From 50ec7782c30acbd25ed471f1a4e7b4f6d699fbf4 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 28 Sep 2023 14:35:14 -0400 Subject: [PATCH 01/18] Typo fixes and Yaml clean up Signed-off-by: Frederick Witty --- .../workflows/devel_pipeline_validation.yml | 20 +++++++------- .../workflows/main_pipeline_validation.yml | 18 ++++++------- .github/workflows/update_galaxy.yml | 2 +- .yamllint | 1 + CONTRIBUTING.rst | 22 +++++++-------- ChangeLog.md | 7 ++++- LICENSE | 2 +- README.md | 14 +++++----- meta/main.yml | 3 ++- tasks/main.yml | 27 ++++++++++++------- tasks/section01_cloud_lockout_order.yml | 1 + tasks/warning_facts.yml | 2 +- 12 files changed, 66 insertions(+), 53 deletions(-) diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml index 0aae7a5..b15929f 100644 --- a/.github/workflows/devel_pipeline_validation.yml +++ b/.github/workflows/devel_pipeline_validation.yml @@ -1,13 +1,11 @@ --- -# This is a basic workflow to help you get started with Actions - name: Devel Pipeline Validation # Controls when the action will run. # Triggers the workflow on push or pull request # events but only for the devel branch -on: # yamllint disable-line rule:truthy +on: # yamllint disable-line rule:truthy pull_request_target: types: [opened, reopened, synchronize] branches: 
@@ -32,16 +30,16 @@ jobs: repo-token: ${{ secrets.GITHUB_TOKEN }} pr-message: |- Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! - Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well. + Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well. - # This workflow will run terraform to load a instance in azure to test the playbook against a live cloud based instance. + # This workflow will run Terraform to load an instance in Azure to test the playbook against a live cloud-based instance. playbook-test: # The type of runner that the job will run on. runs-on: ubuntu-latest env: ENABLE_DEBUG: false - # Imported as a variable by terraform. + # Imported as a variable by Terraform. TF_VAR_repository: ${{ github.event.repository.name }} ARM_CLIENT_ID: ${{ secrets.AZURE_AD_CLIENT_ID }} ARM_CLIENT_SECRET: ${{ secrets.AZURE_AD_CLIENT_SECRET }} @@ -75,7 +73,7 @@ jobs: - name: user details run: echo "{\"username\":\"${WIN_USERNAME}\",\"password\":\"${WIN_PASSWORD}\"}" >> sensitive_info.json - # Show the Os Var and Benchmark Type And Load + # Show the OS Var, Benchmark Type and Load - name: DEBUG - Show IaC files if: env.ENABLE_DEBUG == 'true' run: | @@ -84,7 +82,7 @@ jobs: pwd ls env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -93,7 +91,7 @@ jobs: id: init run: terraform init env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from github variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} 
@@ -102,7 +100,7 @@ jobs: id: validate run: terraform validate env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from github variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -110,7 +108,7 @@ jobs: - name: Terraform_Apply id: apply env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file WIN_USERNAME: ${{ secrets.WIN_USERNAME }} WIN_PASSWORD: ${{ secrets.WIN_PASSWORD }} OSVAR: ${{ vars.OSVAR }} diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml index 438dd55..59cc942 100644 --- a/.github/workflows/main_pipeline_validation.yml +++ b/.github/workflows/main_pipeline_validation.yml @@ -1,13 +1,11 @@ --- -# This is a basic workflow to help you get started with Actions - name: Main Pipeline Validation # Controls when the action will run. # Triggers the workflow on push or pull request # events but only for the devel branch -on: # yamllint disable-line rule:truthy +on: # yamllint disable-line rule:truthy pull_request_target: types: [opened, reopened, synchronize] branches: 
@@ -22,14 +20,14 @@ on: # yamllint disable-line rule:truthy # A workflow run is made up of one or more jobs that can run sequentially or in parallel # This setion contains all the jobs below that are running in the workflow. jobs: - # This workflow will run terraform to load a instance in azure to test the playbook against a live cloud based instance. + # This workflow will run Terraform to load an instance in Azure to test the playbook against a live cloud-based instance. playbook-test: # The type of runner that the job will run on. runs-on: ubuntu-latest env: ENABLE_DEBUG: false - # Imported as a variable by terraform. + # Imported as a variable by Terraform. TF_VAR_repository: ${{ github.event.repository.name }} ARM_CLIENT_ID: ${{ secrets.AZURE_AD_CLIENT_ID }} ARM_CLIENT_SECRET: ${{ secrets.AZURE_AD_CLIENT_SECRET }} @@ -63,7 +61,7 @@ jobs: - name: user details run: echo "{\"username\":\"${WIN_USERNAME}\",\"password\":\"${WIN_PASSWORD}\"}" >> sensitive_info.json - # Show the Os Var and Benchmark Type And Load + # Show the OS Var, Benchmark Type And Load - name: DEBUG - Show IaC files if: env.ENABLE_DEBUG == 'true' run: | @@ -72,7 +70,7 @@ jobs: pwd ls env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -81,7 +79,7 @@ jobs: id: init run: terraform init env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from github variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} 
@@ -90,7 +88,7 @@ jobs: id: validate run: terraform validate env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from github variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -98,7 +96,7 @@ jobs: - name: Terraform_Apply id: apply env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from github variables this is used to load the relevant OS.tfvars file WIN_USERNAME: ${{ secrets.WIN_USERNAME }} WIN_PASSWORD: ${{ secrets.WIN_PASSWORD }} OSVAR: ${{ vars.OSVAR }} diff --git a/.github/workflows/update_galaxy.yml b/.github/workflows/update_galaxy.yml index 14ea5bf..250ce79 100644 --- a/.github/workflows/update_galaxy.yml +++ b/.github/workflows/update_galaxy.yml @@ -1,4 +1,4 @@ -# This is a basic workflow to help you get started with Actions +--- name: Update Galaxy diff --git a/.yamllint b/.yamllint index 65faae6..db1b758 100755 --- a/.yamllint +++ b/.yamllint @@ -1,4 +1,5 @@ --- + extends: default ignore: | diff --git a/CONTRIBUTING.rst b/CONTRIBUTING.rst index 23ce2fb..60fcb9a 100644 --- a/CONTRIBUTING.rst +++ b/CONTRIBUTING.rst 
@@ -6,13 +6,13 @@ Rules 1) All commits must be GPG signed (details in Signing section) 2) All commits must have Signed-off-by (Signed-off-by: Joan Doe ) in the commit message (details in Signing section) 3) All work is done in your own branch -4) All pull requests go into the devel branch. There are automated checks for signed commits, signoff in commit message, and functional testing) -5) Be open and nice to eachother +4) All pull requests go into the devel branch. There are automated checks for signed commits, Signed-off-by in commit messages, and functional testing) +5) Be open and nice to each other Workflow -------- -- Your work is done in your own individual branch. Make sure to to Signed-off and GPG sign all commits you intend to merge -- All community Pull Requests are into the devel branch. There are automated checks for GPG signed, Signed-off in commits, and functional tests before being approved. If your pull request comes in from outside of our repo, the pull request will go into a staging branch. There is info needed from our repo for our CI/CD testing. +- Your work is done in your own individual branch. Make sure to to Signed-off-by and GPG sign all commits you intend to merge +- All community Pull Requests are to the devel branch. There are automated checks for GPG signed, Signed-off in commits, and functional tests before being approved. If your pull request comes in from outside of our repo, the pull request will go into a staging branch. There is info needed from our repo for our CI/CD testing. - Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release Signing your contribution 
@@ -30,24 +30,24 @@ The process is to certify the below DCO 1.1 text By making a contribution to this project, I certify that: (a) The contribution was created in whole or in part by me and I - have the right to submit it under the open source license + have the right to submit it under the open-source license indicated in the file; or (b) The contribution is based upon previous work that, to the best - of my knowledge, is covered under an appropriate open source + of my knowledge, is covered under an appropriate open-source license and I have the right under that license to submit that work with modifications, whether created in whole or in part - by me, under the same open source license (unless I am + by me, under the same open-source license (unless I am permitted to submit under a different license), as indicated in the file; or - (c) The contribution was provided directly to me by some other - person who certified (a), (b) or (c) and I have not modified + (c) The contribution was provided directly to me by another + contributor who certified (a), (b), or (c) and I have not modified it. (d) I understand and agree that this project and the contribution are public and that a record of the contribution (including all - personal information I submit with it, including my sign-off) is + personal information I submit with it, including my Signed-off-by) is maintained indefinitely and may be redistributed consistent with this project or the open source license(s) involved. :: @@ -64,4 +64,4 @@ following text in your contribution commit message: This message can be entered manually, or if you have configured git with the correct `user.name` and `user.email`, you can use the `-s` -option to `git commit` to automatically include the signoff message. +option to `git commit` to automatically include the Signed-off-by message. diff --git a/ChangeLog.md b/ChangeLog.md index d5084a1..6ba176c 100644 --- a/ChangeLog.md +++ b/ChangeLog.md 
@@ -1,11 +1,16 @@ # Changelog +## Release 2.0.0 + +October 2023 Update +- Update Controls to CIS V2.0.0 released 04-05-2023 + ## Release 1.3.0 August 2023 Update - Updated Workflows To Central Repo - Renamed them to better run across all repos. -- Removed Templates & PR Temmplate from repo and adjusted to Org level. +- Removed Templates & PR Template from repo and adjusted to Org level. - Updated Readme Layout to add new pipeline badges. - Section1_Cloud moved from tasks/main and renamed to section1_cloud_lockout_order and in section1.yml workflow. - Updated Tags in tasks/main. diff --git a/LICENSE b/LICENSE index 39810af..4ed247b 100644 --- a/LICENSE +++ b/LICENSE @@ -1,6 +1,6 @@ MIT License -Copyright (c) 2023 Mindpoint Group / Lockdown Enterprise +Copyright (c) 2023 MindPoint Group / Lockdown Enterprise Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal diff --git a/README.md b/README.md index 4314f3c..80206ef 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ ## Configure a Windows 2019 system to be [CIS](https://www.cisecurity.org/cis-benchmarks/) compliant -### Based on [ Microsoft Windows Server 2019 Benchmark v1.3.0 - 03-18-2022 ](https://www.cisecurity.org/cis-benchmarks/) +### Based on [ Microsoft Windows Server 2019 Benchmark v2.0.0 - 04-05-2023 ](https://www.cisecurity.org/cis-benchmarks/) --- @@ -40,7 +40,7 @@ ### Community -On our [Discord Server](https://discord.io/ansible-lockdown) to ask questions, discuss features, or just chat with other Ansible-Lockdown users +On our [Discord Server](https://www.lockdownenterprise.com/discord) to ask questions, discuss features, or just chat with other Ansible-Lockdown users --- 
@@ -98,7 +98,7 @@ Currently this release does not have a auditing tool that is up to date. - [Tower User Guide](https://docs.ansible.com/ansible-tower/latest/html/userguide/index.html) - [Ansible Community Info](https://docs.ansible.com/ansible/latest/community/index.html) - Functioning Ansible and/or Tower Installed, configured, and running. This includes all of the base Ansible/Tower configurations, needed packages installed, and infrastructure setup. -- Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consiquences in a live production system. Also familiarize yourself with the variables in the defaults/main.yml file. +- Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consequences in a live production system. Also familiarize yourself with the variables in the defaults/main.yml file. **Technical Dependencies:** @@ -119,7 +119,7 @@ This role is designed that the end user should not have to edit the tasks themse ## Tags -There are many tags available for added control precision. Each control has it's own set of tags noting what level, if it's scored/notscored, what OS element it relates to, if it's a patch or audit, and the rule number. +There are many tags available for added control precision. Each control has it's own set of tags noting what level, what OS element it relates to, if it's a patch or audit, and the rule number. Below is an example of the tag section from a control within this role. Using this example if you set your run to skip all controls with the tag smb, this task will be skipped. The opposite can also happen where you run only controls tagged with smb. 
@@ -127,7 +127,7 @@ Below is an example of the tag section from a control within this role. Using th tags: - level1-domaincontroller - level1-memberserver - - win19cis_rule_18.3.3 + - rule_18.3.3 - patch - smb ``` @@ -136,9 +136,9 @@ Below is an example of the tag section from a control within this role. Using th We encourage you (the community) to contribute to this role. Please read the rules below. -- Your work is done in your own individual branch. Make sure to Signed-off and GPG sign all commits you intend to merge. +- Your work is done in your own individual branch. Make sure to Signed-off-by and GPG sign all commits you intend to merge. - All community Pull Requests are pulled into the devel branch -- Pull Requests into devel will confirm your commits have a GPG signature, Signed-off, and a functional test before being approved +- Pull Requests into devel will confirm your commits have a GPG signature, Signed-off-by, and a functional test before being approved - Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release ## Pipeline Testing diff --git a/meta/main.yml b/meta/main.yml index 06d3bed..4298d27 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -1,6 +1,7 @@ --- + galaxy_info: - author: "Ryan Speelman, Stephen Williams, George Nalen" + author: "Stephen Williams, George Nalen, Mark Bolwell, Frederick Witty Jr." description: "Ansible Role to Apply The Windows Server 2019 CIS Benchmark" company: "MindPoint Group" license: MIT diff --git a/tasks/main.yml b/tasks/main.yml index c90386c..cff664f 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,4 +1,5 @@ --- + - name: Display Banner ansible.builtin.debug: msg: "{{ lockdown_banner.split('\n') }}" 
@@ -31,49 +32,57 @@ - always - name: Include the preliminary tasks - ansible.builtin.include_tasks: prelim.yml + ansible.builtin.include_tasks: + file: prelim.yml tags: - always - prelim_tasks - name: Execute the section 1 tasks - ansible.builtin.import_tasks: section01.yml + ansible.builtin.import_tasks: + file: section01.yml when: win19cis_section01 tags: - section01 - name: Execute the section 2 tasks - ansible.builtin.import_tasks: section02.yml + ansible.builtin.import_tasks: + file: section02.yml when: win19cis_section02 tags: - section02 - name: Execute the section 5 tasks - ansible.builtin.import_tasks: section05.yml + ansible.builtin.import_tasks: + file: section05.yml when: win19cis_section05 tags: - section05 - name: Execute the section 9 tasks - ansible.builtin.import_tasks: section09.yml + ansible.builtin.import_tasks: + file: section09.yml when: win19cis_section09 tags: - section09 - name: Execute the section 17 tasks - ansible.builtin.import_tasks: section17.yml + ansible.builtin.import_tasks: + file: section17.yml when: win19cis_section17 tags: - section17 - name: Execute the section 18 tasks - ansible.builtin.import_tasks: section18.yml + ansible.builtin.import_tasks: + file: section18.yml when: win19cis_section18 tags: - section18 - name: Execute the section 19 tasks - ansible.builtin.import_tasks: section19.yml + ansible.builtin.import_tasks: + file: section19.yml when: win19cis_section19 tags: - section19 @@ -81,6 +90,6 @@ - name: If Warnings found Output count and control IDs affected ansible.builtin.debug: msg: - - "You have {{ warn_count }} Warning(s) that require investigation(s). Their ID’s are listed below:" + - "You have {{ warn_count }} Warning(s) that require investigation(s). Their IDs are listed below:" - "{{ warn_control_list }}" when: warn_count != 0 diff --git a/tasks/section01_cloud_lockout_order.yml b/tasks/section01_cloud_lockout_order.yml index b783b76..8456603 100644 --- a/tasks/section01_cloud_lockout_order.yml 
+++ b/tasks/section01_cloud_lockout_order.yml @@ -1,4 +1,5 @@ --- + # THE FOLLOWING 3 CONTROLS WILL FAIL UNLESS THEY ARE IN THE FOLLOWING ORDER FOR CLOUD BASED SYSTEMS # CONTROL 1.2.2, CONTROL 1.2.1, CONTROL 1.2.3 - name: "1.2.2 | PATCH | Ensure Account lockout threshold is set to 5 or fewer invalid logon attempt(s), but not 0." diff --git a/tasks/warning_facts.yml b/tasks/warning_facts.yml index 37560bd..a98e642 100644 --- a/tasks/warning_facts.yml +++ b/tasks/warning_facts.yml @@ -12,7 +12,7 @@ # # warn_control_list is the main variable to be used and is a list made up of the warn_control_id’s # -# warn_count the main variable for the number of warnings and each time a warn_control_id is added +# warn_count is the main variable for the number of warnings and each time a warn_control_id is added # the count increases by a value of 1 - name: "NO CONTROL ID | AUDIT | Set fact for manual task warning." ansible.builtin.set_fact: From e1d103eebca7b56405672351717dc4f05aabb440 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 5 Oct 2023 08:24:21 -0400 Subject: [PATCH 02/18] Update DC/MS Only Controls on When conditions -1 Signed-off-by: Frederick Witty --- README.md | 4 +-- tasks/section02.yml | 85 +++++++++++++++++++++++++-------------------- tasks/section17.yml | 10 +++--- tasks/section18.yml | 27 +++++++------- 4 files changed, 69 insertions(+), 57 deletions(-) diff --git a/README.md b/README.md index 80206ef..49e3c65 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ ## Configure a Windows 2019 system to be [CIS](https://www.cisecurity.org/cis-benchmarks/) compliant -### Based on [ Microsoft Windows Server 2019 Benchmark v2.0.0 - 04-05-2023 ](https://www.cisecurity.org/cis-benchmarks/) +### Based on [ Microsoft Windows Server 2019 Benchmark v2.0.0 - 04-14-2023 ](https://www.cisecurity.org/cis-benchmarks/) --- 
@@ -77,7 +77,7 @@ Further details can be seen in the [Changelog](./ChangeLog.md) ## Auditing (new) -Currently this release does not have a auditing tool that is up to date. +Currently this release does not have an auditing tool that is up to date. ## Documentation diff --git a/tasks/section02.yml b/tasks/section02.yml index 1569223..e4dd4a6 100644 --- a/tasks/section02.yml +++ b/tasks/section02.yml @@ -14,20 +14,35 @@ - patch - userrights -- name: "2.2.2 & 2.2.3 | PATCH | Ensure Access this computer from the network is set to Administrators, Authenticated Users, & ENTERPRISE DOMAIN CONTROLLERS DC only." +- name: "2.2.2 | PATCH | Ensure Access this computer from the network is set to Administrators, Authenticated Users, & ENTERPRISE DOMAIN CONTROLLERS DC only | Domain Controller" ansible.windows.win_user_right: name: SeNetworkLogonRight users: - Administrators - Authenticated Users + - ENTERPRISE DOMAIN CONTROLLERS action: set when: - - win19cis_rule_2_2_2 or - win19cis_rule_2_2_3 + - win19cis_rule_2_2_2 + - win2019cis_is_domain_controller tags: - level1-domaincontroller - - level1-memberserver - rule_2.2.2 + - patch + - userrights + +- name: "2.2.3 | PATCH | Ensure Access this computer from the network is set to Administrators, Authenticated Users, & ENTERPRISE DOMAIN CONTROLLERS MS only | Member Server" + ansible.windows.win_user_right: + name: SeNetworkLogonRight + users: + - Administrators + - Authenticated Users + action: set + when: + - win19cis_rule_2_2_3 + - win2019cis_is_domain_member + tags: + - level1-memberserver - rule_2.2.3 - patch - userrights @@ -53,7 +68,7 @@ action: set when: - win19cis_rule_2_2_5 - - ansible_windows_domain_role == "Primary domain controller" + - win2019cis_is_domain_controller tags: - level1-domaincontroller - rule_2.2.5 @@ -225,7 +240,7 @@ action: set when: - win19cis_rule_2_2_17 - - ansible_windows_domain_role == "Primary domain controller" + - win2019cis_is_domain_controller tags: - level1-domaincontroller - rule_2.2.17 
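Review bot: Gating the new 2.2.3 task on `win2019cis_is_domain_member` drops the control on stand-alone servers, which the pre-change task (no role condition at all) covered, and the same pattern removes `ansible_windows_domain_role == "Stand-alone server"` from 2.3.9.5 at `@@ -1449,8 +1460,7 @@` and newly adds the gate to 2.3.1.3, 2.3.7.6 and 2.3.10.11 here and 18.8.28.4 in section18.yml. How `win2019cis_is_domain_member` is set is not in the diff (presumably prelim.yml), so unless it is also true for stand-alone hosts these level1 member-server controls silently stop applying to them; either derive the fact as "not a domain controller" or keep the existing `win2019cis_is_standalone` fact in the condition, e.g. `- win2019cis_is_domain_member or win2019cis_is_standalone`. Separately, the new 2.2.3 task name still says `& ENTERPRISE DOMAIN CONTROLLERS MS only` while its `users:` list is only Administrators and Authenticated Users; `- name: "2.2.3 | PATCH | Ensure Access this computer from the network is set to Administrators, Authenticated Users MS only | Member Server"` describes what the task actually sets.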
@@ -252,7 +267,7 @@ when: win19cis_hyperv_installed when: - win19cis_rule_2_2_18 - - not ansible_windows_domain_role == "Primary domain controller" + - win2019cis_is_domain_member tags: - level1-memberserver - rule_2.2.18 @@ -282,7 +297,7 @@ action: add when: - win19cis_rule_2_2_20 - - ansible_windows_domain_role == "Primary domain controller" + - win2019cis_is_domain_controller tags: - level1-domaincontroller - rule_2.2.20 @@ -299,7 +314,7 @@ action: add when: - win19cis_rule_2_2_21 - - ansible_windows_domain_member + - win2019cis_is_domain_member tags: - level1-memberserver - rule_2.2.21 @@ -360,7 +375,7 @@ action: add when: - win19cis_rule_2_2_25 - - ansible_windows_domain_role == "Primary domain controller" + - win2019cis_is_domain_controller tags: - level1-domaincontroller - rule_2.2.25 @@ -376,7 +391,7 @@ action: set when: - win19cis_rule_2_2_26 - - ansible_windows_domain_member + - win2019cis_is_domain_member tags: - level1-memberserver - rule_2.2.26 @@ -390,8 +405,7 @@ action: set when: - win19cis_rule_2_2_27 - - ansible_windows_domain_role == "Primary domain controller" - - win2019cis_is_standalone + - win2019cis_is_domain_controller tags: - level1-domaincontroller - rule_2.2.27 @@ -406,7 +420,7 @@ action: set when: - win19cis_rule_2_2_28 - - ansible_windows_domain_member + - win2019cis_is_domain_member tags: - level1-memberserver - rule_2.2.28 @@ -457,7 +471,7 @@ action: set when: - win19cis_rule_2_2_31 - - ansible_windows_domain_role == "Primary domain controller" + - win2019cis_is_domain_controller tags: - level1-domaincontroller - rule_2.2.31 @@ -478,7 +492,7 @@ action: set when: - win19cis_rule_2_2_32 - - ansible_windows_domain_member + - win2019cis_is_domain_member tags: - level1-memberserver - rule_2.2.32 @@ -537,7 +551,7 @@ action: set when: - win19cis_rule_2_2_36 - - ansible_windows_domain_role == "Primary domain controller" + - win2019cis_is_domain_controller tags: - level2-domaincontroller - rule_2.2.36 
@@ -565,7 +579,7 @@ when: win19cis_exchange_server_running when: - win19cis_rule_2_2_37 - - ansible_windows_domain_role == "Primary domain controller" + - win2019cis_is_domain_controller tags: - level1-domaincontroller - rule_2.2.37 @@ -725,7 +739,7 @@ action: set when: - win19cis_rule_2_2_47 - - ansible_windows_domain_role == "Primary domain controller" + - win2019cis_is_domain_controller tags: - level1-domaincontroller - rule_2.2.47 @@ -755,8 +769,7 @@ value: 0 when: - win19cis_rule_2_3_1_1 - - not ansible_windows_domain_role == "Primary domain controller" - - not win2019cis_is_standalone + - win2019cis_is_domain_member tags: - level1-memberserver - rule_2.3.1.1 @@ -785,6 +798,7 @@ value: 0 when: - win19cis_rule_2_3_1_3 + - win2019cis_is_domain_member tags: - level1-memberserver - rule_2.3.1.3 @@ -935,8 +949,7 @@ type: dword when: - win19cis_rule_2_3_5_1 - - ansible_windows_domain_role == "Primary domain controller" - - not win2019cis_is_standalone + - win2019cis_is_domain_controller tags: - level1-domaincontroller - rule_2.3.5.1 @@ -951,8 +964,7 @@ type: dword when: - win19cis_rule_2_3_5_2 - - ansible_windows_domain_role == "Primary domain controller" - - not win2019cis_is_standalone + - win2019cis_is_domain_controller tags: - level1-domaincontroller - rule_2.3.5.2 @@ -967,8 +979,7 @@ type: dword when: - win19cis_rule_2_3_5_3 - - ansible_windows_domain_role == "Primary domain controller" - - not win2019cis_is_standalone + - win2019cis_is_domain_controller tags: - level1-domaincontroller - rule_2.3.5.3 @@ -983,7 +994,7 @@ type: dword when: - win19cis_rule_2_3_5_4 - - ansible_windows_domain_role == "Primary domain controller" + - win2019cis_is_domain_controller tags: - level1-domaincontroller - rule_2.3.5.4 @@ -998,8 +1009,7 @@ type: dword when: - win19cis_rule_2_3_5_5 - - ansible_windows_domain_role == "Primary domain controller" - - not win2019cis_is_standalone + - win2019cis_is_domain_controller tags: - level1-domaincontroller - rule_2.3.5.5 
@@ -1247,6 +1257,7 @@ when: win19cis_cached_logons_count <= 4 when: - win19cis_rule_2_3_7_6 + - win2019cis_is_domain_member tags: - level2-memberserver - rule_2.3.7.6 @@ -1298,7 +1309,7 @@ type: dword when: - win19cis_rule_2_3_7_8 - - ansible_windows_domain_role == "Member server" + - win2019cis_is_domain_member tags: - level1-memberserver - rule_2.3.7.8 @@ -1449,8 +1460,7 @@ type: dword when: - win19cis_rule_2_3_9_5 - - ansible_windows_domain_role == "Member server" or - ansible_windows_domain_role == "Stand-alone server" + - win2019cis_is_domain_member tags: - level1-memberserver - rule_2.3.9.5 @@ -1479,7 +1489,7 @@ type: dword when: - win19cis_rule_2_3_10_2 - - ansible_windows_domain_role == "Member server" + - win2019cis_is_domain_member tags: - level1-memberserver - rule_2.3.10.2 @@ -1494,7 +1504,7 @@ type: dword when: - win19cis_rule_2_3_10_3 - - ansible_windows_domain_role == "Member server" + - win2019cis_is_domain_member tags: - level1-memberserver - rule_2.3.10.3 @@ -1539,7 +1549,7 @@ type: multistring when: - win19cis_rule_2_3_10_6 - - ansible_windows_domain_role == "Primary domain controller" + - win2019cis_is_domain_controller tags: - level1-domaincontroller - rule_2.3.10.6 @@ -1554,7 +1564,7 @@ type: multistring when: - win19cis_rule_2_3_10_7 - - ansible_windows_domain_role == "Member server" + - win2019cis_is_domain_member tags: - level1-memberserver - rule_2.3.10.7 @@ -1612,6 +1622,7 @@ type: string when: - win19cis_rule_2_3_10_11 + - win2019cis_is_domain_member tags: - level1-memberserver - rule_2.3.10.11 diff --git a/tasks/section17.yml b/tasks/section17.yml index 6192ae9..d423f69 100644 --- a/tasks/section17.yml +++ b/tasks/section17.yml @@ -42,7 +42,7 @@ when: "'Failure' not in rule_17_1_2_audit.stdout" when: - win19cis_rule_17_1_2 - - ansible_windows_domain_role == "Primary domain controller" + - win2019cis_is_domain_controller tags: - level1-domaincontroller - rule_17.1.2 
@@ -111,7 +111,7 @@ when: "'Success' not in rule_17_2_2_audit.stdout" when: - win19cis_rule_17_2_2 - - ansible_windows_domain_role == "Primary domain controller" + - win2019cis_is_domain_controller tags: - level1-domaincontroller - rule_17.2.2 @@ -131,7 +131,7 @@ when: "'Success' not in rule_17_2_3_audit.stdout" when: - win19cis_rule_17_2_3 - - ansible_windows_domain_role == "Primary domain controller" + - win2019cis_is_domain_controller tags: - level1-domaincontroller - rule_17.2.3 @@ -151,7 +151,7 @@ when: "'Success' not in rule_17_2_4_audit.stdout" when: - win19cis_rule_17_2_4 - - ansible_windows_domain_role == "Primary domain controller" + - win2019cis_is_domain_controller tags: - level1-domaincontroller - rule_17.2.4 @@ -275,7 +275,7 @@ when: "'Success' not in rule_17_4_2_audit.stdout" when: - win19cis_rule_17_4_2 - - ansible_windows_domain_role == "Primary domain controller" + - win2019cis_is_domain_controller tags: - level1-domaincontroller - rule_17.4.2 diff --git a/tasks/section18.yml b/tasks/section18.yml index e20265f..3083d77 100644 --- a/tasks/section18.yml +++ b/tasks/section18.yml @@ -68,7 +68,7 @@ type: string when: - win19cis_rule_18_2_1 - - ansible_windows_domain_role == "Member Server" + - win2019cis_is_domain_member tags: - level1-memberserver - rule_18.2.1 @@ -84,7 +84,7 @@ type: dword when: - win19cis_rule_18_2_2 - - ansible_windows_domain_role == "Member Server" + - win2019cis_is_domain_member tags: - level1-memberserver - rule_18.2.2 @@ -99,7 +99,7 @@ type: dword when: - win19cis_rule_18_2_3 - - ansible_windows_domain_role == "Member Server" + - win2019cis_is_domain_member tags: - level1-memberserver - rule_18.2.3 @@ -115,7 +115,7 @@ type: dword when: - win19cis_rule_18_2_4 - - ansible_windows_domain_role != "Member Server" + - win2019cis_is_domain_member tags: - level1-memberserver - rule_18.2.4 
@@ -146,7 +146,7 @@ when: win19cis_laps_password_length >= 15 when: - win19cis_rule_18_2_5 - - ansible_windows_domain_role == "Member Server" + - win2019cis_is_domain_member tags: - level1-memberserver - rule_18.2.5 @@ -192,7 +192,7 @@ type: dword when: - win19cis_rule_18_3_1 - - not ansible_windows_domain_role == "Primary domain controller" + - win2019cis_is_domain_member tags: - level1-memberserver - rule_18.3.1 @@ -545,7 +545,7 @@ type: dword when: - win19cis_rule_18_5_4_2 - - not ansible_windows_domain_role == "Primary domain controller" + - win2019cis_is_domain_member tags: - level1-domaincontroller - level1-memberserver @@ -844,7 +844,7 @@ type: dword when: - win19cis_rule_18_5_21_2 - - not ansible_windows_domain_role == "Primary domain controller" + - win2019cis_is_domain_member tags: - level2-memberserver - rule_18.5.21.2 @@ -1023,7 +1023,7 @@ type: dword when: - win19cis_rule_18_8_5_5 - - not ansible_windows_domain_role == "Primary domain controller" + - win2019cis_is_domain_member tags: - ngws-memberserver - rule_18.8.5.5 @@ -1038,7 +1038,7 @@ type: dword when: - win19cis_rule_18_8_5_6 - - ansible_windows_domain_role == "Primary domain controller" + - win2019cis_is_domain_controller tags: - ngws-domaincontroller - rule_18.8.5.6 @@ -1462,6 +1462,7 @@ type: dword when: - win19cis_rule_18_8_28_4 + - win2019cis_is_domain_member tags: - level1-memberserver - rule_18.8.28.4 @@ -1641,7 +1642,7 @@ type: dword when: - win19cis_rule_18_8_37_1 - - not ansible_windows_domain_role == "Primary domain controller" + - win2019cis_is_domain_member tags: - level1-memberserver - rule_18.8.37.1 @@ -1656,7 +1657,7 @@ type: dword when: - win19cis_rule_18_8_37_2 - - not ansible_windows_domain_role == "Primary domain controller" + - win2019cis_is_domain_member tags: - level2-memberserver - rule_18.8.37.2 
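Review bot: 18.5.4.2 at `@@ -545,7 +545,7 @@` is now gated on `win2019cis_is_domain_member` while its tags still carry both `level1-domaincontroller` and `level1-memberserver`, so a run that selects domain-controller tags will never apply it. The replaced `not ansible_windows_domain_role == "Primary domain controller"` had the same mismatch, but this rewrite is the moment to settle it: if the control is member-server-only, drop the `- level1-domaincontroller` tag; if it applies to both roles, remove the role condition instead. The other condition rewrites in this hunk are consistent with their tags.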
@@ -1746,7 +1747,7 @@ type: dword when: - win19cis_rule_18_8_53_1_2 - - not ansible_windows_domain_role == "Primary domain controller" + - win2019cis_is_domain_member tags: - level2-memberserver - rule_18.8.53.1.2 From 9154fc727971251373b40e8132784f85c1671388 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Tue, 10 Oct 2023 16:42:17 -0400 Subject: [PATCH 03/18] Update section18+19 -1 Signed-off-by: Frederick Witty --- defaults/main.yml | 582 ++++--- tasks/section01.yml | 31 +- tasks/section01_cloud_lockout_order.yml | 6 +- tasks/section02.yml | 10 +- tasks/section09.yml | 6 +- tasks/section18.yml | 1901 ++++++++++++++--------- tasks/section19.yml | 120 +- 7 files changed, 1604 insertions(+), 1052 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 5178586..e28f27d 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -49,25 +49,26 @@ win_skip_for_test: false # PLEASE NOTE: These work in coordination with the section # group variables and tags. # You must enable an entire section in order for the variables below to take effect. -# Section 1 rules +# section01 win19cis_rule_1_1_1: true win19cis_rule_1_1_2: true win19cis_rule_1_1_3: true win19cis_rule_1_1_4: true win19cis_rule_1_1_5: true -# win19cis_rule_1_1_6 set To false this control cannot be implemented on 2019. +# win19cis_rule_1_1_6 set To false this control cannot be implemented in 2022. # This setting is only available within the built-in OS security template of -# Windows 10 Release 2004 and Server 2022 (or newer). Control Commented out for now. +# Windows 10 Release 2004 and Server 2022 (or newer). Control is Commented out for now. win19cis_rule_1_1_6: false win19cis_rule_1_1_7: true -# We have found the order of these three tasks below varies between cloud based instances -# and VM based instances locally. The task below breaks out to run in a different order -# for cloud based systems and local based systems. Notes are applied in the section01.yml file. +# We have found the order of these three tasks below varies between cloud-based instances +# and VM-based instances locally. The task below breaks out to run in a different order +# for cloud-based systems and local-based systems. Notes are applied in the section01.yml file. win19cis_rule_1_2_1: true win19cis_rule_1_2_2: true win19cis_rule_1_2_3: true +win19cis_rule_1_2_4: true -# Section 2 rules +# section02 win19cis_rule_2_2_1: true win19cis_rule_2_2_2: true win19cis_rule_2_2_3: true @@ -123,7 +124,6 @@ win19cis_rule_2_3_1_4: true # Setting win19cis_rule_2_3_1_5 Control To True Will Break Ansible Connection # Setting win_skip_for_test: true -- will skip the controls here even if they are set to true. win19cis_rule_2_3_1_5: true -win19cis_rule_2_3_1_6: true win19cis_rule_2_3_2_1: true win19cis_rule_2_3_2_2: true win19cis_rule_2_3_4_1: true 
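Review bot: The rewritten comment above `win19cis_rule_1_1_6` now says the control "cannot be implemented in 2022", but this is the Windows 2019 role and the very next sentence says the setting is only available on Server 2022 or newer, so the new wording contradicts itself and reads like a paste from the 2022 role. Suggest `# win19cis_rule_1_1_6 is set to false because this control cannot be implemented on Server 2019.` `win19cis_rule_1_2_4: true` is also added without a comment while the paragraph above it still speaks of "these three tasks below"; if 1.2.4 belongs to the cloud-ordering group that sentence should say four.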
@@ -191,11 +191,11 @@ win19cis_rule_2_3_17_6: true win19cis_rule_2_3_17_7: true win19cis_rule_2_3_17_8: true -# Section 5 rules +# section05 win19cis_rule_5_1: true win19cis_rule_5_2: true -# Section 9 rules +# section09 win19cis_rule_9_1_1: true win19cis_rule_9_1_2: true win19cis_rule_9_1_3: true @@ -225,7 +225,7 @@ win19cis_rule_9_3_8: true win19cis_rule_9_3_9: true win19cis_rule_9_3_10: true -# Section 17 rules +# section17 win19cis_rule_17_1_1: true win19cis_rule_17_1_2: true win19cis_rule_17_1_3: true @@ -261,24 +261,17 @@ win19cis_rule_17_9_3: true win19cis_rule_17_9_4: true win19cis_rule_17_9_5: true -# Section 18 rules +# section18 win19cis_rule_18_1_1_1: true win19cis_rule_18_1_1_2: true win19cis_rule_18_1_2_2: true win19cis_rule_18_1_3: true -win19cis_rule_18_2_1: true -win19cis_rule_18_2_2: true -win19cis_rule_18_2_3: true -win19cis_rule_18_2_4: true -win19cis_rule_18_2_5: true -win19cis_rule_18_2_6: true win19cis_rule_18_3_1: true win19cis_rule_18_3_2: true win19cis_rule_18_3_3: true win19cis_rule_18_3_4: true win19cis_rule_18_3_5: true win19cis_rule_18_3_6: true -win19cis_rule_18_3_7: true win19cis_rule_18_4_1: true win19cis_rule_18_4_2: true win19cis_rule_18_4_3: true 
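Review bot: The 18.2.x LAPS toggles (`win19cis_rule_18_2_1` to `win19cis_rule_18_2_6`) and `win19cis_rule_18_3_7` are deleted in the `@@ -261` hunk with no renamed replacements added in this file, and the matching `win19cis_laps_password_length` / `win19cis_laps_password_age_days` variables are dropped further down in the same commit. tasks/section18.yml is in this commit's diffstat but its hunks are not in view; as of PATCH 02 that file still gated a task on `win19cis_rule_18_2_5` and `win19cis_laps_password_length >= 15`, and any such reference left behind fails the play with an undefined variable rather than skipping the control. Worth a `# LAPS (18.2.x) controls removed in the 2022-aligned renumbering` comment here so the deletion is not mistaken for an accidental drop.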
@@ -286,196 +279,222 @@ win19cis_rule_18_4_4: true
 win19cis_rule_18_4_5: true
 win19cis_rule_18_4_6: true
 win19cis_rule_18_4_7: true
-win19cis_rule_18_4_8: true
-win19cis_rule_18_4_9: true
-win19cis_rule_18_4_10: true
-win19cis_rule_18_4_11: true
-win19cis_rule_18_4_12: true
-win19cis_rule_18_5_4_1: true
-win19cis_rule_18_5_4_2: true
-win19cis_rule_18_5_5_1: true
-win19cis_rule_18_5_8_1: true
-win19cis_rule_18_5_9_1: true
-win19cis_rule_18_5_9_2: true
-win19cis_rule_18_5_10_2: true
-win19cis_rule_18_5_11_2: true
+win19cis_rule_18_5_1: true
+win19cis_rule_18_5_2: true
+win19cis_rule_18_5_3: true
+win19cis_rule_18_5_4: true
+win19cis_rule_18_5_5: true
+win19cis_rule_18_5_6: true
+win19cis_rule_18_5_7: true
+win19cis_rule_18_5_8: true
+win19cis_rule_18_5_9: true
+win19cis_rule_18_5_10: true
+win19cis_rule_18_5_11: true
+win19cis_rule_18_5_12: true
+win19cis_rule_18_6_4_1: true
+win19cis_rule_18_6_4_2: true
+win19cis_rule_18_6_4_3: true
+win19cis_rule_18_6_5_1: true
+win19cis_rule_18_6_8_1: true
+win19cis_rule_18_6_9_1: true
+win19cis_rule_18_6_9_2: true
+win19cis_rule_18_6_10_2: true
+win19cis_rule_18_6_11_2: true
 win19cis_rule_18_5_11_3: true
-win19cis_rule_18_5_11_4: true
-win19cis_rule_18_5_14_1: true
-win19cis_rule_18_5_19_2_1: true
-win19cis_rule_18_5_20_1: true
-win19cis_rule_18_5_20_2: true
-win19cis_rule_18_5_21_1: true
-win19cis_rule_18_5_21_2: true
-win19cis_rule_18_6_1: true
-win19cis_rule_18_6_2: true
-win19cis_rule_18_6_3: true
-win19cis_rule_18_7_1_1: true
-win19cis_rule_18_8_3_1: true
-win19cis_rule_18_8_4_1: true
-win19cis_rule_18_8_4_2: true
-win19cis_rule_18_8_5_1: true
-win19cis_rule_18_8_5_2: true
-win19cis_rule_18_8_5_3: true
-win19cis_rule_18_8_5_4: true
-win19cis_rule_18_8_5_5: true
-win19cis_rule_18_8_5_6: true
-win19cis_rule_18_8_5_7: true
-win19cis_rule_18_8_7_2: true
-win19cis_rule_18_8_14_1: true
-win19cis_rule_18_8_21_2: true
-win19cis_rule_18_8_21_3: true
-win19cis_rule_18_8_21_4: true
-win19cis_rule_18_8_21_5: true
-win19cis_rule_18_8_22_1_1: true
-win19cis_rule_18_8_22_1_2: true
-win19cis_rule_18_8_22_1_3: true
-win19cis_rule_18_8_22_1_4: true
-win19cis_rule_18_8_22_1_5: true
-win19cis_rule_18_8_22_1_6: true
-win19cis_rule_18_8_22_1_7: true
-win19cis_rule_18_8_22_1_8: true
-win19cis_rule_18_8_22_1_9: true
-win19cis_rule_18_8_22_1_10: true
-win19cis_rule_18_8_22_1_11: true
-win19cis_rule_18_8_22_1_12: true
-win19cis_rule_18_8_22_1_13: true
-win19cis_rule_18_8_25_1: true
-win19cis_rule_18_8_26_1: true
-win19cis_rule_18_8_27_1: true
-win19cis_rule_18_8_28_1: true
-win19cis_rule_18_8_28_2: true
-win19cis_rule_18_8_28_3: true
-win19cis_rule_18_8_28_4: true
-win19cis_rule_18_8_28_5: true
-win19cis_rule_18_8_28_6: true
-win19cis_rule_18_8_28_7: true
-win19cis_rule_18_8_31_1: true
-win19cis_rule_18_8_31_2: true
-win19cis_rule_18_8_34_6_1: true
-win19cis_rule_18_8_34_6_2: true
-win19cis_rule_18_8_34_6_3: true
-win19cis_rule_18_8_34_6_4: true
-win19cis_rule_18_8_36_1: true
-win19cis_rule_18_8_36_2: true
-win19cis_rule_18_8_37_1: true
-win19cis_rule_18_8_37_2: true
-win19cis_rule_18_8_40_1: true
-win19cis_rule_18_8_48_5_1: true
-win19cis_rule_18_8_48_11_1: true
-win19cis_rule_18_8_50_1: true
-win19cis_rule_18_8_53_1_1: true
-win19cis_rule_18_8_53_1_2: true
+win19cis_rule_18_6_11_4: true
+win19cis_rule_18_6_14_1: true
+win19cis_rule_18_6_19_2_1: true
+win19cis_rule_18_6_20_1: true
+win19cis_rule_18_6_20_2: true
+win19cis_rule_18_6_21_1: true
+win19cis_rule_18_6_21_2: true
+win19cis_rule_18_7_1: true
+win19cis_rule_18_7_2: true
+win19cis_rule_18_7_3: true
+win19cis_rule_18_7_4: true
+win19cis_rule_18_7_5: true
+win19cis_rule_18_7_6: true
+win19cis_rule_18_7_7: true
+win19cis_rule_18_7_8: true
+win19cis_rule_18_7_9: true
+win19cis_rule_18_7_10: true
+win19cis_rule_18_7_11: true
+win19cis_rule_18_8_1_1: true
+win19cis_rule_18_9_3_1: true
 win19cis_rule_18_9_4_1: true
-win19cis_rule_18_9_6_1: true
-win19cis_rule_18_9_8_1: true
-win19cis_rule_18_9_8_2: true
-win19cis_rule_18_9_8_3: true
-win19cis_rule_18_9_10_1_1: true
-win19cis_rule_18_9_12_1: true
+win19cis_rule_18_9_4_2: true
+win19cis_rule_18_9_5_1: true
+win19cis_rule_18_9_5_2: true
+win19cis_rule_18_9_5_3: true
+win19cis_rule_18_9_5_4: true
+win19cis_rule_18_9_5_5: true
+win19cis_rule_18_9_5_6: true
+win19cis_rule_18_9_5_7: true
+win19cis_rule_18_8_7_2: true
 win19cis_rule_18_9_13_1: true
-win19cis_rule_18_9_14_1: true
-win19cis_rule_18_9_14_2: true
-win19cis_rule_18_9_15_1: true
-win19cis_rule_18_9_15_2: true
-win19cis_rule_18_9_16_1: true
-win19cis_rule_18_9_16_2: true
-win19cis_rule_18_9_17_1: true
-win19cis_rule_18_9_17_2: true
-win19cis_rule_18_9_17_3: true
-win19cis_rule_18_9_17_4: true
-win19cis_rule_18_9_17_5: true
-win19cis_rule_18_9_17_6: true
-win19cis_rule_18_9_17_7: true
-win19cis_rule_18_9_17_8: true
-win19cis_rule_18_9_27_1_1: true
-win19cis_rule_18_9_27_1_2: true
-win19cis_rule_18_9_27_2_1: true
-win19cis_rule_18_9_27_2_2: true
-win19cis_rule_18_9_27_3_1: true
-win19cis_rule_18_9_27_3_2: true
-win19cis_rule_18_9_27_4_1: true
-win19cis_rule_18_9_27_4_2: true
-win19cis_rule_18_9_31_2: true
-win19cis_rule_18_9_31_3: true
-win19cis_rule_18_9_31_4: true
-win19cis_rule_18_9_41_1: true
-win19cis_rule_18_9_45_1: true
-win19cis_rule_18_9_46_1: true
-win19cis_rule_18_9_47_4_1: true
-win19cis_rule_18_9_47_4_2: true
-win19cis_rule_18_9_47_5_1_1: true
-win19cis_rule_18_9_47_5_1_2: true
-win19cis_rule_18_9_47_5_3_1: true
-win19cis_rule_18_9_47_6_1: true
-win19cis_rule_18_9_47_9_1: true
-win19cis_rule_18_9_47_9_2: true
-win19cis_rule_18_9_47_9_3: true
-win19cis_rule_18_9_47_9_4: true
-win19cis_rule_18_9_47_11_1: true
-win19cis_rule_18_9_47_12_1: true
-win19cis_rule_18_9_47_12_2: true
-win19cis_rule_18_9_47_15: true
-win19cis_rule_18_9_47_16: true
-win19cis_rule_18_9_58_1: true
-win19cis_rule_18_9_64_1: true
-win19cis_rule_18_9_65_2_2: true
-win19cis_rule_18_9_65_3_2_1: true
-win19cis_rule_18_9_65_3_3_1: true
-win19cis_rule_18_9_65_3_3_2: true
-win19cis_rule_18_9_65_3_3_3: true
-win19cis_rule_18_9_65_3_3_4: true
-win19cis_rule_18_9_65_3_9_1: true
-win19cis_rule_18_9_65_3_9_2: true
-win19cis_rule_18_9_65_3_9_3: true
-win19cis_rule_18_9_65_3_9_4: true
-win19cis_rule_18_9_65_3_9_5: true
-win19cis_rule_18_9_65_3_10_1: true
-win19cis_rule_18_9_65_3_10_2: true
-win19cis_rule_18_9_65_3_11_1: true
-win19cis_rule_18_9_65_3_11_2: true
-win19cis_rule_18_9_66_1: true
-win19cis_rule_18_9_67_2: true
-win19cis_rule_18_9_67_3: true
-win19cis_rule_18_9_72_1: true
-win19cis_rule_18_9_85_1_1: true
-win19cis_rule_18_9_89_1: true
-win19cis_rule_18_9_89_2: true
-win19cis_rule_18_9_90_1: true
-win19cis_rule_18_9_90_2: true
-win19cis_rule_18_9_90_3: true
-win19cis_rule_18_9_91_1: true
-win19cis_rule_18_9_100_1: true
-win19cis_rule_18_9_100_2: true
+win19cis_rule_18_9_19_2: true
+win19cis_rule_18_9_19_3: true
+win19cis_rule_18_9_19_4: true
+win19cis_rule_18_9_19_5: true
+win19cis_rule_18_9_20_1_1: true
+win19cis_rule_18_9_20_1_2: true
+win19cis_rule_18_9_20_1_3: true
+win19cis_rule_18_9_20_1_4: true
+win19cis_rule_18_9_20_1_5: true
+win19cis_rule_18_9_20_1_6: true
+win19cis_rule_18_9_20_1_7: true
+win19cis_rule_18_9_20_1_8: true
+win19cis_rule_18_9_20_1_9: true
+win19cis_rule_18_9_20_1_10: true
+win19cis_rule_18_9_20_1_11: true
+win19cis_rule_18_9_20_1_12: true
+win19cis_rule_18_9_20_1_13: true
+win19cis_rule_18_9_23_1: true
+win19cis_rule_18_9_24_1: true
+win19cis_rule_18_9_25_1: true
+win19cis_rule_18_9_25_2: true
+win19cis_rule_18_9_26_1: true
+win19cis_rule_18_9_27_1: true
+win19cis_rule_18_9_27_2: true
+win19cis_rule_18_9_27_3: true
+win19cis_rule_18_9_27_4: true
+win19cis_rule_18_9_27_5: true
+win19cis_rule_18_9_27_6: true
+win19cis_rule_18_9_27_7: true
+win19cis_rule_18_9_30_1: true
+win19cis_rule_18_9_30_2: true
+win19cis_rule_18_9_32_6_1: true
+win19cis_rule_18_3_32_6_2: true
+win19cis_rule_18_9_32_6_3: true
+win19cis_rule_18_9_32_6_4: true
+win19cis_rule_18_9_34_1: true
+win19cis_rule_18_9_34_2: true
+win19cis_rule_18_9_35_1: true
+win19cis_rule_18_9_35_2: true
+win19cis_rule_18_9_38_1: true
+win19cis_rule_18_9_46_5_1: true
+win19cis_rule_18_9_46_11_1: true
+win19cis_rule_18_9_48_1: true
+win19cis_rule_18_9_50_1_1: true
+win19cis_rule_18_9_50_1_2: true
+win19cis_rule_18_10_3_1: true
+win19cis_rule_18_10_5_1: true
+win19cis_rule_18_10_7_1: true
+win19cis_rule_18_10_7_2: true
+win19cis_rule_18_10_7_3: true
+win19cis_rule_18_10_8_1_1: true
+win19cis_rule_18_10_10_1: true
+win19cis_rule_18_10_12_1: true
+win19cis_rule_18_10_12_2: true
+win19cis_rule_18_10_12_3: true
+win19cis_rule_18_9_14_3: true
+win19cis_rule_18_10_13_1: true
+win19cis_rule_18_10_14_1: true
+win19cis_rule_18_10_14_2: true
+win19cis_rule_18_10_15_1: true
+win19cis_rule_18_10_15_2: true
+win19cis_rule_18_10_15_3: true
+win19cis_rule_18_10_15_4: true
+win19cis_rule_18_10_15_5: true
+win19cis_rule_18_10_15_6: true
+win19cis_rule_18_10_15_7: true
+win19cis_rule_18_10_15_8: true
+win19cis_rule_18_10_17_1: true
+win19cis_rule_18_10_17_2: true
+win19cis_rule_18_10_17_3: true
+win19cis_rule_18_10_17_4: true
+win19cis_rule_18_10_26_1_1: true
+win19cis_rule_18_10_26_1_2: true
+win19cis_rule_18_10_26_2_1: true
+win19cis_rule_18_10_26_2_2: true
+win19cis_rule_18_10_26_3_1: true
+win19cis_rule_18_10_26_3_2: true
+win19cis_rule_18_10_26_4_1: true
+win19cis_rule_18_10_26_4_2: true
+win19cis_rule_18_10_29_2: true
+win19cis_rule_18_10_29_3: true
+win19cis_rule_18_10_29_4: true
+win19cis_rule_18_10_37_1: true
+win19cis_rule_18_10_41_1: true
+win19cis_rule_18_10_42_1: true
+win19cis_rule_18_10_43_5_1: true
+win19cis_rule_18_10_43_5_2: true
+win19cis_rule_18_10_43_6_1_1: true
+win19cis_rule_18_10_43_6_1_2: true
+win19cis_rule_18_10_43_6_3_1: true
+win19cis_rule_18_10_43_7_1: true
+win19cis_rule_18_10_43_10_1: true
+win19cis_rule_18_10_43_10_2: true
+win19cis_rule_18_10_43_10_3: true
+win19cis_rule_18_10_43_10_4: true
+win19cis_rule_18_10_43_12_1: true
+win19cis_rule_18_10_43_13_1: true
+win19cis_rule_18_10_43_13_2: true
+win19cis_rule_18_10_43_16: true
+win19cis_rule_18_10_43_17: true
+win19cis_rule_18_10_51_1: true
+win19cis_rule_18_10_56_1: true
+win19cis_rule_18_10_57_2_2: true
+win19cis_rule_18_10_57_3_2_1: true
+win19cis_rule_18_10_57_3_3_1: true
+win19cis_rule_18_10_57_3_3_2: true
+win19cis_rule_18_10_57_3_3_3: true
+win19cis_rule_18_10_57_3_3_4: true
+win19cis_rule_18_10_57_3_3_5: true
+win19cis_rule_18_10_57_3_3_6: true
+win19cis_rule_18_10_57_3_9_1: true
+win19cis_rule_18_10_57_3_9_2: true
+win19cis_rule_18_10_57_3_9_3: true
+win19cis_rule_18_10_57_3_9_4: true
+win19cis_rule_18_10_57_3_9_5: true
+win19cis_rule_18_10_57_3_10_1: true
+win19cis_rule_18_10_57_3_10_2: true
+win19cis_rule_18_10_57_3_11_1: true
+win19cis_rule_18_10_57_3_11_2: true
+win19cis_rule_18_10_58_1: true
+win19cis_rule_18_10_59_2: true
+win19cis_rule_18_10_59_3: true
+win19cis_rule_18_10_59_4: true
+win19cis_rule_18_10_63_1: true
+win19cis_rule_18_10_76_2_1: true
+win19cis_rule_18_10_80_1: true
+win19cis_rule_18_10_80_2: true
+win19cis_rule_18_10_81_1: true
+win19cis_rule_18_10_81_2: true
+win19cis_rule_18_10_81_3: true
+win19cis_rule_18_10_82_1: true
+win19cis_rule_18_10_82_2: true
+win19cis_rule_18_10_87_1: true
+win19cis_rule_18_10_87_2: true
 # WINRM CONTROLS #
-# Setting The Following Controls To True Will Break Ansible Connection
+# Setting The Following Controls To True Will Break the Ansible Connection
 # Setting win_skip_for_test: true -- will skip the controls here even if they are set to true.
-# win19cis_rule_18_9_102_1_1
-# win19cis_rule_18_9_102_1_2
-# win19cis_rule_18_9_102_2_1
-# win19cis_rule_18_9_102_2_2
-# win19cis_rule_18_9_102_2_3
-# win19cis_rule_18_9_103_1
-win19cis_rule_18_9_102_1_1: true
-win19cis_rule_18_9_102_1_2: true
-win19cis_rule_18_9_102_1_3: true
-win19cis_rule_18_9_102_2_1: true
+# win19cis_rule_18_10_89_1_1
+# win19cis_rule_18_10_89_1_2
+# win19cis_rule_18_10_89_2_1
+# win19cis_rule_18_10_89_2_2
+# win19cis_rule_18_10_89_2_3
+win19cis_rule_18_10_89_1_1: true
+win19cis_rule_18_10_89_1_2: true
+win19cis_rule_18_10_89_2_1: true
+win19cis_rule_18_10_89_2_2: true
+win19cis_rule_18_10_89_2_3: true
 # This control will have to be set to Enabled (1) to allow for continued remote management via Ansible following
 # machine restart. The CIS standard calls for 0 but doing so will break all remote connections to the system.
-win19cis_rule_18_9_102_2_2: true
-win19cis_rule_18_9_102_2_3: true
-win19cis_rule_18_9_102_2_4: true
+win19cis_rule_18_10_89_1_3: true
+win19cis_rule_18_10_89_2_4: true
+win19cis_rule_18_10_90_1: true
 # WINRM CONTROLS END #
-win19cis_rule_18_9_103_1: true
-win19cis_rule_18_9_105_2_1: true
-win19cis_rule_18_9_108_1_1: true
-win19cis_rule_18_9_108_2_1: true
-win19cis_rule_18_9_108_2_2: true
-win19cis_rule_18_9_108_4_1: true
-win19cis_rule_18_9_108_4_2: true
-win19cis_rule_18_9_108_4_3: true
-
-# Section 19 rules
+win19cis_rule_18_10_92_2_1: true
+win19cis_rule_18_10_93_1_1: true
+win19cis_rule_18_10_93_2_1: true
+win19cis_rule_18_10_93_2_2: true
+win19cis_rule_18_10_93_4_1: true
+win19cis_rule_18_10_93_4_2: true
+win19cis_rule_18_10_93_4_3: true
+
+
+# section19
 win19cis_rule_19_1_3_1: true
 win19cis_rule_19_1_3_2: true
 win19cis_rule_19_1_3_3: true
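Review bot: Several toggles in the renumbered section 18 list look like leftovers of the old numbering: `win19cis_rule_18_5_11_3: true` is kept unchanged between the new `win19cis_rule_18_6_11_2` and `win19cis_rule_18_6_11_4` (presumably it should become `win19cis_rule_18_6_11_3`), `win19cis_rule_18_9_13_1: true` is kept between `18_9_5_7` and the new `18_9_19_x` block, and `+win19cis_rule_18_8_7_2: true` and `+win19cis_rule_18_9_14_3: true` are added out of sequence inside the `18_9_5_x` and `18_10_12_x` runs respectively. `+win19cis_rule_18_3_32_6_2: true` sits between `18_9_32_6_1` and `18_9_32_6_3` and should read `win19cis_rule_18_9_32_6_2`. If tasks/section18.yml (changed in this commit but not in view) references the corrected names, each mismatch makes the corresponding task fail on an undefined variable instead of running. The two consecutive blank lines added before `# section19` also exceed the single blank line used between sections elsewhere in this file.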
@@ -483,14 +502,14 @@ win19cis_rule_19_5_1_1: true win19cis_rule_19_6_6_1_1: true win19cis_rule_19_7_4_1: true win19cis_rule_19_7_4_2: true -win19cis_rule_19_7_8_1: true -win19cis_rule_19_7_8_2: true -win19cis_rule_19_7_8_3: true -win19cis_rule_19_7_8_4: true -win19cis_rule_19_7_8_5: true -win19cis_rule_19_7_28_1: true -win19cis_rule_19_7_43_1: true -win19cis_rule_19_7_47_2_1: true +win19cis_rule_19_7_7_1: true +win19cis_rule_19_7_7_2: true +win19cis_rule_19_7_7_3: true +win19cis_rule_19_7_7_4: true +win19cis_rule_19_7_7_5: true +win19cis_rule_19_7_25_1: true +win19cis_rule_19_7_40_1: true +win19cis_rule_19_7_42_2_1: true # Section 1 Variables 
@@ -498,18 +517,18 @@ win19cis_rule_19_7_47_2_1: true # win19cis_max_passwords_saved is the variable used to dictate the number of unique passwords # that have to be associated with a user account before you can reuse an old password. # The recommended state for this setting is 24 Or More passwords. -# NOTE: As Of the publication if this benchmark, Microsoft has a maximum limit of 24 saved passwords. -# This may change at a later date but we have left it setup as a variable for that reason. +# NOTE: As Of the publication of this benchmark, Microsoft has a maximum limit of 24 saved passwords. +# This may change at a later date but we have left it set up as a variable for that reason. win19cis_max_passwords_saved: 24 # 1.1.2 -# win19cis_maximum_password_age is the policy setting defines how long a user can use their +# win19cis_maximum_password_age is the policy setting that defines how long a user can use their # password before it expires. # The recommended state for this setting is 365 or fewer days, but not 0 (zero). win19cis_maximum_password_age: 365 # 1.1.3 -# win19cis_minimum_password_age is the policy setting determines the number of days that you +# win19cis_minimum_password_age is the policy setting that determines the number of days that you # must use a password before you can change it. The range of values for this policy setting is # between 1 and 999 days. (You may also set the value to 0 to allow immediate password changes.) # The default value for this setting is 0 days. @@ -517,7 +536,7 @@ win19cis_maximum_password_age: 365 win19cis_minimum_password_age: 1 # 1.1.4 -# win19cis_minimum_password_length is the policy setting determines the least number of characters +# win19cis_minimum_password_length is the policy setting that determines the least number of characters # that make up a password for a user account. # The recommended state for this setting is: 14 or more character(s). win19cis_minimum_password_length: 14 
@@ -525,19 +544,25 @@ win19cis_minimum_password_length: 14 # 1.2.1 # win19cis_account_lockout_duration is the policy setting determines the length of time that # must pass before a locked account is unlocked and a user can try to log on again. -# NOTE: If the value for this policy setting is configured to 0, locked out accounts will remain locked out +# NOTE: If the value for this policy setting is configured to 0, locked-out accounts will remain locked-out # until an administrator manually unlocks them. # The recommended state for this setting is: 15 or more minute(s). win19cis_account_lockout_duration: 15 # 1.2.2 -# win19cis_lockout_bad_count is the policy setting determines the number of failed logon +# win19cis_lockout_bad_count is the policy setting that determines the number of failed logon # attempts before the account is locked. # The recommended state for this setting is: 5 or fewer invalid logon attempt(s), but not 0. win19cis_bad_login_lockout_count: 5 # 1.2.3 -# win19cis_account_lockout_counter_reset is the policy setting determines the length of time before the +# win19cis_allow_admin_account_lockout is the policy setting that determines whether the built-in +# Administrator account is subject to the following Account Lockout Policy settings. +# 1 = enabled or 0 = disabled +win19cis_allow_admin_account_lockout: 1 + +# 1.2.4 +# win19cis_account_lockout_counter_reset is the policy setting that determines the length of time before the # Account lockout threshold resets to zero. The default value for this policy setting is Not Defined. # NOTE: If the Account lockout threshold is defined (win19cis_account_lockout_duration), this reset # time must be less than or equal to the value for the Account lockout duration setting. 
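Review bot: The rewritten 1.2.2 comment still documents a variable named `win19cis_lockout_bad_count`, but the key defined two lines below is `win19cis_bad_login_lockout_count`, so the name in the comment should be corrected to match while the line is being touched. The 1.2.1 comment in the same hunk is left as "is the policy setting determines" although every sibling comment in this commit gets the "that" inserted. The NOTE now filed under 1.2.4 also appears to name `win19cis_account_lockout_duration` as the "Account lockout threshold"; the threshold is `win19cis_bad_login_lockout_count`, and the duration is the value the reset time is compared against, so `(win19cis_bad_login_lockout_count)` would be the accurate parenthetical.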
@@ -547,36 +572,33 @@ win19cis_account_lockout_counter_reset: 15 # Section 2 Variables # 2.2.18 -# win19cis_hyperv_installed is the toggle that will address if there is Hyper-V installed on the system. -# By default, only Administrators can create symbolic links this is when it is left as false. -# When true The recommended state for this setting is: Administrators and (when the Hyper-V Role is installed) -# NT VIRTUAL MACHINE\Virtual Machines +# is_hyperv_installed is Hyper-V installed win19cis_hyperv_installed: false # 2.2.33 -# Window Manager\Window Manager Group only exists on non Core installations +# Window Manager\Window Manager Group only exists on non-Core installations # windows_installation_type should be 'Server Core' for Core installations # This is a variable to determine if Windows Manager should be included in this step win19cis_increase_scheduling_priority_users: '{{ ["Administrators"] if (windows_installation_type=="Server Core") else (["Administrators","Window Manager\Window Manager Group"]) }}' # 2.2.37 -# win19cis_exchange_server_running is the policy setting determines which users can change the auditing options for +# win19cis_exchange_server_running is the policy setting that determines which users can change the auditing options for # files and directories and clear the Security log. Setting to true will set both groups to be added. # False will only add Administrators. # True will add administrators and (when Exchange is running in the environment) Exchange Servers. # The recommended state for this setting is: Administrators and when Exchange is running in the environment) Exchange Servers. 
win19cis_exchange_server_running: false -# 2.3.1.5 +# 2.3.1.4 # win19cis_admin_username is the name the administrator account will be renamed to win19cis_admin_username: adminchangethis -# 2.3.1.6 +# 2.3.1.5 # win19cis_guest_username is the name the guest account will be renamed to win19cis_guest_username: guestchangethis # 2.3.6.5 -# win19cis_domain_member_maximum_password_age is the policy setting determines the maximum allowable age for a +# win19cis_domain_member_maximum_password_age is the policy setting that determines the maximum allowable age for a # computer account password. By default, domain members automatically change their domain passwords every 30 days. # The recommended state for this setting is: 30 or fewer days, but not 0. win19cis_domain_member_maximum_password_age: 30 
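Review bot: The replacement comment `# is_hyperv_installed is Hyper-V installed` above `win19cis_hyperv_installed` names a variable that does not exist in this file and drops the explanation the removed lines carried (that the toggle adds `NT VIRTUAL MACHINE\Virtual Machines` to the 2.2.18 symbolic-link right, which is otherwise Administrators only). Suggest `# win19cis_hyperv_installed: set to true when the Hyper-V role is installed; 2.2.18 then grants the symbolic-link right to NT VIRTUAL MACHINE\Virtual Machines in addition to Administrators.` The 2.2.37 comment in the same hunk still introduces the boolean `win19cis_exchange_server_running` as "the policy setting that determines which users can change the auditing options", which describes the CIS control rather than what the toggle does; the later sentences already say that, so the first one can simply read `# win19cis_exchange_server_running controls the 2.2.37 group membership:`.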
@@ -606,24 +628,24 @@ win19cis_legal_notice: | -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. # 2.3.7.5 -# win19cis_legal_notice_caption is the policy setting specifies the text displayed in the title bar of the window that users see +# win19cis_legal_notice_caption is the policy setting that specifies the text displayed in the title bar of the window that users see # when they log on to the system. Configure this setting in a manner that is consistent with the security and operational # requirements of your organization. win19cis_legal_notice_caption: "DoD Notice and Consent Banner" # 2.3.7.6 -# win19cis_cached_logons_count is the number that is assigned to this policy setting indicates the number of users whose +# win19cis_cached_logons_count is the number that is assigned to this policy setting and indicates the number of users whose # logon information the computer will cache locally. If this value is set to 0, the logon cache feature is disabled. # The recommended state for this setting is: 4 or fewer logon(s). win19cis_cached_logons_count: 1 # 2.3.7.7 -# win19cis_password_expiry_warning_days is the policy setting determines how far in advance users are warned that their password will expire. +# win19cis_password_expiry_warning_days is the policy setting that determines how far in advance users are warned that their password will expire. # The recommended state for this setting is: between 5 and 14 days. 
win19cis_password_expiry_warning_days: 14 # 2.3.9.1 -# win19cis_smb_auto_disconnect_time is the policy setting allows you to specify the amount of continuous idle time that must pass in an +# win19cis_smb_auto_disconnect_time is the policy setting that allows you to specify the amount of continuous idle time that must pass in an # SMB session before the session is suspended because of inactivity. # The recommended state for this setting is: 15 or fewer minute(s). win19cis_smb_auto_disconnect_time: 15 @@ -632,7 +654,7 @@ win19cis_smb_auto_disconnect_time: 15 # 9.1.5 # win19cis_domain_firewall_log_path is the path to the domain firewall log files. The control suggests %SystemRoot%\System32\logfiles\firewall\domainfw.log -# This is a variable to give some leway on where to store these log files +# This is a variable to give some leeway on where to store these log files win19cis_domain_firewall_log_path: '%SystemRoot%\System32\logfiles\firewall\domainfw.log' # 9.1.6 
@@ -642,84 +664,132 @@ win19cis_domain_firewall_log_size: 16384 # 9.2.5 # private_firewall_log_path is the path to the private firewall log files. The control suggests %SystemRoot%\System32\logfiles\firewall\privatefw.log -# This is a variable to give some leway on where to store these log files +# This is a variable to give some leeway on where to store these log files win19cis_private_firewall_log_path: '%SystemRoot%\System32\logfiles\firewall\privatefw.log' # 9.2.6 # private_firewall_log_size is the size of the log file -# To conform to CIS stadnards the value should be 16,384 or greater. Value is in KB +# To conform to CIS standards the value should be 16,384 or greater. Value is in KB win19cis_private_firewall_log_size: 16384 # 9.3.7 # win19cis_public_firewall_log_path is the path to the public firewall log file. The control suggests %SystemRoot%\System32\logfiles\firewall\publicfw.log -# This is a variable to give some leway on where to store these log files +# This is a variable to give some leeway on where to store these log files win19cis_public_firewall_log_path: '%SystemRoot%\System32\logfiles\firewall\publicfw.log' # 9.3.8 # public_firewall_log_size is the size of the log file -# To conform to CIS stadnards the value should be 16,384 or greater. Value is in KB +# To conform to CIS standards the value should be 16,384 or greater. Value is in KB win19cis_public_firewall_log_size: 16384 # Section 18 Variables -# Control 18.2.5 -# win19cis_laps_password_length is the LAPS tool password length. -# The recommended state for this setting is: Enabled: 15 or more. -win19cis_laps_password_length: 15 - -# Control 18.2.6 -# win19cis_laps_password_age_days is the LAPS tool password age in days. -# The recommended state for this setting is: Enabled: 30 or fewer. 
-win19cis_laps_password_age_days: 30 - -# 18.3.6 +# 18.4.6 # win19cis_netbt_nodetype is the node type value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters:NodeType -# Options are B-node value of 1, P-node value of 2, M-node value of 4, H-node value of 8. P-node is the recommended setting from CIS +# Options are a B-node value of 1, P-node value of 2, M-node value of 4, and H-node value of 8. P-node is the recommended setting from CIS win19cis_netbt_nodetype: 2 -# 18.4.9 +# 18.5.9 # win19cis_screen_saver_grace_period is the grace period between when the screen saver is launched and when the console is actually # locked automatically when screen saver locking is enabled. # The recommended state for this setting is: Enabled: 5 or fewer seconds. win19cis_screen_saver_grace_period: 5 -# 18.4.12 +# 18.5.12 # win19cis_log_threshold_audit_event is the setting that can generate a security audit in the Security event log when the # log reaches a user-defined threshold. # The recommended state for this setting is: Enabled: 90% or less. win19cis_log_threshold_audit_event: 90 -# 18.9.27.1.2 +# 18.6.4.1 +# win19cis_doh_policy os the setting determines if DNS over HTTPS (DoH) is used by the system. DNS over HTTPS (DoH) is a protocol +# for performing remote Domain Name System (DNS) resolution over the Hypertext Transfer Protocol Secure (HTTPS). +# The recommended state for this setting is: Enabled: Allow DoH. +# Note: Possible Valid Settings +# 2 - Enabled: Allow DoH +# 3 - Enabled: Require DoH +# Default: 2 +win19cis_doh_policy: 2 + +# 18.6.4.2 +# win19cis_enable_netbios_policy is the policy that setting specifies if the Domain Name System (DNS) client will perform name resolution +# over Network Basic Input/Output System (NetBIOS). +# The recommended state for this setting is: Enabled: Disable NetBIOS name resolution on public networks. 
+# Note: Possible Valid Settings +# 0 - Enabled: Disable NetBIOS name resolution +# 2 - Enabled: Disable NetBIOS name resolution on public networks +# Default: 2 +win19cis_enable_netbios_policy: 2 + +# 18.7.6 +# win19cis_force_kerberos_for_rpc is the policy setting controls which protocols incoming Remote Procedure Call (RPC) connections to the +# print spooler are allowed to use. +# The recommended state for this setting is: Enabled: Negotiate or higher. +# 0 - Negotiate +# 1 - Kerberos +# Default: 0 +win19cis_force_kerberos_for_rpc: 0 + +# 18.10.13.1 +# win19cis_require_pin_for_pairing is the policy setting that controls whether or not a PIN is required for pairing to a wireless display device. +# The recommended state for this setting is: Enabled: First Time OR Enabled: Always. +# 1 - First Time +# 2 - Always +# Default: 1 +win19cis_require_pin_for_pairing: 1 + +# 18.10.15.1 +# win19cis_allow_telemetry is the policy setting that determines the amount of diagnostic and usage data reported to Microsoft +# Note: If your organization relies on Windows Update, the minimum recommended setting is Required diagnostic data. +# 0 - Diagnostic data off (not recommended) +# 1 - Send required diagnostic data. +# Default: 1 +win19cis_allow_telemetry: 1 + +# 18.10.26.1.2 # win19cis_application_max_log_file_size is the setting that specifies the maximum size of the log file in kilobytes. The maximum log file size can be # configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. # The recommended state for this setting is: Enabled: 32,768 or greater win19cis_application_max_log_file_size: 32768 -# 18.9.27.2.2 +# 18.10.26.2.2 # win19cis_security_max_log_file_size is the setting that specifies the maximum size of the log file in kilobytes. The maximum log file size can # be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. 
# The recommended state for this setting is: Enabled: 196,608 or greater. win19cis_security_max_log_file_size: 196608 -# 18.9.27.3.2 -# win19cis_setup_max_log_file_size is the setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be +# 18.10.26.3.2 +# win19cis_setup_max_log_file_size is the setting that specifies the maximum size of the log file in kilobytes. The maximum log file size can be # configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments.# # The recommended state for this setting is: Enabled: 32,768 or greater. win19cis_setup_max_log_file_size: 32768 -# 18.9.27.4.2 +# 18.10.26.4.2 # win19cis_system_max_log_file_size is the setting that specifies the maximum size of the log file in kilobytes. The maximum log file size # can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. # The recommended state for this setting is: Enabled: 32,768 or greater. win19cis_system_max_log_file_size: 32768 -# 18.9.65.3.10.1 -# win19cis_idle_rdp_session_disconnect_time is the setting allows you to specify the maximum amount of time that an active Remote Desktop +# 18.10.57.3.10.1 +# win19cis_idle_rdp_session_disconnect_time is the setting that allows you to specify the maximum amount of time that an active Remote Desktop # Services session can be idle (without user input) before it is automatically disconnected. # The recommended state for this setting is: Enabled: 15 minutes or less, but not Never (0). # 1 min = 60000, 5 min = 300000, 10 min = 600000, 15 min = 900000 win19cis_idle_rdp_session_disconnect_time: 900000 +# 18.10.80.2 +# win19cis_allow_windows_ink_workspace is the policy setting that determines whether Windows Ink items are allowed above the lock screen. +# The recommended state for this setting is: Enabled: On, but disallow access above lock OR Enabled: Disabled. 
+# 0 - Enabled: Disabled +# 1 - Enabled: On, but disallow access above lock +win19cis_allow_windows_ink_workspace: 1 + +# 18.10.93.4.2 +# win19cis_defer_feature_updates_period_in_days is the policy setting that determines when Preview Build or Feature Updates are received. +# Recommended setting: Enabled: 180 or more days +# Default: 180 +win19cis_defer_feature_updates_period_in_days: 180 + # Section 19 Variables # 19.1.3.3 diff --git a/tasks/section01.yml b/tasks/section01.yml index d155b8a..0632781 100644 --- a/tasks/section01.yml +++ b/tasks/section01.yml @@ -5,7 +5,7 @@ - name: "1.1.1 | AUDIT | Ensure Enforce password history is set to 24 or more passwords. | Check for more then 24 saved passwords warning." ansible.builtin.debug: msg: - - "Warning!! You have a invalid number of maximum passwords set in win19cis_max_passwords_saved please read" + - "Warning!! You have an invalid number of maximum passwords set in win19cis_max_passwords_saved please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: - win19cis_max_passwords_saved > 24 or @@ -39,7 +39,7 @@ - name: "1.1.2 | AUDIT | Ensure Maximum password age is set to 365 or fewer days but not 0. | Warning check for maximum password age time." ansible.builtin.debug: msg: - - "Warning!! You have a invalid age set for win19cis_maximum_password_age please read" + - "Warning!! You have an invalid age set for win19cis_maximum_password_age please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: - win19cis_maximum_password_age > 365 or 
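Review bot: Several of the newly added variable comments in this hunk are garbled: `win19cis_doh_policy os the setting determines` should read `win19cis_doh_policy is the setting that determines`, `is the policy that setting specifies` above `win19cis_enable_netbios_policy` should be `is the policy setting that specifies`, and `is the policy setting controls` above `win19cis_force_kerberos_for_rpc` needs `that` before `controls`. The new enumerated variables (`win19cis_doh_policy`, `win19cis_enable_netbios_policy`, `win19cis_force_kerberos_for_rpc`, `win19cis_require_pin_for_pairing`, `win19cis_allow_telemetry`, `win19cis_allow_windows_ink_workspace`) each list their accepted values but none says what happens with a value outside that list, and the tasks that consume them are not in view; a one-line note such as `# Values outside this list are not checked here; see the 18.7.6 task` (or an assert in the task, as the section 1 warning tasks do) would make the contract explicit. The `win19cis_allow_telemetry` block is also the only one of the set without a "The recommended state for this setting is" line.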
@@ -75,7 +75,7 @@ - name: "1.1.3 | AUDIT | Ensure Minimum password age is set to 1 or more days. | Warning check for minimim password age." ansible.builtin.debug: msg: - - "Warning!! You have a invalid age set for win19cis_minimum_password_age please read" + - "Warning!! You have an invalid age set for win19cis_minimum_password_age please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: - win19cis_maximum_password_age > 999 or @@ -111,7 +111,7 @@ - name: "1.1.4 | AUDIT | Ensure Minimum password length is set to 14 or more characters | Warning Check For Variable Standards." ansible.builtin.debug: msg: - - "Warning!! You have a invalid length set for win19cis_minimum_password_length please read" + - "Warning!! You have an invalid length set for win19cis_minimum_password_length please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: win19cis_maximum_password_age < 14 @@ -183,9 +183,12 @@ “1.2.2 | PATCH | Ensure Account lockout threshold is set to 5 or fewer invalid logon attempt(s), but not 0. 1.2.1 | AUDIT | Ensure Account lockout duration is set to 15 or more minutes 1.2.3 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes." - ansible.builtin.import_tasks: section01_cloud_lockout_order.yml + ansible.builtin.import_tasks: + file: section01_cloud_lockout_order.yml when: - win19cis_cloud_based_system + win2019cis_is_domain_controller or + win2019cis_is_domain_member tags: - section01_cloud_lockout_order 
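Review bot: The 1.1.4 minimum-password-length warning is gated by `when: win19cis_maximum_password_age < 14`, so the reworded message still fires on the wrong variable and never on the one it names; the condition should test the length variable, `when: win19cis_minimum_password_length < 14`. The 1.1.3 hunk above shows the same pattern, a minimum-password-age warning gated on `win19cis_maximum_password_age > 999 or`, though the rest of that condition is outside the hunk and may be intentional there. Both lines are already being touched by this commit, so the fix belongs in the same pass.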
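Review bot: The added `win2019cis_is_domain_controller or` and `win2019cis_is_domain_member` lines under `when:` continue the plain scalar started by the context line `- win19cis_cloud_based_system`, which has no trailing operator, so the expression becomes `win19cis_cloud_based_system win2019cis_is_domain_controller or win2019cis_is_domain_member` and will not evaluate. Even with an `or` inserted, the later hunks at 1.2.2, 1.2.3 and 1.2.1 now use `not win19cis_cloud_based_system or win2019cis_is_domain_controller or win2019cis_is_domain_member`, which runs the standard lockout tasks on domain-joined cloud hosts, so this import would run alongside them on the same hosts. The intent looks like the complement of that condition, i.e. three list items `- win19cis_cloud_based_system`, `- not win2019cis_is_domain_controller`, `- not win2019cis_is_domain_member`.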
@@ -196,7 +199,7 @@ - name: "1.2.2 | AUDIT | Ensure Account lockout threshold is set to 5 or fewer invalid logon attempt(s), but not 0. | Verify Variable Not 0 or more then 5 warning." ansible.builtin.debug: msg: - - "Warning!! You have a invalid number of attempts set for win19cis_bad_login_lockout_count please read" + - "Warning!! You have an invalid number of attempts set for win19cis_bad_login_lockout_count please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: - win19cis_bad_login_lockout_count > 5 or @@ -220,7 +223,9 @@ - win19cis_bad_login_lockout_count > 0 when: - win19cis_rule_1_2_2 - - not win19cis_cloud_based_system + - not win19cis_cloud_based_system or + win2019cis_is_domain_controller or + win2019cis_is_domain_member tags: - level1-domaincontroller - level1-memberserver @@ -233,7 +238,7 @@ - name: "1.2.3 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes. | Verify variable set to 15 or more minutes warning." ansible.builtin.debug: msg: - - "Warning!! You have a invalid number of minutes set for win19cis_account_lockout_counter_reset please read" + - "Warning!! You have an invalid number of minutes set for win19cis_account_lockout_counter_reset please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: - win19cis_account_lockout_counter_reset > win19cis_account_lockout_duration or @@ -257,7 +262,9 @@ - win19cis_account_lockout_counter_reset <= win19cis_account_lockout_duration when: - win19cis_rule_1_2_3 - - not win19cis_cloud_based_system + - not win19cis_cloud_based_system or + win2019cis_is_domain_controller or + win2019cis_is_domain_member tags: - level1-domaincontroller - level1-memberserver 
@@ -271,7 +278,7 @@ - name: "1.2.1 | AUDIT | Ensure Account lockout duration is set to 15 or more minutes. | Verify variable set to 15 or more minutes warning." ansible.builtin.debug: msg: - - "Warning!! You have a invalid number of minutes set for win19cis_account_lockout_duration please read" + - "Warning!! You have an invalid number of minutes set for win19cis_account_lockout_duration please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: win19cis_account_lockout_duration < 15 @@ -289,7 +296,9 @@ when: win19cis_account_lockout_duration >= 15 when: - win19cis_rule_1_2_1 - - not win19cis_cloud_based_system + - not win19cis_cloud_based_system or + win2019cis_is_domain_controller or + win2019cis_is_domain_member tags: - level1-domaincontroller - level1-memberserver diff --git a/tasks/section01_cloud_lockout_order.yml b/tasks/section01_cloud_lockout_order.yml index 8456603..557f4fc 100644 --- a/tasks/section01_cloud_lockout_order.yml +++ b/tasks/section01_cloud_lockout_order.yml @@ -7,7 +7,7 @@ - name: "1.2.2 | AUDIT | Ensure Account lockout threshold is set to 5 or fewer invalid logon attempt(s), but not 0. | Verify Variable Not 0 or more then 5 warning." ansible.builtin.debug: msg: - - "Warning!! You have a invalid number of attempts set for win19cis_bad_login_lockout_count please read" + - "Warning!! You have an invalid number of attempts set for win19cis_bad_login_lockout_count please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: - win19cis_bad_login_lockout_count > 5 or 
@@ -44,7 +44,7 @@ - name: "1.2.1 | AUDIT | Ensure Account lockout duration is set to 15 or more minutes. | Verify variable set to 15 or more minutes warning." ansible.builtin.debug: msg: - - "Warning!! You have a invalid number of minutes set for win19cis_account_lockout_duration please read" + - "Warning!! You have an invalid number of minutes set for win19cis_account_lockout_duration please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: - win19cis_account_lockout_duration < 15 @@ -77,7 +77,7 @@ - name: "1.2.3 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes. | Verify variable set to 15 or more minutes warning." ansible.builtin.debug: msg: - - "Warning!! You have a invalid number of minutes set for win19cis_account_lockout_counter_reset please read" + - "Warning!! You have an invalid number of minutes set for win19cis_account_lockout_counter_reset please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: - win19cis_account_lockout_counter_reset > win19cis_account_lockout_duration or diff --git a/tasks/section02.yml b/tasks/section02.yml index e4dd4a6..765cd7e 100644 --- a/tasks/section02.yml +++ b/tasks/section02.yml @@ -1087,7 +1087,7 @@ - name: "2.3.6.5 | AUDIT | Ensure Domain member Maximum machine account password age is set to 30 or fewer days but not 0. | Warning Check For Variable Standards." ansible.builtin.debug: msg: - - "Warning!! You have a invalid number of days set for win19cis_domain_member_maximum_password_age please read" + - "Warning!! You have an invalid number of days set for win19cis_domain_member_maximum_password_age please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: - win19cis_domain_member_maximum_password_age > 30 or 
@@ -1171,7 +1171,7 @@ - name: "2.3.7.3 | AUDIT | Ensure Interactive logon Machine inactivity limit is set to 900 or fewer seconds but not 0. | Warning Check For Variable Standards." ansible.builtin.debug: msg: - - "Warning!! You have a invalid number of seconds set for win19cis_inactivity_timeout_seconds please read" + - "Warning!! You have an invalid number of seconds set for win19cis_inactivity_timeout_seconds please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: - win19cis_inactivity_timeout_seconds > 900 or @@ -1238,7 +1238,7 @@ - name: "2.3.7.6 | AUDIT| Ensure Interactive logon Number of previous logons to cache in case domain controller is not available is set to 4 or fewer logons MS only. | Warning Check For Variable Standards." ansible.builtin.debug: msg: - - "Warning!! You have a invalid number of logons set for win19cis_cached_logons_count please read" + - "Warning!! You have an invalid number of logons set for win19cis_cached_logons_count please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: win19cis_cached_logons_count > 4 @@ -1269,7 +1269,7 @@ - name: "2.3.7.7 | AUDIT | Ensure Interactive logon Prompt user to change password before expiration is set to between 5 and 14 days. | Warning Check For Variable Standards." ansible.builtin.debug: msg: - - "Warning!! You have a invalid number of days set for win19cis_password_expiry_warning_days please read" + - "Warning!! You have an invalid number of days set for win19cis_password_expiry_warning_days please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: - win19cis_password_expiry_warning_days < 5 or 
@@ -1381,7 +1381,7 @@ - name: "2.3.9.1 | AUDIT | Ensure Microsoft network server Amount of idle time required before suspending session is set to 15 or fewer minutes. | Warning Check For Variable Standards." ansible.builtin.debug: msg: - - "Warning!! You have a invalid number of minutes set for win19cis_smb_auto_disconnect_time please read" + - "Warning!! You have an invalid number of minutes set for win19cis_smb_auto_disconnect_time please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: win19cis_smb_auto_disconnect_time > 15 diff --git a/tasks/section09.yml b/tasks/section09.yml index f701770..ed1c391 100644 --- a/tasks/section09.yml +++ b/tasks/section09.yml @@ -86,7 +86,7 @@ - name: "9.1.6 | AUDIT | Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'. | Warning Check For Variable Standards." ansible.builtin.debug: msg: - - "Warning!! You have a invalid size set for win19cis_domain_firewall_log_size please read" + - "Warning!! You have an invalid size set for win19cis_domain_firewall_log_size please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: win19cis_domain_firewall_log_size < 16384 @@ -231,7 +231,7 @@ - name: "9.2.6 | AUDIT | Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater' | Warning Check For Variable Standards." ansible.builtin.debug: msg: - - "Warning!! You have a invalid size set for win19cis_private_firewall_log_size please read" + - "Warning!! You have an invalid size set for win19cis_private_firewall_log_size please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: win19cis_private_firewall_log_size < 16384 
@@ -409,7 +409,7 @@ - name: "9.3.8 | AUDIT | Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater' | Warning Check For Variable Standards." ansible.builtin.debug: msg: - - "Warning!! You have a invalid size set for win19cis_public_firewall_log_size please read" + - "Warning!! You have an invalid size set for win19cis_public_firewall_log_size please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: win19cis_public_firewall_log_size < 16384 diff --git a/tasks/section18.yml b/tasks/section18.yml index 3083d77..8abbfb5 100644 --- a/tasks/section18.yml +++ b/tasks/section18.yml 
@@ -60,84 +60,84 @@ - patch - onlinetips -- name: "18.2.1 | PATCH | Ensure LAPS AdmPwd GPO Extension CSE is installed MS only" +- name: "18.3.1 | PATCH | Ensure LAPS AdmPwd GPO Extension CSE is installed MS only" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} name: DllName data: C:\Program Files\LAPS\CSE\AdmPwd.dll type: string when: - - win19cis_rule_18_2_1 + - win19cis_rule_18_3_1 - win2019cis_is_domain_member tags: - level1-memberserver - - rule_18.2.1 + - rule_18.3.1 - patch - laps - gpo -- name: "18.2.2 | PATCH | Ensure Do not allow password expiration time longer than required by policy is set to Enabled MS only" +- name: "18.3.2 | PATCH | Ensure Do not allow password expiration time longer than required by policy is set to Enabled MS only" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd name: PwdExpirationProtectionEnabled data: 1 type: dword when: - - win19cis_rule_18_2_2 + - win19cis_rule_18_3_2 - win2019cis_is_domain_member tags: - level1-memberserver - - rule_18.2.2 + - rule_18.3.2 - patch - accounts -- name: "18.2.3 | PATCH | Ensure Enable Local Admin Password Management is set to Enabled MS only" +- name: "18.3.3 | PATCH | Ensure Enable Local Admin Password Management is set to Enabled MS only" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd name: AdmPwdEnabled data: 1 type: dword when: - - win19cis_rule_18_2_3 + - win19cis_rule_18_3_3 - win2019cis_is_domain_member tags: - level1-memberserver - - rule_18.2.3 + - rule_18.3.3 - patch - accounts - admin -- name: "18.2.4 | PATCH | Ensure Password Settings Password Complexity is set to Enabled Large letters small letters numbers special characters MS only" +- name: "18.3.4 | PATCH | Ensure Password Settings Password Complexity is set to Enabled Large letters small letters numbers special characters MS only" ansible.windows.win_regedit: 
path: HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd name: PasswordComplexity data: 4 type: dword when: - - win19cis_rule_18_2_4 + - win19cis_rule_18_3_4 - win2019cis_is_domain_member tags: - level1-memberserver - - rule_18.2.4 + - rule_18.3.4 - patch - accounts -- name: "18.2.5 | PATCH | Ensure Password Settings Password Length is set to Enabled 15 or more MS only" +- name: "18.3.5 | PATCH | Ensure Password Settings Password Length is set to Enabled 15 or more MS only" block: - - name: "18.2.5 | AUDIT | Ensure Password Settings Password Length is set to Enabled 15 or more MS only. | Warning Check For Variable Standards." + - name: "18.3.5 | AUDIT | Ensure Password Settings Password Length is set to Enabled 15 or more MS only. | Warning Check For Variable Standards." ansible.builtin.debug: msg: - - "Warning!! You have a invalid password length set for win19cis_laps_password_length please read" + - "Warning!! You have an invalid password length set for win19cis_laps_password_length please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: win19cis_laps_password_length < 15 - - name: "18.2.5 | AUDIT | Ensure Password Settings Password Length is set to Enabled 15 or more MS only. | Warn Count." + - name: "18.3.5 | AUDIT | Ensure Password Settings Password Length is set to Enabled 15 or more MS only. | Warn Count." ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: '18.2.5' + warn_control_id: '18.3.5' when: win19cis_laps_password_length < 15 - - name: "18.2.5 | PATCH | Ensure Password Settings Password Length is set to Enabled 15 or more MS only. | Set Variable." + - name: "18.3.5 | PATCH | Ensure Password Settings Password Length is set to Enabled 15 or more MS only. | Set Variable." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd name: PasswordLength 
@@ -145,30 +145,30 @@ type: dword when: win19cis_laps_password_length >= 15 when: - - win19cis_rule_18_2_5 + - win19cis_rule_18_3_5 - win2019cis_is_domain_member tags: - level1-memberserver - - rule_18.2.5 + - rule_18.3.5 - patch - accounts -- name: "18.2.6 | PATCH | Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only" +- name: "18.3.6 | PATCH | Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only" block: - - name: "18.2.6 | AUDIT | Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only | Warning Check For Variable Standards." + - name: "18.3.6 | AUDIT | Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only | Warning Check For Variable Standards." ansible.builtin.debug: msg: - - "Warning!! You have a invalid password length set for win19cis_laps_password_length please read" + - "Warning!! You have an invalid password length set for win19cis_laps_password_length please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: win19cis_laps_password_age_days > 30 - - name: "18.2.6 | AUDIT | Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only | Warn Count." + - name: "18.3.6 | AUDIT | Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only | Warn Count." ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: '18.2.6' + warn_control_id: '18.3.6' when: win19cis_laps_password_age_days > 30 - - name: "18.2.6 | PATCH | Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only | Set Variable." + - name: "18.3.6 | PATCH | Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only | Set Variable." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd name: PasswordAgeDays 
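Review bot: In the 18.3.6 Password Age Days block the reworded warning still says `invalid password length set for win19cis_laps_password_length`, while its condition is `win19cis_laps_password_age_days > 30`, so the operator is pointed at a variable that is not the one out of range. Since the line is already changing, make it `- "Warning!! You have an invalid password age set for win19cis_laps_password_age_days please read"`. It reads like a copy of the 18.3.5 message that was never adjusted.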
@@ -176,45 +176,60 @@ type: dword when: win19cis_laps_password_age_days <= 30 when: - - win19cis_rule_18_2_6 - - ansible_windows_domain_role == "Member Server" + - win19cis_rule_18_3_6 + - win2019cis_is_domain_member tags: - level1-memberserver - - rule_18.2.6 + - rule_18.3.6 - patch - accounts -- name: "18.3.1 | PATCH | Ensure Apply UAC restrictions to local accounts on network logons is set to Enabled MS only" +- name: "18.4.1 | PATCH | Ensure Apply UAC restrictions to local accounts on network logons is set to Enabled MS only" ansible.windows.win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: LocalAccountTokenFilterPolicy data: 0 type: dword when: - - win19cis_rule_18_3_1 + - win19cis_rule_18_4_1 - win2019cis_is_domain_member tags: - level1-memberserver - - rule_18.3.1 + - rule_18.4.1 - patch - uac -- name: "18.3.2 | PATCH | Ensure Configure SMB v1 client driver is set to Enabled Disable driver recommended" +- name: "18.4.2 | PATCH | Ensure Configure RPC packet level privacy setting for incoming connections is set to Enabled" + ansible.windows.win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Control\Print + name: RpcAuthnLevelPrivacyEnabled + data: 1 + type: dword + when: + - win19cis_rule_18_4_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.4.2 + - patch + - RPC + +- name: "18.4.3 | PATCH | Ensure Configure SMB v1 client driver is set to Enabled Disable driver recommended" ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10 name: Start data: 4 type: dword when: - - win19cis_rule_18_3_2 + - win19cis_rule_18_4_3 tags: - level1-domaincontroller - level1-memberserver - - rule_18.3.2 + - rule_18.4.3 - patch - smb -- name: "18.3.3 | PATCH | Ensure Configure SMB v1 server is set to Disabled" +- name: "18.4.4 | PATCH | Ensure Configure SMB v1 server is set to Disabled" ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters name: 
SMB1 @@ -223,15 +238,15 @@ state: present notify: reboot_windows when: - - win19cis_rule_18_3_3 + - win19cis_rule_18_4_4 tags: - level1-domaincontroller - level1-memberserver - - rule_18.3.3 + - rule_18.4.4 - patch - smb -- name: "18.3.4 | PATCH | Ensure Enable Structured Exception Handling Overwrite Protection SEHOP is set to Enabled" +- name: "18.4.5 | PATCH | Ensure Enable Structured Exception Handling Overwrite Protection SEHOP is set to Enabled" ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel name: DisableExceptionChainValidation @@ -239,31 +254,15 @@ type: dword state: present when: - - win19cis_rule_18_3_4 + - win19cis_rule_18_4_5 tags: - level1-domaincontroller - level1-memberserver - - rule_18.3.4 + - rule_18.4.5 - patch - sehop -- name: "18.3.5 | PATCH | Ensure Limits print driver installation to Administrators is set to Enabled" - ansible.windows.win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint - name: RestrictDriverInstallationToAdministrators - data: 1 - type: dword - when: - - win19cis_rule_18_3_5 - tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.3.5 - - patch - - printers - - drivers - -- name: "18.3.6 | PATCH | Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node recommended'" +- name: "18.4.6 | PATCH | Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node recommended'" ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters state: present 
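Review bot: The new 18.4.2 task tags itself `RPC` while every other tag in this file is lowercase (`smb`, `uac`, `sehop`, `mss`); Ansible tags are case-sensitive, so `--tags rpc` would not select it. Use `- rpc`. The neighbouring 18.4.4 and 18.4.5 tasks also set `state: present` explicitly, which this task could follow for consistency.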
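Review bot: The 18.3.5 task that sets `RestrictDriverInstallationToAdministrators` under `HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint` is deleted outright rather than renumbered like its neighbours, so this role no longer applies the Point and Print driver-installation restriction. If the benchmark revision moved the control to another subsection, the task should reappear there within this patch series; if it was dropped deliberately, a comment such as `# 18.3.5 removed: <reason / new control id>` at this spot would record why a hardening setting went away.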
@@ -271,15 +270,15 @@ data: "{{ win19cis_netbt_nodetype }}" datatype: dword when: - - win19cis_rule_18_3_6 + - win19cis_rule_18_4_6 tags: - level1-domaincontroller - level1-memberserver - - rule_18.3.6 + - rule_18.4.6 - patch - netbt -- name: "18.3.7 | PATCH | Ensure WDigest Authentication is set to Disabled" +- name: "18.4.7 | PATCH | Ensure WDigest Authentication is set to Disabled" ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest state: present @@ -287,15 +286,15 @@ data: 0 datatype: dword when: - - win19cis_rule_18_3_7 + - win19cis_rule_18_4_7 tags: - level1-domaincontroller - level1-memberserver - - rule_18.3.7 + - rule_18.4.7 - patch - wdigest -- name: "18.4.1 | PATCH | Ensure MSS AutoAdminLogon Enable Automatic Logon not recommended is set to Disabled" +- name: "18.5.1 | PATCH | Ensure MSS AutoAdminLogon Enable Automatic Logon not recommended is set to Disabled" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon state: present @@ -303,16 +302,16 @@ data: 0 datatype: string when: - - win19cis_rule_18_4_1 + - win19cis_rule_18_5_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.4.1 + - rule_18.5.1 - patch - mss - logon -- name: "18.4.2 | PATCH | Ensure MSS DisableIPSourceRouting IPv6 IP source routing protection level protects against packet spoofing is set to Enabled Highest protection source routing is completely disabled" +- name: "18.5.2 | PATCH | Ensure MSS DisableIPSourceRouting IPv6 IP source routing protection level protects against packet spoofing is set to Enabled Highest protection source routing is completely disabled" ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters state: present 
@@ -320,16 +319,16 @@ data: 2 datatype: dword when: - - win19cis_rule_18_4_2 + - win19cis_rule_18_5_2 tags: - level1-domaincontroller - level1-memberserver - - rule_18.4.2 + - rule_18.5.2 - patch - mss - iprouting -- name: "18.4.3 | PATCH | Ensure MSS DisableIPSourceRouting IP source routing protection level protects against packet spoofing is set to Enabled Highest protection source routing is completely disabled" +- name: "18.5.3 | PATCH | Ensure MSS DisableIPSourceRouting IPv6 IP source routing protection level protects against packet spoofing is set to Enabled Highest protection source routing is completely disabled" ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters state: present @@ -337,16 +336,16 @@ data: 2 datatype: dword when: - - win19cis_rule_18_4_3 + - win19cis_rule_18_5_3 tags: - level1-domaincontroller - level1-memberserver - - rule_18.4.3 + - rule_18.5.3 - patch - mss - iprouting -- name: "18.4.4 | PATCH | Ensure MSS EnableICMPRedirect Allow ICMP redirects to override OSPF generated routes is set to Disabled" +- name: "18.5.4 | PATCH | Ensure MSS EnableICMPRedirect Allow ICMP redirects to override OSPF generated routes is set to Disabled" ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters state: present @@ -354,16 +353,16 @@ data: 0 datatype: dword when: - - win19cis_rule_18_4_4 + - win19cis_rule_18_5_4 tags: - level1-domaincontroller - level1-memberserver - - rule_18.4.4 + - rule_18.5.4 - patch - mss - icmps -- name: "18.4.5 | PATCH | Ensure MSS KeepAliveTime How often keep-alive packets are sent in milliseconds is set to Enabled 300000 or 5 minutes recommended" +- name: "18.5.5 | PATCH | Ensure MSS KeepAliveTime How often keep-alive packets are sent in milliseconds is set to Enabled 300000 or 5 minutes recommended" ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters state: present 
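Review bot: The renamed 18.5.3 task now reads `Ensure MSS DisableIPSourceRouting IPv6 IP source routing protection level ...`, but its registry path is `HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters`, the IPv4 stack, and the IPv6 variant under `Tcpip6\Parameters` is already 18.5.2 directly above. The old title without `IPv6` was correct; the new one duplicates 18.5.2's wording and will mislead anyone reading play output or audit reports. Drop the inserted word: `- name: "18.5.3 | PATCH | Ensure MSS DisableIPSourceRouting IP source routing protection level protects against packet spoofing is set to Enabled Highest protection source routing is completely disabled"`.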
@@ -371,16 +370,16 @@ data: 300000 datatype: dword when: - - win19cis_rule_18_4_5 + - win19cis_rule_18_5_5 tags: - level2-domaincontroller - level2-memberserver - - rule_18.4.5 + - rule_18.5.5 - patch - mss - keepalive -- name: "18.4.6 | PATCH | Ensure MSS NoNameReleaseOnDemand Allow the computer to ignore NetBIOS name release requests except from WINS servers is set to Enabled" +- name: "18.5.6 | PATCH | Ensure MSS NoNameReleaseOnDemand Allow the computer to ignore NetBIOS name release requests except from WINS servers is set to Enabled" ansible.windows.win_regedit: path: HKLM:\System\Currentcontrolset\Services\Netbt\Parameters state: present @@ -388,16 +387,16 @@ data: 1 type: dword when: - - win19cis_rule_18_4_6 + - win19cis_rule_18_5_6 tags: - level1-domaincontroller - level1-memberserver - - rule_18.4.6 + - rule_18.5.6 - patch - mss - noname -- name: "18.4.7 | PATCH | Ensure MSS PerformRouterDiscovery Allow IRDP to detect and configure Default Gateway addresses could lead to DoS is set to Disabled" +- name: "18.5.7 | PATCH | Ensure MSS PerformRouterDiscovery Allow IRDP to detect and configure Default Gateway addresses could lead to DoS is set to Disabled" ansible.windows.win_regedit: path: HKLM:\System\Currentcontrolset\Services\Tcpip\Parameters state: present @@ -405,15 +404,15 @@ data: 0 type: dword when: - - win19cis_rule_18_4_7 + - win19cis_rule_18_5_7 tags: - level2-domaincontroller - level2-memberserver - - rule_18.4.7 + - rule_18.5.7 - patch - mss -- name: "18.4.8 | PATCH | Ensure MSS SafeDllSearchMode Enable Safe DLL search mode recommended is set to Enabled" +- name: "18.5.8 | PATCH | Ensure MSS SafeDllSearchMode Enable Safe DLL search mode recommended is set to Enabled" ansible.windows.win_regedit: path: HKLM:\System\Currentcontrolset\Control\Session Manager name: SafeDllSearchMode 
@@ -421,30 +420,31 @@ type: dword state: present when: - - win19cis_rule_18_4_8 + - win19cis_rule_18_5_8 tags: - level1-domaincontroller - level1-memberserver - - rule_18.4.8 + - rule_18.5.8 - patch - mss -- name: "18.4.9 | PATCH | Ensure MSS ScreenSaverGracePeriod The time in seconds before the screen saver grace period expires 0 recommended is set to Enabled 5 or fewer seconds" +- name: "18.5.9 | PATCH | Ensure MSS ScreenSaverGracePeriod The time in seconds before the screen saver grace period expires 0 recommended is set to Enabled 5 or fewer seconds" block: - - name: "18.4.9 | AUDIT | Ensure MSS ScreenSaverGracePeriod The time in seconds before the screen saver grace period expires 0 recommended is set to Enabled 5 or fewer seconds | Warning Check For Variable Standards." + - name: "18.5.9 | AUDIT | Ensure MSS ScreenSaverGracePeriod The time in seconds before the screen saver grace period expires 0 recommended is set to Enabled 5 or fewer seconds | Warning Check For Variable Standards." ansible.builtin.debug: msg: - - "Warning!! You have a invalid time set for win19cis_screen_saver_grace_period please read" + - "Warning!! You have an invalid time set for win19cis_screen_saver_grace_period please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: win19cis_screen_saver_grace_period > 5 - - name: "18.4.9 | PATCH | Ensure MSS ScreenSaverGracePeriod The time in seconds before the screen saver grace period expires 0 recommended is set to Enabled 5 or fewer seconds | Set Warn Count." - ansible.builtin.import_tasks: warning_facts.yml + - name: "18.5.9 | PATCH | Ensure MSS ScreenSaverGracePeriod The time in seconds before the screen saver grace period expires 0 recommended is set to Enabled 5 or fewer seconds | Set Warn Count." 
+ ansible.builtin.import_tasks: + file: warning_facts.yml vars: - warn_control_id: '18.4.9' + warn_control_id: '18.5.9' when: win19cis_screen_saver_grace_period > 5 - - name: "18.4.9 | PATCH | Ensure MSS ScreenSaverGracePeriod The time in seconds before the screen saver grace period expires 0 recommended is set to Enabled 5 or fewer seconds | Set Variable." + - name: "18.5.9 | PATCH | Ensure MSS ScreenSaverGracePeriod The time in seconds before the screen saver grace period expires 0 recommended is set to Enabled 5 or fewer seconds | Set Variable." ansible.windows.win_regedit: path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon name: ScreenSaverGracePeriod 
@@ -453,60 +453,61 @@ state: present when: win19cis_screen_saver_grace_period <= 5 when: - - win19cis_rule_18_4_9 + - win19cis_rule_18_5_9 tags: - level1-domaincontroller - level1-memberserver - - rule_18.4.9 + - rule_18.5.9 - patch - mss -- name: "18.4.10 | PATCH | Ensure MSS TcpMaxDataRetransmissions IPv6 How many times unacknowledged data is retransmitted is set to Enabled 3" +- name: "18.5.10 | PATCH | Ensure MSS TcpMaxDataRetransmissions IPv6 How many times unacknowledged data is retransmitted is set to Enabled 3" ansible.windows.win_regedit: path: HKLM:\System\Currentcontrolset\Services\Tcpip6\Parameters name: TcpMaxDataRetransmissions data: 3 type: dword when: - - win19cis_rule_18_4_10 + - win19cis_rule_18_5_10 tags: - level2-domaincontroller - level2-memberserver - - rule_18.4.10 + - rule_18.5.10 - patch - mss -- name: "18.4.11 | PATCH | Ensure MSS TcpMaxDataRetransmissions How many times unacknowledged data is retransmitted is set to Enabled 3" +- name: "18.5.11 | PATCH | Ensure MSS TcpMaxDataRetransmissions How many times unacknowledged data is retransmitted is set to Enabled 3" ansible.windows.win_regedit: path: HKLM:\System\Currentcontrolset\Services\Tcpip\Parameters name: TcpMaxDataRetransmissions data: 3 type: dword when: - - win19cis_rule_18_4_11 + - win19cis_rule_18_5_11 tags: - level2-domaincontroller - level2-memberserver - - rule_18.4.11 + - rule_18.5.11 - patch - mss -- name: "18.4.12 | PATCH | Ensure MSS WarningLevel Percentage threshold for the security event log at which the system will generate a warning is set to Enabled 90 or less" +- name: "18.5.12 | PATCH | Ensure MSS WarningLevel Percentage threshold for the security event log at which the system will generate a warning is set to Enabled 90 or less" block: - - name: "18.4.12 | AUDIT | Ensure MSS WarningLevel Percentage threshold for the security event log at which the system will generate a warning is set to Enabled 90 or less | Warning Check For Variable Standards." 
+ - name: "18.5.12 | AUDIT | Ensure MSS WarningLevel Percentage threshold for the security event log at which the system will generate a warning is set to Enabled 90 or less | Warning Check For Variable Standards." ansible.builtin.debug: msg: - - "Warning!! You have a invalid percentage set for win19cis_log_threshold_audit_event please read" + - "Warning!! You have an invalid percentage set for win19cis_log_threshold_audit_event please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: win19cis_log_threshold_audit_event > 90 - - name: "18.4.12 | AUDIT | Ensure MSS WarningLevel Percentage threshold for the security event log at which the system will generate a warning is set to Enabled 90 or less | Warn Count." - ansible.builtin.import_tasks: warning_facts.yml + - name: "18.5.12 | AUDIT | Ensure MSS WarningLevel Percentage threshold for the security event log at which the system will generate a warning is set to Enabled 90 or less | Warn Count." + ansible.builtin.import_tasks: + file: warning_facts.yml vars: - warn_control_id: '18.4.12' + warn_control_id: '18.5.12' when: win19cis_log_threshold_audit_event > 90 - - name: "18.4.12 | PATCH | Ensure MSS WarningLevel Percentage threshold for the security event log at which the system will generate a warning is set to Enabled 90 or less | Set Variable." + - name: "18.5.12 | PATCH | Ensure MSS WarningLevel Percentage threshold for the security event log at which the system will generate a warning is set to Enabled 90 or less | Set Variable." ansible.windows.win_regedit: path: HKLM:\System\Currentcontrolset\Services\Eventlog\Security name: WarningLevel 
@@ -514,184 +515,241 @@ type: dword when: win19cis_log_threshold_audit_event <= 90 when: - - win19cis_rule_18_4_12 + - win19cis_rule_18_5_12 tags: - level1-domaincontroller - level1-memberserver - - rule_18.4.12 + - rule_18.5.12 - patch - mss -- name: "18.5.4.1 | PATCH | Ensure Configure DNS over HTTPS (DoH) name resolution is set to Enabled: Allow DoH or higher" - ansible.windows.win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient - name: DoHPolicy - data: 2 - type: dword +- name: "18.6.4.1 | PATCH | Ensure Configure DNS over HTTPS (DoH) name resolution is set to Enabled: Allow DoH or higher" + block: + - name: "18.6.4.1 | AUDIT | Ensure Configure DNS over HTTPS (DoH) name resolution is set to Enabled: Allow DoH or higher. | Warning Check For Variable Standards." + ansible.builtin.debug: + msg: + - "Warning!! You have an invalid setting for win19cis_doh_policy. Please read" + - "the notes for the variable and make the necessary change to the variable to be in compliance." + when: + - win19cis_doh_policy != 2 + - win19cis_doh_policy != 3 + + - name: "18.6.4.1 | AUDIT | Ensure Configure DNS over HTTPS (DoH) name resolution is set to Enabled: Allow DoH or higher. | Warn Count." + ansible.builtin.import_tasks: + file: warning_facts.yml + vars: + warn_control_id: '18.6.4.1' + when: + - win19cis_doh_policy != 2 + - win19cis_doh_policy != 3 + + - name: "18.6.4.1 | AUDIT | Ensure Configure DNS over HTTPS (DoH) name resolution is set to Enabled: Allow DoH or higher. | Set Variable." 
+ ansible.windows.win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient + name: DoHPolicy + data: "{{ win19cis_doh_policy }}" + type: dword + when: win19cis_doh_policy == 2 or win19cis_doh_policy == 3 when: - - win19cis_rule_18_5_4_1 + - win19cis_rule_18_6_4_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.5.4.1 + - level1-corporate-enterprise-environment + - rule_18.6.4.1 + - automated - patch - - dns + - dns-over-https + +- name: "18.6.4.2 | PATCH | Ensure 'Configure NetBIOS settings' is set to 'Enabled: Disable NetBIOS name resolution on public networks'" + block: + - name: "18.6.4.2 | AUDIT | Ensure 'Configure NetBIOS settings' is set to 'Enabled: Disable NetBIOS name resolution on public networks'. | Warning Check For Variable Standards." + ansible.builtin.debug: + msg: + - "Warning!! You have an invalid setting for win19cis_enable_netbios_policy. Please read" + - "the notes for the variable and make the necessary change to the variable to be in compliance." + when: + - win19cis_enable_netbios_policy != 2 + - win19cis_enable_netbios_policy != 0 + + - name: "18.6.4.2 | AUDIT | Ensure 'Configure NetBIOS settings' is set to 'Enabled: Disable NetBIOS name resolution on public networks'. | Warn Count." + ansible.builtin.import_tasks: + file: warning_facts.yml + vars: + warn_control_id: '18.6.4.2' + when: + - win19cis_enable_netbios_policy != 2 + - win19cis_enable_netbios_policy != 0 -- name: "18.5.4.2 | PATCH | Ensure Turn off multicast name resolution is set to Enabled MS Only" + - name: "18.6.4.2 | PATCH | Ensure 'Configure NetBIOS settings' is set to 'Enabled: Disable NetBIOS name resolution on public networks'. | Set Variable." 
+ ansible.windows.win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient + name: EnableNetbios + data: "{{ win19cis_enable_netbios_policy }}" + type: dword + when: win19cis_enable_netbios_policy == 2 or win19cis_enable_netbios_policy == 0 + when: + - win19cis_rule_18_6_4_2 + tags: + - level1-corporate-enterprise-environment + - rule_18.6.4.2 + - automated + - patch + - netbios + +- name: "18.6.4.3 | PATCH | Ensure Turn off multicast name resolution is set to Enabled MS Only | Member Server" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient name: EnableMulticast - data: 0 + data: 1 type: dword when: - - win19cis_rule_18_5_4_2 - - win2019cis_is_domain_member + - win19cis_rule_18_6_4_3 + - win2022cis_is_domain_member tags: - level1-domaincontroller - level1-memberserver - - rule_18.5.4.2 + - rule_18.6.4.3 - patch - dns -- name: "18.5.5.1 | PATCH | Ensure Enable Font Providers is set to Disabled" +- name: "18.6.5.1 | PATCH | Ensure Enable Font Providers is set to Disabled" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System name: EnableFontProviders data: 0 type: dword when: - - win19cis_rule_18_5_5_1 + - win19cis_rule_18_6_5_1 tags: - level2-domaincontroller - level2-memberserver - - rule_18.5.5.1 + - rule_18.6.5.1 - patch - dns -- name: "18.5.8.1 | PATCH | Ensure Enable insecure guest logons is set to Disabled" +- name: "18.6.8.1 | PATCH | Ensure Enable insecure guest logons is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Lanmanworkstation name: AllowInsecureGuestAuth data: 0 type: dword when: - - win19cis_rule_18_5_8_1 + - win19cis_rule_18_6_8_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.5.8.1 + - rule_18.6.8.1 - patch - fonts -- name: "18.5.9.1 | PATCH | Ensure Turn on Mapper IO LLTDIO driver is set to Disabled" +- name: "18.6.9.1 | PATCH | Ensure Turn on Mapper I/O LLTDIO driver is set to Disabled" 
block: - - name: "18.5.9.1 | PATCH | Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | AllowLLTDIOOndomain" + - name: "18.6.9.1 | PATCH | Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | AllowLLTDIOOndomain" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Lltd name: AllowLLTDIOOndomain data: 0 type: dword - - name: "18.5.9.1 | PATCH | Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | AllowLLTDIOOnPublicNet" + - name: "18.6.9.1 | PATCH | Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | AllowLLTDIOOnPublicNet" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Lltd name: AllowLLTDIOOnPublicNet data: 0 type: dword - - name: "18.5.9.1 | PATCH | Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | EnableLLTDIO" + - name: "18.6.9.1 | PATCH | Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | EnableLLTDIO" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Lltd name: EnableLLTDIO data: 0 type: dword - - name: "18.5.9.1 | PATCH | Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | ProhibitLLTDIOOnPrivateNet" + - name: "18.6.9.1 | PATCH | Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | ProhibitLLTDIOOnPrivateNet" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Lltd name: ProhibitLLTDIOOnPrivateNet data: 0 type: dword when: - - win19cis_rule_18_5_9_1 + - win19cis_rule_18_6_9_1 tags: - level2-domaincontroller - level2-memberserver - - rule_18.5.9.1 + - rule_18.6.9.1 - patch - mapper - drivers -- name: "18.5.9.2 | PATCH | Ensure Turn on Responder RSPNDR driver is set to Disabled" +- name: "18.6.9.2 | PATCH | Ensure Turn on Responder RSPNDR driver is set to Disabled" block: - - name: "18.5.9.2 | PATCH | Ensure Turn on Responder RSPNDR driver is set to Disabled | AllowRspndrOnDomain" + - name: "18.6.9.2 | PATCH | Ensure Turn on Responder RSPNDR driver is set to Disabled | AllowRspndrOnDomain" 
ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Lltd name: AllowRspndrOnDomain data: 0 type: dword - - name: "18.5.9.2 | PATCH | Ensure Turn on Responder RSPNDR driver is set to Disabled | AllowRspndrOnPublicNet" + - name: "18.6.9.2 | PATCH | Ensure Turn on Responder RSPNDR driver is set to Disabled | AllowRspndrOnPublicNet" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Lltd name: AllowRspndrOnPublicNet data: 0 type: dword - - name: "18.5.9.2 | PATCH | Ensure Turn on Responder RSPNDR driver is set to Disabled | EnableRspndr" + - name: "18.6.9.2 | PATCH | Ensure Turn on Responder RSPNDR driver is set to Disabled | EnableRspndr" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Lltd name: EnableRspndr data: 0 type: dword - - name: "18.5.9.2 | PATCH | Ensure Turn on Responder RSPNDR driver is set to Disabled | ProhibitRspndrOnPrivateNet" + - name: "18.6.9.2 | PATCH | Ensure Turn on Responder RSPNDR driver is set to Disabled | ProhibitRspndrOnPrivateNet" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Lltd name: ProhibitRspndrOnPrivateNet data: 0 type: dword when: - - win19cis_rule_18_5_9_2 + - win19cis_rule_18_6_9_2 tags: - level2-domaincontroller - level2-memberserver - - rule_18.5.9.2 + - rule_18.6.9.2 - patch - rspndr - driver -- name: "18.5.10.2 | PATCH | Ensure Turn off Microsoft Peer-to-Peer Networking Services is set to Enabled" +- name: "18.6.10.2 | PATCH | Ensure Turn off Microsoft Peer-to-Peer Networking Services is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Peernet name: Disabled data: 1 type: dword when: - - win19cis_rule_18_5_10_2 + - win19cis_rule_18_6_10_2 tags: - level2-domaincontroller - level2-memberserver - - rule_18.5.10.2 + - rule_18.6.10.2 - patch - p2p -- name: "18.5.11.2 | PATCH | Ensure Prohibit installation and configuration of Network Bridge on your DNS domain network is set to Enabled" 
+- name: "18.6.11.2 | PATCH | Ensure Prohibit installation and configuration of Network Bridge on your DNS domain network is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Network Connections name: NC_AllowNetBridge_NLA data: 0 type: dword when: - - win19cis_rule_18_5_11_2 + - win19cis_rule_18_6_11_2 tags: - level1-domaincontroller - level1-memberserver - - rule_18.5.11.2 + - rule_18.6.11.2 - patch - networkconnections -- name: "18.5.11.3 | PATCH | Ensure Prohibit use of Internet Connection Sharing on your DNS domain network is set to Enabled" +- name: "18.6.11.3 | PATCH | Ensure Prohibit use of Internet Connection Sharing on your DNS domain network is set to Enabled" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections name: NC_ShowSharedAccessUI 
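Review bot: In 18.6.4.3 the value written to `EnableMulticast` changes from `0` to `1`, which reverses the control: the "Turn off multicast name resolution" policy is Enabled when this DWORD is 0, so `data: 1` turns LLMNR back on for member servers and the line should stay `data: 0` (verify against the benchmark's registry mapping before merging). The same task, and 18.6.21.2, 18.9.5.5 and 18.9.5.6 in the next hunk, also switch their conditions from `win2019cis_is_domain_member`/`win2019cis_is_domain_controller` to `win2022cis_is_domain_member`/`win2022cis_is_domain_controller`; unless those facts are now defined under the new names elsewhere in this role, the `when` evaluation fails on an undefined variable and the controls are never applied. Separately, the new 18.6.4.1 and 18.6.4.2 tasks carry `level1-corporate-enterprise-environment` and `automated` instead of the `level1-domaincontroller`/`level1-memberserver` pair used by every other task in this file, so a run filtered by the usual level tags would silently skip them.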
@@ -702,361 +760,505 @@ tags: - level1-domaincontroller - level1-memberserver - - rule_18.5.11.3 + - rule_18.6.11.3 - patch - networkconnections -- name: "18.5.11.4 | PATCH | Ensure Require domain users to elevate when setting a networks location is set to Enabled" +- name: "18.6.11.4 | PATCH | Ensure Require domain users to elevate when setting a networks location is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Network Connections name: NC_StdDomainUserSetLocation data: 1 type: dword when: - - win19cis_rule_18_5_11_4 + - win19cis_rule_18_6_11_4 tags: - level1-domaincontroller - level1-memberserver - - rule_18.5.11.4 + - rule_18.6.11.4 - patch - networkconnections -- name: "18.5.14.1 | PATCH | Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all NETLOGON and SYSVOL shares" +- name: "18.6.14.1 | PATCH | Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all NETLOGON and SYSVOL shares" block: - - name: "18.5.14.1 | PATCH | Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all NETLOGON shares" + - name: "18.6.14.1 | PATCH | Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all NETLOGON shares" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Networkprovider\Hardenedpaths name: "\\\\*\\NETLOGON" data: "RequireMutualAuthentication=1, RequireIntegrity=1" type: string - - name: "18.5.14.1 | PATCH | Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all SYSVOL shares" + - name: "18.6.14.1 | PATCH | Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all SYSVOL shares" ansible.windows.win_regedit: path: 
HKLM:\Software\Policies\Microsoft\Windows\Networkprovider\Hardenedpaths name: "\\\\*\\SYSVOL" data: "RequireMutualAuthentication=1, RequireIntegrity=1" type: string when: - - win19cis_rule_18_5_14_1 + - win19cis_rule_18_6_14_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.5.14.1 + - rule_18.6.14.1 - patch - paths - unc -- name: "18.5.19.2.1 | PATCH | Disable IPv6 Ensure TCPIP6 Parameter DisabledComponents is set to 0xff 255" +- name: "18.6.19.2.1 | PATCH | Disable IPv6 Ensure TCPIP6 Parameter DisabledComponents is set to 0xff 255" ansible.windows.win_regedit: path: HKLM:\System\CurrentControlSet\Services\TCPIP6\Parameters name: DisabledComponents data: 255 type: dword when: - - win19cis_rule_18_5_19_2_1 + - win19cis_rule_18_6_19_2_1 tags: - level2-domaincontroller - level2-memberserver - - rule_18.5.19.2.1 + - rule_18.6.19.2.1 - patch - ipv6 -- name: "18.5.20.1 | PATCH | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled" +- name: "18.6.20.1 | PATCH | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled" block: - - name: "18.5.20.1 | PATCH | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | EnableRegistrars" + - name: "18.6.20.1 | PATCH | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | EnableRegistrars" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars name: EnableRegistrars data: 0 type: dword - - name: "18.5.20.1 | PATCH | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableUPnPRegistrar" + - name: "18.6.20.1 | PATCH | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableUPnPRegistrar" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars name: DisableUPnPRegistrar data: 0 type: dword - - name: "18.5.20.1 | PATCH | Ensure 
Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableInBand802DOT11Registrar" + - name: "18.6.20.1 | PATCH | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableInBand802DOT11Registrar" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars name: DisableInBand802DOT11Registrar data: 0 type: dword - - name: "18.5.20.1 | PATCH | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableFlashConfigRegistrar" + - name: "18.6.20.1 | PATCH | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableFlashConfigRegistrar" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars name: DisableFlashConfigRegistrar data: 0 type: dword - - name: "18.5.20.1 | PATCH | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableWPDRegistrar" + - name: "18.6.20.1 | PATCH | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableWPDRegistrar" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars name: DisableWPDRegistrar data: 0 type: dword when: - - win19cis_rule_18_5_20_1 + - win19cis_rule_18_6_20_1 tags: - level2-domaincontroller - level2-memberserver - - rule_18.5.20.1 + - rule_18.6.20.1 - patch - wireless -- name: "18.5.20.2 | PATCH | Ensure Prohibit access of the Windows Connect Now wizards is set to Enabled" +- name: "18.6.20.2 | PATCH | Ensure Prohibit access of the Windows Connect Now wizards is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Ui name: DisableWcnUi data: 1 type: dword when: - - win19cis_rule_18_5_20_2 + - win19cis_rule_18_6_20_2 tags: - level2-domaincontroller - level2-memberserver - - rule_18.5.20.2 + - rule_18.6.20.2 - patch - connectnow -- name: "18.5.21.1 | PATCH | 
Ensure Minimize the number of simultaneous connections to the Internet or a Windows Domain is set to Enabled" +- name: "18.6.21.1 | PATCH | Ensure Minimize the number of simultaneous connections to the Internet or a Windows Domain is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Wcmsvc\Grouppolicy name: fMinimizeConnections data: 3 type: dword when: - - win19cis_rule_18_5_21_1 + - win19cis_rule_18_6_21_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.5.21.1 + - rule_18.6.21.1 - patch - gpo -- name: "18.5.21.2 | PATCH | Ensure Prohibit connection to non-domain networks when connected to domain authenticated network is set to Enabled MS only" +- name: "18.6.21.2 | PATCH | Ensure Prohibit connection to non-domain networks when connected to domain authenticated network is set to Enabled MS only | Member Server" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Wcmsvc\Grouppolicy name: fBlockNonDomain data: 1 type: dword when: - - win19cis_rule_18_5_21_2 - - win2019cis_is_domain_member + - win19cis_rule_18_6_21_2 + - win2022cis_is_domain_member tags: - level2-memberserver - - rule_18.5.21.2 + - rule_18.6.21.2 - patch - gpo -- name: "18.6.1 | PATCH | Ensure Allow Print Spooler to accept client connections is set to Disabled" +- name: "18.7.1 | PATCH | Ensure Allow Print Spooler to accept client connections is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows NT\Printers name: RegisterSpoolerRemoteRpcEndPoint data: 2 type: dword when: - - win19cis_rule_18_6_1 + - win19cis_rule_18_7_1 + tags: + - level1-domaincontroller + - level2-memberserver + - rule_18.7.1 + - patch + - printers + +- name: "18.7.2 | PATCH | Ensure Configure Redirection Guard is set to Enabled Redirection Guard Enabled" + ansible.windows.win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows NT\Printers + name: RedirectionguardPolicy + data: 2 + type: dword + 
when: + - win19cis_rule_18_7_2 tags: - level1-domaincontroller - level2-memberserver - - rule_18.6.1 + - rule_18.7.2 - patch - printers -- name: "18.6.2 | PATCH | Ensure Point and Print Restrictions: When installing drivers for a new connection is set to Enabled: Show warning and elevation prompt" +- name: "18.7.3 | PATCH | Ensure Configure RPC connection settings Protocol to use for outgoing RPC connections is set to Enabled RPC over TCP" + ansible.windows.win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows NT\Printers\RPC + name: RpcUseNamedPipeProtocol + data: 0 + type: dword + when: + - win19cis_rule_18_7_3 + tags: + - level1-domaincontroller + - level2-memberserver + - rule_18.7.3 + - patch + - printers + +- name: "18.7.4 | PATCH | Ensure Configure RPC connection settings Use authentication for outgoing RPC connections is set to Enabled: Default" + ansible.windows.win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows NT\Printers\RPC + name: RpcAuthentication + data: 0 + type: dword + when: + - win19cis_rule_18_7_4 + tags: + - level1-domaincontroller + - level2-memberserver + - rule_18.7.4 + - patch + - printers + +- name: "18.7.5 | PATCH | Ensure Configure RPC connection settings Use authentication for outgoing RPC connections is set to Enabled: Default" + ansible.windows.win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows NT\Printers\RPC + name: RpcProtocols + data: 5 + type: dword + when: + - win19cis_rule_18_7_5 + tags: + - level1-domaincontroller + - level2-memberserver + - rule_18.7.5 + - patch + - printers + +- name: "18.7.6 | PATCH | Ensure Configure RPC listener settings Authentication protocol to use for incoming RPC connections is set to Enabled Negotiate or higher" + block: + - name: "18.7.6 | AUDIT | Ensure 'Configure RPC listener settings: Authentication protocol to use for incoming RPC connections:' is set to 'Enabled: Negotiate' or higher. | Warning Check For Variable Standards." 
+ ansible.builtin.debug: + msg: + - "Warning!! You have an invalid setting for win19cis_force_kerberos_for_rpc. Please read" + - "the notes for the variable and make the necessary change to the variable to be in compliance." + when: + - win19cis_force_kerberos_for_rpc != 0 + - win19cis_force_kerberos_for_rpc != 1 + + - name: "18.7.6 | AUDIT | Ensure 'Configure RPC listener settings: Authentication protocol to use for incoming RPC connections:' is set to 'Enabled: Negotiate' or higher. | Warn Count." + ansible.builtin.import_tasks: + file: warning_facts.yml + vars: + warn_control_id: '18.7.6' + when: + - win19cis_force_kerberos_for_rpc != 0 + - win19cis_force_kerberos_for_rpc != 1 + + - name: "18.7.6 | PATCH | Ensure 'Configure RPC listener settings: Authentication protocol to use for incoming RPC connections:' is set to 'Enabled: Negotiate' or higher. | Set Variable." + ansible.windows.win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows NT\Printers\RPC + name: ForceKerberosForRpc + data: "{{ win19cis_force_kerberos_for_rpc }}" + type: dword + when: + - win19cis_force_kerberos_for_rpc == 0 or win19cis_force_kerberos_for_rpc == 1 + when: + - win19cis_rule_18_7_6 + tags: + - level1-domaincontroller + - level2-memberserver + - rule_18.7.6 + - patch + - printers + +- name: "18.7.7 | PATCH | Ensure Configure RPC over TCP port is set to Enabled: 0" + ansible.windows.win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows NT\Printers\RPC + name: RpcTcpPort + data: 0 + type: dword + when: + - win19cis_rule_18_7_7 + tags: + - level1-domaincontroller + - level2-memberserver + - rule_18.7.7 + - patch + - printers + +- name: "18.7.8 | PATCH | Ensure Limits print driver installation to Administrators is set to Enabled" + ansible.windows.win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint + name: RestrictDriverInstallationToAdministrators + data: 1 + type: dword + when: + - win19cis_rule_18_7_8 + tags: + - 
level1-domaincontroller + - level1-memberserver + - rule_18.7.8 + - patch + - printers + - drivers + +- name: "18.7.9 | PATCH | Ensure Manage processing of Queue-specific files is set to Enabled: Limit Queue-specific files to Color profiles" + ansible.windows.win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers + name: CopyFilesPolicy + data: 1 + type: dword + when: + - win19cis_rule_18_7_9 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.7.9 + - patch + - printers + - drivers + +- name: "18.7.10 | PATCH | Ensure Point and Print Restrictions When installing drivers for a new connection is set to Enabled Show warning and elevation prompt" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint name: NoWarningNoElevationOnInstall data: 0 type: dword when: - - win19cis_rule_18_6_2 + - win19cis_rule_18_7_10 tags: - level1-domaincontroller - level1-memberserver - - rule_18.6.2 + - rule_18.7.10 - patch - printers -- name: "18.6.3 | PATCH | Ensure Point and Print Restrictions: When updating drivers for an existing connection is set to Enabled: Show warning and elevation prompt" +- name: "18.7.11 | PATCH | Ensure Point and Print Restrictions: When updating drivers for an existing connection is set to Enabled: Show warning and elevation prompt" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint name: UpdatePromptSettings data: 0 type: dword when: - - win19cis_rule_18_6_3 + - win19cis_rule_18_7_11 tags: - level1-domaincontroller - level1-memberserver - - rule_18.6.3 + - rule_18.7.11 - patch - printers -- name: "18.7.1.1 | PATCH | Ensure Turn off notifications network usage is set to Enabled" +- name: "18.8.1.1 | PATCH | Ensure Turn off notifications network usage is set to Enabled" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications name: NoCloudApplicationNotification data: 1 
type: dword when: - - win19cis_rule_18_7_1_1 + - win19cis_rule_18_8_1_1 tags: - level2-domaincontroller - level2-memberserver - - rule_18.7.1.1 + - rule_18.8.1.1 - patch - notifications -- name: "18.8.3.1 | PATCH | Ensure Include command line in process creation events is set to Enabled." +- name: "18.9.3.1 | PATCH | Ensure Include command line in process creation events is set to Enabled." ansible.windows.win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\Audit name: ProcessCreationIncludeCmdLine_Enabled data: 1 type: dword when: - - win19cis_rule_18_8_3_1 + - win19cis_rule_18_9_3_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.8.3.1 + - rule_18.9.3.1 - patch -- name: "18.8.4.1 | PATCH | Ensure Encryption Oracle Remediation is set to Enabled Force Updated Clients" +- name: "18.9.4.1 | PATCH | Ensure Encryption Oracle Remediation is set to Enabled Force Updated Clients" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters name: AllowEncryptionOracle data: 0 type: dword when: - - win19cis_rule_18_8_4_1 + - win19cis_rule_18_9_4_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.8.4.1 + - rule_18.9.4.1 - patch - encryption_oracle -- name: "18.8.4.2 | PATCH | Ensure Remote host allows delegation of non-exportable credentials is set to Enabled" +- name: "18.9.4.2 | PATCH | Ensure Remote host allows delegation of non-exportable credentials is set to Enabled" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation name: AllowProtectedCreds data: 1 type: dword when: - - win19cis_rule_18_8_4_2 + - win19cis_rule_18_9_4_2 tags: - level1-domaincontroller - level1-memberserver - - rule_18.8.4.2 + - rule_18.9.4.2 - patch - credentialsdelecation -- name: "18.8.5.1 | PATCH | NG Ensure Turn On Virtualization Based Security is set to Enabled" +- name: "18.9.5.1 | PATCH | NG Ensure Turn On Virtualization Based 
Security is set to Enabled" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard name: EnableVirtualizationBasedSecurity data: 1 type: dword when: - - win19cis_rule_18_8_5_1 + - win19cis_rule_18_9_5_1 tags: - ngws-domaincontroller - ngws-memberserver - - rule_18.8.5.1 + - rule_18.9.5.1 - patch - vbs -- name: "18.8.5.2 | PATCH | NG Ensure Turn On Virtualization Based Security Select Platform Security Level is set to Secure Boot and DMA Protection" +- name: "18.9.5.2 | PATCH | NG Ensure Turn On Virtualization Based Security Select Platform Security Level is set to Secure Boot and DMA Protection" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard name: RequirePlatformSecurityFeatures data: 3 type: dword when: - - win19cis_rule_18_8_5_2 + - win19cis_rule_18_9_5_2 tags: - ngws-domaincontroller - ngws-memberserver - - rule_18.8.5.2 + - rule_18.9.5.2 - patch - vbs -- name: "18.8.5.3 | PATCH | NG Ensure Turn On Virtualization Based Security Virtualization Based Protection of Code Integrity is set to Enabled with UEFI lock" +- name: "18.9.5.3 | PATCH | NG Ensure Turn On Virtualization Based Security Virtualization Based Protection of Code Integrity is set to Enabled with UEFI lock" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard name: HypervisorEnforcedCodeIntegrity data: 1 type: dword when: - - win19cis_rule_18_8_5_3 + - win19cis_rule_18_9_5_3 tags: - ngws-domaincontroller - ngws-memberserver - - rule_18.8.5.3 + - rule_18.9.5.3 - patch - vbs -- name: "18.8.5.4 | PATCH | NG Ensure Turn On Virtualization Based Security Require UEFI Memory Attributes Table is set to True checked" +- name: "18.9.5.4 | PATCH | NG Ensure Turn On Virtualization Based Security Require UEFI Memory Attributes Table is set to True checked" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard name: HVCIMATRequired data: 1 type: dword when: - - 
win19cis_rule_18_8_5_4 + - win19cis_rule_18_9_5_4 tags: - ngws-domaincontroller - ngws-memberserver - - rule_18.8.5.4 + - rule_18.9.5.4 - patch - vbs -- name: "18.8.5.5 | PATCH | NG Ensure Turn On Virtualization Based Security Credential Guard Configuration is set to Enabled with UEFI lock MS Only" +- name: "18.9.5.5 | PATCH | NG Ensure Turn On Virtualization Based Security Credential Guard Configuration is set to Enabled with UEFI lock MS Only | Member Server" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard name: LsaCfgFlags data: 1 type: dword when: - - win19cis_rule_18_8_5_5 - - win2019cis_is_domain_member + - win19cis_rule_18_9_5_5 + - win2022cis_is_domain_member tags: - ngws-memberserver - - rule_18.8.5.5 + - rule_18.9.5.5 - patch - vbs -- name: "18.8.5.6 | PATCH | NG Ensure Turn On Virtualization Based Security Credential Guard Configuration is set to Disabled DC Only" +- name: "18.9.5.6 | PATCH | NG Ensure Turn On Virtualization Based Security Credential Guard Configuration is set to Disabled DC Only | Domain Controller" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard name: LsaCfgFlags data: 0 type: dword when: - - win19cis_rule_18_8_5_6 - - win2019cis_is_domain_controller + - win19cis_rule_18_9_5_6 + - win2022cis_is_domain_controller tags: - ngws-domaincontroller - - rule_18.8.5.6 + - rule_18.9.5.6 - patch - vbs -- name: "18.8.5.7 | PATCH | NG Ensure Turn On Virtualization Based Security Secure Launch Configuration is set to Enabled" +- name: "18.9.5.7 | PATCH | NG Ensure Turn On Virtualization Based Security Secure Launch Configuration is set to Enabled" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard name: ConfigureSystemGuardLaunch data: 1 type: dword when: - - win19cis_rule_18_8_5_7 + - win19cis_rule_18_9_5_7 tags: - ngws-domaincontroller - ngws-memberserver - - rule_18.8.5.7 + - rule_18.9.5.7 - patch - vbs 
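Review bot: The new 18.7.5 task reuses the 18.7.4 task name ("... Use authentication for outgoing RPC connections is set to Enabled: Default") although it writes `RpcProtocols`, a listener protocol setting rather than an authentication one, so its output is misattributed to 18.7.4 and a reader cannot tell what the control enforces; rename it to describe what it sets, e.g. `- name: "18.7.5 | PATCH | Ensure Configure RPC listener settings Protocols to allow for incoming RPC connections is set to Enabled RPC over TCP"` (confirm the wording against the benchmark). The new 18.7.2 through 18.7.7 tasks also inherit 18.7.1's `level1-domaincontroller`/`level2-memberserver` tag pair, which looks copied from the Print Spooler control rather than taken from each control's own profile level; worth checking per rule so member-server runs do not miss the Level 1 controls. The 18.7.4 and 18.7.5 tasks set `RpcAuthentication` and `RpcProtocols` without a variable-driven warning block like the one added for 18.7.6, which is fine if the benchmark values are fixed, but a one-line comment on each saying the value is the benchmark default would help the next maintainer.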
@@ -1075,1015 +1277,1166 @@ - patch - metadata -- name: "18.8.14.1 | PATCH | Ensure Boot-Start Driver Initialization Policy is set to Enabled Good unknown and bad but critical" +- name: "18.9.13.1 | PATCH | Ensure Boot-Start Driver Initialization Policy is set to Enabled Good unknown and bad but critical" ansible.windows.win_regedit: path: HKLM:\System\Currentcontrolset\Policies\Earlylaunch name: DriverLoadPolicy data: 3 type: dword when: - - win19cis_rule_18_8_14_1 + - win19cis_rule_18_9_13_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.8.14.1 + - rule_18.9.13.1 - patch - drivers -- name: "18.8.21.2 | PATCH | Ensure Configure registry policy processing Do not apply during periodic background processing is set to Enabled FALSE" +- name: "18.9.19.2 | PATCH | Ensure Configure registry policy processing Do not apply during periodic background processing is set to Enabled FALSE" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378Eac-683F-11D2-A89A-00C04Fbbcfa2} name: NoBackgroundPolicy data: 0 type: dword when: - - win19cis_rule_18_8_21_2 + - win19cis_rule_18_9_19_2 tags: - level1-domaincontroller - level1-memberserver - - rule_18.8.21.2 + - rule_18.9.19.2 - patch - gpo -- name: "18.8.21.3 | PATCH | Ensure Configure registry policy processing Process even if the Group Policy objects have not changed is set to Enabled TRUE" +- name: "18.9.19.3 | PATCH | Ensure Configure registry policy processing Process even if the Group Policy objects have not changed is set to Enabled TRUE" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378Eac-683F-11D2-A89A-00C04Fbbcfa2} name: NoGPOListChanges data: 0 type: dword when: - - win19cis_rule_18_8_21_3 + - win19cis_rule_18_9_19_3 tags: - level1-domaincontroller - level1-memberserver - - rule_18.8.21.3 + - rule_18.9.19.3 - patch - gpo -- name: "18.8.21.4 | PATCH | Ensure Continue experiences on this device is set to Disabled" +- 
name: "18.9.19.4 | PATCH | Ensure Continue experiences on this device is set to Disabled" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System name: EnableCdp data: 0 type: dword when: - - win19cis_rule_18_8_21_4 + - win19cis_rule_18_9_19_4 tags: - level1-domaincontroller - level1-memberserver - - rule_18.8.21.4 + - rule_18.9.19.4 - patch -- name: "18.8.21.5 | PATCH | Ensure Turn off background refresh of Group Policy is set to Disabled" +- name: "18.9.19.5 | PATCH | Ensure Turn off background refresh of Group Policy is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\DisableBkGndGroupPolicy name: DisableBkGndGroupPolicy data: 1 type: dword when: - - win19cis_rule_18_8_21_5 + - win19cis_rule_18_9_19_5 tags: - level1-domaincontroller - level1-memberserver - - rule_18.8.21.5 + - rule_18.9.19.5 - patch - gpo -- name: "18.8.22.1.1 | PATCH | Ensure Turn off downloading of print drivers over HTTP is set to Enabled" +- name: "18.9.20.1.1 | PATCH | Ensure Turn off downloading of print drivers over HTTP is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Printers name: DisableWebPnPDownload data: 1 type: dword when: - - win19cis_rule_18_8_22_1_1 + - win19cis_rule_18_9_20_1_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.8.22.1.1 + - rule_18.9.20.1.1 - patch - drivers - printers -- name: "18.8.22.1.2 | PATCH | Ensure Turn off handwriting personalization data sharing is set to Enabled" +- name: "18.9.20.1.2 | PATCH | Ensure Turn off handwriting personalization data sharing is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Tabletpc name: PreventHandwritingDataSharing data: 1 type: dword when: - - win19cis_rule_18_8_22_1_2 + - win19cis_rule_18_9_20_1_2 tags: - level2-domaincontroller - level2-memberserver - - rule_18.8.22.1.2 + - rule_18.9.20.1.2 - patch - handwriting -- 
name: "18.8.22.1.3 | PATCH | Ensure Turn off handwriting recognition error reporting is set to Enabled" +- name: "18.9.20.1.3 | PATCH | Ensure Turn off handwriting recognition error reporting is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Handwritingerrorreports name: PreventHandwritingErrorReports data: 1 type: dword when: - - win19cis_rule_18_8_22_1_3 + - win19cis_rule_18_9_20_1_3 tags: - level2-domaincontroller - level2-memberserver - - rule_18.8.22.1.3 + - rule_18.9.20.1.3 - patch - handwriting -- name: "18.8.22.1.4 | PATCH | Ensure Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com is set to Enabled" +- name: "18.9.20.1.4 | PATCH | Ensure Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Internet Connection Wizard name: ExitOnMSICW data: 1 type: dword when: - - win19cis_rule_18_8_22_1_4 + - win19cis_rule_18_9_20_1_4 tags: - level2-domaincontroller - level2-memberserver - - rule_18.8.22.1.4 + - rule_18.9.20.1.4 - patch - wizard - internetconnectionwizard -- name: "18.8.22.1.5 | PATCH | Ensure Turn off Internet download for Web publishing and online ordering wizards is set to Enabled" +- name: "18.9.20.1.5 | PATCH | Ensure Turn off Internet download for Web publishing and online ordering wizards is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer name: NoWebServices data: 1 type: dword when: - - win19cis_rule_18_8_22_1_5 + - win19cis_rule_18_9_20_1_5 tags: - level1-domaincontroller - level1-memberserver - - rule_18.8.22.1.5 + - rule_18.9.20.1.5 - patch - wizard - internetdownloadwizard -- name: "18.8.22.1.6 | PATCH | Ensure Turn off printing over HTTP is set to Enabled" +- name: "18.9.20.1.6 | PATCH | Ensure Turn off printing over HTTP is set to Enabled" ansible.windows.win_regedit: 
path: HKLM:\Software\Policies\Microsoft\Windows Nt\Printers name: DisableHTTPPrinting data: 1 type: dword when: - - win19cis_rule_18_8_22_1_6 + - win19cis_rule_18_9_20_1_6 tags: - level2-domaincontroller - level2-memberserver - - rule_18.8.22.1.6 + - rule_18.9.20.1.6 - patch - printers -- name: "18.8.22.1.7 | PATCH | Ensure Turn off Registration if URL connection is referring to Microsoft.com is set to Enabled" +- name: "18.9.20.1.7 | PATCH | Ensure Turn off Registration if URL connection is referring to Microsoft.com is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Registration Wizard Control name: NoRegistration data: 1 type: dword when: - - win19cis_rule_18_8_22_1_7 + - win19cis_rule_18_9_20_1_7 tags: - level2-domaincontroller - level2-memberserver - - rule_18.8.22.1.7 + - rule_18.9.20.1.7 - patch - wizard - registration -- name: "18.8.22.1.8 | PATCH | Ensure Turn off Search Companion content file updates is set to Enabled" +- name: "18.9.20.1.8 | PATCH | Ensure Turn off Search Companion content file updates is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Searchcompanion name: DisableContentFileUpdates data: 1 type: dword when: - - win19cis_rule_18_8_22_1_8 + - win19cis_rule_18_9_20_1_8 tags: - level2-domaincontroller - level2-memberserver - - rule_18.8.22.1.8 + - rule_18.9.20.1.8 - patch - search -- name: "18.8.22.1.9 | PATCH | Ensure Turn off the Order Prints picture task is set to Enabled" +- name: "18.9.20.1.9 | PATCH | Ensure Turn off the Order Prints picture task is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer name: NoOnlinePrintsWizard data: 1 type: dword when: - - win19cis_rule_18_8_22_1_9 + - win19cis_rule_18_9_20_1_9 tags: - level2-domaincontroller - level2-memberserver - - rule_18.8.22.1.9 + - rule_18.9.20.1.9 - patch - printers -- name: "18.8.22.1.10 | PATCH | Ensure Turn off the Publish to Web 
task for files and folders is set to Enabled" +- name: "18.9.20.1.10 | PATCH | Ensure Turn off the Publish to Web task for files and folders is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer name: NoPublishingWizard data: 1 type: dword when: - - win19cis_rule_18_8_22_1_10 + - win19cis_rule_18_9_20_1_10 tags: - level2-domaincontroller - level2-memberserver - - rule_18.8.22.1.10 + - rule_18.8.20.1.10 - patch - wizard -- name: "18.8.22.1.11 | PATCH | Ensure Turn off the Windows Messenger Customer Experience Improvement Program is set to Enabled" +- name: "18.9.20.1.11 | PATCH | Ensure Turn off the Windows Messenger Customer Experience Improvement Program is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Messenger\Client name: CEIP data: 2 type: dword when: - - win19cis_rule_18_8_22_1_11 + - win19cis_rule_18_9_20_1_11 tags: - level2-domaincontroller - level2-memberserver - - rule_18.8.22.1.11 + - rule_18.9.20.1.11 - patch - wmcei -- name: "18.8.22.1.12 | PATCH | Ensure Turn off Windows Customer Experience Improvement Program is set to Enabled" +- name: "18.9.20.1.12 | PATCH | Ensure Turn off Windows Customer Experience Improvement Program is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Sqmclient\Windows name: CEIPEnable data: 0 type: dword when: - - win19cis_rule_18_8_22_1_12 + - win19cis_rule_18_9_20_1_12 tags: - level2-domaincontroller - level2-memberserver - - rule_18.8.22.1.12 + - rule_18.9.20.1.12 - patch - wmcei -- name: "18.8.22.1.13 | PATCH | Ensure Turn off Windows Error Reporting is set to Enabled" +- name: "18.9.20.1.13 | PATCH | Ensure Turn off Windows Error Reporting is set to Enabled" block: - - name: "18.8.22.1.13 | PATCH | Ensure Turn off Windows Error Reporting is set to Enabled | Windows Error Reporting" + - name: "18.9.20.1.13 | PATCH | Ensure Turn off Windows Error Reporting is set to Enabled | Windows 
Error Reporting" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Windows Error Reporting name: Disabled data: 1 type: dword - - name: "18.8.22.1.13 | PATCH | Ensure Turn off Windows Error Reporting is set to Enabled | ErrorReporting" + - name: "18.9.20.1.13 | PATCH | Ensure Turn off Windows Error Reporting is set to Enabled | ErrorReporting" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting name: DoReport data: 0 type: dword when: - - win19cis_rule_18_8_22_1_13 + - win19cis_rule_18_9_20_1_13 tags: - level2-domaincontroller - level2-memberserver - - rule_18.8.22.1.13 + - rule_18.9.20.1.13 - patch - errorreporting -- name: "18.8.25.1 | PATCH | Ensure Support device authentication using certificate is set to Enabled Automatic" +- name: "18.9.23.1 | PATCH | Ensure Support device authentication using certificate is set to Enabled Automatic" block: - - name: "18.8.25.1 | PATCH | Ensure Support device authentication using certificate is set to Enabled Automatic | DevicePKInitBehavior" + - name: "18.9.23.1 | PATCH | Ensure Support device authentication using certificate is set to Enabled Automatic | DevicePKInitBehavior" ansible.windows.win_regedit: path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters name: DevicePKInitBehavior data: 0 type: dword - - name: "18.8.25.1 | PATCH | Ensure Support device authentication using certificate is set to Enabled Automatic | DevicePKInitEnabled" + - name: "18.9.23.1 | PATCH | Ensure Support device authentication using certificate is set to Enabled Automatic | DevicePKInitEnabled" ansible.windows.win_regedit: path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters name: DevicePKInitEnabled data: 1 type: dword when: - - win19cis_rule_18_8_25_1 + - win19cis_rule_18_9_23_1 tags: - level2-domaincontroller - level2-memberserver - - rule_18.8.25.1 + - rule_18.9.23.1 - patch - certifcates -- name: 
"18.8.26.1 | PATCH | Ensure Enumeration policy for external devices incompatible with Kernel DMA Protection is set to Enabled Block All" +- name: "18.9.24.1 | PATCH | Ensure Enumeration policy for external devices incompatible with Kernel DMA Protection is set to Enabled Block All" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Kernel DMA Protection name: DeviceEnumerationPolicy data: 0 type: dword when: - - win19cis_rule_18_8_26_1 + - win19cis_rule_18_9_24_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.8.26.1 + - rule_18.9.24.1 - patch - dma -- name: "18.8.27.1 | PATCH | Ensure Disallow copying of user input methods to the system account for sign-in is set to Enabled" +- name: "18.9.25.1 | PATCH | Ensure Allow Custom SSPs and APs to be loaded into LSASS' is set to 'Disabled" + ansible.windows.win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System + name: AllowCustomSSPsAPs + data: 0 + type: dword + when: + - win19cis_rule_18_9_25_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.25.1 + - patch + - lsass + +- name: "18.9.25.2 | PATCH | Ensure Configures LSASS to run as a protected process is set to Enabled: Enabled with UEFI Lock" + ansible.windows.win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa + name: RunAsPPL + data: 1 + type: dword + when: + - win19cis_rule_18_9_25_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.25.2 + - patch + - lsa + +- name: "18.9.26.1 | PATCH | Ensure Disallow copying of user input methods to the system account for sign-in is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Control Panel\International name: BlockUserInputMethodsForSignIn data: 1 type: dword when: - - win19cis_rule_18_8_27_1 + - win19cis_rule_18_9_26_1 tags: - level2-domaincontroller - level2-memberserver - - rule_18.8.27.1 + - rule_18.9.26.1 - patch -- name: "18.8.28.1 | PATCH | Ensure Block user from 
showing account details on sign-in is set to Enabled" +- name: "18.9.17.1 | PATCH | Ensure Block user from showing account details on sign-in is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\System name: BlockUserFromShowingAccountDetailsOnSignin data: 1 type: dword when: - - win19cis_rule_18_8_28_1 + - win19cis_rule_18_9_27_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.8.28.1 + - rule_18.9.27.1 - patch - accounts -- name: "18.8.28.2 | PATCH | Ensure Do not display network selection UI is set to Enabled" +- name: "18.9.27.2 | PATCH | Ensure Do not display network selection UI is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\System name: DontDisplayNetworkSelectionUI data: 1 type: dword when: - - win19cis_rule_18_8_28_2 + - win19cis_rule_18_9_27_2 tags: - level1-domaincontroller - level1-memberserver - - rule_18.8.28.2 + - rule_18.9.27.2 - patch -- name: "18.8.28.3 | PATCH | Ensure Do not enumerate connected users on domain-joined computers is set to Enabled" +- name: "18.9.27.3 | PATCH | Ensure Do not enumerate connected users on domain-joined computers is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\System name: DontEnumerateConnectedUsers data: 1 type: dword when: - - win19cis_rule_18_8_28_3 + - win19cis_rule_18_9_27_3 tags: - level1-domaincontroller - level1-memberserver - - rule_18.8.28.3 + - rule_18.9.27.3 - patch - enumerate -- name: "18.8.28.4 | PATCH | Ensure Enumerate local users on domain-joined computers is set to Disabled MS only" +- name: "18.9.27.4 | PATCH | Ensure Enumerate local users on domain-joined computers is set to Disabled MS only | Member Server" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\System name: EnumerateLocalUsers data: 0 type: dword when: - - win19cis_rule_18_8_28_4 - - win2019cis_is_domain_member + - win19cis_rule_18_9_27_4 + - 
win2022cis_is_domain_member tags: - level1-memberserver - - rule_18.8.28.4 + - rule_18.9.27.4 - patch - enumerate -- name: "18.8.28.5 | PATCH | Ensure Turn off app notifications on the lock screen is set to Enabled" +- name: "18.9.27.5 | PATCH | Ensure Turn off app notifications on the lock screen is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\System name: DisableLockScreenAppNotifications data: 1 type: dword when: - - win19cis_rule_18_8_28_5 + - win19cis_rule_18_9_27_5 tags: - level1-domaincontroller - level1-memberserver - - rule_18.8.28.5 + - rule_18.9.27.5 - patch - notifications -- name: "18.8.28.6 | PATCH | Ensure Turn off picture password sign-in is set to Enabled" +- name: "18.9.27.6 | PATCH | Ensure Turn off picture password sign-in is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\System name: BlockDomainPicturePassword data: 1 type: dword when: - - win19cis_rule_18_8_28_6 + - win19cis_rule_18_9_27_6 tags: - level1-domaincontroller - level1-memberserver - - rule_18.8.28.6 + - rule_18.9.27.6 - patch - logon -- name: "18.8.28.7 | PATCH | Ensure Turn on convenience PIN sign-in is set to Disabled" +- name: "18.9.27.7 | PATCH | Ensure Turn on convenience PIN sign-in is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\System name: AllowDomainPINLogon data: 0 type: dword when: - - win19cis_rule_18_8_28_7 + - win19cis_rule_18_9_27_7 tags: - level1-domaincontroller - level1-memberserver - - rule_18.8.28.7 + - rule_18.9.27.7 - patch - pin -- name: "18.8.31.1 | PATCH | Ensure Allow Clipboard synchronization across devices is set to Disabled" +- name: "18.9.30.1 | PATCH | Ensure Allow Clipboard synchronization across devices is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\System name: AllowCrossDeviceClipboard data: 0 type: dword when: - - win19cis_rule_18_8_31_1 + - 
win19cis_rule_18_9_30_1 tags: - level2-domaincontroller - level2-memberserver - - rule_18.8.31.1 + - rule_18.9.30.1 - patch - clipboard -- name: "18.8.31.2 | PATCH | Ensure Allow upload of User Activities is set to Disabled" +- name: "18.9.30.2 | PATCH | Ensure Allow upload of User Activities is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\System name: UploadUserActivities data: 0 type: dword when: - - win19cis_rule_18_8_31_2 + - win19cis_rule_18_9_30_2 tags: - level2-domaincontroller - level2-memberserver - - rule_18.8.31.2 + - rule_18.9.30.2 - patch -- name: "18.8.34.6.1 | PATCH | Ensure Allow network connectivity during connected-standby on battery is set to Disabled" +- name: "18.9.32.6.1 | PATCH | Ensure Allow network connectivity during connected-standby on battery is set to Disabled" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 name: DCSettingIndex data: 0 type: dword when: - - win19cis_rule_18_8_34_6_1 + - win19cis_rule_18_9_32_6_1 tags: - level2-domaincontroller - level2-memberserver - - rule_18.8.34.6.1 + - rule_18.9.32.6.1 - patch - power -- name: "18.8.34.6.2 | PATCH | Ensure Allow network connectivity during connected-standby plugged in is set to Disabled" +- name: "18.9.32.6.2 | PATCH | Ensure Allow network connectivity during connected-standby plugged in is set to Disabled" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 name: ACSettingIndex data: 0 type: dword when: - - win19cis_rule_18_8_34_6_2 + - win19cis_rule_18_3_32_6_2 tags: - level2-domaincontroller - level2-memberserver - - rule_18.8.34.6.2 + - rule_18.9.32.6.2 - patch - power -- name: "18.8.34.6.3 | PATCH | Ensure Require a password when a computer wakes on battery is set to Enabled" +- name: "18.9.32.6.3 | PATCH | Ensure Require a password when a computer wakes on battery is set to 
Enabled" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 name: DCSettingIndex data: 1 type: dword when: - - win19cis_rule_18_8_34_6_3 + - win19cis_rule_18_9_32_6_3 tags: - level1-domaincontroller - level1-memberserver - - rule_18.8.34.6.3 + - rule_18.9.32.6.3 - patch - power - logon -- name: "18.8.34.6.4 | PATCH | Ensure Require a password when a computer wakes plugged in is set to Enabled" +- name: "18.9.32.6.4 | PATCH | Ensure Require a password when a computer wakes plugged in is set to Enabled" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 name: ACSettingIndex data: 1 type: dword when: - - win19cis_rule_18_8_34_6_4 + - win19cis_rule_18_9_32_6_4 tags: - level1-domaincontroller - level1-memberserver - - rule_18.8.34.6.4 + - rule_18.9.32.6.4 - patch - logon -- name: "18.8.36.1 | PATCH | Ensure Configure Offer Remote Assistance is set to Disabled" +- name: "18.9.34.1 | PATCH | Ensure Configure Offer Remote Assistance is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: fAllowUnsolicited data: 0 type: dword when: - - win19cis_rule_18_8_36_1 + - win19cis_rule_18_9_34_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.8.36.1 + - rule_18.9.34.1 - patch - cora -- name: "18.8.36.2 | PATCH | Ensure Configure Solicited Remote Assistance is set to Disabled" +- name: "18.9.34.2 | PATCH | Ensure Configure Solicited Remote Assistance is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: fAllowToGetHelp data: 0 type: dword when: - - win19cis_rule_18_8_36_2 + - win19cis_rule_18_9_34_2 tags: - level1-domaincontroller - level1-memberserver - - rule_18.8.36.2 + - rule_18.9.34.2 - patch - csra -- name: "18.8.37.1 | PATCH | Ensure Enable RPC Endpoint Mapper Client 
Authentication is set to Enabled MS only" +- name: "18.9.35.1 | PATCH | Ensure Enable RPC Endpoint Mapper Client Authentication is set to Enabled MS only | Member Server" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Rpc name: EnableAuthEpResolution data: 1 type: dword when: - - win19cis_rule_18_8_37_1 - - win2019cis_is_domain_member + - win19cis_rule_18_9_35_1 + - win2022cis_is_domain_member tags: - level1-memberserver - - rule_18.8.37.1 + - rule_18.9.35.1 - patch - rpc -- name: "18.8.37.2 | PATCH | Ensure Restrict Unauthenticated RPC clients is set to Enabled Authenticated MS only" +- name: "18.9.35.2 | PATCH | Ensure Restrict Unauthenticated RPC clients is set to Enabled Authenticated MS only | Member Server" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Rpc name: RestrictRemoteClients data: 1 type: dword when: - - win19cis_rule_18_8_37_2 - - win2019cis_is_domain_member + - win19cis_rule_18_9_35_2 + - win2022cis_is_domain_member tags: - level2-memberserver - - rule_18.8.37.2 + - rule_18.9.35.2 - patch - rpc -- name: "18.8.40.1 | PATCH | Ensure Configure validation of ROCA-vulnerable WHfB keys during authentication is set to Enabled: Audit or higher" +- name: "18.9.38.1 | PATCH | Ensure Configure validation of ROCA-vulnerable WHfB keys during authentication is set to Enabled: Audit or higher" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\SAM name: SamNGCKeyROCAValidation data: 1 type: dword when: - - win19cis_rule_18_8_40_1 + - win19cis_rule_18_9_38_1 - ansible_windows_domain_role == "Primary domain controller" tags: - level1-domaincontroller - - rule_18.8.40.1 + - rule_18.9.38.1 - patch - sam -- name: "18.8.48.5.1 | PATCH | Ensure Microsoft Support Diagnostic Tool Turn on MSDT interactive communication with support provider is set to Disabled" +- name: "18.9.46.5.1 | PATCH | Ensure Microsoft Support Diagnostic Tool Turn on MSDT interactive 
communication with support provider is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Scripteddiagnosticsprovider\Policy name: DisableQueryRemoteServer data: 0 type: dword when: - - win19cis_rule_18_8_48_5_1 + - win19cis_rule_18_9_46_5_1 tags: - level2-domaincontroller - level2-memberserver - - rule_18.8.48.5.1 + - rule_18.9.46.5.1 - patch - msdt -- name: "18.8.48.11.1 | PATCH | Ensure EnableDisable PerfTrack is set to Disabled" +- name: "18.9.46.11.1 | PATCH | Ensure EnableDisable PerfTrack is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Wdi\{9C5A40Da-B965-4Fc3-8781-88Dd50A6299D} name: ScenarioExecutionEnabled data: 0 type: dword when: - - win19cis_rule_18_8_48_11_1 + - win19cis_rule_18_9_46_11_1 tags: - level2-domaincontroller - level2-memberserver - - rule_18.8.48.11.1 + - rule_18.9.46.11.1 - patch - pertrack -- name: "18.8.50.1 | PATCH | Ensure Turn off the advertising ID is set to Enabled" +- name: "18.9.48.1 | PATCH | Ensure Turn off the advertising ID is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Advertisinginfo name: DisabledByGroupPolicy data: 1 type: dword when: - - win19cis_rule_18_8_50_1 + - win19cis_rule_18_9_48_1 tags: - level2-domaincontroller - level2-memberserver - - rule_18.8.50.1 + - rule_18.9.48.1 - patch - advertising -- name: "18.8.53.1.1 | PATCH | Ensure Enable Windows NTP Client is set to Enabled" +- name: "18.9.50.1.1 | PATCH | Ensure Enable Windows NTP Client is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\W32Time\Timeproviders\Ntpclient name: Enabled data: 1 type: dword when: - - win19cis_rule_18_8_53_1_1 + - win19cis_rule_18_9_50_1_1 tags: - level2-domaincontroller - level2-memberserver - - rule_18.8.53.1.1 + - rule_18.9.50.1.1 - patch - ntp -- name: "18.8.53.1.2 | PATCH | Ensure Enable Windows NTP Server is set to Disabled MS only" +- name: "18.9.50.1.2 
| PATCH | Ensure Enable Windows NTP Server is set to Disabled MS only | Member Server" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\W32Time\Timeproviders\Ntpserver name: Enabled data: 1 type: dword when: - - win19cis_rule_18_8_53_1_2 - - win2019cis_is_domain_member + - win19cis_rule_18_9_50_1_2 + - win2022cis_is_domain_member tags: - level2-memberserver - - rule_18.8.53.1.2 + - rule_18.9.50.1.2 - patch - ntp -- name: "18.9.4.1 | PATCH | Ensure Allow a Windows app to share application data between users is set to Disabled" +- name: "18.10.3.1 | PATCH | Ensure Allow a Windows app to share application data between users is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Currentversion\Appmodel\Statemanager name: AllowSharedLocalAppData data: 0 type: dword when: - - win19cis_rule_18_9_4_1 + - win19cis_rule_18_10_3_1 tags: - level2-domaincontroller - level2-memberserver - - rule_18.9.4.1 + - rule_18.10.3.1 - patch - data -- name: "18.9.6.1 | PATCH | Ensure Allow Microsoft accounts to be optional is set to Enabled" +- name: "18.10.5.1 | PATCH | Ensure Allow Microsoft accounts to be optional is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: MSAOptional data: 1 type: dword when: - - win19cis_rule_18_9_6_1 + - win19cis_rule_18_10_5_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.6.1 + - rule_18.10.5.1 - patch - accounts -- name: "18.9.8.1 | PATCH | Ensure Disallow Autoplay for non-volume devices is set to Enabled" +- name: "18.10.7.1 | PATCH | Ensure Disallow Autoplay for non-volume devices is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Explorer name: NoAutoplayfornonVolume data: 1 type: dword when: - - win19cis_rule_18_9_8_1 + - win19cis_rule_18_10_7_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.8.1 + - rule_18.10.7.1 - patch - autoplay 
-- name: "18.9.8.2 | PATCH | Ensure Set the default behavior for AutoRun is set to Enabled Do not execute any autorun commands" +- name: "18.10.7.2 | PATCH | Ensure Set the default behavior for AutoRun is set to Enabled Do not execute any autorun commands" ansible.windows.win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer name: NoAutorun data: 1 type: dword when: - - win19cis_rule_18_9_8_2 + - win19cis_rule_18_10_7_2 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.8.2 + - rule_18.10.7.2 - patch - autorun -- name: "18.9.8.3 | PATCH | Ensure Turn off Autoplay is set to Enabled All drives" +- name: "18.10.7.3 | PATCH | Ensure Turn off Autoplay is set to Enabled All drives" ansible.windows.win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer name: NoDriveTypeAutoRun data: 255 type: dword when: - - win19cis_rule_18_9_8_3 + - win19cis_rule_18_10_7_3 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.8.3 + - rule_18.10.7.3 - patch - autoplay -- name: "18.9.10.1.1 | PATCH | Ensure Configure enhanced anti-spoofing is set to Enabled" +- name: "18.10.8.1.1 | PATCH | Ensure Configure enhanced anti-spoofing is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Biometrics\Facialfeatures name: EnhancedAntiSpoofing data: 1 type: dword when: - - win19cis_rule_18_9_10_1_1 + - win19cis_rule_18_10_8_1_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.10.1.1 + - rule_18.10.8.1.1 - patch - antispoofing -- name: "18.9.12.1 | PATCH | Ensure Allow Use of Camera is set to Disabled" +- name: "18.10.10.1 | PATCH | Ensure Allow Use of Camera is set to Disabled" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Camera name: AllowCamera data: 0 type: dword when: - - win19cis_rule_18_9_12_1 + - win19cis_rule_18_10_10_1 tags: - level2-domaincontroller - level2-memberserver - - rule_18.9.12.1 + - rule_18.10.10.1 - patch - 
camera -- name: "18.9.14.1 | PATCH | Ensure Turn off cloud consumer account state content is set to Enabled" +- name: "18.10.12.1 | PATCH | Ensure Turn off cloud consumer account state content is set to Enabled" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent name: DisableConsumerAccountStateContent data: 1 type: dword when: - - win19cis_rule_18_9_14_1 + - win19cis_rule_18_10_12_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.14.1 + - rule_18.10.12.1 - patch - cloud -- name: "18.9.14.2 | PATCH | Ensure Turn off Microsoft consumer experiences is set to Enabled" +- name: "18.10.12.2 | PATCH | Ensure Turn off cloud optimized content is set to Enabled" ansible.windows.win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Cloudcontent - name: DisableWindowsConsumerFeatures + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent + name: DisableCloudOptimizedContent data: 1 type: dword when: - - win19cis_rule_18_9_14_2 + - win19cis_rule_18_10_12_2 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.14.2 + - rule_18.10.12.2 - patch - cloud -- name: "18.9.15.1 | PATCH | Ensure Require pin for pairing is set to Enabled First Time OR Enabled Always" +- name: "18.10.12.3 | PATCH | Ensure Turn off Microsoft consumer experiences is set to Enabled" ansible.windows.win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Connect - name: RequirePinForPairing + path: HKLM:\Software\Policies\Microsoft\Windows\Cloudcontent + name: DisableWindowsConsumerFeatures data: 1 type: dword when: - - win19cis_rule_18_9_15_1 + - win19cis_rule_18_10_12_3 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.15.1 + - rule_18.10.12.3 + - patch + - cloud + +- name: "18.10.13.1 | PATCH | Ensure Require pin for pairing is set to Enabled First Time OR Enabled Always" + block: + - name: "18.10.13.1 | AUDIT | Ensure Require pin for pairing is set to Enabled First Time OR Enabled Always | 
Warning Check For Variable Standards." + ansible.builtin.debug: + msg: + - "Warning!! You have an invalid setting for win19cis_require_pin_for_pairing. Please read" + - "the notes for the variable and make the necessary change to the variable to be in compliance." + when: + - win19cis_require_pin_for_pairing != 1 + - win19cis_require_pin_for_pairing != 2 + + - name: "18.10.13.1 | AUDIT | Ensure Require pin for pairing is set to Enabled First Time OR Enabled Always | Warn Count." + ansible.builtin.import_tasks: + file: warning_facts.yml + vars: + warn_control_id: '18.10.13.1' + when: + - win19cis_require_pin_for_pairing != 1 + - win19cis_require_pin_for_pairing != 2 + + - name: "18.10.13.1 | PATCH | Ensure Require pin for pairing is set to Enabled First Time OR Enabled Always | Set Variable." + ansible.windows.win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Connect + name: RequirePinForPairing + data: "{{ win19cis_require_pin_for_pairing }}" + type: dword + when: + - win19cis_require_pin_for_pairing == 1 or win19cis_require_pin_for_pairing == 2 + when: + - win19cis_rule_18_10_13_1 + tags: + - level1-corporate-enterprise-environment + - rule_18.10.13.1 + - automated - patch - pin -- name: "18.9.16.1 | PATCH | Ensure Do not display the password reveal button is set to Enabled" +- name: "18.10.14.1 | PATCH | Ensure Do not display the password reveal button is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Credui name: DisablePasswordReveal data: 1 type: dword when: - - win19cis_rule_18_9_16_1 + - win19cis_rule_18_10_14_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.16.1 + - rule_18.10.14.1 - patch - gui -- name: "18.9.16.2 | PATCH | Ensure Enumerate administrator accounts on elevation is set to Disabled" +- name: "18.10.14.2 | PATCH | Ensure Enumerate administrator accounts on elevation is set to Disabled" ansible.windows.win_regedit: path: 
HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Credui name: EnumerateAdministrators data: 0 type: dword when: - - win19cis_rule_18_9_16_2 + - win19cis_rule_18_10_14_2 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.16.2 + - rule_18.10.14.2 - patch - accounts -- name: "18.9.17.1 | PATCH | Ensure Allow Diagnostic Data is set to Enabled: Diagnostic data off (not recommended) or Enabled: Send required diagnostic data" - ansible.windows.win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection - name: AllowTelemetry - data: 1 - type: dword +- name: "18.10.15.1 | PATCH | Ensure Allow Diagnostic Data is set to Enabled: Diagnostic data off (not recommended) or Enabled: Send required diagnostic data" + block: + - name: "18.10.15.1 | AUDIT | Ensure Allow Diagnostic Data is set to Enabled: Diagnostic data off (not recommended) or Enabled: Send required diagnostic data | Warning Check For Variable Standards." + ansible.builtin.debug: + msg: + - "Warning!! You have an invalid setting for win19cis_allow_telemetry. Please read" + - "the notes for the variable and make the necessary change to the variable to be in compliance." + when: + - win19cis_allow_telemetry != 0 + - win19cis_allow_telemetry != 1 + + - name: "18.10.15.1 | AUDIT | Ensure Allow Diagnostic Data is set to Enabled: Diagnostic data off (not recommended) or Enabled: Send required diagnostic data | Warn Count." + ansible.builtin.import_tasks: + file: warning_facts.yml + vars: + warn_control_id: '18.10.15.1' + when: + - win19cis_allow_telemetry != 0 + - win19cis_allow_telemetry != 1 + + - name: "18.10.15.1 | AUDIT | Ensure Allow Diagnostic Data is set to Enabled: Diagnostic data off (not recommended) or Enabled: Send required diagnostic data | Set Variable." 
+ ansible.windows.win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection + name: AllowTelemetry + data: "{{ win19cis_allow_telemetry }}" + type: dword + when: + - win19cis_allow_telemetry == 0 or win19cis_allow_telemetry == 1 when: - - win19cis_rule_18_9_17_1 + - win19cis_rule_18_10_15_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.17.1 + - level1-corporate-enterprise-environment + - rule_18.10.15.1 + - automated - patch - - diagnostrics + - diagnostics -- name: "18.9.17.2 | PATCH | Ensure Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service is set to Enabled Disable Authenticated Proxy usage" +- name: "18.10.15.2 | PATCH | Ensure Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service is set to Enabled Disable Authenticated Proxy usage" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\DataCollection name: DisableEnterpriseAuthProxy data: 1 type: dword when: - - win19cis_rule_18_9_17_2 + - win19cis_rule_18_10_15_2 tags: - level2-domaincontroller - level2-memberserver - - rule_18.9.17.2 + - rule_18.10.15.2 - patch - datacollection -- name: "18.9.17.3 | PATCH | Ensure Disable OneSettings Downloads is set to Enabled" +- name: "18.10.15.3 | PATCH | Ensure Disable OneSettings Downloads is set to Enabled" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection name: DisableOneSettingsDownloads data: 1 type: dword when: - - win19cis_rule_18_9_17_3 + - win19cis_rule_18_10_15_3 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.17.3 + - rule_18.10.15.3 - patch - onesettings -- name: "18.9.17.4 | PATCH | Ensure Do not show feedback notifications is set to Enabled" +- name: "18.10.15.4 | PATCH | Ensure Do not show feedback notifications is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection name: 
DoNotShowFeedbackNotifications data: 1 type: dword when: - - win19cis_rule_18_9_17_4 + - win19cis_rule_18_10_15_4 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.17.4 + - rule_18.10.15.4 - patch - datacollection -- name: "18.9.17.5 | PATCH | Ensure Enable OneSettings Auditing' is set to Enabled" +- name: "18.10.15.5 | PATCH | Ensure Enable OneSettings Auditing' is set to Enabled" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection name: EnableOneSettingsAuditing data: 1 type: dword when: - - win19cis_rule_18_9_17_5 + - win19cis_rule_18_10_15_5 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.17.5 + - rule_18.10.15.5 - patch - datacollection -- name: "18.9.17.6 | PATCH | Ensure Limit Diagnostic Log Collection is set to Enabled" +- name: "18.10.15.6 | PATCH | Ensure Limit Diagnostic Log Collection is set to Enabled" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection name: LimitDiagnosticLogCollection data: 1 type: dword when: - - win19cis_rule_18_9_17_6 + - win19cis_rule_18_10_15_6 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.17.6 + - rule_18.10.15.6 - patch - datacollection -- name: "18.9.17.7 | PATCH | Ensure Limit Dump Collection is set to Enabled" +- name: "18.10.15.7 | PATCH | Ensure Limit Dump Collection is set to Enabled" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection name: LimitDumpCollection data: 1 type: dword when: - - win19cis_rule_18_9_17_7 + - win19cis_rule_18_10_15_7 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.17.7 + - rule_18.10.15.7 - patch - datacollection -- name: "18.9.17.8 | PATCH | Ensure Toggle user control over Insider builds is set to Disabled" +- name: "18.10.15.8 | PATCH | Ensure Toggle user control over Insider builds is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Previewbuilds 
name: AllowBuildPreview data: 0 type: dword when: - - win19cis_rule_18_9_17_8 + - win19cis_rule_18_10_15_8 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.10.15.8 + - patch + - previewbuilds + +- name: "18.10.17.1 | PATCH | Ensure Enable App Installer is set to Disabled" + ansible.windows.win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\AppInstaller + name: EnableAppInstaller + data: 0 + type: dword + when: + - win19cis_rule_18_10_17_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.17.8 + - rule_18.10.17.1 - patch + - appinstaller -- name: "18.9.27.1.1 | PATCH | Ensure Application Control Event Log behavior when the log file reaches its maximum size is set to Disabled" +- name: "18.10.17.2 | PATCH | Ensure Enable App Installer Experimental Features is set to Disabled" + ansible.windows.win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\AppInstaller + name: EnableExperimentalFeatures + data: 0 + type: dword + when: + - win19cis_rule_18_10_17_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.10.17.2 + - patch + - appinstaller + +- name: "18.10.17.3 | PATCH | Ensure Enable App Installer Hash Override is set to Disabled" + ansible.windows.win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\AppInstaller + name: EnableHashOverride + data: 0 + type: dword + when: + - win19cis_rule_18_10_17_3 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.10.17.3 + - patch + - appinstaller + +- name: "18.10.17.4 | PATCH | Ensure Enable App Installer ms-appinstaller protocol is set to Disabled" + ansible.windows.win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\AppInstaller + name: EnableMSAppInstallerProtocol + data: 0 + type: dword + when: + - win19cis_rule_18_10_17_4 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.10.17.4 + - patch + - appinstaller + +- name: "18.10.26.1.1 | PATCH | Ensure Application Control Event Log 
behavior when the log file reaches its maximum size is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application name: Retention data: 0 type: string when: - - win19cis_rule_18_9_27_1_1 + - win19cis_rule_18_10_26_1_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.27.1.1 + - rule_18.10.26.1.1 - patch - eventlog -- name: "18.9.27.1.2 | PATCH | Ensure Application Specify the maximum log file size KB is set to Enabled 32768 or greater" +- name: "18.10.26.1.2 | PATCH | Ensure Application Specify the maximum log file size KB is set to Enabled 32768 or greater" block: - - name: "18.9.27.1.2 | AUDIT | Ensure Application Specify the maximum log file size KB is set to Enabled 32768 or greater | Warning Check For Variable Standards." + - name: "18.10.26.1.2 | AUDIT | Ensure Application Specify the maximum log file size KB is set to Enabled 32768 or greater | Warning Check For Variable Standards." ansible.builtin.debug: msg: - - "Warning!! You have a invalid file size set for win19cis_application_max_log_file_size please read" + - "Warning!! You have an invalid file size set for win19cis_application_max_log_file_size please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: win19cis_application_max_log_file_size < 32768 - - name: "18.9.27.1.2 | AUDIT | Ensure Application Specify the maximum log file size KB is set to Enabled 32768 or greater | Warn Count." - ansible.builtin.import_tasks: warning_facts.yml + - name: "18.10.26.1.2 | AUDIT | Ensure Application Specify the maximum log file size KB is set to Enabled 32768 or greater | Warn Count." 
+ ansible.builtin.import_tasks: + file: warning_facts.yml vars: - warn_control_id: '18.9.27.1.2' + warn_control_id: '18.10.26.1.2' when: win19cis_application_max_log_file_size < 32768 - - name: "18.9.27.1.2 | PATCH | Ensure Application Specify the maximum log file size KB is set to Enabled 32768 or greater | Set File Size." + - name: "18.10.26.1.2 | PATCH | Ensure Application Specify the maximum log file size KB is set to Enabled 32768 or greater | Set File Size." ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Application name: MaxSize 
@@ -2091,45 +2444,46 @@ type: dword when: win19cis_application_max_log_file_size >= 32768 when: - - win19cis_rule_18_9_27_1_2 + - win19cis_rule_18_10_26_1_2 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.27.1.2 + - rule_18.10.26.1.2 - patch - eventlog -- name: "18.9.27.2.1 | PATCH | Ensure Security Control Event Log behavior when the log file reaches its maximum size is set to Disabled" +- name: "18.10.26.2.1 | PATCH | Ensure Security Control Event Log behavior when the log file reaches its maximum size is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Security name: Retention data: 0 type: string when: - - win19cis_rule_18_9_27_2_1 + - win19cis_rule_18_10_26_2_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.27.2.1 + - rule_18.10.26.2.1 - patch - eventlog -- name: "18.9.27.2.2 | PATCH | Ensure Security Specify the maximum log file size KB is set to Enabled 196608 or greater" +- name: "18.10.26.2.2 | PATCH | Ensure Security Specify the maximum log file size KB is set to Enabled 196608 or greater" block: - - name: "18.9.27.2.2 | AUDIT | Ensure Security Specify the maximum log file size KB is set to Enabled 196608 or greater | Warning Check For Variable Standards." + - name: "18.10.26.2.2 | AUDIT | Ensure Security Specify the maximum log file size KB is set to Enabled 196608 or greater | Warning Check For Variable Standards." ansible.builtin.debug: msg: - - "Warning!! You have a invalid file size set for win19cis_security_max_log_file_size please read" + - "Warning!! You have an invalid file size set for win19cis_security_max_log_file_size please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: win19cis_security_max_log_file_size < 196608 - - name: "18.9.27.2.2 | AUDIT | Ensure Security Specify the maximum log file size KB is set to Enabled 196608 or greater | Warn Count." 
- ansible.builtin.import_tasks: warning_facts.yml + - name: "18.10.26.2.2 | AUDIT | Ensure Security Specify the maximum log file size KB is set to Enabled 196608 or greater | Warn Count." + ansible.builtin.import_tasks: + file: warning_facts.yml vars: - warn_control_id: '18.9.27.2.2' + warn_control_id: '18.10.26.2.2' when: win19cis_security_max_log_file_size < 196608 - - name: "18.9.27.2.2 | PATCH | Ensure Security Specify the maximum log file size KB is set to Enabled 196608 or greater | Set Variable." + - name: "18.10.26.2.2 | PATCH | Ensure Security Specify the maximum log file size KB is set to Enabled 196608 or greater | Set Variable." ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Security name: MaxSize 
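Review bot: The `when: win19cis_security_max_log_file_size < 196608` guards on the two `18.10.26.2.2` AUDIT subtasks compare the variable to an integer with no cast, so a value supplied on the command line as `-e win19cis_security_max_log_file_size=262144` (which Ansible hands over as a string, if I recall correctly) makes Jinja2 raise a TypeError instead of warning or patching. Casting makes the guard robust to how the variable is set: `when: win19cis_security_max_log_file_size | int < 196608`. The `< 32768` guard on the Application block at the top of the hunk has the same shape and would want the same cast. The `18.10.26.2.2` block continues past the end of this hunk, where its Set Variable `when` and the block-level `when`/`tags` live.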
@@ -2137,45 +2491,46 @@ type: dword when: win19cis_security_max_log_file_size >= 196608 when: - - win19cis_rule_18_9_27_2_2 + - win19cis_rule_18_10_26_2_2 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.27.2.2 + - rule_18.10.26.2.2 - patch - eventlog -- name: "18.9.27.3.1 | PATCH | Ensure Setup Control Event Log behavior when the log file reaches its maximum size is set to Disabled" +- name: "18.10.26.3.1 | PATCH | Ensure Setup Control Event Log behavior when the log file reaches its maximum size is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Setup name: Retention data: 0 type: string when: - - win19cis_rule_18_9_27_3_1 + - win19cis_rule_18_10_26_3_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.27.3.1 + - rule_18.10.26.3.1 - patch - eventlog -- name: "18.9.27.3.2 | PATCH | Ensure Setup Specify the maximum log file size KB is set to Enabled 32768 or greater" +- name: "18.10.26.3.2 | PATCH | Ensure Setup Specify the maximum log file size KB is set to Enabled 32768 or greater" block: - - name: "18.9.27.3.2 | AUDIT | Ensure Setup Specify the maximum log file size KB is set to Enabled 32768 or greater | Warning Check For Variable Standards." + - name: "18.10.26.3.2 | AUDIT | Ensure Setup Specify the maximum log file size KB is set to Enabled 32768 or greater | Warning Check For Variable Standards." ansible.builtin.debug: msg: - - "Warning!! You have a invalid file size set for win19cis_setup_max_log_file_size please read" + - "Warning!! You have an invalid file size set for win19cis_setup_max_log_file_size please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: win19cis_setup_max_log_file_size < 32768 - - name: "18.9.27.3.2 | AUDIT | Ensure Setup Specify the maximum log file size KB is set to Enabled 32768 or greater | Warn Count." 
- ansible.builtin.import_tasks: warning_facts.yml + - name: "18.10.26.3.2 | AUDIT | Ensure Setup Specify the maximum log file size KB is set to Enabled 32768 or greater | Warn Count." + ansible.builtin.import_tasks: + file: warning_facts.yml vars: - warn_control_id: '18.9.27.3.2' + warn_control_id: '18.10.26.3.2' when: win19cis_setup_max_log_file_size < 32768 - - name: "18.9.27.3.2 | PATCH | Ensure Setup Specify the maximum log file size KB is set to Enabled 32768 or greater | Set Variable." + - name: "18.10.26.3.2 | PATCH | Ensure Setup Specify the maximum log file size KB is set to Enabled 32768 or greater | Set Variable." ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Setup name: MaxSize 
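Review bot: In the `18.10.26.3.2` block a below-minimum `win19cis_setup_max_log_file_size` only triggers the two AUDIT tasks (`when: ... < 32768`); the Set Variable task that follows is gated on the opposite condition in the next hunk, so the existing `MaxSize` value is left as-is and the host stays non-compliant without the play failing. That is a defensible warn-and-continue design, but nothing in the task names says so, and an operator reading the summary could assume the floor was enforced. I would state it above the block: `# Values below the benchmark minimum only raise a warning; the existing MaxSize is left untouched.` The Security block whose tail (`>= 196608`) opens this hunk behaves the same way, and the Setup block's closing `when`/`tags` are outside this hunk.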
@@ -2183,45 +2538,46 @@ type: dword when: win19cis_setup_max_log_file_size >= 32768 when: - - win19cis_rule_18_9_27_3_2 + - win19cis_rule_18_10_26_3_2 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.27.3.2 + - rule_18.10.26.3.2 - patch - eventlog -- name: "18.9.27.4.1 | PATCH | Ensure System Control Event Log behavior when the log file reaches its maximum size is set to Disabled" +- name: "18.10.26.4.1 | PATCH | Ensure System Control Event Log behavior when the log file reaches its maximum size is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\System name: Retention data: 0 type: string when: - - win19cis_rule_18_9_27_4_1 + - win19cis_rule_18_10_26_4_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.27.4.1 + - rule_18.10.26.4.1 - patch - eventlog -- name: "18.9.27.4.2 | PATCH | Ensure System Specify the maximum log file size KB is set to Enabled 32768 or greater" +- name: "18.10.26.4.2 | PATCH | Ensure System Specify the maximum log file size KB is set to Enabled 32768 or greater" block: - - name: "18.9.27.4.2 | AUDIT | Ensure System Specify the maximum log file size KB is set to Enabled 32768 or greater | Warning Check For Variable Standards." + - name: "18.10.26.4.2 | AUDIT | Ensure System Specify the maximum log file size KB is set to Enabled 32768 or greater | Warning Check For Variable Standards." ansible.builtin.debug: msg: - - "Warning!! You have a invalid file size set for win19cis_system_max_log_file_size please read" + - "Warning!! You have an invalid file size set for win19cis_system_max_log_file_size please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: win19cis_system_max_log_file_size < 32768 - - name: "18.9.27.4.2 | AUDIT | Ensure System Specify the maximum log file size KB is set to Enabled 32768 or greater | Warn Count." 
- ansible.builtin.import_tasks: warning_facts.yml + - name: "18.10.26.4.2 | AUDIT | Ensure System Specify the maximum log file size KB is set to Enabled 32768 or greater | Warn Count." + ansible.builtin.import_tasks: + file: warning_facts.yml vars: - warn_control_id: '18.9.27.4.2' + warn_control_id: '18.10.26.4.2' when: win19cis_system_max_log_file_size < 32768 - - name: "18.9.27.4.2 | PATCH | Ensure System Specify the maximum log file size KB is set to Enabled 32768 or greater | Set Variable." + - name: "18.10.26.4.2 | PATCH | Ensure System Specify the maximum log file size KB is set to Enabled 32768 or greater | Set Variable." ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\System name: MaxSize 
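Review bot: `18.10.26.4.1` writes `Retention` with `data: 0` and `type: string`; the unquoted `0` is a YAML integer handed to a REG_SZ value, leaving it to `win_regedit` to coerce it into the `"0"` string the benchmark expects. It appears to work today, but quoting makes the intent explicit and independent of the module's coercion rules: `data: '0'`. The Application, Security and Setup `Retention` tasks earlier in the file have the same shape and would want the same change for consistency. The `18.10.26.4.2` block that follows continues past the end of this hunk.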
@@ -2229,150 +2585,150 @@ type: dword when: win19cis_system_max_log_file_size >= 32768 when: - - win19cis_rule_18_9_27_4_2 + - win19cis_rule_18_10_26_4_2 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.27.4.2 + - rule_18.10.26.4.2 - patch - eventlog -- name: "18.9.31.2 | PATCH | Ensure Turn off Data Execution Prevention for Explorer is set to Disabled" +- name: "18.10.29.2 | PATCH | Ensure Turn off Data Execution Prevention for Explorer is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Explorer name: NoDataExecutionPrevention data: 0 type: dword when: - - win19cis_rule_18_9_31_2 + - win19cis_rule_18_10_29_2 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.31.2 + - rule_18.10.29.2 - patch - dep -- name: "18.9.31.3 | PATCH | Ensure Turn off heap termination on corruption is set to Disabled" +- name: "18.10.29.3 | PATCH | Ensure Turn off heap termination on corruption is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Explorer name: NoHeapTerminationOnCorruption data: 0 type: dword when: - - win19cis_rule_18_9_31_3 + - win19cis_rule_18_10_29_3 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.31.3 + - rule_18.10.29.3 - patch - heap -- name: "18.9.31.4 | PATCH | Ensure Turn off shell protocol protected mode is set to Disabled" +- name: "18.10.29.4 | PATCH | Ensure Turn off shell protocol protected mode is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer name: PreXPSP2ShellProtocolBehavior data: 0 type: dword when: - - win19cis_rule_18_9_31_4 + - win19cis_rule_18_10_29_4 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.31.4 + - rule_18.10.29.4 - patch - shell -- name: "18.9.41.1 | PATCH | Ensure Turn off location is set to Enabled" +- name: "18.10.37.1 | PATCH | Ensure Turn off location is set to Enabled" ansible.windows.win_regedit: 
path: HKLM:\Software\Policies\Microsoft\Windows\Locationandsensors name: DisableLocation data: 1 type: dword when: - - win19cis_rule_18_9_41_1 + - win19cis_rule_18_10_37_1 tags: - level2-domaincontroller - level2-memberserver - - rule_18.9.41.1 + - rule_18.10.37.1 - patch - location -- name: "18.9.45.1 | PATCH | Ensure Allow Message Service Cloud Sync is set to Disabled" +- name: "18.10.41.1 | PATCH | Ensure Allow Message Service Cloud Sync is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Messaging name: AllowMessageSync data: 0 type: dword when: - - win19cis_rule_18_9_45_1 + - win19cis_rule_18_10_41_1 tags: - level2-domaincontroller - level2-memberserver - - rule_18.9.45.1 + - rule_18.10.41.1 - patch - msc -- name: "18.9.46.1 | PATCH | Ensure Block all consumer Microsoft account user authentication is set to Enabled" +- name: "18.10.42.1 | PATCH | Ensure Block all consumer Microsoft account user authentication is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\MicrosoftAccount name: DisableUserAuth data: 1 type: dword when: - - win19cis_rule_18_9_46_1 + - win19cis_rule_18_10_42_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.46.1 + - rule_18.10.42.1 - patch - account -- name: "18.9.47.4.1 | PATCH | Ensure Configure local setting override for reporting to Microsoft MAPS is set to Disabled" +- name: "18.10.43.5.1 | PATCH | Ensure Configure local setting override for reporting to Microsoft MAPS is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet name: LocalSettingOverrideSpynetReporting data: 0 type: dword when: - - win19cis_rule_18_9_47_4_1 + - win19cis_rule_18_10_43_5_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.47.4.1 + - rule_18.10.43.5.1 - patch - maps -- name: "18.9.47.4.2 | PATCH | Ensure Join Microsoft MAPS is set to Disabled" +- name: "18.10.43.5.2 | PATCH | Ensure 
Join Microsoft MAPS is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet name: SpynetReporting data: 0 type: dword when: - - win19cis_rule_18_9_47_4_2 + - win19cis_rule_18_10_43_5_2 tags: - level2-domaincontroller - level2-memberserver - - rule_18.9.47.4.2 + - rule_18.10.43.5.2 - patch - maps -- name: "18.9.47.5.1.1 | PATCH | Ensure Configure Attack Surface Reduction rules is set to Enabled" +- name: "18.10.43.6.1.1 | PATCH | Ensure Configure Attack Surface Reduction rules is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR name: ExploitGuard_ASR_Rules data: 1 type: dword when: - - win19cis_rule_18_9_47_5_1_1 + - win19cis_rule_18_10_43_6_1_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.47.5.1.1 + - rule_18.10.43.6.1.1 - patch - defender -- name: "18.9.47.5.1.2 | PATCH | Ensure Configure Attack Surface Reduction rules Set the state for each ASR rule is configured" +- name: "18.10.43.6.1.2 | PATCH | Ensure Configure Attack Surface Reduction rules Set the state for each ASR rule is configured" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules name: "{{ item }}" 
@@ -2392,398 +2748,444 @@ - d4f940ab-401b-4efc-aadc-ad5f3c50688a - e6db77e5-3df2-4cf1-b95a-636979351e5b when: - - win19cis_rule_18_9_47_5_1_2 + - win19cis_rule_18_10_43_6_1_2 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.47.5.1.2 + - rule_18.10.43.6.1.2 - patch - defender -- name: "18.9.47.5.3.1 | PATCH | Ensure Prevent users and apps from accessing dangerous websites is set to Enabled Block" +- name: "18.10.43.6.3.1 | PATCH | Ensure Prevent users and apps from accessing dangerous websites is set to Enabled Block" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection name: EnableNetworkProtection data: 1 type: dword when: - - win19cis_rule_18_9_47_5_3_1 + - win19cis_rule_18_10_43_6_3_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.47.5.3.1 + - rule_18.10.43.6.3.1 - patch - defender -- name: "18.9.47.6.1 | PATCH | (L2) Ensure 'Enable file hash computation feature' is set to 'Enabled'" +- name: "18.10.43.7.1 | PATCH | (L2) Ensure Enable file hash computation feature is set to Enabled" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine name: EnableFileHashComputation data: 1 type: dword when: - - win19cis_rule_18_9_47_6_1 + - win19cis_rule_18_10_43_7_1 tags: - level2-domaincontroller - level2-memberserver - - rule_18.9.47.6.1 + - rule_18.10.43.7.1 - patch - defender -- name: "18.9.47.9.1 | PATCH | Ensure Scan all downloaded files and attachments is set to Enabled" +- name: "18.10.43.10.1 | PATCH | Ensure Scan all downloaded files and attachments is set to Enabled" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection name: DisableIOAVProtection data: 0 type: dword when: - - win19cis_rule_18_9_47_9_1 + - win19cis_rule_18_10_43_10_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.47.9.1 + - rule_18.10.43.10.1 - patch - defender - 
real_time_protection -- name: "18.9.47.9.2 | PATCH | Ensure 'Turn off real-time protection' is set to 'Disabled'" +- name: "18.10.43.10.2 | PATCH | Ensure 'Turn off real-time protection' is set to 'Disabled'" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection name: DisableRealtimeMonitoring data: 1 datatype: dword when: - - win19cis_rule_18_9_47_9_2 + - win19cis_rule_18_10_43_10_2 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.47.9.2 + - rule_18.10.43.10.2 - patch - defender - real_time_protection -- name: "18.9.47.9.3 | PATCH | Ensure Turn on behavior monitoring is set to Enabled" +- name: "18.10.43.10.3 | PATCH | Ensure Turn on behavior monitoring is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection name: DisableBehaviorMonitoring data: 0 type: dword when: - - win19cis_rule_18_9_47_9_3 + - win19cis_rule_18_10_43_10_3 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.47.9.3 + - rule_18.10.43.10.3 - patch - defender - real_time_protection -- name: "18.9.47.9.4 | PATCH | Ensure 'Turn on script scanning' is set to 'Enabled'" +- name: "18.10.43.10.4 | PATCH | Ensure 'Turn on script scanning' is set to 'Enabled'" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection name: DisableScriptScanning data: 0 type: dword when: - - win19cis_rule_18_9_47_9_4 + - win19cis_rule_18_10_43_10_4 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.47.9.4 + - rule_18.10.43.10.4 - patch - defender - real_time_protection -- name: "18.9.47.11.1 | PATCH | Ensure Configure Watson events is set to Disabled" +- name: "18.10.43.12.1 | PATCH | Ensure Configure Watson events is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Defender\Reporting name: DisableGenericRePorts data: 1 type: dword when: - - 
win19cis_rule_18_9_47_11_1 + - win19cis_rule_18_10_43_12_1 tags: - level2-domaincontroller - level2-memberserver - - rule_18.9.47.11.1 + - rule_18.10.43.12.1 - patch - defender -- name: "18.9.47.12.1 | PATCH | Ensure Scan removable drives is set to Enabled" +- name: "18.10.43.13.1 | PATCH | Ensure Scan removable drives is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Defender\Scan name: DisableRemovableDriveScanning data: 0 type: dword when: - - win19cis_rule_18_9_47_12_1 + - win19cis_rule_18_10_43_13_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.47.12.1 + - rule_18.10.43.13.1 - patch - defender -- name: "18.9.47.12.2 | PATCH | Ensure Turn on e-mail scanning is set to Enabled" +- name: "18.10.43.13.2 | PATCH | Ensure Turn on e-mail scanning is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Defender\Scan name: DisableEmailScanning data: 0 type: dword when: - - win19cis_rule_18_9_47_12_2 + - win19cis_rule_18_10_43_13_2 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.47.12.2 + - rule_18.10.43.13.2 - patch - defender -- name: "18.9.47.15 | PATCH | Ensure Configure detection for potentially unwanted applications is set to Enabled Block" +- name: "18.10.43.16 | PATCH | Ensure Configure detection for potentially unwanted applications is set to Enabled Block" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Defender name: PUAProtection data: 1 type: dword when: - - win19cis_rule_18_9_47_15 + - win19cis_rule_18_10_43_16 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.47.15 + - rule_18.10.43.16 - patch - defender -- name: "18.9.47.16 | PATCH | Ensure Turn off Windows Defender AntiVirus is set to Disabled" +- name: "18.10.43.17 | PATCH | Ensure Turn off Windows Defender AntiVirus is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Defender name: 
DisableAntiSpyware data: 0 type: dword when: - - win19cis_rule_18_9_47_16 + - win19cis_rule_18_10_43_17 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.47.16 + - rule_18.10.43.17 - patch - defender -- name: "18.9.58.1 | PATCH | Ensure Prevent the usage of OneDrive for file storage is set to Enabled" +- name: "18.10.51.1 | PATCH | Ensure Prevent the usage of OneDrive for file storage is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Onedrive name: DisableFileSyncNGSC data: 1 type: dword when: - - win19cis_rule_18_9_58_1 + - win19cis_rule_18_10_51_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.58.1 + - rule_18.10.51.1 - patch - onedrive -- name: "18.9.64.1 | PATCH | (L2) Ensure 'Turn off Push To Install service' is set to 'Enabled'" +- name: "18.10.56.1 | PATCH | (L2) Ensure 'Turn off Push To Install service' is set to 'Enabled'" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\PushToInstall name: DisablePushToInstall data: 1 type: dword when: - - win19cis_rule_18_9_64_1 + - win19cis_rule_18_10_56_1 tags: - level2-domaincontroller - level2-memberserver - - rule_18.9.64.1 + - rule_18.10.56.1 - patch - pushtoinstall -- name: "18.9.65.2.2 | PATCH | Ensure Do not allow passwords to be saved is set to Enabled" +- name: "18.10.57.2.2 | PATCH | Ensure Do not allow passwords to be saved is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: DisablePasswordSaving data: 1 type: dword when: - - win19cis_rule_18_9_65_2_2 + - win19cis_rule_18_10_57_2_2 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.65.2.2 + - rule_18.10.57.2.2 - patch - terminalservices -- name: "18.9.65.3.2.1 | PATCH | Ensure Restrict Remote Desktop Services users to a single Remote Desktop Services session is set to Enabled" +- name: "18.10.57.3.2.1 | PATCH | Ensure Restrict Remote Desktop Services users to a single 
Remote Desktop Services session is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: fSingleSessionPerUser data: 1 type: dword when: - - win19cis_rule_18_9_65_3_2_1 + - win19cis_rule_18_10_57_3_2_1 tags: - level2-domaincontroller - level2-memberserver - - rule_18.9.65.3.2.1 + - rule_18.10.57.3.2.1 - patch - terminalservices -- name: "18.9.65.3.3.1 | PATCH | Ensure Do not allow COM port redirection is set to Enabled" +- name: "18.10.57.3.3.1 | PATCH | Ensure Allow UI Automation redirection is set to Disabled" + ansible.windows.win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: EnableUiaRedirection + data: 0 + type: dword + when: + - win19cis_rule_18_10_57_3_3_1 + tags: + - level2-domaincontroller + - level2-memberserver + - rule_18.10.57.3.3.1 + - patch + - terminalservices + +- name: "18.10.57.3.3.2 | PATCH | Ensure Do not allow COM port redirection is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: fDisableCcm data: 1 type: dword when: - - win19cis_rule_18_9_65_3_3_1 + - win19cis_rule_18_10_57_3_3_2 tags: - level2-domaincontroller - level2-memberserver - - rule_18.9.65.3.3.1 + - rule_18.10.57.3.3.2 - patch - terminalservices -- name: "18.9.65.3.3.2 | PATCH | Ensure Do not allow drive redirection is set to Enabled" +- name: "18.10.57.3.3.3 | PATCH | Ensure Do not allow drive redirection is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: fDisableCdm data: 1 type: dword when: - - win19cis_rule_18_9_65_3_3_2 + - win19cis_rule_18_10_57_3_3_3 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.10.57.3.3.3 + - patch + - terminalservices + +- name: "18.10.57.3.3.4 | PATCH | Ensure Do not allow location redirection is set to Enabled" + ansible.windows.win_regedit: + path: 
HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: fDisableLocationRedir + data: 1 + type: dword + when: + - win19cis_rule_18_10_57_3_3_4 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.65.3.3.2 + - rule_18.10.57.3.3.4 - patch - terminalservices -- name: "18.9.65.3.3.3 | PATCH | Ensure Do not allow LPT port redirection is set to Enabled" +- name: "18.10.57.3.3.5 | PATCH | Ensure Do not allow LPT port redirection is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: fDisableLPT data: 1 type: dword when: - - win19cis_rule_18_9_65_3_3_3 + - win19cis_rule_18_10_57_3_3_5 tags: - level2-domaincontroller - level2-memberserver - - rule_18.9.65.3.3.3 + - rule_18.10.57.3.3.5 - patch - terminalservices -- name: "18.9.65.3.3.4 | PATCH | Ensure Do not allow supported Plug and Play device redirection is set to Enabled" +- name: "18.10.57.3.3.6 | PATCH | Ensure Do not allow supported Plug and Play device redirection is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: fDisablePNPRedir data: 1 type: dword when: - - win19cis_rule_18_9_65_3_3_4 + - win19cis_rule_18_10_57_3_3_6 tags: - level2-domaincontroller - level2-memberserver - - rule_18.9.65.3.3.4 + - rule_18.10.57.3.3.6 - patch - terminalservicess -- name: "18.9.65.3.9.1 | PATCH | Ensure Always prompt for password upon connection is set to Enabled" +- name: "18.10.57.3.3.7 | PATCH | Ensure Do not allow WebAuthn redirection is set to Enabled" + ansible.windows.win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: fDisableWebAuthn + data: 1 + type: dword + when: + - win19cis_rule_18_10_57_3_3_6 + tags: + - level2-domaincontroller + - level2-memberserver + - rule_18.10.57.3.3.7 + - patch + - terminalservicess + +- name: "18.10.57.3.9.1 | PATCH | Ensure Always prompt for password upon connection is set to Enabled" 
ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: fPromptForPassword data: 1 type: dword when: - - win19cis_rule_18_9_65_3_9_1 + - win19cis_rule_18_10_57_3_9_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.65.3.9.1 + - rule_18.10.57.3.9.1 - patch - terminalservices -- name: "18.9.65.3.9.2 | PATCH | Ensure Require secure RPC communication is set to Enabled" +- name: "18.10.57.3.9.2 | PATCH | Ensure Require secure RPC communication is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: fEncryptRPCTraffic data: 1 type: dword when: - - win19cis_rule_18_9_65_3_9_2 + - win19cis_rule_18_10_57_3_9_2 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.65.3.9.2 + - rule_18.10.57.3.9.2 - patch - terminalservices -- name: "18.9.65.3.9.3 | PATCH | Ensure Require use of specific security layer for remote RDP connections is set to Enabled SSL" +- name: "18.10.57.3.9.3 | PATCH | Ensure Require use of specific security layer for remote RDP connections is set to Enabled SSL" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: SecurityLayer data: 2 type: dword when: - - win19cis_rule_18_9_65_3_9_3 + - win19cis_rule_18_10_57_3_9_3 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.65.3.9.3 + - rule_18.10.57.3.9.3 - patch - terminalservices -- name: "18.9.65.3.9.4 | PATCH | Ensure Require user authentication for remote connections by using Network Level Authentication is set to Enabled" +- name: "18.10.57.3.9.4 | PATCH | Ensure Require user authentication for remote connections by using Network Level Authentication is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: UserAuthentication data: 1 type: dword when: - - win19cis_rule_18_9_65_3_9_4 + - win19cis_rule_18_10_57_3_9_4 tags: - 
level1-domaincontroller - level1-memberserver - - rule_18.9.65.3.9.4 + - rule_18.10.57.3.9.4 - patch - terminalservices -- name: "18.9.65.3.9.5 | PATCH | Ensure Set client connection encryption level is set to Enabled High Level" +- name: "18.10.57.3.9.5 | PATCH | Ensure Set client connection encryption level is set to Enabled High Level" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: MinEncryptionLevel data: 3 type: dword when: - - win19cis_rule_18_9_65_3_9_5 + - win19cis_rule_18_10_57_3_9_5 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.65.3.9.5 + - rule_18.10.57.3.9.5 - patch - terminalservices -- name: "18.9.65.3.10.1 | PATCH | Ensure Set time limit for active but idle Remote Desktop Services sessions is set to Enabled 15 minutes or less" +- name: "18.10.57.3.10.1 | PATCH | Ensure Set time limit for active but idle Remote Desktop Services sessions is set to Enabled 15 minutes or less" block: - - name: "18.9.65.3.10.1 | AUDIT | Ensure Set time limit for active but idle Remote Desktop Services sessions is set to Enabled 15 minutes or less | Warning Check For Variable Standards." + - name: "18.10.57.3.10.1 | AUDIT | Ensure Set time limit for active but idle Remote Desktop Services sessions is set to Enabled 15 minutes or less | Warning Check For Variable Standards." ansible.builtin.debug: msg: - - "Warning!! You have a invalid time set for win19cis_idle_rdp_session_disconnect_time please read" + - "Warning!! You have an invalid time set for win19cis_idle_rdp_session_disconnect_time please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: - win19cis_idle_rdp_session_disconnect_time == 0 or win19cis_idle_rdp_session_disconnect_time > 900000 - - name: "18.9.65.3.10.1 | AUDIT | Ensure Set time limit for active but idle Remote Desktop Services sessions is set to Enabled 15 minutes or less | Warn Count." 
- ansible.builtin.import_tasks: warning_facts.yml + - name: "18.10.57.3.10.1 | AUDIT | Ensure Set time limit for active but idle Remote Desktop Services sessions is set to Enabled 15 minutes or less | Warn Count." + ansible.builtin.import_tasks: + file: warning_facts.yml vars: - warn_control_id: '18.9.65.3.10.1' + warn_control_id: '18.10.57.3.10.1' when: - win19cis_idle_rdp_session_disconnect_time == 0 or win19cis_idle_rdp_session_disconnect_time > 900000 - - name: "18.9.65.3.10.1 | PATCH | Ensure Set time limit for active but idle Remote Desktop Services sessions is set to Enabled 15 minutes or less | Set Variable." + - name: "18.10.57.3.10.1 | PATCH | Ensure Set time limit for active but idle Remote Desktop Services sessions is set to Enabled 15 minutes or less | Set Variable." ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: MaxIdleTime 
@@ -2795,526 +3197,587 @@ win19cis_idle_rdp_session_disconnect_time == 600000 or win19cis_idle_rdp_session_disconnect_time == 900000 when: - - win19cis_rule_18_9_65_3_10_1 + - win19cis_rule_18_10_57_3_10_1 tags: - level2-domaincontroller - level2-memberserver - - rule_18.9.65.3.10.1 + - rule_18.10.57.3.10.1 - patch - terminalservices -- name: "18.9.65.3.10.2 | PATCH | Ensure Set time limit for disconnected sessions is set to Enabled 1 minute" +- name: "18.10.57.3.10.2 | PATCH | Ensure Set time limit for disconnected sessions is set to Enabled 1 minute" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: MaxDisconnectionTime data: 60000 type: dword when: - - win19cis_rule_18_9_65_3_10_2 + - win19cis_rule_18_10_57_3_10_2 tags: - level2-domaincontroller - level2-memberserver - - rule_18.9.65.3.10.2 + - rule_18.10.57.3.10.2 - patch - terminalservices -- name: "18.9.65.3.11.1 | PATCH | Ensure Do not delete temp folders upon exit is set to Disabled" +- name: "18.10.57.3.11.1 | PATCH | Ensure Do not delete temp folders upon exit is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: DeleteTempDirsOnExit data: 1 type: dword when: - - win19cis_rule_18_9_65_3_11_1 + - win19cis_rule_18_10_57_3_11_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.65.3.11.1 + - rule_18.10.57.3.11.1 - patch - terminalservices -- name: "18.9.65.3.11.2 | PATCH | Ensure Do not use temporary folders per session is set to Disabled" +- name: "18.10.57.3.11.2 | PATCH | Ensure Do not use temporary folders per session is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: PerSessionTempDir data: 1 type: dword when: - - win19cis_rule_18_9_65_3_11_2 + - win19cis_rule_18_10_57_3_11_2 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.65.3.11.2 + - rule_18.10.57.3.11.2 - patch - 
terminalservices -- name: "18.9.66.1 | PATCH | Ensure Prevent downloading of enclosures is set to Enabled" +- name: "18.10.58.1 | PATCH | Ensure Prevent downloading of enclosures is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds name: DisableEnclosureDownload data: 1 type: dword when: - - win19cis_rule_18_9_66_1 + - win19cis_rule_18_10_58_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.66.1 + - rule_18.10.58.1 - patch - enclosure -- name: "18.9.67.2 | PATCH | Ensure Allow Cloud Search is set to Enabled Disable Cloud Search" +- name: "18.10.59.2 | PATCH | Ensure Allow Cloud Search is set to Enabled Disable Cloud Search" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search name: AllowCloudSearch data: 0 type: dword when: - - win19cis_rule_18_9_67_2 + - win19cis_rule_18_10_59_2 tags: - level2-domaincontroller - level2-memberserver - - rule_18.9.67.2 + - rule_18.10.59.2 - patch - search - cloud -- name: "18.9.67.3 | PATCH | Ensure Allow indexing of encrypted files is set to Disabled" +- name: "18.10.59.3 | PATCH | Ensure Allow indexing of encrypted files is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search name: AllowIndexingEncryptedStoresOrItems data: 0 type: dword when: - - win19cis_rule_18_9_67_3 + - win19cis_rule_18_10_59_3 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.67.3 + - rule_18.10.59.3 - patch - search - encrypted -- name: "18.9.72.1 | PATCH | Ensure Turn off KMS Client Online AVS Validation is set to Enabled" +- name: "18.10.59.4 | PATCH | Ensure Allow search highlights is set to Disabled" + ansible.windows.win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search + name: EnableDynamicContentInWSB + data: 0 + type: dword + when: + - win19cis_rule_18_10_59_4 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.10.59.4 
+ - patch + - search + +- name: "18.10.63.1 | PATCH | Ensure Turn off KMS Client Online AVS Validation is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Currentversion\Software Protection Platform name: NoGenTicket data: 1 type: dword when: - - win19cis_rule_18_9_72_1 + - win19cis_rule_18_10_63_1 tags: - level2-domaincontroller - level2-memberserver - - rule_18.9.72.1 + - rule_18.10.63.1 - patch - kms -- name: "18.9.85.1.1 | PATCH | Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass" +- name: "18.10.76.2.1 | PATCH | Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass" block: - - name: "18.9.85.1.1 | PATCH | Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass | EnableSmartScreen" + - name: "18.10.76.2.1 | PATCH | Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass | EnableSmartScreen" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\System name: EnableSmartScreen data: 1 type: dword - - name: "18.9.85.1.1 | PATCH | Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass | ShellSmartScreenLevel" + - name: "18.10.76.2.1 | PATCH | Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass | ShellSmartScreenLevel" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\System name: ShellSmartScreenLevel data: Block type: string when: - - win19cis_rule_18_9_85_1_1 + - win19cis_rule_18_10_76_2_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.85.1.1 + - rule_18.10.76.2.1 - patch - defender -- name: "18.9.89.1 | PATCH | Ensure Allow suggested apps in Windows Ink Workspace is set to Disabled" +- name: "18.10.80.1 | PATCH | Ensure Allow suggested apps in Windows Ink Workspace is set to Disabled" ansible.windows.win_regedit: path: 
HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace name: AllowSuggestedAppsInWindowsInkWorkspace data: 0 type: dword when: - - win19cis_rule_18_9_89_1 + - win19cis_rule_18_10_80_1 tags: - level2-domaincontroller - level2-memberserver - - rule_18.9.89.1 + - rule_18.10.80.1 - patch - wik -- name: "18.9.89.2 | PATCH | Ensure Allow Windows Ink Workspace is set to Enabled On but disallow access above lock OR Disabled but not Enabled On" +- name: "18.10.80.2 | PATCH | Ensure Allow Windows Ink Workspace is set to Enabled On but disallow access above lock OR Disabled but not Enabled On" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace name: AllowWindowsInkWorkspace data: 1 type: dword when: - - win19cis_rule_18_9_89_2 + - win19cis_rule_18_10_80_2 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.89.2 + - rule_18.10.80.2 - patch - wik -- name: "18.9.90.1 | PATCH | Ensure Allow user control over installs is set to Disabled" +- name: "18.10.81.1 | PATCH | Ensure Allow user control over installs is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Installer name: EnableUserControl data: 0 type: dword when: - - win19cis_rule_18_9_90_1 + - win19cis_rule_18_10_81_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.90.1 + - rule_18.10.81.1 - patch -- name: "18.9.90.2 | PATCH | Ensure Always install with elevated privileges is set to Disabled" - ansible.windows.win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Installer - name: AlwaysInstallElevated - data: 0 - type: dword +- name: "18.10.80.2 | PATCH | Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'" + block: + - name: "18.10.80.2 | AUDIT | Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled' | Warning Check For Variable Standards." + ansible.builtin.debug: + msg: + - "Warning!! You have an invalid setting for win19cis_allow_windows_ink_workspace. 
Please read" + - "the notes for the variable and make the necessary change to the variable to be in compliance." + when: + - win19cis_allow_windows_ink_workspace != 0 + - win19cis_allow_windows_ink_workspace != 1 + + - name: "18.10.80.2 | AUDIT | Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled' | Warn Count." + ansible.builtin.import_tasks: + file: warning_facts.yml + vars: + warn_control_id: '18.10.80.2' + when: + - win19cis_allow_windows_ink_workspace != 0 + - win19cis_allow_windows_ink_workspace != 1 + + - name: "18.10.80.2 | PATCH | Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled' | Set Variable." + ansible.windows.win_regedit: + path: HKLM:\Software\Microsoft\Policies\Microsoft\WindowsInkWorkspace + name: AllowWindowsInkWorkspace + data: "{{ win19cis_allow_windows_ink_workspace }}" + type: dword + when: + - win19cis_allow_windows_ink_workspace == 0 or win19cis_allow_windows_ink_workspace == 1 when: - - win19cis_rule_18_9_90_2 + - win19cis_rule_18_10_80_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.90.2 + - level1-corporate-enterprise-environment + - rule_18.10.80.2 + - automated - patch -- name: "18.9.90.3 | PATCH | Ensure Prevent Internet Explorer security prompt for Windows Installer scripts is set to Disabled" +- name: "18.10.81.3 | PATCH | Ensure Prevent Internet Explorer security prompt for Windows Installer scripts is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Installer name: SafeForScripting data: 0 type: dword when: - - win19cis_rule_18_9_90_3 + - win19cis_rule_18_10_81_3 tags: - level2-domaincontroller - level2-memberserver - - rule_18.9.90.3 + - rule_18.10.81.3 - patch - ie -- name: "18.9.91.1 | PATCH | Ensure Sign-in last interactive user automatically after a system-initiated restart is set to Disabled" +- name: "18.10.82.1 | PATCH | Ensure Enable MPR notifications for the system is set to Disabled" + 
ansible.windows.win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: EnableMPR + data: 1 + type: dword + when: + - win19cis_rule_18_10_82_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.10.82.1 + - patch + - logon + +- name: "18.10.82.2 | PATCH | Ensure Sign-in last interactive user automatically after a system-initiated restart is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: DisableAutomaticRestartSignOn data: 1 type: dword when: - - win19cis_rule_18_9_91_1 + - win19cis_rule_18_10_82_2 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.91.1 + - rule_18.10.82.2 - patch - logon -- name: "19.9.100.1 | PATCH | Ensure Turn on PowerShell Script Block Logging is set to Enabled" +- name: "18.10.87.1 | PATCH | Ensure Turn on PowerShell Script Block Logging is set to Enabled" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging name: EnableScriptBlockLogging data: 1 type: dword when: - - win19cis_rule_18_9_100_1 + - win19cis_rule_18_10_87_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.100.1 + - rule_18.10.87.1 - patch - powershell -- name: "18.9.100.2 | PATCH | Ensure Turn on PowerShell Transcription is set to Disabled" +- name: "18.10.87.2 | PATCH | Ensure Turn on PowerShell Transcription is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Transcription name: EnableTranscripting - data: 0 + data: 1 type: dword when: - - win19cis_rule_18_9_100_2 + - win19cis_rule_18_10_87_2 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.100.2 + - rule_18.10.87.2 - patch - powershell -- name: "18.9.102.1.1 | PATCH | Ensure Allow Basic authentication is set to Disabled" +- name: "18.10.89.1.1 | PATCH | Ensure Allow Basic authentication is set to Disabled" ansible.windows.win_regedit: 
path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client name: AllowBasic data: 0 type: dword when: - - win19cis_rule_18_9_102_1_1 + - win19cis_rule_18_10_89_1_1 - not win_skip_for_test tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.102.1.1 + - rule_18.10.89.1.1 - patch - winrm -- name: "18.9.102.1.2 | PATCH | Ensure Allow unencrypted traffic is set to Disabled" +- name: "18.10.89.1.2 | PATCH | Ensure Allow unencrypted traffic is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client name: AllowUnencryptedTraffic data: 0 type: dword when: - - win19cis_rule_18_9_102_1_2 + - win19cis_rule_18_10_89_1_2 - not win_skip_for_test tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.102.1.2 + - rule_18.10.89.1.2 - patch - winrm -- name: "18.9.102.1.3 | PATCH | Ensure Disallow Digest authentication is set to Enabled" +- name: "18.10.89.1.3 | PATCH | Ensure Disallow Digest authentication is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client name: AllowDigest data: 0 type: dword when: - - win19cis_rule_18_9_102_1_3 + - win19cis_rule_18_10_89_1_3 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.102.1.3 + - rule_18.10.89.1.3 - patch - winrm -- name: "18.9.102.2.1 | PATCH | Ensure Allow Basic authentication is set to Disabled" +- name: "18.10.89.2.1 | PATCH | Ensure Allow Basic authentication is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service name: AllowBasic data: 0 type: dword when: - - win19cis_rule_18_9_102_2_1 + - win19cis_rule_18_10_89_2_1 - not win_skip_for_test tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.102.2.1 + - rule_18.10.89.2.1 - patch - winrm # This control will have to be set to Enabled (1) to allow for continued remote management via Ansible following machine restart -- name: "18.9.102.2.2 | PATCH | Ensure Allow 
remote server management through WinRM is set to Disabled" +- name: "18.10.89.2.2 | PATCH | Ensure Allow remote server management through WinRM is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service name: AllowAutoConfig data: 1 type: dword when: - - win19cis_rule_18_9_102_2_2 + - win19cis_rule_18_10_89_2_2 - not win_skip_for_test tags: - level2-domaincontroller - level2-memberserver - - rule_18.9.102.2.2 + - rule_18.10.89.2.2 - patch - winrm -- name: "18.9.102.2.3 | PATCH | Ensure Allow unencrypted traffic is set to Disabled" +- name: "18.10.89.2.3 | PATCH | Ensure Allow unencrypted traffic is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service name: AllowUnencryptedTraffic data: 0 type: dword when: - - win19cis_rule_18_9_102_2_3 + - win19cis_rule_18_10_89_2_3 - not win_skip_for_test tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.102.2.3 + - rule_18.10.89.2.3 - patch - winrm - encryption -- name: "18.9.102.2.4 | PATCH | Ensure Disallow WinRM from storing RunAs credentials is set to Enabled" +- name: "18.10.89.2.4 | PATCH | Ensure Disallow WinRM from storing RunAs credentials is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service name: DisableRunAs data: 1 type: dword when: - - win19cis_rule_18_9_102_2_4 + - win19cis_rule_18_10_89_2_4 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.102.2.4 + - rule_18.10.89.2.4 - patch - winrm -- name: "18.9.103.1 | PATCH | Ensure Allow Remote Shell Access is set to Disabled" +- name: "18.10.90.1 | PATCH | Ensure Allow Remote Shell Access is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service\Winrs name: AllowRemoteShellAccess data: 0 type: dword when: - - win19cis_rule_18_9_103_1 + - win19cis_rule_18_10_90_1 - not win_skip_for_test tags: - level2-domaincontroller - 
level2-memberserver - - rule_18.9.103.1 + - rule_18.10.90.1 - patch - winrm -- name: "18.9.105.2.1 | PATCH | Ensure Prevent users from modifying settings is set to Enabled" +- name: "18.10.92.2.1 | PATCH | Ensure Prevent users from modifying settings is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Defender Security Center\App and Browser protection name: DisallowExploitProtectionOverride data: 1 type: dword when: - - win19cis_rule_18_9_105_2_1 + - win19cis_rule_18_10_92_2_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.105.2.1 + - rule_18.10.92.2.1 - patch - accounts -- name: "18.9.108.1.1 | PATCH | Ensure No auto-restart with logged on users for scheduled automatic updates installations is set to Disabled" +- name: "18.10.93.1.1 | PATCH | Ensure No auto-restart with logged on users for scheduled automatic updates installations is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au name: NoAutoRebootWithLoggedOnUsers data: 0 type: dword when: - - win19cis_rule_18_9_108_1_1 + - win19cis_rule_18_10_93_1_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.108.1.1 + - rule_18.10.93.1.1 - patch - winupdate -- name: "18.9.108.2.1 | PATCH | Ensure Configure Automatic Updates is set to Enabled" +- name: "18.10.93.2.1 | PATCH | Ensure Configure Automatic Updates is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au name: NoAutoUpdate data: 0 type: dword when: - - win19cis_rule_18_9_108_2_1 + - win19cis_rule_18_10_93_2_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.108.2.1 + - rule_18.10.93.2.1 - patch - winupdate -- name: "18.9.108.2.2 | PATCH | Ensure Configure Automatic Updates Scheduled install day is set to 0 - Every day" +- name: "18.10.93.2.2 | PATCH | Ensure Configure Automatic Updates Scheduled install day is set to 0 - Every day" 
ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au name: ScheduledInstallDay data: 0 type: dword when: - - win19cis_rule_18_9_108_2_2 + - win19cis_rule_18_10_93_2_2 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.108.2.2 + - rule_18.10.93.2.2 - patch - winupdate -- name: "18.9.108.4.1 | PATCH | Ensure Manage preview builds is set to Enabled Disable preview builds" +- name: "18.10.93.4.1 | PATCH | Ensure Manage preview builds is set to Enabled Disable preview builds" block: - - name: "18.9.108.4.1 | PATCH | Ensure Manage preview builds is set to Enabled Disable preview builds | ManagePreviewBuilds" + - name: "18.10.93.4.1 | PATCH | Ensure Manage preview builds is set to Enabled Disable preview builds | ManagePreviewBuilds" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate name: ManagePreviewBuilds data: 1 type: dword - - name: "18.9.108.4.1 | PATCH | Ensure Manage preview builds is set to Enabled Disable preview builds | ManagePreviewBuilds" + - name: "18.10.93.4.1 | PATCH | Ensure Manage preview builds is set to Enabled Disable preview builds | ManagePreviewBuilds" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate name: ManagePreviewBuildsPolicyValue data: 0 type: dword when: - - win19cis_rule_18_9_108_4_1 + - win19cis_rule_18_10_93_4_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.102.1.1 + - rule_18.10.93.4.1 - patch - winupdate -- name: "18.9.108.4.2 | PATCH | Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days'" +- name: "18.10.93.4.2 | PATCH | Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days'" block: - - name: "18.9.108.4.2 | PATCH | Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days' | DeferFeatureUpdates" + - name: "18.10.93.4.2 | 
PATCH | Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days' | DeferFeatureUpdates" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate name: DeferFeatureUpdates data: 1 type: dword - - name: "18.9.108.4.2 | PATCH | Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days' | DeferFeatureUpdatesPeriodInDays" - ansible.windows.win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate - name: DeferFeatureUpdatesPeriodInDays - data: 180 - type: dword + - name: "18.10.93.4.2 | AUDIT | Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days' | Variable Warning." + ansible.builtin.debug: + msg: + - "Warning!! You have an invalid number of days for win19cis_defer_feature_updates_period_in_days. Please read" + - "the notes for the variable and make the necessary change to the variable to be in compliance." + when: win19cis_defer_feature_updates_period_in_days < 180 - - name: "18.9.108.4.2 | PATCH | Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days' | BranchReadinessLevel" + - name: "18.10.93.4.2 | AUDIT | Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days' | Warning Count." 
+ ansible.builtin.import_tasks: + file: warning_facts.yml + vars: + warn_control_id: '18.10.93.4.2' + when: win19cis_defer_feature_updates_period_in_days < 180 + + - name: "18.10.93.4.2 | PATCH | Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days' | DeferFeatureUpdatesPeriodInDays" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate - name: BranchReadinessLevel - data: 16 + name: DeferFeatureUpdatesPeriodInDays + data: "{{ win19cis_defer_feature_updates_period_in_days }}" type: dword + when: win19cis_defer_feature_updates_period_in_days >= 180 when: - - win19cis_rule_18_9_108_4_2 + - win19cis_rule_18_10_93_4_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.108.4.2 + - level1-corporate-enterprise-environment + - rule_18.10.93.4.2 + - automated - patch - - winupdate + - manage-updates-offered-from-windows-update + - preview -- name: "18.9.108.4.3 | PATCH | Ensure Select when Quality Updates are received is set to Enabled 0 days" +- name: "18.10.93.4.3 | PATCH | Ensure Select when Quality Updates are received is set to Enabled 0 days" block: - - name: "18.9.108.4.3 | PATCH | Ensure Select when Quality Updates are received is set to Enabled 0 days | DeferQualityUpdates" + - name: "18.10.93.4.3 | PATCH | Ensure Select when Quality Updates are received is set to Enabled 0 days | DeferQualityUpdates" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate name: DeferQualityUpdates data: 1 type: dword - - name: "18.9.108.4.3 | PATCH | Ensure Select when Quality Updates are received is set to Enabled 0 days | DeferQualityUpdatesPeriodInDays" + - name: "18.10.93.4.3 | PATCH | Ensure Select when Quality Updates are received is set to Enabled 0 days | DeferQualityUpdatesPeriodInDays" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate name: DeferQualityUpdatesPeriodInDays data: 0 type: 
dword when: - - win19cis_rule_18_9_108_4_3 + - win19cis_rule_18_10_93_4_3 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.108.4.3 + - rule_18.10.93.4.3 - patch - winupdate diff --git a/tasks/section19.yml b/tasks/section19.yml index 94b1806..b6680f2 100644 --- a/tasks/section19.yml +++ b/tasks/section19.yml @@ -53,14 +53,15 @@ - name: Warning Check For Variable Standards." ansible.builtin.debug: msg: - - "Warning!! You have a invalid time set for win19cis_screen_saver_timeout please read" + - "Warning!! You have an invalid time set for win19cis_screen_saver_timeout please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: - win19cis_screen_saver_timeout == 0 or win19cis_screen_saver_timeout > 900 - name: Set warning count." - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '19.1.3.3' when: 
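Review bot: The block that replaces the old `18.9.90.2` task drops the `AlwaysInstallElevated: 0` Windows Installer hardening with no counterpart in this hunk, and puts a second `18.10.80.2` task (same `win19cis_rule_18_10_80_2` toggle and same `AllowWindowsInkWorkspace` value name, but at `HKLM:\Software\Microsoft\Policies\Microsoft\WindowsInkWorkspace` rather than the `HKLM:\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace` path the earlier 18.10.80.2 task writes) between 18.10.81.1 and 18.10.81.3; the Installer control should be restored under its renumbered id (presumably 18.10.81.2, given its neighbours) and the duplicate Ink Workspace block merged into the earlier one or removed. In the new `18.10.82.1` task, `data: 1` turns MPR notifications on although the title says the policy must be Disabled; it should read `data: 0` (the neighbouring `DisableAutomaticRestartSignOn` is 1 only because that value name is itself a negation). The new 18.10.80.2 and 18.10.93.4.2 blocks are tagged `level1-corporate-enterprise-environment` / `automated` while every other task in this file uses `level1-domaincontroller` / `level1-memberserver`, so a run limited with `--tags level1-memberserver` silently skips them; use the file's tag pair. The hunk also removes the `BranchReadinessLevel: 16` write from 18.10.93.4.2 without a replacement, which may be intentional but is worth confirming against the benchmark.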
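Review bot: The task names `Warning Check For Variable Standards."` and `Set warning count."` on the new side each carry a stray trailing `"` with no opening quote, so the quote character becomes part of the task name; a typo-fix commit could drop it as well, e.g. `- name: Warning Check For Variable Standards.` The enclosing block starts outside the hunk.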
@@ -191,186 +192,195 @@ - patch - antivirus -- name: "19.7.8.1 | PATCH | Ensure Configure Windows spotlight on lock screen is set to Disabled" +- name: "19.7.7.1 | PATCH | Ensure Configure Windows spotlight on lock screen is set to Disabled" block: - - name: "19.7.8.1 | PATCH | Ensure Configure Windows spotlight on lock screen is set to Disabled" + - name: "19.7.7.1 | PATCH | Ensure Configure Windows spotlight on lock screen is set to Disabled" ansible.windows.win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent name: ConfigureWindowsSpotlight data: 2 type: dword - - name: "19.7.8.1 | PATCH | Ensure Configure Windows spotlight on lock screen is set to Disabled" + - name: "19.7.7.1 | PATCH | Ensure Configure Windows spotlight on lock screen is set to Disabled" ansible.windows.win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent name: ConfigureWindowsSpotlight data: 2 type: dword when: - - win19cis_rule_19_7_8_1 + - win19cis_rule_19_7_7_1 tags: - level1-domaincontroller - level1-memberserver - - rule_19.7.8.1 + - rule_19.7.7.1 - patch - - spotlight + - cloudcontent -- name: "19.7.8.2 | PATCH | Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" +- name: "19.7.7.2 | PATCH | Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" block: - - name: "19.7.8.2 | PATCH | Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" + - name: "19.7.7.2 | PATCH | Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" ansible.windows.win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent name: DisableThirdPartySuggestions data: 1 type: dword - - name: "19.7.8.2 | PATCH | Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" + - name: "19.7.7.2 | PATCH | Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" ansible.windows.win_regedit: path: 
HKCU:\Software\Policies\Microsoft\Windows\CloudContent name: DisableThirdPartySuggestions data: 1 type: dword when: - - win19cis_rule_19_7_8_2 + - win19cis_rule_19_7_7_2 tags: - level1-domaincontroller - level1-memberserver - - rule_19.7.8.2 + - rule_19.7.7.2 - patch - - spotlight + - cloudcontent -- name: "19.7.8.3 | PATCH | Ensure Do not use diagnostic data for tailored experiences is set to Enabled" +- name: "19.7.7.3 | PATCH | Ensure Do not use diagnostic data for tailored experiences is set to Enabled" block: - - name: "19.7.8.3 | PATCH | Ensure Do not use diagnostic data for tailored experiences is set to Enabled" + - name: "19.7.7.3 | PATCH | Ensure Do not use diagnostic data for tailored experiences is set to Enabled" ansible.windows.win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent name: DisableTailoredExperiencesWithDiagnosticData data: 1 type: dword - - name: "19.7.8.3 | PATCH | Ensure Do not use diagnostic data for tailored experiences is set to Enabled" + - name: "19.7.7.3 | PATCH | Ensure Do not use diagnostic data for tailored experiences is set to Enabled" ansible.windows.win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent name: DisableTailoredExperiencesWithDiagnosticData data: 1 type: dword when: - - win19cis_rule_19_7_8_3 + - win19cis_rule_19_7_7_3 tags: - - level2-domaincontroller - - level2-memberserver - - rule_19.7.8.3 + - level1-domaincontroller + - level1-memberserver + - rule_19.7.7.3 - patch - - tailoredexperiences + - cloudcontent -- name: "19.7.8.4 | PATCH | Ensure Turn off all Windows spotlight features is set to Enabled" +- name: "19.7.7.4 | PATCH | Ensure Turn off all Windows spotlight features is set to Enabled" block: - - name: "19.7.8.4 | PATCH | Ensure Turn off all Windows spotlight features is set to Enabled" + - name: "19.7.7.4 | PATCH | Ensure Turn off all Windows spotlight features is set to Enabled" ansible.windows.win_regedit: path: 
HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent name: DisableWindowsSpotlightFeatures data: 1 type: dword - - name: "19.7.8.4 | PATCH | Ensure Turn off all Windows spotlight features is set to Enabled" + - name: "19.7.7.4 | PATCH | Ensure Turn off all Windows spotlight features is set to Enabled" ansible.windows.win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent name: DisableWindowsSpotlightFeatures data: 1 type: dword when: - - win19cis_rule_19_7_8_4 + - win19cis_rule_19_7_7_4 tags: - - level2-domaincontroller - - level2-memberserver - - rule_19.7.8.4 + - level1-domaincontroller + - level1-memberserver + - rule_19.7.7.4 - patch - - spotlight - -- name: "19.7.8.5 | PATCH | Ensure Turn off Spotlight collection on Desktop is set to Enabled" - ansible.windows.win_regedit: - path: HKCU:\SOFTWARE\Policies\Microsoft\Windows\CloudContent - name: DisableSpotlightCollectionOnDesktop - data: 1 - type: dword + - cloudcontent + +- name: "19.7.7.5 | PATCH | Ensure Turn off Spotlight collection on Desktop is set to Enabled" + block: + - name: "19.7.7.5 | PATCH | Ensure Turn off Spotlight collection on Desktop is set to Enabled" + ansible.windows.win_regedit: + path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent + name: DisableSpotlightCollectionOnDesktop + data: 1 + type: dword + + - name: "19.7.7.5 | PATCH | Ensure Turn off Spotlight collection on Desktop is set to Enabled" + ansible.windows.win_regedit: + path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent + name: DisableSpotlightCollectionOnDesktop + data: 1 + type: dword when: - - win19cis_rule_19_7_8_5 + - win19cis_rule_19_7_7_5 tags: - level1-domaincontroller - level1-memberserver - - rule_19.7.8.4 + - rule_19.7.7.5 - patch - - spotlight + - cloudcontent -- name: "19.7.28.1 | PATCH | Ensure Prevent users from sharing files within their profile. is set to Enabled" +- name: "19.7.25.1 | PATCH | Ensure Prevent users from sharing files within their profile. 
is set to Enabled" block: - - name: "19.7.28.1 | PATCH | Ensure Prevent users from sharing files within their profile. is set to Enabled" + - name: "19.7.25.1| PATCH | Ensure Prevent users from sharing files within their profile. is set to Enabled" ansible.windows.win_regedit: path: HKU:\.DEFAULT\Software\Microsoft\Windows\Currentversion\Policies\Explorer name: NoInplaceSharing data: 1 type: dword - - name: "19.7.28.1 | PATCH | Ensure Prevent users from sharing files within their profile. is set to Enabled" + - name: "19.7.25.1 | PATCH | Ensure Prevent users from sharing files within their profile. is set to Enabled" ansible.windows.win_regedit: path: HKCU:\Software\Microsoft\Windows\Currentversion\Policies\Explorer name: NoInplaceSharing data: 1 type: dword when: - - win19cis_rule_19_7_28_1 + - win19cis_rule_19_7_25_1 tags: - level1-domaincontroller - level1-memberserver - - rule_19.7.28.1 + - rule_19.7.25.1 - patch - profiles - sharing -- name: "19.7.43.1 | PATCH | Ensure Always install with elevated privileges is set to Disabled" +- name: "19.7.40.1 | PATCH | Ensure Always install with elevated privileges is set to Disabled" block: - - name: "19.7.43.1 | PATCH | Ensure Always install with elevated privileges is set to Disabled" + - name: "19.7.40.1 | PATCH | Ensure Always install with elevated privileges is set to Disabled" ansible.windows.win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Installer name: AlwaysInstallElevated data: 0 type: dword - - name: "19.7.43.1 | PATCH | Ensure Always install with elevated privileges is set to Disabled" + - name: "19.7.40.1 | PATCH | Ensure Always install with elevated privileges is set to Disabled" ansible.windows.win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\Installer name: AlwaysInstallElevated data: 0 type: dword when: - - win19cis_rule_19_7_43_1 + - win19cis_rule_19_7_40_1 tags: - level1-domaincontroller - level1-memberserver - - rule_19.7.43.1 + - rule_19.7.40.1 - patch - permissions 
-- name: "19.7.47.2.1 | PATCH | Ensure Prevent Codec Download is set to Enabled" +- name: "19.7.42.2.1 | PATCH | Ensure Prevent Codec Download is set to Enabled" block: - - name: "19.7.47.2.1 | PATCH | Ensure Prevent Codec Download is set to Enabled" + - name: "19.7.42.2.1 | PATCH | Ensure Prevent Codec Download is set to Enabled" ansible.windows.win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windowsmediaplayer name: PreventCodecDownload data: 1 type: dword - - name: "19.7.47.2.1 | PATCH | Ensure Prevent Codec Download is set to Enabled" + - name: "19.7.42.2.1 | PATCH | Ensure Prevent Codec Download is set to Enabled" ansible.windows.win_regedit: path: HKCU:\Software\Policies\Microsoft\Windowsmediaplayer name: PreventCodecDownload data: 1 type: dword when: - - win19cis_rule_19_7_47_2_1 + - win19cis_rule_19_7_42_2_1 tags: - level2-domaincontroller - level2-memberserver - - rule_19.7.47.2.1 + - rule_19.7.42.2.1 - patch - codec From ada56abc9c60239f8f05688ba7ec0de4cae32da4 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Tue, 10 Oct 2023 16:44:28 -0400 Subject: [PATCH 04/18] Update readme - removed Galaxy badge Signed-off-by: Frederick Witty --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 49e3c65..f3d983a 100644 --- a/README.md +++ b/README.md @@ -12,7 +12,6 @@ ![followers](https://img.shields.io/github/followers/ansible-lockdown?style=social) [![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/AnsibleLockdown.svg?style=social&label=Follow%20%40AnsibleLockdown)](https://twitter.com/AnsibleLockdown) -![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/56324?label=Quality&&logo=ansible) ![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord) ![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen) From d6858338964deda0a2a71682c32f4843b2df518d Mon Sep 17 00:00:00 2001 
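Review bot: The `HKCU:` writes in this hunk, including the security-sensitive `AlwaysInstallElevated` under 19.7.40.1 and the new `DisableSpotlightCollectionOnDesktop` under 19.7.7.5, only reach the hive of the account Ansible connects as, so any other profile already present on the host keeps whatever value it had; to my understanding the `HKU:\.DEFAULT` twin is the system/default-logon hive rather than existing users' profiles. Unless a domain GPO is the expected enforcement path, a comment above the per-user blocks such as `# Per-user policy: written to the connecting account's HKCU and to HKU\.DEFAULT only; other local profiles are not touched` would stop operators from assuming host-wide coverage. Separately, the inner task name `"19.7.25.1| PATCH | …"` is missing the space before the pipe that every other name in this hunk has.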
From: Frederick Witty Date: Wed, 11 Oct 2023 11:41:15 -0400 Subject: [PATCH 05/18] Update section prelim and section1 -1 Signed-off-by: Frederick Witty --- defaults/main.yml | 1 - tasks/prelim.yml | 8 +-- tasks/section01.yml | 94 +++++++++++++------------ tasks/section01_cloud_lockout_order.yml | 41 +++++++---- 4 files changed, 82 insertions(+), 62 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index e28f27d..1e3ad51 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -59,7 +59,6 @@ win19cis_rule_1_1_5: true
 # This setting is only available within the built-in OS security template of
 # Windows 10 Release 2004 and Server 2022 (or newer). Control is Commented out for now.
 win19cis_rule_1_1_6: false
-win19cis_rule_1_1_7: true
 # We have found the order of these three tasks below varies between cloud-based instances
 # and VM-based instances locally. The task below breaks out to run in a different order
 # for cloud-based systems and local-based systems. Notes are applied in the section01.yml file.
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index dff2aa1..ce85f4e 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -22,11 +22,11 @@ tags: - always -# hvm is for amazon ami's, Hyper-V we have found for azure, kvm is used for ('QEMU', 'Amazon EC2', 'DigitalOcean', 'Google', 'Scaleway', 'Nutanix', 'KVM', 'KVM Server', 'Bochs', 'AHV') -# This list is not complete and will be updated as we try on more cloud based services. -# As of now testing is working in azure using Hyper-V. We are curently using this for reference: +# HVM is Amazon AMI's, Hyper-V is Azure's, KVM is used for ('QEMU', 'Amazon EC2', 'DigitalOcean', 'Google', 'Scaleway', 'Nutanix', 'KVM', 'KVM Server', 'Bochs', 'AHV') +# Current list is elastic and will be updated as we test more cloud based services. +# Current testing is working in Azure using Hyper-V. We are currently using this for reference: # https://github.com/ansible/ansible/blob/905131fc76a07cf89dbc8d33e7a4910da3f10a16/lib/ansible/module_utils/facts/virtual/linux.py#L205 -- name: Set Fact If Cloud Based System. +- name: Set Fact If Cloud-Based System. ansible.builtin.set_fact: win19cis_cloud_based_system: true when: diff --git a/tasks/section01.yml b/tasks/section01.yml index 0632781..176ba34 100644 --- a/tasks/section01.yml +++ b/tasks/section01.yml @@ -2,7 +2,7 @@ - name: "1.1.1 | PATCH | Ensure Enforce password history is set to 24 or more passwords." block: - - name: "1.1.1 | AUDIT | Ensure Enforce password history is set to 24 or more passwords. | Check for more then 24 saved passwords warning." + - name: "1.1.1 | AUDIT | Ensure Enforce password history is set to 24 or more passwords. | Check for more than 24 saved passwords warning." ansible.builtin.debug: msg: - "Warning!! You have an invalid number of maximum passwords set in win19cis_max_passwords_saved please read" 
@@ -12,7 +12,8 @@ win19cis_max_passwords_saved <= 23 - name: "1.1.1 | AUDIT | Ensure Enforce password history is set to 24 or more passwords. | Set warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '1.1.1' when: @@ -46,7 +47,8 @@ win19cis_maximum_password_age == 0 - name: "1.1.2 | AUDIT | Ensure Maximum password age is set to 365 or fewer days but not 0. | Set warning count." - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '1.1.2' when: @@ -72,17 +74,18 @@ - name: "1.1.3 | PATCH | Ensure Minimum password age is set to 1 or more days" block: - - name: "1.1.3 | AUDIT | Ensure Minimum password age is set to 1 or more days. | Warning check for minimim password age." + - name: "1.1.3 | AUDIT | Ensure Minimum password age is set to 1 or more days. | Warning check for minimum password age." ansible.builtin.debug: msg: - - "Warning!! You have an invalid age set for win19cis_minimum_password_age please read" + - "Warning!! You have an invalid age set for win19cis_maximum_password_age please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: - win19cis_maximum_password_age > 999 or win19cis_maximum_password_age == 0 - name: "1.1.3 | AUDIT | Ensure Minimum password age is set to 1 or more days. | Set warning count." - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '1.1.3' when: 
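Review bot: The 1.1.3 warning check still tests `win19cis_maximum_password_age > 999 or win19cis_maximum_password_age == 0`, and the rewritten message line now names that variable as well, so the control described as "Minimum password age is set to 1 or more days" warns about the maximum-age value and never validates the minimum-age variable at all; the removed message line shows `win19cis_minimum_password_age` was the intended subject. Unless the minimum-age value is validated somewhere outside this hunk, the condition on both the debug task and the `Set warning count` task should become `- win19cis_minimum_password_age < 1`, with the message restored to name `win19cis_minimum_password_age`, and the PATCH task that follows (its body lies outside this hunk) gated on the inverse. The 1.1.4 hunk directly below makes exactly this kind of variable correction for the length check, so the pattern is already established in this commit.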
@@ -113,20 +116,21 @@ msg: - "Warning!! You have an invalid length set for win19cis_minimum_password_length please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." - when: win19cis_maximum_password_age < 14 + when: win19cis_minimum_password_length < 14 - name: "1.1.4 | AUDIT | Ensure Minimum password length is set to 14 or more characters. | Set warning count." - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '1.1.4' - when: win19cis_maximum_password_age < 14 + when: win19cis_minimum_password_length < 14 - name: "1.1.4 | PATCH | Ensure Minimum password length is set to 14 or more characters. | Set Variable." community.windows.win_security_policy: section: System Access key: MinimumPasswordLength value: "{{ win19cis_minimum_password_length }}" - when: win19cis_maximum_password_age >= 14 + when: win19cis_minimum_password_length >= 14 when: - win19cis_rule_1_1_4 tags: 
@@ -163,37 +167,23 @@ - patch - password -- name: "1.1.7 | PATCH | Ensure Store passwords using reversible encryption is set to Disabled" - community.windows.win_security_policy: - section: System Access - key: ClearTextPassword - value: 0 - when: - - win19cis_rule_1_1_7 - tags: - - level1-domaincontroller - - level1-memberserver - - rule_1.1.7 - - patch - - password - -# We have found the order of tasks varies between cloud based instances and VM based instances. -# The task below loads the control group in the correct order for cloud based systems +# We have found the order of tasks varies between cloud-based instances and VM-based instances. +# The task below loads the control group in the correct order for cloud-based systems - name: “1.2.2 | PATCH | Ensure Account lockout threshold is set to 5 or fewer invalid logon attempt(s), but not 0. 1.2.1 | AUDIT | Ensure Account lockout duration is set to 15 or more minutes - 1.2.3 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes." + 1.2.4 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes." ansible.builtin.import_tasks: file: section01_cloud_lockout_order.yml when: - - win19cis_cloud_based_system + - win19cis_cloud_based_system or win2019cis_is_domain_controller or win2019cis_is_domain_member tags: - section01_cloud_lockout_order -# THE FOLLOWING 3 CONTROLS WILL FAIL UNLESS THEY ARE IN THE FOLLOWING ORDER FOR LOCAL BASED SYSTEMS -# CONTROL 1.2.2, CONTROL 1.2.3, CONTROL 1.2.1 +# THE FOLLOWING 3 CONTROLS WILL FAIL UNLESS THEY ARE IN THE FOLLOWING ORDER FOR LOCAL-BASED SYSTEMS +# CONTROL 1.2.2, CONTROL 1.2.4, CONTROL 1.2.1 - name: "1.2.2 | PATCH | Ensure Account lockout threshold is set to 5 or fewer invalid logon attempt(s), but not 0." block: - name: "1.2.2 | AUDIT | Ensure Account lockout threshold is set to 5 or fewer invalid logon attempt(s), but not 0. | Verify Variable Not 0 or more then 5 warning." 
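Review bot: This hunk deletes the `1.1.7 | PATCH | Ensure Store passwords using reversible encryption is set to Disabled` task (and the companion defaults hunk drops `win19cis_rule_1_1_7`) with no replacement visible anywhere in the series, so `ClearTextPassword` is no longer enforced; reversible-encryption storage is effectively plaintext credential storage, so unless the control was deliberately relocated it should be restored with its original `win_security_policy` body and toggle. Also worth a look: the include of `section01_cloud_lockout_order.yml` now runs when `win19cis_cloud_based_system or win2019cis_is_domain_controller or win2019cis_is_domain_member`, while the inline copies of the same lockout controls in the hunks below keep conditions that are also true for a domain-joined, non-cloud host, so such a host applies the group twice in two different orders, and the file's own comments say one of those orders fails. A comment above the include stating which hosts it serves, e.g. `# Lockout group for cloud-based and domain-joined hosts; the inline tasks below must be skipped for the same hosts`, together with inline `when` clauses of the form `not (win19cis_cloud_based_system or win2019cis_is_domain_controller or win2019cis_is_domain_member)`, would make the two paths mutually exclusive.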
@@ -206,7 +196,8 @@ win19cis_bad_login_lockout_count == 0 - name: "1.2.2 | AUDIT | Ensure Account lockout threshold is set to 5 or fewer invalid logon attempt(s), but not 0. | Set warning count." - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '1.2.2' when: @@ -223,9 +214,7 @@ - win19cis_bad_login_lockout_count > 0 when: - win19cis_rule_1_2_2 - - not win19cis_cloud_based_system or - win2019cis_is_domain_controller or - win2019cis_is_domain_member + - not win19cis_cloud_based_systema tags: - level1-domaincontroller - level1-memberserver @@ -233,9 +222,25 @@ - patch - account -- name: "1.2.3 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes." +- name: "1.2.3 | PATCH | Ensure Allow Administrator account lockout is set to Enabled" + community.windows.win_security_policy: + section: System Access + key: AllowAdministratorLockout + value: "{{ win19cis_allow_admin_account_lockout }}" + when: + - win19cis_rule_1_2_3 + - not win19cis_cloud_based_system or + win2019cis_is_domain_controller or + win2019cis_is_domain_member + tags: + - level1-memberserver + - rule_1.2.3 + - patch + - password + +- name: "1.2.4 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes." block: - - name: "1.2.3 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes. | Verify variable set to 15 or more minutes warning." + - name: "1.2.4 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes. | Verify variable set to 15 or more minutes warning." ansible.builtin.debug: msg: - "Warning!! You have an invalid number of minutes set for win19cis_account_lockout_counter_reset please read" 
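Review bot: The new 1.2.3 task reads `win19cis_allow_admin_account_lockout`, but the only defaults/main.yml change in this patch is the removal of `win19cis_rule_1_1_7`, so if `win19cis_rule_1_2_3` is enabled the play will stop on an undefined variable unless that value is defined in a hunk not shown here; the benchmark value is simply Enabled, so a literal `value: 1` (or a documented default of 1 with a range check like the sibling controls have) is safer than an unvalidated variable. To my understanding the `AllowAdministratorLockout` secedit key only exists on Server 2019 builds carrying the October 2022 cumulative update or later, so a comment such as `# Requires the Oct-2022 (or newer) cumulative update; the secedit import fails on older builds` above the task would turn a confusing failure into an expected one. The task is also tagged `password` where every other 1.2.x control in this file uses `account`.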
@@ -244,15 +249,16 @@ - win19cis_account_lockout_counter_reset > win19cis_account_lockout_duration or win19cis_account_lockout_counter_reset < 15 - - name: "1.2.3 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes. | | Set warning count." - ansible.builtin.import_tasks: warning_facts.yml + - name: "1.2.4 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes. | | Set warning count." + ansible.builtin.import_tasks: + file: warning_facts.yml vars: - warn_control_id: '1.2.3' + warn_control_id: '1.2.4' when: - win19cis_account_lockout_counter_reset > win19cis_account_lockout_duration or win19cis_account_lockout_counter_reset < 15 - - name: "1.2.3 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes. | Set Variable." + - name: "1.2.4 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes. | Set Variable." community.windows.win_security_policy: section: System Access key: ResetLockoutCount @@ -261,18 +267,17 @@ - win19cis_account_lockout_counter_reset >= 15 - win19cis_account_lockout_counter_reset <= win19cis_account_lockout_duration when: - - win19cis_rule_1_2_3 + - win19cis_rule_1_2_4 - not win19cis_cloud_based_system or win2019cis_is_domain_controller or win2019cis_is_domain_member tags: - level1-domaincontroller - level1-memberserver - - rule_1.2.3 + - rule_1.2.4 - patch - account -# Speelman | added because of this error "Failed to import secedit.ini file from C:\\Users\\vagrant\\AppData\\Local\\Temp\\tmp81F3.tmp - name: "1.2.1 | AUDIT | Ensure Account lockout duration is set to 15 or more minutes" block: - name: "1.2.1 | AUDIT | Ensure Account lockout duration is set to 15 or more minutes. | Verify variable set to 15 or more minutes warning." 
@@ -283,7 +288,8 @@ when: win19cis_account_lockout_duration < 15 - name: "1.2.1 | AUDIT | Ensure Account lockout duration is set to 15 or more minutes. | Set warning count." - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '1.2.1' when: win19cis_account_lockout_duration < 15 diff --git a/tasks/section01_cloud_lockout_order.yml b/tasks/section01_cloud_lockout_order.yml index 557f4fc..58f05db 100644 --- a/tasks/section01_cloud_lockout_order.yml +++ b/tasks/section01_cloud_lockout_order.yml @@ -1,7 +1,7 @@ --- -# THE FOLLOWING 3 CONTROLS WILL FAIL UNLESS THEY ARE IN THE FOLLOWING ORDER FOR CLOUD BASED SYSTEMS -# CONTROL 1.2.2, CONTROL 1.2.1, CONTROL 1.2.3 +# THE FOLLOWING 3 CONTROLS WILL FAIL UNLESS THEY ARE IN THE FOLLOWING ORDER FOR CLOUD-BASED SYSTEMS +# CONTROL 1.2.2, CONTROL 1.2.1, CONTROL 1.2.4 - name: "1.2.2 | PATCH | Ensure Account lockout threshold is set to 5 or fewer invalid logon attempt(s), but not 0." block: - name: "1.2.2 | AUDIT | Ensure Account lockout threshold is set to 5 or fewer invalid logon attempt(s), but not 0. | Verify Variable Not 0 or more then 5 warning." @@ -14,7 +14,8 @@ win19cis_bad_login_lockout_count == 0 - name: "1.2.2 | AUDIT | Ensure Account lockout threshold is set to 5 or fewer invalid logon attempt(s), but not 0. | Set warning count." - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '1.2.2' when: @@ -38,7 +39,6 @@ - patch - account -# Speelman | added because of this error "Failed to import secedit.ini file from C:\\Users\\vagrant\\AppData\\Local\\Temp\\tmp81F3.tmp - name: "1.2.1 | AUDIT | Ensure Account lockout duration is set to 15 or more minutes" block: - name: "1.2.1 | AUDIT | Ensure Account lockout duration is set to 15 or more minutes. | Verify variable set to 15 or more minutes warning." 
@@ -50,7 +50,8 @@ - win19cis_account_lockout_duration < 15 - name: "1.2.1 | AUDIT | Ensure Account lockout duration is set to 15 or more minutes. | Set warning count." - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '1.2.1' when: @@ -72,9 +73,22 @@ - patch - account -- name: "1.2.3 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes." +- name: "1.2.3 | PATCH | Ensure Allow Administrator account lockout is set to Enabled" + community.windows.win_security_policy: + section: System Access + key: AllowAdministratorLockout + value: "{{ win19cis_allow_admin_account_lockout }}" + when: + - win19cis_rule_1_2_3 + tags: + - level1-memberserver + - rule_1.2.3 + - patch + - password + +- name: "1.2.4 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes." block: - - name: "1.2.3 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes. | Verify variable set to 15 or more minutes warning." + - name: "1.2.4 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes. | Verify variable set to 15 or more minutes warning." ansible.builtin.debug: msg: - "Warning!! You have an invalid number of minutes set for win19cis_account_lockout_counter_reset please read" 
@@ -83,15 +97,16 @@ - win19cis_account_lockout_counter_reset > win19cis_account_lockout_duration or win19cis_account_lockout_counter_reset < 15 - - name: "1.2.3 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes. | | Set warning count." - ansible.builtin.import_tasks: warning_facts.yml + - name: "1.2.4 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes. | | Set warning count." + ansible.builtin.import_tasks: + file: warning_facts.yml vars: - warn_control_id: '1.2.3' + warn_control_id: '1.2.4' when: - win19cis_account_lockout_counter_reset > win19cis_account_lockout_duration or win19cis_account_lockout_counter_reset < 15 - - name: "1.2.3 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes. | Set Variable." + - name: "1.2.4 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes. | Set Variable." community.windows.win_security_policy: section: System Access key: ResetLockoutCount @@ -100,10 +115,10 @@ - win19cis_account_lockout_counter_reset >= 15 - win19cis_account_lockout_counter_reset <= win19cis_account_lockout_duration when: - - win19cis_rule_1_2_3 + - win19cis_rule_1_2_4 tags: - level1-domaincontroller - level1-memberserver - - rule_1.2.3 + - rule_1.2.4 - patch - account From b696e560612c2c09dd10b1d7322bd57e04f91b73 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Wed, 11 Oct 2023 11:47:47 -0400 Subject: [PATCH 06/18] Update section section5 -1 Signed-off-by: Frederick Witty --- tasks/section05.yml | 27 ++++++++++++++++++++------- 1 file changed, 20 insertions(+), 7 deletions(-) diff --git a/tasks/section05.yml b/tasks/section05.yml index 973982d..6ccaf15 100644 --- a/tasks/section05.yml +++ b/tasks/section05.yml 
@@ -1,13 +1,26 @@ --- - name: | - "5.1 | PATCH | Ensure Print Spooler (Spooler) is set to Disabled - 5.2 | PATCH | Ensure 'Print Spooler (Spooler) is set to Disabled" - ansible.windows.win_regedit: - path: HKLM:\SYSTEM\CurrentControlSet\Services\Spooler - name: Start - data: 4 - type: dword + "5.1 | PATCH | Ensure Print Spooler (Spooler) is set to Disabled Domain Controller & + 5.2 | PATCH | Ensure Print Spooler (Spooler) is set to Disabled Member Server" + block: + - name: "5.1 & 5.2 | PATCH | Ensure Print Spooler (Spooler) is set to Disabled | Check to see if Spooler service exists." + ansible.windows.win_service_info: + name: Spooler + register: spooler_service_info + - name: "5.1 & 5.2 | PATCH | Ensure Print Spooler (Spooler) is set to Disabled | RegEdit" + ansible.windows.win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Services\Spooler + name: Start + data: 4 + type: dword + - name: "5.1 & 5.2 | PATCH | Ensure Print Spooler (Spooler) is set to Disabled | Service" + ansible.windows.win_service: + name: Spooler + start_mode: disabled + state: stopped + when: spooler_service_info.exists + notify: reboot_windows when: - win19cis_rule_5_1 or win19cis_rule_5_2 From 9c8754c881e6f70de602e5dc542f15730b8d29fb Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 12 Oct 2023 08:13:53 -0400 Subject: [PATCH 07/18] Update section1 -1.2.2 Signed-off-by: Frederick Witty --- tasks/section01.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section01.yml b/tasks/section01.yml index 176ba34..a5e3b0a 100644 --- a/tasks/section01.yml +++ b/tasks/section01.yml @@ -214,7 +214,7 @@ - win19cis_bad_login_lockout_count > 0 when: - win19cis_rule_1_2_2 - - not win19cis_cloud_based_systema + - not win19cis_cloud_based_system tags: - level1-domaincontroller - level1-memberserver From 60cfda78c4cfa3d68881b7247d02232fa613c8e9 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 12 Oct 2023 08:37:22 -0400 Subject: [PATCH 08/18] Update section 1.2.3 -1 
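Review bot: The `win_regedit` step that forces `Start = 4` still runs unconditionally while only the `win_service` step is gated on `spooler_service_info.exists`, so on a host without a Spooler service the task creates an orphan `HKLM:\SYSTEM\CurrentControlSet\Services\Spooler` key holding just `Start`; either add the same `when: spooler_service_info.exists` to the regedit task or drop it, since `win_service` with `start_mode: disabled` should persist the same startup type. The `notify: reboot_windows` on the block fires whenever either task reports changed, which is every first run; a comment stating why a reboot is wanted after a service that `state: stopped` already halts, or narrowing the notify to the regedit task, would make the intent clear. The block's `tags` lie outside this hunk.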
Signed-off-by: Frederick Witty --- tasks/section01.yml | 39 ++++++++++++++++++++------------------- 1 file changed, 20 insertions(+), 19 deletions(-) diff --git a/tasks/section01.yml b/tasks/section01.yml index a5e3b0a..d2ac6a8 100644 --- a/tasks/section01.yml +++ b/tasks/section01.yml @@ -171,7 +171,8 @@ # The task below loads the control group in the correct order for cloud-based systems - name: “1.2.2 | PATCH | Ensure Account lockout threshold is set to 5 or fewer invalid logon attempt(s), but not 0. - 1.2.1 | AUDIT | Ensure Account lockout duration is set to 15 or more minutes + 1.2.1 | PATCH | Ensure Account lockout duration is set to 15 or more minutes + 1.2.3 | PATCH | Ensure Allow Administrator account lockout is set to Enabled 1.2.4 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes." ansible.builtin.import_tasks: file: section01_cloud_lockout_order.yml @@ -183,7 +184,7 @@ - section01_cloud_lockout_order # THE FOLLOWING 3 CONTROLS WILL FAIL UNLESS THEY ARE IN THE FOLLOWING ORDER FOR LOCAL-BASED SYSTEMS -# CONTROL 1.2.2, CONTROL 1.2.4, CONTROL 1.2.1 +# CONTROL 1.2.2, CONTROL 1.2.4, CONTROL 1.2.1, CONTROL 1.2.3 - name: "1.2.2 | PATCH | Ensure Account lockout threshold is set to 5 or fewer invalid logon attempt(s), but not 0." block: - name: "1.2.2 | AUDIT | Ensure Account lockout threshold is set to 5 or fewer invalid logon attempt(s), but not 0. | Verify Variable Not 0 or more then 5 warning." 
@@ -222,22 +223,6 @@ - patch - account -- name: "1.2.3 | PATCH | Ensure Allow Administrator account lockout is set to Enabled" - community.windows.win_security_policy: - section: System Access - key: AllowAdministratorLockout - value: "{{ win19cis_allow_admin_account_lockout }}" - when: - - win19cis_rule_1_2_3 - - not win19cis_cloud_based_system or - win2019cis_is_domain_controller or - win2019cis_is_domain_member - tags: - - level1-memberserver - - rule_1.2.3 - - patch - - password - - name: "1.2.4 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes." block: - name: "1.2.4 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes. | Verify variable set to 15 or more minutes warning." @@ -278,7 +263,7 @@ - patch - account -- name: "1.2.1 | AUDIT | Ensure Account lockout duration is set to 15 or more minutes" +- name: "1.2.1 | PATCH | Ensure Account lockout duration is set to 15 or more minutes" block: - name: "1.2.1 | AUDIT | Ensure Account lockout duration is set to 15 or more minutes. | Verify variable set to 15 or more minutes warning." ansible.builtin.debug: @@ -311,3 +296,19 @@ - rule_1.2.1 - patch - account + +- name: "1.2.3 | PATCH | Ensure Allow Administrator account lockout is set to Enabled" + community.windows.win_security_policy: + section: System Access + key: AllowAdministratorLockout + value: "{{ win19cis_allow_admin_account_lockout }}" + when: + - win19cis_rule_1_2_3 + - not win19cis_cloud_based_system or + win2019cis_is_domain_controller or + win2019cis_is_domain_member + tags: + - level1-memberserver + - rule_1.2.3 + - patch + - password From d9a994b036a02f26d27ad52724487dc741b98133 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 12 Oct 2023 08:39:41 -0400 Subject: [PATCH 09/18] Update section 1.2.3 -2 Signed-off-by: Frederick Witty --- tasks/section01.yml | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) 
diff --git a/tasks/section01.yml b/tasks/section01.yml index d2ac6a8..ebead63 100644 --- a/tasks/section01.yml +++ b/tasks/section01.yml @@ -184,7 +184,23 @@ - section01_cloud_lockout_order # THE FOLLOWING 3 CONTROLS WILL FAIL UNLESS THEY ARE IN THE FOLLOWING ORDER FOR LOCAL-BASED SYSTEMS -# CONTROL 1.2.2, CONTROL 1.2.4, CONTROL 1.2.1, CONTROL 1.2.3 +# CONTROL CONTROL 1.2.3, 1.2.2, CONTROL 1.2.4, CONTROL 1.2.1 +- name: "1.2.3 | PATCH | Ensure Allow Administrator account lockout is set to Enabled" + community.windows.win_security_policy: + section: System Access + key: AllowAdministratorLockout + value: "{{ win19cis_allow_admin_account_lockout }}" + when: + - win19cis_rule_1_2_3 + - not win19cis_cloud_based_system or + win2019cis_is_domain_controller or + win2019cis_is_domain_member + tags: + - level1-memberserver + - rule_1.2.3 + - patch + - password + - name: "1.2.2 | PATCH | Ensure Account lockout threshold is set to 5 or fewer invalid logon attempt(s), but not 0." block: - name: "1.2.2 | AUDIT | Ensure Account lockout threshold is set to 5 or fewer invalid logon attempt(s), but not 0. | Verify Variable Not 0 or more then 5 warning." @@ -296,19 +312,3 @@ - rule_1.2.1 - patch - account - -- name: "1.2.3 | PATCH | Ensure Allow Administrator account lockout is set to Enabled" - community.windows.win_security_policy: - section: System Access - key: AllowAdministratorLockout - value: "{{ win19cis_allow_admin_account_lockout }}" - when: - - win19cis_rule_1_2_3 - - not win19cis_cloud_based_system or - win2019cis_is_domain_controller or - win2019cis_is_domain_member - tags: - - level1-memberserver - - rule_1.2.3 - - patch - - password From 274b95e5d78f0e970feb7d9b7f85dfc673513b1c Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 12 Oct 2023 11:44:30 -0400 Subject: [PATCH 10/18] Update section 2.3.1.6-1 Signed-off-by: Frederick Witty --- defaults/main.yml | 1 + 1 file changed, 1 insertion(+) 
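Review bot: The updated order comment reads `# CONTROL CONTROL 1.2.3, 1.2.2, CONTROL 1.2.4, CONTROL 1.2.1` under a heading that still says "THE FOLLOWING 3 CONTROLS", so the one line meant to protect this ordering is itself garbled; make it `# THE FOLLOWING 4 CONTROLS WILL FAIL UNLESS THEY ARE IN THE FOLLOWING ORDER FOR LOCAL-BASED SYSTEMS` / `# CONTROL 1.2.3, CONTROL 1.2.2, CONTROL 1.2.4, CONTROL 1.2.1`. 1.2.3 has now moved from the end of the group (PATCH 08) to the front, and `section01_cloud_lockout_order.yml` places it between 1.2.1 and 1.2.4, so a one-line note on why `AllowAdministratorLockout` must precede the threshold (presumably the secedit error that prompted the move) would stop the next contributor from reordering it again.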
diff --git a/defaults/main.yml b/defaults/main.yml index 1e3ad51..9f11812 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -123,6 +123,7 @@ win19cis_rule_2_3_1_4: true # Setting win19cis_rule_2_3_1_5 Control To True Will Break Ansible Connection # Setting win_skip_for_test: true -- will skip the controls here even if they are set to true. win19cis_rule_2_3_1_5: true +win19cis_rule_2_3_1_6: true win19cis_rule_2_3_2_1: true win19cis_rule_2_3_2_2: true win19cis_rule_2_3_4_1: true From 78e1fd4da87f812df66147201b857b1bcf39ccb4 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 12 Oct 2023 11:54:33 -0400 Subject: [PATCH 11/18] Update section 18 -update Signed-off-by: Frederick Witty --- tasks/section18.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/tasks/section18.yml b/tasks/section18.yml index 8abbfb5..2ebd753 100644 --- a/tasks/section18.yml +++ b/tasks/section18.yml @@ -603,7 +603,7 @@ type: dword when: - win19cis_rule_18_6_4_3 - - win2022cis_is_domain_member + - win2019cis_is_domain_member tags: - level1-domaincontroller - level1-memberserver @@ -902,7 +902,7 @@ type: dword when: - win19cis_rule_18_6_21_2 - - win2022cis_is_domain_member + - win2019cis_is_domain_member tags: - level2-memberserver - rule_18.6.21.2 @@ -1225,7 +1225,7 @@ type: dword when: - win19cis_rule_18_9_5_5 - - win2022cis_is_domain_member + - win2019cis_is_domain_member tags: - ngws-memberserver - rule_18.9.5.5 @@ -1240,7 +1240,7 @@ type: dword when: - win19cis_rule_18_9_5_6 - - win2022cis_is_domain_controller + - win2019cis_is_domain_controller tags: - ngws-domaincontroller - rule_18.9.5.6 @@ -1694,7 +1694,7 @@ type: dword when: - win19cis_rule_18_9_27_4 - - win2022cis_is_domain_member + - win2019cis_is_domain_member tags: - level1-memberserver - rule_18.9.27.4 @@ -1874,7 +1874,7 @@ type: dword when: - win19cis_rule_18_9_35_1 - - win2022cis_is_domain_member + - win2019cis_is_domain_member tags: - level1-memberserver - rule_18.9.35.1 
@@ -1889,7 +1889,7 @@
type: dword
when:
- win19cis_rule_18_9_35_2
- - win2022cis_is_domain_member
+ - win2019cis_is_domain_member
tags:
- level2-memberserver
- rule_18.9.35.2
@@ -1979,7 +1979,7 @@
type: dword
when:
- win19cis_rule_18_9_50_1_2
- - win2022cis_is_domain_member
+ - win2019cis_is_domain_member
tags:
- level2-memberserver
- rule_18.9.50.1.2
From 87641f2a0a9139ea22ee8983ea209ab8ef892b84 Mon Sep 17 00:00:00 2001
From: Frederick Witty
Date: Thu, 12 Oct 2023 12:21:35 -0400
Subject: [PATCH 12/18] Update section 09+17 -1
Signed-off-by: Frederick Witty
---
tasks/section09.yml | 11 ++++++----
tasks/section17.yml | 50 ++++++++++++++++++++++-----------------------
2 files changed, 32 insertions(+), 29 deletions(-)
diff --git a/tasks/section09.yml b/tasks/section09.yml
index ed1c391..5da8cf1 100644
--- a/tasks/section09.yml
+++ b/tasks/section09.yml
@@ -91,7 +91,8 @@
when: win19cis_domain_firewall_log_size < 16384
- name: "9.1.6 | AUDIT | Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater' | Warn Count."
- ansible.builtin.import_tasks: warning_facts.yml
+ ansible.builtin.import_tasks:
+ file: warning_facts.yml
vars:
warn_control_id: '9.1.6'
when: win19cis_domain_firewall_log_size < 16384
@@ -140,7 +141,7 @@
tags:
- level1-domaincontroller
- level1-memberserver
- - rule_9.1.7
+ - rule_9.1.8
- patch
- firewall
- domain
@@ -236,7 +237,8 @@
when: win19cis_private_firewall_log_size < 16384
- name: "9.2.6 | AUDIT | Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater' | Warn Count."
- ansible.builtin.import_tasks: warning_facts.yml
+ ansible.builtin.import_tasks:
+ file: warning_facts.yml
vars:
warn_control_id: '9.2.6'
when: win19cis_private_firewall_log_size < 16384
@@ -414,7 +416,8 @@
when: win19cis_public_firewall_log_size < 16384
- name: "9.3.8 | AUDIT | Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater' | Warn Count."
- ansible.builtin.import_tasks: warning_facts.yml
+ ansible.builtin.import_tasks:
+ file: warning_facts.yml
vars:
warn_control_id: '9.3.8'
when: win19cis_public_firewall_log_size < 16384
diff --git a/tasks/section17.yml b/tasks/section17.yml
index d423f69..83007f8 100644
--- a/tasks/section17.yml
+++ b/tasks/section17.yml
@@ -24,20 +24,20 @@
- rule_17.1.1
- patch
-- name: "17.1.2 | PATCH | Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only"
+- name: "17.1.2 | PATCH | Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only | Domain Controller"
block:
- - name: "17.1.2 | AUDIT | Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only | Get current audit events."
+ - name: "17.1.2 | AUDIT | Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only | Get current audit events | Domain Controller"
ansible.windows.win_shell: AuditPol /get /subcategory:"Kerberos Authentication Service" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_1_2_audit
- - name: "17.1.2 | PATCH | Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only | Success"
+ - name: "17.1.2 | PATCH | Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only | Success | Domain Controller"
ansible.windows.win_shell: AuditPol /set /subcategory:"Kerberos Authentication Service" /success:enable
when: "'Success' not in rule_17_1_2_audit.stdout"
- - name: "17.1.2 | PATCH | Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only | Failure"
+ - name: "17.1.2 | PATCH | Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only | Failure | Domain Controller"
ansible.windows.win_shell: AuditPol /set /subcategory:"Kerberos Authentication Service" /failure:enable
when: "'Failure' not in rule_17_1_2_audit.stdout"
when:
@@ -69,7 +69,7 @@
- ansible_windows_domain_role == "Primary domain controller"
tags:
- level1-domaincontroller
- - rule_17.1.2
+ - rule_17.1.3
- patch
- name: "17.2.1 | PATCH | Ensure Audit Application Group Management is set to Success and Failure"
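Review bot: The condition shown as context at the top of the second hunk, `ansible_windows_domain_role == "Primary domain controller"`, matches only the one DC that Windows reports with that role string; as far as I know the other domain controllers in a domain report `Backup domain controller` and would skip this audit-policy control entirely. Hunk 241 of this same file switches 17.4.1 to `- win2019cis_is_domain_controller`, so the same replacement belongs here and on the 17.2.x and 17.4.2 blocks, whose `when` lists lie outside their hunks. The retag `rule_17.1.2` to `rule_17.1.3` in the second hunk is only right if the task at line 69 is indeed 17.1.3; its name is outside the hunk, so please confirm it before merging.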
@@ -96,16 +96,16 @@
- rule_17.2.1
- patch
-- name: "17.2.2 | PATCH | Ensure Audit Computer Account Management is set to include Success DC only"
+- name: "17.2.2 | PATCH | Ensure Audit Computer Account Management is set to include Success DC only | Domain Controller"
block:
- - name: "17.2.2 | AUDIT | Ensure Audit Computer Account Management is set to include Success DC only | Get current audit events."
+ - name: "17.2.2 | AUDIT | Ensure Audit Computer Account Management is set to include Success DC only | Get current audit events | Domain Controller"
ansible.windows.win_shell: AuditPol /get /subcategory:"Computer Account Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_2_2_audit
- - name: "17.2.2 | PATCH | Ensure Audit Computer Account Management is set to include Success DC only | Success"
+ - name: "17.2.2 | PATCH | Ensure Audit Computer Account Management is set to include Success DC only | Success | Domain Controller"
ansible.windows.win_shell: AuditPol /set /subcategory:"Computer Account Management" /success:enable
changed_when: "'Success' not in rule_17_2_2_audit.stdout"
when: "'Success' not in rule_17_2_2_audit.stdout"
@@ -117,16 +117,16 @@
- rule_17.2.2
- patch
-- name: "17.2.3 | PATCH | Ensure Audit Distribution Group Management is set to include Success DC only"
+- name: "17.2.3 | PATCH | Ensure Audit Distribution Group Management is set to include Success DC only | Domain Controller"
block:
- - name: "17.2.3 | AUDIT | Ensure Audit Distribution Group Management is set to include Success DC only | Get current audit events."
+ - name: "17.2.3 | AUDIT | Ensure Audit Distribution Group Management is set to include Success DC only | Get current audit events | Domain Controller"
ansible.windows.win_shell: AuditPol /get /subcategory:"Distribution Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_2_3_audit
- - name: "17.2.3 | PATCH | Ensure Audit Distribution Group Management is set to include Success DC only | Success"
+ - name: "17.2.3 | PATCH | Ensure Audit Distribution Group Management is set to include Success DC only | Success | Domain Controller"
ansible.windows.win_shell: AuditPol /set /subcategory:"Distribution Group Management" /success:enable
when: "'Success' not in rule_17_2_3_audit.stdout"
when:
@@ -137,16 +137,16 @@
- rule_17.2.3
- patch
-- name: "17.2.4 | PATCH | Ensure Audit Other Account Management Events is set to include Success DC only"
+- name: "17.2.4 | PATCH | Ensure Audit Other Account Management Events is set to include Success DC only | Domain Controller"
block:
- - name: "17.2.4 | AUDIT | Ensure Audit Other Account Management Events is set to include Success DC only | Get current audit events."
+ - name: "17.2.4 | AUDIT | Ensure Audit Other Account Management Events is set to include Success DC only | Get current audit events| Domain Controller"
ansible.windows.win_shell: AuditPol /get /subcategory:"Other Account Management Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_2_4_audit
- - name: "17.2.4 | PATCH | Ensure Audit Other Account Management Events is set to include Success DC only | Success"
+ - name: "17.2.4 | PATCH | Ensure Audit Other Account Management Events is set to include Success DC only | Success | Domain Controller"
ansible.windows.win_shell: AuditPol /set /subcategory:"Other Account Management Events" /success:enable
when: "'Success' not in rule_17_2_4_audit.stdout"
when:
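Review bot: The new AUDIT task name for 17.2.4 is missing the space before the last separator, `Get current audit events| Domain Controller`, unlike the matching lines added for 17.2.2 and 17.2.3 in the two hunks above; change it to `... | Get current audit events | Domain Controller` so the names stay grep-able by the same pattern.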
@@ -241,36 +241,36 @@
- rule_17.3.2
- patch
-- name: "17.4.1 | PATCH | Ensure Audit Directory Service Access is set to include Failure DC only"
+- name: "17.4.1 | PATCH | Ensure Audit Directory Service Access is set to include Failure DC only | Domain Controller"
block:
- - name: "17.4.1 | AUDIT | Ensure Audit Directory Service Access is set to include Failure DC only | Get current audit events."
+ - name: "17.4.1 | AUDIT | Ensure Audit Directory Service Access is set to include Failure DC only | Get current audit events | Domain Controller"
ansible.windows.win_shell: AuditPol /get /subcategory:"Directory Service Access" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_4_1_audit
- - name: "17.4.1 | PATCH | Ensure Audit Directory Service Access is set to include Failure DC only | Failure"
+ - name: "17.4.1 | PATCH | Ensure Audit Directory Service Access is set to include Failure DC only | Failure | Domain Controller"
ansible.windows.win_shell: AuditPol /set /subcategory:"Directory Service Access" /failure:enable
when: "'Failure' not in rule_17_4_1_audit.stdout"
when:
- win19cis_rule_17_4_1
- - ansible_windows_domain_role == "Primary domain controller"
+ - win2019cis_is_domain_controller
tags:
- level1-domaincontroller
- rule_17.4.1
- patch
-- name: "17.4.2 | PATCH | Ensure Audit Directory Service Changes is set to include Success DC only"
+- name: "17.4.2 | PATCH | Ensure Audit Directory Service Changes is set to include Success DC only | Domain Controller"
block:
- - name: "17.4.2 | AUDIT | Ensure Audit Directory Service Changes is set to include Success DC only | Get current audit events."
+ - name: "17.4.2 | AUDIT | Ensure Audit Directory Service Changes is set to include Success DC only | Get current audit events | Domain Controller"
ansible.windows.win_shell: AuditPol /get /subcategory:"Directory Service Changes" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_4_2_audit
- - name: "17.4.2 | PATCH | Ensure Audit Directory Service Changes is set to include Success DC only | Success"
+ - name: "17.4.2 | PATCH | Ensure Audit Directory Service Changes is set to include Success DC only | Success | Domain Controller"
ansible.windows.win_shell: AuditPol /set /subcategory:"Directory Service Changes" /success:enable
when: "'Success' not in rule_17_4_2_audit.stdout"
when:
@@ -365,20 +365,20 @@
- rule_17.5.4
- patch
-- name: "17.5.5 | PATCH | Ensure Audit Other LogonLogoff Events is set to Success and Failure"
+- name: "17.5.5 | PATCH | Ensure Audit Other Logon,Logoff Events is set to Success and Failure"
block:
- - name: "17.5.5 | AUDIT | Ensure Audit Other LogonLogoff Events is set to Success and Failurr | Get current audit events."
+ - name: "17.5.5 | AUDIT | Ensure Audit Other Logon,Logoff Events is set to Success and Failurr | Get current audit events."
ansible.windows.win_shell: AuditPol /get /subcategory:"Other Logon/Logoff Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_5_5_audit
- - name: "17.5.5 | PATCH | Ensure Audit Other LogonLogoff Events is set to Success and Failure | Success"
+ - name: "17.5.5 | PATCH | Ensure Audit Other Logon,Logoff Events is set to Success and Failure | Success"
ansible.windows.win_shell: AuditPol /set /subcategory:"Other Logon/Logoff Events" /success:enable
when: "'Success' not in rule_17_5_5_audit.stdout"
- - name: "17.5.5 | PATCH | Ensure Audit Other LogonLogoff Events is set to Success and Failure | Failure"
+ - name: "17.5.5 | PATCH | Ensure Audit Other Logon,Logoff Events is set to Success and Failure | Failure"
ansible.windows.win_shell: AuditPol /set /subcategory:"Other Logon/Logoff Events" /failure:enable
when: "'Failure' not in rule_17_5_5_audit.stdout"
when:
From 21ae403f114e255316fb8d43fae7e72fac7cfb0a Mon Sep 17 00:00:00 2001
From: Frederick Witty
Date: Thu, 12 Oct 2023 12:43:47 -0400
Subject: [PATCH 13/18] Update section 1.2.3 -1
Signed-off-by: Frederick Witty
---
tasks/section01.yml | 35 ++++++++++++++++++-----------------
1 file changed, 18 insertions(+), 17 deletions(-)
diff --git a/tasks/section01.yml b/tasks/section01.yml
index ebead63..57ca5f0 100644
--- a/tasks/section01.yml
+++ b/tasks/section01.yml
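Review bot: The retouched AUDIT name for 17.5.5 carries the old typo forward, `is set to Success and Failurr | Get current audit events.`; while the line is being rewritten anyway, make it `... is set to Success and Failure | Get current audit events.`. The four task names now say `Other Logon,Logoff Events` while the `AuditPol` subcategory on the lines below is `Other Logon/Logoff Events`; if the comma is deliberate, a short comment above the block such as `# comma in the name is intentional; the AuditPol subcategory is "Other Logon/Logoff Events"` would stop the next editor from "correcting" one side and not the other. The block's closing `when:` list is outside the hunk.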
@@ -183,23 +183,8 @@
tags:
- section01_cloud_lockout_order
-# THE FOLLOWING 3 CONTROLS WILL FAIL UNLESS THEY ARE IN THE FOLLOWING ORDER FOR LOCAL-BASED SYSTEMS
-# CONTROL CONTROL 1.2.3, 1.2.2, CONTROL 1.2.4, CONTROL 1.2.1
-- name: "1.2.3 | PATCH | Ensure Allow Administrator account lockout is set to Enabled"
- community.windows.win_security_policy:
- section: System Access
- key: AllowAdministratorLockout
- value: "{{ win19cis_allow_admin_account_lockout }}"
- when:
- - win19cis_rule_1_2_3
- - not win19cis_cloud_based_system or
- win2019cis_is_domain_controller or
- win2019cis_is_domain_member
- tags:
- - level1-memberserver
- - rule_1.2.3
- - patch
- - password
+# THE FOLLOWING 4 CONTROLS WILL FAIL UNLESS THEY ARE IN THE FOLLOWING ORDER FOR LOCAL-BASED SYSTEMS
+# CONTROL 1.2.2, CONTROL 1.2.4, CONTROL 1.2.1, CONTROL 1.2.3
- name: "1.2.2 | PATCH | Ensure Account lockout threshold is set to 5 or fewer invalid logon attempt(s), but not 0."
block:
@@ -312,3 +297,19 @@
- rule_1.2.1
- patch
- account
+
+- name: "1.2.3 | PATCH | Ensure Allow Administrator account lockout is set to Enabled"
+ community.windows.win_security_policy:
+ section: System Access
+ key: AllowAdministratorLockout
+ value: "{{ win19cis_allow_admin_account_lockout }}"
+ when:
+ - win19cis_rule_1_2_3
+ - not win19cis_cloud_based_system or
+ win2019cis_is_domain_controller or
+ win2019cis_is_domain_member
+ tags:
+ - level1-memberserver
+ - rule_1.2.3
+ - patch
+ - password
From 516f1ad331a6f20ba845816acd96d414da1e0f71 Mon Sep 17 00:00:00 2001
From: Frederick Witty
Date: Thu, 12 Oct 2023 12:46:51 -0400
Subject: [PATCH 14/18] Update section 1.2.3 -2
Signed-off-by: Frederick Witty
---
tasks/section01.yml | 32 ++++++++++++++++----------------
1 file changed, 16 insertions(+), 16 deletions(-)
diff --git a/tasks/section01.yml b/tasks/section01.yml
index 57ca5f0..05b4dd5 100644
--- a/tasks/section01.yml
+++ b/tasks/section01.yml
@@ -224,6 +224,22 @@
- patch
- account
+- name: "1.2.3 | PATCH | Ensure Allow Administrator account lockout is set to Enabled"
+ community.windows.win_security_policy:
+ section: System Access
+ key: AllowAdministratorLockout
+ value: "{{ win19cis_allow_admin_account_lockout }}"
+ when:
+ - win19cis_rule_1_2_3
+ - not win19cis_cloud_based_system or
+ win2019cis_is_domain_controller or
+ win2019cis_is_domain_member
+ tags:
+ - level1-memberserver
+ - rule_1.2.3
+ - patch
+ - password
+
- name: "1.2.4 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes."
block:
- name: "1.2.4 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes. | Verify variable set to 15 or more minutes warning."
@@ -297,19 +313,3 @@
- rule_1.2.1
- patch
- account
-
-- name: "1.2.3 | PATCH | Ensure Allow Administrator account lockout is set to Enabled"
- community.windows.win_security_policy:
- section: System Access
- key: AllowAdministratorLockout
- value: "{{ win19cis_allow_admin_account_lockout }}"
- when:
- - win19cis_rule_1_2_3
- - not win19cis_cloud_based_system or
- win2019cis_is_domain_controller or
- win2019cis_is_domain_member
- tags:
- - level1-memberserver
- - rule_1.2.3
- - patch
- - password
From 50ceecd430c041f3b037709fb8a691a7b4da7370 Mon Sep 17 00:00:00 2001
From: Frederick Witty
Date: Thu, 12 Oct 2023 13:09:15 -0400
Subject: [PATCH 15/18] Update section 1.2.3 -3
Signed-off-by: Frederick Witty
---
tasks/section01.yml | 32 ++++++++++++++++----------------
1 file changed, 16 insertions(+), 16 deletions(-)
diff --git a/tasks/section01.yml b/tasks/section01.yml
index 05b4dd5..3561fdc 100644
--- a/tasks/section01.yml
+++ b/tasks/section01.yml
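Review bot: Patches 14, 15 and 16 only move the 1.2.3 task up and down tasks/section01.yml and cancel each other out: the `index` lines run 57ca5f0..05b4dd5, 05b4dd5..3561fdc and 3561fdc..57ca5f0, so after patch 16 the file is byte-identical to what patch 13 produced. Three no-op commits make `git blame` and bisect noisier for a file whose task order is documented as load-bearing ("WILL FAIL UNLESS THEY ARE IN THE FOLLOWING ORDER"); squash them away, or into patch 17, before merging.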
@@ -224,22 +224,6 @@
- patch
- account
-- name: "1.2.3 | PATCH | Ensure Allow Administrator account lockout is set to Enabled"
- community.windows.win_security_policy:
- section: System Access
- key: AllowAdministratorLockout
- value: "{{ win19cis_allow_admin_account_lockout }}"
- when:
- - win19cis_rule_1_2_3
- - not win19cis_cloud_based_system or
- win2019cis_is_domain_controller or
- win2019cis_is_domain_member
- tags:
- - level1-memberserver
- - rule_1.2.3
- - patch
- - password
-
- name: "1.2.4 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes."
block:
- name: "1.2.4 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes. | Verify variable set to 15 or more minutes warning."
@@ -280,6 +264,22 @@
- patch
- account
+- name: "1.2.3 | PATCH | Ensure Allow Administrator account lockout is set to Enabled"
+ community.windows.win_security_policy:
+ section: System Access
+ key: AllowAdministratorLockout
+ value: "{{ win19cis_allow_admin_account_lockout }}"
+ when:
+ - win19cis_rule_1_2_3
+ - not win19cis_cloud_based_system or
+ win2019cis_is_domain_controller or
+ win2019cis_is_domain_member
+ tags:
+ - level1-memberserver
+ - rule_1.2.3
+ - patch
+ - password
+
- name: "1.2.1 | PATCH | Ensure Account lockout duration is set to 15 or more minutes"
block:
- name: "1.2.1 | AUDIT | Ensure Account lockout duration is set to 15 or more minutes. | Verify variable set to 15 or more minutes warning."
From fb29c3894bb83c0ba8246a0559554d32ccbe22cb Mon Sep 17 00:00:00 2001
From: Frederick Witty
Date: Thu, 12 Oct 2023 13:12:11 -0400
Subject: [PATCH 16/18] Update section 1.2.3 -4
Signed-off-by: Frederick Witty
---
tasks/section01.yml | 32 ++++++++++++++++----------------
1 file changed, 16 insertions(+), 16 deletions(-)
diff --git a/tasks/section01.yml b/tasks/section01.yml
index 3561fdc..57ca5f0 100644
--- a/tasks/section01.yml
+++ b/tasks/section01.yml
@@ -264,22 +264,6 @@
- patch
- account
-- name: "1.2.3 | PATCH | Ensure Allow Administrator account lockout is set to Enabled"
- community.windows.win_security_policy:
- section: System Access
- key: AllowAdministratorLockout
- value: "{{ win19cis_allow_admin_account_lockout }}"
- when:
- - win19cis_rule_1_2_3
- - not win19cis_cloud_based_system or
- win2019cis_is_domain_controller or
- win2019cis_is_domain_member
- tags:
- - level1-memberserver
- - rule_1.2.3
- - patch
- - password
-
- name: "1.2.1 | PATCH | Ensure Account lockout duration is set to 15 or more minutes"
block:
- name: "1.2.1 | AUDIT | Ensure Account lockout duration is set to 15 or more minutes. | Verify variable set to 15 or more minutes warning."
@@ -313,3 +297,19 @@
- rule_1.2.1
- patch
- account
+
+- name: "1.2.3 | PATCH | Ensure Allow Administrator account lockout is set to Enabled"
+ community.windows.win_security_policy:
+ section: System Access
+ key: AllowAdministratorLockout
+ value: "{{ win19cis_allow_admin_account_lockout }}"
+ when:
+ - win19cis_rule_1_2_3
+ - not win19cis_cloud_based_system or
+ win2019cis_is_domain_controller or
+ win2019cis_is_domain_member
+ tags:
+ - level1-memberserver
+ - rule_1.2.3
+ - patch
+ - password
From b7adf47cad4ec7fe3e9b0330d1ba7bc3a113b6f9 Mon Sep 17 00:00:00 2001
From: Frederick Witty
Date: Thu, 12 Oct 2023 13:15:46 -0400
Subject: [PATCH 17/18] Update section 1.2.3 -5
Signed-off-by: Frederick Witty
---
tasks/section01.yml | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/tasks/section01.yml b/tasks/section01.yml
index 57ca5f0..3c7c063 100644
--- a/tasks/section01.yml
+++ b/tasks/section01.yml
@@ -305,9 +305,8 @@
value: "{{ win19cis_allow_admin_account_lockout }}"
when:
- win19cis_rule_1_2_3
- - not win19cis_cloud_based_system or
- win2019cis_is_domain_controller or
- win2019cis_is_domain_member
+ - win2019cis_is_domain_member
+ - not win19cis_cloud_based_system
tags:
- level1-memberserver
- rule_1.2.3
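Review bot: The new `when` list in the last hunk (patch 17) mixes two prefixes for the role's own facts, `win19cis_rule_1_2_3` and `win19cis_cloud_based_system` next to `win2019cis_is_domain_member`; stray `win2022cis_` names already had to be fixed in tasks/section18.yml earlier in this series, and a single prefix for the role's facts would make that kind of drift obvious in review. With the two conditions now AND-ed, domain controllers and, presumably, standalone servers no longer receive `AllowAdministratorLockout`, which is consistent with the `level1-memberserver` tag but is not stated anywhere near the task; a one-line comment above `when:` such as `# MS-only control: applied to domain members that are not cloud-based` would record the intent, since the ORDER comment that explains the cloud split sits outside this hunk. The task's `name`, module and closing tags lie outside the hunk.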
From 79e5b6c660c45c59e2ad2b19161715c930bed264 Mon Sep 17 00:00:00 2001
From: Frederick Witty
Date: Fri, 20 Oct 2023 14:03:57 -0400
Subject: [PATCH 18/18] Update Collections -1
Signed-off-by: Frederick Witty
---
collections/requirements.yml | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/collections/requirements.yml b/collections/requirements.yml
index 97aad6f..3bbac16 100644
--- a/collections/requirements.yml
+++ b/collections/requirements.yml
@@ -2,7 +2,13 @@
collections:
- name: ansible.windows
+ type: git
+ source: https://github.com/ansible-collections/ansible.windows
- name: community.windows
+ type: git
+ source: https://github.com/ansible-collections/community.windows
- name: community.general
+ type: git
+ source: https://github.com/ansible-collections/community.general
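Review bot: All three collections are switched to `type: git` with a `source:` URL but no `version:`, so `ansible-galaxy collection install -r collections/requirements.yml` will check out whatever the default branch holds at install time; installs stop being reproducible and the role's supply chain now follows an unreviewed moving target instead of a released artifact. Pin each entry with a `version:` set to a release tag or commit SHA, e.g. `version: "<TAG-OR-SHA>"` (placeholder), and prefer the Galaxy-published releases unless a git checkout is specifically needed, in which case a comment above the entry should say why. The commit message gives no reason for the move, and ChangeLog.md is not touched in this patch.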