You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Describe the Issue
2.3.10.9 | PATCH | Configure Network access Remotely accessible registry paths and sub-paths always includes the CertSvc and WINS paths, but these paths should only be included when the corresponding roles are present on the server.
The recommended state for this setting is:
System\CurrentControlSet\Control\Print\Printers
System\CurrentControlSet\Services\Eventlog
Software\Microsoft\OLAP Server
Software\Microsoft\Windows NT\CurrentVersion\Print
Software\Microsoft\Windows NT\CurrentVersion\Windows
System\CurrentControlSet\Control\ContentIndex
System\CurrentControlSet\Control\Terminal Server
System\CurrentControlSet\Control\Terminal Server\UserConfig
System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
Software\Microsoft\Windows NT\CurrentVersion\Perflib
System\CurrentControlSet\Services\SysmonLog
The recommended state for servers that hold the Active Directory Certificate ServicesRole with Certification AuthorityRole Service includes the above list and:
System\CurrentControlSet\Services\CertSvc
The recommended state for servers that have the WINS ServerFeature installed includes the above list and:
System\CurrentControlSet\Services\WINS
Expected Behavior
The CertSvc and WINS path are only included in the remotely accessible registry paths and sub-paths when the corresponding features are installed
Actual Behavior
The CertSvc and WINS path are always included
Control(s) Affected
2.3.10.9
Possible Solution
- name: "2.3.10.9 | PATCH | Configure Network access Remotely accessible registry paths and sub-paths"block:
- name: 2.3.10.9 | Set value for Configure Network access Remotely accessible registry paths and sub-paths"ansible.builtin.set_fact:
remote_registry_paths: ['System\CurrentControlSet\Control\Print\Printers','System\CurrentControlSet\Services\Eventlog','Software\Microsoft\OLAP Server','Software\Microsoft\Windows NT\CurrentVersion\Print','Software\Microsoft\Windows NT\CurrentVersion\Windows','System\CurrentControlSet\Control\ContentIndex','System\CurrentControlSet\Control\Terminal Server','System\CurrentControlSet\Control\Terminal Server\UserConfig','System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration','Software\Microsoft\Windows NT\CurrentVersion\Perflib','System\CurrentControlSet\Services\SysmonLog']
- name: 2.3.10.9 | Check if AD Certificate Services feature is installedcommunity.windows.win_feature_info:
name: AD-Certificateregister: adcs_feature
- name: 2.3.10.9 | Add CertSvc to pathsansible.builtin.set_fact:
remote_registry_paths: "{{ remote_registry_paths + ['System\\CurrentControlSet\\Services\\CertSvc'] }}"when: adcs_feature.features[0].installed
- name: 2.3.10.9 | Check if WINS feature is installedcommunity.windows.win_feature_info:
name: WINSregister: wins_feature
- name: 2.3.10.9 | Add WINS to pathsansible.builtin.set_fact:
remote_registry_paths: "{{ remote_registry_paths + ['System\\CurrentControlSet\\Services\\WINS'] }}"when: wins_feature.features[0].installed
- name: "2.3.10.9 | PATCH | Configure Network access Remotely accessible registry paths and sub-paths"ansible.windows.win_regedit:
path: HKLM:\System\Currentcontrolset\Control\Securepipeservers\Winreg\Allowedpathsname: "Machine"data: '{{ remote_registry_paths }}'type: multistringwhen:
- win19cis_rule_2_3_10_9tags:
- level1-domaincontroller
- level1-memberserver
- rule_2.3.10.9
- patch
The text was updated successfully, but these errors were encountered:
Sorry for the late response on this it is a good adjustment and is being built into the Private Repo of 2019 now to be tested. Will work on rolling it out to this repo as well.
Describe the Issue
2.3.10.9 | PATCH | Configure Network access Remotely accessible registry paths and sub-paths always includes the CertSvc and WINS paths, but these paths should only be included when the corresponding roles are present on the server.
The recommended state for this setting is:
System\CurrentControlSet\Control\Print\Printers
System\CurrentControlSet\Services\Eventlog
Software\Microsoft\OLAP Server
Software\Microsoft\Windows NT\CurrentVersion\Print
Software\Microsoft\Windows NT\CurrentVersion\Windows
System\CurrentControlSet\Control\ContentIndex
System\CurrentControlSet\Control\Terminal Server
System\CurrentControlSet\Control\Terminal Server\UserConfig
System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
Software\Microsoft\Windows NT\CurrentVersion\Perflib
System\CurrentControlSet\Services\SysmonLog
The recommended state for servers that hold the Active Directory Certificate ServicesRole with Certification AuthorityRole Service includes the above list and:
System\CurrentControlSet\Services\CertSvc
The recommended state for servers that have the WINS ServerFeature installed includes the above list and:
System\CurrentControlSet\Services\WINS
Expected Behavior
The CertSvc and WINS path are only included in the remotely accessible registry paths and sub-paths when the corresponding features are installed
Actual Behavior
The CertSvc and WINS path are always included
Control(s) Affected
2.3.10.9
Possible Solution
The text was updated successfully, but these errors were encountered: