web task for files and folders is set to Enabled" +- name: "18.8.22.1.10 | PATCH | Ensure Turn off the Publish to Web task for files and folders is set to Enabled" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer name: NoPublishingWizard 
@@ -1069,8 +1240,9 @@ - level2-memberserver - rule_18.8.22.1.10 - patch + - wizard -- name: "18.8.22.1.11 | PATCH | L2 | Ensure Turn off the Windows Messenger Customer Experience Improvement Program is set to Enabled" +- name: "18.8.22.1.11 | PATCH | Ensure Turn off the Windows Messenger Customer Experience Improvement Program is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Messenger\Client name: CEIP @@ -1083,8 +1255,9 @@ - level2-memberserver - rule_18.8.22.1.11 - patch + - wmcei -- name: "18.8.22.1.12 | PATCH | L2 | Ensure Turn off Windows Customer Experience Improvement Program is set to Enabled" +- name: "18.8.22.1.12 | PATCH | Ensure Turn off Windows Customer Experience Improvement Program is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Sqmclient\Windows name: CEIPEnable @@ -1097,17 +1270,18 @@ - level2-memberserver - rule_18.8.22.1.12 - patch + - wmcei -- name: "18.8.22.1.13 | PATCH | L2 | Ensure Turn off Windows Error Reporting is set to Enabled" +- name: "18.8.22.1.13 | PATCH | Ensure Turn off Windows Error Reporting is set to Enabled" block: - - name: "18.8.22.1.13 | PATCH | L2 | Ensure Turn off Windows Error Reporting is set to Enabled | Windows Error Reporting" + - name: "18.8.22.1.13 | PATCH | Ensure Turn off Windows Error Reporting is set to Enabled | Windows Error Reporting" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Windows Error Reporting name: Disabled data: 1 type: dword - - name: "18.8.22.1.13 | PATCH | L2 | Ensure Turn off Windows Error Reporting is set to Enabled | ErrorReporting" + - name: "18.8.22.1.13 | PATCH | Ensure Turn off Windows Error Reporting is set to Enabled | ErrorReporting" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting name: DoReport 
@@ -1120,17 +1294,18 @@ - level2-memberserver - rule_18.8.22.1.13 - patch + - errorreporting -- name: "18.8.25.1 | PATCH | L2 | Ensure Support device authentication using certificate is set to Enabled Automatic" +- name: "18.8.25.1 | PATCH | Ensure Support device authentication using certificate is set to Enabled Automatic" block: - - name: "18.8.25.1 | PATCH | L2 | Ensure Support device authentication using certificate is set to Enabled Automatic | DevicePKInitBehavior" + - name: "18.8.25.1 | PATCH | Ensure Support device authentication using certificate is set to Enabled Automatic | DevicePKInitBehavior" win_regedit: path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters name: DevicePKInitBehavior data: 0 type: dword - - name: "18.8.25.1 | PATCH | L2 | Ensure Support device authentication using certificate is set to Enabled Automatic | DevicePKInitEnabled" + - name: "18.8.25.1 | PATCH | Ensure Support device authentication using certificate is set to Enabled Automatic | DevicePKInitEnabled" win_regedit: path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters name: DevicePKInitEnabled @@ -1143,6 +1318,7 @@ - level2-memberserver - rule_18.8.25.1 - patch + - certifcates - name: "18.8.26.1 | PATCH | Ensure Enumeration policy for external devices incompatible with Kernel DMA Protection is set to Enabled Block All" win_regedit: @@ -1157,8 +1333,9 @@ - level1-memberserver - rule_18.8.26.1 - patch + - dma -- name: "18.8.27.1 | PATCH | L2 | Ensure Disallow copying of user input methods to the system account for sign-in is set to Enabled" +- name: "18.8.27.1 | PATCH | Ensure Disallow copying of user input methods to the system account for sign-in is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Control Panel\International name: BlockUserInputMethodsForSignIn 
@@ -1185,6 +1362,7 @@ - level1-memberserver - rule_18.8.28.1 - patch + - accounts - name: "18.8.28.2 | PATCH | Ensure Do not display network selection UI is set to Enabled" win_regedit: @@ -1213,6 +1391,7 @@ - level1-memberserver - rule_18.8.28.3 - patch + - enumerate - name: "18.8.28.4 | PATCH | Ensure Enumerate local users on domain-joined computers is set to Disabled MS only" win_regedit: @@ -1226,6 +1405,7 @@ - level1-memberserver - rule_18.8.28.4 - patch + - enumerate - name: "18.8.28.5 | PATCH | Ensure Turn off app notifications on the lock screen is set to Enabled" win_regedit: @@ -1240,6 +1420,7 @@ - level1-memberserver - rule_18.8.28.5 - patch + - notifications - name: "18.8.28.6 | PATCH | Ensure Turn off picture password sign-in is set to Enabled" win_regedit: @@ -1254,6 +1435,7 @@ - level1-memberserver - rule_18.8.28.6 - patch + - logon - name: "18.8.28.7 | PATCH | Ensure Turn on convenience PIN sign-in is set to Disabled" win_regedit: @@ -1268,8 +1450,9 @@ - level1-memberserver - rule_18.8.28.7 - patch + - pin -- name: "18.8.31.1 | PATCH | L2 | Ensure Allow Clipboard synchronization across devices is set to Disabled" +- name: "18.8.31.1 | PATCH | Ensure Allow Clipboard synchronization across devices is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\System name: AllowCrossDeviceClipboard @@ -1282,8 +1465,9 @@ - level2-memberserver - rule_18.8.31.1 - patch + - clipboard -- name: "18.8.31.2 | PATCH | L2 | Ensure Allow upload of User Activities is set to Disabled" +- name: "18.8.31.2 | PATCH | Ensure Allow upload of User Activities is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\System name: UploadUserActivities 
@@ -1297,7 +1481,7 @@ - rule_18.8.31.2 - patch -- name: "18.8.34.6.1 | PATCH | L2 | Ensure Allow network connectivity during connected-standby on battery is set to Disabled" +- name: "18.8.34.6.1 | PATCH | Ensure Allow network connectivity during connected-standby on battery is set to Disabled" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 name: DCSettingIndex @@ -1310,8 +1494,9 @@ - level2-memberserver - rule_18.8.34.6.1 - patch + - power -- name: "18.8.34.6.2 | PATCH | L2 | Ensure Allow network connectivity during connected-standby plugged in is set to Disabled" +- name: "18.8.34.6.2 | PATCH | Ensure Allow network connectivity during connected-standby plugged in is set to Disabled" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 name: ACSettingIndex @@ -1324,6 +1509,7 @@ - level2-memberserver - rule_18.8.34.6.2 - patch + - power - name: "18.8.34.6.3 | PATCH | Ensure Require a password when a computer wakes on battery is set to Enabled" win_regedit: @@ -1338,6 +1524,8 @@ - level1-memberserver - rule_18.8.34.6.3 - patch + - power + - logon - name: "18.8.34.6.4 | PATCH | Ensure Require a password when a computer wakes plugged in is set to Enabled" win_regedit: @@ -1352,6 +1540,7 @@ - level1-memberserver - rule_18.8.34.6.4 - patch + - logon - name: "18.8.36.1 | PATCH | Ensure Configure Offer Remote Assistance is set to Disabled" win_regedit: @@ -1366,6 +1555,7 @@ - level1-memberserver - rule_18.8.36.1 - patch + - cora - name: "18.8.36.2 | PATCH | Ensure Configure Solicited Remote Assistance is set to Disabled" win_regedit: @@ -1380,6 +1570,7 @@ - level1-memberserver - rule_18.8.36.2 - patch + - csra - name: "18.8.37.1 | PATCH | Ensure Enable RPC Endpoint Mapper Client Authentication is set to Enabled MS only" win_regedit: 
@@ -1394,8 +1585,9 @@ - level1-memberserver - rule_18.8.37.1 - patch + - rpc -- name: "18.8.37.2 | PATCH | L2 | Ensure Restrict Unauthenticated RPC clients is set to Enabled Authenticated MS only" +- name: "18.8.37.2 | PATCH | Ensure Restrict Unauthenticated RPC clients is set to Enabled Authenticated MS only" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Rpc name: RestrictRemoteClients @@ -1408,8 +1600,24 @@ - level2-memberserver - rule_18.8.37.2 - patch + - rpc + +- name: "18.8.40.1 | PATCH | Ensure Configure validation of ROCA-vulnerable WHfB keys during authentication is set to Enabled: Audit or higher" + win_regedit: + path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\SAM + name: SamNGCKeyROCAValidation + data: 1 + type: dword + when: + - rule_18_8_40_1 + - ansible_windows_domain_role == "Primary domain controller" + tags: + - level1-domaincontroller + - rule_18.8.40.1 + - patch + - sam -- name: "18.8.47.5.1 | PATCH | L2 | Ensure Microsoft Support Diagnostic Tool Turn on MSDT interactive communication with support provider is set to Disabled" +- name: "18.8.47.5.1 | PATCH | Ensure Microsoft Support Diagnostic Tool Turn on MSDT interactive communication with support provider is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Scripteddiagnosticsprovider\Policy name: DisableQueryRemoteServer @@ -1422,8 +1630,9 @@ - level2-memberserver - rule_18.8.47.5.1 - patch + - msdt -- name: "18.8.47.11.1 | PATCH | L2 | Ensure EnableDisable PerfTrack is set to Disabled" +- name: "18.8.47.11.1 | PATCH | Ensure EnableDisable PerfTrack is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Wdi\{9C5A40Da-B965-4Fc3-8781-88Dd50A6299D} name: ScenarioExecutionEnabled 
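Review bot: The `when` on the new 18.8.40.1 task only fires for `ansible_windows_domain_role == "Primary domain controller"`, yet the task is tagged for all domain controllers. If that fact reports every DC other than the PDC-emulator holder under the backup-domain-controller role (it is derived from the Win32_ComputerSystem DomainRole value, where only one DC per domain is the primary), those DCs never receive the ROCA-validation setting; confirm the fact's possible values and either match on both DC roles or rely on the `level1-domaincontroller` tag/inventory split the other DC-only tasks use. The 18.8.47.5.1 task at the end of the hunk continues outside it.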
@@ -1436,8 +1645,9 @@ - level2-memberserver - rule_18.8.47.11.1 - patch + - pertrack -- name: "18.8.49.1 | PATCH | L2 | Ensure Turn off the advertising ID is set to Enabled" +- name: "18.8.49.1 | PATCH | Ensure Turn off the advertising ID is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Advertisinginfo name: DisabledByGroupPolicy @@ -1450,8 +1660,9 @@ - level2-memberserver - rule_18.8.49.1 - patch + - advertising -- name: "18.8.52.1.1 | PATCH | L2 | Ensure Enable Windows NTP Client is set to Enabled" +- name: "18.8.52.1.1 | PATCH | Ensure Enable Windows NTP Client is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\W32Time\Timeproviders\Ntpclient name: Enabled @@ -1464,8 +1675,9 @@ - level2-memberserver - rule_18.8.52.1.1 - patch + - ntp -- name: "18.8.52.1.2 | PATCH | L2 | Ensure Enable Windows NTP Server is set to Disabled MS only" +- name: "18.8.52.1.2 | PATCH | Ensure Enable Windows NTP Server is set to Disabled MS only" win_regedit: path: HKLM:\Software\Policies\Microsoft\W32Time\Timeproviders\Ntpserver name: Enabled @@ -1478,8 +1690,9 @@ - level2-memberserver - rule_18.8.52.1.2 - patch + - ntp -- name: "18.9.4.1 | PATCH | L2 | Ensure Allow a Windows app to share application data between users is set to Disabled" +- name: "18.9.4.1 | PATCH | Ensure Allow a Windows app to share application data between users is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Currentversion\Appmodel\Statemanager name: AllowSharedLocalAppData @@ -1492,6 +1705,7 @@ - level2-memberserver - rule_18.9.4.1 - patch + - data - name: "18.9.6.1 | PATCH | Ensure Allow Microsoft accounts to be optional is set to Enabled" win_regedit: @@ -1506,6 +1720,7 @@ - level1-memberserver - rule_18.9.6.1 - patch + - accounts - name: "18.9.8.1 | PATCH | Ensure Disallow Autoplay for non-volume devices is set to Enabled" win_regedit: 
@@ -1520,6 +1735,7 @@ - level1-memberserver - rule_18.9.8.1 - patch + - autoplay - name: "18.9.8.2 | PATCH | Ensure Set the default behavior for AutoRun is set to Enabled Do not execute any autorun commands" win_regedit: @@ -1534,6 +1750,7 @@ - level1-memberserver - rule_18.9.8.2 - patch + - autorun - name: "18.9.8.3 | PATCH | Ensure Turn off Autoplay is set to Enabled All drives" win_regedit: @@ -1548,6 +1765,7 @@ - level1-memberserver - rule_18.9.8.3 - patch + - autoplay - name: "18.9.10.1.1 | PATCH | Ensure Configure enhanced anti-spoofing is set to Enabled" win_regedit: @@ -1562,8 +1780,9 @@ - level1-memberserver - rule_18.9.10.1.1 - patch + - antispoofing -- name: "18.9.12.1 | PATCH | L2 | Ensure Allow Use of Camera is set to Disabled" +- name: "18.9.12.1 | PATCH | Ensure Allow Use of Camera is set to Disabled" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Camera name: AllowCamera 
@@ -1576,132 +1795,257 @@ - level2-memberserver - rule_18.9.12.1 - patch + - camera -- name: "18.9.13.1 | PATCH | L2 | Ensure Turn off Microsoft consumer experiences is set to Enabled" +- name: "18.9.14.1 | PATCH | Ensure Turn off cloud consumer account state content is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Cloudcontent - name: DisableCloudOptimizedContent + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent + name: DisableConsumerAccountStateContent data: 1 type: dword when: - - rule_18_9_13_1 + - rule_18_9_14_1 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.9.13.1 + - level1-domaincontroller + - level1-memberserver + - rule_18.9.14.1 - patch + - cloud -- name: "18.9.13.2 | PATCH | Ensure Turn off Microsoft consumer experiences is set to Enabled" +- name: "18.9.14.2 | PATCH | Ensure Turn off Microsoft consumer experiences is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Cloudcontent name: DisableWindowsConsumerFeatures data: 1 type: dword when: - - rule_18_9_13_2 + - rule_18_9_14_2 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.13.2 + - rule_18.9.14.2 - patch + - cloud -- name: "18.9.14.1 | PATCH | Ensure Require pin for pairing is set to Enabled First Time OR Enabled Always" +- name: "18.9.15.1 | PATCH | Ensure Require pin for pairing is set to Enabled First Time OR Enabled Always" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Connect name: RequirePinForPairing data: 1 type: dword when: - - rule_18_9_14_1 + - rule_18_9_15_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.14.1 + - rule_18.9.15.1 - patch + - pin -- name: "18.9.15.1 | PATCH | Ensure Do not display the password reveal button is set to Enabled" +- name: "18.9.16.1 | PATCH | Ensure Do not display the password reveal button is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Credui name: DisablePasswordReveal data: 1 
type: dword when: - - rule_18_9_15_1 + - rule_18_9_16_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.15.1 + - rule_18.9.16.1 - patch + - gui -- name: "18.9.15.2 | PATCH | Ensure Enumerate administrator accounts on elevation is set to Disabled" +- name: "18.9.16.2 | PATCH | Ensure Enumerate administrator accounts on elevation is set to Disabled" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Credui name: EnumerateAdministrators data: 0 type: dword when: - - rule_18_9_15_2 + - rule_18_9_16_2 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.15.2 + - rule_18.9.16.2 - patch + - accounts -- name: "18.9.16.1 | PATCH | Ensure Allow Telemetry is set to Enabled 0 - Security Enterprise Only or Enabled 1 - Basic" +- name: "18.9.17.1 | PATCH | Ensure Allow Diagnostic Data is set to Enabled: Diagnostic data off (not recommended) or Enabled: Send required diagnostic data" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection name: AllowTelemetry - data: 0 + data: 1 type: dword when: - - rule_18_9_16_1 + - rule_18_9_17_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.16.1 + - rule_18.9.17.1 - patch + - diagnostrics -- name: "18.9.16.2 | PATCH | L2 | Ensure Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service is set to Enabled Disable Authenticated Proxy usage" +- name: "18.9.17.2 | PATCH | Ensure Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service is set to Enabled Disable Authenticated Proxy usage" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection + path: HKLM:\Software\Policies\Microsoft\Windows\DataCollection name: DisableEnterpriseAuthProxy data: 0 type: dword when: - - rule_18_9_16_2 + - rule_18_9_17_2 tags: - level2-domaincontroller - level2-memberserver - - rule_18.9.16.2 + - rule_18.9.17.2 
- patch + - datacollection -- name: "18.9.16.3 | PATCH | Ensure Do not show feedback notifications is set to Enabled" +- name: "18.9.17.3 | PATCH | Ensure Disable OneSettings Downloads is set to Enabled" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection + name: DisableOneSettingsDownloads + data: 1 + type: dword + when: + - rule_18_9_17_3 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.17.3 + - patch + - onesettings + +- name: "18.9.17.4 | PATCH | Ensure Do not show feedback notifications is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection name: DoNotShowFeedbackNotifications data: 1 type: dword when: - - rule_18_9_16_3 + - rule_18_9_17_4 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.16.3 + - rule_18.9.17.4 - patch + - datacollection -- name: "18.9.16.4 | PATCH | Ensure Toggle user control over Insider builds is set to Disabled" +- name: "18.9.17.5 | PATCH | Ensure Enable OneSettings Auditing' is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Previewbuilds - name: AllowBuildPreview - data: 0 + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection + name: EnableOneSettingsAuditing + data: 1 + type: dword + when: + - rule_18_9_17_5 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.17.5 + - patch + - datacollection + +- name: "18.9.17.6 | PATCH | Ensure Limit Diagnostic Log Collection is set to Enabled" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection + name: LimitDiagnosticLogCollection + data: 1 + type: dword + when: + - rule_18_9_17_6 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.17.6 + - patch + - datacollection + +- name: "18.9.17.7 | PATCH | Ensure Limit Dump Collection is set to Enabled" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection + name: LimitDumpCollection + data: 1 type: dword when: 
- - rule_18_9_16_4 + - rule_18_9_17_7 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.16.4 + - rule_18.9.17.7 - patch + - datacollection + +- name: "18.9.17.8 | PATCH | Ensure Toggle user control over Insider builds is set to Disabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Previewbuilds + name: AllowBuildPreview + data: 0 + type: dword + when: + - rule_18_9_17_8 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.17.8 + - patch + +# - name: "18.9.16.1 | PATCH | Ensure Allow Telemetry is set to Enabled 0 - Security Enterprise Only or Enabled 1 - Basic" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection +# name: AllowTelemetry +# data: 0 +# type: dword +# when: +# - rule_18_9_16_1 +# tags: +# - level1-domaincontroller +# - level1-memberserver +# - rule_18.9.16.1 +# - patch + +# - name: "18.9.16.2 | PATCH | Ensure Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service is set to Enabled Disable Authenticated Proxy usage" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection +# name: DisableEnterpriseAuthProxy +# data: 0 +# type: dword +# when: +# - rule_18_9_16_2 +# tags: +# - level2-domaincontroller +# - level2-memberserver +# - rule_18.9.16.2 +# - patch + +# - name: "18.9.16.3 | PATCH | Ensure Do not show feedback notifications is set to Enabled" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection +# name: DoNotShowFeedbackNotifications +# data: 1 +# type: dword +# when: +# - rule_18_9_16_3 +# tags: +# - level1-domaincontroller +# - level1-memberserver +# - rule_18.9.16.3 +# - patch + +# - name: "18.9.16.4 | PATCH | Ensure Toggle user control over Insider builds is set to Disabled" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows\Previewbuilds +# name: AllowBuildPreview +# data: 0 +# type: dword +# when: +# - rule_18_9_16_4 +# tags: +# - 
level1-domaincontroller +# - level1-memberserver +# - rule_18.9.16.4 +# - patch - name: "18.9.26.1.1 | PATCH | Ensure Application Control Event Log behavior when the log file reaches its maximum size is set to Disabled" win_regedit: @@ -1716,6 +2060,7 @@ - level1-memberserver - rule_18.9.26.1.1 - patch + - eventlog - name: "18.9.26.1.2 | PATCH | Ensure Application Specify the maximum log file size KB is set to Enabled 32768 or greater" win_regedit: @@ -1730,6 +2075,7 @@ - level1-memberserver - rule_18.9.26.1.2 - patch + - eventlog - name: "18.9.26.2.1 | PATCH | Ensure Security Control Event Log behavior when the log file reaches its maximum size is set to Disabled" win_regedit: @@ -1744,6 +2090,7 @@ - level1-memberserver - rule_18.9.26.2.1 - patch + - eventlog - name: "18.9.26.2.2 | PATCH | Ensure Security Specify the maximum log file size KB is set to Enabled 196608 or greater" win_regedit: @@ -1758,6 +2105,7 @@ - level1-memberserver - rule_18.9.26.2.2 - patch + - eventlog - name: "18.9.26.3.1 | PATCH | Ensure Setup Control Event Log behavior when the log file reaches its maximum size is set to Disabled" win_regedit: @@ -1772,6 +2120,7 @@ - level1-memberserver - rule_18.9.26.3.1 - patch + - eventlog - name: "18.9.26.3.2 | PATCH | Ensure Setup Specify the maximum log file size KB is set to Enabled 32768 or greater" win_regedit: @@ -1786,6 +2135,7 @@ - level1-memberserver - rule_18.9.26.3.2 - patch + - eventlog - name: "18.9.26.4.1 | PATCH | Ensure System Control Event Log behavior when the log file reaches its maximum size is set to Disabled" win_regedit: @@ -1800,6 +2150,7 @@ - level1-memberserver - rule_18.9.26.4.1 - patch + - eventlog - name: "18.9.26.4.2 | PATCH | Ensure System Specify the maximum log file size KB is set to Enabled 32768 or greater" win_regedit: @@ -1814,6 +2165,7 @@ - level1-memberserver - rule_18.9.26.4.2 - patch + - eventlog - name: "18.9.30.2 | PATCH | Ensure Turn off Data Execution Prevention for Explorer is set to Disabled" win_regedit: 
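Review bot: 18.9.17.1 hard-codes `data: 1` for AllowTelemetry where the replaced task set 0 and the new task name itself says the benchmark accepts either value; this silently loosens the enforced setting for every existing user of the role and is not a benchmark-ID change, so it should at least be called out in the commit message and preferably driven by a default, e.g. `data: "{{ diag_data_level }}"` (variable name illustrative) so the stricter 0 stays available. The four 18.9.16.x tasks re-added as `#` comments duplicate the live 18.9.17.x tasks and git history already holds them; delete them rather than leaving roughly sixty commented lines. 18.9.17.8 is the only new task in the hunk with no topic tag after `- patch`.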
@@ -1828,6 +2180,7 @@ - level1-memberserver - rule_18.9.30.2 - patch + - dep - name: "18.9.30.3 | PATCH | Ensure Turn off heap termination on corruption is set to Disabled" win_regedit: @@ -1842,6 +2195,7 @@ - level1-memberserver - rule_18.9.30.3 - patch + - heap - name: "18.9.30.4 | PATCH | Ensure Turn off shell protocol protected mode is set to Disabled" win_regedit: @@ -1856,8 +2210,9 @@ - level1-memberserver - rule_18.9.30.4 - patch + - shell -- name: "18.9.39.1 | PATCH | L2 | Ensure Turn off location is set to Enabled" +- name: "18.9.39.1 | PATCH | Ensure Turn off location is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Locationandsensors name: DisableLocation @@ -1870,8 +2225,9 @@ - level2-memberserver - rule_18.9.39.1 - patch + - location -- name: "18.9.43.1 | PATCH | L2 | Ensure Allow Message Service Cloud Sync is set to Disabled" +- name: "18.9.43.1 | PATCH | Ensure Allow Message Service Cloud Sync is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Messaging name: AllowMessageSync @@ -1884,6 +2240,7 @@ - level2-memberserver - rule_18.9.43.1 - patch + - msc - name: "18.9.44.1 | PATCH | Ensure Block all consumer Microsoft account user authentication is set to Enabled" win_regedit: @@ -1898,6 +2255,7 @@ - level1-memberserver - rule_18.9.44.1 - patch + - account - name: "18.9.45.3.1 | PATCH | Ensure Configure local setting override for reporting to Microsoft MAPS is set to Disabled" win_regedit: @@ -1912,8 +2270,9 @@ - level1-memberserver - rule_18.9.45.3.1 - patch + - maps -- name: "18.9.45.3.2 | PATCH | L2 | Ensure Join Microsoft MAPS is set to Disabled" +- name: "18.9.45.3.2 | PATCH | Ensure Join Microsoft MAPS is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet name: SpynetReporting 
@@ -1926,6 +2285,7 @@ - level2-memberserver - rule_18.9.45.3.2 - patch + - maps - name: "18.9.45.5.1 | PATCH | (L2) Ensure 'Enable file hash computation feature' is set to 'Enabled'" win_regedit: @@ -1940,34 +2300,21 @@ - level2-memberserver - rule_18.9.45.5.1 - patch - -- name: "18.9.45.8.1 | PATCH | (L1) Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'" - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection - name: DisableIOAVProtection - data: 0 - type: dword - when: - - rule_18_9_45_8_1 - tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.45.8.1 - - patch - -- name: "18.9.45.8.3 | PATCH | Ensure Turn on behavior monitoring is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection - name: DisableBehaviorMonitoring - data: 0 - type: dword - when: - - rule_18_9_45_8_3 - tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.45.8.3 - - patch + - defender + +# - name: "18.9.45.8.1 | PATCH | (L1) Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'" +# win_regedit: +# path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection +# name: DisableIOAVProtection +# data: 0 +# type: dword +# when: +# - rule_18_9_45_8_1 +# tags: +# - level1-domaincontroller +# - level1-memberserver +# - rule_18.9.45.8.1 +# - patch - name: "18.9.45.4.1.1 | PATCH | Ensure Configure Attack Surface Reduction rules is set to Enabled" win_regedit: @@ -1982,6 +2329,7 @@ - level1-memberserver - rule_18.9.45.4.1.1 - patch + - defender - name: "18.9.45.4.1.2 | PATCH | Ensure Configure Attack Surface Reduction rules Set the state for each ASR rule is configured" win_regedit: @@ -2009,6 +2357,7 @@ - level1-memberserver - rule_18.9.45.4.1.2 - patch + - defender - name: "18.9.45.4.3.1 | PATCH | Ensure Prevent users and apps from accessing dangerous websites is set to Enabled Block" win_regedit: 
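Review bot: The 18.9.45.8.1 task retained as a `+#` comment block in this hunk is dead text — the same task is re-added as 18.9.47.9.1 later in this patch, so the commented copy only invites drift between the two. Delete it rather than carrying it forward as a comment; the same applies to the commented-out 18.9.95.1 block further down, which is likewise re-added as 18.9.100.1 with updated values.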
@@ -2023,22 +2372,9 @@ - level1-memberserver - rule_18.9.45.4.3.1 - patch + - defender -- name: "18.9.45.8.2 | PATCH | Ensure 'Turn off real-time protection' is set to 'Disabled'" - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection - name: DisableRealtimeMonitoring - data: 1 - datatype: dword - when: - - rule_18_9_45_8_2 - tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.45.8.2 - - patch - -- name: "18.9.45.10.1 | PATCH | L2 | Ensure Configure Watson events is set to Disabled" +- name: "18.9.45.10.1 | PATCH | Ensure Configure Watson events is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Defender\Reporting name: DisableGenericRePorts @@ -2051,6 +2387,7 @@ - level2-memberserver - rule_18.9.77.9.1 - patch + - defender - name: "18.9.45.11.1 | PATCH | Ensure Scan removable drives is set to Enabled" win_regedit: @@ -2065,6 +2402,7 @@ - level1-memberserver - rule_18.9.45.11.1 - patch + - defender - name: "18.9.45.11.2 | PATCH | Ensure Turn on e-mail scanning is set to Enabled" win_regedit: @@ -2079,6 +2417,7 @@ - level1-memberserver - rule_18.9.45.11.2 - patch + - defender - name: "18.9.45.14 | PATCH | Ensure Configure detection for potentially unwanted applications is set to Enabled Block" win_regedit: @@ -2093,6 +2432,7 @@ - level1-memberserver - rule_18.9.45.14 - patch + - defender - name: "18.9.45.15 | PATCH | Ensure Turn off Windows Defender AntiVirus is set to Disabled" win_regedit: 
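Review bot: The tag list under the 18.9.45.10.1 task still carries the old-ID tag `- rule_18.9.77.9.1` (a context line in the hunk at -2051), so that task cannot be selected or skipped with `--tags rule_18.9.45.10.1` like its neighbours, and the tag no longer matches the task name or, presumably, its `when` variable. The same stale tag survives under 18.9.62.3.9.2 (`- rule_18.9.59.3.9.2`), 18.9.62.3.11.1 (`- rule_18.9.59.3.11.1`), 18.9.69.1 (`- rule_18.9.66.1`) and 18.9.108.4.1 (`- rule_18.9.102.1.1`) in later hunks of this file. Each should be rewritten to `- rule_<new benchmark id>` so the tag, the task name and the `when` variable agree.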
@@ -2107,6 +2447,71 @@ - level1-memberserver - rule_18.9.45.15 - patch + - defender + +- name: "18.9.47.9.1 | PATCH | Ensure Scan all downloaded files and attachments is set to Enabled" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection + name: DisableIOAVProtection + data: 0 + type: dword + when: + - rule_18_9_47_9_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.47.9.1 + - patch + - defender + - real_time_protection + +- name: "18.9.47.9.2 | PATCH | Ensure 'Turn off real-time protection' is set to 'Disabled'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection + name: DisableRealtimeMonitoring + data: 1 + datatype: dword + when: + - rule_18_9_47_9_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.47.9.2 + - patch + - defender + - real_time_protection + +- name: "18.9.47.9.3 | PATCH | Ensure Turn on behavior monitoring is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection + name: DisableBehaviorMonitoring + data: 0 + type: dword + when: + - rule_18_9_47_9_3 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.47.9.3 + - patch + - defender + - real_time_protection + +- name: "18.9.47.9.4 | PATCH | Ensure 'Turn on script scanning' is set to 'Enabled'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection + name: DisableScriptScanning + data: 0 + type: dword + when: + - rule_18_9_47_9_4 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.47.9.4 + - patch + - defender + - real_time_protection - name: "18.9.55.1 | PATCH | Ensure Prevent the usage of OneDrive for file storage is set to Enabled" win_regedit: @@ -2121,6 +2526,7 @@ - level1-memberserver - rule_18.9.55.1 - patch + - onedrive - name: "18.9.62.2.2 | PATCH | Ensure Do not allow passwords to be saved is set to Enabled" win_regedit: 
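Review bot: The new 18.9.47.9.2 task writes `DisableRealtimeMonitoring` with `data: 1`, which turns real-time protection off — the opposite of the control in its own name ("'Turn off real-time protection' is set to 'Disabled'"); the sibling tasks in this hunk correctly write `data: 0` to their `Disable*` values. The same task uses `datatype: dword` where every other task here (and the module) uses `type: dword`, so as written it is expected to fail on an unsupported parameter before writing anything. Both lines were carried over from the removed 18.9.45.8.2 task; change them to `data: 0` and `type: dword`.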
@@ -2135,8 +2541,9 @@ - level1-memberserver - rule_18.9.62.2.2 - patch + - terminalservices -- name: "18.9.62.3.2.1 | PATCH | L2 | Ensure Restrict Remote Desktop Services users to a single Remote Desktop Services session is set to Enabled" +- name: "18.9.62.3.2.1 | PATCH | Ensure Restrict Remote Desktop Services users to a single Remote Desktop Services session is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: fSingleSessionPerUser @@ -2149,8 +2556,9 @@ - level2-memberserver - rule_18.9.62.3.2.1 - patch + - terminalservices -- name: "18.9.62.3.3.1 | PATCH | L2 | Ensure Do not allow COM port redirection is set to Enabled" +- name: "18.9.62.3.3.1 | PATCH | Ensure Do not allow COM port redirection is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: fDisableCcm @@ -2163,6 +2571,7 @@ - level2-memberserver - rule_18.9.62.3.3.1 - patch + - terminalservices - name: "18.9.62.3.3.2 | PATCH | Ensure Do not allow drive redirection is set to Enabled" win_regedit: @@ -2177,8 +2586,9 @@ - level1-memberserver - rule_18.9.62.3.3.2 - patch + - terminalservices -- name: "18.9.62.3.3.3 | PATCH | L2 | Ensure Do not allow LPT port redirection is set to Enabled" +- name: "18.9.62.3.3.3 | PATCH | Ensure Do not allow LPT port redirection is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: fDisableLPT @@ -2191,8 +2601,9 @@ - level2-memberserver - rule_18.9.62.3.3.3 - patch + - terminalservices -- name: "18.9.62.3.3.4 | PATCH | L2 | Ensure Do not allow supported Plug and Play device redirection is set to Enabled" +- name: "18.9.62.3.3.4 | PATCH | Ensure Do not allow supported Plug and Play device redirection is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: fDisablePNPRedir 
@@ -2205,6 +2616,7 @@ - level2-memberserver - rule_18.9.62.3.3.4 - patch + - terminalservicess - name: "18.9.62.3.9.1 | PATCH | Ensure Always prompt for password upon connection is set to Enabled" win_regedit: @@ -2219,6 +2631,7 @@ - level1-memberserver - rule_18.9.62.3.9.1 - patch + - terminalservices - name: "18.9.62.3.9.2 | PATCH | Ensure Require secure RPC communication is set to Enabled" win_regedit: @@ -2233,6 +2646,7 @@ - level1-memberserver - rule_18.9.59.3.9.2 - patch + - terminalservices - name: "18.9.62.3.9.3 | PATCH | Ensure Require use of specific security layer for remote RDP connections is set to Enabled SSL" win_regedit: @@ -2247,6 +2661,7 @@ - level1-memberserver - rule_18.9.62.3.9.3 - patch + - terminalservices - name: "18.9.62.3.9.4 | PATCH | Ensure Require user authentication for remote connections by using Network Level Authentication is set to Enabled" win_regedit: @@ -2261,6 +2676,7 @@ - level1-memberserver - rule_18.9.62.3.9.4 - patch + - terminalservices - name: "18.9.62.3.9.5 | PATCH | Ensure Set client connection encryption level is set to Enabled High Level" win_regedit: @@ -2275,8 +2691,9 @@ - level1-memberserver - rule_18.9.62.3.9.5 - patch + - terminalservices -- name: "18.9.62.3.10.1 | PATCH | L2 | Ensure Set time limit for active but idle Remote Desktop Services sessions is set to Enabled 15 minutes or less" +- name: "18.9.62.3.10.1 | PATCH | Ensure Set time limit for active but idle Remote Desktop Services sessions is set to Enabled 15 minutes or less" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: MaxIdleTime 
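Review bot: The tag added under 18.9.62.3.3.4 is misspelled `- terminalservicess`, so that task is left out of any `--tags terminalservices` run while its siblings are included. It should read `- terminalservices`, as in the other Terminal Services hunks of this file.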
@@ -2289,8 +2706,9 @@ - level2-memberserver - rule_18.9.62.3.10.1 - patch + - terminalservices -- name: "18.9.62.3.10.2 | PATCH | L2 | Ensure Set time limit for disconnected sessions is set to Enabled 1 minute" +- name: "18.9.62.3.10.2 | PATCH | Ensure Set time limit for disconnected sessions is set to Enabled 1 minute" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: MaxDisconnectionTime @@ -2303,6 +2721,7 @@ - level2-memberserver - rule_18.9.62.3.10.2 - patch + - terminalservices - name: "18.9.62.3.11.1 | PATCH | Ensure Do not delete temp folders upon exit is set to Disabled" win_regedit: @@ -2317,6 +2736,7 @@ - level1-memberserver - rule_18.9.59.3.11.1 - patch + - terminalservices - name: "18.9.62.3.11.2 | PATCH | Ensure Do not use temporary folders per session is set to Disabled" win_regedit: @@ -2331,6 +2751,7 @@ - level1-memberserver - rule_18.9.62.3.11.2 - patch + - terminalservices - name: "18.9.63.1 | PATCH | Ensure Prevent downloading of enclosures is set to Enabled" win_regedit: @@ -2345,8 +2766,9 @@ - level1-memberserver - rule_18.9.63.1 - patch + - enclosure -- name: "18.9.64.2 | PATCH | L2 | Ensure Allow Cloud Search is set to Enabled Disable Cloud Search" +- name: "18.9.64.2 | PATCH | Ensure Allow Cloud Search is set to Enabled Disable Cloud Search" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search name: AllowCloudSearch @@ -2359,6 +2781,8 @@ - level2-memberserver - rule_18.9.64.2 - patch + - search + - cloud - name: "18.9.64.3 | PATCH | Ensure Allow indexing of encrypted files is set to Disabled" win_regedit: 
@@ -2373,8 +2797,10 @@ - level1-memberserver - rule_18.9.64.3 - patch + - search + - encrypted -- name: "18.9.69.1 | PATCH | L2 | Ensure Turn off KMS Client Online AVS Validation is set to Enabled" +- name: "18.9.69.1 | PATCH | Ensure Turn off KMS Client Online AVS Validation is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Currentversion\Software Protection Platform name: NoGenTicket @@ -2387,6 +2813,7 @@ - level2-memberserver - rule_18.9.66.1 - patch + - kms - name: "18.9.80.1.1 | PATCH | Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass" block: @@ -2410,8 +2837,9 @@ - level1-memberserver - rule_18.9.80.1.1 - patch + - defender -- name: "18.9.84.1 | PATCH | L2 | Ensure Allow suggested apps in Windows Ink Workspace is set to Disabled" +- name: "18.9.84.1 | PATCH | Ensure Allow suggested apps in Windows Ink Workspace is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace name: AllowSuggestedAppsInWindowsInkWorkspace @@ -2424,6 +2852,7 @@ - level2-memberserver - rule_18.9.84.1 - patch + - wik - name: "18.9.84.2 | PATCH | Ensure Allow Windows Ink Workspace is set to Enabled On but disallow access above lock OR Disabled but not Enabled On" win_regedit: @@ -2438,6 +2867,7 @@ - level1-memberserver - rule_18.9.84.2 - patch + - wik - name: "18.9.85.1 | PATCH | Ensure Allow user control over installs is set to Disabled" win_regedit: @@ -2467,7 +2897,7 @@ - rule_18.9.85.2 - patch -- name: "18.9.85.3 | PATCH | L2 | Ensure Prevent Internet Explorer security prompt for Windows Installer scripts is set to Disabled" +- name: "18.9.85.3 | PATCH | Ensure Prevent Internet Explorer security prompt for Windows Installer scripts is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Installer name: SafeForScripting 
@@ -2480,6 +2910,7 @@ - level2-memberserver - rule_18.9.85.3 - patch + - ie - name: "18.9.86.1 | PATCH | Ensure Sign-in last interactive user automatically after a system-initiated restart is set to Disabled" win_regedit: @@ -2494,34 +2925,23 @@ - level1-memberserver - rule_18.9.86.1 - patch + - logon + +# - name: "18.9.95.1 | PATCH | Ensure Turn on PowerShell Script Block Logging is set to Disabled" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Scriptblocklogging +# name: EnableScriptBlockLogging +# data: 0 +# type: dword +# when: +# - rule_18_9_95_1 +# tags: +# - level1-domaincontroller +# - level1-memberserver +# - rule_18.9.95.1 +# - patch -- name: "18.9.95.1 | PATCH | Ensure Turn on PowerShell Script Block Logging is set to Disabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Scriptblocklogging - name: EnableScriptBlockLogging - data: 0 - type: dword - when: - - rule_18_9_95_1 - tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.95.1 - - patch -- name: "18.9.95.2 | PATCH | Ensure Turn on PowerShell Transcription is set to Disabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Transcription - name: EnableTranscripting - data: 0 - type: dword - when: - - rule_18_9_95_2 - tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.95.2 - - patch - name: "18.9.97.1.1 | PATCH | Ensure Allow Basic authentication is set to Disabled" win_regedit: @@ -2537,6 +2957,7 @@ - level1-memberserver - rule_18.9.97.1.1 - patch + - winrm - name: "18.9.97.1.2 | PATCH | Ensure Allow unencrypted traffic is set to Disabled" win_regedit: @@ -2552,6 +2973,7 @@ - level1-memberserver - rule_18.9.97.1.2 - patch + - winrm - name: "18.9.97.1.3 | PATCH | Ensure Disallow Digest authentication is set to Enabled" win_regedit: 
@@ -2566,6 +2988,7 @@ - level1-memberserver - rule_18.9.97.1.3 - patch + - winrm - name: "18.9.97.2.1 | PATCH | Ensure Allow Basic authentication is set to Disabled" win_regedit: @@ -2581,9 +3004,10 @@ - level1-memberserver - rule_18.9.97.2.1 - patch + - winrm # This control will have to be set to Enabled (1) to allow for continued remote management via Ansible following machine restart -- name: "18.9.97.2.2 | PATCH | L2 | Ensure Allow remote server management through WinRM is set to Disabled" +- name: "18.9.97.2.2 | PATCH | Ensure Allow remote server management through WinRM is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service name: AllowAutoConfig @@ -2597,6 +3021,7 @@ - level2-memberserver - rule_18.9.97.2.2 - patch + - winrm - name: "18.9.97.2.3 | PATCH | Ensure Allow unencrypted traffic is set to Disabled" win_regedit: @@ -2612,6 +3037,8 @@ - level1-memberserver - rule_18.9.97.2.3 - patch + - winrm + - encryption - name: "18.9.97.2.4 | PATCH | Ensure Disallow WinRM from storing RunAs credentials is set to Enabled" win_regedit: @@ -2626,9 +3053,10 @@ - level1-memberserver - rule_18.9.97.2.4 - patch + - winrm # This control will have to be set to Enabled (1) to allow for continued remote management via Ansible following machine restart -- name: "18.9.98.1 | PATCH | L2 | Ensure Allow Remote Shell Access is set to Disabled" +- name: "18.9.98.1 | PATCH | Ensure Allow Remote Shell Access is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service\Winrs name: AllowRemoteShellAccess @@ -2642,6 +3070,7 @@ - level2-memberserver - rule_18.9.98.1 - patch + - winrm - name: "18.9.99.2.1 | PATCH | Ensure Prevent users from modifying settings is set to Enabled" win_regedit: 
@@ -2656,121 +3085,158 @@ - level1-memberserver - rule_18.9.99.2.1 - patch + - accounts + +- name: "19.9.100.1 | PATCH | Ensure Turn on PowerShell Script Block Logging is set to Enabled" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging + name: EnableScriptBlockLogging + data: 1 + type: dword + when: + - rule_18_9_100_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.100.1 + - patch + - powershell + +- name: "18.9.100.2 | PATCH | Ensure Turn on PowerShell Transcription is set to Disabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Transcription + name: EnableTranscripting + data: 0 + type: dword + when: + - rule_18_9_100_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.100.2 + - patch + - powershell + +- name: "18.9.108.1.1 | PATCH | Ensure No auto-restart with logged on users for scheduled automatic updates installations is set to Disabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au + name: NoAutoRebootWithLoggedOnUsers + data: 0 + type: dword + when: + - rule_18_9_108_1_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.108.1.1 + - patch + - winupdate + +- name: "18.9.108.2.1 | PATCH | Ensure Configure Automatic Updates is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au + name: NoAutoUpdate + data: 0 + type: dword + when: + - rule_18_9_108_2_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.108.2.1 + - patch + - winupdate + +- name: "18.9.108.2.2 | PATCH | Ensure Configure Automatic Updates Scheduled install day is set to 0 - Every day" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au + name: ScheduledInstallDay + data: 0 + type: dword + when: + - rule_18_9_108_2_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.108.2.2 + - patch + - 
winupdate -- name: "18.9.102.1.1 | PATCH | Ensure Manage preview builds is set to Enabled Disable preview builds" +- name: "18.9.108.4.1 | PATCH | Ensure Manage preview builds is set to Enabled Disable preview builds" block: - - name: "18.9.102.1.1 | PATCH | Ensure Manage preview builds is set to Enabled Disable preview builds | ManagePreviewBuilds" + - name: "18.9.108.4.1 | PATCH | Ensure Manage preview builds is set to Enabled Disable preview builds | ManagePreviewBuilds" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate name: ManagePreviewBuilds data: 1 type: dword - - name: "18.9.102.1.1 | PATCH | Ensure Manage preview builds is set to Enabled Disable preview builds | ManagePreviewBuilds" + - name: "18.9.108.4.1 | PATCH | Ensure Manage preview builds is set to Enabled Disable preview builds | ManagePreviewBuilds" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate name: ManagePreviewBuildsPolicyValue data: 0 type: dword when: - - rule_18_9_102_1_1 + - rule_18_9_108_4_1 tags: - level1-domaincontroller - level1-memberserver - rule_18.9.102.1.1 - patch + - winupdate -- name: "18.9.102.1.2 | PATCH | Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days" +- name: "18.9.108.4.2 | PATCH | Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days'" block: - - name: "18.9.102.1.2 | PATCH | Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days | DeferFeatureUpdates" + - name: "18.9.108.4.2 | PATCH | Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days' | DeferFeatureUpdates" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate name: DeferFeatureUpdates data: 1 type: dword - - name: "18.9.102.1.2 | PATCH | Ensure Select when Preview Builds and Feature Updates are 
received is set to Enabled Semi-Annual Channel 180 or more days | DeferFeatureUpdatesPeriodInDays" + - name: "18.9.108.4.2 | PATCH | Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days' | DeferFeatureUpdatesPeriodInDays" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate name: DeferFeatureUpdatesPeriodInDays data: 180 type: dword - - name: "18.9.102.1.2 | PATCH | Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days | BranchReadinessLevel" + - name: "18.9.108.4.2 | PATCH | Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days' | BranchReadinessLevel" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate name: BranchReadinessLevel data: 16 type: dword when: - - rule_18_9_102_1_2 + - rule_18_9_108_4_2 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.102.1.2 + - rule_18.9.108.4.2 - patch + - winupdate -- name: "18.9.102.1.3 | PATCH | Ensure Select when Quality Updates are received is set to Enabled 0 days" +- name: "18.9.108.4.3 | PATCH | Ensure Select when Quality Updates are received is set to Enabled 0 days" block: - - name: "18.9.102.1.3 | PATCH | Ensure Select when Quality Updates are received is set to Enabled 0 days | DeferQualityUpdates" + - name: "18.9.108.4.3 | PATCH | Ensure Select when Quality Updates are received is set to Enabled 0 days | DeferQualityUpdates" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate name: DeferQualityUpdates data: 1 type: dword - - name: "18.9.102.1.3 | PATCH | Ensure Select when Quality Updates are received is set to Enabled 0 days | DeferQualityUpdatesPeriodInDays" + - name: "18.9.108.4.3 | PATCH | Ensure Select when Quality Updates are received is set to Enabled 0 days | DeferQualityUpdatesPeriodInDays" win_regedit: path: 
HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate name: DeferQualityUpdatesPeriodInDays data: 0 type: dword when: - - rule_18_9_102_1_3 - tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.102.1.3 - - patch - -- name: "18.9.102.2 | PATCH | Ensure Configure Automatic Updates is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au - name: NoAutoUpdate - data: 0 - type: dword - when: - - rule_18_9_102_2 - tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.102.2 - - patch - -- name: "18.9.102.3 | PATCH | Ensure Configure Automatic Updates Scheduled install day is set to 0 - Every day" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au - name: ScheduledInstallDay - data: 0 - type: dword - when: - - rule_18_9_102_3 - tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.102.3 - - patch - -- name: "18.9.102.4 | PATCH | Ensure No auto-restart with logged on users for scheduled automatic updates installations is set to Disabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au - name: NoAutoRebootWithLoggedOnUsers - data: 0 - type: dword - when: - - rule_18_9_102_4 + - rule_18_9_108_4_3 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.102.4 + - rule_18.9.108.4.3 - patch + - winupdate diff --git a/tasks/section19.yml b/tasks/section19.yml index f735f6b..c1a0854 100644 --- a/tasks/section19.yml +++ b/tasks/section19.yml @@ -22,6 +22,7 @@ - level1-memberserver - rule_19.1.3.1 - patch + - screensaver - name: "19.1.3.2 | PATCH | Ensure Password protect the screen saver is set to Enabled" block: 
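Review bot: The new PowerShell task is named `19.9.100.1 | PATCH | ...` while its `when` variable is `rule_18_9_100_1` and its tag is `rule_18.9.100.1`; the leading `19` is a typo for `18` (the section is 18.9.100, as the following 18.9.100.2 task shows). Change the heading to `- name: "18.9.100.1 | PATCH | Ensure Turn on PowerShell Script Block Logging is set to Enabled"` so log output and tag greps line up. Minor: both sub-tasks of the 18.9.108.4.1 block are suffixed `| ManagePreviewBuilds`, though the second one writes `ManagePreviewBuildsPolicyValue`.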
@@ -47,16 +48,16 @@ - patch - screensaver -- name: "19.1.3.3 | PATCH | Ensure Password protect the screen saver is set to Enabled" +- name: "19.1.3.3 | PATCH |Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" block: - - name: "19.1.3.3 | PATCH | Ensure Password protect the screen saver is set to Enabled" + - name: "19.1.3.3 | PATCH | Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop name: ScreenSaverIsSecure data: 1 type: string - - name: "19.1.3.3 | PATCH | Ensure Password protect the screen saver is set to Enabled" + - name: "19.1.3.3 | PATCH | Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop name: ScreenSaverIsSecure 
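Review bot: The renamed 19.1.3.3 task now claims to enforce the screen-saver timeout, but its body still writes `ScreenSaverIsSecure` with `data: 1` — the password-protect setting that the preceding 19.1.3.2 task already covers — and the only task that set `ScreenSaveTimeOut` (the old 19.1.3.4) is commented out in the next hunk. Net effect: the 900-second timeout control is no longer applied while the task name says it is. The two `win_regedit` entries in this block should use `name: ScreenSaveTimeOut` and `data: 900` (as the commented-out 19.1.3.4 block did), after which that comment block can be deleted; the heading is also missing a space after the second pipe (`| PATCH |Ensure`).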
@@ -69,29 +70,30 @@ - level1-memberserver - rule_19.1.3.3 - patch + - screensaver -- name: "19.1.3.4 | PATCH | Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" - block: - - name: "19.1.3.4 | PATCH | Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" - win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop - name: ScreenSaveTimeOut - data: 900 - type: string +# - name: "19.1.3.4 | PATCH | Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" +# block: +# - name: "19.1.3.4 | PATCH | Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" +# win_regedit: +# path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop +# name: ScreenSaveTimeOut +# data: 900 +# type: string - - name: "19.1.3.4 | PATCH | Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" - win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop - name: ScreenSaveTimeOut - data: 900 - type: string - when: - - rule_19_1_3_4 - tags: - - level1-domaincontroller - - level1-memberserver - - rule_19.1.3.4 - - patch +# - name: "19.1.3.4 | PATCH | Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" +# win_regedit: +# path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop +# name: ScreenSaveTimeOut +# data: 900 +# type: string +# when: +# - rule_19_1_3_4 +# tags: +# - level1-domaincontroller +# - level1-memberserver +# - rule_19.1.3.4 +# - patch - name: "19.5.1.1 | PATCH | Ensure Turn off toast notifications on the lock screen is set to Enabled" block: 
@@ -115,17 +117,18 @@ - level1-memberserver - rule_19.5.1.1 - patch + - toast -- name: "19.6.6.1.1 | PATCH | L2 | Ensure Turn off Help Experience Improvement Program is set to Enabled" +- name: "19.6.6.1.1 | PATCH | Ensure Turn off Help Experience Improvement Program is set to Enabled" block: - - name: "19.6.6.1.1 | PATCH | L2 | Ensure Turn off Help Experience Improvement Program is set to Enabled" + - name: "19.6.6.1.1 | PATCH | Ensure Turn off Help Experience Improvement Program is set to Enabled" win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Assistance\Client\1.0 name: NoImplicitFeedback data: 1 type: dword - - name: "19.6.6.1.1 | PATCH | L2 | Ensure Turn off Help Experience Improvement Program is set to Enabled" + - name: "19.6.6.1.1 | PATCH | Ensure Turn off Help Experience Improvement Program is set to Enabled" win_regedit: path: HKCU:\Software\Policies\Microsoft\Assistance\Client\1.0 name: NoImplicitFeedback @@ -138,6 +141,7 @@ - level2-memberserver - rule_19.6.6.1.1 - patch + - help - name: "19.7.4.1 | PATCH | Ensure Do not preserve zone information in file attachments is set to Disabled" block: @@ -161,6 +165,7 @@ - level1-memberserver - rule_19.7.4.1 - patch + - attachments - name: "19.7.4.2 | PATCH | Ensure Notify antivirus programs when opening attachments is set to Enabled" block: @@ -184,6 +189,7 @@ - level1-memberserver - rule_19.7.4.2 - patch + - antivirus - name: "19.7.8.1 | PATCH | Ensure Configure Windows spotlight on lock screen is set to Disabled" block: @@ -207,6 +213,7 @@ - level1-memberserver - rule_19.7.8.1 - patch + - spotlight - name: "19.7.8.2 | PATCH | Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" block: 
@@ -230,17 +237,18 @@ - level1-memberserver - rule_19.7.8.2 - patch + - spotlight -- name: "19.7.8.3 | PATCH | L2 | Ensure Do not use diagnostic data for tailored experiences is set to Enabled" +- name: "19.7.8.3 | PATCH | Ensure Do not use diagnostic data for tailored experiences is set to Enabled" block: - - name: "19.7.8.3 | PATCH | L2 | Ensure Do not use diagnostic data for tailored experiences is set to Enabled" + - name: "19.7.8.3 | PATCH | Ensure Do not use diagnostic data for tailored experiences is set to Enabled" win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent name: DisableTailoredExperiencesWithDiagnosticData data: 1 type: dword - - name: "19.7.8.3 | PATCH | L2 | Ensure Do not use diagnostic data for tailored experiences is set to Enabled" + - name: "19.7.8.3 | PATCH | Ensure Do not use diagnostic data for tailored experiences is set to Enabled" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent name: DisableTailoredExperiencesWithDiagnosticData @@ -253,17 +261,18 @@ - level2-memberserver - rule_19.7.8.3 - patch + - tailoredexperiences -- name: "19.7.8.4 | PATCH | L2 | Ensure Turn off all Windows spotlight features is set to Enabled" +- name: "19.7.8.4 | PATCH | Ensure Turn off all Windows spotlight features is set to Enabled" block: - - name: "19.7.8.4 | PATCH | L2 | Ensure Turn off all Windows spotlight features is set to Enabled" + - name: "19.7.8.4 | PATCH | Ensure Turn off all Windows spotlight features is set to Enabled" win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent name: DisableWindowsSpotlightFeatures data: 1 type: dword - - name: "19.7.8.4 | PATCH | L2 | Ensure Turn off all Windows spotlight features is set to Enabled" + - name: "19.7.8.4 | PATCH | Ensure Turn off all Windows spotlight features is set to Enabled" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent name: DisableWindowsSpotlightFeatures 
@@ -276,6 +285,7 @@ - level2-memberserver - rule_19.7.8.4 - patch + - spotlight - name: "19.7.8.5 | PATCH | Ensure Turn off Spotlight collection on Desktop is set to Enabled" win_regedit: @@ -314,6 +324,8 @@ - level1-memberserver - rule_19.7.28.1 - patch + - profiles + - sharing - name: "19.7.43.1 | PATCH | Ensure Always install with elevated privileges is set to Disabled" block: @@ -337,17 +349,18 @@ - level1-memberserver - rule_19.7.43.1 - patch + - permissions -- name: "19.7.47.2.1 | PATCH | L2 | Ensure Prevent Codec Download is set to Enabled" +- name: "19.7.47.2.1 | PATCH | Ensure Prevent Codec Download is set to Enabled" block: - - name: "19.7.47.2.1 | PATCH | L2 | Ensure Prevent Codec Download is set to Enabled" + - name: "19.7.47.2.1 | PATCH | Ensure Prevent Codec Download is set to Enabled" win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windowsmediaplayer name: PreventCodecDownload data: 1 type: dword - - name: "19.7.47.2.1 | PATCH | L2 | Ensure Prevent Codec Download is set to Enabled" + - name: "19.7.47.2.1 | PATCH | Ensure Prevent Codec Download is set to Enabled" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windowsmediaplayer name: PreventCodecDownload @@ -360,3 +373,4 @@ - level2-memberserver - rule_19.7.47.2.1 - patch + - codec From f1fa7d06bac48915379feac31d765e8961362593 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Tue, 25 Oct 2022 13:55:25 -0400 Subject: [PATCH 32/32] updates after linting Signed-off-by: George Nalen --- .ansible-lint | 9 +++++++++ .yamllint | 16 +++++++++++++++- collections/requirements.yml | 4 ++++ defaults/main.yml | 13 +++++++------ handlers/main.yml | 1 + meta/main.yml | 1 + site.yml | 6 ++---- tasks/main.yml | 6 ++++++ tasks/prelim.yml | 8 ++++---- tasks/section18.yml | 10 ++++------ tasks/section19.yml | 2 +- 11 files changed, 54 insertions(+), 22 deletions(-) create mode 100644 collections/requirements.yml diff --git a/.ansible-lint b/.ansible-lint index f2a7e7c..470d43e 100755 
--- a/.ansible-lint +++ b/.ansible-lint @@ -1,6 +1,15 @@ parseable: true quiet: true skip_list: + - 'schema' + - 'no-changed-when' + - 'fqcn-builtins' + - 'experimental' + - 'fqcn[action-core]' + - 'fqcn[action]' + - 'name[casing]' + - 'name[template]' + - 'jinja[spacing]' - '204' - '305' - '303' diff --git a/.yamllint b/.yamllint index 93378b9..33c0076 100755 --- a/.yamllint +++ b/.yamllint @@ -9,12 +9,26 @@ extends: default rules: indentation: + # Requiring 4 space indentation spaces: 4 - truthy: disable + # Requiring consistent indentation within a file, either indented or not + indent-sequences: consistent + #truthy: disable braces: max-spaces-inside: 1 level: error brackets: max-spaces-inside: 1 level: error + indentation: + indent-sequences: consistent + level: error line-length: disable + key-duplicates: enable + new-line-at-end-of-file: enable + new-lines: + type: unix + trailing-spaces: enable + truthy: + allowed-values: ['true', 'false'] + check-keys: false diff --git a/collections/requirements.yml b/collections/requirements.yml new file mode 100644 index 0000000..c0d1d51 --- /dev/null +++ b/collections/requirements.yml @@ -0,0 +1,4 @@ +--- + +collections: +- name: community.windows diff --git a/defaults/main.yml b/defaults/main.yml index 26a2864..6005ded 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
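Review bot: Adding `schema` and `no-changed-when` to `skip_list` silences two rules that catch real defects (malformed playbook/task/meta structure, and command tasks that always report changed) for the whole role, not just the current findings. If the goal is to get past existing noise, prefer `warn_list` or per-task `# noqa` so new violations still surface; the `fqcn[...]`, `name[...]` and `jinja[spacing]` entries are style-only and are fine to skip.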
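Review bot: The `rules:` mapping in `.yamllint` now has two `indentation:` keys — the existing one (with `spaces: 4` and the new `indent-sequences: consistent`) and a second one added lower down with `indent-sequences: consistent` and `level: error`. Most parsers keep the last duplicate, so `spaces: 4` would be silently dropped, and the same patch enables `key-duplicates`, which would flag this very file. Fold `level: error` into the first `indentation:` block and delete the second; the leftover `#truthy: disable` comment can also go now that `truthy:` is configured below.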
@@ -35,21 +35,21 @@ min_ansible_version: "2.6"
# We've defined complexity-high to mean that we cannot automatically remediate
# the rule in question. In the future this might mean that the remediation
# may fail in some cases.
-complexity_high: no
+complexity_high: false
# Show "changed" for complex items not remediated per complexity-high setting
# to make them stand out. "changed" items on a second run of the role would
# indicate items requiring manual review.
-audit_complex: yes
+audit_complex: true
# We've defined disruption-high to indicate items that are likely to cause
# disruption in a normal workflow. These items can be remediated automatically
# but are disabled by default to avoid disruption.
-disruption_high: no
+disruption_high: false
# Show "changed" for disruptive items not remediated per disruption-high
# setting to make them stand out.
-audit_disruptive: yes
+audit_disruptive: true
skip_for_travis: false
@@ -57,7 +57,7 @@ workaround_for_disa_benchmark: true
workaround_for_ssg_benchmark: true
# tweak role to run in a non-privileged container
-system_is_container: no
+system_is_container: false
# set to false to skip tasks that either have not been developed or cannot be automated
is_implemented: false
@@ -390,6 +390,8 @@ rule_18_9_14_1: true
rule_18_9_14_2: true
rule_18_9_15_1: true
rule_18_9_15_2: true
+rule_18_9_16_1: true
+rule_18_9_16_2: true
rule_18_9_17_1: true
rule_18_9_17_2: true
rule_18_9_17_3: true
@@ -554,7 +556,6 @@ legalnoticecaption: "DoD Notice and Consent Banner"
# This is a variable to determine if Windows Manager should be included in this step
increase_scheduling_priority_users: '{{ ["Administrators"] if (windows_installation_type=="Server Core") else (["Administrators","Window Manager\Window Manager Group"]) }}'
-
# 9.1.5
# domain_firewall_log_path is the path to the domain firewall log files. The control suggests %SystemRoot%\System32\logfiles\firewall\domainfw.log
# This is a variable to give some leway on where to store these log files
diff --git a/handlers/main.yml b/handlers/main.yml
index 6e8efd4..bcc9fd2 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,4 +1,5 @@
---
+
- name: reboot_windows
win_reboot:
reboot_timeout: 3600
diff --git a/meta/main.yml b/meta/main.yml
index 478487b..85b0cd9 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -5,6 +5,7 @@ galaxy_info:
company: "MindPoint Group"
license: MIT
role_name: windows_2019_cis
+ namespace: mindpointgroup
min_ansible_version: 2.6
platforms:
diff --git a/site.yml b/site.yml
index 644ad68..2161d3d 100644
--- a/site.yml
+++ b/site.yml
@@ -1,8 +1,6 @@
---
-- hosts: all
- vars:
- is_container: false
+
+- hosts: all # noqa: name[play]
roles:
- role: "{{ playbook_dir }}"
- system_is_container: "{{ is_container | default(false) }}"
diff --git a/tasks/main.yml b/tasks/main.yml
index c3e0ed9..8b13cad 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -41,6 +41,12 @@
tags:
- section02
+- name: Execute the section 5 tasks
+ import_tasks: section05.yml
+ when: section05_patch | bool
+ tags:
+ - section05
+
- name: Execute the section 9 tasks
import_tasks: section09.yml
when: section09_patch | bool
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index 78e5527..c4ab829 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
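Review bot: If I read the collapsed site.yml hunk right (old 8 / new 6 lines), the role parameter `system_is_container: "{{ is_container | default(false) }}"` is removed together with the `is_container` play var, so anyone who toggled container mode with an `is_container` extra-var now silently gets the role default `system_is_container: false` from defaults/main.yml. That is a behaviour change rather than a lint fix; either keep the parameter line under `- role: "{{ playbook_dir }}"` or state in the commit message that `system_is_container` must now be set directly.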
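Review bot: The new `import_tasks: section05.yml` / `when: section05_patch | bool` block in tasks/main.yml depends on a tasks/section05.yml file and a `section05_patch` variable, and neither appears in this commit: the diffstat lists 11 files with no section05.yml, and the defaults/main.yml hunks add no `section05_patch`. If they do not already exist from an earlier patch in the series, `import_tasks` fails at play parse time and the `when` errors on an undefined variable on every host. Confirm both are present, or add `section05_patch: true` to defaults/main.yml alongside the flag the existing `section09_patch` check relies on, in the same commit.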
@@ -17,15 +17,15 @@
- name: set fact if domain member server
set_fact:
win2019cis_is_domain_member: true
- when:
+ when:
- ansible_windows_domain_role == 'Member server'
- name: Get Windows installation type
win_reg_stat:
- path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion
- name: InstallationType
+ path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion
+ name: InstallationType
register: get_windows_installation_type
- name: Set Windows installation type
set_fact:
- windows_installation_type: "{{ get_windows_installation_type.value | default('') }}"
+ windows_installation_type: "{{ get_windows_installation_type.value | default('') }}"
diff --git a/tasks/section18.yml b/tasks/section18.yml
index 8d703ee..18d3946 100644
--- a/tasks/section18.yml
+++ b/tasks/section18.yml
@@ -115,7 +115,7 @@
type: dword
when:
- rule_18_2_4
- ansible_windows_domain_role == "Member Server"
+ - ansible_windows_domain_role != "Member Server"
tags:
- level1-memberserver
- rule_18.2.4
@@ -1078,7 +1078,7 @@
win_regedit:
path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\DisableBkGndGroupPolicy
state: absent
- delete_key: yes
+ delete_key: false
when:
- rule_18_8_21_5
tags:
@@ -1916,7 +1916,7 @@
- rule_18.9.17.3
- patch
- onesettings
-
+
- name: "18.9.17.4 | PATCH | Ensure Do not show feedback notifications is set to Enabled"
win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection
@@ -2941,8 +2941,6 @@
# - rule_18.9.95.1
# - patch
-
-
- name: "18.9.97.1.1 | PATCH | Ensure Allow Basic authentication is set to Disabled"
win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client
@@ -3060,7 +3058,7 @@
win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service\Winrs
name: AllowRemoteShellAccess
- data: 1
+ data: 0
type: dword
when:
- rule_18_9_98_1
diff --git a/tasks/section19.yml b/tasks/section19.yml
index c1a0854..5600eb8 100644
--- a/tasks/section19.yml
+++ b/tasks/section19.yml
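Review bot: Flipping `==` to `!=` on the rule_18_2_4 condition in tasks/section18.yml inverts which hosts receive the setting and is not a lint fix: the task stays tagged `level1-memberserver`, yet its `when` now excludes exactly the hosts whose `ansible_windows_domain_role` is "Member Server", which reads as a contradiction and needs either an explanation in the commit message or its own commit. The string also compares `"Member Server"` (capital S) while tasks/prelim.yml in this same patch compares the same fact against `'Member server'`; if the fact carries the lower-case form, the `!=` is true on every host and the filter does nothing. Use one spelling in both files, e.g. `- ansible_windows_domain_role != 'Member server'`, or reuse the `win2019cis_is_domain_member` fact that prelim.yml already sets.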
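Review bot: `delete_key: yes` → `delete_key: false` at `@@ -1078` is not the truthy normalization the commit title implies (that would be `delete_key: true`); it inverts the flag, and with `state: absent` and no value `name` visible in the hunk, win_regedit then only clears the `DisableBkGndGroupPolicy` key's values instead of deleting the key, changing what rule_18_8_21_5 remediates. The same pattern appears at `@@ -3060`, where `data: 1` becomes `data: 0` for `AllowRemoteShellAccess` (rule_18_9_98_1), a remediation-value change with no mention in the message. Restore `delete_key: true` unless the key deletion was itself wrong, and either document both value changes in the commit message or split them out of the lint commit so they can be reviewed against the benchmark text.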
@@ -48,7 +48,7 @@ - patch - screensaver -- name: "19.1.3.3 | PATCH |Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" +- name: "19.1.3.3 | PATCH | Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" block: - name: "19.1.3.3 | PATCH | Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" win_regedit: